In this work, template attacks that aimed to leak the nonce were performed on 256-bit ECDSA hardware to evaluate the resistance against side-channel attacks. The target hardware was an ASIC and was revealed to be vulnerable to the combination of template attacks and lattice attacks. Furthermore, the attack result indicated it was not enough to fix the MSB of the nonce to 1 which is a common countermeasure. Also, the success rate of template attacks was estimated by simulation. This estimation does not require actual hardware and enables us to test the security of the implementation in the design phase. To clarify the acceptable amount of the nonce leakage, the computational cost of lattice attacks was compared to that of ρ method which is a cryptanalysis method. As a result, the success rate of 2-bit leakage of the nonce must be under 62% in the case of 256-bit ECDSA. In other words, SNR must be under 2-4 in our simulation model.

Deep learning side-channel attacks (DL-SCAs) have been actively studied in recent years. In the DL-SCAs, deep neural networks (DNNs) are trained to predict the internal states of the cryptographic operation from the side-channel information such as power traces. It is important to select suitable DNN output labels expressing an internal states for successful DL-SCAs. We focus on the multi-label method proposed by Zhang et al. for the hardware-implemented advanced encryption standard (AES). They used the power traces supplied from the AES-HD public dataset, and reported to reveal a single key byte on conditions in which the target key was the same as the key used for DNN training (profiling key). In this paper, we discuss an improvement for revealing all the 16 key bytes in practical conditions in which the target key is different from the profiling key. We prepare hardware-implemented AES without SCA countermeasures on ASIC for the experimental environment. First, our experimental results show that the DNN using multi-label does not learn side-channel leakage sufficiently from the power traces acquired with only one key. Second, we report that DNN using multi-label learns the most of side-channel leakage by using three kinds of profiling keys, and all the 16 target key bytes are successfully revealed even if the target key is different from the profiling keys. Finally, we applied the proposed method, DL-SCA using multi-label and three profiling keys against hardware-implemented AES with rotating S-boxes masking (RSM) countermeasures. The experimental result shows that all the 16 key bytes are successfully revealed by using only 2,000 attack traces. We also studied the reasons for the high performance of the proposed method against RSM countermeasures and found that the information from the weak bits is effectively exploited.

With the rising importance of information security, the necessity of implementing better security measures in the physical layer as well as the upper layers is becoming increasing apparent. Given the development of more accurate and less expensive measurement devices, high-performance computers, and larger storage devices, the threat of advanced attacks at the physical level has expanded from the military and governmental spheres to commercial products. In this paper, we review the issue of information security degradation through electromagnetic (EM)-based compromising of security measures in the physical layer (i.e., EM information security). Owing to the invisibility of EM radiation, such attacks can be serious threats. We first introduce the mechanism of information leakage through EM radiation and interference and then present possible countermeasures. Finally, we explain the latest research and standardization trends related to EM information security.

This paper explores the feasibility of power analysis attacks against low-latency block ciphers implemented with unrolled architectures capable of encryption/decryption in a single clock cycle. Unrolled architectures have been expected to be somewhat resistant against side-channel attacks compared to typical loop architectures because of no memory (i.e. register) element storing intermediate results in a synchronous manner. In this paper, we present a systematic method for selecting Points-of-Interest for power analysis on unrolled architectures as well as calculating dynamic power consumption at a target function. Then, we apply the proposed method to PRINCE, which is known as one of the most efficient low-latency ciphers, and evaluate its validity with an experiment using a set of unrolled PRINCE processors implemented on an FPGA. Finally, a countermeasure against such analysis is discussed.

This paper proposes a new accurate evaluation method for examining the resistance of cryptographic implementations against access-driven cache attacks (CAs). We show that a mathematical correlation method between the sets of measured access time and the ideal data, which depend on the guessed key, can be utilized to evaluate quantitatively the correct key in access-driven CAs. We show the effectiveness of the proposed method using the access time measured in noisy environments. We also estimate the number of key candidates based on mathematical proof while considering memory allocation. Furthermore, based on the proposed method, we analyze quantitatively how the correlation values change with the number of plaintexts for a successful attack.

LED (Light Encryption Device) block cipher, one of lightweight block ciphers, is very compact in hardware. Its encryption process is composed of AES-like rounds. Recently, a scan-based side-channel attack is reported which retrieves the secret information inside the cryptosystem utilizing scan chains, one of design-for-test techniques. In this paper, a scan-based attack method on the LED block cipher using scan signatures is proposed. In our proposed method, we focus on a particular 16-bit position in scanned data obtained from an LED LSI chip and retrieve its secret key using scan signatures. Experimental results show that our proposed method successfully retrieves its 64-bit secret key using 36 plaintexts on average if the scan chain is only connected to the LED block cipher. These experimental results also show the key is successfully retrieved even if the scan chain includes additional 130,000 1-bit data.

Trivium is a synchronous stream cipher using three shift registers. It is designed to have a simple structure and runs at high speed. A scan-based side-channel attack retrieves secret information using scan chains, one of design-for-test techniques. In this paper, a scan-based side-channel attack method against Trivium using scan signatures is proposed. In our method, we reconstruct a previous internal state in Trivium one by one from the internal state just when a ciphertext is generated. When we retrieve the internal state, we focus on a particular 1-bit position in a collection of scan chains and then we can attack Trivium even if the scan chain includes other registers than internal state registers in Trivium. Experimental results show that our proposed method successfully retrieves a plaintext from a ciphertext generated by Trivium.

This paper presents a chosen-IV (Initial Vector) correlation power analysis on the international standard stream cipher KCipher-2 together with an effective countermeasure. First, we describe a power analysis technique which can reveal the secret key (initial key) of KCipher-2 and then evaluate the validity of the CPA with experiments using both FPGA and ASIC implementations of KCipher-2 processors. This paper also proposes a masking-based countermeasure against the CPA. The concept of the proposed countermeasure is to mask intermediate data which pass through the non-linear function part including integer addition, substitution functions, and internal registers L1 and L2. We design two types of masked integer adders and two types of masked substitution circuits in order to minimize circuit area and delay, respectively. The effectiveness of the countermeasure is demonstrated through an experiment on the same FPGA platform. The performance of the proposed method is evaluated through the ASIC fabricated by TSMC 65nm CMOS process technology. In comparison with the conventional design, the design with the countermeasure can be achieved by the area increase of 1.6 times at most.

This paper presents a possibility of Electromagnetic (EM) analysis against cryptographic modules outside their security boundaries. The mechanism behind the information leakage is explained from the view point of Electromagnetic Compatibility: electric fluctuation released from cryptographic modules can conduct to peripheral circuits based on ground bounce, resulting in radiation. We demonstrate the consequence of the mechanism through experiments where the ISO/IEC standard block cipher AES (Advanced Encryption Standard) is implemented on an FPGA board and EM radiations from power and communication cables are measured. Correlation Electromagnetic Analysis (CEMA) is conducted in order to evaluate the information leakage. The experimental results show that secret keys are revealed even though there are various disturbing factors such as voltage regulators and AC/DC converters between the target module and the measurement points. We also discuss information-suppression techniques as electrical-level countermeasures against such CEMAs.

This paper proposes the countermeasures against an improved fault sensitivity analysis. Our countermeasure is proposed based on the WDDL technique due to its built-in resistance against both the power-based attack and differential fault analysis. At CHES 2010, Li et al. proposed the FSA attack on WDDL-AES. The vulnerability of WDDL-AES in their attack mainly comes from the implementation deficiency rather than the WDDL technique itself. This paper first proposes an improved fault sensitive analysis that can threat a well-implemented WDDL-AES based on the input-data dependency for the critical path delay of WDDL S-box. Then we discuss the possibility of efficient countermeasures by modifying the WDDL circuit with a limited overhead. The countermeasures are discussed based on either modifying the dual-rail to single-rail converter or the introduction of the enable signal.

A design methodology of Random Switching Logic (RSL) using CMOS standard cell libraries is proposed to counter power analysis attacks against cryptographic hardware modules. The original RSL proposed in 2004 requires a unique RSL-gate for random data masking and glitch suppression to prevent secret information leakage through power traces. In contrast, our new methodology enables to use general logic gates supported by standard cell libraries. In order to evaluate its practical performance in hardware size and speed as well as resistance against power analysis attacks, an AES circuit with the RSL technique was implemented as a cryptographic LSI using 130-nm and 90-nm CMOS standard cell library. From the results of attack experiments that used a million traces, we confirmed that the RSL-AES circuit has very high DPA and CPA resistance thanks to the contributions of both the masking function and the glitch suppressing function.

This paper proposes a constant-power adder based on multiple-valued logic and its application to cryptographic processors being resistant to side-channel attacks. The proposed adder is implemented in Multiple-Valued Current-Mode Logic (MV-CML). The important feature of MV-CML is that the power consumption can be constant regardless of input values, which makes it possible to prevent power-analysis attacks using dependencies between power consumption and intermediate values or operations of the executed cryptographic algorithms. In this paper, we focus on a multiple-valued Binary Carry-Save adder based on the Positive-Digit (PD) number system and its application to RSA processors. The power characteristic of the proposed design is evaluated with HSPICE simulation using 90 nm process technology. The result shows that the proposed design can achieve constant power consumption with lower performance overhead in comparison with the conventional binary design.

In recent years, certain countermeasures against differential power analysis (DPA) at the logic level have been proposed. Recently, Popp and Mangard proposed a new countermeasure-masked dual-rail pre-charge logic (MDPL); this countermeasure combines dual-rail circuits with random masking to improve the wave dynamic differential logic (WDDL). They claimed that it could implement secure circuits using a standard CMOS cell library without special constraints for the place-and-route method because the difference between the loading capacitances of all the pairs of complementary logic gates in MDPL can be compensated for by the random masking. In this paper, we particularly focus on the signal transition of MDPL gates and evaluate the DPA-resistance of MDPL in detail. Our evaluation results reveal that when the input signals have different delay times, leakage occurs in the MDPL as well as WDDL gates, even if MDPL is effective in reducing the leakage caused by the difference in loading capacitances. Furthermore, in order to validate our evaluation, we demonstrate a problem with different input signal delays by conducting measurements for an FPGA.

This paper presents an enhanced side-channel attack using a phase-based waveform matching technique. Conventionally, side-channel attacks such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA) capture signal waveforms (e.g., power traces) with a trigger signal or a system clock, and use a statistical analysis of the waveforms to reduce noise and to retrieve secret information. However, the waveform data often includes displacement errors, and this degrades the accuracy of the statistical analysis. The use of a Phase-Only Correlation (POC) technique makes it possible to estimate the displacements between the signal waveforms with higher resolution than the sampling resolution. The accuracy of side-channel attacks can be enhanced using the POC-based matching method. Also, a popular DPA countermeasure of creating distorted waveforms with random delays can be defeated by our method. In this paper, we demonstrate the advantages of the proposed method in comparison with conventional approaches of experimental DPA and Differential ElectroMagnetic Analysis (DEMA) against DES software and hardware implementations.

This paper proposes a new countermeasure, Random Switching Logic (RSL), against DPA (Differential Power Analysis) and Second-Order DPA at the logic level. RSL makes a signal transition uniform at each gate and suppresses the propagation of glitch to allow power consumption to be independent of predictable data. Furthermore, we implement basic logic circuits on the FPGA (Field Programmable Gate Array) by using RSL, and evaluate the effectiveness. As a result, we confirm the fact that the secure circuit can be structured against DPA and Second-Order DPA.

In this paper, we propose new models for directly evaluating DPA leakage from logic information in CMOS circuits. These models are based on the transition probability for each gate, and are naturally applicable to various actual devices for simulating power analysis. Furthermore, we demonstrate the weakness of previously known hardware countermeasures for both our model and FPGA and suggest secure conditions for the hardware countermeasure.