Multilateral White-Box Cryptanalysis: Case study on WB-AES of CHES Challenge 2016

The security requirement of white-box cryptography (WBC) is that it should protect the secret key from a white-box security model that permits an adversary who is able to entirely control the execution of the cryptographic algorithm and its environment. It has already been demonstrated that most of the WBCs are vulnerable to algebraic attacks from a white-box security perspective. Recently, a new differential computation analysis (DCA) attack has been proposed that thwarts the white-box implementation of block cipher AES (WB-AES) by monitoring the memory information accessed during the execution of the algorithm. Although the attack requires the ability to estimate the internal information of the memory pattern, it retrieves the secret key after a few attempts. In addition, it is proposed that the hardware implementation of WB-AES is vulnerable to differential power analysis (DPA) attack. In this paper, we propose a DPA-based attack that directly exploits the intermediate values of WB-AES computation with ut requiring to utilize memory data. We also demonstrate its practicability with respect to public software implementation of WB-AES. Additionally, we investigate the vulnerability of our target primitive to DPA by acquiring actual power consumption traces of software implementation

Single-Trace Vulnerability of Countermeasures against Instruction-related Timing Attack

In this paper, we propose that countermeasures against instruction-related timing attack would be vulnerable to single-trace attacks, which are presented at ISPEC 2017 and CHES 2019. The countermeasures use determiner to make operations, which leak timing side-channel information, perform in a constant-time. Since determiner is divided into two groups according to secret credentials, it is possible to recover secret credentials by clustering determiner into two groups

Efficient Conversion Method from Arithmetic to Boolean Masking in Constrained Devices

A common technique employed for preventing a side channel analysis is boolean masking. However, the application of this scheme is not so straightforward when it comes to block ciphers based on Addition-Rotation-Xor structure. In order to address this issue, since 2000, scholars have investigated schemes for converting Arithmetic to Boolean (AtoB) masking and Boolean to Arithmetic (BtoA) masking schemes. However, these solutions have certain limitations. The time performance of the AtoB scheme is extremely unsatisfactory because of the high complexity of $\mathcal{O}(k)$ where $k$ is the size of addition bit. At the FSE 2015, an improved algorithm with time complexity $\mathcal{O}(\log k)$ based on the Kogge-Stone carry look-ahead adder was suggested. Despite its efficiency, this algorithm cannot consider for constrained environments. Although the original algorithm naturally extends to low-resource devices, there is no advantage in time performance; we call this variant as the generic variant. In this study, we suggest an enhanced variant algorithm to apply to constrained devices. Our solution is based on the principle of the Kogge-Stone carry look-ahead adder, and it uses a divide and conquer approach. In addition, we prove the security of our new algorithm against first-order attack. In implementation results, when $k=64$ and the register bit size of a chip is $8$, $16$ or $32$, we obtain $58$\%, $72$\%, or $68$\% improvement, respectively, over the results obtained using the generic variant. When applying those algorithms to first-order SPECK, we also achieve about $40$\% improvement. Moreover, our proposal extends to higher-order countermeasures as previous study

Differential Fault Attack on Lightweight Block Cipher PIPO

With the recent development of Internet of Things (IoT) devices, related security issues are also increasing. In particular, the possibility of accessing and hijacking cryptographic devices is also increasing due to the rapid increase in usage of these devices. Therefore, research on cryptographic technologies that can provide a safe environment even in resource-constrained environments has been actively conducted. Among them, there are increasing security issues of side-channel analysis for devices due to their physical accessibility. The lightweight block cipher PIPO was recently proposed in ICISC 2020 to address these issues. The PIPO has the characteristic of providing robust security strength while having less overhead when using the side-channel analysis countermeasures. A differential fault attack is a type of side-channel analysis that induces fault in cryptographic operations and utilizes difference information that occurs. Differential fault attacks on the PIPO have not yet been studied. This paper proposed a single-bit flip-based differential fault attack on the lightweight block cipher PIPO for the first time. We show that simulations enable the recovery of the correct secret key with about 98% probability through 64 fault ciphertexts. Therefore, the PIPO does not provide security against differential fault attacks. When using the PIPO cipher on IoT devices, designers must apply appropriate countermeasures against fault injection attacks

Novel Single-Trace ML Profiling Attacks on NIST 3 Round candidate Dilithium

Dilithium is a lattice-based digital signature, one of the finalist candidates in the NIST\u27s standardization process for post-quantum cryptography. In this paper, we propose a first side-channel attack on the process of signature generation of Dilithium. During the Dilithium signature generation process, we used NTT encryption single-trace for machine learning-based profiling attacks. In addition, it is possible to attack masked Dilithium using sparse multiplication. The proposed method is shown through experiments that all key values can be exposed 100% through a single-trace regardless of the optimization level

Non-Profiled Side Channel Attack based on Deep Learning using Picture Trace

In this paper, we suggest a new format for converting side channel traces to fully utilize the deep learning schemes. Due to the fact that many deep learning schemes have been advanced based on MNIST style datasets, we convert from raw-trace based on float or byte data to picture-formatted trace based on position. This is induced that the best performance can be acquired from deep learning schemes. Although the overfitting cannot be avoided in our suggestion, the accuracy for validation outperforms to previous results of side channel analysis based on deep learning. Additionally, we provide a novel criteria for attack success or fail based on statistical confidence level rather than rule of thumb. Even though the data storage is slightly increased, our suggestion can completely be recovered the correct key compared to previous results. Moreover, our suggestion scheme has a lot of potential to improve side channel attack

The effect of the stacking fault on the diffusion of chemisorbed hydrogen atoms inside few-layered graphene

We examined the diffusion of hydrogen atoms in mono-, bi- and tetralayer graphene with AB stacking and two bilayer graphene with stacking faults using density functional theory. The bi- and tetralayer graphene provide diffusion pathways with lower energy barriers inside the interlayer space. Inside the bi- and tetralayer graphene with AB stacking, the in-plane diffusion is more favorable than the inter-plane jumping. However, the stacking faults made by sliding layer planes lowers the energy barrier of the inter-plane jumping and the effective frequency of the inter-plane jump is larger than that of the in-plane diffusion inside the graphene layers with the stacking faults. This suggests that hydrogen atoms can diffuse over a long distance inside few-layered graphene with stacking faults jumping consecutively between adjacent layers.close0

Some Analysis of Radix-r Representations

We deal with the radix-r representation used for the scalar multiplication of pairing-based cryptosystems with characteristic r. Our goal of this paper is to present some invariant properties about the signed radix-r representation; (1) approximation formulae for the average significant length and the average hamming weight of gNAF and wrNAF representation, (2) some classification formulae of equivalent classes called as Cutting Lemma, Collision Lemma, and Search Space Theorem. We also analyze the security of signed radix-r representations in the sense of side channel attacks, and to this end we propose a secure countermeasure