These are the links to some of my project-related papers. I personally have copies of them as well. This page is an advance recap version of my usual weblog (excluding the chronological data). Along with it are my comments (useful insights for me).

However, I disclaim everything regardless of its good-will purpose. Use it at your own risk!

**Timing Attacks on
Implementations of Diffie-Hellman, RSA, DSS, and Other Systems**

Paul C. Kocher 1996

**Abstract**. By carefully measuring the amount
of time required to perform private key operations, attackers may be able to
find fixed Diffie-Hellman exponents, factor RSA keys, and break other
cryptosystems. Against a vulnerable system, the attack is computationally
inexpensive and often requires only known ciphertext. Actual systems are
potentially at risk, including cryptographic tokens, network-based
cryptosystems, and other applications where attackers can make reasonably
accurate timing...

Early work on timing analysis, followed up by the other papers below.

**Investigations of Power Analysis on Smartcards**

Thomas S. Messerges et al. May 1999

**Abstract**. The paper presents actual results
from monitoring smartcard power signals and introduces techniques that help
maximize such side-channel information...

The paper gives a schematic of the **power consumption measuring**
connections. A number of 8-bit microcontroller-based smartcards were examined in this setup;
bit changes are observed at the Vscope point of the setup.

The corresponding **bit transitions versus power
consumption** are presented as **Hamming weight**, showing how the data
affect the power levels.

**Comments on the Security
of the AES and the XSL Technique**

S. Murphy and M.J.B. Robshaw

**Abstract**. This note gives some background
information relevant to recent claims of key recovery attacks on the AES.

There has been
much **recent speculation** about the potential for key recovery attacks on
the AES and the possible work effort that might be required for any such
efforts. This speculation arises from two recent developments.

http://www.dice.ucl.ac.be/~mneve/document/Publications/sisw03.pdf

**Memories: A Survey of
Their Secure Uses in Smartcards**

Michael Neve et al.

**Abstract**. Smartcards are widely known for
their tamper resistance, but only contain a small amount of memory. Though very
small, this memory often contains highly valuable information (identification
data, cryptographic keys, etc.). This is why it is subject to many attacks, like the
other parts of the smartcard, and thus requires appropriately chosen
protections.

The use of memories in smartcards induces security problems, but also other more particular ones. The main constraint is naturally the limited physical expansion and integration, but fault level, aging and power consumption are not to be discarded. Indeed, deducing the content of a ROM using a microscope has been proven to work. Interactions with light or eddy current on silicon can produce faults that might reveal important information as well.

This article details the role of memory in smartcard industries, in the current context and future perspectives of smartcards and their applications. It then gives a survey of published physical attacks targeting memory and all the existing techniques to counter them.

Great efforts are undertaken by industry and academics to tackle specific memory problems, introducing hardware and software countermeasures in the designs.

The paper distinguishes 3 classes in its **taxonomy** of attackers.

Leakage of information: the so-called **side channels**
consider the processor under test as a black box where the attacker can only
measure external signals: execution **duration**, **power** consumption,
electromagnetic **radiation**, local **temperature** and any other external
manifestation of the internal processes.

http://www.math.uwaterloo.ca/~jamuir/sidechannel.htm

http://www.math.uwaterloo.ca/~jamuir/papers/mmthesis-side-channel.pdf

**Techniques of Side
Channel Cryptanalysis**

J. A. Muir 2001

**Abstract** (informally). This thesis surveys
the techniques of side channel cryptanalysis developed by Kocher [1996], Boneh,
DeMillo and Lipton [1997], and Kocher, Jaffe and Jun [1999] and shows how side
channel information can be used to break implementations of DES and RSA. Some
specific techniques covered include the timing attack, differential fault
analysis, simple power analysis and differential power analysis. Possible
defenses against each of these side channel attacks are also discussed.

The thesis illustrates a real-world model in place of the traditional
**Alice and Bob** cryptographic model, with **side channels** added:
the **timing** attack, **differential fault** analysis, **simple power**
analysis, and **differential power** analysis. The thesis website was last
updated in Mar 2004.

http://www.crypto.ruhr-uni-bochum.de/Publikationen/texte/aes_collisions.ps

**A Collision-Attack on
AES Combining Side Channel- and Differential-Attack**

No author given

**Abstract**. Very recently a new class of attack
was proposed against DES which combines internal collisions with side-channel
information leakage. It had not been obvious, however, how this attack applies
to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption
Standard (AES).

**Collisions** occur when two different inputs can produce the
same output.
http://www.itsecurity.com/dictionary/dictionary.htm

Do collisions exist in AES? http://www.mail-archive.com/cryptography@wasabisystems.com/msg03602.html

http://csrc.nist.gov/encryption/aes/round2/conf3/papers/11-hgilbert.pdf

**A Collision Attack on 7 Rounds of Rijndael**

Henri Gilbert et al.

**Abstract**. ...the attack is based upon an efficient

http://www.cse.ucsd.edu/users/tkohno/papers/WinZip/winzip.pdf

**Analysis of the WinZip
Encryption Method**

Tadayoshi Kohno May 8, 2004

**Abstract**. WinZip is a popular compression
utility for Microsoft Windows computers, the latest version of which is advertised
as having “easy-to-use AES encryption to protect your sensitive data." We
exhibit several attacks against WinZip's new encryption method, dubbed “AE-2" or
“Advanced Encryption, version two." We then discuss secure alternatives. Since
at a high level the underlying WinZip encryption method appears secure (the core
is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one
of our attacks was made possible because of the way that
WinZip Computing, Inc. decided to fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.

“**WinZip 9.0**
Now with AES Encryption,” as quoted from the ad banner.
http://www.winzip.com/aes_info.htm

http://www.gemplus.com/smart/r_d/publications/pdf/GT03perm.pdf

**Multiplicative Masking
and Power Analysis of AES**

Jovan Dj. Golić et al. 2003

**Abstract**. The recently proposed
multiplicative masking countermeasure against power analysis attacks on AES is
interesting as it does not require the costly recomputation and RAM storage of
S-boxes for every run of AES. This is important for applications where the
available space is very limited such as the smartcard applications.
Unfortunately, it is here shown that this method is in fact inherently vulnerable
to differential power analysis. However, it is also shown that the
multiplicative masking method can be modified so as to provide resistance to
differential power analysis of non ideal but controllable security level, at the
expense of increased computational complexity. Other possible random masking
methods are also discussed.

The **multiplicative masking** is done by altering the
inversion step of the S-box, through the use of a modified inverse in GF(2^8), where masks
are introduced with **additions**. The **Hamming weight** is used as the model for the power
consumption in the DPA attack. Also mentioned here are the previous methods of
masking using **data splitting** and **random masks**.
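The Hamming-weight power model that the Messerges paper and this one both rely on, as an added example (not code from either paper): the block builds the AES S-box from the GF(2^8) inverse and the affine map, so the inversion step the masking discussion refers to is visible, then simulates Hamming-weight leakage of the S-box output with constructed Gaussian noise. It compares the first-order correlation between the predicted Hamming weight and the simulated samples for an unmasked device against one that hides the S-box output behind a fresh random Boolean mask (the "random masks" method, not the multiplicative one). The key byte `0x2B`, the noise level, the trace count and the `simulate_leakage`/`first_order_leak` names are assumptions.

```python
import random

# --- GF(2^8) arithmetic and the AES S-box (field inverse + affine transform) ---

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8), computed as a^254; AES maps 0 to 0."""
    if a == 0:
        return 0
    result, base, exponent = 1, a, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exponent >>= 1
    return result


def aes_sbox(x: int) -> int:
    """AES SubBytes for one byte: inverse in the field, then the affine map."""
    y = gf_inv(x)
    s = y
    for i in range(1, 5):  # y ^ rotl(y,1) ^ rotl(y,2) ^ rotl(y,3) ^ rotl(y,4)
        s ^= ((y << i) | (y >> (8 - i))) & 0xFF
    return s ^ 0x63


# --- Hamming-weight leakage model and first-order correlation ---

def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def simulate_leakage(key_byte: int, n_traces: int, masked: bool, seed: int = 1):
    """Return (predicted HW of the S-box output, simulated power sample) per trace.

    Constructed model: the sample is the Hamming weight of the byte the device
    actually handles plus Gaussian noise (sd = 1.0). The unmasked device handles
    S(p ^ k); the masked device handles S(p ^ k) ^ m for a fresh random m per run
    (a Boolean mask on the S-box output), so its handled byte is uniform and
    independent of the sensitive value.
    """
    rng = random.Random(seed)
    predictions, samples = [], []
    for _ in range(n_traces):
        plaintext = rng.randrange(256)
        sensitive = aes_sbox(plaintext ^ key_byte)
        handled = sensitive ^ rng.randrange(256) if masked else sensitive
        predictions.append(hamming_weight(sensitive))
        samples.append(hamming_weight(handled) + rng.gauss(0.0, 1.0))
    return predictions, samples


def first_order_leak(key_byte: int = 0x2B, n_traces: int = 4000, masked: bool = False) -> float:
    """Correlation between the HW prediction and the simulated samples."""
    predictions, samples = simulate_leakage(key_byte, n_traces, masked)
    return pearson(predictions, samples)


if __name__ == "__main__":
    print("unmasked first-order correlation:", round(first_order_leak(masked=False), 3))
    print("masked   first-order correlation:", round(first_order_leak(masked=True), 3))
```

With this model the unmasked correlation settles near sqrt(2/3) ≈ 0.82, since the Hamming weight of a uniform byte has variance 2 and the noise variance is 1, while the masked correlation is statistically zero. That zero is only first-order: the mask and the masked value together still leak, which is what the second-order DPA (SODPA) in the Chang papers below exploits and why their fixed-value masking is concerned with when the mask is accessed.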

http://caislab.icu.ac.kr/pub/down/2004/w20022122_chs.pdf

**Master Thesis: A Study
on Securing AES against Differential Power Analysis**

Hwasun Chang Dec 29, 2003

**Abstract** (shortened). Major credit card
companies are planning to convert most credit cards with magnetic stripe into
smartcards within a few years. And usage of smartcards is increasing in fields
such as transportation, electronic money, ID cards, etc.

In this thesis, a simple fixed-value masking method that is resistant to SODPA and more efficient than previous methods is proposed and analyzed. The required memory for storing the mask is 33% of the previous method and the number of XOR operations for applying the mask is 18% of the previous method. In practice, the reduction of memory usage will not affect the overall algorithm size much. But reducing the number of XOR operations can improve the algorithm performance by about 10% in 32-bit smartcards optimized for speed. To prevent SODPA, we can make it hard for an attacker to catch the time when the mask is accessed and select the mask for each round. In the analysis process, the required properties of the generated masks, the appropriate number of masks, the required additional processing and memory for implementing the proposed countermeasure, and the security of the proposed method are suggested.

A master thesis. The **simple fixed-value masking** method is an
improvement on the Jovan Golić et al. **multiplicative masking**. Itoh et
al., referenced here, suggest fixed-value masking, where the fixed masks and the modified
S-boxes are stored in ROM. Below is the paper version of the thesis.

http://caislab.icu.ac.kr/paper/2003/CSS2003/CSS2003hschang.pdf

**Securing AES against
Second-Order DPA by Simple Fixed-Value Masking**

Hwasun Chang et al.

**Abstract**. Since Differential Power Analysis (DPA)
has been announced, many countermeasures and improved DPAs have been proposed
for many algorithms. For securing AES, masking methods were proposed as
countermeasures. But all the previous masking methods have been shown to be
vulnerable to second order DPA (SODPA). We propose a masking method that is
resistant to SODPA and more efficient than previous methods in respect to
required memory and additional processing.

http://www.purenoise.com/html/aes_tests.html

**AES Noise Purity Tests
Results**

nonpaper: Matt La Mantia 1999

"…A signal that is **Pure Noise** is thermodynamically
**in**distinguishable from a perfectly encoded and compressed semantic
message: they both look like a varying signal in which you could not predict one
bit of the signal based on the previous ones…"

La Mantia did some noise purity tests on the AES candidates
back then (1999). **No cryptanalysis** will be found here; it is based on the
realistic view that practice is far from theory. The tests are purely a
demonstration of the practical differences between the candidates.

Multiple randomness tests were performed on non-linear data input after 1 to 8 rounds of encryption with a constant key (NICK). In this test the same 128-bit key consisting of all 0s was used for data encryption. The input data consisted of all combinations of 4 one-bits and 124 zero-bits in the 128-bit data block, giving 10,668,000 combinations or 170,688,000 bytes of input data for encryption and for noise purity analysis.

**Possible flaw** in **Rijndael**: input data
whitening XOR does not make absolutely any difference. Also 6 and 7 rounds of
encryption produce exactly the same output (!?).

I think: it isn't a full practical attack on Rijndael either. The possible flaw at 7 rounds was also mentioned in Henri Gilbert's paper, but AES is 10 rounds of Rijndael. The statement below still disclaims a Rijndael weakness.

http://www.csoonline.com.au/index.php?id=652061604&fp=8&fpid=5

**Crypto Is Key to Data
Control**

nonpaper: Chris Conrath April 7, 2003

Whitfield Diffie, "Whenever you have a secret, you have a vulnerability."

"However, there is no panic yet since the discussion around AES’s vulnerability is entirely theoretical," as quoted from Bruce Schneier's cryptogram.

Schneier is a world-renowned cryptographer, author of "Applied Cryptography: Protocols, Algorithms, and Source Code in C" and "Secrets & Lies: Digital Security in a Networked World". We can find these quoted in Budi Rahardjo's handbook of security (in Bahasa Indonesia).

Nowadays, it seems that Rijndael is still **strong enough**.