DOAJ (DOAJ: Directory of Open Access Journals), Jun 1, 2020
Since Kocher (CRYPTO'96) proposed the timing attack, side channel analysis (SCA) has shown great potential to break cryptosystems via physical leakage. Recently, deep learning techniques have been widely used in SCA and show equivalent or even better performance compared to traditional methods. However, it remains unknown why and when deep learning techniques are effective and efficient for SCA. Masure et al. (IACR TCHES 2020(1):348-375) illustrated that the deep learning paradigm is suitable for evaluating implementations against SCA from a worst-case scenario point of view, yet their work is limited to balanced data and a specific loss function. Besides, deep learning metrics are not consistent with side channel metrics. In most cases, they are deceptive in foreseeing the feasibility and complexity of mounting a successful attack, especially for imbalanced data. To mitigate the gap between deep learning metrics and side channel metrics, we propose a novel Cross Entropy Ratio (CER) metric to evaluate the performance of deep learning models for SCA. CER is closely related to the traditional side channel metrics Guessing Entropy (GE) and Success Rate (SR) and fits the deep learning scenario. Besides, we show that it works stably while deep learning metrics such as accuracy become rather unreliable when the training data tends to be imbalanced. Moreover, estimating CER can be done as easily as the natural metrics of deep learning algorithms, with low computational complexity. Furthermore, we adapt the CER metric to a new kind of loss function, namely the CER loss function, designed specifically for deep learning in the side channel scenario. In this way, we link the SCA objective directly to deep learning optimization. Our experiments on several datasets show that, for SCA with imbalanced data, the CER loss function outperforms the Cross Entropy loss function in various conditions.
In recent years, various deep learning techniques have been exploited in side channel attacks, with the anticipation of obtaining more appreciable attack results. Most of them concentrate on improving network architectures or putting forward novel algorithms, assuming that there are adequate profiling traces available to train an appropriate neural network. However, in practical scenarios, profiling traces are probably insufficient, which makes the network learn deficiently and compromises attack performance. In this paper, we investigate a data augmentation technique called mixup and are the first to propose exploiting it in deep learning based side channel attacks, for the purpose of expanding the profiling set and increasing the chances of mounting a successful attack. We perform Correlation Power Analysis on generated traces and original traces, and discover that there exists consistency between them regarding leakage information. Our experiments show that mixup is truly capable of enhancing attack performance, especially for insufficient profiling traces. Specifically, when the size of the training set is decreased to 30% of the original set, mixup can significantly reduce the number of attacking traces required. We test three mixup parameter values and conclude that generally all of them bring about improvements. Besides, we compare three leakage models and unexpectedly find that the least significant bit model, which is less frequently used in previous works, actually surpasses the prevalent identity model and Hamming weight model in terms of attack results. Index Terms: side channel attacks, deep learning, mixup, leakage model
The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq
On an attack on RSA with small CRT-exponents. SCIENTIA SINICA Informationis 41, 173 (2011); Structure and prime decomposition law and relative extensions of abelian fields with prime power degree. Science in China Series A-Mathematics 42, 816 (1999).
In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is to combine all the equations and solve one multivariate equation by generic lattice approaches. Since the equation form is similar to the multi-prime Φ-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.
In recent years, convolutional neural networks (CNNs) have received a lot of interest in the side-channel community. Previous work has shown that CNNs have the potential of breaking cryptographic algorithms protected with masking or desynchronization. Previously, several CNN models have been exploited, reaching the same or even better level of performance compared to the traditional side-channel attack (SCA). In this paper, we investigate the architecture of the Residual Network and build a new CNN model called the attention network. To enhance the power of the attention network, we introduce an attention mechanism, the Convolutional Block Attention Module (CBAM), and incorporate CBAM into the CNN architecture. CBAM points out the informative points of the input traces and makes the attention network focus on the relevant leakages of the measurements. It is able to improve the performance of the CNNs, because the irrelevant points will introduce extra noise and cause a worse perform...
In this paper, we study the security of multi-prime RSA whose modulus is N = p_1 p_2 ⋯ p_r for r ≥ 3 with small prime difference of size N^γ. In ACISP 2013, Zhang and Takagi showed a Fermat-like factoring attack, which can directly factor N for γ < 1/r^2. We improve this bound to theoretically achieve γ < 2/(r(r+2)) by a new factoring attack. Furthermore, we also analyse specific MPRSA with imbalanced prime factors. Experimental results are provided to show the efficiency of our attack.
We revisit the factoring with known bits problem on general RSA moduli of the form N = p^r q^s for r, s ≥ 1, where the two primes p and q are of the same bit-size. The relevant moduli include pq, p^r q for r > 1, and p^r q^s for r, s > 1, which are used in the standard RSA scheme and other RSA-type variants. Previous works acquired their results mainly by solving univariate modular equations. In contrast, in this paper we investigate how to efficiently factor N = p^r q^s with given leakage of the primes by the integer method using the lattice-based technique. More precisely, factoring general RSA moduli with known most significant bits (MSBs) of the primes can be reduced to solving bivariate integer equations, which was first proposed by Coppersmith to factor N = pq with known high bits. Our results provide a unifying solution to the factoring with known bits problem on general RSA moduli. Furthermore, we reveal that there exists an improved factoring attack via the integer method for particular RSA moduli like p^3 q^2 and p^5 q^3.
Numerous previous works have studied deep learning algorithms applied in the context of side-channel attacks and demonstrated the ability to perform successful key recoveries. These studies show that modern cryptographic devices are increasingly threatened by side-channel attacks aided by deep learning. However, the existing countermeasures are designed to resist classical side-channel attacks and cannot protect cryptographic devices from deep learning based side-channel attacks. Thus, there arises a strong need for countermeasures against deep learning based side-channel attacks. Although deep learning has high potential in solving complex problems, it is vulnerable to adversarial attacks in the form of subtle perturbations to inputs that lead a model to predict incorrectly. In this paper, we propose a novel kind of countermeasure based on adversarial attacks that is specifically designed against deep learning based side-channel attacks. We estimate several models ...
2018 IEEE Third International Conference on Data Science in Cyberspace (DSC)
Quadratic functions F_{p,n} defined from F_p^n to F_p with coefficients in F_p have been studied in several papers. In 2014, Meidl, Roy and Topuzoğlu gave three methods for enumeration of such functions with prescribed Walsh spectrum. They obtained the generating functions for the counting functions when n is odd and relatively prime to p, or when n = 2m for odd m and p = 2. In 2015, Cesmelioğlu and Meidl presented the generating functions when n is even and relatively prime to p for odd p. In this paper, we extend previous results and propose the generic generating functions for the counting functions for arbitrary n and p. In particular, the respective numbers of bent functions and semi-bent functions are determined.
In this paper, we study the security of multi-prime RSA whose modulus is N = p_1 p_2 ⋯ p_r for r ≥ 3 with small prime difference of size N^γ. In ACISP 2013, Zhang and Takagi showed a Fermat-like factoring attack, which can directly factor N for γ < 1/r^2. We improve this bound to theoretically achieve γ < 2/(r(r+2)) by a new factoring attack. Furthermore, we also analyse specific MPRSA with imbalanced prime factors. Experimental results are provided to show the efficiency of our attack.
Persistent Fault Attack (PFA) is a recently proposed Fault Attack (FA) method from CHES 2018. It is able to recover the full AES secret key in the Single-Byte-Fault scenario. It has been demonstrated that classical FA countermeasures, such as Dual Modular Redundancy (DMR) and mask protection, are unable to thwart PFA. In this paper, we propose a fast detection and fault-correction algorithm to prevent PFA. We construct a fixed input and output pair to detect faults rapidly. Then we build two extra redundant tables to store the relationship between adjacent elements in the S-box, by which the algorithm can correct the faulty elements in the S-box. Our experimental results show that our algorithm can effectively prevent PFA in both Single-Byte-Fault and Multiple-Bytes-Faults scenarios. Compared with the classical FA countermeasures, our algorithm has a much better effect against PFA. Further, the time cost of our algorithm is 40% lower than that of the classical FA countermeasures.
Papers by Mengce Zheng