Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection

Bogdanov, Andrey; Kizhvatov, Ilya; Pyshkin, Andrey

doi:10.1007/978-3-540-89754-5_20

Cited by 33 publications

(31 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figures (5,6,7,8) illustrate the spreading of the obtained Pearson's coefficient around the mean value. This variance gives us information about the amount of trust we can put into the mean values.…”

Section: Methodsmentioning

confidence: 99%

“…In Figs. (5,6,7,8), we plot estimations of the mean and variance ofρ 0,t (τ ) andρ 1,t (τ ) for several pairs (τ, t). Clearly, the efficiency of the attack described in Sect.…”

Section: Methodsmentioning

confidence: 99%

“…This led us to approximate the distribution of the coefficientsρ 0,t (τ ) andρ 1,t (τ ) by a Gaussian distribution with mean and variance estimated in the Hamming weight model (as given in Figs. 5,6,7,8). Attacks reported in Figs.…”

Section: Methodsmentioning

confidence: 99%

“…Such attacks require the use of a statistical tool, also known as a distinguisher, together with a leakage model to compare hypotheses with real traces (each one related to known or chosen inputs). The latter constraint may however be relaxed thanks to the so-called collision attacks [32] which aim at detecting the occurrences of colliding values during a computation, that can be linked to the secret [8,14,30,31]. In order to counteract all those attacks, randomization techniques can be implemented (e.g.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Horizontal Collision Correlation Attack on Elliptic Curves

Bauer

Jaulmes

Prouff

et al. 2014

Selected Areas in Cryptography -- SAC 2013

View full text Add to dashboard Cite

Abstract. Elliptic curves based algorithms are nowadays widely spread among embedded systems. They indeed have the double advantage of providing efficient implementations with short certificates and of being relatively easy to secure against side-channel attacks. As a matter of fact, when an algorithm with constant execution flow is implemented together with randomization techniques, the obtained design usually thwarts classical side-channel attacks while keeping good performances. Recently, a new technique that makes some randomizations ineffective, has been successfully applied in the context of RSA implementations. This method, related to a so-called horizontal modus operandi, introduced by Walter in 2001, turns out to be very powerful since it only requires leakages on a single algorithm execution. In this paper, we combine such kind of techniques together with the collision correlation analysis, introduced at CHES 2010 by Moradi et al., to propose a new attack on elliptic curves atomic implementations (or unified formulas) with input randomization. We show how it may be applied against several state-of-the art implementations, including those of Chevallier-Mames et al., of Longa and of Giraud-Verneuil and also Bernstein and Lange for unified Edward's formulas. Finally, we provide simulation results for several sizes of elliptic curves on different hardware architectures. These results, which turn out to be the very first horizontal attacks on elliptic curves, open new perspectives in securing such implementations. Indeed, this paper shows that two of the main existing countermeasures for elliptic curve implementations become irrelevant when going from vertical to horizontal analysis.

show abstract

Section: Methodsmentioning

confidence: 99%

“…In Figs. (5,6,7,8), we plot estimations of the mean and variance ofρ 0,t (τ ) andρ 1,t (τ ) for several pairs (τ, t). Clearly, the efficiency of the attack described in Sect.…”

Section: Methodsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Horizontal Collision Correlation Attack on Elliptic Curves

Bauer

Jaulmes

Prouff

et al. 2014

Selected Areas in Cryptography -- SAC 2013

View full text Add to dashboard Cite

show abstract

“…In fact, the most noticeable exceptions attempting to better exploit computational power in physical attacks are based on advanced techniques, e.g. exploiting the detection of collisions [5,18,31,32], or taking advantage of algebraic cryptanalysis [6,23,27,28], of which the practical relevance remains an open question (because of stronger assumptions). But as again suggested by previous works in statistical cryptanalysis, optimal key ranking procedures would be a more direct approach in order to better trade data and time complexities in "standard" side-channel attacks.…”

Section: Introductionmentioning

confidence: 99%

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Veyrat-Charvillon

Gérard

Renauld

et al. 2013

Lecture Notes in Computer Science

103

View full text Add to dashboard Cite

Abstract. Methods for enumerating cryptographic keys based on partial information obtained on key bytes are important tools in cryptanalysis. This paper discusses two contributions related to the practical application and algorithmic improvement of such tools. On the one hand, we observe that modern computing platforms allow performing very large amounts of cryptanalytic operations, approximately reaching 2 50 to 2 60 block cipher encryptions. As a result, cryptographic key sizes for such ciphers typically range between 80 and 128 bits. By contrast, the evaluation of leaking devices is generally based on distinguishers with very limited computational cost, such as Kocher's Differential Power Analysis. We bridge the gap between these cryptanalytic contexts and show that giving side-channel adversaries some computing power has major consequences for the security of leaking devices. For this purpose, we first propose a Bayesian extension of non-profiled side-channel attacks that allows us to rate key candidates in function of their respective probabilities. Next, we investigate the impact of key enumeration taking advantage of this Bayesian formulation, and quantify the resulting reduction in the data complexity of the attacks. On the other hand, we observe that statistical cryptanalyses usually try to reduce the number and size of lists corresponding to partial information on key bytes, in order to limit the time and memory complexity of the key enumeration. Quite surprisingly, few solutions exist that allow an efficient merging of large lists of subkey candidates. We provide a new deterministic algorithm that significantly reduces the number of keys to test in a divide-and-conquer attack, at the cost of limited (practically tractable) memory requirements. It allows us to optimally enumerate key candidates from any number of (possibly redundant) lists of any size, given that the subkey information is provided as probabilities. As an illustration, we finally exhibit side-channel cryptanalysis experiments where the correct key candidate is ranked up to position 2 32 , in which our algorithm reduces the number of keys to test offline by an average factor 2 5 and a factor larger than 2 10 in the worst observed cases, compared to previous solutions. We also suggest examples of statistical attacks in which the new deterministic algorithm would allow improved results.

show abstract

Side Channel Assessment Platforms and Tools for Ubiquitous Systems

Fournaris

Moschos

Sklavos

2021

Security of Ubiquitous Computing Systems

View full text Add to dashboard Cite

Side Channel Attacks are nowadays considered a serious risk for many security products and ubiquitous devices. Strong security solution providers need to evaluate their implementations against such attacks before publishing them on the market, thus performing a thorough assessment. However, this procedure is not straightforward and even with the appropriate equipment, it may require considerable time to provide results due to the slow process of collecting measurements (traces) and the inflexible way of controlling the tested implementation. In this chapter, we explore and overview the trace collection landscape for generic devices under test (including ubiquitous systems) highlighting and overviewing the latest trace collection toolsets and their shortcomings, but also proposing a trace collection approach that can be applied on the most recent, open source toolsets. We showcase our proposed approach on the FlexLeco project architecture, which we have developed in our lab, and manage to practically describe how an evaluator using the proposed methodology can collect traces easily and quickly without the need to completely redesign a control mechanism for the implementation under test.

show abstract

Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection

Cited by 33 publications

References 5 publications

Horizontal Collision Correlation Attack on Elliptic Curves

Horizontal Collision Correlation Attack on Elliptic Curves

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Side Channel Assessment Platforms and Tools for Ubiquitous Systems

Contact Info

Product

Resources

About