VIETNAM GOVERNMENT INFORMATION SECURITY COMMISSION
ACADEMY OF CRYPTOGRAPHY TECHNIQUES

NGUYEN THANH TUNG

COUNTERMEASURE AGAINST POWER ANALYSIS ATTACK FOR THE AES ALGORITHM ON SMART CARDS BASED ON EMBEDDED MASK TECHNOLOGY

Specialization: Cryptography Technique
Code No: 9520209

ABSTRACT OF DOCTORAL THESIS

HANOI – 2021

This thesis has been completed at: ACADEMY OF CRYPTOGRAPHY TECHNIQUES

Scientific supervisors: Assoc. Prof. Dr. Nguyen Hong Quang; Dr. Đang Vu Hoang
Reviewer 1: Prof. Dr. Sc. Nguyen Van Loi, Viettel Research and Development Institute
Reviewer 2: Dr. Hoang Van Thuc, Vietnam Government Information Security Commission
Reviewer 3: Assoc. Prof. Dr. Pham Thanh Hiep, Military Technical Institute

The thesis was defended before the Academy-level Doctoral Evaluating Council held at the Academy of Cryptography Techniques.

The thesis can be found at:
- Library of the Academy of Cryptography Techniques
- Vietnam National Library

INTRODUCTION

Motivation
Power analysis attacks exploit the fact that the instantaneous power consumption of a cryptographic device depends on the data it processes and on the operation it performs, and use this dependency to recover the secret key. Power analysis is a dangerous class of attack: it is non-invasive, inexpensive and highly effective. Smart cards are widely used as cryptographic devices that provide strong authentication and security, and they are among the most critical components of modern security systems. Smart cards that use the AES algorithm are common and have many advantages; however, an unprotected smart card is not resistant to power analysis attack. Faced with this threat, many countermeasures have been researched and published. The aim of a countermeasure against power analysis attack is to make the power consumption of the cryptographic device independent of the data it processes, or at least to reduce this dependency. Masking, which tries to make the power consumption independent of the intermediate values, is the most discussed approach in the literature. Masking means concealing each intermediate value, call it $v$, with a random value $m$ called the mask. Masking methods basically use the XOR operation to mask the intermediate values of the algorithm. However, in the SubBytes operation of AES the inversion is a nonlinear transformation, so an XOR mask cannot be carried through it directly. The published masking solutions all have shortcomings for AES on smart cards: in security, in memory capacity, or in resistance to the zero-value attack.

To overcome these disadvantages, the thesis develops the theoretical basis of, and proposes, an embedded mask. The embedded mask lowers the degree of the data representation, embeds the data from the field into a ring, projects back from the ring, and uses exponentiation in place of inversion, combined with the full mask. The embedded mask meets the security requirements against power analysis attack on the AES algorithm, resists the zero-value attack, and keeps the implementation within the capacity of a smart card environment.

Summary of new scientific contributions of the thesis
Contribution 1: Development of the theoretical basis of embedded masks. Developing the mathematical basis for combining the method of lowering the degree of the data representation from $GF(2^8)$ to $GF((2^4)^2)$ and back, the method of mapping data elements of $GF((2^4)^2)$ into the ring $GF(2^4)[x]/P(x)Q(x)$ and projecting back, and the multiplicative mask method for computing, combining and adjusting the mask values for the AES algorithm.
Contribution 2: Proposal of the field-ring transform embedding mask scheme FREM and construction of the AES-EM algorithm. A new countermeasure based on the FREM embedding masking technique, combined with the full mask method, to conceal the SubBytes transformation; a proof of the security and effectiveness of the method; and a new masked AES algorithm that is secure, efficient and suitable for execution on smart cards.
Contribution 3: Setup, implementation, testing, evaluation and comparison of the effectiveness of the proposed method.
Deploying the simulation, setting up and implementing the algorithm, testing the power analysis attack on the new AES algorithm, evaluating the results, comparing them with the theory, and proposing the application direction of the topic.

The structure of the thesis
The thesis is presented in 142 pages, including: introduction, conclusion, list of abbreviations, list of tables (05 tables), list of figures (39 figures), references and appendices. The main content of the thesis is presented in three chapters with 111 pages:
Chapter 1: Evaluation of attacks and countermeasures against power analysis attack for the AES algorithm on smart cards.
Chapter 2: Proposed countermeasure against power analysis attack for the AES algorithm on smart cards based on embedded masks.
Chapter 3: Evaluation of the implementation efficiency of the countermeasure against power analysis attack based on the embedded mask technique for the AES algorithm in the smart card environment.

CHAPTER 1: EVALUATION OF ATTACKS AND COUNTERMEASURES AGAINST POWER ANALYSIS ATTACK FOR THE AES ALGORITHM ON SMART CARDS

In this chapter, the thesis evaluates attacks and countermeasures against power analysis attack for the AES algorithm on smart cards; analyses the principles, advantages, disadvantages and feasibility of the countermeasure methods; and thereby identifies the problem and determines the way the thesis solves it.

1.1 Overview of attacks and countermeasures against power analysis attack for the AES algorithm on smart cards
Although it is a device with many security features, the smart card still faces several types of attack: first, attacks on the cryptographic algorithms, and second, attacks on the security mechanisms of the applications carried out by the smart card. Among the attacks on smart cards, the side channel attack, and especially the power analysis attack, is a dangerous and common one [2, 21, 36, 39, 40, 45]. The power analysis attack is a type of side channel attack. Power analysis attacks are non-invasive and non-damaging, and they do not change the parameters of the cryptographic device, so it is very difficult to tell that a device is under attack.

1.1.1 Cryptography and cryptographic devices
1.1.2 Attacks and countermeasures of power analysis attack on cryptographic devices
1.1.3 Attacks and countermeasures of power analysis attack on the AES algorithm
1.1.3.1 Power analysis attack on the AES algorithm on smart cards
A power analysis attack recovers the secret key of the AES algorithm by analysing the power consumption of the smart card. The differential power analysis using correlation coefficients is performed according to the 5-step strategy of [39, 40, 45]:
Step 1: Choosing an intermediate result of the executed algorithm. The first step of a DPA attack is to choose an intermediate result of the cryptographic algorithm executed by the attacked device. This intermediate result needs to be a function $f(a, k)$, where $a$ is a known non-constant data value and $k$ is a small part of the key. Intermediate results that fulfil this condition can be used to reveal $k$. In most attack scenarios, $a$ is either the plaintext or the ciphertext. For AES, the first S-box output is the usual attack location: the S-box output is a function $f(a, k) = \mathrm{Sbox}(a \oplus k)$ of the data $a$ and the part $k$ of the cryptographic key.
Step 2: Measuring the power consumption. The second step is to measure the power consumption of the cryptographic device while it encrypts or decrypts $D$ different data blocks, recording one trace for each of the $D$ data blocks; the traces can be written as a matrix $T$ of size $D \times T$, where $T$ is the number of samples per trace.
Step 3: Calculating hypothetical intermediate values. The next step is to calculate a hypothetical intermediate value for every possible choice of $k$. We write these possible choices as the vector $k = (k_1, \dots, k_K)$, where $K$ denotes the total number of possible choices for $k$. In the context of attacks, we usually refer to the elements of this vector as key
hypotheses. Given the data vector $d$ and the key hypotheses $k$, an attacker can easily calculate hypothetical intermediate values $f(a, k)$ for all $D$ encryption runs and for all $K$ key hypotheses. This calculation results in a matrix $V$ of size $D \times K$:
$$v_{i,j} = f(a_i, k_j), \quad i = 1, \dots, D \text{ and } j = 1, \dots, K.$$
Step 4: Mapping intermediate values to power consumption values. The next step is to map the hypothetical intermediate values $V$ to a matrix $H$ of hypothetical power consumption values. The power consumption of the device for each hypothetical intermediate value $v_{i,j}$ is simulated in order to obtain a hypothetical power consumption value $h_{i,j}$; with the Hamming-weight model:
$$h_{i,j} = HW(v_{i,j}).$$
Step 5: Comparing the hypothetical power consumption values with the power traces. In the final step, each column $h_i$ of the matrix $H$ is compared with each column $t_j$ of the matrix $T$; that is, the attacker compares the hypothetical power consumption values of each key hypothesis with the recorded traces at every position. The result of this comparison is a matrix $R$ of correlation coefficients, from which the correct key hypothesis is identified. The same procedure is repeated until all key bytes of the algorithm have been recovered.

1.1.3.2 Countermeasures against power analysis attacks
The main countermeasures against power analysis attack are hiding and masking. Their purpose is to break the link between the intermediate values and the power consumption of the device while it performs the cryptographic operation.
a / Hiding method
The basic idea of hiding is to remove the data dependency of the power consumption. This means that either the execution of the algorithm is randomized, or the power consumption characteristics of the device are changed in such a way that an attacker cannot easily find a data dependency. The power consumption can be changed in two ways to achieve this goal: the device can be built in such a way that every operation requires approximately the same amount of energy, or it can be built in such a way that the power consumption is more or less random.
b / Masking method
Masking is a different countermeasure against power analysis attack. The basic idea of masking is to randomize the intermediate values that are processed by the cryptographic device. The motivation behind this approach is that the power needed to process randomized intermediate values is independent of the actual intermediate values. A big advantage of masking is that the power consumption characteristics of the device need not be changed: the power consumption can still be data dependent, and attacks are prevented because the device only ever processes randomized intermediate values.

1.2 Evaluation of countermeasures against power analysis attack for smart cards implementing the AES algorithm based on masking
1.2.1 Evaluation of the fixed mask
The countermeasure based on the Fixed Mask (FiM) uses a random number generator to produce a fixed mask value and the corresponding masked S-box values to mask the algorithm. The FiM method can ensure security against power analysis attack on the AES algorithm; however, it takes more time and more memory to compute the masks during the operation of the algorithm. Therefore this solution is not suitable for resource-limited devices such as smart cards.
1.2.2 Evaluation of the full mask
The countermeasure based on the Full Mask (FuM) uses six masks. When all data bytes are masked, 256 × 16 bytes are required; the full mask covers the rounds of the algorithm and the key schedule. To handle the nonlinear S-box, which cannot use the boolean mask directly, FuM builds a masked S-box table. However, the method takes up memory: the FuM implementation costs 3,795 bytes of ROM and 4,250 bytes of RAM. Thus the FuM countermeasure is not suitable for resource-limited devices such as smart cards.
1.2.3 Evaluation of the multiplicative mask
The countermeasure based on the Multiplicative Mask (MM) uses the properties of multiplication to build a combined mask that can be carried through the inversion in the SubBytes transformation of AES. However, the MM schemes (both adaptive MM and improved MM) have a major drawback: they are not resistant to the zero-value attack.
1.2.4 Evaluation of the arithmetic mask
Another method is the Arithmetic Mask (AtM). This countermeasure converts elements of the field $GF(2^8)$ into elements over $GF(2^4)$: the input data on $GF(2^8)$ are transformed into linear polynomials over $GF(2^4)$, inverted there, or lowered further to $GF(2^2)$, and a boolean mask is applied to conceal the inversion in the SubBytes transformation of AES. However, the need to transform and lower the field many times, to represent the data in different forms, to invert many times and to mask with many different mask values significantly increases the execution time and the memory capacity required of the device. This solution is also not suitable for installation and execution on smart cards.
1.3 Embedded mask ideas
The idea of the embedded mask was introduced by Christophe Tymen and Jovan Golic in [26]. To prevent the zero-value attack, the authors proposed mapping the data value from the field $GF(2^8)$ to a computation in the ring $\mathcal{R} = GF(2)[x]/PQ$ through the random mapping $\rho$ such that
$$\rho(X) = X \oplus RP \bmod PQ.$$
Noting that the value "0" of the field is mapped to one of $2^k$ possible random values, the authors argue that the method increases the computational complexity needed to detect the zero value when performing a zero-value attack. This concept not only protects against power analysis attack but also resists the zero-value attack. However, the paper did not present the theoretical basis of the transformations, and did not give a concrete implementation or an evaluation of security and feasibility.
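As an added illustration of the ring-embedding idea of [26] summarised above (example code written for this abstract, not the thesis's FREM implementation), the following works in the ring $GF(2)[x]/PQ$ of [26], with $P$ the AES field polynomial and an assumed $Q = x^4 + x + 1$ ($k = 4$); field and ring elements are small integers whose bits are the polynomial coefficients. It first shows the zero-value problem of plain multiplicative masking (the masked value of $X = 0$ is 0 whatever the mask $Y$), then the embedding $\rho(X) = X \oplus RP \bmod PQ$, under which the same $X = 0$ takes $2^k - 1$ different masked images for the $2^k - 1$ non-zero choices of $R$, while reduction modulo $P$ still recovers $X^{-1}$ because exponentiation to 254 commutes with reduction modulo $P$. The ring mask $Y$ must be a unit of the ring (non-zero modulo both $P$ and $Q$), a caveat the summary above does not spell out. All function and variable names are the example's own.

```python
"""Ring embedding of GF(2^8) (idea of Tymen and Golic [26]) versus plain
multiplicative masking.  Polynomials over GF(2) are ints: bit i is the
coefficient of x^i.  Example code for this abstract, not the thesis's FREM."""
import random

P = 0x11B                 # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
Q = 0x13                  # assumed: x^4 + x + 1, irreducible, degree k = 4
K = Q.bit_length() - 1    # k = 4

def poly_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod(a, mod):
    """Remainder of a modulo mod in GF(2)[x]."""
    dm = mod.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= mod << (a.bit_length() - 1 - dm)
    return a

PQ = poly_mul(P, Q)       # modulus of the ring R = GF(2)[x]/(PQ), degree 8 + k

def mul_mod(a, b, mod):
    return poly_mod(poly_mul(a, b), mod)

def pow_mod(a, e, mod):
    """Square-and-multiply; a^254 mod P is the GF(2^8) inverse (0 -> 0)."""
    r = 1
    while e:
        if e & 1:
            r = mul_mod(r, a, mod)
        a, e = mul_mod(a, a, mod), e >> 1
    return r

def gf_inv(x):
    return pow_mod(x, 254, P)

def mult_masked_inverse(x, y):
    """Plain multiplicative mask in the field: invert x*y, unmask with y.
    Returns (x^-1, the masked value the device actually processes)."""
    masked = mul_mod(x, y, P)             # == 0 whenever x == 0, for every y
    return mul_mod(pow_mod(masked, 254, P), y, P), masked

def embed(x, r):
    """rho(X) = X + R*P mod PQ: congruent to X mod P, non-zero in the ring
    for every non-zero R, so the field value 0 has 2^k - 1 distinct images."""
    return poly_mod(x ^ poly_mul(r, P), PQ)

def ring_unit(rng):
    """Random ring mask Y that is invertible: non-zero modulo both P and Q."""
    while True:
        y = rng.randrange(1, 1 << (8 + K))
        if poly_mod(y, P) and poly_mod(y, Q):
            return y

def embedded_masked_inverse(x, r, y):
    """Masked inversion on the ring: embed, multiply by Y, raise to 254,
    project back by reducing modulo P, then unmask with (Y mod P).
    Returns (x^-1, the masked ring value the device actually processes)."""
    masked = mul_mod(embed(x, r), y, PQ)   # (X + RP) * Y in the ring
    inv_ring = pow_mod(masked, 254, PQ)    # reduces mod P to (X * Y)^-1
    inv_field = poly_mod(inv_ring, P)      # projection from the ring to GF(2^8)
    return mul_mod(inv_field, poly_mod(y, P), P), masked

def zero_images():
    """Distinct masked values seen while processing X = 0 under each scheme,
    over every non-zero R and a few ring units Y (constructed inputs)."""
    rng = random.Random(2024)
    plain, ring = set(), set()
    for r in range(1, 1 << K):
        for _ in range(4):
            y = ring_unit(rng)
            plain.add(mult_masked_inverse(0, poly_mod(y, P))[1])
            ring.add(embedded_masked_inverse(0, r, y)[1])
    return plain, ring

def check_all_inverses(seed=7):
    """True if both schemes return x^-1 for every x in GF(2^8)."""
    rng = random.Random(seed)
    for x in range(256):
        y = ring_unit(rng)
        r = rng.randrange(1, 1 << K)
        if mult_masked_inverse(x, poly_mod(y, P))[0] != gf_inv(x):
            return False
        if embedded_masked_inverse(x, r, y)[0] != gf_inv(x):
            return False
    return True

if __name__ == "__main__":
    plain, ring = zero_images()
    print("plain multiplicative mask, images of 0:", sorted(plain))
    print("ring embedding, images of 0:", len(ring), "distinct values")
    print("inverses correct for all x:", check_all_inverses())
```

The images of 0 in the ring are the $2^k - 1$ multiples $P \cdot s$ with $s \neq 0$ in $GF(2)[x]/Q$, which is why a zero-value attack that looks for a fixed "all zero" intermediate no longer has a single value to target.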
1.4 Conclusion of the chapter
The objective of the thesis is to research and propose masking-based methods for countering power analysis attack on the AES algorithm on smart cards. The way to solve this problem is: construct and develop the theoretical basis for the embedded mask scheme; build a masking method for AES; propose an improved algorithm against power analysis attack; and prove its security, efficiency, implementability and performance on smart cards.

CHAPTER 2: PROPOSED COUNTERMEASURE AGAINST POWER ANALYSIS ATTACK FOR THE AES ALGORITHM ON SMART CARDS BASED ON EMBEDDED MASKS

From the evaluation results and the problem posed in Chapter 1, masking can be confirmed as an effective solution against power analysis attack. However, there is currently no mask scheme suitable for protecting the AES algorithm on smart cards against power analysis attack: the proposed schemes have issues such as the memory needed for the masked S-box, the execution time, or the lack of protection against the zero-value attack. The embedded masking direction can solve these problems, but no specific and precise scientific results have been published. By combining the arithmetic mask, the multiplicative mask and the research direction of embedded masks, the graduate student has developed a new masking method. In this chapter the thesis presents the research results on this method, starting from the development of the mathematical basis (data transformation, lowering of the data degree, and the field-to-ring embedding), which together form the theoretical basis of the embedded mask technique; it then builds a new AES algorithm with new masks that is secure and efficient against power analysis attack on smart cards.

2.1 Countermeasure against power analysis attack based on masking
2.1.1 Description of the masking method for the AES algorithm
2.1.2 Security of the masking method
2.2 Development of the mathematical basis for the embedding masking technique
2.2.1 Computation on finite fields, extension fields and composite fields
2.2.2 Mathematical basis of the embedding technique for the countermeasure against power analysis attack on the AES algorithm on smart cards
2.2.2.1 Polynomial ring homomorphism
a / Definition
Definition 2.5 [26]: The polynomial ring in the variable $x$ is the ring $\mathcal{R} = GF(2^4)[x]/PQ$ with coefficients in $G(2^4)$, whose modulus is the product of the polynomials $P(x)$ and $Q(x)$.

- Multiplicative masks, the field-to-ring embedding transform and the back-projection from the ring to the field increase the computational complexity and prevent the zero-value attack.
- The transformation and the use of exponentiation in place of inversion ensure that the intermediate value processed on the ring can be inverted.
The FREM scheme consists of the steps shown in Figure 2.2. The FREM technique maps the data value on $GF(2^8)$ to a value on $GF(2^4)$ and back (steps 1 and 7); embeds the field into the ring and projects back (steps 2 and 6); and processes on the ring (steps 3, 4 and 5). With the input value $v \oplus m$, after performing FREM the output is the value $v^{-1} \oplus m$. This value is the input to the Affine transformation of the AES algorithm.
2.3.2 Proposed countermeasure against power analysis attack for the AES algorithm based on the embedded mask
2.3.3 The FuFA method
The transformations of FuFA are the same as those of FuM. The difference is that FuFA uses the embedded masking technique FREM in place of the masked S-box table that the FuM method uses for the S-box of AES. The FuFA method proceeds as follows (Fig. 2.3):
AddRoundKey: At the beginning of each round, mask the plaintext $p$ with the values $m_i'$ ($m_1', m_2', m_3', m_4'$, one per row) and mask the key $k$ with $m_i' \oplus m$. The AddRoundKey transformation XORs the masked plaintext and the masked key, so the intermediate value $p \oplus k$ is masked with $m$:
$$(p \oplus m_i') \oplus (k \oplus m \oplus m_i') = (p \oplus k) \oplus m.$$
SubBytes: The masked intermediate value $(p \oplus k) \oplus m$ is passed into FREM.

Figure 2.3 Diagram of the FuFA method (plaintext → AddRoundKey with masks $m$, $m'$ and key $K$ → rounds 1…9: SubBytes, ShiftRows, MixColumns with masks $m_1, m_2, m_3, m_4$ and $MC(m_1, m_2, m_3, m_4)$, AddRoundKey with $K_1 \dots K_9$ → final round: SubBytes, ShiftRows, AddRoundKey with $K$ → ciphertext)

The intermediate value is now the inverse of $(p \oplus k)$, still masked with the mask value $m$ as in FuM. Next, the Affine transformation is masked with the same logic mask as in FuM; the intermediate value is now masked with the mask value $m'$.
ShiftRows: The ShiftRows operation permutes the bytes of the state matrix. In this scheme all state bytes are masked with the same mask, so this operation does not affect the masking: after ShiftRows the intermediate value is still masked with $m'$.
MixColumns: Before MixColumns, mask with $m_1$ in the first row, $m_2$ in the second, $m_3$ in the third and $m_4$ in the fourth row. The MixColumns transformation changes the masks $m_i$ to $m_i'$, $i = 1, \dots, 4$. The intermediate value is now masked with $m_i'$ and is used as input for the transformations of the next round, up to the last round. The last round does not perform MixColumns. At the end of the last round the data value is masked with $m'$ (the value obtained after the SubBytes and ShiftRows steps); the last round key is also masked with $m'$, so the final AddRoundKey yields the ciphertext without the mask. Thus the mask has been removed at the output of the algorithm, ready for decryption.
2.3.4 Proposed AES-EM algorithm
The next part of the thesis builds an improved AES scheme on smart cards against power analysis attack based on the FREM embedded masking technique. The proposed embedded mask AES algorithm is named AES-EM (AES-EMBEDDED MASK).
AES-EM algorithm
INPUT: Plaintext $X$: 16 bytes $X_i$, $i = 0, \dots, 15$, $X_i \in GF(2^8)$; 11 round keys $RK_i$, $i = 0, \dots, 10$, each a $4 \times 4$ matrix with elements in $GF(2^8)$; mapping function $f: GF(2^8) \to GF((2^4)^2)$.
OUTPUT: Ciphertext $Y$: 16 bytes $Y_i$, $i = 0, \dots, 15$.
1. Choose different
   random masks $m, m', m_1, m_2, m_3, m_4$.
2. Calculate the masks $m_1', m_2', m_3', m_4'$ by
$$\begin{bmatrix} m_1' \\ m_2' \\ m_3' \\ m_4' \end{bmatrix} = \mathrm{MixColumns}\left(\begin{bmatrix} m_1 \\ m_2 \\ m_3 \\ m_4 \end{bmatrix}\right).$$
3. Set
$$X = \begin{bmatrix} X_0 & X_4 & X_8 & X_{12} \\ X_1 & X_5 & X_9 & X_{13} \\ X_2 & X_6 & X_{10} & X_{14} \\ X_3 & X_7 & X_{11} & X_{15} \end{bmatrix}; \quad Y = \begin{bmatrix} Y_0 & Y_4 & Y_8 & Y_{12} \\ Y_1 & Y_5 & Y_9 & Y_{13} \\ Y_2 & Y_6 & Y_{10} & Y_{14} \\ Y_3 & Y_7 & Y_{11} & Y_{15} \end{bmatrix};$$
$$M = \begin{bmatrix} m_1 & m_1 & m_1 & m_1 \\ m_2 & m_2 & m_2 & m_2 \\ m_3 & m_3 & m_3 & m_3 \\ m_4 & m_4 & m_4 & m_4 \end{bmatrix}; \quad M' = \begin{bmatrix} m_1' & m_1' & m_1' & m_1' \\ m_2' & m_2' & m_2' & m_2' \\ m_3' & m_3' & m_3' & m_3' \\ m_4' & m_4' & m_4' & m_4' \end{bmatrix};$$
$$\mathbf{r} = \begin{bmatrix} m & m & m & m \\ m & m & m & m \\ m & m & m & m \\ m & m & m & m \end{bmatrix}; \quad \mathbf{r}' = \begin{bmatrix} m' & m' & m' & m' \\ m' & m' & m' & m' \\ m' & m' & m' & m' \\ m' & m' & m' & m' \end{bmatrix}.$$
4. $Y = X \oplus M'$
5. $RK_0 = RK_0 \oplus M' \oplus \mathbf{r}$
6. For $i = 1, \dots, 9$:
7.    $Y = Y \oplus RK_{i-1}$
8.    $Y = f(Y)$
9.    $Y = \mathrm{FREM}(X, Y, f(m))$
10.   $Y = \mathrm{Affine}(Y)$
11.   $Y = \mathrm{ShiftRows}(Y)$
12.   $Y = Y \oplus M$
13.   $Y = Y \oplus \mathbf{r}'$
14.   $Y = \mathrm{MixColumns}(Y)$
15.   $RK_i = RK_i \oplus M' \oplus \mathbf{r}$
16. End
17. $Y = Y \oplus RK_9$
18. $Y = f(Y)$
19. $Y = \mathrm{FREM}(X, Y, f(m))$
20. $Y = \mathrm{Affine}(Y)$
21. $Y = \mathrm{ShiftRows}(Y)$
22. $RK_{10} = RK_{10} \oplus \mathbf{r}'$
23. $Y = Y \oplus RK_{10}$

2.4 Evaluation of the security and performance of the FREM technique and the AES-EM algorithm
This section assesses the security, performance and feasibility of the FREM embedded mask technique and the AES-EM algorithm in the smart card environment.
2.4.1 Security
This part of the thesis evaluates the security of the proposed AES-EM algorithm. The security assessment of AES-EM is based on the security evaluation of the masking technique, the security of the FuM, AtM and MM schemes, and the security assessment of the mathematical transformations of the FREM embedding masking technique. Masking conceals the intermediate values of the cryptographic algorithm with secret values to prevent power analysis attack; the security of the mask was established in the theoretical basis of Section 2.1 and Section 2.1.3. To evaluate the security of the AES-EM algorithm, the thesis proves that the transformation steps of the FREM embedded mask technique are secure. The SubBytes transformation of AES consists of two steps: the inversion and the Affine transformation. The Affine transformation is masked by a logic (boolean) mask, whose security is stated in Lemma 2.1 (in the full thesis).
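The mask bookkeeping of the FuFA round (Section 2.3.3) and of steps 11 to 15 of the AES-EM listing can be checked mechanically. The following is example code added for this abstract, not the thesis's implementation: it starts from a state already masked with $m'$ after SubBytes (constructed directly; the FREM and Affine steps are not implemented here), pushes it through ShiftRows, the XOR with $M \oplus \mathbf{r}'$, MixColumns and the AddRoundKey with $RK_i \oplus M' \oplus \mathbf{r}$, and checks after every step that the masked state differs from the unmasked AES computation by exactly the mask the text says it carries: $m'$, then $m_i$ per row, then $m_i'$, then $m$. The state is held as 16 bytes in AES column-major order; the function names are the example's own.

```python
"""Mask bookkeeping of one FuFA / AES-EM round (section 2.3.3, steps 11-15 of
the AES-EM listing).  Example code for this abstract, not the thesis's code:
the masked S-box output S(x) ^ m' is constructed directly; FREM and Affine
are not implemented here.  State: 16 bytes, AES column-major, s[row + 4*col]."""
import random

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def shift_rows(s):
    """Row r is rotated left by r positions (AES ShiftRows)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_column(a):
    b = [xtime(v) for v in a]                        # 2 * a_i
    return [b[0] ^ b[1] ^ a[1] ^ a[2] ^ a[3],        # 2a0 + 3a1 +  a2 +  a3
            a[0] ^ b[1] ^ b[2] ^ a[2] ^ a[3],        #  a0 + 2a1 + 3a2 +  a3
            a[0] ^ a[1] ^ b[2] ^ b[3] ^ a[3],        #  a0 +  a1 + 2a2 + 3a3
            b[0] ^ a[0] ^ a[1] ^ a[2] ^ b[3]]        # 3a0 +  a1 +  a2 + 2a3

def mix_columns(s):
    return [v for c in range(4) for v in mix_column(s[4 * c:4 * c + 4])]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def row_mask(rows):
    """The matrix M of the listing: every byte of row r carries rows[r]."""
    return [rows[r] for c in range(4) for r in range(4)]

def plain_round_tail(s_box_out, rk):
    """Unmasked AES after SubBytes: ShiftRows, MixColumns, AddRoundKey."""
    return xor(mix_columns(shift_rows(s_box_out)), rk)

def masked_round_tail(s_masked, rk_masked, M, m, m_prime):
    """Steps 11-15 of AES-EM on a state masked with m' after SubBytes.
    Returns the masked state and a log of (step, masked state, mask carried),
    the mask being tracked by pushing it through the same linear maps."""
    log = []
    y, mask = shift_rows(s_masked), [m_prime] * 16          # same m' everywhere: unchanged
    log.append(("ShiftRows", y, mask))
    y, mask = xor(xor(y, M), [m_prime] * 16), M             # m' cancels, row r carries m_r
    log.append(("xor M, r'", y, mask))
    y, mask = mix_columns(y), mix_columns(M)                # MixColumns turns m_i into m_i'
    log.append(("MixColumns", y, mask))
    key_mask = xor(mix_columns(M), [m] * 16)                # step 15: RK_i ^ M' ^ r
    y, mask = xor(y, rk_masked), xor(mask, key_mask)        # M' ^ M' ^ r: every byte masked with m
    log.append(("AddRoundKey", y, mask))
    return y, log

def verify(seed=3):
    """Constructed random state, key and masks; True if every logged mask is
    exactly the difference between the masked and the unmasked computation."""
    rng = random.Random(seed)
    rnd = lambda n: [rng.randrange(256) for _ in range(n)]
    s_box_out, rk, rows = rnd(16), rnd(16), rnd(4)          # S(x) state, RK_i, m1..m4
    m, m_prime = rng.randrange(256), rng.randrange(256)     # m, m'
    M = row_mask(rows)
    M_prime = mix_columns(M)                                # step 2 of the listing
    rk_masked = xor(xor(rk, M_prime), [m] * 16)             # step 15 of the listing
    y, log = masked_round_tail(xor(s_box_out, [m_prime] * 16), rk_masked, M, m, m_prime)
    sr = shift_rows(s_box_out)
    plain_steps = [sr, sr, mix_columns(sr), xor(mix_columns(sr), rk)]
    steps_ok = all(xor(ys, ms) == ps for (_, ys, ms), ps in zip(log, plain_steps))
    final_ok = xor(y, [m] * 16) == plain_round_tail(s_box_out, rk)
    masks_ok = log[2][2] == M_prime and log[3][2] == [m] * 16
    return steps_ok and final_ok and masks_ok

if __name__ == "__main__":
    print("mask bookkeeping consistent:", verify())
```

The check relies only on the linearity of ShiftRows and MixColumns over XOR, which is the reason the listing can precompute $M' = \mathrm{MixColumns}(M)$ once and reuse it for every round key.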
2.4.1.1 Security of the embedded mask technique FREM
The transformation steps of the embedded masking technique FREM are: processing on the field, embedding from the field into the ring and back-projection, and processing on the ring. To evaluate the security of FREM, the thesis presents a security assessment for each class of transformation.
a. Security of processing on the field
The first class is the processing on the field: the transformations of values from $GF(2^8)$ to $GF(2^4)$ and back. This step keeps the ability of the mask to resist power analysis attack (as assessed by Oswald et al. [40]). Thus it can be concluded that the processing on the field is secure.
b. Security of the field-ring embedding, the back-projection and the processing on the ring
The FREM scheme uses the map $\rho$ to embed data values from $GF((2^4)^2)$ into the ring $\mathcal{R} = GF(2^4)[x]/PQ$ and the map $\rho^{-1}$ to project from the ring $\mathcal{R}$ back to $GF((2^4)^2)$; the intermediate values involved are $(f(v) \oplus f(m))$ and $(X \oplus RP)$. When FREM processes on $\mathcal{R}$ (steps 3, 4 and 5 of the FREM scheme), the intermediate values are $(X \oplus RP)$, $[(X \oplus RP) \times Y]$ and $[(f(v) \oplus RP) \times Y]$. To prove that the data value $f(v)$ is independent of these intermediate values, the thesis states and proves the following propositions:
Proposition 2.1: Let $v, m \in GF(2^8)$. Suppose $v$ is a constant and $m$ is a random variable uniformly distributed over its range ($m = 0, 1, \dots, M-1$). Then $[f(v) \oplus f(m)]$ is independent of the intermediate value $v$.
Proposition 2.2: For $v, m \in GF(2^8)$, $\rho(X) = X \oplus RP$ is independent of $f(v)$.
Proposition 2.3: Let $v, m, Y \in GF(2^8)$. Suppose $v$ is a constant and $m, Y$ are uniformly distributed random variables. Then $[(X \oplus RP) \times Y]$ is independent of $f(v)$, and if $h + 2 < l$, then $[(f(v) \oplus RP) \times Y]$ is independent of $f(v)$.
2.4.1.2 Security of the AES-EM algorithm
Next, the thesis assesses the security of the AES-EM algorithm. AES-EM applies the full FuM method, which conceals all intermediate values of the algorithm; so AES-EM ensures security for all transformation steps of the algorithm and of the key schedule [39]. During the operation of AES-EM, the transformations and rounds of AES-128 are preserved: 10 rounds of the AddRoundKey, SubBytes, ShiftRows and MixColumns operations, so AES-EM fully preserves the cryptographic properties of the AES algorithm. The mask values used in AES-EM are pre-computed, which keeps the combination of the masks with the intermediate values of the algorithm predictable. At the end of AES-EM the final value is the ciphertext; it has been unmasked, so the output of the algorithm can be used in further operations.
2.4.2 Performance
2.4.2.1 Time complexity of the algorithm
The AES-EM algorithm and the AES-128 algorithm work on fixed-length blocks (128 bits). The time required by AES-EM to encrypt such a block is similar to that of AES-128 and is essentially independent of the input, so the time complexity per block is $\mathcal{O}(1)$; in a cipher mode with a long message of $m$ blocks, the complexity is $\mathcal{O}(m)$. The AES-128 scheme has a total of 190 computation steps ($190\,\mathcal{O}(1)$), while the AES-EM scheme has 321 steps ($321\,\mathcal{O}(1)$). Thus, although the FREM scheme has more computation steps than SubBytes, this is not very significant, and the computation time of the two schemes is not very different. It can be concluded that the AES-EM algorithm has a time complexity of the same class as AES-128 and therefore a running time comparable to AES-128. Implementing the AES-EM embedded masking algorithm increases the time, but not by too much; AES-EM therefore has a time complexity suitable for smart card devices.
2.4.2.2 Space complexity of the algorithm
When using one byte of memory per variable, AES-EM requires 10 bytes more space than the AES-128 algorithm. Thus,
according to the theoretical evaluation, the embedded mask method for AES, implemented as the AES-EM algorithm, satisfies the time and memory capacity of resource-limited devices such as smart cards.
2.5 Comparison of the embedded mask with other masking methods
2.5.1 Comparison with the fixed and full mask methods
Compared with the fixed and full mask methods, the embedded mask technique is much better in memory capacity, ensuring memory performance when executed on smart cards.
2.5.2 Comparison with the multiplicative mask
The embedded mask technique is more secure than the multiplicative mask technique, and is resistant to the zero-value attack.
2.5.3 Comparison with the arithmetic transformation mask
The embedded mask technique is better than the arithmetic transformation mask in capacity, and can mask the algorithm on a resource-limited device such as a smart card.
2.6 Conclusion of the chapter
In Chapter 2, the thesis described and evaluated the security of the countermeasure against power analysis attack based on the embedded mask method, built the theoretical basis of embedded masks, proposed a countermeasure against power analysis attack based on the embedded masking technique, built a new AES algorithm (AES-EM), and evaluated the security and performance of the method theoretically.

CHAPTER 3: IMPLEMENTATION AND EVALUATION OF THE EFFICIENCY OF THE COUNTERMEASURE AGAINST POWER ANALYSIS ATTACK BASED ON THE EMBEDDED MASK TECHNIQUE FOR THE AES ALGORITHM IN THE SMART CARD ENVIRONMENT

In this chapter the thesis applies and evaluates the effectiveness of the countermeasure against power analysis attack based on the embedded mask technique, by experimental attacks on the AES-128 and AES-EM algorithms.
3.1 Implementation of the experimental system
3.1.1 System model
The system measures the power consumed by a cryptographic device while it executes an encryption algorithm, as follows:
1) The cryptographic device is supplied with power and a clock signal. The device is active and ready to receive commands (1).
2) Next, the computer configures and prepares the oscilloscope (2).
3) The computer sends a command to the cryptographic device to start executing the encryption algorithm (3).
4) The oscilloscope records the power consumed by the cryptographic device during the execution of the algorithm (4).
5) The computer receives the output of the cryptographic algorithm from the device (5).
6) The computer records the power trace from the oscilloscope (6).
These steps are repeated (up to step 6) to collect the traces for the power analysis attack. A typical measurement setup for power analysis attack is shown in Figure 3.1.

Figure 3.1 Block diagram of the measurement setup for power analysis attack (blocks: computer, oscilloscope, power measuring circuit, cryptographic device, clock generator)

3.1.2 Operation of the system
3.1.3 Devices in the system
3.2 Installation and execution of the experimental programs
3.3 Performing the attack
In this part, the thesis uses the system described above to attack the AES-128 and AES-EM algorithms installed on an ATmega8515 smart card.
3.3.1 Attack on AES-128
Follow the steps presented in the theory.
Step 1: The smart card receives data from the PC and encrypts it with the AES-128 algorithm. Acquire and construct the set of actual power consumption traces for a particular key. Select the output byte of the first S-box of the first round as the attack point: the intermediate result is then a function of the first byte of the plaintext combined with the first byte of the key. Record the power consumed by the smart card while encrypting 480 different plaintexts. The number of traces used for this part is thus 480, the length of each trace is 85,000 samples, and the resulting matrix of power consumption values $[T]_{D \times T}$ has size $480 \times 85000$.
Step 2: Calculate the hypothetical intermediate values from the 480 known plaintexts: $v_{i,j} = f(a_i \oplus k_j)$, where $a_1, \dots, a_{480}$ are the first bytes of the 480 plaintexts and $k_j = 0, \dots, 255$. This gives the matrix $[V]_{D \times K}$ of size $480 \times 256$.
Step 3: Map the
matrix $[V]$ to the matrix $[H]$ of hypothetical power consumption values. The thesis uses the Hamming weight model for the mapping, $[H] = HW([V])$, giving the matrix $[H]_{D \times K}$.
Step 4: Calculate the correlation coefficient between every column of $[H]_{D \times K}$ and every column of the measured power consumption matrix $[T]_{D \times T}$, using the Pearson correlation formula, which determines whether two quantities are linearly correlated:
$$r_{i,j} = \frac{\sum_{a=1}^{D} (h_{a,i} - \bar h_i)(t_{a,j} - \bar t_j)}{\sqrt{\sum_{a=1}^{D} (h_{a,i} - \bar h_i)^2 \; \sum_{a=1}^{D} (t_{a,j} - \bar t_j)^2}}.$$
This calculation gives the correlation coefficient matrix $[R]_{K \times T}$. The attack parameters are 480 plaintexts with 85,000 samples each. The attack succeeds in finding the secret key of the AES-128 algorithm. The correlation graph over the entire hypothetical key space of AES-128 is shown in Figure 3.8.
Figure 3.8 Correlation coefficient plot over the hypothetical key space (key k=63 shows spikes; the other keys are fairly flat)
To compare and visually evaluate the hypothetical keys, the graduate student builds comparison charts of the correlation. Figure 3.10 compares the correlation graphs of the two hypothetical keys k=63 (left) and k=64 (right): the key k=63 shows high spikes while the graph of the key k=64 is flat. It can thereby be concluded that k=64 is a false key hypothesis.
Figure 3.10 Correlation plot of the correct key k=63 (left) and key k=64 (right)
3.3.2 Attack on AES-EM
Follow the same steps as for the attack on AES-128. The attack parameters are 480 plaintexts with 85,000 samples each. The attack could not find the secret key of the AES-EM algorithm. Increasing the number of traces to 1,500 and 3,000, the attack still could not find the secret key of the algorithm (Figure 3.29).
Figure 3.29 Correlation graph of the correct key k=63 and key k=64 for the AES-EM algorithm (3,000 traces)
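To make the five-step procedure of Section 1.1.3.1 and the experiments of Sections 3.3.1 and 3.3.2 concrete, the following added example (written for this abstract; it is not the thesis's attack software and does not reproduce its measurements) runs the correlation power analysis against the first-round S-box output on constructed traces. It assumes a simulated device whose leakage is the Hamming weight of the S-box output plus Gaussian noise at one of 8 samples per trace (the thesis's traces have 85,000 samples), 480 traces, and the key byte value 63; the S-box is computed as the inversion followed by the affine map, the decomposition the thesis masks step by step. The same attack is then run against a device that XORs a fresh random mask $m'$ onto each S-box output, as a masked S-box producing $S(x) \oplus m'$ does, which reproduces the behaviour reported for AES-EM: no key hypothesis stands out, and more traces do not change that. Function and variable names are the example's own.

```python
"""Correlation power analysis (CPA) of the first-round AES S-box output on
constructed traces, following the 5-step strategy of section 1.1.3.1 and the
experiment of section 3.3.  Example code for this abstract, not the thesis's
attack software; the traces are simulated, not measured."""
import random

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        hi = a & 0x80
        a = (a << 1) & 0xFF
        if hi:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0 as AES specifies."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def affine(b):
    """The AES affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    s = 0x63
    for i in range(5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s

SBOX = [affine(gf_inv(x)) for x in range(256)]   # SubBytes = inversion, then affine
HW = [bin(x).count("1") for x in range(256)]     # Hamming-weight power model

def simulate_traces(key_byte, n_traces, n_samples=8, leak_at=3, sigma=1.0,
                    masked=False, seed=1):
    """Constructed traces (steps 1-2): Gaussian noise in every sample, plus the
    HW of the first S-box output at sample `leak_at`.  With masked=True the
    device processes S(p ^ k) ^ m' for a fresh random m' on every run."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        t = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        t[leak_at] += HW[v]
        plaintexts.append(p)
        traces.append(t)
    return plaintexts, traces

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def cpa(plaintexts, traces):
    """Steps 3-5: hypothetical intermediates V for all 256 key hypotheses,
    H = HW(V), and R = corr(H, T); each hypothesis is scored by its peak |r|
    over the samples.  Returns (best hypothesis, its peak |r|, all peaks)."""
    columns = [[t[j] for t in traces] for j in range(len(traces[0]))]
    peaks = []
    for k in range(256):
        h = [HW[SBOX[p ^ k]] for p in plaintexts]
        peaks.append(max(abs(pearson(h, col)) for col in columns))
    best = max(range(256), key=peaks.__getitem__)
    return best, peaks[best], peaks

if __name__ == "__main__":
    KEY = 63   # assumed key byte; the experiment reports k=63 as the correct hypothesis
    for masked in (False, True):
        p, t = simulate_traces(KEY, 480, masked=masked)
        k, peak, _ = cpa(p, t)
        print(f"masked={masked}: best hypothesis k={k}, peak |r|={peak:.3f}")
```

With the unmasked device the correct hypothesis reaches a correlation near $\sqrt{2/3}$ (the Hamming weight of a byte has variance 2 and the noise variance is 1), while every hypothesis against the masked device stays at the noise level of roughly $1/\sqrt{480}$, which is the flat graph of Figure 3.29.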
the AES-EM algorithm (implemented with 3000 traces).

3.4 Analyze the results

3.4.1 Security

Through experimentation, compared with the theoretical contents, the following can be asserted:

1/ Finding the secret key in a power analysis attack works by exploiting the relationship between the instantaneous power consumption of the device under attack and the data the device processes. AES-EM removes this relationship, so the number of samples (traces) does not affect the attack.

2/ The key-finding problem in a power analysis attack can also be regarded as a classification problem. For the AES-EM algorithm with 256 hypothetical keys, these can be regarded as 256 sample features. According to machine learning theory, it is common to take about 10 times as many samples as features; the attack with 3000 traces (plaintexts) uses 12 times the number of features. The experimental results once again confirm the accuracy of the security assessment of the countermeasure against power analysis attacks based on the embedded mask technique.

3.4.2 Performance

The execution results of the masking schemes, namely the time and memory consumed when executing the evaluated schemes, are as follows. The AES scheme with adaptive MM (with the appearance of the value Y) takes 1752 bytes of ROM and 121 bytes of RAM, whereas the AES scheme with the improved MM uses 732 bytes of ROM and 46 bytes of RAM. The two multiplicative mask schemes guarantee performance when executed on smart cards, but their weakness is that they are vulnerable to the zero-value attack. The AES scheme with FuM (implementing masked tables for the S-box) consumes 3795 bytes of ROM and 4250 bytes of RAM; it does not meet the capacity requirement and is not suitable for devices with limited resources such as smart cards.

3.5 Conclusion of Chapter 3

In Chapter 3, the thesis builds and implements an experimental system, installs and implements the AES-128 and AES-EM algorithms, performs the attack on both algorithms, analyzes the results, and evaluates the
security and performance of the countermeasure against power analysis based on the embedded mask, compared with other countermeasures. The attack results show that the AES-EM algorithm ensures security against power analysis attacks, prevents zero-value attacks, and fits within the capacity available to install and execute on smart cards.

CONCLUSION AND RECOMMENDATION

1/ Conclusion

Smart cards, with their convenience, compactness, discreetness and anti-counterfeiting, authentication and security features, are used widely and in many forms. The AES algorithm is a secure, lightweight and simple algorithm suited to execution on devices with limited resources such as smart cards. Smart cards now face a particularly dangerous type of attack: the power analysis attack. The existing countermeasures against power analysis attacks for the AES algorithm on smart cards are not yet secure and not suited to the capacity of devices with limited resources. The thesis "The countermeasure against power analysis attack for AES algorithm on smart cards based on embedded mask technique" aims to research and propose a mask method to protect the AES algorithm against power analysis attacks; the countermeasure in the thesis solves this problem.

The thesis has been completed and has achieved the set objectives. The specific results and contributions of the thesis include:

Contribution 1: Development of the theoretical basis of embedded masks.
Contribution 2: Proposal of the field-ring transform embedding mask scheme FREM and construction of the AES-EM algorithm.
Contribution 3: Setup, implementation, testing, evaluation and comparison of the effectiveness of the proposed method.

Practical significance. The contributions of the thesis include: the FuFA mask method is a basic, comprehensive countermeasure against power analysis attacks that can be applied to many cryptographic algorithms; the FREM technique can be applied to mask nonlinear transformations such as the inversion in the SubBytes transformation of the AES algorithm; and the AES-EM algorithm ensures the security of the
AES algorithm on the smart card device against power analysis attacks.

2/ Recommendation

The thesis proposes the application of the FuFA mask method and of the AES-EM algorithm to ensure secure smart card device implementations. Smart card security equipment implementing AES-EM can be used to distribute cryptographic keys and in the information security of defense and security.

FURTHER RESEARCH

With the rapid development of science and technology, after completing the dissertation according to the set purpose, I realize that it is necessary to expand and deepen research on the descending method to mask on the property field, proceeding to harden smart card devices against power analysis attacks. Besides, it is possible to study and apply the FREM technique to build masking methods for cryptographic algorithms and cryptographic devices. In addition, the FuFA masking method can be applied against power analysis attacks for cryptographic devices with limited resources.

LIST OF PUBLISHED PAPERS USED IN THE THESIS

1. Nguyen Thanh Tung, "Một giải pháp chống tấn công DPA hiệu quả", Journal of Military Science and Technology, special issue, pp. 33-41, May 2017.
2. Nguyen Thanh Tung, Tran Ngoc Quy, "Mặt nạ nhân chống tấn công DPA lên AES Smart Card", HNUE Journal of Science - Natural Sciences, Volume 64, Issue 3, pp. 82-88, 2019.
3. Nguyen Thanh Tung, Bui Van Duong, "Một phương pháp hiệu quả chống tấn công DPA lên AES Smart Card", Journal of Military Science and Technology, special issue, pp. 13-20, August 2019.
4. Nguyen Thanh Tung, "Phân tích, đánh giá hiệu quả phương pháp mặt nạ chống tấn công DPA cho AES Smart Card", Information Security Magazine, No. CS (11), pp. 46-52, 2020.
5. Nguyen Thanh Tung, "Nguy cơ tấn công và giải pháp bảo đảm an toàn môi trường làm việc Cơ yếu", Cryptography Magazine, 2017.
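The correlation power analysis of Steps 1 to 4 in Section 3.3.1, together with the unmasked-versus-masked comparison of Section 3.4.1, as an added worked example from the evaluator's side; this is not code from the thesis or from the AES-EM implementation. Constructed Hamming-weight traces with Gaussian noise stand in for the oscilloscope data, the AES S-box is computed from its definition rather than typed in, and the masked target applies a fresh Boolean mask to the S-box output, a stand-in for a masked implementation and not the thesis's FREM scheme. The key byte 63, the 480 traces, the trace length of 20 samples, the leak position and the noise level are all constructed parameters.

```python
"""First-order CPA leakage check: unmasked S-box output beside a Boolean-masked
stand-in. Added example, not thesis code; all traces are constructed here."""
import math
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def build_sbox():
    """AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):      # x^254 == x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        y = inv
        for shift in (1, 2, 3, 4):    # XOR of the four left rotations
            y ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox


SBOX = build_sbox()


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key_byte, n_traces, n_samples, leak_index, masked, seed):
    """Constructed traces: unit Gaussian noise at every sample, plus HW of the first
    S-box output at leak_index. masked=True XORs a fresh random byte into the
    leaking value per trace (a Boolean mask stand-in, not the thesis's scheme)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        trace = [rng.gauss(0.0, 1.0) for _ in range(n_samples)]
        trace[leak_index] += hamming_weight(v)
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def cpa(plaintexts, traces):
    """Steps 2-4 of the text: hypotheses V[D][K], H = HW(V), Pearson r over [T].
    Returns the key guess with the largest |r| and each key's peak |r|."""
    n = len(traces)
    n_samples = len(traces[0])
    # Centre every sample column once (t_{a,j} - mean_j) and keep its norm.
    cols, col_norms = [], []
    for j in range(n_samples):
        col = [t[j] for t in traces]
        m = sum(col) / n
        c = [x - m for x in col]
        cols.append(c)
        col_norms.append(math.sqrt(sum(x * x for x in c)))
    peaks = []
    for k in range(256):
        h = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        mh = sum(h) / n
        hc = [x - mh for x in h]
        hn = math.sqrt(sum(x * x for x in hc))
        best_r = 0.0
        for c, cn in zip(cols, col_norms):
            if hn == 0 or cn == 0:
                continue
            r = sum(a * b for a, b in zip(hc, c)) / (hn * cn)
            best_r = max(best_r, abs(r))
        peaks.append(best_r)
    return max(range(256), key=peaks.__getitem__), peaks


def evaluate(masked, key_byte=63, n_traces=480, n_samples=20, leak_index=7, seed=1):
    """Run the CPA on constructed traces; returns (recovered key, peak |r| of the true key)."""
    pts, trs = simulate_traces(key_byte, n_traces, n_samples, leak_index, masked, seed)
    best, peaks = cpa(pts, trs)
    return best, peaks[key_byte]


if __name__ == "__main__":
    for masked in (False, True):
        best, r_true = evaluate(masked)
        print(f"masked={masked}: recovered key {best}, peak |r| of true key {r_true:.3f}")
```

Running the block prints the recovered key and the true key's peak correlation for both targets. On the unmasked traces the hypothesis k=63 stands well above the other 255, which is the spike in Figure 3.8; on the masked traces its correlation sits inside the noise band of the wrong keys, which is the flat graph the thesis reports for AES-EM in Figure 3.29, and adding traces does not change that at first order because the masked value is independent of the hypothesis.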