221 research outputs found
Deep Learning Based Side-Channel Analysis of AES Based on Far Field Electromagnetic Radiation
Advanced Encryption Standard (AES) is a widely accepted encryption algorithm used in Internet-of-Things (IoT) devices such as Bluetooth devices. Although the implementation of AES is complicated enough, attackers can still acquire the cryptographic information generated from the AES execution to perform Side-Channel Attack (SCA). There are two commonly used types of SCA, which are power based attack and Electromagnetic (EM) based attack. However, the acquisition of both power traces and EM near-field traces require close physical contact to the victim devices, which is difficult to attack a well-protected system. In this thesis, we exploit the far-field EM propagation property and train several Deep Learning (DL) models to attack tinyAES algorithm implemented on the victim Bluetooth chip nRF52832 mounted on Nordic nRF52 DK at the distance up to 50cm. To simulate the real attacking scenario, we train our DL models on one nRF52 DK at 30cm and attack another same board at the distance 5cm, 15cm, 30cm and 50cm respectively in an office environment. We restrict the number of attacking traces to 7000. The key byte of all of cases can be recovered successfully by Convolution Neuron Network (CNN) and the best test only need 1848 traces. Our contributions are: (1).We prove it is feasible to attack Bluetooth chip running AES at variation distance by DL; (2).We compare our DL model performance with the classical correlation analysis and find correlation analysis takes far more traces than DL; (3).We propose several countermeasures to protect against the far-field EM SCA.Advanced Encryption Standard (AES) är en allmänt accepterad krypteringsalgoritm som används i Internet-of-Things (IoT) -enheter som Bluetooth-enheter. Även om implementeringen av AES är tillräckligt komplicerad kan angriparna fortfarande förvärva den kryptografiska informationen som genererats från AES-utförandet för att utföra Side-Channel Attack (SCA). Det finns två vanligt förekommande typer av SCA, som är kraftbaserad attack och elektro-magnetisk (EM) baserad attack. Emellertid kräver förvärv av både strömspår och EM-fältspår nära fysisk kontakt med offeranordningarna, vilket är omöjligt att attackera ett välskyddat system. I den här avhandlingen utnyttjar vi EM-förökningsegenskapen för fjärrfältet och utbildar flera Deep Learning (DL) -modeller för att attackera litenAES- algoritm implementerad på offret Bluetooth-chip nRF52832 monterat på Nordic nRF52 DK på avståndet upp till 50 cm. För att simulera det verkliga angreppsscenariot utbildar vi våra DL-modeller på en nRF52 DK vid 30 cm och attackerar en annan samma skiva på avståndet 5 cm, 15 cm, 30 cm respektive 50 cm i en kontorsmiljö. Vi begränsar antalet attackerande spår till 7000. Nyckelbyte i alla fall kan framgångsrikt återvinnas av Convolution Neuron Network (CNN) och det bästa testet behöver endast 1848 spår. Våra bidrag är: (1). Vi bevisar att det är möjligt att attackera Bluetooth-chip som kör AES på variation avstånd av DL; (2). Vi jämför våra DL-modellprestanda med den klassiska korrelationsanalysen och finner korrelationsanalys tar mycket fler spår än DL;(3). Vi tillhandahåller flera motåtgärder mot EM-SCA
Side-Channel Attacks on Post-Quantum PKE/KEMs and Digital Signatures
Traditional public key cryptosystems rely on the hardness of specific mathematical problems, such as integer factorization and discrete logarithm problem. However, these problems can be solved efficiently by Shor's algorithm on a large-scale quantum computer. Although the development of quantum computers has progressed slowly over the past 40 years, it is estimated that a cryptographically relevant quantum computer is likely to be available in 2040, which intensifies the need for quantum-resistant cryptographic algorithms. In response to the quantum threat, in 2016, NIST launched a competition for standardizing post-quantum cryptographic primitives. In August 2024, NIST selected CRYSTALS-Kyber as the public key encryption and key encapsulation standard, and CRYSTALS-Dilithium as the digital signature standard. However, algorithms which are secure from the perspective of conventional cryptanalysis may still be vulnerable to physical attacks, such as side-channel attacks. This thesis evaluates the resilience of software implementations of three lattice-based post-quantum cryptographic algorithms: Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium to side-channel attacks. The presented results are based on seven appended papers. Two of them focus on side-channel attacks on Saber, four target CRYSTALS-Kyber, and one considers CRYSTALS-Dilithium. The main contributions of the thesis are: We evaluate and compare power side-channel and EM side-channel attacks, pointing that amplitude-modulated EM emissions are typically weaker and require a higher sampling rate for secret recovery. We also investigate the difficulty of performing attacks on protected and unprotected implementations. We propose several methods to improve the attack efficiency. For example, a novel neural network model aggregation technique called threshold voting is introduced for deep learning-based attacks. A higher-order attack on CRYSTALS-Kyber is presented by combining the leakages from Barrett reduction and message decoding. Furthermore, an optimal chosen-ciphertext construction strategy is developed to maximize the probability of secret key recovery given a fixed probability of message bit recovery. We provide a thorough discussion of various attack scenarios, including attacks on encapsulation, decapsulation, and signing procedures. For each scenario, we outline the assumptions and requirements for a successful attack. We present countermeasures to mitigate side-channel attacks at both the algorithmic and hardware levels. We also discuss the limitations of these countermeasures, as well as the challenges associated with deep learning-based attacks. Most of the methods presented in this thesis are not limited to the specific algorithms described in the papers, and can be extended to other algorithms that are similar to Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium.Traditionella kryptosystem med offentlig nyckel bygger på svårigheten i specifika matematiska problem, såsom faktorisering av heltal och problemet med diskreta logaritmer. Dessa problem kan dock lösas effektivt med Shors algoritm på en storskalig kvantdator. Även om utvecklingen av kvantdatorer har gått långsamt under de senaste 40 åren, beräknas det att en kryptografiskt relevant kvantdator sannolikt kommer att finnas tillgänglig år 2040, vilket ökar behovet av kvantresistenta kryptografiska algoritmer. Som svar på hotet från kvantdatorer lanserade NIST 2016 en tävling för standardisering av kvantdatorsäkra primitiver. I augusti 2024 valde NIST CRYSTALS-Kyber som standard för asymmetrisk kryptering och nyckelinkapsling, och CRYSTALS-Dilithium som standard för digitala signaturer. Algoritmer som är säkra ur konventionell kryptanalytisk synvinkel kan dock fortfarande vara sårbara för fysiska attacker, såsom sidokanalsattacker. Denna avhandling utvärderar motståndskraften hos mjukvaruimplementationer av tre gitterbaserade kvantdatorsäkra algoritmer: Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium mot sidokanalsattacker. De presenterade resultaten baseras på sju bifogade artiklar. Två av dem fokuserar på sidokanalsattacker mot Saber, fyra riktar sig mot CRYSTALS-Kyber, och en behandlar CRYSTALS-Dilithium. Avhandlingens huvudsakliga bidrag är: Vi utvärderar och jämför effektbaserade och EM-baserade sidokanalsattacker, och påpekar att amplitudmodulerade EM-emissioner typiskt är svagare och kräver högre samplingsfrekvens för att återskapa hemligheter. Vi undersöker även svårigheten med att utföra attacker på skyddade och oskyddade implementationer. Vi föreslår flera metoder för att förbättra attackeffektiviteten. Till exempel introduceras en ny teknik för aggregering av neurala nätverksmodeller, kallad “threshold voting”, för attacker baserade på djupinlärning. En högre ordningens attack mot CRYSTALS-Kyber presenteras genom att kombinera läckage från Barrett-reduktion och meddelandede-kodning. Dessutom utvecklas en optimal strategi för valda chiffertextattacker för att maximera sannolikheten för att återskapa en hemlig nyckel givet en fast sannolikhet att återskapa av meddelandebitar. Vi ger en grundlig diskussion av olika attackscenarier, inklusive attacker mot inkapsling, avkapsling och signering. För varje scenario redogör vi för antaganden och krav för en framgångsrik attack. Vi presenterar motåtgärder för att försvåra sidokanalsattacker både på algoritm- och hårdvarunivå. Vi diskuterar också begränsningarna hos dessa motåtgärder samt utmaningarna med attacker baserade på djupinlärning. De flesta metoder som presenteras i denna avhandling är inte begränsade till de specifika algoritmer som beskrivs i artiklarna, utan kan även tillämpas på andra algoritmer som liknar Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium.QC 20251019</p
Side-Channel Attacks on Post-Quantum PKE/KEMs and Digital Signatures
Traditional public key cryptosystems rely on the hardness of specific mathematical problems, such as integer factorization and discrete logarithm problem. However, these problems can be solved efficiently by Shor's algorithm on a large-scale quantum computer. Although the development of quantum computers has progressed slowly over the past 40 years, it is estimated that a cryptographically relevant quantum computer is likely to be available in 2040, which intensifies the need for quantum-resistant cryptographic algorithms. In response to the quantum threat, in 2016, NIST launched a competition for standardizing post-quantum cryptographic primitives. In August 2024, NIST selected CRYSTALS-Kyber as the public key encryption and key encapsulation standard, and CRYSTALS-Dilithium as the digital signature standard. However, algorithms which are secure from the perspective of conventional cryptanalysis may still be vulnerable to physical attacks, such as side-channel attacks. This thesis evaluates the resilience of software implementations of three lattice-based post-quantum cryptographic algorithms: Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium to side-channel attacks. The presented results are based on seven appended papers. Two of them focus on side-channel attacks on Saber, four target CRYSTALS-Kyber, and one considers CRYSTALS-Dilithium. The main contributions of the thesis are: We evaluate and compare power side-channel and EM side-channel attacks, pointing that amplitude-modulated EM emissions are typically weaker and require a higher sampling rate for secret recovery. We also investigate the difficulty of performing attacks on protected and unprotected implementations. We propose several methods to improve the attack efficiency. For example, a novel neural network model aggregation technique called threshold voting is introduced for deep learning-based attacks. A higher-order attack on CRYSTALS-Kyber is presented by combining the leakages from Barrett reduction and message decoding. Furthermore, an optimal chosen-ciphertext construction strategy is developed to maximize the probability of secret key recovery given a fixed probability of message bit recovery. We provide a thorough discussion of various attack scenarios, including attacks on encapsulation, decapsulation, and signing procedures. For each scenario, we outline the assumptions and requirements for a successful attack. We present countermeasures to mitigate side-channel attacks at both the algorithmic and hardware levels. We also discuss the limitations of these countermeasures, as well as the challenges associated with deep learning-based attacks. Most of the methods presented in this thesis are not limited to the specific algorithms described in the papers, and can be extended to other algorithms that are similar to Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium.Traditionella kryptosystem med offentlig nyckel bygger på svårigheten i specifika matematiska problem, såsom faktorisering av heltal och problemet med diskreta logaritmer. Dessa problem kan dock lösas effektivt med Shors algoritm på en storskalig kvantdator. Även om utvecklingen av kvantdatorer har gått långsamt under de senaste 40 åren, beräknas det att en kryptografiskt relevant kvantdator sannolikt kommer att finnas tillgänglig år 2040, vilket ökar behovet av kvantresistenta kryptografiska algoritmer. Som svar på hotet från kvantdatorer lanserade NIST 2016 en tävling för standardisering av kvantdatorsäkra primitiver. I augusti 2024 valde NIST CRYSTALS-Kyber som standard för asymmetrisk kryptering och nyckelinkapsling, och CRYSTALS-Dilithium som standard för digitala signaturer. Algoritmer som är säkra ur konventionell kryptanalytisk synvinkel kan dock fortfarande vara sårbara för fysiska attacker, såsom sidokanalsattacker. Denna avhandling utvärderar motståndskraften hos mjukvaruimplementationer av tre gitterbaserade kvantdatorsäkra algoritmer: Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium mot sidokanalsattacker. De presenterade resultaten baseras på sju bifogade artiklar. Två av dem fokuserar på sidokanalsattacker mot Saber, fyra riktar sig mot CRYSTALS-Kyber, och en behandlar CRYSTALS-Dilithium. Avhandlingens huvudsakliga bidrag är: Vi utvärderar och jämför effektbaserade och EM-baserade sidokanalsattacker, och påpekar att amplitudmodulerade EM-emissioner typiskt är svagare och kräver högre samplingsfrekvens för att återskapa hemligheter. Vi undersöker även svårigheten med att utföra attacker på skyddade och oskyddade implementationer. Vi föreslår flera metoder för att förbättra attackeffektiviteten. Till exempel introduceras en ny teknik för aggregering av neurala nätverksmodeller, kallad “threshold voting”, för attacker baserade på djupinlärning. En högre ordningens attack mot CRYSTALS-Kyber presenteras genom att kombinera läckage från Barrett-reduktion och meddelandede-kodning. Dessutom utvecklas en optimal strategi för valda chiffertextattacker för att maximera sannolikheten för att återskapa en hemlig nyckel givet en fast sannolikhet att återskapa av meddelandebitar. Vi ger en grundlig diskussion av olika attackscenarier, inklusive attacker mot inkapsling, avkapsling och signering. För varje scenario redogör vi för antaganden och krav för en framgångsrik attack. Vi presenterar motåtgärder för att försvåra sidokanalsattacker både på algoritm- och hårdvarunivå. Vi diskuterar också begränsningarna hos dessa motåtgärder samt utmaningarna med attacker baserade på djupinlärning. De flesta metoder som presenteras i denna avhandling är inte begränsade till de specifika algoritmer som beskrivs i artiklarna, utan kan även tillämpas på andra algoritmer som liknar Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium.QC 20251019</p
A Side-Channel Secret Key Recovery Attack on CRYSTALS-Kyber Using k Chosen Ciphertexts
At CHES’2021, a chosen ciphertext attack combined with belief propagation which can recover the long-term secret key of CRYSTALS-Kyber from side-channel information of the number theoretic transform (NTT) computations was presented. The attack requires k traces from the inverse NTT step of decryption, where k is the module rank, for a noise tolerance in the Hamming weight (HW) leakage on simulated data. In this paper, we present an attack which can recover the secret key of CRYSTALS-Kyber from k chosen ciphertexts using side-channel information of the Barret reduction and message decoding steps of decryption, for. The key novel idea is to create a unique mapping between the secret key coefficients and multiple intermediate variables of these procedures. The redundancy in the mapping patterns enables us to detect errors in the secret key coefficients recovered from side-channel information. We demonstrate the attack on the example of a software implementation of Kyber-768 in ARM Cortex-M4 CPU using deep learning-based power analysis.</p
A Shared Key Recovery Attack on a Masked Implementation of CRYSTALS-Kyber’s Encapsulation Algorithm
In July 2022, NIST selected CRYSTALS-Kyber as a new post-quantum secure public key encryption and key encapsulation mechanism to be standardized. To safeguard its shared and secret keys from side-channel attacks (SCA), countermeasures such as masking and shuffling are applied. However, the existing SCA-protected implementations of CRYSTALS-Kyber protect the decapsulation algorithm only. The encapsulation algorithm is not covered because single-trace shared key recovery attacks on encapsulation are not considered feasible. Since the same shared key is never encapsulated more than once, the attacker gets only a single trace per shared key from the execution of the encapsulation algorithm. In this paper, we demonstrate a practical single-trace shared key recovery attack on a first-order masked implementation of the encapsulation algorithm of Kyber-768 in ARM Cortex-M4 based on deep learning-assisted power analysis. Our main contribution is a new aggregation method for ensemble learning that enables enumeration during shared key recovery. Our experimental results show that a full shared key can be recovered with a 91% probability on average from a single trace captured from a different from profiling device.</p
TyG-WC Index as a Superior Predictor of Hyperuricemia Risk in the Hypertensive Population: A Prospective Cohort Study
Qin Zhang,1,* Jian Liu,2,* Ruize Zhang,3 Changfen Wang,4 Yanyan Song,5 Xi Wang,2 Fanling Zeng6 1Department of Cardiology, Xi Chang People’s Hospital, Xi Chang, Sichuan Province, 615000, People’s Republic of China; 2Department of Cardiology, The First Affiliated Hospital of Chongqing Medical University, Chongqing, 400016, People’s Republic of China; 3Dougherty Valley High School, San Ramon, CA, 94582, USA; 4Department of Cardiology, People’s Hospital of Qianxinan Prefecture, Guizhou Province, People’s Republic of China; 5Department of Endocrinology, Chongqing Jianshe Hospital, Chongqing, People’s Republic of China; 6Health Management Ctr, The First Affiliated Hospital of Chongqing Medical University, Chongqing, 400016, People’s Republic of China*These authors contributed equally to this workCorrespondence: Xi Wang; Fanling Zeng, The First Affiliated Hospital of Chongqing Medical University, No. 1 Youyi Road, Yuzhong District, Chongqing, 400016, People’s Republic of China, Email [email protected]; [email protected]: To evaluate the predictive value of the triglyceride-glucose waist circumference index (TyG-WC) for hyperuricemia (HUA) risk in the hypertensive population.Methods: This prospective cohort study involved 831 hypertensive patients with normal uric acid levels, who underwent continuous health examinations for five years. Participants were categorized into four groups based on baseline TyG-WC quartiles, and the incidence of hyperuricemia was monitored in each group. Hazard ratios (HRs) and 95% confidence intervals (95% CIs) for HUA incidence were calculated using Cox proportional hazards regression analysis. The predictive ability of various TyG indices for HUA was evaluated using receiver operating characteristic curves.Results: After five years of follow-up, 117 participants developed HUA. The cumulative incidence of HUA was significantly higher in the highest TyG-WC quartile (Q4) compared to the lowest quartile (Q1). The TyG-WC index demonstrated the highest predictive value, with an area under the curve of 0.685 (95% CI: 0.635– 0.734) compared to other obesity-related TyG indices. After adjusting for confounding factors, per standard deviation increase in the TyG-WC index was associated with a 1.28-fold higher risk of developing HUA (95% CI: 1.04– 1.56, P < 0.001).Conclusion: The TyG-WC index is a robust independent predictor of HUA risk in the hypertensive population. It provides a practical, reliable, and cost-effective tool for the early identification of high-risk individuals in this population.Keywords: hypertension, hyperuricemia, TyG-WC index, insulin resistance, obesit
Far Field EM Side-Channel Attack on AES Using Deep Learning
We present the first deep learning-based side-channel attack on AES-128 using far field electromagnetic emissions as a side channel. Our neural networks are trained on traces captured from five different Bluetooth devices at five different distances to target and tested on four other Bluetooth devices. We can recover the key from less than 10K traces captured in an office environment at 15 m distance to target even if the measurement for each encryption is taken only once. Previous template attacks required multiple repetitions of the same encryption. For the case of 1K repetitions, we need less than 400 traces on average at 15 m distance to target. This improves the template attack presented at CHES\u272020 which requires 5K traces and key enumeration up to
Unpacking Needs Protection A Single-Trace Secret Key Recovery Attack on Dilithium
Most of the previous attacks on Dilithium exploit side-channel information which is leaked during the computation of the polynomial multiplication cs1, where s1 is a small-norm secret and c is a verifier\u27s challenge. In this paper, we present a new attack utilizing leakage during secret key unpacking in the signing algorithm. The unpacking is also used in other post-quantum cryptographic algorithms, including Kyber, because inputs and outputs of their API functions are byte arrays. Exploiting leakage during unpacking is more challenging than exploiting leakage during the computation of cs1 since c varies for each signing, while the unpacked secret key remains constant. Therefore, post-processing is required in the latter case to recover a full secret key. We present two variants of post-processing. In the first one, a half of the coefficients of the secret s1 and the error s2 is recovered by profiled deep learning-assisted power analysis and the rest is derived by solving linear equations based on t = As1 + s2, where A and t are parts of the public key. This case assumes knowledge of the least significant bits of t, t0. The second variant uses lattice reduction to derive s1 without the knowledge of t0. However, it needs a larger portion of s1 to be recovered by power analysis. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The experiments show that the attack assuming the knowledge of t0 can recover s1 from a single trace captured from a different from profiling device with a non-negligible probability. </p
A Side-Channel Attack on a Hardware Implementation of CRYSTALS-Kyber
CRYSTALS-Kyber has been recently selected by the NIST as a new public-key encryption and key-establishment algorithm to be standardized. This makes it important to assess how well CRYSTALS-Kyber implementations withstand side-channel attacks. Software implementations of CRYSTALS-Kyber have already been analyzed and the discovered vulnerabilities were patched in the subsequently released versions. In this paper, we present a profiling side-channel attack on a hardware implementation of CRYSTALS-Kyber. Since hardware implementations carry out computations in parallel, they are typically more difficult to break than their software counterparts. We demonstrate a successful message (session key) recovery attack on a Xilinx Artix-7 FPGA implementation of CRYSTALS-Kyber by deep learning-based power analysis. Our results indicate that currently available hardware implementations of CRYSTALS-Kyber need better protection against side-channel attacks.QC 20230824</p
- …
