Side Channel Attacks: Measures and Countermeasures
Isuru Herath, Roshan G. Ragel
Department of Computer Engineering, Faculty of Engineering, University of Peradeniya, PERADENIYA CP 20400, SRI LANKA. {isuru,roshanr}@ce.pdn.ac.lk
Abstract— The main focus of modern cryptanalysis is on breaking the implementation of cryptographic algorithms, as opposed to traditional attacks, which primarily target mathematically breaking the algorithms. Over the last decade this new class of attacks, Side Channel Attacks (SCAs), has become increasingly popular and poses a serious threat to cryptographic devices. Researchers proposing countermeasures and adversaries finding new means of access to the system have ultimately made this a continuous race. To the best of our knowledge, no perfect solution exists to counter all such attacks. However, by using appropriate countermeasures it is possible to make the task of the attacker harder. This paper analyzes the prevailing vulnerabilities in side channels considering their destructive effects and critically evaluates the proposed countermeasures.
GENERAL TERMS
Algorithms, Design, Measurement, Security
KEYWORDS
Side Channel Attacks, Countermeasures, Cache Based Attacks, Timing Attacks, Power Analysis Attacks
I. INTRODUCTION
Cryptographic protocols are designed such that it is computationally unrealistic to discover the secret keys by using brute-force techniques, or even by differential [4] and linear [16] cryptanalysis. However, the specification of a cryptographic protocol, used for various encryptions in a computing system, is independent of the implementation of the same protocol. Due to this limitation, it is burdensome to define the boundaries of a cryptographic system. These systems are no longer the traditional black boxes that take plain text and convert it into cipher text. For instance, measuring the consumption of power gives outsiders some means of access to the system [15]. Another one is the use of electromagnetic emissions from a device to correlate with the internal computations of the same device [25]. Such access points are called side channels, and the gathering of unauthorized information from these channels for cryptanalysis is known as side channel attacks (SCA). The cryptanalysis is made possible because there is correlation between the physical measurements taken at different points of operation and the internal states of the processing device. This is evidenced by the use of these physical measurements
in extracting the secret keys of cryptographic applications implemented around popular algorithms such as DES, AES, RSA, SEAL, etc. As indicated in [31], the first SCA (it was not referred to as an SCA at that point in time) was reported in 1965 by Wright, where MI5, the British intelligence agency, was able to break the cipher used by the Egyptian embassy by placing a microphone near the rotor-cipher machine and listening to the click sounds that the machine produced. However, modern computing systems are sophisticated and complex. Therefore, it is unrealistic to assume that the same kind of techniques used against rotor ciphers apply to current systems. This position paper, however, argues the availability of side channel attacks in modern computing devices and details potential countermeasures by giving evidence from various research avenues. In Section II of this paper the authors describe the classification of side channel attacks, and in Section III the focus is on known SCAs and the techniques involved. Then in Section IV the available countermeasures and their applicability are discussed. Finally, Section V concludes the paper.
II. SCA CLASSIFICATION
SCAs can be classified along the following orthogonal axes, considering various parameters such as how the information is accessed, how it is processed, etc.:
• Control over the computation process: based on this, SCAs can be divided into two categories, namely passive attacks (the attacker does not noticeably interfere with the system) and active attacks (the adversary has some influence on the behavior of the target system);
• Way of accessing the cryptographic module: the system comprises a set of physical, electrical and logical interfaces which enable invasive (the attacker dismantles the device and gets direct access to the system), semi-invasive (the attacker engages with the system only by means of accessing the authorized layers) and non-invasive (the attacker observes the operation of the device and exploits the unintentionally leaked information) attacks on the system; and
• Method used in the analysis of the information: in this arena, SCAs can be divided into two categories, namely Simple Side Channel Attacks, SSCA, (the attacker exploits the relationship between executed instructions and the side channel information) and Differential Side Channel Attacks, DSCA, (the attacker uses the correlation between the processed data and the side channel information).
III. KNOWN SIDE CHANNEL ATTACKS
A well established cryptographic algorithm will not guarantee the security of the application system implemented around this algorithm. This is because these applications leak information such as processing time [7], power consumption [15] and electromagnetic radiation [25] to the environment. In this section we will review the known techniques employed in side channel attacks and their destructive effects.
A. Timing attack
Crypto-systems take different amounts of time to process different inputs due to reasons like cache hits, instructions that run in non-fixed time, branching and conditional statements, etc. This enables an attacker to use this timing information to predict the type of operation taking place in a cryptosystem and therefore attack that system. For example, in the RSA algorithm the private key operation consists of computing R = y^x mod n, where n is public, y can be found and the goal of an attacker is to find x, the secret key. In [13], Kocher describes cryptanalysis of simple modular exponentiation using which the attacker will be able to find out the secret key. Algorithm 1 shows the modular exponentiation algorithm which computes R = y^x mod n, where x is w bits long. Since the attacker can record the message received and the time taken to respond to each y, it is possible to predict the operations of the algorithm.
Algorithm 1 Modular Exponentiation Algorithm
  Let S_0 = 1
  for k = 0 to w − 1 do
    if (bit k of x) is 1 then
      Let R_k = (S_k ∗ y) mod n
    else
      Let R_k = S_k
    end if
    Let S_{k+1} = R_k^2 mod n
  end for
  Return R_{w−1}
The attack described by Kocher allows someone who knows exponent bits 0..(b − 1) to find bit b.
This is because when the first b bits are known the attacker can compute the first b iterations of the for loop to find the value of S_b (see Algorithm 1). In the next iteration the first unknown bit will be tested. If it is set, R_b = (S_b ∗ y) mod n will be computed; otherwise that operation will be skipped. If the total modular exponentiation time is fast even for those inputs y for which computing R_b = (S_b ∗ y) mod n is slow, then bit b must be zero. Conversely, if the total modular exponentiation time is slower for exactly those inputs, then the bit must be set. The same set of timing measurements can then be used to determine the rest of the exponent bits.
The Chinese remainder theorem (CRT) is also used in RSA private key operations. In CRT, (y mod p) and (y mod q) are computed, where y is the message. Using the timing measurements it can be guessed whether y is closer to p or to q. In [13], Kocher shows that a y chosen randomly between 0 and 2p takes an average of 42.1s if y < p, whereas 73.9s if y > p, in his working environment. These timing measurements from many messages (ys) could be used to approximate p.
B. Fault Attack
Faulty outputs produced by crypto-systems increase the vulnerability of the systems with regard to side channel attacks. The types of SCAs which make use of the faulty output of systems are known as fault attacks. There exist two major kinds of fault attacks. In the first type, the channel information is extracted from computational faults occurring during the operation, whereas in the second type the attacker intentionally sends incorrect data to the attacked module. Typically, a successful fault attack comprises two steps, the fault injection and the fault exploitation. Fault injection is done by acting on the environment of the device and putting it into abnormal conditions like high or low voltage, temperature, radiation, etc., and the erroneous result is then analyzed. Fault attacks were first considered by Boneh et al. [5], where they showed how an attack can be performed on RSA with or without CRT. When RSA is implemented using CRT, let y be the message and R = y^x mod n the valid RSA signature of y. Let Ŝ be a faulty signature. R is computed from R_1 = y^x mod p and R_2 = y^x mod q, where n = p ∗ q. Similarly, Ŝ is computed from Ŝ_1 and Ŝ_2. Suppose a hardware fault occurs during the computation of Ŝ_1 and no error occurs for Ŝ_2. Then R = Ŝ mod q and R ≠ Ŝ mod p. Therefore gcd(R − Ŝ, n) = q, and so n can easily be factored.
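The CRT fault described above in a small simulation, together with the "process twice and compare" check that Section IV-E lists as Simple Time Redundancy with Comparison. This is an added example, not the paper's code; the toy key (p = 61, q = 53, e = 17) and the single-bit fault model are constructed so that it runs instantly.

```python
"""RSA-CRT signing with a simulated fault in the mod-p half (Boneh et al. [5])
and the time-redundancy check of Section IV-E. Added example, not the paper's code.
The key is a constructed toy key; real RSA moduli are far larger."""
from math import gcd

P, Q, E = 61, 53, 17                     # constructed toy primes and public exponent
N = P * Q                                # 3233
X = pow(E, -1, (P - 1) * (Q - 1))        # private exponent x = 2753


def crt_sign(y, fault_in_p=False):
    """R = y^x mod n computed as R_1 = y^x mod p and R_2 = y^x mod q, then recombined.

    fault_in_p=True flips one bit of R_1 only (constructed fault model): R_2 stays
    correct, which is exactly the situation the paper describes.
    """
    r1 = pow(y, X % (P - 1), P)          # y^x mod p, exponent reduced mod p-1
    r2 = pow(y, X % (Q - 1), Q)          # y^x mod q
    if fault_in_p:
        r1 ^= 1                          # glitch in the mod-p computation
    # Garner's recombination: R = r1 + p * ((r2 - r1) * p^{-1} mod q)
    h = ((r2 - r1) * pow(P, -1, Q)) % Q
    return (r1 + P * h) % N


def factor_from_faulty_signature(r, s_hat, n):
    """The paper's identity gcd(R - S_hat, n) = q: why a faulty signature must never leave the device."""
    return gcd(r - s_hat, n)


def sign_with_time_redundancy(y, fault_on_first_run=False):
    """Simple Time Redundancy with Comparison: compute twice, compare, release only on a match.

    Returns the signature, or None when the comparator detects a mismatch (the paper's
    reaction is limited to discarding the result and raising an alert or reset).
    """
    first = crt_sign(y, fault_in_p=fault_on_first_run)
    second = crt_sign(y)
    if first != second:
        return None                      # comparator mismatch: discard, do not output
    return first


if __name__ == "__main__":
    y = 65
    good = crt_sign(y)
    bad = crt_sign(y, fault_in_p=True)
    print("correct signature:", good, "faulty signature:", bad)
    print("gcd(R - S_hat, n) =", factor_from_faulty_signature(good, bad, N), "(= q)")
    print("protected output with a fault on the first run:", sign_with_time_redundancy(y, True))
```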
C. Power Analysis Attack
The power consumption of a cryptographic device may provide the necessary information regarding the operations that took place and the parameters involved. This is the motivation of power analysis attacks. Power analysis attacks can be divided into Simple and Differential Power Analysis (SPA and DPA respectively) attacks. In SPA, the objective is to guess the instruction being executed and the input/output values from the power trace. For example, if the adversary could identify the places where certain instructions (such as XOR, ADD, LOAD) are executed in the power sequence, the secret data processed at that point can be predicted [18] based on the magnitude, which reveals the Hamming weight (the number of bits set to one during an instruction execution [6]). Therefore knowledge of the implementation is required for SCA attacks. In DPA attacks, the adversary looks at the statistical correlation between the secret bits and the power consumption. SPA and DPA were first introduced by Kocher et al. [12].
1) Simple Power Analysis: SPA concerns the power consumption measurements collected during the cryptographic operations, which yield information about the operation of the device [12]. A power trace refers to a set of power consumption measurements taken across a cryptographic operation.
Fig. 1. SPA trace showing individual clock cycles
Figure 1 shows traces of power consumption through two regions, each of seven clock cycles at 3.5714 MHz, and the visible variation is due to the power consumption of the different microprocessor instructions being executed. In clock cycle six the upper trace shows where a jump instruction is performed and the lower trace shows a case where the same jump is not taken. Because SPA can reveal the sequence of instructions executed, it can be used to break cryptographic implementations in which the execution path depends on the data being processed. For example, the DES key schedule involves rotating 28-bit registers. A conditional branch is used to check the bit shifted off, and the resulting power consumption traces for a '1' bit and a '0' bit will contain different SPA features.
2) Differential Power Analysis: DPA [18]–[20], [24] is more powerful than SPA and it uses statistical analysis to predict the information. The principle behind the statistical analysis is that there is a significant power variation between manipulating 0's and 1's [12]. In DPA the adversary collects a large set of trace-ciphertext pairs, {T, C} [2], [12]. The adversary also takes a selection function D that takes a ciphertext and a guess of part of the key and outputs one bit. That means if the guess is right this bit reflects something that actually shows up in the computation. The adversary makes a guess K_g and uses this selection function D to partition the set of traces into two sets: the one for which D(C_i, K_g) = 0 and the other for which D(C_i, K_g) = 1. Then the traces in each set are averaged and the difference is taken. If K_g was wrong the difference approaches zero; otherwise the computed value of the selection function equals the actual value of the target bit.
D. Acoustic Attack
The interception of transmitted sounds has always been the most important method of gathering secret information. History has proved the worth of acoustic analysis. As indicated in [31], Wright used the sound produced by a rotor machine to cryptanalyze cipher text transmitted from the Egyptian embassy. This can be considered the first occasion where sound information was used to discover secret information. In [26] Shamir et al. provided a proof of concept demonstration that showed how acoustic information leaked by the CPU provides information about the state of the computation. Acoustic cryptanalysis has become plausible because each different CPU operation has a different characteristic sound signature. In this manner it is possible to discover when certain operations are performed by the CPU and thus initiate a timing attack. In the research performed by Shamir et al. they placed a recording device close to the computer, once with the case opened and the fans disconnected and once with the case closed. They were able to record sounds in the 0 Hz to 48 kHz region. The first observed result is that the noise from the fans and from outside does not distort the signal transmitted by the CPU. It was also determined that the sleep state produced the highest detectable noise, caused by the HALT instruction. Therefore it is easy to detect when a computation begins and when it ends.
Fig. 2. Acoustic results for [26]
Figure 2 depicts GnuPG 1.2.4 RSA signing sessions preceded and followed by sleep states. The main computational steps of RSA are the exponentiations modulo p and modulo q. Therefore, using the knowledge about the algorithm, an attacker could determine the different steps in the algorithm and the steps that correspond to certain sound segments over time.
E. Visible Light Attack
Kuhn [14] showed that the average luminosity of a diffuse reflection of a CRT off a wall could be sufficient to reconstruct the signal displayed on the screen. The main advantage of this attack is that it is not detectable and no physical access is required. In [14] Kuhn, with the aid of a photo sensor, successfully reconstructed the original CRT display blocked by a wall.
F. EM Attack
As all cryptographic devices comprise electrical components, they generate electromagnetic radiation when they operate. An adversary can use these emanations to understand the computation being performed and the data involved. Eck [29]
has shown that the electromagnetic radiation produced by video display units (VDU) leaks information about what is being displayed on the VDU, which means an eavesdropper can reconstruct the same video signal without being noticed. Figure 3 shows the test setup used in [29].
Fig. 3. Measurement setup for [29] (block diagram with: VDU, dipole antenna, magnetic loop antenna (15–256 kHz), measuring receiver with IF output, mixer, VHF channel, sync. recovery circuit, combined synchronization signals, number of screen lines, TV receiver)
In Figure 3 the signal from a calibrated measuring antenna is fed into a receiver suitable for measurement in the range of 30 to 1000 MHz. The IF (Intermediate Frequency) signal of the measuring receiver is used as an input to the TV receiver, thus using the former as a frequency converter. If the TV receiver is tuned to this IF, it is possible to observe whether reconstruction of information from the received signal is feasible. More interested readers are directed to the comprehensive research carried out by Agrawal et al. in [1].
G. Cache based Attack
Cache based attacks involve monitoring the movement of data into and out of the cache. Cache profiles could be an aid in recovering the secret key information of a cryptographic algorithm. Such an attack usually consists of a collection phase that provides the attacker with profiles of execution, and an analysis phase which recovers the secret information. Cache based attacks can be categorized as trace driven attacks [21] or time driven attacks [27], [28].
• Trace Driven Attacks: Trace driven attacks such as the one shown in [21] rely on the ability of the attacker to capture a profile of the cache activity that results from running the algorithm. That is, in order to perform a successful attack, the adversary needs a cache trace which shows cache hits or misses for every memory access. For example, the following shows accesses to the eight S-boxes¹ in three rounds of the DES algorithm, where M and H denote cache misses and hits respectively.
MMMMMMMM HHMMMMMH HMHHMMHH
¹ A fixed or a dynamic mapping table that returns values for the cipher text based on the plain text and decides the strength of the encryption algorithm.
From the above example, an attacker might assume that the accesses to S-box zero in rounds zero and one are equal, since an observed hit means they map to the same cache line. By adapting the plain text fed into the algorithm and analyzing the different cache access patterns, the attacker can reveal the values of key dependent variables.
• Time Driven Attacks: The execution time is mainly affected by memory accesses, as cache hits result in a lower execution time and cache misses result in a comparably higher execution time. This principle governs the time driven attacks. In [27], [28] the authors have shown cryptanalysis of DES and block ciphers with the aid of timing information caused by cache misses. In [3] Bernstein applied a timing attack with the aid of cache hits and misses to an AES implementation and showed that such an attack can be mounted remotely, yielding a greater security risk. The attack was based on measuring the time variances for the encryption of various inputs under a known key and comparing these with the time variances under an unknown key. In the first stage a replica server is created that is running the same AES as the victim server, but with a known key. From another machine, packets of random length are sent to the server and encrypted. The time taken to encrypt each packet is recorded and used to build a time pattern for each input bit. During the next stage the victim server is targeted. First an encrypted zero is obtained and recorded for later use. Then packets of varying length are sent to the victim server and the time taken for the encryption is recorded. Finally the timing measurements from the victim server and the replica server are compared to produce a set of possible key bits. The set of possibilities is searched until a combination has been found that produces the encrypted zero obtained earlier. This combination is the AES key of the victim machine.
IV. COUNTERMEASURES
Side channel attacks primarily focus on the implementation of the cryptographic algorithm for extracting unauthorized information. Even though not all parts of the system are susceptible to SCA, it is not straightforward to specify which parts are secure and which are not. Therefore, countermeasures to SCA should be designed and implemented with a proper quantitative evaluation of their effect on the overall security of the system. We can classify the proposed countermeasures into the following categories:
• De-correlate the output trace on individual runs;
• Replace critical assembler instructions with ones whose consumption signature is hard to analyze, or re-engineer the critical circuitry which performs arithmetic operations or memory transfers; and
• Make algorithmic changes to the cryptographic primitives so that attacks are provably inefficient on the obtained implementation.
Proposing countermeasures for side channel attacks is not a challenging task; the real challenge is to propose a
secure implementation with little extra cost and without jeopardizing the performance. In this section we will review the known countermeasures proposed against side channel attacks and their undermining issues.
A. Duplication Method
In [8] Goubin et al. have proposed a solution for DPA based on non-linear transformations. The idea is to replace each intermediate variable V, occurring during the computations, by k variables V_1, ..., V_k such that V_1, V_2, ..., V_k together allow V to be retrieved. More precisely, a function f is chosen satisfying V = f(V_1, ..., V_k) together with the following conditions.
Condition 1: From the knowledge of a value v and for any fixed value i, 1 ≤ i ≤ k, it is not feasible to deduce information about the set of values v_i such that there exist (k−1) equations satisfying f(v_1, ..., v_k) = v.
Condition 2: The function f is such that the transformations to be performed on V_1, V_2, ... or V_k during the computation can be implemented without calculating V.
In [8], the authors have shown an example implementation of differential power analysis attack resistance. In their experiment, instead of using the non-linear transformation v' = S(v), given in the form of an S-box, they implemented the transformation (v_1', v_2') = S'(v_1, v_2) by using two new S-boxes, as shown in Figure 4, both sending 12 bits into 4 bits. In order to keep the identity f(v_1', v_2') = v' they have chosen the following relation in their example:
  (v_1', v_2') = S'(v_1, v_2) = ( A(v_1, v_2), S(v_1 ⊕ v_2) ⊕ A(v_1, v_2) )   (1)
where A denotes a randomly chosen secret transformation from 12 bits to 4 bits. The first S-box corresponds to the transformation (v_1, v_2) ↦ A(v_1, v_2) and the second one corresponds to the transformation (v_1, v_2) ↦ S(v_1 ⊕ v_2) ⊕ A(v_1, v_2).
Fig. 4. Duplication Method
B. Random Code Injection Against Power Analysis Attacks
In [10], for the first time, Ambrose et al. introduce a hardware/software randomized instruction injection method, RIJID, which scrambles the power wave so that the adversary is unable to identify the encryption rounds within the power wave. Their solution uses real instructions at random places instead of dummy instructions at fixed places. Figure 5 shows the power trace after the injection of dummy and real instructions.
Fig. 5. Dummy Vs. Real Instruction Injection
Figure 5 (a) shows the original power wave and Figure 5 (b) shows the power dissipation when dummy instructions are injected. As the figure shows, the injections are distinguishable since the patterns remain the same. Simple time shifting can be applied to eliminate these dummy instructions and to recover the original power trace. Figure 5 (c) shows the dissipated power wave when RIJID is applied. There, no patterns can be spotted, hence no instruction can be determined. The cause for this is that RIJID uses real instructions, and these instructions also change the power dissipated by neighboring instructions due to the pipelining in the processor. The proposed processor model costs an additional 1.9% of area for a SimpleScalar processor as in [23], and costs on average 29.8% in runtime and 27.1% in additional energy consumption for the implementation of the following cryptographic algorithms: RSA, RC4, IDEA, TripleDES, Rijndael, Blowfish. In [11], the same authors have shown how the whole process of random instruction injection could be automated without losing its protection coverage.
C. Preventing Timing Attacks
In [13], Kocher describes a methodology for preventing timing attacks based on the techniques used for blind signatures. His approach is to choose a random pair (v_i, v_f) such that v_f^{-1} = v_i^x mod n. Before the modular
exponentiation operation, the input message should be multiplied by v_i (mod n), and afterwards the result is corrected by multiplying by v_f (mod n). The (v_i, v_f) pair should not be reused, since the pair itself might otherwise be exposed to timing attacks. An efficient solution to this problem is to update v_i and v_f before each modular exponentiation step. If (v_i, v_f) is secret, the attacker has no useful knowledge about the input to the modular exponentiator.
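Kocher's blinding as described above, applied to the modular exponentiation of Algorithm 1, as an added example that is not part of the paper. The RSA key (n = 61 · 53, x = 2753) is a constructed toy key so the block runs instantly; the pair (v_i, v_f) is refreshed by squaring before each use, as the paper recommends, so no pair is ever reused.

```python
"""Blinded modular exponentiation after Kocher [13], Section IV-C.
Added example, not the paper's code. The key below is a constructed toy key;
real RSA moduli are 2048 bits or more.
"""
import secrets
from math import gcd

# Constructed toy RSA key: n = 61 * 53, e = 17, x (private exponent) = 2753.
N, E, X = 3233, 17, 2753


def fresh_blinding_pair(x, n):
    """Pick random v_i coprime to n and v_f with v_f^{-1} = v_i^x mod n (Kocher's condition)."""
    while True:
        v_i = secrets.randbelow(n - 2) + 2          # uniform in [2, n-1]
        if gcd(v_i, n) == 1:
            break
    v_f = pow(pow(v_i, x, n), -1, n)                # modular inverse of v_i^x
    return v_i, v_f


def update_blinding_pair(v_i, v_f, n):
    """Cheap refresh: squaring both keeps the invariant, since (v_i^2)^x = (v_i^x)^2 = (v_f^2)^{-1}."""
    return (v_i * v_i) % n, (v_f * v_f) % n


def blinded_private_op(y, x, n, pair):
    """Compute y^x mod n without exposing y to the exponentiator.

    Returns (result, next_pair). The caller must use next_pair for the next call,
    so that no (v_i, v_f) pair is ever reused.
    """
    v_i, v_f = pair
    blinded_input = (y * v_i) % n                   # attacker-visible y never reaches pow() directly
    blinded_result = pow(blinded_input, x, n)       # = y^x * v_i^x = y^x * v_f^{-1} (mod n)
    result = (blinded_result * v_f) % n             # unblind: multiply by v_f
    return result, update_blinding_pair(v_i, v_f, n)


class BlindedSigner:
    """Holds the private key and the current blinding pair; refreshes the pair per operation."""

    def __init__(self, x, n):
        self.x, self.n = x, n
        self.pair = fresh_blinding_pair(x, n)

    def private_op(self, y):
        result, self.pair = blinded_private_op(y, self.x, self.n, self.pair)
        return result


def check_blinding_invariant(x, n, pair):
    """True when v_f^{-1} = v_i^x mod n still holds for the pair."""
    v_i, v_f = pair
    return pow(v_f, -1, n) == pow(v_i, x, n)


if __name__ == "__main__":
    signer = BlindedSigner(X, N)
    for message in (65, 123, 3000):
        sig = signer.private_op(message)
        print(message, sig, sig == pow(message, X, N))
```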
D. Preventing Cache Based Attacks
Page in [21] proposes several countermeasures for cache based attacks. As stated by him, the best way to prevent these attacks is to remove the cache from the processor design. However, this would degrade the performance of the system. In [30] Wang et al. propose two approaches to overcome cache based SCAs. One of the solutions is a partition based approach to eliminate cache interference, and the other is based on randomizing cache interference, guaranteeing zero information leakage. The authors have also presented a new security aware cache design which comprises the Partition Locked cache (PLcache) and the Random Permutation cache (RPcache). In this section we will detail the above mentioned solutions, elaborating their effects on the system.
• Full or Random Cache Warming: The idea in [21] is to change the source code of the algorithm in order to change the profile of cache hits and misses of that particular algorithm. This may range from fully loading the S-boxes into the cache to eliminate cache misses, to randomly loading S-boxes such that the confidence gained from the cache is reduced. But random loading does not guarantee protection, because it only masks the original access if the cache was warmed with the right entry. Therefore, to guarantee this as an effective countermeasure, the cache should be warmed with the entirety of all the S-boxes. This could easily be done by modifying the program with the following code snippet (dummy is declared volatile so the compiler cannot remove the loads as dead code):
    volatile unsigned char dummy;
    for (index = 0; index < sbox_size; index++) {
        dummy = sbox[index];   /* touch every S-box entry so every later lookup hits */
    }
This is an effective measure against time and trace driven attacks, since no time difference is caused by memory accesses and the traced behavior is constant. But this solution is unattractive in terms of performance. Warming all S-boxes into the cache makes it a small memory, and it may impact adversely on the cache performance of other data items.
• Non-deterministic Access Ordering: The original idea is taken from non-deterministic processors, in which instructions run in random order while maintaining their dependencies. This ultimately results in a power profile which will change on each run of the algorithm [17]. The same principle is applied to prevent cache based attacks by allowing memory accesses to occur out of order, in the same way as in a non-deterministic processor. Although dependencies between instructions need to be observed to prevent write after read or write after write hazards, a list of consecutive reads to memory could be reordered, producing a different cache profile per ordering. If the scheme in [21] is implemented as an extension to a non-deterministic processor, it could significantly reduce the determinism of a captured cache profile and make cache based attacks much harder.
• Minimize Timing Accuracy: Attacks based on timing information depend on the ability to measure execution time with a high degree of accuracy. One way to defend against these attacks is to deny attackers the ability to measure time to such accuracy. The solution in [22] denies access to clock activity by removing globally clocked circuitry. This type of solution may have the additional benefit of low power consumption. When this type of processor is used, it is harder for the attacker to monitor clock cycles, since there are effectively none to monitor.
• Maximize Line Size: One of the limiting factors of cache based side channel attacks is how much the attacker can infer from the occurrence of a cache hit or miss. For example, consider two accesses to memory through an empty cache using addresses a and b, where access a produces a miss and b a hit. If the line size was one element, the attacker could assume that a and b were equal. But if a larger cache line is used, the attacker can only assume that a and b map to the same line. This mapping only allows the attacker to determine the address bits excluding the bits used for determining the location within the line. These unknown bits are a problem in both trace and time driven attacks. Considering this idea, Page in [22] suggests having larger cache lines to overcome such attacks.
E. Preventing Fault Attacks
In [9] Hamid et al. have proposed many different countermeasures against fault attacks. They are summarized in this section.
• Simple Duplication with Comparison (SDC): The strategy is to duplicate hardware blocks, followed by a comparator to test the results. When the results do not match, an alert signal is transmitted to a decision block, leading to a hardware reset or activation of an interrupt that triggers dedicated countermeasures. This protects against single focused errors and allows their detection. As shown in Figure 6, block 1 and block 2 redundantly carry out the computation and both results are fed into the comparator. If a fault is detected during comparison, a signal is sent to the decision block to make a hardware reset or to activate an interrupt signal. Otherwise the result is produced at the output of the comparator.
Fig. 6. Simple Duplication with Comparison
• Simple Duplication with Complementary Redundancy (SDCR): The solution, as shown in Figure 7, is based on the same principle as SDC, but the two blocks store complemented data. When the results of the two blocks match, the comparison block transmits an alert signal to the system that triggers a hardware reset or an interrupt. This protects against multiple focused errors, since it is difficult to inject two different errors with complementary effects. The result produced by the block holding complemented data is sent through a NOT gate before being fed into the comparator. Afterwards the operation is similar to SDC.
Fig. 7. Simple Duplication with Complementary Redundancy
• Simple Time Redundancy with Comparison: This solution, as depicted in Figure 8, consists of processing each operation twice and comparing the results. This protects against single and multiple time synchronized errors, but it is only able to detect faults and the reaction is limited to discarding results.
Fig. 8. Simple Time Redundancy with Comparison
• Dynamic Duplication: The idea here is to have multiple redundancies with a decision module, as depicted in Figure 9, commanding a data switch upon fault detection. The switch transmits the correct result as instructed by the comparator, and corrupted blocks are disabled and their results discarded. This type of implementation permits detection of and subsequent reaction to the detected error.
Fig. 9. Dynamic Duplication
• Recomputing with Shifted Operands: As shown in Figure 10, one data line carries the original data to the block and the other carries the data shifted by a given number of bits. The result produced from the shifted operands is then shifted back by the same number of bits. Then both results are fed to the comparator for comparison. Afterwards the operation is similar to SDC.
Fig. 10. Recomputing with Shifted Operand
Fig. 11. Recomputing with Swapped Operand
• Re-computing with Swapped Operands: The strategy used here is to recompute the results with the little endian and big endian bits of the operand being swapped, as shown
in Figure 11. Then the result is re-swapped and compared to detect potential errors. This type of protection has the advantage of de-synchronizing two different processors and make fault attack very difficult. This countermeasure protects against single and multiple time synchronized errors. V. C ONCLUSIONS Cryptology is seen as a continuous struggle between cryptographers and cryptanalysts. Focusing on cryptographic algorithms while ignoring other aspects of security (such as side channels) is like defending a house with a high secured combination lock on the front door and imagining that burglars will try out all the possible combinations instead of breaking through the window. Almost all the known security attacks on cryptographic systems has targeted the weaknesses in the implementation and in the algorithm [31]. Side channel attacks or the attacks targeting the implementation are becoming increasingly popular and more threat to cryptographic devices. With the cryptanalysis of rotor-cipher used by Egyptian embassy side channel attacks has been developed in compare to the advancement of technology being used. Although above mentioned countermeasures are being proposed for the previously stated attacks it is impossible to assume that the cryptographic devices are free of side channel attacks since all the side channels are still not known to anyone and its a matter of time and effort to reveal another way of intruding into the system. R EFERENCES [1] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. The EM sidechannel(s): Attacks and assessment methodologies. Technical Report 2001/037, IBM Watson Research Center, 2001. [2] J. bastien Coron. Resistance against differential power analysis for elliptic curve cryptosystems. In CHES’99: proceedings of the first international workshop on cryptographic hardware and embedded systems, pages 292–302, London, UK, 1999. Springer-Verlag. [3] Bernstein D. J. Cache-timing attacks on AES. 
[4] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. In CRYPTO '90: Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, pages 2–21, London, UK, 1991. Springer-Verlag.
[5] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, 14(2):101–119, 2001.
[6] E. Brier, C. Clavier, and F. Olivier. Correlation power analysis with a leakage model. In M. Joye and J.-J. Quisquater, editors, Proceedings of CHES '04, volume 3156 of Lecture Notes in Computer Science, pages 16–29. Springer, 2004.
[7] D. Brumley and D. Boneh. Remote timing attacks are practical. Computer Networks, 48(5):701–716, 2005.
[8] L. Goubin and J. Patarin. DES and differential power analysis (the duplication method). In Cryptographic Hardware and Embedded Systems, pages 158–172, 1999.
[9] H. Bar-El. The sorcerer's apprentice guide to fault attacks.
[10] J. A. Ambrose, R. G. Ragel, and S. Parameswaran. RIJID: Random code injection to mask power analysis based side channel attacks. In Proceedings of the 44th Design Automation Conference (DAC '07), San Francisco, California, USA, 2007. ACM Press, New York, USA.
[11] J. A. Ambrose, R. G. Ragel, and S. Parameswaran. A smart random code injection method to mask power analysis based side channel attacks. In Proceedings of the 5th CODES+ISSS, Salzburg, Austria, 2007. ACM Press, New York, USA.
[12] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. Lecture Notes in Computer Science, 1666:388–397, 1999.
[13] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. Lecture Notes in Computer Science, 1109:104–113, 1996.
[14] M. G. Kuhn. Optical time-domain eavesdropping risks of CRT displays. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 3–18, 2002.
[15] S. Mangard. A simple power-analysis (SPA) attack on implementations of the AES key expansion. In P. J. Lee and C. H. Lim, editors, Proceedings of the 5th International Conference on Information Security and Cryptology, volume 2587 of Lecture Notes in Computer Science, pages 343–358. Springer, 2003.
[16] M. Matsui. Linear cryptanalysis method for DES cipher. In EUROCRYPT '93: Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, pages 386–397, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.
[17] D. May, H. L. Muller, and N. P. Smart. Non-deterministic processors. In ACISP '01: Proceedings of the 6th Australasian Conference on Information Security and Privacy, pages 115–129, London, UK, 2001. Springer-Verlag.
[18] T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5):541–552, 2002.
[19] S. B. Ors, F. Gürkaynak, E. Oswald, and B. Preneel. Power-analysis attack on an ASIC AES implementation. In ITCC '04: Proceedings of the International Conference on Information Technology: Coding and Computing, ISBN 0-7695-2108-8, page 546, Washington, DC, USA, 2004. IEEE Computer Society.
[20] E. Oswald, S. Mangard, C. Herbst, and S. Tillich. Practical second-order DPA attacks for masked smart card implementations of block ciphers. In Topics in Cryptology – CT-RSA 2006, The Cryptographers' Track at the RSA Conference, February 13–17, 2006, pages 192–207, San Jose, CA, USA, 2006. Springer.
[21] D. Page. Theoretical use of cache memory as a cryptanalytic side-channel. Technical Report CSTR-02-003, Computer Science Department, University of Bristol, 2002.
[22] D. Page. Defending against cache based side-channel attacks. Information Security Technical Report, 8(1):30–44, April 2003.
[23] J. Peddersen, S. L. Shee, A. Janapsatya, and S. Parameswaran. Rapid embedded hardware/software system generation. In Proceedings of the 18th International Conference on VLSI Design held jointly with the 4th International Conference on Embedded Systems Design (VLSID '05), pages 111–116, January 2005.
[24] E. Peeters, F.-X. Standaert, N. Donckers, and J.-J. Quisquater. Improved higher-order side-channel attacks with FPGA experiments. In Proceedings of the 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), pages 309–323, Edinburgh, UK, 2005.
[25] J.-J. Quisquater and D. Samyde. Electromagnetic analysis (EMA): Measures and counter-measures for smart cards. In Proceedings of the International Conference on Research in Smart Cards, pages 200–210, London, UK, 2001. Springer-Verlag.
[26] A. Shamir and E. Tromer. Acoustic cryptanalysis. Available at http://theory.csail.mit.edu/~tromer/acoustic/, 2004.
[27] Y. Tsunoo, E. Tsujihara, K. Minematsu, and H. Miyauchi. Cryptanalysis of block ciphers implemented on computers with cache. In International Symposium on Information Theory and Its Applications (ISITA), 2002.
[28] Y. Tsunoo, E. Tsujihara, K. Minematsu, and H. Miyauchi. Cryptanalysis of DES implemented on computers with cache. Lecture Notes in Computer Science, 2779:62–76, 2003.
[29] W. van Eck. Electromagnetic radiation from video display units: An eavesdropping risk. Computers & Security, 4:269–286, 1985.
[30] Z. Wang and R. B. Lee. New cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 34th Annual International Conference on Computer Architecture, pages 494–505, New York, NY, USA, 2007. ACM Press.
[31] Y. Zhou and D. Feng. Side-channel attacks: Ten years after its publication and the impacts on cryptographic module security testing. Cryptology ePrint Archive, Report 2005/388, 2005. http://eprint.iacr.org/.
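As an added illustration of the swapped-recomputation fault countermeasure described at the start of Section IV's closing paragraph (this is example code written for this edit, not the paper's Figure 11 design): a byte-wise round step is computed once in the normal layout and once on byte-swapped operands, the second result is re-swapped and compared, and a constructed time-synchronized fault shows why plain duplication misses it while the swapped form detects it. The S-box, the round step and the fault model are constructed placeholders; only the byte-wise structure (which commutes with byte swapping) matters.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy byte substitution standing in for an S-box (not AES's);
   any per-byte map works, since the point is byte-wise independence. */
static uint8_t sbox(uint8_t b)
{
    return (uint8_t)((b * 0x1Du) ^ 0x63u);
}

/* Reverse the byte order of a 32-bit word (little endian <-> big endian). */
static uint32_t bswap32(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0x0000FF00u) |
           ((x << 8) & 0x00FF0000u) | (x << 24);
}

/* One byte-wise round step: substitute each byte, then add the round key.
   Every byte is processed independently, so computing the step on
   byte-swapped operands and swapping the result back yields the same word. */
static uint32_t round_step(uint32_t w, uint32_t k)
{
    uint32_t out = 0;
    for (int i = 0; i < 4; i++)
        out |= (uint32_t)sbox((uint8_t)(w >> (8 * i))) << (8 * i);
    return out ^ k;
}

/* 'fault' is a constructed model: an XOR mask hitting the same physical
   bit positions of both results (a time-synchronized transient fault).
   Plain duplication uses one layout, so the identical fault corrupts both
   results the same way and goes undetected. Returns true on mismatch. */
static bool plain_dup_detects(uint32_t w, uint32_t k, uint32_t fault)
{
    uint32_t r1 = round_step(w, k) ^ fault;
    uint32_t r2 = round_step(w, k) ^ fault;
    return r1 != r2;
}

/* Swapped recomputation (the countermeasure): the second run works on the
   byte-swapped operand and key, so the same physical fault lands in a
   different logical byte; after re-swapping, the comparison exposes it.
   A fault mask symmetric under byte swapping (e.g. 0x01000001) escapes. */
static bool swapped_dup_detects(uint32_t w, uint32_t k, uint32_t fault)
{
    uint32_t r1 = round_step(w, k) ^ fault;
    uint32_t r2 = bswap32(round_step(bswap32(w), bswap32(k)) ^ fault);
    return r1 != r2;
}
```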