

  1. ISAP: Towards Side-channel Secure AE
     Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer
     ESC 2017

  2-4. www.iaik.tugraz.at
     Introduction
     - Problem: side-channel attacks
     - Countermeasures: hiding, masking, threshold implementations (TI), ...
     - Reduce the overhead of countermeasures: ASCON, KETJE/KEYAK, PRIMATES, SCREAM, ...
     - Can we do more? Leakage-resilient and misuse-resistant AE [Ber+16]; ISAP

  5. ISAP
     - Authenticated encryption scheme following the requirements of the CAESAR call
     - No assumptions on the choice of the nonce
     - Provides protection against DPA for both encryption and decryption
     - Solely based on sponges, which limits the attack surface against SPA

  6. SPA and DPA
     - Simple Power Analysis (SPA): observe the device processing the same or a few inputs; techniques that directly interpret the measurements
     - Differential Power Analysis (DPA): observe the device processing many different inputs; allows the use of statistical techniques

  7. Is DPA Still a Threat?
     - A. Moradi and T. Schneider. Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series. COSADE 2016 [MS16]
     - E. Ronen, C. O'Flynn, A. Shamir, and A.-O. Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. Cryptology ePrint Archive, Report 2016/1047, 2016 [Ron+16]

  8. What to do Against DPA?
     - Implementation level: hiding, masking, threshold implementations
     - Scheme level: fresh re-keying, leakage-resilient cryptography

  9. Fresh Re-keying [Med+10]
     (figure: tag and reader share the long-term key K; for a fresh nonce N both derive the session key K* = g(K, N); the tag sends N together with C = E_{K*}(P), the reader recovers P = E^{-1}_{K*}(C))

  10. Fresh Re-keying [Med+11]
      (figure: two-party setting; Party 1 and Party 2 share K and each contributes its own nonce, N_a and N_b, so that both derive the same session key K* from K and the two nonces; one side computes C = E_{K*}(P), the other P = E^{-1}_{K*}(C))

  11. What About Storage?
      (figure: a single device derives K* = g(K, N), stores N together with C = E_{K*}(P), and later decrypts C itself)
      - Encryption is still fine: every encryption uses a fresh N and therefore a fresh K*
      - Decryption causes problems: the nonce is now fixed by the stored data, so an attacker can present many modified ciphertexts C' under the same N and observe E^{-1} running under one fixed K* on inputs of their choice, which is exactly the setting DPA needs

  12. How to Protect Decryption?
      - Solely rely on implementation countermeasures: costly, and it makes re-keying for encryption kind of obsolete
      - Limit to one decryption: keep track of the nonce and re-encrypt the data after each read; time consuming and damaging (the stored data has to be rewritten every time)

  13-14. Multiple Decryption
      - Retain the principles of fresh re-keying while allowing multiple decryptions
      - DPA protection in storage settings (cf. the bitstream-encryption attacks of [MS16])
      - DPA protection in unidirectional/broadcast settings (cf. the ZigBee attack of [Ron+16])

  15-17. Principle of ISAP's Decryption
      - "Bind" the session key to the data that is decrypted
      (figure: y = H(N‖C); K* = g(K, y); the tag T is verified with a MAC under K*, and only on success is C decrypted (Dec) to P, so the session key used for verification depends on the very data being processed)

  18-20. ISAP's Authentication/Verification
      - Hash-then-MAC (slides 18/19): y = H(N‖C_1‖...‖C_t) via a sponge initialised with IV; K*_A = g(K_A, y); T = MAC_{K*_A}(N‖C_1‖...‖C_t) via a second sponge pass over the same data
      - Use a suffix MAC instead of hash-then-MAC: initialise the state with N‖IV_1, absorb C_1, ..., C_t at rate r_1 (capacity c_1) with p_a, take the k-bit value y from the state, inject K*_A = g(K_A, y) into the state and apply p_a once more to obtain T

  21. Possible g to Absorb Key K_A
      - Modular multiplication [Med+10]
      - LPN and LWE [Dzi+16]
      - Sponges [TS14]

  22. Absorbing the Key
      - Idea: reduce the rate to a minimum [TS14]
      - Related to the classical GGM construction [GGM86]
      (figure: state K_A‖IV_2; the input y = y_1, y_2, ..., y_w is absorbed one bit at a time (rate r_2, capacity c_2) between permutation calls (p_c, then p_b); the first k bits of the final state form K*_A)

  23. ISAP's En-/Decryption
      (figure: state K_E‖IV_3; the nonce blocks N_1, ..., N_u are absorbed at rate r_2 (capacity c_2) with p_b, after which keystream is squeezed at rate r_3 (capacity c_3) with p_c and XORed with P_1, ..., P_v to give C_1, ..., C_v; decryption runs the same keystream generation)
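The construction of slides 15 to 23 as a runnable toy, added here as an example; it is not the ISAP reference implementation nor any code from the authors. It uses the ISAP-128 parameters of slide 27 on a Keccak-p[400] written from the Keccak reference description (not checked against official test vectors). Everything the slides do not fix is an assumption and is marked as such in the code: the IV constants, the padding rule, using one 128-bit key K for both K_A and K_E, omitting associated data, and which calls of the re-keying use p_c rather than p_b. The function names rekey, mac, keystream_xor, seal and open_ are the example's own.

```python
"""Toy ISAP-style AE over Keccak-p[400] (added example, not the ISAP reference code).

Parameters follow slide 27 (ISAP-128): k = 128 bits, r1 = r3 = 144 bits, r2 = 1 bit,
rounds a = 20 (p_a, hashing), b = 12 (p_b, bit-wise re-keying), c = 12 (p_c, keystream).
ASSUMED, not taken from the slides: the IV constants, the 10* padding, a single 128-bit
K used as both K_A and K_E, no associated data, and the placement of the p_c calls around
the re-keying.  Keccak-p[400] follows the Keccak reference description and has not been
checked against official test vectors."""
import hmac

W, MASK, STATE, KEY, RATE = 16, 0xFFFF, 50, 16, 18     # lane bits, state/k/r1 in bytes
ROUNDS_A, ROUNDS_B, ROUNDS_C = 20, 12, 12
IV1, IV2, IV3 = b"toy-IV1-hash", b"toy-IV2-rkey", b"toy-IV3-encr"   # assumed domain separators
# Keccak round constants truncated to 16-bit lanes; Keccak-p[400, nr] runs the last nr of 20 rounds.
RC = [0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, 0x008A, 0x0088,
      0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A]
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]           # rotation offsets, RHO[x][y]


def rot(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK if n else v


def keccak_p400(state, nr):
    """Keccak-p[400, nr] on a 50-byte state; lane (x, y) sits at byte offset 2*(x + 5*y)."""
    A = [[int.from_bytes(state[2 * (x + 5 * y):2 * (x + 5 * y) + 2], "little")
          for y in range(5)] for x in range(5)]
    for rnd in range(20 - nr, 20):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]   # theta
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                      # rho and pi
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rot(A[x][y], RHO[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])                 # chi
              for y in range(5)] for x in range(5)]
        A[0][0] ^= RC[rnd]                                                      # iota
    return b"".join(A[x][y].to_bytes(2, "little") for y in range(5) for x in range(5))


def rekey(key, iv, data):
    """g(K, data) of slides 21/22: a sponge started from K || IV absorbs `data` one bit per
    permutation call (rate r2 = 1).  Whatever state the chain has reached, the next call sees
    only two possible inputs (bit 0 or bit 1), so an attacker never gets the input variety
    DPA needs; the walk is the GGM tree with the permutation as PRG.  Returns the final state."""
    s = bytearray(keccak_p400(key + iv + bytes(STATE - KEY - len(iv)), ROUNDS_C))
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    for j, bit in enumerate(bits):
        s[0] ^= bit
        s = bytearray(keccak_p400(bytes(s), ROUNDS_C if j == len(bits) - 1 else ROUNDS_B))
    return bytes(s)


def mac(key, nonce, ct):
    """Suffix MAC of slide 20: absorb N || C keylessly, feed the k-bit digest y through the
    re-keying g(K_A, y) and finish with the fresh K*_A injected.  K*_A changes with every
    (N, C), so the final keyed call never repeats a key across varying data."""
    s = bytearray(nonce + IV1 + bytes(STATE - KEY - len(IV1)))
    padded = ct + b"\x80" + bytes(-(len(ct) + 1) % RATE)      # 10* padding (assumed)
    for i in range(0, len(padded), RATE):
        s = bytearray(keccak_p400(bytes(s), ROUNDS_A))
        for j, b in enumerate(padded[i:i + RATE]):
            s[j] ^= b
    y = bytearray(keccak_p400(bytes(s), ROUNDS_A))
    y[:KEY] = rekey(key, IV2, bytes(y[:KEY]))[:KEY]            # outer part replaced by K*_A
    return keccak_p400(bytes(y), ROUNDS_A)[:KEY]


def keystream_xor(key, nonce, data):
    """Slide 23: state K_E || IV3 absorbs the nonce bit-wise (p_b), then keystream is squeezed
    at rate r3 with p_c.  The keystream depends on (K, N) only, never on the ciphertext."""
    s, out = rekey(key, IV3, nonce), bytearray()
    for i in range(0, len(data), RATE):
        out += bytes(a ^ b for a, b in zip(data[i:i + RATE], s))
        s = keccak_p400(s, ROUNDS_C)
    return bytes(out)


def seal(key, nonce, pt):
    if len(key) != KEY or len(nonce) != KEY:
        raise ValueError("key and nonce must be 16 bytes")
    ct = keystream_xor(key, nonce, pt)
    return ct, mac(key, nonce, ct)


def open_(key, nonce, ct, tag):
    """Verify first: keystream for decryption is only generated for an authenticated (N, C),
    so a modified ciphertext never reaches the p_c calls (slides 11 and 15)."""
    if len(key) != KEY or len(nonce) != KEY:
        raise ValueError("key and nonce must be 16 bytes")
    if not hmac.compare_digest(mac(key, nonce, ct), tag):
        return None
    return keystream_xor(key, nonce, ct)
```

Verification runs before any decryption: a tampered ciphertext, tag or nonce is rejected by the constant-time tag comparison and never reaches the keystream generator, which is the binding of the session key to the decrypted data that slide 15 describes. The only place the long-term key meets attacker-influenced input is the bit-wise re-keying, where each permutation call has just two candidate inputs.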

  24. Benefits of Sponges
      - Well studied and analysed
      - Allows implementing a wide range of primitives
      - No inverse building blocks needed (permutation only)
      - No key schedule; the key is injected once

  25-26. Sponges and Side-channel Leakage
      (figure: two consecutive calls of the permutation p with rate r and capacity c; ℓ_i bits of the state leak around call i and ℓ_{i+1} around call i+1)
      - Effective capacity after leakage: c' = c - (ℓ_i + ℓ_{i+1})

  27. Instances
      Keccak-p[400, n_r] as permutation [Ber+14]

      Name         Security level k   Bit sizes r1 / r2 / r3   Rounds a / b / c
      ISAP-128     128                144 / 1 / 144            20 / 12 / 12
      TRUMPF-128   128                144 / 1 / 144            16 / 1 / 8

  28. Implementation (one round per cycle)

      Function     Area [kGE]   Initialization [cycles]   Initialization [µs]   Runtime per block [cycles]   Runtime per block [µs]
      ISAP-128     14.0         3401                      20.1                  36                           0.20
      TRUMPF-128   14.0         564                       3.3                   28                           0.16

  29. Conclusion
      - AE scheme following the requirements of the CAESAR call
      - Provides protection against DPA for encryption and decryption
      - Enables several use-cases: multiple decryption of stored data, unidirectional/broadcast communication

  30. Thank you
      http://eprint.iacr.org/2016/952

  31-33. References
      [Ber+14] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, and R. Van Keer. Ketje. Submission to the CAESAR competition, http://competitions.cr.yp.to, 2014
      [Ber+16] F. Berti, F. Koeune, O. Pereira, T. Peters, and F.-X. Standaert. Leakage-Resilient and Misuse-Resistant Authenticated Encryption. Cryptology ePrint Archive, Report 2016/996, 2016
      [Dzi+16] S. Dziembowski, S. Faust, G. Herold, A. Journault, D. Masny, and F.-X. Standaert. Towards Sound Fresh Re-keying with Hard (Physical) Learning Problems. CRYPTO 2016
      [GGM86] O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM 33:4, 1986
      [Med+10] M. Medwed, F.-X. Standaert, J. Großschädl, and F. Regazzoni. Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices. AFRICACRYPT 2010
      [Med+11] M. Medwed, C. Petit, F. Regazzoni, M. Renauld, and F.-X. Standaert. Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks. CARDIS 2011
      [MS16] A. Moradi and T. Schneider. Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series. COSADE 2016
      [Ron+16] E. Ronen, C. O'Flynn, A. Shamir, and A.-O. Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. Cryptology ePrint Archive, Report 2016/1047, 2016
      [TS14] M. M. I. Taha and P. Schaumont. Side-channel countermeasure for SHA-3 at almost-zero area overhead. HOST 2014
