### Citations

961 | No free lunch theorems for optimization
- Wolpert, Macready
Citation Context ...practice, there are many options open to the attacker in steps 2 and 3. It is notoriously difficult to a priori apply the most well-suited machine learning solution to any particular problem instance [26], and an exhaustive testing of all possible strategies is infeasible. Given the infeasibility to find ‘optimal’ strategies across scenarios, we provide some meaningful choices using the methods outlin...

288 | Razor: a low-power pipeline based on circuit-level timing speculation.
- Ernst, Kim, et al.
- 2003
Citation Context ... conditional noise. Note that this incorporates the scenario in which the traces are misaligned (possibly deliberately, via ‘hiding in the time dimension’ [15]; it also covers countermeasures such as [9,3] which are based on frequency/voltage changing. Assuming some proportion of the traces coincide for a given intermediate value, the signal will persist weakly, with the remaining (non-aligned) traces ...

262 | Power Analysis Attacks: Revealing the Secrets of Smart Cards.
- Mangard, Oswald, et al.
- 2007
Citation Context ...increasingly large proportion to the observed conditional noise. Note that this incorporates the scenario in which the traces are misaligned (possibly deliberately, via ‘hiding in the time dimension’ [15]; it also covers countermeasures such as [9,3] which are based on frequency/voltage changing. Assuming some proportion of the traces coincide for a given intermediate value, the signal will persist we...

158 | Template Attacks.
- Chari, Rao, et al.
- 2003
Citation Context ... profiling data sets achieved this via Bayesian classification in a supervised manner: so called template DPA attacks utilise multivariate Gaussian distributions, which are built in a profiling phase [6] from traces with a known key. Recent strategies have incorporated more explicit machine learning tools such as support vector machines (SVM) [12,11,14] and random forests [14]. Theoretically, any sup...

140 | A unified framework for the analysis of side-channel key recovery attacks.
- Standaert, Malkin, et al.
- 2009
Citation Context ...indow widths and to the various profiling/attack trace discrepancies detailed above. 4.1 ‘Straightforward’ (software) scenario Fig. 1 shows the guessing entropies (average ranks of the correct subkey [21]) after attacks against the output of the first S-box in software as the sample sizes vary. Crucially, the clustering strategy can be seen to ‘work’—that is, all the variants reduce uncertainty about ...

68 | A stochastic model for differential side channel cryptanalysis
- Schindler, Lemke, et al.
- 2005
Citation Context ...access to (and control of) a device matching the one they intend to target. They can therefore, in a preliminary stage, build informed models for the secret-value-dependent form of the device leakage [6,19,12]. The measurements obtained from a target device can then be compared with these models (e.g. using Bayesian classification) to reveal the most likely secret values. The motivation behind our clusteri...

29 | Mutual Information Analysis: A Generic Side-Channel Distinguisher
- Gierlichs, Batina, et al.
- 2008
Citation Context ... model’ in the terminology of [25]). Our suggestion is to extract such a nominal power model in a profiling phase designed to be followed by a partition-based DPA attack [20] (mutual information (MI) [10], Kolmogorov-Smirnov (KS) [23], the variance ratio (VR) [20] and its multivariate extension in the context of Differential Cluster Analysis (DCA) [4], to name a few examples). Such a strategy represen...

27 | Partition vs. comparison side-channel distinguishers: An empirical evaluation of statistical tests for univariate side-channel attacks against two unprotected CMOS devices.
- Standaert, Gierlichs, et al.
- 2008
Citation Context ...arget values (a ‘nominal power model’ in the terminology of [25]). Our suggestion is to extract such a nominal power model in a profiling phase designed to be followed by a partition-based DPA attack [20] (mutual information (MI) [10], Kolmogorov-Smirnov (KS) [23], the variance ratio (VR) [20] and its multivariate extension in the context of Differential Cluster Analysis (DCA) [4], to name a few examp...

26 | A formal study of power variability issues and side-channel attacks for nanoscale devices
- Renauld, Standaert, et al.
- 2011
Citation Context ...template attacks when the profiling and attack measurements are generated by distinct devices (or even just distinct acquisition campaigns) are the subject of considerable attention in the literature [18,8]; Choudhary et al. [7] find that the main difference is a DC offset, which may be compensated for to some extent by simply mean-centering the traces and/or via well-chosen compression techniques such ...

24 | One for All, All for One: Unifying Standard DPA Attacks, Cryptology ePrint Archive, Report 2009/449
- Mangard, Oswald, et al.
Citation Context ...sequent attack phases. In Sect. 4 we present our experimental results, and we conclude in 5. 2 Preliminaries 2.1 Differential power analysis We consider a ‘standard DPA attack’ scenario as defined in [16], and briefly explain the underlying idea as well as introduce the necessary terminology here. We assume that the power consumption P = {P1, ..., PT } of a cryptographic device (as measured at time po...

21 | Template attacks in principal subspaces
- Archambeau, Peeters, et al.
- 2006
Citation Context ...s that all of the ‘important’ information will be concentrated into a small number of components. PCA has been proposed as a means of locating ‘points of interest’ for inclusion in Gaussian templates [2,17]. It has also been used to pre-process traces for more efficient non-profiled correlation DPA attacks [5]. Moreover, it is typically used in combination with unsupervised clustering algorithms to conc...

21 | Practical Template Attacks
- Rechberger, Oswald
Citation Context ...s that all of the ‘important’ information will be concentrated into a small number of components. PCA has been proposed as a means of locating ‘points of interest’ for inclusion in Gaussian templates [2,17]. It has also been used to pre-process traces for more efficient non-profiled correlation DPA attacks [5]. Moreover, it is typically used in combination with unsupervised clustering algorithms to conc...

15 | Power Attack Resistant Cryptosystem Design: A Dynamic Voltage and Frequency Switching Approach
- Yang, Wolf, et al.
- 2005
Citation Context ...window width. (See Sect. 4.6). – The attack traces are imperfectly aligned, as though (for example) the dynamic power saving technique of [9] had been in operation, or a hiding countermeasure such as [27]. Whilst methods exist to improve alignment (see, e.g. [22]), none are known to remove the problem entirely. By ranging from small to greater distortions, we approximate cases in which alignment metho...

14 | Differential cluster analysis
- Batina, Gierlichs, et al.
- 2009
Citation Context ...on-based DPA attack [20] (mutual information (MI) [10], Kolmogorov-Smirnov (KS) [23], the variance ratio (VR) [20] and its multivariate extension in the context of Differential Cluster Analysis (DCA) [4], to name a few examples). Such a strategy represents an interesting middle course between completely unprofiled attacks relying on difference-of-means or on ‘typical’ power models such as the Hamming...

13 | Mutual information analysis: How, when and why
- Veyrat-Charvillon, Standaert
- 2009
Citation Context ...[25]). Our suggestion is to extract such a nominal power model in a profiling phase designed to be followed by a partition-based DPA attack [20] (mutual information (MI) [10], Kolmogorov-Smirnov (KS) [23], the variance ratio (VR) [20] and its multivariate extension in the context of Differential Cluster Analysis (DCA) [4], to name a few examples). Such a strategy represents an interesting middle cours...

12 | Getting More from PCA: First Results of Using Principal Component Analysis for Extensive Power Analysis
- Batina, Hogenboom, et al.
- 2012

12 | A Fair Evaluation Framework for Comparing Side-Channel Distinguishers
- Whitnall, Oswald
- 2011
Citation Context ...riance ratio [20]. We choose to practically verify our strategy using the latter of these, because of its conceptual simplicity, its computational efficiency, its good performance in previous studies [20,24], and the fact that it very naturally extends to multivariate DCA attacks as shown by Batina et al. in [4]. The variance ratio ranks hypothesis-dependent cluster arrangements according to the proporti...

10 | Machine learning in side-channel analysis: a first study
- Hospodar, Gierlichs, et al.
- 2011
Citation Context ...an distributions, which are built in a profiling phase [6] from traces with a known key. Recent strategies have incorporated more explicit machine learning tools such as support vector machines (SVM) [12,11,14] and random forests [14]. Theoretically, any supervised classification method could be chosen—with varying degrees of success as different algorithms are more or less suited to different underlying da...

9 | Evaluation of Dynamic Voltage and Frequency Scaling as a Differential Power Analysis Countermeasure
- Baddam, Zwolinski
Citation Context ... conditional noise. Note that this incorporates the scenario in which the traces are misaligned (possibly deliberately, via ‘hiding in the time dimension’ [15]; it also covers countermeasures such as [9,3] which are based on frequency/voltage changing. Assuming some proportion of the traces coincide for a given intermediate value, the signal will persist weakly, with the remaining (non-aligned) traces ...

8 | Improving Differential Power Analysis by Elastic Alignment
- Woudenberg, Witteman, et al.
Citation Context ...rfectly aligned, as though (for example) the dynamic power saving technique of [9] had been in operation, or a hiding countermeasure such as [27]. Whilst methods exist to improve alignment (see, e.g. [22]), none are known to remove the problem entirely. By ranging from small to greater distortions, we approximate cases in which alignment methods have been applied with varying success. We achieved this...

6 | Power analysis attack: an approach based on machine learning
- Lerman, Bontempi, et al.
Citation Context ...an distributions, which are built in a profiling phase [6] from traces with a known key. Recent strategies have incorporated more explicit machine learning tools such as support vector machines (SVM) [12,11,14] and random forests [14]. Theoretically, any supervised classification method could be chosen—with varying degrees of success as different algorithms are more or less suited to different underlying da...

5 | The myth of generic DPA...and the magic of learning
- Whitnall, Oswald, et al.
Citation Context ...lying an unsupervised clustering algorithm to leakage measurements with known sensitive values we thus learn a meaningful partition of the target values (a ‘nominal power model’ in the terminology of [25]). Our suggestion is to extract such a nominal power model in a profiling phase designed to be followed by a partition-based DPA attack [20] (mutual information (MI) [10], Kolmogorov-Smirnov (KS) [23]...

4 | Portability of templates
- Elaabid, Guilley
Citation Context ...template attacks when the profiling and attack measurements are generated by distinct devices (or even just distinct acquisition campaigns) are the subject of considerable attention in the literature [18,8]; Choudhary et al. [7] find that the main difference is a DC offset, which may be compensated for to some extent by simply mean-centering the traces and/or via well-chosen compression techniques such ...

3 | Template Attacks on Different Devices
- Choudhary, Kuhn
- 2014
Citation Context ... profiling and attack measurements are generated by distinct devices (or even just distinct acquisition campaigns) are the subject of considerable attention in the literature [18,8]; Choudhary et al. [7] find that the main difference is a DC offset, which may be compensated for to some extent by simply mean-centering the traces and/or via well-chosen compression techniques such as linear discriminant...

2 | Intelligent Machine Homicide
- Heuser, Zohner
- 2012
Citation Context ...an distributions, which are built in a profiling phase [6] from traces with a known key. Recent strategies have incorporated more explicit machine learning tools such as support vector machines (SVM) [12,11,14] and random forests [14]. Theoretically, any supervised classification method could be chosen—with varying degrees of success as different algorithms are more or less suited to different underlying da...

1 | Attacking an AES-Enabled NFC Tag: Implications from Design to a Real-World Scenario
- Korak, Plos, et al.
- 2012
Citation Context ...f the coarser 6 All our data stems from real devices: one implementation of AES on an ARM7 processor, and one implementation of AES in dedicated hardware (an ASIC custom-built for the TAMPRES project [1,13]) using a 32-bit architecture but with a serial S-box look-up. In order to create data sets with different characteristics we did however not change the measurement setups as this would have been a to...