scholarly journals A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks

2009 ◽  
pp. 443-461 ◽  
Author(s):  
François-Xavier Standaert ◽  
Tal G. Malkin ◽  
Moti Yung
Keyword(s):  
Side Channel ◽  
Unified Framework ◽  
Key Recovery ◽  
Key Recovery Attacks

scholarly journals Efficient Side-Channel Secure Message Authentication with Better Bounds

2020 ◽  
pp. 23-53
Author(s):  
Chun Guo ◽  
François-Xavier Standaert ◽  
Weijia Wang ◽  
Yu Yu
Keyword(s):  
Time Complexity ◽  
Side Channel ◽  
Message Authentication ◽  
Security Threat ◽  
Cryptographic Primitives ◽  
Key Recovery ◽  
Leakage Resilience ◽  
Authentication Schemes ◽  
Key Recovery Attacks ◽  
Provably Secure

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm T = TGenK(H(M)). When the domain of the MAC function TGenK is {0, 1}128, e.g., when instantiated with the AES, forgery is possible within time 264 and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) 278.3 time complexity, while RHM is provably secure up to 2121 time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.

Evaluation of Side-Channel Key-Recovery Attacks on LoRaWAN End-Device

2020 ◽  
pp. 74-92
Author(s):  
Kazuhide Fukushima ◽  
Damien Marion ◽  
Yuto Nakano ◽  
Adrien Facon ◽  
Shinsaku Kiyomoto ◽  
...  
Keyword(s):  
Side Channel ◽  
Key Recovery ◽  
Key Recovery Attacks

scholarly journals Speed Optimizations in Bitcoin Key Recovery Attacks

2016 ◽  
Vol 67 (1) ◽  
pp. 55-68 ◽  
Author(s):  
Nicolas Courtois ◽  
Guangyan Song ◽  
Ryan Castellucci
Keyword(s):  
Elliptic Curve ◽  
State Of The Art ◽  
The State ◽  
Side Channel ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attacks

Abstract In this paper, we study and give the first detailed benchmarks on existing implementations of the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies. Our implementation improves the state of the art by a factor of 2.5 with a focus on the cases, where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation. We also give some examples of passwords which we have cracked, showing that brain wallets are not secure in practice even for quite complex passwords.

scholarly journals Tightness of the Suffix Keyed Sponge Bound

2020 ◽  
pp. 195-212
Author(s):  
Christoph Dobraunig ◽  
Bart Mennink
Keyword(s):  
Side Channel ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Security Proofs ◽  
Generic Attacks ◽  
Key Recovery Attacks ◽  
Security Bound

Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.

scholarly journals Leakage Detection with the x2-Test

2018 ◽  
pp. 209-237 ◽  
Author(s):  
Amir Moradi ◽  
Bastian Richter ◽  
Tobias Schneider ◽  
François-Xavier Standaert
Keyword(s):  
Black Box ◽  
Higher Order ◽  
T Test ◽  
Statistical Moments ◽  
Side Channel ◽  
Leakage Detection ◽  
Key Recovery ◽  
Detection Techniques ◽  
The Moment ◽  
Key Recovery Attacks

We describe how Pearson’s χ2-test can be used as a natural complement to Welch’s t-test for black box leakage detection. In particular, we show that by using these two tests in combination, we can mitigate some of the limitations due to the moment-based nature of existing detection techniques based on Welch’s t-test (e.g., for the evaluation of higher-order masked implementations with insufficient noise). We also show that Pearson’s χ2-test is naturally suited to analyze threshold implementations with information lying in multiple statistical moments, and can be easily extended to a distinguisher for key recovery attacks. As a result, we believe the proposed test and methodology are interesting complementary ingredients of the side-channel evaluation toolbox, for black box leakage detection and non-profiled attacks, and as a preliminary before more demanding advanced analyses.

scholarly journals Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Wenqin Cao ◽  
Wentao Zhang
Keyword(s):  
Time Complexity ◽  
Block Ciphers ◽  
Linear Cryptanalysis ◽  
Compression Technique ◽  
Key Recovery ◽  
Linear Approximations ◽  
Theoretical Advantage ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis ◽  
Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

scholarly journals Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

2007 ◽  
pp. 13-30 ◽  
Author(s):  
Pierre-Alain Fouque ◽  
Gaëtan Leurent ◽  
Phong Q. Nguyen
Keyword(s):  
Key Recovery ◽  
Key Recovery Attacks
Sign in / Sign up

Export Citation Format

Share Document