Journal of Cryptographic Engineering

, Volume 4, Issue 4, pp 259–274 | Cite as

Practical improvements of side-channel attacks on AES: feedback from the 2nd DPA contest

  • Christophe Clavier
  • Jean-Luc Danger
  • Guillaume Duc
  • M. Abdelaziz Elaabid
  • Benoît Gérard
  • Sylvain Guilley
  • Annelie Heuser
  • Michael Kasper
  • Yang Li
  • Victor Lomné
  • Daisuke Nakatsu
  • Kazuo Ohta
  • Kazuo Sakiyama
  • Laurent Sauvage
  • Werner Schindler
  • Marc Stöttinger
  • Nicolas Veyrat-Charvillon
  • Matthieu Walle
  • Antoine Wurcker
Regular Paper

Abstract

Side-channel analyses constitute a major threat for embedded devices, because they allow an attacker to recover secret keys without the device being aware of the sensitive information theft. They have been proved to be efficient in practice on many deployed cryptosystems. Even during the standardization process for the AES, many scientists have raised the attention on the potential vulnerabilities against implementation-level attacks Chari et al. (A Cautionary Note Regarding Evaluation of AES Candidates on Smart-cards, 133–147, 1999). The evaluation of devices against side-channel attacks is now common practice, especially in ITSEFs. This procedure has even been formalized recently Standaert et al. (EUROCRYPT LNCS 5479:443–461, 2009). The framework suggests to estimate the leakage via an information theoretic metric, and the performance of real attacks thanks to either the success rates or the guessing entropy metrics. The DPA contests are a series of international challenges that allow researchers to improve existing side-channel attacks or develop new ones and compare their effectiveness on several reference sets of power consumption traces using a common methodology. In this article, we focus on the second edition of this contest, which targeted a FPGA-based implementation of AES. This article has been written jointly with several of the participants who describe their tactics used in their attacks and their improvements beyond the state of the art. In particular, this feedback puts to the fore some considerations seldom described in the scientific literature, yet relevant to increase the convergence rate of attacks. These considerations concern in particular the correction of acquisition defects such as the drifting side-channel leakage, the identification of the most leaking samples, the order in which subkeys are attacked, how to exploit subkeys that are revealed easily to help retrieve subkeys that leak less, and non-linear leakage models.

Keywords

SCA CPA Profiled attacks AES DPA contest Attacks metrics 

References

  1. 1.
    Brier, É., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: CHES, LNCS, vol. 3156, pp. 16–29. Springer: Cambridge (2004)Google Scholar
  2. 2.
    Chari, S., Jutla, C., Rao, J.R., Rohatgi, P.: A Cautionary Note Regarding Evaluation of AES Candidates on Smart-cards. In. In Second Advanced Encryption Standard (AES) Candidate Conference, pp. 133–147 (1999)Google Scholar
  3. 3.
    Chari, S., Rao, J.R., Rohatgi, P.: Template Attacks. In: CHES, LNCS, vol. 2523, pp. 13–28. Springer (2002). San Francisco Bay (Redwood City), USAGoogle Scholar
  4. 4.
    Elaabid, M.A., Guilley, S.: Practical Improvements of Profiled Side-Channel Attacks on a Hardware Crypto-Accelerator. In: AFRICACRYPT, LNCS, vol. 6055, pp. 243–260. Springer (2010). Stellenbosch, South Africa. doi:10.1007/978-3-642-12678-9_15
  5. 5.
    Eo, Y., Eisenstadt, W., Jeong, J.Y., Kwon, O.K.: A new on-chip interconnect crosstalk model and experimental verification for CMOS VLSI circuit design. Electron Dev. IEEE Trans. 47(1), 129–140 (2000)CrossRefGoogle Scholar
  6. 6.
    Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates versus Stochastic Methods. In: CHES, LNCS, vol. 4249, pp. 15–29. Springer: Yokohama (2006)Google Scholar
  7. 7.
    Heuser, A., Kasper, M., Schinder, W., Stöttinger, M.: How a Symmetry Metric Assists Side-Channel Evaluation—A Novel Model Verification Method for Power Analysis. In: 14th Euromicro Conference on Digital System Design Architectures, Methods and Tools (DSD 2011). IEEE (2011)Google Scholar
  8. 8.
    Heuser, A., Kasper, M., Schindler, W., Stöttinger, M.: A new difference method for side-channel analysis with high-dimensional leakage models. In: O. Dunkelman (ed.) CT-RSA, Lecture Notes in Computer Science, vol. 7178, pp. 365–382. Springer (2012)Google Scholar
  9. 9.
    Jolliffe, I.: Principal Component Analysis. Springer, London (1986)CrossRefGoogle Scholar
  10. 10.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: CRYPTO, LNCS, vol. 1666, pp. 388–397. Springer (1999)Google Scholar
  11. 11.
    Li, Y., Nakatsu, D., Li, Q., Ohta, K., Sakiyama, K.: Clockwise Collision Analysis - Overlooked Side-Channel Leakage Inside Your Measurements. Cryptology ePrint Archive, Report 2011/579 (2011). http://eprint.iacr.org/2011/579
  12. 12.
    Nakasone, T., Li, Y., Sasaki, Y., Iwamoto, M., Ohta, K., Sakiyama, K.: Key-Dependent Weakness of AES-Based Ciphers under Clockwise Collision Distinguisher. In: T. Kwon, M.K. Lee, D. Kwon (eds.) ICISC, Lecture Notes in Computer Science, vol. 7839, pp. 395–409. Springer (2012)Google Scholar
  13. 13.
    Nassar, M., Souissi, Y., Guilley, S., Danger, J.L.: “Rank Correction”: A New Side-Channel Approach for Secret Key Recovery. In: M. Joye, D. Mukhopadhyay, M. Tunstall (eds.) InfoSecHiComNet, Lecture Notes in Computer Science, vol. 7011, pp. 128–143. Springer (2011)Google Scholar
  14. 14.
    Nassar, M., Souissi, Y., Guilley, S., Danger, J.L.: RSM: a Small and Fast Countermeasure for AES, Secure against First- and Second-order Zero-Offset SCAs. In: DATE, pp. 1173–1178 (2012). Dresden, Germany. (TRACK A: “Application Design”, TOPIC A5: “Secure Systems”). On-line version: http://hal.archives-ouvertes.fr/hal-00666337/en
  15. 15.
    Nieuwland, A.K., Katoch, A., Meijer, M.: Reducing Cross-Talk Induced Power Consumption and Delay. In: E. Macii, O.G. Koufopavlou, V. Paliouras (eds.) Integrated Circuit and System Design, Power and Timing Modeling, Optimization and Simulation, Lecture Notes in Computer Science, vol. 3254, pp. 179–188. Springer (2004)Google Scholar
  16. 16.
    Paige, C.C., Saunders, M.A.: LSQR: an algorithm for sparse linear equations and sparse least squares. ACM Trans. Math. Softw. 8(1), 43–71 (1982). doi:10.1145/355984.355989 MathSciNetCrossRefMATHGoogle Scholar
  17. 17.
    Rivain, M.: On the Exact Success Rate of Side Channel Analysis in the Gaussian Model. In: Selected Areas in Cryptography, LNCS, vol. 5381, pp. 165–183. Springer: Sackville, New Brunswick (2008) Google Scholar
  18. 18.
    Satoh, A.: Side-channel Attack Standard Evaluation Board, SASEBO. Project of the AIST—RCIS (Research Center for Information Security), http://www.risec.aist.go.jp/project/sasebo/
  19. 19.
    Schindler, W., Lemke, K., Paar, C.: A Stochastic Model for Differential Side Channel Cryptanalysis. In: J.R. Rao, B. Sunar (eds.) CHES 2005, Lecture Notes in Computer Science, vol. 3659, pp. 30–46. Springer: Edinburgh (2005)Google Scholar
  20. 20.
    Standaert, F.X., Bulens, P., de Meulenaer, G., Veyrat-Charvillon, N.: Improving the Rules of the DPA Contest. Cryptology ePrint Archive, Report 2008/517 (2008). http://eprint.iacr.org/2008/517
  21. 21.
    Standaert, F.X., Malkin, T., Yung, M.: A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In: EUROCRYPT, LNCS, vol. 5479, pp. 443–461. Springer: Cologne (2009)Google Scholar
  22. 22.
    TELECOM ParisTech SEN research group: DPA Contest (2nd edn) (2009–2010). http://www.DPAcontest.org/v2/
  23. 23.
    Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.X.: An Optimal Key Enumeration Algorithm and its Application to Side-Channel Attacks. In: Selected Areas in Cryptography (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Christophe Clavier
    • 3
  • Jean-Luc Danger
    • 1
  • Guillaume Duc
    • 1
  • M. Abdelaziz Elaabid
    • 1
  • Benoît Gérard
    • 9
  • Sylvain Guilley
    • 1
  • Annelie Heuser
    • 1
  • Michael Kasper
    • 5
  • Yang Li
    • 2
  • Victor Lomné
    • 8
  • Daisuke Nakatsu
    • 2
  • Kazuo Ohta
    • 2
  • Kazuo Sakiyama
    • 2
  • Laurent Sauvage
    • 1
  • Werner Schindler
    • 6
  • Marc Stöttinger
    • 7
  • Nicolas Veyrat-Charvillon
    • 9
  • Matthieu Walle
    • 4
  • Antoine Wurcker
    • 3
  1. 1.CNRS LTCI, COMELEC labInstitut Mines-Télécom/Télécom ParisTechParis Cedex 13France
  2. 2.The University of Electro-CommunicationsTokyoJapan
  3. 3.XLIMUniversité de LimogesLimogesFrance
  4. 4.Thales CommunicationsParisFrance
  5. 5.Fraunhofer Institute for Secure Information, Center for Advanced Research DarmstadtDarmstadtGermany
  6. 6.Bundesamt für Sicherheit in der Informationstechnik (BSI), Center for Advanced Research DarmstadtBonn, DarmstadtGermany
  7. 7.Division of Mathematical SciencesNanyang Technological University/PACE Temasek LaboratoriesSingaporeSingapore
  8. 8.Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)ParisFrance
  9. 9.Université Catholique de LouvainLouvainBelgium

Personalised recommendations