Publications

Featured research published by Elisabeth Oswald.


International Conference on the Theory and Application of Cryptology and Information Security | 2010

The World Is Not Enough: Another Look on Second-Order DPA

François-Xavier Standaert; Nicolas Veyrat-Charvillon; Elisabeth Oswald; Benedikt Gierlichs; Markus Kasper; Stefan Mangard

In a recent work, Mangard et al. showed that under certain assumptions, the (so-called) standard univariate side-channel attacks using a distance-of-means test, correlation analysis and Gaussian templates are essentially equivalent. In this paper, we show that in the context of multivariate attacks against masked implementations, this conclusion does not hold anymore. While a single distinguisher can be used to compare the susceptibility of different unprotected devices to first-order DPA, understanding second-order attacks requires carefully investigating the information leakages and the adversaries exploiting these leakages, separately. Using a framework put forward by Standaert et al. at Eurocrypt 2009, we provide the first analysis that explores these two topics in the case of a masked implementation exhibiting a Hamming weight leakage model. Our results lead to refined intuitions regarding the efficiency of various practically-relevant distinguishers. Further, we also investigate the case of second- and third-order masking (i.e. using three and four shares to represent one value). This evaluation confirms that higher-order masking only leads to significant security improvements if the secret sharing is combined with a sufficient amount of noise. Eventually, we show that an information theoretic analysis allows determining this necessary noise level, for different masking schemes and target security levels, with high accuracy and smaller data complexity than previous methods.


Fast Software Encryption | 2005

A side-channel analysis resistant description of the AES s-box

Elisabeth Oswald; Stefan Mangard; Norbert Pramstaller; Vincent Rijmen

So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF(4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.


Cryptographic Hardware and Embedded Systems | 2005

Successfully attacking masked AES hardware implementations

Stefan Mangard; Norbert Pramstaller; Elisabeth Oswald

During the last years, several masking schemes for AES have been proposed to secure hardware implementations against DPA attacks. In order to investigate the effectiveness of these countermeasures in practice, we have designed and manufactured an ASIC. The chip features an unmasked and two masked AES-128 encryption engines that can be attacked independently. In addition to conventional DPA attacks on the output of registers, we have also mounted attacks on the output of logic gates. Based on simulations and physical measurements we show that the unmasked and masked implementations leak side-channel information due to glitches at the output of logic gates. It turns out that masking the AES S-Boxes does not prevent DPA attacks, if glitches occur in the circuit.


Archive | 2008

Cryptographic Hardware and Embedded Systems – CHES 2008

Elisabeth Oswald; Pankaj Rohatgi

Contents:

Side-Channel Analysis 1:
  Attack and Improvement of a Secure S-Box Calculation Based on the Fourier Transform
  Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs
  Multiple-Differential Side-Channel Collision Attacks on AES

Implementations 1:
  Time-Area Optimized Public-Key Engines: -Cryptosystems as Replacement for Elliptic Curves?
  Ultra High Performance ECC over NIST Primes on Commercial FPGAs
  Exploiting the Power of GPUs for Asymmetric Cryptography

Fault Analysis 1:
  High-Performance Concurrent Error Detection Scheme for AES Hardware
  A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis
  RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks

Random Number Generation:
  A Design for a Physical RNG with Robust Entropy Estimators
  Fast Digital TRNG Based on Metastable Ring Oscillator
  Efficient Helper Data Key Extractor on FPGAs

Side-Channel Analysis 2:
  The Carry Leakage on the Randomized Exponent Countermeasure
  Recovering Secret Keys from Weak Side Channel Traces of Differing Lengths
  Attacking State-of-the-Art Software Countermeasures: A Case Study for AES

Cryptography and Cryptanalysis:
  Binary Edwards Curves
  A Real-World Attack Breaking A5/1 within Hours
  Hash Functions and RFID Tags: Mind the Gap

Implementations 2:
  A New Bit-Serial Architecture for Field Multiplication Using Polynomial Bases
  A Very Compact Hardware Implementation of the MISTY1 Block Cipher
  Light-Weight Instruction Set Extensions for Bit-Sliced Cryptography

Fault Analysis 2:
  Power and Fault Analysis Resistance in Hardware through Dynamic Reconfiguration
  RFID and Its Vulnerability to Faults
  Perturbating RSA Public Keys: An Improved Attack

Side-Channel Analysis 3:
  Divided Backend Duplication Methodology for Balanced Dual Rail Routing
  Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages
  Mutual Information Analysis

Invited Talks:
  RSA: Past, Present, Future
  A Vision for Platform Security


The Cryptographers' Track at the RSA Conference | 2002

An ASIC Implementation of the AES SBoxes

Johannes Wolkerstorfer; Elisabeth Oswald; Mario Lamberger

This article presents a hardware implementation of the S-Boxes from the Advanced Encryption Standard (AES). The SBoxes substitute an 8-bit input for an 8-bit output and are based on arithmetic operations in the finite field GF(2^8). We show that a calculation of this function and its inverse can be done efficiently with combinational logic. This approach has advantages over a straight-forward implementation using read-only memories for table lookups. Most of the functionality is used for both encryption and decryption. The resulting circuit offers low transistor count, has low die-size, is convenient for pipelining, and can be realized easily within a semi-custom design methodology like a standard-cell design. Our standard cell implementation on a 0.6 µm CMOS process requires an area of only 0.108 mm² and has delay below 15 ns, which equals a maximum clock frequency of 70 MHz. These results were achieved without applying any speed optimization techniques like pipelining.


International Conference on Information Technology: Coding and Computing | 2004

Power-analysis attack on an ASIC AES implementation

Sıddıka Berna Örs; Frank K. Gürkaynak; Elisabeth Oswald; Bart Preneel

The AES (advanced encryption standard) is a new block cipher standard published by the US government in November 2001. As a consequence, there is a growing interest in efficient implementations of the AES. For many applications, these implementations need to be resistant against side channel attacks, that is, it should not be too easy to extract secret information from physical measurements on the device. We present the first results on the feasibility of a power analysis attack against an AES hardware implementation. Our attack is targeted against an ASIC implementation of the AES developed by the ETH Zurich. We show how to build a reliable measurement setup and how to improve the correlation coefficients, i.e., the signal to noise ratio for our measurements. Our approach is also the first step to link simulated power measurements generated by a behavioral HDL simulator to real power measurements.


Cryptographic Hardware and Embedded Systems | 2003

Power-Analysis Attacks on an FPGA - First Experimental Results

Sıddıka Berna Örs; Elisabeth Oswald; Bart Preneel

Field Programmable Gate Arrays (FPGAs) are becoming increasingly popular, especially for rapid prototyping. For implementations of cryptographic algorithms, not only the speed and the size of the circuit are important, but also their security against implementation attacks such as side-channel attacks. Power-analysis attacks are typical examples of side-channel attacks, that have been demonstrated to be effective against implementations without special countermeasures. The flexibility of FPGAs is an important advantage in real applications but also in lab environments. It is therefore natural to use FPGAs to assess the vulnerability of hardware implementations to power-analysis attacks. To our knowledge, this paper is the first to describe a setup to conduct power-analysis attacks on FPGAs. We discuss the design of our hand-made FPGA-board and we provide a first characterization of the power consumption of a Virtex 800 FPGA. Finally we provide strong evidence that implementations of elliptic curve cryptosystems without specific countermeasures are indeed vulnerable to simple power-analysis attacks.


Cryptographic Hardware and Embedded Systems | 2001

Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks

Elisabeth Oswald; Manfred Aigner

Power Analysis attacks on elliptic curve cryptosystems, and various countermeasures against them, have been first discussed by Coron ([6]). All proposed countermeasures are based on the randomization or blinding of the input parameters of the binary algorithm. We propose a countermeasure that randomizes the binary algorithm itself. Our algorithm needs approximately 9% more additions than the ordinary binary algorithm, but makes power analysis attacks really difficult.


The Cryptographers' Track at the RSA Conference | 2005

Update on SHA-1

Vincent Rijmen; Elisabeth Oswald

We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.


Workshop on Information Security Applications | 2004

Practical template attacks

Christian Rechberger; Elisabeth Oswald

Side-channel attacks pose a serious threat to implementations of cryptographic algorithms. In the pioneering article of Chari, Rao and Rohatgi, the general idea behind template attacks was introduced. Template attacks apply advanced statistical methods and can break implementations secure against other forms of side-channel attacks. However, in our research it turned out that several details, which are essential to practical implementations of template attacks, still need to be answered. In this article we provide answers to open issues, such as how to select points of interest in an efficient way, or how to preprocess noisy data. In addition, we show the benefits of trial classifications and we point out that in practice so-called amplified template attacks have to be considered as a potential threat.

Collaboration

Top co-authors of Elisabeth Oswald:

Stefan Mangard, Graz University of Technology
François-Xavier Standaert, Université catholique de Louvain
Vincent Rijmen, Katholieke Universiteit Leuven
Dan Page, University of Bristol