Abstract
At Africacrypt 2010, Medwed et al. presented Fresh Re-Keying as a countermeasure to protect low-cost devices against side-channel analysis. They propose to use binary-field multiplication as a re-keying function. In this paper, we present a new side-channel attack on this construction (and on multiplication in general). By using template attacks and the simple algebraic structure of multiplication, the problem of key recovery can be cast to the well-known Learning Parity with Noise problem (LPN). However, instead of using standard LPN solving algorithms, we present a method which makes extensive use of bit reliabilities derived from side-channel information. It allows us to decrease the attack runtime in cases with low-to-medium error probabilities. In a practical experiment, we can successfully attack a protected 8-bit Fresh Re-Keying implementation by Medwed et al. using only 512 traces.
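The reduction the abstract refers to rests on one fact: multiplication in a binary field is GF(2)-linear in the key, so every session-key bit an attacker learns (with some error) is a parity of master-key bits, i.e. an LPN sample. The following is an added illustration, not code from the paper or from Medwed et al.; it assumes an 8-bit field with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 as a stand-in for the implementation's actual polynomial, and the "leaked" bits are constructed rather than measured.

```python
# Added example (not from the paper): why a binary-field multiplication
# re-keying function turns noisy leakage of the session key into LPN samples.
# Assumption: GF(2^8) with the AES polynomial 0x11b stands in for the real one.
import random

N = 8
POLY = 0x11B  # assumed reduction polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply a and b in GF(2^8) by shift-and-add with modular reduction."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= POLY
    return r


def mul_matrix(r):
    """GF(2) matrix M_r with bits(r*k) = M_r . bits(k).
    Row i lists which key bits XOR together to give bit i of the product."""
    rows = [[0] * N for _ in range(N)]
    for j in range(N):                 # image of the j-th basis key bit
        col = gf_mul(r, 1 << j)
        for i in range(N):
            rows[i][j] = (col >> i) & 1
    return rows


def parity(row, k):
    """<row, bits(k)> over GF(2)."""
    return sum(row[j] & ((k >> j) & 1) for j in range(N)) & 1


def session_key_bits_are_parities(k, r):
    """Check that every bit of r*k equals the parity selected by row i of M_r."""
    M, s = mul_matrix(r), gf_mul(r, k)
    return all(parity(M[i], k) == (s >> i) & 1 for i in range(N))


def noisy_observation(k, r, error_rate, rng):
    """Constructed stand-in for template output: each session-key bit is
    observed and flipped with probability error_rate."""
    s = gf_mul(r, k)
    return [(i, ((s >> i) & 1) ^ int(rng.random() < error_rate)) for i in range(N)]


def lpn_samples(r, observation):
    """One nonce r and its noisy bits give LPN samples (a, b) with b = <a,k> + e."""
    M = mul_matrix(r)
    return [(M[i], b) for i, b in observation]


def lpn_error_count(k, samples):
    """Number of samples whose label disagrees with <a, k>: the LPN noise."""
    return sum(1 for a, b in samples if parity(a, k) != b)
```

The defender's reading: with a linear re-keying function, each session-key bit recovered from a trace is one linear equation in the master key, so the scheme's protection rests entirely on how noisy those recovered bits are.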
Notes
1. This method is only of limited use in a standard DPA, where the device uses a fixed key, as it strictly limits the number of observable plaintexts per key byte.
2. This assumes that there is no reshuffling between key addition and S-box processing.
3. This is not entirely correct for the attack of [1], in which each sampled error rate is applied to n samples instead of a single one. We neglect this minor difference.
4. Beware that due to the strong dependency on the quality of the samples and the exponential complexity, the runtime can still vary greatly for a certain trace count.
5. For the plaintext, we only consider leakage during the key addition. The initial operand fetching was ignored, as this can be implemented without leaking the shuffling position.
6. In fact, Belaïd et al. [15] present an attack on an 8-bit implementation using this approach. However, they do not consider the shuffling countermeasure and use Hamming-weight filtering instead of S-box templates.
7. Note that we already used our S-box templates and bit-wise filtering for this estimation. When using the extreme Hamming weight method proposed in [1] (on 8-bit data), then the expected error and thus runtime increases.
References
Belaïd, S., Coron, J.-S., Fouque, P.-A., Gérard, B., Kammerer, J.-G., Prouff, E.: Improved side-channel analysis of finite-field multiplication. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 395–415. Springer, Heidelberg (2015)
Belaïd, S., Fouque, P.-A., Gérard, B.: Side-channel analysis of multiplications in GF(2^128). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 306–325. Springer, Heidelberg (2014)
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)
Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)
Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theor. 44(1), 367–378 (1998)
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)
Coffey, J., Goodman, R.: Any code of which we cannot think is good. IEEE Trans. Inf. Theor. 36(6), 1453–1461 (1990)
Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F.: On the security of fresh re-keying to counteract side-channel and fault attacks. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 233–244. Springer, Heidelberg (2015)
Dobraunig, C., Koeune, F., Mangard, S., Mendel, F., Standaert, F.: Towards fresh and hybrid re-keying schemes with beyond birthday security. In: 14th International Conference on Smart Card Research and Advanced Applications, CARDIS (2015, to appear)
Fernandez, M., Williams, S.: Closed-form expression for the poisson-binomial probability density function. IEEE Trans. Aerosp. Electron. Syst. 46(2), 803–817 (2010)
Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006)
Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 1–20. Springer, Heidelberg (2014)
Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006)
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing the Secrets of Smart Cards. Springer, USA (2007). ISBN 978-0-387-30857-9
Medwed, M., Petit, C., Regazzoni, F., Renauld, M., Standaert, F.-X.: Fresh re-keying II: securing multiple parties against side-channel and fault attacks. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 115–132. Springer, Heidelberg (2011)
Medwed, M., Standaert, F.-X., Großschädl, J., Regazzoni, F.: Fresh re-keying: security against side-channel and fault attacks for low-cost devices. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 279–296. Springer, Heidelberg (2010)
Pietrzak, K.: Cryptography from learning parity with noise. In: Bieliková, M., Friedrich, G., Gottlob, G., Katzenbeisser, S., Turán, G. (eds.) SOFSEM 2012. LNCS, vol. 7147, pp. 99–114. Springer, Heidelberg (2012)
Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theor. 8(5), 5–9 (1962)
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Godlewski, P. (eds.) Coding Theory 1986. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1988)
Valembois, A.: Fast soft-decision decoding of linear codes, stochastic resonance in algorithms. In: Proceedings of the IEEE International Symposium on Information Theory, p. 91 (2000)
Acknowledgements

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052 (HECTOR). Furthermore, this work has been supported by the Austrian Research Promotion Agency (FFG) under grant number 845589 (SCALAS). We would also like to thank Benoît Gérard and Jean-Gabriel Kammerer for answering questions regarding their work and for providing the source code used for their runtime estimation.
© 2016 Springer International Publishing Switzerland
Cite this paper
Pessl, P., Mangard, S. (2016). Enhancing Side-Channel Analysis of Binary-Field Multiplication with Bit Reliability. In: Sako, K. (eds) Topics in Cryptology - CT-RSA 2016. CT-RSA 2016. Lecture Notes in Computer Science(), vol 9610. Springer, Cham. https://doi.org/10.1007/978-3-319-29485-8_15
DOI: https://doi.org/10.1007/978-3-319-29485-8_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29484-1
Online ISBN: 978-3-319-29485-8