Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient - - PowerPoint PPT Presentation



SLIDE 1

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption

Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology

  • 30. March 2017
slide-2
SLIDE 2

Content

  • Differential power analysis for key recovery
  • Re-keying countermeasure: few data inputs
  • Summary: re-keying induces a DPA that allows recovery of constant plaintexts
    • Streaming mode: first-order DPA
    • Block mode: profiled second-order DPA
  • Multi-party communication, memory encryption

Particularly critical for long-term keys


SLIDE 3

Motivation

  • Symmetric cryptography, e.g., block cipher E
    • Key K used for multiple pi, ci
  • Differential Power Analysis (DPA)
    • n encryptions: EK(pi)
    • Observe power consumption
    • Statistical analysis reveals K

[Diagram: block cipher E under the fixed key K, input pi, output ci]


SLIDE 4

Motivation

  • Protect implementation (masking)
  • Change key frequently (re-keying)
    • Reduce input data complexity
  • Leakage-resilient encryption
    • Protects the key
    • Plaintext?

[Diagram: block cipher E under a per-invocation key ki derived from index i, input pi, output ci]


SLIDE 5

Leakage-Resilient Encryption

  • Extends re-keying to messages of arbitrary length
  • Secure (leak-free) initialization
    • Derive session key ki from master key K
  • Security proof:
    • Assumption: bounded side-channel leakage of the used primitive
    • Scheme’s total leakage on the key is bounded


SLIDE 6

Leakage-Resilient Streaming Mode [SPY+10]

[Diagram: K, g and nonce n give k0; for each i, E under ki with the constant CA yields the next key ki+1 and E under ki with the constant CB yields the pad yi; ci = pi ⊕ yi]


SLIDE 7

Leakage-Resilient Block Mode [TS15]

[Diagram: K, g and nonce n give k0; for each i, E under ki with the constant CA yields the next key ki+1 and ci is E under ki applied directly to pi]


SLIDE 8

DPA on Leakage-Resilient Encryption


SLIDE 9

DPA on Streaming Mode (1)

[Diagram: the streaming mode of slide 6 (K, g, n → k0; ki and CA → ki+1; ki and CB → pad yi; ci = pi ⊕ yi)]


SLIDE 10

DPA on Streaming Mode (2)

  • Encryption of constant p0 with different keys k0, k0′, k0′′, …
  • Leakage model for y0 = c0 ⊕ p0, e.g., HW
  • Compute leakage for all possible values of p0
  • Statistical distinguisher to get correct p0

[Diagram: one streaming-mode block: y0 = E under k0 of CB, c0 = p0 ⊕ y0]


SLIDE 11

DPA on Streaming Mode (3)

  • Standard DPA on XOR
  • Applies to all stream ciphers
    • Key stream always changes: pad must not be reused
    • Encryption of the same plaintext...


SLIDE 12

DPA on Streaming Mode: Evaluation

  • Implementation of LR streaming mode
    • Single AES core with one round per cycle
    • Multiplexing: pad computation and key update
    • Apply 128-bit pad to plaintext in parallel
  • Sakura G board
    • Spartan 6 LX75 FPGA @ 24 MHz
    • Hardware trigger
  • LeCroy WP725Zi @ 250 MS
  • Correlation with byte-wise hypotheses


SLIDE 13

DPA on Streaming Mode: Evaluation

[Plot: correlation (y-axis, 0.05 to 0.15) against number of traces (x-axis, 10,000 to 40,000)]
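To make the attack of slides 10 to 13 concrete, here is an added simulation (not code from the authors or the paper): a single plaintext byte p0 is re-encrypted under fresh keys, the simulated device leaks the Hamming weight of the pad register that is XORed with p0 plus Gaussian noise, and the attacker correlates HW(c0 ⊕ g) for every guess g with the samples, exactly the "standard DPA on XOR" of slide 11. The masked variant keeps the pad as two boolean shares, the countermeasure slide 22 recommends, and the same first-order correlation then disappears; the noise level, trace count and all sample values are constructed assumptions of this simulation.

```python
import random
from statistics import mean, pstdev

def hw(x):
    """Hamming weight: the leakage model used on the slides."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation, the distinguisher of the slides' evaluation."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def simulate_traces(p0, n_traces, masked=False, noise=2.0, seed=1):
    """Constructed traces for one plaintext byte p0 re-encrypted n_traces times.
    Re-keying makes every pad byte y0 fresh, so it is drawn uniformly at random;
    the attacker learns c0 = p0 ^ y0 and one noisy sample of the pad register.
    Unmasked: sample = HW(y0) + noise, with y0 = c0 ^ p0 as on slide 10.
    Masked: y0 is held as boolean shares (y0 ^ m, m) and both shares leak, so
    the sample mean no longer depends on y0 (only its variance does)."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        y0 = rng.getrandbits(8)
        c0 = p0 ^ y0
        if masked:
            m = rng.getrandbits(8)
            leak = hw(y0 ^ m) + hw(m)
        else:
            leak = hw(y0)
        traces.append((c0, leak + rng.gauss(0.0, noise)))
    return traces

def recover_plaintext_byte(traces):
    """Standard DPA on the XOR: for every plaintext guess g predict HW(c0 ^ g)
    per trace and correlate with the samples. Returns (best guess, its correlation)."""
    samples = [s for _, s in traces]
    corrs = [pearson([hw(c0 ^ g) for c0, _ in traces], samples) for g in range(256)]
    best = max(range(256), key=corrs.__getitem__)
    return best, corrs[best]

if __name__ == "__main__":
    for masked in (False, True):
        guess, corr = recover_plaintext_byte(simulate_traces(0x3C, 3000, masked=masked))
        print(f"{'masked' if masked else 'unmasked'}: guess=0x{guess:02x} corr={corr:.3f}")
```

With the 128-bit pad of slide 12 the same loop runs once per byte position; the unmasked run recovers p0 with a correlation near 0.58 at 3,000 traces, while the masked run's best guess stays in the noise.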


SLIDE 14

DPA on Block Mode (1)

[Diagram: the block mode of slide 7 (K, g, n → k0; ki and CA → ki+1; ci = E under ki of pi)]


SLIDE 15

DPA on Block Mode (2)

  • Encryption of constant p0 with different keys k0, k0′, k0′′, …
  • Block cipher: no simple leakage model using p0
  • Unknown Plaintext Template Attacks [HTM09]
    • Constant key and varying, unknown plaintext
    • Idea: switch roles of key and plaintext

[Diagram: one block-mode block: c0 = E under k0 of p0]


SLIDE 16

DPA on Block Mode (3)

  • Profiling phase: templates for k0,0 and v0
  • Attack phase:
    • Probabilities for k0,0 and v0
    • Joint probability of k0,0 and v0 → p0,0
    • Many different keys to get unique p0,0

[Diagram: c0 = E under k0 of p0, zoomed to the first byte: plaintext byte p0,0 and key byte k0,0 enter the S-box S, whose output is v0, …]


SLIDE 17

DPA on Block Mode: Evaluation

  • Implementation of LR block mode
    • AES: byte-oriented C implementation (AVR-Crypto-Lib)
  • ChipWhisperer-Lite
    • Atmel XMEGA128D4-U @ 7.4 MHz
    • Sampling on board 29.5 MS
  • Template building using 30 000 traces
    • Hamming weight of a byte (key / sbox)
    • Multivariate Gaussian templates (50 POI)


SLIDE 18

DPA on Block Mode: Evaluation

[Plot: sample variance (y-axis, 1 to 3 ·10⁻⁴) against the x-axis range 500 to 3,000; two curves labelled S-box and Key]


SLIDE 19

DPA on Block Mode: Evaluation

[Plot: probability (y-axis, 0.2 to 1) against number of traces (x-axis, 1,000 to 5,000)]

SLIDE 20

Applications

  • Leakage rises with the amount of processed data
    • Mixing constant with varying data
    • Key vs. plaintext leakage
  • Communication protocols
    • SSL: fresh session key
    • Download static file from, e.g., webserver
    • LR encryption: transmission errors
    • Constrained resources: re-encryption
    • Key wrapping insufficient


SLIDE 21

Application: Memory Encryption

  • RAM encryption: fresh key on startup, e.g., Intel SGX
    • Critical if long-term key is loaded into RAM
    • Plaintext recovery = key recovery
  • Storage with LR encryption:
    • Read-modify-write operations
    • Key update when a part changes, e.g., 1 byte in 128-bit block
  • RAM encryption using counter mode:
    • Pad computed from address and block counter
    • Key changes on every copy and write-back


SLIDE 22

Conclusion

  • Security of re-keying in LR encryption
    • Protects the key from SCA
  • Vulnerability: re-encryption of constant plaintexts
    • 1st order DPA on stream cipher
    • 2nd order template attack on block mode
  • Classical setting: mixing constant with varying data
  • Relevance: memory encryption and multi-party communication
    • Use masking in these applications


SLIDE 23

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption

SLIDE 24

References

[HTM09] Neil Hanley, Michael Tunstall, and William P. Marnane. Unknown plaintext template attacks. In WISA 2009, pages 148–162, 2009.

[SPY+10] François-Xavier Standaert, Olivier Pereira, Yu Yu, Jean-Jacques Quisquater, Moti Yung, and Elisabeth Oswald. Leakage resilient cryptography in practice. In Towards Hardware-Intrinsic Security – Foundations and Practice, pages 99–134, 2010.

[TS15] Mostafa M. I. Taha and Patrick Schaumont. Key updating for leakage resiliency with application to AES modes of operation. IEEE Trans. Information Forensics and Security, 10(3):519–528, 2015.
