How Far Can We Reach? Breaking RSM-Masked AES-128 Implementation Using Only One Trace

The Rotating Sbox Masking (RSM) scheme is a lightweight and highly efficient first-order masking scheme proposed to protect cryptographic implementations such as AES against side-channel attacks. It is a Low Entropy Masking Scheme (LEMS) and has attracted special attention from academia and industry because of its low overhead and high performance. The two public targets of DPA Contest v4 are both RSM-masked AES implementations: AES-256 (RSM-AES-256) for v4.1 and AES-128 (RSM-AES-128) for v4.2. The security of RSM-AES-256 was intensively studied by researchers worldwide within the framework of the DPA Contest, and several flaws were identified. RSM-AES-128 is its improved version, in which several pitfalls of RSM-AES-256 were fixed. However, the practical security of RSM-AES-128 has still not been thoroughly studied. In this paper, we analyze the practical security of RSM-AES-128 from a profiling-attack point of view. Specifically, we first present a Multivariate Template Attack (MTA) that maximizes the success rate of key recovery. Next, we propose a new Depth-First Key Enumeration Algorithm (DFKEA) that can be applied to find the correct key efficiently after a side-channel attack. By combining the DFKEA with our MTA, we obtain a novel multivariate profiling attack that recovers the secret key of RSM-AES-128 with a success rate of over 95% using only one trace. It is the best attack among all attacks submitted to the DPA Contest organizers to date. After a thorough analysis of our attack scheme and of RSM-AES-128, we finally present two proposals to improve the practical security of this implementation at an acceptable cost in overhead and performance.
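The abstract describes a two-stage attack: a profiling (template) stage that produces, for every key byte, a ranked list of candidates with likelihoods, and a depth-first key enumeration stage that walks those lists to find the full key when a single trace leaves some bytes ranked below first place. The block below is an added illustration of that interface and is not the paper's DFKEA nor any DPA Contest code: the per-byte score tables are constructed (log-likelihood dropping with Hamming distance from an "observed" byte, so that two of four bytes are deliberately mis-ranked), the key is four bytes instead of sixteen, and the key-verification oracle is a hash comparison standing in for "encrypt a known plaintext and compare with the known ciphertext". The enumeration itself is a generic depth-first, bounded-memory search over a sliding window of total log-probability, with branches cut once the best possible completion cannot reach the window floor.

```python
import hashlib
import math

# Constructed example: 4 key bytes are enough to show the mechanics; a real
# AES-128 run has 16 tables of 256 candidates each and the same code applies.
TRUE_KEY = (0x2B, 0x7E, 0x15, 0x16)
# Pretend the profiling stage mis-ranked bytes 1 and 2 (one- and two-bit errors).
OBSERVED = (0x2B, 0x7E ^ 0x01, 0x15 ^ 0x03, 0x16)
KEY_DIGEST = hashlib.sha256(bytes(TRUE_KEY)).hexdigest()


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def constructed_score_tables(observed, scale=1.0):
    """Stand-in for the output of a template attack: per key byte, a list of
    (candidate, log-probability) sorted best-first.  The constructed leakage
    model docks `scale` nats per bit of Hamming distance from the observed byte,
    so the correct candidate is not necessarily ranked first."""
    tables = []
    for obs in observed:
        raw = {c: -scale * hamming_weight(c ^ obs) for c in range(256)}
        m = max(raw.values())
        log_z = m + math.log(sum(math.exp(s - m) for s in raw.values()))  # normalise
        tables.append(sorted(((c, s - log_z) for c, s in raw.items()),
                             key=lambda t: -t[1]))
    return tables


def enumerate_window(tables, lo, hi):
    """Depth-first enumeration of every full key whose summed log-probability
    lies in [lo, hi).  Memory is O(key length); a branch is cut as soon as the
    best possible completion cannot reach `lo`."""
    n = len(tables)
    best_suffix = [0.0] * (n + 1)          # best achievable score for bytes i..n-1
    for i in range(n - 1, -1, -1):
        best_suffix[i] = best_suffix[i + 1] + tables[i][0][1]

    def dfs(i, partial, prefix):
        if i == n:
            if lo <= partial < hi:
                yield tuple(prefix), partial
            return
        for cand, lp in tables[i]:
            score = partial + lp
            if score + best_suffix[i + 1] < lo:
                break                       # table is sorted, later candidates are worse
            prefix.append(cand)
            yield from dfs(i + 1, score, prefix)
            prefix.pop()

    yield from dfs(0, 0.0, [])


def recover_key(tables, key_checks_out, step=1.0, max_keys=1_000_000):
    """Iterative deepening: slide a window of width `step` downwards from the
    best total score, testing each enumerated key against the oracle."""
    hi = sum(t[0][1] for t in tables) + 1e-9     # just above the best-scoring key
    floor = sum(t[-1][1] for t in tables)        # score of the worst-scoring key
    tested = 0
    while hi > floor and tested < max_keys:
        lo = hi - step
        for key, _ in enumerate_window(tables, lo, hi):
            tested += 1
            if key_checks_out(key):
                return key, tested
            if tested >= max_keys:
                break
        hi = lo
    return None, tested


def key_checks_out(key) -> bool:
    # Stand-in for "encrypt a known plaintext with the candidate and compare".
    return hashlib.sha256(bytes(key)).hexdigest() == KEY_DIGEST


def demo():
    tables = constructed_score_tables(OBSERVED)
    ranks = [next(r for r, (c, _) in enumerate(t, 1) if c == k)
             for t, k in zip(tables, TRUE_KEY)]
    key, tested = recover_key(tables, key_checks_out)
    return key, tested, ranks


if __name__ == "__main__":
    key, tested, ranks = demo()
    print("per-byte rank of the correct candidate:", ranks)
    print("recovered", None if key is None else bytes(key).hex(), "after", tested, "keys")
```

Within one window the keys come out in depth-first (rank-lexicographic) order rather than strictly by probability, which is the trade the approach makes for constant memory: an exact best-first enumeration would need a priority queue that grows with the number of keys examined. Narrowing `step` tightens the ordering at the cost of re-walking the upper part of the tree once per window. In the constructed tables above the correct key sits three "bits" of score below the best candidate, so it is reached in the fourth window after the 529 higher-scoring keys and some of the 4960 keys tied with it.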
