Summary of Research Achievements
Our research focused on clarifying the mechanisms underlying differences in leakage models for the screaming channel, emphasizing software and assembly code. We discovered that non-profiled attacks using the Hamming weight model could recover keys from mbedTLS but required profiling for tinyAES. The key difference between these implementations is the use of T-tables in mbedTLS versus a simple AES implementation in tinyAES. We modified tinyAES’s assembly code, particularly by relocating the S-box from flash to data RAM, and observed that this change allowed key recovery using non-profiled attacks, highlighting the influence of memory type and access frequency on leakage. Profiling on BLE Nano V2 showed significant leakage in the upper 4 bits of tinyAES’s S-box input, enabling key recovery with reduced profiling steps. Additionally, unnecessary processes in the SubBytes assembly were replaced with NOP instructions, supporting the MSB4 model’s applicability. Our findings indicate that on-chip flash contributes to leakage, while off-chip flash does not show detectable leakage at a distance of 10 cm. In summary, our achievements include demonstrating the influence of memory placement on leakage characteristics, reducing the profiling steps needed for key recovery, and confirming the conditions under which the MSB4 model is applicable.