8 research outputs found

    Balanced Encoding of Near-Zero Correlation for an AES Implementation

    Power analysis poses a significant threat to the security of cryptographic algorithms, as it can be leveraged to recover secret keys. While various software-based countermeasures exist to mitigate this non-invasive attack, they often involve a trade-off between time and space constraints. Techniques such as masking and shuffling, while effective, can noticeably impact execution speed and rely heavily on run-time random number generators. By contrast, internally encoded implementations of block ciphers offer an alternative approach that does not rely on run-time random sources, but it comes with the drawback of requiring substantial memory space to accommodate lookup tables. Internal encoding, commonly employed in white-box cryptography, suffers from a security limitation: it does not effectively protect the secret key against statistical analysis. To overcome this weakness, this paper introduces a secure internal encoding method for an AES implementation. By addressing the root cause of vulnerabilities found in previous encoding methods, we propose a balanced encoding technique that aims to minimize the problematic correlation with key-dependent intermediate values. We analyze the potential weaknesses associated with the balanced encoding and present a method that utilizes complementary sets of lookup tables. In this approach, the size of the lookup tables is approximately 512KB, and the number of table lookups is 1,024. This is comparable to the table size of non-protected white-box AES-128 implementations, while requiring only half the number of lookups. By adopting this method, our aim is to introduce a non-masking technique that mitigates the vulnerability to statistical analysis present in current internally-encoded AES implementations.
    Comment: 36 pages, 17 figures, submitte

    Improvement on a Masked White-box Cryptographic Implementation

    White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation has been suggested. However, each byte of the round output was not masked, only permuted by byte encodings. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptographic implementation in such a way as to protect against DCA variants by obfuscating the round output with random masks. Specifically, we implement a white-box AES implementation applying masking techniques to the key-dependent intermediate value and to several outer-round outputs. Our analysis and experimental results show that the proposed method can protect against DCA variants including DCA with a 2-byte key guess, collision and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES implementation.

    Alternative Tower Field Construction for Quantum Implementation of the AES S-box

    Grover’s search algorithm allows a quantum adversary to find a k-bit secret key of a block cipher by making O(2^{k/2}) block cipher queries. Resistance of a block cipher to such an attack is evaluated by the quantum resources required to implement Grover’s oracle for the target cipher. The quantum resources are typically estimated by the T-depth of its circuit implementation (time) and the number of qubits used by the circuit (space). Since the AES S-box is the only component which requires T-gates in the quantum implementation of AES, recent research has focused on efficient implementation of the AES S-box. However, any efficient implementation with low T-depth will not be practical in the real world without considering the qubit consumption of the implementation. In this work, we propose four methods of trade-off between time and space for the quantum implementation of the AES S-box. In particular, one of our methods turns out to use the smallest number of qubits among the existing methods, while significantly reducing its T-depth.

    On the Linear Transformation in White-box Cryptography

    Linear transformations are applied to white-box cryptographic implementations for their diffusion effect, to prevent key-dependent intermediate values from being analyzed. However, it has been shown that a correlation still exists between the values before and after the linear transformation, and thus this is not enough to protect the key against statistical analysis. So far, the Hamming weight of rows in the invertible matrix has been considered the main cause of the key leakage from the linear transformation. In this study, we present an in-depth analysis of the distribution of intermediate values and the characteristics of block invertible binary matrices. Our mathematical analysis and experimental results show that the balanced distribution of the key-dependent intermediate value is the main cause of the key leakage.

    A White-Box Cryptographic Implementation for Protecting against Power Analysis

    No full text

    Lightweight and Ultralightweight RFID Authentication Protocols for Low-Cost Tags

    No full text
    Counterfeiting is emerging as a serious threat to low-cost Radio Frequency Identification (RFID) tags. In addition, these RFID tags have engendered controversies on privacy due to their capability to provide unique identification. To solve these problems, sophisticated tags can engage in authentication protocols using standard cryptographic algorithms. However, low-cost tags lack the resources to implement these standard algorithms. So far, many studies have focused on implementing secure authentication protocols for low-cost tags. The protocols for low-cost tags can be classified into two classes: lightweight and ultralightweight. The lightweight protocols require a random number generator and simple functions such as a Cyclic Redundancy Checksum code but not a hash function, while the ultralightweight protocols involve only bitwise operations on the tag side. In the lightweight protocol class, HB+ is computationally efficient but is vulnerable to a simple man-in-the-middle (MITM) attack, called the GRS attack. Later, HB# improved HB+ against the GRS attack. While HB+ is a multi-round protocol, where each round consists of three passes, HB# is a single-round protocol consisting of three passes, and thus reduces communication costs between the tag and the reader. But HB# requires a relatively large amount of memory, hundreds of thousands of bits, for two shared secret matrices. More importantly, this protocol is also known to be vulnerable to a new type of MITM attack, called the OOV attack. In the ultralightweight protocol class, the Gossamer protocol, the most recently published protocol, involves too-heavyweight operations including modular additions and modulo operations with modulus 96. In this thesis, we propose HB-SK, which is an improved version of HB+. HB-SK is shown to be resistant to the GRS attack and also more lightweight than HB+. Next, we propose HB#-SK, which is an improved version of HB#. HB#-SK is shown to be resistant to the OOV attack. Finally, we also propose an ultralightweight RFID authentication protocol, called UFO. UFO is shown to be more lightweight than the conventional Gossamer protocol.

    One-Bit to Four-Bit Dual Conversion for Security Enhancement against Power Analysis

    No full text

    Characteristic Features of Stone-Wales Defects in Single-Walled Carbon Nanotube; Adsorption, Dispersion, and Field Emission

    No full text
    Adsorption behaviors of dodecanethiol (C12H25SH) molecules are investigated on the surface of single-walled carbon nanotubes (SWCNTs) with vibrational and X-ray photoelectron spectrometers. The active adsorption sites are shown to be Stone-Wales (SW) defects (5–7 ring defects). The SW-defect-removed SWCNTs, formed by reacting nanotubes with allyl acrylate molecules, are compared with pristine SWCNTs in dispersion and field emission. The former show higher dispersion and field emission than the latter.