# Tight and Scalable Side-Channel Attack Evaluations through Asymptotically Optimal Massey-like Inequalities on Guessing Entropy


## Abstract


## 1. Introduction

- We demonstrate that a recent improvement on Massey’s inequality between Massey’s guessing entropy and Shannon’s entropy (Rioul’s improved inequality) is asymptotically optimal (which is highly relevant to scalability).
- We provide a new improvement on Massey’s inequality that is even tighter than the above for all finite-size data distributions.
- We extend and prove the above results when dealing with multiple lists of probabilities (distributions), as is the case when dealing with the results of side-channel attacks on multiple key bytes (proving scalability).
- We apply our results to concrete side-channel attack datasets to demonstrate the improvements of the methods from this paper over the state of the art.

## 2. Preliminaries

## 3. The Asymptotically Optimal Massey-like Inequality

**Proof.**

## 4. Refinement for Finite Support Distributions

**Lemma 1.**

**Proof.**

**Theorem 2.**

**Proof.**

^{th} component of the sequence ${\mathbf{Q}}_{k}$, we define the terms of the list $\left(\right)$ as follows. We let the support of the first term coincide with $\mathbf{p}$, i.e., ${\mathbf{Q}}_{0} = \left( p_{0},\, p_{1},\, \dots,\, p_{n},\, 0,\, 0,\, \dots,\, 0,\, \dots \right)$, and we define the other terms by recurrence:

## 5. Scalability of Bounds

**Theorem 3.**

**Theorem 4.**

**Proofs.**

## 6. Evaluation on Side-Channel Attack Data

#### 6.1. Evaluation Data

- For each dataset (power traces), we run a Template Attack [23] using the set of power traces to determine the most likely value of each of the 16 bytes of the AES key. The result of this attack is a list of probabilities ${\mathbf{p}}^{k}=\{{p}_{1},{p}_{2},\dots ,{p}_{256}\}$ for each of the 16 bytes of the AES key ($K=[{k}_{1}{k}_{2}\dots {k}_{16}]$).
- Using the lists of probabilities ${\mathbf{p}}^{1},{\mathbf{p}}^{2},\dots ,{\mathbf{p}}^{16}$, we compute the bounds (those from this paper as well as those from CHES 2017) first for each byte individually and then for attacks on two or more key bytes. Note that a direct computation of the guessing entropy through the cross-product of several lists of probabilities (e.g., for more than 8 key bytes) is not feasible, as we would have to process lists of more than ${2}^{64}$ elements. Instead, the bounds from this paper (as well as those from CHES 2017) use the per-byte lists of probabilities directly and very efficiently, without performing the cross-product, to derive security metrics for attacks on many target bytes.
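The following added example (not code from the paper or its authors) illustrates why the cross-product is avoided: it computes the exact guessing entropy of one and two key bytes, and contrasts it with a Massey-type lower bound derived from the per-byte Shannon entropies alone. It uses Massey's classic inequality $G \ge 2^{H-2}+1$ (for $H \ge 2$ bits) rather than the refined bounds of this paper, assumes the subkey bytes are independent (so the joint entropy is the sum of per-byte entropies), and uses constructed probability lists as a stand-in for template-attack output.

```python
import math
from itertools import product

def shannon_entropy(p):
    """Shannon entropy in bits of a probability list (zero entries skipped)."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def guessing_entropy(p):
    """Exact guessing entropy: expected number of guesses when candidates are
    tried in descending order of probability (1-indexed rank)."""
    return sum(i * x for i, x in enumerate(sorted(p, reverse=True), start=1))

def massey_bound(h_bits):
    """Massey's classic lower bound G >= 2^(H-2) + 1, valid for H >= 2 bits."""
    if h_bits < 2:
        raise ValueError("Massey's inequality requires H >= 2 bits")
    return 2 ** (h_bits - 2) + 1

def joint_massey_bound(byte_lists):
    """Bound for the full key from the per-byte lists only: with independent
    subkeys the joint entropy is the sum of per-byte entropies, so no
    cross-product over 2^(8*n) candidate keys is ever materialised."""
    return massey_bound(sum(shannon_entropy(p) for p in byte_lists))

def joint_guessing_entropy(byte_lists):
    """Exact joint guessing entropy via the cross-product (feasible only for a few bytes)."""
    joint = [math.prod(c) for c in product(*byte_lists)]
    return guessing_entropy(joint)

def skewed_byte_list(correct, weight):
    """Constructed stand-in for a template-attack output over 256 byte values:
    the correct value gets extra mass `weight`, the rest is spread uniformly."""
    rest = (1.0 - weight) / 256
    return [rest + (weight if v == correct else 0.0) for v in range(256)]

if __name__ == "__main__":
    lists = [skewed_byte_list(0x2B, 0.6), skewed_byte_list(0x7E, 0.3)]  # constructed
    for k, p in enumerate(lists, 1):
        h = shannon_entropy(p)
        print(f"byte {k}: H={h:.2f} bits  G={guessing_entropy(p):.1f}  Massey>={massey_bound(h):.1f}")
    print(f"2 bytes: exact G={joint_guessing_entropy(lists):.1f}  Massey>={joint_massey_bound(lists):.1f}")
    sixteen = [skewed_byte_list(v, 0.3) for v in range(16)]  # 2^128 keys: no cross-product
    print(f"16 bytes: log2(Massey bound)={math.log2(joint_massey_bound(sixteen)):.2f}")
```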

#### 6.2. Evaluation on a Single Byte

#### 6.3. Evaluation on Two Bytes

#### 6.4. Evaluation on All 16 Bytes

## 7. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Network and Security. Cyber Security and Resilience of Smart Cars; Network and Security: Columbia, MD, USA, 2016.
- Network and Security. Sectoral/Thematic Threat Analysis: ENISA Threat Landscape; Network and Security: Columbia, MD, USA, 2020.
- Garcia, F.D.; Oswald, D.; Kasper, T.; Pavlides, P. Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems; USENIX Security Symposium: Austin, TX, USA, 2016.
- Camurati, G.; Poeplau, S.; Muench, M.; Hayes, T.; Francillon, A. Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS) **2018**, 2018, 163–177.
- Standaert, F.X.; Malkin, T.G.; Yung, M. A unified framework for the analysis of side-channel key recovery attacks. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, 26–30 April 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 443–461, ISBN 978-3-642-01001-9.
- Veyrat-Charvillon, N.; Gerard, B.; Renauld, M.; Standaert, F.X. An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks. In Proceedings of the Selected Areas of Cryptography: 2012, Windsor, ON, Canada, 15–16 August 2012; pp. 390–406, ISBN 978-3-642-35999-6.
- Veyrat-Charvillon, N.; Gerard, B.; Standaert, F.X. Security evaluations beyond computing power. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, 26–30 May 2013; pp. 126–141, ISBN 978-3-642-38348-9.
- Bernstein, D.J.; Lange, T.; van Vredendaal, C. Tighter, Faster, Simpler Side-Channel Security Evaluations beyond Computing Power. ePrint Archive. 2015. Available online: https://eprint.iacr.org/2015/221 (accessed on 1 June 2021).
- Glowacz, C.; Grosso, V.; Poussier, R.; Schüth, J.; Standaert, F.X. Simpler and more efficient rank estimation for side-channel security assessment. In Proceedings of the International Workshop on Fast Software Encryption, Istanbul, Turkey, 8–11 March 2015; pp. 117–129, ISBN 978-3-662-48116-5.
- Poussier, R.; Standaert, F.X.; Grosso, V. Simple key enumeration (and rank estimation) using histograms: An integrated approach. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems (CHES), Santa Barbara, CA, USA, 17–19 August 2016; pp. 61–81, ISBN 978-3-662-53140-2.
- David, L.; Wool, A. A Bounded-Space Near-Optimal Key Enumeration Algorithm for Multi-subkey Side-Channel Attacks. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 14–17 February 2017; pp. 311–327, ISBN 978-3-319-52153-4.
- Choudary, M.O.; Popescu, P.G. Back to Massey: Impressively fast, scalable and tight security evaluation tools. In Proceedings of the 2017 International Conference on Cryptographic Hardware and Embedded Systems (CHES), Taipei, Taiwan, 25–28 September 2017; pp. 367–386, ISBN 978-3-319-66787-4.
- Massey, J.L. Guessing and entropy. In Proceedings of the 1994 IEEE International Symposium on Information Theory (ISIT), Trondheim, Norway, 27 June–1 July 1994; p. 204, ISBN 0-7803-2015-8.
- Grosso, V. Scalable key rank estimation (and key enumeration) algorithm for large keys. In Proceedings of the International Conference on Smart Card Research and Advanced Applications, Montpellier, France, 12–14 November 2018; pp. 80–94, ISBN 978-3-030-15462-2.
- Popescu, P.G.; Choudary, M.O. Refinement of Massey Inequality. In Proceedings of the 2019 IEEE International Symposium on Information Theory (ISIT), Paris, France, 7–12 July 2019; pp. 495–496.
- Rioul, O. On Guessing. 2013; unpublished note.
- De Chérisey, E.; Guilley, S.; Rioul, O.; Piantanida, P. Best Information is Most Successful. In Proceedings of the 2019 International Conference on Cryptographic Hardware and Embedded Systems (CHES), Atlanta, GA, USA, 25–28 August 2019; pp. 49–79.
- Tănăsescu, A.; Popescu, P.G. Exploiting the Massey Gap. Entropy **2020**, 22, 1398.
- Rioul, O. Variations on a Theme by Massey. arXiv **2021**, arXiv:2102.04200.
- Mazumdar, B.; Mukhopadhyay, D.; Sengupta, I. Constrained Search for a Class of Good Bijective S-Boxes With Improved DPA Resistivity. IEEE Trans. Inf. Forensics Secur. **2013**, 8, 2154–2163.
- Choudary, M.O.; Kuhn, M.G. Efficient, portable template attacks. IEEE Trans. Inf. Forensics Secur. **2017**, 13, 490–501.
- Carré, S.; Guilley, S.; Rioul, O. Persistent fault analysis with few encryptions. In Proceedings of the 2020 International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE), Lugano, Switzerland, 1–3 April 2020; ISBN 978-3-030-68773-1.
- Chari, S.; Rao, J.R.; Rohatgi, P. Template Attacks. In Proceedings of the 2003 Cryptographic Hardware and Embedded Systems (CHES), Redwood Shores, CA, USA, 13–15 August 2002; pp. 13–28, ISBN 978-3-540-36400-9.
- The Common Criteria Web Site. 2021. Available online: https://www.commoncriteriaportal.org/ (accessed on 1 June 2021).
- Arikan, E. An inequality on guessing and its application to sequential decoding. IEEE Trans. Inf. Theory **1996**, 42, 99–105.
- Sason, I.; Verdú, S. Improved bounds on lossless source coding and guessing moments via Rényi measures. IEEE Trans. Inf. Theory **2018**, 64, 4323–4346.
- Kuzuoka, S. On the conditional smooth Rényi entropy and its applications in guessing and source coding. IEEE Trans. Inf. Theory **2019**, 66, 1674–1690.
- Huleihel, W.; Salamatian, S.; Médard, M. Guessing with limited memory. In Proceedings of the 2017 IEEE International Symposium on Information Theory (ISIT), Aachen, Germany, 25–30 June 2017; pp. 2253–2257.

**Figure 1.** Bounds for the simulated (**left**) and real (**right**) datasets, when targeting a single subkey byte. These are averaged results over 100 experiments.

**Figure 2.** Bounds for the simulated (**left**) and real (**right**) datasets, when targeting two subkey bytes. These are averaged results over 100 experiments.

**Figure 3.** Bounds for the simulated (**left**) and real (**right**) datasets, when targeting all the 16 AES key bytes. These are averaged results over 100 experiments.


© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Tănăsescu, A.; Choudary, M.O.; Rioul, O.; Popescu, P.G.
Tight and Scalable Side-Channel Attack Evaluations through Asymptotically Optimal Massey-like Inequalities on Guessing Entropy. *Entropy* **2021**, *23*, 1538.
https://doi.org/10.3390/e23111538
