2017 年 E100.A 巻 11 号 p. 2398-2407
In ASIACRYPT2015, a new model for the analysis of block cipher against side-channel attack and a dedicated attack, differential bias attack, were proposed by Bogdanov et al. The model assumes an adversary who has leaked values whose positions are unknown and randomly chosen from internal states (random leakage model). This paper improves the security analysis on AES under the random leakage model. In the previous method, the adversary requires at least 234 chosen plaintexts; therefore, it is hard to recover a secret key with a small number of data. To consider the security against the adversary given a small number of data, we reestimate complexity. We propose another hypothesis-testing method which can minimize the number of required data. The proposed method requires time complexity more than t>260 because of time-data tradeoff, and some attacks are tractable under t≤280. Therefore, the attack is a threat for the long-term security though it is not for the short-term security. In addition, we apply key enumeration to the differential bias attack and propose two evaluation methods, information-theoretic evaluation and experimental one with rank estimation. From the evaluations on AES, we show that the attack is a practical threat for the long-term security.
