SCARE of Secret Ciphers under Rough Leakage Model

. Most previousside-channel analysis-based reverse engineering (SCARE) methods were based on collision attack. However, the collision-based methods generally need noise-free traces and can hardly be verifed by realistic implementations. Tis paper proposes a novel SCARE, which is named as OSHDG-SCARE, targeting on secret S-box. We defne a graph as OSHDG (one-step HD graph) to recover the parameters of any secret S-box. Due to the redundancy of OSHDG, the multiple paths can flter the correct results and improve the success rate of the reverse method even when the samples deviate from leakage model. We classify the deviation of side channel signal as two types, which are the gap between real leakage and leakage model, and measurement noise. Experiments are performed on real power traces satisfying the inaccurate HW (Hamming Weight) leakage model from a software implementation of AES-like cipher. OSHDG-SCARE recovers the secret S-box when the deviation rate of traces is 1.45%.


Introduction
According to Kirchhof's theorem [1], the cryptographic algorithm considers the secrecy of the key as a condition to ensure security.Meanwhile, designers disclose the structure to promise there is no trap and accept security challenges in open.Te existing commercial cryptographic algorithms generally accept these rules including algorithm disclosure and key secrecy.However, there are still cipher algorithms, S-box of which is secret or related to secret data.As examples, we found the following ciphers that use secret S-box: (1) Twofsh, (2) MARS, and (3) A3/A8.Te secrecy of cipher algorithms is believed to be practical and can be utilized to enhance security.
Reverse engineering of the secret cipher is an important way to evaluate the security of the secret algorithm.Within our knowledge, the reverse methods can be divided into three categories: mathematical reverse [2][3][4], fault injection technology [5][6][7], and side channel analysis [8][9][10].Te mathematical reverse analysis usually utilizes the input and output of the cryptographic algorithm to establish the functions of target component.However, it is hard to obtain the accurate intermediate values of an unknown algorithm and mathematical reverse analysis is usually operated with reduced round ciphers [11,12] that can recover the secret Sbox when AES-like cipher is reduced to 5 rounds.By changing the intermediate state of the algorithm, fault injection analysis acquires a false output, which is determined by the secret components.Fault injection relies on expensive equipment, the rich experience of analysts, and the risk of damaging the equipment.By contrast, the cost of the side channel method is relatively low.
Te reverse method based on side-channel leakage (SCARE) refers to the recovery of an unknown algorithm by analyzing side-channel signal during the execution.As a powerful tool, SCARE has been proposed for many block ciphers containing confusion (nonlinear) layers and difusion (linear) layers.
Existing SCARE towards S-box is mainly based on collision [13][14][15][16].In collision-based SCARE, the attacker is able to distinguish through side channel whether two intermediate values are the same.Roman Novak proposed the concept of SCARE based on collision in the literature [15] to reverse the S-box of the A3/A8 algorithm in 2003.In 2007, Clavier improved the method, recovering S-boxes (T1 and T2) only relying on the knowledge of the frst layer [13].Later, general structures, such as Festiel [16] and SPN [14], are also the targets of SCARE.
Within our knowledge, most existing SCAREs are signifcantly infuenced by sample deviation.Te feasibility of collision-based attack is limited by the probability of errors in the collision test [15].Tus, most collision-based SCAREs are limited by the deviation of samples and can only rely on the pre-processing step.For instance, in the measurementaided simulation in [14], when the SNR decreased from 1 to 0.1, the number of required traces increased more than ten times.However, during the physical side channel acquisition, noise and physical deviation are common [17].Tis is the reason why none of the proposed collision-based SCARE is verifed with realistic hardware implementations.
In addition to collision-based SCARE, existing work includes: In 2010, Guilley et al. proposed a S-box recovery method based on 1 bit CPA [18].Te analysis relies solely on correlation attacks with an assumed HD leakage model.However, the attacker needs to know which bit in the right register should store the guessed bit.In [19], Si et al. proposed a SCARE method based on linear regression attack (LRA) with less prior knowledge.As LRA can only recover the size and inputs of S-box, further work such as collision attack is needed for recovering the parameters of S-box.In 2019, Breier et al. [20] reversed the 4 bit S-box in a PRESENT-like structure.While even in this situation, the attacker can observe the Hamming weight (HW) of the frst two bits and the last two bits of S(k0) ⊕ S(k0 ⊕ i), the number of ciphers needed to check is 2 24 .
In this paper, we propose a SCARE method under the condition that a real leakage signal contains obvious distance with the proposed leakage model.We name the reverse method as OSHDG-SCARE, where OSHDG (one-step HD graph) is a network structure of power samples and the edge in the network corresponds to the signal whose HD/HW is 1.Assuming other components except the S-box are known, the secret parameters of S-box can be reversed based on OSHDG.In our experiment, the key is considered controllable when reversing the S-box of AES-like cipher under rough HW model.
Te interesting work in this paper is we take advantage of the redundancy of OSHDG and propose the OSHDG-SCARE which is tolerant for deviations including measurement noise and inaccurate leakage model.In other words, the OSHDG-SCARE does not solely rely on the pre-processing to eliminate the noise and is more practical in realistic scenario.Additionally, our method uses multiple paths to cross verify and improve the success rate of reverse engineering.
In the experiment, the deviation tolerance of OSHDG-SCARE is evaluated.Te S-box is successfully reversed when the accuracy of clustering the traces is less than 99.55%.Whereas, existing SCAREs require the accuracy to be 100% [21].
Te rest of the paper is organized as: Section 2 introduces the structure of OSHDG and the process of reverse engineering.Section 3 analyses the efectiveness of OSHDG-SCARE in the case of sample deviation.Section 4 presents the results of the experiments and comparison with latest work.Final section is the conclusion.

One-Step HD Graph
2.1.Defnition of One-Step HD Graph.In this paper, our purpose is to recover the truth table of the secret S-box based on power samples whose leakage model is rough HW/HD.Te size of S-box is represented as m bits.Te SCARE is divided into two stages.Te frst stage is called "RS-RE (Raw Sample Reverse Engineering)" which is the process of the physical signal and the construction of OSHDG.Te second stage is "GB-RE (Graph-Based Reverse Engineering)" which is to reverse the secret parameters of S-box based on OSHDG.
In the RS-RE stage, traces with the same immediate value are averaged.Te averaged traces are sorted and divided into 9 clusters, where the size of i-th cluster is C i 8 .Ideally, each cluster contains traces with the same HW/HD as shown in [21].Tus, the index of cluster is considered as the inferred HW/HD of traces.
Since the HD between any traces can be inferred, we can build the HD matrix with the size of 2 m * 2 m .Every element of the matrix represents the HD between two output values of the S-box.For instance, Table 1 is the S-box of PRESENT [22] and Figure 1 shows the ideal HD matrix where HD Matrix(i, j) � HD(Sbox(i), Sbox(j)), i, j ∈ 0, 2 m   . ( We only retain the elements whose value equals 1 to build one-step HD matrix.Te matrix is regarded as the adjacency matrix of OSHDG which can be used to reverse the secret S-box.If other elements, such as 7, are retained instead of 1, a similar structure can be obtained.In this paper, we take OSHDG as an example to explain the process of reverse engineering, which is named OSHDG-SCARE.
Note that in the real scenario, duel to the noise and unknown leakage model, the HD matrix and OSHDG may have deviations.However, the GB-RE stage of OSHDG-SCARE is tolerant for deviations because of the redundancy of OSHDG.Te deviation tolerance of our method is described in Section 3 and verifed by experiments.In Section 2, we describe the properties of OSHDG and how to reverse secret S-box.
Tere are 2 m vertexes in the OSHDG and the number of edges is 2 m− 1 * m. Figure 2 shows the OSHDG of PRESENT where the index of vertex is the input of S-box.
By the defnition of OSHDG, we propose and prove some properties related to the truth table of the S-box.Te properties are used in Section 2.2 to obtain the value of vertexes and edges in OSHDG.Furthermore, these properties are later used in Section 3 to improve the deviation tolerance of SCARE which is the main contribution of this work.

2
Security and Communication Networks , where V i and V j are two vertexes directly connected by E ij . ( Te elements of V i and E ij are indicated as following: O i is the output value of secret S-box when the input is i.L i means the distance from V i to the starting vertex of OSHDG and is named as the layer of V i .Te starting vertex is named V s and L s � 0.
[NV] i is a set of vertexes.
Obviously, every vertex relates to m edges of diferent value.LoE ij means the layer of E ij and is equal to the maximum of L i and L j .Tere are m layers of edges in the OSHDG.
Defnition 2. Path between any pair of vertexes: Suppose there are g paths from represents the set of paths.Furthermore, we defne the value of According to the defnition of VoE, VoP kh is also equal to the XOR of VoE in a path from V k to V h .Obviously, since the HW of any edge is 1, HW(VoP kh ) is equal to the distance from V k to V h .HW(VoP kh ) � 1 indicates that V k is directly connected with V h .Besides, the set of paths from V s to V i is represented as P si .According to the defnition of layer, HW(VoP si ) � L i .
Tere exists a path from ), and the value of this path is: In summary, for any two vertexes Te Ring is the key structure of our proposed OSHDG-SCARE.Proposition 3 indicates that the ring exists for any vertex whose |[NV]| ≥ 2. For example, Figure 3 highlights a ring in the OSHDG of PRESENT.Here, we discuss the value of vertexes and edges in the ring.
Since the k2-th bit of VoP sx is one, then Considering each vertex has m edges with diferent values, there is a vertex V o directly connected with V a and VoE oa � 2 k2 .
Tere is a path from V s to V o through V a and V x , then Since the k1-th and k2-th bit of VoP sx is one, then Tere is a path from V o to V b through V a and V x , then ( Considering HW(VoP ob ) � 1, V o is directly connected with V b .Besides, we have proven that to clearly describe the progress of OSHDG-SCARE.
As discussed in Section 2.1, O i can be obtained by O s and VoP si since VoP si � O s ⊕ O i .Terefore, it is enough to recover the TT S if O s is known and the value of all edges is known.
Figure 4 illustrates the fow of OSHDG-SCARE.Te structure of OSHDG is obtained after RS-RE.Ten, we exhaustive search the value of edges of which layer is 1.LoE � 1 indicates that the value of edges satisfying HW(VoE) � 1. Tus, the possible values of edges are the factorial of m.Considering Proposition 7, it is sufcient to recover the value of all edges in OSHDG.Tus, the value of path from V s to any vertex V i can be calculated.
To recover TT S , the value of O s is also needed.In our experiment, O s is obtained by fnding traces whose HW = 0 and the success rate is nearly 100%.
Step 1: RS-RE: constructing OSHDG OSHDG is constructed by HD matrix.Note that the value of m edges whose layer is one is unknown.After the structure of OSHDG is constructed, we exhaustively search their values as mentioned before.
Step 2: Acquiring L i and [NV] i In Algorithm 1, the OSHDG is traversed in a Breadth First Search (BFS)-like way to fnd the shortest path from V s to any vertex.In this way, the layer of any vertex V i can be obtained.Ten, [NV] k is the set of vertexes connected with V k but with higher layer.Te complexity of LAYER is related with the size of the secret S-box and is represented as O(2 2m ).
Step 3: Obtaining VoE ij In Algorithm 2, we traverse all rings in OSHDG.According to Proposition 3, for any vertex V o , we select any V a and V b (a ≠ b) from [NV] o and take the only vertex in In summary, the time complexity of OSHDG-SCARE is O(2 2m ).However, m! candidates' truth tables are needed to be checked since we exhaustively search the value of edges whose layer is 1. m! � 2 15.3 when m is 8.

Key Issues in Real Scenario
3.1.Deviation.In real scenario, the leakage model varies from device to device, and the leakage of nontheoretical leakage model is common in actual situations [17,23,24].Lacking the accurate leakage model, the non-profled method assumes an approximate leakage model, such as the HD model.Tere are always deviations between the leakage model and physical samples.We classify deviations into structural deviation and VoE deviation.VoE deviation is the type of deviation which is not obvious in the structure while the equation VoE ij � O i ⊕ O j does not hold.For example, Figure 6 illustrates VoE deviation.V o , V a , V b , and V x ft the structure of R oaxb while V a and V x are wrongly connected when HW(O a ⊕ O x ) ≠ 1.

Security and Communication Networks
queue.push (j); ( 12) } ( 13) } ( 14) //get the [NV] of each vertex (15) Security and Communication Networks Rule 10.To detect edge overfow, for any When existing edge overfow, there are more than two vertexes connected with both V o and V x .It contradicts with Corollary 6.
Rule 11.To detect VoE deviation, check for V k that O k varies in diferent rings.
When there is an existing VoE deviation, there is VoE ij ≠ O i ⊕ O j .Considering there are multiple paths from V s to any vertex V k , VoP sk ≠ O sv ⊕ O k when the path contains E ij , while VoP sk � O sv ⊕ O k still holds for any path without E ij .When there is VoE deviation, diferent VoP sk can be detected.
In order to detect structural deviation and VOE deviation, Rules 9-11 are applied to Algorithm 3.

Te Deviation Tolerance of
Corollary 12 indicates the redundancy of OSHDG-SCARE which is the premise of deviation tolerance.First, R * oaxb with structural deviation is abandoned after the detection of deviation.Because of the redundancy, the value of E ax could still be recovered in other rings.Second, though there are VoE deviations, the true value of O a should be obtained most frequently.Tus, OSHDG-SCARE is deviation-tolerant.

Evaluation and Comparison
In modern cipher design, the secrecy of cipher algorithms was believed to enhance security.Several modern ciphers such as Twofsh, MARS and A3/A8 contain secret keydependent components.As the only nonlinear operations of most block ciphers, S-box is the target of our reverse engineering method.
Several research studies have been proposed to reverse secret S-box by side channel leakage.However, it has been studied that the leakage model in real scenario always deviates from theoretical leakage model.Tis situation has a great impact on existing SCAREs.In this paper, we propose a deviation-tolerant OSHDG-SCARE to recover secret S-box under rough leakage model.In this section, the simulation of traces under diferent SNR and leakage model evaluates the degree of deviations.Besides, we evaluate the deviation tolerance of proposed method by power traces from a software implementation of AES-like cipher and compare the method with the latest SCARE.
Input: SV, * OSHDG Output: (1)  Security and Communication Networks 4.1.Simulation of Deviation Rate.In this section, we investigate the degree of deviation by simulations.Te deviation rate (DR) after the RS-RE is defned as follow when the size of target is m bits.
Te HD matrix is obtained after the RS-RE stage; HD between any two outputs can be calculated if the Sbox is known.Te DR describes the accuracy of HD matrix and is used to evaluate the degree of how the traces is deviated from ideal HW/HD model.Besides, we defne DR(k) to describe the deviation rate of specifc cluster of traces.
where C k m is the ideal number of the k-th cluster after RS-RE.For example, C 1 8 � 8. C 2 8 � 28.DR(k) refers to the error probability of the element with the value of k in the HD matrix.
Before experiments on physical traces, we simulate the nonstandard model and measurement noise to evaluate the possible impact of these two factors on the actual SCARE.Te leakage model in the simulation is weighted bit model, and the noise conforms to Gaussian distribution.Note that OSHDG-SCARE is not limited to this setting, but applicable to any rough HW/HD model.
Te leakage model is simulated by the stochastic model as following: where iv i represents the i-th bit of IV; α i refers to the weight of i-th bit.
To simulate diferent levels of deviation, we utilize MATLAB R2021a to generate random parameters.Te weight α i satisfes the normal distribution (1, Var(α i )).Tree groups of traces are generated with SNR � 18/20 dB and without noise.Among each group of traces, Var(α i ) varies from 0.01 to 0.1.To obtain the average of deviation rate, 200 simulations are done for each Var(α i ).Te result is shown in Figure 7.
Figure 7 shows the infuence of noise and nonstandard model on RS-RE stage.Te simulated stochastic model deviates from the standard model as Var(α i ) increases.Te point (0.1, 27%) on the red line in Figure 7 represents that the deviation rate of the HD matrix is 27% when the stochastic model satisfying N(1, 0.1) in the noise-free simulation.When reach the threshold of SR, the maximum deviation rate tolerated by OSHDG-SCARE is used to describe the deviation tolerance ability.
As shown in Figure 7, even in the noise-free scenario, the deviation is generated by inaccurate leakage model and will lead to a wrong result when clustering the traces.However, deviation is not tolerated by most existing SCAREs.

Experiment with Real Leakage.
To evaluate the efectiveness of OSHDG-SCARE, we collect 196,608 (�65536 * 3) power traces of AES-like cipher with a secret S-box.Te cipher is implemented on an ATMega163 card within SASEBO-W board.Te frequency of AES is 24 MHz and the acquisition frequency is 2 GHz.Each trace contains of 50,000 points while we perform RS-RE on 10 points corresponding to the S-box in the frst round.Te SNR of real traces after pre-processing reaches 43.925.Te leakage model of target device is considered as rough HW model.
We describe briefy how we control the key to get the HD of S-box outputs.AK 1 represents the AddRoundKey operation in the frst round of AES; AK 1 [0] represents the frst byte of AK 1 output.Te other operations of AES are represented in a similar way.We fnd that AK 1 [0] equals to the XOR of two S-box outputs when meeting specifc conditions.Terefore, HD matrix can be constructed when the leakage model is HW.

Security and Communication Networks
If By controlling the master key of AES and the plaintext, the condition ① and ② can be satisfed.Tus, In this way, power traces corresponding to HD of S-box outputs are sampled.
Tere are 2 8 steps to obtain the HD matrix, where the result of each step is one line of HD matrix.In each step of our experiment, 256 * 3 traces are used.Tese traces are classifed by immediate values and averaged.Ten averaged traces are sorted and clustered into 9 classes.Te number of the n-th cluster is C n 8 , which is the ideal number of traces with the same Hamming weight.However, due to non-standard leakage model, clustering based solely on number will result in deviations.Te deviation rate in our experiment is shown in Table 2 which indicates that the actual leakage model of SASEBO-W is deviated from HW model.Within our knowledge, existing SCAREs are not applicable to traces under this level of deviation rate.
Despite the deviations, the constructed OSHDG can still successfully reverse the S-box.Te result verifes the deviation tolerance of OSHDG-SCARE.
In addition, we constructed another OSHDG using hw � 7 instead of 1. Due to the larger DR (7), the accuracy of reversing the S-box is only 37.89%.

Comparison with Existing Work.
In [21] and [25], S-box is reconstructed based on mathematic analysis.Both methods utilize the relationship between the value of S-box and the HW of the MixColumns intermediate results to flter out wrong candidate S-box output.Unfortunately, both methods are not deviation-tolerant and need to accurately cluster HW values on every preprocessed trace.
However, there are deviations in our experiment which indicates that the method of [21] and [25] could not be applicable.For example, the frst and second stage of S-box reconstruction in [21] could be afected and attackers would obtain a complete but wrong S-box tree in stage 3.
Te interesting work of our proposed SCARE is to tolerate the deviation between power samples and theoretical leakage model.OSHDG-SCARE can successfully recover the S-box when deviation rate is as shown in Table 2. Te reason is that OSHDG-SCARE utilizes the structural features of OSHDG for error detection and the redundant paths in OSHDG for cross verifcation and error correction.OSHDG-SCARE is also better-performed at time complexity [21] claimed that the total time of reconstructing S-box is less than two minutes while our method takes less than one second.It takes about 2 ms to obtain the candidates truth tables and the verifcation time of m! candidate tables when m = 8 is about 990 ms.Caforio et al. didn't discuss the time complexity in [25], while the number of required traces to recover the secret Sbox is ten times more than this paper.
A detailed comparison of the SCARE in [21] with OSHDG-SCARE of this paper is listed in Table 3.

Conclusion
SCARE is an important method to verify the actual security of secret cryptographic algorithm with side channel information.As we know, there exists an obvious deviation between the side channel signal and supposed leakage because of the noise in measurement and the imperfect leakage model.Whereas, the deviation will greatly infuence the efectiveness of SCARE.
In this paper, we propose a new SCARE which builds the redundant graph named OSHDG.Supposing HD model is the known and standard leakage model, our method can reverse the secret S-box under imperfect side channel leakage model.Moreover, due to the redundant structure of OSHDG, we defne several properties of the graph and improve the deviation tolerance of the SCARE in noisy measurement.Te experimental results show the efectiveness and deviation tolerance ability of our method to reverse the secret S-box.Te limitation of OSHDG-SCARE lies in its high data complexity when recover the secret components with larger size.A possible solution is to utilize multiple locations of a single trace.For example, AK 1 [0] and AK 1 [5] could contain information about diferent lines of HD matrix by controlling the master key.Ten, the needed number of traces is halved.In addition, one of our future works is to combine elements with diferent values in the HD matrix and improve the success rate.

Data Availability
Te data that support the fndings of this study are available from the authors upon reasonable request.

Figure 1 :
Figure 1: An example of hamming distance matrix.
there is one and only one vertex in [NV] a ∩ [NV] b .Proposition 3 is proved.□ Defnition 4. Ring OAXB: Te Ring is defned as follows: (k1, k2 ∈ [0, m−1]).We try to prove Proposition 7 in three steps.(a) To prove there is a vertex V b that V x ∈ [NV] b .Considering each vertex has m edges with diferent values, there is a vertex V b directly connected with V x and VoE bx � 2 k2 .HW VoP sb  � HW VoP sx ⊕ VoE bx  � HW VoP sx ⊕ 2 k2  .

Figure 3 :
Figure 3: An example of the ring in OSHDG.

R
oaxb infuenced by those deviations is represented as R * oaxb .OSHDG * refers to OSHDG includes at least one R * oaxb .(a) Structural Deviation Structural deviation will change the original R oaxb and includes two types: edge shortage and edge overfow.Edge shortage corresponds the R * oaxb without enough edges as shown in Figure 5(b).R * oaxb of edge overfow contains more edges than R oaxb , which results in multiple rings from V o and V x as shown in Figure 5(c).(b) VoE Deviation

Figure 7 :
Figure 7: Deviation rate for various variance of stochastic model with/without noise.

Table 1 :
S-box of PRESENT.

Corollary 5 .
In R oaxb , VoE ax � VoE ob and VoE bx � VoE oa .Proof.It has been proved in Proposition 3 that V x satisfed VoE ax � VoE ob is the only vertex of [NV] a ∩ [NV] b .Tus, equation (1) still holds in R oaxb .According to the defnition of VoE, VoE bx � VoE oa indicates O b ⊕ O x � O o ⊕ O a .Tus, O a ⊕ O x � O o ⊕ O b and then VoE ax � VoE ob .Corollary 5 is proved.If V o and V x belong to R oaxb , there are only two vertexes in OSHDG connected with both V o and V x .Proof.If there exists V c (a ≠ b ≠ c) connected with V o and V x , then there exists R oaxb and R oaxc .According to Corollary 5, VoE ax � VoE ob in R oaxb and VoE ax � VoE oc in R oaxc .Since VoE ob and VoE oc are connected with V o , it contradicts with VoE ob � VoE oc .Corollary 6 is proved.For any E ax where V x ∈ [NV] a and L x ≥ 2, there exists E ob that LoE ob � LoE ax − 1 and VoE ob � VoE ax .Proof.L x ≥ 2 indicates that HW(VoP sx ) ≥ 2. Assume k1 and k2 bits of VoP sx are one and VoE ax � 2 k1 □ Corollary 6. □ Proposition 7.
It fts Defnition 4. Tus, VoE ax � VoE ob and Proposition 7 is proved.According to Proposition 7, the value of edge whose layer is no less than two can be recovered if edges at lower layer are known.Tus, it is sufcient to recover the value of all edges in OSHDG if the value of edges whose layer is one is known.□ 2.2.Main Idea of OSHDG-SCARE.Any logic function can be expressed as its truth table.In this section, we will prove that the truth table of secret S-box can be obtained by OSHDG.Te key point of our reverse engineering method is to construct OSHDG through power consumption samples.Defnition 8. Truth table: Te secret S-box is represented as S. i and O(i) correspond to input and output respectively.
R oaxb as Defnition 4. Furthermore, with Corollary 5 and Proposition 7, VoE ax and VoE bx can be obtained since VoE oa and VoE ob in the lower layer are known.In this way, value of all edges in the OSHDG is acquired.Te complexity of VALUE is equal to the number of rings in OSHDG and is represented as O(2 m * m 2 ).Step 4: Obtaining the TT S In the OSHDG, if O s and value of every edge are known, any O i � O s ⊕ VoP si can be obtained.Tus, any element 〈i, O i 〉 of TT S is known.
Improved RE Corollary 12.For any E ax where V x ∈ [NV] a and L x ≥ 3, the number of E ob that LoE ob � LoE ax − 1 and VoE ob � VoE ax is LoE ax − 1. Proof.It has been proved in Proposition 7 that there exists E ob satisfying the condition.Besides, VoE bx � 2 k2 and VoP so � VoP sx ⊕ 2 k1 ⊕ 2 k2 .It indicates that V b , V o , and E ob are determined when k2 is determined.Since k1 is known and k1 ≠ k2, the number of possible values of k2 is HW Te level of noise is indicated as SNR, Var(Sig) represents the variance of signal which is related with the leakage model, and Var(Noise) is the variance of noise.

Table 2 :
Distribution of DR.

Table 3 :
Comparison with the state-of-art work.
* Te complexity of S-box reconstruction stage.