Security and Communication Networks

Volume 2018, Article ID 2483619, 13 pages

https://doi.org/10.1155/2018/2483619

## A Novel Multiple-Bits Collision Attack Based on Double Detection with Error-Tolerant Mechanism

^{1}Tsinghua National Laboratory for Information Science and Technology, Tsinghua University, Beijing 10084, China^{2}Institute of Microelectronics, Tsinghua University, Beijing 10084, China

Correspondence should be addressed to Liji Wu; nc.ude.auhgnist@uwijil

Received 3 November 2017; Revised 6 April 2018; Accepted 3 May 2018; Published 5 June 2018

Academic Editor: Umar M. Khokhar

Copyright © 2018 Ye Yuan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Side-channel collision attacks are more powerful than traditional side-channel attack without knowing the leakage model or establishing the model. Most attack strategies proposed previously need quantities of power traces with high computational complexity and are sensitive to mistakes, which restricts the attack efficiency seriously. In this paper, we propose a multiple-bits side-channel collision attack based on double distance voting detection (DDVD) and also an improved version, involving the error-tolerant mechanism, which can find all 120 relations among 16 key bytes when applied to AES (Advanced Encryption Standard) algorithm. In addition, we compare our collision detection method called DDVD with the Euclidean distance and the correlation-enhanced collision method under different intensity of noise, which indicates that our detection technique performs better in the circumstances of noise. Furthermore, 4-bit model of our collision detection method is proven to be optimal in theory and in practice. Meanwhile the corresponding practical attack experiments are also performed on a hardware implementation of AES-128 on FPGA board successfully. Results show that our strategy needs less computation time but more traces than LDPC method and the online time for our strategy is about 90% less than CECA and 96% less than BCA with 90% success rate.

#### 1. Introduction

Although modern cryptographic algorithms have been proven to be safe mathematically, this does not mean that the physical implementation is safe enough, where attacker can obtain some physical information from side channel. Side-channel attack (SCA) was proposed almost 20 years ago, which was first put forward in 1996 by Kocher [1] and became a powerful cryptanalysis technique. Power consumption analyses are widely used in SCA, which utilizes the relation between power consumption or electromagnetic signal of the executing device and processed data in order to recover the key value. Since Differential Power Analysis (DPA) was proposed in 1997 [2], whose distinguisher is the difference of the mean traces, various distinguishers have been designed and improved to enhance attack ability and efficiency, for example, Pearson correlation coefficient as a distinguisher for Correlation Power Analysis (CPA)[3], mutual information for Mutual Information Analysis (MIA)[4], and maximum likelihood for Template Attack [5, 6] (TA) and Template Based DPA [7]. However, the necessity of estimating and establishing the leakage model has been a serious restriction for SCA, which collision attack can ignore. Collision attack was first proposed to analyze Hash algorithm [8] and has become a branch of mathematical cryptanalysis, but it only reveals relation between input and output without exploiting internal information as SCA.

As a combination of SCA and collision attack, side-channel collision attack can exploit the information of internal leakage without a large number of power traces as well as the knowledge of the leakage model. Side-channel collision attack showed strong ability of attack, when first presented [9] against Data Encryption Standard (DES) by Schramm et al., which was applied to AES [10] successfully later. Then all kinds of improved versions [11–17] of side-channel collision attack sprang up, and most of these methods show high sensitivity to errors, where the recovered key is totally wrong even when error occurs only in 1 bit under the high noise level circumstance, leading to a low efficiency. Bogdanov presented some voting detection methods that seemed to be more practical [14], but they need too many traces in a profiling phase and encrypting the same plaintexts repeatedly for decreasing the influence of noise may not be realistic. In 2010, Moradi proposed a correlation-enhanced method [15] that improves the probability of collision, but it may need lots of average power traces to process an attack and is sensitive to errors. In 2011, Bogdanov proposed an attack strategy [17] that uses the results of DPA to test chain separately. This method can improve the success probability in a sense that it cannot check the mistakes in collision detection which highly impact the attack results. Then Gérard et al. combined Low Density Parity Check (LDPC) decoding with correlation-enhanced and Euclidean Distance detection method in 2012 [16], which can be a globally efficient attack strategy in noisy settings. Two side-channel collision attack procedures based on bitwise collision detection were proposed, respectively, by Ren et al [18] in 2015 and by Wang et al [19] in 2017, which may have a poor performance on the detection success rate with high level noise. However, efficiency of collision detection and lack of error-tolerant and check mechanism are two main issues of existing side-channel collision attack.

*Our Contribution*. In this paper, we propose a novel multiple-bits collision attack framework. In particular, double distance voting detection (DDVD) and the error-tolerant and check mechanism are presented to ensure the high accuracy. In addition, we compare our collision detection method called DDVD with the Euclidean Distance and the correlation-enhanced collision methods under different intensity of noise, which indicates that our detection technique has a better performance in the circumstances of noise. Furthermore, 4-bit collision attack is proven to be optimal in theory and experiments. Practical attack experiments are performed successfully on a hardware implementation of AES in FPGA board.

The remainder of this paper is organized as follows. In Section 2, for a better understanding, we introduce some notations of our method as well as the basic linear collision attacks and then review the binary and ternary voting detection methods, correlation-enhanced collision attack, and LDPC decoding method in collision attack. In Section 3, a novel framework of multiple-bits collision attack is presented and we take the 4-bit model as an example to explain the attack procedure. In Section 4, we propose an improved version with an error-tolerant and check mechanism. In Section 5, we compare our collision detection method with other widely used detection techniques under different intensity of noise and analyze our model, and the experiments as well as the comparisons are also shown. Finally, we give the conclusion in Section 6.

#### 2. Preliminaries

In order to understand the strategy easily, AES is chosen as the target block cipher to perform the attack method. As for the hardware implementation of this paper, it operates each of 16 S-boxes, which are used for the SubBytes operation, sequentially one by one. The following proposed statements and techniques can be successfully utilized in other cryptographic symmetric algorithms.

##### 2.1. Notations

For a better description of the proposed method, we define some notations as follows. First we use letters k and p for 16-byte plaintext and first round subkey, with subscripts indicating a particular byte: Then we use the superscripts letters m and l for the 4 most significant bits and 4 least significant bits separately, meaning that Next, the attacker is able to choose the value of plaintext with key value all the same. The superscripts and state that the 4 most significant bits and 4 least significant bits are equal to values and in decimal format: Each trace acquired corresponding to first-round encryption contains 16 subtraces due to 16 sequential S-boxes, with subscripts indicating a particular S-box and each subtrace contains a number p of points, which are denoted by the subscripts:Furthermore, we use () to denote the power trace corresponding to the plaintext, where the value of 4 most (least) significant bits of all 16 bytes is* f (*) in decimal format; namely, .

However, if the superscript is a certain digit, it shows that the plaintext is this value or power trace is corresponding to the plaintext with this value. For example, means that the first byte of plaintext equals 128 in decimal format and is denoted as the power trace of the first S-box operation with the corresponding plaintext byte being 128. Meanwhile, we use and for the* nth* acquisition of power traces and plaintexts, respectively.

##### 2.2. Linear Collision Attack

The internal collision was first presented for attacking DES [9]. It is based on the fact that if a collision on a key-dependent function can be detected, the attacker can acquire some relations between the different inputs.

Linear collision is based on the internal collision. When it is applied to AES, if a collision between two S-boxes operations of the first round is detected (e.g., the collision between the* ith* and the* jth S-boxes* in Figure 1), it is obvious that (4) is tenable:Then one can obtain a linear equation about the relation between plaintexts and first round subkey:If the attacker can find all possible relations among 16 key bytes by detecting the collision of* S-boxes*, then he will obtain an equation set about the key bytes of the first round containing 15 linear equations: Note that all the equations in the set are relevant, and there is only one free variable. Thus, this equation set only has 2^{8} possible solutions, which means that we just need to enumerate all 256 possible candidates of 1 key byte to recover the whole key value.