Experimental Pitfalls Clause Samples
Experimental Pitfalls. The effective and efficient evaluation of the actual masking order of cryptographic implementations remains an open problem due to several evaluation pitfalls. In terms of effectiveness, when evaluating a masking scheme via the measured power consumption, we face the pitfall of the limited attack scope: a particular attack technique may fail to exploit the available leakage because of, e.g., an unsuitable choice of intermediate values or an incorrect power model assumption (footnote 7). Moreover, introducing additional countermeasures on top of the masking scheme may render particular exploitation techniques ineffective while the implementation remains vulnerable to different lines of attack. To tackle this issue, the research community has followed several approaches. Prior research established generic side-channel distinguishers such as Mutual Information Analysis (MIA) [4], the Kolmogorov-Smirnov and the Cramér-von Mises tests [48, 49], which require minimal assumptions about the noise and the power model of the device under test. At the other end of the spectrum, ▇▇▇▇▇▇▇▇▇ et al. [44] proposed an evaluation framework assuming the strongest possible adversary, equipped with extensive profiling capabilities and Bayesian templates. While effective, the aforementioned approaches focus on leakage exploitation and perform key recovery, which may require a large number of traces. Thus, they face the efficiency pitfall with respect to computational and storage requirements. Note that this increased demand for resources is magnified when extra countermeasures are inserted into a masked implementation. Thus, it can be difficult to decide with confidence whether the masking order is reduced or not. In order to evaluate the effective masking order, we opt for a more recent approach called leakage detection methodology [31]. This approach focuses on leakage detection and disregards exploitation.
Thus, the acquisition and the computational cost are reduced while the methodology retains its generic nature. Despite the gain achieved by decoupling detection from exploitation, the leakage detection methodology still presents challenges with respect to efficiency. In the context of software masking, we need to combine multiple time samples in order to evaluate the masked implementation. Thus, we rely on the work by ▇▇▇▇▇▇▇▇▇ et al. [42], who extended the leakage detection methodology to higher-order evaluations by providing efficient, incremental formulas that can handle the computation involved wi...
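As an added illustration (not code from the paper, the cited works or this page), the following Python sketch runs a fixed-vs-random leakage detection test at first and second order, computing the t-statistics from a one-pass accumulator of central moments in the spirit of the incremental higher-order formulas mentioned above. The traces are constructed: a two-share Boolean masking of one secret bit with Gaussian noise, the noise level, trace count, seed and the 4.5 threshold are all assumptions, and the accumulator uses Pébay's update formulas rather than the cited paper's exact expressions.

```python
import numpy as np

THRESHOLD = 4.5  # assumed |t| bound beyond which leakage is declared
class MomentAccumulator:
    """One-pass (incremental) mean and central sums up to 4th order, per sample point."""
    def __init__(self, n_points):
        self.n = 0
        self.mean, self.cs2, self.cs3, self.cs4 = (np.zeros(n_points) for _ in range(4))

    def update(self, trace):
        # Pebay-style update: cs4 and cs3 use the not-yet-updated lower-order sums
        n1, n = self.n, self.n + 1
        delta = trace - self.mean
        delta_n = delta / n
        term1 = delta * delta_n * n1
        self.mean += delta_n
        self.cs4 += term1 * delta_n**2 * (n*n - 3*n + 3) + 6 * delta_n**2 * self.cs2 - 4 * delta_n * self.cs3
        self.cs3 += term1 * delta_n * (n - 2) - 3 * delta_n * self.cs2
        self.cs2 += term1
        self.n = n

    def cm(self, d):  # d-th central moment (biased estimator)
        return {2: self.cs2, 3: self.cs3, 4: self.cs4}[d] / self.n

def t_statistic(fixed, rnd, order):
    """Welch t per sample point from the moments: order 1 on raw traces, order 2 on centred squares."""
    if order == 1:
        num, var_f, var_r = fixed.mean - rnd.mean, fixed.cm(2), rnd.cm(2)
    elif order == 2:
        num = fixed.cm(2) - rnd.cm(2)
        var_f, var_r = fixed.cm(4) - fixed.cm(2) ** 2, rnd.cm(4) - rnd.cm(2) ** 2
    else:
        raise ValueError("orders 1 and 2 only")
    return num / np.sqrt(var_f / fixed.n + var_r / rnd.n)

def simulate_trace(secret_bit, rng, sigma=0.5):
    """Constructed 2-point trace: point 0 leaks both Boolean shares of the secret bit
    together (masked); point 1 leaks the bit unshared (masking order reduced to zero)."""
    mask = int(rng.integers(0, 2))
    leak = np.array([mask + (secret_bit ^ mask), secret_bit], dtype=float)
    return leak + rng.normal(0.0, sigma, size=2)

def run_detection(n_traces=2000, seed=1):
    """Fixed-vs-random test: the fixed set has secret 0, the random set draws it per trace."""
    rng = np.random.default_rng(seed)
    fixed, rnd = MomentAccumulator(2), MomentAccumulator(2)
    for _ in range(n_traces):
        fixed.update(simulate_trace(0, rng))
        rnd.update(simulate_trace(int(rng.integers(0, 2)), rng))
    return {order: t_statistic(fixed, rnd, order) for order in (1, 2)}
```

At the masked point the two sets have the same mean but a secret-dependent variance, so |t| stays below the threshold at first order and exceeds it at second order, while the unshared point is flagged already at first order; because only running moments are kept, the traces can be streamed once without storing the set or re-centring it for the second-order pass.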
