Gini-Impurity Index Analysis
In the past few decades, DPA-based side-channel attack strategies, such as DPA and CPA, have shown strong ability to analyze the security of the cryptographic implementations. However, the unpredictability of the leakage model and the correspondence between leakage behavior of the target device and...
Gespeichert in:
Veröffentlicht in: | IEEE transactions on information forensics and security 2021, Vol.16, p.3154-3169 |
---|---|
Hauptverfasser: | , , |
Format: | Artikel |
Sprache: | eng |
Schlagworte: | |
Online-Zugang: | Volltext bestellen |
Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
Zusammenfassung: | In the past few decades, DPA-based side-channel attack strategies, such as DPA and CPA, have shown strong ability to analyze the security of the cryptographic implementations. However, the unpredictability of the leakage model and the correspondence between leakage behavior of the target device and the hypothetical leakage value make it less-effective without prior knowledge. Therefore, in this paper, we present a novel generic side-channel analysis method called Gini-impurity Index Analysis (GIA), utilizing Gini-impurity Index as the distinguisher, which can perform well even without any leakage model and is not sensitive to the existing methods' restrictions about the leakage behavior. Firstly, we introduce the basic idea of GIA. According to the proposed GIA attack strategy, the Gini-impurity index for each key hypothesis should be calculated, determined by the clustered power consumption and the classified subsets based on the key dependent target function. Secondly, we verify the feasibility and evaluate the efficiency of GIA with different target functions by the practical experimental results against AES-128 implemented on an AT89S52 microcontroller. We present one possible multivariate extension of GIA and find the advantage of GIA on leakage information utilization. Thirdly, we present the results of comparisons. On the one hand, we compare GIA with three widely-used distinguishers under simulated traces in various leakage scenarios and practical traces with Hamming-weight-related leakage. Results confirm that GIA can always perform well with different leakage models in most situations. On the other hand, we analyze the relationship between GIA and Mutual Information Analysis (MIA). Theoretical and experimental results confirm that these two methods can obtain similar attack results. However, the guessing entropy of GIA is lower than MIA by up to 21%, and the averaged computational time overhead of GIA is lower than MIA by up to 13.3%, indicating that GIA is more efficient than MIA. Compared to traditional MIA, GIA is easier to operate and more flexible with noise. Therefore, GIA is an efficient and useful alternative to these existed strategies. |
---|---|
ISSN: | 1556-6013 1556-6021 |
DOI: | 10.1109/TIFS.2021.3076932 |