Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Previous Work
Results and Conclusions
References
All Topics
Computer Science
Hardware and Architecture

A New Class of Collision Attacks and Its Application to DES

Profile image of Christof PaarChristof Paar

2003, Lecture Notes in Computer Science

https://doi.org/10.1007/978-3-540-39887-5_16
visibility

description

18 pages

link

1 file

Abstract

Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which originates from Hans Dobbertin and is based on the fact that side channel analysis can be used to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We exploit the fact that internal collisions can be caused in three adjacent S-Boxes of DES [DDQ84] in order to gain information about the secret key-bits. As result, we were able to exploit an internal collision with a minimum of 140 encryptions 1 yielding 10.2 key-bits. Moreover, we successfully applied the attack to a smart card processor.

Related papers

Overview of the Side Channel Attacks
EKAMBARAM KESAVULU REDDY

2013

The security of cryptographic algorithms such as block ciphers and public-key algorithms relies on the secrecy of the key. Traditionally, when cryptanalysists examine the security of a cryptographic algorithm, they try to recover the secret key by observing the inputs and outputs of the algorithm. Assuming this type of attack models, cryptologists have made commonly-used cryptographic algorithms secure against such attacks. However, a real computing device not only generates the outputs specified in algorithms but also inevitably produces some other information such as timing and power. These types of information, called side-channel information, can be exploited in side-channel attacks to retrieve secret keys. Side channel attacks have successfully broken many algorithms.

View PDFchevron_right
Side Channel Attacks: Vulnerability Analysis of PRINCE and RECTANGLE using DPA
Dillibabu Shanmugam

2014

Over a decade, cryptographers are more attentive on designing lightweight ciphers in focus to compact cryptographic devices. More often, the security of these algorithms are defined in terms of its resistance to mathematical cryptanalysis methods. Nevertheless, designers are well aware of implementation attacks and concentrating on new design strategies to improve the defence quality against implementation attack. PRINCE [3] and RECTANGLE [17] lightweight block ciphers are designed using new design strategies for efficiency and security. In this paper we analyse the security of PRINCE and RECTANGLE against a type of implementation attack called Differential Power Analysis (DPA) attack. Our attack reduces key search space from 2 to 33008 for PRINCE and 2 to 288 for RECTANGLE.

View PDFchevron_right
Correlation-Enhanced Power Analysis Collision Attack
amir moradi

Cryptographic Hardware and Embedded Systems, 2010

Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementation of the AES which still have first-order leakage. The proposed attack breaks an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008. The attack requires only six times the number of traces necessary for breaking a comparable unprotected implementation. At the same time, the presented attack has minimal requirements on the abilities and knowledge of an adversary. The attack requires no detailed knowledge about the design, nor does it require a profiling phase.

View PDFchevron_right
Satisfiability-based Framework for Enabling Side-channelAttacks on Cryptographic Software
Ruby B. Lee

Many electronic systems contain implementations of cryptographic algorithms in order to provide security. It is well known that cryptographic algorithms, irrespective of their theoretical strength, can be broken through weaknesses in their implementation. In particular, side-channel attacks, which exploit unintended information leakage from the implementation, have been established as a powerful way of attacking cryptographic systems. All side-channel attacks can be viewed as consisting of two phases -an observation phase, wherein information is gathered from the target system, and an analysis or deduction phase in which the collected information is used to infer the cryptographic key. Thus far, most side-channel attacks have focused on extracting information that directly reveals the key, or variables from which the key can be easily deduced.

View PDFchevron_right
Masking the Energy Behavior of DES Encryption
Hendra Saputra

2003

Smart cards are vulnerable to both invasive and non-invasive attacks. Specifically, non-invasive attacks using power and timing measurements to extract the cryptographic key has drawn a lot of negative publicity for smart card usage. The power measurement techniques rely on the data-dependent energy behavior of the underlying system. Further, power analysis can be used to identify the specific portions of the program being executed to induce timing glitches that may in turn help to bypass key checking. Thus, it is important to mask the energy consumption when executing the encryption algorithms.

View PDFchevron_right
Side-channel attacks based on linear approximations
Cedric Tavernier

2009

Power analysis attacks against embedded secret key cryptosystems are widely studied since the seminal paper of Paul C. Kocher, Joshua Jaffe and Benjamin Jun in 1998 where has been introduced the powerful Differential Power Analysis. The strength of DPA is such that it became necessary to develop sound and efficient countermeasures. Nowadays embedded cryptographic primitives usually integrate one or several of these countermeasures (e.g. masking techniques, asynchronous designs, balanced dynamic dual-rail gates designs, noise adding, power consumption smoothing, etc. ...). This document presents new power analysis attacks based on linear approximations of the target cipher. This new type of attacks have several advantages compared to classical DPA-like attacks: first they can use multiple intermediate values by query (i.e. power trace) allowing to reduce data complexity to a minimum, secondly they can be applied on parts of the symmetric cipher that are practically unreachable by DPA-like attacks and finally they can be mounted on an unknown cipher implementation.

View PDFchevron_right
A Side-Channel Analysis Resistant Description of the AES S-Box
Vincent Rijmen

Lecture Notes in Computer Science, 2005

So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order sidechannel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF (4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against firstorder side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.

View PDFchevron_right
Evaluation of countermeasure implementations based on Boolean masking to thwart side-channel attacks
Art Box

2009

This paper presents hardware implementations of a DES cryptoprocessor with masking countermeasures and their evaluation against side-channel attacks (SCAs) in FPGAs. The masking protection has been mainly studied from a theoretical viewpoint without any thorough test in a noisy real world designs.

View PDFchevron_right
Algebraic Cryptanalysis of the Data Encryption Standard
Nicolas Courtois

Proceedings of the 11th IMA international …, 2007

In spite of growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple DES is believed very secure, is widely used, especially in the financial sector, and should remain so for many many years to come. In addition, some doubts have been risen whether its replacement AES is secure, given the extreme level of "algebraic vulnerability" of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations). Is DES secure from the point of view of algebraic cryptanalysis, a new very fast-growing area of research? We do not really hope to break it, but just to advance the field of cryptanalysis. At a first glance, DES seems to be a very poor target-as there is (apparently) no strong algebraic structure of any kind in DES. However in [14] it was shown that "small" S-boxes always have a low I/O degree (cubic for DES as we show below). In addition, due to their low gate count requirements, by introducing additional variables, we can always get an extremely sparse system of quadratic equations. To assess the algebraic vulnerabilities is the easy part, that may appear unproductive. In this paper we demonstrate that in this way, several interesting attacks on a real-life "industrial" block cipher can be found. One of our attack is the fastest known algebraic attack on 6 rounds of DES. Yet, it requires only one single known plaintext (instead of a very large quantity) which is quite interesting in itself. Though (on a PC) we recover the key for only six rounds, in a much weaker sense we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. They can be applied to DES with modified S-boxes and potentially other reduced-round block ciphers.

View PDFchevron_right

References (32)

  1. D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. The EM Side -Channel(s). In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2002. Springer-Verlag, 2002.
  2. R. Anderson and M. Kuhn. Tamper Resistance -a Cautionary Note. In Second Usenix Workshop on Electronic Commerce, pages 1-11, November 1996.
  3. M. Briceno, I. Goldberg, and D. Wagner. An Implementation of the GSM A3A8 algorithm, 1998. http://www.scard.org/gsm/a3a8.txt.
  4. M. Briceno, I. Goldberg, and D. Wagner. GSM cloning, 1998. http://www.isaac.cs.berkely.edu/isaac/gsm-faq.html.
  5. C. Clavier and J.-S. Coron. On Boolean and Arithmetic Masking against Differential Power Analysis. In C ¸. K. Koç and C. Paar, editors, Crypto- graphic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 231 -237. Springer-Verlag, 2000.
  6. C. Clavier, J.-S. Coron, and N. Dabbour. Differential Power Anajlysis in the Presence of Hardware Countermeasures. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 252 -263. Springer-Verlag, 2000.
  7. C. Clavier, J.S. Coron, and N. Dabbous. Differential Power Analysis in the Presence of Hardware Countermeasures. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 252-263. Springer-Verlag, 2000.
  8. CJR + 99a] S. Chari, C. S. Jutla, J. R. Rao, , and P. Rohatgi. A Cauttionary Note Re- garding the Evaluation of AES Condidates on Smart Cards. In Proceedings: Second AES Candidate Conference (AES2), Rome, Italy, March 1999. [CJR + 99b] S. Chari, C. S. Jutla, J. R. Rao, , and P. Rohatgi. Towards Sound Ap- proaches to Counteract Power-Analysis Attacks. In Advances in Cryptology -CRYPTO '99, volume LNCS 1666, pages 398 -412. Springer-Verlag, August 1999.
  9. D. Coppersmith. The Data Encryption Standard (DES) and its Strength Against Attacks. Technical report rc 186131994, IBM Thomas J. Watson Research Center, December 1994.
  10. J.-S. Coron. Resistance against Differentail Power Analysis for Elliptic Curve Cryptosystems. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 1999, volume LNCS 1717, pages 292 -302. Springer-Verlag, 1999.
  11. B. den Boer and A. Bosselaers. Collisions for the Compression Function of MD5. In T. Hellenseth, editor, Advances in Cryptology -EUROCRYPT '93, volume LNCS 0765, pages 293 -304, Berlin, Germany, 1994. Springer- Verlag.
  12. M. Davio, Y. Desmedt, and J.-J. Quisquater. Propagation Characteristics of the DES. In Advances in Cryptology -CRYPTO '84, pages 62-74.
  13. H. Dobbertin. RIPEMD with two-round compress function is not collision- free. Journal of Cryptology, 10:51-68, 1997.
  14. H. Dobbertin. Cryptanalysis of md4. Journal of Cryptology, 11:253-271, 1998.
  15. P. N. Fahn and P.K. Rearson. IPA: A New Class of Power Attacks. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 1999, volume LNCS 1717, pages 173 -186. Springer- Verlag, 1999.
  16. L. Goubin and J. Patarin. DES and Differential Power Analysis. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Sys- tems -CHES 1999, volume LNCS 1717, pages 158 -172. Springer-Verlag, 1999.
  17. Technical Information -GSM System Security Study, 1998. http://jya.com/gsm061088.htm.
  18. P. Kocher, J. Jaffe, and B. Jun. Introduction to Differential Power Analysis and Related Attacks. http://www.cryptography.com/dpa/technical, 1998. Manuscript, Cryptography Research, Inc.
  19. P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In Advances in Cryptology -CRYPTO '99, volume LNCS 1666, pages 388-397. Springer- Verlag, 1999.
  20. T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Investigations of Power Analysis Attacks on Smartcards. In USENIX Workshop on Smartcard Tech- nology, pages 151-162, 1999.
  21. T. S. Messerges. Using Second-Order Power Analysis to Attack DPA Resis- tant Software. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 238 - 251. Springer-Verlag, 2000.
  22. R. Mayer-Sommer. Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smart Cards. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 78 -92. Springer-Verlag, 2000.
  23. J.A. Muir. Techniques of Side Channel Cryptanalysis. Master thesis, 2001. University of Waterloo, Canada.
  24. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida, USA, 1997.
  25. NIST FIPS PUB 46-3. Data Encryption Standard. Federal Information Processing Standards, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., 1977.
  26. NIST FIPS PUB 180-1. Secure Hash Standard. Federal Information Pro- cessing Standards, National Bureau of Standards, U.S. Department of Com- merce, Washington D.C., April 1995.
  27. R. Rivest. RFC 1320: The MD4 Message-Digest Algorithm. Corporation for National Research Initiatives, Internet Engineering Task Force, Network Working Group, Reston, Virginia, USA, April 1992.
  28. R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120-126, February 1978.
  29. Adi Shamir. Protecting Smart Cards form Power Analysis with Detached Power Supplies. In C ¸. K. Koç and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2000, volume LNCS 1965, pages 71 -77.
  30. S. Vaudenay. On the need of Multipermutations: Cryptanalysis of MD4 and SAFER. In Fast Software Encryption -FSE '94, volume LNCS 1008, pages 286 -297, Berlin, Germany, 1994. Springer-Verlag.
  31. A. Wiemers. Partial Collision Search by Side Channel Analysis. Presen- tation at the Workshop: Smartcards and Side Channel Attacks, January 2003. Horst Goertz Institute, Bochum, Germany. 101100 4 ((000100(02,0),101000(04,2)), ((001011(05,1),100111(03,3))
  32. 111001 6 ((010011(09,1),101010(05,2)), ((010111(11,1),101110(07,2)), ((011111(15,1),100110(03,2)) 111010

Related papers

An Implementation of DES and AES, Secure against Some Attacks
Mehdi-Laurent Akkar, Christophe Giraud

Lecture Notes in Computer Science, 2001

Since Power Analysis on smart cards was introduced by Paul Kocher [7], many countermeasures have been proposed to protect implementations of cryptographic algorithms. In this paper we propose a new protection principle: the transformed masking method. We apply this method to protect two of the most popular block ciphers: DES and the AES Rijndael. To this end we introduce some transformed S-boxes for DES and a new masking method and its applications to the non-linear part of Rijndael.

View PDFchevron_right
Differential Cryptanalysis of DES-like Cryptosystems
Eli A A

1990

The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Buraeu of Standards in the mid 70’s, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break DES with up to eight rounds in a few minutes on a PC and can break DES with up to 15 rounds faster than an exhaustive search. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.

View PDFchevron_right
A dynamic study with side channel against An Identification Based Encryption
Mostafa Belkasmi

International Journal of Communication Networks and Information Security, 2015

Recently, the side channel keeps the attention of researchers in theory of pairing, since, several studies have been done in this subject and all they have the aim in order to attack the cryptosystems of Identification Based Encryption (IBE) which are integrated into Smart Cards (more than 80% of those cryptosystems are based on a pairing). The great success and the remarkable development of the cryptography IBE in the recent years and the direct connection of this success to the ability of resistance against any kind of attack, especially the DPA (Differential Power Analysis) and DFA (Differential Fault Analysis) attacks, leave us to browse saying all the studies of the DPA and DFA attacks applied to a pairing and we have observed that they have no great effect to attack the cryptosystems of IBE. That is what we will see in this paper. In this work we will illuminate the effect of the DPA attack on a cryptosystems of IBE and we would see on what level we can arrive. Thus in the case where this attack can influence on those cryptosystems, we can present an appropriate countermeasures to resist such attack. In the other part, we will also propose a convenient countermeasure to defend against the DFA attack when the embedding degree is even.

View PDFchevron_right
Power analysis attacks against FPGA implementations of the DES
Berna Ors Yalcin, François-xavier Standaert

Field Programmable Logic …, 2004

Cryptosystem designers frequently assume that secret parameters will be manipulated in tamper resistant environments. However, physical implementations can be extremely difficult to control and may result in the unintended leakage of side-channel information. In power analysis attacks, it is assumed that the power consumption is correlated to the data that is being processed. An attacker may therefore recover secret information by simply monitoring the power consumption of a device. Several articles have investigated power attacks in the context of smart card implementations. While FPGAs are becoming increasingly popular for cryptographic applications, there are only a few articles that assess their vulnerability to physical attacks. In this article, we demonstrate the specific properties of FPGAs w.r.t. Differential Power Analysis (DPA). First we emphasize that the original attack by Kocher et al. and the improvements by Brier et al. do not apply directly to FPGAs because their physical behavior differs substantially from that of smart cards. Then we generalize the DPA attack to FPGAs and provide strong evidence that FPGA implementations of the Data Encryption Standard (DES) are vulnerable to such attacks.

View PDFchevron_right
Improved Meet-in-the-Middle Attacks on Reduced-Round DES
Mohamed Tolba

Lecture Notes in Computer Science

The Data Encryption Standard (DES) is a 64-bit block cipher. Despite its short key size of 56 bits, DES continues to be used to protect financial transactions valued at billions of Euros. In this paper, we investigate the strength of DES against attacks that use a limited number of plaintexts and ciphertexts. By mounting meet-in-the-middle attacks on reduced-round DES, we find that up to 6-round DES is susceptible to this kind of attacks. The results of this paper lead to a better understanding on the way DES can be used.

View PDFchevron_right

Related topics

  • Smart Card
  • Hash Function
  • Data Encryption Standard
  • Side Channel attacks

    • Cited by

    Correlation-Enhanced Power Analysis Collision Attack
    amir moradi

    Cryptographic Hardware and Embedded Systems, 2010

    Side-channel based collision attacks are a mostly disregarded alternative to DPA for analyzing unprotected implementations. The advent of strong countermeasures, such as masking, has made further research in collision attacks seemingly in vain. In this work, we show that the principles of collision attacks can be adapted to efficiently break some masked hardware implementation of the AES which still have first-order leakage. The proposed attack breaks an AES implementation based on the corrected version of the masked S-box of Canright and Batina presented at ACNS 2008. The attack requires only six times the number of traces necessary for breaking a comparable unprotected implementation. At the same time, the presented attack has minimal requirements on the abilities and knowledge of an adversary. The attack requires no detailed knowledge about the design, nor does it require a profiling phase.

    View PDFchevron_right
    Side-Channel Analysis of Montgomery’s Representation Randomization
    Eliane Jaulmes

    Lecture Notes in Computer Science, 2014

    Elliptic curve cryptography is today widely spread in embedded systems and the protection of their implementation against side-channel attacks has been largely investigated. At CHES 2012, a countermeasure has been proposed which adapts Montgomery's arithmetic to randomize the intermediate results during scalar point multiplications. The approach turned out to be a valuable alternative to the previous strategies based on hiding and/or masking techniques. It was argued to be specifically dedicated to hardware implementations and it aimed to defeat first-order side-channel attacks involving Pearson's correlation as distinguisher. In this paper however, we exhibit an important flaw in the countermeasure and we show, through various simulations, that it leads to efficient first-order correlation-based attacks.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved