
Showing papers on "Side channel attack" published in 2002


Journal ArticleDOI
TL;DR: In this paper, the authors examined the noise characteristics of the power signals and developed an approach to model the signal-to-noise ratio (SNR) using a multiple-bit attack.
Abstract: This paper examines how monitoring power consumption signals might breach smart-card security. Both simple power analysis and differential power analysis attacks are investigated. The theory behind these attacks is reviewed. Then, we concentrate on showing how power analysis theory can be applied to attack an actual smart card. We examine the noise characteristics of the power signals and develop an approach to model the signal-to-noise ratio (SNR). We show how this SNR can be significantly improved using a multiple-bit attack. Experimental results against a smart-card implementation of the Data Encryption Standard demonstrate the effectiveness of our multiple-bit attack. Potential countermeasures to these attacks are also discussed.

1,554 citations


Proceedings Article
13 Aug 2002
TL;DR: This work presents template attacks, the strongest form of side channel attack possible in an information theoretic sense, and describes in detail how an implementation of RC4, not amenable to techniques such as SPA and DPA, can be broken using template attacks with a single sample.
Abstract: We present template attacks, the strongest form of side channel attack possible in an information theoretic sense. These attacks can break implementations and countermeasures whose security is dependent on the assumption that an adversary cannot obtain more than one or a limited number of side channel samples. They require that an adversary has access to an identical experimental device that he can program to his choosing. The success of these attacks in such constraining situations is due to the manner in which noise within each sample is handled. In contrast to previous approaches which viewed noise as a hindrance that had to be reduced or eliminated, our approach focuses on precisely modeling noise, and using this to fully extract information present in a single sample. We describe in detail how an implementation of RC4, not amenable to techniques such as SPA and DPA, can easily be broken using template attacks with a single sample. Other applications include attacks on certain DES implementations which use DPA-resistant hardware and certain SSL accelerators which can be attacked by monitoring electromagnetic emanations from an RSA operation even from distances of fifteen feet.

1,136 citations


Book ChapterDOI
13 Aug 2002
TL;DR: It is shown that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.
Abstract: We present results of a systematic investigation of leakage of compromising information via electromagnetic (EM) emanations from CMOS devices. These emanations are shown to consist of a multiplicity of signals, each leaking somewhat different information about the underlying computation. We show that not only can EM emanations be used to attack cryptographic devices where the power side-channel is unavailable, they can even be used to break power analysis countermeasures.

778 citations


Journal Article
TL;DR: Various ways to perform an efficient side channel attack are shown and potential applications, extensions to other padding schemes and various ways to fix the problem are discussed.
Abstract: In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel. In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.

297 citations


Posted Content
TL;DR: In this article, the idea of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm has been investigated, and it has been shown that an attacker may be able to reveal or narrow the possible values of secret information held on the target device.
Abstract: We expand on the idea, proposed by Kelsey et al [?], of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm. By using this side-channel, an attacker may be able to reveal or narrow the possible values of secret information held on the target device. We describe an attack which encrypts 2 chosen plaintexts on the target processor in order to collect cache profiles and then performs around 2 computational steps to recover the key. As well as describing and simulating the theoretical attack, we discuss how hardware and algorithmic alterations can be used to defend against such techniques.

260 citations


Book ChapterDOI
02 May 2002
TL;DR: In this paper, the authors discuss potential applications, extensions to other padding schemes, and various ways to fix the problem of side channel leakage from communication protocols in chosen ciphertext attacks since the receiver usually sends an acknowledgment or an error message.
Abstract: In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel. In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.

223 citations


Journal ArticleDOI
TL;DR: The authors investigate systematic approaches to low-cost low-latency CED techniques for symmetric encryption algorithms based on inverse relationships that exist between encryption and decryption at algorithm level, round level, and operation level and develop CED architectures that explore tradeoffs among area overhead, performance penalty, and fault detection latency.
Abstract: Fault-based side-channel cryptanalysis is very effective against symmetric and asymmetric encryption algorithms. Although straightforward hardware and time redundancy-based concurrent error detection (CED) architectures can be used to thwart such attacks, they entail significant overheads (either area or performance). The authors investigate systematic approaches to low-cost low-latency CED techniques for symmetric encryption algorithms based on inverse relationships that exist between encryption and decryption at algorithm level, round level, and operation level and develop CED architectures that explore tradeoffs among area overhead, performance penalty, and fault detection latency. The proposed techniques have been validated on FPGA implementations of Advanced Encryption Standard (AES) finalist 128-bit symmetric encryption algorithms.

210 citations


Book ChapterDOI
13 Aug 2002
TL;DR: This paper optimizes a counter measure for the AES block cipher consisting in transforming a boolean mask to a multiplicative mask prior to a non-linear Byte Substitution operation, thus avoiding S-box re-computations for every run or storing multiple S-box tables in RAM.
Abstract: Software counter measures against side channel attacks considerably hinder performance of cryptographic algorithms in terms of memory or execution time or both. The challenge is to achieve a secure implementation with as little extra cost as possible. In this paper we optimize a counter measure for the AES block cipher consisting in transforming a boolean mask to a multiplicative mask prior to a non-linear Byte Substitution operation (thus avoiding S-box re-computations for every run or storing multiple S-box tables in RAM), while preserving a boolean mask everywhere else. We demonstrate that it is possible to achieve such a transformation for a cost of two additional multiplications in the field. However, due to an inherent vulnerability of multiplicative masking to the so-called zero attack, additional care must be taken to secure its implementation. We describe one possible, although not perfect, approach to such an implementation which combines algebraic techniques and partial re-computation of S-boxes. This adds one more multiplication operation, and either occasional S-box re-computations or an extra 528 bytes of memory to the total price of the counter measure.

132 citations


Proceedings ArticleDOI
12 May 2002
TL;DR: This paper introduces a new class of side-channel attacks called partitioning attacks and describes a new resource-efficient countermeasure for protecting table lookups in cryptographic implementations and justifies its correctness rigorously.
Abstract: In this paper, we introduce a new class of side-channel attacks called partitioning attacks. We have successfully launched a version of the attack on several implementations of COMP128, the popular GSM authentication algorithm that has been deployed by different service providers in several types of SIM cards, to retrieve the 128 bit key using as few as 8 chosen plaintexts. We show how partitioning attacks can be used effectively to attack implementations that have been equipped with ad hoc and inadequate countermeasures against side-channel attacks. Such ad hoc countermeasures are systemic in implementations of cryptographic algorithms, such as COMP128, which require the use of large tables since there has been a mistaken belief that sound countermeasures require more resources than are available. To address this problem, we describe a new resource-efficient countermeasure for protecting table lookups in cryptographic implementations and justify its correctness rigorously.

112 citations


Book ChapterDOI
04 Feb 2002
TL;DR: In this paper, the authors describe a side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs, and discuss ways to use this apparently very small leak of information in surprisingly powerful ways.
Abstract: Cryptosystems like AES and triple-DES are designed to encrypt a sequence of input bytes (the plaintext) into a sequence of output bytes (the ciphertext) in such a way that the output carries no information about that plaintext except its length. In recent years, concerns have been raised about "side-channel" attacks on various cryptosystems—attacks that make use of some kind of leaked information about the cryptographic operations (e.g., power consumption or timing) to defeat them. In this paper, we describe a somewhat different kind of side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs. The existence of some information about a compressor's input in the size of its output is obvious; here, we discuss ways to use this apparently very small leak of information in surprisingly powerful ways.

95 citations


Book ChapterDOI
13 Aug 2002
TL;DR: An efficient countermeasure for ECCs against power attacks by using the randomization concept together with the NAF recoding algorithm that provides a randomized signed-scalar representation at every scalar multiplication to resist DPA and SPA.
Abstract: Recently it has been shown that smart cards as cryptographic devices are vulnerable to power attacks if they have no defence against them. Randomization on ECC scalar multiplication is one of the fundamental concepts in methods of defence against side-channel attacks. In this paper by using the randomization concept together with the NAF recoding algorithm, we propose an efficient countermeasure for ECCs against power attacks. The countermeasure provides a randomized signed-scalar representation at every scalar multiplication to resist DPA. To protect against SPA it additionally employs a simple SPA-immune addition-subtraction multiplication algorithm. Our analysis shows that it needs no additional computation load compared to the ordinary binary scalar multiplication, where the average number of doublings plus additions for a bit length n is 1.5n+O(1).

Book ChapterDOI
16 Dec 2002
TL;DR: Several elliptic curve multiplication algorithms secure against side channel attacks (SCA) are improved and can be applied to the recommended curves found in various standards.
Abstract: We improve several elliptic curve multiplication algorithms secure against side channel attacks (SCA). While some efficient SCA-resistant algorithms were developed that apply only to special classes of curves, we are interested in algorithms that are suitable for general elliptic curves and can be applied to the recommended curves found in various standards. We compare the running time and memory usage of the improved schemes.

Book ChapterDOI
13 Aug 2002
TL;DR: A study of software counter measures against side channel attacks for elliptic curve cryptosystems is presented, and two new counter measures are introduced, namely, homogeneous group operations and a non-deterministic method of point exponentiation with precomputations.
Abstract: Many software implementations of public key cryptosystems have been concerned with efficiency. The advent of side channel attacks, such as timing and power analysis attacks, forces us to reconsider the strategy of implementation of group arithmetic. This paper presents a study of software counter measures against side channel attacks for elliptic curve cryptosystems. We introduce two new counter measures. The first is a new implementation technique, namely, homogeneous group operations, which has the property that addition and doubling on elliptic curves cannot be distinguished from side channel analysis. Being inexpensive time-wise, this technique is an alternative to the well-known Montgomery ladder. The second is a non-deterministic method of point exponentiation with precomputations. Although requiring rather large ROM, it provides an effective resistance against high-order power analysis attacks for the price of index re-computations and ROM accesses. An experimental implementation of NIST-recommended elliptic curves over binary fields with a balanced suite of counter measures built into the group arithmetic is presented, and the penalty paid is analyzed. The results of the implementation in C on an AMD Duron 600 MHz running Linux are included in the paper.

Book ChapterDOI
30 Sep 2002
TL;DR: This 2-ary elliptic curve point multiplication method provides two advantages compared with previous similar side-channel attack countermeasures: It avoids a fixed table, thus reducing potential information leakage available to adversaries; and it is easily parallelizable on two-processor systems, where it provides much improved performance.
Abstract: We present a new 2?-ary elliptic curve point multiplication method with resistance against side-channel attacks. This method provides two advantages compared with previous similar side-channel attack countermeasures: It avoids a fixed table, thus reducing potential information leakage available to adversaries; and it is easily parallelizable on two-processor systems, where it provides much improved performance.

Book ChapterDOI
03 Jul 2002
TL;DR: It is shown that a randomized addition-subtraction chains countermeasure against side channel attacks is vulnerable to SPA attack, a kind of side channel attack, under distinguishability between addition and doubling.
Abstract: We show that a randomized addition-subtraction chains countermeasure against side channel attacks is vulnerable to SPA attack, a kind of side channel attack, under distinguishability between addition and doubling. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. The randomized addition-subtraction chains countermeasure has been proposed by Oswald-Aigner, and is a random decision inserted into computations. However, its immunity to side channel attacks is still controversial. As for timing attack, a kind of side channel attack, the randomized addition-subtraction chains countermeasure is also vulnerable. Moreover, compared with other countermeasures against side channel attacks, the randomized addition-subtraction chains countermeasure, after being improved to prevent side channel attacks, is much slower.

Book ChapterDOI
30 Sep 2002
TL;DR: This paper shows Moller's countermeasure is vulnerable to a second-order differential power analysis attack, and compares the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.
Abstract: Moller proposed a countermeasure using window method against side channel attacks. However, its immunity to side channel attacks is still controversial. In this paper, we show Moller's countermeasure is vulnerable to a second-order differential power analysis attack. A side channel attack is an attack that takes advantage of information leaked during execution of a cryptographic procedure. An nth-order differential power analysis attack is the side channel attack which uses n different leaked data that correspond to n different intermediate values during the execution. Our proposed attack against Moller's countermeasure finds out the use of same elliptic points, and restricts candidates of the secret scalar value. In these circumstances, the attack completely detects the scalar value using Baby-Step-Giant-Step method as a direct-computational attack. For a 160-bit scalar value, the proposed attack restricts the number of candidates of the scalar to a 45-bit integer, and the direct-computational attack can actually detect the scalar value. Besides, we improve Moller's countermeasure to prevent the proposed attack. We compare the original method and improved countermeasure in terms of the computational intractability and the computational cost of the scalar multiplication.

Proceedings Article
21 Nov 2002
TL;DR: In this article, a method based on a self-organizing map is presented to identify the instructions carried out by a processor, using a classical correlation between the power trace and a dictionary.
Abstract: A processor can leak information in different ways. The possibility of attacking smart cards by analyzing their power consumption [Kocher] or their electromagnetic radiations is now commonly accepted [Gandolfi]. A lot of publications recognize the possibility to recover the signature of an instruction in a side channel trace. It seems that no article demonstrates how to automate reverse engineering of software code, using this assumption. Our work describes a method to recognize the instructions carried out by the processor. In a general way, a classifier permits to identify the right or wrong value during the comparison of a pin code or large parts of a software code. On a few micro-controllers, using a classical correlation between the power trace and a dictionary, we show how to identify the CPU's actions. Sometimes, silicon manufacturers hide specific opcodes deliberately. The EM investigation and the template attack demonstrated by IBM, at Cryptographic Hardware and Embedded Systems 2002, rely on multivariate signal processing for electromagnetic and power traces. The method presented in this article is based on a self-organizing map. On a CISC processor, it is then obvious to find a hidden instruction by looking for a hole or a bad construction of the map. The case of pipelined processors is a little bit different: as they decode, execute, and fetch several parts of different opcodes at the same time, it is more difficult to recognize a specific signature.

Posted Content
TL;DR: In this paper, the authors describe and analyze new combinations of multi-exponentiation algorithms with representations of the exponents, which can be used for computing single exponentiations in groups which admit an automorphism satisfying a monic equation of small degree over the integers.
Abstract: We describe and analyze new combinations of multi-exponentiation algorithms with representations of the exponents. We deal mainly but not exclusively with the case where the inversion of group elements is fast: This is true for example for elliptic curves, groups of rational divisor classes of hyperelliptic curves, trace zero varieties and XTR. These methods are most attractive with exponents in the range from 80 to 256 bits, and can also be used for computing single exponentiations in groups which admit an automorphism satisfying a monic equation of small degree over the integers. The choice of suitable exponent representations allows us to match or improve the running time of the best multi-exponentiation techniques in the aforementioned range, while keeping the memory requirements as small as possible. Hence some of the methods presented here are particularly attractive for deployment in memory constrained environments such as smart cards. By construction, such methods provide good resistance against side channel attacks. We also describe some applications of these algorithms.

Book ChapterDOI
18 Feb 2002
TL;DR: It is shown that, paradoxically, what looks like a "universal improvement" or a "straight-forward improvement" which enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem.
Abstract: In this paper we show that, paradoxically, what looks like a "universal improvement" or a "straight-forward improvement" which enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous "improvements". This implies that careful considerations should be given to the fact that an implemented cryptosystem exists within certain operational environments (which may enable certain types of tampering and other observed information channels via faults, side-channel attacks or behavior of system operators). We use our case studies to draw conclusions about certain investigations required in studying implementations and suggested improvements of cryptosystems; looking at them in the context of their operating environments (combined with their potential adversarial settings). We call these investigations observability analysis.

01 Jan 2002
TL;DR: Side channel cryptanalysis has been the speciality of secret services for a long time, but ten years ago the scientific world started contributing to the development of very effective new side channel techniques.
Abstract: Cryptology includes cryptography and cryptanalysis techniques. Cryptography is governed by Kerckhoffs' principles, so any information related to a cryptosystem can be public except the keys. Cryptanalysis is the sum of a lot of very advanced techniques in order to find these keys. The controversy about the Data Encryption Standard security has highly contributed to the development of new cryptanalysis methods based on mathematics. Linear and differential analysis are the most convincing examples. Although these techniques often require great quantities of plain texts and ciphered texts, there are other very powerful methods based on involuntary "information leakage". Indeed a cryptosystem can leak information in various manners, thus significant data can be extracted from physical signals emitted by the ciphering device. Temperature, acoustic waves, electromagnetic radiations, time or light (radiated, laser, infrared, . . . ) are signs which can be extremely dangerous. It is then possible to define side channels. Side channel cryptanalysis has been the speciality of secret services for a long time, but ten years ago the scientific world started contributing to the development of very effective new side channel techniques.

Proceedings Article
21 Nov 2002
TL;DR: It is shown that under certain apparently reasonable hypotheses about the countermeasures in place and the attacker's monitoring equipment, repeated use of the same secret key with the algorithm of Liardet and Smart is insecure against any side channel which leaks enough data to differentiate between the adds and doubles in a single scalar multiplication.
Abstract: In smartcard encryption and signature applications, randomised algorithms are used to increase tamper resistance against attacks based on side channel leakage. Recently several such algorithms have appeared which are suitable for RSA exponentiation and/or ECC point multiplication. We show that under certain apparently reasonable hypotheses about the countermeasures in place and the attacker's monitoring equipment, repeated use of the same secret key with the algorithm of Liardet and Smart is insecure against any side channel which leaks enough data to differentiate between the adds and doubles in a single scalar multiplication. Thus the scalar needs to be blinded in the standard way, or some other suitable counter-measures employed, if the algorithm is to be used safely in such a context.

Book ChapterDOI
13 Aug 2002
TL;DR: In this article, a side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.1.5 and v.2.1 was presented.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext, which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attack on the RSA encryption scheme PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as the examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.

Book ChapterDOI
13 Aug 2002
TL;DR: The MIST exponentiation algorithm is intended for use in embedded crypto-systems to provide protection against power analysis and other side channel attacks, but the number of possible exponents is shown to be still well outside the range of feasible computation in the foreseeable future.
Abstract: The MIST exponentiation algorithm is intended for use in embedded crypto-systems to provide protection against power analysis and other side channel attacks. It generates randomly different addition chains for performing a particular exponentiation. This means that side channel attacks on RSA decryption or signing which require averaging over a number of exponentiation power traces become impossible. However, averaging over digit-by-digit multiplication traces may allow the detection of operand re-use. Although this provides a handle for an attacker by which the exponent search space might be considerably reduced, the number of possible exponents is shown to be still well outside the range of feasible computation in the foreseeable future.

Patent
09 May 2002
TL;DR: In this article, a random slip generator is provided to lessen side channel leakage and thwart timing attacks and power analysis attacks, and additional techniques are provided to make nullified instructions consume power like any other executing instruction.
Abstract: A random slip generator is provided to lessen side channel leakage and thus thwart cryptanalysis attacks, such as timing attacks and power analysis attacks. Random slip generation may be configurable so that the average frequency of random slips generated by the system may be set. Additional techniques are provided to make nullified instructions consume power like any other executing instruction.

Book ChapterDOI
28 Nov 2002
TL;DR: In this paper, some powerful fault attacks are pointed out which can be used to factorize the RSA modulus if CRT is employed to speedup the RSA computation, and the proposed CRT-based fault attacks once again reveals the importance of developing a sound countermeasure against RSA with CRT.
Abstract: In this paper, some powerful fault attacks will be pointed out which can be used to factorize the RSA modulus if CRT is employed to speed up the RSA computation. These attacks are generic and can be applicable to Shamir's countermeasure and also applicable to a recently published enhanced countermeasure (trying to improve Shamir's method) for RSA with CRT. These two countermeasures share some similar structure in their designs and both suffer from some of the proposed attacks. The first kind of attack proposed in this paper is to induce a fault (which can be either a computational fault or any fault when data is being accessed) into an important modulo reduction operation of the above two countermeasures. Note that this hardware fault attack can neither be detected by Shamir's countermeasure nor by the recently announced enhancement. The second kind of attack proposed in this paper considers permanent faults on some stored parameters in the above two countermeasures. The result shows that some permanent faults cannot be detected. Hence, the CRT-based factorization attack still works. The proposed CRT-based fault attacks once again reveal the importance of developing a sound countermeasure against RSA with CRT.

Journal Article
TL;DR: This paper describes a somewhat different kind of side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs, and discusses ways to use this apparently very small leak of information in surprisingly powerful ways.
Abstract: Cryptosystems like AES and triple-DES are designed to encrypt a sequence of input bytes (the plaintext) into a sequence of output bytes (the ciphertext) in such a way that the output carries no information about that plaintext except its length. In recent years, concerns have been raised about "side-channel" attacks on various cryptosystems—attacks that make use of some kind of leaked information about the cryptographic operations (e.g., power consumption or timing) to defeat them. In this paper, we describe a somewhat different kind of side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs. The existence of some information about a compressor's input in the size of its output is obvious; here, we discuss ways to use this apparently very small leak of information in surprisingly powerful ways.

Patent
28 Feb 2002
TL;DR: In this paper, the authors proposed an elliptic curve scalar multiple calculating method capable of preventing a side channel attack and a fault attack by randomizing a given point and performing an elliptical curve calculation independent of a bit value in each bit of the scalar value.
Abstract: PROBLEM TO BE SOLVED: To provide an elliptic curve scalar multiple calculating method capable of preventing a side channel attack and a fault attack. SOLUTION: In this scalar multiple calculating method for calculating a scalar multiple point from a scalar value and a point on an elliptic curve, a side channel attack is prevented by randomizing a given point and performing an elliptic curve calculation independent of a bit value in each bit of the scalar value. As for a fault attack, the fault attack is prevented by restoring the Y coordinate of the scalar multiple point and determining whether the scalar multiple point satisfies a definitional equation. COPYRIGHT: (C) 2003, JPO

Book ChapterDOI
14 Oct 2002
TL;DR: It is shown that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption, and the simple key schedule of certain algorithms combined with the usage of addition might be a serious danger.
Abstract: It is believed that masking is an effective countermeasure against power analysis attacks: before a certain operation involving a key is performed in a cryptographic chip, the input to this operation is combined with a random value. This has to prevent leaking information since the input to the operation is random. We show that this belief might be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, hence masking even helps in the case when we cannot control the plaintext. It can be applied to any round of the encryption. Even with moderate accuracy of measuring power consumption it determines explicitly subkey bits. The attack combines the classical power analysis (over Hamming weight) with the strategy of the saturation attack performed using a random sample. We conclude that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the usage of addition might be a serious danger.

01 Jan 2002
TL;DR: This thesis shows that internal collisions can be caused in the S-Boxes of DES in order to gain information about the secret key-bits and applies the attack against the widely used Data Encryption Standard (DES).
Abstract: Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this thesis a new class of attacks is introduced which uses side channel analysis to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We show that internal collisions can be caused in the S-Boxes of DES in order to gain information about the secret key-bits. As a result, we were able to exploit an internal collision with a minimum of 140 encryptions (averaged over 10,000 keys) yielding 10.2 key-bits. Moreover, we successfully applied the attack to a smart card compatible processor.