Low confusion coefficient values can make side-channel attacks harder for vector Boolean functions in Block cipher. In this paper, we give new results of confusion coefficient for f ⊞ g, f ⊡ g, f ⊕ g and fg for different Boolean functions f and g, respectively. And we deduce a relationship on the sum-of-squares of the confusion coefficient between one n-variable function and two (n - 1)-variable decomposition functions. Finally, we find that the confusion coefficient of vector Boolean functions is affine invariant.

The notion of the signal-to-noise ratio (SNR), proposed by Guilley, et al. in 2004, is a property that attempts to characterize the resilience of (n, m)-functions F=(f1,...,fm) (cryptographic S-boxes) against differential power analysis. But how to study the signal-to-noise ratio for a Boolean function still appears to be an important direction. In this paper, we give a tight upper and tight lower bounds on SNR for any (balanced) Boolean function. We also deduce some tight upper bounds on SNR for balanced Boolean function satisfying propagation criterion. Moreover, we obtain a SNR relationship between an n-variable Boolean function and two (n-1)-variable decomposition functions. Meanwhile, we give SNR(f⊞g) and SNR(f⊡g) for any balanced Boolean functions f, g. Finally, we give a lower bound on SNR(F), which determined by SNR(fi) (1≤i≤m), for (n, m)-function F=(f1,f2,…,fm).

Side-channel Attack, such as simple power analysis and differential power analysis (DPA), is an efficient method to gather the key, which challenges the security of crypto chips. Side-channel Attack logs the power trace of the crypto chip and speculates the key by statistical analysis. To reduce the threat of power analysis attack, an innovative method based on random execution and register randomization is proposed in this paper. In order to enhance ability against DPA, the method disorders the correspondence between power trace and operands by scrambling the data execution sequence randomly and dynamically and randomize the data operation path to randomize the registers that store intermediate data. Experiments and verification are done on the Sakura-G FPGA platform. The results show that the key is not revealed after even 2 million power traces by adopting the proposed method and only 7.23% slices overhead and 3.4% throughput rate cost is introduced. Compared to unprotected chip, it increases more than 4000× measure to disclosure.

Side channel attacks (SCAs) on security devices have become a major concern for system security. Existing SCA countermeasures are costly in terms of area and power consumption. This paper presents a novel differential power analysis (DPA) countermeasure referred to as short-time three-phase single-rail precharge logic (STSPL). The proposed logic is based on a single-rail three-phase operation scheme providing effective DPA-resistance with low cost. In the scheme, a controller is inserted to discharge logic gates by reusing evaluation paths to achieve more balanced power consumption. This reduces the latency between different phases, increasing the difficult of the adversary to conduct DPA, compared with the state-of-the-art DPA-resistance logics. To verify the chip's power consumption in practice, a 4-bit ripple carry adder and a 4-bit inverter of AES-SBOX were implemented. The testing and simulation results of DPA attacks prove the security and efficiency of the proposed logic.

The implementation security of the RSA cryptosystem, under the threat of side-channel analysis, has attracted the attentions of many researchers. Boer et al. had proposed the MRED-DPA attack on RSA-CRT by choosing ciphertexts of equi-distant data. Their attack can be applied to RSA-OAEP decryption but not RSA-PSS signing because of the PSS random padding. We propose a new DPA attack on an implementation of RSA-CRT, with the Montgomery reduction. The proposed attack assumes only known ciphertexts, and can be applied to both RSA-OAEP decryption and RSA-PSS signing even if a random padding technique is used in practice. This study also presents experimental results to verify the proposed attack. Finally, this study proposes a CRT-based message blinding technique as a low-cost DPA countermeasure.

Information security has been seriously threatened by the differential power analysis (DPA). Delay-based dual-rail precharge logic (DDPL) is an effective solution to resist these attacks. However, conventional DDPL convertors have some shortcomings. In this paper, we propose improved convertor pairs based on dynamic logic and a sense amplifier (SA). Compared with the reference CMOS-to-DDPL convertor, our scheme could save 69% power consumption. As to the comparison of DDPL-to-CMOS convertor, the speed and power performances could be improved by 39% and 54%, respectively.

In this paper we first demonstrate that effective selection functions in power analysis attacks change depending on circuit architectures of a block cipher. We then conclude that the most resistant architecture on its own, in the case of the loop architecture, has two data registers have separate roles: one for storing the plaintext and ciphertext, and the other for storing intermediate values. There, the pre-whitening operation is placed at the output of the former register. The architecture allows the narrowest range of selection functions and thereby has resistance against ordinary CPA. Thus, we can easily defend against attacks by ordinary CPA at the architectural level, whereas we cannot against DPA. Secondly, we propose a new technique called "self-templates" in order to raise the accuracy of evaluation of DPA-based attacks. Self-templates enable to differentiate meaningful selection functions for DPA-based attacks without any strong assumption as in the template attack. We also present the results of attacks to an AES co-processor on an ASIC and demonstrate the effectiveness of the proposed technique.

A design methodology of Random Switching Logic (RSL) using CMOS standard cell libraries is proposed to counter power analysis attacks against cryptographic hardware modules. The original RSL proposed in 2004 requires a unique RSL-gate for random data masking and glitch suppression to prevent secret information leakage through power traces. In contrast, our new methodology enables to use general logic gates supported by standard cell libraries. In order to evaluate its practical performance in hardware size and speed as well as resistance against power analysis attacks, an AES circuit with the RSL technique was implemented as a cryptographic LSI using 130-nm and 90-nm CMOS standard cell library. From the results of attack experiments that used a million traces, we confirmed that the RSL-AES circuit has very high DPA and CPA resistance thanks to the contributions of both the masking function and the glitch suppressing function.

This paper proposes methods for accelerating DPA by using the CPU and the GPU in a parallel manner. The overhead of naive DPA evaluation software increases excessively as the number of points in a trace or the number of traces is enlarged due to the rapid increase of file I/O overhead. This paper presents some techniques, with respect to DPA-arithmetic and file handling, which can make the overhead of DPA software become not extreme but gradual as the increase of the amount of trace data to be processed. Through generic experiments, we show that the software, equipped with the proposed methods, using both CPU and GPU can shorten the time for evaluating the DPA resistance of devices by almost half.

HMAC is one of the most famous keyed hash functions, and widely utilized. In order to design secure hash functions, we often use PGV construction consisting of 64 schemes, each of which utilizes a block cipher. If the underlying block cipher is ideal, 12 schemes are proven to be secure. In this paper, we evaluate the security of these schemes in view of side channel attacks. As it turns out, HMACs based on 11 out of 12 secure PGV schemes are vulnerable to side channel attacks, even if the underlying block cipher is secure against side channel attacks. These schemes are classified into two groups based on their vulnerabilities. For the first group which contains 8 schemes, we show that the attacker can reveal the whole key of HMAC, and selectively forge in consequence. For the other group which contains 3 schemes, we specify the importance of the execution sequence for the inner operations of the scheme, and refine it. If wrong orders of operations are used, the attacker can reveal a portion of the key of HMAC. Hence, the use of HMACs based on such PGV schemes as they are is not recommended when the resistance against side channel attacks is necessary.

In recent years, certain countermeasures against differential power analysis (DPA) at the logic level have been proposed. Recently, Popp and Mangard proposed a new countermeasure-masked dual-rail pre-charge logic (MDPL); this countermeasure combines dual-rail circuits with random masking to improve the wave dynamic differential logic (WDDL). They claimed that it could implement secure circuits using a standard CMOS cell library without special constraints for the place-and-route method because the difference between the loading capacitances of all the pairs of complementary logic gates in MDPL can be compensated for by the random masking. In this paper, we particularly focus on the signal transition of MDPL gates and evaluate the DPA-resistance of MDPL in detail. Our evaluation results reveal that when the input signals have different delay times, leakage occurs in the MDPL as well as WDDL gates, even if MDPL is effective in reducing the leakage caused by the difference in loading capacitances. Furthermore, in order to validate our evaluation, we demonstrate a problem with different input signal delays by conducting measurements for an FPGA.

Advances in smart card technology encourages smart card use in more sensitive applications, such as storing important information and securing application. Smart cards are however vulnerable to side channel attacks. Power consumption and electromagnetic radiation of the smart card can leak information about the secret data protected by the smart card. Our paper describes two possible hardware countermeasures that protect against side channel information leakage. We show that power analysis can be prevented by adopting photo-coupling techniques. This method involves the use of LED with photovoltaic cells and photo-couplers on the power, reset, I/O and clock lines of the smart card. This method reduces the risk of internal data bus leakage on the external data lines. Moreover, we also discuss the effectiveness of reducing electromagnetic radiation by using embedded metal plates.

This paper proposes a new countermeasure, Random Switching Logic (RSL), against DPA (Differential Power Analysis) and Second-Order DPA at the logic level. RSL makes a signal transition uniform at each gate and suppresses the propagation of glitch to allow power consumption to be independent of predictable data. Furthermore, we implement basic logic circuits on the FPGA (Field Programmable Gate Array) by using RSL, and evaluate the effectiveness. As a result, we confirm the fact that the secure circuit can be structured against DPA and Second-Order DPA.

Differential power analysis (DPA) is an effective technique that extracts secret keys from cryptographic systems through statistical analysis of the power traces obtained during encryption and decryption operations. This letter proposes symmetric discharge logic (SDL), a circuit-level countermeasure against DPA, which exhibits uniform power traces for every clock period by maintaining a set of discharge paths independent of input values. This feature minimizes differences in power traces and improves resistance to DPA attacks. HSPICE simulations for the test circuits using 0.18 µm TSMC CMOS process parameters indicate that SDL reduces power differences by an order of magnitude, compared to the existing circuit-level technique.

In this paper, we propose new models for directly evaluating DPA leakage from logic information in CMOS circuits. These models are based on the transition probability for each gate, and are naturally applicable to various actual devices for simulating power analysis. Furthermore, we demonstrate the weakness of previously known hardware countermeasures for both our model and FPGA and suggest secure conditions for the hardware countermeasure.

Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0,y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x,y) which cause the zero-value registers, e.g., (1) 3x2 + a = 0,(2) 5x4 + 2ax2 - 4bx + a2 = 0,(3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae -- in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.