Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Xiao Yu,Ning Wu,Fang Zhou,Jinbao Zhang,Xinggan Zhang

DOI: https://doi.org/10.1109/iecon.2019.8927097

2019-01-01

Abstract:The side-channel attack (SCA) poses a great threat to the information security of the Internet of things (IoT). However, the excessive resource cost caused by the corresponding countermeasure will hinder the extensive application of SCA-defendable technology in resource-limited devices. In this paper, a compact hardware structure of PRESENT cipher combining Threshold Implementation (TI) technique with multiple-bit serial architecture is presented. The 16-bit serial PRESENT is implemented mainly by reducing the width of datapath and building a direction-alterable register array. The implementation of TI-based substitution box is optimized by reusing common circuit, which makes slices utilization on Xilinx Kintex-7 FPGA reduced by 14.0% for 16-bit serial PRESENT with TI. Compared to the typical implementation of TI-based PRESENT, the proposed work saves resource consumption by 59.1%, which is available to resource-constrained scenarios.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Wang Yongjuan,Wang Tao,Yuan Qingjun,Gao Yang,Wang Xiangbin

DOI: https://doi.org/10.11999/JEIT181075

2020-01-01

Abstract:The complexity of the pre-processing phase of the cubic attack grows exponentially with the number of output bit algebras, and the difficulty of finding an effective cube set increases. In this paper, the algorithm of preprocessing stage in cubic attack is improved. In the cube set search, from random search to target search, a new target search optimization algorithm is designed to optimize the computational complexity of the preprocessing stage. In turn, the offline phase time complexity is significantly reduced. The improved cubic attack combined with the side-channel method is applied to the MIBS block cipher algorithm. The algorithm characteristics of MIBS are analyzed from the perspective of side-channel attack. The leak location is selected in the third round, and the overdetermined linear equations from initial key and output bit are established, which can directly recover 33bit key. Then the 6bit key can be recovered by quadric-detecting. The amount of plaintext required is 2(21.64), time complexity is 2(25). This result is greatly improved compared with the existing results, the number of keys recovered is increased, and the time complexity of the online phase is reduced.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

HUANG Jing,ZHAO Xin-jie,ZHANG Fan,GUO Shi-ze,ZHOU Ping,CHEN Hao,YANG Jian

DOI: https://doi.org/10.11959/j.issn.1000-436x.2016165

2016-01-01

Abstract:An enhanced algebraic fault analysis on PRESENT was proposed.Algebraic cryptanalysis was introduced to build the algebraic equations for both the target cipher and faults.The equation set of PRESENT was built reversely in order to accelerate the solving speed.An algorithm of estimating the reduced key entropy for given amount of fault injec-tions was proposed,which can evaluate the resistance of PRESENT against fault attacks under different fault models.Fi-nally,extensive glitch-based fault attacks were conducted on an 8-bit smart card PRESENT implemented on a smart card.The best results show that only one fault injection was required for the key recovery,this is the best result of fault attacks on PRESENT in terms of the data complexity.

Xiangyu Li,Chaoqun Yang,Jiangsha Ma,Yongchang Liu,Shujuan Yin

DOI: https://doi.org/10.1109/tvlsi.2017.2752212

2017-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Energy-efficient countermeasures to side-channel attacks are required for Internet of Things hardware. This paper proposes a special hiding technique for the substitution operation in block ciphers, which equalizes the power consumption of a circuit by appropriate feedforward compensation and is called power-aware hiding (PAH). A hybrid application configuration, in which PAH is applied to the S-boxes while the left linear operations are protected with a general masking method, is proposed as well. This solution not only has higher energy efficiency but can also be implemented automatically in a semicustom manner. The Advanced Encryption Standard VLSI adopting this solution was implemented and manufactured in 180-nm technology as a demonstration. The implementation issues regarding the countermeasures are discussed in this paper. Testing shows that the chip has a throughput up to 1.175 Gb/s with 18.1-mW power consumption and its number of measurements to disclosure is 13.4 million.

Qi Chen,Dongyan Zhao,Liang Liu,Xuesong Yan,Yidong Yuan,Xige Zhang,Hongmei Wu,Zhe Wang

DOI: https://doi.org/10.1016/j.csi.2021.103569

IF: 3.721

2022-01-01

Computer Standards & Interfaces

Abstract:Side-channel attacks (SCAs) have become a significant threat nowadays to cryptographic devices, especially central processing units (CPUs). Based on the implementation of AES-128, the side-channel information leakage analysis is carried out in a 32-bit CPU microarchitecture in this work. Correlation power analysis (CPA) results show that it is obvious to reveal the secret key by using only 30 power traces based on the net-list simulation. Three flexibly configurable hardware-based countermeasures are proposed to prevent information leakage in the arithmetic and logic unit (ALU), register file (RF) and load/store unit (LSU), respectively, which are the most sensitive components according to our analysis. The proposed countermeasures have different protection effects on the CPU since the required trace number to reveal the secret key has increased from 30 to 100 similar to 120,000. Moreover, the anti-attack capability of the CPU is improved by 4000 times using the three countermeasures simultaneously. The proposed countermeasures can be freely combined while considering the CPU security and implementation overhead. In practice, the anti-attack capability of the CPU can be further improved when the proposed countermeasures are implemented in real-world measurements, because additional noise will be introduced during the measurements.

Xinjie Zhao,Tao Wang,Shize Guo,Fan Zhang,Zhijie Shi,Huiying Liu,Kehui Wu

2011-01-01

Abstract:Introduced in 2009, Algebraic Side-Channel Attack (ASCA) has become a very effective cryptanalysis technique that is different from conventional side-channel attacks such as DPA and CPA. In this paper, we propose an innovative and generic attack framework named as SATETASCA (SAT based Error Tolerant Algebraic Side-Channel Attack). The proposed framework is effective even if the leakage information is not accurate and has large variants or errors. We show its generality by successfully launching SAT-ETASCA to AES on two different platforms, using different types of leakages. The first attack is to an AES implementation on an 8-bit microcontroller, using the Hamming weight leakage model. We demonstrate that SAT-ETASCA can recover the full key even when the obtained leakage information has about 60% errors. The second attack is based on an innovative idea of applying the external cache …

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Takaya Kubota,Kota Yoshida,Mitsuru Shiozaki,Takeshi Fujino

DOI: https://doi.org/10.1016/j.micpro.2020.103383

IF: 3.503

2021-11-01

Microprocessors and Microsystems

Abstract:<p>In the field of image recognition, machine learning technologies, especially deep learning, have been rapidly advancing alongside the advances of hardware such as GPUs. In image recognition, in general, large numbers of labeled images to be identified are input to a neural network, and repeatedly learning the images enables the neural network to identify objects with high accuracy. A new profiling side-channel attack method, the deep learning side-channel attack (DL-SCA), utilizes the neural network's high identifying ability to unveil a cryptographic module's secret key from side-channel information. In DL-SCAs, the neural network is trained with power waveforms captured from a target cryptographic module, and the trained network extracts the leaky part that depends on the secret. However, at this stage, the main target of investigation has been software implementation, and studies regarding hardware implementation, such as ASIC, are somewhat lacking. In this paper, we first depict deep learning techniques, profiling side-channel attacks, and leak models to clarify the relation between secret and side channels. Next, we investigate the use of DL-SCA against hardware implementations of AES and discuss the problem derived from the Hamming distance model and ShiftRow operation of AES. To solve the problem, we propose a new network training method called "mixed model dataset based on round-round XORed value." We prove that our proposal solves the problem and gives the attack capability to neural networks. We also compare the attack performance and characteristics of DL-SCA to conventional analysis methods such as correlation power analysis and conventional template attack. In our experiment, a dedicated ASIC chip for side-channel analysis is utilized and the chip is also equipped with a side-channel countermeasure AES. We show how DL-SCA can recover secret keys against the side-channel countermeasure circuit. Our results demonstrate that DL-SCA can be a more powerful option against side-channel countermeasure implementations than conventional SCAs.</p>

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Huaxin Wang,Yiwen Gao,Yuejun Liu,Qian Zhang,Yongbin Zhou

DOI: https://doi.org/10.1186/s42400-024-00209-9

2024-06-05

Abstract:During the standardisation process of post-quantum cryptography, NIST encourages research on side-channel analysis for candidate schemes. As the recommended lattice signature scheme, CRYSTALS-Dilithium, when implemented on hardware, has seen limited research on side-channel analysis, and current attacks are incomplete or requires a substantial quantity of traces. Therefore, we conducted a more complete analysis to investigate the leakage of an FPGA implementation of CRYSTALS-Dilithium using the Correlation Power Analysis (CPA) method, where with a minimum of 70,000 traces partial private key coefficients can be recovered. Furthermore, we optimise the attack by extracting Point-of-Interests using known information due to parallelism (named CPA-PoI) and by iteratively utilising parallel leakages (named CPA-ITR). Our experimental results show that CPA-PoI reduces the number of traces by up to 16.67%, CPA-ITR by up to 25%, and both increase the number of recovered key coefficients by up to 55.17% and 93.10% using the same number of traces. They outperfom the CPA method. As a result, it suggests that the FPGA implementation of CRYSTALS-Dilithium is more vulnerable than thought before to side-channel analysis.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.

Yulin Zhao,Jiayou Song,Xingjun Wu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2018.8693139

2018-01-01

Abstract:Hardware Trojans (HT) have become a new threat to integrated circuits, which is difficult to be detected and couldn’t be removed. Most of the HTs are designed for extracting the secret key in cryptographic devices. We proposed a new implementation of Trojan side-channel (TSC) combining with side channel attacks (SCA) in this article. This TSC could change the random numbers input of the encryption algorithm with masking method and invalid the protective measures (masking scheme) of encryption algorithm. We insert the TSC into SM4 algorithm and test it on FPGA and the experimental results prove the feasibility of the proposed scheme.

R. Sherine Jenny R. Sudhakar R. Sherine Jenny received her B.E degree in Electronics and Communication Engineering in 1998 from V.L.B.Janakiammal college of Engineering and Technology,Bharathiar University,Coimbatore and M.E Applied Electronics from Dr. Mahalingam College of Engineering and Technology,Anna University,Chennai in 2009. Her area of expertise includes Network security,Cryptography and Embedded systems.Dr. R. Sudhakar received the B.E. degree in Electronics and Communication Engineering in 1990 from University of Madras,Chennai,and the M.E. degree in Communication Systems in 2002 from Thiagarajar College of Engineering (Autonomous),Madurai. He received his PhD degree in Information and Communication Engineering from PSG College of Technology,Anna University,Chennai in 2007. He has 17 years of teaching experience and 3 year industry experience. He is currently the Professor and Heading the Department of Electronics and Communication Engineering,Dr. Mahalingam College of Engineering and Technology,Pollachi,India. He is also an Associate editor of IEEE-Access a multidisciplinary Journal published by IEEE and IET Image Processing by Wiley. He is an editorial board member for 3 International journals. He is a reviewer of 16 international journals. He has published 130 papers in international,national journals and conference proceedings. His areas of research include Digital Image Processing,Image Analysis,Wavelet Transforms and Digital Signal Processing.

DOI: https://doi.org/10.1080/01611194.2024.2350403

2024-06-09

Cryptologia

Abstract:The most widely used technology at the moment is the Internet of Things (IoT), which is expanding at a rapid pace because it allows us to remotely control and manage a variety of smart devices and relieves us from our demanding daily routines. Technology is also vulnerable to security breaches, as evidenced by the rise in cybercrimes and identity theft. More so than any other known IoT security breach, side-channel analysis is extremely insecure. A current issue for lightweight IoT applications is differential power analysis, a kind of side-channel analysis that is very accurate in obtaining the secret key. As a result, developing a safe style takes more time and effort. PRESENT is an easy-to-use, low-power encryption algorithm that is based on Advanced Encryption Standard (AES) and is utilized in IoT devices like RFID tags and access cards. Even with the plethora of countermeasures proposed in the last ten years, none are able to keep up with the IoT's rapid expansion. A clever combination of masking and hiding techniques could stop several security breaches. Masked three-phase dual rail pre-charge logic is a new hybrid countermeasure that thwarts combined side-channel attacks and is suggested as a means of attaining the necessary degree of security. The hybrid design utilized in PRESENT resulted in an increase in complexity and required more work in terms of area and power. Consequently, more PRESENT optimization techniques are applied. Additionally, for PRESENT hardware implementation, a flexible key scheduling structure with parallel input and output is proposed. Using the Cadence Virtuoso simulation tool with 180-nm technology, a secured structure combining optimized algorithm and secured logic is designed, and the outcomes are analyzed. Normalized energy deviation (NED)/normalized standard deviation (NSD) analysis and Pearson correlation are used to analyze safety. The simulation results for the gates show that our proposed logic has the lowest values of NED and NSD at the assigned frequencies. When compared with side-channel analysis, the outcomes have shown to be both safe and effective. In comparison to earlier designs, the suggested system's area and power consumption are cut by 67% and 64%, respectively.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Zixin Liu,Zhibo Wang,Mingxing Ling

DOI: https://doi.org/10.13052/jwe1540-9589.2127

2022-01-01

Abstract:Side-channel attack (SCA) based on machine learning has proved to be a valid technique in cybersecurity, especially subjecting to the symmetric-key crypto implementations in serial operation. At the same time, parallel-encryption computing based on Field Programmable Gate Arrays (FPGAs) grows into a new influencer, but the attack results using machine learning are exiguous. Research on the traditional SCA has been mostly restricted to pre-processing: Signal Noisy Ratio (SNR) and Principal Component Analysis (PCA), etc. In this work, firstly, we propose to replace Points of Interests (POIs) and dimensionality reduction by utilizing word embedding, which converts power traces into sensitive vectors. Secondly, we combined sensitive vectors with Long Short Term Memories (LSTM) to execute SCA based on FPGA crypto-implementations. In addition, compared with traditional Template Attack (TA), Multiple Multilayer Perceptron (MLP) and Convolutional Neural Network (CNN). The result shows that the proposed model can not only reduce the manual operation, such as parametric assumptions and dimensionality setting, which limits their range of application, but improve the effectiveness of side-channel attacks as well.

Yan Ting Ren,Li Ji Wu

DOI: https://doi.org/10.4028/www.scientific.net/amr.718-720.2376

2013-01-01

Advanced Materials Research

Abstract:In order to test the security of cryptographic devices against Side Channel Attacks (SCA), an automatic general-purpose power analysis system (TH-PAS-01) is designed and implemented. TH-PAS-01 is scalable and can be applied to many cryptographic devices when specific modules are installed. Using the system TH-PAS-01, correlation power analysis (CPA) are carried out on an AES chip under two working models: normal and shuffling mode. The security level of the countermeasure provided by the target chip is verified by TH-PAS-01. The experimental results show that the correct key of the AES chip is obtained with around 50,000 power traces when the chip was working under normal mode, while the whole key bits are not obtained with 960,000 power traces when the chip works under shuffling mode. The automatic general-purpose system TH-PAS-01 is feasible for security analysis on power analysis for cryptographic devices.