Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations

Mangard, Stefan; Schramm, Kai

doi:10.1007/11894063_7

Cited by 84 publications

(58 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is known that glitches can defeat masking schemes [30,29,31]. Some masking schemes which somehow tolerate [21,36,40,22] or avoid glitches [28,32] have been put forward.…”

Section: (B))mentioning

confidence: 99%

Codes for Side-Channel Attacks and Protections

Guilley

Heuser

Rioul

2017

Codes, Cryptology and Information Security

View full text Add to dashboard Cite

Abstract. This article revisits side-channel analysis from the standpoint of coding theory. On the one hand, the attacker is shown to apply an optimal decoding algorithm in order to recover the secret key from the analysis of the side-channel. On the other hand, the side-channel protections are presented as a coding problem where the information is mixed with randomness to weaken as much as possible the sensitive information leaked into the side-channel. Therefore, the field of side-channel analysis is viewed as a struggle between a coder and a decoder. In this paper, we focus on the main results obtained through this analysis. In terms of attacks, we discuss optimal strategy in various practical contexts, such as type of noise, dimensionality of the leakage and of the model, etc. Regarding countermeasures, we give a formal analysis of some masking schemes, including enhancements based on codes contributed via fruitful collaborations with Claude Carlet.

show abstract

“…It is known that glitches can defeat masking schemes [30,29,31]. Some masking schemes which somehow tolerate [21,36,40,22] or avoid glitches [28,32] have been put forward.…”

Section: (B))mentioning

confidence: 99%

Codes for Side-Channel Attacks and Protections

Guilley

Heuser

Rioul

2017

Codes, Cryptology and Information Security

View full text Add to dashboard Cite

show abstract

“…Another well known illustration of the default of the probing security model has been given in [MPG05,MS06] where it is shown that glitches 5 enable successful attacks against theoretically sound masked implementations due to unsatisfactory leakage modeling. In a series of works, the concept of Threshold Implementations (TI) has been introduced (see e.g.…”

Section: Algorithm 16 Twomatrixquadraticmentioning

confidence: 99%

“…The application of this work to the AES SBox led the authors of [GPS14] to describe a scheme which can be secure at any order n and is a valuable alternative to the scheme proposed in [RP10]. In parallel, some schemes [BGN + 14, NRS11, PR11] have been proposed which remain secure in the probing model even in presence of so-called glitches [MS06] and the recent work [RBN + 15] has investigated relations between these schemes and the ISW construction.…”

Section: Introductionmentioning

confidence: 99%

Faster Evaluation of SBoxes via Common Shares

Coron

Greuet

Prouff

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We describe a new technique for improving the efficiency of the masking countermeasure against side-channel attacks. Our technique is based on using common shares between secret variables, in order to reduce the number of finite field multiplications. Our algorithms are proven secure in the ISW probing model with n t + 1 shares against t probes. For AES, we get an equivalent of 2.8 nonlinear multiplications for every SBox evaluation, instead of 4 in the Rivain-Prouff countermeasure. We obtain similar improvements for other block-ciphers. Our technique is easy to implement and performs relatively well in practice, with roughly a 20% speed-up compared to existing algorithms.

show abstract

“…The energy consumption E g ((a, b),(x, y)) has to be substituted by the expected value [17] pin-pointed that the XOR gates in masked gates are responsible for the correlation between power consumption and the value of q. In the common mask multiplier (Fig.…”

Section: Masking On Gate Level As Countermeasurementioning

confidence: 99%

“…A detailed theoretical analysis and some practical experimental results on DPA attacks by Mangard et al [16], reported that all proposed masked gates are vulnerable to powerbased side-channel leakage in the presence of glitches. This publication and there after [17] shows that the AES implementation based on masked gates are not without threats. The first successful masked AES S-box was broken by Mangard et al [5].…”

mentioning

confidence: 93%

Effect of glitches against masked AES S-box implementation and countermeasure

Alam

Ghosh

Mohan

et al. 2009

IET Information Security

View full text Add to dashboard Cite

Masking of gates is one of the most popular techniques to prevent differential power analysis (DPA) of AES algorithm. It has been shown that the logic circuits used in the implementation of cryptographic algorithms leak side-channel information inspite of masking, which can be exploited, in differential power attacks. The phenomenon in CMOS circuits responsible for the leakage of masked circuits is known as glitching. Motivated by this fact, the authors analyse the effect of glitches in CMOS circuits against masked implementation of the AES S-box. The authors explicitly demonstrate that glitches do not affect always. There exists a relation between combinational path delay of the circuit and timing difference of input vectors to the circuit, which has a bearance on the amount of information leaked by the masked gates. A balanced masked S-box circuit is proposed where the inputs are synchronised by sequential components. Detailed SPICE results are shown to support the claim that the modifications indeed reduce the vulnerability of the masked AES S-box against DPA attacks.

show abstract

Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations

Cited by 84 publications

References 21 publications

Codes for Side-Channel Attacks and Protections

Codes for Side-Channel Attacks and Protections

Faster Evaluation of SBoxes via Common Shares

Effect of glitches against masked AES S-box implementation and countermeasure

Contact Info

Product

Resources

About