
Leakage Fingerprints: A Non-negligible Vulnerability in Side-Channel Analysis

Published: 30 May 2016

ABSTRACT

Low-entropy masking schemes and the shuffling technique are two common countermeasures against traditional side-channel analysis. Improved Rotating S-box Masking (RSM) combines both countermeasures and was implemented by the DPA contest committee to raise the software security level of AES-128. Compared with the original version, improved RSM mainly introduces an offset array and a shuffle array as its security foundations to counteract the existing attacks. In this paper, we first point out a general vulnerability, referred to as "leakage fingerprints", and make use of it to successfully crack the offset array with 100% accuracy, which breaks down the masking countermeasure in the first step. We then show that cracking the shuffle array is still feasible but not necessary, since several other implementation-level vulnerabilities can be exploited to bypass the shuffle countermeasure directly. By selectively combining these vulnerabilities, a dozen attacks can be put forward; we perform two of them as examples to verify their effectiveness. Official evaluation results show that both attacks we submitted are practical and feasible, and also operate with high efficiency. In terms of the two major performance metrics, our best scheme requires 4 traces to reveal the AES master key with an 80% Global Success Rate (GSR), and only 2 traces are enough to reduce the Maximum Partial Guessing Entropy (PGE) below 10.


Published in: ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, May 2016, 958 pages. ISBN: 9781450342339. DOI: 10.1145/2897845.

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


ASIA CCS '16 paper acceptance rate: 73 of 350 submissions (21%). Overall acceptance rate: 418 of 2,322 submissions (18%).