Improved first-order power analysis attacks on low entropy masking schemes

Abstract

We validate the efficiency of this attack using side-channel measurements publicly available from the DPA Contest V4. We demonstrate that an attack modeling leakage using leakage sets can recover an encryption key with efficacy comparable to an attack on an unprotected device. The leakage set model can be used in combination with mutual information analysis (MIA) and Kolmogorov-Smirnov analysis (KSA). MIA using a leakage set model can successfully recover a key using 52.1% - 53.5% of the leakage measurements needed to achieve similar results using MIA with a Hamming weight model. Likewise, leakage sets require as low as 16.4% - 16.6% of the measurements needed to perform a successful KSA using a Hamming weight model.

Masking countermeasures are effective methods of protecting encryption algorithms from side-channel attacks; however, a masked cipher incurs a significant overhead in performance and memory consumption. Low entropy masking schemes (LEMS) have been proposed to provide a significant reduction in the overhead associated with masking while maintaining resistance to side-channel attacks. While effectively eliminating the linear dependence between the sensitive data on a cryptographic device and the information leakage, LEMS permit non-linear residual leakage to remain.

Previous works have demonstrated attacks that exploit this non-linear leakage; however, each prior investigation fails to demonstrate an attack with efficacy comparable to an attack on an unprotected device. In this work, we demonstrate a non-profiled, univariate attack on LEMS that models the information leakage based on the set of all values leaked by a device with a given internal state. This leakage set model can lend a significant advantage to an attacker over commonly used models such as the Hamming weight model.