
Side-channel Attacks And Countermeasures Of KLEIN And QUAD

Posted on: 2016-03-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W J Li
Full Text: PDF
GTID: 1108330503953307
Subject: Information security
Abstract/Summary:
The Internet of Things (IoT) is a novel paradigm that is rapidly gaining ground in information technology. Its basic idea is the pervasive presence of devices around us that can interact with each other and cooperate with their neighbours to reach common goals through unique addressing schemes. Increasingly, everyday items are turned into pervasive devices by embedding computing power, such as Radio-Frequency IDentification (RFID) tags, sensors, ASICs and smart cards, which face harsh cost constraints in terms of area, memory, computing power and battery supply. Although the mass deployment of pervasive devices promises many benefits, security and privacy remain pressing issues for the many applications that are security- and privacy-sensitive (military and financial applications, etc.).

As a security component, lightweight cryptography is used to secure such applications. Traditional block ciphers such as DES and AES can be too expensive, so lightweight ciphers are a pressing topic, and several have been published so far, such as PRESENT, LED, KLEIN and QUAD. To meet the requirement of limited resources, lightweight cryptography is much simpler and serialized. Even worse, pervasive devices are deployed in a hostile environment, i.e. an adversary has physical access to or control over the devices, which poses a serious practical threat to these security components. It has been conclusively proven that unprotected cryptographic implementations are vulnerable to side-channel attacks. During the last ten years there have been many endeavours to develop effective countermeasures against DPA attacks, including two major countermeasures: hiding and masking. The latter is the most widespread, thanks to its relatively low overhead, low performance loss and robustness against first-order attacks.

In this thesis we evaluate the side-channel vulnerability of the lightweight ciphers KLEIN and QUAD, and address the issue of lightweight side-channel countermeasures for KLEIN and QUAD. KLEIN is a new family of lightweight block ciphers that performs well in software on legacy sensor platforms, while its hardware implementation can be compact as well. The structure of KLEIN is a typical Substitution-Permutation Network (SPN), which is also used in many advanced block ciphers, e.g. AES. We find that the Hamming weight of the S-box input at the first round can be utilized to reveal the secret key. We use this leakage model to successfully perform differential power analysis (DPA) and correlation power analysis (CPA) attacks. Approximately 6,200 power traces are sufficient for the DPA attack to reveal the secret key of KLEIN-64, while the CPA attack requires fewer than 2,000 traces.

GLUT-based masking countermeasures are low cost and secure against first-order DPA, and are therefore more suitable for lightweight ciphers in resource-constrained devices. We propose an ultra-lightweight GLUT-based masked KLEIN-64, whose parallel implementation requires only 1.66 times the area of the unprotected one. Meanwhile, the serial masked implementation requires 1.55 times the area and 1.33 times the time of the unprotected one. Our experimental results show that GLUT-based masked KLEIN is secure against first-order DPA and CPA attacks. We also propose a lightweight secret-sharing based masked KLEIN-64, whose parallel implementation requires 6.18 times the area and 2.5 times the time of the unprotected one. Meanwhile, the serial masked implementation requires 2.58 times the area and 2.17 times the time of the unprotected implementation.

The most important contribution of this thesis is that we are the first to find the side-channel leakage of multivariate cryptographic algorithms, and the first to successfully perform side-channel attacks against a multivariate cryptographic algorithm. QUAD is a stream cipher whose provable security relies on the hardness of solving systems of multivariate quadratic equations (the MQ problem). Besides their resistance to quantum attacks and low cost, multivariate cryptographic algorithms are believed to have strong natural resistance to side-channel attacks, because of their long keys and the absence of leaking operations. However, our research finds that serial implementations of multivariate cryptographic algorithms leak secret information when computing monomials and storing the results to the register. Taking advantage of this side-channel leakage, an adversary could compromise multivariate cryptographic algorithms. We define a single-bit side-channel leakage model of QUAD, with which we successfully perform a single-bit correlation power analysis (CPA) attack against QUAD.

Our proposed single-bit CPA attack requires a threshold to decide whether there is a peak in the CPA traces, which is difficult in practice. Therefore, we define a multi-bit side-channel leakage model and propose a multi-bit correlation power analysis attack against QUAD, which is much more practical and efficient.

Unlike block ciphers, QUAD renews its secret every iteration, which means that an adversary can acquire far fewer power traces. Taking QUAD(160,160) for example, an adversary can acquire only 320 power traces, which requires a much more efficient attack method. We present a template attack and a template-based DPA attack against QUAD, which require only several power traces and are thus much more practical.

After designing a masked multiplier, we present a generic masking countermeasure for multivariate cryptographic algorithms, which resists our proposed power analysis attacks well. The masked implementation requires 1.83 times the area and 1.125 times the time of the unprotected one. Meanwhile, since the computation of the monomials in the polynomials can be reordered, we propose an ultra-lightweight shuffling countermeasure for multivariate cryptographic algorithms. Our shuffling countermeasure is concise and of ultra low cost: the shuffling implementation of QUAD requires only 1.119 times the area and 1.125 times the time of the unprotected one.
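The abstract's leakage model for KLEIN (Hamming weight of the first-round S-box input, i.e. HW(plaintext nibble XOR key nibble)) and its claim that masking removes first-order leakage can be checked with a known-key correlation test on simulated traces. The following is an added illustration, not code from the thesis; the noise level, trace count, key nibble and the simple Boolean mask (standing in for the GLUT-based scheme) are assumptions, and the test is first-order only.

```python
import random
from math import sqrt

# Constructed example: first-order leakage evaluation of an unprotected vs a
# Boolean-masked 4-bit S-box input. An evaluator who knows the key computes
# the intermediate HW(p ^ k) and correlates it with the measured leakage.
# Noise sigma, trace count and key nibble are assumed values, not the thesis's.

def hw(x):
    return bin(x).count("1")

def simulate_traces(n, key_nibble, masked, noise_sigma, rng):
    """Return (intermediates, leakages). intermediates: HW of the unmasked
    S-box input p ^ k, known to the evaluator. leakages: one power sample
    per trace, HW of the value actually on the datapath plus Gaussian noise."""
    inters, leaks = [], []
    for _ in range(n):
        p = rng.randrange(16)          # random plaintext nibble
        v = p ^ key_nibble             # first-round S-box input
        if masked:
            m = rng.randrange(16)      # fresh random mask for every trace
            on_wire = v ^ m            # only the masked share is computed
        else:
            on_wire = v
        inters.append(hw(v))
        leaks.append(hw(on_wire) + rng.gauss(0, noise_sigma))
    return inters, leaks

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)

def known_key_correlation(masked, n=5000, key_nibble=0xB,
                          noise_sigma=1.0, seed=1):
    """First-order leakage score: |rho| well above 0 means the intermediate
    is recoverable by CPA; ~0 means no first-order leakage."""
    rng = random.Random(seed)
    inters, leaks = simulate_traces(n, key_nibble, masked, noise_sigma, rng)
    return pearson(inters, leaks)

if __name__ == "__main__":
    print("unprotected rho:", round(known_key_correlation(False), 3))
    print("masked      rho:", round(known_key_correlation(True), 3))
```

With a 4-bit intermediate (variance 1) and unit noise, the unprotected correlation sits near 0.71, while the masked one is indistinguishable from zero at first order.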
Keywords/Search Tags: Lightweight cipher, Multivariate cryptographic algorithms, KLEIN, QUAD, Differential power analysis attacks, Correlation power analysis attacks, Template attacks, Template-based DPA attacks, Lightweight masking countermeasure