Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD
The recently adopted Ascon standard by NIST offers a lightweight authenticated encryption algorithm for use in resource-constrained cryptographic devices. To help assess side-channel attack risks of Ascon implementations, we present the first template attack based on analyzing power traces, recorde...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Ruhr-Universität Bochum
2023-08-01
|
| Series: | Transactions on Cryptographic Hardware and Embedded Systems |
| Subjects: | |
| Online Access: | https://tches.iacr.org/index.php/TCHES/article/view/11169 |
| _version_ | 1797718855951319040 |
|---|---|
| author | Shih-Chun You Markus G. Kuhn Sumanta Sarkar Feng Hao |
| author_facet | Shih-Chun You Markus G. Kuhn Sumanta Sarkar Feng Hao |
| author_sort | Shih-Chun You |
| collection | DOAJ |
| description |
The recently adopted Ascon standard by NIST offers a lightweight authenticated encryption algorithm for use in resource-constrained cryptographic devices. To help assess side-channel attack risks of Ascon implementations, we present the first template attack based on analyzing power traces, recorded from an STM32F303 microcontroller board running Weatherley’s 32-bit implementations of Ascon-128. Our analysis combines a fragment template attack with belief-propagation and key-enumeration techniques. The main results are three-fold: (1) we reached 100% success rate from a single trace if the C compiler optimized the unmasked implementation for space, (2) the success rate was about 95% after three traces if the compiler optimized instead for time, and (3) we also attacked a masked version, where the success rate was over 90% with 20 traces of executions with the same key, all after enumerating up to 224 key candidates. These results show that suitably-designed template attacks can pose a real threat to Ascon implementations, even if protected by first-order masking, but we also learnt how some differences in programming style, and even compiler optimization settings, can significantly affect the result.
|
| first_indexed | 2024-03-12T08:56:17Z |
| format | Article |
| id | doaj.art-ef6c29613ffa4741a10d377b9cb48c9e |
| institution | Directory Open Access Journal |
| issn | 2569-2925 |
| language | English |
| last_indexed | 2024-03-12T08:56:17Z |
| publishDate | 2023-08-01 |
| publisher | Ruhr-Universität Bochum |
| record_format | Article |
| series | Transactions on Cryptographic Hardware and Embedded Systems |
| spelling | doaj.art-ef6c29613ffa4741a10d377b9cb48c9e2023-09-02T16:01:05ZengRuhr-Universität BochumTransactions on Cryptographic Hardware and Embedded Systems2569-29252023-08-012023410.46586/tches.v2023.i4.344-366Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEADShih-Chun You0Markus G. Kuhn1Sumanta Sarkar2Feng Hao3University of Cambridge, Cambridge, UKUniversity of Cambridge, Cambridge, UKUniversity of Warwick, Coventry, UKUniversity of Warwick, Coventry, UK The recently adopted Ascon standard by NIST offers a lightweight authenticated encryption algorithm for use in resource-constrained cryptographic devices. To help assess side-channel attack risks of Ascon implementations, we present the first template attack based on analyzing power traces, recorded from an STM32F303 microcontroller board running Weatherley’s 32-bit implementations of Ascon-128. Our analysis combines a fragment template attack with belief-propagation and key-enumeration techniques. The main results are three-fold: (1) we reached 100% success rate from a single trace if the C compiler optimized the unmasked implementation for space, (2) the success rate was about 95% after three traces if the compiler optimized instead for time, and (3) we also attacked a masked version, where the success rate was over 90% with 20 traces of executions with the same key, all after enumerating up to 224 key candidates. These results show that suitably-designed template attacks can pose a real threat to Ascon implementations, even if protected by first-order masking, but we also learnt how some differences in programming style, and even compiler optimization settings, can significantly affect the result. https://tches.iacr.org/index.php/TCHES/article/view/11169ASCONpower analysistemplate attackSASCA |
| spellingShingle | Shih-Chun You Markus G. Kuhn Sumanta Sarkar Feng Hao Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD Transactions on Cryptographic Hardware and Embedded Systems ASCON power analysis template attack SASCA |
| title | Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD |
| title_full | Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD |
| title_fullStr | Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD |
| title_full_unstemmed | Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD |
| title_short | Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD |
| title_sort | low trace count template attacks on 32 bit implementations of ascon aead |
| topic | ASCON power analysis template attack SASCA |
| url | https://tches.iacr.org/index.php/TCHES/article/view/11169 |
| work_keys_str_mv | AT shihchunyou lowtracecounttemplateattackson32bitimplementationsofasconaead AT markusgkuhn lowtracecounttemplateattackson32bitimplementationsofasconaead AT sumantasarkar lowtracecounttemplateattackson32bitimplementationsofasconaead AT fenghao lowtracecounttemplateattackson32bitimplementationsofasconaead |