Scan-Based Attack on Stream Ciphers: A Case Study on eSTREAM Finalists

“…In the most of papers [1,[10][11][12][13][14][15][16][17][18][19] discussing scan-based attacks, it has been assumed that the adversary has physical access to the crypto-chip and knows the used encryption algorithm, but he/she does not have information about the details of the scan chain structure. Accordingly, a successful scan-based attack needs two phases of (i) discovery of the scan chain structure, and (ii) extraction of secret keys.…”

“…By repeating these steps, the adversary will have a set of applied plain texts and a set of scanned out patterns. Analysing these two sets reveals a one-to-one [1,10,13,[15][16][17][18][19], or one-tomany [11,12,14] mapping between the chip primary inputs and cells of the scan chain. It is worthy of note that, this mapping is strictly required in order to do the second phase of a scan-based attack [1,11,21,24].…”

“…Several types of research have focused on the scan-based attacks on hardware implementations of famous encryption algorithms, e.g. Advanced Encryption Standard (AES) [10][11][12][13][14][15], Data Encryption Standard (DES) [1,12], Rivest-Shamir-Adleman (RSA) [12,16,17] and some stream ciphers such as e-Stream [18] and Trivium [19]. In contrast, various countermeasures such as key mirroring [10], on-chip comparison [20], dynamic scan chain [21], partial scan chain [22], access prevention to scan chain [23], round register masking [13], and scan chain obfuscation [24] have been proposed to cope with scan-based attacks.…”

Vulnerability modelling of crypto‐chips against scan‐based attacks

“…In the most of papers [1,[10][11][12][13][14][15][16][17][18][19] discussing scan-based attacks, it has been assumed that the adversary has physical access to the crypto-chip and knows the used encryption algorithm, but he/she does not have information about the details of the scan chain structure. Accordingly, a successful scan-based attack needs two phases of (i) discovery of the scan chain structure, and (ii) extraction of secret keys.…”

“…By repeating these steps, the adversary will have a set of applied plain texts and a set of scanned out patterns. Analysing these two sets reveals a one-to-one [1,10,13,[15][16][17][18][19], or one-tomany [11,12,14] mapping between the chip primary inputs and cells of the scan chain. It is worthy of note that, this mapping is strictly required in order to do the second phase of a scan-based attack [1,11,21,24].…”

“…Several types of research have focused on the scan-based attacks on hardware implementations of famous encryption algorithms, e.g. Advanced Encryption Standard (AES) [10][11][12][13][14][15], Data Encryption Standard (DES) [1,12], Rivest-Shamir-Adleman (RSA) [12,16,17] and some stream ciphers such as e-Stream [18] and Trivium [19]. In contrast, various countermeasures such as key mirroring [10], on-chip comparison [20], dynamic scan chain [21], partial scan chain [22], access prevention to scan chain [23], round register masking [13], and scan chain obfuscation [24] have been proposed to cope with scan-based attacks.…”

Vulnerability modelling of crypto‐chips against scan‐based attacks

“…Since the feedback in LFSR is given to s 15 register only and all remaining 15 shift registers being clocked with values of previous registers, attack could possibly be made. Many attacks related to LFSR are proposed in [4][5][6][9][10][11] which are scan-based attack, power analysis attack, algebraic attack, fast correlation attack, posing threat to algorithms especially based on producing stream ciphers.Attack related to cache-timing attack [3] is also there which have stream-ciphers as the target. According to it, on all word-based LFSR implementations that use lookup tables to speed up multiplications a full attack can be done making threat to algorithm.…”

Modifying LFSR of ZUC to Reduce Time for Key-Stream Generation

An Efficient Approach for Mitigating Covert Storage Channel Attacks in Virtual Machines by the Anti-Detection Criterion