Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Li Zhu,Da-wu Gu,Chao Wang

DOI: https://doi.org/10.1007/s11741-008-0212-2

2008-01-01

Abstract:Based on the structure of the side channel attacks (SCAs) to RSA cryptosystem can resist the fault attack and combine with the randomization method for the message and secret exponent, a new implementation scheme of CRT-based (the Chinese remained theorem) RSA is proposed. The proposed scheme can prevent simple power analysis (SPA), differential power analysis (DPA) and time attack, and is compatible with the existing RSA-CRT cryptosystem as well. In addition, an improvement for resisting fault attack is proposed, which can reduce extra computation time.

CHENG Wei,GU Da-wu,GUO Zheng,ZHANG Lei

DOI: https://doi.org/10.3969/j.issn.1002-0802.2011.06.043

2011-01-01

Abstract:As a fast RSA implementation,RSA-CRT is widely applied to computing-limited devices,such as smart cards.This paper describes a side channel attack against RSA-CRT implementation.By properly choosing input data,the power consumption of the intermediate value after the modular reduction is analyzed.This attack first determines the size of one of the primes,then based on it,takes another DPA attack and gets the byte-by-byte prime.The simulation experiment shows that this attack is effective,and relative to MRED,could reduce the number of needed power traces and raise the attack efficiency.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Lihui Wang,Qing Li,Gang Zhang,Jun Yu,Zhimin Zhang,Limin Guo,David Wei Zhang

DOI: https://doi.org/10.1109/CIS.2015.85

2015-01-01

Abstract:Elliptic Curve Cryptography (ECC) is becoming widely deployed in embedded cryptographic devices because of the reduced number of key bits. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain secret keys by measuring power consumption. To resist this attack there appear a number of countermeasures such as Montgomery ladder and double-and-add-always algorithm. This paper proposes a new simple power analysis attack to these countermeasures by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Experimental results on smart cards demonstrate that this attack method can retrieve secret keys easily in several seconds using one power trace. Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Ievgen Kabin,Zoya Dyka,Dan Klann,Peter Langendoerfer

DOI: https://doi.org/10.48550/arXiv.2201.02866

2022-01-08

Cryptography and Security

Abstract:Due to the nature of applications such as critical infrastructure and the Internet of Things etc. side channel analysis attacks are becoming a serious threat. Side channel analysis attacks take advantage from the fact that the behavior of crypto implementations can be observed and provides hints that simplify revealing keys. A new type of SCA are the so called horizontal SCAs. Well known randomization based countermeasures are effective means against vertical DPA attacks but they are not effective against horizontal DPA attacks. In this paper we investigate how the formula used to implement the multiplication of $GF(2^n)$-elements influences the results of horizontal DPA attacks against a Montgomery kP implementation. We implemented 5 designs with different partial multipliers, i.e. based on different multiplication formulae. We used two different technologies, i.e. a 130 and a 250 nm technology, to simulate power traces for our analysis. We show that the implemented multiplication formula influences the success of horizontal attacks significantly, but we also learned that its impact differs from technology to technology. Our analysis also reveals that the use of different multiplication formulae as the single countermeasure is not sufficient to protect cryptographic designs against horizontal DPA attacks.

lihui wang,qing li,zhimin zhang,weijun shan,davidwei zhang

DOI: https://doi.org/10.2991/iset-15.2015.33

2015-01-01

Abstract:Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems such as RSA. They are especially suited to smartcards because of the limited memory and computational power available on these devices. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a novel simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Zou Dabi,Lin Dongdai

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.09.031

2006-01-01

Abstract:The scalar multiplication is the dominant operation in Elliptic Curve Cryptosystems(ECC).In this paper,we have proposed a modified width-w window method to compute the scalar multiplication efficiently and securely against side channel analysis,based on the side channel atomicity introduced by Benoit Chevallier-Mames.Utilizing this window method,we have proposed a new parallel scalar multiplication algorithm,which is secure against side channel analysis and is also very efficient.

LI Zhi-yuan,BAI Xue-fei,GUO Li

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2010.02.032

2010-01-01

Abstract:In this paper,the defense mechanism of differential power analysis attacks on the RSA cipher algorithm is discussed.Based on analyses of self-randomized modular exponentiation algorithm,a new side-channel atomic strict self-randomized modular exponentiation algorithm is proposed in which a BBS random number generator and the side-channel atomic technology are applied to improve the original algorithm.The results of simulation experiments indicate that this method is effective and practical to prevent differential power analysis attacks.

Bo Qu,Dawu Gu,Zheng Guo,Junrong Liu

DOI: https://doi.org/10.1016/j.camwa.2012.02.024

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:Side-channel attacks on block ciphers and public key algorithms have been discussed extensively, but only a few systematic studies on the applicability of side-channel attacks to stream ciphers could be found. The objective of the present study is to develop general differential power analysis techniques which can be employed to attack the stream ciphers with linear feedback shift registers. To illustrate the new approach, a common structure of a stream cipher with the basic components is given. Then the approach is employed to analyze the given structure. The results show that the linear feedback shift registers may leak the information of the secret key. The approach is also applied to Crypto-1 and the experimental results show that it is very effective. 28-bit information of the 48-bit secret key can be obtained just by analyzing some power traces. Furthermore, the present work may be helpful in analyzing a variety of stream ciphers with LFSRs.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/itng.2007.152

2007-01-01

Abstract:Power analysis can exploit the instantaneous power consumptions of elliptic curve cryptography (ECC) devices and retrieve secret keys. Many countermeasures have been proposed to make ECC implementations secure. One of the approaches is the randomized algorithms proposed by Oswald et al., which combine two scalar point multiplication algorithms and use random variables to decide which algorithm to follow at different stages of the computation. In this paper, we describe a power analysis attack that can break randomized automata proposed by Oswald et al. effectively, even with a small number of power traces

Fan Zhang,Bolin Yang,Xiaofei Dong,Sylvain Guilley,Zhe Liu,Wei He,Fangguo Zhang,Kui Ren

DOI: https://doi.org/10.1109/tc.2020.3020407

IF: 3.183

2020-11-01

IEEE Transactions on Computers

Abstract:The implementations of post-quantum cryptographic algorithms have been newly explored, whereas, the protection against side-channel attacks shall be considered upfront, since it can have a non-negligible impact on security and performance. In this article, the security of supersingular isogeny key encapsulation (SIKE), a second-round candidate of NIST's on-going post-quantum standardization process, is thoroughly evaluated under side-channel analysis. First, the vulnerabilities of reference and optimized implementations of SIKE are thoroughly analyzed in terms of both horizontal and vertical side-channel leakage. After the optimized SIKE, which is based on Three-point Montgomery Differential Ladder algorithm, is proved to be constant-time and there is no horizontal leakage, a vertical vulnerability is analyzed based on the source code at the algorithmic level, and a theoretical differential power analysis (DPA) attack is proposed. In order to exploit this vulnerability, the differential electromagnetic attack (DEMA) is put into practice to extract the private key of SIKE based on a 32-bit ARM platform. To the best of our knowledge, this is the first practical side-channel attack at SIKE implemented on real ARM-based devices. Our experiments show that the DEMA needs only hundreds of electromagnetic traces to carry out the attack. More importantly, an efficient window-based countermeasure is proposed to eliminate the vertical leakage and prevent side-channel attacks with only a little overhead. The security of our countermeasure is carefully evaluated against most of well-known power analysis attacks. Through careful evaluation and comparison with other countermeasures, this method can lead to higher security at a very small cost in terms of time and memory.

engineering, electrical & electronic,computer science, hardware & architecture

蒋惠萍,毛志刚

DOI: https://doi.org/10.3321/j.issn:0367-6234.2004.12.031

2004-01-01

Abstract:Side channel information could be used to analysis the key information according to leakage information depending on the operation of cryptography algorithm and its hardware. Fault analysis (Bellcore-Lenstra) and power analysis are the chief attack methods. Because of high effectiveness with low cost, the problem of side channel information attacks during the design of RSA-CRT cryptography coprocessor should be think better. In order to maximize the cost perforance, MASK and removing intermediate value technique are introduced into RSA-CRT, which cost only more 30% timing to realize secure RSA-CRT algorithm. Contemporary the effectiveness of advanced RSA-CRT is illuminated briefly.

Wang Yongjuan,Wang Tao,Yuan Qingjun,Gao Yang,Wang Xiangbin

DOI: https://doi.org/10.11999/JEIT181075

2020-01-01

Abstract:The complexity of the pre-processing phase of the cubic attack grows exponentially with the number of output bit algebras, and the difficulty of finding an effective cube set increases. In this paper, the algorithm of preprocessing stage in cubic attack is improved. In the cube set search, from random search to target search, a new target search optimization algorithm is designed to optimize the computational complexity of the preprocessing stage. In turn, the offline phase time complexity is significantly reduced. The improved cubic attack combined with the side-channel method is applied to the MIBS block cipher algorithm. The algorithm characteristics of MIBS are analyzed from the perspective of side-channel attack. The leak location is selected in the third round, and the overdetermined linear equations from initial key and output bit are established, which can directly recover 33bit key. Then the 6bit key can be recovered by quadric-detecting. The amount of plaintext required is 2(21.64), time complexity is 2(25). This result is greatly improved compared with the existing results, the number of keys recovered is increased, and the time complexity of the online phase is reduced.

Tianwei Zhang,Jun Jiang,Yinqian Zhang

DOI: https://doi.org/10.48550/arXiv.1911.09312

2019-12-12

Abstract:We systematize software side-channel attacks with a focus on vulnerabilities and countermeasures in the cryptographic implementations. Particularly, we survey past research literature to categorize vulnerable implementations, and identify common strategies to eliminate them. We then evaluate popular libraries and applications, quantitatively measuring and comparing the vulnerability severity, response time and coverage. Based on these characterizations and evaluations, we offer some insights for side-channel researchers, cryptographic software developers and users. We hope our study can inspire the side-channel research community to discover new vulnerabilities, and more importantly, to fortify applications against them.

Cryptography and Security