DPA Success Metrics and Leakage Assessment

Questions and Answers

In the context of side-channel analysis, what does 'guessing entropy' (GE) quantify?

• The average position of the correct key candidate in a series of experiments. (correct)
• The probability of finding the correct key with a single query.
• The total number of possible key candidates.
• The number of queries needed to find the correct key.

What is the order in 'Success Rate of order o' referring to?

• The number of queries used in the attack.
• The ranking position within which the correct target intermediate is located. (correct)
• The security order of the cryptographic algorithm.
• The number of target intermediates.

In hypothesis testing for side-channel analysis, what is the primary role of the null hypothesis (H0)?

• To assume, for the sake of argument, that the device does not leak information. (correct)
• To determine the statistical power of the side-channel attack.
• To prove that the device is vulnerable to side-channel attacks.
• To provide evidence that the device is leaking information.

What key component is required to perform hypothesis testing?

A population and sample data. (D)

How is a 'test statistic' used in the context of hypothesis testing?

To evaluate how compatible the experimental results are with the hypothesis test. (B)

In Null Hypothesis Significance Testing (NHST), what does rejecting the null hypothesis imply?

There is sufficient evidence to support the alternative hypothesis. (A)

What is the purpose of the 'null-distribution' in the context of hypothesis testing?

To provide a distribution of outcomes for a test statistic assuming the null hypothesis is true. (D)

How is the p-value used in hypothesis testing to assess statistical significance?

It is the probability of observing a test statistic as extreme as, or more extreme than, the one computed, assuming the null hypothesis is true. (C)

What does the 'significance level' ($\alpha$) represent in hypothesis testing?

The threshold probability at which the null hypothesis will be rejected. (A)

What does Test Vector Leakage Assessment (TVLA) aim to achieve?

To detect if a device leaks information that can be used in a side-channel attack. (D)

What differentiates a 'Non-specific TVLA test' from a 'Specific TVLA test'?

Whether the test aims to find any leakage versus targeting a specific intermediate value. (B)

In a TVLA, if the t-test value exceeds a certain threshold, what does it typically indicate?

There is a statistically significant difference between the fixed and random datasets, suggesting leakage. (B)

During TVLA, what is assumed in H0?

That the device is not guilty of leaking information. (B)

What should always be checked with dealing with a high-order implementation?

If lower orders leak. (C)

In the context of hypothesis testing, what could be considered a good choice for $H_0$?

The polio vaccine has no effect on the probability of developing paralytic polio. (B)

Why is TVLA considered a qualitative measure of leakage?

It indicates whether leakage is present, but not the extent of the leakage. (C)

Which of the following is a reason for a TVLA test to fail?

The effect size is too small. (B)

Using a success rate of order o, what does this metric specifically evaluate?

The probability that the correct encryption key is ranked among the first o guesses. (B)

To ensure data is representative, which known techniques can be applied?

Random Sampling, Counting Off, Convenience Sampling. (C)

When does the alternative hypothesis hold more relevance in hypothesis testing?

When the test statistic computes low p-values. (D)

For a selected null hypothesis, its validity is reinforced when...?

The tested samples provide p-values tending to 1. (B)

In the context of securing devices against power analysis, when assessing a high-order implementation, why should you look into its lower orders?

Side Channel analysis can lead to surprises. (A)

If you fail when performing a side channel analysis, using the TVLA method, but are not able to find vulnerabilities of a device, can you always be certain that the device is safe?

False - due to not finding vulnerabilities for now, doesn't mean that device is safe by any means. (B)

Assuming a set of traces, where the means match for both random and fixed subsets, should you still dismiss the hypothesis on a tested device?

The device should still maintain tests for other possible leaks. (D)

Flashcards

Guessing Entropy

Average position of the correct key in several experiments.

Success Rate of order o

A metric that represents whether target is ranked within the first 'o' positions.

Hypothesis

A tentative assumption made to draw out and test logical consequences.

Hypothesis testing

A tool for making decisions about a population, given some sample data.

Test statistic

A value calculated from sample data to evaluate compatibility with a hypothesis test.

Null hypothesis (H0)

A specific statement about a population parameter generated by the researcher.

Null-distribution

The sampling distribution of outcomes for a test statistic if the null hypothesis is true.

P-value

The probability that a value at least as extreme as our test statistics is observed when H0 is true.

Significance level (α)

The probability at which we reject the null hypothesis and conclude an effect is statistically significant.

Non-specific test

Aims to detect any leakage that depends on input data (or key), fixed vs. random.

Specific-test

Targets a specific intermediate value of the cryptographic algorithm, fixed vs. fixed.

Test Vector Leakage Detection (TVLA)

A popular leakage detection test.

Two-Sample T-Test

The test examines the means for two sets of data.

TVLA test

TVLA test is qualitative measure of leakage, NOT quantitative.

Study Notes

• Radboud University presents study notes on DPA Success Metrics and Leakage assessment, presented by Ileana Buhan, March 2024

DPA Attacks

• DPA attacks involve an encryption process E(k) and a distinguisher to analyze leakage models.
• DPA attacks use multiple message inputs (m1...mq) to perform cryptographic encryption E(k), then correlate with leakage models.
• Distinguisher (dq) processes predicted hypothetical values for each target intermediate.

Lecture Topics

• DPA Success Metrics
• Hypothesis Testing: A Primer
• Leakage Assessment

Success Metrics in SCA

• Success Metrics in Side Channel Analysis.

Guessing Entropy/Key Rank

• A key recovery experiment uses q queries to determine the correct value v*.
• The guess vector, denoted as gq, is the ordered ranking of guesses based on distinguisher values.
• Guessing entropy gives the correct key's average position in several experiments
• GE(q) = E[i, gi(v*) ∈ gq]
• GE (q) denotes the guessing entropy, defined as the expected position of the correct key v* within the guess vector gq
• The position of the correct key candidate is averaged over multiple experiments to compute GE(q).
• Helps to measure the average number of key candidates to be tested after a side-channel attack
• Helps to measure how much a side-channel attack reduced the complexity of an exhaustive key search

Success Rate

• Assesses if the correct target intermediate is ranked within the first 'o' positions.
• Success Rate of order o is expressed as SR°(q) = Pr{v* ∈ [g1, ... go]}.

Hypothesis Testing

• Used to check vulnerability to side-channel attacks
• Used to decide that a device is leaking information.
• The two hypothesis are device is or isn't guilty of leaking information
• Null Hypothesis Significance Testing (NHST) used

Types of questions

• Two-sample test- compares the test statics of 2 samples
• One-sample test- compares the test statics to a value

Hypothesis

• A tentative assumption that draws out logical or empirical consequences.

Population vs sample

• Population: The average concentration of salt for the water in the lake is 3%.
• Sample data: what is taken from the population to be tested
• When determining the salt concentration in the lake is testing a single sample: one-sample test

What Is Hypothesis Testing

• A tool for making decisions about a population (lake) given some sample data (glass of water).
• Evaluates two mutually exclusive statements about a population using sample data.

Test Statistic

• A number calculated from sample data- used to evaluate compatibility of experimental results with the hypothesis test.

Null Hypothesis Significance Testing in Three Steps

• Select the null hypothesis (H0) and significance level (α).
• Collect data.
• Test, to see if the null hypothesis can be rejected

Step 1: Selecting the Null Hypothesis

• The null hypothesis is a specific statement about a population parameter formulated by the researcher.
• A good null hypothesis should be interesting to reject and must be specific.
• The polio vaccine has no effect on the probability of developing paralytic polio is a good choice of H0
• Adding free gifts does not increase sales is a good choice of H0
• The power consumption of a device does not depend on the processed data is a good choice of H0
• The ratio of left to right-handed people is equal in the population is a good choice of H0

Step 2: Collecting Sample Data

• The sample collected must be representative of the population
• Known Techniques are: Random sampling, convenience sampling, counting off.

Step 3: Testing the Significance

• Consists of three parts: Null-distribution, P-values, Significance level.
• Null-distribution: Describes the universe where the null hypothesis is true.
• P-values: Measure the surprise, how surprised are we if we observe these data.
• Significance level.

3A: The Null-Distribution

• The sampling distribution of the outcomes for a test statistic under the assumption that the null hypothesis is true.

3B: P-Value

• The probability that a value at least as extreme as the test statistics is observed, assuming the null hypothesis is correct.
• If a small p value results, the observed sample test is unlikely which would case the H0 to be rejected
• Compute a p-value needing: null-distribution and an observed sample statistic.

3C: Significance Level

• The probability at which there is preparation to reject the null hypothesis and conclude the effect is statistically significant.

Leakage Assessment

• Test Vector Leakage Detection (TVLA) most popular leakage detection test.
• Non-Specific or General test: Aims to detect any leakage that depends on input data (or key); aka fixed vs random
• Specific-Test: Targets a specific intermediate value of the cryptographic algorithm that could be exploited to recover keys or other sensitive information; aka fixed -vs- fixed

TVLA

• Compare AES original implementation, to AES with ROSITA.

TVLA 1: Null Hypothesis

• H0: device is NOT guilty of leaking information -> μfixed = μrandom
• Ha: device is guilty of leaking information -> μfixed ≠ μrandom

TVLA 2: Collecting Data

• Involves collecting mean traces from encryption operations E(k) processing message inputs.

TVLA 3: Testing Significance

• Compute the sample statistic (standardized difference or t-score).
• Produce the appropriate null distribution (a t-distribution).
• Compute the p-value.
• Compare the p-value to the chosen significance level (α).

TVLA - Two-Sample t-Test

• First order tests analyze each sample independently.
• Can be expressed as t = (Xf - Xr) / √(sf² + sr² / (n-1))
• Where s² is average of sum from i=1 to n (xi - x)²

Experiment 1 (μf ≠ μr)

• T-scores and corresponding p-values are calculated to evaluate the statistical significance of the observed results.
• Power consumption tests for a device.

Experiment 2 (μf = μr)

• Analyzes power consumption with T-scores and corresponding p-values.

T-Scores and P-Values

• Help to measure the question: if I live in a world where H0 is true, how surprizing is to measure a t-score of -6.019?

TVLA Notes

• TVLA tests are qualitative, not quantitative, measure of leakage.
• When dealing with a high-order implementation, always check if lower orders leak.

Action Time

• TVLA results when using a fixed vs random data.
• Byte-Masked-AES TVLA result real vs. simulatio.

Final Notes

• Rejecting H0 vs. Accepting H0:
• A lack of evidence to support the guilty verdict does not mean the device is "innocent"; "We fail to reject HO" and NOT "we accept HO"
• The evidence supports the decision to reject HO at a significance level α.
• Why would TVLA fail: sample size too small, effect size too small because of wrong fixed input, too much noise, or bad luck from statistical tests being probabilistic.