On Side Channel Cryptanalysis and Sequential Decoding

This paper presents an approach for side channel cryptanalysis with iterative approximate Bayesian inference, based on sequential decoding methods. Reliability information about subkey hypotheses is generated in the form of likelihoods, and sets of subkey hypothesis likelihoods are optimally combined into key bit log likelihood ratios. The redundancy of expanded keys in multi-round cryptographic schemes is exploited to correct round key estimation errors. This is achieved by sequential decoding, where subkey candidates are sorted by a probabilistic path metric and iteratively extended. The M-algorithm is presented as a concrete implementation example with deterministic runtime behaviour. The resulting algorithm contains previous hard decision differential analysis as special case for single-round analysis and M=1, and is strictly more accurate otherwise. The trade-off between estimation accuracy and complexity is scalable by parameter choice. The proposed algorithm is simulatively shown in an example scenario to reduce the number of required side channel traces compared to standard differential analysis by a factor of two when run with reasonable complexity, for the whole investigated signal-to-noise ratio range.