Correlation Power Analysis of Lightweight Block Ciphers

Correlation Power Analysis of Lightweight Block Ciphers: From Theory to Practice
Alex Biryukov, Daniel Dinu, Johann Großschädl
SnT, University of Luxembourg
ESC 2017

Outline
1. Motivation
2. Theory
   - Selection Function
   - Correlation Power Analysis (CPA)
3. Practice
   - Evaluation Framework
   - Quantifying the Leakage
   - Results
4. Conclusion

Motivation

Theory
- many theoretical metrics for the SCA resistance of S-boxes:
  - Nonlinearity (NL)
  - Transparency Order (TO)
  - Improved Transparency Order (ITO)
  - DPA Signal-to-Noise Ratio (SNR)
  - ...
- SCA resistance is often associated with low nonlinearity

Practice
- how good are these theoretical metrics to quantify the SCA leakage?
- which are the best targets for SCA attacks?

Selection Function
- $x$: known part of the input of the round function
- $k$: unknown part of the round key

Definition (Selection Function): In the context of side-channel attacks, a selection function gives the intermediate result, also referred to as sensitive value $\varphi_k$, which is used by the attacker to recover the secret key.

$$\phi : \mathbb{F}_2^n \to \mathbb{F}_2^m, \qquad \varphi_k = \phi(x, k)$$

Correlation Power Analysis (CPA)
- $\varphi_k = \phi(x, k)$: sensitive value used by the attacker to recover the secret key
- $x$: known part of the input of the round function
- $k$: unknown part of the round key

Definition (Correlation Power Analysis (CPA)): Given a set of power traces and the corresponding sets of intermediate values $\varphi_1, \varphi_2, \ldots, \varphi_{2^k}$, Correlation Power Analysis (CPA) aims at recovering the secret subkey $k$ using a correlation factor between the measured power samples and the power model of the computed sensitive values.

Evaluation Framework

Measurement Setup
- target board: 8-bit AVR ATmega2561
- oscilloscope: LeCroy WaveRunner 104MXi
- noise reduction: Faraday cage, regulated power supply, fiber-optic communication

Metrics
- Success Rate (SR)
- Guessing Entropy (GE)
- average over 100 experiments
- up to 2000 traces per experiment

Quantifying the Leakage

Which assembly instruction leaks more?
- register-only instructions: and, add
- memory access instructions: lpm, ld, st

Which selection function leaks more?
- logical operations: AND, OR, XOR
- modular addition: ADD, ADC
- S-boxes: AES, LBlock, Piccolo, PRINCE
- L-boxes: Fantomas

Correlation Coefficient Difference (δ)

Definition (Correlation Coefficient Difference): The difference between the correlation coefficient of the correct key and the correlation coefficient of the most likely key guess other than the correct key.

δ = c(correct key) - c(most likely other key guess)

- δ < 0: leaks less (several guesses)
- δ > 0: leaks more (1 guess)
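Added example (not from the slides): a simulation that computes δ as defined above for three of the selection functions the talk compares (XOR, modular addition, AES S-box lookup), as one would when checking how well a target operation separates the correct key from wrong guesses. It assumes an idealized Hamming-weight leakage with Gaussian noise, so the values will not match those measured on the ATmega2561; the function names, key, noise level and trace count are constructed for illustration.

```python
import math
import random

def gmul(a, b):
    """Multiply a*b in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """Build the AES S-box: field inverse followed by the affine map."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    box = []
    for a in range(256):
        inv = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3)
                   ^ rotl(inv, 4) ^ 0x63)
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # assumed power model

# Selection functions (8-bit x, 8-bit k), named here for illustration.
SELECTION = {
    "xor": lambda x, k: x ^ k,
    "add": lambda x, k: (x + k) & 0xFF,
    "aes_sbox": lambda x, k: SBOX[x ^ k],
}

def pearson(a, b):
    """Pearson correlation; returns 0.0 if either input is constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    va = sum((u - ma) ** 2 for u in a)
    vb = sum((v - mb) ** 2 for v in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0

def simulate(phi, key, n_traces, sigma, rng):
    """Constructed traces: HW of the sensitive value plus Gaussian noise."""
    xs = [rng.randrange(256) for _ in range(n_traces)]
    traces = [HW[phi(x, key)] + rng.gauss(0.0, sigma) for x in xs]
    return xs, traces

def delta(phi, key, xs, traces):
    """Correlation of the correct key minus the best wrong key guess."""
    c = [pearson([HW[phi(x, g)] for x in xs], traces) for g in range(256)]
    return c[key] - max(c[g] for g in range(256) if g != key)

def evaluate(key=0x3F, n_traces=500, sigma=1.0, seed=1):
    rng = random.Random(seed)
    return {name: delta(phi, key, *simulate(phi, key, n_traces, sigma, rng))
            for name, phi in SELECTION.items()}

if __name__ == "__main__":
    for name, d in evaluate().items():
        print(f"{name:9s} delta = {d:+.3f}")
```

In this model a wrong guess that differs from the key in one bit still predicts seven of eight bits of an XOR or ADD result, which keeps δ small; the S-box output of a wrong guess is nearly uncorrelated with the true one, so the table lookup yields the largest δ.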

Understanding the Device's Leakage

[Plot: correlation coefficient difference (δ) versus correct key (0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF) for the instructions and, add, lpm, ld, st]

- register-only instructions: and, add
- memory instructions: lpm, ld, st

Comparison of Different Selection Functions
- target: st instruction
- 4 groups of selection functions:
  - logical operations: AND, OR, XOR
  - modular addition: ADD, ADC
  - S-boxes: AES, LBlock, Piccolo, PRINCE
  - L-boxes: Fantomas

1. Logical Operations

[Plot: correlation coefficient difference (δ) versus correct key for $\phi_1$, $\phi_2$, $\phi_3$]

- $\phi_1(x, k) = x \wedge k$
- $\phi_2(x, k) = x \vee k$
- $\phi_3(x, k) = x \oplus k$

2. Modular Addition

[Plot: correlation coefficient difference (δ) versus correct key for $\phi_4$, $\phi_5$]

- $\phi_4(x, k) = x \boxplus k$
- $\phi_5(x, k, c) = x \boxplus k \boxplus c$

3. S-boxes

[Plot: correlation coefficient difference (δ) versus correct key for $\phi_6$ to $\phi_{12}$]

- 8-bit: $\phi_6 = S_{\mathrm{AES}}(x \oplus k)$
- 4-bit: $\phi_7 = S_{\mathrm{LBlock}}(x \oplus k)$, $\phi_9 = S_{\mathrm{Piccolo}}(x \oplus k)$, $\phi_{11} = S_{\mathrm{PRINCE}}(x \oplus k)$
- 8-bit: $\phi_8 = S_{\mathrm{LBlock}}(x \oplus k)$, $\phi_{10} = S_{\mathrm{Piccolo}}(x \oplus k)$, $\phi_{12} = S_{\mathrm{PRINCE}}(x \oplus k)$

4. L-boxes

[Plot: correlation coefficient difference (δ) versus correct key for $\phi_{13}$ to $\phi_{16}$]

- $\phi_{13} = \mathrm{LSB}(L^{1}_{1,\mathrm{Fantomas}}(x \oplus k))$
- $\phi_{14} = \mathrm{MSB}(L^{1}_{1,\mathrm{Fantomas}}(x \oplus k))$
- $\phi_{15} = \mathrm{LSB}(L^{1}_{2,\mathrm{Fantomas}}(x \oplus k))$
- $\phi_{16} = \mathrm{MSB}(L^{1}_{2,\mathrm{Fantomas}}(x \oplus k))$

Comparison of Different Selection Functions

| Selection function | n | m | NL | δ |
|---|---|---|---|---|
| $\phi_1(x, k) = x \wedge k$ | 16 | 8 | 16384 | -0.005 |
| $\phi_2(x, k) = x \vee k$ | 16 | 8 | 16384 | -0.018 |
| $\phi_3(x, k) = x \oplus k$ | 16 | 8 | 0 | -0.153 |
| $\phi_4(x, k) = x \boxplus k$ | 16 | 8 | 0 | 0.127 |
| $\phi_6(x \oplus k) = S_{\mathrm{AES}}(x \oplus k)$ | 8 | 8 | 112 | 0.586 |
| $\phi_7(x \oplus k) = S_{\mathrm{LBlock}}(x \oplus k)$ | 4 | 4 | 4 | 0.342 |
| $\phi_8(x \oplus k) = S_{\mathrm{LBlock}}(x \oplus k)$ | 8 | 8 | 64 | 0.235 |
| $\phi_{15}(x \oplus k) = \mathrm{LSB}(L^{1}_{2,\mathrm{Fantomas}}(x \oplus k))$ | 8 | 8 | 0 | 0.136 |

Sometimes nonlinearity (NL) fails to quantify resilience to CPA:
- bitwise operations (AND, OR)
- 4-bit vs. 8-bit S-layer (e.g. LBlock)
- L-layer (e.g. Fantomas)

Analysed Ciphers

Selection criteria:
- good software performance in the Triathlon competition [1]
- variety of design constructions

| Cipher | Block size (bits) | Key size (bits) | Structure | Attacked operation |
|---|---|---|---|---|
| AES | 128 | 128 | SPN | S-box lookup |
| Fantomas | 128 | 128 | SPN | L-box lookup |
| LBlock | 64 | 80 | Feistel | S-box lookup |
| Piccolo | 64 | 80 | Feistel | S-box lookup |
| PRINCE | 64 | 128 | SPN | S-box lookup |
| RC5 | 64 | 128 | Feistel | modular addition |
| Simon | 64 | 96 | Feistel | bitwise AND |
| Speck | 64 | 96 | Feistel | modular subtraction |

[1] https://www.cryptolux.org/index.php/felics

Properties of S-boxes

| Cipher | S-box | NL | TO | ITO | SNR | δ | SE_δ |
|---|---|---|---|---|---|---|---|
| AES | S | 112 | 7.860 | 6.916 | 9.600 | 0.586 | 0.008 |
| LBlock | S_0 | 4 | 3.667 | 2.567 | 2.946 | 0.342 | 0.008 |
| Piccolo | S | 4 | 3.667 | 2.567 | 3.108 | 0.339 | 0.019 |
| PRINCE | S | 4 | 3.400 | 2.333 | 2.129 | 0.269 | 0.010 |

- NL could not differentiate between LBlock, Piccolo and PRINCE
- TO, ITO could not differentiate between LBlock and Piccolo
- SNR differentiates between LBlock, Piccolo and PRINCE
- δ: no clear differentiation between LBlock and Piccolo

Measurement Setups

| High-cost (> $5,000) | Low-cost (< $300) |
|---|---|
| custom measurement board | Arduino Uno |
| LeCroy WaveRunner 104MXi | Digilent Analog Discovery |
| noise reduction | no noise reduction |

Results

| Cipher | High-cost: # traces (SR 80%) | High-cost: GE (2000 traces) | Low-cost: # traces (SR 80%) | Low-cost: GE (2000 traces) |
|---|---|---|---|---|
| AES | 30 | 0 | 61 | 0 |
| Fantomas | 74 | 0 | | 3.354 |
| LBlock | 316 | 0 | | 0.974 |
| Piccolo | 1215 | 0 | | 8.627 |
| PRINCE | 76 | 0 | 106 | 0 |
| RC5 | | 5.672 | | 25.349 |
| Simon | | 10.486 | | 16.973 |
| Speck | | 2.544 | | 15.288 |

- recover 32 bits of the round key K = 0x01234567

Results Recap

Two main classes of lightweight ciphers with respect to their implementations' resistance against CPA:

First Class
- ciphers that use lookup tables
- full key recovery (GE = 0)
- 8-bit S-box: AES
- 4-bit S-box: LBlock, Piccolo, PRINCE
- L-box: Fantomas

Second Class
- ARX designs
- partial key recovery (GE > 0)
- RC5, Simon, Speck

Conclusion
- practical approach to evaluate SCA leakage (theory practice)
- nonlinearity should not be used to estimate SCA resilience
- avoid lookup tables and memory instructions (lpm, ld, st)
- implementation tricks to increase SCA resilience
- ARX designs show a certain level of intrinsic resilience against CPA

Thank you!

Results: Random Key

| Cipher | High-cost: # traces (SR 80%) | High-cost: GE (2000 traces) | Low-cost: # traces (SR 80%) | Low-cost: GE (2000 traces) |
|---|---|---|---|---|
| AES | 30 | 0 | 69 | 0 |
| Fantomas | 52 | 0 | | 3.293 |
| LBlock | 742 | 0 | | 0.858 |
| Piccolo | 1962 | 0 | | 9.148 |
| PRINCE | 52 | 0 | 70 | 0 |
| RC5 | | 6.741 | | 24.093 |
| Simon | | 28.254 | | 27.942 |
| Speck | | 27.824 | | 25.213 |

- recover 32 bits of the round key K = 0xd749715b