Crucial pitfall of DPA Contest V4.2 Implementation
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26220%2F17%3APU123794" target="_blank" >RIV/00216305:26220/17:PU123794 - isvavai.cz</a>
Result on the web
<a href="http://onlinelibrary.wiley.com/doi/10.1002/sec.1760/full" target="_blank" >http://onlinelibrary.wiley.com/doi/10.1002/sec.1760/full</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1002/sec.1760" target="_blank" >10.1002/sec.1760</a>
Alternative languages
Result language
English
Title in original language
Crucial pitfall of DPA Contest V4.2 Implementation
Description in original language
Differential Power Analysis (DPA) is a powerful side-channel key-recovery attack that efficiently breaks implementations of cryptographic algorithms. To prevent these attacks, hardware designers and software programmers use masking and hiding countermeasures. The DPA Contest is an international framework that allows researchers to compare their power-analysis attacks under the same conditions. Its latest version, denoted V4.2, provides an improved implementation of the Rotating S-box Masking (RSM) scheme, in which low-entropy Boolean masking is combined with shuffling to protect an AES (Advanced Encryption Standard) implementation on a smart card. The improvements were designed in response to the implementation weaknesses revealed by the attacks carried out during the previous DPA Contest V4, so the new approach is intended to resist most of the attacks proposed against the original RSM implementation. In this article, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting first-order leakage, discovered important weaknesses. The main vulnerability observed is that an adversary can mount a standard DPA attack targeting the S-box output and recover the whole secret key even though shuffling is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces.
Title in English
Crucial pitfall of DPA Contest V4.2 Implementation
Description in English
Differential Power Analysis (DPA) is a powerful side-channel key-recovery attack that efficiently breaks implementations of cryptographic algorithms. To prevent these attacks, hardware designers and software programmers use masking and hiding countermeasures. The DPA Contest is an international framework that allows researchers to compare their power-analysis attacks under the same conditions. Its latest version, denoted V4.2, provides an improved implementation of the Rotating S-box Masking (RSM) scheme, in which low-entropy Boolean masking is combined with shuffling to protect an AES (Advanced Encryption Standard) implementation on a smart card. The improvements were designed in response to the implementation weaknesses revealed by the attacks carried out during the previous DPA Contest V4, so the new approach is intended to resist most of the attacks proposed against the original RSM implementation. In this article, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting first-order leakage, discovered important weaknesses. The main vulnerability observed is that an adversary can mount a standard DPA attack targeting the S-box output and recover the whole secret key even though shuffling is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces.
Classification
Type
J<sub>imp</sub> - Article in a journal indexed in the Web of Science database
CEP field
—
OECD FORD field
20201 - Electrical and electronic engineering
Result links
Project
<a href="/cs/project/LO1401" target="_blank" >LO1401: Interdisciplinary Research of Wireless Technologies</a><br>
Links
P - Research and development project funded from public sources (with a link to CEP)<br>S - Specific research at universities
Other
Year of publication
2017
Data confidentiality code
S - Complete and accurate data about the project are not subject to protection under special legal regulations
Data specific to the result type
Journal name
Security and Communication Networks (online)
ISSN
1939-0114
e-ISSN
1939-0122
Journal volume
9
Issue number within the volume
18
Publisher's country
GB - United Kingdom of Great Britain and Northern Ireland
Number of pages
17
Pages from-to
1-17
Article UT WoS code
000398221800092
Result EID in the Scopus database
2-s2.0-85016609370