Although protecting leaking devices against key recovery attacks is already diffi-cult, ensuring security against this type of attacks is unfortunately not sufficient.
One generally expects pseudorandom generators, functions, or permutations to be indistinguishable from truly random. For example, we can refer to the formal defi-nitions of security for symmetric encryption schemes in [4]. As an illustration, we use the real or random indistinguishability. In this setting, the adversary has access to an oracleEnck(RR(·,b))that takes an input message x and does the following:
toss a coin b, if b = 0, returnEnck(x), else returnEnck(r), whereEnck(x)is an encryption scheme (i.e., typically, our block cipherEk(x)put into a certain mode of operation) and r ←R−X is a uniformly distributed random message.
Definition 1 LetEnc:K×X →Xbe an encryption scheme andAbe an algorithm that has access to the oracleEnck(RR(·,b)). We consider
1In [31,42], an implementation is defined as the combination of a target device and a measurement setup. We use the same definition in this chapter.
SuccrorEnc,A−ind−b =Pr[k←−R K:A(Enck(RR(·,b)))=1] The ror-advantage of a chosen plaintext adversaryAagainstEncis:
AdvrorEnc,A−cpa=SuccrorEnc,A−ind−1−SuccEnc,Aror−ind−0
We say that an encryption schemeEncis ror-indistinguishable if this ror-advantage is negligible for any polynomial time adversary.
The central issue when trying to adapt this definition to a physically observ-able device is that in general, a leakage trace easily allows distinguishing real inputs/outputs from random ones. This can be intuitively understood by looking at Fig.3 where the leakage trace corresponding to an encryption yi = Enck(xi) is plotted. In this trace, we see that different dependencies can be observed and exploited: the beginning of the trace mainly leaks about the input xi; the core of the trace leaks jointly about the input xi and the secret key k; finally, the end of the trace mainly leaks about the output yi. In most practical side-channel attacks, the leakage is in fact sufficient to recover the secret key k, provided a sufficient amount of (different) encrypted plaintexts can be observed.
Say now that the adversary does not have to recover the key, but to distinguish a real outputEnck(xi)from a random oneEnck(r), given the input xiand the leakage trace corresponding to the encryption of xi. In fact, the leakage trace will easily allow doing this distinction. For example, imagine that some samples in the leakage trace depend on the Hamming weight HW(xi), a frequently considered model in practice. With high probability, this Hamming weight will not be equal to HW(r). In
Fig. 3 Impossibility to assume indistinguishability for block ciphers
other words, since we can hardly achieve implementations secure against key recov-ery, it is even harder to achieve implementations providing an indistinguishability notion. At least, this is definitely not something that we can take for granted. Note that for exactly the same reasons, the existence of durable functions and maximal one-way functions as assumed in [31] cannot be considered as reasonable founda-tions for a leakage resilient cryptography.
The previous discussion suggests that “protecting” the inputs/outputs of a crypto-graphic algorithm against distinguishing attacks enhanced with physical leakages is a difficult task. Following this observation, a natural idea is to try analyzing simpler security notions for simpler primitives first. For example, [22,31,33,34] consider PRGs. In this context, two security definitions can be considered, namely the next bit unpredictability introduced in [6] and the current output indistinguishability intro-duced in [49]. In a black box setting, these two notions are equivalent. But as pointed out in [31], this equivalence does not hold anymore with physically observable devices. The reason of this difference can be easily understood from the example in Fig.3. Intuitively, what essentially matters from a side-channel point of view is the word “next” in these definitions. That is, distinguishing current outputs from random ones is trivial if one can access the leakage corresponding to this output (as in the Hamming weight example). But predicting the next output bit may still be difficult in this case. Therefore, the following sections will consider a definition of security that corresponds to the next output indistinguishability (or equivalently to the next bit unpredictability). We denote this security notion as physical indistinguishability.
Definition 2 LetGq:K→K×Xqbe an iterative pseudorandom generator, with q iterations denoted as[k1,x1] =G(x0),[k2,x2] =G(k1), . . . ,[kq,xq] =G(kq−1).
Let lq = [L(k1,x1),L(k2,x2), . . . ,L(kq,xq)]be the leakage vector corresponding to these q iterations. LetPq=(Gq,L)be the physical implementation correspond-ing to the combination of the pseudorandom generatorGqwith the leakage function L. Let finallyAbe an algorithm that takes the plaintexts xq = [x1,x2, . . . ,xq]and leakages lqas input and returns a bit. We consider
SuccprgPq,−Aind−0=Pr[k0
←−R K,[xq+1,kq+1] =Pq+1(k0)lq+1:A(xq+1,lq)=1), SuccprgPq,A−ind−1=Pr[k0
←−R K,[xq,kq]=Pq(k0)lq;xq+1
←R−X :A(xq+1,lq)=1).
The ind-advantage ofAagainstPqis defined as:
AdvprgPq,A−ind=SuccprgPq,A−ind−0−SuccprgPq,A−ind−1
The implementation of a PRG is physically indistinguishable if the ind-advantage of any polynomial time adversary against this implementation is negligible.
We observe that, contrary to the definitions of Dziembowski and Pietrzak [12, 34], our definition is not adaptive in the sense that the leakage function is the pre-defined before the q iterations of the PRG. We believe that this definition is realistic
since the information leaked is essentially a function of the targeted device rather than a choice of the adversary. Besides, letting the adversary select different leakage functions for different runs of the circuit results in an overly strong definition in many cases, as we will further discuss in Sects.5.1and6.4.