side channel attacks: a primercse.iitkgp.ac.in/conf/iot/scaseciot_dm.pdf · strong cryptographic...
TRANSCRIPT
1
24/10/2016 SecIoT Workshop IIT
Kharagpur
Side Channel Attacks:
A Primer
Debdeep Mukhopadhyay
Department of Computer Science and Engineering
THE BIRD’S EYE VIEW
“…Of Secrecy I am Silence…”
Bhagavad Gita, Vibhuti Yoga, Sloka 38
3
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cryptographic Communication
Encrypt Decryptplaintext
KbKa
plaintext
ciphertext
A generic use of crypto
4
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cryptographic Threat Model
Assumptions• Only Alice Knows Ka
• Only Bob Knows Kb
• Mallory has access to E, D and the Communication Channel but does not know the decryption key Kb
E
Ka
D
Kb
CommunicationChannel
Message Message
Mallory
Alice Bobleaked Information
Side Channels in the real worldThrough which a cryptographic module
leaks information to its environment
unintentionally
5
24/10/2016 SecIoT Workshop IIT
Kharagpur
Side Channel Attacks
6
24/10/2016 SecIoT Workshop IIT
Kharagpur
Power Attacks
7
24/10/2016 SecIoT Workshop IIT
Kharagpur
Power
consumption
Strong cryptographic algorithms are
just the beginning!
Data input
Data output
Terminal IC chip
Power supply
00111…
Measure power
consumptionGuess secret information
stored on IC chip memory
0 1 1 1Secret
information0 1
8
24/10/2016 SecIoT Workshop IIT
Kharagpur FPGA Board
Cu
rren
t
Pro
be
Vcc
Current
Amplifier
Digital
Oscilloscope
Controller Pin
Controller PC
DES/3-DES/AES
CORE LOGIC
(Implemented on
FPGA)
Experiment Set-up @ IIT KGP
1
2
3
9
24/10/2016 SecIoT Workshop IIT
Kharagpur
Power Attacks
SPA – Simple Power Analysis attacks
◦ Fact exploited - Power consumption at an
instant of time is a function of the operation
being carried out by the device
DPA – Differential Power Analysis
◦ Fact exploited - Power consumption of the
same operation at different instants of time
depends on the data being processed.
10
24/10/2016 SecIoT Workshop IIT
Kharagpur
Simple Power Analysis (SPA)
Directly interprets the power consumption
of the device
Looks for the operations taking place and
also the key!
Trace: A set of power consumptions
across a cryptographic process
1 millisecond operation sampled at 5MHz
yield a trace with 5000 points
11
24/10/2016 SecIoT Workshop IIT
Kharagpur
A Power Trace
Power Trace of a round of AES.
Observe the variation of power values.
The variations occur because of the operation dependence of power: leads to SPA.
The variations also occur because of data dependence of power: leads to DPA.
12
24/10/2016 SecIoT Workshop IIT
Kharagpur
Example of SPA- ECC Double
and Add Algorithm
13
24/10/2016 SecIoT Workshop IIT
Kharagpur
Correlation of Power with bits
Assume power leakage follows Hamming Weight.
Divide the HW(s) into two bins:
◦ 0 bin: when LSB is 0
◦ 1 bin: when LSB is 1
Difference-of-Mean (DoM)=20/8-12/8=1
14
24/10/2016 SecIoT Workshop IIT
Kharagpur
When the partitioning is done
wrt. an uncorrelated bit? Parititioning
done by bits simulated using rand function in C.
Observe the DoM is close to 0, as expected!
15
24/10/2016 SecIoT Workshop IIT
Kharagpur
A Toy DPA
Consider the operation z=yxmod 256
Assume attacker knows first 4 bits of the secret, x.
Probability of guessing the next bit of x is ½ (with no side channel information).
Now we assume, the attacker varies y and obtains several power traces.
◦ We simulate them through Hamming Weights.
16
24/10/2016 SecIoT Workshop IIT
Kharagpur
A Toy DPA
For a given y, the attacker now guesses the next bit and computes the probable s after the 3rd
iteration (note that square and multiply starts from bit 6 to bit 0).
Based on the LSB of y, the corresponding trace is put into the 0 bin or 1 bin.
For every guess (there are 2 guesses) the DoMis computed and plotted.
The correct guess is expected to provide large DoM.
17
24/10/2016 SecIoT Workshop IIT
Kharagpur
A Toy DPA
Correct Key is 0x8F
Next bit is thus 1.
DoM computed after 210 traces.
Significant difference: 0.9 vs 0.2!
18
24/10/2016 SecIoT Workshop IIT
Kharagpur
Key = 39Key = 20
Key = 41Key = 51
0
500
1000
1500
2000
2500
-0.1
0
0.1
Key Guess
Time (s)
DP
A B
ias (
mV
)
Distinguishable Spikes
SBOX – 3 BIT – 3 TRACE COUNT = 4,000
3D Differential Plot
Differential Power Analysis
Attacks on DES
19
24/10/2016 SecIoT Workshop IIT
KharagpurSBOX – 4 BIT – 2 TRACE COUNT = 10,000
3D Differential Plot
Key = 39Key = 20
Key = 19Key = 51
0
500
1000
1500
2000
2500-0.2
-0.1
0
0.1
0.2
Key GuessTime (s)
DP
A B
ias (
mV
)
Distinguishable Spikes
Differential Power Analysis
Attacks on 3-DES
20
24/10/2016 SecIoT Workshop IIT
Kharagpur
Key = 113
Key = 13
Key = 12
Key = 77
0
500
1000
1500
2000
2500
-0.1
0
0.1
Key GuessTime (s)
DP
A B
ias (
mV
)
Distinguishable Spikes
SBOX – 11 BIT – 8 TRACE COUNT = 15,000
3D Differential Plot
Differential Power Analysis
Attacks on AES
21
24/10/2016 SecIoT Workshop IIT
Kharagpur
Differential Power Analysis: A Summary
22
24/10/2016 SecIoT Workshop IIT
Kharagpur
Correlation Power Analysis: An Improved DPA technique
23
24/10/2016 SecIoT Workshop IIT
Kharagpur
Countering DPA
Two broad approaches are taken
◦ Make the power consumption of the device independent of the data processed
Detached power supplies
Logic styles with a data independent power consumption
Noise generators
Insertion of random delays
◦ Methods are costly and not in tune with normal CAD methodologies
24
24/10/2016 SecIoT Workshop IIT
Kharagpur
Countering DPA
(Second Approach)
◦ Second Approach is to randomize the
intermediate results
◦ Based on the principle that the power
consumption of the device processing
randomized data is uncorrelated to the actual
intermediate results
◦ Masking:Can be applied at the algorithm level
or at the gate level
25
24/10/2016 SecIoT Workshop IIT
Kharagpur
Gate Level Masking
No wire stores a value that is correlated
to an intermediate result of the algorithm.
Process of converting an unmasked digital
circuit to a masked version can be
automated
26
24/10/2016 SecIoT Workshop IIT
Kharagpur
Masked AND Gate
( , )
ˆ ( , , , , )
m a
m b
m q
m m a m b q
a a m
b b m
q q m
q f a b
q f a m b m m
27
24/10/2016 SecIoT Workshop IIT
Kharagpur
Masked AND Gate
m ).mm ))a(m ).mb .b(((a
m )m ).(bm (a
m b)(aq
qbambammm
qbmam
qm
28
24/10/2016 SecIoT Workshop IIT
Kharagpur
Masked AND Gate
There are 45=1024 possible input transmissions that can occur.
It turns out that the expected value of the energy required for the processing of q=0 and q=1 are identical.
Thus protected against DPA, under the assumption that the CMOS gates switch only once in one clock cycles.
But we know there are glitches, and so the output of gates swing a number of times before reaching a steady state. Hence... the argument continues.
29
24/10/2016 SecIoT Workshop IIT
Kharagpur
Masked Multiplier
Same Principle may be applied for multiplier circuits.
30
24/10/2016 SecIoT Workshop IIT
Kharagpur
Evaluating Side Channel
Security of Crypto-systems
31
24/10/2016 SecIoT Workshop IIT
Kharagpur
Machine Learning as a
Classifier
1k
||Kk
~
||Kk ~
.
.
.
.
.
.
Given a trace, find the key k used for the
encryption.
?k
32
24/10/2016 SecIoT Workshop IIT
Kharagpur
Develop Suitable Metrics to
Certify Chips Lt =Φt(Sk) + Nt
SNR: Var(E[Lt|Sk])/Var(Lt-E[Lt|Sk])
NICV/SR: Var(E[Lt|Sk])/Var(Lt)
Key Less Evaluation: From impulse response of linear filter which maximizes the leakage
33
24/10/2016 SecIoT Workshop IIT
Kharagpur
Test Vector Leakage
Assessment Pass-Fail test
It is similar to statistical t-test
T=
Safe criteria: C>|T|, C is a predefined safe value
34
24/10/2016 SecIoT Workshop IIT
Kharagpur
Success Rate and Signal Ratio
TVLA, though certifies a chip, it does not quantify how safe or unsafe the chip is
Success rate can be defined in the terms of number of power traces and Signal Ratio (SR)
Success Rate= F(q,SR) where F is the cumulative probability distribution of zero mean gaussian distribution and q is the number of power traces
35
24/10/2016 SecIoT Workshop IIT
Kharagpur
Frequency Dependence of Side
Channel Resistance The table denotes average key ranking
result obtained after executing CPA on AES at different frequency
36
24/10/2016 SecIoT Workshop IIT
Kharagpur
Frequency Dependence of Side
Channel Resistance Tis table denotes average key ranking
result obtained after executing CPA on noisy AES at different frequency
FAULT ATTACKS:
“WHEN A SECRET IS REVEALED, IT IS
THE FAULT OF THE MAN WHO CONFIDED
IT.”
38
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
39
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
40
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
41
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
42
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
43
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
44
24/10/2016 SecIoT Workshop IIT
KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
45
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Attacks : RSA Cipher
A generate keys:
◦ Select p,q large prime numbers (at least hundred digits) and denote N=pq
◦ Select a small odd integer e relatively prime (only common factor is 1) to
◦ Find integer d so that
◦ (e,N) – public key; (d,N) – private key
B wants to send A a message M
◦ B encrypts M using A's public key
M is restricted to 0 M N-1
◦ A decrypts using private key d -
)1)(1()( qpN
)(mod1 Nde
NMS e mod
MNMNS ded modmod
46
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Attacks
Another attack – by injecting faults◦ Vary the supply voltage – generate a spike◦ Vary the clock frequency – generate a glitch◦ Overheat the device◦ Expose to intense light – camera flash or
precise laser beam◦ Faults injected into a byte or a few bits
47
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Attacks on RSA
Only decryption is subject to attacks
Assume:
◦ 1. Attacker can flip a single bit in key d 2. S and corresponding message M known to attacker
◦ Decryption device generates satisfying
◦ If then
◦ If then
M̂
NS
S
M
M
i
i
i
i
d
d
modˆ
2
2
NSMMi
mod1ˆ 2
NSMMi
modˆ 20id
1id
48
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Attacks on AES
PLAIN TEXT
ENCRYPTION ALGORITHM
FAULT FREECIPHER TEXT
PLAIN TEXT
ENCRYPTION ALGORITHM
FAULTY CIPHER TEXT
ANALYSIS
RANDOM
FAULTS
49
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Attacks on RSA
◦ Assume that the attacker flips randomly a bit in d.
Example: (e,N)=(7,77), d=43
◦ Ciphertext=37 producing M=9 if no fault is injected and if a fault is injected
◦ Search for i such that i=3 since
2012345 101011dddddd
67ˆ M
77mod)3767(9 2i
977mod)5367(77mod)3767( 8
)1( 3 d
50
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Models
M0: One Diagonal affected.
M1: Two Diagonals affected.
M2: Three Diagonals affected.
M3: Four Diagonals affected.
51
24/10/2016 SecIoT Workshop IIT
Kharagpur
Propagation of Fault Induced
f f’ f’ 2f’
f’
f’
3f’
F1
F2
F3
F4
F1
F2
F3
F4
8th Round
Byte Sub
8th round
ShiftRow
8th Round
MixColumn
9th Round
ByteSub
9th Round
ShiftRow
2F1 F4 F3 3F2
F1 F4 3F3 2F2
F1 3F4 2F3 F2
3F1 2F4 F3 F2
A1 A2 A3 A4
A5 A6 A7 A8
A9 A10 A11 A12
A13 A14 A15 A16
A1 A2 A3 A4
A5A6 A7 A8
A9 A10A11 A12
A16 A15A14A13
9th Round
MixColumn
10th Round
Byte Sub
10th Round
Shift Row
52
24/10/2016 SecIoT Workshop IIT
Kharagpur
Features of the proposed attack
The attack is the strongest of its class in the literature.
Needs just one byte random fault induction.
◦ Previous best attack reduced key space to 240.
◦ Our attack reduced to 232 (revealed in 400 sec on an Intel Xeon Server with 8 cores).
Debdeep Mukhopadhyay, An Improved Fault Based Attack of the Advanced
Encryption Standard. AFRICACRYPT 2009: LNCS 5580, pp 421-434
The work was developed as a project from NTT Laboratory, Japan.
53
24/10/2016 SecIoT Workshop IIT
Kharagpur
DFA with a single Fault!
Current research shows that the AES key size can be reduced from 232 to 28 for a single byte fault.
The small complexity of the attack makes it feasible on real life FPGA implementations of AES using less sophisticated techniques, like clock glitching.
Michael Tunstall and DebdeepMukhopadhyay, Differential Fault Analysis of the Advanced Encryption
Standard using a Single Fault, Cryptology ePrint Archive: Report 2009/575
54
24/10/2016 SecIoT Workshop IIT
Kharagpur
Fault Injection Setup
Tools Used:
◦ AES Core Implemented on Xilinx Spartan 3E.
◦ Agilent Wavefrom (80 MHz)Generator
◦ Xilinx Chipscope Pro Embedded Logic Analyzer.
55
24/10/2016 SecIoT Workshop IIT
Kharagpur
Experimental Results
ATTACK REGIONDhiman Saha, Debdeep Mukhopadhyay, Dipanwita Roy Chowdhury: A Diagonal Fault Attack on
the Advanced Encryption Standard. IACR Cryptology ePrint Archive 2009: 581 (2009)
56
24/10/2016 SecIoT Workshop IIT
Kharagpur
Bypassing the Counter-measures
Parity-1, Parity-16 (linear codes) and Robust Codes (nonlinear codes) all miss some faults!
The missed faults also can lie in the DFA-exploitable space.
•An attacker can operate at a region
where the faults are missed.
•Probability of faults getting missed
is much higher if the fault space is
not uniform.
•Can we have fault tolerance
techniques which have provable
100% security. w.r.t. all the DFA
exploitable faults?
Note that the DFA exploitable space
is quite small…
57
24/10/2016 SecIoT Workshop IIT
Kharagpur
Common Countermeasure
Against Power and Fault
Attack: DRECON
58
24/10/2016 SecIoT Workshop IIT
Kharagpur
Can Side Channels be Eliminated
by design?
59
24/10/2016 SecIoT Workshop IIT
Kharagpur
60
24/10/2016 SecIoT Workshop IIT
Kharagpur
Application of DRECON
61
24/10/2016 SecIoT Workshop IIT
Kharagpur
62
24/10/2016 SecIoT Workshop IIT
Kharagpur
63
24/10/2016 SecIoT Workshop IIT
Kharagpur
64
24/10/2016 SecIoT Workshop IIT
Kharagpur
65
24/10/2016 SecIoT Workshop IIT
Kharagpur
DRECON against Fault Attack
In each execution different S-Box is chosen depending upon tweak.
Differential fault analysis fails due to this different S-Box access
Secured against multiple fault injection also
66
24/10/2016 SecIoT Workshop IIT
Kharagpur
Is that the end?-- Side Channels with Process Scaling
Mathieu Renauld, François-Xavier Standaert, Nicolas Veyrat-Charvillon, Dina Kamel, Denis Flandre: A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices. EUROCRYPT 2011: 109-128
67
24/10/2016 SecIoT Workshop IIT
Kharagpur
Process Scaling and Side
Channels Process variation is a central issue in deep-
submicron technology.
Research shows that the leakage models change: they become non-linear!
In the absence of variations, one can develop a power model, but due to variations one need to infer correct leakage for each chip.
Also, countermeasures assume independent leakage
◦ But below 65nm, there would be cross-talk!
68
24/10/2016 SecIoT Workshop IIT
Kharagpur
A Quick Look into Cache
Attacks
69
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cache Memory Leaks Information
If there is a Cache Hit◦ Access time is less
◦ Power Consumption is less
Microprocessor
Main Memory
Cache Memory
If there is a Cache Miss◦ Access time is more
◦ Power Consumption is more
70
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cache Attacks : The Principle
Power and Time for the second access depends on the previous sbox access.◦ If cache hit :
Since we know P0 and P1, we can determine
…but we need to differentiate between a cache hit and miss.
Sbox
XOR
P0
K0
Sbox
XOR
P1
K1
1010
1100
PPKK
KPKP
10 KK
71
24/10/2016 SecIoT Workshop IIT
Kharagpur
Classes of Cache Attacks
Three ways to identify cache behavior
Cache Trace Attacks
Cache Access Attacks
Cache Timing Attacks
72
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cache Trace Attacks
The Power Profile of the system gives away
cache behavior.
Without Cache Miss
With Cache Miss
73
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cache Access Attacks : Osvik’s Attack
Uses a spy program to determine cache behavior
Microprocessor
Spy
AES
Memory
Cache MemoryPart of the cache memory
occupied by tablesCache Miss
Cache Hit
74
24/10/2016 SecIoT Workshop IIT
Kharagpur
Cache Timing Attack
Based on measuring the total time for encryption.
Used to attack a remote server.
Server running Encryption Software
Remote Attacker
Network
Trigger Encryption &Measure time taken
K *T N *T NTime Execution mmhh
75
24/10/2016 SecIoT Workshop IIT
Kharagpur
Bernstein’s Cache Timing Experiment
AES
RandomP0 = 00 - FF
Cipher Text
Characteristic of Plaintext Byte P0
(Deviation from mean time)EncryptionforTimeObtain
EncryptionAESInvoke
randomlytextsplainremainingtheVary
iterationsFor
P
15
0
2
255to0For
76
24/10/2016 SecIoT Workshop IIT
Kharagpur
Bernstein’s Cache Timing Attack
Put key to all ZEROs and
perform experiment
76
Repeat experiment with
unknown key
Correlate the two results
77
24/10/2016 SecIoT Workshop IIT
Kharagpur
Why Cache Attacks Work on AES
The AES Structure
◦ Add initial Key
◦ Nine Rounds of
Byte Substitution
Shift Row
Mix Column
Add Round Key
◦ Final Round
Byte Substitution
Shift Row
Add Round Key
Substitute 16 bytes from a 256 byte lookup table
Chester Rebeiro, Mainack Mandal, Debdeep Mukhopadhyay, "Pinpointing Cache Timing Attacks on AES",
VLSID 2010,
78
24/10/2016 SecIoT Workshop IIT
Kharagpur
Software Implementations of AES
(OpenSSL) Merges all round operations into 4 lookups.
Uses 4 tables T0, T1, T2, T3 , each of size 1024 byte.
The Software Structure is
78
a0 =T0[b024] ^ T1[b116] ^ T2[b28] ^ T4[b30] ^ rk[4]
a1 =T0[b124] ^ T1[b216] ^ T2[b38] ^ T4[b00] ^ rk[5]
a2 =T0[b224] ^ T1[b316] ^ T2[b08] ^ T4[b10] ^ rk[6]
a3 =T0[b324] ^ T1[b016] ^ T2[b18] ^ T4[b20] ^ rk[7]
b0 =T0[a024] ^ T1[a116] ^ T2[a28] ^ T4[a30] ^ rk[8]
b1 =T0[a124] ^ T1[a216] ^ T2[a38] ^ T4[a00] ^ rk[9]
b2 =T0[a224] ^ T1[a316] ^ T2[a08] ^ T4[a10] ^ rk[10]
b3 =T0[a324] ^ T1[a016] ^ T2[a18] ^ T4[a20] ^ rk[11]
Round 1
Round 2
79
24/10/2016 SecIoT Workshop IIT
Kharagpur
AES Execution Time big and small
Tables
79
Cache Attack works because of
varying execution time.
Cache AttacksBelieved to be not possible
Big Tables
Small Tables
80
24/10/2016 SecIoT Workshop IIT
Kharagpur
Attack of Clefia: A Block cipher
with small tables
Clefia is a block cipher designed by Sony Corporations
It has small tables of 256 bytes.
It was designed specifically to be protected against cache timing attacks.
◦ Our project from NTT Lab, was to analyze cache timing attacks on a Clefia code written by Sony itself..
81
24/10/2016 SecIoT Workshop IIT
Kharagpur
Clefia Attack Results In around 226 Clefia encryptions
the cipher can be shown to break in the face of cache timing attacks
3 GHz Intel Core 2 Duo
32 kB L1 Cache
1 GB RAM
Linux (Ubuntu 8.04)
gcc -4.2.4 with O3 optimization.
Attack Time:◦ First Phase (with known key):
1300 sec
◦ Second Phase (with unknown key): 312.5 sec
Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi and Toshinori Fukunaga, "Cache Timing Attacks on Clefia", Indocrypt 2009.
The work was developed as a project from
NTT Laboratory, Japan.
The attack is mentioned in website of SONY.
82
24/10/2016 SecIoT Workshop IIT
Kharagpur
Correlation Results on CLEFIA
82
83
24/10/2016 SecIoT Workshop IIT
Kharagpur
Conclusions
Side Channel Analysis is an extremely important topic
We have studied some of the well known side channels in cryptography.
Need for development of formalisms:◦ Information Theory
◦ Side Channel Analysis is now not a topic for only engineers: theoreticians are also worried!
A suitable security metric can be used to compare counter-measures:◦ And thus help to develop more robust designs.
84
24/10/2016 SecIoT Workshop IIT
Kharagpur
Moral of the Story
85
24/10/2016 SecIoT Workshop IIT
Kharagpur
References
Dag Arne Osvik and Adi Shamir and Eran Tromer, “Cache attacks and Countermeasures: the Case of AES”, Cryptology ePrint Archive, 2005
Daniel J. Bernstein, “Cache-timing attacks on AES”, 2005, http://cr.yp.to/antiforgery/
Chester Rebeiro and Debdeep Mukhopadhyay, "Pinpointing Cache Timing Attacks on AES", VLSID 2010
Joan Daemen, Vincent Rijmen: The Design of Rijndael: AES - The Advanced Encryption Standard Springer 2002
Gilles Piret and Jean-Jacques Quisquater, A Differential Fault Attack Technique against SPNStructures, with Application to the AES and KHAZAD, CHES 2003
Dan Boneh, Richard A. DeMillo and Richard J. Lipton: On the importance of checking cryptographic protocols for faults, Journal of Cryptology 2001.
Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi and Toshinori Fukunaga, "Cache Timing Attacks on Clefia", To appear Indocrypt 2009.
AES and Combined Encryption/ Authenti-cation Modes, http://gladman.plushost.co. uk/oldsite/AES/index.php
86
24/10/2016 SecIoT Workshop IIT
Kharagpur
Eli Biham, Adi Shamir, “Differential Fault Analysis of Secret Key Cryptosystems”, Crypto 1997.
Oliver Kömmerling and Markus Kuhn “Design Principles for Tamper-Resistant Smartcard Processors”, USENIX 1999.
Sergei P. Skorobogatov and Ross J. Anderson “Optical Fault Induction Attacks”, CHES 2002.
Bar-El, H. Choukri, H. Naccache, D. Tunstall, M. Whelan, C. , “The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006
Debdeep Mukhopadhyay, "An Improved Fault Based Attack of the Advanced Encryption
Standard", Africacrypt 2009
Debdeep Mukhopadhyay, "A New Fault Attack on the Advanced Encryption Standard Hardware", ECCTD 2009, Antalya, Turkey ( Invited Paper ).
Benedikt Gierlichs, Lejla Batina, Pim Tuyls and Bart Preneel, “Mutual Information Analysis - A Generic Side-Channel Distinguisher”, CHES 2008
Stefan Dziembowski and Krzysztof Pietrzak, “Leakage-Resilient Cryptography”, FOCs,
2009
Shay Gueron, Geoffrey Strongin, Jean-Pierre Seifert, Derek Chiou, Resit Sendag, Joshua J.
Yi, “Where does Security Stand? New Vulnerabilities vs. Trusted Computing”, 2007,
IEEE Computer Society...
References