Algebraic side‐channel attacks on Trivium stream cipher

Impact factor 1.5 | CAS Zone 4, Computer Science | JCR Q3, Engineering, Electrical & Electronic | IET Communications | Published: 2024-05-02 | DOI: 10.1049/cmu2.12752
Wenlong Sun, Jie Guan
Citations: 0

Abstract

Algebraic Side-Channel Attacks (ASCAs), first proposed by Renauld and Standaert in 2009, are a potent cryptanalysis method against block ciphers. In this paper, the authors are the first to apply ASCAs to the security analysis of the Trivium stream cipher, chosen for its concise algebraic structure. Because Trivium is efficient in both hardware and software, the authors target two kinds of implementation: an application-specific integrated circuit (ASIC) under the Hamming Distance Leakage Model (HDLM), denoted CASE 1, and microcontrollers with various bus widths (common 8-bit, 16-bit and 32-bit architectures, denoted CASE 2, CASE 3 and CASE 4, respectively) under the Hamming Weight Leakage Model (HWLM). The attacks are conducted on power-simulated targets, not on real devices. For a single power consumption trace without measurement errors, the paper reports experimental results obtained with MiniSat 2.0. The authors were unable to break the ASIC implementation under HDLM (CASE 1): the time complexity is about 2^109 s, which is worse than exhaustive key search. For CASEs 2 to 4, the complete 288-bit state of Trivium can be recovered within a reasonable time. Specifically, for CASE 2 the success rate reaches 100% with an average solving time below 1 s when only the leakages of the first eight consecutive rounds are measured. The internal state can still be recovered from the leakages of the first 41 rounds when a random fraction of the measurements is lost; in fact, a 74% random loss rate is tolerated over the first 223 rounds. Potential measurement errors are handled with Tolerant ASCA (TASCA).
Under TASCA the picture is the same: CASE 1 cannot be compromised even without errors, whereas the internal state of CASEs 2 to 4 is still recovered from a single power trace even at high error rates, up to 100% incorrect measurements. Surprisingly, for CASEs 2 to 4 the success rate stays at 100% regardless of the error rate. Consequently, moving Trivium from a smaller 8-bit platform to a larger 32-bit platform does not improve its security. Finally, the authors consider some more abstract attack models. The results provide additional insight into the security of Trivium from a different perspective.
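To make the two leakage models concrete, the following added simulation (not the paper's code) clocks the 288-bit Trivium state and records, per round, what a simulated trace would expose under each model. It assumes that under HWLM the observable is the Hamming weight of each bus-width word of the state (8, 16 or 32 bits for CASEs 2 to 4) and that under HDLM it is the Hamming distance of the whole register across one clock (CASE 1); the function names and the bit-list representation are this example's own.

```python
# Trivium state update plus the two leakage models named in the abstract.
# Added educational simulation, not the paper's code. Assumptions: HWLM
# observable = Hamming weight of every bus-width word of the state per round;
# HDLM observable = Hamming distance of the 288-bit register across one clock.

def trivium_init(key, iv):
    """Load an 80-bit key and 80-bit IV (lists of 0/1) into the 288-bit state."""
    assert len(key) == 80 and len(iv) == 80
    s = [0] * 288
    s[0:80] = key            # s1..s80   <- key
    s[93:173] = iv           # s94..s173 <- IV
    s[285:288] = [1, 1, 1]   # s286, s287, s288 are fixed to 1
    return s

def trivium_round(s):
    """One clock of Trivium (spec indices shifted by one). Returns (new_state, z)."""
    t1 = s[65] ^ s[92]
    t2 = s[161] ^ s[176]
    t3 = s[242] ^ s[287]
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]
    t2 ^= (s[174] & s[175]) ^ s[263]
    t3 ^= (s[285] & s[286]) ^ s[68]
    # the three registers shift by one and take t3, t1, t2 as new first bits
    return [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287], z

def hw_leak(s, width):
    """HWLM (CASEs 2-4): Hamming weight of each width-bit word of the state."""
    return [sum(s[i:i + width]) for i in range(0, 288, width)]

def hd_leak(prev, cur):
    """HDLM (CASE 1): Hamming distance of the full register between two clocks."""
    return sum(a ^ b for a, b in zip(prev, cur))

def simulate(key, iv, rounds, width):
    """Clock Trivium `rounds` times; return per-round (HW word list, HD) samples."""
    s = trivium_init(key, iv)
    samples = []
    for _ in range(rounds):
        nxt, _z = trivium_round(s)
        samples.append((hw_leak(nxt, width), hd_leak(s, nxt)))
        s = nxt
    return samples
```

With the 8-bit width each round yields 36 small integers, which is the kind of constraint set the paper feeds to a SAT solver; the ASIC model yields a single distance per round, far less information, matching the abstract's finding that CASE 1 resists the attack.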
Source journal: IET Communications (Engineering & Technology: Electronic and Electrical Engineering)

CiteScore: 4.30
Self-citation rate: 6.20%
Articles per year: 220
Review time: 5.9 months

Journal description: IET Communications covers the fundamental and generic research for a better understanding of communication technologies to harness the signals for better performing communication systems using various wired and/or wireless media. This Journal is particularly interested in research papers reporting novel solutions to the dominating problems of noise, interference, timing and errors for reducing system deficiencies such as wasting scarce resources such as spectra, energy and bandwidth. Topics include, but are not limited to: Coding and Communication Theory; Modulation and Signal Design; Wired, Wireless and Optical Communication; Communication System Special Issues. Current Call for Papers: Cognitive and AI-enabled Wireless and Mobile - https://digital-library.theiet.org/files/IET_COM_CFP_CAWM.pdf UAV-Enabled Mobile Edge Computing - https://digital-library.theiet.org/files/IET_COM_CFP_UAV.pdf