Professional Documents
Culture Documents
Side Channel Analysis of Embedded Systems An Efficient Algorithmic Approach Maamar Ouladj Online Ebook Texxtbook Full Chapter PDF
Side Channel Analysis of Embedded Systems An Efficient Algorithmic Approach Maamar Ouladj Online Ebook Texxtbook Full Chapter PDF
Side Channel Analysis of Embedded Systems An Efficient Algorithmic Approach Maamar Ouladj Online Ebook Texxtbook Full Chapter PDF
https://ebookmeta.com/product/side-channel-analysis-of-embedded-
systems-maamar-ouladj-sylvain-guilley/
https://ebookmeta.com/product/decision-making-in-anesthesiology-
an-algorithmic-approach-5th-edition-m-d-bready/
https://ebookmeta.com/product/rhinoplasty-in-practice-an-
algorithmic-approach-to-modern-surgical-techniques-1st-edition-
suleyman-tas/
Ramamurthy s Decision Making in Pain Management an
Algorithmic Approach 3rd Edition Ameet Nagpal
https://ebookmeta.com/product/ramamurthy-s-decision-making-in-
pain-management-an-algorithmic-approach-3rd-edition-ameet-nagpal/
https://ebookmeta.com/product/embedded-systems-a-hardware-
software-co-design-approach-unleash-the-power-of-arduino-1st-
edition-bashir-i-morshed/
https://ebookmeta.com/product/the-engineering-of-reliable-
embedded-systems-michael-j-pont/
https://ebookmeta.com/product/energy-audit-of-building-systems-
an-engineering-approach-3rd-edition-krarti/
https://ebookmeta.com/product/design-principles-for-embedded-
systems-kcs-murti/
Maamar Ouladj and Sylvain Guilley
Sylvain Guilley
Secure-IC, S.A.S., Paris, France
This work is subject to copyright. All rights are solely and exclusively
licensed by the Publisher, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in
any other physical way, and transmission or information storage and
retrieval, electronic adaptation, computer software, or by similar or
dissimilar methodology now known or hereafter developed.
The publisher, the authors and the editors are safe to assume that the
advice and information in this book are believed to be true and accurate
at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the
material contained herein or for any errors or omissions that may have
been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer
Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham,
Switzerland
Contents
1 General Introduction
References
Part I Classical Side-Channel Attacks
2 Foundations of Side-Channel Attacks
2.1 Notations
2.2 General Framework for Side-Channel Attacks
2.3 Leakage Models
2.3.1 Hamming Weight Leakage Model
2.3.2 Hamming Distance Leakage Model
2.3.3 The Unevenly Weighted Sum of the Bits (UWSB)
Leakage Model
2.3.4 Polynomial Leakage Model
2.3.5 Leakage Model in Profiled SCA
2.4 SCA Security Metrics
2.4.1 Success Rate (SR)
2.4.2 Guessing Entropy (GE)
2.4.3 Signal-to-Noise Ratio (SNR)
2.4.4 Normalized Inter-Class Variance (NICV)
2.4.5 Information Theory Metric
2.4.6 Metrics in Machine Learning
2.4.7 Relation Between the Security Metrics
2.5 Pre-processing of the Leakage Traces for SCA
2.5.1 Traces Synchronization
2.5.2 Noise Filtering
2.5.3 Points-of-Interest (PoI) Selection
2.5.4 Dimensionality Reduction
References
3 Side-Channel Distinguishers
3.1 SCA Distinguishers Classification
3.2 First-Order Distinguishers
3.2.1 Simple Power Analysis (SPA)
3.2.2 Differential Power Analysis (DPA)
3.2.3 Correlation Power Analysis (CPA)
3.2.4 Rank-Based CPAs
3.2.5 Covariance-Based Distinguisher
3.2.6 Collision Side-Channel Attacks
3.2.7 Mutual Information Analysis (MIA)
3.2.8 Kolmogorov-Smirnov Distance (KS)-Based
Distinguisher
3.2.9 Chi-Squared Test (Chi-2-Test)-Based Distinguisher
3.2.10 Template Attack (TA)
3.2.11 Linear Regression-Based Side-Channel Attacks (LRA)
3.2.12 Machine Learning-Based Distinguishers
3.3 Higher Order Distinguishers
3.3.1 Higher Order Distinguishers Overs Combination
3.3.2 Higher Order Distinguishers Without a Prerequisite
Combination
3.4 Comparison of Distinguishers
References
4 SCA Countermeasures
4.1 Hiding
4.1.1 Hiding on the Time Dimension
4.1.2 Hiding on the Amplitude Dimension
4.2 Masking Countermeasure
4.2.1 Boolean Masking (BM)
4.2.2 Multiplicative Masking (MM)
4.2.3 Affine Masking (AfM)
4.2.4 Arithmetic Masking (ArM)
4.2.5 Polynomials-Based Masking (PM)
4.2.6 Leakage Squeezing Masking (LSM)
4.2.7 Rotating S-Boxes Masking (RSM)
4.2.8 Inner Product Masking (IPM)
4.2.9 Direct Sum Masking (DSM)
4.2.10 Comparison Between Masking Schemes
4.3 Combination of Countermeasures
References
Part II Spectral Approach in Side-Channel Attacks
5 Spectral Approach to Speed up the Processing
5.1 Walsh-Hadamard Transformation to Speed Up Convolution
Computation
5.2 Convolution Product
5.3 Extension of the Spectral Approach to the Higher Order
5.4 Conclusion
Reference
6 Generalized Spectral Approach to Speed up the Correlation
Power Analysis
6.1 Introduction
6.1.1 Outline
6.2 CPA’s Preliminaries
6.2.1 Target of the Attack
6.3 Carrying Out the CPA, with Arbitrary Set of Messages,
According to the Spectral Approach
6.3.1 Incremental CPA Computation
6.4 Extension of the Improvements to the Protected
Implementations by Masking
6.5 Experiments
6.6 Conclusion
References
Part III Coalescence-based Side-Channel Attacks
7 Coalescence Principle
7.1 Difference Between SCAs with and Without Coalescence
7.2 Optimization of the Stochastic Collision Attack Thanks to
the Coalescence
7.2.1 Preliminaries
7.2.2 New Concept of Stochastic Collision Distinguisher
7.2.3 Main Result
7.3 Conclusion
References
8 Linear Regression Analysis with Coalescence Principle
8.1 Introduction
8.1.1 State-of-the-Art’s Review
8.1.2 Contributions
8.1.3 Outline
8.2 Mathematical Modelization
8.2.1 Description of Stochastic Attacks
8.3 LRA Study and Improvements of Its Implementation
8.3.1 LRA with Assumption of Equal Images Under different
Subkeys (EIS)
8.3.2 Spectral Approach Computation to Speed up LRA (with
EIS)
8.3.3 Further Improvement
8.3.4 Incremental Implementation of LRA
8.4 Extension of the Improvements to the Protected
Implementations by Masking
8.4.1 Normalized Product Combination Against Arithmetic
Masking
8.5 Experiments
8.5.1 LRA with and Without Spectral Approach
8.5.2 SCAs with and Without Coalescence
8.5.3 LRA Against Higher Order Masking
8.6 Conclusion and Perspectives
References
9 Template Attack with Coalescence Principle
9.1 Introduction
9.1.1 Context:The Side-Channel Threat
9.1.2 Problem:Making the Most of High Dimensionality
9.1.3 State-of-the-Art
9.1.4 Contributions
9.1.5 Outline
9.2 Mathematical Modelization of the Problem and Notations
9.2.1 Side-Channel Problem
9.2.2 Additional Notations
9.3 Formalization of Template Attacks
9.3.1 Template Attack (Without Coalescence)
9.3.2 Template Attack (With Coalescence)
9.3.3 State-of-the-Art Dimensionality Reduction for TA
9.4 Efficiently Computing Templates with Coalescence
9.4.1 Simplification by the Law of Large Number (LLN)
9.4.2 Profiling and Attack Algorithms
9.4.3 Improved Profiling and Attack Algorithms
9.4.4 Extension of Our Approach to Masked
Implementations
9.4.5 Computational Performance Analysis
9.5 Experiments
9.5.1 Traces Used for the Case Study
9.5.2 Template Attacks with Windows of Increasing Size
9.5.3 Comparison with PCA
9.5.4 Template Attack after Dimensionality Reduction (over
First Eigen-Components)
9.5.5 Study of Our Approach with Simulated Traces
9.6 Conclusion
References
10 Spectral Approach to Process the High-Order Template Attack
Against any Masking Scheme
10.1 Introduction
10.1.1 Related Works
10.1.2 Contributions
10.1.3 Outline
10.2 Preliminaries
10.2.1 Linear Algebra and Linear Codes
10.3 Higher Order Template Attack
10.3.1 High-Order Boolean Masking
10.3.2 Attack on High-Order Boolean Masking
10.3.3 Computing the Template Profile Functions
1. General Introduction
Maamar Ouladj1 and Sylvain Guilley2
(1) Paris 8 University, Paris, France
(2) Secure-IC, S.A.S., Paris, France
Maamar Ouladj
Email: ouladj.maamar@gmail.com
References
1. Kocher PC (1996) Timing attacks on implementations of Diffie-Hellman, RSA,
DSS, and other systems. In: Koblitz N (ed) Advances in cryptology - CRYPTO’96,
16th annual international cryptology conference, Santa Barbara, California, USA,
August 18–22, 1996, Proceedings. Lecture notes in computer science, vol 1109.
Springer, pp 104–113
2.
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Advances in
cryptology - CRYPTO’99. Springer, pp 388–397
3.
Richter B, Wild A, Moradi A (2019) Automated probe repositioning for on-die
EM measurements. In: Pan DZ (ed) Proceedings of the international conference
on computer-aided design, ICCAD 2019, Westminster, CO, USA, November 4–7,
2019. ACM, pp 1–6
4.
Genkin D, Shamir A, Tromer E (2014) RSA key extraction via low-bandwidth
acoustic cryptanalysis. In: Garay JA, Gennaro R (eds) Advances in cryptology -
CRYPTO 2014 - 34th annual cryptology conference, Santa Barbara, CA, USA,
August 17–21, 2014, Proceedings, Part I. Lecture notes in computer science, vol
8616. Springer, pp 444–461
5.
Genkin D, Pattani M, Schuster R, Tromer E (2018) Synesthesia: detecting screen
content via remote acoustic side channels. CoRR arXiv:abs/1809.02629
6.
Tramèr F, Boneh D, Paterson KG (2020) Remote side-channel attacks on
anonymous transactions. Cryptology ePrint Archive, Report 2020/220. https://
eprint.iacr.org/2020/220
7.
Genkin D, Pipman I, Tromer E (2015) Get your hands off my laptop: physical
side-channel key-extraction attacks on PCs - extended version. J Cryptogr Eng
5(2):95–112
[Crossref]
8.
Balasch J, Gierlichs B, Reparaz O, Verbauwhede I (2015) DPA, bitslicing and
masking at 1 GHz. In Gü neysu T, Handschuh H (eds) Cryptographic hardware and
embedded systems - CHES 2015 - 17th international workshop, Saint-Malo,
France, September 13–16, 2015, Proceedings. Lecture notes in computer science,
vol 9293. Springer, pp 599–619
9.
Genkin D, Pachmanov L, Pipman I, Tromer E (2015) Stealing keys from PCs using
a radio: cheap electromagnetic attacks on windowed exponentiation, pp 207–
228, 09 2015
10.
Mangard S, Oswald E, Popp T (2006) Power analysis attacks: revealing the
secrets of smart cards. http://www.springer.c om/. Springer, December 2006.
ISBN 0-387-30857-1, http://www.dpabook.org/
11.
Brier É , Clavier C, Olivier F (2004) Correlation power analysis with a leakage
model. In: Joye M, Quisquater J-J (eds) Cryptographic hardware and embedded
systems - CHES 2004: 6th international workshop Cambridge, MA, USA, August
11–13, 2004. Proceedings. Lecture notes in computer science, vol 3156. Springer,
pp 16–29
12.
Heuser A, Rioul O, Guilley S (2014) Good is not good enough - deriving optimal
distinguishers from communication theory. In: Batina L, Robshaw M (eds)
Cryptographic hardware and embedded systems - CHES 2014 - 16th
international workshop, Busan, South Korea, September 23–26, 2014.
Proceedings. Lecture notes in computer science, vol 8731. Springer, pp 55–74
13.
Carbone M, Tiran S, Ordas S, Agoyan M, Teglia Y, Ducharme GR, Maurine P (2014)
On adaptive bandwidth selection for efficient MIA. In: Prouff E (ed) Constructive
side-channel analysis and secure design - 5th international workshop, COSADE
2014, Paris, France, April 13–15, 2014. Revised selected papers. Lecture notes in
computer science, vol 8622. Springer, pp 82–97
14.
Schindler W (2005) On the optimization of side-channel attacks by advanced
stochastic methods. In: Vaudenay S (ed) Public key cryptography - PKC 2005, 8th
international workshop on theory and practice in public key cryptography, Les
Diablerets, Switzerland, January 23–26, 2005, Proceedings. Lecture notes in
computer science, vol 3386. Springer, pp 85–103
15.
Chari S, Rao JR, Rohatgi P (2002) Template attacks. In: Kaliski BS, Jr., Koç ÇK,
Paar C (eds) Cryptographic hardware and embedded systems - CHES 2002, 4th
international workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised
papers. Lecture notes in computer science, vol 2523. Springer, pp 13–28
16.
TELECOM ParisTech SEN research group. DPA Contest. http://www.DPAcontest.
org/
17.
Werner S, Kerstin L, Paar C (2005) A model stochastic, for differential side
channel cryptanalysis. In: LNCS, vol 3659, CHES (Sept 2005), Edinburgh,
Scotland, UK. Springer, pp. 30–46
18.
Dabosville G, Doget J, Prouff E (2013) A new second-order side channel attack
based on linear regression. IEEE Trans Comput 62(8):1629–1640
[MathSciNet][Crossref]
19.
Lomné V, Prouff E, Roche T (2013) Behind the scene of side channel attacks. In:
Sako K, Sarkar P (eds) ASIACRYPT (1). Lecture notes in computer science, vol
8269. Springer, pp 506–525
20.
Guillot P, Millérioux G, Dravie B, El Mrabet N (2017) Spectral approach for
correlation power analysis. In: El Hajji S, Nitaj A, Souidi EM (eds) Codes,
cryptology and information security - 2nd international conference, C2SI 2017,
Rabat, Morocco, April 10–12, 2017, Proceedings - in honor of Claude Carlet.
Lecture notes in computer science, vol 10194. Springer, pp 238–253
21.
NIST/ITL/CSD. Advanced encryption standard (AES). FIPS PUB 197, Nov 2001.
http://nvlpubs.nist.gov/nistpubs/FIPS/N IST.FIPS.197.pdf (also ISO/IEC 18033-
3:2010)
22.
ISO/IEC 18033-3:2010. Information technology – security techniques –
encryption algorithms – Part 3: Block ciphers
23.
Ouladj M, Guillot P, Mokrane F (2020) Generalized spectral approach to speed up
the correlation power analysis. In: Yet another conference on CRYPTography and
embedded devices YACCRYPTED’2020, Porquerolles (IGESA Center), France, June
15–19th 2020
24.
Ouladj M, Guilley S, Prouff E (2020) On the implementation efficiency of linear
regression-based side-channel attacks. In: Constructive side-channel analysis and
secure design - 11th international workshop, COSADE 2020, Lugano, Switzerland,
October 5–7, 2020, Proceedings
25.
Carlet C, Guillot P (1999) A new representation of Boolean functions. In:
Fossorier MPC, Imai H, Lin S, Poli A (eds) AAECC. Lecture notes in computer
science, vol 1719. Springer, pp 94–103
26.
Ouladj M, El Mrabet N, Guilley S, Guillot P, Millérioux G (2020) On the power of
template attacks in highly multivariate context. J Cryptogr Eng-JCEN
Part I
Classical Side-Channel Attacks
Maamar Ouladj
Email: ouladj.maamar@gmail.com
Let us first adopt some useful notations that will hold for the remainder
of the book.
2.1 Notations
In this book, we use capital letters for random variables. A realization of
a random variable (e.g., X) is denoted by the corresponding lowercase
letter (e.g., x). A sample of several observations of X is denoted by .
Sometimes it is viewed as a vector. The notation means the
initialization of the set of observations from X. and
denote, respectively, the mean and the standard deviation of X.
The notation denotes column vectors and denotes its
matrices, denote, respectively, the square and the square root of all the
vector/matrix coordinates.
In the following side-channel attacks, we will consider that the
adversary targets a single sensitive variable Z. The results can be
directly extended to the general case, where several variables are
targeted in parallel. The sensitive variable Z depends on a public
variable X (typically a plaintext or ciphertext) and on a secret subkey
such that where . The bit lengths n
and m depend on the cryptographic algorithm and the device
architecture. Typically , where sbox denotes a
substitution box and denotes the bitwise addition.
An attack is carried out with N side-channel traces , ..., . Each
corresponds to the processing of , such that
and . The number of samples per traces (time leakage
points) is denoted by D.
time samples.
(2.1)
Finally, the SCAs are usually carried out in two phases. The fist one
named the preparation phase consists in profiling and characterizing
the leakage using a training device. It is used, for example, in template
attack [2], in the profiled side channel based in the LRA [3], and some
machine learning-based SCAs [4]. This phase is optional for
adversaries. In fact, one can assume that the deterministic part of the
leakage follows some model function M as will be detailed in Sect. 2.3.
Thereby adversaries could overcome this phase as in the CPA Sect. 3.2.3
and MIA Sect. 3.2.7. In such case, the attack is called non-profiled SCA.
As far as evaluators are concerned, this phase is mandatory to properly
profile the leakage.
The second phase named the exploitation phase consists in guessing
the most likely key, using usually one of the statistical methods called
distinguishers (see Chap. 3 for more details). The distinguisher
requires optionally the results of the preparation phase.
Adversaries need some metrics to compare different side-channel
attacks. In practice, they use the success rate and the guessing entropy.
Readers can refer to Sect. 2.4 for more details.
In contrast, a side-channel evaluator aims at profiling the physical
leakage, independently from the subsequent attack kind. In practice,
evaluators make use of the information theoretic metric (using the
conditional entropy) to compare different implementations [1].
This is the most general form of the leakage model and it must be
considered by designers, in order to study the device resistance against
SCA in the worst-case scenario.
(2.2)
(2.3)
References
1. Standaert F-X, Malkin T, Yung M (2009) A unified framework for the analysis of
side-channel key recovery attacks. In: EUROCRYPT, April 26–30 2009, Cologne,
Germany. LNCS, vol 5479. Springer, pp 443–461
2.
Chari S, Rao JR, Rohatgi P (2002) Template attacks. In: Kaliski BS, Jr., Koç ÇK,
Paar C (eds) Cryptographic hardware and embedded systems - CHES 2002, 4th
international workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised
papers. Lecture notes in computer science, vol 2523. Springer, pp 13–28
3.
Schindler W (2005) On the optimization of side-channel attacks by advanced
stochastic methods. In: Vaudenay S (ed) Public key cryptography - PKC 2005, 8th
international workshop on theory and practice in public key cryptography, Les
Diablerets, Switzerland, January 23–26, 2005, Proceedings. Lecture notes in
computer science, vol 3386. Springer, pp 85–103
4.
Masure L, Dumas C, Prouff E (2019) Gradient visualization for general
characterization in profiling attacks. In: Constructive side-channel analysis and
secure design - 10th international workshop, COSADE 2019, Darmstadt,
Germany, April 3–5, 2019, Proceedings, pp 145–167
5.
Doget J, Prouff E, Rivain M, Standaert F-X (2011) Univariate side channel attacks
and leakage modeling. J Cryptogr Eng 1(2):123–144
[Crossref]
6.
Duc A, Dziembowski S, Faust S (2014) Unifying leakage models: from probing
attacks to noisy leakage. IACR Cryptol ePrint Arch 2014:79
[zbMATH]
7.
Prest T, Goudarzi D, Martinelli A, Passelègue A (2019) Unifying leakage models
on a rényi day. In: Advances in cryptology - CRYPTO 2019 - 39th annual
international cryptology conference, Santa Barbara, CA, USA, August 18–22,
2019, Proceedings, Part I, pp 683–712
8.
Perin G (2019) Deep learning model generalization in side-channel analysis.
Cryptology ePrint Archive, Report 2019/978. https://eprint.iacr.org/2019/978
9.
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Advances in
cryptology - CRYPTO’99. Springer, pp 388–397
10.
Messerges TS, Dabbish EA, Sloan RH (1999) Investigations of power analysis
attacks on smartcards. In: USENIX — Smartcard’99, May 10–11 1999, Chicago,
Illinois, USA, pp 151–162 (Online PDF)
11.
Kerstin L, Kai S, Paar C (2004) DPA on -bit sized Boolean and arithmetic
operations and its application to IDEA, RC6, and the HMAC-construction. In:
CHES, August 11–13, Cambridge, MA, USA. Lecture notes in computer science,
vol 3156. Springer, pp. 205–219
12.
Brier É , Clavier C, Olivier F (2004) Correlation power analysis with a leakage
model. In: Joye M, Quisquater J-J (eds) Cryptographic hardware and embedded
systems - CHES 2004: 6th international workshop Cambridge, MA, USA, August
11–13, 2004. Proceedings. Lecture notes in computer science, vol 3156. Springer,
pp 16–29
13.
Zheng Y, Zhou Y, Yu Z, Hu C, Zhang H (2014) How to compare selections of points
of interest for side-channel distinguishers in practice? In: Hui LCK, Qing SH, Shi
E, Yiu S-M (eds) Information and communications security - 16th international
conference, ICICS 2014, Hong Kong, China, December 16-17, 2014, Revised
selected papers. Lecture notes in computer science, vol 8958. Springer, pp 200–
214
14.
ISO/IEC JTC 1/SC 27/WG 3. ISO/IEC 17825:2016: information technology –
security techniques – testing methods for the mitigation of non-invasive attack
classes against cryptographic modules. https://www.iso.org/standard/60612.
html
15.
Standaert F-X, Gierlichs B, Verbauwhede I (2008) Partition vs. comparison side-
channel distinguishers: an empirical evaluation of statistical tests for univariate
side-channel attacks against two unprotected CMOS devices. In: ICISC, December
3–5 2008, Seoul, Korea. LNCS, vol 5461. Springer, pp 253–267
16.
Mangard S, Oswald E, Popp T (2006) Power analysis attacks: revealing the
secrets of smart cards. Springer, Berlin. ISBN 0-387-30857-1, http://www.
dpabook.org/
17.
Bhasin S, Danger J-L, Guilley S, Najm Z (2014) Side-channel leakage and trace
compression using normalized inter-class variance. In: Proceedings of the 3rd
workshop on hardware and architectural support for security and privacy,
HASP’14, New York, NY, USA. ACM, pp 7:1–7:9
18.
Bhasin S, Danger J-L, Guilley S, Najm Z (2014) NICV: normalized inter-class
variance for detection of side-channel leakage. In: International symposium on
electromagnetic compatibility (EMC’14/Tokyo). IEEE, May 12–16 2014. Session
OS09: EM Information Leakage. Hitotsubashi Hall (National Center of Sciences),
Chiyoda, Tokyo, Japan
19.
Timon B (2019) Non-profiled deep learning-based side-channel attacks with
sensitivity analysis. IACR Trans Cryptogr Hardw Embed Syst 2019(2):107–131
Feb
[Crossref]
20.
Simonyan K, Vedaldi A, Zisserman A (2013) Deep inside convolutional networks:
visualising image classification models and saliency maps. CoRR arXiv:abs/1312.
6034
21.
Shrikumar A, Greenside P, Kundaje A (2017) Learning important features through
propagating activation differences. ArXiv arXiv:abs/1704.02685,
22.
Picek S, Heuser A, Jovic A, Bhasin S, Regazzoni F (2018) The curse of class
imbalance and conflicting metrics with machine learning for side-channel
evaluations. IACR Trans Cryptogr Hardw Embed Syst 2019(1):209–237 Nov
[Crossref]
23.
de Chérisey E, Guilley S, Rioul O, Piantanida P (2019) Best information is most
successful mutual information and success rate in side-channel analysis. IACR
Trans Cryptogr Hardw Embed Syst 2019(2):49–79
[Crossref]
24.
van Woudenberg JGJ, Witteman MF, Bakker B (2011) Improving differential
power analysis by elastic alignment. In: Kiayias A (ed) CT-RSA. Lecture notes in
computer science, vol 6558. Springer, pp 104–119
25.
Debande N, Souissi Y, Elaabid MA, Guilley S, Danger J-L (2012) Wavelet transform
based pre-processing for side channel analysis. In: 45th annual IEEE/ACM
international symposium on microarchitecture, MICRO 2012, workshops
proceedings, Vancouver, BC, Canada, December 1–5, 2012. IEEE Computer
Society, pp 32–38
26.
Le T-H, Cledière J, Servière C, Lacoume J-L (2007) Noise reduction in side
channel attack using fourth-order cumulant. IEEE Trans Inf Forensics Secur
2(4):710–720. https://doi.org/10.1109/TIFS.2007.910252 December
[Crossref]
27.
Souissi Y, Guilley S, Danger J-L, Duc G, Mekki S (2010) Improvement of power
analysis attacks using Kalman filter. In: ICASSP, IEEE Signal Processing Society,
March 14–19 (2010), Dallas, TX, USA. IEEE, pp. 1778–1781. https://doi.org/10.
1109/I CASSP.2010.5495428
28.
Del Pozo SM, Standaert F-X (2015) Blind source separation from single
measurements using singular spectrum analysis. In: Gü neysu T, Handschuh H
(eds) Cryptographic hardware and embedded systems - CHES 2015 - 17th
international workshop, Saint-Malo, France, September 13–16, 2015,
Proceedings. Lecture notes in computer science, vol 9293. Springer, pp 42–59
29.
Pelletier H, Charvet X (2005) Improving the DPA attack using wavelet transform,
September 26–29 2005. Honolulu, Hawai, USA; NIST’s physical security testing
workshop. Website: http://c src.nist.gov/groups/STM/c mvp/documents/
fips140-3/physec/papers/physecpaper14.pdf
30.
Maghrebi H, Prouff E (2018) On the use of independent component analysis to
denoise side-channel measurements. In: Fan J, Gierlichs B (eds) Constructive
side-channel analysis and secure design - 9th international workshop, COSADE
2018, Singapore, April 23–24, 2018, Proceedings. Lecture notes in computer
science, vol 10815. Springer, pp 61–81
31.
Le T-H, Cledière J, Servière C, Lacoume J-L (2007) How can signal processing
benefit side channel attacks? In: Proceedings of IEEE workshop on signal
processing applications for public security and forensics (SAFE), pp 1–7, April
11–13 2007, Washington D.C., USA
32.
Durvaux F, Standaert F-X (2016) From improved leakage detection to the
detection of points of interests in leakage traces, pp 240–262, 05 2016
33.
Rechberger C, Oswald E (2004) Practical template attacks. In: WISA, August 23–
25 2004, Jeju Island, Korea. LNCS, vol 3325. Springer, pp 443–457
34.
Ou C, Lam SK, Jiang G (2019) The art of guessing in combined side-channel
collision attacks. IACR Cryptol ePrint Arch 2019:690
35.
Schneider T, Moradi A (2016) Leakage assessment methodology. J Cryptogr Eng
6:02
[Crossref]
36.
Ding AA, Chen C, Eisenbarth T (2016) Simpler, faster, and more robust t-test
based leakage detection, vol 9689, pp 163–183, 04 2016
37.
Gierlichs B, Lemke-Rust K, Paar C (2006) Templates vs. stochastic methods. In:
CHES, October 10–13 2006, Yokohama, Japan. LNCS, vol 4249. Springer, pp 15–29
38.
Zotkin Y, Olivier F, Bourbao E (2018) Deep learning vs template attacks in front
of fundamental targets: experimental study. IACR Cryptol ePrint Arch 2018:1213
39.
Choudary O, Kuhn MG (2013) Efficient template attacks. In: Francillon A, Rohatgi
P (eds) Smart card research and advanced applications - 12th international
conference, CARDIS 2013, Berlin, Germany, November 27–29, 2013. Revised
selected papers. LNCS, vol 8419. Springer, pp 253–270
40.
Danger J-L, Debande N, Guilley S, Souissi Y (2014) High-order timing attacks. In:
Proceedings of the 1st workshop on cryptography and security in computing
systems, CS2’14, New York, NY, USA. ACM, pp 7–12
41.
Durvaux F, Standaert F-X, Veyrat-Charvillon N, Mairy J-B, Deville Y (2015)
Efficient selection of time samples for higher-order DPA with projection
pursuits. In: Mangard S, Poschmann AY (eds) Constructive side-channel analysis
and secure design - 6th international workshop, COSADE 2015, Berlin, Germany,
April 13–14, 2015. Revised selected papers. Lecture notes in computer science,
vol 9064. Springer, pp 34–50
42.
Prouff E, Rivain M, Bevan R (2009) Statistical analysis of second order
differential power analysis. IEEE Trans Comput 58(6):799–811
[MathSciNet][Crossref]
43.
Jolliffe IT (2002) Principal component analysis. Springer series in statistics.
ISBN: 0387954422
44.
Fisher RA (1936) The use of multiple measurements in taxonomic problems. Ann
Eugen 7:179–188, 01 (1936)
45.
Friedman J, Tukey JW (1974) A projection pursuit algorithm for exploratory data
analysis. IEEE Trans Comput c-23:881–889, 10 (1974)
46.
Bruneau N, Guilley S, Heuser A, Marion D, Rioul O (2015) Less is more -
dimensionality reduction from a theoretical perspective. In: Gü neysu T,
Handschuh H (eds) Cryptographic hardware and embedded systems - CHES 2015
- 17th international workshop, Saint-Malo, France, September 13–16, 2015,
Proceedings. Lecture notes in computer science, vol 9293. Springer, pp 22–41
47.
Wu W, Mallet Y, Walczak B, Penninckx W, Massart DL, Heuerding S, Erni F (1996)
Comparison of regularized discriminant analysis linear discriminant analysis
and quadratic discriminant analysis applied to NIR data. Anal Chim Acta
329(3):257–265
[Crossref]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
M. Ouladj, S. Guilley, Side-Channel Analysis of Embedded Systems
https://doi.org/10.1007/978-3-030-77222-2_3
3. Side-Channel Distinguishers
Maamar Ouladj1 and Sylvain Guilley2
(1) Paris 8 University, Paris, France
(2) Secure-IC, S.A.S., Paris, France
Maamar Ouladj
Email: ouladj.maamar@gmail.com
(3.1)
This statistical tool estimates how much two random variables (leakage
and model) are linearly dependent. The good guess of the key leads to
the highest value of the coefficient. This approach is introduced in the
SCA topic by Coron et al. in [8], then used in [9] and called the
Correlation Power Analysis (CPA) in [10].
(3.3)
The good guess of the key leads to the highest value of the covariance.
In fact, this distinguisher is none other than the numerator for the
Pearson coefficient. Similar to the CPA, one can compute an incremental
covariance distinguisher by
(3.4)
A lthough the meal lasted but a few minutes, much was said.
Harper and Altman developed a talkative streak and had much
to tell their guest. The three had been located at the station for more
than two months during a portion of which time “business was lively.”
Only a fortnight before, the cabin underwent a siege for three days
and nights from a large party of Piutes, who peppered the logs well.
They ran off a couple of ponies, but Harper and Jenkins recovered
both after a long pursuit.
The redskins circled about the structure and fired through the
windows, but did not harm any of the defenders, who picked off two
or three of them. Things might have turned out ill had not one of the
Express Riders carried the news to the nearest fort which hurried a
squad of cavalry to the spot.
There had been no trouble with the Indians since, though parties
now and then appeared in the distance as if reconnoitering. It was
not to be expected that they would remain tranquil much longer.
“What kind of a route is it to the next station?” asked Alden, when
the party had gone outside and he had mounted.
“Pretty much like what you’ve ridden over. Some stretches of good
ground, with plenty of ravines and gullies and two or three streams to
cross, but you couldn’t have a better season.”
“The pony seems to be a good one; I shall be satisfied if he is the
equal of Dick.”
“He’s tough and fast; I think he once belonged to a circus, for he
knows a good many tricks.”
“If he knows the trick of getting me through, neither I nor any one
else could ask anything more of him.”
Alden was about to start when he recalled the matter of the
cartridges. He gave his belt to Jenkins and accepted one from him. It
might seem a trifling thing that he should leave the heavier one
behind for the sake of the saving in weight, but such was the fact,
though the difference was slight. He could secure all the other
cartridges he might need from his friends.
“I must weigh twenty pounds more than Dick Lightfoot and
everything counts. What is the pony’s name?”
“Bucephalus,” was the amazing reply.
“Great Cæsar!” laughed Alden; “do you call him that?”
“’Ceph for short; well, good bye!”
Alden waved his hand and was off like a thunderbolt.
Our young friend was hardly out of sight of the little group who
stood watching him, when ’Ceph became playful. He had been
resting so long that he yearned for exercise and action. As an
introduction he reached around and nipped at the rider’s ankle. A
horse is quick to learn what kind of man holds the reins, and woe to
him whom the equine despises! Bucephalus would not have needed
any enlightenment had Harper or any one of the regular riders been
in the saddle, but he wasn’t sure about the lusty young fellow who
was trying to lord it over him.
When the head came about, and Alden saw what the pony meant,
he gave him a vigorous kick on the end of his nose. ’Ceph wasn’t
pleased with that, and after a brief wait tried to bite the other ankle.
Alden promptly kicked him harder than before.
Evidently that wasn’t the right way to overcome the conceited
young man, so what did Bucephalus do but suddenly buck? He
arched his back, jammed his hoofs together and bounced up and
down as if the ground had suddenly become red hot. Alden hadn’t
expected anything of the kind, and came within a hair of being
unhorsed. He saved himself, braced his legs and body and then let
the animal do his best or worst. The youth was sorry he had no
spurs, for he would have been glad to drive them into the sides of
the mischievous brute. The latter bucked until tired, then spun
around as if on a pivot and finally dashed off on a dead run.
Alden let him go unrestrained, knowing he was taking the right
course, for he saw plenty of hoof prints in the ground over which they
skimmed. It was not difficult for our young friend to keep his seat,
and he was rather pleased with the liveliness of the animal.
“There won’t be much of this left in you at the end of fifteen miles,
’Cephy, and I have no objection so long as it doesn’t block the
game.”
After a time it was plain the pony had given up the fight. He was
galloping steadily, as if like the others, he had but one ambition in life
which was to throw the miles behind him in the shortest possible
time. All the same, Alden was on his guard. There was no saying
what whim might enter the head of the brute. One of his kind will be
good for weeks with no other object than to throw a man off his
guard. It did not seem likely that such was the case with the animal
Alden was riding, though it might be so. He thought it more probably
due to a natural exuberance of spirits, which after a time would wear
off.
There was no perceptible change in the character of the country
through which he was riding until some four or five miles had been
traversed. The undulations were trifling and at the end of the
distance named, it may be doubted whether horse and rider were ten
feet higher or lower than at their starting point. The surface was
rough in many places, but not once did ’Ceph slacken his splendid
pace, which must have risen to twenty miles an hour. He had to
swerve and occasionally make rather long detours to avoid natural
obstacles, but he lost no time. Had the conditions lasted he would
have covered the fifteen miles well within three-fourths of an hour.
The pony slackened his pace, though still maintaining a gallop, for
the ground not only compelled him to veer first to the right and then
to the left, but took an upward turn. Following his rule of leaving his
animal to his own will, Alden did not touch the reins. The fact that
tracks showed on the right and left as well as in front indicated that
he was following a well-traveled course, though he could not discern
any traces of wagon wheels.
The sun had sunk behind the mountain range which towered to
the northwest and the jagged crests were tinted with the golden rays.
The scene was grandly beautiful, and though he had looked upon
many like it, Alden never lost his admiration of those pictures which
are nowhere seen in such majesty and impressiveness as in our own
country.
Well to the northward rose a peak, whose white crest showed it
was always crowned with snow. Seen in the distance the spotless
blanket had a faint bluish tint, caused by the miles of pure,
intervening atmosphere. Although the range to his left did not sweep
around far enough to cross the course he was pursuing, Alden could
not help wondering whether a turn in the trail would not force him to
pass through the spur as he had done in the case of the lesser range
behind him.
“If it is so, there must be a pass, for many others have traveled this
road before me.”
It seemed that he ought to overtake some emigrant train, since
hundreds of them were plodding westward, and his speed was much
greater than theirs. But he saw no more evidence of other persons
about him than if he were in the midst of an unknown desert. He
might as well have been the only horseman or footman within a
thousand miles of the spot.
It was with a queer sensation that once more scanning the ridge to
the northwest, Alden distinguished a column of smoke climbing into
the sky, just as he had discerned one earlier in the afternoon. He had
not yet decided in his own mind whether the former bore any relation
to his passage through the gorge, and he was equally uncertain
about the signal that now obtruded itself. He brought his binocular to
bear, and with ’Ceph on a rapid walk, spent several minutes in
studying the vapor. The result was as in the previous instance,
except that the fire which gave off the smoke appeared to be burning
among a clump of pines instead of behind a pile of boulders. Once or
twice in the gathering gloom he fancied he detected the twinkle of
the blaze; but if so, the fact gave him no additional knowledge of the
puzzling question.
It cannot be said that he felt any misgiving, so long as the course
of the pony did not lead him toward the signal smoke which may not
have been a signal after all. Wandering bands of Indians must have
had frequent need of fires for preparing food, and it would seem that
more of them ought to have been seen by the horseman.
’Ceph was still walking. Although the steepness had declined, he
showed no disposition to increase his pace. Alden was surprised, for
it was not that way with Dick. The viciousness shown by the pony
lowered him in the esteem of the youth. He could not shake off the
suspicion that the ugly spirit would show itself again, even though
the animal had been conquered for the time.
For the last fifteen minutes, Alden was conscious of a dull, steady
roar which gradually increased as he went on. He was drawing near
the cause and must soon learn its nature. He was still wandering and
speculating, when he caught the gleam of water through the sparse
willows that lined the trail.
“Jenkins told me I should have to cross some streams and this
must be one of them.”
So it proved. A minute later, the animal came to the margin of a
swift creek which flowed at right angles to his course. In the
obscurity of the settling night, Alden made out the farther bank,
which was about a hundred yards away. A growth of willows showed,
and ’Ceph hesitated with outstretched nose, as he snuffed the
ground. Instead of entering the water at once, he moved to the right
for several rods and stopped again. He was looking for the ford, from
which fact his rider judged they were off the regular trail. Leaning
over in the saddle he scrutinized the ground. He saw no signs of
hoofprints or tracks of wagon wheels.
He did not interfere with the horse, who, having passed the brief
distance, began snuffing again and gingerly stepped into the stream.
When the water came to his knees, he paused long enough to drink
and then resumed feeling his way across.
With the setting of the sun, the temperature had fallen a number of
degrees. Alden was warmly clothed, but had no blanket. When he
left the train in company with Jethro he expected to rejoin his friends
before the close of the afternoon and a blanket would have been an
incumbrance, but quite acceptable now.
“I hope ’Ceph won’t have to swim,” he said, with a shudder: “I shall
be chilled, for I know the water is icy, but there’s no help for it.”
The roar that had caught his attention some time before sounded
on his left in the direction of the ridge, where the signal fire was
burning. The explanation was clear: the stream issued from some
gorge or tumbled over rapids or falls, and gave out the noise that
was audible for a long distance in the stillness of approaching night.
The pony felt his way carefully, with nose thrust forward,
occasionally snorting and not bearing down until he found the bottom
with his advanced hoof. Once he slipped, but instantly recovered
himself.
Alden waited till his feet were within a few inches of the surface.
Then he slipped them out of the stirrups and drew them up in front.
Deprived thus of his “balancing poles,” a quick flirt of the pony to one
side would have flung him into the water, but ’Ceph, if he was aware
of it (and it would seem he ought to have been), did not seize the
chance.
Half the distance was passed and the dangling stirrups dipped.
Would the good fortune continue all the way across?
It did. The stream shallowed, and increasing his pace, the pony
stepped out on the other bank, with the moisture dripping from his
fetlocks. Only the lower part of his body, however, had been wetted.
Alden himself was dry even to the soles of his shoes.
“Thank fortune!” he exclaimed; “I hope we shall have the same
luck at the next stream. Now we’re off again, old fellow.”
As nearly as the rider could judge, he had ridden half the distance
to the next station. If he were right, seven or eight miles remained to
be traversed. He was doing well but why did not ’Ceph “let himself
out,” when the ground was favorable? He still walked, though ever
stepping rapidly, with head dipping with each fall of the hoof.
For the first time, Alden broke the rule which had governed him
heretofore: he spoke sharply to the pony and jerked the bridle rein.
The animal instantly responded with a gallop which he kept up for a
half mile, when he dropped again to a walk. And before he did this,
his rider discovered to his consternation that he was going lame.
The limp showed more plainly when he was walking, and was
steadily aggravated until the progress became painful to the rider. He
was of a merciful disposition and could not bear the sight of suffering
in a dumb creature. He stopped the horse and dropped from the
saddle.
“I shall be in a fine fix if you give out, ’Ceph, not knowing the way
to the next station nor to the one we have left, but I am more sorry
for you than for myself.”
The animal was bearing his weight on three legs, the tip of the
right fore hoof just touching the ground. He seemed to be suffering,
and favored the disabled leg all he could. Speaking soothingly, Alden
gently passed his hand down the graceful limb from the bent knee to
the fetlock. Although he used only the weakest pressure, ’Ceph
winced when the friendly fingers glided over the slim shank, as if the
touch was painful.
“There’s where the trouble is,” he decided; “he must have strained
a tendon, though I don’t feel any difference.”
With infinite care and tenderness Alden fondled the limb, and
’Ceph showed his appreciation by touching his nose to his shoulders
as he bent over his task. The youth increased the pressure and
rubbed more briskly. The action seemed to give relief, and by and by
the pony set the hoof down on the ground and stood evenly on his
four legs.
Hoping that the trouble had passed, Alden walked backward a few
steps and called upon ’Ceph to follow. He obeyed and stepped off
without the slightest evidence of trouble. The rider’s hopes rose
higher.
“If you will lead I’ll be glad to follow; it won’t do—”
His heart sank, for hardly half a dozen steps were taken when
’Ceph limped again: the halt grew more pronounced, and suddenly
he hobbled one or two steps on three legs, holding the remaining
hoof clear of the ground as he did so.
“That settles it,” said his master; “you may be able to reach the
station without any load by resting often, but it will be hard work.”
In the effort to aid the sufferer, Alden now removed the saddle and
mail pouches. With his rifle they formed quite a burden, but he was
strong and rugged, and knew he could carry them as fast and
probably faster than his companion would travel.
“I ought to leave you here,” reflected the youth, “and I should do
so, if I knew my way: I need you as a guide and shall have to suit my
pace to yours.”
Once more he nursed the foreleg and after a time, ’Ceph set it
down. He hobbled forward a score of paces before the limp
reappeared. After that he kept it up until his master called to him to
stop.
It looked as if the mustang understood what was asked of him,
and was doing his utmost to grant it. Alden kept at his side, and as
soon as he paused, patted his neck and spoke encouragingly.
’Ceph rested but a few minutes when he resumed his walk without
any word from his master. The latter with amazement noted that the
animal’s gait improved. He stepped off with increasing speed. Soon
no limp was perceptible: he walked as well as ever!
“Good!” called Alden; “you’ve got pluck; I take back all I said
against you. Whoa! whoa!”
Instead of obeying the youth hurrying at his heels, ’Ceph broke
into a gallop and speedily passed from sight. Alden kept up the
useless pursuit until exhausted. Then he stopped disgusted and
angered. He understood the whole business.
It has been said that Bucephalus once belonged to a circus. He
had been a trick pony and remembered several things. One of them
was to get rid of a rider whom he disliked by pretending to be lame.
He had worked the stratagem upon Alden Payne, who when too late
saw through the whole mean business.
CHAPTER XIX
A BLESSING IN DISGUISE
S everal facts saved Alden Payne from drowning. In the first place,
the deep hole into which he stepped was only three or four feet
across. The space was so slight indeed that his own momentum in
walking threw him against the other side, where the water was
shallower than before. Moreover, he was a powerful swimmer, but
the strongest swimmer that ever lived could not sustain himself when
incumbered by such heavy clothing, two mail pouches and a rifle.
The youth promptly let go of the weapon, but clung to Uncle Sam’s
property as if it were his very life. It was a desperate struggle but
when he floundered to his feet he held the bags intact and they were
with him as he stepped out upon the bank.
His gun was gone beyond recovery, but he had his revolver, which
like the contents of his match safe was not affected by the
submersion. It could be fired as readily as before, though it was a
weak substitute for the gun that was gone.
But his plight could not have been more dismal. He was wet to the
skin by the frigid water which made his teeth chatter, and the night
had grown so cold that he must do something quickly to save himself
from perishing. Two plans offered themselves. His first thought was
to hunt a sheltered spot, gather wood and start a vigorous blaze, but
a minute’s reflection showed him that would never do. Leaving out
the danger of such action, the largest fire in the open would do little
good. With no blanket, his clothing saturated and most of the warmth
going to waste, he would only make his condition more miserable.
He might pivot his body to the blaze, but he would always be chilled.
It would take a long time to collect enough fuel, and he would have
to keep the fire going throughout the night.
The only thing that could save him was exercise. The healthful,
reviving glow must come from within, and that had to be generated