Embed Size (px)
Citation preview
Research ArticleAnalysis of Software Implemented Low EntropyMasking Schemes
Dan Li12 Jiazhe Chen 2 An Wang 3 and Xiaoyun Wang 14
1 Institute for Advanced Study Tsinghua University Beijing 100084 China2China Information Technology Security Evaluation Center Beijing 100085 China3School of Computer Science Beijing Institute of Technology Beijing 100081 China4Key Laboratory of Cryptologic Technology and Information Security Ministry of Education Shandong UniversityJinan China
Correspondence should be addressed to Jiazhe Chen jiazhechengmailcomand Xiaoyun Wang xiaoyunwangmailtsinghuaeducn
Received 31 October 2017 Accepted 16 January 2018 Published 26 March 2018
Academic Editor Emanuele Maiorana
Copyright copy 2018 Dan Li et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Low Entropy Masking Schemes (LEMS) are countermeasure techniques to mitigate the high performance overhead of maskedhardware and software implementations of symmetric block ciphers by reducing the entropy of the mask sets The security ofLEMS depends on the choice of the mask sets Previous research mainly focused on searching balanced mask sets for hardwareimplementations In this paper we find that those balanced mask sets may have vulnerabilities in terms of absolute differencewhen applied in software implemented LEMS The experiments verify that such vulnerabilities certainly make the software LEMSimplementations insecure To fix the vulnerabilities we present a selection criterion to choose the mask sets When some feasiblemask sets are already picked out by certain searching algorithms our selection criterion could be a reference factor to help decideon a more secure one for software LEMS
1 Introduction
First introduced by Kocher [1] side channel attacks (SCA)can be used to evaluate the implementation security of cryp-tographic ciphers by analyzing the time the electromagneticradiation the power consumption and so on [2ndash6]
To resist SCA several valid countermeasures have beenproposed [7ndash10] Among those countermeasures maskingschemes are most popular and widely applied The main ideaof masking schemes is to make the side channel informationindependent of the sensitive data by randomizing the inter-mediate values In general first-order masking scheme anysensitive intermediate variable denoted by119885will be split intotwo shares so that 119885 = 1198780 oplus 1198781 where the randomly drawnvariable 1198780 is called the mask All the computations of thecryptographic algorithm are performed on the shared valuesindependently At the same time the sensitive data must berecovered by recombining the two shares For this purposeevery computation function 119891 of cryptographic algorithms
should be designed to satisfy 119891(119885) = 11987810158400 oplus 11987810158401 where 11987810158400 and11987810158401 are the new shares after the operation 119891 If 119891 is a linearoperation with respect to XOR then 11987810158400 = 119891(1198780) and 11987810158401 =119891(1198781) When 119891 is the substitution box (S-Box) some adjust-ment is necessary to make up for its nonlinear property Theadjusted S-Box function changes along with the value of themask whichmakes it hard to compute canceling the sensitiveintermediate value analyticallyTherefore precomputing andcaching the required masked S-Boxes are more relevant andefficient However if the mask is drawn randomly from 2119899possible masks too much memory is required to keep allthe possible masked S-Boxes To offer a reasonable solutionto balance the security protection and the performance ofimplementations Low Entropy Masking Schemes (LEMS)[10 11] are designed by limiting the amount of maskentropy
LEMS use the masks drawn from the limited mask setM = 1198981 1198982 119898119904 sub F1198992 whose mask entropy is log2(119904)The security of LEMS implementations should be guaranteed
HindawiSecurity and Communication NetworksVolume 2018 Article ID 7206835 8 pageshttpsdoiorg10115520187206835
2 Security and Communication Networks
in two aspects In the architecture aspect cryptographicalgorithms should carefully be implemented to avoid first-order leakage [12] Some countermeasure techniques such asshuffling [13] can also be combined to help defeat certainbivariate and higher order attacks [14ndash17] Another aspectis the chosen mask set which plays significant roles insecurity Some research studied how to select them forhardware implemented LEMS [11 18] The selection criterionof the mask sets considered finding secure mask sets undertwo important assumptions [19] The first one is that theattackers could only exploit the leakage of the masked value119885 oplus 119872 The second one is that the deterministic part ofthe leakage function 119897119885oplus119872 is linear in the bits of maskedvariable 119885 oplus 119872 such as Hamming weight function Underthose two conditions the main goal of selecting mask setsfor LEMS is to find balanced mask sets resistant to highorder univariate CPA (following the definition of [20] theattack combining 119899 different time instances is called 119899-variateattack and the 119899th order attack is the one with 119899th orderstatistical moments) Therefore making E((119897119885oplus119872)120572 | 119885)independent of intermediate 119885 is the selection criterion ofthe mask sets for the designer of the hardware counter-measures However we find it is not enough for softwareimplemented LEMS The absolute difference |119897119911oplus119898 minus 1198971199111015840oplus1198981015840 |may bring the unbalance to the intermediate pair (119911 1199111015840)which allows attackers to get the information of (119911 1199111015840) whenonly the leakages corresponding to the masked values areavailable
Our Contributions In this paper we study the unbalance interms of absolute difference on software Low Entropy Mask-ing Schemes (LEMS) implementations and make selectioncriterion for their mask sets
(i) We find that the mask sets selected according toselection criteria in [11 18] have the vulnerabili-ties based on the absolute difference measurementson software LEMS Such vulnerabilities make thesoftware LEMS implementations insecure when theleakages corresponding to themasked values could beexploited
(ii) To fix the vulnerabilities and make software LEMSimplementations resistant to high order univariateattacks we further extend the selection criterion ofbalanced mask sets Moreover we prove the perfectbalanced mask sets should not be linear and theircardinalities should satisfy certain conditions
(iii) When some feasible mask sets are already pickedout by searching algorithms like those in [11] ourselection criterion could be a reference factor to helpdecide on a more secure one from them
Organization The rest of the paper is organized as followsIn Section 2 we introduce the notations and some relatedbackground knowledge Section 3 presents vulnerabilitiesthat make the software LEMS insecure Section 4 provesthe necessary conditions that the balanced mask sets shouldsatisfy and discusses the selection methods of mask setsFinally Section 5 concludes the paper
2 Preliminaries
In this paper sets are denoted with calligraphic letters(eg M) We use capital letters (eg 119872) and lowercaseones (eg 119898) for random variables and their realizationsrespectivelyThroughout the paper119885 and1198851015840 are independentand uniformly distributed random variables representingintermediates 119872 and 1198721015840 are two independent randomvariables drawn from the uniform distribution in the masksetM
Let 119897120596 be the value of leakage measurements correspond-ing to the intermediate value 120596 120596 isin F1198992 To match withrealistic leakage functions in practice the widely appliedHamming weight leakage model is used during the choice ofthe mask sets in this paper Thus in software environments119897120596 = 120598HW[120596] + 120575 where 120598 is an unknown constant and120575 is the Gaussian distributed (N(0 1205902)) noise In hardwareenvironments 119897120596 = 120598HW[120596] (to describe the theories in [1118] more clearly we use the same no noise model here) Wefurther denote the absolute difference of two measurementscorresponding to the values 1205961 and 1205962 by |1198971205961 minus 1198971205962 |
Mean and variance are denoted byE andVar respectivelyLet 1198831 and 1198832 be two independent random variables and 119891be a certain function1198831 is randomly drawn fromXE(119891(11988311198832) | 1198831 = 1199091) is the conditional expectation when 1198831 = 1199091The variance among those conditional expectations is
Var (E (119891 (1198831 1198832) | 1198831)) = 1|X|sdot sum1199091isinX
(E (119891 (1198831 1198832) | 1198831 = 1199091) minus E (119891 (1198831 1198832)))2 (1)
which can measure the dispersion degree of E(119891(1198831 1198832) |1198831) Obviously when Var(E(119891(1198831 1198832) | 1198831)) = 0 thespecific value of 1198831 cannot be recognized according toE(119891(1198831 1198832) | 1198831)This property wasmainly applied by someworks [11 18] studying the selection criterion of mask sets forhardware LEMS Their theories are as follows
To defeat high order univariate CPA the value of interme-diate119885 should be independent of the statistic values of 119897119885oplus119872 =120598HW[119885 oplus 119872] Usually those statistics indicate 120572th momentsdenoted by E((120598HW[119885 oplus 119872])120572) Hence Var(E((120598HW[119885 oplus119872])120572 | 119885)) = 0 is the selection criterion The mask set is saidto resist univariate 119889th-order attacks if forall 1 le 120572 le 119889 120572 isin NVar(E((120598HW[119885 oplus119872])120572 | 119885)) = 0
The work in [11] proved that only 12 mask values aresufficient for 119889 = 2 when 119899 = 8 (M12 = 03 18 311986555 60 6119864 8119862 1198605 1198612 1198621198611198636 1198659) The work in [18] furtherstudied the linear code mask sets for different 119889 and 119899For example in [8 4 4] linear code mask set can reach thestandard of 119889 = 3 with 16 mask values when 119899 = 8 (likeM16 = 00 0119865 36 39 53 5119862 65 6119860 95 9119860 1198603 119860119862 1198626 11986291198650 119865119865 used in DPA Contest v4) The linear mask setM hasthe property that 119898119894 oplus 119898119895 isin M 119898119894 119898119895 isin M [21] We willdiscuss and use the property in the following sections
3 Vulnerabilities on Software LEMS
As stated in Section 2 the selection of the mask sets for hard-ware LEMS considers the balance between the intermediate
Security and Communication Networks 3
values119885 and the leakagemeasurements 119897119885oplus119872 to avoid leakingthe information of 119885 Nonetheless the unbalance of absolutedifference measurements |119897119885oplus119872 minus 1198971198851015840oplus1198721015840 | may leak the infor-mation of intermediate pair (119885 1198851015840) in software LEMS In thissection we will study (120572 represents the order with respect tothe absolute difference indeed the absolute difference itself isnot first order according to Taylor expansion [22] hence theorder with respect to the original leakage measurement hereis higher than 120572) E
(120572)
(1198851198851015840)= E(|119897119885oplus119872 minus 1198971198851015840oplus1198721015840 |120572 | 119885 1198851015840) 120572 =
1 2Theproofswill show thatE(2)(1198851198851015840)
is independent of (119885 1198851015840)if the mask set satisfies the hardware selection criterionVar(E(HW[119885 oplus 119872]120572 | 119885)) = 0 120572 = 1 2 And it is uncertainfor E(1)(1198851198851015840)
The unbalanced E(1)
(1198851198851015840)leads to the unbalanced
variance and coefficient of variation (coefficient of variation isthe ratio of standard deviation to mean) which can also helpidentify the intermediate pair (119885 1198851015840) in attacks The resultsof experiments show that the unbalance of E(1)
(1198851198851015840)makes
the implementations insecure Those vulnerabilities are theproperties of mask sets and cannot be fixed by the architec-tures of specific implementations like shuffling So finding thebalanced mask sets in terms of absolute difference is neces-sary for software LEMS which will be discussed in the nextsection
As 119897119911oplus119898 minus 1198971199111015840oplus1198981015840 sim N(120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840] 21205902)E((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) = (120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840])2 + 21205902and E(|119897119911oplus119898minus1198971199111015840oplus1198981015840 |) = 119891(120598(HW[119911oplus119898]minusHW[1199111015840oplus1198981015840]) radic2120590)according to Appendix A We deduce that
E(1)
(1199111199111015840)= E (1003816100381610038161003816119897119885oplus119872 minus 1198971198851015840oplus1198721015840 1003816100381610038161003816 | 119885 = 119911 1198851015840 = 1199111015840) (2)
= 1|M|2 sum1198981198981015840isinM
E (1003816100381610038161003816119897119911oplus119898 minus 1198971199111015840oplus1198981015840 1003816100381610038161003816) (3)
= 1|M|2 sum1198981198981015840isinM
119891 (120598 (HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]) radic2120590)
(4)
E(2)
(1199111199111015840)= E ((119897119885oplus119872 minus 1198971198851015840oplus1198721015840)2 | 119885 = 119911 1198851015840 = 1199111015840) (5)
= 1|M|2 sum1198981198981015840isinM
E ((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) (6)
= 1|M|2 sum1198981198981015840isinM
((120598HW [119911 oplus 119898] minus 120598HW [1199111015840 oplus 1198981015840])2
+ 21205902)(7)
= E ((120598HW [119885 oplus119872])2 | 119885 = 119911)+ E ((120598HW [119885 oplus119872])2 | 119885 = 1199111015840) minus 2E (120598HW [119885oplus119872] | 119885 = 119911)E (120598HW [119885 oplus119872] | 119885 = 1199111015840) + 21205902
(8)
200100
0 0 50 100 150 250200Z
Z
12
13
14
15
16
17
18
E(1)
(ZZ
)
Figure 1 E(1)(1198851198851015840)
overM12
Obviously for the mask set M which satisfies the hard-ware selection criterion (Var(E((120598HW[119885 oplus 119872])120572 | 119885)) = 0120572 = 1 2) E(2)
(1198851198851015840)is independent of (119885 1198851015840)
E(1)
(1198851198851015840)is associated with the noise For certain value
120590 the value of E(1)
(1198851198851015840)converges from 2120590radic120587 to (120598|M|2) sum1198981198981015840isinM |HW[119911 oplus 119898] minus HW[1199111015840 oplus 1198981015840]| along with120598120590 = 0 rarr infin Hence we can evaluate the unbalance of
E(1)
(1198851198851015840)for a certain mask set with (1|M|2) sum1198981198981015840isinM |HW[119911oplus119898] minus HW[1199111015840 oplus 1198981015840]| We take the mask set M12 sub F82
mentioned in Section 2 as an example and draw values ofE(1)
(1198851198851015840)for 22lowast8 intermediate pairs (119885 1198851015840) in Figure 1 which
shows that M12 has vulnerabilities in terms of the absolutedifference Univariate attacks using these vulnerabilities canbe performed on one S-Box
The results of experiments in Appendix B verify that suchvulnerabilities we highlighted can really threaten the securityof software LEMS implementations To make software LEMSimplementations resistant to high order univariate attacks(CPA and also attacks based on the vulnerabilities above)specific implementations like shuffling are not enough andselecting the balanced mask sets in terms of the absolutedifference is necessary
4 Selection of Balanced Mask Sets
In this section we will modify the selection criterion to findthe balanced mask sets The proofs give two conditions thatthe balanced mask sets should satisfy which considerablynarrow down the search for the mask sets
The selection of the mask sets should first satisfy thecriteria for hardware selectionsVar(E(HW[119885oplus119872]120572) | 119885) = 0at least for 120572 = 1 2 In such a condition E(2)
(1198851198851015840)is balanced
as analyzed in Section 3 Hence if Var(E(1)(1198851198851015840)
| 119885 1198851015840) = 0E(1) Var(1198851198851015840) and CV(1198851198851015840) will also be balanced Accordingto (4) E(1)
(1198851198851015840)can further be denoted by 120590119891119890(120598120590 119911 1199111015840) We
can deduce that
Var (E(1)(1198851198851015840)
| 119885 1198851015840) = E ((E(1)(1198851198851015840)
)2) minus (E (E(1)(1198851198851015840)
))2
4 Security and Communication Networks
= 120590222119899 sum1199111199111015840isinF119899
2
(119891119890 ( 120598120590 119911 1199111015840))2
minus ( 12059022119899 sum1199111199111015840isinF119899
2
119891119890 ( 120598120590 119911 1199111015840))2
(9)
Var(E(1)(1198851198851015840)
| 119885 1198851015840) will converge from 0 to 120574 =Var(E(|120598HW[119885 oplus119872] minus 120598HW[1198851015840 oplus1198721015840]| | 119885 1198851015840)) when 120598120590 =0 rarr infin for any fixed value 120590
The value of 120574 is an intrinsic property of the mask setThus 120574 = 0 is the selection criterion In this case E(1)
(1198851198851015840)
will be balanced for any 120598120590 Aiming at the selection criterionwe can deduce the following conclusions to help select masksets120574 = 0 indicatesE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]| | 119885 1198851015840) is aconstant the value ofwhich isE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|)We have the following
Lemma 1 E(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|) = (2119899minus1)2119899(119899minus1)Proof Let W119886 = E(|HW[119885] minus HW[1198851015840]| | HW[119885 oplus 1198851015840] = 119886)W0 = 0 obviously For 119896 isin N we can deduce that
W2119896+1 = 122119896+12119896+1sum119894=0
(2119896 + 1119894 ) |2119896 + 1 minus 2119894|
= 122119896+1119896sum119894=0
2(2119896 + 1119894 ) (2119896 + 1 minus 2119894)
= 122119896 ((2119896 + 1) 22119896 minus 2 (2119896 + 1)119896minus1sum119894=0
(2119896119894 ))= (2119896 + 1) ( 2119896119896 )22119896 = (2119896 + 1) (2119896)22119896 (119896)2= (2119896 + 1)(2119896)
(10)
The second equality uses ( 2119896+1119894 ) = ( 2119896+12119896+1minus119894 )The third one is according to sum119896119894=0 ( 2119896+1119894 ) = 22119896 and119894 ( 2119896+1119894 ) = (2119896 + 1) ( 2119896119894minus1 )Similarly W2119896+2 = (2119896 + 1)(2119896) = W2119896+1 = ((2119896 +1)2119896)W2119896 Hence
E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [1198851015840 oplus1198721015840]10038161003816100381610038161003816)= 1|M|2 4119899 sum
1199111199111015840isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]10038161003816100381610038161003816= 1|M|2 4119899 sum
1198981198981015840isinM
sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 14119899 sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 12119899119899sum119894=0
(119899119894)W119894(11)
We will use mathematical induction to prove A119899 =sum119899119894=0 ( 119899119894 )W119894 = (2119899 minus 1)(119899 minus 1)When 119899 = 1 A1 = sum1119894=0 ( 1119894 )W119894 = 1 = (2 minus 1)(0)Suppose A119899 = (2119899 minus 1)(119899 minus 1) If 119899 is odd we have
A119899+1 = 119899+1sum119894=0
(119899 + 1119894 )W119894
= 119899sum119894=1
((119899119894) + (119899
119894 minus 1))W119894 +W119899+1
= A119899 + 119899sum119894=0
(119899119894)W119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) + (119899
2119894 + 1))W2119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) 119899 + 1119899 W2119894
+ ((1198992119894)(1 minus (119899 + 1) (2119894)119899 (2119894 + 1) ) + (119899
2119894 + 1))W2119894+1)
= A119899 + 119899 + 1119899(119899minus1)2sum119894=0
((1198992119894)W2119894 + ( 1198992119894 + 1)W2119894+1)
= 2119899 + 1119899 A119899 = (2119899 + 1)(119899)
(12)
The second equality is based on ( 119899+1119894 ) = ( 119899119894 ) + ( 119899119894minus1 )The fourth one followsW2119894+1 = W2119894+2 and the fifth one usesW2119894 = (2119894(2119894 + 1))W2119894+1
The situation when 119899 is even can be proved similarlyThus E(|HW[119885 oplus119872] minus HW[1198851015840 oplus1198721015840]|) = A1198992119899 = (2119899 minus1)2119899(119899 minus 1)As stated above E(|HW[119885 oplus119872] minusHW[1198851015840 oplus1198721015840]| | 119885 1198851015840)
for any pair (119885 1198851015840) and themeans of their combinations suchas EM = E(E(|HW[119885 oplus 119872] minus HW[119885 oplus 1198721015840]| | 119885)) shouldbe equal to the constant value (2119899 minus 1)2119899(119899 minus 1) We canprove two necessary conditions for balanced mask set M byanalyzing EM = (2119899 minus 1)2119899(119899 minus 1)Theorem 2 One necessary condition for 120574 = 0 is |M| =1198962lfloor1198992rfloor+1 119896 isin N
Security and Communication Networks 5
Proof We deduce that
EM = E (E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [119885 oplus1198721015840]10038161003816100381610038161003816 | 119885)) (13)
= 1|M|2 2119899 sum119911isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (14)
= 1|M|2 sum1198981198981015840isinM
12119899 sum119911isinF1198992
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (15)
= 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840 = 119898oplus 1198981015840)
(16)
Let C119894 = sum1198981198981015840isinM 984858119894(119898 oplus 1198981015840) where
984858119894 (119909) = 1 HW [119909] = 1198940 otherwise (17)
As 119898 oplus 1198981015840 = 1198981015840 oplus 119898 C119894 119894 gt 0 is even Let C119894 =2C1015840119894 119894 gt 0 As W0 = 0 EM = (1|M|2) sum119899119894=0 C119894W119894 =(2|M|2) sum119899119894=1 C1015840119894W119894 If EM = (2119899 minus 1)2119899(119899 minus 1) we candeduce
2|M|2119899sum119894=1
C1015840119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr
2119899+1|M|2119899sum119894=1
C1015840119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr
2119899+1 | |M|2
(18)
The reason of the second arrow is as follows RecallW2119896+2 = W2119896+1 = (2119896 + 1)(2119896) in Lemma 1 forall119899 ge 2119896 + 1(119899minus1)W2119896+2 = (119899minus1)W2119896+1 = ((2119896minus1))2(2119896+1)prod119899minus1119894=2119896+1119894 isinN In other words forall119894 le 119899 (119899 minus 1)W119894 isin N 2119899+1sum119899119894=1 C1015840119894((119899 minus1)W119894) isin N and (2119899 minus 1) is odd Therefore |M|2 must bedivisible by 2119899+1
Hence |M| = 1198962lfloor1198992rfloor+1 119896 isin N
Theorem 3 forall|M| lt 2119899 isin N ifM is a linear mask set 120574 = 0Proof If M is linear 119898 oplus 1198981015840 isin M 1198981198981015840 isin M Let D119898 =119898 oplus1198981015840 | 1198981015840 isin M Obviously forall119898 isin MD119898 = M And (16)will further be
EM = 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 119898 oplus 1198981015840)
= 1|M|2 sum119898isinM sum1198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 1198981015840)= 1|M|
119899sum119894=0
C119894W119894(19)
where C119894 = sum119898isinM 984858119894(119898) 984858119894(sdot) is defined by (17)If EM = (2119899 minus 1)2119899(119899 minus 1) we can deduce
1|M|119899sum119894=1
C119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr2119899|M|119899sum119894=1
C119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr2119899 | |M|
(20)
which contradicts |M| lt 2119899 Thus EM = (2119899 minus 1)2119899(119899 minus1) which indicates Var(E(|HW[119885 oplus 119872] minus HW[1198851015840 oplus 1198721015840]| |119885 1198851015840)) = 0Theorem 2 indicates that the search should be among
mask sets satisfying |M| = 1198962lfloor1198992rfloor+1 119896 isin N to findthe perfect balanced mask set with 120574 = 0 However inconsideration of the effect of the noise 120574 = 0 couldnot be necessary According to Theorem 3 and the resultsin Appendix B the linear mask sets will be more vul-nerable because of their linear property Hence one canfirst use the searching algorithms like those in [11] to getsome nonlinear mask sets and use our selection crite-rion as a reference factor to select the one with smaller1205745 Conclusion
In this paper we analyzed the vulnerabilities on themask setsof software Low EntropyMasking Schemes implementationsWe found that satisfying the conditions in [11 18] was notenough for mask sets used in software LEMS implemen-tations The experiments verified that such vulnerabilitiescertainlymade the software LEMS implementations insecureTo fix the vulnerabilities we further gave a selection criterionMoreover two theorems were proved and our selectioncriterion could be a reference factor when selecting themask sets picked out by searching algorithms like those in[11]
For future work there remain two research directionsThe first direction is the proof of the existence of such perfectbalancedmask setsThe secondone is designingmore feasiblesearch algorithms and giving the masking values selectionrules based on those conditions
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
2 Security and Communication Networks
in two aspects In the architecture aspect cryptographicalgorithms should carefully be implemented to avoid first-order leakage [12] Some countermeasure techniques such asshuffling [13] can also be combined to help defeat certainbivariate and higher order attacks [14ndash17] Another aspectis the chosen mask set which plays significant roles insecurity Some research studied how to select them forhardware implemented LEMS [11 18] The selection criterionof the mask sets considered finding secure mask sets undertwo important assumptions [19] The first one is that theattackers could only exploit the leakage of the masked value119885 oplus 119872 The second one is that the deterministic part ofthe leakage function 119897119885oplus119872 is linear in the bits of maskedvariable 119885 oplus 119872 such as Hamming weight function Underthose two conditions the main goal of selecting mask setsfor LEMS is to find balanced mask sets resistant to highorder univariate CPA (following the definition of [20] theattack combining 119899 different time instances is called 119899-variateattack and the 119899th order attack is the one with 119899th orderstatistical moments) Therefore making E((119897119885oplus119872)120572 | 119885)independent of intermediate 119885 is the selection criterion ofthe mask sets for the designer of the hardware counter-measures However we find it is not enough for softwareimplemented LEMS The absolute difference |119897119911oplus119898 minus 1198971199111015840oplus1198981015840 |may bring the unbalance to the intermediate pair (119911 1199111015840)which allows attackers to get the information of (119911 1199111015840) whenonly the leakages corresponding to the masked values areavailable
Our Contributions In this paper we study the unbalance interms of absolute difference on software Low Entropy Mask-ing Schemes (LEMS) implementations and make selectioncriterion for their mask sets
(i) We find that the mask sets selected according toselection criteria in [11 18] have the vulnerabili-ties based on the absolute difference measurementson software LEMS Such vulnerabilities make thesoftware LEMS implementations insecure when theleakages corresponding to themasked values could beexploited
(ii) To fix the vulnerabilities and make software LEMSimplementations resistant to high order univariateattacks we further extend the selection criterion ofbalanced mask sets Moreover we prove the perfectbalanced mask sets should not be linear and theircardinalities should satisfy certain conditions
(iii) When some feasible mask sets are already pickedout by searching algorithms like those in [11] ourselection criterion could be a reference factor to helpdecide on a more secure one from them
Organization The rest of the paper is organized as followsIn Section 2 we introduce the notations and some relatedbackground knowledge Section 3 presents vulnerabilitiesthat make the software LEMS insecure Section 4 provesthe necessary conditions that the balanced mask sets shouldsatisfy and discusses the selection methods of mask setsFinally Section 5 concludes the paper
2 Preliminaries
In this paper sets are denoted with calligraphic letters(eg M) We use capital letters (eg 119872) and lowercaseones (eg 119898) for random variables and their realizationsrespectivelyThroughout the paper119885 and1198851015840 are independentand uniformly distributed random variables representingintermediates 119872 and 1198721015840 are two independent randomvariables drawn from the uniform distribution in the masksetM
Let 119897120596 be the value of leakage measurements correspond-ing to the intermediate value 120596 120596 isin F1198992 To match withrealistic leakage functions in practice the widely appliedHamming weight leakage model is used during the choice ofthe mask sets in this paper Thus in software environments119897120596 = 120598HW[120596] + 120575 where 120598 is an unknown constant and120575 is the Gaussian distributed (N(0 1205902)) noise In hardwareenvironments 119897120596 = 120598HW[120596] (to describe the theories in [1118] more clearly we use the same no noise model here) Wefurther denote the absolute difference of two measurementscorresponding to the values 1205961 and 1205962 by |1198971205961 minus 1198971205962 |
Mean and variance are denoted byE andVar respectivelyLet 1198831 and 1198832 be two independent random variables and 119891be a certain function1198831 is randomly drawn fromXE(119891(11988311198832) | 1198831 = 1199091) is the conditional expectation when 1198831 = 1199091The variance among those conditional expectations is
Var (E (119891 (1198831 1198832) | 1198831)) = 1|X|sdot sum1199091isinX
(E (119891 (1198831 1198832) | 1198831 = 1199091) minus E (119891 (1198831 1198832)))2 (1)
which can measure the dispersion degree of E(119891(1198831 1198832) |1198831) Obviously when Var(E(119891(1198831 1198832) | 1198831)) = 0 thespecific value of 1198831 cannot be recognized according toE(119891(1198831 1198832) | 1198831)This property wasmainly applied by someworks [11 18] studying the selection criterion of mask sets forhardware LEMS Their theories are as follows
To defeat high order univariate CPA the value of interme-diate119885 should be independent of the statistic values of 119897119885oplus119872 =120598HW[119885 oplus 119872] Usually those statistics indicate 120572th momentsdenoted by E((120598HW[119885 oplus 119872])120572) Hence Var(E((120598HW[119885 oplus119872])120572 | 119885)) = 0 is the selection criterion The mask set is saidto resist univariate 119889th-order attacks if forall 1 le 120572 le 119889 120572 isin NVar(E((120598HW[119885 oplus119872])120572 | 119885)) = 0
The work in [11] proved that only 12 mask values aresufficient for 119889 = 2 when 119899 = 8 (M12 = 03 18 311986555 60 6119864 8119862 1198605 1198612 1198621198611198636 1198659) The work in [18] furtherstudied the linear code mask sets for different 119889 and 119899For example in [8 4 4] linear code mask set can reach thestandard of 119889 = 3 with 16 mask values when 119899 = 8 (likeM16 = 00 0119865 36 39 53 5119862 65 6119860 95 9119860 1198603 119860119862 1198626 11986291198650 119865119865 used in DPA Contest v4) The linear mask setM hasthe property that 119898119894 oplus 119898119895 isin M 119898119894 119898119895 isin M [21] We willdiscuss and use the property in the following sections
3 Vulnerabilities on Software LEMS
As stated in Section 2 the selection of the mask sets for hard-ware LEMS considers the balance between the intermediate
Security and Communication Networks 3
values119885 and the leakagemeasurements 119897119885oplus119872 to avoid leakingthe information of 119885 Nonetheless the unbalance of absolutedifference measurements |119897119885oplus119872 minus 1198971198851015840oplus1198721015840 | may leak the infor-mation of intermediate pair (119885 1198851015840) in software LEMS In thissection we will study (120572 represents the order with respect tothe absolute difference indeed the absolute difference itself isnot first order according to Taylor expansion [22] hence theorder with respect to the original leakage measurement hereis higher than 120572) E
(120572)
(1198851198851015840)= E(|119897119885oplus119872 minus 1198971198851015840oplus1198721015840 |120572 | 119885 1198851015840) 120572 =
1 2Theproofswill show thatE(2)(1198851198851015840)
is independent of (119885 1198851015840)if the mask set satisfies the hardware selection criterionVar(E(HW[119885 oplus 119872]120572 | 119885)) = 0 120572 = 1 2 And it is uncertainfor E(1)(1198851198851015840)
The unbalanced E(1)
(1198851198851015840)leads to the unbalanced
variance and coefficient of variation (coefficient of variation isthe ratio of standard deviation to mean) which can also helpidentify the intermediate pair (119885 1198851015840) in attacks The resultsof experiments show that the unbalance of E(1)
(1198851198851015840)makes
the implementations insecure Those vulnerabilities are theproperties of mask sets and cannot be fixed by the architec-tures of specific implementations like shuffling So finding thebalanced mask sets in terms of absolute difference is neces-sary for software LEMS which will be discussed in the nextsection
As 119897119911oplus119898 minus 1198971199111015840oplus1198981015840 sim N(120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840] 21205902)E((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) = (120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840])2 + 21205902and E(|119897119911oplus119898minus1198971199111015840oplus1198981015840 |) = 119891(120598(HW[119911oplus119898]minusHW[1199111015840oplus1198981015840]) radic2120590)according to Appendix A We deduce that
E(1)
(1199111199111015840)= E (1003816100381610038161003816119897119885oplus119872 minus 1198971198851015840oplus1198721015840 1003816100381610038161003816 | 119885 = 119911 1198851015840 = 1199111015840) (2)
= 1|M|2 sum1198981198981015840isinM
E (1003816100381610038161003816119897119911oplus119898 minus 1198971199111015840oplus1198981015840 1003816100381610038161003816) (3)
= 1|M|2 sum1198981198981015840isinM
119891 (120598 (HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]) radic2120590)
(4)
E(2)
(1199111199111015840)= E ((119897119885oplus119872 minus 1198971198851015840oplus1198721015840)2 | 119885 = 119911 1198851015840 = 1199111015840) (5)
= 1|M|2 sum1198981198981015840isinM
E ((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) (6)
= 1|M|2 sum1198981198981015840isinM
((120598HW [119911 oplus 119898] minus 120598HW [1199111015840 oplus 1198981015840])2
+ 21205902)(7)
= E ((120598HW [119885 oplus119872])2 | 119885 = 119911)+ E ((120598HW [119885 oplus119872])2 | 119885 = 1199111015840) minus 2E (120598HW [119885oplus119872] | 119885 = 119911)E (120598HW [119885 oplus119872] | 119885 = 1199111015840) + 21205902
(8)
200100
0 0 50 100 150 250200Z
Z
12
13
14
15
16
17
18
E(1)
(ZZ
)
Figure 1 E(1)(1198851198851015840)
overM12
Obviously for the mask set M which satisfies the hard-ware selection criterion (Var(E((120598HW[119885 oplus 119872])120572 | 119885)) = 0120572 = 1 2) E(2)
(1198851198851015840)is independent of (119885 1198851015840)
E(1)
(1198851198851015840)is associated with the noise For certain value
120590 the value of E(1)
(1198851198851015840)converges from 2120590radic120587 to (120598|M|2) sum1198981198981015840isinM |HW[119911 oplus 119898] minus HW[1199111015840 oplus 1198981015840]| along with120598120590 = 0 rarr infin Hence we can evaluate the unbalance of
E(1)
(1198851198851015840)for a certain mask set with (1|M|2) sum1198981198981015840isinM |HW[119911oplus119898] minus HW[1199111015840 oplus 1198981015840]| We take the mask set M12 sub F82
mentioned in Section 2 as an example and draw values ofE(1)
(1198851198851015840)for 22lowast8 intermediate pairs (119885 1198851015840) in Figure 1 which
shows that M12 has vulnerabilities in terms of the absolutedifference Univariate attacks using these vulnerabilities canbe performed on one S-Box
The results of experiments in Appendix B verify that suchvulnerabilities we highlighted can really threaten the securityof software LEMS implementations To make software LEMSimplementations resistant to high order univariate attacks(CPA and also attacks based on the vulnerabilities above)specific implementations like shuffling are not enough andselecting the balanced mask sets in terms of the absolutedifference is necessary
4 Selection of Balanced Mask Sets
In this section we will modify the selection criterion to findthe balanced mask sets The proofs give two conditions thatthe balanced mask sets should satisfy which considerablynarrow down the search for the mask sets
The selection of the mask sets should first satisfy thecriteria for hardware selectionsVar(E(HW[119885oplus119872]120572) | 119885) = 0at least for 120572 = 1 2 In such a condition E(2)
(1198851198851015840)is balanced
as analyzed in Section 3 Hence if Var(E(1)(1198851198851015840)
| 119885 1198851015840) = 0E(1) Var(1198851198851015840) and CV(1198851198851015840) will also be balanced Accordingto (4) E(1)
(1198851198851015840)can further be denoted by 120590119891119890(120598120590 119911 1199111015840) We
can deduce that
Var (E(1)(1198851198851015840)
| 119885 1198851015840) = E ((E(1)(1198851198851015840)
)2) minus (E (E(1)(1198851198851015840)
))2
4 Security and Communication Networks
= 120590222119899 sum1199111199111015840isinF119899
2
(119891119890 ( 120598120590 119911 1199111015840))2
minus ( 12059022119899 sum1199111199111015840isinF119899
2
119891119890 ( 120598120590 119911 1199111015840))2
(9)
Var(E(1)(1198851198851015840)
| 119885 1198851015840) will converge from 0 to 120574 =Var(E(|120598HW[119885 oplus119872] minus 120598HW[1198851015840 oplus1198721015840]| | 119885 1198851015840)) when 120598120590 =0 rarr infin for any fixed value 120590
The value of 120574 is an intrinsic property of the mask setThus 120574 = 0 is the selection criterion In this case E(1)
(1198851198851015840)
will be balanced for any 120598120590 Aiming at the selection criterionwe can deduce the following conclusions to help select masksets120574 = 0 indicatesE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]| | 119885 1198851015840) is aconstant the value ofwhich isE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|)We have the following
Lemma 1 E(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|) = (2119899minus1)2119899(119899minus1)Proof Let W119886 = E(|HW[119885] minus HW[1198851015840]| | HW[119885 oplus 1198851015840] = 119886)W0 = 0 obviously For 119896 isin N we can deduce that
W2119896+1 = 122119896+12119896+1sum119894=0
(2119896 + 1119894 ) |2119896 + 1 minus 2119894|
= 122119896+1119896sum119894=0
2(2119896 + 1119894 ) (2119896 + 1 minus 2119894)
= 122119896 ((2119896 + 1) 22119896 minus 2 (2119896 + 1)119896minus1sum119894=0
(2119896119894 ))= (2119896 + 1) ( 2119896119896 )22119896 = (2119896 + 1) (2119896)22119896 (119896)2= (2119896 + 1)(2119896)
(10)
The second equality uses ( 2119896+1119894 ) = ( 2119896+12119896+1minus119894 )The third one is according to sum119896119894=0 ( 2119896+1119894 ) = 22119896 and119894 ( 2119896+1119894 ) = (2119896 + 1) ( 2119896119894minus1 )Similarly W2119896+2 = (2119896 + 1)(2119896) = W2119896+1 = ((2119896 +1)2119896)W2119896 Hence
E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [1198851015840 oplus1198721015840]10038161003816100381610038161003816)= 1|M|2 4119899 sum
1199111199111015840isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]10038161003816100381610038161003816= 1|M|2 4119899 sum
1198981198981015840isinM
sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 14119899 sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 12119899119899sum119894=0
(119899119894)W119894(11)
We will use mathematical induction to prove A119899 =sum119899119894=0 ( 119899119894 )W119894 = (2119899 minus 1)(119899 minus 1)When 119899 = 1 A1 = sum1119894=0 ( 1119894 )W119894 = 1 = (2 minus 1)(0)Suppose A119899 = (2119899 minus 1)(119899 minus 1) If 119899 is odd we have
A119899+1 = 119899+1sum119894=0
(119899 + 1119894 )W119894
= 119899sum119894=1
((119899119894) + (119899
119894 minus 1))W119894 +W119899+1
= A119899 + 119899sum119894=0
(119899119894)W119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) + (119899
2119894 + 1))W2119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) 119899 + 1119899 W2119894
+ ((1198992119894)(1 minus (119899 + 1) (2119894)119899 (2119894 + 1) ) + (119899
2119894 + 1))W2119894+1)
= A119899 + 119899 + 1119899(119899minus1)2sum119894=0
((1198992119894)W2119894 + ( 1198992119894 + 1)W2119894+1)
= 2119899 + 1119899 A119899 = (2119899 + 1)(119899)
(12)
The second equality is based on ( 119899+1119894 ) = ( 119899119894 ) + ( 119899119894minus1 )The fourth one followsW2119894+1 = W2119894+2 and the fifth one usesW2119894 = (2119894(2119894 + 1))W2119894+1
The situation when 119899 is even can be proved similarlyThus E(|HW[119885 oplus119872] minus HW[1198851015840 oplus1198721015840]|) = A1198992119899 = (2119899 minus1)2119899(119899 minus 1)As stated above E(|HW[119885 oplus119872] minusHW[1198851015840 oplus1198721015840]| | 119885 1198851015840)
for any pair (119885 1198851015840) and themeans of their combinations suchas EM = E(E(|HW[119885 oplus 119872] minus HW[119885 oplus 1198721015840]| | 119885)) shouldbe equal to the constant value (2119899 minus 1)2119899(119899 minus 1) We canprove two necessary conditions for balanced mask set M byanalyzing EM = (2119899 minus 1)2119899(119899 minus 1)Theorem 2 One necessary condition for 120574 = 0 is |M| =1198962lfloor1198992rfloor+1 119896 isin N
Security and Communication Networks 5
Proof We deduce that
EM = E (E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [119885 oplus1198721015840]10038161003816100381610038161003816 | 119885)) (13)
= 1|M|2 2119899 sum119911isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (14)
= 1|M|2 sum1198981198981015840isinM
12119899 sum119911isinF1198992
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (15)
= 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840 = 119898oplus 1198981015840)
(16)
Let C119894 = sum1198981198981015840isinM 984858119894(119898 oplus 1198981015840) where
984858119894 (119909) = 1 HW [119909] = 1198940 otherwise (17)
As 119898 oplus 1198981015840 = 1198981015840 oplus 119898 C119894 119894 gt 0 is even Let C119894 =2C1015840119894 119894 gt 0 As W0 = 0 EM = (1|M|2) sum119899119894=0 C119894W119894 =(2|M|2) sum119899119894=1 C1015840119894W119894 If EM = (2119899 minus 1)2119899(119899 minus 1) we candeduce
2|M|2119899sum119894=1
C1015840119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr
2119899+1|M|2119899sum119894=1
C1015840119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr
2119899+1 | |M|2
(18)
The reason of the second arrow is as follows RecallW2119896+2 = W2119896+1 = (2119896 + 1)(2119896) in Lemma 1 forall119899 ge 2119896 + 1(119899minus1)W2119896+2 = (119899minus1)W2119896+1 = ((2119896minus1))2(2119896+1)prod119899minus1119894=2119896+1119894 isinN In other words forall119894 le 119899 (119899 minus 1)W119894 isin N 2119899+1sum119899119894=1 C1015840119894((119899 minus1)W119894) isin N and (2119899 minus 1) is odd Therefore |M|2 must bedivisible by 2119899+1
Hence |M| = 1198962lfloor1198992rfloor+1 119896 isin N
Theorem 3 forall|M| lt 2119899 isin N ifM is a linear mask set 120574 = 0Proof If M is linear 119898 oplus 1198981015840 isin M 1198981198981015840 isin M Let D119898 =119898 oplus1198981015840 | 1198981015840 isin M Obviously forall119898 isin MD119898 = M And (16)will further be
EM = 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 119898 oplus 1198981015840)
= 1|M|2 sum119898isinM sum1198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 1198981015840)= 1|M|
119899sum119894=0
C119894W119894(19)
where C119894 = sum119898isinM 984858119894(119898) 984858119894(sdot) is defined by (17)If EM = (2119899 minus 1)2119899(119899 minus 1) we can deduce
1|M|119899sum119894=1
C119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr2119899|M|119899sum119894=1
C119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr2119899 | |M|
(20)
which contradicts |M| lt 2119899 Thus EM = (2119899 minus 1)2119899(119899 minus1) which indicates Var(E(|HW[119885 oplus 119872] minus HW[1198851015840 oplus 1198721015840]| |119885 1198851015840)) = 0Theorem 2 indicates that the search should be among
mask sets satisfying |M| = 1198962lfloor1198992rfloor+1 119896 isin N to findthe perfect balanced mask set with 120574 = 0 However inconsideration of the effect of the noise 120574 = 0 couldnot be necessary According to Theorem 3 and the resultsin Appendix B the linear mask sets will be more vul-nerable because of their linear property Hence one canfirst use the searching algorithms like those in [11] to getsome nonlinear mask sets and use our selection crite-rion as a reference factor to select the one with smaller1205745 Conclusion
In this paper we analyzed the vulnerabilities on themask setsof software Low EntropyMasking Schemes implementationsWe found that satisfying the conditions in [11 18] was notenough for mask sets used in software LEMS implemen-tations The experiments verified that such vulnerabilitiescertainlymade the software LEMS implementations insecureTo fix the vulnerabilities we further gave a selection criterionMoreover two theorems were proved and our selectioncriterion could be a reference factor when selecting themask sets picked out by searching algorithms like those in[11]
For future work there remain two research directionsThe first direction is the proof of the existence of such perfectbalancedmask setsThe secondone is designingmore feasiblesearch algorithms and giving the masking values selectionrules based on those conditions
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 3
values119885 and the leakagemeasurements 119897119885oplus119872 to avoid leakingthe information of 119885 Nonetheless the unbalance of absolutedifference measurements |119897119885oplus119872 minus 1198971198851015840oplus1198721015840 | may leak the infor-mation of intermediate pair (119885 1198851015840) in software LEMS In thissection we will study (120572 represents the order with respect tothe absolute difference indeed the absolute difference itself isnot first order according to Taylor expansion [22] hence theorder with respect to the original leakage measurement hereis higher than 120572) E
(120572)
(1198851198851015840)= E(|119897119885oplus119872 minus 1198971198851015840oplus1198721015840 |120572 | 119885 1198851015840) 120572 =
1 2Theproofswill show thatE(2)(1198851198851015840)
is independent of (119885 1198851015840)if the mask set satisfies the hardware selection criterionVar(E(HW[119885 oplus 119872]120572 | 119885)) = 0 120572 = 1 2 And it is uncertainfor E(1)(1198851198851015840)
The unbalanced E(1)
(1198851198851015840)leads to the unbalanced
variance and coefficient of variation (coefficient of variation isthe ratio of standard deviation to mean) which can also helpidentify the intermediate pair (119885 1198851015840) in attacks The resultsof experiments show that the unbalance of E(1)
(1198851198851015840)makes
the implementations insecure Those vulnerabilities are theproperties of mask sets and cannot be fixed by the architec-tures of specific implementations like shuffling So finding thebalanced mask sets in terms of absolute difference is neces-sary for software LEMS which will be discussed in the nextsection
As 119897119911oplus119898 minus 1198971199111015840oplus1198981015840 sim N(120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840] 21205902)E((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) = (120598HW[119911 oplus 119898] minus 120598HW[1199111015840 oplus 1198981015840])2 + 21205902and E(|119897119911oplus119898minus1198971199111015840oplus1198981015840 |) = 119891(120598(HW[119911oplus119898]minusHW[1199111015840oplus1198981015840]) radic2120590)according to Appendix A We deduce that
E(1)
(1199111199111015840)= E (1003816100381610038161003816119897119885oplus119872 minus 1198971198851015840oplus1198721015840 1003816100381610038161003816 | 119885 = 119911 1198851015840 = 1199111015840) (2)
= 1|M|2 sum1198981198981015840isinM
E (1003816100381610038161003816119897119911oplus119898 minus 1198971199111015840oplus1198981015840 1003816100381610038161003816) (3)
= 1|M|2 sum1198981198981015840isinM
119891 (120598 (HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]) radic2120590)
(4)
E(2)
(1199111199111015840)= E ((119897119885oplus119872 minus 1198971198851015840oplus1198721015840)2 | 119885 = 119911 1198851015840 = 1199111015840) (5)
= 1|M|2 sum1198981198981015840isinM
E ((119897119911oplus119898 minus 1198971199111015840oplus1198981015840)2) (6)
= 1|M|2 sum1198981198981015840isinM
((120598HW [119911 oplus 119898] minus 120598HW [1199111015840 oplus 1198981015840])2
+ 21205902)(7)
= E ((120598HW [119885 oplus119872])2 | 119885 = 119911)+ E ((120598HW [119885 oplus119872])2 | 119885 = 1199111015840) minus 2E (120598HW [119885oplus119872] | 119885 = 119911)E (120598HW [119885 oplus119872] | 119885 = 1199111015840) + 21205902
(8)
200100
0 0 50 100 150 250200Z
Z
12
13
14
15
16
17
18
E(1)
(ZZ
)
Figure 1 E(1)(1198851198851015840)
overM12
Obviously for the mask set M which satisfies the hard-ware selection criterion (Var(E((120598HW[119885 oplus 119872])120572 | 119885)) = 0120572 = 1 2) E(2)
(1198851198851015840)is independent of (119885 1198851015840)
E(1)
(1198851198851015840)is associated with the noise For certain value
120590 the value of E(1)
(1198851198851015840)converges from 2120590radic120587 to (120598|M|2) sum1198981198981015840isinM |HW[119911 oplus 119898] minus HW[1199111015840 oplus 1198981015840]| along with120598120590 = 0 rarr infin Hence we can evaluate the unbalance of
E(1)
(1198851198851015840)for a certain mask set with (1|M|2) sum1198981198981015840isinM |HW[119911oplus119898] minus HW[1199111015840 oplus 1198981015840]| We take the mask set M12 sub F82
mentioned in Section 2 as an example and draw values ofE(1)
(1198851198851015840)for 22lowast8 intermediate pairs (119885 1198851015840) in Figure 1 which
shows that M12 has vulnerabilities in terms of the absolutedifference Univariate attacks using these vulnerabilities canbe performed on one S-Box
The results of experiments in Appendix B verify that suchvulnerabilities we highlighted can really threaten the securityof software LEMS implementations To make software LEMSimplementations resistant to high order univariate attacks(CPA and also attacks based on the vulnerabilities above)specific implementations like shuffling are not enough andselecting the balanced mask sets in terms of the absolutedifference is necessary
4 Selection of Balanced Mask Sets
In this section we will modify the selection criterion to findthe balanced mask sets The proofs give two conditions thatthe balanced mask sets should satisfy which considerablynarrow down the search for the mask sets
The selection of the mask sets should first satisfy thecriteria for hardware selectionsVar(E(HW[119885oplus119872]120572) | 119885) = 0at least for 120572 = 1 2 In such a condition E(2)
(1198851198851015840)is balanced
as analyzed in Section 3 Hence if Var(E(1)(1198851198851015840)
| 119885 1198851015840) = 0E(1) Var(1198851198851015840) and CV(1198851198851015840) will also be balanced Accordingto (4) E(1)
(1198851198851015840)can further be denoted by 120590119891119890(120598120590 119911 1199111015840) We
can deduce that
Var (E(1)(1198851198851015840)
| 119885 1198851015840) = E ((E(1)(1198851198851015840)
)2) minus (E (E(1)(1198851198851015840)
))2
4 Security and Communication Networks
= 120590222119899 sum1199111199111015840isinF119899
2
(119891119890 ( 120598120590 119911 1199111015840))2
minus ( 12059022119899 sum1199111199111015840isinF119899
2
119891119890 ( 120598120590 119911 1199111015840))2
(9)
Var(E(1)(1198851198851015840)
| 119885 1198851015840) will converge from 0 to 120574 =Var(E(|120598HW[119885 oplus119872] minus 120598HW[1198851015840 oplus1198721015840]| | 119885 1198851015840)) when 120598120590 =0 rarr infin for any fixed value 120590
The value of 120574 is an intrinsic property of the mask setThus 120574 = 0 is the selection criterion In this case E(1)
(1198851198851015840)
will be balanced for any 120598120590 Aiming at the selection criterionwe can deduce the following conclusions to help select masksets120574 = 0 indicatesE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]| | 119885 1198851015840) is aconstant the value ofwhich isE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|)We have the following
Lemma 1 E(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|) = (2119899minus1)2119899(119899minus1)Proof Let W119886 = E(|HW[119885] minus HW[1198851015840]| | HW[119885 oplus 1198851015840] = 119886)W0 = 0 obviously For 119896 isin N we can deduce that
W2119896+1 = 122119896+12119896+1sum119894=0
(2119896 + 1119894 ) |2119896 + 1 minus 2119894|
= 122119896+1119896sum119894=0
2(2119896 + 1119894 ) (2119896 + 1 minus 2119894)
= 122119896 ((2119896 + 1) 22119896 minus 2 (2119896 + 1)119896minus1sum119894=0
(2119896119894 ))= (2119896 + 1) ( 2119896119896 )22119896 = (2119896 + 1) (2119896)22119896 (119896)2= (2119896 + 1)(2119896)
(10)
The second equality uses ( 2119896+1119894 ) = ( 2119896+12119896+1minus119894 )The third one is according to sum119896119894=0 ( 2119896+1119894 ) = 22119896 and119894 ( 2119896+1119894 ) = (2119896 + 1) ( 2119896119894minus1 )Similarly W2119896+2 = (2119896 + 1)(2119896) = W2119896+1 = ((2119896 +1)2119896)W2119896 Hence
E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [1198851015840 oplus1198721015840]10038161003816100381610038161003816)= 1|M|2 4119899 sum
1199111199111015840isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]10038161003816100381610038161003816= 1|M|2 4119899 sum
1198981198981015840isinM
sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 14119899 sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 12119899119899sum119894=0
(119899119894)W119894(11)
We will use mathematical induction to prove A119899 =sum119899119894=0 ( 119899119894 )W119894 = (2119899 minus 1)(119899 minus 1)When 119899 = 1 A1 = sum1119894=0 ( 1119894 )W119894 = 1 = (2 minus 1)(0)Suppose A119899 = (2119899 minus 1)(119899 minus 1) If 119899 is odd we have
A119899+1 = 119899+1sum119894=0
(119899 + 1119894 )W119894
= 119899sum119894=1
((119899119894) + (119899
119894 minus 1))W119894 +W119899+1
= A119899 + 119899sum119894=0
(119899119894)W119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) + (119899
2119894 + 1))W2119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) 119899 + 1119899 W2119894
+ ((1198992119894)(1 minus (119899 + 1) (2119894)119899 (2119894 + 1) ) + (119899
2119894 + 1))W2119894+1)
= A119899 + 119899 + 1119899(119899minus1)2sum119894=0
((1198992119894)W2119894 + ( 1198992119894 + 1)W2119894+1)
= 2119899 + 1119899 A119899 = (2119899 + 1)(119899)
(12)
The second equality is based on ( 119899+1119894 ) = ( 119899119894 ) + ( 119899119894minus1 )The fourth one followsW2119894+1 = W2119894+2 and the fifth one usesW2119894 = (2119894(2119894 + 1))W2119894+1
The situation when 119899 is even can be proved similarlyThus E(|HW[119885 oplus119872] minus HW[1198851015840 oplus1198721015840]|) = A1198992119899 = (2119899 minus1)2119899(119899 minus 1)As stated above E(|HW[119885 oplus119872] minusHW[1198851015840 oplus1198721015840]| | 119885 1198851015840)
for any pair (119885 1198851015840) and themeans of their combinations suchas EM = E(E(|HW[119885 oplus 119872] minus HW[119885 oplus 1198721015840]| | 119885)) shouldbe equal to the constant value (2119899 minus 1)2119899(119899 minus 1) We canprove two necessary conditions for balanced mask set M byanalyzing EM = (2119899 minus 1)2119899(119899 minus 1)Theorem 2 One necessary condition for 120574 = 0 is |M| =1198962lfloor1198992rfloor+1 119896 isin N
Security and Communication Networks 5
Proof We deduce that
EM = E (E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [119885 oplus1198721015840]10038161003816100381610038161003816 | 119885)) (13)
= 1|M|2 2119899 sum119911isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (14)
= 1|M|2 sum1198981198981015840isinM
12119899 sum119911isinF1198992
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (15)
= 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840 = 119898oplus 1198981015840)
(16)
Let C119894 = sum1198981198981015840isinM 984858119894(119898 oplus 1198981015840) where
984858119894 (119909) = 1 HW [119909] = 1198940 otherwise (17)
As 119898 oplus 1198981015840 = 1198981015840 oplus 119898 C119894 119894 gt 0 is even Let C119894 =2C1015840119894 119894 gt 0 As W0 = 0 EM = (1|M|2) sum119899119894=0 C119894W119894 =(2|M|2) sum119899119894=1 C1015840119894W119894 If EM = (2119899 minus 1)2119899(119899 minus 1) we candeduce
2|M|2119899sum119894=1
C1015840119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr
2119899+1|M|2119899sum119894=1
C1015840119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr
2119899+1 | |M|2
(18)
The reason of the second arrow is as follows RecallW2119896+2 = W2119896+1 = (2119896 + 1)(2119896) in Lemma 1 forall119899 ge 2119896 + 1(119899minus1)W2119896+2 = (119899minus1)W2119896+1 = ((2119896minus1))2(2119896+1)prod119899minus1119894=2119896+1119894 isinN In other words forall119894 le 119899 (119899 minus 1)W119894 isin N 2119899+1sum119899119894=1 C1015840119894((119899 minus1)W119894) isin N and (2119899 minus 1) is odd Therefore |M|2 must bedivisible by 2119899+1
Hence |M| = 1198962lfloor1198992rfloor+1 119896 isin N
Theorem 3 forall|M| lt 2119899 isin N ifM is a linear mask set 120574 = 0Proof If M is linear 119898 oplus 1198981015840 isin M 1198981198981015840 isin M Let D119898 =119898 oplus1198981015840 | 1198981015840 isin M Obviously forall119898 isin MD119898 = M And (16)will further be
EM = 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 119898 oplus 1198981015840)
= 1|M|2 sum119898isinM sum1198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 1198981015840)= 1|M|
119899sum119894=0
C119894W119894(19)
where C119894 = sum119898isinM 984858119894(119898) 984858119894(sdot) is defined by (17)If EM = (2119899 minus 1)2119899(119899 minus 1) we can deduce
1|M|119899sum119894=1
C119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr2119899|M|119899sum119894=1
C119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr2119899 | |M|
(20)
which contradicts |M| lt 2119899 Thus EM = (2119899 minus 1)2119899(119899 minus1) which indicates Var(E(|HW[119885 oplus 119872] minus HW[1198851015840 oplus 1198721015840]| |119885 1198851015840)) = 0Theorem 2 indicates that the search should be among
mask sets satisfying |M| = 1198962lfloor1198992rfloor+1 119896 isin N to findthe perfect balanced mask set with 120574 = 0 However inconsideration of the effect of the noise 120574 = 0 couldnot be necessary According to Theorem 3 and the resultsin Appendix B the linear mask sets will be more vul-nerable because of their linear property Hence one canfirst use the searching algorithms like those in [11] to getsome nonlinear mask sets and use our selection crite-rion as a reference factor to select the one with smaller1205745 Conclusion
In this paper we analyzed the vulnerabilities on themask setsof software Low EntropyMasking Schemes implementationsWe found that satisfying the conditions in [11 18] was notenough for mask sets used in software LEMS implemen-tations The experiments verified that such vulnerabilitiescertainlymade the software LEMS implementations insecureTo fix the vulnerabilities we further gave a selection criterionMoreover two theorems were proved and our selectioncriterion could be a reference factor when selecting themask sets picked out by searching algorithms like those in[11]
For future work there remain two research directionsThe first direction is the proof of the existence of such perfectbalancedmask setsThe secondone is designingmore feasiblesearch algorithms and giving the masking values selectionrules based on those conditions
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
4 Security and Communication Networks
= 120590222119899 sum1199111199111015840isinF119899
2
(119891119890 ( 120598120590 119911 1199111015840))2
minus ( 12059022119899 sum1199111199111015840isinF119899
2
119891119890 ( 120598120590 119911 1199111015840))2
(9)
Var(E(1)(1198851198851015840)
| 119885 1198851015840) will converge from 0 to 120574 =Var(E(|120598HW[119885 oplus119872] minus 120598HW[1198851015840 oplus1198721015840]| | 119885 1198851015840)) when 120598120590 =0 rarr infin for any fixed value 120590
The value of 120574 is an intrinsic property of the mask setThus 120574 = 0 is the selection criterion In this case E(1)
(1198851198851015840)
will be balanced for any 120598120590 Aiming at the selection criterionwe can deduce the following conclusions to help select masksets120574 = 0 indicatesE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]| | 119885 1198851015840) is aconstant the value ofwhich isE(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|)We have the following
Lemma 1 E(|HW[119885oplus119872]minusHW[1198851015840oplus1198721015840]|) = (2119899minus1)2119899(119899minus1)Proof Let W119886 = E(|HW[119885] minus HW[1198851015840]| | HW[119885 oplus 1198851015840] = 119886)W0 = 0 obviously For 119896 isin N we can deduce that
W2119896+1 = 122119896+12119896+1sum119894=0
(2119896 + 1119894 ) |2119896 + 1 minus 2119894|
= 122119896+1119896sum119894=0
2(2119896 + 1119894 ) (2119896 + 1 minus 2119894)
= 122119896 ((2119896 + 1) 22119896 minus 2 (2119896 + 1)119896minus1sum119894=0
(2119896119894 ))= (2119896 + 1) ( 2119896119896 )22119896 = (2119896 + 1) (2119896)22119896 (119896)2= (2119896 + 1)(2119896)
(10)
The second equality uses ( 2119896+1119894 ) = ( 2119896+12119896+1minus119894 )The third one is according to sum119896119894=0 ( 2119896+1119894 ) = 22119896 and119894 ( 2119896+1119894 ) = (2119896 + 1) ( 2119896119894minus1 )Similarly W2119896+2 = (2119896 + 1)(2119896) = W2119896+1 = ((2119896 +1)2119896)W2119896 Hence
E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [1198851015840 oplus1198721015840]10038161003816100381610038161003816)= 1|M|2 4119899 sum
1199111199111015840isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [1199111015840 oplus 1198981015840]10038161003816100381610038161003816= 1|M|2 4119899 sum
1198981198981015840isinM
sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 14119899 sum1199111199111015840isinF119899
2
10038161003816100381610038161003816HW [119911] minus HW [1199111015840]10038161003816100381610038161003816
= 12119899119899sum119894=0
(119899119894)W119894(11)
We will use mathematical induction to prove A119899 =sum119899119894=0 ( 119899119894 )W119894 = (2119899 minus 1)(119899 minus 1)When 119899 = 1 A1 = sum1119894=0 ( 1119894 )W119894 = 1 = (2 minus 1)(0)Suppose A119899 = (2119899 minus 1)(119899 minus 1) If 119899 is odd we have
A119899+1 = 119899+1sum119894=0
(119899 + 1119894 )W119894
= 119899sum119894=1
((119899119894) + (119899
119894 minus 1))W119894 +W119899+1
= A119899 + 119899sum119894=0
(119899119894)W119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) + (119899
2119894 + 1))W2119894+1
= A119899 + (119899minus1)2sum119894=0
((1198992119894) 119899 + 1119899 W2119894
+ ((1198992119894)(1 minus (119899 + 1) (2119894)119899 (2119894 + 1) ) + (119899
2119894 + 1))W2119894+1)
= A119899 + 119899 + 1119899(119899minus1)2sum119894=0
((1198992119894)W2119894 + ( 1198992119894 + 1)W2119894+1)
= 2119899 + 1119899 A119899 = (2119899 + 1)(119899)
(12)
The second equality is based on ( 119899+1119894 ) = ( 119899119894 ) + ( 119899119894minus1 )The fourth one followsW2119894+1 = W2119894+2 and the fifth one usesW2119894 = (2119894(2119894 + 1))W2119894+1
The situation when 119899 is even can be proved similarlyThus E(|HW[119885 oplus119872] minus HW[1198851015840 oplus1198721015840]|) = A1198992119899 = (2119899 minus1)2119899(119899 minus 1)As stated above E(|HW[119885 oplus119872] minusHW[1198851015840 oplus1198721015840]| | 119885 1198851015840)
for any pair (119885 1198851015840) and themeans of their combinations suchas EM = E(E(|HW[119885 oplus 119872] minus HW[119885 oplus 1198721015840]| | 119885)) shouldbe equal to the constant value (2119899 minus 1)2119899(119899 minus 1) We canprove two necessary conditions for balanced mask set M byanalyzing EM = (2119899 minus 1)2119899(119899 minus 1)Theorem 2 One necessary condition for 120574 = 0 is |M| =1198962lfloor1198992rfloor+1 119896 isin N
Security and Communication Networks 5
Proof We deduce that
EM = E (E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [119885 oplus1198721015840]10038161003816100381610038161003816 | 119885)) (13)
= 1|M|2 2119899 sum119911isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (14)
= 1|M|2 sum1198981198981015840isinM
12119899 sum119911isinF1198992
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (15)
= 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840 = 119898oplus 1198981015840)
(16)
Let C119894 = sum1198981198981015840isinM 984858119894(119898 oplus 1198981015840) where
984858119894 (119909) = 1 HW [119909] = 1198940 otherwise (17)
As 119898 oplus 1198981015840 = 1198981015840 oplus 119898 C119894 119894 gt 0 is even Let C119894 =2C1015840119894 119894 gt 0 As W0 = 0 EM = (1|M|2) sum119899119894=0 C119894W119894 =(2|M|2) sum119899119894=1 C1015840119894W119894 If EM = (2119899 minus 1)2119899(119899 minus 1) we candeduce
2|M|2119899sum119894=1
C1015840119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr
2119899+1|M|2119899sum119894=1
C1015840119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr
2119899+1 | |M|2
(18)
The reason of the second arrow is as follows RecallW2119896+2 = W2119896+1 = (2119896 + 1)(2119896) in Lemma 1 forall119899 ge 2119896 + 1(119899minus1)W2119896+2 = (119899minus1)W2119896+1 = ((2119896minus1))2(2119896+1)prod119899minus1119894=2119896+1119894 isinN In other words forall119894 le 119899 (119899 minus 1)W119894 isin N 2119899+1sum119899119894=1 C1015840119894((119899 minus1)W119894) isin N and (2119899 minus 1) is odd Therefore |M|2 must bedivisible by 2119899+1
Hence |M| = 1198962lfloor1198992rfloor+1 119896 isin N
Theorem 3 forall|M| lt 2119899 isin N ifM is a linear mask set 120574 = 0Proof If M is linear 119898 oplus 1198981015840 isin M 1198981198981015840 isin M Let D119898 =119898 oplus1198981015840 | 1198981015840 isin M Obviously forall119898 isin MD119898 = M And (16)will further be
EM = 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 119898 oplus 1198981015840)
= 1|M|2 sum119898isinM sum1198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 1198981015840)= 1|M|
119899sum119894=0
C119894W119894(19)
where C119894 = sum119898isinM 984858119894(119898) 984858119894(sdot) is defined by (17)If EM = (2119899 minus 1)2119899(119899 minus 1) we can deduce
1|M|119899sum119894=1
C119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr2119899|M|119899sum119894=1
C119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr2119899 | |M|
(20)
which contradicts |M| lt 2119899 Thus EM = (2119899 minus 1)2119899(119899 minus1) which indicates Var(E(|HW[119885 oplus 119872] minus HW[1198851015840 oplus 1198721015840]| |119885 1198851015840)) = 0Theorem 2 indicates that the search should be among
mask sets satisfying |M| = 1198962lfloor1198992rfloor+1 119896 isin N to findthe perfect balanced mask set with 120574 = 0 However inconsideration of the effect of the noise 120574 = 0 couldnot be necessary According to Theorem 3 and the resultsin Appendix B the linear mask sets will be more vul-nerable because of their linear property Hence one canfirst use the searching algorithms like those in [11] to getsome nonlinear mask sets and use our selection crite-rion as a reference factor to select the one with smaller1205745 Conclusion
In this paper we analyzed the vulnerabilities on themask setsof software Low EntropyMasking Schemes implementationsWe found that satisfying the conditions in [11 18] was notenough for mask sets used in software LEMS implemen-tations The experiments verified that such vulnerabilitiescertainlymade the software LEMS implementations insecureTo fix the vulnerabilities we further gave a selection criterionMoreover two theorems were proved and our selectioncriterion could be a reference factor when selecting themask sets picked out by searching algorithms like those in[11]
For future work there remain two research directionsThe first direction is the proof of the existence of such perfectbalancedmask setsThe secondone is designingmore feasiblesearch algorithms and giving the masking values selectionrules based on those conditions
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 5
Proof We deduce that
EM = E (E (10038161003816100381610038161003816HW [119885 oplus119872] minus HW [119885 oplus1198721015840]10038161003816100381610038161003816 | 119885)) (13)
= 1|M|2 2119899 sum119911isinF1198992
sum1198981198981015840isinM
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (14)
= 1|M|2 sum1198981198981015840isinM
12119899 sum119911isinF1198992
10038161003816100381610038161003816HW [119911 oplus 119898] minus HW [119911 oplus 1198981015840]10038161003816100381610038161003816 (15)
= 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840 = 119898oplus 1198981015840)
(16)
Let C119894 = sum1198981198981015840isinM 984858119894(119898 oplus 1198981015840) where
984858119894 (119909) = 1 HW [119909] = 1198940 otherwise (17)
As 119898 oplus 1198981015840 = 1198981015840 oplus 119898 C119894 119894 gt 0 is even Let C119894 =2C1015840119894 119894 gt 0 As W0 = 0 EM = (1|M|2) sum119899119894=0 C119894W119894 =(2|M|2) sum119899119894=1 C1015840119894W119894 If EM = (2119899 minus 1)2119899(119899 minus 1) we candeduce
2|M|2119899sum119894=1
C1015840119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr
2119899+1|M|2119899sum119894=1
C1015840119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr
2119899+1 | |M|2
(18)
The reason of the second arrow is as follows RecallW2119896+2 = W2119896+1 = (2119896 + 1)(2119896) in Lemma 1 forall119899 ge 2119896 + 1(119899minus1)W2119896+2 = (119899minus1)W2119896+1 = ((2119896minus1))2(2119896+1)prod119899minus1119894=2119896+1119894 isinN In other words forall119894 le 119899 (119899 minus 1)W119894 isin N 2119899+1sum119899119894=1 C1015840119894((119899 minus1)W119894) isin N and (2119899 minus 1) is odd Therefore |M|2 must bedivisible by 2119899+1
Hence |M| = 1198962lfloor1198992rfloor+1 119896 isin N
Theorem 3 forall|M| lt 2119899 isin N ifM is a linear mask set 120574 = 0Proof If M is linear 119898 oplus 1198981015840 isin M 1198981198981015840 isin M Let D119898 =119898 oplus1198981015840 | 1198981015840 isin M Obviously forall119898 isin MD119898 = M And (16)will further be
EM = 1|M|2 sum1198981198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 119898 oplus 1198981015840)
= 1|M|2 sum119898isinM sum1198981015840isinM
E (10038161003816100381610038161003816HW [119885] minus HW [1198851015840]10038161003816100381610038161003816 | 119885 oplus 1198851015840
= 1198981015840)= 1|M|
119899sum119894=0
C119894W119894(19)
where C119894 = sum119898isinM 984858119894(119898) 984858119894(sdot) is defined by (17)If EM = (2119899 minus 1)2119899(119899 minus 1) we can deduce
1|M|119899sum119894=1
C119894W119894 = (2119899 minus 1)2119899 (119899 minus 1) 997904rArr2119899|M|119899sum119894=1
C119894 ((119899 minus 1)W119894) = (2119899 minus 1) 997904rArr2119899 | |M|
(20)
which contradicts |M| lt 2119899 Thus EM = (2119899 minus 1)2119899(119899 minus1) which indicates Var(E(|HW[119885 oplus 119872] minus HW[1198851015840 oplus 1198721015840]| |119885 1198851015840)) = 0Theorem 2 indicates that the search should be among
mask sets satisfying |M| = 1198962lfloor1198992rfloor+1 119896 isin N to findthe perfect balanced mask set with 120574 = 0 However inconsideration of the effect of the noise 120574 = 0 couldnot be necessary According to Theorem 3 and the resultsin Appendix B the linear mask sets will be more vul-nerable because of their linear property Hence one canfirst use the searching algorithms like those in [11] to getsome nonlinear mask sets and use our selection crite-rion as a reference factor to select the one with smaller1205745 Conclusion
In this paper we analyzed the vulnerabilities on themask setsof software Low EntropyMasking Schemes implementationsWe found that satisfying the conditions in [11 18] was notenough for mask sets used in software LEMS implemen-tations The experiments verified that such vulnerabilitiescertainlymade the software LEMS implementations insecureTo fix the vulnerabilities we further gave a selection criterionMoreover two theorems were proved and our selectioncriterion could be a reference factor when selecting themask sets picked out by searching algorithms like those in[11]
For future work there remain two research directionsThe first direction is the proof of the existence of such perfectbalancedmask setsThe secondone is designingmore feasiblesearch algorithms and giving the masking values selectionrules based on those conditions
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
6 Security and Communication Networks
Appendix
A The Proof of 119891(120583120590)119891(120583 120590) = E(|119883|) where random variable 119883 sim 119873(120583 1205902) Wecan deduce that
E (|119883|) = 1radic2120587120590 intinfin
minusinfin|119909| 119890minus(119909minus120583)221205902d119909
= 1radic2120587120590 (intinfin
0119909119890minus(119909minus120583)221205902
minus int0minusinfin
119909119890minus(119909minus120583)221205902) d119909(A1)
Here
intinfin0119909119890minus(119909minus120583)221205902d119909 = intinfin
minus120583(119910 + 120583) 119890minus119910221205902d119910
= intinfinminus120583119910119890minus119910221205902d119910
+ intinfinminus120583120583119890minus119910221205902d119910
(A2)
= 1205902119890minus120583221205902+ radic2120587120590120583(1 minus 120601(minus120583120590 )) (A3)
int0minusinfin
119909119890minus(119909minus120583)221205902d119909 = minus1205902119890minus120583221205902
+ radic2120587120590120583120601(minus120583120590 ) (A4)
where 120601(119909) = int119909minusinfin
(1radic2120587)119890minus11991022d119910 can be checked on thenormal distribution table
Therefore using (A3) and (A4)
119891 (120583 120590) = E (|119883|)= radic 2120587120590119890minus120583221205902 + 120583(1 minus 2120601 (minus120583120590 )) (A5)
B Results of Experiments
We take a typical [8 4 4] linear codemask setM16mentionedin Section 2 and its variant M101584016 = 119898 oplus 011990903 | 119898 isin M16which are respectively used in the RSM (Rotating S-BoxMasking (RSM) [10] is a realization of LEMS) implemen-tations of DPA Contest v4 and DPA Contest v42 [15] as
examples to analyze the security in different SNR environ-ment in practice The software implementation of AES-256in DPAcv4 is protected by basic RSM countermeasure andthe traces are collected from an ATMega-163 smart card Ourattacks are performed on the leakage of the outputs of S-Boxes in first-round AES As the implementation of AES-128in DPAcv42 is protected by enhanced RSM countermeasureusing shuffling techniques we carry out the attacks on theleakage of the ShiftRow in the first round where the noise isbigger
Aiming at the vulnerabilities of unbalanced E(1)
(1198851198851015840) lots
of distinguishers can be designed Here we will presentexamples combined with the linear property of the mask setM forall1198981198981015840 isin M119898 oplus 1198981015840 isin M
Such property results in the following for any intermedi-ate 119911M119911 = 119911oplus119898 | 119898 isin M is the same as that of 119911119894 = 119911oplus119898119894[21]The reason isforall119898 isin M 119911119894oplus119898 = 119911oplus(119898119894oplus119898) isin M119911 whichmeans M119911119894 sub M119911 Moreover |M119911119894 | = |M119911| = |M| HenceM119911119894 = M119911 We further find the variants of the linear maskset 119898 oplus C | 119898 isin M where C is a constant also having thesame properties Gathering the intermediates with the samemasked values together F1198992 is divided into several sets I119894119894 = 1 2 119888 (119911 1199111015840 isin I ifM119911 = M119911
1015840
)Let O be the set of all the measurements O119896119894 represents
the set of measurements whose corresponding plaintext 119901satisfies 120595(119901 119896) isin I119894 where 120595(sdot sdot) is the function of sensitiveintermediate The distinguisher could be
D (119896) = E (120579 (O119896119894 O119896119894 ))120579 (OO) (B1)
where 120579(sdot sdot) is the estimated statistic value of absolutedifference values between two measurements sets When 119896is wrong the classification O119896119894 will be wrong and randomwhich makes the values of numerator and denominatorapproximate When 119896 is the correct key the value of numer-ator will differ from that of denominator (Theorem 3 inSection 4 will prove this) 119896lowast = argmax119896D(119896) or 119896lowast =argmin119896D(119896)120579 can be E(1) obviously As E(2) is independent of (119885 1198851015840)and Var(119883) = E(1198832) minus (E(119883))2 CV(119883) = radicVar(119883)E(119883)we can also use Var and CV as 120579 We name those distin-guishers for different statistics as 119903V 119903cv and 119903(1)119898 respec-tively
Using the traces in DPAcv4 we obtain 256 119903V 119903cv and 119903(1)119898curves and show the time samples around the output of oneS-Box in Figure 2(a) The correct keyrsquos 119903V and 119903cv curves haveapparent peaks with 1000 traces Furthermore we generate119903(1)119898 119903V and 119903cv curves over the number of traces at the peaktime sample and show the results in Figure 2(b) The blackand 255 grey curves represent the cases of the correct keyand wrong key hypotheses respectively The results showthat all those distinguishers can recover the key with enoughtraces
We then do the second experiment using traces inDPAcv42 at the ShiftRow in the first round where the weakerinformation is leaked The three distinguishers succeed with
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 7
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
200 400 600 800 10000Time samples
096
098
1
102
104
r
098
099
1
101
102
103
r =P
098
099
1
101
102
r(1)
m
(a)
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
2000 3000 4000 50001000Number of traces
098
1
102
104
r
099
1
101
102
103
r =P
099
1
101
102
103
r(1)
m
(b)
Figure 2 119903V 119903cv and 119903(1)119898 over (a) time samples using 1000 traces (b) and number of traces at the peak location
about 6000 traces because of the lower SNRWe omit similarfigures here
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by National Key Researchand Development Program of China (Grant no2017YFA0303903) National Natural Science Foundation
of China (Grant nos 61402536 and 61402252) BeijingNatural Science Foundation (Grant no 4162053)National Cryptography Development Fund (Grantno MMJJ20170201) and 973 Program (Grant no2013CB834205)
References
[1] P C Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemsrdquo in Proceedings of the16th Annual International Cryptology Conference CRYPTO rsquo96Lecture Notes in Computer Science pp 104ndash113 SpringerAugust 1996
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
8 Security and Communication Networks
[2] S Bhasin J-L Danger S Guilley and Z Najm ldquoSide-channelleakage and trace compression using normalized inter-classvariancerdquo in Proceedings of the 3rd International Workshop onHardware and Architectural Support for Security and PrivacyHASP 2014 pp 71ndash79 ACM USA June 2014
[3] G Dabosville J Doget and E Prouff ldquoA new second-order sidechannel attack based on linear regressionrdquo IEEETransactions onComputers vol 62 no 8 pp 1629ndash1640 2013
[4] M Kayaalp N Abu-Ghazaleh D Ponomarev and A JaleelldquoA high-resolution side-channel attack on last-level cacherdquo inProceedings of the 53rd Annual ACM IEEE Design AutomationConference DAC 2016 USA June 2016
[5] A A Pammu K-S Chong W-G Ho and B-H Gwee ldquoInter-ceptive side channel attack on AES-128 wireless communica-tions for IoT applicationsrdquo in Proceedings of the 2016 IEEE AsiaPacific Conference on Circuits and Systems APCCAS 2016 pp650ndash653 Republic of Korea October 2016
[6] Y Li M Chen and J Wang ldquoIntroduction to side-channelattacks and fault attacksrdquo in Proceedings of the 7th Asia-Pacific International Symposium on Electromagnetic Compatibil-ity APEMC 2016 pp 573ndash575 May 2016
[7] R Lumbiarres-Lopez M Lopez-Garcia and E Canto-NavarroldquoHardware architecture implemented on FPGA for protectingcryptographic keys against side-channel attacksrdquo IEEE Trans-actions on Dependable and Secure Computing 2016
[8] T Backenstrass M Blot S Pontie and R Leveugle ldquoPro-tection of ECC computations against side-channel attacks forlightweight implementationsrdquo in Proceedings of the 1st IEEEInternational Verification and Security Workshop IVSW 2016pp 1ndash6 July 2016
[9] M-L Akkar and C Giraud ldquoAn implementation of DESand AES secure against some attacksrdquo in Proceedings of thethird International Workshop on Cryptographic Hardware andEmbedded Systems CHES 2001 vol 2162 of Lecture Notes inComputer Science pp 309ndash318 Springer May 2001
[10] M Nassar Y Souissi S Guilley and J-L Danger ldquoRSM asmall and fast countermeasure for AES secure against 1st and2nd-order zero-offset SCAsrdquo in Proceedings of the 2012 DesignAutomation amp Test in Europe Conference amp Exhibition DATE2012 pp 1173ndash1178 Dresden Germany March 2012
[11] M Nassar S Guilley and J-L Danger ldquoFormal analysis of theentropysecurity trade-off in first-order masking countermea-sures against side-channel attacksrdquo in Proceedings of the 12thInternational Conference on Cryptology INDOCRYPT 2011 vol7107 of Lecture Notes in Computer Science pp 22ndash39 SpringerDecember 2011
[12] A Moradi S Guilley and A Heuser ldquoDetecting HiddenLeakagesrdquo in Proceedings of the 12th International Conferenceon Applied Cryptography and Network Security ACNS 2014vol 8479 of Lecture Notes in Computer Science pp 324ndash342Springer International Publishing June 2014
[13] C Herbst E Oswald and S Mangard ldquoAn AES smart cardimplementation resistant to power analysis attacksrdquo in Proceed-ings of the 4th International Conference on Applied Cryptographyand Network Security ACNS 2006 vol 3989 of Lecture Notes inComputer Science pp 239ndash252 Springer June 2006
[14] P Belgarric S Bhasin N Bruneau et al ldquoTime-FrequencyAnalysis for Second-Order Attacksrdquo in Smart Card Researchand Advanced Applications vol 8419 of Lecture Notes in Com-puter Science pp 108ndash122 Springer International PublishingCham 2014
[15] S Bhasin N Bruneau J-L Danger S Guilley and Z NajmldquoAnalysis and improvements of the DPA contest v4 implemen-tationrdquo in Proceedings of the 4th International Conference onSecurity Privacy and Applied Cryptography Engineering SPACE2014 vol 8804 of Lecture Notes in Computer Science pp 201ndash218 Springer October 2014
[16] C Clavier B Feix G Gagnerot M Roussellet and V VerneuilldquoImproved collision-correlation power analysis on first orderprotected AESrdquo in Proceedings of the 13th International Work-shop on Cryptographic Hardware and Embedded Systems CHES2011 vol 6917 pp 49ndash62 Springer October 2011
[17] X Ye and T Eisenbarth ldquoOn the Vulnerability of Low EntropyMasking Schemesrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 44ndash60 Springer International Publishing November 2014
[18] S Bhasin C Carlet and S Guilley ldquoTheory of masking withcodewords in hardware low-weight dth-order correlation-im-mune boolean functionsrdquo Cryptology ePrint Archive IACR vol2013 p 303 2013
[19] V Grosso F-X Standaert and E Prouff ldquoLow entropymaskingschemes revisitedrdquo in Proceedings of the 12th InternationalConference on Smart Card Research and Advanced ApplicationsCARDIS 2013 vol 8419 of Lecture Notes in Computer Sciencepp 33ndash43 Springer November 2014
[20] A Moradi and O Mischke ldquoHow far should theory be frompractice - evaluation of a countermeasurerdquo in Proceedings ofthe 14th InternationalWorkshop onCryptographicHardware andEmbedded Systems CHES 2012 vol 7428 of Lecture Notes inComputer Science pp 92ndash106 Springer September 2012
[21] B Ege T Eisenbarth and L Batina ldquoNear collision side channelattacksrdquo in Proceedings of the 22nd International Conference onSelected Areas in Cryptography SAC 2015 vol 9566 of LectureNotes in Computer Science pp 277ndash292 Springer August 2015
[22] httpfunctionswolframcomComplexComponentsAbs06ShowAllhtml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
![Leia: A Lightweight Cryptographic Neural Network Inference ... · data to cloud in plaintext can put individual’s privacy in danger [9,19]. On the other hand, from the aspect of](https://img.pdfslide.net/doc/110x75/5f0836a17e708231d420e5cf/leia-a-lightweight-cryptographic-neural-network-inference-data-to-cloud-in.jpg)
