Carolyn Whitnall

The literature on side-channel analysis describes numerous masking schemes designed to protect block ciphers at the implementation level. Such masking schemes typically require the computation of masked tables prior to the execution of an encryption function. In this paper we revisit an attack which directly exploits this computation in such a way as to …
The ability to make meaningful comparisons between side-channel distinguishers is important both to attackers seeking an optimal strategy and to designers wishing to secure a device against the strongest possible threat. The usual experimental approach requires the distinguishing vectors to be estimated: outcomes do not fully represent the inherent …
Following the pioneering CRYPTO ’99 paper by Kocher et al., differential power analysis (DPA) was initially geared around low-cost computations performed using standard desktop equipment with minimal reliance on device-specific assumptions. In subsequent years, the scope was broadened by, e.g., making explicit use of (approximate) power models. An important …
A generic DPA strategy is one which is able to recover secret information from physically observable device leakage without any a priori knowledge about the device's leakage characteristics. Here we provide much-needed clarification on results emerging from the existing literature, demonstrating precisely that such methods (strictly defined) are inherently …
Side-channel attacks using only a single trace crucially rely on the capability of reliably extracting side-channel information (e.g. Hamming weights of intermediate target values) from traces. In particular, in original versions of simple power analysis (SPA) or algebraic side-channel attacks (ASCA) it was assumed that an adversary can correctly extract …
The resistance of cryptographic implementations to side-channel analysis is a matter of considerable interest to those concerned with information security. It is particularly desirable to identify the attack methodology (e.g. differential power analysis using correlation or distance-of-means as the distinguisher) able to produce the best results. Attempts to …
A theme of recent side-channel research has been the quest for distinguishers which remain effective even when few assumptions can be made about the underlying distribution of the measured leakage traces. The Kolmogorov-Smirnov (KS) test is a well-known non-parametric method for distinguishing between distributions, and, as such, a perfect candidate and an …
Power (along with EM, cache and timing) leaks are of considerable concern for developers who have to deal with cryptographic components as part of their overall software implementation, in particular in the context of embedded devices. Whilst there exist some compiler tools to detect timing leaks, similar progress towards pinpointing power and EM leaks has …
Performance targets are commonly used in the public sector, despite their well-known problems when organisations have multiple objectives and performance is difficult to measure. It is possible that such targets may work where there is considerable consensus that performance needs to be improved. We investigate this possibility by examining the response of …