Bitsliced Masking and Distance-Based Leakages. In order to perform leakage detection and determine the actual masking order, we opt to use the fixed vs. random, non-specific t-test statistic. The process involves two steps: a custom acquisition of two trace sets (populations) and a population comparison based on statistical inference. In the first step, we perform a fixed vs. random acquisition and obtain two distinct trace sets for comparison: Sfixed and Srandom, under the same encryp- tion key. For Sfixed, the input plaintext is set to a fixed value, while for Srandom, 7 Knowledge about the device can often be limited in the context of black-box evaluations. the input is drawn from a uniformly random distribution. Following the sugges- tion from ▇▇▇▇▇▇▇▇ et al. [42], the implementation receives the fixed or random plaintext in a non-deterministic and randomly-interleaved manner. This type of acquisition is performed in order to randomize the implementation’s internal state and avoid measurement-related variations over time, e.g. due to environ- mental parameters. The evaluation test to be performed is non-specific, i.e. we target all sensitive values computed during encryption. Thus, we maintain a wide attack scope, without any prior assumptions on the leakage model or intermedi- ate values. The acquisition is performed on the ARM-based Pinata device, using a Pico- scope 5203 oscilloscope and the Riscure current probe8. The device clock operates on 168 MHz and the oscilloscope’s sample rate is 1 GSample/sec. We also apply post-processing in the form of signal resampling. } and {S For the second step, we model the sets Sfixed and Srandom as inde- pendent random samples {S1
Appears in 1 contract
Sources: End User Agreement
Bitsliced Masking and Distance-Based Leakages. In order to perform leakage detection and determine the actual masking order, we opt to use the fixed vs. random, non-specific t-test statistic. The process involves two steps: a custom acquisition of two trace sets (populations) and a population comparison based on statistical inference. In the first first step, we perform a fixed vs. random acquisition and obtain two distinct trace sets for comparison: Sfixed and Srandom, under the same encryp- tion key. For Sfixed, the input plaintext is set to a fixed fixed value, while for Srandom, 7 Knowledge about the device can often be limited in the context of black-box evaluations. the input is drawn from a uniformly random distribution. Following the sugges- tion from ▇▇▇▇▇▇▇▇ et al. [42], the implementation receives the fixed fixed or random plaintext in a non-deterministic and randomly-interleaved manner. This type of acquisition is performed in order to randomize the implementation’s internal state and avoid measurement-related variations over time, e.g. due to environ- mental parameters. The evaluation test to be performed is non-specific, i.e. we target all sensitive values computed during encryption. Thus, we maintain a wide attack scope, without any prior assumptions on the leakage model or intermedi- ate values. The acquisition is performed on the ARM-based Pinata device, using a Pico- scope 5203 oscilloscope and the Riscure current probe8. The device clock operates on 168 MHz and the oscilloscope’s sample rate is 1 GSample/sec. We also apply post-processing in the form of signal resampling. } and {S For the second step, we model the sets Sfixed and Srandom as inde- pendent random samples {S1
Appears in 1 contract
Sources: End User Agreement