Cognitive Modeling of Multimodal Data Intensive Systems for Applications in Nature and Society (COMDICS)
View this Special IssueResearch Article  Open Access
Weijian Li, Xian Huang, Huimin Zhao, Guoliang Xie, Fuxiang Lu, "Fuzzy Matching Template Attacks on Multivariate Cryptography: A Case Study", Discrete Dynamics in Nature and Society, vol. 2020, Article ID 9475782, 11 pages, 2020. https://doi.org/10.1155/2020/9475782
Fuzzy Matching Template Attacks on Multivariate Cryptography: A Case Study
Abstract
Multivariate cryptography is one of the most promising candidates for postquantum cryptography. Applying machine learning techniques in this paper, we experimentally investigate the sidechannel security of the multivariate cryptosystems, which seriously threatens the hardware implementations of cryptographic systems. Generally, registers are required to store values of monomials and polynomials during the encryption of multivariate cryptosystems. Based on maximumlikelihood and fuzzy matching techniques, we propose a templatebased leastsquare technique to efficiently exploit the sidechannel leakage of registers. Using QUAD for a case study, which is a typical multivariate cryptosystem with provable security, we perform our attack against both serial and parallel QUAD implementations on field programmable gate array (FPGA). Experimental results show that our attacks on both serial and parallel implementations require only about 30 and 150 power traces, respectively, to successfully reveal the secret key with a success rate close to 100%. Finally, efficient and lowcost strategies are proposed to resist sidechannel attacks.
1. Introduction
With the upcoming quantum computers, traditional cryptosystems face huge challenges. Publickey cryptosystems such as Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC), whose security relies on the difficulty of certain number theoretic problems, are under great threat of quantum attack. In as early as 1994, Peter Shor proposed an algorithm on a quantum computer that efficiently solved such number theoretic problems in polynomial time. Afterward, Monz et al. [1] presented the realization of a scalable Shor algorithm in 2016, which means that once largescale quantum computers appear, publickey cryptosystems will become insecure. Meanwhile, for symmetrickey primitives, larger keys are required to resist the quantum attack to some extent.
Since Shor’s discovery, the theory of postquantum cryptography has developed significantly. Many cryptographic schemes proposed in the literature, such as codebased cryptography [2] and latticebased cryptography [3], show great potentiality to resist quantum attacks, while multivariate cryptography is one of the most promising candidates [4]. Afterward, numerous cryptosystems based on multivariate quadratic polynomials have been proposed, such as unbalanced oilandvinegar (UOV) and its variant [5], Rainbow [5, 6], ZHFE [7], and CHNNMVC [8].
At Eurocrypt 2006, Berbain et al. [9] presented the first multivariate stream cipher scheme denoted as QUAD, which is referred to as a practical and provable secure stream cipher, as well as a pseudorandom number generator (PRNG). In 2009, Berbain et al. [10] revisited the stream cipher of QUAD and proposed the provable security arguments supporting its conjectured strength for suitable parameter values. The provable security of QUAD relies on the hardness of solving systems of multivariate quadratic equations. Bardet et al. [11] presented a cryptanalysis algorithm with a complexity bounded by O(2^{134.56}), which means this cryptanalysis method cannot put into practice.
In recent years, GPUs are widely used in cloud computing and blockchain, which faces huge security challenges to guarantee data security and user privacy [12–14]. Several GPU acceleration schemes for multivariate systems are proposed to make it suitable for security of cloud computing and blockchain in the quantum world [15, 16]. In 2014, Tanaka et al. [15] proposed two efficient parallelization algorithms and a GPUbased multivariable quadratic polynomial system. Furthermore, they proposed several effective parallel implementations of QUAD on GPU to accelerate the computing of quadratic polynomials. In 2018, Liao et al. [16] proposed a GPU acceleration framework for highorder multivariate cryptography systems, where the GPU acceleration schemes made multivariate cryptosystems feasible for cloud computing and blockchain.
Moreover, multivariate cryptosystems are in general computationally efficient, which supports the use of the Internet of Things (IoT) devices. IoT is essentially a network of pervasive devices such as RFID tags, sensors, ASICs, and smart cards, which have rigid cost constraints in terms of area, memory, computing power, and battery supply. Traditional cryptosystems are not entirely applicable to the IoT devices since they are too expensive for such pervasive devices. At fast software encryption (FSE) 2010, Billet et al. [17] showed that QUAD can be converted to efficiently construct a privacypreserving authentication protocol for RFID with provable security. Arditti et al. [18] presented a QUAD implementation and regarded it as the smallest provably secure stream cipher so far. The smallest QUAD implementation requires only 2961 GE, which makes it a competitive candidate for IoT security. Also, Hamlet et al. [19] proposed a throughputoptimized parallel implementation of QUAD for more secure application scenarios in 2015.
The implementation of cryptography needs to take a wide range of physical attacks into account, especially sidechannel attacks and fault attacks. Sidechannel attacks exploit the dependency between physical information (e.g., power consumption, electromagnetic leaks, and timing information) and secret key to enable a divideandconquer attack to reveal the key part by part. Typical sidechannel attacks include nonprofiled attacks (e.g., correlation power analysis (CPA) [20], mutual information analysis (MIA) [21]) and profiled attacks (e.g., template attacks (TA) [22–28] and other machine learningbased sidechannel attacks [28–34]). Profiled sidechannel attacks are the most powerful attacks, which received a lot of attention in recent years. Samples of power traces are regarded as features, and feature selection methods are needed to reduce the computational complexity and increase the prediction accuracy [28]. Afterward, machine leaning techniques including maximumlikelihood strategy [22–28], SVM [28–30], random forest (RF) [28, 29], knearest neighbors (KNN) [31], neural networks (NNs) [32], and deep learning (DL) [33, 34] are widely applied to build the prediction model. Profiled sidechannel attacks include a profiling/training phase and a matching/predicting phase. In the profiling/training phase, machine learning algorithms are fed with labelled power traces captured from a reference device to build the prediction model. In the matching/predicting phase, prediction models are used to predict the correct labels for those power traces captured from a target device.
Template attack was first proposed at CHES’02 [22], which efficiently revealed the key by a maximumlikelihood strategy, and was rapidly accepted as the strongest form of sidechannel attack. Original template attack matched only a single power trace, which sometimes failed in the practical attack. Agrawal et al. [23] proposed templatebased DPA attack to accumulate the matching results of power traces, which significantly improved the success rate. Özgen et al. [24] combined classification algorithms with template attacks in the matching phase to improve the efficiency of attacks. Choudary and Kuhn [25] tackled some of the practical obstacles of template attacks, such as pooled covariance matrices, compression methods, and incompatibility of templates across different devices. Zhang [27] theoretically analyzed the exact relationship between the success rate of template attack and values of different parameters, including signaltonoise, number of interesting points, and number of power traces. From the viewpoint of machine learning, Picek et al. [28] adopted feature selection techniques to improve the attack efficiency. They concluded that L1 regularization wrapper and linear SVM hybrid methods performed consistently well for all data sets.
Although sidechannel attacks have been developed over 20 years, research about sidechannel attacks on multivariate cryptosystems is still in the early stages. Several literatures about sidechannel attack on multivariate cryptosystems were published. In as early as 2005, Okeya et al. [35] analyzed the power leakage of addition operations modulo 2^{32} of SHA1 and successfully recovered the secret information of SFLASH, which is the first successful power analysis attack on multivariate cryptography in practice. Later, in 2013, Hashimoto et al. [36] proposed a theoretical method based on fault attack to reveal the partial key of MPKC systems. Yi and Li [37] proposed a fault attack and DPA on ASIC implementation of enTTS scheme in 2017. In 2018, Park et al. [38] presented a correlation power analysis attack against the Rainbow and UOV schemes on an 8bit AVR microcontroller that yields full secret key recoveries. In 2019, based on the work of Hashimoto et al., Krämer and Loiero [39] complemented the research on fault attacks of multivariate signature schemes. However, their attacks do not lead to complete key recovery on Rainbow and UOV. Recently, Li et al. [40] proposed a CPA attack against serial implementation of QUAD on FPGA. Their work efficiently revealed the secret key but still requires further work to improve success rate.
Li et al. proposed the practical CPA cryptanalysis on serial QUAD (2, 160, 160) with a much lower complexity, but the success rate is only around 85%. Because of the low signaltonoise ratio, classic template attack and templateattack DPA attack cannot exactly match the templates to achieve a satisfactory success rate. To tackle this issue, we have proposed templatebased leastsquare power analysis on serial QUAD (2, 160, 160). The main contributions of our paper can be highlighted as follows:(1)By applying the leastsquare technique to enable fuzzy matching of the templates, which can find the best matching via minimizing the squared sum of errors. As a result, the proposed practical can achieve a success rate of nearly 100%.(2)We also extend the templatebased leastsquare power analysis attack to explore the leakage of parallel implementation of QUAD (2, 160, 160), which has successfully and efficiently revealed the secret key with a success rate also close to 100%.(3)For multivariate cryptography, all monomials and polynomials can be computed in an arbitrary order to break the link between the power consumption and the secret key. We propose two lowcost hiding countermeasures for serial and parallel implementations, respectively, which show great potential to resist sidechannel attacks.
The remaining paper is organized as follows: in Section 2, we review the mathematical definition, serial and parallel FPGA implementations of the QUAD stream cipher; in Section 3, the templatebased leastsquare power analysis attacks on the serial and parallel FPGA implementation of the QUAD are presented; experimental results of our attacks are given in Section 4; efficient and lowcost countermeasures to resist sidechannel attacks are discussed in Section 5; and Section 6 concludes the paper.
2. Preliminaries
2.1. Multivariate Cryptography
Generally, the mathematical definition of a multivariate quadratic equation with n variables over GF (q) can be written as follows:where , , and are all coefficients over GF (q). Note that the degree of polynomial is up to 2; otherwise, new variables will be introduced to keep the polynomial of degree 2. A multivariate quadratic system consisting of m multivariate quadratic equations in n variables over GF (q) is defined as
Given a multivariate quadratic system , the MQ problem is defined as to find a value , if any, such that for all . The MQ problem is proved to be NP hard, even in the smallest finite filed GF (2) [10].
A particular QUAD stream cipher in n variables over GF (q) is specified as QUAD (q, n, r), which computes polynomials per round. As shown in Figure 1, QUAD (q, n, r) consists of an output function to produce r outputs as the keystream, and an update function is used to generate n outputs to update X for the next round. The parameters q, n, and r and the coefficients , , and for and are public. The QUAD cipher expands a secret initial state into a sequence of secret states and a sequence of output vectors .
QUAD (2, 160, 160) is a practical version with the security level of at least 2^{80}, which is strongly recommended in [10]. QUAD (2, 160, 160) has 160 variables over GF (2), which outputs 160 bits per round, resulting in a set of 320 multivariate quadratic equations.
From a perspective of implementation, operations over GF (2) are more efficient than those over larger fields. Moreover, the monomial forms and are equal over GF (2); therefore, and can be computed together. In the case of randomly generated and , equations of QUAD over GF (2) can be simplified aswhich brings great benefits in terms of efficiency and security.
2.2. FPGA Serial Implementation of QUAD
Arditti et al. [18] proposed a compact serial implementation of QUAD, which is believed to be the smallest provably secure stream cipher. As shown in Figure 2, the implementation consists of two main components. The first one is a nonlinear feedback shift register (NFSR), in which the coefficients of and are randomly generated. Each monomial of the equation is computed by the second component at every clock tick and accumulated to a result register. Multivariate quadratic equations , , …, are computed sequentially. At every clock tick, the NFSR generates the coefficient. Once a new monomial of polynomial is computed, its contribution will be accumulated to the temporary register . After clock cycles, the polynomial is computed, and the above process is repeated for .
2.3. FPGA Parallel Implementation of QUAD
Hamlet and Brocato [19] presented two throughputoptimized parallel implementations of QUAD for a much higher throughput. A QUAD (2, 128, 128) version with the security level of approximately 2^{64} is considered, which can be easily extended to another version in GF (2) such as QUAD (2, 160, 160). The coefficients and are randomly generated and stored in ROM. Multivariate quadratic equations are still computed sequentially, while n monomials of polynomial are computed in parallel at a time to achieve a higher throughput.
As shown in Figure 3, the FPGA parallel implementation of QUAD (2, 160, 160) is summarized as follows:(1)Sequentially compute the equations , , …, by step (2) to step (6).(2)Initialize the internal state X and rotated X with the secret key and the initialization vector.(3)Calculate simultaneously.(4)Load 160bit coefficients from ROM, feed and into 8input ANDXOR modules to compute , and store M_{c} in temporary register P_{c}.(5)Calculate , , by XOR modules. Compute and store the value in result register Q.(6)Rotate the internal state rotated X by one bit, and go to step 3 to compute next 160 monomials until all monomials of polynomial are completed, which requires loops. Note that, in the last loop, only half of the above modules are enabled to compute the last 80 monomials.(7)Repeat the above steps until all quadratic equations are computed.
3. Proposed Attack on Implementation of QUAD
3.1. Power Leakage Model
A typical CMOS transistor consumes dynamic power when its output signal is converted. Figure 4(a) shows the changing process of a register when the output signal is converted from 0 to 1. A charging current from the power supply to the output capacitance and a transient shortcircuit current from CMOS transistor are generated. On the contrary, Figure 4(b) shows the discharging process when the output signal is converted from 1 to 0. Only the instantaneous shortcircuit current is generated through CMOS transistor.
(a)
(b)
As a result, conversions of the output signal are focused since dynamic power is the major power consumption of the digital logical circuits of ASIC and FPGA. Denote the power consumption of CMOS transistor by when its signal converts from i to j, where i and j equal to 0 or 1. and consume dynamic power, while and consume only static power. As a result, it generally holds that .
Therefore, the power consumption when writing data to a register depends on the number of bitflips. A hamming distance (HD) model well summarizes the power consumption of a register transition from a previous state to a new state.
Regarding multivariate cryptosystems, which consist of a large number of monomials and polynomials, registers are indeed required to store monomial and polynomial values during the encryption. Serial implementation, for instance, monomials are computed sequentially and accumulated to the temporary register , as identified by rectangle in Figure 2.
The value of register changes to for all monomials. The power consumption of register can be concluded as follows:
Consequently, an attacker is possible to predict secret keys x_{i} and x_{j} by observing the power consumption of registers .
Other than serial implementations, parallel implementations compute 160 monomials simultaneously. 4 monomials are accumulated by an ANDXOR module and stored into temporary register . According to the parallel implementation described in Section 2.3, when computing the first 160 monomials, the values , stored into the temporary register are
After rotating the internal state rotated x by one bit to compute the next 160 monomials, the values , stored into registers are
Therefore, the values of registers , change from to , and the power leakage model of parallel implementations can be defined as
3.2. TemplateBased LeastSquare Power Analysis Attack
Classic sidechannel attacks, such as DPA, CPA, and MIA, require a large number of power traces to reveal the key, which means that different plaintexts are needed to be encrypted with the same key for obtaining as much power traces as possible. However, multivariate cryptosystems usually contain limited quadratic equations. Take QUAD as an example, and the key of QUAD is constantly updated after each round of encryption, which only generates power traces with the same key. In this case, machine learningbased sidechannel attacks such as template attack have inherent advantages, which can extract the key with much fewer target power traces.
Machine learningbased sidechannel attacks are the most powerful attacks. Based on a maximumlikelihood strategy, template attacks reveal the secret key efficiently, which consist of a profiling phase and a matching phase. Classic template attacks match only a single power trace and reveal the key by the Bayes theorem in the matching phase. However, there is not enough valuable information in a single power trace to reveal the correct key in practical situation; hence, the classic template attack has little prospect of success rate.
To solve this problem, templatebased DPA attack was proposed as follows [23]:which accumulates the matching degree of each power trace during template matching to improve the success rate.
Unfortunately, due to the low signaltonoise ratio, the accurate matching method of templatebased DPA attack is not applicable. For this reason, we proposed a templatebased leastsquare (LSQ) power analysis attack, which reveals the key by fuzzy matching. As described in Figure 5, the main idea of templatebased LSQ is as follows:(1)Choose a strategy to build templates: according to the power leakage models in equations (4) and (7), two templates need to be built, corresponding to leakage values 0 and 1.(2)Collect power traces to build templates: two groups of power traces are collected according to different leakage values.(3)Select interesting points (features): samples of power traces are regarded as features, which include relevant, irrelevant, and redundant features. Feature selection methods are needed to select the most relevant features to improve the attack efficiency. Feature selection methods [28] such as squared pairwise Tdifferences (SOST), Pearson correlation, principal component analysis (PCA), linear SVM wrapper, and L1 regularization are investigated. In our experiments, the Pearson correlation method is chosen to search interesting points, which can lead to excellent classification performance. 25 interesting points for serial implementation and 35 interesting points for parallel implementation with the highest are selected, where is defined as(4)Build templates with interesting points: two templates corresponding to leakage values 0 and 1 are built, respectively, by covariance matrix and mean vector , where and are defined as(5)Match templates: power traces with the same key are captured from the device under attack to match the templates, respectively. Template that leads to the highest probability indicates the correct leakage value, where is defined as Denote such leakage values corresponding to as .(6)Reveal the correct key. We map the hypothetical intermediate values into leakage values by equation (7) and compare with to reveal the correct key. Taking attack on parallel implementations, for instance, denote the hypothetical leakage values by , where . The leastsquare method defined asis applied to compare the hypothetical leakage values with the leakage values revealed by the template attack, where i is the key hypothesis. Finally, the correct key is revealed by
4. Experimental Results and Discussion
As shown in Figure 6, our experimental setup includes a standard evaluation board SAKURAG, an oscilloscope, and a computer. SAKURAG is designed for hardware security, which equips with two separate Spartan6 FPGA chips. One chip serves as the control chip, while another serves as the cryptographic chip. Cryptographic chip performs encryption operations, while the control chip controls the data flow and communicates with the oscilloscope and computer. During encryption, power consumptions of the cryptographic chip are measured by the oscilloscope which is triggered by the control chip. Finally, power analysis attacks are performed on the computer.
We first perform a sidechannel attack on serial implementation of QUAD (2, 160, 160). In the template building phase, 3000 power traces with different keys and coefficients are captured from a reference device, based on which 25 interesting points are selected by the CPA peak method. Next, we collect two groups of power traces corresponding to leakage values 0 and 1 in equation (4), and each group consists of 25 power traces. Finally, we build two templates, and the result is shown in Figure 7.
In the template matching phase, 320 power traces with the same key are captured from the target device. Template that leads to the highest probability indicates the correct key. The success rate of templatebased LSQ attack on serial implementation is shown in Figure 8. When the number of power traces approach 30, the success rate tends to 100%. Therefore, a successful attack only requires 30 power traces in serial implementation.
To further illustrate the effectiveness of our attack, the time required for our practical attack on serial QUAD is discussed here. Our attack is performed on a personal computer, which integrates an Intel i57500 CPU and 12 GB of RAM. The time for templates building and templates matching depends on the number of power traces for building and matching, respectively. Figure 9 shows the time required for the template building with the number of power traces ranging from 1 to 3000. Figure 10 shows the time required for template matching with the number of power traces ranging from 1 to 30. As our successful attack on the serial implementation of QUAD (2, 160, 160) requires less than 3000 power traces for templates building and 30 power traces for templates matching, the total time required for our successful attack is less than 1010 seconds, according to Figures 9 and 10.
According to the leakage model of parallel implementation in equation (7), 4 bits of the key are simultaneously accumulated into temporary register. Consequently, we need to guess 4 bits at a time. In the template building phase, 10000 power traces with different keys and coefficients are captured from a reference device, based on which 35 interesting points are selected by the CPA peak method. Next, we collect two groups of power traces corresponding to leakage values 0 and 1 in equation (7), and each group consists of 35 power traces. Finally, we build two templates, and the result is shown in Figure 11.
In the template matching phase, 320 power traces with the same key are captured from the target device. Template that leads to the highest probability indicates the correct key. The success rate of templatebased LSQ attack on parallel implementation is shown in Figure 12. When the number of power traces approach 150, the success rate tends to 100%. Therefore, 150 power traces are sufficient for a successful attack in parallel implementation.
Figure 13 shows the time required for the template building with the number of power traces ranging from 1 to 10000. Figure 14 shows the time required for template matching with the number of power traces ranging from 1 to 180. As our successful attack on the parallel implementation of QUAD (2, 160, 160) requires less than 10000 power traces for templates building and 150 power traces for templates matching, the total time required for our successful attack is less than 1977 seconds, according to Figures 13 and 14.
In order to compare the success probability of the attacks, we performed our attack, template attack, and templatebased DPA attacks dozens of times, respectively. We compare the typical results in Table 1, which shows that our proposed attack has the highest accuracy, greatly outperforming template attack, and templatebased DPA attack.

5. Suggested Countermeasures
Sidechannel countermeasures aim at reducing the data dependency between physical information and secret key. Usually, masking and hiding technologies are adopted. For multivariate cryptography, all monomials and polynomials can be computed in an arbitrary order. Therefore, the basic idea of countermeasures for multivariate cryptography is to randomly change the sequence of these operations.
A QUAD (q, n, r) has monomials, which can be randomly computed in orders. However, it is too expensive to implement such algorithm. We propose a lowcost shuffling countermeasure by partially changing the orders of monomials for each polynomial equation . Starting with two randomly generated index , , each polynomial is computed in the order as follows:
A random index generator is required to generate such an order index, as shown in Figure 15, whose implementation requires only 556 GE.
For the parallel implementations, we proposed a lowcost hiding countermeasure by partially randomizing the initial value of rotated x to shuffle the computation orders of monomials. Before each calculation of , the initial value of rotated x is partially randomized with the random starting index i_{s} as follows:
6. Conclusions
Multivariate cryptosystems consist of a large number of monomials and polynomials, where registers are required to store monomial and polynomial values during the encryption. Therefore, a hamming distance (HD) model of the register will leak the secret of the implementation.
By applying the leastsquare technique to enable fuzzy matching of the templates, we propose a practical templatebased leastsquare power analysis, where both the serial and parallel implementations of QUAD (2, 160, 160) can achieve a success rate close to 100%. The proposed two lowcost hiding countermeasures for serial and parallel implementations are also validated to be effective, where all monomials and polynomials can be computed in an arbitrary order to break the link between the power consumption and the secret key in multivariate cryptography. Our proposed attacks require only 30 and 150 power traces, respectively, to successfully reveal the secret key. Future work will focus on lowcost countermeasures of multivariate cryptography for IoT devices to resist sidechannel attacks.
Data Availability
The mat data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (nos. 61872096, 61672008, and 61772144), Innovation Team Project of the Education Department of Guangdong Province (no. 2017KCXTD021), Guangdong Provincial Key Laboratory of Intellectual Property and Big Data (Grant no. 2018B030322016), Key Laboratory of the Education Department of Guangdong Province (no. 2019KSYS009), and Guangdong Provincial Project of Science and Technology (no. 2016A010101030).
References
 T. Monz, D. Nigg, E. A. Martinez et al., “Realization of a scalable shor algorithm,” Science, vol. 351, no. 6277, pp. 1068–1070, 2016. View at: Publisher Site  Google Scholar
 M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, “Provably secure group signature schemes from codebased assumptions,” IEEE Transactions on Information Theory, p. 1, 2020. View at: Publisher Site  Google Scholar
 H. Nejatollahi, N. Dutt, S. Ray, F. Regazzoni, I. Banerjee, and R. Cammarota, “Postquantum latticebased cryptography implementations,” ACM Computing Surveys, vol. 51, no. 6, pp. 1–41, 2019. View at: Publisher Site  Google Scholar
 T. Takagi, “Recent developments in postquantum cryptography,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E101.A, no. 1, pp. 3–11, 2018. View at: Publisher Site  Google Scholar
 D. H. Duong, L. Van Luyen, and H. T. N. Tran, “Choosing subfields for LUOV and lifting fields for Rainbow,” IET Information Security, vol. 14, no. 2, pp. 196–201, 2020. View at: Publisher Site  Google Scholar
 J. Ding and D. Schmidt, “Rainbow, a new multivariable polynomial signature scheme,” Applied Cryptography and Network Security, Springer, New York, NY, USA, 2005. View at: Publisher Site  Google Scholar
 J. Porras, J. Baena, and J. Ding, “ZHFE, a new multivariate public key encryption scheme,” in Proceedings of the International Workshop on PostQuantum Cryptography, pp. 229–245, Waterloo, ON, Canada, 2014. View at: Google Scholar
 J. Wang, L.M. Cheng, and T. Su, “Multivariate cryptography based on clipped hopfield neural network,” IEEE Transactions on Neural Networks and Learning Systems, vol. 29, no. 2, pp. 353–363, 2018. View at: Publisher Site  Google Scholar
 C. Berbain, H. Gilbert, and J. Patarin, “QUAD: a practical stream cipher with provable security,” in Proceedings of the 24th Annual International Conference on The Theory and Applications of Cryptographic Techniques, pp. 109–128, St. Petersburg, Russia, 2006. View at: Publisher Site  Google Scholar
 C. Berbain, H. Gilbert, and J. Patarin, “QUAD: a multivariate stream cipher with provable security,” Journal of Symbolic Computation, vol. 44, no. 12, pp. 1703–1723, 2009. View at: Publisher Site  Google Scholar
 M. Bardet, J.C. Faugère, B. Salvy, and P.J. Spaenlehauer, “On the complexity of solving quadratic boolean systems,” Journal of Complexity, vol. 29, no. 1, pp. 53–75, 2013. View at: Publisher Site  Google Scholar
 C. Stergiou, K. E. Psannis, B.G. Kim, and B. Gupta, “Secure integration of IoT and cloud computing,” Future Generation Computer Systems, vol. 78, pp. 964–975, 2018. View at: Publisher Site  Google Scholar
 X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A survey on the security of blockchain systems,” Future Generation Computer Systems, vol. 107, pp. 841–853, 2017. View at: Publisher Site  Google Scholar
 Q. Feng, D. He, S. Zeadally, M. K. Khan, and N. Kumar, “A survey on privacy protection in blockchain system,” Journal of Network and Computer Applications, vol. 126, pp. 45–58, 2019. View at: Publisher Site  Google Scholar
 S. Tanaka, C. Cheng, T. Yasuda, and K. Sakurai, “Parallelization of QUAD stream cipher using linear recurring sequences on graphics processing units,” in Proceedings of the 2014 Second International Symposium on Computing and Networking, pp. 543–548, Shizuoka, Japan, 2014. View at: Publisher Site  Google Scholar
 G. Liao, Z. Gong, Z. Huang, and W. Qiu, “A generic optimization method of multivariate systems on graphic processing units,” Soft Computing, vol. 22, no. 23, pp. 7857–7864, 2018. View at: Publisher Site  Google Scholar
 O. Billet, J. Etrog, and H. Gilbert, “Lightweight privacy preserving authentication for RFID using a stream cipher,” in Proceedings of the 17th International Conference on Fast Software Encryption, pp. 55–74, Seoul, South Korea, 2010. View at: Publisher Site  Google Scholar
 D. Arditti, C. Berbain, O. Billet, and H. Gilbert, “Compact FPGA implementations of QUAD,” in Proceedings of the 2nd ACM symposium on Information, computer and communications securityASIACCS ‘07, pp. 347–349, Dallas, TX, USA, 2007. View at: Publisher Site  Google Scholar
 J. R. Hamlet and R. W. Brocato, “Throughputoptimized implementations of QUAD,” Journal of Cryptographic Engineering, vol. 5, no. 4, pp. 245–254, 2015. View at: Publisher Site  Google Scholar
 E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a leakage model,” in Proceedings of the International workshop on Cryptographic Hardware and Embedded Systems (CHES’04), pp. 16–29, Cambridge, MA, USA, 2004. View at: Google Scholar
 L. Batina, B. Gierlichs, E. Prouff, M. Rivain, F.X. Standaert, and N. VeyratCharvillon, “Mutual information analysis: a comprehensive study,” Journal of Cryptology, vol. 24, no. 2, pp. 269–291, 2011. View at: Publisher Site  Google Scholar
 S. Chari, J. R. Rao, and P. Rohatgi, “Template attacks,” in Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES’02), pp. 13–28, San Francisco Bay (Redwood City), CA, USA, 2002. View at: Google Scholar
 D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, “The EM side—channel(s),” in Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES’02), pp. 13–28, San Francisco Bay (Redwood City), CA, USA, 2002. View at: Google Scholar
 E. Özgen, L. Papachristodoulou, and L. Batina, “Template attacks using classification algorithms,” in Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 242–247, McLean, VA, USA, 2016. View at: Google Scholar
 M. O. Choudary and M. G. Kuhn, “Efficient, portable template Attacks,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 2, pp. 490–501, 2018. View at: Publisher Site  Google Scholar
 L. Lerman, R. Poussier, O. Markowitch, and F.X. Standaert, “Template attacks versus machine learning revisited and the curse of dimensionality in sidechannel analysis: extended version,” Journal of Cryptographic Engineering, vol. 8, no. 4, pp. 301–313, 2018. View at: Publisher Site  Google Scholar
 H. Zhang, “On the exact relationship between the success rate of template attack and different parameters,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 681–694, 2019. View at: Publisher Site  Google Scholar
 S. Picek, A. Heuser, A. Jovic, and L. Batina, “A systematic evaluation of profiling through focused feature selection,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 27, no. 12, pp. 2802–2815, 2019. View at: Publisher Site  Google Scholar
 B. Hettwer, S. Gehrer, and T. Güneysu, “Applications of machine learning techniques in sidechannel attacks: a survey,” Journal of Cryptographic Engineering, vol. 10, no. 2, pp. 135–162, 2019. View at: Publisher Site  Google Scholar
 S. Hou, Y. Zhou, H. Liu, and N. Zhu, “Wavelet support vector machine algorithm in power analysis attacks,” Radioengineering, vol. 26, no. 3, pp. 890–902, 2017. View at: Publisher Site  Google Scholar
 L. Malina, V. Zeman, J. Martinasek, and Z. Martinasek, “Knearest neighbors algorithm in profiling power analysis attacks,” Radioengineering, vol. 25, no. 2, pp. 365–382, 2016. View at: Publisher Site  Google Scholar
 P. Saravanan and P. Kalpana, “A novel approach to attack smartcards using machine learning method,” Journal of Scientific & Industrial Research, vol. 76, no. 2, p. 99, 2017. View at: Google Scholar
 L. Masure, C. Dumas, and E. Prouff, “A comprehensive study of deep learning for sidechannel analysis,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2020, no. 1, pp. 348–375, 2020. View at: Google Scholar
 G. Zaid, L. Bossuet, A. Habrard, and A. Venelli, “Methodology for efficient CNN architectures in profiling attacks,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2020, no. 1, pp. 1–36, 2020. View at: Google Scholar
 K. Okeya, T. Takagi, and C. Vuillaume, “On the importance of protecting in SFLASH against side channel attacks,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E88A, no. 1, pp. 123–131, 2005. View at: Publisher Site  Google Scholar
 Y. Hashimoto, T. Takagi, and K. Sakurai, “General fault attacks on multivariate public key cryptosystems,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E96.A, no. 1, pp. 196–205, 2013. View at: Publisher Site  Google Scholar
 H. Yi and W. Li, “On the importance of checking multivariate public key cryptography for sidechannel attacks: the case of enTTS scheme,” The Computer Journal, vol. 60, no. 8, pp. 1197–1209, 2017. View at: Publisher Site  Google Scholar
 A. Park, K. Shim, N. Koo, and D. Han, “Sidechannel attacks on postquantum signature schemes based on multivariate quadratic equations,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 3, pp. 500–523, 2018. View at: Google Scholar
 J. Krämer and M. Loiero, “fault attacks on UOV and rainbow,” in Proceedings of the International Workshop on Constructive SideChannel Analysis and Secure Design, pp. 193–214, Darmstadt, Germany, 2019. View at: Publisher Site  Google Scholar
 W. Li, F. Lu, and H. Zhao, “Power analysis attacks against QUAD,” IAENG International Journal of Computer Science, vol. 46, no. 1, pp. 54–60, 2019. View at: Google Scholar
Copyright
Copyright © 2020 Weijian Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.