The Myth of Generic DPA…and the Magic of Learning

Whitnall, Carolyn; Oswald, Elisabeth; Standaert, François‐Xavier

doi:10.1007/978-3-319-04852-9_10

Cited by 60 publications

(67 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, we investigate two important directions left open by Piret et al First, we observe that non-bijective S-boxes usually lead to simple non-profiled attacks (as their output directly gives rise to "meaningful leakage models" [59]). As recently shown by Whitnall et al, we even have a proof that generic (non-profiled) SCAs against bijective S-boxes cannot exist [61]. This naturally gives a strong incentive to consider bijective S-boxes in block ciphers that are purposed for masked implementations.…”

Section: Introductionmentioning

confidence: 70%

“…As one goal of this paper is to find an adequate trade-off between these conflicting goals, this section briefly summarizes the main cryptographic properties we will consider. As mentioned in introduction, we will focus in bijective S-boxes since (a) non-bijective S-boxes have already been investigated in [47] and (b) non-bijective S-boxes are more exposed to structural attacks [21,52] and also more sensitive to so-called generic (nonprofiled) SCAs [61]. We now recall some tools used for evaluating the resistance of S-boxes against linear, differential and algebraic attacks.…”

Section: A Backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Block Ciphers That Are Easier to Mask: How Far Can We Go?

Gérard

Grosso

Naya-Plasencia

et al. 2013

Lecture Notes in Computer Science

Self Cite

114

View full text Add to dashboard Cite

Abstract. The design and analysis of lightweight block ciphers has been a very active research area over the last couple of years, with many innovative proposals trying to optimize different performance figures. However, since these block ciphers are dedicated to low-cost embedded devices, their implementation is also a typical target for side-channel adversaries. As preventing such attacks with countermeasures usually implies significant performance overheads, a natural open problem is to propose new algorithms for which physical security is considered as an optimization criteria, hence allowing better performances again. We tackle this problem by studying how much we can tweak standard block ciphers such as the AES Rijndael in order to allow efficient masking (that is one of the most frequently considered solutions to improve security against side-channel attacks). For this purpose, we first investigate alternative Sboxes and round structures. We show that both approaches can be used separately in order to limit the total number of non-linear operations in the block cipher, hence allowing more efficient masking. We then combine these ideas into a concrete instance of block cipher called Zorro. We further provide a detailed security analysis of this new cipher taking its design specificities into account, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest). Eventually, we conclude the paper by evaluating the efficiency of masked Zorro implementations in an 8-bit microcontroller, and exhibit their interesting performance figures.

show abstract

Section: Introductionmentioning

confidence: 70%

Section: A Backgroundmentioning

confidence: 99%

Block Ciphers That Are Easier to Mask: How Far Can We Go?

Gérard

Grosso

Naya-Plasencia

et al. 2013

Lecture Notes in Computer Science

Self Cite

114

View full text Add to dashboard Cite

show abstract

“…The distance between CPA and NICV is, in non-information theoretic attacks (i.e., attacks in the proportional / ordinal scale, as opposed to the nominal scale [37]) similar to the distance between perceived information (PI) and mutual information (MI) [29]. Like CPA, NICV also achieves an asymptotically constant value, once the measurement set has reached a representative sample size.…”

Section: Rationale Of the Nicv Detection Techniquementioning

confidence: 99%

Side-channel leakage and trace compression using normalized inter-class variance

Bhasin

Danger

Guilley

et al. 2014

Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy

View full text Add to dashboard Cite

Security and safety critical devices must undergo penetration testing including Side-Channel Attacks (SCA) before certification. SCA are powerful and easy to mount but often need huge computation power, especially in the presence of countermeasures. Few efforts have been done to reduce the computation complexity of SCA by selecting a small subset of points where leakage prevails. In this paper, we propose a method to detect relevant leakage points in side-channel traces. The method is based on Normalized Inter-Class Variance (NICV). A key advantage of NICV over state-of-the-art is that NICV does neither need a clone device nor the knowledge of secret parameters of the crypto-system. NICV has a low computation requirement and it detects leakage using public information like input plaintexts or output ciphertexts only. It is shown that NICV can be related to Pearson correlation and signal to noise ratio (SNR) which are standard metrics. NICV can be used to theoretically compute the minimum number of traces required to attack an implementation. A theoretical rationale of NICV with some practical application on real crypto-systems are provided to support our claims.

show abstract

“…Therefore, optimal distinguishers for different scenarios should be tested [91]. Analyses based on the linear regression promise to be both efficient and flexible and should therefore be examined in more detail [181]. Moreover, not only generic, but also profiled attacks, which exploit information about the leakage distribution, should be conducted.…”

Section: Exploring the Full Attack Potentialmentioning

confidence: 99%

Why cryptography should not rely on physical attack complexity

Krämer

2016

It - Information Technology

View full text Add to dashboard Cite

Ich versichere an Eides statt, dass ich diese Dissertation selbständig verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Datum Für meine Eltern AbstractEver since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future.Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, have they already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.

show abstract

The Myth of Generic DPA…and the Magic of Learning

Cited by 60 publications

References 32 publications

Block Ciphers That Are Easier to Mask: How Far Can We Go?

Block Ciphers That Are Easier to Mask: How Far Can We Go?

Side-channel leakage and trace compression using normalized inter-class variance

Why cryptography should not rely on physical attack complexity

Contact Info

Product

Resources

About