In 2013, Standaert \emph{et al.} proposed the notion of simulatable
leakage to connect theoretical leakage resilience with the practice
of side channel attacks. Their use of simulators, based on physical
devices, to support proofs of leakage resilience allows verification
of underlying assumptions: the indistinguishability game, involving
real vs. simulated leakage, can be `played' by an evaluator. Using
a concrete, block cipher based leakage resilient PRG and high-level
simulator definition (based on concatenating two partial leakage traces),
they included detailed reasoning why said simulator (for AES-128)
resists state-of-the-art side channel attacks.
\\\\
In this paper, we demonstrate a distinguisher against their simulator
and thereby falsify their hypothesis. Our distinguishing technique,
which is evaluated using concrete implementations of the Standaert
\emph{et al.} simulator on several platforms, is based on `tracking'
consistency (resp. identifying simulator {\em in}consistencies) in
leakage traces by means of cross-correlation. In attempt to rescue
the approach, we propose several alternative simulator definitions
based on splitting traces at points of low intrinsic cross-correlation.
Unfortunately, these come with significant caveats, and we conclude
that the most natural way of producing simulated leakage is by using
the underlying construction `as is' (but with a random key).
↧