Masking countermeasures, used to thwart side-channel attacks, have been shown to be vulnerable to mask-extraction attacks. State-of-the-art mask-extraction attacks on the Advanced Encryption Standard (AES) algorithm target S-Box recomputation schemes but have not been applied to scenarios where S-Boxes are precomputed offline. We propose an attack targeting precomputed S-Boxes stored in nonvolatile memory. Our attack targets AES implemented in software protected by a low entropy masking scheme and recovers the masks with 91% success rate. Recovering the secret key requires fewer power traces (in fact, by at least two orders of magnitude) compared to a classical second-order attack. Moreover, we show that this attack remains viable in a noisy environment or with a reduced number of leakage points. Eventually, we specify a method to enhance the countermeasure by selecting a suitable coset of the masks set.

+More

secondorder attack encryption standard aes algorithm low entropy masking scheme power traces sbox recomputation schemes nonvolatile maskextraction attacks precomputed sboxes masks countermeasure leakage points

Alexander DeTrano,Naghmeh Karimi,Ramesh Karri,Xiaofei Guo,Claude Carlet,.Exploiting Small Leakages in Masks to Turn a Second-Order Attack into a First-Order Attack and Improved Rotating Substitution Box Masking with Linear Code Cosets. 2015 (),.

Alexander DeTrano,Naghmeh Karimi,Ramesh Karri,Xiaofei Guo,Claude Carlet,"Exploiting Small Leakages in Masks to Turn a Second-Order Attack into a First-Order Attack and Improved Rotating Substitution Box Masking with Linear Code Cosets" 2015

Alexander DeTrano,Naghmeh Karimi,Ramesh Karri,Xiaofei Guo,Claude Carlet,"Exploiting Small Leakages in Masks to Turn a Second-Order Attack into a First-Order Attack and Improved Rotating Substitution Box Masking with Linear Code Cosets"