Side-Channel Analysis of Keymill

@article{Dobraunig2017SideChannelAO,
  title={Side-Channel Analysis of Keymill},
  author={Christoph Dobraunig and Maria Eichlseder and Thomas Korak and Florian Mendel},
  journal={IACR Cryptol. ePrint Arch.},
  year={2017},
  volume={2016},
  pages={793}
}
One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes on the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the re-keying function has to withstand both simple power analysis (SPA) and DPA. Recently, at SAC 2016, Taha et al. proposed Keymill, a side-channel… 

Fresh re-keying with strong PUFs: A new approach to side-channel security

TLDR
This work proposes a novel approach to fresh re-keying that replaces the arithmetic key update function with a strong Physically Unclonable Function (PUF) and shows that SCA-PUF is resistant to simple power analysis and that it is resilient to a modeling attack that uses machine learning on the power side-channel.

DAPA: Differential Analysis aided Power Attack on (Non-)Linear Feedback Shift Registers (Extended version)

TLDR
This work generalises their methodology and combines it with differential analysis, in an approach called differential analysis aided power attack (DAPA), to uncover more bit relations and to take into account the linear or non-linear functions that feed back into the shift registers (i.e. LFSRs or NLFSRs).

Stateless leakage resiliency from NLFSRs

TLDR
This paper follows the second approach to design a stateless leakage resilient function using non-linear feedback shift registers (NLFSRs) and shows that the uncertainty on an n-bit key after any SCA attack exceeds n/2 bits, the birthday boundary, and can approach n bits, the brute-force boundary.

Comparing Sboxes of ciphers from the perspective of side-channel attacks

TLDR
This paper analyses the non-linear part (called Sboxes) of ciphers, which is often targeted by implementation attacks, and demonstrates that the theoretical metrics provide no information on the resiliency of the Sboxes against side-channel attacks.

Some Applications of Hamming Weight Correlations

TLDR
This work revisits the tight correlation between the Hamming Weight and the observed power consumption of an algorithm and shifts its attention to a masked implementation of AES, specifically the secAES proposal put forward by the French National Cybersecurity Agency that concisely combines several side-channel countermeasure techniques.

Survey on the Effectiveness of DAPA-Related Attacks against Shift Register Based AEAD Schemes

TLDR
The NIST Lightweight Cryptography (LWC) standardization process was initiated in August 2018 to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments, with the side-channel evaluation of the finalists being one of its main focuses.

References

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

TLDR
This paper presents a generic chosen-plaintext key-recovery attack on both fresh re-keying schemes to counter side-channel and fault attacks, and shows that if weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.

Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

TLDR
This paper extends the fresh re-keying scheme to n low-cost parties, examines the susceptibility of the scheme to algebraic SPA attacks, and implements the scheme on a common 8-bit microcontroller to show its efficiency in software.

Enhancing Side-Channel Analysis of Binary-Field Multiplication with Bit Reliability

TLDR
A new side-channel attack on binary-field multiplication as a re-keying function and multiplication in general, using template attacks and the simple algebraic structure of multiplication to decrease the attack runtime in cases with low-to-medium error probabilities.

Towards Sound Fresh Re-keying with Hard (Physical) Learning Problems

TLDR
This work proposes two new constructions that, for the first time, allow a more formal treatment of fresh re-keying, and reduces the security of the re-keying schemes to two building blocks that can be of independent interest.

Masking against Side-Channel Attacks: A Formal Security Proof

TLDR
It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.

LFSR Based Stream Ciphers Are Vulnerable to Power Attacks

TLDR
It is shown that the state of an n-bit LFSR can be determined by making O(n) power measurements, and that neither the primitive polynomial nor the value of n needs to be known to the adversary launching the proposed attack.

An AES Smart Card Implementation Resistant to Power Analysis Attacks

TLDR
An efficient AES software implementation that is well suited for 8-bit smart cards and uses randomization to resist power analysis attacks; the results prove the theoretical assessment of the countermeasures to be correct.

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

TLDR
This paper proposes a fresh re-keying scheme that is especially suited for challenge-response protocols such as used to authenticate tags, and estimates the cost in terms of area and execution time for various security/performance trade-offs.

Secure Hardware Implementation of Non-linear Functions in the Presence of Glitches

TLDR
A recently introduced masking method which is based on secret sharing is discussed and results in implementations that are provably resistant against first-order side-channel attacks, even in the presence of glitches.

Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches

TLDR
A recently introduced masking method which is based on secret sharing and multi-party computation methods is discussed, which results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware.