Template attack on masking AES based on fault sensitivity analysis

Wang, Qian; Wang, An; Wu, Liji; Qu, Gang; Zhang, Guoshuang

doi:10.1109/hst.2015.7140245

Cited by 5 publications

(4 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In HOST 2015, Wang et al [19] gave the definition of right or wrong collision (RW collision for short), and employed it for a template-based fault attack.…”

Section: Template Attack Based On Right or Wrong Collision Ratementioning

confidence: 99%

“…And the cost in offline stage will be very little since the only computation module consists of two comparators and a counter. From another point of view, template-based RW collision rate attack [19] costs many pre-encryptions on template setup and plaintext choice. So, we try to construct a collision attack to avoid the profiling process.…”

Section: Basic Ideamentioning

confidence: 99%

“…Even if the attacker want to compute the RW collision probability, only one division may be computed. Table 1 The efficiency comparisons of six methods for finding a collision Item CEPA [15] CCPA [8] CTC [16] FRA [17] T-RWCRA [19] This paper…”

Section: Efficiency Comparisonmentioning

confidence: 99%

“…In 2013, the fault rate induced by the clock glitch is employed for collision detection on masked AES S-boxes [17]. Soon after, some other models are discussed [18,19].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Right or wrong collision rate analysis without profiling: full-automatic collision fault attack

Wang

Tian

Wang

et al. 2017

Sci. China Inf. Sci.

Self Cite

View full text Add to dashboard Cite

In CHES 2010, Fault Sensitivity Analysis (FSA) on Advanced Encryption Standard (AES) hardware circuit based on S-box setup-time acquired by injecting clock glitches is proposed. Soon after, some improvements of FSA were presented such as colliding timing characteristics from Moradi et al. However, the acquisition of timing characteristics requires complex procedure due to the very gradual decrease of clock glitch cycle and the heavy requirements of setup-time samples. In HOST 2015, Wang et al. presented template-based right or wrong collision rate attack to improve the efficiency of FSA, but its profiling and plaintexts-choice procedures required too many encryptions. In this paper, we fix only one specific clock glitch cycle, and take the right or wrong collision rate as a collision distinguisher. So, the whole process is a non-profiling collision attack which can be executed automatically without massive pre-computations and interactions between PC and signal generator. According to the experiments, 256 encryptions are enough for exactly deciding whether two plaintext bytes can induce an S-box collision. Compared with the existing power analysis and FSA-based attacks on AES hardware, it costs negligible time (about 6.65 s) and storage space (only one byte), and no offline computations for finding the collision between two masked S-boxes. Furthermore, our study shows that the signal-to-noise ratio in FSA-based attacks is much higher than power-based attacks.

show abstract

“…In HOST 2015, Wang et al [19] gave the definition of right or wrong collision (RW collision for short), and employed it for a template-based fault attack.…”

Section: Template Attack Based On Right or Wrong Collision Ratementioning

confidence: 99%

Section: Basic Ideamentioning

confidence: 99%

Section: Efficiency Comparisonmentioning

confidence: 99%

“…In 2013, the fault rate induced by the clock glitch is employed for collision detection on masked AES S-boxes [17]. Soon after, some other models are discussed [18,19].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations