A Comparison of x²-Test and Mutual Information as Distinguisher for Side-Channel Analysis

Abstract

Masking is known as the most widely studied countermea[1]sure against side-channel analysis attacks. Since a masked implementa[1]tion is based on a certain number of shares (referred to as the order of masking), it still exhibits leakages at higher orders. In order to exploit such leakages, higher-order statistical moments individually at each order need to be estimated reflecting the higher-order attacks. Instead, Mutual Information Analysis (MIA) known for more than 10 years avoids such a moment-based analysis by considering the entire distribution for the key recovery. Recently the χ 2 -test has been proposed for leakage detection and as a distinguisher where also the whole distribution of the leakages is analyzed. In this work, we compare these two schemes to examine their dependency. Indeed, one of the goals of this research is to conclude whether one can outperform the other. In addition to a theoretical comparison, we present two case studies and their corresponding practical evaluations. Both case studies are masked hardware implementations; one is an FPGA-based re[1]alization of a threshold implementation of PRESENT, and the other is an AES implementation as a coprocessor on a commercial smart card.