On The Need of Physical Security For Small Embedded Devices: A Case Study With COMP128-1 Implementations in SIM Cards (Long Version)
1 Introduction
Protecting present information systems requires considering both hardware and software security issues, with their specific risks and constraints. In general, software attacks are cheaper and tools for performing them can be rapidly disseminated. Yet, they are also easier to patch with code updates. By contrast, hardware attacks are more difficult to perform, as they require laboratory equipment that ranges from low-cost to highly expensive. But they can be more difficult to fix a posteriori, as hardware updates imply more expensive development processes, and usually take place in the longer term. Hence, finding the best balance between hardware and software security is a difficult task for system designers. This concern is particularly critical with cryptographic implementations that may be the target of fault insertion attacks [7] and side-channel attacks [26, 27, 44]. In the latter case (that will be our focus in this paper), the adversary exploits physical information leakage such as the power consumption of the device running a cryptographic algorithm, in order to extract secret information such as secret keys. As the power consumption of a device is expected to be correlated with the data it manipulates, these attacks essentially proceed by comparing key-dependent leakage predictions with actual measurements. When no particular care is taken, cryptographic implementations frequently turn out to be highly susceptible to side-channel attacks, as recently exhibited with results against the KeeLoq remote keyless entry systems (at CRYPTO 2009 [18]), the Mifare DESFire contactless smart cards (at CHES 2011 [38]), or Xilinx’s FPGA bitstream encryption mechanisms (at ACM CCS 2011 [35]).
The important conclusions of this work are methodological. First, our results exhibit the long term nature of physical security concerns. While cryptographic implementations are not deployed as long as algorithms, they may remain in service for a couple of years, and are not straightforward to upgrade. This observation makes a case for considering physical security as an important feature of small embedded devices in general. Technical solutions exist to make side-channel attacks significantly more difficult to perform, e.g. the previously mentioned masking and hiding. But they work best if considered early in a design process. Second, we observe that public standards for cryptographic algorithms are useful to improve the efficiency of countermeasures against physical attacks. By contrast, the closed-source nature of COMP128-1 has significantly limited the amount of research about its secure implementations. Finally, transparent and reproducible (possibly standardized) methodologies for physical security evaluations are required, in order to quantify physical security on a sound basis.
The rest of the paper is organized as follows. Background about the GSM infrastructure, the COMP128-1 hash algorithm and side-channel attacks is given in Section 2. Section 3 contains the technical description of the different attacks we mounted, as well as our experimental results. Countermeasures are briefly discussed in Section 4. Eventually, we conclude the paper in Section 5, by discussing lessons learned and possible directions for future research.
Contact with the operators. Our experiments have been performed in 2010. The different operators exploiting the SIM cards that we discuss in this paper have been contacted before publication of our results. Updates towards implementations of COMP128-2 and COMP128-3, including protections against side-channel attacks, are under development (or maybe already deployed).
[Figure 1: message flow between the SIM (holding IMSI and KI), the GSM network and the AuC (holding (IMSI, KI) for all subscribers). The SIM sends IMSI, which identifies KI at the AuC; the AuC picks a random RAND and sends it to the SIM; both sides run A3/A8 (COMP128-1) on RAND and KI to obtain SRES and KC; the AuC rejects if SRES ≠ SRES'; the subsequent communication is encrypted under KC with A5.]
Fig. 1. Illustration of the protocol between a SIM card and an authentication center.
2 Background
The algorithm first loads RAND into the upper half of a 32-byte vector X[], namely X[16−31]. Then it iterates eight rounds, where one loads KI into X[0−15] and compresses the 32-byte X[0−31] into 16 bytes (i.e. after compression each X[j] consists of 4 useful bits), which are then assembled by FormBitsFromBytes into X[16−31], followed by a permutation on X[16−31] (except for the last round). The first 12 bytes of X[16−31] are produced as output. For all known attacks (and our DPA attacks), it is sufficient to consider the code up to the first invocation of the compression function. As detailed in the pseudo-code below and illustrated in Figure 7 (in Appendix), the compression function consists of 5 (sub-)rounds of table look-ups using S-boxes T0[512], T1[256], T2[128], T3[64] and T4[32] respectively, where each Tj replaces (9−j)-bit strings with (8−j)-bit ones. We often refer to the pairwise substitution structure as “butterfly”. In each of the 5 levels, compression is performed on 2 equal sized sections, and two input bytes are used to calculate the index for the table. The result is the output byte. More precisely, at each (sub-)round j+1, for every pair of X[m] and X[n] with n = m + 2^(4−j), two intermediate values y and z are computed as in the pseudo-code, and the values of X[m] and X[n] are replaced by Tj[y] and Tj[z].
function Compress(X[0 − 31])
begin
  for j = 0 to 4 do                 {5 sub-rounds in Figure 7}
    for k = 0 to 2^j − 1 do
      for l = 0 to 2^(4−j) − 1 do
      begin
        m := l + k · 2^(5−j);
        n := m + 2^(4−j);
        y := (X[m] + 2 · X[n]) mod 2^(9−j);
        z := (2 · X[m] + X[n]) mod 2^(9−j);
        X[m] := Tj[y];
        X[n] := Tj[z];
      end;
end;
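The butterfly structure above, implemented as an added example (not the paper's code and not any SIM vendor's implementation). The real S-boxes T0 to T4 are not given on this page, so the tables are constructed placeholders of the correct shapes; `first_round_y` isolates the sub-round 1 value y that Section 3 uses as DPA target, which depends only on KI[m] and RAND[m].

```python
# Structural model of the COMP128-1 compression function (Section 2).
# Added example, not the paper's code. The real S-boxes T0..T4 are not on
# the page, so the tables below are CONSTRUCTED placeholders with only the
# right shapes (Tj has 2^(9-j) entries of (8-j) bits each): they exercise the
# index arithmetic and the diffusion structure, not the real algorithm.

def make_placeholder_tables(seed=0x5A):
    """Constructed stand-ins for T0..T4 (Tj: (9-j)-bit index -> (8-j)-bit value)."""
    tables, state = [], seed
    for j in range(5):
        size, mask = 1 << (9 - j), (1 << (8 - j)) - 1
        tab = []
        for _ in range(size):
            state = (state * 1103515245 + 12345) & 0xFFFFFFFF  # LCG, placeholder only
            tab.append((state >> 16) & mask)
        tables.append(tab)
    return tables

T = make_placeholder_tables()

def butterfly_pairs(j):
    """(m, n) index pairs combined in sub-round j+1; the distance n - m halves each sub-round."""
    pairs = []
    for k in range(1 << j):
        for l in range(1 << (4 - j)):
            m = l + k * (1 << (5 - j))
            n = m + (1 << (4 - j))
            pairs.append((m, n))
    return pairs

def sub_round(X, j, tables=T):
    """One sub-round: replace each pair (X[m], X[n]) by (Tj[y], Tj[z])."""
    X = list(X)
    mod = 1 << (9 - j)
    for m, n in butterfly_pairs(j):
        y = (X[m] + 2 * X[n]) % mod
        z = (2 * X[m] + X[n]) % mod
        X[m], X[n] = tables[j][y], tables[j][z]
    return X

def compress(X, tables=T):
    """The full 5-sub-round compression of X[0-31] into 4-bit values."""
    if len(X) != 32:
        raise ValueError("X must hold 32 bytes: KI in X[0-15], RAND in X[16-31]")
    for j in range(5):
        X = sub_round(X, j, tables)
    return X

def first_round_y(ki_byte, rand_byte):
    """The sub-round 1 value y for byte m: it mixes only KI[m] and RAND[m]."""
    return (ki_byte + 2 * rand_byte) % 512

def load_state(ki, rand):
    """X[0-15] := KI, X[16-31] := RAND, as in the first round of COMP128-1."""
    return list(ki) + list(rand)
```

Because sub-round 1 only ever combines X[m] with X[m+16], a change in one KI byte can reach at most two positions after that sub-round; this is the narrow pipe the collision attacks of the next paragraph exploit.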
Cryptanalysis of COMP128-1 and A5. The most severe cryptanalytic weakness in the GSM infrastructure was identified together with the reverse engineering of the algorithm in 1998 [8]. Briceno et al. showed that COMP128-1 was fatally flawed due to a lack of diffusion in its compression function, which leads to a collision attack (also called Narrow Pipe Attack). It takes roughly 131,000 challenge-response pairs to recover KI, and about 7.5 hours to acquire the necessary data given physical access to the SIM. Quite naturally, recovering KI completely cancels the security of the infrastructure. As a reaction, the GSM association developed newer (but still proprietary¹) versions, namely COMP128-2 and COMP128-3. While these newer versions are already widely deployed in Europe, many SIM cards implementing COMP128-1 remain in service in other countries. Besides, several strong cryptanalysis results have also been published against various versions of the A5 algorithm, including [3–6, 34], leading to real-time and low-cost attacks demonstrated by Karsten Nohl and Sylvain Munaut at the 2010 Chaos Communication Congress. Here as well, the move towards adopting the A5/3 algorithm is slowly taking place [42].
SIM Cloning Fraud and Countermeasures. For unprotected (and weakly protected) implementations of COMP128-1, SIM card cloning kits are available from eBay for about $10; they typically include a USB SIM reader/writer, a programmable wafer card, and a software tool that extracts the KI by realizing collision attacks. Depending on the key recovery tool (“SimScan”, “WoronScan”, “SimMaster” to name a few) and its randomized computation, the time spent on key extraction can range from half an hour to 36 hours. Although physical access to the SIM is required, a practical scenario could be that a retailer makes duplicates of the SIMs in stock, and later makes fraudulent calls and payments. Alternative scenarios include access to security sensitive locations, where guests are required to hand over their mobile phones to a security officer, and get them back when checking out. Beyond the direct consequences of cloning for the security of the GSM communications, one can mention possible consequences for other security infrastructures relying on SIM card security. As a typical illustration, and as part of the multi-factor authentication for Internet banking, some commercial banks send one-time passwords to customers’ mobile phones rather than issuing additional secure hardware tokens. In order to prevent fraud, most SIM cards implementing COMP128-1 are now deployed with a combination of protections against cloning attacks based on collisions.
¹ We recall Kerckhoffs’ principle that a cryptosystem should be secure even if everything about the algorithm, except the secret key, is public knowledge. In this respect, an advantage of the 3G technology (over GSM) is that its authentication protocol is based on the (public and well-studied) Advanced Encryption Standard.
For this purpose, a natural measure is to set a maximal number of challenge requests before the SIM locks itself. However, this limit has to be above the number of requests a SIM receives during its lifetime (under normal operation) in order not to trouble legitimate users. For example, it is set to 65,535 by many U.S. operators [24]. Hence, as a complement, the so-called “Indexed Challenges” can be implemented: the SIM pre-stores a few byte patterns that cause 2R-collisions and, upon a successful pattern match of a requested challenge, proceeds with the computation by replacing the true KI with a fake one (pre-stored on the SIM), which eventually leads to a false output. These Indexed Challenges turn out to be insufficient, as they neither “punish” any suspected malicious behavior, nor handle collision attacks beyond the second sub-round. To address this problem, from 2009 some operators started to put in place a new countermeasure, referred to as “Collision Free” in the rest of the paper. In this case, the SIM stores N (e.g. 50, typically) records of previously queried challenges in an Elementary File (EF). In case the current challenge RAND matches any record in 5 or more bytes (which presumably captures the characteristics of collision attacks at 2R, 3R and above), it is counted as an attack. The SIM is locked if more than 255 attacks are detected. Otherwise, RAND is passed to COMP128-1 as input. A Random Number Generator (RNG) is used to provide randomness for deciding whether to store each challenge RAND or not, and which existing record to replace. This countermeasure considers not only 2R-collision attacks, but also those at subsequent sub-rounds, with a good chance of causing a SIM lock. To the best of our knowledge, it is the state-of-the-art countermeasure to deter SIM cloning attacks on COMP128-1 implementations.
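A model of the Collision Free countermeasure as the text describes it, added here as an illustration (not an operator's implementation). The record count N, the 5-byte match rule, the lock after more than 255 attacks and the 65,535 challenge limit come from the text; the store probability and the storing of flagged challenges are assumptions.

```python
import random

class CollisionFreeSim:
    """Model of the 'Collision Free' countermeasure of Section 2 (added example).

    Keeps up to n_records previously queried RANDs in an Elementary File. A
    challenge agreeing with a stored record in match_threshold or more byte
    positions is counted as an attack; the card locks once more than
    attack_limit attacks or more than challenge_limit challenges are seen.
    """

    def __init__(self, n_records=50, match_threshold=5, attack_limit=255,
                 challenge_limit=65535, store_prob=0.5, seed=None):
        self.n_records = n_records
        self.match_threshold = match_threshold
        self.attack_limit = attack_limit
        self.challenge_limit = challenge_limit
        self.store_prob = store_prob        # assumed: the page gives no figure
        self.rng = random.Random(seed)      # stands in for the card's RNG
        self.records = []                   # contents of the EF
        self.attacks = 0
        self.challenges = 0
        self.locked = False

    @staticmethod
    def matching_bytes(a, b):
        """Number of byte positions in which two 16-byte challenges agree."""
        return sum(1 for x, y in zip(a, b) if x == y)

    def looks_like_collision_attack(self, rand):
        return any(self.matching_bytes(rand, r) >= self.match_threshold
                   for r in self.records)

    def maybe_store(self, rand):
        """The RNG decides whether RAND is kept and which record it evicts."""
        if self.rng.random() >= self.store_prob:
            return
        if len(self.records) < self.n_records:
            self.records.append(bytes(rand))
        else:
            self.records[self.rng.randrange(self.n_records)] = bytes(rand)

    def challenge(self, rand):
        """'ok': RAND goes to COMP128-1; 'attack': counted towards the lock; 'locked'."""
        if len(rand) != 16:
            raise ValueError("a GSM RAND is 16 bytes")
        if self.locked:
            return 'locked'
        self.challenges += 1
        if self.challenges > self.challenge_limit:
            self.locked = True
            return 'locked'
        suspicious = self.looks_like_collision_attack(rand)
        if suspicious:
            self.attacks += 1
            if self.attacks > self.attack_limit:
                self.locked = True
                return 'locked'
        self.maybe_store(rand)      # assumed: flagged challenges are stored too
        return 'attack' if suspicious else 'ok'
```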
$$\tilde{k} = \operatorname{argmax}_{k^*} \frac{\sum_i \left(m_i^{k^*} - \bar{m}^{k^*}\right) \cdot \left(l_i^{k} - \bar{l}^{k}\right)}{\sqrt{\sum_i \left(m_i^{k^*} - \bar{m}^{k^*}\right)^2 \cdot \sum_i \left(l_i^{k} - \bar{l}^{k}\right)^2}}, \qquad (1)$$
where $\bar{m}^{k^*}$ and $\bar{l}^{k}$ are the sample means of the models and leakage samples. By repeating this procedure for every subkey, the complete master key is finally recovered. Other distinguishers will be discussed in Section 3.4.
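Equation (1) carried out on constructed data, as an added example rather than the paper's code: each candidate subkey k* has a model vector, and the candidate whose model correlates best with the leakage vector is selected. The data below is constructed so that candidate 2 is the right one.

```python
# Pearson-correlation distinguisher of equation (1). Added example, not the
# paper's code. models[i] is the predicted leakage of trace i under one
# candidate k*, leakages[i] the measured sample of trace i.
import math

def pearson(models, leakages):
    """Correlation between one candidate's predictions and the measurements."""
    n = len(models)
    if n != len(leakages) or n < 2:
        raise ValueError("need equally long vectors with at least two samples")
    m_bar = sum(models) / n
    l_bar = sum(leakages) / n
    num = sum((m - m_bar) * (l - l_bar) for m, l in zip(models, leakages))
    den = math.sqrt(sum((m - m_bar) ** 2 for m in models) *
                    sum((l - l_bar) ** 2 for l in leakages))
    # a constant model (or constant leakage) carries no information
    return 0.0 if den == 0 else num / den

def distinguish(models_per_candidate, leakages):
    """Return (selected candidate, {candidate: correlation}) as in equation (1)."""
    scores = {k: pearson(m, leakages) for k, m in models_per_candidate.items()}
    return max(scores, key=scores.get), scores

# Constructed toy data: 6 traces, 4 subkey candidates. The measurements are
# (approximately) 2 * model + 6 for candidate 2 and unrelated to the others.
MODELS = {0: [1, 3, 2, 5, 4, 0], 1: [0, 1, 4, 1, 3, 2],
          2: [2, 4, 1, 3, 0, 5], 3: [3, 3, 1, 0, 2, 2]}
LEAKAGES = [10.1, 13.9, 8.0, 12.1, 5.9, 16.0]

if __name__ == "__main__":
    best, scores = distinguish(MODELS, LEAKAGES)
    print("selected candidate:", best)
    for k, c in sorted(scores.items()):
        print(f"  k* = {k}: correlation {c:+.3f}")
```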
Fig. 3. Zoom on a power trace from SIM#2.
The situation slightly differs for SIM cards #3 and #4, where the Collision Free countermeasure was implemented. As illustrated in Figure 4 (and Figure 8 in Appendix), it is again possible to identify the COMP128-1 operations (as well as the Indexed Challenges) in the power traces. Yet, the Collision Free countermeasure includes a randomized memory writing operation (i.e. it uses randomness to decide whether to store a current request or not). Therefore, the length of the power traces varies for different inputs, which requires special care for aligning the traces after acquisition. In order to deal with this situation, a simple solution is to apply pattern matching techniques. That is, we selected a characteristic pattern including the samples of interest for our DPA attacks, and then systematically identified it in the following traces using cross-correlation. As the noise level in our measurements was relatively low, such a simple heuristic was sufficient for performing successful key recoveries, as will be described next.
For each 0 ≤ m ≤ 15, we built predictions for the 256 possible values of KI[m] and performed the comparison. The result of such a comparison for one of the 16 COMP128-1 subkeys is given in Figure 5 for SIM#2 (and in Appendix, Figure 5 for SIM#1). The figures plot the value of Pearson’s correlation coefficient over time, using y as a target value. We observe that a significant peak is distinguishable at the time samples where the computation of y actually takes place, and this peak only appears for the correct subkey candidate. As expected, the situation is slightly more challenging for SIM#3 (for which the result is given in Figure 6) and SIM#4 (for which the result is given in Appendix, Figure 10). This is due to noisier traces and the previously mentioned synchronization issue. Yet, in both cases, a DPA peak remained clearly distinguishable, and we could always identify the COMP128-1 subkeys. Finally, we consistently recovered the full key of SIM#1 and SIM#2 with a number of traces in the hundreds, and this number extends to the thousands for SIM#3 and SIM#4.
4 Countermeasures
Numerous solutions to improve the security of embedded devices against side-channel attacks have been proposed in the open literature. In general, the state-of-the-art intuition is that none of them is sufficient to completely prevent the threat of physical adversaries. Hence, modern security chips usually combine different types of protections, at different abstraction levels. From the application and usability point of view, these countermeasures can roughly be classified along two essentially orthogonal axes. On the one hand, they can be hardware- or software-based. Hardware-based countermeasures offer the most direct way to prevent the leakage, as they tackle the problem directly where it lies. Examples include the dual-rail logic styles introduced in [54], or masked computations [11]. The main limitation of these solutions is the difficulty of controlling the design process, e.g. in order to balance the capacitances of the rails in a logic style [22, 55], or to avoid detrimental effects such as glitches that may lead to easy-to-exploit leakages in masked implementations [31, 32]. Hence, software-based countermeasures bring a more flexible complement, e.g. exploiting time randomizations [16, 23] or data masking [39, 47], at the cost of possibly higher performance overheads. Both for hardware and software countermeasures, security evaluations usually reveal that attacks remain possible if a high number of measurements is available (see, e.g. [43, 52] for the case of masking). On the other hand, protections can be more or less transparent to the global infrastructure. For example, the previously listed countermeasures aim to protect cryptographic algorithms, independently of the protocol using them. But in order to prevent the exploitation of side-channel leakages, it is ultimately useful to also limit the number of times a secret key is manipulated to encrypt with leakage. Modes of operation that ensure such a condition were considered early after the first publications of side-channel attacks, e.g. by Paul Kocher [40]. They are also at the core of several recent leakage-resilient constructions, e.g. [41, 59]. Summarizing, the public literature contains a wide range of techniques for improving the security of cryptographic implementations that could apply to SIM cards. Yet, improving the understanding of their strengths and weaknesses in order to obtain the best security with minimum performance overheads remains an important scope for further research.
References
1. ANSSI. Agence nationale de la securite des systemes d’information,
http://www.ssi.gouv.fr/en/products/certified-products/, retrieved on feb. 1, 2012.
2. Archambeau, C., Peeters, E., Standaert, F.-X., and Quisquater, J.-J. Template attacks in principal subspaces. In CHES (2006), L. Goubin and M. Matsui, Eds., vol. 4249 of Lecture Notes in Computer Science, Springer, pp. 1–14.
3. Barkan, E., Biham, E., and Keller, N. Instant ciphertext-only cryptanalysis
of gsm encrypted communication. In CRYPTO (2003), D. Boneh, Ed., vol. 2729
of Lecture Notes in Computer Science, Springer, pp. 600–616.
4. Biham, E., and Dunkelman, O. Cryptanalysis of the a5/1 gsm stream cipher.
In INDOCRYPT (2000), B. K. Roy and E. Okamoto, Eds., vol. 1977 of Lecture
Notes in Computer Science, Springer, pp. 43–51.
5. Biryukov, A., Shamir, A., and Wagner, D. Real time cryptanalysis of a5/1
on a pc. In FSE (2000), B. Schneier, Ed., vol. 1978 of Lecture Notes in Computer
Science, pp. 1–18.
6. Bogdanov, A., Eisenbarth, T., and Rupp, A. A hardware-assisted realtime attack on a5/2 without precomputations. In CHES (2007), P. Paillier and I. Verbauwhede, Eds., vol. 4727 of LNCS, Springer, pp. 394–412.
7. Boneh, D., DeMillo, R. A., and Lipton, R. J. On the importance of checking
cryptographic protocols for faults (extended abstract). In EUROCRYPT (1997),
W. Fumy, Ed., vol. 1233 of Lecture Notes in Computer Science, Springer, pp. 37–51.
8. Briceno, M., Goldberg, I., and Wagner, D. GSM Cloning. http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html, 1998. Retrieved on Oct. 14, 2011.
9. Brier, E., Clavier, C., and Olivier, F. Correlation power analysis with a
leakage model. In CHES (2004), M. Joye and J.-J. Quisquater, Eds., vol. 3156 of
Lecture Notes in Computer Science, Springer, pp. 16–29.
10. BSI. Federal office for information security, https://www.bsi.bund.de/en/topics/certification/certification_node.html, retrieved on feb. 1, 2012.
11. Chari, S., Jutla, C., Rao, J. R., and Rohatgi, P. Towards sound approaches
to counteract power analysis attacks. In Wiener [58], pp. 398–412.
12. Chari, S., Rao, J. R., and Rohatgi, P. Template attacks. In CHES (2002),
B. S. K. Jr., Çetin Kaya Koç, and C. Paar, Eds., vol. 2523 of Lecture Notes in
Computer Science, Springer, pp. 13–28.
13. CHES. Workshop on cryptographic hardware and embedded systems,
http://www.chesworkshop.org/.
14. Clavier, C., Coron, J.-S., and Dabbous, N. Differential power analysis in the
presence of hardware countermeasures. In CHES (2000), Çetin Kaya Koç and
C. Paar, Eds., vol. 1965 of LNCS, Springer, pp. 252–263.
15. Common Criteria. http://www.commoncriteriaportal.org/. Retrieved on February 20, 2012.
16. Coron, J.-S., and Kizhvatov, I. Analysis and improvement of the random delay
countermeasure of ches 2009. In Mangard and Standaert [33], pp. 95–109.
17. Doget, J., Prouff, E., Rivain, M., and Standaert, F.-X. Univariate side
channel attacks and leakage modeling. J. Cryptographic Engineering 1, 2 (2011),
123–144.
18. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M. T. M. On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In CRYPTO (2008), D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, Springer, pp. 203–220.
19. EMVco. http://www.emvco.com/. Retrieved on April 11, 2012.
20. Extreme Tech. http://www.extremetech.com/mobile/105683-nfc-enabled-sim-cards-to-become-a-worldwide-standard. Retrieved on February 18, 2012.
21. Goubin, L., and Patarin, J. Des and differential power analysis (the “duplication” method). In CHES (1999), Çetin Kaya Koç and C. Paar, Eds., vol. 1717 of Lecture Notes in Computer Science, Springer, pp. 158–172.
22. Guilley, S., Hoogvorst, P., Mathieu, Y., and Pacalet, R. The “backend duplication” method. In Rao and Sunar [46], pp. 383–397.
23. Herbst, C., Oswald, E., and Mangard, S. An aes smart card implementation
resistant to power analysis attacks. In ACNS (2006), J. Zhou, M. Yung, and F. Bao,
Eds., vol. 3989 of Lecture Notes in Computer Science, pp. 239–252.
24. Hulton, D. Smart card security (by h1kari). DEFCON 2004, http://www.defcon.org/html/links/dc-archives/dc-12-archive.html. Retrieved on October 14, 2011.
25. Joux, A., Ed. Advances in Cryptology - EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings (2009), vol. 5479 of Lecture Notes in Computer Science, Springer.
26. Kocher, P. Timing attacks on implementations of Diffie-Hellman, RSA, DSS,
and other systems. In Advances in Cryptology—CRYPTO ’96 (18–22 Aug. 1996),
N. Koblitz, Ed., vol. 1109 of LNCS, Springer-Verlag, pp. 104–113.
27. Kocher, P., Jaffe, J., and Jun, B. Differential power analysis. In Wiener [58],
pp. 388–397.
28. Mangard, S. Hardware countermeasures against DPA? A statistical analysis of their effectiveness. In CT-RSA (2004), T. Okamoto, Ed., vol. 2964 of Lecture Notes in Computer Science, Springer, pp. 222–235.
29. Mangard, S., Oswald, E., and Popp, T. Power analysis attacks - revealing the
secrets of smart cards. Springer, 2007.
30. Mangard, S., Oswald, E., and Standaert, F.-X. One for all – all for one:
unifying standard differential power analysis attacks. IET Information Security 5,
2 (2011), 100–110.
31. Mangard, S., Popp, T., and Gammel, B. M. Side-channel leakage of masked
cmos gates. In CT-RSA (2005), A. Menezes, Ed., vol. 3376 of Lecture Notes in
Computer Science, Springer, pp. 351–365.
32. Mangard, S., Pramstaller, N., and Oswald, E. Successfully attacking masked
aes hardware implementations. In Rao and Sunar [46], pp. 157–171.
33. Mangard, S., and Standaert, F.-X., Eds. Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings (2010), vol. 6225 of Lecture Notes in Computer Science, Springer.
34. Maximov, A., Johansson, T., and Babbage, S. An improved correlation attack
on a5/1. In Selected Areas in Cryptography (2004), H. Handschuh and M. A. Hasan,
Eds., vol. 3357 of Lecture Notes in Computer Science, Springer, pp. 1–18.
35. Moradi, A., Barenghi, A., Kasper, T., and Paar, C. On the vulnerability
of fpga bitstream encryption against power analysis attacks: extracting keys from
xilinx virtex-ii fpgas. In ACM CCS (2011), Y. Chen, G. Danezis, and V. Shmatikov,
Eds., ACM, pp. 111–124.
36. National Institute of Standards and Technologies. http://csrc.nist.gov/publications/PubsDrafts.html. Retrieved on March 25, 2012.
37. NetworkWorld. http://www.networkworld.com/news/2012/012612-rsa-crypto-keys-255379.html, retrieved on february 13, 2012.
38. Oswald, D., and Paar, C. Breaking mifare desfire mf3icd40: Power analysis and
templates in the real world. In CHES (2011), B. Preneel and T. Takagi, Eds.,
vol. 6917 of Lecture Notes in Computer Science, Springer, pp. 207–222.
39. Oswald, E., and Schramm, K. An efficient masking scheme for aes software
implementations. In WISA (2005), J. Song, T. Kwon, and M. Yung, Eds., vol. 3786
of Lecture Notes in Computer Science, Springer, pp. 292–305.
40. Paul Kocher. Leak resistant cryptographic indexed key update. US Patent
6539092.
41. Pietrzak, K. A leakage-resilient mode of operation. In Joux [25], pp. 462–482.
42. Preneel, B. The cryptographic year in review. ISSE 2011 keynote talk, available from http://homes.esat.kuleuven.be/preneel/preneel_isse11v1.pdf.
43. Prouff, E., Rivain, M., and Bevan, R. Statistical analysis of second order
differential power analysis. IEEE Trans. Computers 58, 6 (2009), 799–811.
44. Quisquater, J.-J., and Samyde, D. Electromagnetic analysis (EMA): Measures
and counter-measures for smart cards. In Smart Card Programming and Security
(E-smart 2001) Cannes, France (Sept. 2001), vol. 2140 of LNCS, pp. 200–210.
45. Rao, J. R., Rohatgi, P., Scherzer, H., and Tinguely, S. Partitioning attacks:
Or how to rapidly clone some gsm cards. In IEEE Symposium on Security and
Privacy (2002), pp. 31–44.
46. Rao, J. R., and Sunar, B., Eds. Cryptographic Hardware and Embedded Systems
- CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September
1, 2005, Proceedings (2005), vol. 3659 of LNCS, Springer.
47. Rivain, M., and Prouff, E. Provably secure higher-order masking of aes. In
Mangard and Standaert [33], pp. 413–427.
48. Schindler, W., Lemke, K., and Paar, C. A stochastic model for differential
side channel cryptanalysis. In Rao and Sunar [46], pp. 30–46.
49. Standaert, F.-X. Some hints on the evaluation metrics & tools for side-channel
attacks. proceedings of the nist non-invasive attacks testing workshop, nara, japan,
september 2011.
50. Standaert, F.-X., and Archambeau, C. Using subspace-based template attacks
to compare and combine power and electromagnetic information leakages. In CHES
(2008), E. Oswald and P. Rohatgi, Eds., vol. 5154 of Lecture Notes in Computer
Science, Springer, pp. 411–425.
51. Standaert, F.-X., Malkin, T., and Yung, M. A unified framework for the
analysis of side-channel key recovery attacks. In Joux [25], pp. 443–461.
52. Standaert, F.-X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., and Mangard, S. The world is not enough: Another look on second-order dpa. In ASIACRYPT (2010), M. Abe, Ed., vol. 6477 of Lecture Notes in Computer Science, Springer, pp. 112–129.
53. The Global mobile Suppliers Association (GSA). GSM Market Share.
http://www.gsacom.com/gsm_3g/market_update.php4, March 2011. Retrieved on
October 14, 2011.
54. Tiri, K., and Verbauwhede, I. Securing encryption algorithms against dpa
at the logic level: Next generation smart card technology. In CHES (2003), C. D.
Walter, Çetin Kaya Koç, and C. Paar, Eds., vol. 2779 of Lecture Notes in Computer
Science, Springer, pp. 125–136.
55. Tiri, K., and Verbauwhede, I. Place and route for secure standard cell design.
In CARDIS (2004), J.-J. Quisquater, P. Paradinas, Y. Deswarte, and A. A. E.
Kalam, Eds., Kluwer, pp. 143–158.
56. van Woudenberg, J. G. J., Witteman, M. F., and Bakker, B. Improving
differential power analysis by elastic alignment. In CT-RSA (2011), A. Kiayias,
Ed., vol. 6558 of Lecture Notes in Computer Science, Springer, pp. 104–119.
57. Veyrat-Charvillon, N., Gerard, B., Renauld, M., and Standaert, F.-X.
An optimal key enumeration algorithm and its application to side-channel attacks.
Cryptology ePrint Archive, Report 2011/610, 2011. http://eprint.iacr.org/.
58. Wiener, M., Ed. Advances in Cryptology—CRYPTO ’99 (15–19 Aug. 1999),
vol. 1666 of LNCS, Springer-Verlag.
59. Yu, Y., Standaert, F.-X., Pereira, O., and Yung, M. Practical leakage-resilient pseudorandom generators. In ACM Conference on Computer and Communications Security (2010), E. Al-Shaer, A. D. Keromytis, and V. Shmatikov, Eds., ACM, pp. 141–151.
[Figure 7 (Appendix): the butterfly structure of the compression function. Sub-round 1 uses T0, sub-round 2 uses T1, sub-round 3 uses T2, sub-round 4 uses T3 and sub-round 5 uses T4; in each sub-round every pair of inputs is replaced by a pair of narrower table outputs.]