Publication


Featured research published by Junrong Liu.


European Symposium on Research in Computer Security | 2015

Small Tweaks Do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards

Junrong Liu; Yu Yu; François-Xavier Standaert; Zheng Guo; Dawu Gu; Wei Sun; Yijie Ge; Xinjun Xie

Side-channel attacks are an increasingly important concern for the security of cryptographic embedded devices, such as the SIM cards used in mobile phones. Previous works have exhibited such attacks against implementations of the 2G GSM algorithms COMP-128, A5. In this paper, we show that they remain an important issue for USIM cards implementing the AES-based MILENAGE algorithm used in 3G/4G communications. In particular, we analyze instances of cards from a variety of operators and manufacturers, and describe successful Differential Power Analysis attacks that recover encryption keys and other secrets needed to clone the USIM cards within a few minutes. Further, we discuss the impact of the operator-defined secret parameters in MILENAGE on the difficulty to perform Differential Power Analysis, and show that they do not improve implementation security. Our results back up the observation that physical security issues raise long-term challenges that should be solved early in the development of cryptographic implementations, with adequate countermeasures.


Computers & Mathematics With Applications | 2013

Differential power analysis of stream ciphers with LFSRs

Bo Qu; Dawu Gu; Zheng Guo; Junrong Liu

Side-channel attacks on block ciphers and public key algorithms have been discussed extensively, but only a few systematic studies on the applicability of side-channel attacks to stream ciphers could be found. The objective of the present study is to develop general differential power analysis techniques which can be employed to attack the stream ciphers with linear feedback shift registers. To illustrate the new approach, a common structure of a stream cipher with the basic components is given. Then the approach is employed to analyze the given structure. The results show that the linear feedback shift registers may leak the information of the secret key. The approach is also applied to Crypto-1 and the experimental results show that it is very effective. 28-bit information of the 48-bit secret key can be obtained just by analyzing some power traces. Furthermore, the present work may be helpful in analyzing a variety of stream ciphers with LFSRs.


Workshop on Fault Diagnosis and Tolerance in Cryptography | 2012

Differential Fault Analysis on Lightweight Blockciphers with Statistical Cryptanalysis Techniques

Dawu Gu; Juanru Li; Sheng Li; Zhouqian Ma; Zheng Guo; Junrong Liu

Differential fault analysis is one of the most efficient side channel attack techniques that threaten the security of block ciphers. However, it often requires a penultimate or an antepenultimate round faulty encryption and is not suitable for middle round faults. This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniques against lightweight ciphers. The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically, and exploits the weakness of bit-permutation adopted by many lightweight block ciphers under fault attack. Specific attacks against PRESENT and PRINTcipher are given to prove the validity. The result shows that about one fifth of the iterative rounds need to be protected for these lightweight ciphers with bit-permutation.


Smart Card Research and Advanced Application Conference | 2016

Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages

Weijia Wang; François-Xavier Standaert; Yu Yu; Sihang Pu; Junrong Liu; Zheng Guo; Dawu Gu

Designers of masking schemes are usually torn between the contradicting goals of maximizing the security gains while minimizing the performance overheads. Boolean masking is one extreme example of this tradeoff: its algebraic structure is as simple as can be (and so are its implementations), but it typically suffers more from implementation weaknesses. For example, knowing one bit of each share is enough to know one bit of secret in this case. Inner product masking lies at the other side of this tradeoff: its algebraic structure is more involved, making it more expensive to implement (especially at higher orders), but it ensures stronger security guarantees. For example, knowing one bit of each share is not enough to know one bit of secret in this case.


Computational Intelligence and Security | 2014

An Improved Side-Channel Attack Based on Support Vector Machine

Zhong Zeng; Dawu Gu; Junrong Liu; Zheng Guo

Side-channel attack (SCA) is a very efficient cryptanalysis technology to attack cryptographic devices. It takes advantage of physical information leakages to recover the cryptographic key. In order to strengthen the power to extract the cryptographic key-relevant information, this article introduces the Support Vector Machine technologies. Taking a software implementation of masked AES-256 on an Atmel ATMega-163 smart card, we applied an improved profiled side-channel attack to recover the cryptographic key. The current best result of our attack is able to recover the first 128 bits key using only one power trace.


Computational Intelligence and Security | 2013

A Power Analysis on SMS4 Using the Chosen Plaintext Method

Shutong Wang; Dawu Gu; Junrong Liu; Zheng Guo; Weijia Wang; Sigang Bao

SMS4 is the first officially released commercial cryptographic algorithm. It provides unified standards for designing and using local area wireless network products. The general DPA attack is not suitable for SMS4 owing to the ample random diffusion of the round output. This article proposed a new power analysis method for SMS4 to reduce the diffusion by chosen plaintext. Two means - the Hamming distance model and the bit model - are used to build the power model. Simulation results show that this method is effective and can be used in actual cryptographic circuits such as smart cards.


Computational Intelligence and Security | 2010

Correlation Power Analysis Against Stream Cipher MICKEY v2

Junrong Liu; Dawu Gu; Zheng Guo

In this paper we discuss a correlation power analysis attack against the stream cipher MICKEY v2. In such attacks, we use the Hamming-Distance model to simulate the power consumption. The Hamming-Distance model is a more accurate description of power consumption than other models such as Hamming-Weight, the bit model, etc. Generally, the Hamming-Distance model is used to map the transitions that occur at the cells’ outputs of a CMOS circuit to the values of power consumption. In our attacks, we propose a Hamming-Distance model based on internal nodes of XOR gates, considering that the basic structure of MICKEY v2 is a two-input and a three-input XOR gate. We simulate the power which comes not only from the output of the gate but also from the internal nodes. This model is more accurate than previous ones because we simulate the power consumed by all transistors. We then designed the attack on MICKEY v2 using this model, and finally we simulate the result of the attack. The result shows that only a few or ten power traces during initialization are needed to reveal the secret key by using a weakness of MICKEY v2 initialization during resynchronization.


Science in China Series F: Information Sciences | 2018

Similar operation template attack on RSA-CRT as a case study

Sen Xu; Xiangjun Lu; Kaiyu Zhang; Yang Li; Lei Wang; Weijia Wang; Haihua Gu; Zheng Guo; Junrong Liu; Dawu Gu

A template attack, the most powerful side-channel attack method, usually first builds the leakage profiles from a controlled profiling device, and then uses these profiles to recover the secret of the target device. It is based on the fact that the profiling device shares similar leakage characteristics with the target device. In this study, we focus on the similar operations in a single device and propose a new variant of the template attack, called the similar operation template attack (SOTA). SOTA builds the models on public variables (e.g., input/output) and recovers the values of the secret variables that leak similarly to the public variables. SOTA’s advantage is that it can avoid the requirement of an additional profiling device. In this study, the proposed SOTA method is applied to a straightforward RSA-CRT implementation. Because the leakage is (almost) the same in similar operations, we reduce the security of RSA-CRT to a hidden multiplier problem (HMP) over GF(q), which can be solved byte-wise using our proposed heuristic algorithm. The effectiveness of our proposed method is verified as an entire prime recovery procedure in a practical leakage scenario.


Cryptographic Hardware and Embedded Systems | 2015

Evaluation and Improvement of Generic-Emulating DPA Attacks

Weijia Wang; Yu Yu; Junrong Liu; Zheng Guo; François-Xavier Standaert; Dawu Gu; Sen Xu; Rong Fu

At CT-RSA 2014, Whitnall, Oswald and Standaert gave the impossibility result that no generic DPA strategies (i.e., without any a priori knowledge about the leakage characteristics) can recover secret information from a physical device by considering an injective target function (e.g., AES and PRESENT S-boxes), and as a remedy, they proposed a slightly relaxed strategy “generic-emulating DPAs” free from the non-injectivity constraint. However, as we show in this paper, the only generic-emulating DPA proposed in their work, namely the SLR-based DPA, suffers from two drawbacks: unstable outcomes in the high-noise regime (i.e., for a small number of traces) and poor performance especially on real smart cards (compared with traditional DPAs with a specific power model). In order to solve these problems, we introduce two new generic-emulating distinguishers, based on lasso and ridge regression strategies respectively, with more stable and better performances than the SLR-based one. Further, we introduce the cross-validation technique that improves the generic-emulating DPAs in general and might be of independent interest. Finally, we compare the performances of all aforementioned generic-emulating distinguishers (both with and without cross-validation) in simulated leakages functions of different degrees, and on an AES ASIC implementation. Our experimental results show that our generic-emulating distinguishers are stable and some of them behave even better than (resp., almost the same as) the best Difference-of-Means distinguishers in simulated leakages (resp., on a real implementation), and thus make themselves good alternatives to traditional DPAs.


China Communications | 2015

A combinational power analysis method against cryptographic hardware

Zheng Guo; Dawu Gu; Haining Lu; Junrong Liu; Sen Xu; Sigang Bao; Haihua Gu

Power analysis is a non-invasive attack against cryptographic hardware, which effectively exploits runtime power consumption characteristics of circuits. This paper proposes a new power model which combines the Hamming Distance model and the model based on the template value of power consumption in combinational logic circuits. The new model can describe the power consumption characteristics of sequential logic circuits and those of combinational logic as well. The new model can be used to improve the existing power analysis methods and detect the information leakage of power consumption. Experimental results show that, compared to the CPA (Correlation Power Analysis) method, our proposed attack, which adopts the combinational model, is more efficient in terms of the number of required power traces.

Collaboration


Top Co-Authors

Zheng Guo, Shanghai Jiao Tong University

Dawu Gu, Shanghai Jiao Tong University

Sen Xu, Shanghai Jiao Tong University

Weijia Wang, Shanghai Jiao Tong University

Yu Yu, Shanghai Jiao Tong University

François-Xavier Standaert, Université catholique de Louvain

Jiachao Chen, Shanghai Jiao Tong University

Sihang Pu, Shanghai Jiao Tong University

Wei Sun, Shanghai Jiao Tong University

Xiangjun Lu, Shanghai Jiao Tong University