Exploiting small leakages in masks to turn a second-order attack into a first-order attack

Alexander Detrano, Sylvain Guilley, Xiaofei Guo, Naghmeh Karimi, Ramesh Karri

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box re-computation schemes, but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low-entropy masking scheme and recovers the masks with a 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment, or with a reduced number of leakage points.

Original language: English (US)
Title of host publication: Hardware and Architectural Support for Security and Privacy, HASP 2015
Publisher: Association for Computing Machinery
Volume: 14-June-2015
ISBN (Print): 9781450334839
DOI: https://doi.org/10.1145/2768566.2768573
State: Published - Jun 14 2015
Event: 4th International Workshop on Hardware and Architectural Support for Security and Privacy, HASP 2015 - Portland, United States
Duration: Jun 14 2015 → …

Other

Other: 4th International Workshop on Hardware and Architectural Support for Security and Privacy, HASP 2015
Country: United States
City: Portland
Period: 6/14/15 → …

Fingerprint

Masks
Cryptography
Entropy
Data storage equipment
Side channel attack

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Detrano, A., Guilley, S., Guo, X., Karimi, N., & Karri, R. (2015). Exploiting small leakages in masks to turn a second-order attack into a first-order attack. In Hardware and Architectural Support for Security and Privacy, HASP 2015 (Vol. 14-June-2015). [a7] Association for Computing Machinery. https://doi.org/10.1145/2768566.2768573
