5.1.13 Optimization of Attacks In a

5.1.13 Optimization of Attacks
In a SCA attack, the attacker usually guesses the secret key portion by portion. As a consequence, a large number of measurements are required to mount a successful SCA attack. However in the real world of a SCA attack, the number of measurements is often limited, or it is at least costly to perform a large number of measurements. From the attacker’s point of view it is hence desirable to minimize the error probabilities for the guesses of the particular key parts (for a given number of measurements) or vice versa, to minimize the number of measurements which is necessary for a successful attack. If the outcome of the previous guesses has an impact on the guessing strategy of the present key part it is additionally desirable to have criteria with which the correctness of the previous guesses can be verified with reasonable probability. In order to exploit the side-channel information in an optimal manner, Schindler developed a general approach to optimize the SCA attacks through using stochastic process methods and statistical decision theory [112]. It was demonstrated that by applying appropriate stochastic methods it was possible to increase the efficiency of a number of known attacks considerably, in one case even by factor 50. Noticing the ample power of the optimizations, we are justified in anticipating that more advanced statistical methods and even multivariate data analyzing theories be adopted to optimize the well-known side channel attacks.
5.2 Concrete Countermeasures
So far, there are many strategies (both in hardware and software) being proposed to combat side-channel attacks, among which some general strategies are [76]: ● de-correlate the output traces on individual runs (e.g., by introducing random timing shifts and wait states, inserting dummy instructions, randomization of the execution of operations, etc.); ● replace critical assembler instructions with ones whose “consumption signature” is hard to analyze, or re-engineer the critical circuitry which performs arithmetic operations or memory transfers; ● make algorithmic changes to the cryptographic primitives so that attacks are provably inefficient on the obtained implementation, e.g., masking data and key with random mask generated at each run. It had been shown [75,76] that among all these kinds of countermeasures, algorithmic techniques are the most versatile, all-pervasive, and may be the most powerful. Also, in many contexts they are the cheapest to put in place. Software-based countermeasures include introducing dummy instructions, randomization of the instruction execution sequence, balancing Hamming weights of the internal data, and bit splitting. On the hardware level, the countermeasures usually include clock randomization [80,91], power consumption randomization or compensation [82], randomization of instruction set execution and/or register usage [83]. However, the effect of these countermeasures can be reduced by various signal processing techniques [84]. Software countermeasures against SCA attacks considerably hinder performance of cryptographic algorithms in terms of memory or execution time or both. One of the challenges is to achieve secure implementation with as little extra cost as possible.