Implementation flaws in the masking scheme of DPA Contest v4

This study presents an implementation flaw in the Differential Power Analysis (DPA) Contest v4. This version of the DPA Contest uses the Advanced Encryption Standard (AES) protected against side-channel attacks with the rotating S-box masking (RSM) countermeasure. The authors identify a flaw in the masking scheme used in this contest: the problem lies in an unfortunate choice of values for the masks. An imbalance in the masking scheme leads to first-order leakage, which can be used to mount a first-order side-channel attack against AES-RSM. The attack was implemented and tested on the DPA Contest v4 reference traces. The authors also show how to avoid the newly discovered problem and suggest new values for the masks.
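The abstract turns on one idea: a low-entropy mask set such as the 16-value RSM set is only as good as its statistical balance. The script below is an added example, not code from the paper or from the DPA Contest, that evaluates a candidate mask set in the zero-offset Hamming-weight (HW) model of a single masked byte: it checks per-bit balance, and computes how much the mean (first order) and the higher central moments of HW(v ^ m) vary with the unmasked value v. The 16 RSM mask bytes are given as an assumption recalled from the contest's public aes-rsm.pdf description and should be verified against it; the unbalanced set is constructed here purely to show what a first-order bias looks like. Note the limits of this model: the abstract reports that the contest's concrete choice of values leaks at first order in the real implementation, a detail the abstract does not spell out and that this byte-level HW check does not cover.

```python
"""
Balance checker for RSM-style mask sets in the Hamming-weight leakage model.
Added example; not the paper's or the DPA Contest's own code.

Model: a sensitive byte v is stored as v ^ m, with m drawn uniformly from a
small mask set M (16 values in RSM).  A first-order attacker sees
L = HW(v ^ m) + noise.  E_m[HW(v ^ m)] = sum_i (1 - p_i if bit i of v else p_i),
where p_i is the fraction of masks with bit i set, so the mean is independent
of v exactly when every bit position is set in half of the masks.
"""

# ASSUMPTION: the 16 RSM mask bytes as recalled from the DPA Contest v4
# description (aes-rsm.pdf); verify against the published spec before use.
# They form a linear [8,4,4] code: every non-zero word has weight 4 except 0xff.
RSM_MASKS = [0x00, 0x0f, 0x36, 0x39, 0x53, 0x5c, 0x65, 0x6a,
             0x95, 0x9a, 0xa3, 0xac, 0xc6, 0xc9, 0xf0, 0xff]

# Constructed, deliberately bad set: bit 0 is always set, bits 5-7 never are.
UNBALANCED_MASKS = [0x01, 0x03, 0x05, 0x07, 0x09, 0x0b, 0x0d, 0x0f,
                    0x11, 0x13, 0x15, 0x17, 0x19, 0x1b, 0x1d, 0x1f]


def hw(x: int) -> int:
    """Hamming weight of a byte."""
    return bin(x & 0xff).count("1")


def bit_balance(masks):
    """Fraction of masks with bit i set, for i = 0..7 (LSB first)."""
    return [sum((m >> i) & 1 for m in masks) / len(masks) for i in range(8)]


def is_first_order_balanced(masks) -> bool:
    """True iff every bit position is set in exactly half of the masks."""
    return all(abs(p - 0.5) < 1e-12 for p in bit_balance(masks))


def central_moment_spread(masks, order: int) -> float:
    """
    max - min, over all 256 unmasked bytes v, of the order-th central moment
    of HW(v ^ m) with m uniform over `masks`.  order=1 uses the raw mean, i.e.
    the first-order HW leakage; order>=2 is zero-offset higher-order leakage.
    A spread of 0.0 means the statistic carries no information about v.
    """
    per_value = []
    for v in range(256):
        samples = [hw(v ^ m) for m in masks]
        mu = sum(samples) / len(samples)
        if order == 1:
            per_value.append(mu)
        else:
            per_value.append(sum((s - mu) ** order for s in samples) / len(samples))
    return max(per_value) - min(per_value)


def lowest_leaking_order(masks, max_order: int = 8) -> int:
    """Smallest moment order whose spread is non-zero, or 0 if none up to max_order."""
    for order in range(1, max_order + 1):
        if central_moment_spread(masks, order) > 1e-9:
            return order
    return 0


def report(masks) -> dict:
    """Summary a reviewer would want before accepting a mask set."""
    return {
        "size": len(masks),
        "bit_balance": bit_balance(masks),
        "first_order_balanced": is_first_order_balanced(masks),
        "mean_spread": central_moment_spread(masks, 1),
        "variance_spread": central_moment_spread(masks, 2),
        "lowest_leaking_order": lowest_leaking_order(masks),
    }


if __name__ == "__main__":
    for name, masks in (("RSM (assumed values)", RSM_MASKS),
                        ("constructed unbalanced", UNBALANCED_MASKS)):
        print(name)
        for key, value in report(masks).items():
            print(f"  {key}: {value}")
```

Run on the assumed RSM set, the mean and variance spreads are both zero (every bit, and every pair of bits, is balanced over the code), and the first non-zero spread appears at a higher even moment, which is what "low-entropy masking" costs. The constructed set shows the failure mode the abstract describes: its variance is flat too, yet the mean moves by four HW units across v, which is a large first-order signal. The lesson for a reviewer is to evaluate each statistical order separately rather than trusting one test, and to treat this byte-level model as necessary, not sufficient.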

Inspec keywords: cryptography

Other keywords: side-channel attacks; side-channel attack; implementation flaws; AES-RSM; differential power analysis contest; DPA Contest v4; RSM countermeasure; advanced encryption standard

Subjects: Cryptography theory; Cryptography

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2016.0475