Skip to main content
SpringerLink
Log in

Correlation Power Analysis and Higher-Order Masking Implementation of WAGE

  • Conference paper
  • First Online:
Selected Areas in Cryptography (SAC 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12804))

Included in the following conference series:

Abstract

WAGE is a hardware-oriented authenticated cipher, which has the smallest (unprotected) hardware cost (for 128-bit security level) among the round 2 candidates of the NIST lightweight cryptography (LWC) competition. In this work, we analyze the security of WAGE against the correlation power analysis (CPA) on ARM Cortex-M4F microcontroller. Our attack detects the secret key leakage from power consumption for up to 12 (out of 111) rounds of the WAGE permutation and requires 10,000 power traces to recover the 128-bit secret key. Motivated by the CPA attack and the low hardware cost of WAGE, we propose the first optimized masking scheme of WAGE in the t-strong non-interference (SNI) security model. We investigate different masking schemes for S-boxes by exploiting their internal structures and leveraging the state-of-the-art masking techniques. To practically demonstrate the effectiveness of masking, we perform the test vector leakage assessment on the 1-order masked WAGE. We evaluate the hardware performance of WAGE for 1, 2, and 3-order security and provide a comparison with other NIST LWC round 2 candidates.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    A fair comparison is difficult due to different types of side-channel implementations and ASIC libraries.

  2. 2.

    https://www.riscure.com/product/pinata-training-target/.

  3. 3.

    We use “word” and “register” interchangeably throughout this section.

References

  1. Aagaard, M., AlTawy, R., Gong, G., Mandal, K., Rohit, R., Zidaric, N.: WAGE: an authenticated cipher (2019). https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/wage-spec-round2.pdf

  2. Aagaard, M., Sattarov, M., Zidarič, N.: Hardware design and analysis of the ACE and WAGE ciphers. In: NIST LWC Workshop (2019). https://arxiv.org/abs/1909.12338

  3. Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side—channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_4

    Chapter  Google Scholar 

  4. Akkar, M.-L., Bévan, R., Goubin, L.: Two power analysis attacks against one-mask methods. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 332–347. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_21

    Chapter  Google Scholar 

  5. Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_26

    Chapter  Google Scholar 

  6. AlTawy, R., Gong, G., Mandal, K., Rohit, R.: WAGE: an authenticated encryption with a twist. IACR Trans. Sym. Cryptol. 2020(S1), 132–159 (2020)

    Article  Google Scholar 

  7. Banik, S., et al.: GIFT-COFB. Cryptology ePrint Archive, Report 2020/738 (2020). https://eprint.iacr.org/2020/738

  8. Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), pp. 116–129. ACM, New York (2016)

    Google Scholar 

  9. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P.-A., Grégoire, B., Strub, P.-Y.: Verified proofs of higher-order masking. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 457–485. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_18

    Chapter  Google Scholar 

  10. Barthe, G., et al.: Strong non-interference and type-directed higher-order masking. Cryptology ePrint Archive, Report 2015/506 (2015). https://eprint.iacr.org/2015/506

  11. Bassham, L., Calik, C., Chang, D., Kang, J., McKay, K., Turan, M.S.: Lightweight cryptography: round 2 candidates (2019). https://csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates

  12. Beierle, C., et al.: SKINNY-AEAD and SKINNY-hash. IACR Trans. Sym. Cryptol. 2020(S1), 88–131 (2020). https://doi.org/10.13154/tosc.v2020.iS1.88-131

  13. Benoît, O., Peyrin, T.: Side-channel analysis of six SHA-3 candidates. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 140–157. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_10

    Chapter  Google Scholar 

  14. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2

    Chapter  Google Scholar 

  15. Caforio, A., Balli, F., Banik, S.: Energy analysis of lightweight AEAD circuits. Cryptology ePrint Archive, Report 2020/607 (2020). https://eprint.iacr.org/2020/607

  16. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-boxes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 366–384. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_21

    Chapter  Google Scholar 

  17. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26

    Chapter  Google Scholar 

  18. Cooper, J., DeMulder, E., Goodwill, G., Jaffe, J., Kenworthy, G.: Test vector leakage assessment (TVLA) methodology in practice. In: International Cryptographic Module Conference, vol. 20 (2013)

    Google Scholar 

  19. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_25

    Chapter  Google Scholar 

  20. Coron, J.-S., Greuet, A., Prouff, E., Zeitoun, R.: Faster evaluation of SBoxes via common shares. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 498–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_24

    Chapter  Google Scholar 

  21. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_21

    Chapter  Google Scholar 

  22. Coron, J.-S., Rondepierre, F., Zeitoun, R.: High order masking of look-up tables with common shares. IACR Trans. Cryptograp. Hardw. Embed. Syst. (CHES 2018), 2018(1), 40–72 (2018). https://doi.org/10.13154/tches.v2018.i1.40-72

  23. De Cnudde, T., Reparaz, O., Bilgin, B., Nikova, S., Nikov, V., Rijmen, V.: Masking AES with \(d+1\) shares in hardware. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 194–212. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_10

  24. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_21

    Chapter  Google Scholar 

  25. Gross, H., Mangard, S.: Reconciling \(d+1\) masking in hardware and software. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 115–136. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_6

  26. Groß, H., Mangard, S.: A unified masking approach. J. Cryptogr. Eng. 8(2), 109–124 (2018)

    Article  Google Scholar 

  27. Groß, H., Mangard, S., Korak, T.: Domain-oriented masking: ccompact masked hardware implementations with arbitrary protection order. In: Proceedings of the 2016 ACM Workshop on Theory of Implementation Security (TIS 2016). p. 3. ACM, New York (2016)

    Google Scholar 

  28. Groß, H., Wenger, E., Dobraunig, C., Ehrenhöfer, C.: Suit up! - made-to-measure hardware implementations of ASCON. In: 2015 Euromicro Conference on Digital System Design, pp. 645–652 (2015)

    Google Scholar 

  29. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

    Chapter  Google Scholar 

  30. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  31. Mangard, S., Oswald, E., Popp, T.: Power Aanalysis Attacks: Revealing the Secrets of Smart Cards, vol. 31, Springer Science & Business Media, Cham (2008). https://doi.org/10.1007/978-0-387-38162-6

  32. Nikova, S., Rechberger, C., Rijmen, V.: Threshold Implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_38

    Chapter  MATH  Google Scholar 

  33. Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_37

    Chapter  Google Scholar 

  34. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_28

    Chapter  Google Scholar 

  35. Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 417–434. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_24

    Chapter  Google Scholar 

  36. Sasdrich, P., Bilgin, P., Hutter, M., Marson, M.E.: Low-latency hardware masking with application to AES. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 300–326 (2020). https://doi.org/10.13154/tches.v2020.i2.300-326

  37. Standaert, F.-X.: How (not) to use welch’s \(t\)-test in side-channel security evaluations. In: International Conference on Smart Card Research and Advanced Applications, pp. 65–79. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-68487-7

  38. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15

    Chapter  Google Scholar 

Download references

Acknowledgement

Hardware implementation in this work are based on the original WAGE hardware implementation from [1]. The authors would like to thank Dr. Mark Aagaard for his great help with synthesis tools and valuable suggestions for this work. The work of Yunsi Fei, Cheng Gongye and Tianhong Xu was supported in part by US National Science Foundation under grant SaTC-1563697. The work of Guang Gong, Raghvendra Rohit, Yunjie Yi, and Nusa Zidaric was supported by the NSERC SPG grant, and the work of Kalikinkar Mandal was partially supported by the NSERC SPG grant when he was at University of Waterloo.

Author information

Authors and Affiliations

  1. Department of Electrical and Computer Engineering, Northeastern University, 360 Huntington Avenue, Boston, MA, 02115, USA

    Yunsi Fei, Cheng Gongye & Tianhong Xu

  2. Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, Canada

    Guang Gong, Raghvendra Rohit, Yunjie Yi & Nusa Zidaric

  3. Faculty of Computer Science, University of New Brunswick, Fredericton, E3B 5A3, Canada

    Kalikinkar Mandal

Authors
  1. Yunsi Fei
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guang Gong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cheng Gongye
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kalikinkar Mandal
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Raghvendra Rohit
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Tianhong Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Yunjie Yi
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Nusa Zidaric
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kalikinkar Mandal .

Editor information

Editors and Affiliations

  1. University of Haifa, Haifa, Israel

    Orr Dunkelman

  2. University of Calgary, Calgary, AB, Canada

    Michael J. Jacobson, Jr.

  3. Dalhousie University, Halifax, NS, Canada

    Colin O'Flynn

A Details on Correlation Power Analysis of WAGE

A Details on Correlation Power Analysis of WAGE

CPA Attack Final Phase. In Table 5, we provide the details of key words recovery information at different batches in the final phase of the CPA attack.

Table 5. Key word recovery information at different batches in the final phase of attack. The corresponding round number, state register, and previously known key words used for the attack.
Full size table

Test Vector Leakage Assessment of First-Order Masked WAGE . We use the standard test vector leakage assessment (TVLA) to test the resistance of the first-order masked implementation of WAGE against the CPA attack. We collected same number of traces (nearly 10,000) and applied the TVLA on both the unprotected and first-order masked implementations. An example of TVLA for both implementations for the least significant bit (LSB) of \(K_{18}\) is shown in Fig. 7. It can be seen that the t-values are larger than 5 for the unprotected version (Fig. 7a) which indicates the leakage. For the masked WAGE, t-values are uniform for up to 60,000 time points (Fig. 7b) and as such no leakage is detected.

Fig. 7.
figure 7

TVLA of LSB of \(K_{18}\) at round 10: a) unprotected WAGE and b) first-order masked WAGE.

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fei, Y. et al. (2021). Correlation Power Analysis and Higher-Order Masking Implementation of WAGE. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science(), vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-81652-0_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation