Abstract
WAGE is a hardware-oriented authenticated cipher, which has the smallest (unprotected) hardware cost (for 128-bit security level) among the round 2 candidates of the NIST lightweight cryptography (LWC) competition. In this work, we analyze the security of WAGE against the correlation power analysis (CPA) on ARM Cortex-M4F microcontroller. Our attack detects the secret key leakage from power consumption for up to 12 (out of 111) rounds of the WAGE permutation and requires 10,000 power traces to recover the 128-bit secret key. Motivated by the CPA attack and the low hardware cost of WAGE, we propose the first optimized masking scheme of WAGE in the t-strong non-interference (SNI) security model. We investigate different masking schemes for S-boxes by exploiting their internal structures and leveraging the state-of-the-art masking techniques. To practically demonstrate the effectiveness of masking, we perform the test vector leakage assessment on the 1-order masked WAGE. We evaluate the hardware performance of WAGE for 1, 2, and 3-order security and provide a comparison with other NIST LWC round 2 candidates.
Notes
1. A fair comparison is difficult due to different types of side-channel implementations and ASIC libraries.
2.
3. We use “word” and “register” interchangeably throughout this section.
References
Aagaard, M., AlTawy, R., Gong, G., Mandal, K., Rohit, R., Zidaric, N.: WAGE: an authenticated cipher (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/wage-spec-round2.pdf
Aagaard, M., Sattarov, M., Zidarič, N.: Hardware design and analysis of the ACE and WAGE ciphers. In: NIST LWC Workshop (2019). https://arxiv.org/abs/1909.12338
Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side-channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_4
Akkar, M.-L., Bévan, R., Goubin, L.: Two power analysis attacks against one-mask methods. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 332–347. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_21
Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_26
AlTawy, R., Gong, G., Mandal, K., Rohit, R.: WAGE: an authenticated encryption with a twist. IACR Trans. Sym. Cryptol. 2020(S1), 132–159 (2020)
Banik, S., et al.: GIFT-COFB. Cryptology ePrint Archive, Report 2020/738 (2020). https://eprint.iacr.org/2020/738
Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), pp. 116–129. ACM, New York (2016)
Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_18
Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. Cryptology ePrint Archive, Report 2015/506 (2015). https://eprint.iacr.org/2015/506
Bassham, L., Calik, C., Chang, D., Kang, J., McKay, K., Turan, M.S.: Lightweight cryptography: round 2 candidates (2019). https://csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates
Beierle, C., et al.: SKINNY-AEAD and SKINNY-hash. IACR Trans. Sym. Cryptol. 2020(S1), 88–131 (2020). https://doi.org/10.13154/tosc.v2020.iS1.88-131
Benoît, O., Peyrin, T.: Side-channel analysis of six SHA-3 candidates. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 140–157. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_10
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
Caforio, A., Balli, F., Banik, S.: Energy analysis of lightweight AEAD circuits. Cryptology ePrint Archive, Report 2020/607 (2020). https://eprint.iacr.org/2020/607
Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_21
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26
Cooper, J., DeMulder, E., Goodwill, G., Jaffe, J., Kenworthy, G.: Test vector leakage assessment (TVLA) methodology in practice. In: International Cryptographic Module Conference, vol. 20 (2013)
Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_25
Coron, J.-S., Greuet, A., Prouff, E., Zeitoun, R.: Faster evaluation of SBoxes via common shares. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 498–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_24
Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_21
Coron, J.-S., Rondepierre, F., Zeitoun, R.: High order masking of look-up tables with common shares. IACR Trans. Cryptogr. Hardw. Embed. Syst. (CHES 2018), 2018(1), 40–72 (2018). https://doi.org/10.13154/tches.v2018.i1.40-72
De Cnudde, T., Reparaz, O., Bilgin, B., Nikova, S., Nikov, V., Rijmen, V.: Masking AES with \(d+1\) shares in hardware. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 194–212. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_10
Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_21
Gross, H., Mangard, S.: Reconciling \(d+1\) masking in hardware and software. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 115–136. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_6
Groß, H., Mangard, S.: A unified masking approach. J. Cryptogr. Eng. 8(2), 109–124 (2018)
Groß, H., Mangard, S., Korak, T.: Domain-oriented masking: compact masked hardware implementations with arbitrary protection order. In: Proceedings of the 2016 ACM Workshop on Theory of Implementation Security (TIS 2016), p. 3. ACM, New York (2016)
Groß, H., Wenger, E., Dobraunig, C., Ehrenhöfer, C.: Suit up! - made-to-measure hardware implementations of ASCON. In: 2015 Euromicro Conference on Digital System Design, pp. 645–652 (2015)
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer Science & Business Media, Cham (2008). https://doi.org/10.1007/978-0-387-38162-6
Nikova, S., Rechberger, C., Rijmen, V.: Threshold Implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_38
Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_37
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_28
Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 417–434. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_24
Sasdrich, P., Bilgin, B., Hutter, M., Marson, M.E.: Low-latency hardware masking with application to AES. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 300–326 (2020). https://doi.org/10.13154/tches.v2020.i2.300-326
Standaert, F.-X.: How (not) to use Welch’s \(t\)-test in side-channel security evaluations. In: International Conference on Smart Card Research and Advanced Applications, pp. 65–79. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-68487-7
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15
Acknowledgement
The hardware implementations in this work are based on the original WAGE hardware implementation from [1]. The authors would like to thank Dr. Mark Aagaard for his great help with synthesis tools and valuable suggestions for this work. The work of Yunsi Fei, Cheng Gongye and Tianhong Xu was supported in part by the US National Science Foundation under grant SaTC-1563697. The work of Guang Gong, Raghvendra Rohit, Yunjie Yi, and Nusa Zidaric was supported by the NSERC SPG grant, and the work of Kalikinkar Mandal was partially supported by the NSERC SPG grant when he was at the University of Waterloo.
A Details on Correlation Power Analysis of WAGE
CPA Attack Final Phase. In Table 5, we provide the details of which key words are recovered in each batch of the final phase of the CPA attack.
Test Vector Leakage Assessment of First-Order Masked WAGE. We use the standard test vector leakage assessment (TVLA) to test the resistance of the first-order masked implementation of WAGE against the CPA attack. We collected the same number of traces (nearly 10,000) for both the unprotected and the first-order masked implementation and applied the TVLA to each. An example of the TVLA result for both implementations, for the least significant bit (LSB) of \(K_{18}\), is shown in Fig. 7. For the unprotected version (Fig. 7a) the t-values exceed 5, which indicates leakage. For the masked WAGE, the t-values stay within the threshold for up to 60,000 time points (Fig. 7b), so no first-order leakage is detected.
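The fixed-vs-random TVLA procedure described above, as an added worked example that is not part of the paper or the WAGE implementation: a per-time-sample Welch t-test run over constructed toy traces, once for an unprotected device and once for a first-order masked one. The traces, the leaking sample index, the Hamming-weight leakage gain and the 0xFE fixed value are all constructed assumptions; the |t| > 5 decision threshold is the one used in the paper's Fig. 7.

```python
import math
import random

TVLA_THRESHOLD = 5.0   # |t| beyond this is read as leakage (the same bar as the paper's Fig. 7)
LEAK_POINT = 10        # constructed: time sample at which the toy device handles the key-dependent byte
LEAK_GAIN = 0.5        # constructed: how strongly Hamming weight shows up in that power sample

def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)

def tvla(fixed, rand):
    """Fixed-vs-random TVLA: one Welch t-value per time sample."""
    return [welch_t([t[i] for t in fixed], [t[i] for t in rand]) for i in range(len(fixed[0]))]

def leaky_points(t_values, threshold=TVLA_THRESHOLD):
    """Indices of time samples whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(t_values) if abs(t) > threshold]

def hw(x):
    return bin(x).count("1")

def simulate_traces(n_traces, n_points, masked, rng, fixed_byte=0xFE):
    """Constructed toy traces: Gaussian noise plus, at LEAK_POINT, LEAK_GAIN * HW of the
    intermediate byte the device actually handles. With first-order masking the device
    handles byte ^ mask for a fresh random mask, so the mean of that sample no longer
    depends on the byte and a first-order TVLA sees nothing."""
    fixed, rand = [], []
    for _ in range(n_traces):
        for byte, out in ((fixed_byte, fixed), (rng.randrange(256), rand)):
            handled = byte ^ rng.randrange(256) if masked else byte
            trace = [rng.gauss(0.0, 1.0) for _ in range(n_points)]
            trace[LEAK_POINT] += LEAK_GAIN * hw(handled)
            out.append(trace)
    return fixed, rand

def run_assessment(masked, seed=1, n_traces=1000, n_points=40):
    """Collect a fixed set and a random set, then return the leaking sample indices."""
    rng = random.Random(seed)
    fixed, rand = simulate_traces(n_traces, n_points, masked, rng)
    return leaky_points(tvla(fixed, rand))

if __name__ == "__main__":
    print("unprotected leaks at:", run_assessment(masked=False))        # → [10]
    print("first-order masked leaks at:", run_assessment(masked=True))  # → []
```

The masked run passes only a first-order test; a second-order TVLA (centred products of samples) would be needed to probe the joint leakage of the two shares, which is what the paper's higher-order masking orders address.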
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Fei, Y. et al. (2021). Correlation Power Analysis and Higher-Order Masking Implementation of WAGE. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science(), vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_23
DOI: https://doi.org/10.1007/978-3-030-81652-0_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81651-3
Online ISBN: 978-3-030-81652-0
eBook Packages: Computer Science, Computer Science (R0)