On the importance of protecting Δ in SFLASH against side channel attacks

Katsuyuki Okeya, Tsuyoshi Takagi, Camille Vuillaume

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

SFLASH was chosen as one of the final selection of the project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, we are able to break the secret key. In this chapter, we experimentally analyze the effectiveness of a side channel attack on SFLASH. There are two different secret keys for SFLASH, namely the proper secret key (s, t) and the random seed Δ used for the hash function SHA-1. Whereas many papers discussed the security of (s, t), little is known about that of Δ. Steinwandt et al. proposed a theoretical DPA which aims at finding Δ by observing XOR operations. We propose another DPA on Δ using the addition operation modulo 2^32, and present an experimental result of the DPA. After obtaining the secret key Δ, the underlying problem of SFLASH can be reduced to the C* problem broken by Patarin. From our simulation, about 1408 pairs of messages and signatures are needed to break SFLASH. Consequently, one has to carefully implement SHA-1 in order to resist SCA on SFLASH. Very recently, Courtois et al. have proposed a new version of SFLASH, called SFLASHv3 [2]. However, the attacks described in this chapter are applicable to the new version.

Original language: English
Title of host publication: Embedded Cryptographic Hardware
Subtitle of host publication: Design and Security
Publisher: Nova Science Publishers, Inc.
Pages: 67-82
Number of pages: 16
ISBN (Print): 1594541450, 9781594541452
Publication status: Published - 2005
Externally published: Yes

Fingerprint

Data storage equipment
Electronic document identification systems
Hash functions
Seed
Side channel attack

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Cite this

Okeya, K., Takagi, T., & Vuillaume, C. (2005). On the importance of protecting Δ in SFLASH against side channel attacks. In Embedded Cryptographic Hardware: Design and Security (pp. 67-82). Nova Science Publishers, Inc.