Clustering Algorithms for Non-profiled Single-Execution Attacks on Exponentiations

Heyszl, Johann; Ibing, Andreas; Mangard, Stefan; Santis, Fabrizio De; Sigl, Georg

doi:10.1007/978-3-319-08302-5_6

Cited by 48 publications

(30 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Montgomery's ladder [41], Joye's regular algorithms [33], and other algorithms, where for-loops iterate only on non-static values, are not vulnerable because there is no static T that would be used in Ψ which is required by our attacks. However, other similar types of single-trace attacks have recently identified similar weaknesses also in such algorithms (e.g., [4,5,31]). …”

Section: Preliminariesmentioning

confidence: 99%

“…Clustering has been previously used in side-channel attacks on ECC by Heyszl et al in [31]. They used it for launching an attack without any profile about the device (a hardware implementation) by clustering repeating patterns in a power trace; i.e., they would cluster the entire trace of Ψ .…”

Section: Clustering Attack With Unknown Precomputationsmentioning

confidence: 99%

“…Another trend of attacks uses clustering algorithms to launch a single-trace attack on ECC. A clustering attack was shown to break an ECC hardware implementation without any profiling or leakage models by Heyszl et al [31]; Sprecht et al [49] later improved this attack. In addition to these, also local electromagnetic measurements have been shown to offer means to launch successful single-trace attacks, e.g., by Heyszl et al [32].…”

Section: Introductionmentioning

confidence: 99%

“…Such algorithms have been recently used for side-channel protected lightweight hardware implementations, e.g., in [47,48] as well as fast software, e.g., in [14]. In the light of new advanced single-trace attacks, there have been doubts about the security offered by these algorithms (see, e.g., [3,31,47]). …”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Järvinen

Balasch

2017

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Abstract. Single-trace side-channel attacks are a serious threat to elliptic curve cryptography in practice because they can break also cryptosystems where scalars are nonces (e.g., ECDSA). Previously it was believed that single-trace attacks can be avoided by using scalar multiplication algorithms with regular patterns of operations but recently we have learned that they can be broken with correlation tests to decide whether different operations share common operands. In this work, we extend these attacks to scalar multiplication algorithms with precomputations. We show that many algorithms are vulnerable to our attack which correlates measurements with precomputed values. We also show that successful attacks are possible even without knowledge of precomputed values by using clustering instead of correlations. We provide extensive evidence for the feasibility of the attacks with simulations and experiments with an 8-bit AVR. Finally, we discuss the effectiveness of certain countermeasures against our attacks.

show abstract

Section: Preliminariesmentioning

confidence: 99%

Section: Clustering Attack With Unknown Precomputationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Järvinen

Balasch

2017

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

show abstract

“…In [18], unsupervised learning has been presented to demonstrate the efficiency of localized EM attacks on exponentiations using a kmeans clustering algorithm to differentiate the attacked samples. Their attack is performed on an ECC [27] implementation over a binary field using Lopez-Dahab coordinates [26].…”

Section: Introductionmentioning

confidence: 99%

Attacking Randomized Exponentiations Using Unsupervised Learning

Perin

Imbert

Torres

et al. 2014

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

Abstract. Countermeasures to defeat most of side-channel attacks on exponentiations are based on randomization of processed data. The exponent and the message blinding are particular techniques to thwart simple, collisions, differential and correlation analyses. Attacks based on a single (trace) execution of exponentiations, like horizontal correlation analysis and profiled template attacks, have shown to be efficient against most of popular countermeasures. In this paper we show how an unsupervised learning can explore the remaining leakages caused by conditional control tests and memory addressing in a RNS-based implementation of the RSA. The device under attack is protected with the exponent blinding and the leak resistant arithmetic. The developed attack combines the leakage of several samples over the segments of the exponentiation in order to recover the entire exponent. We demonstrate how to find the points of interest using trace pre-processing and clustering algorithms. This attack can recover the exponent using a single trace.

show abstract

Crucial pitfall of DPA Contest V4.2 implementation

Martinásek

Iglesias

Malina

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

Differential power analysis (DPA) is a powerful side‐channel key recovery attack that efficiently breaks cryptographic algorithm implementations. In order to prevent these types of attacks, hardware designers and software programmers make use of masking and hiding techniques. DPA contest is an international framework that allows researchers to compare their power analysis attacks under the same conditions. The latest version of DPA contest, denoted as V4.2, provides an improved implementation of the rotating S‐box masking scheme where low‐entropy boolean masking is combined with the shuffling technique to protect Advanced Encryption Standard implementation on a smart card. The improvements were designed based on the awareness of implementation lacks analyzed from attacks carried out during the previous DPA contest V4. Therefore, this new approach is devised to resist most of the proposed attacks to the original rotating S‐box masking implementation. In this paper, we investigate the security of this new implementation in practice. Our analysis, focused on exploiting the first‐order leakage, discovered important lacks. The main vulnerability observed is that an adversary can mount a standard DPA attack aimed at the S‐box output in order to recover the whole secret key even when a shuffling technique is used. We tested this observation on a public dataset and implemented a successful attack that revealed the secret key using only 35 power traces. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

Clustering Algorithms for Non-profiled Single-Execution Attacks on Exponentiations

Cited by 48 publications

References 24 publications

Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Attacking Randomized Exponentiations Using Unsupervised Learning

Crucial pitfall of DPA Contest V4.2 implementation

Contact Info

Product

Resources

About