fast white box implementations of dedicated ciphers on
play

Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 - PowerPoint PPT Presentation

Aug 26, 2022 •171 likes •597 views

Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture F elix Carvalho Rodrigues, H. Fujii, A. C. Serpa, G. Sider, R. Dahab, J. L opez October 3, 2019 Laboratory of Security and Cryptography, Institute of

  1. Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture F´ elix Carvalho Rodrigues, H. Fujii, A. C. Serpa, G. Sider, R. Dahab, J. L´ opez October 3, 2019 Laboratory of Security and Cryptography, Institute of Computing, University of Campinas (Unicamp) This research was partially supported by Samsung Eletrˆ onica da Amazˆ onia Ltda., through the “White Box Cryptography” project, within the scope of the Informatics Law No. 8248/91. 1

  2. Index Introduction Dedicated Ciphers SPACE WEM SPNbox Implementation Optimizing SPNbox Results 2

  3. Introduction

  4. White-box threat model: direct access to environment Black-Box: • Access only to • No leakage • No access to plaintexts and from executing ciphertexts implementation environment 3

  5. White-box threat model: direct access to environment Grey-Box (hardware side-channel): • Some leakage • No (direct) • Timing analysis, from access to Power analysis implementation executing available environment 3

  6. White-box threat model: direct access to environment In a White-Box context, an attacker can: • Access the • Manipulate the • Analyze binary memory execution code 3

  7. White-box threat model: direct access to environment 01010101 11110101 01000001 11011011 10101010 Access to: Access to: Access to: ◦ plaintext ◦ plaintext ◦ plaintext ◦ ciphertext ◦ ciphertext ◦ ciphertext ◦ side channel ◦ side channel information information ◦ execution environment (a) Black Box Model (b) Grey Box Model (c) White Box Model In a White-Box context, an attacker can: • Access the • Manipulate the • Analyze binary memory execution code How to protect against such powerful adversaries? 3

  8. White-Box Cryptography: first attempts White-Box Cryptography: • Design and secure the implementations of cryptographic algorithms running in untrusted environments First attempt: standard block cipher (e.g., AES): • Protect implementation through a network of lookup tables • Several proposed implementations [Chow et al., 2003, Bringer et al., 2006, Xiao and Lai, 2009, Karroumi, 2011] • Academic proposals mostly broken: [Billet et al., 2005, Goubin et al., 2007, Michiels et al., 2009, De Mulder et al., 2010, Lepoint et al., 2014, De Mulder et al., 2013] • Some hope? CHES 2019 white-box challenge [WhibOx, 2019] had three implementations which are still unbroken! 4

  9. White-Box Cryptography: first attempts White-Box Cryptography: • Design and secure the implementations of cryptographic algorithms running in untrusted environments First attempt: standard block cipher (e.g., AES): • Protect implementation through a network of lookup tables • Several proposed implementations [Chow et al., 2003, Bringer et al., 2006, Xiao and Lai, 2009, Karroumi, 2011] • Academic proposals mostly broken: [Billet et al., 2005, Goubin et al., 2007, Michiels et al., 2009, De Mulder et al., 2010, Lepoint et al., 2014, De Mulder et al., 2013] • Some hope? CHES 2019 white-box challenge [WhibOx, 2019] had three implementations which are still unbroken! BROKEN! AES seems to be hard to protect in a white-box context... 4

  10. Dedicated Ciphers

  11. Dedicated White-Box Block Ciphers Idea: • Design a block cipher from the ground up to be “secure” in a white-box context Focus of currently proposed dedicated ciphers: • Unbreakability • Protection against key extraction • Given access to a white-box implementation, the attacker must not be able to extract the secret key embedded in the cipher • Incompressibility 5

  12. Dedicated White-Box Block Ciphers Idea: • Design a block cipher from the ground up to be “secure” in a white-box context Focus of currently proposed dedicated ciphers: • Unbreakability • Incompressibility • Mitigation against code lifting • Given full access to a white-box cipher implementation, the attacker must not be able to produce a smaller implementation • Given “almost full” access to a white-box cipher implementation, the attacker must not be able to encrypt or decrypt any message with a significant probability 5

  13. Proposals considered in this work Proposals: • SPACE [Bogdanov and Isobe, 2015] • SPNbox [Bogdanov et al., 2016a] • WEM [Cho et al., 2017]. Parameters: • n in : determines lookup table input size of ciphers: • SPACE-16 ≡ SPACE instantiated with n in = 16 • We consider n in either 8 or 16 in this work • R : number of rounds of cipher No complete comparisons were made in relation to each other in previous works! 6

  14. SPACE Family of Ciphers • Based on a Feistel Network • Number of rounds: • R = 128 for n in = 16 • In each round, the state is • R = 300 for n in = 8 rotated left Example: single round of SPACE-16 7

  15. SPACE-16: Feistel function In the black-box: • Extract 16 bits from state and concatenate with zero vector • Encrypt with AES and master key • Discard 16 bits from output and return the remaining 112 bits In the white-box: • Extract 16 bits from state • Encrypt with a lookup table of 16-to-112 bits For both: after result add round constant 8

  16. White-box Even-Mansour ciphers ⇒ Based on the Even-Mansour scheme: • Keys are replaced by incompressible S-boxes • Public permutation is defined as 5 rounds of AES with a zeroed key • The proposed cipher uses 12 rounds 9

  17. WEM: S-box generation To generate each m -to- m S-box: • Generate long sequence of pseudo-random bits from secret key k • Generate sequence T = ( 0 , . . . , 2 m ) • Shuffle T using the generated pseudo-random bits from k 10

  18. SPNbox Family of Ciphers One round of SPNBox-16’s outer cipher Algorithm: • Substitution Layer ( S n in ) : divide state into n in -bit blocks and run a mini block cipher for each block with secret key • Permutation Layer ( θ ) : multiply state by a matrix in GF ( 2 n in ) • Affine Layer ( σ ) : add round constant • Repeat for 10 rounds 11

  19. SPNbox: small inner cipher One round of SPNbox-32’s inner cipher • Smaller SPN guarantees the substitution phase of its bigger counterpart • Repurposes some AES operations: • SB uses SubBytes operation from AES • MC uses the MixColumns operation from AES • AK is a simple key addition • Number of rounds depends on its size n in • In a white-box context, this inner SPN cipher becomes a lookup table 12

  20. Implementation

  21. ARMv8-A Architecture • 32 SIMD/NEON 128-bit registers (NEON mode): • each register can be interpreted as 16 bytes, 8 halfwords, 4 words or 2 doublewords • Cortex-A75: • Two 8 stage NEON instruction pipeline • One separate load/store pipeline for NEON instructions • Important NEON instructions: tbl/tbx, rev, ext; 13

  22. Pipeline Vs Cache Optimization Pipelined implementation (4-way): 14

  23. Pipeline Vs Cache Optimization Horizontal implementation (“all blocks”-way): 15

  24. SPACE and WEM Implementation details WEM : SPACE : • Both horizontal and • Benefits from a pipelined intercalated strategies have memory access merit • For a single block, only a • For pipelined implementation, couple of NEON operations: we separated the 16-to-16 • A couple of eor additions lookup tables as two 16-to-8 • A byte rotation with an ext tables: • Favors large pipelined • This allows for a lookup implementations, less suitable table to fit into a L2 cache for H-way on lower end hardware • Pad lookup table for better • Use hardware crypto memory alignment extensions (AES functions) 16

  25. SPNbox Optimizations • Allows for greater optimization opportunities • Four main implementations: One block, multiple blocks (transposed), lookup table multiplications and horizontal • Main point for optimization: its matrix multiplication ( θ layer) 17

  26. Single Block: Permutations and Multiplications where • Let T i ( S ) = S × i : • Multiplication of state S by a polynomial i translates to a series of constant-time polynomial additions and multiplications by x in GF(2 16 ): sshr v2.8h,v0.8h, #15 // v0 is the state shl v0.8h,v0.8h, #1 // v1 is the mask 0x002B and v2.8h,v1.8h,v2.8h eor v0.8h,v0.8h,v2.8h • The result of R = M 16 × S can be written as: R = T 1 ( S ) ⊕ P 1 ( T 3 ( S )) ⊕ P 2 ( T 4 ( S )) ⊕ P 3 ( T 5 ( S )) ⊕ � � P 4 T 6 ( S ) ⊕ P 1 ( T 8 ( S )) ⊕ P 2 ( T B ( S )) ⊕ P 3 ( T 7 ( S )) 18

  27. Transposing Multiple Blocks By transposing blocks we can eliminate permutations: The result R i , for i from 0 to 7, can be seen as: R i = T a i , 0 ( S ′ 0 ) ⊕ T a i , 1 ( S ′ 1 ) ⊕ T a i , 2 ( S ′ 2 ) ⊕ T a i , 3 ( S ′ 3 ) ⊕ T a i , 4 ( S ′ 4 ) ⊕ T a i , 5 ( S ′ 5 ) ⊕ T a i , 6 ( S ′ 6 ) ⊕ T a i , 7 ( S ′ 7 ) , 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box Cryptography and Obfuscation, 18-19/05/2019, Darmstadt Alessandro Amadori , Wil Michiels and Peter Roelse Department of Mathematics and Computer

655 views • 26 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur, Wil Michiels, Paul Gorissen, Bart Preneel COSIC K.U.Leuven and Philips Research March 27 2007 White-Box Attack Context key key ke y

555 views • 10 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei Wang Joint work with Matthieu Rivain WhibOx 2019, May 18, 2019 Overview 1 White-Box Context 2 DCA against Internal Encodings 3 Collision

539 views • 26 slides
Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs Michael J. Wiener 2016 August 14 1 Outline Why do we bother with white-box cryptography (WBC)? The origins of WBC Attacks and

379 views • 34 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M Alexandre Adomnicai 1,2 Zakaria Najm 1,2,3 Thomas Peyrin 1,2 1 Nanyang Technological University, Singapore 2 Temasek Laboratories,

457 views • 34 slides
Decision Tree and Random Forest Implementations for fast Fitlering of Sensor Data Sebastian

Decision Tree and Random Forest Implementations for fast Fitlering of Sensor Data Sebastian

Decision Tree and Random Forest Implementations for fast Fitlering of Sensor Data Sebastian Buschj ager and Katharina Morik TU Dortmund University - Computer Science - Artificial Intelligence Group July 3, 2018 1 So... Distributed

275 views • 16 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
REPRODUCTION Free living Most are Hermaphrodites that reproduce sexually Have both male

REPRODUCTION Free living Most are Hermaphrodites that reproduce sexually Have both male

REPRODUCTION Free living Most are Hermaphrodites that reproduce sexually Have both male and female reproductive organs Eggs are laid in clusters and hatch in a few weeks Asexually reproduce Fission Split in two Each

288 views • 10 slides
Land-based Environmental Regulations in Wales An Overview Julie Bowes MCIEEM Environmental

Land-based Environmental Regulations in Wales An Overview Julie Bowes MCIEEM Environmental

Land-based Environmental Regulations in Wales An Overview Julie Bowes MCIEEM Environmental Impact Ecologist, LNFD, Welsh Government. Welsh Government Regulations : Environmental Impact Assessment (EIA) (Agriculture)(Wales) Regulations

518 views • 33 slides
Cadeias trficas e pescas - - Tpicos Tpicos Cadeias trficas e pescas Dimenses e

Cadeias trficas e pescas - - Tpicos Tpicos Cadeias trficas e pescas Dimenses e

Cadeias trficas e pescas - - Tpicos Tpicos Cadeias trficas e pescas Dimenses e requisitos alimentares Dimenses e requisitos alimentares Transferncia de energia Transferncia de energia Mtodos de pesca

573 views • 32 slides
IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

OK Recursing? Jotto Corner Faye / Garrett OKer than before? cs5 guess my guess alien: 1 diner: 2 diner: 0 savvy: 1 party: 0 savvy: 1 judge: 2 ghost: 0 ghost: 2 plumb: ? ????? : ? plumb: ? Submission Site vs. Sakai? Sakai can

1.29k views • 100 slides
About the guy in front Conservation Biology BSC3052 About the guy in front About the guy in

About the guy in front Conservation Biology BSC3052 About the guy in front About the guy in

About the guy in front Conservation Biology BSC3052 About the guy in front About the guy in front About the guy in front About the guy in front PhD 1994 in Switzerland Evolutionary genetics 1994 move to Seattle Theoretical population

290 views • 7 slides
continuum , , of real numbers, and for roughly a century now it has been one of the central

continuum , , of real numbers, and for roughly a century now it has been one of the central

THE ABSOLUTE ARITHMETIC CONTINUUM AND THE UNIFICATION OF ALL NUMBERS GREAT AND SMALL Philip Ehrlich Introduction Bridging the gap between the domains of discreteness and of continuity , or between arithmetic and geometry, is a central,

324 views • 28 slides
In the beginning God created the heavens and the earth. Gen 1:1 IN INTR TRODUCTIO UCTION

In the beginning God created the heavens and the earth. Gen 1:1 IN INTR TRODUCTIO UCTION

The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and

652 views • 64 slides
Metapopulations A A metapopulation is a collection (ensemble) of sub t l ti i ll ti (

Metapopulations A A metapopulation is a collection (ensemble) of sub t l ti i ll ti (

Metapopulations A A metapopulation is a collection (ensemble) of sub t l ti i ll ti ( bl ) f b populations connected by migration. Shift in emphasis: Populations as single, well mixed collection of individuals. Populations as

642 views • 9 slides

More recommend