Improved Timing Attacks against the Secret Permutation in the McEliece PKC

In this paper, we detail two side-channel attacks against the McEliece public-key cryptosystem. They are exploiting timing differences on the Patterson decoding algorithm in order to reveal one part of the secret key: the support permutation. The first one is improving two existing timing attacks and uses the correlation between two different steps of the decoding algorithm. This improvement can be deployed on all error-vectors with Hamming weight smaller than a quarter of the minimum distance of the code. The second attack targets the evaluation of the error locator polynomial and succeeds on several different decoding algorithms. We also give an appropriate countermeasure.

Download Full-text

Efficiency through Diversity in Ensemble Models applied to Side-Channel Attacks

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i3.60-96 ◽

2021 ◽

pp. 60-96

Author(s):

Gabriel Zaid ◽

Lilian Bossuet ◽

Amaury Habrard ◽

Alexandre Venelli

Keyword(s):

Deep Learning ◽

Model Performance ◽

Public Key ◽

Side Channel ◽

Ensemble Model ◽

Secret Key ◽

Side Channel Attacks ◽

Ensemble Models ◽

Remaining Time ◽

Multiple Scenarios

Deep Learning based Side-Channel Attacks (DL-SCA) are considered as fundamental threats against secure cryptographic implementations. Side-channel attacks aim to recover a secret key using the least number of leakage traces. In DL-SCA, this often translates in having a model with the highest possible accuracy. Increasing an attack’s accuracy is particularly important when an attacker targets public-key cryptographic implementations where the recovery of each secret key bits is directly related to the model’s accuracy. Commonly used in the deep learning field, ensemble models are a well suited method that combine the predictions of multiple models to increase the ensemble accuracy by reducing the correlation between their errors. Linked to this correlation, the diversity is considered as an indicator of the ensemble model performance. In this paper, we propose a new loss, namely Ensembling Loss (EL), that generates an ensemble model which increases the diversity between the members. Based on the mutual information between the ensemble model and its related label, we theoretically demonstrate how the ensemble members interact during the training process. We also study how an attack’s accuracy gain translates to a drastic reduction of the remaining time complexity of a side-channel attacks through multiple scenarios on public-key implementations. Finally, we experimentally evaluate the benefits of our new learning metric on RSA and ECC secure implementations. The Ensembling Loss increases by up to 6.8% the performance of the ensemble model while the remaining brute-force is reduced by up to 222 operations depending on the attack scenario.

Download Full-text

A CUBIC EL-GAMAL ENCRYPTION SCHEME BASED ON LUCAS SEQUENCE AND ELLIPTIC CURVE

Advances in Mathematics: Scientific Journal ◽

10.37418/amsj.10.11.5 ◽

2021 ◽

Vol 10 (11) ◽

pp. 3439-3447

Author(s):

T. J. Wong ◽

L. F. Koo ◽

F. H. Naning ◽

A. F. N. Rasedee ◽

M. M. Magiman ◽

...

Keyword(s):

Elliptic Curve ◽

Elliptic Curve Cryptography ◽

Mathematical Problem ◽

Public Key ◽

Public Key Cryptosystem ◽

Encryption Scheme ◽

Secret Key ◽

Chosen Plaintext Attack ◽

The Public ◽

Lucas Sequence

The public key cryptosystem is fundamental in safeguard communication in cyberspace. This paper described a new cryptosystem analogous to El-Gamal encryption scheme, which utilizing the Lucas sequence and Elliptic Curve. Similar to Elliptic Curve Cryptography (ECC) and Rivest-Shamir-Adleman (RSA), the proposed cryptosystem requires a precise hard mathematical problem as the essential part of security strength. The chosen plaintext attack (CPA) was employed to investigate the security of this cryptosystem. The result shows that the system is vulnerable against the CPA when the sender decrypts a plaintext with modified public key, where the cryptanalyst able to break the security of the proposed cryptosystem by recovering the plaintext even without knowing the secret key from either the sender or receiver.

Download Full-text

Power-Balancing Software Implementation to Mitigate Side-Channel Attacks without Using Look-Up Tables

Applied Sciences ◽

10.3390/app10072454 ◽

2020 ◽

Vol 10 (7) ◽

pp. 2454

Author(s):

HanBit Kim ◽

HeeSeok Kim ◽

Seokhie Hong

Keyword(s):

Software Implementation ◽

Side Channel ◽

Random Numbers ◽

Hamming Weight ◽

Side Channel Attacks ◽

Power Balancing

With the increasing number of side-channel attacks, countermeasure designers continue to develop various implementations to address such threats. Power-balancing (PB) methods hold the number of 1s and/or transitions (i.e., Hamming weight/distance) of internal processes constant to ensure side-channel safety in an environment in which it is difficult to use random numbers. Most existing studies employed look-up tables (LUTs) to compute those operations, except for XOR and NOT operations. However, LUT-based schemes exhibit some side-channel issues in the address bits of LUTs. In this paper, we propose the application of AND and ADD operations to PB methods based on a rule that encodes 8-bit data into a 32-bit codeword without using LUTs. Unlike previous studies that employed LUTs, our proposals overcome side-channel vulnerabilities associated with the address bits and memory wastage. In addition, we evaluate the side-channel security ensured by the proposed method in comparison with that ensured by other methods. Finally, we apply our methods to SIMON/SPECK ciphers and analyze their performance by comparing them with older schemes.

Download Full-text

An Improved Montgomery Window Algorithm on Modular Exponentiation Secure against Side Channel Attacks

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.392.862 ◽

2013 ◽

Vol 392 ◽

pp. 862-866

Author(s):

Mu Han ◽

Jia Zhao ◽

Shi Dian Ma

Keyword(s):

Public Key Cryptography ◽

Public Key ◽

Side Channel ◽

Modular Exponentiation ◽

Side Channel Attacks ◽

The Core

As one of the core algorithms in most public key cryptography, modular exponentiation has a flaw of its efficiency, which often uses the Montgomerys algorithm to realize the fast operation. But the Montgomerys algorithm has the issue of side channel leakage from the final conditional subtraction. Aiming at this problem, this paper presents an improved fast Montgomery window algorithm. The new algorithm generates the remainder table with odd power to reduce the amount of pre-computation, and combines with the improved Montgomerys algorithm to realize modular exponentiation, which can accelerate the speed and reduce the side channel leakage. The new algorithm cant only thwart side channel attacks, but also improve the efficiency.

Download Full-text

Lattice-Based Linearly Homomorphic Signature Scheme over F 2

Security and Communication Networks ◽

10.1155/2020/8857815 ◽

2020 ◽

Vol 2020 ◽

pp. 1-7

Author(s):

Jie Cai ◽

Han Jiang ◽

Hao Wang ◽

Qiuliang Xu

Keyword(s):

Public Key ◽

Side Channel ◽

Signature Scheme ◽

Side Channel Attacks ◽

Sampling Function ◽

Uniform Sampling ◽

Restricted Condition ◽

Gaussian Sampling

In this paper, we design a new lattice-based linearly homomorphic signature scheme over F 2 . The existing schemes are all constructed based on hash-and-sign lattice-based signature framework, where the implementation of preimage sampling function is Gaussian sampling, and the use of trapdoor basis needs a larger dimension m ≥ 5 n log q . Hence, they cannot resist potential side-channel attacks and have larger sizes of public key and signature. Under Fiat–Shamir with aborting signature framework and general SIS problem restricted condition m ≥ n log q , we use uniform sampling of filtering technology to design the scheme, and then, our scheme has a smaller public key size and signature size than the existing schemes and it can resist side-channel attacks.

Download Full-text

Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM9

Security and Communication Networks ◽

10.1155/2018/9701756 ◽

2018 ◽

Vol 2018 ◽

pp. 1-14 ◽

Cited By ~ 2

Author(s):

Qi Zhang ◽

An Wang ◽

Yongchuan Niu ◽

Ning Shang ◽

Rixin Xu ◽

...

Keyword(s):

Main Part ◽

Digital Certificate ◽

Side Channel ◽

Cyber Physical System ◽

Secret Key ◽

Side Channel Attacks ◽

Fault Attack ◽

Private Key ◽

Cryptographic Algorithm ◽

Identity Based

Identity-based cryptographic algorithm SM9, which has become the main part of the ISO/IEC 14888-3/AMD1 standard in November 2017, employs the identities of users to generate public-private key pairs. Without the support of digital certificate, it has been applied for cloud computing, cyber-physical system, Internet of Things, and so on. In this paper, the implementation of SM9 algorithm and its Simple Power Attack (SPA) are discussed. Then, we present template attack and fault attack on SPA-resistant SM9. Our experiments have proved that if attackers try the template attack on an 8-bit microcontrol unit, the secret key can be revealed by enabling the device to execute one time. Fault attack even allows the attackers to obtain the 256-bit key of SM9 by performing the algorithm twice and analyzing the two different results. Accordingly, some countermeasures to resist the three kinds of attacks above are given.

Download Full-text

An Efficient Correlation Power Analysis Attack Using Variational Mode Decomposition

JST: Smart Systems and Devices ◽

10.51316/jst.150.ssad.2021.31.1.3 ◽

2020 ◽

Vol 31 (1) ◽

pp. 17-25

Keyword(s):

Power Analysis ◽

Side Channel ◽

Variational Mode Decomposition ◽

Secret Key ◽

Intrinsic Mode Functions ◽

Side Channel Attacks ◽

Mode Decomposition ◽

Noisy Conditions ◽

Correlation Power Analysis ◽

Evaluation Board

Side channel attacks (SCAs) are now a real threat to cryptographic devices and correlation power analysis (CPA) is the most powerful attack. So far, a CPA attack usually exploits the leakage information from raw power consumption traces that collected from the attack device. In real attack scenarios, these traces collected from measurement equipment are usually contaminated by noise resulting in a decrease in attack efficiency. In this paper, we propose a variant CPA attack that exploits the leakage information from intrinsic mode functions (IMFs) of the power traces. These IMFs are the results of the variational mode decomposition (VMD) process on the raw power traces. This attack technique decreases the number of power traces for correctly recovering the secret key by approximately 13% in normal conditions and 60% in noisy conditions compared to a traditional CPA attack. Experiments were performed on power traces of AES-128 implemented in both microcontroller and FPGA by Sakura-G/W side channel evaluation board to verify the effectiveness of our method.

Download Full-text

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2019.i4.180-212 ◽

2019 ◽

pp. 180-212 ◽

Cited By ~ 1

Author(s):

Bo-Yeon Sim ◽

Jihoon Kwon ◽

Kyu Young Choi ◽

Jihoon Cho ◽

Aesun Park ◽

...

Keyword(s):

Power Consumption ◽

Power Analysis ◽

Cyclic Code ◽

Linear Equations ◽

Constant Time ◽

Side Channel ◽

Parity Check ◽

Side Channel Attacks ◽

Timing Attacks ◽

Code Based Cryptography

Chou suggested a constant-time implementation for quasi-cyclic moderatedensity parity-check (QC-MDPC) code-based cryptography to mitigate timing attacks at CHES 2016. This countermeasure was later found to become vulnerable to a differential power analysis (DPA) in private syndrome computation, as described by Rossi et al. at CHES 2017. The proposed DPA, however, still could not completely recover accurate secret indices, requiring further solving linear equations to obtain entire secret information. In this paper, we propose a multiple-trace attack which enables to completely recover accurate secret indices. We further propose a singletrace attack which can even work when using ephemeral keys or applying Rossi et al.’s DPA countermeasures. Our experiments show that the BIKE and LEDAcrypt may become vulnerable to our proposed attacks. The experiments are conducted using power consumption traces measured from ChipWhisperer-Lite XMEGA (8-bit processor) and ChipWhisperer UFO STM32F3 (32-bit processor) target boards.

Download Full-text

Generic Side-channel attacks on CCA-secure lattice-based PKE and KEMs

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i3.307-335 ◽

2020 ◽

pp. 307-335 ◽

Cited By ~ 2

Author(s):

Prasanna Ravi ◽

Sujoy Sinha Roy ◽

Anupam Chattopadhyay ◽

Shivam Bhasin

Keyword(s):

Experimental Validation ◽

Error Correcting Codes ◽

Public Key ◽

Side Channel ◽

Public Key Encryption ◽

Side Channel Attacks ◽

Key Recovery ◽

Binary Information ◽

Channel Information ◽

Standardization Process

In this work, we demonstrate generic and practical EM side-channel assisted chosen ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform which leaks information about decrypted messages applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key-recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack.

Download Full-text

Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2019.i2.107-131 ◽

2019 ◽

pp. 107-131 ◽

Cited By ~ 4

Author(s):

Benjamin Timon

Keyword(s):

Neural Networks ◽

Sensitivity Analysis ◽

Deep Learning ◽

New Method ◽

Invariance Property ◽

Side Channel ◽

Translation Invariance ◽

Secret Key ◽

Side Channel Attacks ◽

Learning Techniques

Deep Learning has recently been introduced as a new alternative to perform Side-Channel analysis [MPP16]. Until now, studies have been focused on applying Deep Learning techniques to perform Profiled Side-Channel attacks where an attacker has a full control of a profiling device and is able to collect a large amount of traces for different key values in order to characterize the device leakage prior to the attack. In this paper we introduce a new method to apply Deep Learning techniques in a Non-Profiled context, where an attacker can only collect a limited number of side-channel traces for a fixed unknown key value from a closed device. We show that by combining key guesses with observations of Deep Learning metrics, it is possible to recover information about the secret key. The main interest of this method is that it is possible to use the power of Deep Learning and Neural Networks in a Non-Profiled scenario. We show that it is possible to exploit the translation-invariance property of Convolutional Neural Networks [CDP17] against de-synchronized traces also during Non-Profiled side-channel attacks. In this case, we show that this method can outperform classic Non-Profiled attacks such as Correlation Power Analysis. We also highlight that it is possible to break masked implementations in black-box, without leakages combination pre-preprocessing and with no assumptions nor knowledge about the masking implementation. To carry the attack, we introduce metrics based on Sensitivity Analysis that can reveal both the secret key value as well as points of interest, such as leakages and masks locations in the traces. The results of our experiments demonstrate the interests of this new method and show that this attack can be performed in practice.

Download Full-text