Crucial pitfall of DPA Contest V4.2 Implementation

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26220%2F17%3APU123794" target="_blank" >RIV/00216305:26220/17:PU123794 - isvavai.cz</a>

Výsledek na webu

<a href="http://onlinelibrary.wiley.com/doi/10.1002/sec.1760/full" target="_blank" >http://onlinelibrary.wiley.com/doi/10.1002/sec.1760/full</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1002/sec.1760" target="_blank" >10.1002/sec.1760</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Crucial pitfall of DPA Contest V4.2 Implementation

Popis výsledku v původním jazyce

Differential Power Analysis (DPA) is a powerful side-channel key recovery attack that efficiently breaks cryptographic algorithm implementations. In order to prevent these types of attacks, hardware designers and software programmers make use of masking and hiding techniques. DPA Contest is an international framework that allows researchers to compare their power analysis attacks under the same conditions. The latest version of DPA Contest, denoted as V4.2, provides an improved implementation of the Rotating Sbox Masking (RSM) scheme where low-entropy boolean masking is combined with the shuffling technique to protect AES (Advanced Encryption Standard) implementation on a smart card. The improvements were designed based on the awareness of implementation lacks analyzed from attacks carried out during the previous DPA Contest V4. Therefore, this new approach is devised to resist most of the proposed attacks to the original RSM implementation. In this article, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting the first-order leakage, discovered important lacks. The main vulnerability observed is that an adversary can mount a standard DPA attack aimed at the S-box output in order to recover the whole secret key even when a shuffling technique is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces.

Název v anglickém jazyce

Crucial pitfall of DPA Contest V4.2 Implementation

Popis výsledku anglicky

Differential Power Analysis (DPA) is a powerful side-channel key recovery attack that efficiently breaks cryptographic algorithm implementations. In order to prevent these types of attacks, hardware designers and software programmers make use of masking and hiding techniques. DPA Contest is an international framework that allows researchers to compare their power analysis attacks under the same conditions. The latest version of DPA Contest, denoted as V4.2, provides an improved implementation of the Rotating Sbox Masking (RSM) scheme where low-entropy boolean masking is combined with the shuffling technique to protect AES (Advanced Encryption Standard) implementation on a smart card. The improvements were designed based on the awareness of implementation lacks analyzed from attacks carried out during the previous DPA Contest V4. Therefore, this new approach is devised to resist most of the proposed attacks to the original RSM implementation. In this article, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting the first-order leakage, discovered important lacks. The main vulnerability observed is that an adversary can mount a standard DPA attack aimed at the S-box output in order to recover the whole secret key even when a shuffling technique is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces.

Druh

J_imp - Článek v periodiku v databázi Web of Science

CEP obor

—

OECD FORD obor

20201 - Electrical and electronic engineering

Projekt

<a href="/cs/project/LO1401" target="_blank" >LO1401: Interdisciplinární výzkum bezdrátových technologií</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)<br>S - Specificky vyzkum na vysokych skolach

Rok uplatnění

2017

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název periodika

Security and Communication Networks (online)

ISSN

1939-0114

e-ISSN

1939-0122

Svazek periodika

9

Číslo periodika v rámci svazku

18

Stát vydavatele periodika

GB - Spojené království Velké Británie a Severního Irska

Počet stran výsledku

17

Strana od-do

1-17

Kód UT WoS článku

000398221800092

EID výsledku v databázi Scopus

2-s2.0-85016609370