Enhanced DES Implementation Secure against High-Order Differential Power Analysis in Smartcards

Jiqiang Lv and Yongfei Han
ONETS Wireless&Internet Security Tech. Co., LTD.
No.29, East Chuangye Road, Shangdi Information Industry Base, Haidian District, Beijing, China 100085
lvjiqiang AT hotmail.com, yongfei han AT onets.com.cn

Abstract. Since Differential Power Analysis (DPA) on DES in smartcards was first published by Kocher et al. in 1999, many countermeasures have been proposed to protect cryptographic algorithms from the attack, of which masking is an efficient and easily implemented method. In this paper, after showing some attacks on Akkar et al.'s improved DES implementation from FSE'04, we list and prove some basic requirements that a DES implementation using masking methods must meet to resist High-Order DPA attacks, then present an enhancement of Akkar et al.'s DES implementation, which requires only three random 32-bit masks and six additional S-Boxes to be generated for every computation. Finally, we prove that three random 32-bit masks and six additional S-Boxes are the minimal cost for a DES implementation that masks all the outputs of the S-Boxes of the sixteen rounds to be secure against High-Order DPA attacks.

Key words: Smart-cards; DES; Simple power analysis (SPA); (High-Order) Differential power analysis (DPA); Boolean masking

1 Introduction

Differential Power Analysis (DPA) [9, 10] was introduced by Kocher et al. in 1998 and subsequently published in 1999. It starts from the observation that an attacker can obtain much more information than the inputs and outputs of an algorithm, such as the electric consumption or the electromagnetic radiation of the circuit during execution, and then tries to extract information about the secret key by studying the power consumption of the device while the algorithm runs. To secure cryptographic algorithms against DPA attacks, two main categories of countermeasures have been presented so far. In one direction, Goubin et al. [7] and Chari et al. [4] described a generic countermeasure consisting in "splitting" all the intermediate variables using a secret sharing principle. Its drawback is that it greatly increases the computation time and the memory required, which is a weakness in constrained environments such as smart-cards. In the other direction, Messerges [12] proposed a general method that "masks" all the intermediate data, which is possible if all the fundamental operations used in a given algorithm can be rewritten to take masked input data and give masked output data. Since the masking method is easy and efficient to implement in some algorithms, DES among them, it has received extensive research [1, 5, 6, 8]. Both main methods have been proven secure against the initial DPA attacks; however, they do not take into consideration more elaborate attacks, called High-Order DPA attacks, which study correlations between the secret data and several points of the electric consumption curves [10, 11]. To protect some secret-key cryptographic algorithms against High-Order DPA attacks, Akkar and Giraud introduced a new countermeasure called the Unique Masking Method and applied it to a DES implementation [2]. Unfortunately, based on the fact that the output of the S-Box of the second round is unmasked, Akkar, Bévan and Goubin recently presented an enhanced DPA attack on Akkar and Giraud's DES implementation using the Unique Masking Method, and they finally gave an improved DES implementation using the Unique Masking Method to avoid this enhanced DPA attack [3].

In this paper, after briefly describing DPA and High-Order DPA attacks in Section 2, we show in Section 3 that Akkar et al.'s improved DES implementation is still vulnerable to High-Order DPA attacks. Then, to achieve both security and performance, we list and prove some basic requirements for a DES implementation using masking methods to resist (High-Order) DPA attacks in Section 4. In Section 5, we present an enhancement of Akkar et al.'s DES implementation, which requires only three random 32-bit masks and six additional S-Boxes to be generated for every computation. In addition, we prove that three random 32-bit masks and six additional S-Boxes are the minimal cost for a DES implementation masking all the outputs of the S-Boxes of the sixteen rounds to be secure against High-Order DPA attacks. In Section 6, we discuss the security and performance of the enhanced DES implementation. Conclusions and future work are given in Section 7.

Publication note: This paper was published in Proceedings of ACISP'05 (The Tenth Australian Conference on Information Security and Privacy), Brisbane, Australia, C. Boyd and J.M. González Nieto (eds), Volume 3574 of Lecture Notes in Computer Science, pp. 195–206, Springer-Verlag, 2005.

2 DPA and High-Order DPA

The DPA attack initially focused on DES [13] and can be performed as follows (cited from [7]):

Step 1: We measure the consumption on the first round for 1000 (for example) DES computations. We denote by $M_1, \dots, M_{1000}$ the input values of those 1000 computations and by $C_1, \dots, C_{1000}$ the 1000 electric consumption curves measured during the computations. We also compute the mean curve $MC$ of those 1000 consumption curves.

Step 2: We focus for instance on the first output bit (as the target bit) of the first S-Box during the first round. Let $b$ be the value of that bit. It is easy to see that $b$ depends on only 6 bits of the secret key. We make a hypothesis on the 6 bits involved. We compute the expected (theoretical) values for $b$ from those 6 bits and from the $M_i$ ($i = 1, \dots, 1000$). This enables us to separate the 1000 inputs $M_1, \dots, M_{1000}$ into two categories: those giving $b = 0$ and those giving $b = 1$.

Step 3: We now compute the mean $MC_0$ of the curves corresponding to inputs of the first category. If $MC$ and $MC_0$ show an appreciable difference, much greater than the standard deviation of the measured noise in a statistical sense, we consider that the chosen values for the 6 key bits were correct. If $MC$ and $MC_0$ do not show any noticeable difference, we repeat Step 2 with another choice for the 6 bits.

Step 4: We repeat Steps 2 and 3 with a "target" bit $b$ in the second S-Box, the third, ..., up to the eighth S-Box. As a result, we finally obtain 48 bits of the secret key.

Step 5: The remaining 8 bits can be found by exhaustive search.

This attack relies on the following fundamental hypothesis [2]:

Fundamental Hypothesis (Order 1). There exists an intermediate variable, appearing during the computation of the algorithm, such that knowing a few key bits (in practice less than 32 bits) allows one to decide whether two inputs (respectively two outputs) give or not the same value for a known function of this variable.

High-Order DPA attacks generalize DPA: the attacker now computes statistical correlations between the electric consumptions considered at several instants. More precisely, an $n$-th order DPA attack takes into account $n$ values of the consumption signal, which correspond to $n$ intermediate values occurring during the computation. These attacks rely on the following fundamental hypothesis [2]:

Fundamental Hypothesis (Order $n$). There exists a set of $n$ intermediate variables, appearing during the computation of the algorithm, such that knowing a few key bits (in practice less than 32 bits) allows one to decide whether two inputs (respectively two outputs) give or not the same value for a known function of these $n$ variables.

3 Attacks on Akkar, Bévan and Goubin's Improved DES Implementation Using Unique Masking Method

In this section, we briefly review Akkar et al.'s improved DES implementation using the Unique Masking Method, and then show our attacks.

3.1 Akkar, Bévan and Goubin's Improved DES Implementation Using Unique Masking Method

The Unique Masking Method [2] aims at providing a generic protection against DPA of any order. The two principles of this method are, first, to mask only the values that depend on less than 32 bits of the key in order to prevent DPA, and second, that independent intermediate variables depending on less than 32 bits of the key should not be masked by the same value, in order to thwart High-Order DPA. After generating a 32-bit value $\alpha$ according to their proposed method, Akkar et al. first defined two new functions $\hat S_1$ and $\hat S_2$ based on the original DES S-Box function $S$:
$$\forall x\in\{0,1\}^{48}:\ \hat S_1(x) = S(x\oplus E(\alpha)), \qquad \forall x\in\{0,1\}^{48}:\ \hat S_2(x) = S(x)\oplus P^{-1}(\alpha).$$
Then, they defined $f_{K_i}$ to be the composition of $E$, the XOR with the $i$-th round subkey $K_i$, the S-Box and the permutation $P$. Finally, they defined $\hat f_{1,K_i}$ and $\hat f_{2,K_i}$ by replacing $S$ in $f_{K_i}$ with $\hat S_1$ and $\hat S_2$, respectively. Using the functions $f$, $\hat f_{1,K_i}$ and $\hat f_{2,K_i}$, they obtained 5 types of rounds using masked or unmasked values:

– A-type: The left and the right parts of the input are unmasked, and the function is $f$. Therefore, the left and the right parts of the output will also be unmasked.
– B-type: The left and the right parts of the input are unmasked, but the function is $\hat f_2$. Therefore, the left part of the output will be unmasked, but the right part will be masked.
– C-type: The left part of the input is unmasked, but the right part is masked, and the function is $\hat f_1$. Therefore, the left part of the output will be masked while the right part will be unmasked.
– D-type: The left part of the input is masked, but the right part is unmasked, and the function is $f$. Therefore, the left part of the output will be unmasked while the right part will be masked.
– E-type: The left part of the input is masked, but the right part is unmasked, and the function is $\hat f_2$. Therefore, the left and the right parts of the output will both be unmasked.

To resist DPA attacks of any order, they gave a compatible 16-round DES implementation as follows:
$$IP - B_{\alpha_1} C_{\alpha_1} D_{\alpha_1} C_{\alpha_1} D_{\alpha_1} C_{\alpha_1} E_{\alpha_1}\; B_{\alpha_2} C_{\alpha_2} D_{\alpha_2} C_{\alpha_2} D_{\alpha_2} C_{\alpha_2} D_{\alpha_2} C_{\alpha_2} E_{\alpha_2} - FP,$$
where $FP$ represents the final permutation of the DES without countermeasures and $B_{\alpha_1}$ (and similarly for the others) denotes that the round is a B-type round with the mask $\alpha_1$. Furthermore, they pointed out that if one wants the mask never to appear several times, even on values depending on more than 36 bits of the key, one can use the following combination instead of the above one:
$$IP - B_{\alpha_1} C_{\alpha_1} E_{\alpha_1}\; AAAAAAAAAA\; B_{\alpha_2} C_{\alpha_2} E_{\alpha_2} - FP.$$
It is even possible to add two new masks and to mask every value depending on less than 56 bits of the key. However, Akkar, Bévan and Goubin [3] pointed out at FSE'04 that for all the sequences of rounds proposed above, the second round is always a C-type round, and the output of the S-Box of this second round is
$$S\big(E(P(S(K_1\oplus E(IP(M)_{32-63})))\oplus IP(M)_{0-31}\oplus\alpha_1)\oplus K_2\oplus E(\alpha_1)\big) = S\big(E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus K_2\oplus E(IP(M)_{0-31})\big).$$

It is unmasked and stays unmasked after being XORed with the left part of the message, which makes it vulnerable to the attack shown in [3]. Finally, to improve the DES implementation by masking the output of the second round, they pointed out that one can use a different mask, but that the use of $\alpha_1$ is not forbidden, since the bits that are masked by the same value depend on 42 bits of the key; so they defined one more function $\hat f_{3,K_i}$ with the modified S-Boxes $\hat S_3(x)$ such that
$$\forall x\in\{0,1\}^{48}:\ \hat S_3(x\oplus E(\alpha_1)) = S(x)\oplus P^{-1}(\alpha_1).$$
Hereafter, the output of the S-Boxes of the second round in the improved DES implementation is
$$\begin{aligned}
&\hat S_3\big(E(P(S(K_1\oplus E(IP(M)_{32-63})))\oplus IP(M)_{0-31}\oplus\alpha_1)\oplus K_2\big)\\
&= \hat S_3\big(E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus E(IP(M)_{0-31})\oplus E(\alpha_1)\oplus K_2\big)\\
&= S\big(E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus K_2\oplus E(IP(M)_{0-31})\big)\oplus P^{-1}(\alpha_1).
\end{aligned}\tag{1}$$
Note that in every encryption there is a random and different value $P^{-1}(\alpha_1)$, unknown to the attacker, in Eqn. (1), so the attacker can no longer classify the messages correctly into two groups, which disables the above attack.

3.2 Our Attacks

Our attacks are based on the fact that the same mask appears in the outputs of the S-Boxes of the first two rounds of Akkar et al.'s improved DES implementation using the Unique Masking Method. In that implementation (Section 3.1), one can see that:

Step 1: The output of the S-Box of the first round is
$$S(K_1\oplus E(IP(M)_{32-63}))\oplus P^{-1}(\alpha_1).\tag{2}$$

Step 2: The output of the S-Box of the second round is Eqn. (1).

Step 3: By taking the XOR of the outputs of the S-Boxes of the first two rounds in this DES implementation (that is, the XOR of Eqns. (1) and (2)), we get a value $\hat T$ as
$$\hat T = S\big(\underline{E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus K_2}\oplus E(IP(M)_{0-31})\big)\oplus S(K_1\oplus E(IP(M)_{32-63})).\tag{3}$$

Note that the random value $P^{-1}(\alpha_1)$ vanishes in Eqn. (3), and hereafter we have two methods to perform an attack.

The first one: By fixing the right 32 bits of each message after $IP$ to some arbitrary value and letting the left 32 bits change to get enough inputs, we can correctly get the underlined value in Eqn. (3), and $K_1$ simultaneously, by performing a High-Order DPA attack similar to Akkar and Giraud's superposition attack in [2].

The second one: Note that after making a hypothesis on $K_1$, if $IP(M)_{32-63}$ is set to some arbitrary but fixed value, then $S(K_1\oplus E(IP(M)_{32-63}))$ will also be fixed. Consequently, if we classify the 1000 electric consumption curves corresponding to some 1000 inputs (the right 32 bits of each message after $IP$ fixed to a constant and the left 32 bits different) according to some target bit in $\hat T$, we also classify them correctly into the same two groups according to the corresponding bit in $S(E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus K_2\oplus E(IP(M)_{0-31}))$. Therefore, after fixing the right 32 bits of each message after $IP$ to some constant $M_A$ and letting the left part change to get enough inputs, we can perform a DPA attack with some chosen messages to acquire the value $\theta_A = K_2\oplus E(P(S(K_1\oplus E(M_A))))$. Again, after fixing the right 32 bits of each message after $IP$ to another value $M_B$ different from $M_A$, we can perform another DPA attack with some other chosen messages to acquire a similar value $\theta_B = K_2\oplus E(P(S(K_1\oplus E(M_B))))$. After taking the XOR of the two acquired values $\theta_A$ and $\theta_B$, we finally get the equation
$$S(K_1\oplus E(M_A))\oplus S(K_1\oplus E(M_B)) = P^{-1}(E^{-1}(\theta_A\oplus\theta_B)),$$
where $E^{-1}$ is the inverse of $E$. The differential properties of $S$ give us about 4 possibilities for each subkey. Since there are 8 subkeys and, furthermore, we also need to find the 8 bits which are not in $K_1$, this gives us $4^8\cdot 2^8 = 2^{24}$ possibilities for the key, which can be exhausted in several seconds on a PC.

4 Basic Requirements for DES Implementation Using Masking Methods to Be Secure against DPA Attacks

4.1 Basic Requirements

Due to the diffusion property of the E and P permutations and of the S-Boxes in the DES, DPA attacks make use of the first two and the last two rounds. For a DES implementation using masking methods to resist (High-Order) DPA attacks, at least the following five requirements should be met:

– Req. 1. Every crucial intermediate value should be masked by some random integer.
– Req. 2. The XOR of the outputs of the S-Boxes of the first and the last rounds of the DES implementation using a masking method should be masked by some random integer.
– Req. 3. The XOR of the outputs of the S-Boxes of the first two (the last two) rounds of the DES implementation using a masking method should be masked by some random integer.
– Req. 4. The XOR of the outputs of the S-Boxes of the second round and the last round (the first round and the second-to-last round) of the DES implementation using a masking method should be masked by some random integer.
– Req. 5. The XOR of the outputs of the S-Boxes of the first two rounds and the last round (the first round and the last two rounds) of the DES implementation using a masking method should be masked by some random integer.

4.2 Proof

From the existing literature, we can learn why Req. 1 and 2 should be met. Let us show why Req. 3 to 5 should be satisfied, one by one:

Req. 3: From Section 3.2, we can learn why the case of the first two rounds must be satisfied to resist High-Order DPA attacks. The attacks for the case of the last two rounds are similar, except that we should get enough outputs that have the same right 32 bits, which may be impossible in practice, but is feasible in theory.

Req. 4: Suppose there exists a DES implementation using a masking method in which Req. 4 is not satisfied, that is, the XOR of the outputs of the S-Boxes of the second and the last rounds (or of the first and the second-to-last rounds) is not masked by a random integer. Let us show the attack in the case of the second round and the last round. We assume that $C$ is the output corresponding to the input $M$ in this supposed DES implementation. Then the value before the Final Permutation is $FP^{-1}(C)$, therefore we get
$$\mathrm{RoriDES}_{16} = FP^{-1}(C)_{0-31},\qquad \mathrm{LoriDES}_{16}\,(=\mathrm{RoriDES}_{15}) = FP^{-1}(C)_{32-63},\tag{4}$$
where $\mathrm{RoriDES}_i$ and $\mathrm{LoriDES}_i$ denote the right and left 32 bits of the final result of the $i$-th round in the DES without countermeasures, respectively. Finally, we can deduce
$$\begin{aligned}
\mathrm{LoriDES}_{15}\,(=\mathrm{RoriDES}_{14}) &= P(S(K_{16}\oplus E(FP^{-1}(C)_{32-63})))\oplus FP^{-1}(C)_{0-31},\\
\mathrm{LoriDES}_{14} &= P\big(S(E(P(S(K_{16}\oplus E(FP^{-1}(C)_{32-63}))))\oplus K_{15}\oplus E(FP^{-1}(C)_{0-31}))\big)\oplus FP^{-1}(C)_{32-63}.
\end{aligned}\tag{5}$$
By using Eqn. (4), we can get the XOR of the outputs of the S-Boxes of the second and the last rounds as follows:
$$\begin{aligned}
&S(K_2\oplus E(\mathrm{RoriDES}_1))\oplus S(K_{16}\oplus E(\mathrm{RoriDES}_{15}))\\
&= S\big(\underline{K_2\oplus E(P(S(K_1\oplus E(IP(M)_{32-63}))))}\oplus E(IP(M)_{0-31})\big)\oplus S(K_{16}\oplus E(FP^{-1}(C)_{32-63})).
\end{aligned}\tag{6}$$
Then, after fixing the right 32 bits of each message after $IP$ to some arbitrary value and letting the left 32 bits change to get enough inputs, we can easily get the correct underlined value in Eqn. (6) and $K_{16}$ simultaneously, by performing a High-Order DPA attack similar to Akkar and Giraud's superposition attack in [2], provided that we can choose the inputs and get their respective outputs. The case of the first and the second-to-last rounds is similar, except that we should get enough ciphertexts that have the same right 32 bits, which may be impossible in practice, but is feasible in theory.

Note: The DES implementation in [1] is vulnerable to the corresponding attacks above, besides Akkar and Giraud's superposition attack in [2].

Req. 5: Suppose there exists a DES implementation using a masking method in which Req. 5 is not satisfied, that is, the XOR of the outputs of the S-Boxes of the first two rounds and the last round (or of the first round and the last two rounds) is not masked by a random integer. Then, by taking the XOR of the outputs of the S-Boxes of the first two rounds and the last round in this DES implementation, we get the following value:
$$S\big(\underline{E(P(S(K_1\oplus E(IP(M)_{32-63}))))\oplus K_2}\oplus E(IP(M)_{0-31})\big)\oplus S(K_1\oplus E(IP(M)_{32-63}))\oplus S(K_{16}\oplus E(FP^{-1}(C)_{32-63})).\tag{7}$$
If we can choose the inputs and get their respective outputs, then, after fixing the right 32 bits of each message after $IP$ to some arbitrary value and letting the left 32 bits change to get enough inputs, we can easily get the correct underlined value in Eqn. (7), $K_1$ and $K_{16}$ simultaneously, by performing a High-Order DPA attack similar to Akkar and Giraud's superposition attack in [2], except that here we get three 6-bit values instead of two each time. The case of the first round and the last two rounds is similar, except that we should get enough ciphertexts that have the same right 32 bits.

5 Enhanced DES Implementation Secure against High-Order Differential Power Analysis

5.1 Enhanced DES Implementation

The proposed enhancement requires only three random masks and six additional S-Boxes to be generated for every computation; apart from the S-Box used in each of the sixteen rounds, it is the same as the DES without countermeasures. After generating three different random 32-bit values $X_1$, $X_2$ and $X_3$, we first define six new S-Boxes based on the original DES S-Box function $S$. For all $x\in\{0,1\}^{48}$, the S-Box $\hat S(x)$ of every round is as follows:
$$\begin{array}{ll}
\text{Round } 1, 6, 11, 12: & \hat S(x) = S(x)\oplus P^{-1}(X_1)\\
\text{Round } 2, 5, 10, 13: & \hat S(x) \text{ such that } \hat S(x\oplus E(X_1)) = S(x)\oplus P^{-1}(X_2)\\
\text{Round } 3, 4: & \hat S(x) \text{ such that } \hat S(x\oplus E(X_2)) = S(x)\oplus P^{-1}(X_1\oplus X_2)\\
\text{Round } 7, 16: & \hat S(x) = S(x)\oplus P^{-1}(X_3)\\
\text{Round } 8, 15: & \hat S(x) \text{ such that } \hat S(x\oplus E(X_3)) = S(x)\oplus P^{-1}(X_2)\\
\text{Round } 9, 14: & \hat S(x) \text{ such that } \hat S(x\oplus E(X_2)) = S(x)\oplus P^{-1}(X_1\oplus X_3)
\end{array}$$
Then, we define $\hat f_{j,K_j}$ by replacing $S$ in $f_{K_j}$ with the S-Box of the $j$-th round, for $j = 1, \dots, 16$. Finally, we get the enhanced DES implementation by replacing the original Feistel function in the $j$-th round of Akkar et al.'s DES implementation with the new one, $\hat f_{j,K_j}$. It is easy to see that the enhanced DES implementation meets all the requirements in Section 4.1.
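The following Python program is an added example; it is not code from the paper or from Akkar et al.'s implementation. It builds masked S-box tables of the general form $\hat S(x\oplus E(a)) = S(x)\oplus P^{-1}(b)$, which covers $\hat S_1$, $\hat S_2$ and $\hat S_3$ of Section 3.1 as well as the six tables of Section 5.1, runs the Section 5.1 round schedule, and checks that the output is unchanged while every S-box output, and every XOR combination named in Req. 2 to 5, still carries a mask. It also reproduces the cancellation of Eqn. (3) for rounds 1 and 2 of the FSE'04 implementation. The Feistel parameters (16-bit block, 8-bit halves, a randomly generated 12-to-8-bit S table, a rotation as P) are toy assumptions chosen so the whole thing fits here; they are not the DES tables, but the mask algebra relies only on E and P being linear, which the toy preserves.

```python
import random

# Toy Feistel parameters, assumed for this example (not the DES tables):
# 16-bit block, 8-bit halves, E: 8 -> 12 bits, S: 12 -> 8 bits, P: 8-bit
# rotation. Only what the masking argument relies on is kept: E and P are
# linear over XOR, and P is invertible.
HALF_MASK = 0xFF
E_BITS = 12

def E(x):
    """Linear expansion: E(a ^ b) == E(a) ^ E(b)."""
    return (x << 4) | (x & 0xF)

def P(y):
    """Linear permutation of the 8-bit half (rotate left by 3)."""
    return ((y << 3) | (y >> 5)) & HALF_MASK

def P_inv(y):
    """Inverse of P (rotate right by 3)."""
    return ((y >> 3) | (y << 5)) & HALF_MASK

_rng = random.Random(2005)   # fixed seed: a reproducible, constructed toy S table
S_TABLE = [_rng.randrange(256) for _ in range(1 << E_BITS)]

def masked_table(in_mask, out_mask):
    """Table T satisfying T(x ^ E(in_mask)) == S(x) ^ P_inv(out_mask).
    S-hat_1 of Section 3.1 is (alpha, 0), S-hat_2 is (0, alpha), S-hat_3 is
    (alpha1, alpha1); the six tables of Section 5.1 are the pairs listed there."""
    ea, pb = E(in_mask), P_inv(out_mask)
    return [S_TABLE[x ^ ea] ^ pb for x in range(1 << E_BITS)]

def feistel(block, subkeys, tables):
    """Run one table per round (no final swap). Returns (output, list of
    per-round S-box outputs). Masks are never handled explicitly: they
    ride along inside the data, as they would in a smartcard."""
    L, R = block >> 8, block & HALF_MASK
    sbox_out = []
    for k, T in zip(subkeys, tables):
        s = T[E(R) ^ k]            # k is a 12-bit toy subkey
        sbox_out.append(s)
        L, R = R, L ^ P(s)
    return (L << 8) | R, sbox_out

def enhanced_schedule(X1, X2, X3):
    """(input mask, output mask) of the S-box used in each round, read off
    the Section 5.1 table for rounds 1..16."""
    spec = {1: (0, X1), 2: (X1, X2), 3: (X2, X1 ^ X2), 4: (X2, X1 ^ X2),
            5: (X1, X2), 6: (0, X1), 7: (0, X3), 8: (X3, X2),
            9: (X2, X1 ^ X3), 10: (X1, X2), 11: (0, X1), 12: (0, X1),
            13: (X1, X2), 14: (X2, X1 ^ X3), 15: (X3, X2), 16: (0, X3)}
    return [spec[r] for r in range(1, 17)]

def check_enhanced(block, subkeys, X1, X2, X3):
    """Encrypt with the Section 5.1 schedule and with the plain S table.
    Returns (outputs agree, per-round XOR of masked and plain S-box outputs);
    each entry of the list is the mask actually present on that round's
    S-box output and should equal P_inv(output mask)."""
    sched = enhanced_schedule(X1, X2, X3)
    out, masked = feistel(block, subkeys, [masked_table(a, b) for a, b in sched])
    ref, plain = feistel(block, subkeys, [S_TABLE] * 16)
    return out == ref, [m ^ p for m, p in zip(masked, plain)]

def fse04_rounds_1_2_residual(block, subkeys, alpha1):
    """Rounds 1 and 2 of Akkar et al.'s FSE'04 implementation: S-hat_2 in
    round 1 and S-hat_3 in round 2, both built with alpha1. Returns the mask
    left on the XOR of the two S-box outputs, i.e. on the value of
    Eqn. (3): P_inv(alpha1) ^ P_inv(alpha1), which is always 0."""
    tables = [masked_table(0, alpha1), masked_table(alpha1, alpha1)]
    _, masked = feistel(block, subkeys[:2], tables)
    _, plain = feistel(block, subkeys[:2], [S_TABLE] * 2)
    return (masked[0] ^ masked[1]) ^ (plain[0] ^ plain[1])

if __name__ == "__main__":
    krng = random.Random(1)                       # constructed toy subkeys
    keys = [krng.randrange(1 << E_BITS) for _ in range(16)]
    X1, X2, X3 = 0x5A, 0xC3, 0x3C                 # three distinct masks
    ok, masks = check_enhanced(0x1234, keys, X1, X2, X3)
    print("output unchanged by masking:", ok)
    print("rounds 1^2 still masked by P_inv(X1^X2):", masks[0] ^ masks[1] == P_inv(X1 ^ X2))
    print("FSE'04 rounds 1^2 residual mask:", fse04_rounds_1_2_residual(0x1234, keys, X1))
```

The per-round masks returned by `check_enhanced` are exactly $P^{-1}$ of the output masks in the Section 5.1 table, so XORing the entries for rounds 1, 2, 15 and 16 shows directly which mask survives in each of the combinations of Req. 2 to 5; the same XOR for the FSE'04 rounds 1 and 2 gives 0, which is the observation behind Eqn. (3).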

5.2 Why three 32-bit random masks and six additional S-Boxes are the minimal cost for a secure DES implementation masking all the outputs of the S-Boxes of the sixteen rounds

Theorem 1. To resist High-Order DPA attacks, a DES implementation with all the outputs of the S-Boxes of the sixteen rounds masked requires at least 3 random masks.

Proof: (trivial; it follows directly from Req. 2 to 5.)

Theorem 2. To resist High-Order DPA attacks, a DES implementation with all the outputs of the S-Boxes of the sixteen rounds masked requires at least 6 additional S-Boxes to be generated from the S-Box of the DES without countermeasures.

The proof of Theorem 2 is given in the Appendix.

6 Discussion of the Proposed Enhanced DES Implementation

6.1 Security

Without going into detail, one can deduce that the output of the S-Box of every round is masked by some mask. Therefore, the proposed DES implementation thwarts SPA and first-order DPA attacks. Let us consider the security against High-Order DPA attacks. From the fundamental hypothesis of order $n$ in Section 2, one can see that, to perform an $n$-th order DPA attack, an attacker must know $n$ intermediate values such that knowing a few key bits (in practice less than 32 bits) allows him to decide whether two inputs (respectively two outputs) give or not the same value for a known function of these $n$ variables. Due to the diffusion property of the E and P permutations and of the S-Boxes in the DES, the possible intermediate values for a High-Order DPA attack are therefore the following combinations: the outputs of the S-Boxes of the first two (or the last two) rounds; the outputs of the S-Boxes of the first and the last rounds; the outputs of the S-Boxes of the second and the last (or the first and the fifteenth) rounds; and the outputs of the S-Boxes of the first two rounds and the last round (or the first round and the last two rounds), which are exactly the combinations of Req. 2 to 5. All the other combinations violate the fundamental hypothesis (in practice less than 32 bits) of Section 2. Note that each of the XORed values of the above combinations always carries some random mask, namely $P^{-1}(X_1\oplus X_2)$ (respectively $P^{-1}(X_2\oplus X_3)$), $P^{-1}(X_1\oplus X_3)$, $P^{-1}(X_2\oplus X_3)$ (respectively $P^{-1}(X_1\oplus X_2)$), and $P^{-1}(X_1\oplus X_2\oplus X_3)$, in the order listed. Since the masks change for every encryption, the attacker cannot correctly decide whether two inputs or outputs give or not the same value. Therefore, the enhanced DES implementation also resists High-Order DPA attacks. For the other security considerations, please refer to Akkar et al.'s DES implementations in [2, 3].

6.2 Performance

The proposed enhanced DES implementation requires six additional S-Boxes to be generated from the original S-Box in advance, which takes 288 "⊕" operations and 338 "=" operations per computation. In [2], Akkar and Giraud presented a DES implementation that needs four additional S-Boxes to be generated, requiring 192 "⊕" operations and 192 "=" operations. The subsequent execution is the same for their implementation and for the proposed enhancement: both execute like the DES without countermeasures. Akkar and Giraud showed that the execution time of their DES implementation on an ST19 component is about 40 ms per encryption. Therefore, if it were also implemented on an ST19 component, the proposed enhanced DES implementation would take more than 40 ms, but less than 338/192 times 40 ms in the worst case, which shows that it is applicable in a smart-card environment. But, as shown in Section 3.2, Akkar et al.'s DES implementation [2] and their recent improved DES implementation [3] are both vulnerable to High-Order DPA attacks.

7 Conclusion and Future Works

Masking is an efficient and easily implemented method to counteract the DPA attack. In this paper, we first showed some attacks on Akkar et al.'s improved DES implementation presented at FSE'04. Then, we listed and proved some basic requirements for a DES implementation using masking methods to resist (High-Order) DPA attacks, and presented an enhancement of Akkar et al.'s DES implementation, which requires only three random 32-bit masks and six additional S-Boxes to be generated for every computation. However, the paper does not consider DES implementations with some inner rounds unmasked, since such variants are easy to derive from the enhanced DES implementation. Though we proved that three random 32-bit masks and six additional S-Boxes are the minimal cost for a DES implementation masking all the outputs of the S-Boxes of the sixteen rounds to be secure against High-Order DPA attacks, we have not proved what the minimal cost for a secure DES implementation is, i.e., which of the sixteen rounds must be masked to be secure against High-Order DPA attacks.

Acknowledgements. The authors sincerely th
ank the anonymous referees for their helpful advice to improve this paper.

References

1. M. Akkar and C. Giraud, An Implementation of DES and AES Secure against Some Attacks, Proceedings of CHES'01, LNCS 2162, Springer-Verlag, 2001.
2. M. Akkar and L. Goubin, A Generic Protection against High-Order Differential Power Analysis, Proceedings of FSE'03, LNCS 2887, Springer-Verlag, 2003.
3. M. Akkar, R. Bévan and L. Goubin, Two Power Analysis Attacks against One Mask Method, Proceedings of FSE'04, LNCS 3017, Springer-Verlag, 2004.
4. S. Chari, C. Jutla, J. Rao and R. Rohatgi, Towards Sound Approaches to Counteract Power-Analysis Attacks, Proceedings of Advances in Cryptology – CRYPTO'99, LNCS 1666, Springer-Verlag, 1999.
5. J. Coron and L. Goubin, On Boolean and Arithmetic Masking against Differential Power Analysis, Proceedings of CHES'00, LNCS 1965, Springer-Verlag, 2000.
6. J. Coron and A. Tchulkine, A New Algorithm for Switching from Arithmetic to Boolean Masking, Proceedings of CHES'03, LNCS 2779, Springer-Verlag, 2003.
7. L. Goubin and J. Patarin, DES and Differential Power Analysis – The Duplication Method, Proceedings of CHES'99, LNCS 1717, Springer-Verlag, 1999.
8. L. Goubin, A Sound Method for Switching between Boolean and Arithmetic Masking, Proceedings of CHES'01, LNCS 2162, Springer-Verlag, 2001.
9. P. Kocher, J. Jaffe and B. Jun, Introduction to Differential Power Analysis and Related Attacks, Technical Report, Cryptography Research Inc., 1998. Available from http://www.cryptography.com/dpa/technical/index.html
10. P. Kocher, J. Jaffe and B. Jun, Differential Power Analysis, Proceedings of Advances in Cryptology – CRYPTO'99, LNCS 1666, Springer-Verlag, 1999.
11. T. Messerges, Using Second-Order Power Analysis to Attack DPA Resistant Software, Proceedings of CHES'00, LNCS 1965, Springer-Verlag, 2000.
12. T. Messerges, Securing the AES Finalists Against Power Analysis Attacks, Proceedings of FSE'00, LNCS 1978, Springer-Verlag, 2001.
13. National Bureau of Standards, Data Encryption Standard, Federal Information Processing Standards Publication 46, January 1977.

Appendix: Proof of Theorem 2

If we prove that a DES implementation with all the outputs of the S-Boxes of the sixteen rounds masked cannot be implemented with 5 or fewer additional S-Boxes, then, since the proposed enhanced DES implementation requires six, Theorem 2 is proved. Assume one can implement a DES masking all the outputs of the S-Boxes of the sixteen rounds with 5 or fewer additional S-Boxes.

Step 1. From Theorem 1, we know that the three masks in the outputs of the S-Boxes of the first two rounds and the last round must differ from each other; call them $X_1$, $X_2$ and $X_3$. Then we can conclude that:
1. The right 32 bits of the final result of the first round will be masked by $X_1$, and the left 32 bits will be unmasked;
2. The left 32 bits of the final result of the second round will be masked by $X_1$, and the right 32 bits will be masked by $X_2$;
3. The left 32 bits of the final result of the third round will be masked by $X_2$, and the mask in the right 32 bits is undetermined;
4. The left 32 bits of the final result of the fifteenth round will be masked by $X_3$, and the right 32 bits will be unmasked;
5. The right 32 bits of the final result of the fourteenth round will be masked by $X_3$, and the mask in the left 32 bits is undetermined.
Therefore, four different additional S-Boxes need to be generated from the S-Box of the DES without countermeasures so far, namely
$$\begin{aligned}
\text{First round:}&\quad \hat S(x) = S(x)\oplus P^{-1}(X_1), &(8)\\
\text{Second round:}&\quad \hat S(x) \text{ such that } \hat S(x\oplus E(X_1)) = S(x)\oplus P^{-1}(X_2), &(9)\\
\text{Third round:}&\quad \hat S(x) \text{ such that } \hat S(x\oplus E(X_2)) = S(x)\oplus P^{-1}(X_1\oplus Y_1), &(10)\\
\text{Sixteenth round:}&\quad \hat S(x) = S(x)\oplus P^{-1}(X_3), &(11)
\end{aligned}$$
where $Y_1$ is the mask in the right 32 bits of the final result of the third round. $Y_1$ cannot be $X_1$, otherwise the output of the S-Box of the third round would be unmasked. Therefore, $Y_1\in\{X_2, X_3, NULL\}$, where "$NULL$" means there is no mask, or the mask is a 32-bit string of "0".

Step 2. Consequently, to implement a DES using these three masks and meet the requirements in Section 4.1 simultaneously, one can see that the mask in the output of the S-Box of the fifteenth round can only be $X_2$. Then, since the right 32 bits of the final result of the fifteenth round are unmasked, the mask in the left 32 bits of the final result of the fourteenth round can only be $X_2$, which means that the mask in the right 32 bits of the final result of the thirteenth round is also $X_2$. The mask in the left 32 bits of the final result of the thirteenth round is undetermined. Therefore, the S-Box $\hat S(x)$ of the fifteenth round is such that
$$\hat S(x\oplus E(X_3)) = S(x)\oplus P^{-1}(X_2),\tag{12}$$
and the S-Box of the fourteenth round is such that
$$\hat S(x\oplus E(X_2)) = S(x)\oplus P^{-1}(X_3\oplus Y_2),\tag{13}$$
where $Y_2$ is the mask in the left 32 bits of the final result of the thirteenth round. Similarly, $Y_2\in\{X_1, X_2, NULL\}$.

Step 3. Obviously, Eqns. (8), (9), (11) and (12) all have different forms. Therefore, the only way to implement a DES masking all the outputs of the S-Boxes of the sixteen rounds with 5 additional S-Boxes is to make Eqn. (10) and Eqn. (13) identical, that is, $Y_1 = X_3$ and $Y_2 = X_1$. It follows that the 64-bit mask in the final result of each of the first to the tenth rounds is $NULL\|X_1$, $X_1\|X_2$, $X_2\|X_3$, $X_3\|NULL$, $NULL\|NULL$, $NULL\|X_1$ (or $X_3$), $X_1$ ($X_3$, respectively)$\|X_2$, $X_2\|X_3$ ($X_1$, respectively), $X_3$ ($X_1$, respectively)$\|NULL$, $NULL\|NULL$, and the 64-bit mask in the final result of each of the sixteenth down to the eleventh rounds is $NULL\|NULL$, $X_3\|NULL$, $X_2\|X_3$, $X_1\|X_2$, $NULL\|X_1$, $NULL\|NULL$, respectively. Therefore, there is no mask in the final result of either the tenth round or the eleventh round, which means that the output of the S-Box of the eleventh round is unmasked. So a DES implementation with all the outputs of the S-Boxes of the sixteen rounds masked cannot be implemented with 5 additional S-Boxes. On the other hand, since the proposed enhanced DES implementation needs six additional S-Boxes, Theorem 2 holds.
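As an added example (not from the paper), the Python below tracks masks symbolically through the Feistel network: a mask is a subset of $\{X_1, X_2, X_3\}$ stored as a 3-bit integer, a table is a pair (input mask, output mask) in the sense of Eqns. (8) to (13), and a depth-first search enumerates every 16-round schedule in which each round's table is built for the mask currently on the right half and the final result is unmasked. Run on the five tables the Appendix arrives at ($Y_1 = X_3$, $Y_2 = X_1$) it finds no such schedule, in agreement with the Appendix; run on the six tables of Section 5.1 it finds schedules, among them the one of Section 5.1, that also satisfy Req. 1 to 5 of Section 4.1. The 3-bit encoding and the search are this example's choices, not the paper's.

```python
# Symbolic mask tracking for a masked 16-round Feistel network. A mask is a
# subset of {X1, X2, X3}, encoded as a 3-bit int so that XOR of masks is
# integer XOR (this encoding is the example's choice, not the paper's).
# A table (a, b) stands for an S-box built so that
#     S-hat(x ^ E(a)) == S(x) ^ P^-1(b);
# P^-1 is dropped because P is linear, so the S-box output mask is just b.
X1, X2, X3 = 1, 2, 4
NULL = 0
ROUNDS = 16

def schedules(tables, rounds=ROUNDS):
    """Yield every round-by-round choice of tables such that the table used
    in a round is built for the mask currently on the right half, and the
    final (left, right) masks are both NULL. Depth-first search using the
    Feistel mask step (l, r) -> (r, l ^ b)."""
    def dfs(i, l, r, chosen):
        if i == rounds:
            if (l, r) == (NULL, NULL):
                yield list(chosen)
            return
        for a, b in tables:
            if a == r:                       # input mask must match right half
                chosen.append((a, b))
                yield from dfs(i + 1, r, l ^ b, chosen)
                chosen.pop()
    yield from dfs(0, NULL, NULL, [])

def requirement_failures(schedule):
    """Req. 1 to 5 of Section 4.1 on the S-box output masks of a schedule:
    every listed XOR of S-box outputs must still carry a non-NULL mask.
    Returns the (requirement, rounds) pairs that fail; empty means all hold."""
    m = {i + 1: b for i, (_, b) in enumerate(schedule)}
    combos = {1: [(i,) for i in range(1, 17)],
              2: [(1, 16)],
              3: [(1, 2), (15, 16)],
              4: [(2, 16), (1, 15)],
              5: [(1, 2, 16), (1, 15, 16)]}
    failures = []
    for req, sets in combos.items():
        for rounds in sets:
            acc = NULL
            for i in rounds:
                acc ^= m[i]
            if acc == NULL:
                failures.append((req, rounds))
    return failures

def secure_schedules(tables):
    """Schedules that end unmasked and satisfy Req. 1 to 5."""
    return [s for s in schedules(tables) if not requirement_failures(s)]

# The five tables the Appendix arrives at: Eqns (8), (9), (10) = (13) with
# Y1 = X3 and Y2 = X1, (11) and (12).
APPENDIX_FIVE = [(NULL, X1), (X1, X2), (X2, X1 ^ X3), (X3, X2), (NULL, X3)]
# The six tables of Section 5.1.
ENHANCED_SIX = [(NULL, X1), (X1, X2), (X2, X1 ^ X2),
                (NULL, X3), (X3, X2), (X2, X1 ^ X3)]

if __name__ == "__main__":
    print("5-table schedules ending unmasked:", len(list(schedules(APPENDIX_FIVE))))
    good = secure_schedules(ENHANCED_SIX)
    print("6-table schedules meeting Req. 1-5:", len(good))
```

With the five Appendix tables every path returns the half masks to $NULL\|NULL$ after five rounds and then has no table for the mask left on the right half, or ends the sixteenth round masked, so `schedules` yields nothing; `requirement_failures` can also be applied to any hand-written schedule, and reports Req. 3 for one whose first two rounds share an output mask, which is the situation of Eqn. (3).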
