Side-Channel Leakage Detection with One-Way Analysis of Variance

Side-channel analysis (SCA) is usually used for security evaluation to test the side-channel vulnerability of a cryptographic device. However, in practice, an analyser may need to cope with enormous amounts of side-channel measurement data to extract valuable information for SCA. Under the circumstances, side-channel leakage detection can be used to identify leakage points which contain secret information and therefore improve the efficiency of security assessment. *is investigation proposes a new blackbox leakage detection approach on the basis of the one-way analysis of variance (ANOVA). In accordance with the relevance between leakage points and inputs of a cryptographic algorithm, the proposed method divides side-channel samples into multiple classes and tests the difference among these classes by taking advantage of the one-way ANOVA. Afterwards, leakage points and nonleakage points can be distinguished by determining whether the null hypothesis is accepted. Further, we extend our proposed method to multichannel leakage detection. In particular, a new SCA attack with a F-statistic-based distinguisher is capable of developing if the input of the leakage detection approach is replaced by a sensitive intermediate variable. Practical experiments show the effectiveness of the proposed methods.


Introduction
Side-channel analysis (SCA) applies the physical leakage signals (e.g., sound, power consumption, electromagnetic radiation, and the like) of a running cryptographic device for retrieving the secret information [1][2][3][4]. Due to the efficiency and easy achievement, SCA has been a serious threat to cryptographic devices, but at the same time, SCA can also be used to evaluate the side-cannel resistance of these devices. In practice, SCA usually needs numerous leakage traces for security evaluation. at may lead to a fairly high computation complexity and significantly reduce the efficiency of the assessment. erefore, side-channel leakage detection is proposed to reduce the computation complexity of security evaluation and improve the efficiencies of SCA attacks [5,6].
Points in a side-channel signal can be grouped into two sets: leakage points and nonleakage points [6]. Leakage points contain sensitive information related to the key used in a crypto device and can be utilized by SCA. By contrast, nonleakage points include useless information for SCA. e task of leakage detection is to find the leakage points in side-channel measurements. Generally, the existing leakage detection methods view leakage points as the outliers in the measurement data and use differing statistics to winnow them. A simple way is to exploit the SCA distinguisher output as the statistic; any point with a high score is assigned to the leakage point set [7]. Additionally, a major category of leakage detection is based on the hypothesis test and identifies the "outliers" through computing a test statistic and a significance level. For example, the typical Test Vector Leakage Assessment (TVLA) methodology searches the leakage points by exploiting Welch's t-test. e TVLA checks the t-statistic over the same time instants. If the value of the statistic is greater than the threshold determined by a prespecified significance level, the corresponding point will be regarded as a leakage point. Some similar leakage detection approaches are also proposed, such as leakage detection based on mutual information [8], the correlation-based ρ-test [9], the paired t-test [10], leakage detection with χ 2 -test [11], and the rest. Besides, a method based on normalized interclass variance and a new approach based on the constant parameter channel model [12] are investigated as well.
Nevertheless, some of the aforementioned methods need numerous traces to highlight the difference between leakage points and nonleakage points [11,13], some methods need the knowledge of leakage models [7,13], some require the low-noise measurements [11] or carefully chosen inputs [5,9,10], some need complicated calculation [8,12], and so forth.
In sight of the limitations of the previous work, this paper proposes a black-box leakage detection approach based on the one-way analysis of variance (ANOVA). e main idea of the proposed method is that side-channel leakage samples at one point depend on the corresponding inputs of a cryptographic algorithm. at is, the same input yields the same leakage, while two differing inputs lead to two differing leakages. Consequently, according to the relevance between the leakage points and inputs of the algorithm, side-channel samples can be divided into multiple groups. ese groups corresponding to a leakage point are supposed to have a statically significant difference because that variations of the inputs and the corresponding sidechannel leakages are synchronous. On the contrary, the groups corresponding to a nonleakage point should have a statistically insignificant difference. en, leakage points can be detected by the one-way ANOVA which is used for testing the difference of multiple groups. e proposed method relies only on the inputs (i.e., plaintext or ciphertext) of the cryptographic algorithm and the corresponding side-channel samples. Hence, it is unnecessary to acquire any in-depth knowledge of the cryptographic algorithm implementation and the leakage model of a device. Moreover, it has no special requirements for the inputs and measurements and can be performed rapidly.
Further, we develop a new SCA distinguisher by changing the input of the proposed leakage detection approach. e effectiveness of the SCA attack using the distinguisher is verified by two practical experiments. e rest of the paper consists of four sections, including the preliminaries (Section 2), the proposed method and its extensions (Section 3), the experimental results and analysis (Section 4), and the conclusion (Section 5).

Side-Channel Leakage Detection.
Side-channel leakage detection is used to detect the information leakage in a specific side-channel [5]. Unlike SCA attacks, leakage detection needs not to distinguish the correct key used in a cryptographic implementation from the other incorrect key guesses. Its task is to find key-dependent sample points (i.e., leakage points) in a side-channel leakage trace. at is to say, the output of leakage detection is a set of points of interest, which are corresponding to the formative moments of leakages related to secret information. Leakage detection is an important part of the side-channel evaluation and provides a preliminary result for further analysis or advanced assessment.

Test Vector Leakage Assessment. Test Vector Leakage
Assessment (TVLA) methodology is a classical and extensively used technology for side-channel leakage detection. e basic assumption of TVLA is that leakage points and nonleakage points belong to two normally distributed populations, respectively. en, an analyser can distinguish leakage points from nonleakage points by using Welch's t-test to compare the parameters of these two populations.
e TVLA methodology includes two methods, that is, specific t-test and nonspecific t-test [5,13,14]. For the specific t-test, the side-channel traces are divided into two sets in accordance with the value of a single bit of a targeted intermediate key-dependent variable. If the two trace sets are considered as two normally distributed populations, Welch's t-test can be applied to detect side-channel information leakage by testing the difference of the two population means over each time instant in the traces. e t-statistic is shown as follows: where T A and T B are the two trace sets, T A , T B , S A , S B , N A , and S B are the means, variances, and size of T A and T B , respectively. If the value of t-statistic at one time instant exceeds the threshold determined by the degrees of freedom and a prespecified significance level, the point will be categorized as a leakage point. Otherwise, the point will be categorized as a nonleakage point. For the nonspecific t-test, it needs to acquire two groups of side-channel measurements with the same size to apply for the pairwise t-test. One set of traces corresponds to a fixed input, and the other corresponds to random inputs. If one point in time for which the value of t-statistic is beyond that threshold, the point will be selected as a leakage point. If the corresponding t-statistic is within the bounds determined by that threshold, the point will be marked as a nonleakage point.

Leakage Detection with χ 2 -Test.
e leakage detection with the χ 2 -test can be regarded as a complement to TVLA [11]. e core idea of this approach is to apply the χ 2 -test of independence to check the association between the input groups (i.e., plaintext or ciphertext) and the measured leakage points.
e χ 2 -test of independence is also named the χ 2 -test of association. It is a nonparametric test to determine whether two categorical variables are related or independent. e statistic for the χ 2 -test of association is computed as where r represents the number of the input groups (i.e., plaintext or ciphertext), s represents the number of the measured leakage points, N denotes the total number of the observations of two categorical variables, V ij and P ij denote the number and the frequency of concurrence of the observations of two categorical variables, respectively.
Similarly, if one point in time for which the value of χ 2 -test exceeds the threshold determined by the degrees of freedom and a prespecified significance level, the point will be incorporated into the leakage points. Otherwise, the point will be incorporated into the nonleakage points.
2.4. One-Way Analysis of Variance. One-way analysis of variance (one-way ANOVA) can be seen as a generalization of Welch's t-test. Where Welch's t-test would be applied for comparison of group means of two normally distributed populations, one-way ANOVA is applied for the comparison of multiple group means [15,16]. It assumes that samples in each group are independently drawn from a normally distributed population, and all populations have the same variance. e test statistic is where r represents the number of the input groups, N denotes the total number of the samples in all groups, SS b denotes the sum of squares between groups, that is, the between-group variation, and SS w denotes the residual variance within groups, that is, the within-group variation. If the value of F-statistic is beyond the threshold, it states that all r populations own the same mean value.

The Proposed Method
In this section, one-way ANOVA is applied for leakage detection, including monochannel and multichannel leakage detection. In addition, a novel SCA distinguisher is developed to serve for key recovery attack as well.

Side-Channel Leakage Detection with One-Way ANOVA.
What the one-way ANOVA investigates is the influence of a numerical or categorical input variable on a numerical dependent variable. For a cryptographic implementation, the side-channel leakage samples depend on the inputs and the secret key of the crypto algorithm (i.e., plaintext or ciphetext). Since the key is usually changeless in a short period of time, the leakage data can be viewed as the numerical response data of a variable which relies on the inputs. Additionally, the possible values of the plaintext or ciphertext of a crypto algorithm are limited and can be categorized into multiple classes. erefore, it is possible to detect leakage points by exploiting the one-way ANOVA. Suppose that there are N side-channel leakage traces. ey are collected from a running crypto device and correspond to N random plaintext (or ciphertext) with the same key. At one point in time, these N traces can be grouped into r groups according to the inputs of the crypto algorithm, and the i th group consists of n i samples, scilicet l i1 , l i2 , . . . , l in 1 , i � 1, 2, . . . , r. Let l 1 , l 2 , . . . , l r denote the normally distributed populations corresponding to the r groups, respectively. at is, where ϕ(μ i , σ 2 ) represents the normal distribution with mean μ i and variance σ 2 , i � 1, 2, . . . , r, j � 1, 2, . . . , n i . For a leakage point in time, the corresponding leakage should be varied with the input variable of the crypto algorithm. Consequently, at this point, the leakage samples in all r groups drawn from the r populations should be statistically distinguishable. In other words, the means of these populations should have a significant difference. On the contrary, for a nonleakage point, the corresponding samples contain no information about the secret key. As a result, the variation of the samples should be random at this point. In this case, the samples in all r groups drawn from the r populations should be statistically indistinguishable. Namely, the means of these populations should have a statistically insignificant difference.
On the basis of the above-mentioned inference, we can perform leakage detection by using the one-way ANOVA. Table 1 depicts the data organization of the one-way ANOVA. Hence, the between-group variation SS b and the within-group variation SS w in equation (3) can be, respectively, rewritten as where l i means the sample mean of the i th group. Obviously, the expectation of l i is equal to μ i . It can be viewed that the between-group variation SS b indicates the difference between each group mean and the total sample mean, and the withingroup variation SS w indicates the difference between the samples in a group and the group mean. If SS b is much greater than SS w , it states that there is a significant difference among all groups, and these r populations are unlikely from the same normal population. From this viewpoint, it is reasonable to apply the one-way ANOVA for leakage detection, because the samples corresponding to leakage points contain information about multiple input data and can be deemed to come from different populations, while the samples corresponding to nonleakage points include random data information and can be considered to come from the same population. e threshold for the hypothesis test is where α denotes the significance level and F and (r − 1, N − 1) represent the F distribution and the degrees of freedom, respectively. Points which exceed the threshold Th are acceptable as the leakage points, while the other points within the bound Security and Communication Networks determined by the threshold are classified as the nonleakage points. e whole test procedure is described as follows: Initially, for each point in time, divide the side-channel samples at this point into multiple groups according to the corresponding plaintext or ciphertext. Secondly, compute the value of F-statistic in accordance with equations (3), (5), and (6). Finally, compare the F-statistic with the threshold Th in equation (7), and mark the point as a leakage point (F > Th) or a nonleakage point (F ≤ Th).
e proposed leakage detection algorithm (LD_ANOVA for short) is elaborated in Algorithm 1. e symbol L denotes a matrix constructed by side-channel traces in row, X denotes the corresponding plain text or cipher text set, and α denotes the significance level. Further, L can be represented by the following formula:

Extension to Multichannel
Leakages. Generally, a crypto device in operation leaks multiple types of side information simultaneously. Consider that multichannel leakages usually contain much more potential key-dependent information than monochannel leakage [17], and it is feasible for an analyser to collect these leakages from multiple channels in practice; we also investigate how to enhance the leakage detection result by utilizing multichannel leakages.
To make the proposed detection approach in the previous section apply to the case of multichannel leakages as well, a preprocessing step aiming at transforming the multichannel leakage sets into a fused leakage set is needed. Based on the types of crypto implementations, there are different methods to perform the transform [17]. For instance, it is suitable to use the treatment of Simple Fusion Attack (SFA) to perform transform, if multichannel measurements are acquired from a crypto implementation with a few leakage points. And the fusion way of Fusion Attack Based Singular Value Decomposition (SVD_FA) may be a better fit for an implementation with multiple leakage points [17].
Algorithm 2 describes the proposed leakage detection algorithm for multichannel leakage detection. In the algorithm, the pseudocode in the first row means that, according to the leakage characteristic of a crypto implementation, applying a function Tr to transform the multichannel leakage sets ML into a monochannel leakage set L and transform the multichannel input sets MX into a monochannel input set X corresponding to L. e operator Tr(·) indicates the corresponding transform.

SCA Distinguisher Based on One-Way ANOVA.
Interestingly, we find that if we group the side-channel leakage samples in Table 1 in accordance with the values of a targeted intermediate variable, we can develop a novel SCA distinguisher to perform key recovery. e idea is that the difference of means among all groups is supposed to be the most significant when the leakage data is categorized correctly. As compared to the correct key, the wrong key candidates will make the samples in the same group scattered in disparate groups and therefore make the difference of all populations indistinguishable and the leakage information related to the correct key hidden. Hence, the SCA distinguisher can be defined as follows: In equation (9), k and k denote the candidates of key and the key guess, respectively. In addition, F(·) represents the F-statistic function in equation (3).
Naturally, a new SCA method yields. Its details are shown in Algorithm 3.

Monochannel Leakage Detection.
To access the effectiveness of the proposed detection approach (i.e., LD_A-NOVA), we collected two sets of side-channel traces to perform monochannel leakage detection at first. ese two side-channel leakage sets include 30, 000 power traces acquired from an unprotected AES-128 encryption algorithm running on FPGA (Xilinx Kintex-7) and 5, 000 power traces acquired from a masked AES-128 encryption algorithm running on an embedded 8-bit MCU.
e FPGA implementation belongs to a parallel hardware implementation, while the MCU version is a serial software implementation. e traces are all corresponding to random inputs. Parameters of the leakage acquisition are listed in Table 2. Figures 1 and 2 show the detection results of the FPGA implementation by the proposed method and the other two typical detection methods. e two selected approaches used for comparison are the TVLA technology [13] and its complement, namely, the leakage detection with the χ 2 -test (LD_CS for short) [11]. Compared with the nonspecific t-test, the specific t-test can offer higher confidence of detection at a lower cost [18]; the paper uses the latter t-test as the comparison. All values of the significance level α in the three aforementioned methods for leakage detection are set to 0.0001 to obtain results at a confidence of 99.99% [5]. Note that, the red-dashed lines in all figures represent the thresholds determined by the significance level α.
It can be seen that our proposed approach performs better than the other methods. For instance, LD_ANOVA is capable of finding the first leakage point by exploiting 10, 000 traces. In this case, both the TVLA and LD_CS fail to Table 1: One-way ANOVA data organization.

Group
Observations  Table 3 (rows 2, 6, and 10). In order to accurately evaluate the efficiency of the proposed method, the false positive points (i.e., the detected nonleakage points, denoted as N fp ) and the false negative points (i.e., the undetected leakage points, denoted as N fn ) are shown in Figure 3. Likewise, the number of the detected "real" leakage points are investigated (denoted as N c ).
Divide the m th column of L into r m groups according to the target intermediate values (8) For i � 1, 2, . . . , r m Return: k ALGORITHM 3: SCA distinguisher based on one-way ANOVA.   Naturally, the coverage rate of the "real" leakage points, the false positive rate, and the false negative rate are also calculated and illustrated in Figure 3. ese three metrics are defined as follows:

Security and Communication Networks
where P means the leakage point set of an implementation; D means the detected leakage point set; "| · |" denotes the cardinality of a set; and R fp , R fn , and R c represent the false positive rate, the false negative rate, and the coverage rate, respectively. It is noted that an efficient detection method should lead to lower R fp and R fn and higher R c as compared to an inefficient method. From the data in Table 3, it can draw a conclusion that the proposed method is more efficient than the other two. For the masked implementation, before applying for the detection approaches, the side-channel samples are recombined by the normalized product function to eliminate the influence of Boolean masking [19]. e preprocessing function computes the product of the leakages corresponding to the masked intermediate variable and the masking variable as the leakage of the key-dependent variable so that leakage points can be matched with the inputs. Figures 3 and 4 illustrate that LD_ANOVA still exhibits the best performance. For example, it marks 38 points as leakage points when the TVLA finds one leakage point by using 1,000 traces. Although these points contain plenty of nonleakage points, there are still 20 leakage points. Due to the limited number of traces, the detection result is changeable; for example, only 4 leakage points are discovered when we use 3,000 traces to execute LD_ANOVA. e number of the detected leakage points increases with the increasing traces; for example, 39 leakage points are identified when 5,000 traces are used. e information of leakage points detected by the three methods is described in Table 4. e three rates defined in equations (10)- (12) are demonstrated in Table 4 as well. e results lead to a similar inference to the first experiment.
Besides, the coverage rate in Table 4 becomes higher than that in Table 3 when all the traces are used. e cause of this phenomenon is that the FPGA implementation is a parallel implementation which makes the collected traces include more switching noise [20] as compared to the 8-bit MCU implementation.

Security and Communication Networks
It is noted that LD_CS fails to distinguish leakage points from nonleakage points in the above two experiments. e reason is that the method needs to divided leakage samples into multiple bins before performing the test of independence, and the process is vulnerable to the noise in the sidechannel traces, which will influence the detection efficiency [12]. e reason that LD_ANOVA shows a better performance than the TVLA is because the former divides sidechannel samples into more than two classes according to the input classes and obtains much more information about the relevance between the two.

Multichannel Leakage Detection.
Consider that multiple types of leakages of a running cryptographic device can be collected from multiple side channels, which may expose much more information that monochannel SCA cannot utilize; the proposed method is used for multichannel leakage detection as well. We simultaneously collected 30, 000 and 5,000 electromagnetic (EM) traces from the FPGA and MCU implementations in the previous section (Section A, Section 4), respectively. Due to the fact that the oscilloscope we used in the experiments can only collect the power traces and the EM traces with the same sample rate, the sample rates of these two EM trace sets are set to be the same as the sample rates of the corresponding power traces (viz., 5G Sa/s and 1G Sa/s). e sample rates are experimentally selected to ensure both the power and EM trace sets contain adequate leakage information for side-channel analysis. Figure 5 depicts an example of multichannel leakage detection for the FPGA implementation. e fused trace set is obtained by the nonnegative matrix factorization-based leakage fusion [17]. Two monochannel detection results by utilizing the power leakage and the EM leakage are also illustrated in the figure. As shown in Figure 5, multichannel leakage detection performs better than any monochannel leakage detection. Figure 6 compares the union of the detected power leakage points and the detected EM leakage points to the result of the multichannel leakage detection by exploiting fused traces. It can be viewed that the fusion of monochannel leakages makes a mass of potential monochannel leakage points exposed. For instance, 341 leakage points are identified when the multichannel detection uses all fused traces, while the monochannel detection only identifies 50 and 61 leakage points, respectively. Furthermore, the fusion of the differing channel makes the influence of the switching noise  in the traces significantly reduce and the coverage rate significantly increase. More detailed data is illustrated in Table 5. e detection results for the 8-bit MCU implementation draw a similar conclusion. Similarly, the corresponding details are described in Table 6.

Runtime and Memory.
To ensure that our proposed method can be efficiently performed for practical evaluation, the runtime and memory of the proposed approach are investigated experientially. We perform a monochannel leakage detection by applying TVLA, LD_CS, and LD_A-NOVA, respectively.
is experiment is executed on the HP laptop with the Intel Core i7-7500U CPU (Dual-Core, 2.70 GHz and 2.90 GHz), 8 GB RAM, and MATLAB R2017a software platform. e three detections are repeated 10 times with 30,000 power traces acquired from the FPGA implementation in Section A, and the averages of the runtimes and the memories are plotted in Figure 7.
Note that, the code of the TVLA approach is performed in parallel. As a result, it can be seen that TVLA is the most efficient in terms of time. Moreover, LD_ANOVA is the most efficient in terms of memory, while LD_CS is the most inefficient-in both time and memory. On the whole, the computation cost of a practical security evaluation applying the proposed leakage detection approach is able to afford an analyser.   SCA attack based on ANOVA (ANOVA_SCA for short) in Algorithm 3. Two power trace sets and two EM trace sets of the two aforementioned implementations in Section A are exploited to launch the key attack recovery, respectively. e leakage models of the FPGA and MCU implementations are approximate to the Hamming Distance and Hamming Weight models, respectively. Besides, the randomly selected attack targets are the XOR of the input and output of the 9 th S-box in the last round of AES-128 and the output of the 16 th S-box in the last round of the encryption algorithm, respectively. e other classical SCA attack, namely, correlation analysis attack (CAA) [17,21,22], is also used for comparison. e security metric, guess entropy [23], serves as the evaluation metric of the key recovery attacks. e attack results depicted in Figure 8 confirm the efficacy and efficiency of ANOVA_SCA. In particular, ANOVA_SCA is even much more efficient than CAA for the masked implementation.
We also estimate the average runtimes and the average memories when performing ANOVA_SCA and CAA, respectively.
ese two attacks are repeated 10 times with 30,000 power traces acquired from the FPGA implementation in Section A. is experiment is executed on the same HP laptop and MATLAB software platform mentioned in Section C. e statistical results are plotted in Figure 9. It can be viewed that it is feasible to apply the proposed attack for security assessment because of its practical utility and high efficiency.

Conclusions
e paper develops a black-box side-channel leakage detection approach, which is designed for the security assessment of cryptographic devices. e proposed detection method is based on the one-way ANOVA, which ensures that the evaluation is highly efficient-in terms of both time and memory. On the basis of monochannel leakage detection, the proposed method is extended to detect multichannel leakages as well. Compared with utilizing monochannel leakage individually, the use of the fused leakage is beneficial in finding much more leakage points efficiently. Furthermore, the proposed detection method is capable of applying for the key recovery attack, when a key-   dependent immediate variable serves as the input of the method. In the future, the extension of our proposed approach to enhance the performance of multichannel leakage detection will be investigated further.
Data Availability e side-channel measurement data and codes used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.