Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Wang Yongjuan,Wang Tao,Yuan Qingjun,Gao Yang,Wang Xiangbin

DOI: https://doi.org/10.11999/JEIT181075

2020-01-01

Abstract:The complexity of the pre-processing phase of the cubic attack grows exponentially with the number of output bit algebras, and the difficulty of finding an effective cube set increases. In this paper, the algorithm of preprocessing stage in cubic attack is improved. In the cube set search, from random search to target search, a new target search optimization algorithm is designed to optimize the computational complexity of the preprocessing stage. In turn, the offline phase time complexity is significantly reduced. The improved cubic attack combined with the side-channel method is applied to the MIBS block cipher algorithm. The algorithm characteristics of MIBS are analyzed from the perspective of side-channel attack. The leak location is selected in the third round, and the overdetermined linear equations from initial key and output bit are established, which can directly recover 33bit key. Then the 6bit key can be recovered by quadric-detecting. The amount of plaintext required is 2(21.64), time complexity is 2(25). This result is greatly improved compared with the existing results, the number of keys recovered is increased, and the time complexity of the online phase is reduced.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Kexin Qiao,Zhaoyang Wang,Heng Chang,Siwei Sun,Zehan Wu,Junjie Cheng,Changhai Ou,An Wang,Liehuang Zhu

DOI: https://doi.org/10.1007/s11432-024-4150-3

2024-10-26

Science China Information Sciences

Abstract:The implementation security of post-quantum cryptography (PQC) algorithms has emerged as a critical concern with the PQC standardization process reaching its end. In a side-channel-assisted chosen-ciphertext attack, the attacker builds linear inequalities on secret key components and uses the belief propagation (BP) algorithm to solve. The number of inequalities leverages the query complexity of the attack, so the fewer the better. In this paper, we use the PQC standard algorithm CRYSTALS-K yber as a study case to construct bilateral inequalities on key variables with substantially narrower intervals using a side-channel-assisted oracle. For K YBER 512, K YBER 768, and K YBER 1024, the average Shannon entropy carried by such inequality is improved from the previous 0.6094, 0.4734, and 0.8544 to 0.6418, 0.4777, and 1.2007. The number of such inequalities required to recover the key utilizing the BP algorithm for K YBER 512 and K YBER 1024 is reduced by 5.32% and 40.53% in theory and experimentally the reduction is even better. The query complexity is reduced by 43%, 37%, and 48% for K YBER 512, 768, and 1024 assuming reasonably perfect reliability. Furthermore, we introduce a strategy aimed at further refining the interval of inequalities. Diving into the BP algorithm, we discover a measure metric named JSD (Jensen-Shannon distance)-metric that can gauge the tightness of an inequality. We then develop a machine learning-based strategy to utilize the JSD-metrics to contract boundaries of inequalities even with fewer inequalities given, thus improving the entropy carried by the system of linear inequalities. This contraction strategy is at the algorithmic level and has the potential to be employed in all attacks endeavoring to establish a system of inequalities concerning key variables.

computer science, information systems,engineering, electrical & electronic

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Zhuang Xu,Owen Pemberton,Sujoy Sinha Roy,David Oswald,Wang Yao,Zhiming Zheng,Owen Michael Pemberton

DOI: https://doi.org/10.1109/tc.2021.3122997

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Lattice-based cryptography, as an active branch of post-quantum cryptography (PQC), has drawn great attention from side-channel analysis researchers in recent years. Despite the various side-channel targets examined in previous studies, detail on revealing the secret-dependent information efficiently is less studied. In this paper, we propose adaptive EM side-channel attacks with carefully constructed ciphertexts on Kyber, which is a finalist of NIST PQC standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require fewer traces and avoid building complex templates. We practically evaluate our methods using both a reference implementation and the ARM-specific implementation in pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces, depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures.

engineering, electrical & electronic,computer science, hardware & architecture

Wenhai Zhou,Fan-tong Kong

DOI: https://doi.org/10.1109/ICCT46805.2019.8947185

2019-10-01

Abstract:Correlative electromagnetic side channel attack (CEMA) is a common and effective method in side channel attacks. However, a large amount of data acquisition and processing restricts the time of key cracking. This paper proposes a fast side channel attack method, which encrypts the selected plaintexts and filters the collected electromagnetic data on frequency domain, and then performs CEMA analysis. Finally, only 150 pieces of electromagnetic data are used to successfully crack all the keys of the advanced encryption standard (AES) cryptographic algorithm, and the cracking time is reduced to 1/50 of the traditional method.

Engineering,Computer Science

Fan Zhang,Liang Geng,Jizhong Shen,Shivam Bhasin,Xinjie Zhao,Shize Guo

DOI: https://doi.org/10.1109/AsianHOST.2017.8353994

2017-01-01

Abstract:Recent lightweight cryptographic algorithms are vulnerable to side channel attacks (SCA), requiring a careful design of implementations. In this paper, we carefully investigate the "Low-Entropy Masking Scheme" (LEMS) on the block cipher LED in the context of resource-constrained environments. We propose an improved LEMS called "iMLED", so as to satisfy two different yet unified design goals: to maintain the entropy of the masking at one bit, meanwhile, to enhance first-order SCA-resistance against advanced SCAs such as correlation-enhanced collision attack (CCA). The security of the implementation has been evaluated based on the SASEBO-W board, which proves that iM-LED has boosted its mitigation against SCA with limited overheads.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Dongmei Xue,Xiaole Cui,Chung-Len Lee,Lifei Liu,Shijie Zhang

DOI: https://doi.org/10.1109/icsict.2014.7021566

2014-01-01

Abstract:Elliptic Curve Cryptography is a popular algorithm since it can achieve good security level with a small key size. However, the ECC hardware is suffering from some side channel attacks, such as Differential power-analysis (DPA), which can retrieve secret keys by analyzing power consumption of the attacked devices. In this paper, a countermeasure to secure the modular multiplication, an important operation of Elliptic Curve Cryptography, with randomization method is studied. The experiment results show that unprotected device reveal the secret key within 1000 power traces, while the protected one can defend DPA attack with 105 power traces, with only 8% additional area cost.

Lihui Wang,Qing Li,Gang Zhang,Jun Yu,Zhimin Zhang,Limin Guo,David Wei Zhang

DOI: https://doi.org/10.1109/CIS.2015.85

2015-01-01

Abstract:Elliptic Curve Cryptography (ECC) is becoming widely deployed in embedded cryptographic devices because of the reduced number of key bits. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain secret keys by measuring power consumption. To resist this attack there appear a number of countermeasures such as Montgomery ladder and double-and-add-always algorithm. This paper proposes a new simple power analysis attack to these countermeasures by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Experimental results on smart cards demonstrate that this attack method can retrieve secret keys easily in several seconds using one power trace. Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Yahya S. Khiabani,Shuangqing Wei,Jian Yuan,Jian Wang

DOI: https://doi.org/10.1109/glocom.2012.6503220

2012-01-01

Abstract:In this paper, we study the effect of channel errors on the performance of linear cryptanalysis against block ciphered system. We study DES block cipher working in cipher feedback mode (CFB) as a special case. In our model, eavesdropper launches linear attack by querying an oracle which provides her with corrupted ciphertexts over a binary symmetric channel (BSC). A new verification strategy in linear attack has been designed and numerically optimized to allow Eve to mount a successful attack in noisy environments. However, we show that even by utilizing this optimized strategy, there is still possibility of misdetection in Eve's cryptanalysis, which directly depends on the channel degradation level. Numerical results show that the proposed attack strategy lets Eve maintain a high performance even for relatively high noise levels. On the other hand, they suggest that due to Eve's possible failures in her attack, tunable cross over probability of the channel can bring about the lowest performance for Eve as well as a higher security.

Han Li

DOI: https://doi.org/10.48550/arXiv.1912.07005

2019-12-15

Abstract:The McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes is first purposed in 2013\cite{QCMDPC} and is considered a promising contender in the post-quantum era. Understanding its security is hence essential. Till now, the most effective attacks are the reaction attack\cite{Reaction} and the timing attack\cite{Timing}. Both of these attacks rely on the decoding performance to recover the private key. The reaction attack relies on the decoding failure rate and the timing attack relies on the iterations during decoding. However, the mechanics behind these attacks remain elusive. In this paper, a mathematical model is proposed to explain both attacks by connecting the spectrum of private key and first-layer performance of the decoder.

Cryptography and Security

Senyang Huang,Xiaoyun Wang,Guangwu Xu,Meiqin Wang,Jingyuan Zhao

DOI: https://doi.org/10.1007/978-3-319-56614-6_9

2017-01-01

Abstract:The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT'15 where cube attacks and cube-attack-like cryptanalysis have been applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known attacks in key recovery in terms of the number of rounds or the complexity. Moreover, our new model can also be applied to keyless setting to distinguish Keccak sponge function from random permutation. We provide a searching algorithm to produce the most efficient conditional cube tester by modeling it as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on Keccak sponge function significantly. Most of our attacks have been implemented and verified by desktop computers. Finally we remark that our attacks on the reduced-round Keccak will not threat the security margin of Keccak sponge function.

Keting Jia,Jiazhe Chen,Meiqin Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-28496-0_11

2011-01-01

Abstract:Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time complexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB.

Qi Chen,Dongyan Zhao,Liang Liu,Xuesong Yan,Yidong Yuan,Xige Zhang,Hongmei Wu,Zhe Wang

DOI: https://doi.org/10.1016/j.csi.2021.103569

IF: 3.721

2022-01-01

Computer Standards & Interfaces

Abstract:Side-channel attacks (SCAs) have become a significant threat nowadays to cryptographic devices, especially central processing units (CPUs). Based on the implementation of AES-128, the side-channel information leakage analysis is carried out in a 32-bit CPU microarchitecture in this work. Correlation power analysis (CPA) results show that it is obvious to reveal the secret key by using only 30 power traces based on the net-list simulation. Three flexibly configurable hardware-based countermeasures are proposed to prevent information leakage in the arithmetic and logic unit (ALU), register file (RF) and load/store unit (LSU), respectively, which are the most sensitive components according to our analysis. The proposed countermeasures have different protection effects on the CPU since the required trace number to reveal the secret key has increased from 30 to 100 similar to 120,000. Moreover, the anti-attack capability of the CPU is improved by 4000 times using the three countermeasures simultaneously. The proposed countermeasures can be freely combined while considering the CPU security and implementation overhead. In practice, the anti-attack capability of the CPU can be further improved when the proposed countermeasures are implemented in real-world measurements, because additional noise will be introduced during the measurements.