more practical single trace attacks on the number
play

More Practical Single-Trace Attacks on the Number Theoretic - PowerPoint PPT Presentation

Jan 20, 2024 •939 likes •1.63k views

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 > www.iaik.tugraz.at www.iaik.tugraz.at

  1. SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 > www.iaik.tugraz.at

  2. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  3. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  4. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks 1 0 0 1 1 0 0 0 1 0 0 1 1 0 0 0  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  5. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks 1 0 0 1 1 0 0 0 1 0 0 1 1 0 0 0  Power consumption trace of RSA decryption  Single-trace attacks are still a prime threat!  Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  6. www.iaik.tugraz.at But RSA is old news anyway. . . Lattice-based cryptography promising post-quantum replacement implementations: fast and constant time / control flow Do we still need to worry about single-trace attacks? no more instruction leakage protection efforts towards differential (multi-trace) attacks Peter Pessl, Graz University of Technolgy 3 LATINCRYPT 2019, October 02

  7. www.iaik.tugraz.at But RSA is old news anyway. . . Lattice-based cryptography promising post-quantum replacement implementations: fast and constant time / control flow Do we still need to worry about single-trace attacks? no more instruction leakage protection efforts towards differential (multi-trace) attacks Peter Pessl, Graz University of Technolgy 3 LATINCRYPT 2019, October 02

  8. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  9. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  10. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Can we do better? Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  11. www.iaik.tugraz.at Our Contribution Improve upon previous attack several improvements to belief propagation in this context change targets: encryption instead of decryption Attack constant-time ASM-optimized Kyber implementation massively reduced templating effort Peter Pessl, Graz University of Technolgy 5 LATINCRYPT 2019, October 02

  12. www.iaik.tugraz.at Our Contribution Improve upon previous attack several improvements to belief propagation in this context change targets: encryption instead of decryption Attack constant-time ASM-optimized Kyber implementation massively reduced templating effort Peter Pessl, Graz University of Technolgy 5 LATINCRYPT 2019, October 02

  13. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  14. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  15. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  16. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  17. www.iaik.tugraz.at Number Theoretic Transform Naive polynomial multiplication: O ( n 2 ) Better: N umber T heoretic T ransform (NTT) ≈ FFT in Z q [ x ] , runtime O ( n log n ) pointwise mult. of NTT-transformed: a · b = INTT ( NTT ( a ) ◦ NTT ( b )) Peter Pessl, Graz University of Technolgy 7 LATINCRYPT 2019, October 02

  18. www.iaik.tugraz.at Number Theoretic Transform Naive polynomial multiplication: O ( n 2 ) Better: N umber T heoretic T ransform (NTT) ≈ FFT in Z q [ x ] , runtime O ( n log n ) pointwise mult. of NTT-transformed: a · b = INTT ( NTT ( a ) ◦ NTT ( b )) Peter Pessl, Graz University of Technolgy 7 LATINCRYPT 2019, October 02

  19. www.iaik.tugraz.at Butterfly 𝑦 0 𝑦 ̂ 0 𝜕 𝑦 1 𝑦 ̂ 1 -1 Butterfly = 2-coefficient NTT Peter Pessl, Graz University of Technolgy 8 LATINCRYPT 2019, October 02

  20. www.iaik.tugraz.at Butterfly Network 𝑦 0 𝑦 ̂ 0 𝜕 n 0 𝑦 2 𝑦 ̂ 1 -1 𝜕 n 0 𝑦 ̂ 2 𝑦 1 -1 0 1 𝜕 n 𝜕 n 𝑦 3 𝑦 ̂ 3 -1 -1 4-coefficient NTT Peter Pessl, Graz University of Technolgy 9 LATINCRYPT 2019, October 02

  21. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  22. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  23. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 -1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  24. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 -1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  25. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 2. Belief propagation Represent NTT with a graphical model 𝜕 Pass beliefs along edges and update 𝑦 1 𝑦 ̂ 1 Repeat until convergence reached Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

  26. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 2. Belief propagation Represent NTT with a graphical model 𝜕 Pass beliefs along edges and update 𝑦 1 𝑦 ̂ 1 Repeat until convergence reached Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

  27. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 2. Belief propagation 𝑦 0 𝑔 𝑦 ̂ 0 add Represent NTT with a graphical model Pass beliefs along edges and update Repeat until convergence reached 𝑦 1 𝑦 ̂ 1 𝑔 sub Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

569 views • 39 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

1.43k views • 103 slides
An approach to computing the number of finite field elements with prescribed trace and co-trace

An approach to computing the number of finite field elements with prescribed trace and co-trace

An approach to computing the number of finite field elements with prescribed trace and co-trace Yuri Borissov Institute of Mathematics and Informatics, BAS, Bulgaria joint work with A. Bojilov and L. Borissov Faculty of Mathematics and

756 views • 44 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What

Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What

Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What is the relationship between the width of a single slit and the diffraction pattern observed through the single slit? Method Hold a glass

599 views • 14 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
Stochastic Iterative Hard Thresholding for Graph-Structured Sparsity Optimization Baojian Zhou 1 ,

Stochastic Iterative Hard Thresholding for Graph-Structured Sparsity Optimization Baojian Zhou 1 ,

Stochastic Iterative Hard Thresholding for Graph-Structured Sparsity Optimization Baojian Zhou 1 , Feng Chen 1 , and Yiming Ying 2 1 Department of Computer Science, 2 Department of Mathematics and Statistics, University at Albany, NY, USA

289 views • 7 slides
Comparison of the 2005 Weimer and HAO Empirical High Latitude Models of Energy Transfer in terms

Comparison of the 2005 Weimer and HAO Empirical High Latitude Models of Energy Transfer in terms

Comparison of the 2005 Weimer and HAO Empirical High Latitude Models of Energy Transfer in terms of Poynting Flux Colin Triplett REU-LASP, NCAR-HAO Mentors: Astrid Maute, Yue Deng, Art Richmond Background Two Models Weimer 05

546 views • 29 slides
NSI with ANT ARES data N. R. Khan Chowdhury, T arak Thakore 1 12th Dec. 2019 | N. R. Khan

NSI with ANT ARES data N. R. Khan Chowdhury, T arak Thakore 1 12th Dec. 2019 | N. R. Khan

NSI with ANT ARES data N. R. Khan Chowdhury, T arak Thakore 1 12th Dec. 2019 | N. R. Khan Chowdhury | Weekly Meeting | IFIC | ANT ARES Data ARES (2007-2016) dataset containing CC- events has been used in The official 10 years ANT

231 views • 11 slides
Pi v oting DataFrames MAN IP U L ATIN G DATAFR AME S W ITH PAN DAS Anaconda Instr u ctor

Pi v oting DataFrames MAN IP U L ATIN G DATAFR AME S W ITH PAN DAS Anaconda Instr u ctor

Pi v oting DataFrames MAN IP U L ATIN G DATAFR AME S W ITH PAN DAS Anaconda Instr u ctor Clinical trials data import pandas as pd trials = pd.read_csv('trials_01.csv') print(trials) id treatment gender response 0 1 A F

669 views • 29 slides
The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and

The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and

The dual Voronoi diagrams with respect to representational Bregman divergences Frank Nielsen and Richard Nock frank.nielsen@polytechnique.edu Ecole Polytechnique, LIX, France Sony Computer Science Laboratories Inc, FRL, Japan International

437 views • 32 slides
ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C.

ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C.

ACESIII Outline Collaborators Design philosophy Mr. Mark Ponton, ACES Q. C. (SIP/SIAL/Compiler) Implementation Dr. Norbert Flocke, QTP Results (Integral package) Conclusions Dr. Erik Deumens,

531 views • 30 slides
Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De

Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De

Se Search arch for for th the e Lep Lepton ton Fl Flavor avor Vio Violating lating De Decay cay in in () Naf afis isa a Tas asne neem em Uni nivers rsity ity of Vic f Victori ria, a, Ca

818 views • 22 slides
Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s

Vassil Roussev The Current Forensic Workflow Forensic Target (3TB) Clone Process @150MB/s @10MB/s ~5.5 hrs ~82.5 hrs 129 * We can start working on the case after 88 hours. * http://accessdata.com/distributed-processing 2 Scalable

590 views • 30 slides

More recommend