scholarly journals Leakage Detection with the x2-Test

2018 ◽  
pp. 209-237 ◽  
Author(s):  
Amir Moradi ◽  
Bastian Richter ◽  
Tobias Schneider ◽  
François-Xavier Standaert
Keyword(s):  
Black Box ◽  
Higher Order ◽  
T Test ◽  
Statistical Moments ◽  
Side Channel ◽  
Leakage Detection ◽  
Key Recovery ◽  
Detection Techniques ◽  
The Moment ◽  
Key Recovery Attacks

We describe how Pearson’s χ2-test can be used as a natural complement to Welch’s t-test for black box leakage detection. In particular, we show that by using these two tests in combination, we can mitigate some of the limitations due to the moment-based nature of existing detection techniques based on Welch’s t-test (e.g., for the evaluation of higher-order masked implementations with insufficient noise). We also show that Pearson’s χ2-test is naturally suited to analyze threshold implementations with information lying in multiple statistical moments, and can be easily extended to a distinguisher for key recovery attacks. As a result, we believe the proposed test and methodology are interesting complementary ingredients of the side-channel evaluation toolbox, for black box leakage detection and non-profiled attacks, and as a preliminary before more demanding advanced analyses.

scholarly journals Semi-Automatic Locating of Cryptographic Operations in Side-Channel Traces

2021 ◽  
pp. 345-366
Author(s):  
Jens Trautmann ◽  
Arthur Beckers ◽  
Lennert Wouters ◽  
Stefan Wildermann ◽  
Ingrid Verbauwhede ◽  
...  
Keyword(s):  
Fault Injection ◽  
Side Channel ◽  
Leakage Detection ◽  
Clock Frequency ◽  
Detection Techniques ◽  
Effective Time ◽  
Meta Information ◽  
Software Implementations ◽  
Single Data ◽  
The Time Domain

Locating a cryptographic operation in a side-channel trace, i.e. finding out where it is in the time domain, without having a template, can be a tedious task even for unprotected implementations. The sheer amount of data can be overwhelming. In a simple call to OpenSSL for AES-128 ECB encryption of a single data block, only 0.00028% of the trace relate to the actual AES-128 encryption. The rest is overhead. We introduce the (to our best knowledge) first method to locate a cryptographic operation in a side-channel trace in a largely automated fashion. The method exploits meta information about the cryptographic operation and requires an estimate of its implementation’s execution time.The method lends itself to parallelization and our implementation in a tool greatly benefits from GPU acceleration. The tool can be used offline for trace segmentation and for generating a template which can then be used online in real-time waveformmatching based triggering systems for trace acquisition or fault injection. We evaluate it in six scenarios involving hardware and software implementations of different cryptographic operations executed on diverse platforms. Two of these scenarios cover realistic protocol level use-cases and demonstrate the real-world applicability of our tool in scenarios where classical leakage-detection techniques would not work. The results highlight the usefulness of the tool because it reliably and efficiently automates the task and therefore frees up time of the analyst.The method does not work on traces of implementations protected by effective time randomization countermeasures, e.g. random delays and unstable clock frequency, but is not affected by masking, shuffling and similar countermeasures.

scholarly journals Efficient Side-Channel Secure Message Authentication with Better Bounds

2020 ◽  
pp. 23-53
Author(s):  
Chun Guo ◽  
François-Xavier Standaert ◽  
Weijia Wang ◽  
Yu Yu
Keyword(s):  
Time Complexity ◽  
Side Channel ◽  
Message Authentication ◽  
Security Threat ◽  
Cryptographic Primitives ◽  
Key Recovery ◽  
Leakage Resilience ◽  
Authentication Schemes ◽  
Key Recovery Attacks ◽  
Provably Secure

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm T = TGenK(H(M)). When the domain of the MAC function TGenK is {0, 1}128, e.g., when instantiated with the AES, forgery is possible within time 264 and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) 278.3 time complexity, while RHM is provably secure up to 2121 time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.

Evaluation of Side-Channel Key-Recovery Attacks on LoRaWAN End-Device

2020 ◽  
pp. 74-92
Author(s):  
Kazuhide Fukushima ◽  
Damien Marion ◽  
Yuto Nakano ◽  
Adrien Facon ◽  
Shinsaku Kiyomoto ◽  
...  
Keyword(s):  
Side Channel ◽  
Key Recovery ◽  
Key Recovery Attacks

scholarly journals Speed Optimizations in Bitcoin Key Recovery Attacks

2016 ◽  
Vol 67 (1) ◽  
pp. 55-68 ◽  
Author(s):  
Nicolas Courtois ◽  
Guangyan Song ◽  
Ryan Castellucci
Keyword(s):  
Elliptic Curve ◽  
State Of The Art ◽  
The State ◽  
Side Channel ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attacks

Abstract In this paper, we study and give the first detailed benchmarks on existing implementations of the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies. Our implementation improves the state of the art by a factor of 2.5 with a focus on the cases, where side channel attacks are not a concern and a large quantity of RAM is available. As a result, we are able to scan the Bitcoin blockchain for weak keys faster than any previous implementation. We also give some examples of passwords which we have cracked, showing that brain wallets are not secure in practice even for quite complex passwords.

scholarly journals Tightness of the Suffix Keyed Sponge Bound

2020 ◽  
pp. 195-212
Author(s):  
Christoph Dobraunig ◽  
Bart Mennink
Keyword(s):  
Side Channel ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Side Channel Attacks ◽  
Key Recovery ◽  
Security Proofs ◽  
Generic Attacks ◽  
Key Recovery Attacks ◽  
Security Bound

Generic attacks are a vital ingredient in the evaluation of the tightness of security proofs. In this paper, we evaluate the tightness of the suffix keyed sponge (SuKS) bound. As its name suggests, SuKS is a sponge-based construction that absorbs the key after absorbing the data, but before producing an output. This absorption of the key can be done via an easy to invert operation, like an XOR, or a hard to invert operation, like a PRF. Using SuKS with a hard to invert absorption provides benefits with respect to its resistance against side-channel attacks, and such a construction is used as part of the authenticated encryption scheme Isap. We derive two key recovery attacks against SuKS with easy to invert key absorption, and a forgery in case of hard to invert key absorption. The attacks closely match the terms in the PRF security bound of SuKS by Dobraunig and Mennink, ToSC 2019(4), and therewith show that these terms are justified, even if the function used to absorb the key is a PRF, and regardless of whether SuKS is used as a PRF or a MAC.

scholarly journals How to fool a black box machine learning based side-channel security evaluation

2021 ◽  
Author(s):  
Charles-Henry Bertrand Van Ouytsel ◽  
Olivier Bronchain ◽  
Gaëtan Cassiers ◽  
François-Xavier Standaert
Keyword(s):  
Machine Learning ◽  
Black Box ◽  
Security Evaluation ◽  
Side Channel
Sign in / Sign up

Export Citation Format

Share Document