
2019 | Book

Selected Areas in Cryptography – SAC 2018

25th International Conference, Calgary, AB, Canada, August 15–17, 2018, Revised Selected Papers

About this book

This book contains revised selected papers from the 25th International Conference on Selected Areas in Cryptography, SAC 2018, held in Calgary, AB, Canada in August 2018.


The 22 full papers presented in this volume were carefully reviewed and selected from 57 submissions. They cover the following research areas:

design and analysis of symmetric key primitives and cryptosystems, including block and stream ciphers, hash functions, MAC algorithms, and authenticated encryption schemes

efficient implementations of symmetric and public key algorithms

mathematical and algorithmic aspects of applied cryptology

cryptography for the Internet of Things

Table of Contents

Frontmatter

Design of Symmetric Key Primitives

Frontmatter
Targeted Ciphers for Format-Preserving Encryption
Abstract
We introduce Targeted Ciphers, which typically encipher points on domain \(\mathcal {X}\), but can be easily modified to instead encipher points on some subset \(\mathcal{S}\subseteq \mathcal {X}\). Ciphers that can directly support this domain targeting are useful in Format-Preserving Encryption, where one wishes to encipher points on a potentially complex domain \(\mathcal{S}\). We propose two targeted ciphers and analyze their security. The first, Targeted Swap-or-Not, is a modification of the Swap-or-Not cipher proposed by Hoang, Morris, and Rogaway (CRYPTO 2012). The second, a new cipher we call Mix-Swap-Unmix, achieves the stronger notion of full security. Our targeted ciphers perform domain targeting more efficiently than the recently proposed Cycle Slicer algorithm of Miracle and Yilek (ASIACRYPT 2017).
Sarah Miracle, Scott Yilek
Variants of the AES Key Schedule for Better Truncated Differential Bounds
Abstract
Differential attacks are one of the main ways to attack block ciphers. Hence, we need to evaluate the security of a given block cipher against these attacks. One way to do so is to determine the minimal number of active S-boxes, and use this number along with the maximal differential probability of the S-box to determine the minimal probability of any differential characteristic. Thus, if one wants to build a new block cipher, one should try to maximize the minimal number of active S-boxes. On the other hand, the related-key security model is now quite important, hence, we also need to study the security of block ciphers in this model.
In this work, we search how one could design a key schedule to maximize the number of active S-boxes in the related-key model. However, we also want this key schedule to be efficient, and therefore choose to only consider permutations. Our target is AES, and along with a few generic results about the best reachable bounds, we found a permutation to replace the original key schedule that reaches a minimal number of active S-boxes of 20 over 6 rounds, while no differential characteristic with a probability larger than \(2^{-128}\) exists. We also describe an algorithm which helped us to show that there is no permutation that can reach 18 or more active S-boxes in 5 rounds. Finally, we give several pairs \((P_s, P_k)\), replacing respectively the ShiftRows operation and the key schedule of the AES, reaching a minimum of 21 active S-boxes over 6 rounds, while again, there is no differential characteristic with a probability larger than \(2^{-128}\).
Patrick Derbez, Pierre-Alain Fouque, Jérémy Jean, Baptiste Lambin
Analysis and Improvement of an Authentication Scheme in Incremental Cryptography
Abstract
Introduced in cryptography by Bellare, Goldreich and Goldwasser in 1994, incrementality is an attractive feature that enables to update efficiently a cryptographic output like a ciphertext, a signature or an authentication tag after modifying the corresponding input. This property is very valuable in large scale systems where gigabytes of data are continuously processed (e.g. in cloud storage). Adding cryptographic operations on such systems can decrease dramatically their performance and incrementality is an interesting solution to have security at a reduced cost.
We focus on the so-called XOR-scheme, the first incremental authentication construction proposed by Bellare, Goldreich and Goldwasser, and the only strongly incremental scheme (i.e. incremental regarding insert and delete update operations at any position in a document). Surprisingly, we found a simple attack on this construction that breaks the basic security claimed by the authors in 1994 with only one authentication query (not necessarily chosen). Our analysis gives different ways to fix the scheme; some of these patches are discussed in this paper and we provide a security proof for one of them.
Louiza Khati, Damien Vergnaud

Cryptanalysis of Symmetric Key Primitives

Frontmatter
Integral Attacks on Round-Reduced Bel-T-256
Abstract
Bel-T is the national block cipher encryption standard of the Republic of Belarus. It has a 128-bit block size and a variable key length of 128, 192 or 256 bits. Bel-T combines a Feistel network with a Lai-Massey scheme to build a complex round function with 7 S-box layers per round then iterate this round function 8 times to construct the whole cipher. In this paper, we present integral attacks against Bel-T-256 using the propagation of the bit-based division property. Firstly, we propose two 2-round integral characteristics by employing a Mixed Integer Linear Programming (MILP) (Our open source code to generate the MILP model can be downloaded from https://github.com/mhgharieb/Bel-T-256) approach to propagate the division property through the round function. Then, we utilize these integral characteristics to attack 3\(\frac{2}{7}\) rounds (out of 8) Bel-T-256 with data and time complexities of \(2^{13}\) chosen plaintexts and \(2^{199.33}\) encryption operations, respectively. We also present an attack against 3\(\frac{6}{7}\) rounds with data and time complexities of \(2^{33}\) chosen plaintexts and \(2^{254.61}\) encryption operations, respectively. To the best of our knowledge, these attacks are the first published theoretical attacks against the cipher in the single-key model.
Muhammad ElSheikh, Mohamed Tolba, Amr M. Youssef
Cryptanalysis of Reduced sLiSCP Permutation in Sponge-Hash and Duplex-AE Modes
Abstract
This paper studies security of a family of lightweight permutations sLiSCP that was proposed by AlTawy et al. at SAC 2017. sLiSCP also specifies an authenticated encryption (AE) mode and a hashing mode based on the sponge framework, however the designers’ analysis focuses on the indistinguishability of the permutation, and there is no analysis for those modes. This paper presents the first analysis of reduced-step sLiSCP in the AE and hashing modes fully respecting the recommended parameters and usage by the designers. Forgery and collision attacks are presented against 6 (out of 18) steps of the AE and hashing modes. Moreover, rebound distinguishers are presented against 15 steps of the permutation. We believe that those results especially about the AE and hashing modes provide a better understanding of sLiSCP, and bring more confidence about the lightweight version sLiSCP-light.
Yunwen Liu, Yu Sasaki, Ling Song, Gaoli Wang
Finding Integral Distinguishers with Ease
Abstract
The division property method is a technique to determine integral distinguishers on block ciphers. While the complexity of finding these distinguishers is higher, it has recently been shown that MILP and SAT solvers can efficiently find such distinguishers. In this paper, we provide a framework to automatically find those distinguishers which solely requires a description of the cryptographic primitive. We demonstrate that by finding integral distinguishers for 30 primitives with different design strategies.
We provide several new or improved bit-based division property distinguishers for ChaCha, Chaskey, DES, GIFT, LBlock, Mantis, Qarma, RoadRunner, Salsa and SM4. Furthermore, we present an algorithm to find distinguishers with lower data complexity more efficiently.
Zahra Eskandari, Andreas Brasen Kidmose, Stefan Kölbl, Tyge Tiessen
Towards Key-Dependent Integral and Impossible Differential Distinguishers on 5-Round AES
Abstract
Reduced-round AES has been a popular underlying primitive to design new cryptographic schemes and thus its security including distinguishing properties deserves more attention. At Crypto’16, a key-dependent integral distinguisher on 5-round AES was put forward, which opened up a new direction to take more insights into the distinguishing properties of AES. After that, two key-dependent impossible differential (ID) distinguishers on 5-round AES were proposed at FSE’16 and CT-RSA’18, respectively. It is strange that the current key-dependent integral distinguisher requires significantly higher complexities than the key-dependent ID distinguishers, even though they are constructed with the same property of MixColumns (\(2^{128} \gg 2^{98.2}\)). Proposers of the 5-round key-dependent distinguishers claimed that the corresponding integral and ID distinguishers can only work under chosen-ciphertext and chosen-plaintext settings, respectively, which is very different from the situations of traditional key-independent distinguishers.
In this paper, we first construct a novel key-dependent integral distinguisher on 5-round AES with \(2^{96}\) chosen plaintexts, which is much better than the previous key-dependent integral distinguisher that requires the full codebook proposed at Crypto’16. Secondly, we show that both distinguishers are valid under either chosen-plaintext setting or chosen-ciphertext setting, which is different from the claims of previous cryptanalysis. However, under different settings, complexities of key-dependent integral distinguishers are very different while those of the key-dependent ID distinguishers are almost the same. We analyze the reasons for it.
Kai Hu, Tingting Cui, Chao Gao, Meiqin Wang
Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis
Abstract
Resistance against differential cryptanalysis is an important design criterion for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT’91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics.
In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of \(2^{-56.93}\), while the best single characteristic only suggests a probability of \(2^{-72}\). Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives.
Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys.
Ralph Ankele, Stefan Kölbl

Side Channel and Fault Attacks

Frontmatter
Sliding-Window Correlation Attacks Against Encryption Devices with an Unstable Clock
Abstract
Power analysis side channel attacks rely on aligned traces. As a counter-measure, devices can use a jittered clock to misalign the power traces. In this paper we suggest a way to overcome this counter-measure, using an old method of integrating samples over time followed by a correlation attack (Sliding Window CPA). We theoretically re-analyze this general method with characteristics of jittered clocks and show that it is stronger than previously believed. We show that integration of samples over a suitably chosen window size actually amplifies the correlation both with and without jitter—as long as multiple leakage points are present within the window. We then validate our analysis on a new data-set of traces measured on a board implementing a jittered clock. The data-set we collected is public and accessible online. Our experiments show that the SW-CPA attack with a well-chosen window size is very successful against a jittered clock counter-measure and significantly outperforms previous suggestions, requiring a much smaller set of traces to correctly identify the correct key.
Dor Fledel, Avishai Wool
Assessing the Feasibility of Single Trace Power Analysis of Frodo
Abstract
Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al. (HOST’18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions.
Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.’s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al. we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.
Joppe W. Bos, Simon Friedberger, Marco Martinoli, Elisabeth Oswald, Martijn Stam
Cache-Attacks on the ARM TrustZone Implementations of AES-256 and AES-256-GCM via GPU-Based Analysis
Abstract
The ARM TrustZone is a security extension which is used in recent Samsung flagship smartphones to create a Trusted Execution Environment (TEE) called a Secure World, which runs secure processes (Trustlets). The Samsung TEE includes cryptographic key storage and functions inside the Keymaster trustlet. The secret key used by the Keymaster trustlet is derived by a hardware device and is inaccessible to the Android OS. However, the ARM32 AES implementation used by the Keymaster is vulnerable to side channel cache-attacks. The Keymaster trustlet uses AES-256 in GCM mode, which makes mounting a cache attack against this target much harder. In this paper we show that it is possible to perform a successful cache attack against this AES implementation, in AES-256/GCM mode, using widely available hardware. Using a laptop’s GPU to parallelize the analysis, we are able to extract a raw AES-256 key with 7 min of measurements and under a minute of analysis time and an AES-256/GCM key with 40 min of measurements and 30 min of analysis.
Ben Lapid, Avishai Wool
Fault Attacks on Nonce-Based Authenticated Encryption: Application to Keyak and Ketje
Abstract
In the context of fault attacks on nonce-based authenticated encryption, an attacker faces two restrictions. The first is the uniqueness of the nonce for each new encryption that prevents the attacker from collecting pairs of correct and faulty outputs to perform, e.g., differential fault attacks. The second restriction concerns the verification/decryption, which releases only verified plaintext. While many recent works either exploit misuse scenarios (e.g. nonce-reuse, release of unverified plaintext), we turn the fact that the decryption/verification gives us information on the effect of a fault (whether a fault changed a value or not) against it.
In particular, we extend the idea of statistical ineffective fault attacks (SIFA) to target the initialization performed in nonce-based authenticated encryption schemes. By targeting the initialization performed during decryption/verification, most nonce-based authenticated encryption schemes provide the attacker with an oracle whether a fault was ineffective or not. This information is all the attacker needs to mount statistical ineffective fault attacks. To demonstrate the practical threat of the attack, we target software implementations of the authenticated encryption schemes Keyak and Ketje. The presented fault attacks can be carried out without the need of sophisticated equipment. In our practical evaluation the inputs corresponding to 24 ineffective fault inductions were required to reveal large parts of the secret key in both scenarios.
Christoph Dobraunig, Stefan Mangard, Florian Mendel, Robert Primas

Post-Quantum Cryptography

Frontmatter
EFLASH: A New Multivariate Encryption Scheme
Abstract
Multivariate Public Key Cryptography is a leading option for security in a post quantum society. In this paper we propose a new encryption scheme, EFLASH, and analyze its efficiency and security.
Ryann Cartor, Daniel Smith-Tone
Public Key Compression for Constrained Linear Signature Schemes
Abstract
We formalize the notion of a constrained linear trapdoor as an abstract strategy for the generation of signature schemes, concrete instantiations of which can be found in MQ-based, code-based, and lattice-based cryptography. Moreover, we revisit and expand on a transformation by Szepieniec et al. [39] to shrink the public key at the cost of a larger signature while reducing their combined size. This transformation can be used in a way that is provably secure in the random oracle model, and in a more aggressive variant whose security remained unproven. In this paper we show that this transformation applies to any constrained linear trapdoor signature scheme, and prove the security of the first mode in the quantum random oracle model. Moreover, we identify a property of constrained linear trapdoors that is sufficient (and necessary) for the more aggressive variant to be secure in the quantum random oracle model. We apply the transformation to an MQ-based scheme, a code-based scheme and a lattice-based scheme targeting 128-bits of post quantum security, and we show that in some cases the combined size of a signature and a public key can be reduced by more than a factor 300.
Ward Beullens, Bart Preneel, Alan Szepieniec
On the Cost of Computing Isogenies Between Supersingular Elliptic Curves
Abstract
The security of the Jao-De Feo Supersingular Isogeny Diffie-Hellman (SIDH) key agreement scheme is based on the intractability of the Computational Supersingular Isogeny (CSSI) problem—computing \({\mathbb F}_{p^2}\)-rational isogenies of degrees \(2^e\) and \(3^e\) between certain supersingular elliptic curves defined over \({\mathbb F}_{p^2}\). The classical meet-in-the-middle attack on CSSI has an expected running time of \(O(p^{1/4})\), but also has \(O(p^{1/4})\) storage requirements. In this paper, we demonstrate that the van Oorschot-Wiener golden collision finding algorithm has a lower cost (but higher running time) for solving CSSI, and thus should be used instead of the meet-in-the-middle attack to assess the security of SIDH against classical attacks. The smaller parameter p brings significantly improved performance for SIDH.
Gora Adj, Daniel Cervantes-Vázquez, Jesús-Javier Chi-Domínguez, Alfred Menezes, Francisco Rodríguez-Henríquez

Lattice-Based Cryptography

Frontmatter
A Full RNS Variant of Approximate Homomorphic Encryption
Abstract
The technology of Homomorphic Encryption (HE) has improved rapidly in a few years. The newest HE libraries are efficient enough to use in practical applications. For example, Cheon et al. (ASIACRYPT’17) proposed an HE scheme with support for arithmetic of approximate numbers. An implementation of this scheme shows the best performance in computation over the real numbers. However, its implementation could not employ a core optimization technique based on the Residue Number System (RNS) decomposition and the Number Theoretic Transformation (NTT).
In this paper, we present a variant of approximate homomorphic encryption which is optimal for implementation on standard computer system. We first introduce a new structure of ciphertext modulus which allows us to use both the RNS decomposition of cyclotomic polynomials and the NTT conversion on each of the RNS components. We also suggest new approximate modulus switching procedures without any RNS composition. Compared to previous exact algorithms requiring multi-precision arithmetic, our algorithms can be performed by using only word size (64-bit) operations.
Our scheme achieves a significant performance gain from its full RNS implementation. For example, compared to the earlier implementation, our implementation showed speed-ups 17.3, 6.4, and 8.3 times for decryption, constant multiplication, and homomorphic multiplication, respectively, when the dimension of a cyclotomic ring is 32768. We also give experimental result for evaluations of some advanced circuits used in machine learning or statistical analysis. Finally, we demonstrate the practicability of our library by applying to machine learning algorithm. For example, our single core implementation takes 1.8 min to build a logistic regression model from encrypted data when the dataset consists of 575 samples, compared to the previous best result 3.5 min using four cores.
Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, Yongsoo Song
Analysis of Error-Correcting Codes for Lattice-Based Key Exchange
Abstract
Lattice problems allow the construction of very efficient key exchange and public-key encryption schemes. When using the Learning with Errors (LWE) or Ring-LWE (RLWE) problem such schemes exhibit an interesting trade-off between decryption error rate and security. The reason is that secret and error distributions with a larger standard deviation lead to better security but also increase the chance of decryption failures. As a consequence, various message/key encoding or reconciliation techniques have been proposed that usually encode one payload bit into several coefficients. In this work, we analyze how error-correcting codes can be used to enhance the error resilience of protocols like NewHope, Frodo, or Kyber. For our case study, we focus on the recently introduced NewHope Simple and propose and analyze four different options for error correction: (i) BCH code; (ii) combination of BCH code and additive threshold encoding; (iii) LDPC code; and (iv) combination of BCH and LDPC code. We show that lattice-based cryptography can profit from classical and modern codes by combining BCH and LDPC codes. This way we achieve quasi-error-free communication and an increase of the estimated post-quantum bit-security level by 20.39% and a decrease of the communication overhead by 12.8%.
Tim Fritzmann, Thomas Pöppelmann, Johanna Sepulveda
Provably Secure NTRUEncrypt over Any Cyclotomic Field
Abstract
NTRUEncrypt is generally recognized as one of candidate encryption schemes for post quantum cryptography, due to its moderate key sizes, remarkable performance and potential capacity of resistance to quantum computers. However, the previous provably secure NTRUEncrypts are only based on prime-power cyclotomic rings. Whether there are provably secure NTRUEncrypt schemes over more general algebraic number fields is still an open problem. In this paper, we answer this question and present a new provably IND-CPA secure NTRUEncrypt over any cyclotomic field. The security of our scheme is reduced to a variant of learning with errors problem over rings (Ring-LWE). More precisely, the security of our scheme is based on the worst-case approximate shortest independent vectors problem (SIVP\(_\gamma \)) over ideal lattices. We prove that, once the field is fixed, the bounds of the reduction parameter \(\gamma \) and the modulus q in our scheme are less dependent on the choices of plaintext spaces. This leads to that our scheme provides more flexibility for the choices of plaintext spaces with higher efficiency under stronger security assumption. Furthermore, the probability that the decryption algorithm of our scheme fails to get the correct plaintext is much smaller than that of the previous works.
Yang Wang, Mingqiang Wang

Classical Public Key Cryptography

Frontmatter
A Generalized Attack on Some Variants of the RSA Cryptosystem
Abstract
Let \(N=pq\) be an RSA modulus with unknown factorization. The RSA cryptosystem can be attacked by using the key equation \(ed-k(p-1)(q-1)=1\). Similarly, some variants of RSA, such as RSA combined with singular elliptic curves, LUC and RSA with Gaussian primes can be attacked by using the key equation \(ed- k\left( p^2-1\right) \left( q^2-1\right) =1\). In this paper, we consider the more general equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) and present a new attack that finds the prime factors p and q in the case that u, v and w satisfy some specific conditions. The attack is based on Coppersmith’s technique and improves the former attacks.
Abderrahmane Nitaj, Yanbin Pan, Joseph Tonien
Injective Encodings to Binary Ordinary Elliptic Curves
Abstract
Representing points of elliptic curves in a way that no pattern can be detected by sensors in the transmitted data is a crucial problem in elliptic curve cryptography. One of the methods that we can represent points of the elliptic curves in a way to be indistinguishable from random bit strings is using injective encoding function. So far, several injective encodings to elliptic curves have been presented, but the previous encoding functions have not supported the binary elliptic curves. More precisely, the only injective encoding to binary elliptic curves was given for Hessian curves, the family of elliptic curves with a point of order 3. In this paper, we propose approaches for constructing injective encoding algorithms to the ordinary binary elliptic curves \(y^2+xy=x^3+ax^2+b\) with \(\mathrm {Tr}(a)=1\) as well as those with \(\mathrm {Tr}(a+1)=0\).
Mojtaba Fadavi, Reza Rezaeian Farashahi, Soheila Sabbaghian

Machine Learning and Cryptography

Frontmatter
Unsupervised Machine Learning on Encrypted Data
Abstract
In the context of Fully Homomorphic Encryption, which allows computations on encrypted data, Machine Learning has been one of the most popular applications in the recent past. All of these works, however, have focused on supervised learning, where there is a labeled training set that is used to configure the model. In this work, we take the first step into the realm of unsupervised learning, which is an important area in Machine Learning and has many real-world applications, by addressing the clustering problem. To this end, we show how to implement the \(K\)-Means-Algorithm. This algorithm poses several challenges in the FHE context, including a division, which we tackle by using a natural encoding that allows division and may be of independent interest. While this theoretically solves the problem, performance in practice is not optimal, so we then propose some changes to the clustering algorithm to make it executable under more conventional encodings. We show that our new algorithm achieves a clustering accuracy comparable to the original \(K\)-Means-Algorithm, but has less than \(5\%\) of its runtime.
Angela Jäschke, Frederik Armknecht
Profiled Power Analysis Attacks Using Convolutional Neural Networks with Domain Knowledge
Abstract
Evaluation of cryptographic implementations against profiled side-channel attacks plays a fundamental role in security testing nowadays. Recently, deep neural networks and especially Convolutional Neural Networks have been introduced as a new tool for that purpose. Although having several practical advantages over common Gaussian templates such as intrinsic feature extraction, the deep-learning-based profiling techniques proposed in literature still require a suitable leakage model for the implementation under test. Since this is a crucial task, we are introducing domain knowledge to exploit the full power of approximating very complex functions with neural networks. By doing so, we are able to attack the secret key directly without any assumption about the leakage behavior. Our experiments confirmed that our method is much more efficient than state-of-the-art profiling approaches when targeting an unprotected hardware and a protected software implementation of the AES.
Benjamin Hettwer, Stefan Gehrer, Tim Güneysu
Backmatter
Metadata
Title
Selected Areas in Cryptography – SAC 2018
Editors
Carlos Cid
Prof. Michael J. Jacobson Jr.
Copyright Year
2019
Electronic ISBN
978-3-030-10970-7
Print ISBN
978-3-030-10969-1
DOI
https://doi.org/10.1007/978-3-030-10970-7
