New Type of Collision Attack on First-Order Masked AESs

Kim, Hee Seok; Hong, Seokhie

doi:10.4218/etrij.16.0114.0854

Cited by 5 publications

(4 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The mainly handled data is the masking value. This phase is a good target for horizontal correlation attacks [29,30]. However, this attack can effectively cope with shuffling and dummy operations.…”

Section: Security Analysis and Soundness Of Algorithmmentioning

confidence: 99%

Lightweight Conversion from Arithmetic to Boolean Masking for Embedded IoT Processor

2019

Self Cite

View full text Add to dashboard Cite

A masking method is a widely known countermeasure against side-channel attacks. To apply a masking method to cryptosystems consisting of Boolean and arithmetic operations, such as ARX (Addition, Rotation, XOR) block ciphers, a masking conversion algorithm should be used. Masking conversion algorithms can be classified into two categories: "Boolean to Arithmetic (B2A)" and "Arithmetic to Boolean (A2B)". The A2B algorithm generally requires more execution time than the B2A algorithm. Using pre-computation tables, the A2B algorithm substantially reduces its execution time, although it requires additional space in RAM. In CHES2012, B. Debraize proposed a conversion algorithm that somewhat reduced the memory cost of using pre-computation tables. However, they still require (2 (k+1) ) entries of length (k + 1)-bit where k denotes the size of the processed data. In this paper, we propose a low-memory algorithm to convert A2B masking that requires only (2 k )(k)-bit. Our contributions are three-fold. First, we specifically show how to reduce the pre-computation table from (k + 1)-bit to (k)-bit, as a result, the memory use for the pre-computation table is reduced from (2 (k+1) )(k + 1)-bit to (2 k )(k)-bit. Second, we optimize the execution times of the pre-computation phase and the conversion phase, and determine that our pre-computation algorithm requires approximately half of the operations than Debraize's algorithm. The results of the 8/16/32-bit simulation show improved speed in the pre-computation phase and the conversion phase as compared to Debraize's results. Finally, we verify the security of the algorithm against side-channel attacks as well as the soundness of the proposed algorithm.the algorithm) and the processed value (the value that is actually processed by the device) by using random numbers. The typical types of masking methods include Boolean masking and arithmetic masking [8]. Boolean masking uses an XOR (exclusive or) to blind values such as x = x ⊕ r, and arithmetic masking uses an algebraic operation such as A = (x − r) mod 2 k .These two types of masking should be selectively used for cryptographic algorithms that consist of Boolean and arithmetic operations such as ARX (Addition, Rotation, XOR) block ciphers [9][10][11], cryptographic hash functions [12,13], and stream ciphers [14]. In general, Boolean operations (AND, XOR, SHIFT, etc.) and arithmetic operations (Addition, Subtraction, Multiplication, etc.) can be efficiently computed using Boolean masking and arithmetic masking, respectively; however, it is very difficult to execute arithmetic operations in Boolean masking and to execute Boolean operations in arithmetic masking. This problem can be easily solved using a masking conversion algorithm between Boolean and arithmetic masking. Related WorkThe first masking conversion algorithm to counteract first-order DPA was proposed by L. Goubin in 2001 [15]. This conversion algorithm from Boolean to arithmetic masking (B2A) has been elaborately implemented without any improvements made upon it. I...

show abstract

Section: Security Analysis and Soundness Of Algorithmmentioning

confidence: 99%

Lightweight Conversion from Arithmetic to Boolean Masking for Embedded IoT Processor

2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…As an international block cipher algorithm, AES is widely used in the field of information security for its high key sensitivity, short build time and low memory requirements. However, the Collision Attack (CA) technology developed in recent years can quickly recover the key of AES, and has brought great challenges to the security of AES circuits [1,2,3,4,5,6,7,8,9].…”

Section: Introductionmentioning

confidence: 99%

A new method for resisting collision attack based on parallel random delay S-box

Fang

Zhang

et al. 2019

IEICE Electron. Express

View full text Add to dashboard Cite

Collision Attack (CA) has posed a huge threat to the security of AES circuit. To protect sensitive information, it's necessary to do research on defense strategy of CA. This letter proposes a new method to defense CA through the implementation of random delay based parallel S-box. It can destroy the consistency of the power consumption curves, confuse the judgment of the collision and the setting of the collision threshold to achieve the goal of resisting the CA. Compared to the well-known random mask method and other CA countermeasures, our strategy can defense CA without changing the AES round transformation architecture and bring extra resource overhead.

show abstract

“…These attacks pose a very serious threat to embedded systems with cryptographic algorithms. There has been a great deal of effort put into finding various SCAs and developing secure counter-measures, recently [3][4][5][6][7][8][9][10][11][12][13][14][15][16].This special issue has been organized to provide a possibility for researchers in the area of SCAs to highlight the most recent and exciting technologies. The research papers selected for this special issue represent recent progress in the field, including power analysis attacks [17][18][19], cache-based timing attacks , system-level counter-measures [42][43][44][45][46][47][48], and so on [49][50][51][52][53][54][55][56][57][58][59][60].…”

mentioning

confidence: 99%