scholarly journals Analysis and Comparison of Table-based Arithmetic to Boolean Masking

2021 ◽  
pp. 275-297
Author(s):  
Michiel Van Beirendonck ◽  
Jan-Pieter D’Anvers ◽  
Ingrid Verbauwhede
Keyword(s):  
Power Analysis ◽  
Experimental Validation ◽  
Side Channel ◽  
Signature Schemes ◽  
Intermediate Variable ◽  
Conversion Algorithm ◽  
Memory Footprint ◽  
Protection Mechanisms ◽  
The Cost ◽  
Additional Memory

Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.

scholarly journals A Countermeasure against DPA on SIMON with an Area-Efficient Structure

Electronics ◽  
2019 ◽  
Vol 8 (2) ◽  
pp. 240 ◽  
Author(s):  
Yuanyuan Zhang ◽  
Ning Wu ◽  
Fang Zhou ◽  
Jinbao Zhang ◽  
Muhammad Yahya
Keyword(s):  
Circuit Design ◽  
Power Analysis ◽  
Fault Injection ◽  
Low Cost ◽  
T Test ◽  
Side Channel ◽  
Cryptographic Algorithms ◽  
Randomization Scheme ◽  
The Cost ◽  
Area Efficient

Differential power analysis (DPA) is an effective side channel attack method, which poses a critical threat to cryptographic algorithms, especially lightweight ciphers such as SIMON. In this paper, we propose an area-efficient countermeasure against DPA on SIMON based on the power randomization. Firstly, we review and analyze the architecture of SIMON algorithm. Secondly, we prove the threat of DPA attack to SIMON by launching actual DPA attack on SIMON 32/64 circuit. Thirdly, a low-cost power randomization scheme is proposed by combining fault injection with double rate technology, and the corresponding circuit design is implemented. To the best of our knowledge, this is the first scheme that applies the combination of fault injection and double rate technology to the DPA-resistance. Finally, the t-test is used to evaluate the security mechanism of the proposed designs with leakage quantification. Our experimental results show that the proposed design implements DPA-resistance of SIMON algorithm at certain overhead the cost of 47.7% LUTs utilization and 39.6% registers consumption. As compared to threshold implementation and bool mask, the proposed scheme has greater advantages in resource consumption.

scholarly journals Will You Cross the Threshold for Me?

2021 ◽  
pp. 722-761
Author(s):  
Prasanna Ravi ◽  
Martianus Frederic Ezerman ◽  
Shivam Bhasin ◽  
Anupam Chattopadhyay ◽  
Sujoy Sinha Roy
Keyword(s):  
Experimental Validation ◽  
Side Channel ◽  
Secret Key ◽  
Intermediate Variable ◽  
Side Channels ◽  
Different Types ◽  
Protection Strategies ◽  
Standardization Process ◽  
Post Quantum Cryptography ◽  
Decryption Oracle

In this work, we propose generic and novel side-channel assisted chosenciphertext attacks on NTRU-based key encapsulation mechanisms (KEMs). These KEMs are IND-CCA secure, that is, they are secure in the chosen-ciphertext model. Our attacks involve the construction of malformed ciphertexts. When decapsulated by the target device, these ciphertexts ensure that a targeted intermediate variable becomes very closely related to the secret key. An attacker, who can obtain information about the secret-dependent variable through side-channels, can subsequently recover the full secret key. We propose several novel CCAs which can be carried through by using side-channel leakage from the decapsulation procedure. The attacks instantiate three different types of oracles, namely a plaintext-checking oracle, a decryptionfailure oracle, and a full-decryption oracle, and are applicable to two NTRU-based schemes, which are NTRU and NTRU Prime. The two schemes are candidates in the ongoing NIST standardization process for post-quantum cryptography. We perform experimental validation of the attacks on optimized and unprotected implementations of NTRU-based schemes, taken from the open-source pqm4 library, using the EM-based side-channel on the 32-bit ARM Cortex-M4 microcontroller. All of our proposed attacks are capable of recovering the full secret key in only a few thousand chosen ciphertext queries on all parameter sets of NTRU and NTRU Prime. Our attacks, therefore, stress on the need for concrete side-channel protection strategies for NTRUbased KEMs.

scholarly journals Automatic Generation of HCCA Resistant Scalar Multiplication Algorithm by Proper Sequencing of Field Multiplier Operands

10.29007/qszz ◽  
2018 ◽  
Author(s):  
Poulami Das ◽  
Debapriya Basu Roy ◽  
Debdeep Mukhopadhyay
Keyword(s):  
Correlation Analysis ◽  
Elliptic Curve ◽  
Power Analysis ◽  
Experimental Validation ◽  
Information Leakage ◽  
Automatic Generation ◽  
Side Channel ◽  
Multiplication Algorithm ◽  
Elliptic Curve Cryptosystems ◽  
First Time

Horizontal collision correlation analysis (HCCA) imposes a serious threat tosimple power analysis resistant elliptic curve cryptosystems involving unified algorithms, for e.g. Edward curve unified formula. This attack can be mounted even in presence of differential power analysis resistant randomization schemes. In this paper we have designed an effective countermeasure for HCCA protection, where the dependency of side-channel leakage from a school-book multiplication with the underling multiplier operands is investigated. We have shown how changing the sequence in which the operands are passed to the multiplication algorithm introduces dissimilarity in the information leakage. This disparity has been utilized in constructing a zero-cost countermeasure against HCCA. This countermeasure has been shown to help in HCCA resistivity. Additionally we provide experimental validation for our proposed countermeasure technique on a SASEBO platform. To the best of our knowledge, this is the first time that asymmetry in information leakage has been utilized in designing a side channel countermeasure and successfully applied in an ECC-based crypto-module.

scholarly journals Side-Channel Power Resistance for Encryption Algorithms Using Implementation Diversity

Cryptography ◽  
2020 ◽  
Vol 4 (2) ◽  
pp. 13
Author(s):  
Ivan Bow ◽  
Nahome Bete ◽  
Fareena Saqib ◽  
Wenjie Che ◽  
Chintan Patel ◽  
...  
Keyword(s):  
Power Analysis ◽  
Side Channel ◽  
Side Channel Attacks ◽  
Dynamic Partial Reconfiguration ◽  
Channel Power ◽  
Diversity Techniques ◽  
Gate Arrays ◽  
Field Programmable ◽  
Programmable Gate Arrays ◽  
Encryption Algorithms

This paper investigates countermeasures to side-channel attacks. A dynamic partial reconfiguration (DPR) method is proposed for field programmable gate arrays (FPGAs)s to make techniques such as differential power analysis (DPA) and correlation power analysis (CPA) difficult and ineffective. We call the technique side-channel power resistance for encryption algorithms using DPR, or SPREAD. SPREAD is designed to reduce cryptographic key related signal correlations in power supply transients by changing components of the hardware implementation on-the-fly using DPR. Replicated primitives within the advanced encryption standard (AES) algorithm, in particular, the substitution-box (SBOX)s, are synthesized to multiple and distinct gate-level implementations. The different implementations change the delay characteristics of the SBOXs, reducing correlations in the power traces, which, in turn, increases the difficulty of side-channel attacks. The effectiveness of the proposed countermeasures depends greatly on this principle; therefore, the focus of this paper is on the evaluation of implementation diversity techniques.

scholarly journals Comparison of Cost of Protection against Differential Power Analysis of Selected Authenticated Ciphers

Cryptography ◽  
2018 ◽  
Vol 2 (3) ◽  
pp. 26 ◽  
Author(s):  
William Diehl ◽  
Abubakr Abdulgadir ◽  
Farnoud Farahmand ◽  
Jens-Peter Kaps ◽  
Kris Gaj
Keyword(s):  
Energy Efficient ◽  
Power Analysis ◽  
Side Channel ◽  
Sensitive Data ◽  
Differential Power Analysis ◽  
Test Vectors ◽  
Power And Energy ◽  
Cost Of Protection ◽  
Test Architecture ◽  
Leakage Assessment

Authenticated ciphers, which combine the cryptographic services of confidentiality, integrity, and authentication into one algorithmic construct, can potentially provide improved security and efficiencies in the processing of sensitive data. However, they are vulnerable to side-channel attacks such as differential power analysis (DPA). Although the Test Vector Leakage Assessment (TVLA) methodology has been used to confirm improved resistance of block ciphers to DPA after application of countermeasures, extension of TVLA to authenticated ciphers is non-trivial, since authenticated ciphers have expanded input and output requirements, complex interfaces, and long test vectors which include protocol necessary to describe authenticated cipher operations. In this research, we upgrade the FOBOS test architecture with capability to perform TVLA on authenticated ciphers. We show that FPGA implementations of the CAESAR Round 3 candidates ACORN, Ascon, CLOC (with AES and TWINE primitives), SILC (with AES, PRESENT, and LED primitives), JAMBU (with AES and SIMON primitives), and Ketje Jr.; as well as AES-GCM, are vulnerable to 1st order DPA. We then use threshold implementations to protect the above cipher implementations against 1st order DPA, and verify the effectiveness of countermeasures using the TVLA methodology. Finally, we compare the unprotected and protected cipher implementations in terms of area, performance (maximum frequency and throughput), throughput-to-area (TP/A) ratio, power, and energy per bit (E/bit). Our results show that ACORN consumes the lowest number of resources, has the highest TP/A ratio, and is the most energy-efficient of all DPA-resistant implementations. However, Ketje Jr. has the highest throughput.

scholarly journals The Design of Compact SM4 Encryption and Decryption Circuits That Are Resistant to Bypass Attack

Electronics ◽  
2020 ◽  
Vol 9 (7) ◽  
pp. 1102
Author(s):  
Fang Zhou ◽  
Benjun Zhang ◽  
Ning Wu ◽  
Xiangli Bu
Keyword(s):  
Linear Transformation ◽  
Power Analysis ◽  
Side Channel ◽  
Random Delay ◽  
Side Channel Attacks ◽  
Differential Power Analysis ◽  
Operation Method ◽  
Encryption And Decryption ◽  
Power Curves ◽  
Random Insertion

In order to achieve the purpose of defending against side channel attacks, a compact SM4 circuit was designed based on the mask and random delay technique, and the linear transformation module was designed with random insertion of the pseudo operation method. By analyzing the glitch data generated by the S-box of SM4 with different inputs, the security against glitch attacks was confirmed. Then, the DPA (Differential Power Analysis) was performed on the designed circuit. The key could not be successfully obtained even in the case of 100,000 power curves, so that the safety of SM4 against DPA is verified. Finally, using Synopsys DC (Design Compiler, Mountain View, CA94043DC, USA) to synthesize the designed circuit, the results show that the area of the designed circuit in the SMIC 0.18 process is 82,734 μm2, which is 48% smaller than results reported in other papers.

Sign in / Sign up

Export Citation Format

Share Document