On the Security of RSM - Presenting 5 First- and Second-Order Attacks

Lightweight cryptography and efficient implementations, including efficient countermeasures against side-channel analysis, are of great importance for embedded devices, and, consequently, a lot of progress has been made in this area in recent years. In 2012, the RSM masking scheme [15] was introduced as an efficient countermeasure against side-channel attacks on AES. RSM has no time penalty and only reasonable area overhead, uses only 4 bits of entropy, and is deemed to be secure against univariate first- and second-order attacks. In this paper we first review the original practical security evaluation and discuss some of its shortcomings. We then reveal a weakness in the set of masks used in RSM: we found that certain pairs of masks have a constant difference. This weakness is subsequently exploited to mount five different side-channel attacks against RSM: a univariate first-order CPA enabled by simple pre-processing and a variant of a first-order correlation-enhanced collision attack, both on a smart card implementation, and a univariate second-order CPA as well as two first- and second-order collision attacks against an FPGA implementation. All five attacks show how such a vulnerability in the mask set can undermine the security of the scheme and therefore highlight the importance of carefully choosing the masks.
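The mask-set weakness the abstract refers to can be checked mechanically before a mask set is deployed. The following is an added example, not code from the paper or from the RSM authors; it assumes the 16 RSM mask bytes as distributed with DPA contest v4 (quoted from memory, to be verified against [12]) and the RSM rotation rule that state byte j is masked with `masks[(offset + j) % 16]` for a per-encryption random offset.

```python
"""Mask-set checks for the RSM weakness: mask pairs with a constant XOR difference.
Added example, not the paper's code. Mask values are the RSM set from DPA contest v4
quoted from memory (verify against [12]); the rotation rule, state byte j masked
with masks[(offset + j) % 16] for a per-encryption random offset, is assumed from
the published scheme description.
"""
from collections import Counter
from itertools import combinations

RSM_MASKS = [0x00, 0x0F, 0x36, 0x39, 0x53, 0x5C, 0x65, 0x6A,
             0x95, 0x9A, 0xA3, 0xAC, 0xC6, 0xC9, 0xF0, 0xFF]


def constant_rotation_differences(masks):
    """Return {distance: difference} for every rotation distance t at which
    masks[k] ^ masks[(k + t) % n] is the same value for all k.

    Under the rotation rule, state bytes j and j + t always receive masks
    that are t positions apart, so a constant difference means XORing those
    two masked bytes cancels the random mask in every single trace."""
    n = len(masks)
    found = {}
    for t in range(1, n):
        diffs = {masks[k] ^ masks[(k + t) % n] for k in range(n)}
        if len(diffs) == 1:
            found[t] = diffs.pop()
    return found


def difference_histogram(masks):
    """Count how many unordered mask pairs share each XOR difference.
    A difference shared by len(masks) // 2 pairs splits the whole set into
    pairs with that constant difference."""
    return Counter(a ^ b for a, b in combinations(masks, 2))


def mask_set_report(masks):
    """Summarise the checks a candidate mask set should pass before use."""
    worst_diff, worst_count = difference_histogram(masks).most_common(1)[0]
    return {
        "constant_rotation_differences": constant_rotation_differences(masks),
        "most_common_difference": worst_diff,
        "pairs_with_that_difference": worst_count,
        "max_pairs_possible": len(masks) // 2,
    }


if __name__ == "__main__":
    print(mask_set_report(RSM_MASKS))
```

For the RSM set the report flags rotation distance 8 with a constant difference of 0x95, i.e. every state byte pair (j, j + 8) is masked with a mask-independent XOR difference, which is the property the paper's attacks build on.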

[1] Stefan Mangard et al. Power analysis attacks: revealing the secrets of smart cards, 2007.

[2] Sylvain Guilley et al. Exploiting FPGA block memories for protected cryptographic implementations, 2013, ReCoSoC.

[3] Marc Joye et al. Cryptographic Hardware and Embedded Systems - CHES 2004, 2004, Lecture Notes in Computer Science.

[4] Michael Wiener et al. Advances in Cryptology - CRYPTO '99, 1999.

[5] Huaxiong Wang et al. On 3-Share Threshold Implementations for 4-Bit S-boxes, 2013, COSADE.

[6] N. J. A. Sloane et al. A new table of constant weight codes, 1990, IEEE Trans. Inf. Theory.

[7] Sylvain Guilley et al. A low-entropy first-degree secure provable masking scheme for resource-constrained devices, 2013, WESS '13.

[8] Christophe Clavier et al. Correlation Power Analysis with a Leakage Model, 2004, CHES.

[9] Claude Carlet et al. Side-channel indistinguishability, 2013, HASP '13.

[10] Sylvain Guilley et al. From cryptography to hardware: analyzing and protecting embedded Xilinx BRAM for cryptographic applications, 2013, Journal of Cryptographic Engineering.

[11] Thomas Eisenbarth et al. Correlation-Enhanced Power Analysis Collision Attack, 2010, CHES.

[12] Sylvain Guilley et al. RSM: A small and fast countermeasure for AES, secure against 1st and 2nd-order zero-offset SCAs, 2012, Design, Automation & Test in Europe Conference & Exhibition (DATE).

[13] Amir Moradi et al. Side-Channel Resistant Crypto for Less than 2,300 GE, 2011, Journal of Cryptology.

[14] Tsuyoshi Takagi et al. Cryptographic Hardware and Embedded Systems - CHES 2011, 13th International Workshop, Nara, Japan, September 28 - October 1, 2011, Proceedings, 2011, CHES.

[15] Yang Li et al. Power Variance Analysis breaks a masked ASIC implementation of AES, 2010, Design, Automation & Test in Europe Conference & Exhibition (DATE 2010).

[16] J. MacQueen. Some methods for classification and analysis of multivariate observations, 1967.

[17] Christophe Clavier et al. Improved Collision-Correlation Power Analysis on First Order Protected AES, 2011, CHES.

[18] David A. Wagner et al. Towards Efficient Second-Order Power Analysis, 2004, CHES.

[19] Stefan Mangard et al. Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010, Proceedings, 2010, CHES.

[20] Siva Sai Yerubandi et al. Differential Power Analysis, 2002.