A Collision-Attack on AES Combining Sidechannel- and Differential-Attack
- In: CHES'04, Volume 3156 of LNCS, 2004
Cited by 17 (3 self)
Abstract. Recently a new class of collision attacks, originally suggested by Hans Dobbertin, has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If an SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks.
The Doubling Attack: Why Upwards is Better than Downwards
- In: Workshop on Cryptographic Hardware and Embedded Systems 2003 (CHES 2003), LNCS 2779, 2003
Cited by 14 (2 self)
Abstract. The recent developments of side channel attacks have led implementers to use more and more sophisticated countermeasures in critical operations such as modular exponentiation, or scalar multiplication in the elliptic curve setting. In this paper, we propose a new attack against a classical implementation of these operations that only requires two queries to the device. The complexity of this so-called "doubling attack" is much smaller than previously known ones. Furthermore, this approach defeats two of the three countermeasures proposed by Coron at CHES '99. Keywords. SPA-based analysis, modular exponentiation, scalar multiplication, DPA countermeasures, multiple exponent single data attack.
Improved Side-Channel Collision Attacks on AES
Cited by 3 (2 self)
Abstract. Side-channel collision attacks were proposed in [1] and applied to AES in [2]. These are based on detecting collisions in certain positions of the internal state after the first AES round for different executions of the algorithm. The attack needs about 40 measurements and 512 MB of precomputed values, and requires chosen plaintexts. In this paper we show how to mount a collision attack on AES using only 6 measurements and about 2^37.15 offline computational steps, working with a probability of about 0.85. Another attack uses only 7 measurements and finds the full encryption key with an offline complexity of about 2^34.74 with a probability of 0.99. All our attacks require only a negligible amount of memory and work in the known-plaintext model. This becomes possible by considering collisions in the S-box layers both for different AES executions and within the same AES run. All the attacks work under the assumption that one-byte collisions are detectable.
Embedded Security: State of the Art and Future Developments (Eingebettete Sicherheit: State-of-the-art und zukünftige Entwicklungen)
- In: DACH Security, March 30
Cited by 2 (1 self)
It is widely assumed that the next revolution in the IT landscape will come from the networking of embedded systems. In such pervasive computing applications, IT security will play an extremely important role. Although there are strong indicators that embedded security will be of great importance, it has so far hardly been considered as a field in its own right. The aim of this contribution is to examine various aspects of embedded security in an overall presentation. In particular, the specific problems of embedded security are considered more closely. Using case studies from the automotive domain and from ad-hoc networks, future problems and opportunities of IT security in embedded applications are illustrated. Two important implementation aspects of secure embedded systems in practice, namely efficient asymmetric schemes in computationally constrained environments and side-channel attacks, are also discussed. 1 Introduction In recent decades the Internet has increasingly networked computers and, with applications such as the World Wide Web and email, has dramatically influenced the flow of information and communication in many areas of life. Business processes, private communication, interaction between citizens
Algebraic Side-Channel Collision Attacks on AES
Cited by 2 (1 self)
Abstract. This paper presents a new powerful side-channel cryptanalytic method, algebraic collision attacks, representing an efficient class of power analysis based on both the power consumption information leakage and the specific structure of the attacked cryptographic algorithm. This can result in an extremely low measurement count needed for a key recovery. The algebraic collision attacks are well applicable to AES, if one-byte collisions are detectable. For the recovery of the complete AES key, one needs 3 measurements with a probability of 0.42 and 4.24 PC hours of post-processing, 4 measurements with a probability of 0.82 and several seconds of offline computation, or 5 measurements with success probability close to 1 and several seconds of post-processing.
Defeating Countermeasures Based on Randomized BSD Representations
- In: Cryptographic Hardware and Embedded Systems (CHES '04), Volume 3156 of LNCS, 2004
Cited by 1 (0 self)
Abstract. The recent development of side channel attacks has led implementers to use increasingly sophisticated countermeasures in critical operations such as modular exponentiation, or scalar multiplication on elliptic curves. A new class of countermeasures is based on inserting random decisions when choosing one representation of the secret scalar out of a large set of representations of the same value. For instance, this is the case for the countermeasures proposed by Oswald and Aigner, or Ha and Moon, both based on randomized Binary Signed Digit (BSD) representations. Their advantage is to offer excellent speed performance. However, the first countermeasure and a simplified version of the second one were already broken using Markov chain analysis. In this paper, we take a different approach to break the full version of Ha-Moon's countermeasure using a novel technique based on detecting local collisions in the intermediate states of computation. We also show that randomized BSD representations present some fundamental problems and thus recommend not using them as a protection against side-channel attacks.
A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter
Cited by 1 (0 self)
Abstract. Previous first-order differential power analysis (DPA) attacks have depended on knowledge of the target algorithm's input or output. This paper describes a first-order DPA attack against AES in counter mode, in which the initial counter and output values are all unknown. Keywords: power analysis, SPA, DPA, HO-DPA, AES, counter mode.
Virtual Analysis and Reduction of Side-Channel Vulnerabilities of Smartcards
, 2005
This paper focuses on the usability of the PINPAS tool. The PINPAS tool is an instruction-level interpreter for smartcard assembler languages, augmented with facilities to study side-channel vulnerabilities. The tool can simulate side-channel leakage and has a suite of utilities to analyze it. The usage of the tool for the analysis of a cryptographic algorithm is illustrated using the standard AES and RSA. Vulnerabilities of the implementations are identified and protective measures added. It is argued that the tool can be instrumental for the systematic design and realization of secure smartcard implementations.
Practical Power Analysis Attacks on Software Implementations of McEliece
Abstract. The McEliece public-key cryptosystem is based on the fact that decoding unknown linear binary codes is an NP-complete problem. Interest in implementing post-quantum cryptographic algorithms, e.g. McEliece, on microprocessor-based platforms has risen sharply due to the increasing storage space of these platforms. Therefore, their vulnerability and robustness against physical attacks, e.g., state-of-the-art power analysis attacks, must be investigated. In this work, we address mainly two power analysis attacks on various implementations of McEliece on an 8-bit AVR microprocessor. To the best of our knowledge, this is the first time that such side-channel attacks are practically evaluated.