Exploiting Small Leakages in Masks to Turn a Second-Order Attack into a First-Order Attack and Improved Rotating Substitution Box Masking with Linear Code Cosets.
Bottom Line: We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Finally, we specify a method to enhance the countermeasure by selecting a suitable coset of the mask set.
Affiliation: New York University, New York, NY 10012, USA.
Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box recomputation schemes but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low entropy masking scheme and recovers the masks with 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment or with a reduced number of leakage points. Finally, we specify a method to enhance the countermeasure by selecting a suitable coset of the mask set.
Mentions: The next step is to launch a modified CPA attack on the subtraces in V. Since we do not know in which order the masks were loaded, we guess every combination, as shown in the 16 × 16 matrix $M = [\mathcal{M}_0 \cdots \mathcal{M}_{15}]^\top$. Each column of M corresponds to an offset applied to the base set of masks $\mathcal{M}_0$, where

$$M = \begin{bmatrix} m_0 & m_1 & m_2 & \cdots & m_{15} \\ m_1 & m_2 & m_3 & \cdots & m_0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ m_{15} & m_0 & m_1 & \cdots & m_{14} \end{bmatrix}. \qquad (2)$$

We apply a Hamming weight power model $w_H(\cdot)$ to the mask matrix M, which is generally a good model for microprocessors [13, 27]. The hypothetical power consumption is $H = w_H(M)$. The next step is to compare the modeled power consumption with the measured power consumption. If we assume the power model to be linear, for example, Hamming weight or Hamming distance, a natural choice for the attack is the correlation coefficient. Correlation power analysis (CPA) evaluates the amount of correlation between a set of measured power traces T and a model of the key-dependent device leakage, L, and is calculated for every time sample. Pearson's correlation coefficient is calculated as $\rho(T, L) = \mathrm{cov}(T, L)/(\sigma_T \sigma_L)$; however, this can be difficult (or impossible) to compute, and so we instead use an estimate (where ) which is calculated as for the set of traces T (containing n traces $t_i$) and hypothetical power model L, containing n hypothetical power consumption values l. Wrong guesses for the key will have correlations close to 0, while the correct guess will have close to 1 (assuming the power model is accurate). We calculate , which leads to 16 correlation coefficients. Each correlation coefficient corresponds to a mask offset. By choosing the location where occurs, we can guess the offset. The overall procedure is exhibited in Algorithm 1. Using the offset guess, we can predict the S-Box output and deploy a CPA attack to recover the key.
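The offset-recovery step described above, as an added Python illustration that is not code from the paper: it builds the 16 × 16 rotation matrix of equation (2), applies the Hamming weight model $w_H$, correlates each constructed subtrace with every offset hypothesis, and takes the largest correlation as the offset guess. The mask values, the noise model and the helper names are assumptions made for the example; the same routine can be used by an evaluator to check how readily a candidate mask set gives away its rotation offset.

```python
import numpy as np

# Constructed example: a 16-byte low-entropy mask set. The values are assumptions
# for illustration, not taken from the paper; they are chosen so that the mask
# Hamming weights are not all equal, which is what the offset guess relies on.
BASE_MASKS = np.array([0x00, 0x0F, 0x36, 0x39, 0x53, 0x5C, 0x65, 0x6A,
                       0x95, 0x9A, 0xA3, 0xAC, 0xC6, 0xC9, 0xF0, 0xFF], dtype=np.uint8)

HW_TABLE = np.array([bin(v).count("1") for v in range(256)])


def mask_matrix(masks):
    """Eq. (2): row k is the base mask set rotated so that it starts at m_k."""
    return np.array([np.roll(masks, -k) for k in range(len(masks))])


def hypotheses(masks):
    """Hamming weight power model H = w_H(M), one row per offset hypothesis."""
    return HW_TABLE[mask_matrix(masks)].astype(float)


def correlations(subtrace, H):
    """Pearson correlation between one 16-sample subtrace and every row of H."""
    t = subtrace - subtrace.mean()
    h = H - H.mean(axis=1, keepdims=True)
    return (h @ t) / (np.linalg.norm(h, axis=1) * np.linalg.norm(t))


def recover_offset(subtrace, H):
    """Offset guess: the hypothesis row with the largest correlation."""
    return int(np.argmax(correlations(subtrace, H)))


def simulate_subtrace(masks, offset, sigma, rng):
    """Constructed leakage: the masks are loaded starting at 'offset', and each
    load leaks the Hamming weight of the byte plus Gaussian noise of std sigma."""
    loaded = np.roll(masks, -offset)
    return HW_TABLE[loaded] + rng.normal(0.0, sigma, size=len(masks))


def success_rate(masks, n_traces=200, sigma=0.5, seed=1):
    """Fraction of simulated subtraces whose offset is recovered correctly."""
    rng = np.random.default_rng(seed)
    H = hypotheses(masks)
    hits = 0
    for _ in range(n_traces):
        offset = int(rng.integers(len(masks)))
        guess = recover_offset(simulate_subtrace(masks, offset, sigma, rng), H)
        hits += int(guess == offset)
    return hits / n_traces
```

Raising `sigma` in `success_rate` shows how the offset guess degrades as the noise grows, which is the noisy-environment question the abstract raises.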