Abstract
It is widely believed that masking is an effective countermeasure against power analysis attacks: before an operation involving the key is performed in a cryptographic chip, the input to that operation is combined with a random value. This is supposed to prevent information leakage, since the input to the operation is then random.
We show that this belief may be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, so masking actually helps the attacker in the case where the plaintext cannot be controlled. It can be applied to any round of the encryption. Even with moderate accuracy in measuring power consumption it explicitly determines subkey bits. The attack combines classical power analysis (over Hamming weights) with the strategy of the saturation attack, carried out on a random sample.
We conclude that addition must be implemented very carefully in cryptographic devices, as it may leak the secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the use of addition may be a serious danger.
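The mechanism behind the abstract, as an added illustration that is not code from the paper: if the adder input x is uniformly random, the output x + k (mod 2^n) is uniform as well, so the Hamming weight of either value alone says nothing about k; but the joint distribution of the pair (HW(x), HW(x + k)) over random x does depend on k. The script below assumes a Hamming-weight leakage model (power consumption proportional to the weight of the value written to a register, plus Gaussian noise) and attacks a hypothetical 8-bit addition with key 0x5A: it builds a template (the pair distribution) for every key hypothesis, scores observed traces by log-likelihood, and, in the spirit of the saturation strategy, uses a sample covering every input for the noise-free case and a random sample for the noisy case. The bit width, key, noise level, sample sizes and the maximum-likelihood ranking are the example's own choices, not necessarily the paper's exact procedure.

```python
"""Added illustration (not the paper's code) of a Hamming weight attack on
modular addition with an unknown, random input x: the output x + k is
uniform, but the pair (HW(x), HW(x + k)) is distributed differently for
different keys k, so observing both register writes ranks key hypotheses.
Assumptions (the example's own): n = 8 bits, leakage = Hamming weight of the
value written to a register plus Gaussian noise, key 0x5A, sigma, sample sizes."""
import math
import random
from collections import Counter

N_BITS = 8
MASK = (1 << N_BITS) - 1
KEYS = range(1 << N_BITS)


def hw(v: int) -> int:
    """Hamming weight (number of set bits)."""
    return bin(v).count("1")


def template(k: int) -> dict:
    """P[(HW(x), HW(x+k mod 2^n))] for uniform x, i.e. over the full (saturated) input set."""
    counts = Counter((hw(x), hw((x + k) & MASK)) for x in range(1 << N_BITS))
    return {pair: c / (1 << N_BITS) for pair, c in counts.items()}


# One template per key hypothesis, built once (256 x 256 additions).
TEMPLATES = [template(k) for k in KEYS]


def measure(x: int, k: int, sigma: float, rng):
    """One trace: (noisy) Hamming weights of the adder input x and of the output x+k."""
    s = (x + k) & MASK
    if sigma == 0.0:
        return hw(x), hw(s)
    return hw(x) + rng.gauss(0.0, sigma), hw(s) + rng.gauss(0.0, sigma)


def log_likelihood(traces, k: int, sigma: float) -> float:
    """Log-probability of the observed traces if the key were k.
    sigma == 0: exact lookup in the template; otherwise a Gaussian mixture over it."""
    t = TEMPLATES[k]
    total = 0.0
    for m_in, m_out in traces:
        if sigma == 0.0:
            p = t.get((int(round(m_in)), int(round(m_out))), 0.0)
        else:
            p = sum(prob * math.exp(-((m_in - hi) ** 2 + (m_out - ho) ** 2)
                                    / (2.0 * sigma * sigma))
                    for (hi, ho), prob in t.items())
        if p == 0.0:
            return -math.inf          # hypothesis k can never produce this pair: rejected
        total += math.log(p)
    return total


def rank_keys(traces, sigma: float):
    """Return (keys with the best score, all scores). With a noise-free sample that
    covers every input, the true key is always among the best (Gibbs' inequality)."""
    scores = [log_likelihood(traces, k, sigma) for k in KEYS]
    best = max(scores)
    return [k for k in KEYS if scores[k] == best], scores


def saturation_traces(k: int):
    """Noise-free trace for every input x exactly once: the ideal saturated sample."""
    return [measure(x, k, 0.0, None) for x in range(1 << N_BITS)]


def random_traces(k: int, count: int, sigma: float, seed: int = 1):
    """Noisy traces for `count` uniformly random, uncontrolled (e.g. masked) inputs."""
    rng = random.Random(seed)
    return [measure(rng.randrange(1 << N_BITS), k, sigma, rng) for _ in range(count)]


if __name__ == "__main__":
    K = 0x5A                          # the secret addend under attack (example's choice)
    cands, _ = rank_keys(saturation_traces(K), 0.0)
    print("noise-free, every input once -> candidate keys:", [hex(c) for c in cands])
    sigma = 0.5
    cands, scores = rank_keys(random_traces(K, 400, sigma), sigma)
    top3 = sorted(KEYS, key=scores.__getitem__, reverse=True)[:3]
    print(f"sigma={sigma}, 400 random traces -> top-3 hypotheses:", [hex(k) for k in top3])
```

In the noise-free, saturated run every hypothesis whose template assigns zero probability to an observed pair is rejected outright; already the single input x = 0 yields the pair (0, HW(k)) and so eliminates every key of a different Hamming weight. With noise and a finite random sample the ranking is statistical: the true key is only likely, not guaranteed, to come out on top, and more traces (or a lower sigma) tighten the ranking. The attacker never chooses or learns x, which is exactly the situation a masked input produces.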
This research was initiated when the second author visited the University of Mannheim.
© 2002 Springer-Verlag Berlin Heidelberg
Gomułkiewicz, M., Kutyłowski, M. (2002). Hamming Weight Attacks on Cryptographic Hardware — Breaking Masking Defense. In: Gollmann, D., Karjoth, G., Waidner, M. (eds) Computer Security — ESORICS 2002. ESORICS 2002. Lecture Notes in Computer Science, vol 2502. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45853-0_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44345-2
Online ISBN: 978-3-540-45853-1