山東建筑大學(xué)土木畢業(yè)設(shè)計(jì)外文文獻(xiàn)及翻譯

本科畢業(yè)設(shè)計(jì)外文文獻(xiàn)及譯文文獻(xiàn)題目：CorrelationerAnalysiswithaLeaageModel文獻(xiàn)、資料來源：期刊文獻(xiàn)、資料發(fā)表〔出版〕日期：2004院〔部〕：土木工程學(xué)院專業(yè)：城市地下空間工程班級：地工121姓名：王玉錚學(xué)號：20230234008指導(dǎo)教師：鐘世英翻譯日期：2023.6.11外文文獻(xiàn)：CorrelationPowerAnalysiswithaLeakageModelEricBrier,ChristopheClvier,andrancisOlivierGemplusCardIternational,ranceSecuriyehnologyDepartmet{eric.brier,christophe.clavier,}Abstract.Aclassicalmodelisusedforthepowerconsumptionofcryptographicdevices.ItisbasedontheHammingdistanceofthedatahandledwithregardtoanunknownbutconstantreferencestate.OncevalidatedexperimentallyitallowsanoptimalattacktobederivedcalledCorrelationPowerAnalysis.ItalsoexplainsthedefectsofformerapproachessuchasdifferentialPowerAnalysis.Keywords:Correlationfactor,CPA,DPA,Hammingdistance,poweranalysis,DES,AES,securecryptographicdevice,sidechannel.1 IntroductionInthescopeofstatisticalpoweranalysisagainstcryptographicdevices,twohistoricaltrendscanbeobserved.The?rstoneisthewellknowndifferentialpoweranalysis(DPA)introducedbyPaulKocher[12,13]andformalizedbyThomasMessergesetal.[16].Thesecondonehasbeensuggestedinvariouspapers[8,14,18]andproposedtousethecorrelationfactorbetweenthepowersamplesandtheHammingweightofthehandleddata.Bothapproachesexhibitsomelimitationsduetounrealisticassumptionsandmodelimperfectionsthatwillbeexaminedmorethoroughlyinthispaper.ThisworkfollowspreviousstudiesaimingateitherimprovingtheHammingweightmodel[2],orenhancingtheDPAitselfbyvariousmeans[6,4].TheproposedapproachisbasedontheHammingdistancemodelwhichcanbeseenasageneralizationoftheHammingweightmodel.Allitsbasicassumptionswerealreadymentionedinvariouspapersfromyear2000[16,8,6,2].ButtheyremainedallusiveaspossibleexplanationofDPAdefectsandneverleadedtoanycompleteandconvenientexploitation.Ourexperimentalworkisasynthesisofthoseformerapproachesinordertogiveafullinsightonthedataleakage.Following[8,14,18]weproposetousethecorrelationpoweranalysis(CPA)toidentifytheparametersoftheleakagemodel.ThenweshowthatsoundandefficientattackscanbeconductedagainstunprotectedimplementationsofmanyalgorithmssuchasDESorAES.Thisstudydeliberatelyrestrictsitselftothescopeofsecretkeycryptographyalthoughitmaybeextendedbeyond.Thispaperisorganizedasfollows:Section2introducestheHammingdistancemodelandSection3provestherelevanceofthecorrelationfactor.ThemodelbasedcorrelationattackisdescribedinSection4withtheimpactonthemodelerrors.Section5addressestheestimationproblemandtheexperimentalresultswhichvalidatethemodelareexposedinSection6.Section7containsthecomparativestudywithDPAandaddressesmorespecificallytheso-called“ghostpeaks〞problemencounteredbythosewhohavetodealwitherroneousconclusionswhenimplementingclassicalDPAonthesubstitutionboxesoftheDES?rstround:itisshowntherehowtheproposedmodelexplainsmanydefectsoftheDPAandhowthecorrelationpoweranalysiscanhelpinconductingsoundattacksinoptimalconditions.OurconclusionsummarizestheadvantagesanddrawbacksofCPAversusDPAandremindsthatcountermeasuresworkagainstbothmethodsaswell.2 TheHammingDistanceConsumptionModelClassically,mostpoweranalysesfoundinliteraturearebasedupontheHammingweightmodel[13,16],thatisthenumberofbitssetinadataword.Inam-bitmicroprocessor,binarydataiscoded,withthebitvaluesdj=0or1.ItsHammingweightissimplythenumberofbitssetto1,Itsintegervaluesstandbetween0andm.IfDcontainsmindependentanduniformlydistributedbits,thewholewordhasanaverageHammingweightandavariance.Itisgenerallyassumedthatthedataleakagethroughthepowerside-channeldependsonthenumberofbitsswitchingfromonestatetotheother[6,8]atagiventime.Amicroprocessorismodeledasastatewheretransitionsfromstatetostatearetriggeredbyeventssuchastheedgesofaclocksignal.ThisseemsrelevantwhenlookingatalogicalelementarygateasimplementedinCMOStechnology.Thecurrentconsumedisrelatedtotheenergyrequiredto?ipthebitsfromonestatetothenext.Itiscomposedoftwomaincontributions:thecapacitor’schargeandtheshortcircuitinducedbythegatetransition.Curiously,thiselementarybehavioriscommonlyadmittedbuthasnevergivenrisetoanysatisfactorymodelthatiswidelyapplicable.Onlyhardwaredesignersarefamiliarwithsimulationtoolstoforeseethecurrentconsumptionofmicroelectronicdevices.Ifthetransitionmodelisadopted,abasicquestionisposed:whatisthereferencestatefromwhichthebitsareswitched?Weassumeherethatthisreferencestateisaconstantmachineword,R,whichisunknown,butnotnecessarilyzero.Itwillalwaysbethesameifthesamedatamanipulationalwaysoccursatthesametime,althoughthisassumestheabsenceofanydesynchronizingeffect.Moreover,itisassumedthatswitchingabitfrom0to1orfrom1to0requiresthesameamountofenergyandthatallthemachinebitshandledatagiventimeareperfectlybalancedandconsumethesame.Theserestrictiveassumptionsarequiterealisticandaffordablewithoutanythoroughknowledgeofmicroelectronicdevices.Theyleadtoaconvenientexpressionfortheleakagemodel.Indeedthenumberof?ippingbitstogofromRtoDisdescribedbyH(D⊕R)alsocalledtheHammingdistancebetweenDandR.ThisstatementenclosestheHammingweightmodelwhichassumesthatR=0.IfDisauniformrandomvariable,soisD⊕R,andH(D⊕R)hasthesamemeanm/2andvariancem/4asH(D).WealsoassumealinearrelationshipbetweenthecurrentconsumptionandH(D⊕R).Thiscanbeseenasalimitationbutconsideringachipasalargesetofelementaryelectricalcomponents,thislinearmodel?tsrealityquitewell.Itdoesnotrepresenttheentireconsumptionofachipbutonlythedatadependentpart.Thisdoesnotseemunrealisticbecausethebuslinesareusuallyconsideredasthemostconsumingelementswithinamicro-controller.Alltheremainingthingsinthepowerconsumptionofachipareassignedtoatermdenotedbwhichisassumedindependentfromtheothervariables:enclosesofsets,timedependentcomponentsandnoise.Thereforethebasicmodelforthedatadependencycanbewritten:whereaisascalargainbetweentheHammingdistanceandWthepowerconsumed.3 TheLinearCorrelationFactorAlinearmodelimpliessomerelationshipsbetweenthevariancesofthedifferenttermsconsideredasrandomvariables:,ClassicalstatisticsintroducethecorrelationfactorρWHbetweentheHammingdistanceandthemeasuredpowertoassessthelinearmodel?ttingrate.Itisthecovariancebetweenbbothrandomvariablesnormalizedbytheproductoftheirstandarddeviations.Undertheuncorrelatednoiseassumption,thisde?nitionleadsto:bThisequationcomplieswiththewellknownproperty:?1≤ρWH≤+1:foraperfectmodelthecorrelationfactortendsto±1ifthevarianceofnoisetendsto0,thesigndependingonthesignofthelineargaina.Ifthemodelappliesonlytolindependentbitsamongstm,apartialcorrelationstillexists:4 SecretInferenceBasedonCorrelationPowerAnalysisTherelationshipswrittenaboveshowthatifthemodelisvalidthecorrelationfactorismaximizedwhenthenoisevarianceisminimum.ThismeansthatρWHcanhelptodeterminethereferencestateR.Assume,justlikeinDPA,thatasetofknownbutrandomlyvaryingdataDandasetofrelatedpowerconsumptionWareavailable.Ifthe2mpossiblevaluesofRarescannedexhaustivelytheycanberankedbythecorrelationfactortheyproducewhencombinedwiththeobservationW.Thisisnotthatexpensivewhenconsideringan8-bitmicro-controller,thecasewithmanyoftoday’ssmartcards,asonly256valuesaretobetested.On32-bitarchitecturesthisexhaustivesearchcannotbeappliedassuch.Butitisstillpossibletoworkwithpartialcorrelationortointroducepriorknowledge.LetRbethetruereferenceandH=H(D⊕R)therightpredictionontheHammingdistance.LetRrepresentacandidatevalueandHtherelatedmodelH=H(D⊕R).AssumeavalueofRthathaskbitsthatdifferfromthoseofR,then:H(R⊕R)=k.Sincebisindependentfromothervariables,thecorrelationtestleadsto(see[5]):ThisformulashowshowthecorrelationfactoriscapableofrejectingwrongcandidatesforR.Forinstance,ifasinglebitiswrongamongstan8-bitword,thecorrelationisreducedby1/4.Ifallthebitsarewrong,i-eR=?R,thenananti-correlationshouldbeobservedwithρWH=?ρWH.Inabsolutevalueorifthelineargainisassumedpositive(a>0),therecannotbeanyRleadingtoahighercorrelationratethanR.Thisprovestheuniquenessofthesolutionandthereforehowthereferencestatecanbedetermined.Thisanalysiscanbeperformedonthepowertraceassignedtoapieceofcodewhilemanipulatingknownandvaryingdata.IfweassumethatthehandleddataistheresultofaXORoperationbetweenasecretkeywordKandaknownmessagewordM,D=K⊕M,theproceduredescribedabove,i-eexhaustivesearchonRandcorrelationtest,shouldleadtoK⊕Rassociatedwithmax(ρWH).IndeedifacorrelationoccurswhenMishandledwithrespecttoR1,anotherhastooccurlateron,whenM⊕Kismanipulatedinturn,possiblywithadifferentreferencestateR2(infactwithK⊕R2sinceonlyMisknown).Forinstance,whenconsideringthe?rstAddRoundKeyfunctionatthebeginningoftheAESalgorithmembeddedonan8-bitprocessor,itisobviousthatsuchamethodleadstothewholekeymaskedbytheconstantreferencebyteR2.IfR2isthesameforallthekeybytes,whichishighlyplausible,only28possibilitiesremaintobetestedbyexhaustivesearchtoinfertheentirekeymaterial.ThiscomplementarybruteforcemaybeavoidedifR2isdeterminedbyothermeansorknowntobealwaysequalto0(oncertainchips).Thisattackisnotrestrictedtothe⊕operation.Italsoappliestomanyotheroperatorsoftenencounteredinsecretkeycryptography.Forinstance,otherarithmetic,logicaloperationsorlook-uptables(LUT)canbetreatedinthesamemannerbyusingH(LUT(MK)⊕R),whererepresentstheinvolvedfunctioni.e.⊕,+,-,OR,AND,orwhateveroperation.Let’snoticethattheambiguitybetweenKandK⊕Riscompletelyremovedbythesubstitutionboxesencounteredinsecretkeyalgorithmsthankstothenon-linearityofthecorrespondingLUT:thismayrequiretoexhaustbothKandR,butonlyonceforRinmostcases.Toconductananalysisinthebestconditions,weemphasizethebene?tofcorrectlymodelingthewholemachinewordthatisactuallyhandledanditstransitionwithrespecttothereferencestateRwhichistobedeterminedasanunknownoftheproblem.5 EstimationInarealcasewithasetofNpowercurvesWiandNassociatedrandomdatawordsMi,foragivenreferencestateRtheknowndatawordsproduceasetofNpredictedHammingdistancesHi,R=H(Mi⊕R).Anestimateρ?WHofthecorrelationfactorρWHisgivenbythefollowingformula:wherethesummationsaretakenovertheNsamples(i=1,N)ateachtimestepwithinthepowertracesWi(t).Itistheoreticallydifficulttocomputethevarianceoftheestimatorρ?WHwithrespecttothenumberofavailablesamplesN.Inpracticeafewhundredexperimentssufficetoprovideaworkableestimateofthecorrelationfactor.Nhastobeincreasedwiththemodelvariancem/4(higherona32-bitarchitecture)andinpresenceofmeasurementnoiselevelobviously.Nextresultswillshowthatthisismorethannecessaryforconductingreliabletests.Thereaderisreferredto[5]forfurtherdiscussionabouttheestimationonexperimentaldataandoptimalityissues.Itisshownthatthisapproachcanbeseenasamaximumlikelihoodmodel?ttingprocedurewhenRisexhaustedtomaximizeρ?WH.6 ExperimentalResultsThissectionaimsatconfrontingtheleakagemodeltorealexperiments.Generalrulesofbehaviorarederivedfromtheanalysisofvariouschipsforsecuredevicesconductedduringthepassedyears.Our?rstexperiencewasperformedontoabasicXORalgorithmimplementedina8-bitchipknownforleakinginformation(moresuitablefordidacticpurpose).Thesequenceofinstructionswassimplythefollowing:–loadabyteD1intotheaccumulator–XORD1withaconstantD2–storetheresultfromtheaccumulatortoadestinationmemorycell.Theprogramwasexecuted256timeswithD1varyingfrom0to255.AsdisplayedonFigure1,twosigni?cantcorrelationpeakswereobtainedwithtwodifferentreferencestates:the?rstonebeingtheaddressofD1,thesecondonetheopcodeoftheXORinstruction.Thesecurvesbringtheexperimentalevidenceofleakageprinciplesthatpreviousworksjusthintat,withoutgoingintomoredetail[16,8,6,17].Theyillustratethemostgeneralcaseofatransfersequenceonacommonbus.Theaddressofadatawordistransmittedjustbeforeitsvaluethatisinturnimmediatelyfollowedbytheopcodeofthenextinstructionwhichisfetched.Suchabehaviorcanbeobservedonawidevarietyofchipseventhoseimplementing16or32-bitarchitectures.Correlationratesrangingfrom60%tomorethan90%canoftenbeobtained.Figure2showsanexampleofpartialcorrelationona32-bitarchitecture:whenonly4bitsarepredictedamong32,thecorrelationlossisinabouttheratio√8whichisconsistentwiththedisplayedcorrelations.Thissortofresultscanbeobservedonvarioustechnologiesandimplementations.Neverthelessthefollowingrestrictionshavetobementioned:–Sometimesthereferencestateissystematically0.Thiscanbeassignedtotheso-calledchargedlogicwherethebusisclearedbetweeneachtransferredvalue.Anotherpossiblereasonisthatcomplexarchitecturesimplementseparatedfordataandaddresses,thatmayprohibitcertaintransitions.InallthosecasestheHammingweightmodelisrecoveredasaparticularcaseofthemoregeneralHammingdistancemodel.–Thesequenceofcorrelationpeaksmaysometimesbeblurredorspreadoverthetimeinpresenceofapipeline.–Somerecenttechnologiesimplementhardwaresecurityfeaturesdesignedtoimpedestatisticalpoweranalysis.Thesecountermeasuresoffervariouslevelsogoingfromthemostnaiveandeasytobypass,tothemosteffectivewhichmerelycancelanydatadependency.TherearedifferentkindsofcountermeasureswhicharecompletelysimilartothosedesignedagainstDPA.–Someofthemconsistinintroducingdesynchronizationintheexecutionoftheprocesssothatthecurvesarenotalignedanymorewithinasameacquisitionset.Forthatpurposethereexistvarioustechniquessuchasfakecyclesinsertion,unstableclockingorrandomdelays[6,18].Incertaincasestheireffectcanbecorrectedbyapplyingappropriatesignalprocessing.Fig.1.Upper:consecutivecorrelationpeaksfortwodifferentreferencestates.Lower:forvaryingdata(0-255),modelarrayandmeasurementarraytakenatthetimeofthesecondcorrelationpeak.Fig.2.Twocorrelationpeaksforfullword(32bits)andpartial(4bits)predictions.Accordingtotheorythe20%peakshouldratherbearound26%.–Othercountermeasuresconsistinblurringthepowertraceswithadditionalnoiseor?lteringcircuitry[19].Sometimestheycanbebypassedbycurvesselectionand/oraveragingorbyusinganothersidechannelsuchaselectromagneticradiation[9,1].–Thedatacanalsobeciphereddynamicallyduringaprocessbyhardware(suchasbusencryption)orsoftwaremeans(datamaskingwitharandom[11,7,20,10]),sothatthehandledvariablesbecomeunpredictable:thennocorrelationcanbeexpectedanymore.Intheorysophisticatedattackssuchashigherorderanalysis[15]canovercomethedatamaskingmethod;buttheyareeasytothwartinpracticebyusingdesynchronizationforinstance.Indeed,ifimplementedalone,noneofthesecountermeasurescanbeconsideredasabsolutelysecureagainststatisticalanalyses.Theyjustincreasetheamountofeffortandlevelofexpertiserequiredtoachieveanattack.Howevercombineddefenses,implementingatleasttwoofthesecountermeasures,provetobeveryefficientandpracticallydissuasive.Thestateoftheartofcountermeasuresinthedesignoftamperresistantdeviceshasmadebigadvancesintherecentyears.Itisnowadmittedthatsecurityrequirementsincludesoundimplementationsasmuchasrobustcryptographicschemes.7 ComparisonwithDPAThissectionaddressesthecomparisonoftheproposedCPAmethodwithDifferentialPowerAnalysis(DPA).ItreferstotheformerworksdonebyMessergesetal.[16,17]whoformalizedtheideaspreviouslysuggestedbyKocher[12,13].Acriticalstudyisproposedin[5].7.1 PracticalProblemswithDPA:The“GhostPeaks〞WejustconsiderhereafterthepracticalimplementationofDPAagainsttheDESsubstitutions(1stround).Infactthiswell-knownattackworksquitewellonlyifthefollowingassumptionsareful?lled:1.Wordspaceassumption:withinthewordhostingthepredictedbit,thecontributionofthenon-targetedbitsisindependentofthetargetedbitvalue.Theiraveragein?uenceinthecurvespackof0isthesameasthatinthecurvespackof1.Sotheattackerdoesnotneedtocareaboutthesebits.2.Guessspaceassumption:thepredictedvalueofthetargetedbitforanywrongsub-keyguessdoesnotdependonthevalueassociatedtothecorrectguess.3.Timespaceassumption:thepowerconsumptionWdoesnotdependonthevalueofthetargetedbitexceptwhenitisexplicitlyhandled.Butwhenconfrontedtotheexperience,theattackcomesupagainstthefollowingfacts.–FactA.Forthecorrectguess,DPApeaksappearalsowhenthetargetedbitisnotexplicitlyhandled.Thisisworthbeingnoticedalbeitnotreallyembarrassing.Howeverthiscontradictsthethirdassumption.–FactB.SomeDPApeaksalsoappearforwrongguesses:theyarecalled“ghostpeaks〞.Thisfactismoreproblematicformakingasounddecisionandcomesincontradictionwiththesecondassumption.–FactC.ThetrueDPApeakgivenbytherightguessmaybesmallerthansomeghostpeaks,andevennullornegative!Thisseemssomewhatamazingandquiteconfusingforanattacker.Thereasonsmustbesearchedforinsidethecrudenessoftheoptimistic?rstassumption.7.2 The“GhostPeaks〞ExplanationWiththehelpofathoroughanalysisofsubstitutionboxesandtheHammingdistancemodelitisnowpossibletoexplaintheobservedfactsandshowhowwrongthebasicassumptionsofDPAcanbe.FactA.Asamatteroffactsomedatahandledalongthealgorithmmaybepar-tiallycorrelatedwiththetargetedbit.ThisisnotthatsurprisingwhenlookingatthestructureoftheDES.AbittakenfromtheoutputnibbleofaSBoxhasalifetimelastingatleastuntiltheendoftheround(andbeyondiftheleftpartoftheIPoutputdoesnotvarytoomuch).ADPApeakriseseachtimethisbitandits3peerbitsundergothefollowingPpermutationsincetheyallbelongtothesamemachineword.FactB.ThereasonwhywrongguessesmaygenerateDPApeaksisthatthedistributionsofanSBoxoutputbitfortwodifferentguessesaredeterministicandsopossiblypartiallycorrelated.Thefollowingexampleisveryconvincingaboutthatpoint.Let’sconsidertheleftmostbitofthe?fthSBoxoftheDESwhentheinputdataDvariesfrom0to63andcombinedwithtwodifferentsub-keys:MSB(SBox5(D⊕0x00))andMSB(SBox5(D⊕0x36)).Bothseriesofbitsarerespectivelylistedhereafter,withtheirbitwiseXORonthethirdline:Thethirdlinecontains8setbits,revealingonlyeighterrorsofpredictionamong64.Thisexampleshowsthatawrongguess,say0,canprovideagoodpredictionatarateof56/64,thatisnotthatfarfromthecorrectone0x36.Theresultwouldbeequivalentforanyotherpairofsub-keysKandK⊕0x36.ConsequentlyasubstantialconcurrentDPApeakwillappearatthesamelocationthantherightone.TheweaknessofthecontrastwilldisturbtheguessesrankingespeciallyinpresenceofhighSNR.FactC.DPAimplicitlyconsidersthewordbitscarriedalongwiththetargetedbitasuniformlydistributedandindependentfromthetargetedone.Thisiserroneousbecauseimplementationintroducesadeterministiclinkbetweentheirvalues.TheirasymmetriccontributionmayaffecttheheightandsignofaDPApeak.Thismayin?uencetheanalysisontheonehandbyshrinkingrelevantpeaks,ontheotherhandbyenhancingmeaninglessones.Thereexistsawellknowntricktobypassthisdifficultyasmentionedin[4].ItconsistsinshiftingtheDPAattacksalittlebitfurtherintheprocessingandperformthepredictionjustaftertheendofthe?rstroundwhentherightpartofthedata(32bits)isXORedwiththeleftpartoftheIPoutput.Asthemessageischosenfreely,thisrepresentsanopportunitytore-balancethelossofrandomnessbybringingnewrefreshedrandomdata.Butthisdoesnot?xFactBinageneralcase.Togetridoftheseambiguitiesthemodelbasedapproachaimsattakingthewholeinformationintoaccount.ThisrequirestointroducethenotionofalgorithmicimplementationthatDPAassumptionscompletelyoccult.WhenconsideringthesubstitutionboxesoftheDES,itcannotbeavoidedtoremindthattheoutputvaluesare4-bitvalues.Althoughthese4bitsareinprincipleequivalentasDPAselectionbits,theylivetogetherwith4otherbitsinthecontextofan8-bitmicroprocessor.Efficientimplementationsusetoexploitthose4bitstosavesomestoragespaceinconstrainedenvironmentslikesmartcardchips.Atrickreferredtoas“SBoxcompression〞consistsinstoring2SBoxvalueswithinasamebyte.Thustherequiredspaceishalved.Therearedifferentwaystoimplementthis.Let’sconsiderforinstancethe2?rstboxes:insteadofallocating2differentarrays,itismoreefficienttobuildupthefollowinglook-uptable:LUT12(k)=SBox1(k)SBox2(k).Foragiveninputindexk,thearraybytecontainsthevaluesoftwoneighboringboxes.ThenaccordingtotheHammingdistanceconsumptionmodel,thepowertraceshouldvarylike:–H(LUT12(D1⊕K1)⊕R1)whencomputingSBox1.–H(LUT12(D2⊕K2)⊕R2)whencomputingSBox2.Ifthevaluesarebindlikethis,theirrespectivebitscannotbeconsideredasindependentanymore.Toprovethisassertionwehaveconductedanexperimentonareal8-bitimplementationthatwasnotprotectedbyanyDPAcountermeasures.Workingina“whitebox〞mode,themodelparametershadbeenpreviouslycalibratedwithrespecttothemeasuredconsumptiontraces.ThereferencestateR=0xB7hadbeenidenti?edastheOpcodeofaninstructiontransferringthecontentoftheaccumulatortoRAMusingdirectaddressing.Themodel?ttedtheexperimentaldatasamplesquitewell;theircorrelationfactorevenreached97%.SowewereabletosimulatetherealconsumptionoftheSboxoutputwithahighaccuracy.ThenthestudyconsistedinapplyingaclassicalsinglebitDPAtotheoutputofSBox1inparallelonbothsetsof200datasamples:themeasuredandthesimulatedpowerconsumptions.As?gure3shows,thesimulatedandexperimentalDPAbiasesmatchparticularlywell.Onecannoticethefollowingpoints:–The4outputbitsarefarfrombeingequivalent.–Thepolarityofthepeakassociatedtothecorrectguess24dependsonthepolarityofthereferencestate.AsR=0xB7itsleftmostnibblealignedwithSBox1is0xB=’1011’andonlytheselectionbit2(countedfromtheleft)resultsinapositivepeakwhereasthe3othersundergoatransitionfrom1to0,leadingtoanegativepeak.–Inadditionthisbitisasomewhatluckybitbecausewhenitisusedasselectionbitonlyguess50competeswiththerightsub-key.ThisisaparticularfavorablecaseoccurringhereonSBox1,partlyduetothesetof200usedmessages.Itcannotbeextrapolatedtootherboxes.–ThedispersionoftheDPAbiasovertheguessesisquiteconfuse(seebit4).Thequalityofthemodelingprovesthatthosefactscannotbeincriminatedtothenumberofacquisitions.Increasingitmuchhigherthan200doesnothelp:thelevelofthepeakswithrespecttotheguessesdoesnotevolveandconvergestothesameranking.Thisparticularcounter-exampleprovesthattheambiguityofDPAdoesnotlieinimperfectestimationbutinwrongbasichypotheses.Fig.3.DPAbiasesonSBox1versusguessesforselectionbits1,2,3and4,onmodeledandexperimentaldata;thecorrectguessis24.7.3 ResultsofModelBasedCPAForcomparisonthetablehereafterprovidestherankingofthe6?rstguessessortedbydecreasingcorrelationrates.Thisresultisobtainedwithasfewasonly40curves!Thefullkeyis1122334455667788inhexadecimalformatandthecorrespondingsub-keysatthe?rstroundare24,19,8,8,5,50,43,2indecimalrepresentation.SBx1 SBx2SBx3SBx4 SBx5 SBx6 SBx7SBx8KρmaxKρmaxKρmaxKρmaxKρmaxKρmaxKρmaxKρmax2492%1990%887%888%591%5092%4389%289%4874%1877%1869%4467%3271%2571%4276%2877%0174%5770%0568%4967%2570%0570%5270%6176%3374%0270%2266%0266%3469%5470%3869%4172%1574%1268%5866%2966%6167%2969%069%3770%0674%1367%4365%3765%3767%5367%3068%1569%Thistableshowsthatthecorrectguessalwaysstandsoutwithagoodcontrast.Thereforeasounddecisioncanbemadewithoutanyambiguitydespitearoughestimationofρmax.Asimilarattackhasalsobeenconductedona32-bitimplementation,inawhiteboxmodewithaperfectknowledgeoftheimplementedsubstitutiontablesandthereferencestatewhichwas0.Thekeywas7CA110454A1A6E57inhexadecimalformatandtherelatedsub-keysatthe1stroundwere28,12,43,0,15,60,5,38indecimalrepresentation.Thenumberofcurvesis100.Asnexttableshows,thecontrastisgoodbetweenthecorrectandthemostcompetingwrongguess(around40%onboxes1to4).Thecorrelationrateisnotthathighonboxes5to8,de?nitelybecauseofpartialandimperfectmodeling,butitprovestoremainexploitableandthusarobustindicator.Whenthenumberofbitspermachinewordisgreater,thecontrastbetweentheguessesisrelativelyenhanced,but?ndingtherightmodelcouldbemoredi?cultinablackboxmode.SBx1 SBx2SBx3 SBx4 SBx5 SBx6 SBx7 SBx8K