Models and algorithms for physical cryptanalysis
Abstract
This thesis is dedicated to models and algorithms for use in physical cryptanalysis, a new and evolving discipline in the implementation security of information systems. Physical cryptanalysis is based on physically observable and manipulable properties of a cryptographic implementation. Physical observables, such as the power consumption or electromagnetic emanation of a cryptographic device, are so-called ‘side channels’. They contain exploitable information about the internal states of an implementation at runtime. Physical effects can also be used for the injection of faults. Fault injection is successful if it recovers internal states by examining the effects of an erroneous state propagating through the computation. This thesis provides a unified framework for side channel and fault cryptanalysis. Its objective is to improve the understanding of physically enabled cryptanalysis and to provide new models and algorithms. A major motivation for this work is that methodical improvements for physical cryptanalysis can also help in developing efficient countermeasures for securing cryptographic implementations. This work examines differential side channel analysis of boolean and arithmetic operations, which are typical primitives in cryptographic algorithms. Different characteristics of these operations can support a side channel analysis, even of unknown ciphers. It also provides evidence that existing simple leakage models are suboptimal in practice and that there is a need for improvements. A main research contribution of this thesis is a new stochastic model for multivariate side channel analysis, allowing for an approximation of the real side channel leakage for any given internal state of an implementation. The proposed stochastic methods can capture both different time instants and different internal states as part of a multivariate side channel cryptanalysis. Furthermore, methods are made available for the case in which the implementation applies masking techniques to hide internal states.
Experimental results are included that confirm the efficiency of these stochastic algorithms. In particular, it is proved that the new algorithms are clearly superior to univariate differential side channel analysis. A performance analysis for templates and stochastic methods has been added. This led to further optimizations, so that the final algorithms can be seen as the most efficient ones for side channel cryptanalysis.
Similar resources
A Performance Survey of Meta-Heuristic And Brute-Force Search Algorithms to Cryptanalysis The SDES Encryption Algorithm
For many years, cryptanalysis has been considered as an attractive topic in jeopardizing the security and resistance of an encryption algorithm. The SDES encryption algorithm is a symmetric cryptography algorithm that performs a cryptographic operation using a crypt key. In the world of encryption, there are many search algorithms to cryptanalysis. In these researches, brute force attack algori...
Security of Sponge structures
Sponge structure is a structure widely used in the design of cryptographic algorithms that reduces the design of the algorithms to the design of a permutation or pseudo-random function. The development of sponge-based algorithms and the selection of designs based on this structure in SHA3 and CAESAR competitions increase the need to examine its security against various types of attacks. In the ...
Cryptanalysis of GSM encryption algorithm A5/1
The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with a time and data complexity of 2^39.91 and 2^21.1, ...
General form of a cooperative gradual maximal covering location problem
Cooperative and gradual covering are two new methods for developing covering location models. In this paper, a cooperative maximal covering location–allocation model is developed (CMCLAP). In addition, both cooperative and gradual covering concepts are applied to the maximal covering location simultaneously (CGMCLP). Then, we develop an integrated form of a cooperative gradual maximal covering ...
A new method for accelerating impossible differential cryptanalysis and its application on LBlock
Impossible differential cryptanalysis, the extension of differential cryptanalysis, is one of the most efficient attacks against block ciphers. This cryptanalysis method has been applied to most of the block ciphers and has shown significant results. Using structures, key schedule considerations, early abort, and pre-computation are some common methods to reduce complexities of this attack. In ...