Side-Channel Leakage Detection with One-Way Analysis of Variance

Yang, Wei; Jia, Anni

doi:https://doi.org/10.1155/2021/6614702

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Experimental Results and Discussion Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Multimodality Data Analysis in Information Security

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 6614702 | https://doi.org/10.1155/2021/6614702

Side-Channel Leakage Detection with One-Way Analysis of Variance

Wei Yang¹and Anni Jia¹

Academic Editor: Liguo Zhang

Received01 Jan 2021

Revised07 Feb 2021

Accepted25 Feb 2021

Published05 Mar 2021

Abstract

Side-channel analysis (SCA) is usually used for security evaluation to test the side-channel vulnerability of a cryptographic device. However, in practice, an analyser may need to cope with enormous amounts of side-channel measurement data to extract valuable information for SCA. Under the circumstances, side-channel leakage detection can be used to identify leakage points which contain secret information and therefore improve the efficiency of security assessment. This investigation proposes a new black-box leakage detection approach on the basis of the one-way analysis of variance (ANOVA). In accordance with the relevance between leakage points and inputs of a cryptographic algorithm, the proposed method divides side-channel samples into multiple classes and tests the difference among these classes by taking advantage of the one-way ANOVA. Afterwards, leakage points and nonleakage points can be distinguished by determining whether the null hypothesis is accepted. Further, we extend our proposed method to multichannel leakage detection. In particular, a new SCA attack with a -statistic-based distinguisher is capable of developing if the input of the leakage detection approach is replaced by a sensitive intermediate variable. Practical experiments show the effectiveness of the proposed methods.

1. Introduction

Side-channel analysis (SCA) applies the physical leakage signals (e.g., sound, power consumption, electromagnetic radiation, and the like) of a running cryptographic device for retrieving the secret information [1–4]. Due to the efficiency and easy achievement, SCA has been a serious threat to cryptographic devices, but at the same time, SCA can also be used to evaluate the side-cannel resistance of these devices. In practice, SCA usually needs numerous leakage traces for security evaluation. That may lead to a fairly high computation complexity and significantly reduce the efficiency of the assessment. Therefore, side-channel leakage detection is proposed to reduce the computation complexity of security evaluation and improve the efficiencies of SCA attacks [5, 6].

Points in a side-channel signal can be grouped into two sets: leakage points and nonleakage points [6]. Leakage points contain sensitive information related to the key used in a crypto device and can be utilized by SCA. By contrast, nonleakage points include useless information for SCA. The task of leakage detection is to find the leakage points in side-channel measurements. Generally, the existing leakage detection methods view leakage points as the outliers in the measurement data and use differing statistics to winnow them. A simple way is to exploit the SCA distinguisher output as the statistic; any point with a high score is assigned to the leakage point set [7]. Additionally, a major category of leakage detection is based on the hypothesis test and identifies the “outliers” through computing a test statistic and a significance level. For example, the typical Test Vector Leakage Assessment (TVLA) methodology searches the leakage points by exploiting Welch’s -test. The TVLA checks the -statistic over the same time instants. If the value of the statistic is greater than the threshold determined by a prespecified significance level, the corresponding point will be regarded as a leakage point. Some similar leakage detection approaches are also proposed, such as leakage detection based on mutual information [8], the correlation-based -test [9], the paired -test [10], leakage detection with -test [11], and the rest. Besides, a method based on normalized interclass variance and a new approach based on the constant parameter channel model [12] are investigated as well.

Nevertheless, some of the aforementioned methods need numerous traces to highlight the difference between leakage points and nonleakage points [11, 13], some methods need the knowledge of leakage models [7, 13], some require the low-noise measurements [11] or carefully chosen inputs [5, 9, 10], some need complicated calculation [8, 12], and so forth.

In sight of the limitations of the previous work, this paper proposes a black-box leakage detection approach based on the one-way analysis of variance (ANOVA). The main idea of the proposed method is that side-channel leakage samples at one point depend on the corresponding inputs of a cryptographic algorithm. That is, the same input yields the same leakage, while two differing inputs lead to two differing leakages. Consequently, according to the relevance between the leakage points and inputs of the algorithm, side-channel samples can be divided into multiple groups. These groups corresponding to a leakage point are supposed to have a statically significant difference because that variations of the inputs and the corresponding side-channel leakages are synchronous. On the contrary, the groups corresponding to a nonleakage point should have a statistically insignificant difference. Then, leakage points can be detected by the one-way ANOVA which is used for testing the difference of multiple groups.

The proposed method relies only on the inputs (i.e., plaintext or ciphertext) of the cryptographic algorithm and the corresponding side-channel samples. Hence, it is unnecessary to acquire any in-depth knowledge of the cryptographic algorithm implementation and the leakage model of a device. Moreover, it has no special requirements for the inputs and measurements and can be performed rapidly.

Further, we develop a new SCA distinguisher by changing the input of the proposed leakage detection approach. The effectiveness of the SCA attack using the distinguisher is verified by two practical experiments.

The rest of the paper consists of four sections, including the preliminaries (Section 2), the proposed method and its extensions (Section 3), the experimental results and analysis (Section 4), and the conclusion (Section 5).

2. Preliminaries

2.1. Side-Channel Leakage Detection

Side-channel leakage detection is used to detect the information leakage in a specific side-channel [5]. Unlike SCA attacks, leakage detection needs not to distinguish the correct key used in a cryptographic implementation from the other incorrect key guesses. Its task is to find key-dependent sample points (i.e., leakage points) in a side-channel leakage trace. That is to say, the output of leakage detection is a set of points of interest, which are corresponding to the formative moments of leakages related to secret information. Leakage detection is an important part of the side-channel evaluation and provides a preliminary result for further analysis or advanced assessment.

2.2. Test Vector Leakage Assessment

Test Vector Leakage Assessment (TVLA) methodology is a classical and extensively used technology for side-channel leakage detection. The basic assumption of TVLA is that leakage points and nonleakage points belong to two normally distributed populations, respectively. Then, an analyser can distinguish leakage points from nonleakage points by using Welch’s -test to compare the parameters of these two populations.

The TVLA methodology includes two methods, that is, specific -test and nonspecific -test [5, 13, 14]. For the specific -test, the side-channel traces are divided into two sets in accordance with the value of a single bit of a targeted intermediate key-dependent variable. If the two trace sets are considered as two normally distributed populations, Welch’s -test can be applied to detect side-channel information leakage by testing the difference of the two population means over each time instant in the traces. The -statistic is shown as follows:where and are the two trace sets, , , , , , and are the means, variances, and size of and , respectively. If the value of -statistic at one time instant exceeds the threshold determined by the degrees of freedom and a prespecified significance level, the point will be categorized as a leakage point. Otherwise, the point will be categorized as a nonleakage point.

For the nonspecific -test, it needs to acquire two groups of side-channel measurements with the same size to apply for the pairwise -test. One set of traces corresponds to a fixed input, and the other corresponds to random inputs. If one point in time for which the value of -statistic is beyond that threshold, the point will be selected as a leakage point. If the corresponding -statistic is within the bounds determined by that threshold, the point will be marked as a nonleakage point.

2.3. Leakage Detection with -Test

The leakage detection with the -test can be regarded as a complement to TVLA [11]. The core idea of this approach is to apply the -test of independence to check the association between the input groups (i.e., plaintext or ciphertext) and the measured leakage points.

The -test of independence is also named the -test of association. It is a nonparametric test to determine whether two categorical variables are related or independent. The statistic for the -test of association is computed aswhere represents the number of the input groups (i.e., plaintext or ciphertext), represents the number of the measured leakage points, denotes the total number of the observations of two categorical variables, and denote the number and the frequency of concurrence of the observations of two categorical variables, respectively.

Similarly, if one point in time for which the value of -test exceeds the threshold determined by the degrees of freedom and a prespecified significance level, the point will be incorporated into the leakage points. Otherwise, the point will be incorporated into the nonleakage points.

2.4. One-Way Analysis of Variance

One-way analysis of variance (one-way ANOVA) can be seen as a generalization of Welch’s -test. Where Welch’s -test would be applied for comparison of group means of two normally distributed populations, one-way ANOVA is applied for the comparison of multiple group means [15, 16]. It assumes that samples in each group are independently drawn from a normally distributed population, and all populations have the same variance. The test statistic iswhere represents the number of the input groups, denotes the total number of the samples in all groups, denotes the sum of squares between groups, that is, the between-group variation, and denotes the residual variance within groups, that is, the within-group variation. If the value of -statistic is beyond the threshold, it states that all populations own the same mean value.

3. The Proposed Method

In this section, one-way ANOVA is applied for leakage detection, including monochannel and multichannel leakage detection. In addition, a novel SCA distinguisher is developed to serve for key recovery attack as well.

3.1. Side-Channel Leakage Detection with One-Way ANOVA

What the one-way ANOVA investigates is the influence of a numerical or categorical input variable on a numerical dependent variable. For a cryptographic implementation, the side-channel leakage samples depend on the inputs and the secret key of the crypto algorithm (i.e., plaintext or ciphetext). Since the key is usually changeless in a short period of time, the leakage data can be viewed as the numerical response data of a variable which relies on the inputs. Additionally, the possible values of the plaintext or ciphertext of a crypto algorithm are limited and can be categorized into multiple classes. Therefore, it is possible to detect leakage points by exploiting the one-way ANOVA.

Suppose that there are side-channel leakage traces. They are collected from a running crypto device and correspond to random plaintext (or ciphertext) with the same key. At one point in time, these traces can be grouped into groups according to the inputs of the crypto algorithm, and the group consists of samples, scilicet , . Let denote the normally distributed populations corresponding to the groups, respectively. That is,where represents the normal distribution with mean and variance , , .

For a leakage point in time, the corresponding leakage should be varied with the input variable of the crypto algorithm. Consequently, at this point, the leakage samples in all groups drawn from the populations should be statistically distinguishable. In other words, the means of these populations should have a significant difference. On the contrary, for a nonleakage point, the corresponding samples contain no information about the secret key. As a result, the variation of the samples should be random at this point. In this case, the samples in all groups drawn from the populations should be statistically indistinguishable. Namely, the means of these populations should have a statistically insignificant difference.

On the basis of the above-mentioned inference, we can perform leakage detection by using the one-way ANOVA. Table 1 depicts the data organization of the one-way ANOVA. Hence, the between-group variation and the within-group variation in equation (3) can be, respectively, rewritten aswhere means the sample mean of the group. Obviously, the expectation of is equal to . It can be viewed that the between-group variation indicates the difference between each group mean and the total sample mean, and the within-group variation indicates the difference between the samples in a group and the group mean. If is much greater than , it states that there is a significant difference among all groups, and these populations are unlikely from the same normal population. From this viewpoint, it is reasonable to apply the one-way ANOVA for leakage detection, because the samples corresponding to leakage points contain information about multiple input data and can be deemed to come from different populations, while the samples corresponding to nonleakage points include random data information and can be considered to come from the same population.

The threshold for the hypothesis test iswhere denotes the significance level and and represent the distribution and the degrees of freedom, respectively. Points which exceed the threshold are acceptable as the leakage points, while the other points within the bound determined by the threshold are classified as the nonleakage points. The whole test procedure is described as follows: Initially, for each point in time, divide the side-channel samples at this point into multiple groups according to the corresponding plaintext or ciphertext. Secondly, compute the value of -statistic in accordance with equations (3), (5), and (6). Finally, compare the -statistic with the threshold in equation (7), and mark the point as a leakage point () or a nonleakage point ().

The proposed leakage detection algorithm (LD_ANOVA for short) is elaborated in Algorithm 1. The symbol denotes a matrix constructed by side-channel traces in row, denotes the corresponding plain text or cipher text set, and denotes the significance level. Further, can be represented by the following formula:

	Input: , , and
	Output: leakage point set
(1)
(2)	For // denotes the number of points per trace
(3)	, , , ,
(4)	Divide the column of into groups according to the samples of
(5)	For
(6)
(7)	End
(8)	// denotes the element of the vector .
(9)
(10)
(11)
(12)	End
(13)	Return: .

3.2. Extension to Multichannel Leakages

Generally, a crypto device in operation leaks multiple types of side information simultaneously. Consider that multichannel leakages usually contain much more potential key-dependent information than monochannel leakage [17], and it is feasible for an analyser to collect these leakages from multiple channels in practice; we also investigate how to enhance the leakage detection result by utilizing multichannel leakages.

To make the proposed detection approach in the previous section apply to the case of multichannel leakages as well, a preprocessing step aiming at transforming the multichannel leakage sets into a fused leakage set is needed. Based on the types of crypto implementations, there are different methods to perform the transform [17]. For instance, it is suitable to use the treatment of Simple Fusion Attack (SFA) to perform transform, if multichannel measurements are acquired from a crypto implementation with a few leakage points. And the fusion way of Fusion Attack Based Singular Value Decomposition (SVD_FA) may be a better fit for an implementation with multiple leakage points [17].

Algorithm 2 describes the proposed leakage detection algorithm for multichannel leakage detection. In the algorithm, the pseudocode in the first row means that, according to the leakage characteristic of a crypto implementation, applying a function Tr to transform the multichannel leakage sets ML into a monochannel leakage set L and transform the multichannel input sets MX into a monochannel input set X corresponding to L. The operator indicates the corresponding transform.

	Input: , , and
	Output: leakage point set
(1)	,
(2)	On the basis of and , apply Algorithm 1 to detect leakage points
	Return: .

3.3. SCA Distinguisher Based on One-Way ANOVA

Interestingly, we find that if we group the side-channel leakage samples in Table 1 in accordance with the values of a targeted intermediate variable, we can develop a novel SCA distinguisher to perform key recovery.

The idea is that the difference of means among all groups is supposed to be the most significant when the leakage data is categorized correctly. As compared to the correct key, the wrong key candidates will make the samples in the same group scattered in disparate groups and therefore make the difference of all populations indistinguishable and the leakage information related to the correct key hidden. Hence, the SCA distinguisher can be defined as follows:

In equation (9), and denote the candidates of key and the key guess, respectively. In addition, represents the -statistic function in equation (3).

Naturally, a new SCA method yields. Its details are shown in Algorithm 3.

	Input: , , and
	Output: key guess
(1)	Select a targeted intermediate variable
(2)	For
(3)	Calculate the intermediate values in accordance with the samples of
(4)
(5)	For
(6)	, ,
(7)	Divide the column of into groups according to the target intermediate values
(8)	For
(9)
(10)	End
(11)
(12)
(13)	End
(14)
(15)	End
(16)
	Return:

4. Experimental Results and Discussion

4.1. Monochannel Leakage Detection

To access the effectiveness of the proposed detection approach (i.e., LD_ANOVA), we collected two sets of side-channel traces to perform monochannel leakage detection at first. These two side-channel leakage sets include 30, 000 power traces acquired from an unprotected AES-128 encryption algorithm running on FPGA (Xilinx Kintex-7) and 5, 000 power traces acquired from a masked AES-128 encryption algorithm running on an embedded 8-bit MCU. The FPGA implementation belongs to a parallel hardware implementation, while the MCU version is a serial software implementation. The traces are all corresponding to random inputs. Parameters of the leakage acquisition are listed in Table 2.

Figures 1 and 2 show the detection results of the FPGA implementation by the proposed method and the other two typical detection methods. The two selected approaches used for comparison are the TVLA technology [13] and its complement, namely, the leakage detection with the -test (LD_CS for short) [11]. Compared with the nonspecific -test, the specific -test can offer higher confidence of detection at a lower cost [18]; the paper uses the latter -test as the comparison. All values of the significance level in the three aforementioned methods for leakage detection are set to 0.0001 to obtain results at a confidence of 99.99% [5]. Note that, the red-dashed lines in all figures represent the thresholds determined by the significance level .

(a)

(b)

(c)

(d)

(e)

(f)

(a)

(b)

(c)

It can be seen that our proposed approach performs better than the other methods. For instance, LD_ANOVA is capable of finding the first leakage point by exploiting 10, 000 traces. In this case, both the TVLA and LD_CS fail to detect any leakage point. Moreover, LD_ANOVA always identifies more leakage points than the TVLA and LD_CS. A comparison for the number of leakage points detected by these three methods is listed in Table 3 (rows 2, 6, and 10). In order to accurately evaluate the efficiency of the proposed method, the false positive points (i.e., the detected nonleakage points, denoted as ) and the false negative points (i.e., the undetected leakage points, denoted as ) are shown in Figure 3. Likewise, the number of the detected “real” leakage points are investigated (denoted as ). Naturally, the coverage rate of the “real” leakage points, the false positive rate, and the false negative rate are also calculated and illustrated in Figure 3. These three metrics are defined as follows:where means the leakage point set of an implementation; D means the detected leakage point set; “” denotes the cardinality of a set; and , , and represent the false positive rate, the false negative rate, and the coverage rate, respectively. It is noted that an efficient detection method should lead to lower and and higher as compared to an inefficient method. From the data in Table 3, it can draw a conclusion that the proposed method is more efficient than the other two.

(a)

(b)

(c)

(d)

(e)

(f)

For the masked implementation, before applying for the detection approaches, the side-channel samples are recombined by the normalized product function to eliminate the influence of Boolean masking [19]. The preprocessing function computes the product of the leakages corresponding to the masked intermediate variable and the masking variable as the leakage of the key-dependent variable so that leakage points can be matched with the inputs. Figures 3 and 4 illustrate that LD_ANOVA still exhibits the best performance. For example, it marks 38 points as leakage points when the TVLA finds one leakage point by using 1,000 traces. Although these points contain plenty of nonleakage points, there are still 20 leakage points. Due to the limited number of traces, the detection result is changeable; for example, only 4 leakage points are discovered when we use 3,000 traces to execute LD_ANOVA. The number of the detected leakage points increases with the increasing traces; for example, 39 leakage points are identified when 5,000 traces are used. The information of leakage points detected by the three methods is described in Table 4. The three rates defined in equations (10)–(12) are demonstrated in Table 4 as well. The results lead to a similar inference to the first experiment.

(a)

(b)

(c)

Besides, the coverage rate in Table 4 becomes higher than that in Table 3 when all the traces are used. The cause of this phenomenon is that the FPGA implementation is a parallel implementation which makes the collected traces include more switching noise [20] as compared to the 8-bit MCU implementation.

It is noted that LD_CS fails to distinguish leakage points from nonleakage points in the above two experiments. The reason is that the method needs to divided leakage samples into multiple bins before performing the test of independence, and the process is vulnerable to the noise in the side-channel traces, which will influence the detection efficiency [12]. The reason that LD_ANOVA shows a better performance than the TVLA is because the former divides side-channel samples into more than two classes according to the input classes and obtains much more information about the relevance between the two.

4.2. Multichannel Leakage Detection

Consider that multiple types of leakages of a running cryptographic device can be collected from multiple side channels, which may expose much more information that monochannel SCA cannot utilize; the proposed method is used for multichannel leakage detection as well. We simultaneously collected 30, 000 and 5,000 electromagnetic (EM) traces from the FPGA and MCU implementations in the previous section (Section A, Section 4), respectively. Due to the fact that the oscilloscope we used in the experiments can only collect the power traces and the EM traces with the same sample rate, the sample rates of these two EM trace sets are set to be the same as the sample rates of the corresponding power traces (viz., 5G Sa/s and 1G Sa/s). The sample rates are experimentally selected to ensure both the power and EM trace sets contain adequate leakage information for side-channel analysis.

Figure 5 depicts an example of multichannel leakage detection for the FPGA implementation. The fused trace set is obtained by the nonnegative matrix factorization-based leakage fusion [17]. Two monochannel detection results by utilizing the power leakage and the EM leakage are also illustrated in the figure. As shown in Figure 5, multichannel leakage detection performs better than any monochannel leakage detection.

(a)

(b)

(c)

Figure 6 compares the union of the detected power leakage points and the detected EM leakage points to the result of the multichannel leakage detection by exploiting fused traces. It can be viewed that the fusion of monochannel leakages makes a mass of potential monochannel leakage points exposed. For instance, 341 leakage points are identified when the multichannel detection uses all fused traces, while the monochannel detection only identifies 50 and 61 leakage points, respectively. Furthermore, the fusion of the differing channel makes the influence of the switching noise in the traces significantly reduce and the coverage rate significantly increase. More detailed data is illustrated in Table 5.

The detection results for the 8-bit MCU implementation draw a similar conclusion. Similarly, the corresponding details are described in Table 6.

4.3. Runtime and Memory

To ensure that our proposed method can be efficiently performed for practical evaluation, the runtime and memory of the proposed approach are investigated experientially. We perform a monochannel leakage detection by applying TVLA, LD_CS, and LD_ANOVA, respectively.

This experiment is executed on the HP laptop with the Intel Core i7-7500U CPU (Dual-Core, 2.70 GHz and 2.90 GHz), 8 GB RAM, and MATLAB R2017a software platform. The three detections are repeated 10 times with 30,000 power traces acquired from the FPGA implementation in Section A, and the averages of the runtimes and the memories are plotted in Figure 7.

Note that, the code of the TVLA approach is performed in parallel. As a result, it can be seen that TVLA is the most efficient in terms of time. Moreover, LD_ANOVA is the most efficient in terms of memory, while LD_CS is the most inefficient—in both time and memory. On the whole, the computation cost of a practical security evaluation applying the proposed leakage detection approach is able to afford an analyser.

4.4. New Attack

Finally, two practical experiments are also carried out to evaluate the effectiveness of the proposed new SCA attack based on ANOVA (ANOVA_SCA for short) in Algorithm 3. Two power trace sets and two EM trace sets of the two aforementioned implementations in Section A are exploited to launch the key attack recovery, respectively. The leakage models of the FPGA and MCU implementations are approximate to the Hamming Distance and Hamming Weight models, respectively. Besides, the randomly selected attack targets are the XOR of the input and output of the 9^th S-box in the last round of AES-128 and the output of the 16^th S-box in the last round of the encryption algorithm, respectively. The other classical SCA attack, namely, correlation analysis attack (CAA) [17, 21, 22], is also used for comparison. The security metric, guess entropy [23], serves as the evaluation metric of the key recovery attacks. The attack results depicted in Figure 8 confirm the efficacy and efficiency of ANOVA_SCA. In particular, ANOVA_SCA is even much more efficient than CAA for the masked implementation.

(a)

(b)

We also estimate the average runtimes and the average memories when performing ANOVA_SCA and CAA, respectively. These two attacks are repeated 10 times with 30,000 power traces acquired from the FPGA implementation in Section A. This experiment is executed on the same HP laptop and MATLAB software platform mentioned in Section C. The statistical results are plotted in Figure 9. It can be viewed that it is feasible to apply the proposed attack for security assessment because of its practical utility and high efficiency.

5. Conclusions

The paper develops a black-box side-channel leakage detection approach, which is designed for the security assessment of cryptographic devices. The proposed detection method is based on the one-way ANOVA, which ensures that the evaluation is highly efficient—in terms of both time and memory. On the basis of monochannel leakage detection, the proposed method is extended to detect multichannel leakages as well. Compared with utilizing monochannel leakage individually, the use of the fused leakage is beneficial in finding much more leakage points efficiently. Furthermore, the proposed detection method is capable of applying for the key recovery attack, when a key-dependent immediate variable serves as the input of the method. In the future, the extension of our proposed approach to enhance the performance of multichannel leakage detection will be investigated further.

Data Availability

The side-channel measurement data and codes used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by National Natural Science Foundation of China (nos. 61802186, 61472189, 61572255, and 62002167).

References

P. C. Kocher, “Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems,” in Proceedings of the CRYPTO 1996, pp. 104–113, Santa Barbara, CA, USA, August 1996.
View at: Google Scholar
P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proceedngs of the CRYPTO 1999, pp. 388–397, Santa Barbara, CA, USA, August 1999.
View at: Google Scholar
K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis: concrete results,” in Proceedings of the Cryptographic Hardware and Embedded Systems -2001, pp. 251–261, Paris, France, May 2001.
View at: Google Scholar
D. Genkin, A. Shamir, and E. Tromer, “RSA key extraction via low-bandwidth acoustic cryptanalysis,” in Proceedings of the CRYPTO 2014, pp. 444–461, Santa Barbara, CA, USA, August 2014.
View at: Google Scholar
G. Goodwill, B. Jun, J. Jaffe et al., “A testing methodology for side-channel resistance validation,” in Proceedings of the NIST NIAT 2011, pp. 115–136, Nara, Japan, September 2011.
View at: Google Scholar
S. Bhasin, J. Danger, S. Guilley et al., “NICV: normalized interclass variance for detection of side-channel leakage,” in Proceedings of the EMC’14, pp. 310–313, Tokyo, Japan, May 2014.
View at: Google Scholar
J. Liu, Z. Guo, D. Gu et al., “Enhanced side-channel leakage detection method by considering combinational logic,” China Communications, vol. 12, no. 6, pp. 1–10, 2015.
View at: Publisher Site | Google Scholar
L. Mather, E. Oswald, J. Bandenburg et al., “Does my device leak information? an a priori statistical power analysis of leakage detection tests,” in Proceedings of the ASIACRYPT 2013, pp. 486–505, Bengaluru, India, December 2013.
View at: Google Scholar
F. Durvaux and F. Standaert, “From improved leakage detection to the detection of points of interests in leakage traces,” in Proceedings of the EUROCRYPT 2016, pp. 240–262, Vienna, Austria, May 2016.
View at: Google Scholar
A. A. Ding, C. Chen, and T. Eisenbarth, “Simpler, faster, and more robust t-test based leakage detection,” in Proceedings of the COSADE 2016, pp. 163–183, Graz, Austria, April 2016.
View at: Google Scholar
A. Moradi, B. Richter, T. Schneider et al., “Leakage detection with the -test,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 1, pp. 209–237, 2018.
View at: Google Scholar
W. Yang, H. Zhang, Y. Gao et al., “Side-Channel leakage detection based on constant parameter channel model,” in Proceedings of the International Conference on Computer Design 2020, pp. 553–560, Hartford, CT, USA, October 2020.
View at: Google Scholar
G. Becker, J. Cooper, E. DeMulder, G. Goodwill et al., “Test vector leakage assessment (TVLA) methodology in practice,” in Proceedings of the International Catholic Migration Commission 2013, Gaithersburg, MD, USA, September 2013.
View at: Google Scholar
D. B. Roy, S. Bhasin, S. Guilley, A. Heuser, S. Patranabis, and D. Mukhopadhyay, “CC meets FIPS: a hybrid test methodology for first order side channel analysis,” IEEE Transactions on Computers, vol. 68, no. 3, pp. 347–361, 2019.
View at: Publisher Site | Google Scholar
S. McKillup, Statistics Explained: An Introductory Guide for Life Scientists, Cambridge University Press, Cambridge, UK, 2nd edition, 2011.
W. Snedecor and C. George, Statistical Methods, Iowa State University Press, Sioux, IA, USA, 8th edition, 1989.
W. Yang, Y. Zhou, Y. Cao, H. Zhang, Q. Zhang, and H. Wang, “multi-channel fusion attacks,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 8, pp. 1757–1771, 2017.
View at: Publisher Site | Google Scholar
T. Schneider and A. Moradi, “Leakage assessment methodology–a clear roadmap for side-channel evaluations,” in Proceedings of the Cryptographic Hardware and Embedded Systems - 2015, pp. 495–513, SaintMalo, France, September 2015.
View at: Google Scholar
P. Bottinelli and J. W. Bos, “Computational aspects of correlation power analysis,” Journal of Cryptographic Engineering, vol. 7, no. 3, pp. 167–181, 2017.
View at: Publisher Site | Google Scholar
S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, Springer, New York, NY, USA, 2007.
E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a leakage model,” in Proceedings of the Cryptographic Hardware and Embedded Systems-2004, pp. 16–29, Boston, MA, USA, August 2004.
View at: Google Scholar
E. Peeters, Advanced DPA Theory and Practice, Springer, New York, NY, USA, 2013.
F.-X. Standaert, T. G. Malkin, and M. Yung, “A unified framework for the analysis of side-channel key recovery attacks,” in Proceedings of the EUROCRYPT 2009, pp. 443–461, Cologne, Germany, April 2009.
View at: Google Scholar

Copyright

Copyright © 2021 Wei Yang and Anni Jia. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1415

Downloads

893

Citations