
What can Information Guess? Guessing Advantage vs. Rényi Entropy for Small Leakages

Julien Béguinot, Olivier Rioul

TL;DR

This work addresses bounding an adversary's guessing advantage under small information leakage by exploiting the Gibbs inequality and its Rényi generalization to obtain closed-form parametric lower bounds for the $\rho$-th order guessing entropy $G_\rho(X|Y)$ in terms of the Rényi-Arimoto entropy $H_\alpha(X|Y)$. The authors derive explicit parametric curves for the unconditional and conditional cases, including a first-order bound $\Delta G_\rho(X;Y) \lesssim c\sqrt{\Delta H_\alpha(X;Y)}$ in the small-leakage regime, and validate the results in Hamming weight leakage and random probing models. The bounds show substantial improvements over prior non-asymptotic and asymptotic results, enabling tighter practical assessment of leakage resilience and aiding countermeasure design. The framework also points to extensions to additive-noise leakage models, nonuniform priors, and negative $\alpha$ values for broader applicability.

Abstract

We leverage the Gibbs inequality and its natural generalization to Rényi entropies to derive closed-form parametric expressions of the optimal lower bounds of $\rho$th-order guessing entropy (guessing moment) of a secret taking values on a finite set, in terms of the Rényi-Arimoto $\alpha$-entropy. This is carried out in a non-asymptotic regime when side information may be available. The resulting bounds yield a theoretical solution to a fundamental problem in side-channel analysis: ensure that an adversary will not gain much guessing advantage when the leakage information is sufficiently weakened by proper countermeasures in a given cryptographic implementation. Practical evaluation for classical leakage models shows that the proposed bounds greatly improve on previous ones for analyzing the capability of an adversary to perform side-channel attacks.

Paper Structure (9 sections, 6 theorems, 27 equations, 4 figures)

Key Result

Theorem 1

The optimal lower bound on $G(X|Y)$ vs. $H(X|Y)$ is given by the parametric curve for $\gamma\in(0,1)$: where the limiting case $\gamma\to 1$ gives $G=\frac{M+1}{2}$ and $H=\log M$ attained for the uniform distribution. The optimal upper bound on $\Delta G(X ; Y) = \frac{M+1}{2}-G(X|Y)$ vs. $\Delta H(X ; Y) = \log M -H(X|Y)$ is given by the parametric curve for $\mu\in(0,+\infty)$:

Figures (4)

  • Figure 1: Optimal joint range region between $H(X|Y)$ and $G(X|Y)$ for different values of $M$. The (optimal) upper bound is that of McEliece and Yu [mceliece1995inequality]. The optimal lower bound is derived in this paper. The black dotted and dash-dotted curves correspond to Massey's [massey1994guessing] and Rioul's [rioul2022variations] inequalities, that do not depend on $M$.
  • Figure 2: Solid: Illustration of Theorems \ref{th:GH}, \ref{th:GrhoH}, \ref{th:GrhoHalpha} (upper bounds of $\Delta G_\rho$ vs. $\Delta H_\alpha$) for various values of $\alpha$ and $\rho$ when $M=2^8$. Dashed: First-order lower bound $\Delta G_\rho\leqslant c \sqrt{\Delta H_\alpha}$ from Corollary \ref{thm:explicit}.
  • Figure 3: Bound on the guessing advantage in the Hamming weight leakage model for increasing noise variance $\sigma^2$.
  • Figure 4: Improved bound ($M=32$) from Theorem \ref{thm:improved-random-probing} (solid, red) compared to Theorem \ref{th:GrhoHalpha} (solid, black), Corollary \ref{thm:explicit} (dashed), and scatter plot of exact values when $Y=f(K)$ for arbitrarily given functions $f$.
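
The quantities these bounds relate can be computed exactly for a small secret, which is how a measured leakage is placed against the curves. The following is an added example, not code from the paper: it evaluates $\Delta G_\rho(K;Y)$ and $\Delta H(K;Y)$ as defined in Theorem 1 for a uniform secret with $M=32$, first for a noiseless leak $Y=f(K)$ and then for a leak that is observed only with probability `eps`. Assumptions: entropy is measured in bits, the guessing moment is the expected $\rho$-th power of the rank of the secret under the optimal guessing order, and the erasure-style model and all function names are constructed for illustration.

```python
import math
from collections import defaultdict

def guessing_moment_and_entropy(joint, rho=1.0):
    """joint maps (x, y) -> p(x, y). Returns (G_rho(X|Y), H(X|Y) in bits)."""
    by_y = defaultdict(list)
    for (_x, y), p in joint.items():
        if p > 0:
            by_y[y].append(p)
    G = H = 0.0
    for probs in by_y.values():
        p_y = sum(probs)
        # Optimal guesser: try candidates in decreasing posterior order.
        for rank, p in enumerate(sorted(probs, reverse=True), start=1):
            G += p * rank ** rho
            H -= p * math.log2(p / p_y)
    return G, H

def advantage(joint, M, rho=1.0):
    """(Delta G_rho, Delta H) relative to a blind guess of a uniform secret."""
    G, H = guessing_moment_and_entropy(joint, rho)
    blind = sum(i ** rho for i in range(1, M + 1)) / M  # (M+1)/2 when rho = 1
    return blind - G, math.log2(M) - H

def deterministic_leak(M, f):
    """Uniform K on {0..M-1}, adversary observes Y = f(K) without noise."""
    return {(k, f(k)): 1.0 / M for k in range(M)}

def erasure_leak(M, f, eps):
    """Constructed model: f(K) is observed with probability eps, else nothing."""
    joint = {}
    for k in range(M):
        joint[(k, ("seen", f(k)))] = eps / M
        joint[(k, ("erased",))] = (1.0 - eps) / M
    return joint

def hamming_weight(k):
    return bin(k).count("1")

if __name__ == "__main__":
    M = 32
    print("noiseless HW:", advantage(deterministic_leak(M, hamming_weight), M))
    for eps in (0.5, 0.25, 0.05):
        print("eps =", eps, advantage(erasure_leak(M, hamming_weight, eps), M))
```

In the erasure-style model both advantages scale linearly in `eps`, so a countermeasure that lowers the observation probability lowers the guessing advantage in the same proportion.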

Theorems & Definitions (14)

  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Theorem 3
  • Lemma 1: Generalized Gibbs Inequality
  • proof: Proof of Theorem \ref{th:GrhoHalpha}
  • Remark 1
  • Corollary 1
  • proof
  • ...and 4 more