side channel analysis of six sha 3 candidates in hmac
play

Side-channel analysis of six SHA-3 candidates in HMAC scheme - PowerPoint PPT Presentation

Nov 08, 2023 •728 likes •1.1k views

Background Correlation Analysis Results Conclusion Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas Peyrin CHES 2010 Workshop Santa Barbara - August 18, 2010 Background Correlation Analysis

  1. Background Correlation Analysis Results Conclusion Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Benoˆ ıt and Thomas Peyrin CHES 2010 Workshop Santa Barbara - August 18, 2010

  2. Background Correlation Analysis Results Conclusion Outline Background Correlation Analysis Theory Practice Results AES-bases candidates Others Candidates Conclusion

  3. Background Correlation Analysis Results Conclusion Outline Background Correlation Analysis Theory Practice Results AES-bases candidates Others Candidates Conclusion

  4. Background Correlation Analysis Results Conclusion Introduction • NIST launched the SHA-3 competition in order to replace the collision-broken SHA-1 function • 14 candidates are still in the race, the winner will be determined in 2012 • it makes sense to consider side-channel attack on these SHA-3 candidates in the HMAC scheme • Retrieving the key would lead to the ability to forge correct MAC • We will therefore analyse a panel of six candidates deemed representative ECHO Grøstl SHAvite-3 HAMSI BLAKE CubeHash

  5. Background Correlation Analysis Results Conclusion Prior works • DPA on n-bit sized boolean and arithmetic operations and its application to IDEA, RC6, and HMAC construction (CHES 2005), Lemke et al. • Side channel attacks against HMAC based on block-cipher based hash functions (ACISP 2006), Okeya et al. • DPA of HMAC based on SHA-2, and countermeasures (WISA2007), McEvoy et al. • An update on the side channel cyrptanalysis of MAC based on crytopgaphic hash functions (INDOCRYPT 2007), Gauravaram et al. • Practical Electromagnetic Template Attack on HMAC (CHES 2009), Fouque et al.

  6. Background Correlation Analysis Results Conclusion HMAC HMAC ( K , M ) = H (( K ⊕ opad ) || H (( K ⊕ ipad ) || M )) K ⊕ ipad M 1 M k CV in H in CV in 1 0 h h h K ⊕ opad CV out CV out 1 0 H out h h • The possible targets of a side-channel analysis attack are: K , CV in 1 and CV out 1

  7. Background Correlation Analysis Results Conclusion Outline Background Correlation Analysis Theory Practice Results AES-bases candidates Others Candidates Conclusion

  8. Background Correlation Analysis Results Conclusion Correlation • A selection function is defined as w = f ( cv , m ) • The theoretical correlation between a data set x i for a key guess j and the data set y i for an arbitrary real key r is: � ( x i − x )( y i − y ) c ( j , r ) = �� ( x i − x ) 2 . �� ( y i − y ) 2 • Assumming a leakage in the Hamming Weight model: x i = HW ( f ( j , m i )) and y i = HW ( f ( r , m i )) • Given a selection function, it is possible to compute c ( j , r ) for all key guess and look a the correlation contrast between the real key and the wrong keys

  9. Background Correlation Analysis Results Conclusion SHA-3 Selection functions The typical selection functions that will be found in SHA-3 candidates are: • AES sbox (256 → 256 substitution): w = SBOX AES ( cv ⊕ m ) • Modular addition: w = ( cv ⊞ m ) mod 256 • Exclusive OR logic operation: w = cv ⊕ m • HAMSI sbox ( 16 → 16 substitution): w = SBOX HAMSI ( cv i + 1 || m i + 1 || cv i || m i )

  10. Background Correlation Analysis Results Conclusion SHA-3 Selection functions The typical selection functions that will be found in SHA-3 candidates are: • AES sbox (256 → 256 substitution): w = SBOX AES ( cv ⊕ m ) • Modular addition: w = ( cv ⊞ m ) mod 256 • Exclusive OR logic operation: w = cv ⊕ m • HAMSI sbox ( 16 → 16 substitution): w = SBOX HAMSI ( cv i + 1 || m i + 1 || cv i || m i )

  11. Background Correlation Analysis Results Conclusion SHA-3 Selection functions The typical selection functions that will be found in SHA-3 candidates are: • AES sbox (256 → 256 substitution): w = SBOX AES ( cv ⊕ m ) • Modular addition: w = ( cv ⊞ m ) mod 256 • Exclusive OR logic operation: w = cv ⊕ m • HAMSI sbox ( 16 → 16 substitution): w = SBOX HAMSI ( cv i + 1 || m i + 1 || cv i || m i )

  12. Background Correlation Analysis Results Conclusion SHA-3 Selection functions The typical selection functions that will be found in SHA-3 candidates are: • AES sbox (256 → 256 substitution): w = SBOX AES ( cv ⊕ m ) • Modular addition: w = ( cv ⊞ m ) mod 256 • Exclusive OR logic operation: w = cv ⊕ m • HAMSI sbox ( 16 → 16 substitution): w = SBOX HAMSI ( cv i + 1 || m i + 1 || cv i || m i )

  13. Background Correlation Analysis Results Conclusion Selection function efficiency, r = 8 1 correlation ( AES Sbox) j correlation (modular addition) 1 j − 0 . 5 correlation (XOR) 1 j − 1

  14. Background Correlation Analysis Results Conclusion Selection function efficiency • Results for the HAMSI sbox selection function: real and guess key j = 0 j = 1 j = 2 j = 3 r = 0 + 1 . 00 − 0 . 17 − 0 . 56 − 0 . 87 r = 1 − 0 . 17 + 1 . 00 + 0 . 87 − 0 . 09 r = 2 − 0 . 56 + 0 . 87 + 1 . 00 + 0 . 17 r = 3 − 0 . 87 − 0 . 09 + 0 . 17 + 1 . 00

  15. Background Correlation Analysis Results Conclusion Correlation Contrast • The correlation contrast is computed from the highest correlation for a wrong guess ( c w ) selection modular AES HAMSI XOR function Sbox addition Sbox c c = 1 −| c w | | c w | c w 0 . 23 0 . 75 0 . 87 − 1 c c 3 . 34 0 . 33 0 . 15 0 • The selection function efficiency E is linked to the correlation contrast E ( AES Sbox ) > E ( modular addition ) > E ( HAMSI Sbox ) > E ( XOR )

  16. Background Correlation Analysis Results Conclusion Correlation Contrast • The correlation contrast is computed from the highest correlation for a wrong guess ( c w ) selection modular AES HAMSI XOR function Sbox addition Sbox c c = 1 −| c w | | c w | c w 0 . 23 0 . 75 0 . 87 − 1 c c 3 . 34 0 . 33 0 . 15 0 • The selection function efficiency E is linked to the correlation contrast E ( AES Sbox ) > E ( modular addition ) > E ( HAMSI Sbox ) > E ( XOR )

  17. Background Correlation Analysis Results Conclusion Measurement platform • Xilinx Spartan FPGA • Software selection function running on a TSK3000 RISC CPU • 5 GS/s sampling frequency • Homemade EMA sensor • 30db Amplifier (1GHz BdW) • 100.000 curves • 10 curves per message

  18. Background Correlation Analysis Results Conclusion Selection functions implementation

  19. Background Correlation Analysis Results Conclusion CEMA results: correlation curves for correct and wrong guess

  20. Background Correlation Analysis Results Conclusion CEMA results (5 best guess for each target byte)

  21. Background Correlation Analysis Results Conclusion CEMA results versus number of curves

  22. Background Correlation Analysis Results Conclusion Outline Background Correlation Analysis Theory Practice Results AES-bases candidates Others Candidates Conclusion

  23. Background Correlation Analysis Results Conclusion ECHO side channel analysis • Internal state at the end of the first round: w i 0 [ b ] = α · cv ′ i 1 [ b ] ⊕ β · m ′ i 2 [ b ] ⊕ γ · m ′ i 3 [ b ] ⊕ δ · m ′ i 4 [ b ] • Internal state in second round, after AES Sbox operation: w ′ i [ b ] = Sbox ( w i [ b ] ⊕ t i [ b ]) • 64 AES Sbox side-channel attacks to retrieve CV • For each cv ′ i , four selection functions can be exploits

  24. Background Correlation Analysis Results Conclusion Grøstl side channel analysis • Internal state after the AES Sbox operation during first round of P G w ′ [ b ] = Sbox ( m [ b ] ⊕ CV [ b ]) • In this case, CPA is straightforward • 64 AES Sbox side-channel attacks to retrieve CV • It is possible to speed up the attack by a factor 64 by choosing all m [ b ] equals

  25. Background Correlation Analysis Results Conclusion SHAvite-3 side channel analysis • Internal state after the AES Sbox operation during first round of E S w ′ [ b ] = Sbox ( CV R [ b ] ⊕ m 1 0 [ b ]) • Internal state after the AES Sbox operation during second round of E S z ′ [ b ] = Sbox ( CV L [ b ] ⊕ w ′′ [ b ] ⊕ m 2 0 [ b ]) • 32 AES Sbox side-channel attacks to retrieve CV • In order to retrieve CV L , the right part CV R must be found without errors

  26. Background Correlation Analysis Results Conclusion BLAKE description • Overview: CV i + 1 = final ( E B M i ( init ( CV i )) , CV i ) • E B is a block cipher composed of 10 rounds, each consisting of the application of eight 128-bit sub-functions G i Initialisation Finalization M i CV i cv 0 cv 1 cv 2 cv 3 cv 0 cv 1 cv 2 cv 3 cv 4 cv 5 cv 6 cv 7 E B cv 4 cv 5 cv 6 cv 7 t 0 t 1 t 2 t 3 t 4 t 5 t 6 t 7 CV i + 1

  27. Background Correlation Analysis Results Conclusion BLAKE description • One round of E B computes: G 0 ( v 0 , v 4 , v 8 , v 12 ) G 1 ( v 1 , v 5 , v 9 , v 13 ) G 2 ( v 2 , v 6 , v 10 , v 14 ) G 3 ( v 3 , v 7 , v 11 , v 15 ) G 4 ( v 0 , v 5 , v 10 , v 15 ) G 5 ( v 1 , v 6 , v 11 , v 12 ) G 6 ( v 2 , v 7 , v 8 , v 13 ) G 7 ( v 3 , v 4 , v 9 , v 14 ) • The function G s ( a , b , c , d ) processes the following steps: ← ( a ⊞ b ) ⊞ ( m i ⊕ k j ) a d ← ( d ⊕ a ) ≫ 16 c ← ( c ⊞ d ) d ← ( b ⊕ c ) ≫ 12 a ← ( a ⊞ b ) ⊞ ( m j ⊕ k i ) d ← ( d ⊕ a ) ≫ 8 c ← ( c ⊞ d ) d ← ( b ⊕ c ) ≫ 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22

Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22

Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22 Dec, ASK 2014 @ Chennai, India 1 Overview Introduction to HMAC Pollard Rho Method and Functional Graph Distinguishers, Forgeries and Key

604 views • 34 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Link with linear cryptanalysis Standard Differential Power Analysis Noise-based security (is

1.17k views • 92 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

FIRST TALK A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt f r Sicherheit in der Informationstechnik (BSI), Bonn, Germany Barcelona, May 22, 2007 Power attacks on a block cipher

1.13k views • 13 slides
Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Conference on Cryptographic Hardware and Embedded Systems (CHES) 2020 Strength in Numbers: Improving Generalization with Ensembles in Machine Learning-based Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

468 views • 25 slides
Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages Cryptarchi 2018 June 17-19, 2018 Guidel-Plage, France Eloi de Chrisey, Sylvain Guilley & Olivier Rioul Tlcom ParisTech, Universit

559 views • 34 slides
Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high security solutions Rohde & Schwarz SIT GmbH Stuttgart/Germany Dr. Torsten Schtze Workshop on Applied Cryptography Lightweight

595 views • 15 slides
Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam Bhasin 1 , Dirmanto Jap 1 , Anupam Chattopadhyay 1 , Stjepan Picek 2 , Annelie Heuser 3 , and Ritu Ranjan Shrivastwa 4 1 NTU, Singapore 2 TU Delft,

335 views • 22 slides
State-of-the-art of international standardisation of side-channel analysis test methodologies and

State-of-the-art of international standardisation of side-channel analysis test methodologies and

State-of-the-art of international standardisation of side-channel analysis test methodologies and calibration of acquisition tools Sylvain GUILLEY sylvain.guilley@TELECOM-ParisTech.fr September 10, 2015, PARIS 1/18 Overview on the workshop

836 views • 25 slides
Connecting EnVision Centers and Housing Counseling Agencies September 24, 2020 OFFICE OF

Connecting EnVision Centers and Housing Counseling Agencies September 24, 2020 OFFICE OF

Connecting EnVision Centers and Housing Counseling Agencies September 24, 2020 OFFICE OF HOUSING COUNSELING 1 Technical Issues? Questions? All participants have been muted. Please do not use video camera to ensure best connection.

586 views • 26 slides
Mutual information deep regularization for semi- supervised segmentation J. Peng, M. Pedersoli,

Mutual information deep regularization for semi- supervised segmentation J. Peng, M. Pedersoli,

MIDL 2020 presentation Mutual information deep regularization for semi- supervised segmentation J. Peng, M. Pedersoli, C. Desrosiers Outline We proposed a semi-supervised segmentation method for medical image regularized by Mutual Information

256 views • 13 slides
Motivational Interviewing Part 1: June 5, 2017 Pam Pietruszewski, MA Integrated Health

Motivational Interviewing Part 1: June 5, 2017 Pam Pietruszewski, MA Integrated Health

Motivational Interviewing Part 1: June 5, 2017 Pam Pietruszewski, MA Integrated Health Consultant National Council for Behavioral Health Housekeeping GoToWebinar INSTRUCTIONS: Join the webinar: How to join

525 views • 29 slides
Overview of the Sixth NTCIR Workshop Noriko Kando National Institute of Informatics

Overview of the Sixth NTCIR Workshop Noriko Kando National Institute of Informatics

Overview of the Sixth NTCIR Workshop Noriko Kando National Institute of Informatics http://research.nii.ac.jp/ntcir/ kando (at) nii. ac. jp ntcir6 2006-05-16 Noriko kando 1 NTCIR Workshop is : A series of evaluation workshops designed to

885 views • 87 slides
Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019

Robust Learning from Untrusted Sources Nikola Konstantinov Christoph H. Lampert ICML, June 2019 Konstantinov, Lampert; IST Austria Robust Learning from Untrusted Sources Poster 156 1 / 13 Motivation Collecting data for machine learning

386 views • 28 slides
A meta-learning system for multi-instance classification Gitte Vanwinckelen and Hendrik Blockeel

A meta-learning system for multi-instance classification Gitte Vanwinckelen and Hendrik Blockeel

A meta-learning system for multi-instance classification Gitte Vanwinckelen and Hendrik Blockeel KU Leuven, Belgium Motivation Performed extensive evaluation of multi-instance (MI) learners on datasets from different domains

330 views • 19 slides
Computational Tools Data Simple Calculator Spreadsheet Processing Complex Hybrid Scripting

Computational Tools Data Simple Calculator Spreadsheet Processing Complex Hybrid Scripting

Computational Tools Data Simple Calculator Spreadsheet Processing Complex Hybrid Scripting (toolbox, Language addon) Structured Unstructured 43 Logistics Software Stack MIP Solver Standard Library Data Report (Gurobi, etc.)

644 views • 18 slides
Noisy matrix completion: Understanding statistical guarantees for convex relaxation via nonconvex

Noisy matrix completion: Understanding statistical guarantees for convex relaxation via nonconvex

Noisy matrix completion: Understanding statistical guarantees for convex relaxation via nonconvex optimization Yuxin Chen EE, Princeton University Cong Ma Yuejie Chi Jianqing Fan Yuling Yan Princeton ORFE CMU ECE Princeton ORFE Princeton

1.48k views • 79 slides

More recommend