dpa protected authenticated encryption
play

DPA-Protected Authenticated Encryption Mostafa Taha and Patrick - PowerPoint PPT Presentation

May 19, 2023 •153 likes •636 views

A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by NSF grant no. 1115839. Leakage-Resilient

  1. A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by NSF grant no. 1115839.

  2. Leakage-Resilient Cryptography Classical Cryptography Algorithm Input Output Key 2

  3. Leakage-Resilient Cryptography Side-Channel Analysis Algorithm Input Output Key Execution Time Power Consumption Electromagnetic Radiation Acoustic Waves Photonic Emission Fault Detection 3

  4. Leakage-Resilient Cryptography Side-Channel Analysis Algorithm Input Output Key Execution Time Power Consumption Electromagnetic Radiation Is this a problem? Acoustic Waves Photonic Emission Fault Detection 3

  5. Differential Power Analysis P S K • The key in DPA is to find a sensitive intermediate variable that depends on: – a controllable/observable input. – and a fixed unknown. Where the unknown is affected by a small part of the key. 4

  6. Leakage-Resilient Cryptography 1- Hardware Protection Algorithm Input Output Key 5

  7. Leakage-Resilient Cryptography 1- Hardware Protection Algorithm Input Output Key • Typically at High Cost (typically 2x). 5

  8. Leakage-Resilient Cryptography 2- Leakage-Resilient Cryptography Algorithm Input Output Key 6

  9. Leakage-Resilient Cryptography 2- Leakage-Resilient Cryptography Algorithm Input Output Key New Primitive Special Mode of operation (compatible with current modes) 6

  10. Leakage-Resilient Cryptographic Primitive • Stream Ciphers: [DP08, P09, YSPY10] • Block Ciphers: [FPS12] • Digital Signatures: [BSW11] • Public-Key Encryption: [NS12] and many more 7

  11. Leakage-Resilient Cryptographic Primitive • Stream Ciphers: [DP08, P09, YSPY10] • Block Ciphers: [FPS12] • Digital Signatures: [BSW11] • Public-Key Encryption: [NS12] and many more However: • The assumptions used are controversial. • High-overhead initialization procedure. • Not a current solution (still needs standardization). 7

  12. Leakage-Resilient Mode of Operation • Are current modes DPA-protected? 8

  13. Leakage-Resilient Mode of Operation • Are current modes DPA-protected? • No – Different design requirement. – The IV/nonce is not secret, hence the same attack methodology can be used. 8

  14. Leakage-Resilient Mode of Operation • Are current modes DPA-protected? • No – Different design requirement. – The IV/nonce is not secret, hence the same attack methodology can be used. • Research Goals: – Current: Design a compatible DPA-protection add-on. – Future: Include the DPA-protection in a new AE mode. 8

  15. Outline Introduction • Design Model • Security Requirements of the New Scheme • Previous Work • NLFSR-Based Scheme • Concluding Remarks 9

  16. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Session Key K1 K2 K3 In Out In Out In Out AES AES AES 10

  17. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Session Key K1 K2 K3 In Out In Out In Out AES AES AES Goal: protection against any “differential” attack. This is NOT shifting the problem, but separating it. 10

  18. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Direct Leakage Session Key K1 K2 K3 In Out In Out In Out AES AES AES Goal: protection against any “differential” attack. This is NOT shifting the problem, but separating it. 10

  19. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Direct Leakage Session Key K1 K2 K3 In Out In Out In Out AES AES AES Combined Information Leakage Goal: protection against any “differential” attack. This is NOT shifting the problem, but separating it. 10

  20. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Direct Leakage Session Key K1 K2 K3 In Out In Out In Out AES AES AES Combined Information Leakage Goal: protection against any “differential” attack. This is NOT shifting the problem, but separating it. 10

  21. Design Model Encryption Key Propagation Initialization Master Initialization Key Vector Direct Leakage Session Key K1 K2 K3 In Out In Out In Out AES AES AES Combined Information Leakage Goal: protection against any “differential” attack. This is NOT shifting the problem, but separating it. 10

  22. Security Requirements • Initialization: – Maximum Diffusion. – Compatible with current AES modes . (no additional secrets or exchanged variables) – One-wayness. – DPA-hard, without depending on the Hardware. – Small hardware overhead. Master Initialization Key Vector Session Key 11

  23. Security Requirements • Key Propagation: – Non-linearity. – Prevent divide-and-conquer. – Forward Security (better). – Small hardware overhead. K1 K2 K3 Session Key 12

  24. Previous Work Contribution Initialization Propagation [Kocher03] DES DES [MSGR10] Modular Multiplication [GFM10] NLM and AES AES [Kocher11] Tree structure of Hashing Hashing [MSJ12] Improved tree of AES [BSH..13] Minimum SP Network Current Proposal NLFSR-based scheme • They are all: – High cost. – Or, depend on other hardware protections. 13

  25. Current Proposal • Why NLFSR? – High DPA-attack complexity. Current DPA attack on Grain leaves 30 bits of the key for exhaustive search [FGKV07]. – High diffusion and one-wayness. – High non-linearity. – Low hardware overhead, as learned from the eSTREAM results. • What are the preferred properties of the NLFSR for the best DPA-protection? 14

  26. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n 15

  27. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit: – One sensitive variable of high leakage. The output of the feedback function can be found. 15

  28. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit: 16

  29. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit: – Sensitive variable of high leakage. The output of the feedback function can be found. 16

  30. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit: – Sensitive variable of high leakage. The output of the feedback function can be found. – Sensitive variable of low leakage. Intermediate unknown can be found. 16

  31. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit: – Sensitive variable of high leakage. The output of the feedback function can be found. – Sensitive variable of low leakage. Intermediate unknown can be found. Is it useful? depends on the computational hierarchy. 16

  32. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit. • n th input bit: – A linear equation of n unknowns. 17

  33. DPA of a Generic LFSRs I 0 I 1 I 2 C C C C C C I n • 1 st input bit. • 2 nd input bit. • n th input bit: – A linear equation of n unknowns. LFSRs are directly breakable after reaching all state bits 17

  34. DPA of a Generic NLFSRs I 0 I 1 Non-linear function I 2 I n 18

  35. DPA of a Generic NLFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit: – One sensitive variable of high leakage. The output of the feedback function can be found. 18

  36. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit. • 2 nd input bit: Operation at the known bit: 19

  37. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit. • 2 nd input bit: Operation at the known bit: – XOR: The output of the feedback function can be found. Intermediate unknown can be found. Is it useful? – AND: Only the intermediate unknown (low leakage) can be found. Is it useful? depends on the computational hierarchy. 19

  38. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit. • 2 nd input bit: Operation at the known bit: – XOR: The output of the feedback function can be found. Intermediate unknown can be found. Is it useful? – AND: Only the intermediate unknown (low leakage) can be found. Is it useful? depends on the computational hierarchy. 19

  39. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit. • 2 nd input bit. • n th input bit: – Only an intermediate variable within the feedback function 20

  40. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • 1 st input bit. • 2 nd input bit. • n th input bit: – Only an intermediate variable within the feedback function NLFSRs can still be broken by focusing on small operations within the feedback function 20

  41. DPA of a Generic LFSRs I 0 I 1 Non-linear function I 2 I n • Solution: Implement the feedback function in memory. 21

  42. DPA of a Generic NLFSRs • Preferred properties: – Large internal state. – High number of feedback taps. – Feedback function includes the first state bit. – Either: • The first bit is ANDed at the top of computational hierarchy. • Or, the feedback function is implemented using memory. – Maximum period. 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
On-off Control: Audio Applications Graham C. Goodwin Day 4: Lecture 3 16th September 2004

On-off Control: Audio Applications Graham C. Goodwin Day 4: Lecture 3 16th September 2004

On-off Control: Audio Applications Graham C. Goodwin Day 4: Lecture 3 16th September 2004 International Summer School Grenoble, France Centre for Complex Dynamic Systems and Control 1 Background In this lecture we address the issue of

632 views • 51 slides
6.003: Signals and Systems Signals and Systems September 8, 2011 1 6.003: Signals and Systems

6.003: Signals and Systems Signals and Systems September 8, 2011 1 6.003: Signals and Systems

6.003: Signals and Systems Signals and Systems September 8, 2011 1 6.003: Signals and Systems Todays handouts: Single package containing Slides for Lecture 1 Subject Information & Calendar Lecturer: Denny Freeman Instructors: Elfar

508 views • 37 slides
Resonance Control of Cavities Jeremiah Holzbauer PIP-II Machine Advisory Committee 10 April 2017

Resonance Control of Cavities Jeremiah Holzbauer PIP-II Machine Advisory Committee 10 April 2017

Resonance Control of Cavities Jeremiah Holzbauer PIP-II Machine Advisory Committee 10 April 2017 Resonance Control Group Relevant Group Publications (Inspirehep.net) Group Members: 1) Investigation of Thermal Acoustic Effects on SRF

486 views • 23 slides
Hybrid/Tandem models + TDNNs + Intro to RNNs Lecture 8 CS 753 Instructor: Preethi Jyothi

Hybrid/Tandem models + TDNNs + Intro to RNNs Lecture 8 CS 753 Instructor: Preethi Jyothi

Hybrid/Tandem models + TDNNs + Intro to RNNs Lecture 8 CS 753 Instructor: Preethi Jyothi Feedback from in-class quiz 2 (on FSTs) Common mistakes Forgetting to consider subset of input alphabet Not careful about only accepting

557 views • 23 slides
Lecture 11 Waves and Interference The Final Piece of Classical Physics: Announcements Waves L

Lecture 11 Waves and Interference The Final Piece of Classical Physics: Announcements Waves L

Lecture 11 Waves and Interference The Final Piece of Classical Physics: Announcements Waves L i Today: Waves and Light g h t Final part of Classical Mechanics Many Kinds of Waves - light, sound, strings, ... Ether?

186 views • 4 slides
MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecture 3:

MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecture 3:

MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecture 3: Fundamentals of Wireless Sensing & Localization (Cont) Fundamentals of Communications & Connectivity Lecturers Fadel Adib (fadel@mit.edu)

834 views • 80 slides
The Effect of Ionic Composition on Acoustic Phonon Speeds in Hybrid Perovskites Irina Kabakova

The Effect of Ionic Composition on Acoustic Phonon Speeds in Hybrid Perovskites Irina Kabakova

The Effect of Ionic Composition on Acoustic Phonon Speeds in Hybrid Perovskites Irina Kabakova School of Mathematical and Physical Sciences University of Technology Sydney UNSW, Sydney 17 May 2018 Motivation Hybrid organic-inorganic

366 views • 21 slides

More recommend