Novel Leakage Against Realistic Masking and Shuffling Countermeasures

Case Study on PRINCE and SEED
  • Yoo-Seung Won
  • Aesun Park
  • Dong-Guk Han
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10779)


It is often considered reasonable to combine first-order Boolean masking and shuffling countermeasures. However, shuffling countermeasures can sometimes be applied only to some rounds to improve performance. Herein, we define combinations of partial shuffling and masking countermeasures as restricted shuffling and masking countermeasures.

Moreover, we propose a novel leakage on restricted shuffling and masking countermeasures that has a low attack complexity and a small correlation-reduction factor. Our novel leakage ignores the confusion layer, so that shuffling does not increase the attack complexity. To reduce the complexity, we can confirm a partial correlation between the diffusion-layer and confusion-layer outputs. We show that our proposal, which exploits this fact, offers an overwhelming advantage compared with existing attacks when applied to the PRINCE and SEED block ciphers. Furthermore, we demonstrate the effectiveness of our proposed scheme using both simulated and realistic traces. In simulations, the number of traces required was reduced by up to 95%. When attacking a realistic device, a few traces were enough to recover the correct key, whereas existing attacks failed to reveal the correct key.
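The abstract refers to the baseline the paper improves on: first-order Boolean masking defeats first-order CPA, a second-order (centered-product) CPA recovers the key again, and shuffling the order of the S-box computations divides the attacker's correlation by the number of shuffled positions (the "correlation-reduction factor"). The following simulation, which is an added example and not code from the paper, reproduces that baseline so an evaluator can see the two effects on constructed traces; it does not implement the paper's own leakage on the diffusion/confusion layers. Assumed: a Hamming-weight plus Gaussian-noise leakage model, one output mask shared by all S-box positions, the PRINCE 4-bit S-box as a representative nibble S-box, and a constructed secret key `KEY`; the function names are the example's own.

```python
import random

# PRINCE 4-bit S-box from the PRINCE specification; any bijective nibble S-box
# would do, the evaluation logic does not depend on which one.
SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1, 0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]
HW = [bin(x).count("1") for x in range(16)]

# Constructed secret key nibbles, one per S-box position (not from the paper).
KEY = [0x5, 0xA, 0x3, 0xC]


def simulate_traces(n, shuffle_d, noise_sd, rng, key=KEY):
    """Simulate n traces of one masked and shuffled nibble S-box layer.

    Assumed leakage model: every intermediate leaks its Hamming weight plus
    Gaussian noise.  Sample 0 leaks the output mask m; samples 1..shuffle_d
    leak the masked outputs S(p_i ^ k_i) ^ m of shuffle_d nibbles, processed
    in a fresh random order on every trace (the shuffling countermeasure).
    """
    traces = []
    for _ in range(n):
        pts = [rng.randrange(16) for _ in range(shuffle_d)]
        m = rng.randrange(16)                   # fresh first-order Boolean mask
        order = list(range(shuffle_d))
        rng.shuffle(order)                      # random processing order
        samples = [HW[m] + rng.gauss(0.0, noise_sd)]
        for i in order:
            v = SBOX[pts[i] ^ key[i]] ^ m       # masked S-box output
            samples.append(HW[v] + rng.gauss(0.0, noise_sd))
        traces.append((pts, samples))
    return traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def first_order_points(traces):
    """First-order evaluation: use the first S-box time slot as it is."""
    return [s[1] for _, s in traces]


def second_order_points(traces):
    """Second-order evaluation: centered product of mask leakage and first S-box slot."""
    a = [s[0] for _, s in traces]
    b = [s[1] for _, s in traces]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    return [(x - ma) * (y - mb) for x, y in zip(a, b)]


def cpa(traces, points, target=0):
    """Rank the 16 hypotheses for key nibble `target` by |Pearson correlation|
    between the model HW(S(p ^ k')) and the chosen points."""
    scores = {}
    for k in range(16):
        model = [HW[SBOX[pts[target] ^ k]] for pts, _ in traces]
        scores[k] = pearson(model, points)
    ranking = sorted(range(16), key=lambda k: -abs(scores[k]))
    return ranking, scores


def run_experiment(n, shuffle_d, noise_sd, seed):
    """Correlation of the correct key under first- and second-order CPA."""
    rng = random.Random(seed)
    traces = simulate_traces(n, shuffle_d, noise_sd, rng)
    _, s1 = cpa(traces, first_order_points(traces))
    rank2, s2 = cpa(traces, second_order_points(traces))
    return {"first_order_rho": s1[KEY[0]],
            "second_order_rank": rank2,
            "second_order_rho": s2[KEY[0]]}


if __name__ == "__main__":
    for d in (1, 2, 4):
        r = run_experiment(n=8000, shuffle_d=d, noise_sd=0.5, seed=d)
        print(f"shuffle over {d} position(s): 1st-order rho={r['first_order_rho']:+.3f}, "
              f"2nd-order rho={r['second_order_rho']:+.3f}, "
              f"top hypothesis={r['second_order_rank'][0]:#x}")
```

Two details worth knowing when reading the output: under the Hamming-weight model the centered product has conditional mean 1 - HW(v)/2 for a 4-bit value v, so the correct key shows a negative correlation and the ranking must use the absolute value; and with D shuffled positions the correct key only sits in the evaluated time slot on 1/D of the traces, so its second-order correlation drops by a factor of D while the first-order correlation stays at zero whatever D is.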


Keywords: Shuffling, Masking, Second-order correlation power analysis, PRINCE, SEED



This work was supported by the Institute for Information and Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. 20170005200011001, Development of SCR-Friendly Symmetric Key Cryptosystem and Its Application Modes).



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Department of Financial Information Security, Kookmin University, Seoul, Korea
  2. Department of Information Security, Cryptology, and Mathematics, Kookmin University, Seoul, Korea
