Collision-Correlation Attack Against a First-Order Masking Scheme for MAC Based on SHA-3

  • Luk Bettale
  • Emmanuelle Dottax
  • Laurie Genelle
  • Gilles Piret
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8622)


In 2012, Keccak was selected as the winner of the SHA-3 competition, and NIST recently announced the standardization of a keyed version for message authentication codes. In this paper, we consider an implementation of this keyed function, protected against first-order side-channel analysis with an efficient masking scheme proposed by the designers. We show that this masking scheme is vulnerable to a non-linear collision-correlation attack. Our attack has the advantage of requiring no assumption on device-dependent parameters, and hence constitutes an interesting alternative to second-order differential analysis.


Keywords: SHA-3, Side-channel analysis, Collision attack, Masking scheme


  1. Akkar, M.-L., Bévan, R., Dischamp, P., Moyart, D.: Power analysis, what is now possible. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 489–502. Springer, Heidelberg (2000)
  2. Bertoni, G., Daemen, J., Debande, N., Le, T.H., Peeters, M., Van Assche, G.: Power analysis of hardware implementations protected with secret sharing. In: 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 9–16. IEEE Computer Society (2012)
  3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Building power analysis resistant implementations of Keccak. In: Second SHA-3 Candidate Conference (2010)
  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic Sponge Functions, Version 0.1 (2011)
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak Reference, Version 3.0 (2013)
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak implementation overview, Version 3.2 (2012)
  7. Bilgin, B., Daemen, J., Nikov, V., Nikova, S., Rijmen, V., Van Assche, G.: Efficient and first-order DPA resistant implementations of Keccak. In: Francillon, A., Rohatgi, P. (eds.) Smart Card Research and Advanced Applications. LNCS, vol. 8419, pp. 187–199. Springer, Heidelberg (2014)
  8. Biryukov, A., Khovratovich, D.: Two new techniques of side-channel cryptanalysis. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 195–208. Springer, Heidelberg (2007)
  9. Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007)
  10. Bogdanov, A.: Multiple-differential side-channel collision attacks on AES. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 30–44. Springer, Heidelberg (2008)
  11. Bogdanov, A., Kizhvatov, I., Pyshkin, A.: Algebraic methods in side-channel collision attacks and practical collision detection. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 251–265. Springer, Heidelberg (2008)
  12. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye and Quisquater [19], pp. 16–29
  13. Chari, S., Jutla, C., Rao, J., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener [36], pp. 398–412
  14. Chari, S., Rao, J., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–29. Springer, Heidelberg (2003)
  15. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Improved collision-correlation power analysis on first order protected AES. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 49–62. Springer, Heidelberg (2011)
  16. Dabosville, G., Doget, J., Prouff, E.: A new second-order side channel attack based on linear regression. IEEE Trans. Comput. 62(8), 1629–1640 (2013)
  17. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)
  18. Briais, S., et al.: 3D hardware canaries. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 1–22. Springer, Heidelberg (2012)
  19. Joye, M., Quisquater, J.-J. (eds.): CHES 2004. LNCS, vol. 3156. Springer, Heidelberg (2004)
  20. Kelsey, J.: SHA3 - past, present, and future. Presented at the rump session of CHES 2013 (2013)
  21. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  22. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener [36], pp. 388–397
  23. Ledig, H., Muller, F., Valette, F.: Enhancing collision attacks. In: Joye and Quisquater [19], pp. 176–190
  24. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)
  25. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)
  26. Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 125–139. Springer, Heidelberg (2010)
  27. Oswald, E., Mangard, S., Herbst, C., Tillich, S.: Practical second-order DPA attacks for masked smart card implementations of block ciphers. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 192–207. Springer, Heidelberg (2006)
  28. Prouff, E., Rivain, M., Bévan, R.: Statistical analysis of second order differential power analysis. IEEE Trans. Comput. 58(6), 799–811 (2009)
  29. Quisquater, J.J., Samyde, D.: A new tool for non-intrusive analysis of smart cards based on electro-magnetic emissions, the SEMA and DEMA methods. Presented during EUROCRYPT'00 Rump Session (2000)
  30. Roche, T., Lomné, V.: Collision-correlation attack against some 1st-order boolean masking schemes in the context of secure devices. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 114–136. Springer, Heidelberg (2013)
  31. Schramm, K., Leander, G., Felke, P., Paar, C.: A collision-attack on AES (Combining Side Channel and Differential-Attack). In: Joye and Quisquater [19], pp. 163–175
  32. Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)
  33. Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010)
  34. Taha, M., Schaumont, P.: Side-channel analysis of MAC-Keccak. In: IEEE International Symposium on Hardware-Oriented Security and Trust - HOST 2013. IEEE Computer Society (2013)
  35. Walter, C.D.: Sliding windows succumbs to big mac attack. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001)
  36. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)
  37. Zohner, M., Kasper, M., Stöttinger, M., Huss, S.A.: Side channel analysis of the SHA-3 finalists. In: Rosenstiel, W., Thiele, L. (eds.) Design, Automation and Test in Europe Conference & Exhibition, DATE 2012, pp. 1012–1017. IEEE Computer Society (2012)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Luk Bettale (1)
  • Emmanuelle Dottax (1)
  • Laurie Genelle (1)
  • Gilles Piret (1)
  1. Oberthur Technologies, Colombes, France
