Cryptology ePrint Archive: Report 2017/283

On the Easiness of Turning Higher-Order Leakages into First-Order

Thorben Moos and Amir Moradi

Abstract: Applying random and uniform masks to the processed intermediate values of cryptographic algorithms is arguably the most common countermeasure to thwart side-channel analysis attacks. So-called masking schemes exist in various shapes but are mostly used to prevent side-channel leakages up to a certain statistical order. Thus, to learn any information about the key-involving computations, a side-channel adversary has to estimate the higher-order statistical moments of the leakage distributions. However, the complexity of this approach increases exponentially with the statistical order to be estimated, and the precision of the estimation suffers from an enormous sensitivity to the noise level. In this work we present an alternative procedure to exploit higher-order leakages that is appealing for its simplicity and effectiveness. Our approach, which focuses on (but is not limited to) univariate leakages of hardware masking schemes, is based on categorizing the power traces according to the distribution of leakage points. In particular, at each sample point an individual subset of traces is considered to mount ordinary first-order attacks. We present the theoretical concept of our approach based on simulation traces and examine its efficiency on noisy real-world measurements taken from a first-order secure threshold implementation of the block cipher PRESENT-80, implemented on a 150 nm CMOS ASIC prototype chip. Our analyses verify that the proposed technique is indeed a worthy alternative to conventional higher-order attacks and suggest that it might be able to relax the sensitivity of higher-order evaluations to the noise level.
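The following simulation, added here as an illustration and not taken from the paper, shows the principle the abstract describes from an evaluator's perspective: a first-order Boolean masked nibble whose two shares are processed in the same clock cycle is invisible to a first-order fixed-vs-random Welch t-test over all traces, but re-running the same first-order test on the subset of traces selected by their leakage value at that sample point exposes the leakage. The leakage model (Hamming weight of both shares plus Gaussian noise) and the categorization rule (keep traces above the pooled median) are assumptions chosen for this example; the paper's own categorization may differ.

```python
import random
import statistics

def hw(x):
    """Hamming weight of a nibble."""
    return bin(x & 0xF).count("1")

def simulate_traces(n, fixed_nibble, sigma, rng):
    """Constructed leakage model (assumption): a Boolean-masked nibble v is
    processed as two shares (m, v ^ m) in one clock cycle, so a single sample
    point leaks HW(m) + HW(v ^ m) plus Gaussian noise with std dev sigma.
    Returns n samples for a fixed v and n samples for uniformly random v,
    i.e. the two groups of a fixed-vs-random (TVLA-style) leakage assessment."""
    fixed, rnd = [], []
    for _ in range(n):
        for v, out in ((fixed_nibble, fixed), (rng.randrange(16), rnd)):
            m = rng.randrange(16)  # fresh uniform mask per trace
            out.append(hw(m) + hw(v ^ m) + rng.gauss(0.0, sigma))
    return fixed, rnd

def welch_t(a, b):
    """Welch's t-statistic for the difference of the two sample means."""
    va = statistics.variance(a) / len(a)
    vb = statistics.variance(b) / len(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / (va + vb) ** 0.5

def categorize(samples, threshold):
    """Keep only the traces whose leakage at this sample point is above
    threshold; this is the per-sample-point trace subset of the approach."""
    return [s for s in samples if s > threshold]

def first_order_vs_categorized(n=20000, fixed_nibble=0x0, sigma=1.0, seed=1):
    """Return (t over all traces, t over the categorized subset).
    Both means equal 4 regardless of v, so the first value stays below the
    usual 4.5 threshold; conditioning on the leakage value makes the mean
    depend on HW(v), so the second value exceeds it by a wide margin."""
    rng = random.Random(seed)
    fixed, rnd = simulate_traces(n, fixed_nibble, sigma, rng)
    t_all = welch_t(fixed, rnd)
    # Categorization rule (assumption): split at the pooled median of the
    # leakage at this sample point and re-run the first-order test on the
    # upper half only.
    thr = statistics.median(fixed + rnd)
    t_sub = welch_t(categorize(fixed, thr), categorize(rnd, thr))
    return t_all, t_sub

if __name__ == "__main__":
    t_all, t_sub = first_order_vs_categorized()
    print(f"first-order t (all traces):        {t_all:+.2f}")
    print(f"first-order t (categorized subset): {t_sub:+.2f}")
```

In a real evaluation the categorization is applied independently at every sample point of the trace, so the same first-order test machinery can be reused across the whole trace.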

Category / Keywords: implementation / side-channel analysis, masking, higher-order

Original Publication (in the same form): COSADE 2017

Date: received 27 Mar 2017

Contact author: Thorben Moos at rub de


Version: 20170330:124637 (All versions of this report)

Short URL: ia.cr/2017/283
