J. Daemen, V. Rijmen, "Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals," AES'99, Mar. 1999.
....final answer. A different possible response is to design algorithms that, when implemented, will be inherently robust against side channel attacks. For instance, Daemen and Rijmen proposed replacing each wire of a circuit by two wires, one carrying the original bit and the other its complement [15]; Messerges proposed data masking, where each value is split into two shares using a 2-out-of-2 secret sharing scheme [27]; Goubin and Patarin suggested a duplication method based on similar methods [21]; and many other proposals can be found in the literature. However, none of those schemes ....
J. Daemen, V. Rijmen, "Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals," AES'99, Mar. 1999.
....measured power traces link the switching activities of the circuit to the secret key. Different techniques have been proposed to prevent this information leakage. On the algorithmic level, random process interrupts interleave dummy instructions to avoid sequential execution of the algorithm [1] [2]. Integration techniques, however, are able to resynchronize the power traces [3]. Masking is a technique that prevents intermediate variables from depending on the knowledge of an easily accessible subset of the secret key [4]. DPA has been modified to handle masking [5]. On the architectural level, techniques include adding random power consuming operations [1] [2] and duplicating logic with complementary operations [2]. These procedures merely lower the side channel information [1] [4] and might easily be disabled through tampering. Active power signal filtering with power consumption compensation, passive filtering, battery on chip and detachable power ....
J. Daemen and V. Rijmen, "Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals," in Proc. of the Second Advanced Encryption Standard (AES) Candidate Conf., http://csrc.nist.gov/encryption/aes/round1/conf2/aes2conf.htm, March 1999.
....and bitwise boolean operations. Twofish additionally requires 32-bit addition, and both MARS and RC6 even require 32-bit multiplication and shifts over data-dependent offsets. The presence of these operations makes the latter three algorithms harder to implement in a secure way on smart cards [DaRi99]. 2.3 Adding rounds For all well-designed block ciphers, the complexity of published cryptanalytic attacks increases with the number of rounds in the cipher. This has already been taken into account in the Rijndael design: the increasing number of rounds for increasing key lengths assures a ....
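The contrast drawn in the context above between fixed rotations and shifts over data-dependent offsets, as an added example (not code from the cited paper or from the citing report): a rotate-by-one loop performs an offset-dependent number of iterations, while the second form always runs five fixed rotations and selects the result with masks. The 32-bit width and the operation counter are assumptions for illustration.

```python
# Added example, not from the cited paper or the citing report: a rotation
# by a data-dependent offset versus the fixed rotations favoured above.
# The 32-bit width and the operation counter are assumptions for illustration.
MASK32 = 0xFFFFFFFF


def rotl_fixed(x, r):
    """Rotate left by a fixed amount r (a compile-time constant in real code)."""
    r %= 32
    return ((x << r) | (x >> (32 - r))) & MASK32


def rotl_naive(x, amount):
    """Rotate-by-one loop, as on a small CPU without a barrel shifter.

    Returns (result, operation count).  The loop body runs `amount` times, so
    the number of operations, and hence the execution time, reveals the
    offset, which in RC6 and MARS is derived from key-dependent data.
    """
    ops = 0
    for _ in range(amount & 31):
        x = rotl_fixed(x, 1)
        ops += 1
    return x, ops


def rotl_constant_ops(x, amount):
    """Barrel-shifter style rotation built from five fixed rotations.

    Stage i rotates by 1 << i and keeps that result only if bit i of the
    offset is set, selected with a mask rather than a branch.  Always five
    stages, whatever the offset.
    """
    ops = 0
    for i in range(5):
        bit = (amount >> i) & 1
        sel = (-bit) & MASK32              # all ones if the bit is set, else zero
        rotated = rotl_fixed(x, 1 << i)
        x = (rotated & sel) | (x & ~sel & MASK32)
        ops += 1
    return x, ops


if __name__ == "__main__":
    for a in (0, 3, 17, 31):
        r_naive, n_naive = rotl_naive(0xDEADBEEF, a)
        r_const, n_const = rotl_constant_ops(0xDEADBEEF, a)
        print(a, hex(r_naive), hex(r_const), "ops:", n_naive, n_const)
```

Equalising the operation count removes the timing leak but not the power leak: the selection masks still take offset-dependent values, which is why such operations remain harder to balance than a fixed rotation whose wiring never changes.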
J. Daemen and V. Rijmen, "Resistance against implementation attacks: a comparative study of the AES proposals", AES 2.
....can't get KA and KB desired, and vice versa, these subkey relations will be very hard to control and predict. 5.11 Implementation Attacks It is well known that a poor implementation can leak information by timing attacks [16] or power analysis attacks [17]. Using the classification proposed in [11], Camellia is in the group of favorable algorithms, since it uses only logical operations, table lookups and fixed rotations. On the other hand, Chari et al. [8] claim that all AES candidates are susceptible to power analysis attacks. As these two papers contradict each other, how to ....
J. Daemen and V. Rijmen, "Resistance Against Implementation Attacks. A Comparative Study of the AES Proposals," Second Advanced Encryption Standard Candidate Conference, 1999.
....of attacks that look for information about the secret key of a cryptographic algorithm, by studying the electric consumption of the electronic device during the execution of the computation. The initial focus was on symmetrical cryptosystems such as DES (see [10, 14]) and the AES candidates (see [1, 3, 6]), but public key cryptosystems have since been shown to be also vulnerable to the DPA attacks (see [15, 5, 9]). Therefore, the research for countermeasures has considerably increased. In [6], Daemen and Rijmen proposed several countermeasures, including the insertion of dummy code, power consumption randomization and balancing of data. But these methods were proven to be insufficient: in [4] Chari et al. suggested that signal processing can be used by clever attackers to remove dummy ....
John Daemen and Vincent Rijmen, "Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals", in Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, http://csrc.nist.gov/encryption/aes/round1/Conf2/aes2conf.htm, March 1999.
....to power consumption. The attack was successfully applied to a DES implementation; as few as 1000 encryptions were sufficient to recover the secret key [14]. More recently, the resistance of smart card implementations of the AES candidates against monitoring power consumption was considered in [1, 3, 5]. The conclusion was that straightforward implementations of AES candidates were highly vulnerable to power analysis. In this paper we show that naive implementations of ECC are also highly vulnerable to power analysis. The paper is organized as follows. After recalling the principle of EC ....
J. Daemen, V. Rijmen. Resistance against implementation attacks: A comparative study of the AES proposals, Proceedings of the second AES Candidate Conference, March 1999, pp. 122-132.
....can be masked to some extent by executing the operation twice, employing the complement of the argument(s) during the second execution. A rough summary of the vulnerabilities of the basic operations used by the algorithms to timing and power attacks is as follows [25]: Table lookup: not vulnerable to timing attacks; relatively easy to effect a defense against power attacks by software balancing of the lookup address. Fixed shifts/rotations: not vulnerable to timing attacks; relatively easy to effect a defense against power attacks by software ....
....attack is not an intrinsic algorithm characteristic, but rather is heavily implementation dependent. 3.6.4 Defenses Against Implementation Dependent Attacks Various mechanisms have been proposed to defend against timing and power analysis attacks. Proposed defense mechanisms include (e.g. Ref. [25]): elimination of branching in program execution, to defend against timing attacks; software balancing (e.g. using complements of arguments to even out the total power consumed); algorithm design (e.g. avoiding operations that are difficult to defend, and avoiding implicit key schedule ....
J. Daemen and V. Rijmen, Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals, in The Second AES Candidate Conference, printed by The National Institute of Standards and Technology, Gaithersburg, MD, March 22-23, 1999, pp. 122-132.
....balancing. This technique may be effective for certain operations whose power consumption can be masked to some extent by executing the operation twice, employing the complement of argument(s) the second time. A rough summary of vulnerabilities of the operations used in candidates is as follows [12]: a. Table lookup: not vulnerable to timing attacks. Defense against power attacks may be effected by using the address and its complement. b. Fixed shifts/rotations: not vulnerable to timing attacks. Defense against power attacks may be effected by using the contents of the register containing ....
....is not an intrinsic algorithm characteristic, but rather is heavily implementation-dependent. 2.5.4 Some Possible Defenses Various mechanisms have been proposed to defend against timing and power analysis attacks, such as those discussed in Sec. 2.5.3. Proposed defense mechanisms include (e.g. [12]) a. Elimination of branching in program execution, to defend against timing attacks. b. Software balancing (e.g. using complements of arguments to even out the total power consumed) c. Algorithm design (e.g. avoiding operations that are difficult to defend, and avoiding implicit key schedule ....
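Two of the countermeasures quoted in the contexts on this page, 2-out-of-2 Boolean masking (the data masking scheme mentioned in the first context) and complement balancing (the complementary-wire and "software balancing" proposals in the contexts just above), as an added example that is not code from the cited paper or from any of the citing papers. It assumes a 4-bit S-box (the PRESENT S-box, used only as a small concrete bijection), a Hamming-weight leakage model for the simulated power traces, and a seeded PRNG so the run is reproducible; a real device must draw its masks from a CSPRNG. The block recomputes the S-box table under fresh input/output masks, runs a correlation power analysis against the unmasked and the masked implementation, and shows that the value computed alongside its complement has a constant weight.

```python
# Added example (not from the cited paper or any citing paper): first-order
# Boolean masking of an S-box lookup, a simulated Hamming-weight CPA against
# the masked and unmasked versions, and complement balancing of a value.
import random

# Constructed 4-bit bijective S-box (the PRESENT S-box), chosen only as a
# small concrete example; any bijection would serve.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NIBBLE = 0xF


def hw(v):
    """Hamming weight: the usual first-order power-consumption model."""
    return bin(v).count("1")


def masked_sbox_table(m_in, m_out):
    """Recompute the table so that table[x ^ m_in] == SBOX[x] ^ m_out.

    The device then looks up the masked share directly; the unmasked x never
    exists as a variable.  (x ^ m_in, m_in) is the 2-out-of-2 sharing of x.
    """
    table = [0] * 16
    for x in range(16):
        table[x ^ m_in] = SBOX[x] ^ m_out
    return table


def round_unmasked(p, k):
    """Unprotected reference: the key-dependent value SBOX[p ^ k] is computed in the clear."""
    return SBOX[p ^ k]


def round_masked(p, k, m_in, m_out):
    """Masked version: returns the output shares (SBOX[p ^ k] ^ m_out, m_out)."""
    table = masked_sbox_table(m_in, m_out)
    p_share = p ^ m_in           # share of the plaintext under m_in
    x_share = p_share ^ k        # equals (p ^ k) ^ m_in; k only meets a masked value
    return table[x_share], m_out


def unmask(share, mask):
    return share ^ mask


def share_histogram(p, k):
    """Distribution of the data share over all mask pairs, for fixed p and k."""
    counts = [0] * 16
    for m_in in range(16):
        for m_out in range(16):
            y, _ = round_masked(p, k, m_in, m_out)
            counts[y] += 1
    return counts


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5


def cpa_key_scores(plaintexts, traces):
    """Correlation power analysis: |corr| between the traces and HW(SBOX[p ^ k']) for each guess k'."""
    scores = []
    for guess in range(16):
        predicted = [hw(SBOX[p ^ guess]) for p in plaintexts]
        scores.append(abs(pearson(predicted, traces)))
    return scores


def best_guesses(scores, tol=1e-9):
    top = max(scores)
    return [g for g, s in enumerate(scores) if s >= top - tol]


def simulate(k, n_traces, masked, seed=1):
    """Noise-free HW leakage of the S-box output share visible to a first-order attacker.

    Masks come from a seeded PRNG only to make the demonstration reproducible;
    a real implementation must use a CSPRNG such as os.urandom.
    """
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(16)
        if masked:
            m_in, m_out = rng.randrange(16), rng.randrange(16)
            y_share, _ = round_masked(p, k, m_in, m_out)
            leak = hw(y_share)          # only the data share is observed
        else:
            leak = hw(round_unmasked(p, k))
        plaintexts.append(p)
        traces.append(leak)
    return plaintexts, traces


def complement_balanced_weight(v):
    """Weight of a value processed together with its complement (two-wire / software balancing): always 4."""
    return hw(v & NIBBLE) + hw(~v & NIBBLE)


if __name__ == "__main__":
    key = 0xA
    p, t = simulate(key, 2048, masked=False)
    print("unmasked, best key guesses:", best_guesses(cpa_key_scores(p, t)))
    p, t = simulate(key, 2048, masked=True)
    print("masked, max |corr| over all guesses:", round(max(cpa_key_scores(p, t)), 3))
```

The histogram check is the property that matters: for a fixed plaintext and key the data share takes every value equally often, so no first-order statistic of that share depends on the key, which is exactly what the CPA against the masked version fails to find. Leakage of the two shares combined (second order) is outside what this block models.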
J. Daeman and V. Rijmen, Resistance against implementation attacks: a comparative study of the AES proposals, The Second AES Conference, March 22-23, 1999, pp 122-132.
J. Daemen, V. Rijmen, Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals, presented at the Second AES Candidate Conference, Rome, Italy, March 22-23, 1999.
Joan Daemen, Vincent Rijmen, Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals, presented at the Second AES Candidate Conference, Rome, Italy, March 22-23, 1999.
Daemen, J. and Rijmen, V., "Resistance Against Implementation Attacks: A Comparative Study of the AES
J. Daemen and V. Rijmen. Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals. In Proceedings of the Second AES Candidate Conference (AES2), Rome, Italy, March 1999. Available at http://csrc.nist.gov/encryption/aes/aes_home.htm.
J. Daemen and V. Rijmen. Resistance against implementation attacks: A comparative study of the AES proposals. In Proceedings of The Second AES Candidate Conference, pages 122-132. March 22-23, 1999.
CiteSeer.IST - Copyright Penn State and NEC