The World Is Not Enough: Another Look on Second-Order DPA

Standaert, François‐Xavier; Veyrat-Charvillon, Nicolas; Oswald, Elisabeth; Gierlichs, Benedikt; Medwed, Marcel; Kasper, Markus; Mangard, Stefan

doi:10.1007/978-3-642-17373-8_7

Cited by 138 publications

(109 citation statements)

References 22 publications

Supporting

Mentioning

102

Contrasting

Order By: Relevance

“…But they do not exhibit strongly different efficiencies. Overall, these experiments also follow the analysis in [30], which shows that the efficiency of non-profiled (second-order) side-channel distinguishers is difficult to predict and highly dependent on the implementation context.…”

Section: Methodssupporting

confidence: 69%

“…For example, [19,20,33] discuss the statistical properties of the original distinguisher; [9,20,22,30] consider its application to implementations protected by masking or other countermeasures; and [29] performs exhaustive empirical comparisons of various side-channel distinguishers, including MIA. In this paper, we compile these recent results into a single comprehensive treatment.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Mutual Information Analysis: a Comprehensive Study

et al. 2010

Self Cite

View full text Add to dashboard Cite

Abstract. Mutual Information Analysis is a generic side-channel distinguisher that has been introduced at CHES 2008. It aims to allow successful attacks requiring minimum assumptions and knowledge of the target device by the adversary. In this paper, we compile recent contributions and applications of MIA in a comprehensive study. From a theoretical point of view, we carefully discuss its statistical properties and relationship with probability density estimation tools. From a practical point of view, we apply MIA in two of the most investigated contexts for side-channel attacks. Namely, we consider first order attacks against an unprotected implementation of the DES in a full custom IC and second order attacks against a masked implementation of the DES in an 8-bit microcontroller. These experiments allow to put forward the strengths and weaknesses of this new distinguisher and to compare it with standard power analysis attacks using the correlation coefficient.

show abstract

Section: Methodssupporting

confidence: 69%

Section: Introductionmentioning

confidence: 99%

Mutual Information Analysis: a Comprehensive Study

et al. 2010

Self Cite

View full text Add to dashboard Cite

show abstract

“…More generally, our study relies on a well studied problem which is the comparison of the results of two different instantaneous attacks [11,20,33,34,36,38]. For the LRA, it will lead to a modification of the candidate selection rule.…”

Section: Effectiveness Discussionmentioning

confidence: 99%

Behind the Scene of Side Channel Attacks

Lomné

Prouff

Roche

2013

Advances in Cryptology - ASIACRYPT 2013

View full text Add to dashboard Cite

Abstract. Since the introduction of side channel attacks in the nineties, a large amount of work has been devoted to their effectiveness and efficiency improvements. On the one side, general results and conclusions are drawn in theoretical frameworks, but the latter ones are often set in a too ideal context to capture the full complexity of an attack performed in real conditions. On the other side, practical improvements are proposed for specific contexts but the big picture is often put aside, which makes them difficult to adapt to different contexts. This paper tries to bridge the gap between both worlds. We specifically investigate which kind of issues is faced by a security evaluator when performing a state of the art attack. This analysis leads us to focus on the very common situation where the exact time of the sensitive processing is drown in a large number of leakage points. In this context we propose new ideas to improve the effectiveness and/or efficiency of the three considered attacks. In the particular case of stochastic attacks, we show that the existing literature, essentially developed under the assumption that the exact sensitive time is known, cannot be directly applied when the latter assumption is relaxed. To deal with this issue, we propose an improvement which makes stochastic attack a real alternative to the classical correlation power analysis. Our study is illustrated by various attack experiments performed on several copies of three micro-controllers with different CMOS technologies (respectively 350, 130 and 90 nanometers).

show abstract

“…In order to answer this question, we first repeated exactly the information theoretic analysis described in [30] and applied to the masking countermeasure in [31]. It leads to the information theoretic curves for the unprotected S-box and the 1st-order masked one in Figure 7.…”

Section: How Good Must the Randomness Be?mentioning

confidence: 99%

“…case of single-bit DPA attacks [3], then experimented by Standaert et al in more general contexts [31], and recently shown formally by Prouff and Rivain [25], using the mutual information put forward in [30] as evaluation metric.…”

mentioning

confidence: 99%

Masking vs. Multiparty Computation: How Large Is the Gap for AES?

Grosso

Standaert

Faust

2013

Cryptographic Hardware and Embedded Systems - CHES 2013

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper, we evaluate the performances of state-of-theart higher-order masking schemes for the AES. Doing so, we pay a particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting MultiParty Computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g. its glitch-freeness) comes at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that "packed secret sharing" based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.

show abstract

The World Is Not Enough: Another Look on Second-Order DPA

Cited by 138 publications

References 22 publications

Mutual Information Analysis: a Comprehensive Study

Mutual Information Analysis: a Comprehensive Study

Behind the Scene of Side Channel Attacks

Masking vs. Multiparty Computation: How Large Is the Gap for AES?

Contact Info

Product

Resources

About