Abstract
We introduce a novel side-channel-based reverse engineering technique capable of reconstructing a procedure solely from inputs, outputs, and traces of execution. Beyond generic restrictions, we do not assume any prior knowledge of the procedure or the chip it operates on. These restrictions confine our analysis to 8-bit RISC constant-time software implementations. Specifically, we demonstrate with simulated traces the theoretical feasibility of reconstructing a symmetric cryptographic cipher, even in scenarios where traces are sampled with information loss and noise, such as when measuring the power consumption of the chip.
Data availability
The source code for the proof of concept can be found at https://gitlab.inria.fr/bbscare
Funding
This work was not supported by any grant.
Author information
Contributions
This is a joint work between R.L. and H.LB. They both devised the theory, wrote and reviewed the paper. R.L. is the main author of the proof of concept source code.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest. This work was done on the research time of the authors, in a tenure-equivalent position.
About this article
Cite this article
Lashermes, R., Le Bouder, H. Generic SCARE: reverse engineering without knowing the algorithm nor the machine. J Cryptogr Eng (2024). https://doi.org/10.1007/s13389-024-00356-2