1. Introduction
Wireless sensor networks (WSN) provide promising solutions in a wide range of applications, such as military, healthy care, industrial monitoring, traget localization and tracing. Sensor nodes that consist the WSN are usually placed in protentially hostile enviremont and face various kinds of challenges [1]-[3]. For the needs of security, cryptographic algorithms are used to implement authentications and encrypted communications in WSN. Advanced Encryption Standard (AES), adopted by USA government in 2002 [4], is ideal for the resources-constrained sensor nodes because of its high speed and low cost. As a standard encryption algorithm in wireless communication [5], AES is widely used in current WSN platforms.
However, wireless sensor nodes are vulnerable to side-channel attacks. Since proposed by Kocher et al. [6], side-channel attacks have been known as efficient to recover the key by eavesdropping the physical information (e.g., power consumption, electro-magnetic radiation) leaked by target devices [7]-[10]. These attacks are more efficient than traditional cryptanalysis. They do not interrupt operations of the target device, so they can be conducted stealthily on wireless sensor nodes without being detected [11],
Side-channel collision attack, as a combination of side-channel attack and cryptanalysis, was proposed in 2003 by Schramm et al. against DES [12], and was applied to AES [13] soon after that. Improved collision attacks were presented subsequently [14]-[17]. Most collision attacks are highly sensitive to errors, namely false positives of collision detections [18], which usually happen when the noise level is high. Gérard et al. [18] introduced Low Density Parity Check (LDPC) decoding approach to deal with errors, which made their work more efficient than previous methods. However, there are two problems for LDPC method. First, the computational complexity of the offline stage is high, due to its framework. Second, the online stage (power acquisition stage) is very time-consuming, because all the acquired power traces need to be saved.
In this paper, we propose an efficient and error robust collision attack. The new framework of our approach is based on a double sieve model, which ensures the efficiency and success rate of attacks. A bitwise collision detection method is proposed, which greatly reduces the time for online stage by reducing the number of saved traces. The computational complexity of the framework is low, so the key can be recovered very fast. Practical attacks on AES and experimental results show that our approach is more efficient than previous methods.
The rest of this paper is organized as follows. In Section 2, we briefly introduce the notations and recall previous collision attacks. In Section 3, we propose the framework of our new collision attack. In Section 4, we describe the bitwise collision detection method. In Section 5, we present the experiments of our new attack. An error-tolerant version of our attack is presented in Section 6, and the efficiency is analyzed in Section 7. Finally, Section 8 concludes the paper.
2. Preliminary
2.1 Notations
The cryptographic algorithm we focus on in this paper is AES. The 16-bytes plaintext and first-round sub key are denoted as P = {p1,⋯,p16} and K = {k1,⋯,k16}. Plaintexts and power traces are numbered by superscript, and the ith plaintext and power trace are written as Pi and Ti. The operations of 16 S-Boxes are handled sequentially, so a power trace can be cut into 16 sections, each of which is composed of l points. The section corresponding to the ath S-Box is denoted as Ta = {ta,1, ta,2,⋯,ta,l}. Averaged power traces are used in our attack, denoted as
2.2 Linear Collision Attack
Collision attack proposed by Schramm et al. [12] is based on the concept of internal collision, where a function produces the same output for two inputs: ϕ(x1)=ϕ(x2)=y . Linear collision attack [17] describes how to recover the key from internal collisions based on linear equations. In AES, if a collision between the computations of S-Box a and b in the first round is detected, the attackers will have the following relation:
A linear equation can be deduced:
A series of linear equations can be built with more collisions detected. Eventually, once 1 key byte is determined, the other 15 key bytes can be decided immediately. As a result, the size of key space is reduced to 28.
2.3 Correlation-Enhanced Collision Attack
Two main approaches have been proposed to detect side-channel collisions [18]: the binary test and the correlation-enhanced method [19]. The former one computes the distance between two power traces. Euclidean distance and absolute deviation [20] are usually used here. A Collision is confirmed if the distance is less than a threshold. However, this technique is a byte wise operation. A collision only indicates HW(pa⊕ka) = HW(pb⊕kb) , and (2) is not necessarily established. This method is also sensitive to false detections of collisions. The correlation-enhanced technique compares two series of (instead of two) power traces with correlation coefficient, and returns a score list of all the guessed value of Δka,b . This allows an improvement: By testing several highest-scored candidates instead of only the first one, the probability of finding a correct collision can be increased. But this approach needs to compute correlation coefficient for every guessed value of Δka,b, so the efficient is a problem.
2.4 LDPC Decoding Problem in Collision Attack
Gérard et al. [18] pointed out that the linear collision attack can be re-written as a LDPC decoding problem, since there exists a relationship:
The set ΔK = {Δka,b|1 ≤ a≠b ≤ 16} can be regarded as a LDPC code, and (2) as parity-check nodes. Finding the correct ΔK is equivalent to decode the LDPC code.
It is noteworthy that (3) provides a solution to find out errors in collision detections. In this paper, we exploit (3) as an error-checking criterion, and detail the procedure in the next section.
3. A Novel Framework for Linear Collision Attack
In this section, we propose a new framework of collision attack. As shown in Fig. 1, the main body of the framework is a loop. Each iteration, called a partial attack, is based on a double sieve model, and contributes a part of information of the key. The loop iterates and accumulates the information until all the bytes of ΔK are determined. Finally 28 candidate keys that are compatible to the set ΔK are tested.
Fig. 1.Work flow of the new framework.
The double sieve model includes two screenings: 1) Collision detection sieves the probable candidate of the ΔK , and saves the result in a 1×120 array DeltaKey1. 2) Error detection screens out the false part of DeltaKey1, and saves the survivals in a 1×120 array DeltaKey2. Accumulated information of ΔK is kept in DeltaKey3.
The work flow of our framework is showed in Algorithm 1. Each partial attack consists of 4 steps. First, power traces are collected and preprocessed in the PreparePowerTraces step. Then in DetectCollision step, these power traces are used to detect collisions. These two steps will be detailed in Section 4.
In the DetectError step, as described in Algorithm 2, we use (3) to check every elements of DeltaKey1. A 1×120 array Errorlist is used to record how many times (3) is not satisfied for every Δka,b . If an equation of (3) is not satisfied, the three involved Δk ’s will be marked. If Errorlist ((a,b)) is larger than a threshold ThEL , Δka,b will be erased. Because there are 14 possible values of c which satisfy the condition (a ≠ c ≠ b) ∧ (1 ≤ c ≤ 16) , every Δka,b has 14 relative equations in (3), so the maximum of Errorlist ((a,b)) is 14. A wrong guess of Δka,b tends to fail in most of the checks, whereas a correct guess has few failures. So we set ThEL as a middle value, for example 7.
Accumulate step compares the newly obtained information in DeltaKey2 and the accumulated information in DeltaKey3. Then DeltaKey3 is refreshed with the union of DeltaKey2 and DeltaKey3. An exception is that for some Δka,b , the corresponding values kept in DeltaKey2 and DeltaKey3 are different. Then they should be erased.
4. Bitwise Collision Detection
Here we detail the bitwise collision detection and the related PreparePowerTraces step. The essential idea is to find the 1-bit collision between two bytes, and to treat other bits as noise by choosing plaintexts and acquiring power traces properly. The input of S-Box, (i.e., K⊕P), is chosen as the attack target, and Hamming Weight is used as the power model. We denote the bits in a plaintext byte and a key byte with u and v :
4.1 Preparation of Power Traces
For a partial attack, 8 power traces will be prepared. We use the most significant bit (i.e., bit 8) as an example to illustrate the process flow of the preparation of power traces:
4.2 Bitwise Collision Detection
As presented in Algorithm 3, we use to detect the ith-bit collision between ka and kb (1 ≤ a≠b ≤ 16) .Function Distance is the Euclidean distance of :
If (5) is less than ThCD , we can guess that ua,i⊕va,i =ub,i⊕vb,i . Since ua,i = ub,i =0, we have D(i)= va,i⊕vb,i =0.
ThCD should be chosen carefully to ensure the accuracy of collision detection. Since the result of Distance follows a chi-square distribution, ThCD is relevant to the noise level. Here is an adaptively strategy to determine it: the median of the results of Distance can be chosen as ThCD to make sure that they are divided into two groups with the similar sizes.
5. Experiments
5.1 Measurement Setup
As shown in Fig. 2, we built an experimental environment to mount the side-channel collision attacks. The target AES is implemented in a low-power, high-performance microcontroller AT89S52, which is suitable for various applications of WSN. A resistance of 10 Ohm is put in the power supply path of the microcontroller. An Agilent MSO-X 3054A oscilloscope with a differential probe is employed to acquire the voltage difference over the resistance which is related to the current consumed by the AT89S52. In our case, each raw power traces contains 10 000 points. For each partial attack, one power trace is averaged from m raw power traces. Here we set m to be 300.
Fig. 2.Measurement setup of collision attacks on AT89S52.
5.2 Bitwise Collision Detection
For each pair of key bytes (ka, ka) , we use bitwise collision detection method to find out Δka,b .
Here we use (k1, k2) as an example to detail how it works, where
Fig. 3. shows the detection results. Fig. 3(a)-(h) correspond to the collision detection results of bit 8-1. For example, Fig. 3(a) shows There exist obvious peaks, because α8≠β8. In Fig. 3(d), the curve is close to zero, suggesting that α5≠β5. Finally, the Euclidean distances of 8 bits and a threshold line ( ThCD ) are plotted in Fig. 3(i). Here we have Δk1,2 =11101001.
Fig. 3.The result of bitwise collision detection between k1 and k2 .
5.3 Error Detection
After collision detection, a guessed ΔK is produced and kept in DeltaKey1. Then the error detection method is used to screen out the wrong part of ΔK . For the sake of simplicity, we focus on the triplet Δk1,2 , Δk1,3 , and Δk2,3 to illustrate the workflow of our framework, where
As shown in Fig. 4, the triplet Δk1,2 , Δk1,3 , and Δk2,3 are recovered within 2 partial attacks. In partial attack 1, the wrong guessed Δk2,3 is discarded after error detection, and Δk1,2 , Δk1,3 are delivered to DeltaKey2. Similarly, in partial attack 2, the false guess of Δk1,3 is discarded. In the Accumulate step, the information of two partial attacks is merged together, then Δk1,2 , Δk1,3 , and Δk2,3 are revealed. All the other parts of ΔK are recovered in the same way, and finally the key of AES is recovered.
Fig. 4.Recovery process of Δk1,2 , Δk1,3 , and Δk2,3.
6. Improved Framework with Error-Tolerant Mechanism
Here we propose an error-tolerant version of our approach. Our original approach is a binary test and has a low cost of computation. The correlation-enhanced method produces a list of candidates of Δka,b , and increases the success rate at the expense of larger computation amount. Our improved approach uses the concept of list to realize an error-tolerant mechanism and keeps the computation amount at a reasonable level. Improvements are mainly made in DetectCollision and DetectError steps:
6.1 Modified Bitwise Collision Detection
To increase the number of candidates of each ΔK , the most straight forward idea is to include the 8 hypothetic values which are one-bit different from the most probable one. The output of the DetectCollision step, DeltaKey1, then becomes a 9×120 matrix. The elements of the matrix are denoted as DeltaKey1 (i(a,b)) (1 ≤ i ≤ 9,1 ≤ a≠b ≤ 16).
6.2 Modified Error Detection
There are two main changes in the modified error detection method as presented in Algorithm 4: 1)The input DeltaKey1 becomes a 9×120 matrix, and the first row of DeltaKey1 is checked in loop 1 (step 2-6); 2) In loop 2, if Errorlist ((a,b))> ThEL, other 8 candidates will be checked in turn, as shown in Algorithm 5. Only if no candidate passes the check will DeltaKey1(1,(a,b)) be erased, or it will be replaced by the candidate which leads to the minimum Errorlist((a,b)) .
7. Efficiency Comparison
We do simulations in MATLAB to compare the efficiency of our attack and the LDPC method. The comparisons include the success rate and time (online time and offline time).
7.1 Online Time vs. Success Rate
We denote the time for the oscilloscope to capture and average a power trace as τA , and the time to save a trace as τS . In our case where one power trace contains 10 000 sample points, τS is roughly 50 times of τA . Let m be the number of power traces to be averaged, n be the number of partial attacks, the total online time τOL is
In Our original version, we fix m = 300 , so
In the error-tolerant version, we set m = 50 , so
In order to assess the efficiency, we plot the success rates of attacks as a function of online time τOL , rather than the number of raw power traces, by sweeping the upper limit of n . As shown in Fig. 5, our original approach (denoted as DS) is more efficient than the LDPC method when the online time is less than 900 τS .The error-tolerant version (denoted as DS-ET) achieves an obvious gain in efficiency. The online time needed to reach a success rate of 0.9 is 90% less than that of LDPC method.
Fig. 5.The success rates as a function of online time τOL.
7.2 Online Time vs. Offline Time
Offline time reflects the computational complexity of the attack algorithm. We examined the operation time for three algorithms (LDPC, DS, and DS-ET) to carry out 1000 attacks. As shown in Fig. 6, the computational complexity of LDPC method is significantly higher than our approaches. The error-tolerant version of our attack needs least offline time to recover the key.
Fig. 6.The offline time as a function of online time τOL.
7.3 Selection of Parameters
The former experiments are done with a fixed m . Here we focus on the impacts of m on the success rates of attacks.
As shown in Fig. 7, the success rate curves reach to a larger upper limit with lager m . However, increasing m also increases the time for each partial attack. So there is no need to increase m once the upper limit of success rate is close to 1. In our case (the error-tolerant version), m = 50 is reasonable.
Fig. 7.The success rates with different average times m as a function of n (the number of partial attacks).
8. Conclusion
We propose a double sieve collision attack based on bitwise collision detection in this paper, and give an error-tolerant version which significantly reduces the time of online stage. Practical attacks are successfully mounted on AES implemented in a real chip which can be used in WSN. We also compare the efficiency of our attack with the work published by Gérard et al. [18]. The experiment result shows our attack saves 90% of time to reach a success rate of 0.9.
Although AES is the target algorithm in this paper, our work can be extended to other symmetry cryptography algorithms that are vulnerable to collision attack.
References
- J. Zheng and A. Jamalipour, Wireless Sensor Networks: A Networking Perspective, Wiley, New York, 2009.
- G. Padmavathi and M. Shanmugapriya, "A survey of attacks, security mechanisms and challenges in wireless sensor networks," arXiv preprint arXiv: 0909.0576, 2009. http://arxiv.org/abs/0909.0576
- C. Krauss, M. Schneider and C. Eckert, "On handling insider attacks in wireless sensor networks," Information Security Technical Report, vol. 13, no. 3, pp. 165-172, August, 2008. https://doi.org/10.1016/j.istr.2008.10.011
- NIST Std. 197, "Announcing the Advanced encryption standard (AES)," 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- IEEE Std. 802.15.4, "Wireless Medium Access Control (MAC) and Physical Layer (PHY) specifications for Low Rate Wireless Personal Area Networks (LR-WPANS)," 2003. http://ieeexplore.ieee.org/iel5/8762/27762/01237559.pdf
- P. C. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," in Proc. of CRYPTO' 1996, LNCS, vol. 1109, pp. 104-113, Springer, Heidelberg, 1996.
- P. C. Kocher, J. Jaffe and B. Jun, "Differential power analysis," in Proc. of CRYPTO' 1999, LNCS, vol. 1666, pp. 388-397, Springer, Heidelberg, 1999.
- S. Chair, J. R. Rao and P. Rohatgi, "Template attacks," in Proc. of CHES 2002, LNCS, vol. 2523, pp. 13-28, Springer, Heidelberg, 2003.
- E. Brier, C. Clavier and F. Olivier, "Correlation power analysis with a leakage model," in Proc. of CHES 2004, LNCS, vol. 3156, pp. 16-29, Springer, Heidelberg, 2004.
- B. Gierlichs, L. Batina, P. Tuyls and B. Preneel, "Mutual information analysis," in Proc. of CHES 2008, LNCS, vol. 5154, pp. 426-442, Springer, Heidelberg, 2008.
- G. de Meulenaer and F. X. Standaert, "Stealthy compromise of wireless sensor nodes with power analysis attacks," Mobile Lightweight Wireless Systems, LNICST, vol. 45, pp. 229-242, Springer, Heidelberg, 2010.
- K. Schramm, T. J. Wollinger and C. Paar, "A new class of collision attacks and its application to DES," in Proc. of 10th Int. Workshop on Fast Software Encryption, LNCS, vol. 2887, pp. 206-222, Springer, Heidelberg, 2003.
- K. Schramm, G. Leander, P. Felke and C. Parr, "A collision-attack on AES: Combining side channel and differential attack," in Proc. of CHES 2004, LNCS, vol. 3156, pp. 163-175, Springer, Heidelberg, 2004.
- H. Ledig, F. Muller and F. Valette, "Enhancing collision attacks," in Proc. of CHES 2004, LNCS, vol. 3156, pp. 176-190, Springer, Heidelberg, 2004.
- A. Bogdanov, "Improved side-channel collision attacks on AES," in Proc. of 14th Int. Workshop on Selected Areas in Cryptography, LNCS, vol. 4876, pp. 84-95, Springer, Heidelberg, 2007.
- .A. Bogdanov, "Multiple-differential side channel collision attacks on AES," in Proc. of CHES 2008, LNCS, vol. 5154, pp. 30-44, Springer, Heidelberg, 2008.
- C. Clavier, B. Feix, G. Gagnerot, M. Roussellet and V. Verneuil, "Improved collision-correlation power analysis on first order protected AES," in Proc. of CHES 2011, LNCS, vol. 6917, pp. 49-62, Springer, Heidelberg, 2011.
- B. Gerard and F. X. Standaert, "Unified and optimized linear collision attacks and their application in a non-profiled setting," in Proc. of CHES 2012, LNCS, vol. 7428, pp. 175-192, Springer, Heidelberg, 2012.
- A. Moradi, O. Mischke and T. Eisenbarth, "Correlation-enhanced power analysis collision attack," in Proc. of CHES 2010, LNCS, vol. 6225, pp. 125-139, Springer, Heidelberg, 2010.
- A. A. Sveshnikov and B. R. Gelbaum (Eds.), Problems in Probability Theory, Mathematical Statistics and Theory of Random Functions, Courier Dover Publications, New York, 1968.
Cited by
- A Novel Multiple-Bits Collision Attack Based on Double Detection with Error-Tolerant Mechanism vol.2018, pp.None, 2018, https://doi.org/10.1155/2018/2483619