How Far Can We Reach? Breaking RSM-Masked AES-128 Implementation Using Only One Trace
نویسندگان
چکیده
Rotating Sbox Masking (RSM) scheme is a lightweight and highly efficient first-order masking scheme proposed to protect cryptographic implementations like AES from side channel attacks. It is a Low Entropy Masking Scheme (LEMS) and has attracted special attention from academia and industry with its low overhead and high performance. The two public targets of DPA Contest v4 are both RSM-masked AES implementations, specifically, AES-256 (namely RSM-AES-256) for v4.1 and AES-128 (namely RSM-AES-128) for v4.2 respectively. The security of RSM-AES-256 was intensively studied by researchers worldwide under the framework of DPA Contest and several flaws were identified. Its improved version is RSM-AES-128, in which several pitfalls of RSM-AES-256 were fixed. However, the practical security of RSM-AES-128 is still not thoroughly studied. In this paper, we focus on analyzing the practical security of RSM-AES-128 from a profiling attack point of view. Specifically, we firstly present a Multivariate Template Attack (MTA) to maximize the success rates of key recovery. Next, we propose a new Depth-First Key Enumeration Algorithm (DFKEA) that could be applied to find the correct key efficiently after a side channel attack. By combining the DFKEA to our MTA, we propose a novel multivariate profiling attack scheme which could recover the secret key of RSM-AES-128 with over 95% possibility only using one trace. It is the best attack among all attacks submitted to DPA Contest Official up to now. After thoroughly analyzed our attack scheme and RSM-AES-128, we finally present two proposals to improve the practical security of this implementation at an acceptable overhead and performance loss.
منابع مشابه
Pushing the Limits: A Very Compact and a Threshold Implementation of AES
Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. This is to the best of our knowledge the smallest implementation reported so far. Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attac...
متن کاملCorrelation-Enhanced Power Analysis Collision Attack
Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementation of the AES which ...
متن کاملNovel Impossible Differential Cryptanalysis of Zorro Block Cipher
Impossible difference attack is a powerful tool for evaluating the security of block ciphers based on finding a differential characteristic with the probability of exactly zero. The linear layer diffusion rate of a cipher plays a fundamental role in the security of the algorithm against the impossible difference attack. In this paper, we show an efficient method, which is independent of the qua...
متن کاملEnhanced Flush+Reload Attack on AES
In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementat...
متن کاملFully Pipelined High Speed SB and MC of AES Based on FPGA
Abstract: A new implementation scheme of high speed mixcolumn based on sharing the use of sbox is introduced in this paper. The single MC (mixcolumn) shares the single SB(sbox-subbyte) based on the time slot. For each time slot SB and MC performed parallelly. Earlier they use 16 individual sbox for each input. In our paper, we introduce sharing concept of sbox which can eliminate the use of 16 ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2017 شماره
صفحات -
تاریخ انتشار 2017