Effective side-channel analysis: exploiting new leakages on cryptography circuits secured with side-channel countermeasures


Bibliographic Details
Main Author: Chen, Juncheng
Other Authors: Gwee Bah Hwee
Format: Thesis-Doctor of Philosophy
Language: English
Published: Nanyang Technological University 2024
Subjects:
Online Access: https://hdl.handle.net/10356/178234
_version_ 1811687755073191936
author Chen, Juncheng
author2 Gwee Bah Hwee
collection NTU
description This thesis pertains to the investigation of Side-Channel Analysis (SCA) techniques for evaluating the security of cryptographic devices secured with side-channel countermeasures. SCA, a non-invasive technique, proves highly effective in scrutinizing vulnerabilities in the implementation of cryptographic algorithms by analyzing the Physical Information Leakage (PLI), such as power dissipation and electromagnetic emanation. These leakages often expose critical information, including encryption/decryption keys, which are pivotal for cryptographic algorithms. To mitigate the risk of key leakage, a range of side-channel countermeasures, categorized as Masking and Hiding countermeasures, have been developed to impede SCA and safeguard cryptographic circuits. In this thesis, novel SCA techniques are proposed to evaluate cryptographic circuits secured with two widely utilized countermeasures: Boolean Masking and Horizontal Hiding (HH).

Firstly, we have proposed a pre-/post-normalized variance-based Differential Power Analysis (vDPA) to effectively target cryptographic circuits protected with Boolean Masking. The pre-/post-normalized vDPA comprises two main aspects. As the first aspect, we propose two normalization techniques to mitigate the occurrence of ghost peaks in Differential Power Analysis (DPA). Ghost peaks refer to the DPA output generated by incorrect key guesses, exhibiting higher amplitudes than the DPA output generated by the correct key guess. For the second aspect, vDPA is proposed to attack cryptographic circuits secured with Boolean Masking. Experimental results demonstrate that the proposed basic vDPA (without normalization), pre-normalized vDPA, and post-normalized vDPA all successfully reveal the encryption key-byte from the public ASCAD synchronized dataset. Moreover, the pre- and post-normalized vDPAs require up to 18× and 14× fewer traces than the basic vDPA, respectively. When attacking the ASCAD dataset, both the proposed pre- and post-normalized vDPAs outperform the reported 2nd-order CPA, achieving a speedup of 13,095×, and successfully revealing the key-bytes with only half the number of side-channel traces required by the reported Zero-offset DPA.

Secondly, we have proposed a non-profiling multivariate side-channel attack called Multivariate Linear Regression Attack (MLRA) to attack the cryptographic devices protected by the prevalent HH countermeasure. The process of MLRA with linear regression is analytically formulated to effectively extract leakage information from multiple locations of the physical measurements simultaneously. Comprehensive evaluations are conducted using both simulated traces and physical measurements. The simulated traces are protected with two prevalent HH effects: Shifting and Shuffling, under varying Signal-to-Noise Ratios (SNRs). By benchmarking against the reported attacks on the simulated traces, our proposed MLRA is demonstrated to require the fewest number of measurements to achieve a 100% Success Rate (SR) generally. As for the physical measurements, we validate the proposed MLRA on two datasets. The first dataset AES-RD contains 50 thousand power measurements collected from Advanced Encryption Standard 128 (AES-128), characterized by Floating Mean Method based HH. In this validation, our proposed MLRA demonstrates exceptional effectiveness by revealing a maximum of 8 key-bytes, outperforming all other reported attacks. The second dataset contains 55 million EM measurements collected from the present-art HH-based Asynchronous Logic AES (HHAL-AES), characterized by complex HH effects. When applied to HHAL-AES, our proposed MLRA requires significantly fewer measurements to reveal a key-byte as compared to the reported attacks, achieving a reduction of 9× to 2750× based on byte-wise Measurement to Disclosure (MTD). Additionally, our proposed MLRA achieves an overall MTD reduction of 4.52× to 27.78× for revealing all 16 key-bytes.

Thirdly, we have proposed a non-profiling Wavelet Scattering Transform-based Correlation Optimization with Deep Learning Analysis (WST-CO-DLA) to evaluate cryptographic devices protected with both Boolean Masking and HH. WST-CO-DLA offers a dual contribution. First, Correlation Optimization with Deep Learning Analysis (CO-DLA) addresses the Class Imbalance Problem (CIP) that arises from analyzing PLI measurements with significantly different data sizes in various data groups. Secondly, the training-free WST block is employed to filter distortion in measurements and extract time-frequency features, without increasing the complexity of the neural network. Experiments on the public masked AES-128 datasets without and with HH demonstrate the excellent efficacy of our proposal. In the masked dataset without HH, CO-DLA requires only 5k measurements, achieving at least 50% reduction as compared to that of the reported benchmarking attacks to reveal the key-byte. For the two masked datasets with HH, CO-DLA successfully reveals the key-byte with only 10k measurements. Moreover, WST-CO-DLA further reduces the required PLI measurements by 50% and 75% for the masked datasets without and with HH respectively as compared to CO-DLA, surpassing the other benchmarking non-profiling SCA with Deep Learning Analysis.

In conclusion, the thesis has proposed novel SCA techniques that effectively reveal potential vulnerabilities in cryptographic circuits secured with Boolean Masking and HH. The findings highlight the importance of incorporating these proposed SCA techniques in the assessment of side-channel security for cryptographic devices. In the future, there is scope for further research to extend the application of these SCA techniques to other implementations, with necessary modifications and improvements. By exploring these new SCA techniques, it is possible to enhance the understanding and mitigation of vulnerabilities in cryptographic systems, ensuring robust security measures in the face of evolving threats.
first_indexed 2024-10-01T05:21:21Z
format Thesis-Doctor of Philosophy
id ntu-10356/178234
institution Nanyang Technological University
language English
last_indexed 2024-10-01T05:21:21Z
publishDate 2024
publisher Nanyang Technological University
record_format dspace
spelling ntu-10356/178234 2024-07-05T03:11:43Z Effective side-channel analysis: exploiting new leakages on cryptography circuits secured with side-channel countermeasures Chen, Juncheng Gwee Bah Hwee School of Electrical and Electronic Engineering Centre for Integrated Circuits and Systems ebhgwee@ntu.edu.sg Engineering Side-channel analysis Doctor of Philosophy 2024-06-07T00:57:38Z 2024-06-07T00:57:38Z 2024 Thesis-Doctor of Philosophy Chen, J. (2024). Effective side-channel analysis: exploiting new leakages on cryptography circuits secured with side-channel countermeasures. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/178234 10.32657/10356/178234 en NRF2018NCR-NCR002-0001 This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). application/pdf Nanyang Technological University
title Effective side-channel analysis: exploiting new leakages on cryptography circuits secured with side-channel countermeasures
topic Engineering
Side-channel analysis
url https://hdl.handle.net/10356/178234