Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA)
|
|
- Kenneth Chambers
- 5 years ago
- Views:
Transcription
1 Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche, Cédric Tavernier Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France. Cryptopuces Porquerolles 8 juin 2009
2 Plan 1 List decoding of the First order Reed-Muller codes and Multi-linear cryptanalysis Multi-linear cryptanalysis List Decoding of RM(1,m) codes Complexity 2 Application to Power Analysis attacks : MLPA MLPA attack MLPA vs Other approaches A template-like attack 3 Conclusion and Open perspectives
3 Multi-linear cryptanalysis Symmetric cipher (4-bits plaintexts, 4-bits key) P K E C
4 Multi-linear cryptanalysis Symmetric cipher (4-bits plaintexts, 4-bits key) p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0
5 Multi-linear cryptanalysis Linear approximations p 3 p 1 k 2 k 0 p 2 p 0 k 3 k 1 E c 3 c 2 c 1 c 0 linear approximation p 1 p 3 k 0 k 2 = c 0 c 1 c 3 hold with probability p = 1/2 + ɛ.
6 Multi-linear cryptanalysis Multi-linear cryptanalysis k 0 k 2 = p 1 p 3 c 0 c 1 c 3 p = 1/2 + ɛ 1 k 0 k 1 k 2 = p 0 p 2 c 2 c 3 p = 1/2 + ɛ 2 k 1 k 3 = p 2 p 3 c 1 c 3 p = 1/2 + ɛ 3 k 1 k 2 k 3 = p 0 p 1 p 2 p 3 c 2 c 3 p = 1/2 + ɛ 4 Complexity of the attack [Biry 04] Given n linear approximations α i, P µ i, K = β i, E(P, K) #Plaintexts = O( 1 Pi (ɛ2 i ))
7 Multi-linear cryptanalysis Multi-linear cryptanalysis k 0 k 2 = p 1 p 3 c 0 c 1 c 3 p = 1/2 + ɛ 1 k 0 k 1 k 2 = p 0 p 2 c 2 c 3 p = 1/2 + ɛ 2 k 1 k 3 = p 2 p 3 c 1 c 3 p = 1/2 + ɛ 3 k 1 k 2 k 3 = p 0 p 1 p 2 p 3 c 2 c 3 p = 1/2 + ɛ 4 Complexity of the attack [Biry 04] Given n linear approximations α i, P µ i, K = β i, E(P, K) #Plaintexts = O( 1 Pi (ɛ2 i ))
8 Multi-linear cryptanalysis Multivariate degree 1 polynomial reconstruction P K E C α, P µ, K = β, E(P, K)
9 List Decoding of RM(1,m) codes Reed-Muller code properties Definition of RM(1, m) RM(1, m) = {f GF (2) (1) [x 1, x 2,, x m ]} ; Usual representation : (f (0), f (1),, f (2 m 1)) ; Boolean representation : f = f 1 x 1 f 2 x 2 f m x m code of lenght n = 2 m and minimal distance d = n/2. Classical Problem Given a Boolean function g, we want to construct the list {f RM(1, m) d H (f, g) n(1/2 ɛ)}, which is equivalent to L g (ɛ) = {f RM(1, m) l (g) (f ) = ( 1) f (x) g(x) 2ɛn}. x GF (2) m Johnson Bound In fact L g (ɛ) 1 4ɛ 2
10 List Decoding of RM(1,m) codes List Decoding Algorithms A simple idea 2ɛn l (g) (f ) s GF (2) m i f (i) = f 1 x 1 f i x i. r GF (2) i ( 1) g(r,s) f (i) (r) where Screnning process : we suggest f i and we check if the inequality is satisfied. L (i) g (ɛ) = {f RM(1, i) ( 1) g(r,s) f (r) 2ɛn}. s r GF (2) i In fact 4nɛ 2 M a Eb E M = L (i) g (ɛ) 1 4ɛ 2. With E = L (i) g (ɛ) ( 1) g(r,s) a(i) (r) g(r,s) b(i)(r) n. s r GF (2) i
11 Complexity Complexity Worst case complexity The complexity of this algorithm is in O(n log 2 2(ɛ)) [I Du 07]. The complexity of the prob. version is in O(m 2 /ɛ 6 ) [Kaba 04]. The size of the result can be of size m/2ɛ 2, thus optimal complexity could be in O(m/ɛ 2 ). Optimal complexity In fact Goldreich and Levin algorithm : O(m/ɛ 4 ). I. Dumer, G. Kabatiansky and C. Tavernier, not yet published : O(m/ɛ 2 )
12 Plan 1 List decoding of the First order Reed-Muller codes and Multi-linear cryptanalysis Multi-linear cryptanalysis List Decoding of RM(1,m) codes Complexity 2 Application to Power Analysis attacks : MLPA MLPA attack MLPA vs Other approaches A template-like attack 3 Conclusion and Open perspectives
13 Side channel measurements p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0
14 Side channel measurements p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0
15 MLPA attack Linear approximations and Power Analysis p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0 HD and HW models Leaked information related to the Hamming weight of the manipulated data.
16 MLPA attack Linear approximations and Power Analysis p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 HW () h 2 h 1 h 0 E c 3 c 2 c 1 c 0 HD and HW models Leaked information related to the Hamming weight of the manipulated data.
17 MLPA attack Attack algorithm and results on DPA-contest traces 1 Offline static computation : Find many and good approximations of the intermediate data Hamming weight (for every output mask). 2 Online attack : multi-linear cryptanalysis assuming Leaked information = Hamming distance. From traces "secmatv " Cipher rounds # linear equ. # key bits # traces DES DES DES DES Tab.: Attack on DPA-contest traces Results
18 MLPA attack Approximation examples Output Mask (in binary) : Bias Equations (plain part) Equations (key part) P[5, 26, 27, 31, 45, 53, 61]+ K[6, 7, 29, 38, 52] P[28, 29, 31, 37, 45, 53]+ K[6, 7, 29, 61] P[5, 28, 29, 31, 37, 45]+ K[6, 29, 38, 61] P[5, 28, 29, 31, 37, 53]+ K[7, 29, 38, 61] P[5, 8, 9, 37, 45, 53, 61]+ K[6, 7, 38, 52, 61] P[5, 14, 15, 31, 37, 45, 61]+ K[6, 29, 38, 52, 61] P[5, 28, 29, 31, 37, 53, 61]+ K[7, 29, 38, 52, 61] P[5, 26, 27, 31, 37, 53, 61]+ K[7, 29, 38, 52, 61] P[5, 26, 27, 31, 37, 45, 53, 61]+ K[6, 7, 29, 38, 52, 61]
19 MLPA vs Other approaches Classical Power Analysis attacks p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0 Limitations Intermediate data should be dependent to less than 32 key-bits.
20 MLPA vs Other approaches Classical Power Analysis attacks p 3 p 2 p 1 p 0 k 3 k 2 k 1 k 0 E c 3 c 2 c 1 c 0 Limitations Intermediate data should be dependent to less than 32 key-bits.
21 MLPA vs Other approaches Countermeasures The implementation is safe if one can shut down all information leakages : Suppress synchronization elements. (buses and registers) and/or Randomize the data processed. (masking techniques [Akka 01, Akka 03, Akka 04, Lv 05]) and/or Add random useless computations. and/or balanced dynamic dual-rail gates designs. and/or... Secure... But not for free! e.g. Three 32-Bit Random Masks and Six Additional S-Boxes are the Minimal Cost for a Secure DES Implementation [Lv 05]
22 MLPA vs Other approaches Countermeasures The implementation is safe if one can shut down all information leakages : Suppress synchronization elements. (buses and registers) and/or Randomize the data processed. (masking techniques [Akka 01, Akka 03, Akka 04, Lv 05]) and/or Add random useless computations. and/or balanced dynamic dual-rail gates designs. and/or... Secure... But not for free! e.g. Three 32-Bit Random Masks and Six Additional S-Boxes are the Minimal Cost for a Secure DES Implementation [Lv 05]
23 MLPA vs Other approaches Glued Blocks Possible solution Concentrate on the firsts and lasts rounds. i.e. no information leak during these critical rounds No observable intermediate value is dependent to less than 32 key bits. Sufficient countermeasure against DPA-like, CPA, MIA, etc... Not against MLPA!
24 A template-like attack Training device attack Remark The List-decoding algorithm operates on the target boolean function as a black-box. Getting the linear approximations from a twin board i.e. Chosen plaintexts and keys Approximations directly linked to the leaked information. much more accurate. No need to choose a power consumption model. No need to know the target block cipher. still need to know where/when to attack.
25 Next Steps on MLPA : MLPA on a consumption measurement refinement. Simultaneous MLPA on several rounds. HO-MLPA. MLPA on static masked implementation. Other block ciphers. Better linear approximations. MLPA template attack. Unknown block cipher attack.
26 The end.
27 references I M.-L. Akkar and C. Giraud. An Implementation of DES and AES, Secure against Some Attacks. In : Çetin Kaya Koç, D. Naccache, and C. Paar, Eds., CHES, pp , Springer, M.-L. Akkar and L. Goubin. A Generic Protection against High-Order Differential Power Analysis. In : T. Johansson, Ed., FSE, pp , Springer, M.-L. Akkar, R. Bevan, and L. Goubin. Two Power Analysis Attacks against One-Mask Methods. In : B. K. Roy and W. Meier, Eds., FSE, pp , Springer, 2004.
28 references II A. Biryukov, C. D. Cannière, and M. Quisquater. On Multiple Linear Approximations. In : M. K. Franklin, Ed., CRYPTO, pp. 1 22, Springer, G. K. I. Dumer and C. Tavernier. List Decoding of the First Order Binary Reed Muller Codes. Problems of Information Transmission, Vol. 43, No. 3, pp , G. Kabatiansky and C. Tavernier. List decoding with Reed Muller codes of order one. In : nine International Workshop On Algebraic and Combinatorial Coding Theory, pp , 2004.
29 references III J. Lv and Y. Han. Enhanced DES Implementation Secure Against High-Order Differential Power Analysis in Smartcards. In : C. Boyd and J. M. G. Nieto, Eds., ACISP, pp , Springer, 2005.
Affine Masking against Higher-Order Side Channel Analysis
Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. In
More informationSIDE Channel Analysis (SCA in short) exploits information. Statistical Analysis of Second Order Differential Power Analysis
1 Statistical Analysis of Second Order Differential Power Analysis Emmanuel Prouff 1, Matthieu Rivain and Régis Bévan 3 Abstract Second Order Differential Power Analysis O- DPA is a powerful side channel
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de, www.crypto.rub.de Abstract. In
More informationTemplates as Master Keys
Templates as Master Keys Dakshi Agrawal, Josyula R. Rao, Pankaj Rohatgi, and Kai Schramm IBM Watson Research Center P.O. Box 74 Yorktown Heights, NY 1598 USA {agrawal,jrrao,rohatgi}@us.ibm.com Communication
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationDifferential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d
4th International Conference on Sensors, Measurement and Intelligent Materials (ICSMIM 2015) Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b,
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More information4488 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 54, NO. 10, OCTOBER /$ IEEE
4488 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 54, NO. 10, OCTOBER 2008 List Decoding of Biorthogonal Codes the Hadamard Transform With Linear Complexity Ilya Dumer, Fellow, IEEE, Grigory Kabatiansky,
More informationCollision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices
Collision-Correlation Attack against some 1 st -order Boolean Masking Schemes in the Context of Secure Devices Thomas Roche and Victor Lomné ANSSI 51 boulevard de la Tour-Maubourg, 75700 Paris 07 SP, France
More informationNovel Approaches for Improving the Power Consumption Models in Correlation Analysis
Novel Approaches for Improving the Power Consumption Models in Correlation Analysis Thanh-Ha Le, Quoc-Thinh Nguyen-Vuong, Cécile Canovas, Jessy Clédière CEA-LETI 17 avenue des Martyrs, 38 054 Grenoble
More informationChannel Equalization for Side Channel Attacks
Channel Equalization for Side Channel Attacks Colin O Flynn and Zhizhang (David) Chen Dalhousie University, Halifax, Canada {coflynn, z.chen}@dal.ca Revised: July 10, 2014 Abstract. This paper introduces
More informationA Proposition for Correlation Power Analysis Enhancement
A Proposition for Correlation Power Analysis Enhancement Thanh-Ha Le 1, Jessy Clédière 1,Cécile Canovas 1, Bruno Robisson 1, Christine Servière, and Jean-Louis Lacoume 1 CEA-LETI 17 avenue des Martyrs,
More informationOn the Masking Countermeasure and Higher-Order Power Analysis Attacks
1 On the Masking Countermeasure and Higher-Order Power Analysis Attacks François-Xavier Standaert, Eric Peeters, Jean-Jacques Quisquater UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.
More informationA Collision-Attack on AES Combining Side Channel- and Differential-Attack
A Collision-Attack on AES Combining Side Channel- and Differential-Attack Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar Horst Görtz Institute for IT Security Ruhr-Universität Bochum, Germany
More informationInvestigations of Power Analysis Attacks on Smartcards *
Investigations of Power Analysis Attacks on Smartcards * Thomas S. Messerges Ezzy A. Dabbish Robert H. Sloan 1 Dept. of EE and Computer Science Motorola Motorola University of Illinois at Chicago tomas@ccrl.mot.com
More informationProtecting AES with Shamir s Secret Sharing Scheme
Protecting AES with Shamir s Secret Sharing Scheme Louis Goubin 1 and Ange Martinelli 1,2 1 Versailles Saint-Quentin-en-Yvelines University Louis.Goubin@prism.uvsq.fr 2 Thales Communications jean.martinelli@fr.thalesgroup.com
More informationAlgebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection
Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection Andrey Bogdanov 1, Ilya Kizhvatov 2, and Andrey Pyshkin 3 1 Horst Görtz Institute for Information Security Ruhr-University
More informationSide-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects
Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects Zhimin Chen, Syed Haider, and Patrick Schaumont Virginia Tech, Blacksburg, VA 24061, USA {chenzm,syedh,schaum}@vt.edu Abstract.
More informationTHEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys
THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationHow to Evaluate Side-Channel Leakages
How to Evaluate Side-Channel Leakages 7. June 2017 Ruhr-Universität Bochum Acknowledgment Tobias Schneider 2 Motivation Security Evaluation Attack based Testing Information theoretic Testing Testing based
More informationUsing Second-Order Power Analysis to Attack DPA Resistant Software
Using Second-Order Power Analysis to Attack DPA Resistant Software Thomas S. Messerges Motorola Labs, Motorola 3 E. Algonquin Road, Room 7, Schaumburg, IL 696 Tom.Messerges@motorola.com Abstract. Under
More information«Differential Behavioral Analysis»
«Differential Behavioral Analysis» Bruno ROBISSON Pascal MANET CEA-LETI SESAM Laboratory (joint R&D team CEA-LETI/EMSE), Centre Microélectronique de Provence Avenue des Anémones, 13541 Gardanne, France
More informationRandom Delay Insertion: Effective Countermeasure against DPA on FPGAs
Random Delay Insertion: Effective Countermeasure against DPA on FPGAs Lu, Yingxi Dr. Máire O Neill Prof. John McCanny Overview September 2004 PRESENTATION OUTLINE DPA and countermeasures Random Delay Insertion
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationA Very Compact Perfectly Masked S-Box
A Very Compact Perfectly Masked S-Box for AES D. Canright 1 and Lejla Batina 2 1 Applied Math., Naval Postgraduate School, Monterey CA 93943, USA, dcanright@nps.edu 2 K.U. Leuven ESAT/COSIC, Kasteelpark
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationImproved Collision-Correlation Power Analysis on First Order Protected AES
Improved Collision-Correlation Power Analysis on First Order Protected AES Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier,
More informationExtended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations
Extended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations Shekh Faisal Abdul-Latip School of Computer Science and Software Engineering University of Wollongong, Australia
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer 1 Power Analysis Simple Power Analysis Correlation Power
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationCorrelation Power Analysis. Chujiao Ma
Correlation Power Analysis Chujiao Ma Power Analysis Simple Power Analysis (SPA) different operations consume different power Differential Power Analysis (DPA) different data consume different power Correlation
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationAlgebraic Side-Channel Collision Attacks on AES
Algebraic Side-Channel Collision Attacks on AES Andrey Bogdanov 1 and Andrey Pyshkin 2 1 Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de 2 Department of Computer
More informationMutual Information Analysis
Mutual Information Analysis A Universal Differential Side-Channel Attack Benedikt Gierlichs 1, Lejla Batina 1, and Pim Tuyls 1,2 1 K.U. Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationComprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure
Comprehensive Evaluation of AES Dual Ciphers as a Side-Channel Countermeasure Amir Moradi and Oliver Mischke Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany {moradi,mischke}@crypto.rub.de
More informationDifferential Cache Trace Attack Against CLEFIA
Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in
More informationDPA Attacks and S-Boxes
DPA Attacks and S-Boxes Emmanuel Prouff Oberthur Card Systems 5 rue Auguste Blanche, 9800 Puteaux, France e.prouff@oberthurcs.com Abstract. For the power consumption model called Hamming weight model,
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationMasking and Dual-rail Logic Don't Add Up
Masking and Dual-rail Logic Don't Add Up Patrick Schaumont schaum@vt.edu Secure Embedded Systems Group ECE Department Kris Tiri kris.tiri@intel.com Digital Enterprise Group Intel Corporation Our Contributions
More informationAlgebraic Side-Channel Attacks
Algebraic Side-Channel Attacks Mathieu Renauld, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain, B-1348 Louvain-la-Neuve. e-mails: mathieu.renauld,fstandae@uclouvain.be Abstract.
More informationStart Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling
IEEE TRANSACTIONS ON COMPUTERS, VOL.?, NO.?,?? 1 Start Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling Liran Lerman, Nikita Veshchikov, Olivier Markowitch,
More informationPower Analysis of Hardware Implementations Protected with Secret Sharing
Power Analysis of Hardware Implementations Protected with Secret Sharing Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michaël Peeters and Gilles Van Assche, STMicroelectronics, Morpho, TELECOM
More informationNew Results in the Linear Cryptanalysis of DES
New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two
More informationHardware Security Side channel attacks
Hardware Security Side channel attacks R. Pacalet renaud.pacalet@telecom-paristech.fr May 24, 2018 Introduction Outline Timing attacks P. Kocher Optimizations Conclusion Power attacks Introduction Simple
More informationA New Framework for Constraint-Based Probabilistic Template Side Channel Attacks
A New Framework for Constraint-Based Probabilistic Template Side Channel Attacks Yossef Oren 1, Ofir Weisse 2, Avishai Wool 3 yos@cs.columbia.edu, ofirweisse@gmail.com, yash@eng.tau.ac.il 1 Network Security
More informationFault Analysis of the KATAN Family of Block Ciphers
Fault Analysis of the KATAN Family of Block Ciphers Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Centre for Computer and Information Security Research,
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationDPA-Resistance without routing constraints?
Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL
More informationSecurity Analysis of Higher-Order Boolean Masking Schemes for Block Ciphers
Security Analysis of Higher-Order Boolean Masking Schemes for Block Ciphers (with Conditions of Perfect Masking) Gilles Piret 1, François-Xavier Standaert 2 1 Ecole Normale Supérieure, Département d Informatique,
More informationDynamic Runtime Methods to Enhance Private Key Blinding
Dynamic Runtime Methods to Enhance Private Key Blinding Karine Gandolfi-Villegas and Nabil Hamzi Gemalto Security Labs {nabil.hamzi,karine.villegas}@gemalto.com Abstract. In this paper we propose new methods
More informationSeveral Masked Implementations of the Boyar-Peralta AES S-Box
Several Masked Implementations of the Boyar-Peralta AES S-Box Ashrujit Ghoshal 1[0000 0003 2436 0230] and Thomas De Cnudde 2[0000 0002 2711 8645] 1 Indian Institute of Technology Kharagpur, India ashrujitg@iitkgp.ac.in
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationLinear Regression Side Channel Attack Applied on Constant XOR
Linear Regression Side Channel Attack Applied on Constant XOR Shan Fu ab, Zongyue Wang c, Fanxing Wei b, Guoai Xu a, An Wang d a National Engineering Laboratory of Mobile Internet Security, Beijing University
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationCryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks
Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park ETRI Network & Communication Security Division, 909 Jeonmin-dong, Yuseong-gu, Daejeon, Korea Abstract.
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationBitslice Ciphers and Power Analysis Attacks
Bitslice Ciphers and Power Analysis Attacks Joan Daemen, Michael Peeters and Gilles Van Assche Proton World Intl. Rue Du Planeur 10, B-1130 Brussel, Belgium Email: {daemen.j, peeters.m, vanassche.g}@protonworld.com
More informationMaking Masking Security Proofs Concrete
Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device Extended Version Alexandre Duc 1, Sebastian Faust 1,2, François-Xavier Standaert 3 1 HEIG-VD, Lausanne, Switzerland
More informationDIFFERENTIAL POWER ANALYSIS MODEL AND SOME RESULTS
DIFFERENTIAL POWER ANALYSIS MODEL AND SOME RESULTS Sylvain Guilley, Philippe Hoogvorst and Renaud Pacalet GET / Télécom Paris, CNRS LTCI Département communication et électronique 46 rue Barrault, 75634
More informationA Statistical Model for DPA with Novel Algorithmic Confusion Analysis
A Statistical Model for DPA with Novel Algorithmic Confusion Analysis Yunsi Fei 1, Qiasi Luo 2,, and A. Adam Ding 3 1 Department of Electrical and Computer Engineering Northeastern University, Boston,
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationGeneric Side-Channel Distinguishers: Improvements and Limitations
Generic Side-Channel Distinguishers: Improvements and Limitations Nicolas Veyrat-Charvillon, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationNumerical Solvers in Cryptanalysis
Numerical Solvers in Cryptanalysis M. Lamberger, T. Nad, V. Rijmen Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationImproved Linear Distinguishers for SNOW 2.0
Improved Linear Distinguishers for SNOW 2.0 Kaisa Nyberg 1,2 and Johan Wallén 1 1 Helsinki University of Technology and 2 Nokia Research Center, Finland Email: kaisa.nyberg@nokia.com; johan.wallen@tkk.fi
More informationIN this paper, we exploit the information given by the generalized
4496 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 10, OCTOBER 2006 A New Upper Bound on the Block Error Probability After Decoding Over the Erasure Channel Frédéric Didier Abstract Motivated by
More informationEfficient Hamming Weight-based Side-Channel Cube Attacks on PRESENT
Efficient Hamming Weight-based Side-Channel Cube Attacks on PRESENT Xinjie Zhao a,, Shize Guo b, Fan Zhang c, Tao Wang a, Zhijie Shi c a Department of Computer Engineering, Ordnance Engineering College,
More informationMultiplicative complexity in block cipher design and analysis
Multiplicative complexity in block cipher design and analysis Pavol Zajac Institute of Computer Science and Mathematics Slovak University of Technology pavol.zajac@stuba.sk Fewer Multiplications in Cryptography
More informationLightweight Cryptography Meets Threshold Implementation: A Case Study for Simon
Lightweight Cryptography Meets Threshold Implementation: A Case Study for Simon by Aria Shahverdi A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the
More informationAN FPGA IMPLEMENTATION OF RIJNDAEL: TRADE-OFFS FOR SIDE-CHANNEL SECURITY. Nele Mentens, Lejla Batina, Bart Preneel and Ingrid Verbauwhede
AN FPGA IMPLEMENTATION OF RIJNDAEL: TRADE-OFFS FOR SIDE-CHANNEL SECURIT Nele Mentens, Lejla Batina, Bart Preneel and Ingrid Verbauwhede {Nele.Mentens,Lejla.Batina,Bart.Preneel,Ingrid.Verbauwhede} @esat.kuleuven.ac.be
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationEase of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys
Ease of Side-Channel Attacks on AES-192/256 by Targeting Extreme Keys Antoine Wurcker eshard, France, antoine.wurcker@eshard.com Abstract. Concerning the side-channel attacks on Advanced Encryption Standard,
More informationMasking against Side-Channel Attacks: a Formal Security Proof
Masking against Side-Channel Attacks: a Formal Security Proof Emmanuel Prouff 1 and Matthieu Rivain 2 1 ANSSI emmanuel.prouff@ssi.gouv.fr 2 CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Masking
More informationCryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE
Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80 Achterbahn [Gammel-Göttfert-Kniffler05]...
More informationConstant-Time Higher-Order Boolean-to-Arithmetic Masking
Constant-Time Higher-Order Boolean-to-Arithmetic Masking Michael Hutter and Michael Tunstall Cryptography Research, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States {michael.hutter,michael.tunstall}@cryptography.com
More informationPower Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems
Power Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,
More informationNICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage
NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage Shivam Bhasin 1 Jean-Luc Danger 1,2 Sylvain Guilley 1,2 Zakaria Najm 1 1 Institut MINES-TELECOM, TELECOM ParisTech, Department
More informationOn the Use of Shamir s Secret Sharing Against Side-Channel Analysis
On the Use of Shamir s Secret Sharing Against Side-Channel Analysis Jean-Sébastien Coron 1, Emmanuel Prouff 2, and Thomas Roche 2 1 Tranef jscoron@tranef.com 2 ANSSI, 51, Bd de la Tour-Maubourg, 75700
More informationParallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F.-X. Standaert, P.-Y. Strub IMDEA (Spain), Univ. Surrey (UK), Univ. Bochum
More informationPublic Key Perturbation of Randomized RSA Implementations
Public Key Perturbation of Randomized RSA Implementations A. Berzati, C. Dumas & L. Goubin CEA-LETI Minatec & Versailles St Quentin University Outline 1 Introduction 2 Public Key Perturbation Against R2L
More informationOn the Practical Security of a Leakage Resilient Masking Scheme
On the Practical Security of a Leakage Resilient Masking Scheme T. Roche thomas.roche@ssi.gouv.fr Joint work with E. Prouff and M. Rivain French Network and Information Security Agency (ANSSI) CryptoExperts
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationSystematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers
Systematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers Hui Zhao, Yongbin Zhou,,François-Xavier Standaert 2, and Hailong Zhang State Key Laboratory
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More information