2010 Reports : Cryptology ePrint Archive Forum

**Re: Cryptanalysis of 2010/523.**

Discussion forum for Cryptology ePrint Archive reports posted in 2010.
Please put the report number in the subject.

Cryptanalysis of 2010/523.

Posted by: **fpautot**

Date: 18 October 2010 07:47

I see no difficulty in cryptanalyzing this linear masking, e.g. estimating Z(k,m) from side-channel signals L1, L2 and L3.

Let O1, O2 and O3 be the parameters of the side-channel models for L1, L2 and L3 resp., e.g. mus and sigmas for Gaussian models (why are the authors so reluctant to introduce parametric side-channel models?)

You just need to write down the joint direct pdf for a single encryption:

p(L1,L2,L3|U1,U2,K,m,O1,O2,O3,I)=

p(L1|U1,U2,k,m,O1,O2,O3,I)p(L2|U1,U2,k,m,O1,O2,O3,I)p(L3|U1,U2,K,m,O1,O2,O3,I) (conditionally mutually independent noises)

=p(L1|U1,O1,I)p(L2|U2,O2,I)p(L3|U1,U2,k,m,O3,I)

p(L3|U1,U2,k,m,O3,I)=p(L3|U3,O3,I)

with U3(U1,U2,k,m)=Z(k,m)^-1.(U1 XOR U2) by eq.4

That's it! The rest is given in 2008/208 that deals with arbitrary masking schemes:

p(Z|M)=sum_U1,1 ... sum_U1,N sum_U2,1 ... sum_U1,N integral_01 integral_02 integral_03...

the real thing.

Of course, if you ignore relevant papers, reject your masters (e.g. Shannon) and don't use the proper tools, it's more difficult.

F. Pautot

Posted by: **fpautot**

Date: 18 October 2010 07:48

Sorry, read 2008/508 instead of 2008/208 in the previous post.
