Next Article in Journal
Remotely Powered Two-Wire Cooperative Sensors for Bioimpedance Imaging Wearables
Previous Article in Journal
Design and Analysis of a Hand-Held Surgical Forceps with a Force-Holding Function
Previous Article in Special Issue
Lightweight Crypto-Ransomware Detection in Android Based on Reactive Honeyfile Monitoring
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Tiny Security Hole: First-Order Vulnerability of Masked SEED and Its Countermeasure

Department of Financial Information Security, Kookmin University, Seoul 02707, Republic of Korea
*
Author to whom correspondence should be addressed.
Submission received: 13 July 2024 / Revised: 18 August 2024 / Accepted: 9 September 2024 / Published: 11 September 2024
(This article belongs to the Special Issue Security, and Privacy in IoT and 6G Sensor Network)

Abstract

:
Side-channel analysis is a type of cryptanalysis that utilizes the physical leakage of a cryptographic device. An adversary exploits the relationship between a physical leakage and the secret intermediate value of an encryption algorithm. In order to prevent side-channel analysis, the masking method was proposed. Several masking methods of the ISO/IEC 18033-3 standard encryption algorithm SEED have been proposed, as the Korean financial IC (integrated circuit) card standard (CFIP.ST.FINIC-01-2021) mandates using a robust implementation of SEED as an encryption algorithm against side-channel analyses. However, vulnerabilities were reported, except for with only one masking method. This study proposes the first-order vulnerability of that masking method. That is, an adversary is able to perform a side-channel analysis with the same complexity as an unprotected implementation. In order to fix this vulnerability, we revise the masking method with negligible additional overhead. Its vulnerability and security are theoretically verified and experimentally demonstrated. The round key of the existing masking method is revealed with only 210 power consumption traces, while that of the proposed masking method is not disclosed with 10,000 traces.

1. Introduction

The physical leakages of computing devices, such as power consumption or electromagnetic emissions, are related to the data being processed. Hence, a cryptographic device could leak secret information through physical leakage. Side-channel analysis is a type of cryptanalysis that exploits a relationship between a physical leakage and the secret intermediate value of an encryption algorithm [1,2,3,4,5]. For instance, a correlation power analysis (CPA) reveals the secret key by investigating the correlation between power consumption and the hypothetical intermediate value calculated with a guessed key and known information (e.g., plaintext or ciphertext) [6]. Therefore, a security designer should implement an encryption algorithm so that the physical leakage is independent of a secret intermediate value [7,8,9]. Masking is a countermeasure against CPA that splits secret intermediate values using random masks [10]. The cryptographic device computes each share of the intermediate value separately. Hence, an adversary is unable to directly evaluate each guessed key based on the observed power consumption.
SEED is the ISO/IEC 18033-3 standard encryption algorithm developed by the Korea Internet and Security Agency (KISA) for financial applications [11]. Specifically, the Korean financial IC (integrated circuit) card standard mandates the use of a side-channel analysis-resistant SEED as its encryption algorithm [12]. Hence, several SEED masking methods have been proposed. Chang Kyun Kim et al. proposed the first masking method [13]. It was designed for memory efficiency by implementing two S-Boxes with one masked inverse table. To the best of our knowledge, the first-order vulnerability, which is that an intermediate value related to a secret key that is not concealed with a mask, of that masking method has not been reported. HeeSeok Kim et al. enhanced its computational efficiency by modifying the masked S-Box table to reduce the conversion from Boolean masking to arithmetic masking [14]. However, HeeSeok Kim’s masking method could be vulnerable because an adversary is able to reveal the mask by investigating the shape of the side-channel information emitted when calculating carry tables [15]. Therefore, this study inspects the vulnerability of Chang Kyun Kim’s masking method. To the best of our knowledge, the only known attack on a masking method is [16]. They proposed an efficient second-order CPA [17] attack when shuffling [10] and masking countermeasures are implemented.
Most Boolean masking schemes struggle to reduce the overhead related to the substitution operation. Linear operations require a few additional XOR operations because they generally consist of linear operations. In contrast, the substitution operation requires a precomputed table related to the mask. Consequently, the security designer typically focuses on constructing a masking scheme related to the substitution operation; security evaluators also target the substitution operation’s output. Our motivation is that the intermediate value of the linear operation could be exploited to disclose secret information with much lower attack complexity. This security hole could occur while combining substitution layer outputs in linear operations [18].
Our contributions
  • Revealing the first-order vulnerability of the masked SEED:
    We propose the first-order vulnerability of the existing SEED masking method, the only method for which a vulnerability has not been reported. This vulnerability allows an adversary to reveal the secret key of the algorithm with the same difficulty as the unprotected SEED.
  • Presenting a secure first-order SEED masking method:
    We patch the existing masking method to conceal every sensitive intermediate value. The proposed masking method does not use an additional random mask which necessitates a more expensive operation, such as a deterministic random number generator.
  • Demonstrating the vulnerability of the existing countermeasure and the robustness of the proposed countermeasure:
    The methods’ vulnerability and robustness are demonstrated by performing a CPA and test vector leakage assessment (TVLA) [19]. The round keys of the existing masking method are revealed with only 210 traces, whereas the CPA of the proposed method failed to reveal the key with 10,000 traces.

2. Preliminaries

2.1. SEED

SEED is a 128-bit symmetric key encryption algorithm with a 16-round Feistel structure [11]. Figure 1 shows the structure of its Feistel function F. The function first computes the XOR (⊕) between the 32-bit inputs (C and D) and round keys ( K i , 0 and K i , 1 ). Next, it calculates function G and the 32-bit modular addition (⊞) three times. Function G consists of two 8-bit S-Boxes S 1 , S 2 permutated by ANDing with the constants m 0 = 0 x fc , m 1 = 0 xf 3 , m 2 = 0 xcf , and m 3 = 0 x 3 f and XORing four bytes. That is, the permutation is composed of a 6-bit extraction of each of the four S-Box outputs and their XORing. The SEED S-Boxes are defined as follows:
S 1 x = A 1 · x 247 0 xa 9 , S 2 x = A 2 · x 251 0 x 38 ,
where A 1 and A 2 are constant binary matrices and x is an element of the finite field Z 2 8 .

2.2. CPA and TVLA

CPA is a traditional side-channel analysis method that exploits the relationship between the power consumption of a cryptographic device and the intermediate value related to its secret key. An adversary first chooses a proper power model that describes the relationship between the manipulated data and the device’s power consumption. For instance, an adversary may use the Hamming weight model, which assumes that the power consumption is linearly related to the number of bit 1s of data. The power model allows the adversary to estimate the power consumption corresponding to the intermediate value. Thus, the adversary is able to evaluate each candidate key in the keyspace. The adversary calculates the hypothetical intermediate value by assuming that the secret key is the candidate key. Then, the candidate key is evaluated in terms of the linearity between the power consumption and the hypothetical power consumption, which is calculated by inputting the hypothetical intermediate value into the power model. The linearity is measured by the Pearson correlation coefficient. If the candidate key is correct, then the hypothetical power consumption is linearly related to the power consumption; the absolute correlation coefficient is close to 1. If the candidate key is incorrect, then the hypothetical intermediate value is mostly not equal to the actual intermediate value; the correlation coefficient is close to 0. The adversary decides that the candidate key with the highest absolute correlation coefficient is the secret key. In order to evaluate the performance of a CPA, the guessing entropy and the success rate are typically employed [20]. The guessing entropy is defined as the average rank of the secret key when sorting keys by their corresponding correlation coefficients. The success rate is the proportion of attacks where the secret key is sorted first among several attacks. The convergence of the guessing entropy and success rate to 1 indicates that every CPA successfully discloses the secret key.
In order to evaluate CPA resistance, TVLA is generally utilized [19]. TVLA measures whether power consumption depends on a secret intermediate value. An evaluator first divides the power consumption traces into two sets using a sensitive intermediate value. For instance, one set is constructed using traces of specific fixed plaintext, while another is random plaintext traces. Next, the statistical difference between the two sets is measured by Welch’s t-test, a statistical hypothesis test. The null hypothesis of the t-test is that the two population means are equal. Thus, rejecting the null hypothesis suggests that the side-channel trace depends on the secret intermediate value. The statistic T-value is defined as follows:
T = μ A μ B σ A 2 N A + σ B 2 N B ,
where N A , μ A , and σ A are the size, mean, and standard deviation of A, respectively. If the absolute T-value exceeds the threshold, the null hypothesis is rejected in favor of the alternative hypothesis. For instance, if the absolute T-value is greater than 4.5, the null hypothesis is rejected with a confidence level of 99.999%.

2.3. Existing SEED Masking Method

Chang Kyun Kim et al. proposed a memory-efficient masking method that implements two S-Boxes with one masked lookup table M 1 , as illustrated in Figure 2 [11].
The power of x in Equation (1) can be calculated by x 247 = x 255 8 = x 1 8 , x 251 = x 255 4 = x 1 4 because x is an element of the finite field Z 2 8 . Therefore, for constant binary matrices C 1 and C 2 , the S-Boxes are expressed as follows:
S 1 x = A 1 · x 247 0 xa 9 = C 1 · x 1 0 xa 9 , S 2 x = A 2 · x 251 0 x 38 = C 2 · x 1 0 x 38 .
The above equations signify that only the lookup table for the masked inverse operation is required to implement two S-Boxes. The masked inverse lookup table M 1 is defined as follows:
M 1 x M 1 = x 1 M 4 ,
where M 1 and M 4 are random 8-bit numbers. As shown in Figure 2, masked the S-Boxes are calculated as follows:
M a s k e d S 1 x M 1 = C 1 · M 1 x M 1 M 6 = C 1 · x 1 M 4 M 6 = C 1 · x 1 C 1 · M 4 M 6 = C 1 · x 1 M 5 0 xa 9 M 6 = S 1 x M 3 , M a s k e d S 2 x M 1 = C 2 · M 1 x M 1 M 1 = C 2 · x 1 M 4 M 1 = C 2 · x 1 C 2 · M 4 M 1 = C 2 · x 1 M 2 0 x 38 M 1 = S 2 x M 3 ,
where M 2 , M 3 , M 5 , and M 6 are driven masks from M 1 and M 4 and defined as follows:
M 2 = C 2 · M 4 0 x 38 , M 3 = M 1 M 2 , M 5 = C 1 · M 4 0 xa 9 , M 6 = M 3 M 5 .

3. First-Order Vulnerability of Masked SEED

3.1. Theoretical Analysis

The motivation of the proposed method is that the operands of the last XOR operation of the function G are concealed with the same mask, M 3 . As XORing two masked intermediate values induces a canceling of the mask, the adversary is able to exploit the XOR output as an intermediate value of the first-order CPA. Even though the operands are ANDed before the XOR operation, a part of the mask is still canceled. The SEED AND constants m 0 , m 1 , m 2 , and m 3 are designed to extract 6 bits of the S-Box output. Each m i is the left rotation of m i 1 by 2. The binary representation of the constants is presented as follows:
m 0 = 1111 1100 2 , m 1 = 1111 0011 2 , m 2 = 1100 1111 2 , m 3 = 0011 1111 2 .
Let us define m i & j = m i m j and m i j = m i m j ¯ ; the bit of m i j is set as one if, and only if, the corresponding bit of m i is one but the bit of m j is zero. That is, m i j m i & j = 0 and m i j m i & j = m i . Similarly, let us define m i & j & k = m i m j m k and m i & j k = m i & j m k ¯ . The definition of the AND constants directly drives the two properties below:
Property 1.
For all distinct i , j 0 , 1 , 2 , 3 , HW m i & j = 4 and HW m i j = 2 .
Property 2.
For all distinct i , j , k 0 , 1 , 2 , 3 , m i & j k = m i k = m j k .
HW denotes the Hamming weight, the number of 1s in binary representation.
XOR is a binary operator; the last XOR does not calculate four operands simultaneously. In order to investigate intermediate values during the last XOR, we utilize the following property:
Property 3.
A C B C = A B C .
Proof. 
The XOR between A and B can be implemented by AND (∧) and OR (∨) as A B ¯ A ¯ B , where A ¯ is NOT A. Then, the following is derived:
A B C = A B ¯ A ¯ B C = A B ¯ C A ¯ B C = A B ¯ C A ¯ B C 0 = A B ¯ C A ¯ B C A B 0 = A B ¯ C A ¯ B C A B C ¯ C = A B ¯ C A ¯ B C A C ¯ C B C ¯ C = A C B ¯ C ¯ A ¯ C ¯ B C = A C B C ¯ A C ¯ B C = A C B C .
Without a loss of generality, let the XOR calculate four operands in order, from the left to the right of Figure 2. The first operands are S 2 X 3 M 3 m 2 and S 1 X 2 M 3 m 1 . Property 3 enables splitting the output of the first XOR, as shown below:
S 2 X 3 M 3 m 2 S 1 X 2 M 3 m 1 = S 2 X 3 M 3 m 1 & 2 m 2 1 S 1 X 2 M 3 m 1 & 2 m 1 2 = S 2 X 3 M 3 m 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 & 2 S 1 X 2 M 3 m 1 2 = S 2 X 3 S 1 X 2 m 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 .
As the output of AND between any two elements in the set m 1 & 2 , m 2 1 , m 1 2 is zero, Equation (2) drives the following:
S 2 X 3 M 3 m 2 S 1 X 2 M 3 m 1 m 1 & 2 = S 2 X 3 S 1 X 2 m 1 & 2 , S 2 X 3 M 3 m 2 S 1 X 2 M 3 m 1 m 2 1 = S 2 X 3 M 3 m 2 1 , S 2 X 3 M 3 m 2 S 1 X 2 M 3 m 1 m 1 2 = S 1 X 2 M 3 m 1 2 .
The above equations indicate that the first XOR output consists of four bits of the unmasked XORed S-Box outputs S 2 X 3 S 1 X 2 and two bits of the masked S 2 X 3 M 3 and S 1 X 2 M 3 attributed to Property 1.
Likewise, the output of the second XOR, whose operand is the first XOR output and S 2 X 1 M 3 , consists of six bits of the unmasked intermediate value. As the output of AND between any two elements in { m 0 & 1 & 2 , m 0 & 1 2 , m 1 & 2 0 , m 0 & 2 1 } is zero, the second XOR output can be split as shown in Equation (3). The second XOR output consists of two bits of each of the unmasked XORed S-Box outputs S 2 X 3 S 1 X 2 , S 2 X 3 S 2 X 1 , and S 1 X 2 S 2 X 1 and two bits of masked S 2 X 3 S 1 X 2 S 2 X 1 M 3 .
S 2 X 3 S 1 X 2 m 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 S 2 X 1 M 3 m 0 = S 2 X 3 S 1 X 2 m 1 & 2 0 m 0 & 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 S 2 X 1 M 3 m 0 = S 2 X 3 S 1 X 2 m 1 & 2 0 S 2 X 3 S 1 X 2 m 0 & 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 S 2 X 1 M 3 m 0 = S 2 X 3 S 1 X 2 m 1 0 S 2 X 3 S 1 X 2 m 0 & 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 S 2 X 1 M 3 m 0 Property = S 2 X 3 S 1 X 2 m 1 0 S 2 X 3 S 1 X 2 m 0 & 1 & 2 S 2 X 3 M 3 m 2 1 S 1 X 2 M 3 m 1 2 S 2 X 1 M 3 m 2 1 S 2 X 1 M 3 m 1 2 S 2 X 1 M 3 m 0 & 1 & 2 m 0 = m 0 1 m 0 & 1 = m 0 1 m 0 & 1 2 m 0 & 1 & 2 = m 2 1 m 1 2 m 0 & 1 & 2 = S 2 X 3 S 1 X 2 m 1 0 S 2 X 3 S 1 X 2 S 2 X 1 M 3 m 0 & 1 & 2 S 2 X 3 S 2 X 1 m 2 1 S 1 X 2 S 2 X 1 m 1 2 .
Equations (2) and (3) evidently verify the presence of an unmasked secret intermediate value. Namely, the existing masking method has a first-order vulnerability and enables the adversary to perform a first-order CPA with the XORed S-Box outputs. If the adversary knows the order of the XORs, the adversary can utilize the exact intermediate value, such as S 2 X 3 S 1 X 2 m 1 & 2 in Equation (2). Although the order is unkown to the adversary, the adversary can still perform a first-order CPA with the 8-bit XORed S-Box outputs. The left bits, which are not part of the intermediate value, like S 2 X 3 S 1 X 2 m 1 & 2 ¯ in Equation (2), drop the correlation. However, the 8-bit XORed S-Box outputs are still related to the power consumption.
The limitation of the proposed method is that it may reveal three of four bytes of the round key depending on the order of the XOR operation. Suppose that every four bytes of function G’s output is calculated by XORing four S-Box inputs in the same order. In this case, the round key associated with the last operand is unrelated to the proposed intermediate value, and the adversary reveals only three bytes of the round key; the round key related to the last operand is not revealed. On the other hand, if XOR calculates four operands in a different order, then the adversary reveals four bytes of the round key.

3.2. Experiments

The proposed method is demonstrated using the side-channel evaluation board ChipWhisperer-Lite XMEGA. A SEED compiled by avr-gcc 11.1.0 is executed on an 8-bit microcontroller ATXmega128D4-AU, and its power consumption during the calculation of the first function G is collected. The function G calculates the last XORs, from the left to the right of Figure 2. We measured 10,000 power consumption traces for each of the random plaintext and fixed plaintext encryptions for the TVLA. A CPA was performed ten times with different 10,000 traces to calculate the guessing entropy and success rate.
Figure 3 shows the point-wise T-value and the absolute correlation coefficient of the right intermediate value. The maximum absolute T-value of power consumption during the XOR operation is 76.1, which is considerably higher than the threshold of 4.5 (represented by the red line in the middle subplot of Figure 3). This outcome signifies that the null hypothesis is rejected with a confidence level of 99.999%. That is, the power consumption is related to the input; the mask does not conceal some of the intermediate values related to the input. For the CPA, we assume a practical attacker model in which the adversary does not know the order of the XORs; the 8 bits of the XORed S-Box outputs are used as an intermediate value. The bottom subplot of Figure 3 shows the absolute correlation coefficient of each intermediate value. X 3 , X 2 in the legend indicates that the intermediate value is S 2 X 3 S 1 X 2 . As expected, in Section 3.1, the power consumption is related to the secret intermediate value. The correlation of the intermediate value derived from the front three XOR operands is significantly high. As an example, X 3 , X 2 , X 3 , X 0 , and X 2 , X 1 are the proposed intermediate values for the first XOR operation over four inputs. The correlations of those intermediate values are significantly high during the first XOR operation (from 980 to 1640 points).
Figure 4 shows the absolute correlation coefficient of the correct and other keys according to the number of traces performed. If the number of traces exceeds 210, then the correlation of the correct key is greater than that of the 65,535 other incorrect keys. The correct key is evidently distinguishable if the number of traces exceeds 300. Figure 5 shows a guessing entropy and success rate that converge to one if the number of traces exceeds 210. Each CPA successfully reveals each round key with 210 traces. The CPA results exhibit the presence of a first-order vulnerability in the existing masking scheme.

4. Proposed Masking Scheme

4.1. Masking Scheme

The existing masking method has a first-order vulnerability because its S-Box outputs are concealed with the same mask. We patch this method by concealing the S-Box outputs with different masks. Figure 6 illustrates the proposed masking method. The dissimilarity between the proposed masking method and the existing method is highlighted. The outputs of C 1 and C 2 are already concealed with different masks, M 2 and M 5 , respectively. Therefore, the proposed masking method only remasks the first two bytes by XORing M 1 and M 2 instead of M 1 and M 6 , respectively, where M 1 = C 2 · M 1 and M 2 = C 1 · M 1 . After XORing four S-Box outputs, they are remasked to M 3 by XORing M 3 , M 4 , M 5 , and M 6 , where
M 3 = M 1 M 1 m 2 M 6 M 2 m 1 M 1 m 0 M 6 m 3 , M 4 = M 1 M 1 m 1 M 6 M 2 m 0 M 1 m 3 M 6 m 2 , M 5 = M 1 M 1 m 0 M 6 M 2 m 3 M 1 m 2 M 6 m 1 , M 6 = M 1 M 1 m 3 M 6 M 2 m 2 M 1 m 1 M 6 m 0 .
The proposed masking method does not use an additional random mask. Generating a random mask substantially increases the computational overhead because it requires more expensive operations, such as a deterministic random number generator. The proposed masking method requires only two more XOR operations per function G. The generation of masking requires a supplementary six bytes of memory, 20 XORs, and 16 ANDs. The additional overhead is negligible because the conversion from Boolean masking to arithmetic masking is the primary overhead of the masking method.
In order to validate the security of the proposed masking scheme, Property 4 is defined as follows:
Property 4.
M 2 M 5 and M 1 M 2 are uniformly distributed if M 4 and M 1 are uniformly chosen.
Proof. 
The definitions of C 1 and C 2 drive C 2 · i C 1 · i C 2 · j C 1 · j for any distinct i , j 0 , 1 , , 255 . □
Recall that M 2 = C 2 · M 4 0 x 38 , M 5 = C 1 · M 4 0 xa 9 , M 1 = C 2 · M 1 , and M 2 = C 1 · M 1 . The outputs of XOR between the two masks concealing the S-Box output are as shown below:
M 2 M 1 M 5 M 2 = M 2 M 5 M 1 M 2 , M 2 M 1 M 2 = M 1 , M 2 M 1 M 5 = M 2 M 5 M 1 , M 5 M 2 M 2 = M 2 M 5 M 2 , M 5 M 2 M 5 = M 2 , M 2 M 5 = M 2 M 5 .
The above masks are uniformly distributed because of Property 4. For example, M 2 M 5 and M 1 M 2 are driven by independently chosen masks M 4 and M 1 , respectively, and each is uniformly distributed. Therefore, the XOR output is also uniformly distributed.
The outputs of XOR between three masks concealing the S-Box output are shown below:
M 5 M 2 M 2 M 5 = M 2 M 2 , M 2 M 1 M 2 M 5 = M 1 M 5 , M 2 M 1 M 5 M 2 M 5 = M 2 M 1 M 2 , M 2 M 1 M 5 M 2 M 2 = M 5 M 1 M 2 .
Similarly, M 2 and M 5 are derived from mask M 4 , and M 1 , M 2 , and M 1 M 2 are derived from mask M 1 . Because M 1 and M 4 are independent, the output of XOR between any three masks is uniform.

4.2. Experiments

TVLA and CPA were performed in the same environment as in Section 3. All T-values are less than 4.5, as shown in the middle subplot of Figure 7; the maximum T-value is only 3.9. This result suggests that the difference between the means of the random plaintext traces and the fixed plaintext traces is insignificant. The proposed masking method successfully conceals intermediate values related to the input. In terms of the CPA, while the maximum absolute correlation coefficient of the existing masking method is 0.64, as shown in Figure 3, that of the proposed masking method is only as large as 0.04. This result suggests that the power consumption is unrelated to the proposed intermediate value, as shown in the bottom subplot.
CPA fails to reveal the secret key of the proposed masking method, as shown in Figure 8 and Figure 9. The absolute correlation coefficient of the correct key is less than that of an incorrect key for each S-Box output combination, as shown in Figure 8. Recall that the round key of the existing masking method was revealed with only 210 traces, and the correct key was clearly distinguishable from the incorrect keys, as shown in Figure 4. The correlation of the correct key when using the proposed method is indistinguishable even with 10,000 traces, and increasing the number of traces does not increase the correlation coefficient of the correct key. Each CPA fails to reveal the secret key, as shown in Figure 9. The guessing entropy is around 33,000, which is the expectation when the adversary randomly chooses the key. Moreover, increasing the number of traces does not decrease the guessing entropy. The results suggest that the proposed masking method does not have a first-order vulnerability.
We measured the number of clock cycles for each SEED component to compare the overhead between the existing and proposed countermeasures, as shown in Table 1 The ratio in the table is calculated by dividing the number of clock cycles of the proposed masking method by that of the existing masking method. As discussed in Section 4.1, the increase in overhead is negligible. The conversion from Boolean masking to arithmetic masking primarily contributes to the masking overhead. Although the number of clock cycles for the function G increased by 17 percentage points, the overall increase in encryption, including masking generation, is only 0.75 percentage points.

5. Conclusions

The existing masking method of the SEED has a first-order vulnerability because its S-Box outputs are concealed with the same mask. The mask is inevitably canceled because the function G performs XOR with its S-Box outputs. Hence, a CPA adversary is able to utilize the intermediate value of the last XOR operation and perform a first-order CPA on the masked SEED. That is, the adversary is able to disclose the secret key with the same complexity required as for its unprotected implementation. In order to fix the security hole, we proposed a masking method that concealed each S-Box output with a different mask but required negligible overhead. Its vulnerability and security were theoretically verified and practically demonstrated. A CPA performed on the existing masking method discloses the correct key with only 210 traces, whereas a CPA performed on the proposed masking method failed even with 10,000 traces.
The proposed security hole could also be present in other encryption algorithms. Although the AND operation is insufficient to prevent mask canceling, a security designer might mistakenly design a masking scheme to conceal the XOR operand with the same mask, like SEED. For instance, the block cipher ARIA also performs XOR on four S-Box outputs after the AND operation. Consequently, some ARIA masking methods might also have the same security holes as SEED masking. Our future work will investigate another masking scheme that has the proposed vulnerability and patch it.

Author Contributions

Formal analysis, J.-H.K. and D.-G.H.; Data curation; J.-H.K.; Investigation J.-H.K. and D.-G.H.; Writing—original draft, J.-H.K.; Writing—review and editing D.-G.H. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (RS-2024-00396269, Development of security verification and vulnerability analysis system for IC chips through fault injection).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The raw traces used in our demonstrations are available from the following link: https://1drv.ms/f/s!AjgtNjMfEUZWioNDyyzWaH0chGn3FQ?e=f0KP75 (accessed on 8 September 2024).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
CPAcorrelation power analysis
TVLAtest vector leakage assessment

References

  1. Kocher, P.C. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of the Advances in Cryptology—CRYPTO’96, 16th Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 1996; pp. 104–113. [Google Scholar] [CrossRef]
  2. Kocher, P.C.; Jaffe, J.; Jun, B. Differential Power Analysis. In Proceedings of the Advances in Cryptology—CRYPTO’99, 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 1999; pp. 388–397. [Google Scholar] [CrossRef]
  3. Gandolfi, K.; Mourtel, C.; Olivier, F. Electromagnetic Analysis: Concrete Results. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2001, Third International Workshop, Paris, France, 14–16 May 2001; pp. 251–261. [Google Scholar] [CrossRef]
  4. Genkin, D.; Shamir, A.; Tromer, E. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. In Proceedings of the Advances in Cryptology—CRYPTO 2014-34th Annual Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2014; pp. 444–461. [Google Scholar] [CrossRef]
  5. Ferrigno, J.; Hlavác, M. When AES blinks: Introducing optical side channel. IET Inf. Secur. 2008, 2, 94–98. [Google Scholar] [CrossRef]
  6. Brier, E.; Clavier, C.; Olivier, F. Correlation Power Analysis with a Leakage Model. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2004: 6th International Workshop, Cambridge, MA, USA, 11–13 August 2004; pp. 16–29. [Google Scholar] [CrossRef]
  7. Guilley, S.; Hoogvorst, P.; Mathieu, Y.; Pacalet, R. The “Backend Duplication” Method. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2005, 7th International Workshop, Edinburgh, UK, 29 August–1 September 2005; Rao, J.R., Sunar, B., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3659, pp. 383–397. [Google Scholar] [CrossRef]
  8. Blömer, J.; Guajardo, J.; Krummel, V. Provably Secure Masking of AES. In Proceedings of the Selected Areas in Cryptography, 11th International Workshop, SAC 2004, Waterloo, ON, Canada, 9–10 August 2004; Revised Selected Papers. Handschuh, H., Hasan, M.A., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3357, pp. 69–83. [Google Scholar] [CrossRef]
  9. Coron, J.; Goubin, L. On Boolean and Arithmetic Masking against Differential Power Analysis. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2000, Second International Workshop, Worcester, MA, USA, 17–18 August 2000; Koç, Ç.K., Paar, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1965, pp. 231–237. [Google Scholar] [CrossRef]
  10. Herbst, C.; Oswald, E.; Mangard, S. An AES Smart Card Implementation Resistant to Power Analysis Attacks. In Proceedings of the Applied Cryptography and Network Security, 4th International Conference, ACNS 2006, Singapore, 6–9 June 2006; pp. 239–252. [Google Scholar] [CrossRef]
  11. Yoon, J.; Lee, S.; Cheon, D.H.; Lee, J.; Lee, H. Information Technology—Security Techniques—Encryption Aalgorithms. 2010. Available online: https://www.iso.org/standard/54531.html (accessed on 8 September 2024).
  12. CFIP. ST.FINIC-01-2021; Standards for Financial IC Cards Specification. Bank of Korea: Seoul, Republic of Korea, 2021.
  13. Kyun, K.C.; Ho, J.C.; Hwan, P.I.; Joong, Y.E. Masking Method of Defending Differential Power Analysis Attack in Seed Encryption Algorithm. U.S. Patent 8 391 476, 11 January 2010. [Google Scholar]
  14. Kim, H.; Cho, Y.; Choi, D.; Han, D.; Hong, S. Efficient masked implementation for SEED based on combined masking. ETRI J. 2011, 33, 267–274. [Google Scholar] [CrossRef]
  15. Kim, T.; Chang, N.S. Analysis on vulnerability of masked seed algorithm. J. Korea Inst. Inf. Secur. Cryptol. 2015, 25, 739–747. [Google Scholar] [CrossRef]
  16. Won, Y.; Park, A.; Han, D. Novel Leakage Against Realistic Masking and Shuffling Countermeasures-Case Study on PRINCE and SEED. In Proceedings of the Information Security and Cryptology—ICISC 2017-20th International Conference, Seoul, Republic of Korea, 29 November–1 December 2017; Revised Selected Papers. Kim, H., Kim, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10779, pp. 139–154. [Google Scholar] [CrossRef]
  17. Messerges, T.S. Using Second-Order Power Analysis to Attack DPA Resistant Software. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2000, Second International Workshop, Worcester, MA, USA, 17–18 August 2000; Koç, Ç.K., Paar, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1965, pp. 238–251. [Google Scholar] [CrossRef]
  18. Kim, J.H.; Sim, B.Y.; Han, D.G. SIV: Raise the Correlation of Second-Order Correlation Power Analysis to 1.00. Appl. Sci. 2020, 10, 3394. [Google Scholar] [CrossRef]
  19. Becker, G.T.; Cooper, J.; DeMulder, E.K.; Goodwill, G.; Jaffe, J.; Kenworthy, G.; Kouzminov, T.; Leiserson, A.J.; Marson, M.E.; Rohatgi, P.; et al. Test Vector Leakage Assessment (TVLA) Methodology in Practice; ACM: Beijing, China, 2013. [Google Scholar]
  20. Standaert, F.; Malkin, T.; Yung, M. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In Proceedings of the Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, 26–30 April 2009; Joux, A., Ed.; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5479, pp. 443–461. [Google Scholar] [CrossRef]
Figure 1. Structure of the SEED Feistel function F. A rounded rectangle is an operation, and a sharp rectangle is an intermediate value.
Figure 1. Structure of the SEED Feistel function F. A rounded rectangle is an operation, and a sharp rectangle is an intermediate value.
Sensors 24 05894 g001
Figure 2. Masked function G of the existing masking scheme.
Figure 2. Masked function G of the existing masking scheme.
Sensors 24 05894 g002
Figure 3. Point-wise T-values and absolute correlation coefficients of the proposed intermediate value over 10,000 traces. The XOR part is the output byte-wise AND and XOR calculations. (Top: power consumption, middle: absolute T-value, bottom: absolute correlation coefficient of the correct key.)
Figure 3. Point-wise T-values and absolute correlation coefficients of the proposed intermediate value over 10,000 traces. The XOR part is the output byte-wise AND and XOR calculations. (Top: power consumption, middle: absolute T-value, bottom: absolute correlation coefficient of the correct key.)
Sensors 24 05894 g003
Figure 4. Absolute correlation coefficients of the correct key and incorrect keys according to the number of traces used.
Figure 4. Absolute correlation coefficients of the correct key and incorrect keys according to the number of traces used.
Sensors 24 05894 g004
Figure 5. Guessed entropy and success rate derived from 10 CPAs.
Figure 5. Guessed entropy and success rate derived from 10 CPAs.
Sensors 24 05894 g005
Figure 6. Masked function G of the proposed masking scheme.
Figure 6. Masked function G of the proposed masking scheme.
Sensors 24 05894 g006
Figure 7. Point-wise T-values and absolute correlation coefficients of the proposed intermediate value over 10,000 traces. The XOR part is the output byte-wise AND and XOR calculations. The remask part changes the mask to M 3 after XORing the four S-Box outputs. (Top: power consumption, middle: absolute T-value, bottom: absolute correlation coefficient of the correct key.)
Figure 7. Point-wise T-values and absolute correlation coefficients of the proposed intermediate value over 10,000 traces. The XOR part is the output byte-wise AND and XOR calculations. The remask part changes the mask to M 3 after XORing the four S-Box outputs. (Top: power consumption, middle: absolute T-value, bottom: absolute correlation coefficient of the correct key.)
Sensors 24 05894 g007
Figure 8. Absolute correlation coefficients of the correct key and incorrect keys according to the number of traces used.
Figure 8. Absolute correlation coefficients of the correct key and incorrect keys according to the number of traces used.
Sensors 24 05894 g008
Figure 9. Guessed entropy and success rate derived from ten CPAs.
Figure 9. Guessed entropy and success rate derived from ten CPAs.
Sensors 24 05894 g009
Table 1. Number of clock cycles for each SEED component.
Table 1. Number of clock cycles for each SEED component.
Existing Masking
(Clock Cycle)
Proposed Masking
(Clock Cycle)
Ratio
Masking generation71747246101.00%
Function G136160117.65%
Entire encryption153,821154,973100.75%
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kim, J.-H.; Han, D.-G. Tiny Security Hole: First-Order Vulnerability of Masked SEED and Its Countermeasure. Sensors 2024, 24, 5894. https://doi.org/10.3390/s24185894

AMA Style

Kim J-H, Han D-G. Tiny Security Hole: First-Order Vulnerability of Masked SEED and Its Countermeasure. Sensors. 2024; 24(18):5894. https://doi.org/10.3390/s24185894

Chicago/Turabian Style

Kim, Ju-Hwan, and Dong-Guk Han. 2024. "Tiny Security Hole: First-Order Vulnerability of Masked SEED and Its Countermeasure" Sensors 24, no. 18: 5894. https://doi.org/10.3390/s24185894

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop