
2012 | Book

Constructive Side-Channel Analysis and Secure Design

Third International Workshop, COSADE 2012, Darmstadt, Germany, May 3-4, 2012. Proceedings

Edited by: Werner Schindler, Sorin A. Huss

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the refereed proceedings of the Third International Workshop on Constructive Side-Channel Analysis and Secure Design, COSADE 2012, held in Darmstadt, Germany, May 2012. The 16 revised full papers presented together with two invited talks were carefully reviewed and selected from 49 submissions. The papers are organized in topical sections on practical side-channel analysis; secure design; side-channel attacks on RSA; fault attacks; side-channel attacks on ECC; different methods in side-channel analysis.

Table of contents

Frontmatter

Practical Side-Channel Analysis

Exploiting the Difference of Side-Channel Leakages
Abstract
In this paper, we propose a setup that improves the performance of implementation attacks by exploiting the difference of side-channel leakages. The main idea of our setup is to use two cryptographic devices and to measure the difference of their physical leakages, e.g., their power consumption. This increases the signal-to-noise ratio of the measurement and reduces the number of power-consumption traces needed for an attack to succeed. The setup can efficiently be applied (but is not limited) in scenarios where two synchronous devices are available for analysis. By applying template-based attacks, only a few power traces are required to successfully identify weak but data-dependent leakage differences. In order to quantify the efficiency of our proposed setup, we performed practical experiments by designing three evaluation boards that assemble different cryptographic implementations. The results of our investigations show that the needed number of traces can be reduced by up to 90%.
Michael Hutter, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, Stefan Mangard
Attacking an AES-Enabled NFC Tag: Implications from Design to a Real-World Scenario
Abstract
Radio-frequency identification (RFID) technology is the enabler for applications like the future internet of things (IoT), where security plays an important role. When integrating security into RFID tags, not only the cryptographic algorithms need to be secure but also their implementation. In this work we present differential power analysis (DPA) and differential electromagnetic analysis (DEMA) attacks on a security-enabled RFID tag. The attacks are conducted on both an ASIC-chip version and on an FPGA-prototype version of the tag. The design of the ASIC version equals that of commercial RFID tags and has the analog and digital parts integrated on a single chip. The target of the attacks is an implementation of the Advanced Encryption Standard (AES) with 128-bit key length and DPA countermeasures. The countermeasures are shuffling of operations and insertion of dummy rounds. Our results illustrate that the effort for successfully attacking the ASIC chip in a real-world scenario is only 4.5 times higher than for the FPGA prototype in a laboratory environment. This lets us conclude that the effort for attacking contactless devices like RFID tags is only slightly higher than that for contact-based devices. The results further underline that the design of countermeasures like the insertion of dummy rounds has to be done with great care, since the detection of patterns in power or electromagnetic traces can be used to significantly lower the attacking effort.
Thomas Korak, Thomas Plos, Michael Hutter

Invited Talk I

700+ Attacks Published on Smart Cards: The Need for a Systematic Counter Strategy
Abstract
Recent literature surveys showed that in excess of 700 papers have been published on attacks (or countermeasures thereto) on embedded devices and smart cards in particular. Most of these attacks fall into one of three classes: (hardware) reverse engineering, fault attacks, and side-channel attacks. Not included here are pure software attacks. Each year another 50-100 papers are being added to this stack and hence it is becoming a necessity to find new ways to cope with new attacks found during the design of secure smart cards, be it on the hardware or the software side, or during their deployment phase. This paper explores possible solutions to this issue.
Mathias Wagner

Secure Design

An Interleaved EPE-Immune PA-DPL Structure for Resisting Concentrated EM Side Channel Attacks on FPGA Implementation
Abstract
Early propagation effect (EPE) is a critical problem in conventional dual-rail logic implementations against Side Channel Attacks (SCAs). Among previous EPE-resistant architectures, PA-DPL logic offers EPE-free capability at relatively low cost. However, its separate dual-core structure is a weakness when facing concentrated EM attacks where a tiny EM probe can be precisely positioned closer to one of the two cores. In this paper, we present a PA-DPL dual-core interleaved structure to strengthen resistance against sophisticated EM attacks on Xilinx FPGA implementations. The main merit of the proposed structure is that the two routings in each signal pair are kept identical even when the dual cores are interleaved together. By minimizing the distance between the complementary routings and instances of both cores, even the concentrated EM measurement cannot easily distinguish the minor EM field unbalance. In PA-DPL, EPE is avoided by compressing the evaluation phase to a small portion of the clock period; therefore, the speed is inevitably limited. Regarding this, we made an improvement to extend the duty cycle of the evaluation phase to more than 40 percent, yielding a larger maximum working frequency. The detailed design flow is also presented. We validate the security improvement against EM attack by implementing a simplified AES co-processor in a Virtex-5 FPGA.
Wei He, Eduardo de la Torre, Teresa Riesgo
An Architectural Countermeasure against Power Analysis Attacks for FSR-Based Stream Ciphers
Abstract
Feedback Shift Register (FSR) based stream ciphers are known to be vulnerable to power analysis attacks due to their simple hardware structure. In this paper, we propose a countermeasure against non-invasive power analysis attacks based on switching activity masking. Our solution has a 50% smaller power overhead on average compared to the previous standard cell-based countermeasures. Its resistance against different types of attacks is evaluated on the example of the Grain-80 stream cipher.
Shohreh Sharif Mansouri, Elena Dubrova
Conversion of Security Proofs from One Leakage Model to Another: A New Issue
Abstract
To guarantee the security of a cryptographic implementation against Side Channel Attacks, a common approach is to formally prove the security of the corresponding scheme in a model as pertinent as possible. Nowadays, security proofs for masking schemes in the literature are usually conducted for models where only the manipulated data are assumed to leak. However, in practice the leakage is better modeled by encompassing the memory transitions, as e.g. in the Hamming distance model. From this observation, a natural question is to decide to what extent a countermeasure proved to be secure in the first model stays secure in the second. In this paper, we look at this issue and we show that it must definitely be taken into account. Indeed, we show that a countermeasure proved to be secure against second-order side-channel attacks in the first model becomes vulnerable to a first-order side-channel attack in the second model. Our results emphasize the issue of porting an implementation from devices leaking only on the manipulated data to devices leaking on the memory transitions.
Jean-Sébastien Coron, Christophe Giraud, Emmanuel Prouff, Soline Renner, Matthieu Rivain, Praveen Kumar Vadnala

Side-Channel Attacks on RSA

Attacking Exponent Blinding in RSA without CRT
Abstract
A standard SPA protection for RSA implementations is exponent blinding (see [7]). Fouque et al., [4] and more recently Schindler and Itoh, [8] have described side-channel attacks against such implementations. The attack in [4] requires that the attacker knows some bits of the blinded exponent with certainty. The attack methods of [8] can be defeated by choosing a sufficiently large blinding factor (about 64 bit).
In this paper we start from a more realistic model for the information an attacker can obtain by simple power analysis (SPA) than the one that forms the base of the attack in [4]. We show how the methods of [4] can be extended to work in this setting. This new attack works, under certain restrictions, even for long blinding factors (i.e. 64 bit or more).
Sven Bauer
A New Scan Attack on RSA in Presence of Industrial Countermeasures
Abstract
This paper proposes a new scan-based side-channel attack on RSA public-key cryptographic implementations in the presence of advanced Design for Testability (DfT) techniques. The attack is performed on an actual hardware implementation, for which different test scenarios were conceived (response compaction, X-Masking). The practical aspects of scan-based attacks on the RSA cryptosystem are also presented. Additionally, a novel scan-attack security analysis tool is proposed which helps in evaluating the scan-chain leakage resilience of security circuits.
Jean Da Rolt, Amitabh Das, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre, Ingrid Verbauwhede
RSA Key Generation: New Attacks
Abstract
We present several new side-channel attacks against RSA key generation. Our attacks may be combined and are powerful enough to fully reveal RSA primes generated on a tamper-resistant device, unless adequate countermeasures are implemented. More precisely, we describe a DPA attack, a template attack and several fault attacks against prime generation. Our experimental results confirm the practicality of the DPA and template attacks. To the best of our knowledge, these attacks are the first of their kind and demonstrate that basic timing and SPA countermeasures may not be sufficient for high-security applications.
Camille Vuillaume, Takashi Endo, Paul Wooderson

Fault Attacks

A Fault Attack on the LED Block Cipher
Abstract
A fault-based attack on the new low-cost LED block cipher is reported. Parameterized sets of key candidates called fault tuples are generated, and filtering techniques are employed to quickly eliminate fault tuples not containing the correct key. Experiments for LED-64 show that the number of remaining key candidates is practical for performing brute-force evaluation even for a single fault injection. The extension of the attack to LED-128 is also discussed.
Philipp Jovanovic, Martin Kreuzer, Ilia Polian
Differential Fault Analysis of Full LBlock
Abstract
\(\textsf{LBlock}\) is a 64-bit lightweight block cipher which can be implemented in both hardware environments and software platforms. It was designed by Wu and Zhang, and published at ACNS 2011. In this paper, we explore the strength of \(\textsf{LBlock}\) against differential fault analysis (\(\textsf{DFA}\)). As far as we know, this is the first time the \(\textsf{DFA}\) attack is used to analyze \(\textsf{LBlock}\). Our \(\textsf{DFA}\) attack adopts the random bit fault model. When the fault is injected at the end of a round from the 25th round to the 31st round, the \(\textsf{DFA}\) attack is used to reveal the last three round subkeys (i.e., K32, K31 and K30) by analyzing the \(\textit{active S-box}\), of which the input and output differences can be obtained from the right and faulty ciphertexts (C, \(\widetilde{C}\)). Then, the master key can be recovered based on the analysis of the key scheduling. Specially, for the condition that the fault is injected at the end of the 25th and 26th round, we show that the active S-box can be distinguished from the \(\textit{false active S-box}\) by analyzing the nonzero differences from the pair of ciphertexts (C, \(\widetilde{C}\)). The false active S-box which we define implies that the nonzero input difference does not correspond to the right output difference. Moreover, as \(\textsf{LBlock}\) can achieve the best diffusion in eight rounds, there can exist countermeasures that protect the first and last eight rounds. This countermeasure raises a question whether provoking a fault at an earlier round of \(\textsf{LBlock}\) can reveal the round subkey. Our current work also gives an answer to this question: the \(\textsf{DFA}\) attack can be used to reveal the round subkey when the fault is injected into the 24th round. If the fault model used in this analysis is a \(\textit{semi-random bit model}\), the round subkey can be revealed directly. Specially, the semi-random bit model corresponds to an adversary who could know the corrupted 4 bits at the chosen round but not know the exact bit among these 4 bits. Finally, the data complexity analysis and simulations show the number of necessary faults for revealing the master key.
Liang Zhao, Takashi Nishide, Kouichi Sakurai
Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
Abstract
True random number generators (TRNGs) are ubiquitous in data security as one of the basic cryptographic primitives. They are primarily used as generators of confidential keys, initialization vectors and padding values, but also as random mask generators in some side channel attack countermeasures. As such, they must have good statistical properties, be unpredictable and be robust against attacks. This paper presents a contactless and local active attack on ring oscillator (RO) based TRNGs using electromagnetic fields. Experiments show that in a TRNG featuring fifty ROs, the impact of a local electromagnetic emanation on the ROs is so strong that it is possible to lock them on the injected signal and thus to control the monobit bias of the TRNG output even when low power electromagnetic fields are exploited. These results confirm practically that the electromagnetic waves used for harmonic signal injection may represent a serious security threat for secure circuits that embed RO-based TRNGs.
Pierre Bayon, Lilian Bossuet, Alain Aubert, Viktor Fischer, François Poucheret, Bruno Robisson, Philippe Maurine

Invited Talk II

A Closer Look at Security in Random Number Generators Design
Abstract
The issue of random number generation is crucial for the implementation of cryptographic systems. Random numbers are often used in key generation processes, authentication protocols, zero-knowledge protocols, padding, in many digital signature and encryption schemes, and even in some side channel attack countermeasures. For these applications, security depends to a great extent on the quality of the source of randomness and on the way this source is exploited. The quality of the generated numbers is checked by statistical tests. In addition to the good statistical properties of the obtained numbers, the output of the generator used in cryptography must be unpredictable. Besides quality and unpredictability requirements, the generator must be robust against aging effects and intentional or unintentional environmental variations, such as temperature, power supply, electromagnetic emanations, etc. In this paper, we discuss practical aspects of a true random number generator design. Special attention is given to the analysis of security requirements and to the way these requirements can be met in practice.
Viktor Fischer

Side-Channel Attacks on ECC

Same Values Power Analysis Using Special Points on Elliptic Curves
Abstract
Elliptic Curve Cryptosystems (ECC) on Smart-Cards can be vulnerable to Side Channel Attacks such as the Simple Power Analysis (SPA) or the Differential Power Analysis (DPA) if they are not carefully implemented. Goubin proposed a variant of the DPA using the point (0, y). This point is randomized neither by projective coordinates nor by isomorphic class. Akishita and Takagi extended this attack by considering not only points with a zero coordinate, but also points producing a zero value in intermediate registers during the doubling and addition formulas. This attack increases the number of possible special points on the elliptic curve that need particular attention. In this paper, we introduce a new attack based on special points that give rise to internal collisions exploitable by power analysis. This attack further increases the number of possible special points on the elliptic curve that need particular attention. Like Goubin's attack and Akishita and Takagi's attack, our attack works if a fixed scalar is used and the attacker can choose the base point.
Cédric Murdica, Sylvain Guilley, Jean-Luc Danger, Philippe Hoogvorst, David Naccache
The Schindler-Itoh-attack in Case of Partial Information Leakage
Abstract
Schindler and Itoh proposed a side-channel attack on implementations of the double-and-add algorithm with blinded exponents, where dummy additions can be detected with errors. Here this approach is generalized to partial information leakage: if window methods are used, several different types of additions occur. If the attacker can only discriminate between some types of additions, but not between all types, the so-called basic version of the attack is still feasible and the attacker can correct her guessing errors and find out the secret scalar. Sometimes generalized Schindler-Itoh methods can reveal even more bits than leak by SPA. In fact, this makes an attack on a 2-bit window algorithm feasible for a 32-bit randomization, where the attacker can distinguish between additions of different values with error rates up to 0.15, but cannot detect dummy additions. A barrier to applying the so-called enhanced version to partial information leakage is described.
Alexander Krüger

Different Methods in Side-Channel Analysis

Butterfly-Attack on Skein’s Modular Addition
Abstract
At the cutting edge of today's security research and development, the SHA-3 contest evaluates a new successor of SHA-2 for secure hashing operations. One of the finalists is the SHA-3 candidate Skein. Like many other cryptographic primitives, Skein utilizes arithmetic operations, for instance modular addition. In this paper we introduce a new method of performing a DPA on modular addition of arbitrary length. We give an overview of side channel analysis of modular addition, followed by the problems occurring when dealing with large operand sizes of 32 bits and more. To overcome these problems, we suggest a new method, called the Butterfly-Attack, to exploit the leakage of modular additions. Real-world application is shown by applying our new approach to Skein-MAC, enabling us to forge legitimate MACs using Skein.
Michael Zohner, Michael Kasper, Marc Stöttinger
MDASCA: An Enhanced Algebraic Side-Channel Attack for Error Tolerance and New Leakage Model Exploitation
Abstract
Algebraic side-channel attack (ASCA) is a powerful cryptanalysis technique different from conventional side-channel attacks. This paper studies ASCA from three aspects: enhancement, analysis and application. To enhance ASCA, we propose a generic method, called Multiple Deductions-based ASCA (MDASCA), to cope with the multiple deductions caused by inaccurate measurements or interferences. For the first time, we show that ASCA can exploit cache leakage models. We analyze the attacks and estimate the minimal amount of leakage required for a successful ASCA on AES under different leakage models. In addition, we apply MDASCA to attack AES on an 8-bit microcontroller under the Hamming weight leakage model, on two typical microprocessors under the access-driven cache leakage model, and on a 32-bit ARM microprocessor under the trace-driven cache leakage model. Many better results are achieved compared to the previous work. The results are also consistent with the theoretical analysis. Our work shows that MDASCA poses great threats with its excellence in error tolerance and new leakage model exploitation.
Xinjie Zhao, Fan Zhang, Shize Guo, Tao Wang, Zhijie Shi, Huiying Liu, Keke Ji
Intelligent Machine Homicide: Breaking Cryptographic Devices Using Support Vector Machines
Abstract
In this contribution we propose the so-called SVM attack, a profiling-based side channel attack, which uses the machine learning algorithm support vector machines (SVM) in order to recover a cryptographic secret. We compare the SVM attack to the template attack by evaluating the number of required traces in the attack phase to achieve a fixed guessing entropy. In order to highlight the benefits of the SVM attack, we perform the comparison for power traces with a varying noise level and vary the size of the profiling base. Our experiments indicate that due to the generalization of SVM, the SVM attack is able to recover the key using a smaller profiling base than the template attack. Thus, the SVM attack counters the main drawback of the template attack, i.e. a huge profiling base.
Annelie Heuser, Michael Zohner
Backmatter
Metadata
Title
Constructive Side-Channel Analysis and Secure Design
Edited by
Werner Schindler
Sorin A. Huss
Copyright year
2012
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-29912-4
Print ISBN
978-3-642-29911-7
DOI
https://doi.org/10.1007/978-3-642-29912-4