
Simulatable Leakage: Analysis, Pitfalls, and New Constructions

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Standard

Simulatable Leakage: Analysis, Pitfalls, and New Constructions. / Longo, Jake; Martin, Daniel P; Oswald, M E; Page, Daniel; Stam, Martijn; Tunstall, Mike.

Advances in Cryptology - ASIACRYPT 2014. Vol. 8873 Springer Berlin Heidelberg, 2014. p. 223-242 (Lecture Notes in Computer Science; Vol. 8873).


Harvard

Longo, J, Martin, DP, Oswald, ME, Page, D, Stam, M & Tunstall, M 2014, Simulatable Leakage: Analysis, Pitfalls, and New Constructions. in Advances in Cryptology - ASIACRYPT 2014. vol. 8873, Lecture Notes in Computer Science, vol. 8873, Springer Berlin Heidelberg, pp. 223-242. https://doi.org/10.1007/978-3-662-45611-8_12

APA

Longo, J., Martin, D. P., Oswald, M. E., Page, D., Stam, M., & Tunstall, M. (2014). Simulatable Leakage: Analysis, Pitfalls, and New Constructions. In Advances in Cryptology - ASIACRYPT 2014 (Vol. 8873, pp. 223-242). (Lecture Notes in Computer Science; Vol. 8873). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-662-45611-8_12

Vancouver

Longo J, Martin DP, Oswald ME, Page D, Stam M, Tunstall M. Simulatable Leakage: Analysis, Pitfalls, and New Constructions. In Advances in Cryptology - ASIACRYPT 2014. Vol. 8873. Springer Berlin Heidelberg. 2014. p. 223-242. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-662-45611-8_12

Author

Longo, Jake ; Martin, Daniel P ; Oswald, M E ; Page, Daniel ; Stam, Martijn ; Tunstall, Mike. / Simulatable Leakage: Analysis, Pitfalls, and New Constructions. Advances in Cryptology - ASIACRYPT 2014. Vol. 8873 Springer Berlin Heidelberg, 2014. pp. 223-242 (Lecture Notes in Computer Science).

Bibtex

@inproceedings{73c61817360f4d47a5c22ea3fda5ab8b,
title = "Simulatable Leakage: Analysis, Pitfalls, and New Constructions",
abstract = "In 2013, Standaert \emph{et al.} proposed the notion of simulatable leakage to connect theoretical leakage resilience with the practice of side-channel attacks. Their use of simulators, based on physical devices, to support proofs of leakage resilience allows verification of the underlying assumptions: the indistinguishability game, involving real vs. simulated leakage, can be `played' by an evaluator. Using a concrete, block-cipher-based leakage-resilient PRG and a high-level simulator definition (based on concatenating two partial leakage traces), they included detailed reasoning why said simulator (for AES-128) resists state-of-the-art side-channel attacks. In this paper, we demonstrate a distinguisher against their simulator and thereby falsify their hypothesis. Our distinguishing technique, which is evaluated using concrete implementations of the Standaert \emph{et al.} simulator on several platforms, is based on `tracking' consistency (resp. identifying simulator \emph{in}consistencies) in leakage traces by means of cross-correlation. In an attempt to rescue the approach, we propose several alternative simulator definitions based on splitting traces at points of low intrinsic cross-correlation. Unfortunately, these come with significant caveats, and we conclude that the most natural way of producing simulated leakage is by using the underlying construction `as is' (but with a random key).",
author = "Jake Longo and Martin, {Daniel P} and Oswald, {M E} and Daniel Page and Martijn Stam and Mike Tunstall",
year = "2014",
month = "12",
day = "7",
doi = "10.1007/978-3-662-45611-8_12",
language = "English",
isbn = "978-3-662-45607-1",
volume = "8873",
series = "Lecture Notes in Computer Science",
publisher = "Springer Berlin Heidelberg",
pages = "223--242",
booktitle = "Advances in Cryptology - ASIACRYPT 2014",
address = "Germany",

}

RIS - suitable for import to EndNote

TY - GEN

T1 - Simulatable Leakage: Analysis, Pitfalls, and New Constructions

AU - Longo, Jake

AU - Martin, Daniel P

AU - Oswald, M E

AU - Page, Daniel

AU - Stam, Martijn

AU - Tunstall, Mike

PY - 2014/12/7

Y1 - 2014/12/7

N2 - In 2013, Standaert et al. proposed the notion of simulatable leakage to connect theoretical leakage resilience with the practice of side-channel attacks. Their use of simulators, based on physical devices, to support proofs of leakage resilience allows verification of the underlying assumptions: the indistinguishability game, involving real vs. simulated leakage, can be 'played' by an evaluator. Using a concrete, block-cipher-based leakage-resilient PRG and a high-level simulator definition (based on concatenating two partial leakage traces), they included detailed reasoning why said simulator (for AES-128) resists state-of-the-art side-channel attacks. In this paper, we demonstrate a distinguisher against their simulator and thereby falsify their hypothesis. Our distinguishing technique, which is evaluated using concrete implementations of the Standaert et al. simulator on several platforms, is based on 'tracking' consistency (resp. identifying simulator inconsistencies) in leakage traces by means of cross-correlation. In an attempt to rescue the approach, we propose several alternative simulator definitions based on splitting traces at points of low intrinsic cross-correlation. Unfortunately, these come with significant caveats, and we conclude that the most natural way of producing simulated leakage is by using the underlying construction 'as is' (but with a random key).

AB - In 2013, Standaert et al. proposed the notion of simulatable leakage to connect theoretical leakage resilience with the practice of side-channel attacks. Their use of simulators, based on physical devices, to support proofs of leakage resilience allows verification of the underlying assumptions: the indistinguishability game, involving real vs. simulated leakage, can be 'played' by an evaluator. Using a concrete, block-cipher-based leakage-resilient PRG and a high-level simulator definition (based on concatenating two partial leakage traces), they included detailed reasoning why said simulator (for AES-128) resists state-of-the-art side-channel attacks. In this paper, we demonstrate a distinguisher against their simulator and thereby falsify their hypothesis. Our distinguishing technique, which is evaluated using concrete implementations of the Standaert et al. simulator on several platforms, is based on 'tracking' consistency (resp. identifying simulator inconsistencies) in leakage traces by means of cross-correlation. In an attempt to rescue the approach, we propose several alternative simulator definitions based on splitting traces at points of low intrinsic cross-correlation. Unfortunately, these come with significant caveats, and we conclude that the most natural way of producing simulated leakage is by using the underlying construction 'as is' (but with a random key).

U2 - 10.1007/978-3-662-45611-8_12

DO - 10.1007/978-3-662-45611-8_12

M3 - Conference contribution

SN - 978-3-662-45607-1

VL - 8873

T3 - Lecture Notes in Computer Science

SP - 223

EP - 242

BT - Advances in Cryptology - ASIACRYPT 2014

PB - Springer Berlin Heidelberg

ER -
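The abstract above describes a simulator that concatenates two partial leakage traces and a distinguisher that tracks consistency across a trace by cross-correlation. The following is an added toy illustration of that idea, written for this page; it is not code from the paper, its authors, or any of the concrete implementations they evaluated. It assumes a synthetic Hamming-weight leakage model with a random byte permutation as S-box, an assumed simulator that splices two random-key traces at a fixed operation boundary, and constructed sample traces; the threshold and all parameters are illustrative choices, not values from the paper.

```python
import random
import statistics

# Constructed toy S-box: a fixed random byte permutation stands in for a real
# cipher's non-linear layer. Everything in this file is an illustrative assumption.
_sbox_rng = random.Random(2014)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)

N_OPS = 8    # toy "operations" per trace; each leaks an operand read and a result write
SPLICE = 4   # operation boundary at which the assumed simulator joins two traces
NOISE = 0.8  # standard deviation of the Gaussian noise added to every sample


def hamming_weight(b: int) -> int:
    return bin(b & 0xFF).count("1")


def leak(rng: random.Random, x: int, k: int) -> list:
    """Toy leakage of one execution on input byte x under key byte k.

    State s_0 = x XOR k, s_{i+1} = SBOX[s_i]. Operation i leaks two samples:
    HW(s_i) (operand read) and HW(s_{i+1}) (result write), each with noise.
    The state therefore flows across every operation boundary, which is
    exactly what a cross-correlation consistency check looks for.
    """
    s = x ^ k
    trace = []
    for _ in range(N_OPS):
        nxt = SBOX[s]
        trace.append(hamming_weight(s) + rng.gauss(0, NOISE))
        trace.append(hamming_weight(nxt) + rng.gauss(0, NOISE))
        s = nxt
    return trace


def spliced_trace(rng: random.Random, x: int) -> list:
    """Assumed splicing simulator: it does not know the real key, so it runs the
    device twice under fresh random keys and concatenates the first half of one
    trace with the second half of the other."""
    first = leak(rng, x, rng.randrange(256))
    second = leak(rng, x, rng.randrange(256))
    return first[:2 * SPLICE] + second[2 * SPLICE:]


def random_key_trace(rng: random.Random, x: int) -> list:
    """The alternative the abstract ends on: run the construction as is,
    unspliced, under a random key."""
    return leak(rng, x, rng.randrange(256))


def pearson(a, b) -> float:
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    va = sum((u - ma) ** 2 for u in a)
    vb = sum((v - mb) ** 2 for v in b)
    return cov / (va * vb) ** 0.5


def boundary_correlations(traces) -> list:
    """For each operation boundary i, the cross-correlation over the trace set
    between the last sample of operation i-1 and the first sample of operation i.
    A real device writes and then reads the same state, so this is high at every
    boundary; a splice joins two unrelated states and shows up as a dip."""
    return [
        pearson([t[2 * i - 1] for t in traces], [t[2 * i] for t in traces])
        for i in range(1, N_OPS)
    ]


def looks_simulated(traces, threshold: float = 0.5) -> bool:
    """Distinguisher: flag the set if any boundary loses its consistency."""
    return min(boundary_correlations(traces)) < threshold


def build_trace_sets(n: int = 2000, seed: int = 1):
    """Constructed sample data: n real traces under one fixed key, n spliced
    simulator traces and n random-key traces, all on the same random inputs."""
    rng = random.Random(seed)
    key = rng.randrange(256)
    inputs = [rng.randrange(256) for _ in range(n)]
    real = [leak(rng, x, key) for x in inputs]
    spliced = [spliced_trace(rng, x) for x in inputs]
    random_key = [random_key_trace(rng, x) for x in inputs]
    return real, spliced, random_key


if __name__ == "__main__":
    for name, traces in zip(("real", "spliced", "random-key"), build_trace_sets()):
        verdict = "simulated" if looks_simulated(traces) else "consistent"
        print(f"{name:11s} {verdict:10s}",
              " ".join(f"{c:5.2f}" for c in boundary_correlations(traces)))
```

In this toy model the adjacent-sample correlation sits around 0.75 at every boundary of a real trace (Hamming-weight variance 2 against noise variance 0.64) and collapses to about 0 at the splice of the simulated traces, so the dip both distinguishes the sets and localises the splice. The unspliced random-key traces pass the same check, which is the only sense in which this toy reflects the abstract's closing remark; it models neither the evaluator's knowledge of the real input and output nor the caveats the paper attaches to its alternative simulators.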