An ANOVA Method to Rapidly Assess Information Leakage Near Cryptographic Modules

Abstract

A measurement method based on the analysis of variance <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">F</i> -statistic is presented to rapidly evaluate cryptographic modules’ vulnerability to fine-grained EM side-channel analysis (SCA) attacks. The proposed method assumes that evaluators can control the device under test to set carefully chosen inputs to computations of interest and to repeat measurements as many times as needed. It identifies optimal measurement configurations—that minimize the marginal cost for repeated attacks to extract the data of interest—in three stages. In the first two stages, the variances in observed fields are analyzed using specially designed test cases and low <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">F-</i> value measurement configurations susceptible to noise are eliminated. In the third stage, the data of interest are extracted via a correlation-analysis attack using the remaining, high <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">F-</i> value, configurations. The method is used to evaluate nine Advanced Encryption Standard (AES) implementations, seven of which were hardened against EM SCA attacks. The test cases for the first two stages are constructed by generating extreme AES encryption keys and input plaintexts. The least/most effective countermeasures are found to increase the marginal cost of EM SCA attacks by ∼1.1×/>30×; the proposed method could evaluate the vulnerabilities of hardened AES modules using ∼1.5–37× fewer measurements than alternatives.