DPA Countermeasure Based on the “Masking Method”

Itoh, Kazuya; Takenaka, Masahiko; Torii, Naoya

doi:10.1007/3-540-45861-1_33

Cited by 28 publications

(25 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Since these results did not represent the energy dissipation of the memory, and since it is well known that memory energy dissipation is significant and often dominates, an analysis was performed with static RAM models from [11]. For example with (1/5) th the number of masks, [13] …”

Section: Differential Em Results For Rijndaelmentioning

confidence: 99%

“…The proposed split mask countermeasure stores randomly masked data in the S-box (masked S-box table, S' [x]). Unlike previous research [13,14] Then one would merge them as : t0 = t0a+ t0b and t0=t0 + rki (where t0 value is then combined with the masked round key for input to the next set of tables, which may also have masked inputs). A similar implementation for DES and other cryptographic algorithms is also possible.…”

Section: Appendix: Split Mask Countermeasurementioning

confidence: 99%

See 1 more Smart Citation

EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA

Gebotys

Tiu

2005

Cryptographic Hardware and Embedded Systems – CHES 2005

View full text Add to dashboard Cite

Abstract. Although many wireless portable devices offer more resistance to bus probing and power analysis due to their compact size, susceptibility to electromagnetic (EM) attacks must be analyzed. This paper demonstrates, for the first time, a real EM-based attack on a PDA running Rijndael and elliptic curve cryptography. A new frequency-based differential EM analysis, which computes the spectrogram, is presented. Additionally a low energy countermeasure for symmetric key cryptography is presented which avoids large overheads of table regeneration or excessive storage. Unlike previous research the new differential analysis does not require perfect alignment of EM traces, thus supporting attacks on real embedded systems. This research is important for future wireless embedded systems which will increasingly demand higher levels of security.

show abstract

Section: Differential Em Results For Rijndaelmentioning

confidence: 99%

Section: Appendix: Split Mask Countermeasurementioning

confidence: 99%

EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA

Gebotys

Tiu

2005

Cryptographic Hardware and Embedded Systems – CHES 2005

View full text Add to dashboard Cite

show abstract

“…This so-called masking of the intermediate results counteracts first-order DPA attacks and is usually used, when the AES is implemented in software on a standard smart-card processor. There are several recent publications (see [2], [11], [12] and [24]) that describe various masking strategies for the AES. However, it is important to outline that the currently proposed masking strategies do not provide any protection to the implementation of the AES key expansion.…”

Section: Introductionmentioning

confidence: 99%

A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion

Mangard

2003

Lecture Notes in Computer Science

106

View full text Add to dashboard Cite

Abstract. This article presents a simple power-analysis (SPA) attack on implementations of the AES key expansion. The attack reveals the secret key of AES software implementations on smart cards by exploiting the fact that the power consumption of most smart-card processors leaks information during the AES key expansion. The presented attack efficiently utilizes this information leakage to substantially reduce the key space that needs to be considered in a brute-force search for the secret key. The details of the attack are described on the basis of smart cards that leak the Hamming weight of intermediate results occurring during the AES key expansion.

show abstract

“…This solution extends the original split mask countermeasure so that the masks at the inputs of S-boxes are no longer fixed. They are generated randomly or selected from a pregenerated set of masks as in [16] after a large number of algorithm executions, which is less than the number of acquisitions required for the successful DPA attack.…”

Section: Attacks On the Strengthened Methodsmentioning

confidence: 99%

“…Ways of reducing the amount of precomputations and memory while keeping resistance to higher order DPA are a target of recent research. For example, Itoh et al [16] suggested using a limited set of masks, so that all possible masked lookup tables can be precomputed once and stored in memory, thus avoiding recomputations at all.…”

Section: Introductionmentioning

confidence: 99%

Analysis of the split mask countermeasure for embedded systems

Coron

Kizhvatov

2009

Proceedings of the 4th Workshop on Embedded Systems Security

View full text Add to dashboard Cite

We analyze a countermeasure against differential power and electromagnetic attacks that was recently introduced under the name of split mask. We show a general weakness of the split mask countermeasure that makes standard DPA attacks with a full key recovery applicable to masked AES and DES implementations. Complexity of the attacks is the same as for unmasked implementations. We implement the most efficient attack on an 8-bit AVR microcontroller. We also show that the strengthened variant of the countermeasure is susceptible to a second order DPA attack independently of the number of used mask tables.

show abstract

DPA Countermeasure Based on the “Masking Method”

Cited by 28 publications

References 9 publications

EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA

EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA

A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion

Analysis of the split mask countermeasure for embedded systems

Contact Info

Product

Resources

About