Gaëtan Cassiers
TU Graz, Graz, Austria

Henri Devillez
UCLouvain, ICTEAM, Crypto Group, Louvain-la-Neuve, Belgium

François-Xavier Standaert
UCLouvain, ICTEAM, Crypto Group, Louvain-la-Neuve, Belgium

Balazs Udvarhelyi
UCLouvain, ICTEAM, Crypto Group, Louvain-la-Neuve, Belgium

Keywords: Linear Regression, Linear Discriminant Analysis, Belief Propagation

Abstract

32-bit software implementations become increasingly popular for embedded security applications. As a result, profiling 32-bit target intermediate values becomes increasingly needed to evaluate their side-channel security. This implies the need of statistical tools that can deal with long traces and large number of classes. While there are good options to solve these issues separately (e.g., linear regression and linear discriminant analysis), the current state of the art lacks efficient tools to solve them jointly. To the best of our knowledge, the best-known option is to fragment the profiling in smaller parts, which is suboptimal from the information theoretic viewpoint. In this paper, we therefore revisit regression-based linear discriminant analysis, which combines linear regression and linear discriminant analysis, and improve its efficiency so that it can be used for profiling long traces corresponding to 32-bit implementations. Besides introducing the optimizations needed for this purpose, we show how to use regression-based linear discriminant analysis in order to obtain efficient bounds for the perceived information, an information theoretic metric characterizing the security of an implementation against profiled attacks. We also combine this tool with optimizations of soft analytical side-channel attack that apply to bitslice implementations. We use these results to attack a 32-bit implementation of SAP instantiated with Ascon’s permutation, and show that breaking the initialization of its re-keying in one trace is feasible for determined adversaries.