  1. Attacks and Countermeasures for White-box Designs
     Alex Biryukov, Aleksei Udovenko
     CSC and SnT, University of Luxembourg
     December 5, 2018

  2. Plan
     1 Introduction
     2 Attacks on Masked White-box Implementations
     3 Countermeasures
     4 Algebraic Security

  3-4. White-box
     Implementation fully available, secret key unextractable.
     Extra: one-wayness, incompressibility, traitor traceability, ...
     The most challenging direction (this talk): white-box implementations of existing symmetric primitives, e.g. the AES ("cryptographic obfuscation").

  5-7. White-box: Industry vs Academia
     Industry:
       many applications
       strong need for practical white-box
       industry does WB: hidden designs
     Academia:
       theory: approaches using iO/FE, currently impractical
       practical WB-AES: few attempts (2002-2017), all broken
       powerful DCA attack (CHES 2016)

  8-10. White-Box: Differential Computation Analysis (DCA)
     DCA = Differential Power Analysis (DPA) applied to white-box implementations.
     Most of the implementations broken automatically.
     Side-channel protection: masking schemes.
     This talk: can we apply the masking protection for white-box impl.?

  11-13. General Setting
     Boolean circuits.
     Obfuscated reference implementation.
     Predictable values: computations from the ref. impl., e.g. $s = \mathrm{Bit}_1(\mathrm{SBox}(pt_1 \oplus k_1))$.
     Masking: $\exists\, v_1, \dots, v_t$ nodes (shares) and $f : \mathbb{F}_2^t \to \mathbb{F}_2$ s.t. for any encryption $f(v_1, \dots, v_t) = s$.

  14-16. Masking Schemes
     Example: Boolean masking: linear decoder $f = \bigoplus_i v_i$.
     Example: FHE: non-linear decoder $f$.
     Aim for efficient schemes: relatively small $t$ (number of shares)
     ⇒ can be secure only if the locations of the shares in the circuit are unknown!
     This talk: exploring this possibility.

  17. Plan: 1 Introduction; 2 Attacks on Masked White-box Implementations; 3 Countermeasures; 4 Algebraic Security

  18-19. Attacks I
     Combinatorial attacks: (partially) guess locations of the shares
       probabilistic: correlation with predictable values
       exact: time-memory trade-off
     Fault attacks: new application: recover locations of the shares
       1- and 2-share fault injections
       applicability depends on protections

  20-22. Attacks II
     (Generalized) Differential Computation Analysis (DCA)

  23-24. The Linear Algebra Attack (1)
     Consider the Boolean masking (the linear decoder).
     Matching with a predictable value $s$ is a basic linear algebra problem:
       $M \times z = s$, $M = [v_1 \mid \dots \mid v_n]$
     $v_i$ is the vector of values computed in the node $i$ of the circuit;
     $z$ is a vector indicating locations of shares among nodes of the circuit.
     Higher-order masking does not help...
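The attack on the linear decoder, as an added example (not code from the slides or from the authors): a toy white-box circuit computes a 4-bit S-box on pt ⊕ k and Boolean-masks every output bit into t = 3 shares with fresh random bits per execution, padded with key-independent random nodes and laid out in a secret node order. The attacker records all node values over D executions, builds M with one column per node, and solves M z = s over GF(2) for every key guess; the solution z marks the share nodes. The S-box is the PRESENT S-box, the key nibble 0xA, the node layout and all names (whitebox_trace, solve_gf2, linear_algebra_attack, run_attack) are constructed for this example.

```python
"""Linear-algebra attack on a Boolean-masked toy white-box circuit (added example)."""
import random

# PRESENT 4-bit S-box, standing in for the reference implementation's S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
TRUE_KEY = 0xA        # constructed secret key nibble baked into the white-box
T_SHARES = 3          # shares per masked output bit
N_DECOY = 6           # fresh random nodes unrelated to the key (e.g. unused masks)
N_NODES = 4 + 4 * T_SHARES + N_DECOY

# Fixed secret permutation of node indices: the layout hides where the shares sit.
_LAYOUT = list(range(N_NODES))
random.Random(2018).shuffle(_LAYOUT)


def share_positions(bit):
    """Ground truth (designer's view): node indices of the t shares of output bit `bit`."""
    return sorted(_LAYOUT[4 + bit * T_SHARES + j] for j in range(T_SHARES))


def whitebox_trace(pt, rng):
    """One execution of the masked circuit; returns the value of every node."""
    y = SBOX[pt ^ TRUE_KEY]
    logical = [(pt >> i) & 1 for i in range(4)]          # public plaintext bits
    for i in range(4):
        bit = (y >> i) & 1
        shares = [rng.getrandbits(1) for _ in range(T_SHARES - 1)]
        shares.append(bit ^ (sum(shares) & 1))          # XOR of all shares == bit
        logical += shares
    logical += [rng.getrandbits(1) for _ in range(N_DECOY)]
    nodes = [0] * N_NODES
    for src, dst in enumerate(_LAYOUT):
        nodes[dst] = logical[src]
    return nodes


def solve_gf2(rows, rhs, n):
    """Solve M z = rhs over GF(2); rows[i] is an int whose bit j is M[i][j].
    Returns one solution as an int (bit j = z_j, free variables set to 0) or None."""
    aug = [(row << 1) | b for row, b in zip(rows, rhs)]  # bit 0 holds the right-hand side
    pivots, rank = [], 0
    for col in range(n):
        bit = 1 << (col + 1)
        piv = next((i for i in range(rank, len(aug)) if aug[i] & bit), None)
        if piv is None:
            continue
        aug[rank], aug[piv] = aug[piv], aug[rank]
        for i in range(len(aug)):
            if i != rank and aug[i] & bit:
                aug[i] ^= aug[rank]
        pivots.append(col)
        rank += 1
    if any(aug[i] == 1 for i in range(rank, len(aug))):   # a row "0 = 1": inconsistent
        return None
    return sum(1 << col for i, col in enumerate(pivots) if aug[i] & 1)


def linear_algebra_attack(traces, target_bit):
    """For each key guess, test whether the predictable bit lies in the column span of M.
    Returns {guess: sorted share node indices} for every guess that admits a solution."""
    rows = [sum(v << j for j, v in enumerate(nodes)) for _, nodes in traces]
    matches = {}
    for guess in range(16):
        s = [(SBOX[pt ^ guess] >> target_bit) & 1 for pt, _ in traces]
        z = solve_gf2(rows, s, N_NODES)
        if z is not None:
            matches[guess] = sorted(j for j in range(N_NODES) if z >> j & 1)
    return matches


def run_attack(target_bit=1, n_traces=64, seed=1):
    """Collect D = n_traces executions (D well above the node count) and run the attack."""
    rng = random.Random(seed)
    pts = [i % 16 for i in range(n_traces)]     # every plaintext nibble equally often
    traces = [(pt, whitebox_trace(pt, rng)) for pt in pts]
    return linear_algebra_attack(traces, target_bit)


if __name__ == "__main__":
    for guess, z in run_attack().items():
        print(f"key guess {guess:#x} consistent, share nodes {z}")
    print("true key", hex(TRUE_KEY), "true share nodes", share_positions(1))
```

With D much larger than the number of nodes the true key guess always yields a consistent system whose solution is exactly the three share nodes, independent of the masking order t; a wrong guess passes only if its predictable bit happens to be a GF(2)-linear combination of the circuit's deterministic node values, which is what a designer evaluating a linear decoder would check. This is the reason the countermeasure slides replace the linear decoder with a non-linear one.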

  25-27. The Linear Algebra Attack (2)
     Generalizations:
       nonlinear decoders, through linearization technique
       approximately linear decoders, through LPN algorithms
       semi-linear decoders:
         1 assume $s \cdot r$ is computed/shared in the circuit, where
         2 $s$ is a predictable value
         3 $r$ is unpredictable (pseudorandom, ≈ uniform)
         4 choose plaintexts $p_1, \dots, p_D$ such that $s(p_i) = 0$ for $1 \le i \le D - 1$ and $s(p_i) = 1$ for $i = D$
         5 $s \cdot r$ will be equal to $(0, 0, \dots, 0, 1)$ with $\Pr = 1/2$
         6 if $s$ is guessed wrong, such a vector is unlikely to be a solution

  28. Plan: 1 Introduction; 2 Attacks on Masked White-box Implementations; 3 Countermeasures; 4 Algebraic Security

  29-32. Our Framework: Two Components
     Value Hiding:
       1 DCA side-channel attack
       2 (new) linear algebra attack
     Structure Hiding:
       1 circuit analysis / simplification
       2 fault injections
       3 pseudorandomness removal
       4 etc.
     (hopefully) easier to solve independently

  33. Value Hiding
     Our solution for value hiding:
       1 non-linear masking (vs linear algebra attack)
       2 classic linear masking (vs DCA correlation attack)
       3 provable security against the linear algebra attack

  34. Plan: 1 Introduction; 2 Attacks on Masked White-box Implementations; 3 Countermeasures; 4 Algebraic Security

  35-37. Algebraic Security (1/2)
     Security model:
       1 random bits allowed as in the classic masking model; unpredictability in WB impl. as pseudorandom
       2 Goal: any $f \in \mathrm{span}\{v_i\}$ is unpredictable
       3 isolated from obfuscation problems

  38-41. Algebraic Security (2/2)
     Adversary:
       1 chooses plaintext/key pairs
       2 chooses $f \in \mathrm{span}\{v_i\}$
       3 tries to predict values of this function (i.e. before random bits are sampled)
       4 succeeds only if $f$ matches

  42-44. Algebraic Security (3/3)
     Proposition. Let $\mathcal{F} = \{ f(x, \cdot, \cdot) \mid f(x, r_e, r_c) \in \mathrm{span}\{v_i\},\ x \in \mathbb{F}_2^N \}$. Let $\varepsilon = \max_{f \in \mathcal{F}} \mathrm{bias}(f)$ and $e = -\log_2(1/2 + \varepsilon)$. Then for any adversary $\mathcal{A}$ choosing $Q$ inputs,
       $\mathrm{Adv}[\mathcal{A}] \le \min\left(2^{Q - |r_c|},\ 2^{-eQ}\right)$.
     Corollary. Let $k$ be a positive integer. Then for any adversary $\mathcal{A}$,
       $\mathrm{Adv}[\mathcal{A}] \le 2^{-k}$ if $e > 0$ and $|r_c| \ge k \cdot \left(1 + \frac{1}{e}\right)$.
     Information-theoretic security.
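How the corollary follows from the two terms of the proposition, as an added derivation that is not on the slides: split on whether the adversary's query count $Q$ reaches $k/e$.

$$
Q \ge \frac{k}{e}:\qquad \mathrm{Adv}[\mathcal{A}] \le 2^{-eQ} \le 2^{-k}.
$$
$$
Q < \frac{k}{e}:\qquad \mathrm{Adv}[\mathcal{A}] \le 2^{Q - |r_c|} < 2^{k/e - |r_c|} \le 2^{-k}
\quad\Longleftrightarrow\quad |r_c| \ge k + \frac{k}{e} = k\left(1 + \frac{1}{e}\right).
$$

The condition $e > 0$ is what makes $k/e$ finite; $e = 0$ means some $f$ in the span has bias $1/2$, i.e. is fully predictable, so the second term equals $1$ and the bound is vacuous as soon as $Q \ge |r_c|$. The crossover $Q = k/e$ also shows why the two ingredients are complementary: the randomness budget $|r_c|$ caps the advantage for few queries, while the bias exponent $e$ caps it once the adversary has many.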
