225 research outputs found

    A first-order chosen-plaintext DPA attack on the third round of DES

    DPA attacks usually exhibit a divide-and-conquer property: the adversary needs to enumerate only a small space of the key (a key sub-space) when performing the DPA attack. This is achieved trivially in the outer rounds of a cryptographic implementation since intermediates depend on only a few key bits. In the inner rounds, however, intermediates depend on too many key bits to make DPA practical or even to pose an advantage over cryptanalysis. For this reason, DPA countermeasures may be deployed only to outer rounds if performance or efficiency are critical. This paper shows a DPA attack exploiting leakage from the third round of a Feistel cipher, such as DES. We require the ability of fixing inputs, but we do not place any special restriction on the leakage model. The complexity of the attack is that of two to three DPA attacks on the first round of DES plus some minimal differential cryptanalysis.

    Advanced Cryptographic Power Analysis

    This project seeks to advance the differential power analysis MQP of Hnath and Pettengill. Using their work as a foundation, we implement a power analysis attack on the Advanced Encryption Standard (AES). We then evaluate our attack according to the criteria from the DPA Contest. In addition, we explore several strategies to improve the attack. Our attempts result in slight improvements in select cases. We also seek to attack AES using the differential template attack (DTA) of Karakoyunlu and Sunar. Although originally designed to attack physically unclonable functions, we show the DTA can be used against AES. We implement the DTA to attack AES and find it promising, but not entirely successful. We then present our theories on how to improve the DTA.

    Differential Behavioral Analysis

    This paper describes an attack on cryptographic devices called Differential Behavioral Analysis (or DBA). This is a hybrid attack between two already powerful attacks: differential power analysis (DPA) for the statistical treatment and safe-error attack for the fault type. DBA, simulated on an algorithmic model of AES, appears to be very efficient. The attacker is able to recover the entire secret key with byte-wise “stuck-at” faults injected repetitively. A theoretical as well as a more realistic approach are presented.

    Lightweight Cryptography Meets Threshold Implementation: A Case Study for SIMON

    Securing data transmission has always been a challenge. While many cryptographic algorithms are available to solve the problem, many applications have tough area constraints while requiring high-level security. Lightweight cryptography aims at achieving high-level security with the benefit of being low cost. Since the late nineties and with the discovery of side channel attacks the approach towards cryptography has changed quite significantly. An attacker who can get close to a device can extract sensitive data by monitoring side channels such as power consumption, sound, or electromagnetic emanation. This means that embedded implementations of cryptographic schemes require protection against such attacks to achieve the desired level of security. In this work we combine a low-cost embedded cipher, Simon, with a state-of-the-art side channel countermeasure called Threshold Implementation (TI). We show that TI is a great match for lightweight cryptographic ciphers, especially for hardware implementation. Our implementation is the smallest TI of a block-cipher on an FPGA. This implementation utilizes 96 slices of a low-cost Spartan-3 FPGA and 55 slices of a modern Kintex-7 FPGA. Moreover, we present a higher order TI which is resistant against second order attacks. This implementation utilizes 163 slices of a Spartan-3 FPGA and 95 slices of a Kintex-7 FPGA. We also present a state of the art leakage analysis and, by applying it to the designs, show that the implementations achieve the expected security. The implementations even feature a significant robustness to higher order attacks, where several million observations are needed to detect leakage.

    Methodologies for power analysis attacks on hardware implementations of AES

    Side Channel Attacks (SCA) exploit weaknesses in implementations of cryptographic functions resulting from unintended inputs and outputs such as execution timing, power consumption, electromagnetic radiation, thermal and acoustic emanations. Power Analysis Attacks (PAA) are a type of SCA in which an attacker measures the power consumption of a cryptographic device during normal execution. An attempt is then made to uncover a relationship between the instantaneous power consumption and secret key information. PAAs can be subdivided into Simple Power Analysis (SPA), Differential Power Analysis (DPA), and Correlation Power Analysis (CPA). Many attacks have been documented since PAAs were first described in 1998. But since they often vary significantly, it is difficult to directly compare the vulnerability of the implementations used in each. Research is necessary to identify and develop standard methods of evaluating the vulnerability of cryptographic implementations to PAAs. This thesis defines methodologies for performing PAAs on hardware implementations of AES. The process is divided into identification, extraction, and evaluation stages. The extraction stage is outlined for both simulated power consumption waveforms as well as for waveforms captured from physical implementations. An AES encryption hardware design is developed for the experiment. The hardware design is synthesized with the Synopsys 130-nm CMOS standard cell library. Simulated instantaneous power consumption waveforms are generated with Synopsys PrimeTime PX. Single and multiple-bit DPA attacks are performed on the waveforms. Improvements are applied in order to automate and improve the precision and performance of the system. The attacks on the simulated power waveforms are successful. The correct key byte is identified in 15 of the 16 single-bit attacks after 10,000 traces. The single-bit attack which does not uniquely identify the correct key byte becomes successful after 15,000 or more traces are applied. The key byte is found in 36 of the 38 multiple-bit attacks. The main contribution of this work is a methodology and simulation environment which can be used to design hardware which is resistant to PAA and determine and compare vulnerability.

    Compromising emissions from a high speed cryptographic embedded system

    Specific hardware implementations of cryptographic algorithms have been subject to a number of “side channel” attacks of late. A side channel is any information bearing emission that results from the physical implementation of a cryptographic algorithm. Smartcard realisations have been shown to be particularly vulnerable to these attacks. Other more complex embedded cryptographic systems may also be vulnerable, and each new design needs to be tested. The vulnerability of a recently developed high speed cryptographic accelerator is examined. The purpose of this examination is not only to verify the integrity of the device, but also to allow its designers to make a determination of its level of conformance with any standard that they may wish to comply with. A number of attacks were reviewed initially and two were chosen for examination and implementation - Power Analysis and Electromagnetic Analysis. These particular attacks appeared to offer the greatest threat to this particular system. Experimental techniques were devised to implement these attacks and a simulation and microcontroller emulation were set up to ensure these techniques were sound. Each experimental setup was successful in attacking the simulated data and the microcontroller circuit. The significance of this was twofold in that it verified the integrity of the setup and proved that a real threat existed. However, the attacks on the cryptographic accelerator failed in all cases to reveal any significant information. Although this is considered a positive result, it does not prove the integrity of the device as it may be possible for an adversary with more resources to successfully attack the board. It does however increase the level of confidence in this particular product and acts as a stepping stone towards conformance of cryptographic standards. The experimental procedures developed can also be used by designers wishing to test the vulnerability of their own products to these attacks.

    Analysis of DPA and DEMA Attacks

    Side channel attacks (SCA) are attacks on the implementations of cryptographic algorithms or cryptography devices that do not employ full brute force attack or exploit the weaknesses of the algorithms themselves. There are many types of side channel attacks, and they include timing, sound, power consumptions, electromagnetic (EM) radiations, and more. A statistical side channel attack technique that uses power consumption and EM readings was developed, and they are called Differential Power Analysis (DPA) and Differential Electromagnetic Analysis respectively. DPA takes the overall power consumption readings from the system of interest, and DEMA takes localized EM readings from the system of interest. In this project, we will examine the effectiveness of both techniques and compare the results. We will compare the techniques based on the amount of resource and time they needed to perform a successful SCA on the same system. In addition, we will attempt to use a radio receiver to down mix the power consumption readings and the EM readings to reduce the amount of computing resources it takes to perform SCA. We will provide our test results of performing SCA with DPA and DEMA, and we will also compare the results to determine the effectiveness of the two techniques.

    Obfuscating Against Side-Channel Power Analysis Using Hiding Techniques for AES

    The transfer of information has always been an integral part of military and civilian operations, and remains so today. Because not all information we share is public, it is important to secure our data from unwanted parties. Message encryption serves to prevent all but the sender and recipient from viewing any encrypted information as long as the key stays hidden. The Advanced Encryption Standard (AES) is the current industry and military standard for symmetric-key encryption. While AES remains computationally infeasible to break the encrypted message stream, it is susceptible to side-channel attacks if an adversary has access to the appropriate hardware. The most common and effective side-channel attack on AES is Differential Power Analysis (DPA). Thus, countermeasures to DPA are crucial to data security. This research attempts to evaluate and combine two hiding DPA countermeasures in an attempt to further hinder side-channel analysis of AES encryption. Analysis of DPA attack success before and after the countermeasures is used to determine effectiveness of the protection techniques. The results are measured by evaluating the number of traces required to attack the circuit and by measuring the signal-to-noise ratios.