Not Optimal but Efficient: A Distinguisher Based on the Kruskal-Wallis Test

Abstract

Research about the theoretical properties of side channel distinguishers revealed the rules by which to maximise the probability of first order success (“optimal distinguishers”) under different assumptions about the leakage model and noise distribution . Simultaneously, research into bounding first order success (as a function of the number of observations) has revealed universal bounds, which suggest that (even optimal) distinguishers are not able to reach theoretically possible success rates. Is this gap a proof artefact (aka the bounds are not tight) or does a distinguisher exist that is more trace efficient than the “optimal” one? We show that in the context of an unknown (and not linear) leakage model there is indeed a distinguisher that outperforms the “optimal” distinguisher in terms of trace efficiency: it is based on the Kruskal-Wallis test.

Appendices

A The KW Statistic

Let \(X_{ij}\) where \(i = 1, \ldots , t\), \(j = 1, \ldots , n_i\) be independent random samples collected from a population having t groups and the sample size for group i is \(n_i\). Let us assume that the random variables \(X_{ij}\) have distribution \(F_i\). The generic null and alternative hypotheses of KW test are

$$\begin{aligned} H_0 &: F_1 = F_2 = \ldots = F_t \\ \nonumber H_a &: F_i \ne F_j \quad \text {for some} \quad i, j \quad \text {s.t} \quad i \ne j. \end{aligned}$$

(6)

The observations are combined into one sample of size N where

$$ N = \sum _{i=1}^{t}n_i $$

This combined sample is ranked. Suppose, \(R_{i,j}\) is the ranking of the j-th sample from the group i, \(\bar{R}_{i}\) the average rank of all samples from group i:

$$ \bar{R}_{i} = {n_i}^{-1}\sum _{j = 1}^{n_i}{R_{i,j}} $$

and \(\bar{R} = (N+1)/2\) the average of all \(R_{i,j}\).

The KW test statistic \(H_{KW}\) is defined [KW52] as:

$$\begin{aligned} H_{KW} = (N-1)\frac{\sum _{i = 1}^{t}{n_i(\bar{R}_i - \bar{R})^2}}{\sum _{i = 1}^{t}{\sum _{j=1}^{n_i}{(R_{i,j} - \bar{R})^2}}} \end{aligned}$$

(7)

In Eq. (27) the denominator \(\sum _{i = 1}^{t}{n_i(\bar{R}_i - \bar{R})^2}\) describes the variation of ranks between groups, and the numerator \(\sum _{i = 1}^{t}{\sum _{j=1}^{n_i}{(R_{i,j} - \bar{R})^2}}\) describes the variation of ranks in the combined sample. Intuitively, if \(X_{ij}\) are all sampled from the same distribution, then all \(\bar{R_i}\) are expected to be close to \(\bar{R}\) and thus the statistics \(H_{KW}\) should be smaller, and vice versa. Large values of the test statistic results in rejecting the null hypothesis of the KW test.

B Further Experimental Results

(Se Fig. 5).

Fig. 5.

Attacking the AES SubBytes target, drop** 4 most significant bits