Conference Paper

On the Vulnerability of Low Entropy Masking Schemes


Abstract

Low Entropy Masking Schemes (LEMS) have been proposed to offer a reasonable tradeoff between the good protection against side-channel attacks offered by masking countermeasures and the high overhead that results from their implementation. Beyond the limited analysis in the original LEMS proposals, their specific leakage characteristics have not yet been analyzed. This work explores the leakage behavior of these countermeasures and shows two different ways in which the leakage can be exploited, even by generic univariate attacks. In particular, an attack that exploits specific properties of RSM for AES as well as a more generic attack that makes very few assumptions about the underlying LEMS are introduced. All attacks are practically verified by applying them to publicly available leakage samples of the RSM countermeasure.
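As an added illustration of the leakage behavior the abstract refers to (example code written for this page, not code from the paper or from the DPA Contest), the check below computes, for a candidate 8-bit mask set under a Hamming-weight leakage model, the central moments of HW(x ^ m) over the mask set for every secret byte x. A mask set is called balanced at order d here if the order-d moment is the same for every x, so that a univariate attack on that moment alone sees nothing; this is a deliberate simplification of the balancedness notions defined in the papers cited further down. The 16 mask values are the ones published for the DPA Contest v4 RSM implementation and are assumed correct rather than taken from this page.

```python
"""Moment-balance check for low-entropy mask sets under a Hamming-weight leakage model.

Example code added to this page; not from the paper or the DPA Contest. For each
secret byte x it looks at the distribution of HW(x ^ m) when m is drawn uniformly
from the mask set, and asks at which central moment that distribution first
depends on x.
"""


def hw(v: int) -> int:
    """Hamming weight of a byte (the leakage model assumed throughout)."""
    return bin(v).count("1")


# Mask set of the RSM implementation in DPA Contest v4 (assumed here: values as
# published for the contest). It is a linear [8,4,4] code: every XOR of two
# masks is again a mask.
RSM_MASKS = [0x00, 0x0F, 0x36, 0x39, 0x53, 0x5C, 0x65, 0x6A,
             0x95, 0x9A, 0xA3, 0xAC, 0xC6, 0xC9, 0xF0, 0xFF]

FULL_MASKS = list(range(256))        # full-entropy masking: one uniform byte
NIBBLE_MASKS = list(range(16))       # a deliberately poor 16-element set (constructed)


def central_moment(samples, order: int) -> float:
    """Order-th central moment of the samples (the mean itself for order == 1)."""
    mu = sum(samples) / len(samples)
    if order == 1:
        return mu
    return sum((s - mu) ** order for s in samples) / len(samples)


def moment_profile(masks, order: int) -> list:
    """moment_profile(masks, d)[x] is the order-d central moment of HW(x ^ m),
    m uniform over masks. All values are integers divided by len(masks), so the
    floating-point results are exact and can be compared directly."""
    return [central_moment([hw(x ^ m) for m in masks], order) for x in range(256)]


def is_balanced(masks, order: int) -> bool:
    """True if the order-d moment does not depend on the secret value x."""
    profile = moment_profile(masks, order)
    return max(profile) == min(profile)


def lowest_leaking_order(masks, max_order: int = 8):
    """Smallest moment order at which the set is unbalanced, or None if every
    order up to max_order is balanced (a full-entropy mask is balanced at all)."""
    for order in range(1, max_order + 1):
        if not is_balanced(masks, order):
            return order
    return None


if __name__ == "__main__":
    for name, masks in (("RSM (DPA Contest v4)", RSM_MASKS),
                        ("full entropy", FULL_MASKS),
                        ("low nibble only", NIBBLE_MASKS)):
        print(f"{name:22s} first leaking moment: {lowest_leaking_order(masks)}")
```

For the RSM set the mean, variance and third central moment of HW(x ^ m) are identical for all 256 values of x, because the set is a self-dual code with no dual codewords of weight below 4; the fourth moment is the first one that depends on x, which is exactly the statistical moment a generic univariate attack against this countermeasure has to target. A full-entropy mask is balanced at every order, and the constructed low-nibble set already leaks in the mean.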

... As related works we should address three recently published articles [3,23,46] which made use of DPA Contest V4 measurements. Although all of these articles provide many useful discussions and analysis tools, none of them exploits the first-order leakage that we present here. ...
... For this reason, every intermediate variable is masked independently (e.g., the same masked S-box cannot be used twice), and the sharing is done with strictly more than two shares. Hence the name multi-mask fully entropic masking scheme (FEMS, as coined in [46]). However, this generalization is not trivial. ...
... At the opposite direction, some masking schemes have been designed to limit the amount of entropy. They are referred to as LEMS (low-entropy masking schemes) in [46]. Specifically, the masking scheme requires only one mask, that can take only a small number of values. ...
Conference Paper
Full-text available
Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box masking (RSM) is an example of such a scheme applied to AES with the purpose of maintaining security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of this technique using the side-channel measurements publicly available through DPA contest V4. Our analyses, which focus on exploiting the first-order leakage of the implementation, discover a couple of potential attacks which can recover the secret key. Indeed, the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, neither of which was considered during the design of the countermeasure (implemented in naive C code).
... In the architecture aspect, cryptographic algorithms should carefully be implemented to avoid first-order leakage [12]. Some countermeasure techniques such as shuffling [13] can also be combined to help defeat certain bivariate and higher order attacks [14][15][16][17]. Another aspect is the chosen mask set which plays significant roles in security. ...
... where C = ∑ ∈M ( ). (⋅) is defined by (17). ...
Article
Full-text available
Low Entropy Masking Schemes (LEMS) are countermeasure techniques to mitigate the high performance overhead of masked hardware and software implementations of symmetric block ciphers by reducing the entropy of the mask sets. The security of LEMS depends on the choice of the mask sets. Previous research mainly focused on searching balanced mask sets for hardware implementations. In this paper, we find that those balanced mask sets may have vulnerabilities in terms of absolute difference when applied in software implemented LEMS. The experiments verify that such vulnerabilities certainly make the software LEMS implementations insecure. To fix the vulnerabilities, we present a selection criterion to choose the mask sets. When some feasible mask sets are already picked out by certain searching algorithms, our selection criterion could be a reference factor to help decide on a more secure one for software LEMS.
... solution to real life threats posed by leaking sensitive data to an insider in Medical Smartphone Networks (MSN) [27]. However, with the passage of time SCA has matured and cryptographers have come up with twisting countermeasures to resist different attacks; for a detailed study on countermeasures the reader is referred to [28][29][30][31][32][33][34][35][36]. However, countermeasures do not ensure shielded security and can still be attacked [37]. ...
... For GCM the counter mode can be exploited using Eqs. (33), (28), (30) and (29). ...
... In any case, the implementation of countermeasures brings overheads in terms of memory and time, hence causing researchers to start looking for lightweight approaches. One such lightweight countermeasure is the rotating S-box masking (RSM), which is a type of low-entropy masking scheme [42][43][44]. The main idea behind RSM consists in the usage of precomputed lookup tables [45] and, at the same time, reducing the overhead by carefully choosing the limited mask set [46]. ...
... So far, participants of the contest have performed many attacks aimed at the original RSM implementation. Different techniques were used such as mutual information analysis [20,43], collision on the S-box [49], or recovering the offset value based on TA [20]. We refer to work [46] that provides a deep analysis of attacks executed during the DPA Contest V4. ...
Article
Differential power analysis (DPA) is a powerful side-channel key recovery attack that efficiently breaks cryptographic algorithm implementations. In order to prevent these types of attacks, hardware designers and software programmers make use of masking and hiding techniques. The DPA contest is an international framework that allows researchers to compare their power analysis attacks under the same conditions. The latest version of the DPA contest, denoted V4.2, provides an improved implementation of the rotating S-box masking scheme, where low-entropy Boolean masking is combined with the shuffling technique to protect an Advanced Encryption Standard implementation on a smart card. The improvements were designed based on awareness of the implementation flaws revealed by the attacks carried out during the previous DPA contest V4. Therefore, this new approach is devised to resist most of the attacks proposed against the original rotating S-box masking implementation. In this paper, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting the first-order leakage, discovered important weaknesses. The main vulnerability observed is that an adversary can mount a standard DPA attack aimed at the S-box output in order to recover the whole secret key even when the shuffling technique is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces.
... Low Entropy Masking Schemes (LEMS) initially attempted to relax such requirements on the quality of random numbers in order to reduce costs while still maintaining the security order. However, these schemes had to make additional assumptions which have been demonstrated to not always hold in practice [GSP13,YE13]. The need for unpredictability of random numbers is even more obvious in masking contexts. ...
Article
Full-text available
Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency vs. security tradeoff of masked implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform most competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a higher rate per cycle for the same or lower cost as Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. 
Circumventing these problems, and enabling an independent analysis of randomness generation and masking, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating n fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as 20n to 30n ASIC gate equivalents (GE) or 3n to 4n FPGA look-up tables (LUTs), where n is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable. This provides further motivation to potentially move low randomness usage from a primary to a secondary design goal in hardware masking research.
... Whereas Zhang et al. [35] trained deep learning assisted with a new metric to improve SCA attacks. Security of LEMS has also been studied by Grosso et al. [36], Ye et al. [37], and Zhang et al. [38]. ...
Article
Full-text available
Since its introduction, research on malware has had two main goals. On the one hand, malware writers have focused on developing software that can cause as much damage as possible to a targeted host for as long as possible. On the other hand, malware analysts have as one of their main purposes the development of tools such as malware detection systems (MDS) or network intrusion detection systems (NIDS) to prevent and detect possible threats to information systems. Obfuscation techniques, such as the encryption of the virus's code lines, have been developed to avoid detection. In contrast, shallow machine learning and deep learning algorithms have recently been introduced to detect them. This paper is devoted to some theoretical implications derived from these investigations. We prove that hidden algebraic structures such as equipped posets and their categories of representations lie behind the research on some infections. Properties of these categories are given to provide a better understanding of different infection techniques.
... Compared with the high cost of masking schemes, lower entropy masking scheme (LEMS) [78,114,170] provides a practical approach to reduce both randomness and implementation costs by only taking a small set of random masks. As a specific example, rotating S-Box masking (RSM) [12,44,110,114] takes only 16 random masks which are elaborately chosen to achieve maximal protection. ...
Thesis
Cryptographic algorithms are nowadays prevalent in establishing secure connectivity in our digital society. Such computations handle sensitive information like encryption keys, which are usually very exposed during manipulation, resulting in a huge threat to the security of the sensitive information concealed in cryptographic components. In the field of embedded systems security, side-channel analysis is one of the most powerful techniques against cryptographic implementations. The main subject of this thesis is the measurable side-channel security of cryptographic implementations, particularly in the presence of random masking. Overall, this thesis consists of two topics. One is the leakage quantification of the most general form of masking equipped with linear codes, so-called code-based masking; the other is the exploration of applying more generic information measures in the context of side-channel analysis. The two topics are inherently connected to each other in assessing and enhancing the practical security of cryptographic implementations. Regarding the former, we propose a unified coding-theoretic framework for measuring the information leakage in code-based masking. Specifically, our framework builds formal connections between coding properties and leakage metrics in side-channel analysis. Those formal connections enable us to push forward the quantitative evaluation of how the linear codes affect the concrete security of all code-based masking schemes. Moreover, relying on our framework, we consolidate code-based masking by providing the optimal linear codes in the sense of maximizing the side-channel resistance of the corresponding masking scheme. Our framework is finally verified by attack-based evaluation, where the attacks utilize maximum-likelihood based distinguishers and are therefore optimal.
Regarding the latter, we present a full spectrum of applications of alpha-information, a generalization of (Shannon) mutual information, for assessing side-channel security. In this thesis, we propose to utilize a more general information-theoretic measure, namely alpha-information of order alpha. The new measure also gives an upper bound on the success rate and a lower bound on the number of measurements. More importantly, with proper choices of alpha, alpha-information provides very tight bounds; in particular, when alpha approaches positive infinity, the bounds become exact. As a matter of fact, maximum-likelihood based distinguishers converge to the bounds. Therefore, we demonstrate how the two worlds, information-theoretic measures (bounds) and maximum-likelihood based side-channel attacks, are seamlessly connected in side-channel analysis. In summary, our study in this thesis pushes forward the evaluation and consolidation of side-channel security of cryptographic implementations. From a protection perspective, we provide a best-practice guideline for the application of code-based masking. From an evaluation perspective, the application of alpha-information enables practical evaluators and designers to have a more accurate (or even exact) estimation of the concrete side-channel security level of their cryptographic chips.
... This AES-RSM implementation was already analysed [15,[17][18][19] and attacked numerous times [20] using various techniques including correlation power analysis [21], template attacks (TA) [22] and machine learning [23,24]. These previous analyses mostly focus on ways of retrieving one byte of the key at a time either through combination of several points of power traces or by trying to retrieve the mask offset before going through key hypotheses. ...
Article
Full-text available
This study presents an implementation flaw in Differential Power Analysis (DPA) Contest v4. This version of the DPA Contest uses the Advanced Encryption Standard (AES) protected against side-channel attacks using the rotating s-box masking (RSM) countermeasure. The authors identify a flaw in the masking scheme that was used in this contest. More specifically, the problem lies in an unfortunate choice of values for the masks. An imbalance in the masking scheme leads to a first-order leakage. This vulnerability can be used to mount a first-order side-channel attack against AES-RSM. The attack was implemented and tested on the DPA Contest v4 reference traces. The authors also provide a way to avoid the newly discovered problem and suggest new values for the masks.
... Weizhi Meng et al. also efficiently address a solution to real life threats posed by leaking sensitive data to an insider in Medical Smartphone Networks (MSN) [27]. However, with the passage of time SCA has matured and cryptographers have come up with twisting countermeasures to resist different attacks; for a detailed study on countermeasures the reader is referred to [28,29,30,31,32,33,34,35,36]. However, countermeasures do not ensure shielded security and can still be attacked [37]. ...
Article
Secure implementation of cryptographic algorithms is an important area of research. Cryptographers prefer to secure algorithms against known attacks, whereas designers focus on efficient implementation. It has been established in several studies that an attack on the implementation of a cipher requires far less effort than exploiting a mathematical weakness of its structure. Implementation vulnerabilities are exploited by side channel attacks (SCA). In practice a block cipher is implemented in one of the modes of encryption such as ECB, CBC or CTR. Our research focuses on finding leakage points in different modes of encryption, including GCM, to build a hypothetical power consumption model for a correlation power analysis (CPA) attack. CPA is simulated on AES-128-ECB on a PIC18F4520, which yields secret key extraction in 2346 traces. Algorithmic-level countermeasures for Counter mode and GCM mode are also presented. The proposed Counter and GCM mode implementations in FPGA yield 0.179% and 6.66% area overhead respectively. The authentication structure of the proposed GCM is tolerant against fault injection attacks and propagates errors with high probability: a single bit modifies approximately 51% of the bits in subsequent multiplications and disturbs the Tag by 48%. This research also highlights future recommendations for designing new modes of encryption resilient against power analysis attacks.
... Additionally, there have been numerous attacks on AES-128 [3], [12], [24]. In the latest work researchers are now focusing on AES-256 and have shown they are able to break it using side channel analysis [15], [18], [29]. ...
... It is clear that the implementation of countermeasures brings overhead in terms of memory and time; therefore researchers have started to look for lightweight possibilities. One of these lightweight countermeasures is Rotating Sbox Masking, which is a type of Low-Entropy Masking Scheme [23][24][25]. The main idea is based on the usage of precomputed table look-ups [26] and at the same time the overhead is reduced by carefully choosing the limited mask set [27]. ...
Article
Full-text available
Power analysis presents the typical example of successful attacks against trusted cryptographic devices such as RFID (Radio-Frequency IDentification) tags and contact smart cards. In recent years, the cryptographic community has explored new approaches in power analysis based on machine learning models such as Support Vector Machines (SVM), Random Forests (RF) and Multi-Layer Perceptrons (MLP). In this paper, we made an extensive comparison of machine learning algorithms in power analysis. For this purpose, we implemented a verification program that always chooses the optimal settings of the individual machine learning models in order to obtain the best classification accuracy. In our research, we used three datasets; the first contains the power traces of an unprotected AES (Advanced Encryption Standard) implementation. The second and third datasets are created independently from publicly available power traces corresponding to a masked AES implementation (DPA Contest v4). The obtained results revealed some interesting facts, namely that an elementary k-NN (k-Nearest Neighbors) algorithm, which has not been commonly used in power analysis yet, shows great application potential in practice.
... More details can be found in [47]. DUT #3 should be identified to leakage based on a higher-order statistical moment, i.e. fourth, as also underlined in [52] and [27], corresponding to a real-world application of the simulated leakage in Section 5.2.2. ...
Article
Full-text available
The wide attention given to mutual information analysis (MIA) is often connected to its statistical genericity, denoted flexibility in this paper. Indeed, MIA is expected to lead to successful key recoveries with no reliance on a priori knowledge about the implementation and with as few assumptions as possible about the leakage distribution, i.e. able to exploit information lying in any statistical moment and to detect all types of functional dependencies, up to the error modeling made by the attacker, which impacts its efficiency (and even its effectiveness). However, emphasis is put on the powerful generality of the concept behind MIA, as well as on the significance of adequate probability density function (PDF) estimation, which seriously impacts its performance. By contrast to its theoretical advantages, MIA suffers from underperformance in practice, limiting its usage. Considering that this underperformance could be explained by suboptimal estimation procedures, we studied MIA in depth by analyzing the link between the setting of the tuning parameters involved in the commonly used nonparametric density estimation, namely kernel density estimation, and three criteria: the statistical moment where the leakage prevails, MIA's efficiency, and its flexibility with respect to the classical Hamming weight model. The goal of this paper was, therefore, to cast some light on the field of PDF estimation issues in MIA, for which much work has been devoted to finding improved estimators, each with their pros and cons, while little attempt has been made to identify whether existing classical methods can be practically improved or not according to the degrees of freedom offered by hyperparameters (when available).
We show that some 'optimal' estimation procedures following a problem-based approach, rather than the systematic use of heuristics following an accuracy-based approach, can make MIA more efficient and flexible, and that a practical guideline for tuning the hyperparameters involved in MIA should be designed. The results of this analysis allowed us to define a guideline based on a detailed comparison of MIA's results across various simulations and real-world datasets (including publicly available ones such as DPA contest V2 and V4.1).
Chapter
Over the last few decades, coding theory has closely associated and interplayed with cryptography in many aspects. An interesting example is the secret-sharing scheme in which the underlying idea can be characterized from both coding-theoretic and cryptographic perspectives. This chapter presents a new formalization and characterization of masking schemes and shows how to enhance their security through a coding-theoretic approach. We first present a coding-theoretic formalization of various masking schemes, by the so-called code-based masking (CBM) paradigm. We then propose a framework for quantifying the information leakage of CBM using mutual information and signal-to-noise (SNR) as the leakage metrics. We derive an interesting formal connection between these two metrics and coding-theoretic properties of the underlying linear codes in CBM. At last, we define the optimal linear code for CBM and show some interesting properties to enhance inner product masking and Shamir’s secret sharing (SSS)-based polynomial masking schemes and more generally any CBM scheme.
Article
Low Entropy Masking Schemes (LEMS) have been proposed to mitigate the high performance overhead of Full Entropy Masking Schemes (FEMS) while still offering good protection against side-channel attacks. Masking schemes usually rely on Boolean masking; however, splitting sensitive variables in a multiplicative way is more amenable to non-linear functions, and it has been applied to both software and hardware as a competitive alternative to state-of-the-art masked designs. Compared to the comprehensive analysis done for Boolean LEMS, the specific leakage characteristics of Multiplicative LEMS have not yet been analyzed. In this paper, we introduce security models for LEMS to characterize the balance of the mask set. Based on the security model, we present an inherent weakness of Multiplicative LEMS. We prove that this defect of Multiplicative LEMS cannot be compensated by choosing a proper mask set, whereas the security of FEMS is guaranteed thanks to the Dirac function, which is used to resist the zero-value attack. Then, we exhibit the leakages in implementations of Multiplicative LEMS. In particular, we propose a new, more efficient attack against Multiplicative LEMS that utilizes the distribution of the masked intermediate values. The feasibility of the attack is verified by both simulation and practical experiments.
Chapter
This paper introduces a novel AES structure capable of improving the robustness against power analysis attacks while allowing for a very compact structure with a potentially negligible area and performance impact. The proposed design is based on a low entropy masking scheme, where half of the time the true value and half of the time the complemented value are used to mask the power consumption variation. The obtained experimental results suggest that the area overhead for the protection against power analysis is as low as 5% LUT increase with a performance degradation of about 10%. When compared with the state of the art supported on FPGAs, efficiency improvements above 6 times and a throughput improvement of at least two times higher are achieved.
Article
Low Entropy Masking Schemes (LEMS) have attracted wide attention due to their implementation simplicity and relatively good performance in protecting cryptographic implementations against Side-Channel Attacks (SCAs). To achieve the desired security, it is necessary (but not sufficient) to find proper low entropy mask sets to protect all sensitive secret-dependent intermediate variables. However, one crucial problem with this intuitive idea is what 'proper' mask sets should be. To formally capture this qualification, we introduce the notion of balancedness to characterize this natural attribute of the mask sets themselves. Considering that this notion is limited to characterizing first-order security, we generalize it to d-dimension balancedness to accommodate d-th-order security, and then exhibit lower and upper bounds on d-dimension balancedness for any d. With the help of these definitions, we prove that no balanced low entropy mask set exists, which implies that LEMS implementations always have vulnerabilities in theory due to the unbalancedness of the underlying mask sets. In order to further demonstrate the practical implications of balancedness, we show 4 different kinds of attacks on three state-of-the-art LEMS implementations. Specifically, the distribution attack proposed in this paper is a general first-order attack on LEMS. The results demonstrate that unbalanced mask sets do lead to serious vulnerabilities.
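To make the unbalancedness just described, the "generic univariate attack" of the abstract at the top of this page, and the fourth-moment remark quoted above concrete, here is an added simulation (example code written for this page, not the attack implementation of any paper listed here). It masks the AES S-box output by XOR with a mask drawn uniformly from the DPA Contest v4 RSM mask set (values assumed as published for the contest), whose Hamming-weight leakage has the same mean, variance and third central moment for every byte value but a fourth moment that depends on it. A conventional first-order CPA on the per-plaintext mean therefore sees nothing, while a univariate attack that correlates the fourth central moment of each plaintext class against its prediction recovers the key byte. The key byte 0x2B, the trace count and the noise model are constructed assumptions of the simulation, and the rotating-offset structure of RSM is ignored because, for a single byte, it does not change the single-sample distribution.

```python
"""Simulated univariate fourth-moment attack on an AES S-box output protected by a
16-mask LEMS, Hamming-weight leakage. Example code added to this page; it is not
the attack from any of the papers listed here. Assumptions: the S-box output is
masked by XOR with a mask chosen uniformly from the DPA Contest v4 RSM set, the
leakage is HW(masked value) plus optional Gaussian noise, and one sample per
encryption is observed.
"""
import random

# DPA Contest v4 RSM mask set (assumed: values as published for the contest).
MASKS = [0x00, 0x0F, 0x36, 0x39, 0x53, 0x5C, 0x65, 0x6A,
         0x95, 0x9A, 0xA3, 0xAC, 0xC6, 0xC9, 0xF0, 0xFF]


def hw(v: int) -> int:
    return bin(v).count("1")


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox() -> list:
    """AES S-box from its definition: inverse in GF(2^8) (0 -> 0), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):          # x^254 == x^-1 in GF(2^8)
            inv = gf_mul(inv, x)
        y = inv
        for i in range(1, 5):         # y = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            y ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox


SBOX = build_sbox()


def central_moment(samples, order: int) -> float:
    mu = sum(samples) / len(samples)
    return sum((s - mu) ** order for s in samples) / len(samples)


# Predicted 4th central moment of HW(y ^ m), m uniform over MASKS, for every
# S-box output y. For this mask set it is the lowest moment that depends on y.
PRED_M4 = [central_moment([hw(y ^ m) for m in MASKS], 4) for y in range(256)]


def simulate_traces(key_byte: int, n: int, sigma: float = 0.0, seed: int = 1) -> list:
    """Constructed (simulated) traces: (plaintext byte, leakage sample).
    Plaintexts cycle through all 256 values so every class is populated."""
    rng = random.Random(seed)
    traces = []
    for i in range(n):
        p = i & 0xFF
        m = rng.choice(MASKS)
        leak = hw(SBOX[p ^ key_byte] ^ m)
        if sigma:
            leak += rng.gauss(0.0, sigma)
        traces.append((p, leak))
    return traces


def pearson(a, b) -> float:
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def _group_by_plaintext(traces):
    groups = [[] for _ in range(256)]
    for p, leak in traces:
        groups[p].append(leak)
    return groups


def first_order_cpa(traces):
    """Classic CPA on the per-plaintext mean with an HW(S-box output) model.
    Against this LEMS every class has mean 4, so the scores are pure noise."""
    observed = [sum(g) / len(g) for g in _group_by_plaintext(traces)]
    scores = [pearson(observed, [hw(SBOX[p ^ k]) for p in range(256)])
              for k in range(256)]
    return max(range(256), key=scores.__getitem__), scores


def fourth_moment_attack(traces):
    """Univariate attack: 4th central moment of each plaintext class, correlated
    against PRED_M4 under every key hypothesis."""
    observed = [central_moment(g, 4) for g in _group_by_plaintext(traces)]
    scores = [pearson(observed, [PRED_M4[SBOX[p ^ k]] for p in range(256)])
              for k in range(256)]
    return max(range(256), key=scores.__getitem__), scores


if __name__ == "__main__":
    traces = simulate_traces(0x2B, 256 * 64)
    k1, s1 = first_order_cpa(traces)
    k4, s4 = fourth_moment_attack(traces)
    print(f"1st-order CPA best guess 0x{k1:02x} (r={s1[k1]:.3f}); "
          f"4th-moment attack best guess 0x{k4:02x} (r={s4[k4]:.3f})")
```

The attack targets the S-box output rather than the S-box input on purpose: the mask set is a linear code, so a moment attack on x = p ^ k alone would only identify k up to the 16-element coset k ^ MASKS, while the non-linear S-box breaks that symmetry. With measurement noise the variance of a fourth-moment estimate grows roughly with the eighth power of the noise standard deviation, so the number of traces needed rises steeply; the noise-free run here only shows why first-order balance of a mask set is not a sufficient security argument.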
Article
The low-entropy masking scheme (LEMS) is a cost-security tradeoff solution that ensures a certain level of security with much lower overheads than a full-entropy masking scheme (FEMS). However, most existing LEMSs are based on a look-up-table (LUT) and limited to the first order, which is vulnerable to the classical higher-order correlation power analysis (CPA) attack and other special types of attack (e.g., collision attack). This paper proposes a new type of LEMS for block ciphers in which the S-box consists of power functions and an affine function. First, a low masking-complexity algorithm for evaluating S-boxes is developed by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC. Next, an LEMS for block ciphers is proposed. This LEMS provides two different masking modes to realize various cost-security tradeoff schemes. Due to the "masked invariant property" of the LUT-AC, the masking complexity of the proposed LEMS is O(d), whereas under FEMS it is O(d^2). Compared with existing LEMSs, the proposed LEMS has the following advantages: higher security in terms of the masking entropy; resistance against collision attacks; and scalability to higher-order schemes. Per the proposed algorithm, an architecture without any nonlinear multiplication for evaluating AES is developed by replacing the LUT with seven scalar multiplications. The different LEMSs based on this architecture are developed. Their area overheads are evaluated by implementing the different schemes in a 65 nm CMOS process. The security of the first-order LEMS with rotation mode is verified by performing CPA on the SAKURA-G FPGA board. The experimental success rates show that the proposed first-order LEMS can resist CPA without revealing the correct subkey for up to 100 000 power traces, whereas the unprotected scheme is broken at 1100 traces.
Conference Paper
Improved Rotating S-box Masking (RSM2.0 for short) is a well-known countermeasure designed and implemented by the DPA Contest V4.2 committee to provide security protection for AES-128. By combining both first-order masking and shuffling techniques, improved RSM claims to offer at least non-profiled resistance for its software implementation, and up to now no systematic research has been published to challenge this security claim. To study the practical security of RSM2.0 against non-profiled attacks, we first propose an analytical methodology to guide the detection of exploitable vulnerabilities in RSM2.0. On the basis of this methodology, several potential flaws hidden in both the algorithm design and the detailed implementation of RSM2.0 are discovered, and we make use of them to design six attack schemes in total, all of which are non-profiled attacks. Four representative attacks are eventually implemented and submitted to DPA Contest V4.2 for official evaluation, and the results show that all the submitted attacks are both practical and feasible. Among them, the best attack scheme requires only 257 power traces to recover the complete 128-bit master key with 80% success rate. To further improve the security level of RSM2.0, we also discuss some possible strategies to eliminate or mitigate the threats we identified.
Conference Paper
Side channel collision attacks are a powerful method to exploit side channel leakage. Apart from a few exceptions, collision attacks usually combine leakage from distinct points in time, making them inherently bivariate. This work introduces the notion of near collisions to exploit the fact that values depending on the same sub-key can have similar while not identical leakage. We show how such knowledge can be exploited to mount a key recovery attack. The presented approach has several desirable features when compared to other state-of-the-art collision attacks: near collision attacks are truly univariate; they have low requirements on the leakage functions, since they work well for leakages that are linear in the bits of the targeted intermediate state; and they are applicable in the presence of masking countermeasures if there exist distinguishable leakages, as in the case of leakage squeezing. Results are backed up by a broad range of simulations for unprotected and masked implementations, as well as an analysis of the measurement set provided by DPA Contest v4.
Conference Paper
Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box re-computation schemes, but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low entropy masking scheme and recovers the masks with 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second order attack. Moreover, we show that this attack remains viable in a noisy environment, or with a reduced number of leakage points.
Conference Paper
Secure elements, such as smartcards or trusted platform modules (TPMs), must be protected against implementation-level attacks. Those include side-channel and fault injection attacks. We introduce ODSM, Orthogonal Direct Sum Masking, a new computation paradigm that achieves protection against those two kinds of attacks. A large vector space is structured as two supplementary orthogonal subspaces. One subspace (called a code $\mathcal{C}$) is used for the functional computation, while the second subspace carries random numbers. As the random numbers are entangled with the sensitive data, ODSM ensures a protection against (monovariate) side-channel attacks. The random numbers can be checked either occasionally, or globally, thereby ensuring a detection capability. The security level can be formally detailed: it is proved that monovariate side-channel attacks of order up to $d_\mathcal{C}-1$, where $d_\mathcal{C}$ is the minimal distance of $\mathcal{C}$, are impossible, and that any fault of Hamming weight strictly less than $d_\mathcal{C}$ is detected. A complete instantiation of ODSM is given for AES. In this case, all monovariate side-channel attacks of order strictly less than 5 are impossible, and all fault injections perturbing strictly less than 5 bits are detected.
Conference Paper
Masking is a popular countermeasure against differential power analysis (DPA) and other side-channel attacks. When designing integrated circuits to resist DPA, masking at the logic gate level has the benefit that it can be implemented without consideration of the high-level function of the circuit. However, the phenomena of glitches and early propagation reduce the effectiveness of many gate-level masking schemes. In this paper we present a new technique for gate-level masking that is free of glitches and early propagation, yet requires only cell-level “don’t touch” constraints. Our technique, which we call LUT-Masked Dual-rail with Precharge Logic (LMDPL), can therefore be implemented in a typical FPGA or standard cell ASIC design flow. LMDPL does not require routing constraints, nor sequencing of the evaluation of individual gates with enables, registers, or latches. We verify our techniques with an AES implementation on an FPGA. Our implementation shows no significant leaks in evaluations using up to 200 million traces.
Conference Paper
DPA Contest is an international framework which allows researchers to compare their attacks under a common setting. The latest version of DPA Contest proposes a software implementation of AES-256 protected with a low-entropy masking scheme. The masking scheme is called Rotating Sbox Masking (RSM) which claims first-degree security. In this paper, we review the attacks submitted against DPA Contest v4 implementation to identify the common loopholes in the proposed implementation. Next we propose some ideas to improve the existing implementation to resist most of the proposed attacks at affordable performance overhead. Finally we compare our implementation with the original proposal in terms of complexity and side-channel leakage.
Article
Full-text available
Amongst the many existing countermeasures against Side Channel Attacks (SCA) on symmetrical cryptographic algorithms, masking is one of the most widespread, thanks to its relatively low overhead, its low performance loss and its robustness against first-order attacks. However, several articles have recently pinpointed the limitations of this countermeasure when matched with variance-based and other high-order analyses. In this article, we present a new form of Boolean masking for the Advanced Encryption Standard (AES) called “RSM”, which shows the same level in performances as the state-of-the-art, while being less area consuming, and secure against Variance-based Power Analysis (VPA) and second-order zero-offset CPA. Our theoretical security evaluation is then validated with simulations as well as real-life CPA and VPA on an AES 256 implemented on FPGA.
Conference Paper
Full-text available
Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks. Keywords: AES, side channel attacks, internal collisions, birthday paradox.
Article
Full-text available
Differential power analysis is a powerful cryptanalytic technique that exploits information leaking from physical implementations of cryptographic algorithms. During the last two decades, numerous variations of the original principle have been published. In particular, the univariate case, where a single instantaneous leakage is exploited, has attracted much research effort. In this paper, we argue that several univariate attacks among the most frequently used by the community are not only asymptotically equivalent, but can also be rewritten one in function of the other, only by changing the leakage model used by the adversary. In particular, we prove that most univariate attacks proposed in the literature can be expressed as correlation power analyses with different leakage models. This result emphasizes the major role played by the model choice on the attack efficiency. In a second point of this paper, we hence also discuss and evaluate side channel attacks that involve no leakage model but rely on some general assumptions about the leakage. Our experiments show that such attacks, named robust, are a valuable alternative to the univariate differential power analyses. They only lose a bit of efficiency in case a perfect model is available to the adversary, and gain a lot in case such information is not available. Keywords: Side channel attack, Correlation, Regression, Model
Conference Paper
Full-text available
Several types of countermeasures against side-channel attacks are known. The one called masking is of great interest since it can be applied to any protocol and/or algorithm, without nonetheless requiring special care at the implementation level. Masking countermeasures are usually studied with the maximal possible entropy for the masks. However, in practice, this requirement can be viewed as too costly. It is thus relevant to study how the security evolves when the number of mask values decreases. In this article, we study a first-order masking scheme, that makes use of one n-bit mask taking values in a strict subset of $\mathbb{F}_2^n$. For a given entropy budget, we show that the security does depend on the choice of the mask values. More specifically, we explore the space of mask sets that resist first and second-order correlation analysis (CPA and 2O-CPA), using exhaustive search for word size $n \leqslant 5$ bit and a SAT-solver for n up to 8 bit. We notably show that it is possible to protect algorithms against both CPA and 2O-CPA such as AES with only 12 mask values. If the general trend is that more entropy means less leakage, some particular mask subsets can leak less (or on the contrary leak remarkably more). Additionally, we exhibit such mask subsets that allow a minimal leakage.
Conference Paper
Full-text available
The fair evaluation and comparison of side-channel attacks and countermeasures has been a long standing open question, limiting further developments in the field. Motivated by this challenge, this work proposes a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology. The model is based on weak and commonly accepted hypotheses about side- channels that computations give rise to. It allows quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics, respectively measuring the quality of an implementation and the strength of an adversary. From a theoretical point of view, we demonstrate formal connections between these metrics and discuss their intuitive meaning. From a practical point of view, the model implies a unified methodology for the analysis of side-channel key recovery. The proposed solution allows getting rid of most of the subjective parameters that were limiting previous specialized and often ad hoc approaches in the evaluation of physically observable devices. It typically determines the extent to which basic (but practically essential) questions such as "How to compare two implementations?" or "How to compare two side-channel adversaries?" can be fairly answered.
Conference Paper
Full-text available
The Mutual Information Analysis (MIA) is a generic side-channel distinguisher that has been introduced at CHES 2008. This paper brings three contributions with respect to its applicability to practice. First, we emphasize that the MIA principle can be seen as a toolbox in which different (more or less effective) statistical methods can be plugged in. Doing this, we introduce interesting alternatives to the original proposal. Second, we discuss the contexts in which the MIA can lead to successful key recoveries with lower data complexity than classical attacks such as, e.g. using Pearson’s correlation coefficient. We show that such contexts exist in practically meaningful situations and analyze them statistically. Finally, we study the connections and differences between the MIA and a framework for the analysis of side-channel key recovery published at Eurocrypt 2009. We show that the MIA can be used to compare two leaking devices only if the discrete models used by an adversary to mount an attack perfectly correspond to the physical leakages.
Conference Paper
Full-text available
A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis. Keywords: Correlation factor, CPA, DPA, Hamming distance, power analysis, DES, AES, secure cryptographic device, side channel.
Conference Paper
Full-text available
We propose a generic information-theoretic distinguisher for differential side-channel analysis. Our model of side-channel leakage is a refinement of the one given by Standaert et al. An embedded device containing a secret key is modeled as a black box with a leakage function whose output is captured by an adversary through the noisy measurement of a physical observable. Although quite general, the model and the distinguisher are practical and allow us to develop a new differential side-channel attack. More precisely, we build a distinguisher that uses the value of the Mutual Information between the observed measurements and a hypothetical leakage to rank key guesses. The attack is effective without any knowledge about the particular dependencies between measurements and leakage as well as between leakage and processed data, which makes it a universal tool. Our approach is confirmed by results of power analysis experiments. We demonstrate that the model and the attack work effectively in an attack scenario against DPA-resistant logic.
Conference Paper
Full-text available
Cryptographic algorithms embedded in low resource devices are vulnerable to side channel attacks. Since their introduction in 1996, the effectiveness of these attacks has been highly improved and many countermeasures have been invalidated. It was especially true for countermeasures whose security was based on heuristics and experiments. Consequently, there is not only a need for designing new and various countermeasures, but it is also necessary to prove the security of the new proposals in formal models. In this paper we provide a simple method for securing the software implementation of functions called SBoxes that are widely used in symmetric cryptosystems. The main advantage of the proposed solution is that it does not require any RAM allocation. We analyze its efficiency and we compare it with other well-known countermeasures. Moreover, we use a recently introduced proof-of-security framework to demonstrate the resistance of our countermeasure from the viewpoint of Differential Power Analysis. Finally, we apply our method to protect the AES implementation and we show that the performances are suitable for practical implementations.
Conference Paper
Full-text available
In this article we discuss different types of template attacks on masked implementations. All template attacks that we describe are applied in practice to a masked AES software implementation on an 8-bit microcontroller. They all break this implementation. However, they all require quite a different number of traces. It turns out that a template-based DPA attack leads to the best results. In fact, a template-based DPA attack is the most natural way to apply a template attack to a masked implementation. It can recover the key from about 15 traces. All other attacks that we present perform worse. They require between about 30 and 1800 traces. There is no difference between the application of a template-based DPA attack to an unmasked and to a masked implementation. Hence, we conclude that in the scenario of template attacks, masking does not improve the security of an implementation.
Conference Paper
Full-text available
A theme of recent side-channel research has been the quest for distinguishers which remain effective even when few assumptions can be made about the underlying distribution of the measured leakage traces. The Kolmogorov-Smirnov (KS) test is a well known non-parametric method for distinguishing between distributions, and, as such, a perfect candidate and an interesting competitor to the (already much discussed) mutual information (MI) based attacks. However, the side-channel distinguisher based on the KS test statistic has received only cursory evaluation so far, which is the gap we narrow here. This contribution explores the effectiveness and efficiency of Kolmogorov-Smirnov analysis (KSA), and compares it with mutual information analysis (MIA) in a number of relevant scenarios ranging from optimistic first-order DPA to multivariate settings. We show that KSA shares certain ‘generic' capabilities in common with MIA whilst being more robust to noise than MIA in univariate settings. This has the practical implication that designers should consider results of KSA to determine the resilience of their designs against univariate power analysis attacks.
Conference Paper
Modern Field Programmable Gate Arrays (FPGAs) are power packed with features to facilitate designers. Availability of features like huge block memory (BRAM), Digital Signal Processing (DSP) cores, embedded CPU makes the design strategy of FPGAs quite different from ASICs. FPGAs are also widely used in security-critical applications where protection against known attacks is of prime importance. We focus ourselves on physical attacks which target physical implementations. To design countermeasures against such attacks, the strategy for FPGA designers should also be different from that in ASIC. The available features should be exploited to design compact and strong countermeasures. In this paper, we propose methods to exploit the BRAMs in FPGAs for designing compact countermeasures. BRAM can be used to optimize intrinsic countermeasures like masking and dual-rail logic, which otherwise have significant overhead (at least 2X). The optimizations are applied on a real AES-128 co-processor and tested for area overhead and resistance on Xilinx Virtex-5 chips. The presented masking countermeasure has an overhead of only 16% when applied on AES. Moreover the Dual-rail Precharge Logic (DPL) countermeasure has been optimized to pack the whole sequential part in the BRAM, hence enhancing the security. Proper robustness evaluations are conducted to analyze the optimization for area and security.
Conference Paper
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information. Keywords: differential power analysis, DPA, SPA, cryptanalysis, DES
Conference Paper
Side channel cryptanalysis is a collective term for implementation attacks aiming at recovering secret or private keys from a cryptographic module by observing its physical leakage at run-time. Stochastic methods have already been introduced for first order differential side channel analysis. This contribution provides a compendium for the use of stochastic methods on masked implementations, i.e., on implementations that use internal random numbers in order to effectively prevent first order side channel attacks. Practical evidence is given that stochastic methods are also well suited for analyzing masked implementations, especially, as they are capable of combining several chosen components of different internal states for a multivariate side channel analysis.
Conference Paper
The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited such as the smart card applications. Unfortunately, it is here shown that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of nonideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.
Conference Paper
Since the announcement of the Differential Power Analysis (DPA) by Paul Kocher et al., several countermeasures were proposed in order to protect software implementations of cryptographic algorithms. In an attempt to reduce the resulting memory and execution time overhead, Thomas Messerges recently proposed a general method that "masks" all the intermediate data. This masking strategy is possible if all the fundamental operations used in a given algorithm can be rewritten with masked input data, giving masked output data. This is easily seen to be the case in classical algorithms such as DES or RSA. However, for algorithms that combine Boolean and arithmetic functions, such as IDEA or several of the AES candidates, two different kinds of masking have to be used. There is thus a need for a method to convert back and forth between Boolean masking and arithmetic masking. In the present paper, we show that the 'BooleanToArithmetic' algorithm proposed by T. Messerges is not sufficient to prevent Differential Power Analysis. In a similar way, the 'ArithmeticToBoolean' algorithm is not secure either.
Conference Paper
During the last years, several logic styles that counteract side-channel attacks have been proposed. They all have in common that their level of resistance heavily depends on implementation constraints that are costly to satisfy. For example, the capacitive load of complementary wires in an integrated circuit may need to be balanced. This article describes a novel side-channel analysis resistant logic style called MDPL that completely avoids such constraints. It is a masked and dual-rail pre-charge logic style and can be implemented using common CMOS standard cell libraries. This makes MDPL perfectly suitable for semi-custom designs.
Conference Paper
Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementations of the AES which still have first-order leakage. The proposed attack breaks an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008. The attack requires only six times the number of traces necessary for breaking a comparable unprotected implementation. At the same time, the presented attack has minimal requirements on the abilities and knowledge of an adversary. The attack requires no detailed knowledge about the design, nor does it require a profiling phase.
Conference Paper
This contribution presents a new approach to optimize the efficiency of differential side channel cryptanalysis against block ciphers by advanced stochastic methods. We approximate the real leakage function within a suitable vector subspace. Under appropriate conditions profiling requires only one test key. For the key extraction we present a 'minimum principle' that solely uses deterministic data dependencies and the 'maximum likelihood principle' that additionally incorporates the characterization of the noise revealed during profiling. The theoretical predictions are accompanied and confirmed by experiments. We demonstrate that the adaptation of probability densities is clearly advantageous regarding the correlation method, especially, if multiple leakage signals at different times can be jointly evaluated. Though our efficiency at key extraction is limited by template attacks, profiling is much more efficient, which is highly relevant if the designer of a cryptosystem is bounded by the number of measurements in the profiling step.
Conference Paper
We introduce the use of multivariate Gaussian mixture models for enhancing higher-order side channel analysis on masked cryptographic implementations. Our contribution considers an adversary with incomplete knowledge at profiling, i.e., the adversary does not know random numbers used for masking. At profiling, the adversary observes a mixture probability density of the side channel leakage. However, the EM algorithm can provide estimates on the unknown parameters of the component densities using samples drawn from the mixture density. Practical results are presented and confirm the usefulness of Gaussian mixture models and the EM algorithm. Especially, success rates obtained by automatic classification based on the estimates of the EM algorithm are very close to success rates of template attacks.
Conference Paper
Masked logic styles use a random mask bit to de-correlate the power consumption of the circuit from the state of the algorithm. The effect of the random mask bit is that the circuit switches between two complementary states with a different power profile. Earlier work has shown that the mask-bit value can be estimated from the power consumption profile, and that masked logic remains susceptible to classic power attacks after only a simple filtering operation. In this contribution we will show that this conclusion also holds for masked pre-charged logic styles and for all practical implementations of masked dual-rail logic styles. Up to now, it was believed that masking and dual-rail can be combined to provide a routing-insensitive logic style. We will show that this assumption is not correct. We demonstrate that the routing imbalances can be used to detect the value of the mask bit. Simulations as well as analysis of design data from an AES chip support this conclusion.
Conference Paper
The development of masking schemes to secure AES implementations against side channel attacks is a topic of ongoing research. Many different approaches focus on the AES S-box and have been discussed in the previous years. Unfortunately, to our knowledge most of these countermeasures only address first-order DPA. In this article, we discuss the theoretical background of higher order DPA. We give the expected measurement costs an adversary has to deal with for different hardware models. Moreover, we present a masking scheme which protects an AES implementation against higher order DPA. We have implemented this masking scheme for various orders and present the corresponding performance details implementors will have to expect.
Article
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information. Keywords: differential power analysis, DPA, SPA, cryptanalysis, DES
1 Background
Attacks that involve multiple parts of a security system are difficult to predict and model. If cipher designers, software developers, and hardware engineers do not understand or review each other's work, security assumptions made at each level of a system's design may be incomplete or unrealistic. As a result, security faults often involve unanticipated interactions between components designed by different people. Many techniques ...