Mutual Information Analysis: a Comprehensive Study

Batina, Lejla; Gierlichs, Benedikt; Prouff, Emmanuel; Rivain, Matthieu; Standaert, François‐Xavier; Veyrat-Charvillon, Nicolas

doi:10.1007/s00145-010-9084-8

Cited by 221 publications

(132 citation statements)

References 28 publications

Supporting

Mentioning

127

Contrasting

Order By: Relevance

“…As expected, and as a straightforward implication of the atomicity principle, the doubling and addition schemes perform exactly the same sequence of field operations if the star (dummy) operations are well chosen 3 . This implies that it is impossible to distinguish a doubling from an addition by just looking at the sequence of calculations (i.e.…”

Section: Attack On Chevallier-mames Et Al's Schemesupporting

confidence: 69%

See 1 more Smart Citation

Horizontal Collision Correlation Attack on Elliptic Curves

Bauer

Jaulmes

Prouff

et al. 2014

Selected Areas in Cryptography -- SAC 2013

Self Cite

View full text Add to dashboard Cite

Abstract. Elliptic curves based algorithms are nowadays widely spread among embedded systems. They indeed have the double advantage of providing efficient implementations with short certificates and of being relatively easy to secure against side-channel attacks. As a matter of fact, when an algorithm with constant execution flow is implemented together with randomization techniques, the obtained design usually thwarts classical side-channel attacks while keeping good performances. Recently, a new technique that makes some randomizations ineffective, has been successfully applied in the context of RSA implementations. This method, related to a so-called horizontal modus operandi, introduced by Walter in 2001, turns out to be very powerful since it only requires leakages on a single algorithm execution. In this paper, we combine such kind of techniques together with the collision correlation analysis, introduced at CHES 2010 by Moradi et al., to propose a new attack on elliptic curves atomic implementations (or unified formulas) with input randomization. We show how it may be applied against several state-of-the art implementations, including those of Chevallier-Mames et al., of Longa and of Giraud-Verneuil and also Bernstein and Lange for unified Edward's formulas. Finally, we provide simulation results for several sizes of elliptic curves on different hardware architectures. These results, which turn out to be the very first horizontal attacks on elliptic curves, open new perspectives in securing such implementations. Indeed, this paper shows that two of the main existing countermeasures for elliptic curve implementations become irrelevant when going from vertical to horizontal analysis.

show abstract

Section: Attack On Chevallier-mames Et Al's Schemesupporting

confidence: 69%

“…Most attacks [3,9,24] enter into this category and the number of different indices i may for instance correspond to the attack order [27]. The second method, called horizontal [13,33], applies on a single algorithm execution.…”

Section: Notations and Basics On Side-channel Attacksmentioning

confidence: 99%

Horizontal Collision Correlation Attack on Elliptic Curves

Bauer

Jaulmes

Prouff

et al. 2014

Selected Areas in Cryptography -- SAC 2013

Self Cite

View full text Add to dashboard Cite

show abstract

“…We subsequently apply our framework to an example question which is a 'hot topic' in the current literature: Mutual Information Analysis (MIA) was proposed in [11] as an 'optimised' and generic enhancement to correlation-based DPA (CPA), but has disappointed in (most) subsequent comparisons (see [3] for a good overview). By rigorously assessing the theoretic capabilities of MIA with respect to a range of leakage scenarios we shed new light on the rift between the a priori reasoning and the empirical evidence, demonstrating when and in what sense it does represent a superior attack methodology.…”

Section: Our Contributionmentioning

confidence: 99%

“…The authors of [3] presented three such notions and explored how each could be adapted to the purposes of DPA. They subsequently demonstrated that the three were essentially (theoretically) equivalent in the case of a perfectly implemented masking scheme (i.e.…”

mentioning

confidence: 99%

A fair evaluation framework for comparing side-channel distinguishers

Whitnall

Oswald

2011

J Cryptogr Eng

View full text Add to dashboard Cite

Abstract. The ability to make meaningful comparisons between side-channel distinguishers is important both to attackers seeking an optimal strategy and to designers wishing to secure a device against the strongest possible threat. The usual experimental approach requires the distinguishing vectors to be estimated: outcomes do not fully represent the inherent theoretic capabilities of distinguishers and do not provide a basis for conclusive, like-for-like comparisons. This is particularly problematic in the case of mutual information-based side channel analysis (MIA) which is notoriously sensitive to the choice of estimator. We propose an evaluation framework which captures those theoretic characteristics of attack distinguishers having the strongest bearing on an attacker's general ability to estimate with practical success, thus enabling like-for-like comparisons between different distinguishers in various leakage scenarios. We apply our framework to an evaluation of MIA relative to its rather more well-established correlationbased predecessor and a proposed variant inspired by the Kolmogorov-Smirnov distance. Our analysis makes sense of the rift between the a priori reasoning in favour of MIA and the disappointing empirical findings of previous comparative studies, and moreover reveals several unprecedented features of the attack distinguishers in terms of their sensitivity to noise. It also explores-to our knowledge, for the first time-theoretic properties of near-generic power models previously proposed (and experimentally verified) for use in attacks targeting injective functions.

show abstract

“…This strategy is winning in terms of performance (albeit at the expense of more ROM). Security-wise, as the mask S 1 is no longer uniformly distributed, zero-offset [45] or mutual information attacks [2] become possible. But the degree to which the leakage shall be raised for a CPA attack -on a platform with a linear leakage function -to be successful can be made strictly larger than three (see next section), and thus becomes the relevant security parameter.…”

Section: Multi-mask Fems Vs Mono-mask Lemsmentioning

confidence: 99%

Detecting Hidden Leakages

Moradi

Guilley

Heuser

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

show abstract

Mutual Information Analysis: a Comprehensive Study

Cited by 221 publications

References 28 publications

Horizontal Collision Correlation Attack on Elliptic Curves

Horizontal Collision Correlation Attack on Elliptic Curves

A fair evaluation framework for comparing side-channel distinguishers

Detecting Hidden Leakages

Contact Info

Product

Resources

About