The Twofish encryption algorithm: a 128-bit block cipher
The Twofish encryption algorithm: a 128-bit block cipher
Towards Sound Approaches to Counteract Power-Analysis Attacks
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
FSE '97 Proceedings of the 4th International Workshop on Fast Software Encryption
Securing the AES Finalists Against Power Analysis Attacks
FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
DES and Differential Power Analysis (The "Duplication" Method)
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
On Boolean and Arithmetic Masking against Differential Power Analysis
CHES '00 Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems
A Sound Method for Switching between Boolean and Arithmetic Masking
CHES '01 Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems
Electromagnetic Analysis: Concrete Results
CHES '01 Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems
Side channel cryptanalysis of product ciphers
Journal of Computer Security
Hi-index | 0.00 |
It is believed that masking is an effective countermeasure against power analysis attacks: before a certain operation involving a key is performed in a cryptographic chip, the input to this operation is combined with a random value. This has to prevent leaking information since the input to the operation is random.We show that this belief might be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, hence masking even helps in the case when we cannot control the plaintext. It can be applied to any round of the encryption. Even with moderate accuracy of measuring power consumption it determines explicitly subkey bits. The attack combines the classical power analysis (over Hamming weight) with the strategy of the saturation attack performed using a random sample.We conclude that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the usage of addition might be a serious danger.