Jie Cui,Liusheng Huang,Hong Zhong,Chinchen Chang,Wei Yang

2011-01-01

Abstract:S-box is a unique nonlinear operation in Rijndael, one encryption algorithm chosen as AES, and it, determines the performance of AES. In this paper, the weaknesses in complexity and security of AES S-box are analyzed. We propose to increase the complexity and security of AES S-box by modifying the affine transformation and adding an affine transformation. Performance analysis demonstrates that the improved AES S-box has following cryptographic properties: the affine transformation period is increased from 4 to the most 16, the iterative period is increased from less than 88 to the most 256, and the distance to SAC is reduced from, 432 to 372. Moreover, the number of terms in the improved AES S-box algebraic expression is increased from 9 to 255, and its inverse S-box keeps almost the same as AES inverse S-box. Comparison results suggest that the improved AES S-box has better performance and can readily be applied to AES.

Jiangsha Ma,Xiangyu Li,Moyang Wang

DOI: https://doi.org/10.1049/el.2014.1559

2014-01-01

Electronics Letters

Abstract:A power analysis attack countermeasure, called power-awareness-based hiding, is proposed. It is effective in implementing nonlinear operations, S-boxes, in cryptographic algorithms. An advanced encryption standard (AES) S-box circuit has been implemented in this approach using the Domino logic array style. The post-layout simulation results show that the power-aware hiding AES S-box achieves a delay of 1.56 ns and a mean power consumption of 3.57 mW. The proposed method improves the power delay product by 65%, the normalised energy deviation by 43% and the normalised standard deviation by 30% compared to other secure methods.

Yan Ting Ren,Li Ji Wu

DOI: https://doi.org/10.4028/www.scientific.net/amr.718-720.2376

2013-01-01

Advanced Materials Research

Abstract:In order to test the security of cryptographic devices against Side Channel Attacks (SCA), an automatic general-purpose power analysis system (TH-PAS-01) is designed and implemented. TH-PAS-01 is scalable and can be applied to many cryptographic devices when specific modules are installed. Using the system TH-PAS-01, correlation power analysis (CPA) are carried out on an AES chip under two working models: normal and shuffling mode. The security level of the countermeasure provided by the target chip is verified by TH-PAS-01. The experimental results show that the correct key of the AES chip is obtained with around 50,000 power traces when the chip was working under normal mode, while the whole key bits are not obtained with 960,000 power traces when the chip works under shuffling mode. The automatic general-purpose system TH-PAS-01 is feasible for security analysis on power analysis for cryptographic devices.

Jiangshan Long,Changhai Ou,Zhu Wang,Shihui Zheng,Fei Yan,Fan Zhang,Siew-Kei Lam

2022-01-01

Abstract:The performance of Side-Channel Attacks (SCAs) decays rapidly when considering more sub-keys, making the full-key recovery a very challenging problem. Limited to independent collision information utilization, collision attacks establish the relationship among sub-keys but do not significantly slow down this trend. To solve it, we first exploit the samples from the previously attacked S-boxes to assist attacks on the targeted S-box under an assumption that similar leakage occurs in program loop or code reuse scenarios. The later considered S-boxes are easier to be recovered since more samples participate in this assist attack, which results in the “snowball” effect. We name this scheme as Snowball, which significantly slows down the attenuation rate of attack performance. We further introduce confusion coefficient into the collision attack to construct collision confusion coefficient, and deduce its relationship with correlation coefficient. Based on this relationship, we give two optimizations on our Snowball exploiting the “values” information and “rankings” information of collision correlation coefficients named Least Deviation from Pearson correlation coefficient (PLD) and Least Deviation from confusion coefficient (CLD). Experiments show that the above optimizations significantly improve the performance of our Snowball.

Owen Lo,William J. Buchanan,Douglas Carson

DOI: https://doi.org/10.1080/23742917.2016.1231523

2016-09-19

Journal of Cyber Security Technology

Abstract:This article demonstrates two fundamental techniques of power analysis, differential power analysis (DPA) and correlation power analysis (CPA), against a modern piece of hardware which is widely available to the public: the Arduino Uno microcontroller. The DPA attack we implement is referred to as the Difference of Means attack while the CPA attack is implemented by building a power model of the device using the Hamming Weight Power Model method. The cryptographic algorithm we have chosen to attack is AES-128. In particular, the AddRoundKey and SubBytes functions of this algorithm are implemented on an Arduino Uno and we demonstrate how the full 16-byte cipher key can be deduced using the two techniques by monitoring the power consumption of the device during cryptographic operations. The results of experimentation find that both forms of attack, DPA and CPA, are viable against the Arduino Uno. However, it was found that CPA produces results which are easier to interpret from an analytical perspective. Thus, our contributions in this article is providing a side-by-side comparison on how applicable these two power analysis attack techniques are along with providing a methodology to enable readers to replicate and learn how one may perform such attacks on their own hardware.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/icist.2016.7483412

2016-01-01

Abstract:A high-efficient fault attack on AES S-box is proposed in this paper. Faults are introduced in the encryption process by changing the mapping relationship of S-box. Based on the round in which the faults are introduced, two fault models are presented. Attack results show that the first model only needs 16 faulty ciphertexts to recover the 128-bit secret key. The second fault model is more efficient. In this model, two rounds of attacks are enough to find out the 4-byte round-key based on DFA on the 9th round S-box. For covering all the possible fault situations, influence of multi-byte faults are considered, which effectively improves the attack accuracy and reduces the attack rounds. Compared with previous fault models, our work in this paper shows significant advantage of efficiency.

Chaoqun Yang,Xiangyu Li,Shujuan Yin

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00217

2018-01-01

Abstract:Power-Aware Hiding (PAH) has been proposed as a kind of energy-efficient Side Channel Attacks (SCA) countermeasure for S-boxes. However, it has large area overhead. In this paper, an improved SCA-resistant AES S-box implementation, which is based on PAH technique but has smaller area, is proposed. It implements the S-Box in the masked composited field approach but applies the PAH method to the inversion in GF(2^4). Evaluation result shows that its area is shrunken to 47.7% of the full PAH S-box, and that its power-delay product is about 81% lower than that of the traditional masking implementation. Simulation shows that the PAH inverteru0027s power difference is smaller than the other candidates, including the PAH S-box. It is secure under moment-correlating power analysis with 70,000 noiseless power traces at least.

Xiangyu Li,Pengyuan Jiao,Chaoqun Yang

DOI: https://doi.org/10.1088/1674-4926/42/3/032402

2021-01-01

Abstract:A side-channel attack (SCA)-resistant AES S-box implementation is proposed, which is an improvement from the power-aware hiding (PAH) S-box but with higher security and a smaller area. We use the composite field approach and apply the PAH method to the inversion in the nonlinear kernel and a masking method to the other parts. In addition, a delay-matched enable control technique is used to suppress glitches in the masked parts. The evaluation results show that its area is contracted to 63.3% of the full PAH S-box, and its power-delay product is much lower than that of the masking implementation. The leakage assessment using simulation power traces concludes that it has no detectable leakage under t-test and that it at least can thwart the moment-correlation analysis using 665 000 noiseless traces.

Wen-jing Hu,Liji Wu,An Wang,Xin-Jun Xie,Zhi-Hui Zhu,Shun Luo

DOI: https://doi.org/10.1109/cis.2014.94

2014-01-01

Abstract:Yongdae K ea al. poposed biasing power traces to improve correlation in power analysis attack in 2010. However this method abandons large numbers of power traces which is unreasonable in comparison with traditional CPA. In this paper, the traces acquirement process is divided into two stages. In the first stage, some plaintexts are chosen randomly and two most probable key byte candidates are recovered. In the second stage, we adaptively choose specific plaintexts corresponding to the traces with high signal-to-noise ratio, encrypt them, and acquire the second batch of traces. So the attack can be finished with fewer traces. According to our experiments on AT89S52 software implementation of AES, getting the same success rate 0.955, our adaptive chosen-plaintext CPA only requires 78.9% traces of traditional CPA. Our proposal can be implemented by automatic software through two interactions with the AT89S52.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Adil Waheed,Fazli Subhan,Mazliham Mohd Suud,Mansoor Alam,Sohaib Ahmad

DOI: https://doi.org/10.1007/s11042-023-14910-3

IF: 2.577

2023-03-05

Multimedia Tools and Applications

Abstract:The expansion of worldwide networking has created new possibilities for management, development, and presentation in the form of digital data. The uncomplicated accessibility to digital resources i.e., internet banking, electronic advertising, digital marketing, and libraries has resulted in grave security concerns. Consequently, rapid use of digital information and technology, security of digital transactions is a big concern. Although many data security solutions exist, still they need further improvement. In symmetric cryptography, the strength of a Substitution Box (S-box) assures the strength of block ciphers. S-box is a critical nonlinear element of cryptosystem that creates turmoil in transactions. This study aims to formulate a variety of methodologies to measure the effectiveness of an S-box against linear and differential algebraic attacks. These malicious attacks may disrupt and leak confidential information. Therefore, a comparative analysis is presented to understand the S-box construction methodologies, key characteristics of eminent S-boxes, major challenges, and their weak cryptographic properties. S-box is considered to be secure if it meets a number of criteria, i.e., maximum linear probability, bijection, nonlinearity, input/output XOR distribution, bit independence criterion, and strict avalanche criterion. These criteria are analyzed in detail to evaluate the performance, reliability, and effectiveness of S-box.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

An Wang,Yuan Li,Yaoling Ding,Liehuang Zhu,Yongjuan Wang

DOI: https://doi.org/10.1109/tifs.2021.3117091

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Various Artificial Intelligence (AI) techniques are combined with classic side-channel methods to improve the efficiency of attacks. Among them, Genetic-Algorithms-based Correlation Power Analysis (GA-CPA) is proposed to launch attacks on hardware cryptosystems to extract the secret key efficiently. However, the convergence efficiency of GA-CPA is unsatisfactory due to two problems: the randomly generated initial population generally have low fitness, and the mutation operation in each iteration hardly produces high-quality individuals because of the confusion and diffusion characteristics of S-boxes. In this paper, we propose an analysis framework of GA-CPA which focuses on solving these two problems. First, we explore the list of candidate key bytes which is the result of Correlation Power Analysis (CPA) on a limited number of power traces, so that the population can be initialized with high quality candidates. Second, we improve the mutation operation by guiding the candidate key to mutate in a higher-fitness direction instead of randomly. Third, we make full use of the fitness calculation method and combine it with key enumeration algorithms to further improve the efficiency of key recovery. Simulation experimental results show that our method reduces the number of traces by 33.3% and 43.9% compared to CPA with key enumeration and GA-CPA respectively when the success rate is fixed to 90%. Real experiments performed on SAKURA-G confirm that the number of traces required in our method is much less than the numbers of traces required in CPA and GA-CPA. Besides, we adjust our method to deal with DPA contest v1 dataset, and achieve a better result of 40.76 traces than the winning proposal of 42.42 traces. The computation cost of our proposal is nearly 16.7% of the winner.

computer science, theory & methods,engineering, electrical & electronic

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.

Claude Carlet,Annelie Heuser,Stjepan Picek

DOI: https://doi.org/10.1007/978-3-319-61204-1_20

2017-01-01

Abstract:When discussing how to improve side-channel resilience of a cipher, an obvious direction is to use various masking or hiding countermeasures. However, such schemes come with a cost, e.g. an increase in the area and/or reduction of the speed. When considering lightweight cryptography and various constrained environments, the situation becomes even more difficult due to numerous implementation restrictions. However, some options are possible like using S-boxes that are easier to mask or (more on a fundamental level), using S-boxes that possess higher inherent side-channel resilience. In this paper we investigate what properties should an S-box possess in order to be more resilient against side-channel attacks. Moreover, we find certain connections between those properties and cryptographic properties like nonlinearity and differential uniformity. Finally, to strengthen our theoretical findings, we give an extensive experimental validation of our results.

An Wang,Yu Zhang,Weina Tian,Qian Wang,Guoshuang Zhang,Liehuang Zhu

DOI: https://doi.org/10.1007/s11432-016-0616-4

2018-01-01

Abstract:In CHES 2010, Fault Sensitivity Analysis (FSA) on Advanced Encryption Standard (AES) hardware circuit based on S-box setup-time acquired by injecting clock glitches is proposed. Soon after, some improvements of FSA were presented such as colliding timing characteristics from Moradi et al. However, the acquisition of timing characteristics requires complex procedure due to the very gradual decrease of clock glitch cycle and the heavy requirements of setup-time samples. In HOST 2015, Wang et al. presented template-based right or wrong collision rate attack to improve the efficiency of FSA, but its profiling and plaintexts-choice procedures required too many encryptions. In this paper, we fix only one specific clock glitch cycle, and take the right or wrong collision rate as a collision distinguisher. So, the whole process is a non-profiling collision attack which can be executed automatically without massive pre-computations and interactions between PC and signal generator. According to the experiments, 256 encryptions are enough for exactly deciding whether two plaintext bytes can induce an S-box collision. Compared with the existing power analysis and FSA-based attacks on AES hardware, it costs negligible time (about 6.65 s) and storage space (only one byte), and no offline computations for finding the collision between two masked S-boxes. Furthermore, our study shows that the signal-to-noise ratio in FSA-based attacks is much higher than power-based attacks.

Liu Leibo,Zhu Min,Wu Youyu,Luo Kai,Yin Shouyi,Wei Shaojun

2016-01-01

Abstract:The invention discloses an AES (Advanced Encryption Standard) encryption method and a power attack resisting method based on the same; the AES encryption method comprises the following steps: grouping clear data; carrying out XOR operation on an input and an expanded secret key of a round function; carrying out data replacement with an S box having an 8-bit input and a 32-bit output; shifting 32-bit data output by the S box; carrying out the XOR operation correspondingly on the 32-bit data output by row shifting operation; carrying out the XOR operation on the expanded secret key; carrying out the data replacement with the S box having the 8-bit input and the 8-bit output; carrying out the XOR operation with the expanded secret key; and outputting encrypted data. The invention has the following advantages: the operations needed by each of the steps in the encryption method only have table look-up, shifting and XOR, so the logic implementation is relatively simple and efficient; and the power attack resisting method has mixcolumn, so the power attack resisting effect is good.

Arslan Shafique,Kashif Hesham Khan,Mohammad Mazyad Hazzazi,Ismail Bahkali,Zaid Bassfar,Mujeeb Ur Rehman

DOI: https://doi.org/10.3390/math11102322

IF: 2.4

2023-05-17

Mathematics

Abstract:Substitution boxes are the key factor in symmetric-key cryptosystems that determines their ability to resist various cryptanalytic attacks. Creating strong substitution boxes that have multiple strong cryptographic properties at the same time is a challenging task for cryptographers. A significant amount of research has been conducted on S-boxes in the past few decades, but the resulting S-boxes have been found to be vulnerable to various cyberattacks. This paper proposes a new method for creating robust S-boxes that exhibit superior performance and possess high scores in multiple cryptographic properties. The hybrid S-box method presented in this paper is based on Chua's circuit chaotic map, two-dimensional cellular automata, and an algebraic permutation group structure. The proposed 16×16 S-box has an excellent performance in terms of security parameters, including a minimum nonlinearity of 102, the absence of fixed points, the satisfaction of bit independence and strict avalanche criteria, a low differential uniformity of 5, a low linear approximation probability of 0.0603, and an auto-correlation function of 28. The analysis of the performance comparison indicates that the proposed S-box outperforms other state-of-the-art S-box techniques in several aspects. It possesses better attributes, such as a higher degree of inherent security and resilience, which make it more secure and less vulnerable to potential attacks.

mathematics

Yuxiao Ling,Zheng Guo,Zhimin Zhang,Zhigang Mao,Zeleng Zhuang

DOI: https://doi.org/10.1109/CIS.2013.101

2013-01-01

Abstract:In this paper, we will present a block cipher circuit design against Power Analysis. This design consists of usual masking and hiding method. For XOR, permutation and other linear layer, masking method of protection is used, but for S-box and other non-linear layer, hiding method is used in the reason that masking requires a lot of hardware consumption. We accomplished hardware implementation and Power Analysis in our research, whose test results proved that the design had strong capacity against Power Analysis. 200, 000 curves were extracted in our attack simulation, and the key successfully resisted complete recovery.

Sulong Tang,Liji Wu,Xiangmin Zhang,Xingjun Wu,Beibei Wang

DOI: https://doi.org/10.1109/cis.2016.0055

2016-01-01

Abstract:SM4 is a 128-bit block cipher used in the WAPI (Wireless LAN Authentication and Privacy Infrastructure) standard for protecting data packets in WLAN. This paper proposes a novel method of CPA (Correlation Power Analysis) on SM4 based on chosen-plaintext. Using SM4 as target algorithm, Sakura-G FPGA board as hardware verification platform, we only collect 1000 power consumption waveforms to obtain the first round key of SM4 successfully, significantly lowering the number of power consumption waveforms used in regular CPA.