Abstract
Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box recomputation schemes but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low-entropy masking scheme and recovers the masks with a 91% success rate. Recovering the secret key requires at least two orders of magnitude fewer power traces than a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment or with a reduced number of leakage points. Finally, we specify a method to enhance the countermeasure by selecting a suitable coset of the mask set.
Highlights
A cryptographic algorithm was considered secure if it withstood classical linear and differential cryptanalysis
The Advanced Encryption Standard (AES) is the standard symmetric key encryption specified by the National Institute of Standards and Technology (NIST)
We show that the state-of-the-art mask-extraction attack [20] on S-Box precomputation can be retargeted towards a masked AES implementation
Summary
A cryptographic algorithm was considered secure if it withstood classical linear and differential cryptanalysis. A side-channel attack exploits physical characteristics of a device in order to recover secret information, such as the encryption key. Power dissipation and electromagnetic (EM) emanation side-channel attacks are of particular concern because of their low implementation cost, ease of use, and effectiveness in extracting secret information [1]. The Advanced Encryption Standard (AES) is the standard symmetric key encryption specified by the National Institute of Standards and Technology (NIST) [2] and is included in ISO/IEC 18033-3:2010 [3]. It is widely used in electronic systems such as automated teller machines, telecommunications, and virtual private networks. If AES is not carefully implemented, side-channel attacks can leak the secret key [1, 4, 5, 6, 7, 8].