Paper 2021/611
Some Applications of Hamming Weight Correlations
Fatih Balli, Andrea Caforio, and Subhadeep Banik
Abstract
It is a well-known fact that the power consumption during certain stages of a cryptographic algorithm exhibits a strong correlation with the Hamming Weight of its underlying variables. This phenomenon has been widely exploited in the cryptographic literature in various attacks targeting a broad range of schemes such as block ciphers or public-key cryptosystems. A common way of breaking this correlation is through the inclusion of countermeasures involving additional randomness into the computation in the form of hidden (undisclosed) component functions or masking strategies that complicate the inference of any sensitive information from the gathered power traces. In this work, we revisit the tight correlation between the Hamming Weight and the observed power consumption of an algorithm and demonstrate, in the first part, a practical reverse-engineering attack of proprietary AES-like constructions with secret internal components like the SubBytes, MixColumns and ShiftRows functions. This approach is used in some commercial products such as the Dynamic Encryption package from the communication services provider Dencrypt as an extra layer of security. We recover the encryption key alongside the hidden substitution and permutation layer as well as the MixColumns matrix on both 8-bit and 32-bit architectures. In a second effort, we shift our attention to a masked implementation of AES, specifically the secAES proposal put forward by the French National Cybersecurity Agency (ANSSI) that concisely combines several side-channel countermeasure techniques. We show its insecurity in a novel side-channel-assisted statistical key-recovery attack that only necessitates a few hundred collected power traces.
Metadata
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Block Cipher, Side-Channel, See-in-the-Middle, DPA, AES, Reverse Engineering
- Contact author(s)
- andrea caforio @ epfl ch
- fatih balli @ epfl ch
- subhadeep banik @ epfl ch
- History
- 2021-05-17: received
- Short URL
- https://ia.cr/2021/611
- License
- CC BY
BibTeX
@misc{cryptoeprint:2021/611,
      author = {Fatih Balli and Andrea Caforio and Subhadeep Banik},
      title = {Some Applications of Hamming Weight Correlations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/611},
      year = {2021},
      url = {https://eprint.iacr.org/2021/611}
}