Papers & Abstract

These are the links to some of my project related papers. I personally have their copies as well. This page is an advance recap version

of my usual weblog (discluding the chronoligical data). Along with it are my comments (useful insights for me)

However, I disclaim everything regardless its good will purpose. Use it at your own risk! J

bandono132@yahoo.com

Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

Abstract. By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed DiffieHellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing... .

Abstract. The paper presents actual results from monitoring smartcard power signals and introduces techniques that help maximize such side-channel information... .

Schematic of power consumption measuring connections. A number of 8-bit uC-based smartcards were examined in this setup. Bit changes are observed at Vscope point of the setup.

The corresponding: bit transitions versus power consumption are presented as Hamming weight showing how the data affect power levels.

Abstract.This note gives some background information relevant to recent claims of key recovery attacks on the AES.

There has been much recent speculation about the potential for key recovery attackson the AES and the possible work effort that might be required for any such efforts.This speculation arises from two recent developments.

Abstract. Smartcards are widely known for their tamper resistance, but only contain a small amount of memory. Though very small, this memory often contains highly valuable information (identification data, cryptographic key, etc). This is why it is subject to many attacks, as the other parts of the smartcard, and thus requires appropriately chosen protections.

The use of memories in smartcards induces security problems, but also other more particular ones. The main constraint is naturally the limited physical expansion and integration, but fault level, aging and power consumption are not to be discarded. Indeed, deducing the context of a ROM using a microscope has been proven to work. Interactions with light or eddy current on silicon can produce faults that might reveal important information, as well.

This article details the role of memory in smartcard industries, in current context and future perspectives of smartcards and their applications. It then gives a survey of published physical attacks targeting memory and all the existing techniques to counter them.

Great efforts are under taken by industries and academics to tackle specific memory problems introducing hardware and software countermeasures in the designs.

Leakage of information: Those so-called side-channels consider the processor under test as a blackbox where the attacker can only measure external signals: execution duration, power consumption, electromagnetic radiation, local temperature and any external manifestation of the internal processes.

Abstract (informally). This thesis surveys the techniques of side channel cryptanalysis developed by Kocher [1996], Boneh, DeMillo and Lipton [1997], and Kocher, Jaffe and Jun [1999] and shows how side channel information can be used to break implementations of DES and RSA. Some specific techniques covered include the timing attack, differential fault analysis, simple power analysis and differential power analysis. Possible defenses against each of these side channel attacks are also discussed.

Illustrate real world model in replace for the traditional Alice and Bob cryptographic model where sidechannels are added: timing attack, differential fault analysis, simple power analysis, and differential power analysis. The thesis website is last updated in Mar 2004.

Abstract. Very recently a new class of attack was proposed against DES which combines internal collisions with side-channe linformation leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES).

Abstract. ...the attack is based upon an efficient distinguisher between 3 Rijndael inner rounds and a random permutation... we construct an efficient distinguisher... by exploiting the existence of collisions between some partial functions induced by the cipher. ... minimal number of rounds... is 10, our attack does not endangered the security of the cipher....improvements of the previously known cryptanalytic results on Rijndael.

Abstract. WinZip is a popular compression utility for MicrosoftWindows computers,the latest version of which is advertised as having “easy-to-use AES encryption to protect your sensitive data." We exhibit several attacks against WinZip's new encryption method, dubbed “AE-2" or “Advanced Encryption, version two." We then discuss secure alternatives. Since at a high level the underlying WinZip encryption method appears secure (the core is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one of our attacks was made possible because of the way that WinZip Computing, Inc. decided to
fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.

“WinZip 9.0 Now with AES Encryption,” as quoted from the ads banner. http://www.winzip.com/aes_info.htm

Abstract. The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited such as the smartcard applications. Unfortunately,it is here shown that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of non ideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.

The multiplicative masking is done by altering the inversion step in S-Box through the use of modified inverse GF(2^8) where masks are introduced with additions. The Hamming weight is used as a model for the power consumption used for DPA attack. Also mentioned here: the previous methods of masking using data splitting and random masks.

Abstract (shorten). Major credit card companies are planning to convert most of credit cards with magnetic stripe into smartcards within a few years. And usage of smartcards are increasing in such ﬁelds like transportation, electronic money, ID cards, etc.

In this thesis, simple ﬁxed-value masking method that is resistant to SODPA and more effcient than previous methods is proposed and analyzed. The required memory for storing mask is 33% of previous method and the number of XOR operation for applying mask is 18% of previous method. In practice, the reduction of memory usage will not affect the overall algorithm size much. But reducing the number of XOR operations can improve the algorithm performance by about 10% in 32 bit smartcards optimized for speed. To prevent SODPA, we can make it hard for an attacker to catch the time when the mask is accessed and select mask for each round. In analysis process, the required properties of the generated masks, the appropriate number of masks, the required additional processing and memory for implementing the proposed counter measure, and the security of the proposed method are suggested.

A master thesis. Simple ﬁxed-value masking method an improvement from the Jovan Golic et al. multiplicative masking. Itoh et al. referenced here suggest fixed-value masking, fixed masks and modified

Abstract . Since Di erential Power Analysis (DPA) has been announced, many counter measures and improved DPAs have been proposed for many algorithms. For securing AES, masking methods were proposed as countermeasures. But all the previous masking methods have been shown to be vulnerable to second order DPA (SODPA). We propose a masking method that is resistant to SODPA and more efficient than previous methods in respect to required memory and additional processing.

"…A signal that is Pure Noise is thermodynamically indistinguishable from a perfectly encoded and compressed semantic message: they both look like a varying signal in which you could not predict one bit of the signal based on the previous ones…"

La Mantia did some noise purity tests on AES candidates back then (1999). No cryptanalysis will be found here, it is based on the realistic view: practice is far from theory. The tests are purely a demonstration of each of the candidates practical differences.

Multiple randomness tests were performed on non-linear data input after 1 to 8 rounds of encryption with a constant key (NICK). In this test the same 128 bit key consisting of all 0s was used for data encryption. Input data consisted of all combinations of 4 bit 1 and 124 bit 0 out of 128 bit of the data block, therefore giving 10,668,000 combinations or 170,688,000 byte of input data for encryption and for noise purity analysis.

Possible flaw in Rijndael: input data whitening XOR does not make absolutely any difference. Also 6 and 7 rounds of encryption produce exactly the same output (!?).

I think: It isn't a full practical attack to Rijndael either. The possible flaw on 7 round was mentioned also in Henri Gilbert paper but AES is 10 rounds of Rijndael. The statement below still disclaims Rijndael weakness.

"However, there is no panic yet since the discussion around AES’s vulnerability is entirely theoretical," as quoted from Bruce Schneier's cryptogram.

Schneier is a world-renowned cryptographer, author of "Applied Cryptography: Protocols, Algorithm, and Source Code in C", "Secret & Lies: Digital Security in a Networked World". We can find these quoted in Budi Rahardjo's handbook of security (in Bahasa Indonesia).