You Cannot Hide behind the Mask: Power Analysis on a Provably Secure S-Box Implementation

Pan, Jing; Hartog, J.I. den; Lu, Jiqiang

doi:10.1007/978-3-642-10838-9_14

Cited by 20 publications

(18 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First of all, it has an inherently low security level, because some efficient attacks have reported, such as second-order attacks (that combine two leaking samples in a view to remove their common mask) are very practical. Moreover, there exist efficient techniques, e.g., [34,44], which target the precomputation of MaskedSubBytes. 2.…”

Section: Problemsmentioning

confidence: 99%

Detecting Hidden Leakages

Moradi

Guilley

Heuser

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

show abstract

Section: Problemsmentioning

confidence: 99%

Detecting Hidden Leakages

Moradi

Guilley

Heuser

2014

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…Secondly, some current developments in side-channel cryptanalysis indicate that masking might succumb to a so-called horizontal side-channel attack (see e.g. [20,22]). By targeting the table generation phase of a masking scheme, an attacker may succeed to recover the secret key when the signal-to-noise ratio is low.…”

Section: Limitations Of the Security Proofsmentioning

confidence: 99%

Algorithms for Switching between Boolean and Arithmetic Masking of Second Order

Vadnala

Großschädl

2013

Security, Privacy, and Applied Cryptography Engineering

View full text Add to dashboard Cite

Abstract. Masking is a widely-used countermeasure to thwart Differential Power Analysis (DPA) attacks, which, depending on the involved operations, can be either Boolean, arithmetic, or multiplicative. When used to protect a cryptographic algorithm that performs both Boolean and arithmetic operations, it is necessary to change the masks from one form to the other in order to be able to unmask the secret value at the end of the algorithm. To date, known techniques for conversion between Boolean and arithmetic masking can only resist first-order DPA. This paper presents the first solution to the problem of converting between Boolean and arithmetic masking of second order. To set the context, we show that a straightforward extension of first-order conversion schemes to second order is not possible. Then, we introduce two algorithms to convert from Boolean to arithmetic masking based on the second-order provably secure S-box output computation method proposed by Rivain et al (FSE 2008). The same can be used to obtain second-order secure arithmetic to Boolean masking. We prove the security of our conversion algorithms using similar arguments as Rivain et al. Finally, we provide implementation results of the algorithms on three different platforms.

show abstract

“…This method is called masking, and its major advantage with respect to this work is that it can be implemented using standard EDA software. However the recent research discovered a mathematical modification of power analysis that can break the masking approach [10].…”

Section: Types Of Attacks and Countermeasuresmentioning

confidence: 99%

Secure Design Flow for Asynchronous Multi-valued Logic Circuits

Rafiev

Murphy

Yakovlev

2010

2010 40th IEEE International Symposium on Multiple-Valued Logic

View full text Add to dashboard Cite

Abstract-The purpose of secure devices such as smartcards is to protect secret information against software and hardware attacks. Implementation of the appropriate protection techniques often implies non-standard methods that are not supported by the conventional design tools. In the recent decade the designers of secure devices have been working hard on customising the workflow. The presented research aims to collect the up-to-date experiences in this area and create a generic approach to the secure design flow that can be used as guidance by engineers.In the presented paper the emphasis is put on multi-valued logic synthesis and asynchronous system design. The proposed flow employs the tool based on higher radix and mixed radix Reed-Muller expansions [1], power-balanced logic component libraries and TiDE design environment [2]. The challenge of the research here is interfacing between different EDA tools and technologies. An example is also presented and described from the view of the system designer.

show abstract

You Cannot Hide behind the Mask: Power Analysis on a Provably Secure S-Box Implementation

Cited by 20 publications

References 12 publications

Detecting Hidden Leakages

Detecting Hidden Leakages

Algorithms for Switching between Boolean and Arithmetic Masking of Second Order

Secure Design Flow for Asynchronous Multi-valued Logic Circuits

Contact Info

Product

Resources

About