Unknown Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage Resilient PRF. Marcel Medwed, François-Xavier Standaert, Ventzislav Nikov, Martin Feldhofer
Outline • SCA Intro • Motivation • Construction & Effects • Analysis • Conclusions AsiaCrypt 2016 -- Marcel Medwed
Attack and Countermeasure Landscape [diagram: a device computes c = Ek(m) on inputs m1, m2, ..., mn; attacks shown: timing, instantaneous leakage, probing, faults; countermeasures shown: constant behaviour, detection, limiting measurements, low SNR, masking, shielding]
The costs of CMs • Masking: O(n^2) cost vs. O(c^n) security • Time randomization (aka shuffling): O(n) cost vs. O(n) security • Fault protection: O(n) cost vs. O(n) security • Combinations are hard (FDTC 2016: More Efficient Private Circuits II Through Threshold Implementations) • Key updates to limit measurements
Key updates help • Only two traces per key • Need bounded leakage for 2 traces • Security is then limited only by the black box setting • But a stream cipher needs a unique IV • How to seed the PRG securely with bounded leakage?
How to initialize • Masking and other CMs: maybe a performance gain, but no bounded leakage
How to initialize • Fresh re-keying: masking becomes much easier, performance gain, but still no bounded leakage
How to initialize • LR-PRF: an attempt to instantiate a bounded leakage scheme • Not provably bounded (no arbitrary adaptive leakage function) • However, experiments suggest a bound for practical leakage functions
DPA: Parallelism and Algorithmic Noise (1) [diagram: plaintext P is split into bytes p1 ... pi ... p16, each XORed with its key byte k1 ... ki ... k16 and fed through its own S-box; the outputs s1 ... si ... s16 form C; the side channel observes all 16 S-boxes at once, so with independent plaintext bytes the other S-boxes contribute independent algorithmic noise to an SCA on one of them]
DPA: Parallelism and Algorithmic Noise (2) • Parallelism adds algorithmic noise [plot: attack results with blue no noise, green 2 parallel S-boxes, ..., purple 16 parallel S-boxes] • But security decreases exponentially • Averaging works only for random plaintexts • Fixing the data complexity to 2 allows bounding the leakage • How can it be fixed to 2?
Using the GGM-PRF construction • Use a PRF y = Fk(x), with k an n-bit secret key and x = x(0)...x(n-1) a public input • P0 = {0}^128 and P1 = {1}^128; bit x(i) selects which of the two is encrypted under the current key, and the result becomes the next key • Only 2 plaintexts (many traces though) • But 128 encryptions per operation • How to speed up?
Speeding up... and losing security • Only 16 AES encryptions (one byte of x per stage) • 256 plaintexts, i.e. 256 traces per key • No security left • Can we do better?
Avoiding D&C with carefully chosen PTs (CHES 2012) [diagram: the same 16 parallel S-boxes, but every S-box receives the same plaintext byte p XORed with its key byte k1 ... ki ... k16; the side channel observes s1 ... si ... s16 together, so the noise from the other S-boxes is key dependent]
Carefully Chosen Plaintexts • 16 AES encryptions, 256 plaintexts • As all PT bytes are equal, divide-and-conquer does not apply anymore • Noise becomes key dependent and cannot be averaged • Even if all key bytes are recovered, their order remains unknown • But • Ordering 16 bytes is still easy (16! ≈ 2^44) • The properties hold only for the first round • The 16 S-boxes need the same leakage function • Can we do better?
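The divide-and-conquer argument of the last two slides can be simulated. The following Python is an added illustration, not code from the paper or its authors: it builds the AES S-box from its definition, models 16 parallel S-boxes as leaking the sum of the Hamming weights of their outputs (a noise-free Hamming-weight model is an assumption of this example), and runs a classic per-byte CPA against random plaintexts and against the CHES 2012 carefully chosen plaintexts. The FIPS-197 example key serves only as constructed "device key" test data.

```python
import random

# FIPS-197 example key, used here only as constructed "device key" test data
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox() -> list:
    """AES S-box from its definition: multiplicative inverse, then affine map."""
    def inverse(a):
        r = 1
        for _ in range(254):  # a^254 = a^-1 in GF(2^8); 0 correctly maps to 0
            r = _gf_mul(r, a)
        return r

    def rotl(v, s):
        return ((v << s) | (v >> (8 - s))) & 0xFF

    def affine(v):
        return v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63

    return [affine(inverse(a)) for a in range(256)]


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]


def leak(key: bytes, pt: bytes) -> int:
    """Noise-free leakage of 16 parallel S-boxes: sum of HW(S(p_i XOR k_i)).
    Hamming-weight leakage is a modelling assumption of this example."""
    return sum(HW[SBOX[p ^ k]] for p, k in zip(pt, key))


def random_plaintexts(n: int, seed: int = 0) -> list:
    """Constructed random 16-byte plaintexts (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(n)]


def chosen_plaintexts() -> list:
    """CHES 2012 set: 256 plaintexts whose 16 bytes are all equal."""
    return [bytes([b]) * 16 for b in range(256)]


def _corr(xs, ys) -> float:
    """Pearson correlation; 0.0 when either side is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def cpa_ranking(pts: list, traces: list, pos: int) -> list:
    """Divide-and-conquer CPA on byte position `pos`: the 256 key-byte
    candidates ordered from best to worst correlation with the traces."""
    scores = []
    for g in range(256):
        model = [HW[SBOX[p[pos] ^ g]] for p in pts]
        scores.append(_corr(model, traces))
    return sorted(range(256), key=lambda g: -scores[g])


def permutation_invariant(key: bytes, pts: list) -> bool:
    """True if the leakage on `pts` cannot tell `key` from the same bytes in a
    different order, i.e. the byte positions are not recoverable from it."""
    rotated = key[1:] + key[:1]
    return all(leak(key, p) == leak(rotated, p) for p in pts)


if __name__ == "__main__":
    pts = random_plaintexts(2000)
    traces = [leak(KEY, p) for p in pts]
    print("random PTs, byte 0 best guess:", hex(cpa_ranking(pts, traces, 0)[0]),
          "true:", hex(KEY[0]))
    cpts = chosen_plaintexts()
    ctraces = [leak(KEY, p) for p in cpts]
    best = cpa_ranking(cpts, ctraces, 0)[0]
    print("chosen PTs, best guess:", hex(best), "is a key byte:", best in KEY,
          "position recoverable:", not permutation_invariant(KEY, cpts))
```

With random plaintexts the 15 other S-boxes average out and the CPA on position 0 recovers k1 in place. With the chosen set, `p[pos]` is the same for every position, so the ranking is identical for all 16 positions: the best candidate is one of the key bytes, but `permutation_invariant` shows the leakage is exactly the same for any reordering of the key bytes, which is the lost ordering the slide describes (and why the remaining 2^44 work is only on the attacker's side).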
Our Contribution: Using Unknown Plaintexts • Precompute secret plaintexts using the LR-PRG • Use bits of x to index the table of secret plaintexts
Avoiding D&C with Unknown PTs (1) [diagram: 16 parallel S-boxes with secret plaintext bytes p1 ... pi ... p16 XORed with key bytes k1 ... ki ... k16; the side channel observes s1 ... si ... s16 together]
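To make the three constructions from the GGM slide onwards concrete, here is an added Python sketch (not the paper's or the authors' code) of the plain GGM tree, the CHES 2012 variant with carefully chosen plaintexts, and the unknown-plaintext variant of this talk. Assumptions of this example: the standard library has no AES, so a SHA-256-based keyed function `stand_in_enc` replaces E_k(p); the 2PRG producing the secret table encrypts P1 for each output and P0 for the next state; and x is consumed most significant chunk first. The helpers `count_encryptions` and `max_plaintexts_per_key` are instrumentation to show the cost and the per-key data complexity the slides talk about.

```python
import hashlib
import random

BLOCK = 16  # 128-bit blocks, as for AES


def stand_in_enc(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(p). Assumption of this example: a SHA-256-based keyed
    function replaces AES because the standard library ships no block cipher."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(b"E|" + key + block).digest()[:BLOCK]


P0 = bytes([0x00]) * BLOCK  # {0}^128
P1 = bytes([0xFF]) * BLOCK  # {1}^128


def chunks(x: bytes, width: int):
    """Yield x as integers of `width` bits, most significant chunk first."""
    total = len(x) * 8
    assert total % width == 0
    n = int.from_bytes(x, "big")
    for shift in range(total - width, -1, -width):
        yield (n >> shift) & ((1 << width) - 1)


def ggm_prf(key: bytes, x: bytes, enc=stand_in_enc) -> bytes:
    """GGM tree: bit x(i) selects P0 or P1, one encryption per bit (128 for a
    128-bit x); every intermediate key meets at most two plaintexts."""
    k = key
    for bit in chunks(x, 1):
        k = enc(k, P1 if bit else P0)
    return k


def chosen_plaintext(b: int) -> bytes:
    """CHES 2012 plaintext for byte value b: all 16 bytes equal to b."""
    return bytes([b]) * BLOCK


def ches2012_prf(key: bytes, x: bytes, enc=stand_in_enc) -> bytes:
    """One byte of x per stage: 16 encryptions, 256 public plaintexts per key."""
    k = key
    for b in chunks(x, 8):
        k = enc(k, chosen_plaintext(b))
    return k


def secret_plaintexts(seed: bytes, count: int, enc=stand_in_enc) -> list:
    """Precompute `count` secret plaintexts with a 2PRG (assumed shape: P1 gives
    the output, P0 the next state), so the generator stays 2-plaintext bounded."""
    state, table = seed, []
    for _ in range(count):
        table.append(enc(state, P1))
        state = enc(state, P0)
    return table


def unknown_pt_prf(key: bytes, table: list, x: bytes, enc=stand_in_enc) -> bytes:
    """This paper: m bits of x index a table of 2^m secret plaintexts, giving
    128/m stages, i.e. m times faster than the plain GGM tree."""
    m = len(table).bit_length() - 1
    assert 1 << m == len(table), "table size must be a power of two"
    k = key
    for idx in chunks(x, m):
        k = enc(k, table[idx])
    return k


def count_encryptions(prf, *args) -> int:
    """Number of block-cipher calls one PRF evaluation costs."""
    calls = 0

    def counting(k, p):
        nonlocal calls
        calls += 1
        return stand_in_enc(k, p)

    prf(*args, enc=counting)
    return calls


def max_plaintexts_per_key(prf, fixed_args: tuple, inputs: list) -> int:
    """Largest number of distinct plaintexts any single (intermediate) key is
    used with over `inputs`: the per-key data complexity an attacker could use."""
    seen = {}

    def recording(k, p):
        seen.setdefault(k, set()).add(p)
        return stand_in_enc(k, p)

    for x in inputs:
        prf(*fixed_args, x, enc=recording)
    return max(len(s) for s in seen.values())


def random_inputs(n: int, seed: int = 0) -> list:
    """Constructed random 128-bit public inputs x."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(n)]


if __name__ == "__main__":
    K = bytes(range(16))  # constructed example master key
    X = bytes.fromhex("00112233445566778899aabbccddeeff")
    T = secret_plaintexts(K, 256)
    print("GGM:        ", count_encryptions(ggm_prf, K, X), "encryptions")
    print("CHES 2012:  ", count_encryptions(ches2012_prf, K, X), "encryptions")
    print("unknown PTs:", count_encryptions(unknown_pt_prf, K, T, X), "encryptions")
```

Run over many inputs, `max_plaintexts_per_key` reports 2 for the GGM tree and up to 256 for the other two. The unknown-plaintext variant keeps the 16-encryption cost of CHES 2012, so its per-key data complexity is the same number; the difference is that an attacker no longer knows (or can choose) those plaintexts, which is what the following slides evaluate.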
Security of Unknown Plaintexts • Only profiled attacks work • Key dependent noise impacts a two-dimensional distribution (2nd-order SCA) • Key dependent noise is present in the entire algorithm
Distribution Distances • We match sub key distributions to the device distribution • Carefully chosen plaintexts only prevent ordering (+ some misranking) • For unknown plaintexts the device distribution is much more distorted
Looking at the sub key distributions • Carefully chosen plaintexts • Correct sub keys are ranked first • The best ranked sub key is always one of the correct ones • The worst ranked correct sub key is likely to be within the top 20
Looking at the sub key distributions [plots: sub key distributions for carefully chosen plaintexts vs. unknown plaintexts]
Conclusion (1) • Bounded leakage against realistic attacks with few assumptions • No equal leakage assumption • No randomness needed • Works with plain, parallel AES • Speed up depends on memory: 2^m PTs, m times faster
Conclusion (2) • Lots of analysis done • leakage models • implementation flaws • template building errors • ... • But more is needed (for masking it took >10 years to understand most issues) • Security depends on security against 2 noise-free traces (2PRG) • Future work • Localized EM attacks (as they can overcome parallelism) • Use other tools in the attack
Localized EM Attacks • Likely to reduce parallelism [plot: blue attack on the 2PRG, green attack on the PRF with 16 unknown plaintexts, red attack on the secret plaintexts] • At least 2 plaintexts are required • Uncertainty multiplies