Collision-Correlation Attack against Some 1st-Order Boolean Masking Schemes in the Context of Secure Devices

In this paper we study the collision-correlation attack published by Clavier et al. at CHES 2011 on a 1-order boolean masking scheme and show its lack of robustness against unknown and high level of measurement noise. In order to improve the attack, we follow the approach that Gérard and Standaert proposed in a recent paper at CHES 2012. Then we address the problem of heterogeneous leakage pointed out by Gérard and Standaert (when the leakage noise is different from one Sbox output to the others due for instance to implementation particularities or resynchronisation reasons), by inserting an efficient termination algorithm in the key-recovery phase of the attack. In a last contribution, we compare (over simulations and real experiments) the enhanced collision-correlation attack and the 2-order CPA attack. Similarly to the results of Gérard and Standaert, we show – in the context of masked implementations – the superiority of 2-order CPA when its leakage model is not too far from the real leakage function.