A Novel Multiple-Bits Collision Attack Based on Double Detection with Error-Tolerant Mechanism

,


Introduction
Although modern cryptographic algorithms have been proven to be safe mathematically, this does not mean that the physical implementation is safe enough, where attacker can obtain some physical information from side channel.Side-channel attack (SCA) was proposed almost 20 years ago, which was first put forward in 1996 by Kocher [1] and became a powerful cryptanalysis technique.Power consumption analyses are widely used in SCA, which utilizes the relation between power consumption or electromagnetic signal of the executing device and processed data in order to recover the key value.Since Differential Power Analysis (DPA) was proposed in 1997 [2], whose distinguisher is the difference of the mean traces, various distinguishers have been designed and improved to enhance attack ability and efficiency, for example, Pearson correlation coefficient as a distinguisher for Correlation Power Analysis (CPA)[3], mutual information for Mutual Information Analysis (MIA) [4], and maximum likelihood for Template Attack [5,6] (TA) and Template Based DPA [7].However, the necessity of estimating and establishing the leakage model has been a serious restriction for SCA, which collision attack can ignore.Collision attack was first proposed to analyze Hash algorithm [8] and has become a branch of mathematical cryptanalysis, but it only reveals relation between input and output without exploiting internal information as SCA.
As a combination of SCA and collision attack, sidechannel collision attack can exploit the information of internal leakage without a large number of power traces as well as the knowledge of the leakage model.Side-channel collision attack showed strong ability of attack, when first presented [9] against Data Encryption Standard (DES) by Schramm et al., which was applied to AES [10] successfully later.Then all kinds of improved versions [11][12][13][14][15][16][17] of side-channel collision attack sprang up, and most of these methods show high sensitivity to errors, where the recovered key is totally wrong even when error occurs only in 1 bit under the high noise level circumstance, leading to a low efficiency.Bogdanov presented some voting detection methods that seemed to be more practical [14], but they need too many traces in a profiling phase and encrypting the same plaintexts repeatedly for decreasing the influence of noise may not be realistic.In 2010, Moradi proposed a correlation-enhanced method [15] that improves the probability of collision, but it may need lots of average power traces to process an attack and is sensitive to errors.In 2011, Bogdanov proposed an attack strategy [17] that uses the results of DPA to test chain separately.This method can improve the success probability in a sense that it cannot check the mistakes in collision detection which highly impact the attack results.Then Gérard et al. combined Low Density Parity Check (LDPC) decoding with correlationenhanced and Euclidean Distance detection method in 2012 [16], which can be a globally efficient attack strategy in noisy settings.Two side-channel collision attack procedures based on bitwise collision detection were proposed, respectively, by Ren et al [18] in 2015 and by Wang et al [19] in 2017, which may have a poor performance on the detection success rate with high level noise.However, efficiency of collision detection and lack of error-tolerant and check mechanism are two main issues of existing side-channel collision attack.
Our Contribution.In this paper, we propose a novel multiplebits collision attack framework.In particular, double distance voting detection (DDVD) and the error-tolerant and check mechanism are presented to ensure the high accuracy.In addition, we compare our collision detection method called DDVD with the Euclidean Distance and the correlationenhanced collision methods under different intensity of noise, which indicates that our detection technique has a better performance in the circumstances of noise.Furthermore, 4-bit collision attack is proven to be optimal in theory and experiments.Practical attack experiments are performed successfully on a hardware implementation of AES in FPGA board.
The remainder of this paper is organized as follows.In Section 2, for a better understanding, we introduce some notations of our method as well as the basic linear collision attacks and then review the binary and ternary voting detection methods, correlation-enhanced collision attack, and LDPC decoding method in collision attack.In Section 3, a novel framework of multiple-bits collision attack is presented and we take the 4-bit model as an example to explain the attack procedure.In Section 4, we propose an improved version with an error-tolerant and check mechanism.In Section 5, we compare our collision detection method with other widely used detection techniques under different intensity of noise and analyze our model, and the experiments as well as the comparisons are also shown.Finally, we give the conclusion in Section 6.

Preliminaries
In order to understand the strategy easily, AES is chosen as the target block cipher to perform the attack method.As for the hardware implementation of this paper, it operates each of 16 S-boxes, which are used for the SubBytes operation, sequentially one by one.The following proposed statements and techniques can be successfully utilized in other cryptographic symmetric algorithms.

Notations.
For a better description of the proposed method, we define some notations as follows.First we use letters k and p for 16-byte plaintext and first round subkey, with subscripts indicating a particular byte: Then we use the superscripts letters m and l for the 4 most significant bits and 4 least significant bits separately, meaning that    ≜   [7: 4],    ≜   [7: 4],    ≜   [3: 0],    ≜   [3: 0].Next, the attacker is able to choose the value of plaintext with key value all the same.The superscripts   and   state that the 4 most significant bits and 4 least significant bits are equal to values  and  in decimal format: Each trace acquired corresponding to first-round encryption contains 16 subtraces due to 16 sequential S-boxes, with subscripts indicating a particular S-box and each subtrace contains a number p of points, which are denoted by the subscripts: Furthermore, we use    (   ) to denote the power trace corresponding to the plaintext, where the value of 4 most (least) significant bits of all 16 bytes is f () in decimal format; namely, {   = } 16 =1 ({   = } 16 =1 ).However, if the superscript is a certain digit, it shows that the plaintext is this value or power trace is corresponding to the plaintext with this value.For example,  128  1 means that the first byte of plaintext equals 128 in decimal format and  128  1 is denoted as the power trace of the first S-box operation with the corresponding plaintext byte being 128.Meanwhile, we use () and () for the nth acquisition of power traces and plaintexts, respectively.

Linear Collision Attack.
The internal collision was first presented for attacking DES [9].It is based on the fact that if a collision on a key-dependent function can be detected, the attacker can acquire some relations between the different inputs.
Linear collision is based on the internal collision.When it is applied to AES, if a collision between two S-boxes operations of the first round is detected (e.g., the collision between the ith and the jth S-boxes in Figure 1), it is obvious that (4) is tenable: Then one can obtain a linear equation about the relation between plaintexts and first round subkey: Online Stage: (1)  If the attacker can find all possible relations among 16 key bytes by detecting the collision of S-boxes, then he will obtain an equation set about the key bytes of the first round containing 15 linear equations: Note that all the equations in the set are relevant, and there is only one free variable.Thus, this equation set only has 2 8 possible solutions, which means that we just need to enumerate all 256 possible candidates of 1 key byte to recover the whole key value.However, under the noisy experiment setting, the collision detection method may detect wrong collisions, which lead to some incorrect equations in (6).For all equations in (6) are relevant, even if only one bit error occurs in any equation, the equation system will have no solution.Thus, in this paper, we propose a detection method called DDVD which is to ensure a high detection success rate.

Voting Detection Methods.
In [14], Bogdanov proposed the voting detection containing binary voting test and ternary voting test.Both binary and ternary voting tests are based on Euclidean Distance.For binary voting test, if an attacker can acquire a lot of power traces of the same plaintexts, he will calculate the Euclidean Distance between two trace pairs of different plaintexts.Then the attacker should calculate the total number of the trace pairs whose distance is less than a predetermined threshold.When the total number is more than the predetermined voting value, it can be confirmed that one collision is detected.However, the basic strategy of ternary voting test is the same as binary voting test, but instead of calculating the Euclidean Distance directly, this method requires calculating the distance between each of the obtained power traces with certain plaintexts and the reference power traces that are obtained during a profiling phase preparing a set of reference traces without knowing related encrypting values.[15].This method compares the correlation coefficient between two sets of power traces corresponding to two different Sboxes rather than detecting the collision between two single power traces.

Correlation-Enhanced Collision Attack. Correlation-enhanced collision attack was one of the last major advanced detection techniques proposed by Moradi et al in 2010
As can be seen in Algorithm 1, we take the detection between S-box 1 and S-box 2 as an example.In the online stage, an attacker should obtain N power traces corresponding to N plaintexts.When in offline stage, the attacker cuts the power trace into 16 sections based on the operation of 16 S-boxes and takes the section for S-box 1 and S-box 2. Then  1 () is divided into 256 groups according to the plaintext byte value and the attacker can get the averaged power traces of each group ({  1 } 255 =0 ), which is the same for S-box 2. Next, for each value of Δ ∈ (2 8 ), the attacker rearranges { 2 } based on the value of  ⊕ Δ and calculates correlation coefficients (Δ) between {  1 } 255 =0 and { ⊕Δ 2 } 255 =0 .If Δ =  1 ⊕  2 , the correlation (Δ) shall reach a maximum value; otherwise, it should have a pretty low value.

LDPC Decoding Problem in Collision Attack. In [16],
Gérard et al. proposed a unified and optimized collision attack method.The proposed method rewrote the linear collision attack as a LDPC decoding problem, according to the linear relationship: (1) Algorithm 2: Multiple-bits side-channel collision attack.
The vector ΔK = (Δ 1,2 , Δ 2,3 , ⋅ ⋅ ⋅ , Δ 15,16 ) can be seen as an LDPC codeword whose dimension is 15 and length is 120.Finding the right key value is just to decode the LDPC code.Furthermore, in order to make the attack method have a better performance in the noisy settings, actual posteriori probability value of each code was used for LDPC decoding, which is called soft decision decoding.Unlike soft decision decoding, hard decision decoding uses bit value for decoding.Compared to soft decision decoding, the effect of hard decision decoding is worse in a noise setting but the computation complexity is lower.
In this paper, for the error-tolerant and check mechanism, we choose top three possible values for each Δ  1 , 3 as candidates and find the likeliest value based on (7).It may be seen as a kind of hard decision decoding procedure.However, due to the DDVD, the detection success rate may remain in a high level in some noisy settings.

A Novel Framework of Multiple-Bits Collision Attack
In this section, a framework of multiple-bits side-channel collision attack is presented.As can be seen in Figure 2, plaintexts need to be chosen based on multiple-bits (n-bits) model and then we prepare the power trace.Double distance voting detection is the important part of the framework ensuring the high success probability along with high efficiency.However, the principal part of the framework is based on a circulation.Each iteration stands for an attack, where we obtain only nbits of a byte relation between all key bytes.After several iterations, the whole byte value of Δ between all key bytes can be acquired, which will be utilized to recover the key value.Due to the fact that the 4-bit collision attack leads to the highest efficiency, which will be proven and verified in Section 5, we take the 4-bit model as an example to explain our attack method.According to our attack framework, for 4-bit model, 2 iterations are enough to recover the key value, whereof one is for the four most significant bits and the other is for the four least significant bits.In the rest of this paper, we only describe the strategy for the four most significant bits of one byte.The remaining four least significant bits can be found using the same technique.(1) for  = 0: 15 statements can be applied to our multiple-bits models.For example, some parameters of 4-bit model are 15 or 16, which can be interpreted as 2 4 − 1 or 2 4 , and thus for other n-bits model, the parameters should be 2  − 1 or 2  .Like most of other attack strategies, our method also first gets some traces and proceeds with some preprocessing, seen from Steps1, 2, and 3. Double distance voting detection is the core of our method combining enhanced Euclidean Distance detection and voting detection, which ensures our success rate.Finally, based on the main idea in Section 2.2, when we find all possible relations among 16 key bytes, the brute force way is able to find the right key value quickly, for we only need to enumerate 256 key values.Some details will be presented in the following sections.

Choose Plaintexts.
According to our attack strategy, we assume that the attacker is able to choose the plaintext.The 4-bit side-channel collision attack model aims to detect the collision of 4 bits between 2 different S-boxes, and in this situation other 4 bits are the noise for the detection.It is important for improving the efficiency of our method to determine how to choose the value of { being random.As for preprocessing the power traces, the detailed procedures are stated in Algorithm 4. For each of the trace sets, we can average all N power traces in this set to a single averaged trace.Each of the averaged power traces is composed of 16 subtraces corresponding to 16 sequential S-boxes operations and can be cut into 16 subtraces.Thus, we can obtain 16 averaged power traces containing 16 subtraces.

Double Distance Voting Detection. Double distance vot-
ing detection is the core of our attack technique ensuring the high success rate and stability.As is seen in Algorithm 5, DDVD is composed of enhanced Euclidean Distance detection and voting detection.For a better understanding of our DDVD technique, a diagrammatic sketch is shown in Figure 3. Taking S-boxes  1 and  2 as an example, there shall be 16 subtraces {t m j 1  Input: 2 sets of sub-traces:{t Output: the 4 most significant bits of Δk i 1 ,i 2 : Δk m i 1 ,i 2

Improved Framework
In this section, we propose an improved framework of multiple-bits side-channel collision attack, where we modify our double distance voting detection and insert the errortolerant and check mechanism.As is shown in Figure 4, in this new framework, the modified double distance detection works with the error-tolerant and check mechanism, which leads to a remarkable promotion in the success rate as well as the attack efficiency.We still take the 4-bit model as an example to describe the improved attack framework of our method.The procedure is shown in Algorithm 6.Like Section 3, we only care about the four most significant bits, with the four least significant bits being almost the same.Algorithms of ChoosePlaintexts, AcquireTrace, and PreprocessTrace are all the same.In the rest of this section, we only explain the modified double distance voting detection and the fresh error-tolerant and check mechanism.

Modified Double Distance Voting Detection.
The modified detection method is shown in Algorithm 7. Just like the original one, the input of the DDVD is still 2 sets of subtraces corresponding to 2 different S-boxes, but the output changes from a single value to a 1×3 matrix including 3 candidate values of Δ   1 , 2 .Euclidean Distance between each subtrace of a certain S-box and a set of subtraces of another S-box also should be calculated first.Then, instead of choosing n with the maximum number as the result, we prefer three values whose number is in the top three Δ   1 , 2 where  1 and  2 range from 1 to 15.

Error-Tolerant and Check Mechanism.
Error-tolerant and check mechanism is presented in Algorithm 8. Three candidate values ensure the error-tolerant mechanism.The main thought of the error detection and tolerance is based on (6), which provides a way to find errors occurring in collision detections.
In order to recover the key value correctly, 15 delta values (Δ 1,2 , Δ 2,3 , . . ., Δ 15,16 ) should be right.Thus, for each candidate of Δ ,+1 , any exiting relations in ( 7) should be checked.If there exists a candidate of Δ ,+1 that can pass the check, it will be the final result of Δ ,+1 ; otherwise this attack is considered to have failed and should start from the beginning again.

Comparison of Detection Success Rate under Noise. Collision detection technique has played an important role in
side-channel collision attack.In this section, we compare double distance voting detection (DDVD) proposed in this paper with other two widely used detection techniques, which are correlation-enhanced detection [15] and traditional Euclidean Distance detection with dimension reduction [17], respectively.

Input : 3 candidates for each Δk
= 0 exiting all loops (8) end if (9) end for (10)end for Algorithm 8: Error-tolerant.collision detection generates incorrect results, DPA makes no sense for recovering the right key value.Therefore, the success rate of Euclidean Distance detection for that method is the key part.
The power traces are obtained from an AES hardware design implemented on a SAKURA-G board.Each trace shall be averaged by four power traces with the same input.The noise of the traces usually comes from both electronic noise mainly containing power supply noise, clock generator noise, conducted emissions, and radiated emissions and algorithm noise which are the power assumption of other uncorrelated operations.For SAKURA-G is a dedicated board that may be far from being noisy, we can add the Gaussian noise of different intensity into the averaged traces to model the noise, which can be used for an initial analysis of efficiency of different detection techniques [14].SNR (signal-to-noise ratio) is used for indicating the intensity of the noise, which is defined as follows: The comparison result is shown in Figure 5. Detection technique proposed in this paper is marked with DDVD, and correlation-enhanced method in [15] and Euclidean Distance in [17] are denoted as CE and ED, respectively.The value of SNR ranges from 0 dB to 30 dB.Each technique is done for 1000 times to calculate the success rate.As is shown in Figure 5, our detection technique performs better under the noise.

How Many Bits Are Best for Multiple-Bits Model.
In this paper, we propose a multiple-bits collision attack model, and all the statements are based on the 4-bit model, which can be expanded to other n-bits (n ranging from 1 to 8) models.However, one question we should figure out is how many bits are best for the multiple-bits model of our attack method.
What matters in our attack strategy is the necessary number of power traces to reach a given success rate, which reflects the attack efficiency.Therefore, we will analyze the necessary number of power traces for different model both in theory and in experiment.
In Section 5.1, the performance of our detection method in noise environment is presented; thus, for a simple analysis in this section, we assume that the noise for an n-bits model only comes from the operation of other 8-n bits and all 2  decision making units in Figure 3 are independent.So, for the n-bits model, when preparing the power traces (Sections 3.2 and 3.3), we need h power traces of each byte to obtain the averaged traces.When we compute the Euclidean Distance between two single averaged traces whose n-bits can cause the collision (e.g., the probability that these two averaged traces have the least Euclidean Distance is where letter C is denoted as combinatorial number, n equals the number of bits in the model, and h equals the number of traces for calculating the average.Due to the fact that 8 n-bits of one byte are random, there are a total of  ℎ 2 8− ×  ℎ 2 8− kinds of choices to determine these two averaged power traces.Since there shall be only one corresponding plaintext of one byte which can cause a collision with each plaintext of another byte, there are a total of  ℎ 2 8− ×  ℎ 2 8− −ℎ kinds of choices that include no collision plaintext pair.
The probability of successful detection for the method proposed in Section 3 and the improved method presented in Section 4 is calculated separately as follows: where Pr is equal to (9) and n is the number of bits in the model.From the illustration of Figure 3, there are 2  decision making units for the n-bits model.According to the rules of voting detection that the value that occurs the maximum times is chosen as the final result, if more than half of the decision making units generate the wrong answer, the voting detection shall fail.Result of all 2  decision making units can be seen as the binomial distribution, so the probability that more than half of the units generate wrong result is Analysis for the improved method in Section 4 is similar, and if more than threequarters of the decision making units generate the wrong answer, the voting detection shall fail.
As for the necessary number of the power traces, it can be calculated as follows: where ⌈⌉ stands for the minimum integer that is larger than n.According to our attack strategy, for each n-bits model, we should get 2  averaged power traces and each trace is averaged by h original power traces.Obviously, the method should be operated for ⌈8/⌉ times.According to (9), ( 10), (11), and (12), we estimate the necessary number of the power traces to reach a 90% success rate for the basic attack method in Section 3 and an improved version in Section 4, shown in Tables 1 and 2, respectively.The 1-bit model only has two possible results, so improved method makes no sense for it.It is obvious that, in theory, 4-bit model collision attack needs the least number of traces with high efficiency, which will be verified later in experiments.Furthermore, the practical experiments have been carried out to find how many bits are best for the proposed multiplebits model.Figure 6 shows the necessary number of power traces to reach a 90% success rate for the original approach presented in Section 3 (denoted as MBDD), while Figure 7 shows the he necessary number of power traces for the improved version proposed in Section 4 (denoted as MBDD-ET).As can be seen in Figures 6 and 7, it is verified that 4bit model (in black) is the best choice when operating the proposed attack strategy.

Experiments and Results
. The attack method and the improved method with error-tolerant mechanism have been performed successfully in practice against a hardware design with an 8-bit data path of AES, where 16 S-boxes are sequentially operated in every round operation.The target AES is implemented on a Xilinx SPARTAN-6 FPGA of a SAKURA-G circuit board.An Agilent MSO-X 9104A oscilloscope is employed to collect original power traces.In our case, each power trace obtained contains about 32365 points.
For a better understanding, operation on  The accumulation of all points' square of difference between two subtraces is the value of Euclidean Distance.We take Figure 8(a) as an example to describe its meaning.} 15  1 =0 is marked by grey curves.If the black curve is lower than any other grey curves, the decision making unit will generate the right candidate.An initial and rough conclusion can be drawn that when in situations like Figure 8(a), whose black curve is close to zero, two traces corresponding to a collision may have the lowest distance, meaning that the corresponding decision making unit generates the right candidate, but in some exceptional situations such as Figure 8(p), whose black curve is higher than some grey curves, collision cannot be assured by minimum Euclidean Distance and the unit generates the wrong candidate.Therefore, voting detection works to determine the final value of Δ  1,2 .As is shown in Figure 9, (1011) 2 occurs the maximum times, and voting detection chooses it to be the final result.

Comparison.
In this section, we compare our improved attack version denoted as MBDD with correlation-enhanced collision attack [15], bitwise collision attack [19], and LDPC method with Euclidean Distance detection [16] denoted as CECA, BCA, and LDPC, respectively.Comparisons are done from three aspects, which are relation between success rate and necessary number of traces, relation between success rate and online time, and relation between offline time and online time.Each compared method was performed 1000 times for calculating an actual success rate.
In this section,  V is used for indicating the total time that the oscilloscope spends on capturing and averaging one power trace in real time, and   is for indicating the time that the oscilloscope spends on acquiring and saving one trace.Taking Agilent MSO-X 9104A oscilloscope that we use for acquiring power traces as an example,   is about 50 times of  V .The number of power traces used to obtain one averaged power trace in oscilloscope is denoted as q, and the number of saved averaged power traces is n.Therefore, the online time denoted as   can be written as And we fix  = 6 for this experiment, so Figure 10 presents the relations between success rate and number of traces.As can be seen from Figure 10, LDPC  has a better performance.To get a high given success rate, LDPC needs less number of traces.However, in Figure 11, the success rate is as a function of the total online time rather than the number of original power traces.As is mentioned above, we can decrease the online time due to the fact that the time an oscilloscope spends on averaging one trace is much less than saving one trace.It is obvious in Figure 11 that the performance of MBDD with error-tolerant mechanism got a promotion under this setting.Due to the fact that the 4-bit model of MBDD can find all 120 relations among 16 key bytes with 32 averaged power traces, the fact that the oscilloscope spends less time on averaging traces does a favor for MBDD to have a higher success rate with the same online time.Meanwhile, it seems that LDPC method does not have a remarkable promotion as MBDD with the help of averaging traces.The reason may be that the collision detection method of LDPC will need more averaged traces to detect all collisions occurring among 16 key bytes, even if traces are far from being noisy.However, the results of Figures 10 and 11 can reflect that LDPC is more tolerant to noise because the performance of LDPC in a noisy setting is almost the same as that in a less noisy setting.
Finally, we show the relation between offline time and online time for LDPC and MBDD.The offline time, which reflects the computational complexity, was estimated by MATLAB.As is shown in Figure 12, LDPC is more costly in terms of computation time than MMBD.However, the increased time overhead is slight.For LDPC, the offline time decreases as the online time increases, which indicates that the number of iterations for LDPC decoding decreases.For MBDD, the offline time increases as the online time increases, and it quickly converges to a certain value.
From these comparisons, it can be confirmed that LDPC with soft decision decoding has less trace overhead but more computation time overhead than MBDD, which can be seen as a kind of hard decision decoding procedure.In addition, the necessary number of traces for our method is 90% less than CECA and 96% less than BCA.

Conclusion
In this paper, we proposed a basic multiple-bits side-channel collision attack framework based on double distance voting detection.Then an improved version with modified double detection as well as error-tolerant and mechanism is presented.The 4-bit model is proven to be the optimal choice for the novel attack strategy in both theory and practice.Practical attack experiments are performed successfully on a hardware implementation of AES on SAKURA-G circuit board with Xilinx SPARTAN-6.Results show that our detection method performs steadily in noisy environment.We compare our methods with other attacking methods; our method needs less computation time but more traces than LDPC method, and to reach 90% success rate, the necessary number of traces for our method is 90% less than CECA and 96% less than BCA.The novel framework proposed in this paper can be utilized in other cryptographic symmetric algorithms.

Figure 1 :
Figure 1: Collisions between two S boxes.

Figure 3 :
Figure 3: Flow of double distance voting detection.

Figure 5 :
Figure 5: Comparison of detection success rate.

Figure 6 :Figure 7 :
Figure 6: Necessary number of traces for MBDD to reach 90% success rate.

Figure 8 ( 1 ,
Figure 8(a) shows the result of (  0 1, −    2 2, ) 2 for each point  ranging from 1 to 32365 and each value of  2 ranging from 0 to 15.The black curve represents the square of difference between each point of   0 1, and   0⊕Δ  1,2

Figure 10 :
Figure 10: Relations between success rate and number of traces.

Figure 11 :
Figure 11: Relations between success rate and online time.

Figure 12 :
Figure 12: Relations between success rate and online time.
Due to the fact that the value belonging to (2 4) ranges from (0000) 2 to (1111) 2 , 16N plaintexts should be obtained.3.3.Acquire Traces and PreprocessTraces.We can obtain 16N power traces of the first round operation corresponding to 16N plaintexts. Te obtained power traces can be divided into 16 sets according to the values of {   } 16 =1 .For the values of {   } 16 =1 are the same all the time ranging from 0 to 15 referred to Section 3.2 and each value corresponds to N random value for {   } 16 =1 , the number of the sets is 16 and each set contains N power traces.

Table 1 :
The necessary number of original attacks to reach 90% success rate.

Table 2 :
The necessary number of improved attacks to reach 90% success rate.