
2.2 Background on cryptanalysis of cryptographic primitives

2.2.2 Side channel attacks

Side channel attacks usually exploit the information leaked by the physical characteristics of the cryptographic modules during the execution of the algorithm. This extra information can be extracted from timing, power consumption or electromagnetic radiation features. Other forms of side-channel information can be a result of hardware or software failures, changes in frequency or temperature and computational errors. In the following subsections, we briefly review some of the side channel cryptanalytic models.

Fault Analysis: In fault analysis, the cryptanalyst applies some kind of physical influence on the internal state of the cryptosystem, such as ionizing radiation which flips random bits in the memory of the device. By careful study of the results of computations under such faults, an attacker may be able to retrieve information about the secret key. Smartcards are especially susceptible to this kind of attack. Fault attacks were first introduced by Boneh et al. [30] in 1996 where they described attacks that targeted the RSA public key cryptosystem by exploiting a faulty Chinese Remainder Theorem computation to factor the modulus n.

Subsequently, fault analysis attacks were extended to symmetric systems such as DES [19] and later to AES [48] and other primitives. Fault analysis attacks became a more serious threat after cheap and low-tech methods of applying faults were presented (e.g., [6, 126]).

Hoch and Shamir [58] addressed the problem of fault analysis of stream ciphers in 2004. Ciphers based on LFSRs, LILI-128, SOBER-t32 and also RC4 were analyzed and it has been shown that none of these constructions are secure in the random-location fault model, i.e., in the case where the attacker can not choose the exact location of induced faults. As for RC4, the key recovery attack required $2^{16}$ faults and $2^{26}$ keystream words.

In [17], Biham et al. assessed the RC4 stream cipher in the chosen-location model, where an attacker chooses a location at which a fault is induced. An interesting idea to push the cipher into a specific state called a Finney state, by means of inducing faults, is used to find the secret internal state of RC4. A Finney state is a state in which RC4 in normal mode of operation, i.e., without faults, can not enter. However, once the internal state is artificially pushed into one of the Finney states, it can not go out anymore, the length of a cycle becomes very small and, what is more, the secret S table can be read solely by looking at the keystream output. The attack required $2^{16}$ chosen-location faults. Another, more advanced fault analysis attack on RC4 which requires $2^{10}$ faults was also introduced in the same paper.
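As an added illustration of the CRT fault attack of Boneh et al. [30] described above (example code written for this page, not from the thesis or the cited paper): textbook RSA-CRT signing with a constructed bit flip in the mod-p half, the gcd step that recovers a factor of n from the single faulty signature, and the verify-before-release check that stops a faulty signature from ever leaving the device. The toy parameters p = 61, q = 53, e = 17 and the message 65 are constructed, not taken from the page.

```python
from math import gcd


def crt_sign(m, p, q, d, inject_fault=False):
    """RSA signature via the Chinese Remainder Theorem.

    inject_fault=True flips one bit of the mod-p half-computation, a
    constructed stand-in for a physical fault (radiation, glitching).
    """
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)          # half-signature mod p
    sq = pow(m, dq, q)          # half-signature mod q
    if inject_fault:
        sp ^= 1                 # corrupt only the mod-p half
    # Garner recombination: s = sq + q * (q^-1 * (sp - sq) mod p)
    q_inv = pow(q, -1, p)
    h = (q_inv * (sp - sq)) % p
    return (sq + h * q) % n


def factor_from_faulty_signature(m, s_faulty, n, e):
    """Boneh-DeMillo-Lipton observation: a signature that is wrong mod p
    but right mod q satisfies s^e == m (mod q) only, so
    gcd(s^e - m, n) reveals q.  Works from one faulty signature."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def sign_with_check(m, p, q, d, e, inject_fault=False):
    """Countermeasure: re-verify with the public exponent before release.
    Returns None (no output) when the signature does not verify."""
    n = p * q
    s = crt_sign(m, p, q, d, inject_fault)
    if pow(s, e, n) != m:
        return None
    return s


if __name__ == "__main__":
    p, q, e, d, m = 61, 53, 17, 2753, 65           # constructed toy key
    s_bad = crt_sign(m, p, q, d, inject_fault=True)
    print("recovered factor:", factor_from_faulty_signature(m, s_bad, p * q, e))
    print("checked signer output under fault:", sign_with_check(m, p, q, d, e, True))
```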

Timing Analysis: The majority of optimized implementations of cryptographic algorithms execute the computation in a non-constant time. If these operations involve secret parameters, these timing variations can leak some information that can provide enough critical knowledge to recover secret information. Timing attacks were first introduced in 1996 by Kocher [83] who demonstrated the power of these attacks against the RSA cryptosystem. Subsequently, Schindler [4] presented timing attacks on the implementation of RSA exponentiation that employs the Chinese Remainder Theorem. Other uses of timing attacks can be found in [45, 57].

A particular type of timing analysis, called cache-timing analysis, was proposed in 2005 by Osvik et al. [113]. A simple cache-timing attack in a scenario where the attacker and the legitimate user share the same CPU, named prime-then-probe, is as follows. First, the attacker fills the cache with data and then stops using the CPU. Then, the legitimate user performs the encryption on the CPU. Finally, the attacker measures loading times and finds which of his data has been removed from the cache. It should be noted that the attacker does not learn the content of the cache registers, but only positions that have been used by the legitimate user. From such information, a cipher's internal values leak and can lead to the recovery of the secret key. An important example of ciphers particularly vulnerable to cache-timing analysis is the Advanced Encryption Standard (AES) [31, 113]. Bertoni et al. [13] describe how cache misses can be used for cryptanalysis.

As for the stream ciphers, a cache-timing model was applied to analyze the HC-256 stream cipher by Zenner [138], where, given 6148 precise cache measurements and computational effort equivalent to around $2^{55}$ key tries in the brute force setting, the secret internal state of the stream cipher can be recovered. In [88], Leander et al. have shown how to apply cache-timing attacks against Linear Feedback Shift Register based stream ciphers. In particular, it was shown how to recover the secret key for SOSEMANUK [12], another software oriented eStream finalist, given the precise cache measurements in 40 and 60 clocks of the cipher, respectively.
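To make the non-constant-time point of the timing-analysis paragraphs concrete (an added example for this page, not code from the thesis or from Kocher's paper): a textbook left-to-right square-and-multiply exponentiation, whose multiplication count grows with the Hamming weight of the secret exponent, beside a Montgomery ladder that performs exactly two multiplications per exponent bit regardless of its value. Operation counts stand in for measured execution time; the modulus and exponents are constructed.

```python
def square_and_multiply(base, exp, mod):
    """Textbook modular exponentiation.

    Returns (result, multiplications).  The conditional multiply on a
    1-bit makes the count, and hence the running time, depend on the
    secret exponent: this is the leak Kocher's attack [83] exploits.
    """
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod):
    """Same exponentiation with a regular operation schedule.

    Invariant r1 == r0 * base (mod mod).  Every bit costs two
    multiplications, so the count is fixed by the bit length alone.
    A hardened implementation additionally removes the data-dependent
    branch (e.g. with a constant-time swap); this version only equalises
    the arithmetic work, which is the property measured here.
    """
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        mults += 2
    return r0, mults


def operation_counts(func, exps, mod, base=3):
    """Map each exponent to the multiplication count func needs for it."""
    return {e: func(base, e, mod)[1] for e in exps}


if __name__ == "__main__":
    exps = [0b10000000, 0b10101010, 0b11111111]     # same bit length, different weight
    print("square-and-multiply:", operation_counts(square_and_multiply, exps, 1009))
    print("montgomery ladder:  ", operation_counts(montgomery_ladder, exps, 1009))
```

The first dictionary shows three different counts for three 8-bit exponents, the second shows the same count for all of them; a real attack measures time rather than counting, but the dependence it exploits is the one made visible here.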

Power Analysis Attacks: Useful information about the operations being executed in cryptographic hardware can leak through power consumption information. Power analysis has been shown to be effective against smart cards and embedded devices. In general, power analysis attacks [84] can be either simple power analysis (SPA) or differential power analysis (DPA). In SPA attacks, using the measured power traces, the attacker guesses what instruction is being carried out at a specific time as well as the input and the output values of the instruction. Such analysis requires the attacker to know the exact structure of the implementation. In contrast, DPA attacks do not require detailed knowledge of the implementation and utilize statistical methods in the process. Experimental results of power analysis against smartcards have been reported in [5, 114].

3 A heuristic for finding compatible differential