First-order side channel attacks on Zhang’s countermeasures

Zhang’s three countermeasures are known to be secure against certain first-order side channel attacks such as differential power analysis and correlation power analysis. This security comes from the countermeasures’ use of random points to blind the message and random integers to blind the secret scalar. In this paper, we propose first-order side channel attack methods that can perfectly break these three countermeasures. Even though Zhang’s countermeasures use random points and random integers our attacks are made possible by the fact that intermediate values computed by these countermeasures are dependent on specific values that we can guess. The experimental results verify that the proposed attack methods can successfully break existing countermeasures.     

Improved Side‐Channel Attack on DES with the First Four Rounds Masked

This letter describes an improved side‐channel attack on DES with the first four rounds masked. Our improvement is based on truncated differentials and power traces which provide knowledge of Hamming weights for the intermediate data computed during the enciphering of plaintexts. Our results support the claim that masking several outer rounds rather than all rounds is not sufficient for the ciphers to be resistant to side‐channel attacks.     

Practical and Provable Security against Differential and Linear Cryptanalysis for Substitution‐Permutation Networks

We examine the diffusion layers of some block ciphers referred to as substitution‐permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S‐boxes and that of linearly active S‐boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by pⁿ (resp. qⁿ) and that of each differential (resp. linear hull) of the SDS function with a semi‐maximal diffusion layer is bounded by p^n‐1 (resp. q^n‐1), where p and q are maximum differential and linear probabilities of the substitution layer, respectively.     

Known-IV, Known-in-Advance-IV, and Replayed-and-Known-IV Attacks on Multiple Modes of Operation of Block Ciphers

Normally, it has been believed that the initial values of cryptographic schemes do not need to be managed secretly unlike the secret keys. However, we show that multiple modes of operation of block ciphers can suffer a loss of security by the state of the initial values. We consider several attacks according to the environment of the initial values; known-IV attack, known-in-advance-IV attack, and replayed-and-known-IV attack. Our attacks on cascaded three-key triple modes of operation requires 3-7 blocks of plaintexts (or ciphertexts) and 3 · 2⁵⁶-9 · 2⁵⁶ encryptions. We also give the attacks on multiple modes proposed by Biham.     

Practical Second‐Order Correlation Power Analysis on the Message Blinding Method and Its Novel Countermeasure for RSA

Recently power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary‐with‐random‐initial‐point algorithm on elliptical curve cryptosystems. It is known to be secure against first‐order differential power analysis (DPA); however, it is susceptible to second‐order DPA. Although second‐order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second‐order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.     

An Efficient DPA Countermeasure for the EtaT Pairing Algorithm over GF(2n) Based on Random Value Addition

This paper presents an efficient differential power analysis (DPA) countermeasure for the Eta_T pairing algorithm over GF(2ⁿ). The proposed algorithm is based on a random value addition (RVA) mechanism. An RVA‐based DPA countermeasure for the Eta_T pairing computation over GF(3ⁿ) was proposed in 2008. This paper examines the security of this RVA‐based DPA countermeasure and defines the design principles for making the countermeasure more secure. Finally, the paper proposes an efficient RVA‐based DPA countermeasure for the secure computation of the Eta_T pairing over GF(2ⁿ). The proposed countermeasure not only overcomes the security flaws in the previous RVA‐based method but also exhibits the enhanced performance. Actually, on the 8‐bit ATmega128L and 16‐bit MSP430 processors, the proposed method can achieve almost 39% and 43% of performance improvements, respectively, compared with the best‐known countermeasure.     

Efficient Masking Methods Appropriate for the Block Ciphers ARIA and AES

In this paper, we propose efficient masking methods for ARIA and AES. In general, a masked S‐box (MS) block can be constructed in different ways depending on the implementation platform, such as hardware and software. However, the other components of ARIA and AES have less impact on the implementation cost. We first propose an efficient masking structure by minimizing the number of mask corrections under the assumption that we have an MS block. Second, to make a secure and efficient MS block for ARIA and AES, we propose novel methods to solve the table size problem for the MS block in a software implementation and to reduce the cost of a masked inversion which is the main part of the MS block in the hardware implementation.     

Correction to: An efficient implementation of pairing-based cryptography on MSP430 processor

The Journal of Supercomputing - The Acknowledgements section is missing in the original article. Now the Acknowledgements section is given.     

New Type of Collision Attack on First‐Order Masked AESs

This paper introduces a new type of collision attack on first‐order masked Advanced Encryption Standards. This attack is a known‐plaintext attack, while the existing collision attacks are chosen‐plaintext attacks. In addition, our method requires significantly fewer power measurements than any second‐order differential power analysis or existing collision attacks.