SLIDE 1

Single-Trace Attacks on Keccak

Matthias J. Kannwischer (1), Peter Pessl (2), Robert Primas (3)

(1) Radboud University, Nijmegen
(2) Graz University of Technology (now with Infineon Technologies)
(3) Graz University of Technology

SLIDE 2

Side-Channel Attacks on Hash Functions?

• Plain hashing has no secrets, but there are keyed uses
  • HMAC? Classic DPA setting, threat is obvious...
• Keccak (SHA3/SHAKE) found ample new uses involving secrets
  • ...especially in post-quantum cryptography

Single-Trace Attacks on Keccak — CHES 2020

SLIDE 3

Side-Channel Attacks on Hash Functions?

• Keccak uses in PQC include
  • derivation of a shared secret in a KEM
  • expansion of a secret seed in KEMs and signatures
  • hash-based signatures
• Above: side-channel attacker is limited to a single execution
  • at most averaging, but still no DPA

Are attacks even possible? Are countermeasures still needed?

SLIDE 4

Our Contribution

• Practical single-trace attack on Keccak (software) implementations
• Soft-analytical side-channel attack (SASCA)
  1. Template matching: retrieve probabilities of intermediates
  2. Belief propagation: combine all probabilities to infer most likely key
  • thus far: mainly applied to AES, but Keccak structurally very different
• Attack outcome
  • key-recovery in a large array of settings, countermeasures cannot be omitted
  • factors influencing the success rate: key size, bit width of device, structure of input

SLIDE 5

Keccak

• Sponge construction, 1600-bit state

[Figure: sponge construction. State initialised to 0^r || 0^c; message blocks m0, m1 are absorbed and outputs H0, H1, ... are squeezed, with the permutation f applied between blocks (phases: Absorb, Squeeze)]


SLIDE 11

Keccak

• Sponge construction, 1600-bit state
• Keccak-f permutation
  • θ - add column parities
  • ρ - rotate lanes
  • π - reorder lanes
  • χ - SBox
  • ι - add round constant

SLIDE 12

Attack Setting

• Unprotected software implementation on a µC
• (Part of) the input is secret
  • and used only once
• Power measurements of a single execution
  • no differential SCA
  • have to use (some sort of) templates

[Figure: sponge construction absorbing m0, m1 into the state 0^r || 0^c through f and squeezing H0, ...]

SLIDE 13

Template Attacks on Hash Functions

• Typical restrictions of template attacks
  • need templating device with known key
  • poor portability of templates between devices
• Same for Keccak?
  • often multiple calls inside a PK scheme, some with fully known data
  • message hash during signing, re-encryption in decapsulation, ...

Profiling directly on target device! No separate profiling device needed, no portability problems.

SLIDE 14

Step 1: Template Matching

• Templating target: all loads/stores
  • HW leakage along lanes
  • assign probability vector to each part

[Figure: 64-bit lane]

• Now: combine all side channel info to find most likely key
  • efficient method: Soft Analytical Side-Channel Attacks (SASCA) [Veyrat-Charvillon et al., ASIACRYPT 2014]


SLIDE 17

Step 2: SASCA / Belief Propagation

1. model implementation as a factor graph
  • variable nodes
  • factor nodes
  • example: X ⊕ Y = Z
2. incorporate leakage information in graph
3. run Belief Propagation
  • goal: find marginals of variables
  • message passing principle
  • simplest version: enumerate inputs
  • important: avoid circular reasoning

[Figure: factor graph for X ⊕ Y = Z with variable nodes X, Y, Z]


SLIDE 23

A First Factor Graph of Keccak

• Bitwise description
  • each bit after each step is a variable
• Terrible performance...
  • leakage on bytes/words, not bits
  • lots of information lost during propagation

SLIDE 24

Solution: Clustering

• Cluster multiple bits in a single variable node
  • bits along a lane
  • ideally: no spreading of side-channel info
• Cluster size vs. resource usage
  • runtime and memory: exponential in cluster size
  • we support 8-bit and 16-bit clusters

[Figure: 64-bit lane]

SLIDE 25

Clustering: Misalignment

• Problem: misalignment of clusters
  • previous SASCA on AES: operations on bytes
  • Keccak operations not aligned
• Example: A ⊕ ROT(B, 4)
• Need to split clusters
  • requires extraction of marginals

[Figure: clusters of A and of ROT(B, 4)]

SLIDE 26

Clustering: Handling θ

• Computation of column parity
  • 5-input ⊕ node (efficient propagation)
  • enumeration of all possible values: 2^40 (8-bit cluster)
  • solution: fast convolution of distributions using Walsh-Hadamard transform

[Figure: ⊕ node with five inputs I and parity output P]
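The ⊕ factor node from Step 2 and the Walsh-Hadamard shortcut for the 5-input θ parity node, as an added Python example that is not taken from the slides or from the authors' repository. All function names and the constructed distributions are assumptions made for illustration; `xor_enumerate` is the "enumerate inputs" variant, kept as a reference for the fast version.

```python
from itertools import product


def fwht(vec):
    """Unnormalised Walsh-Hadamard transform; len(vec) must be a power of two."""
    a = list(vec)
    h = 1
    while h < len(a):
        for start in range(0, len(a), 2 * h):
            for j in range(start, start + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def xor_convolve(dists):
    """Distribution of x_1 ^ ... ^ x_k for independent x_i ~ dists[i]."""
    n = len(dists[0])
    spectrum = [1.0] * n
    for d in dists:
        spectrum = [s * t for s, t in zip(spectrum, fwht(d))]
    # The transform is its own inverse up to a factor of n.
    return [v / n for v in fwht(spectrum)]


def xor_enumerate(dists):
    """Reference: enumerate every input combination (n**k terms)."""
    n = len(dists[0])
    out = [0.0] * n
    for combo in product(range(n), repeat=len(dists)):
        p, x = 1.0, 0
        for d, v in zip(dists, combo):
            p *= d[v]
            x ^= v
        out[x] += p
    return out


def parity_message(incoming):
    """Normalised message from a multi-input XOR factor to one neighbour."""
    # XOR is its own inverse, so the message to any neighbour (input or
    # parity output) is the XOR-convolution of the messages from the others.
    msg = [max(v, 0.0) for v in xor_convolve(incoming)]  # clip float noise
    total = sum(msg)
    return [v / total for v in msg]


if __name__ == "__main__":
    dists = [[0.7, 0.1, 0.1, 0.1]] * 5  # constructed 2-bit beliefs
    fast, slow = xor_convolve(dists), xor_enumerate(dists)
    print(max(abs(a - b) for a, b in zip(fast, slow)))
```

For 8-bit clusters the transform works on vectors of length 256, so one message costs a few thousand additions per input instead of the 2^40 combinations of plain enumeration.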


SLIDE 28

Clustering: Further Considerations

• Handling χ
  • break up clusters to deal with invertibility
• Handling 32-bit leakage
  • found efficient method to combine leakage
  • convolution instead of enumeration

[Figure: clusters A, B, C, D]

SLIDE 29

Attack Runtime

• Open-source Python implementation of BP on Keccak: https://github.com/keccaksasca/keccaksasca
• Restriction to first two rounds of Keccak-f
• Runtime per BP iteration (updating all nodes once)
  • 8-bit clusters: ∼ seconds on single core
  • 16-bit clusters: ∼ 1 minute using 44 cores
  • 8-bit clusters sufficient in most cases
• BP: iterative algorithm, repeat until convergence.
  • typically < 10 iterations

SLIDE 30

Attack Evaluation

• Goal: recover secret input of Keccak-f
• Evaluation tool: leakage simulations
  • noisy HW-leakage of loads/stores (at typical locations)
  • for 8, 16, and 32-bit implementations
  • vary noise σ, retrieve success rate
• Analyze impact of key size
  • evaluate 128 and 256-bit keys

SLIDE 31

On the Impact of the Input State

• Keccak-f input: part secret, part known
• Content of public part impacts success rate!
• All-zero public input
  • state = secret || 0000...
  • example: SHAKE(128-bit seed)
• Random public input
  • state = secret || rand
  • example: H(msg || key)
• Attacks with Random public input work much better!

[Figure: sponge construction absorbing m0, m1 into the state 0^r || 0^c through f and squeezing H0, ...]


SLIDE 34

But why though?

• Reason: ⊕ of θ-effect T
• Observation: knowing T allows key recovery
• All-zero public input
  • T added 4 times to 0
  • same operation 4 times, averaging
• Random public input
  • T added to 4 different values
  • similar to a DPA using 4 traces

[Figure: column of five input lanes I (one secret, four public with example values 0xAB, 0x81, 0x09, 0x29), the θ-effect T, and five output lanes O]
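An added Python illustration (not from the slides or the authors' code) of the all-zero versus random public input argument on one 8-bit slice of T, useful when judging how exposed a given input layout is. It assumes the leaked intermediates are T ⊕ p_i under the Gaussian-noise Hamming-weight model named on the evaluation slide; the public bytes are the four values from the figure, while the value of T, σ and the noise samples are constructed.

```python
import math

# Public bytes from the slide's figure; T_TRUE, SIGMA and NOISE are constructed.
PUBLIC_RANDOM = [0xAB, 0x81, 0x09, 0x29]
PUBLIC_ZERO = [0x00] * 4
T_TRUE = 0x5C
SIGMA = 0.5
NOISE = [0.3, -0.4, 0.2, -0.1]


def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")


def leak(t, public_bytes, noise):
    """One noisy Hamming-weight sample per intermediate t ^ p (assumed model)."""
    return [hw(t ^ p) + e for p, e in zip(public_bytes, noise)]


def posterior(samples, public_bytes, sigma):
    """Posterior over all 256 values of t under Gaussian HW templates."""
    weights = []
    for t in range(256):
        sq_err = sum((s - hw(t ^ p)) ** 2 for s, p in zip(samples, public_bytes))
        weights.append(math.exp(-sq_err / (2 * sigma ** 2)))
    total = sum(weights)
    return [w / total for w in weights]


def confidence(t, public_bytes, noise, sigma=SIGMA):
    """Posterior probability assigned to the true t after the four samples."""
    return posterior(leak(t, public_bytes, noise), public_bytes, sigma)[t]


def tied_candidates(t, public_bytes):
    """Values indistinguishable from t when the samples are noise-free."""
    target = [hw(t ^ p) for p in public_bytes]
    return [c for c in range(256) if [hw(c ^ p) for p in public_bytes] == target]


if __name__ == "__main__":
    for name, pub in (("all-zero", PUBLIC_ZERO), ("random", PUBLIC_RANDOM)):
        print(name, len(tied_candidates(T_TRUE, pub)),
              round(confidence(T_TRUE, pub, NOISE), 4))
```

With all-zero public input the four samples only repeat HW(T), so every value of the same weight stays tied however low the noise is; with distinct public bytes each sample constrains T differently.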

SLIDE 35

Results: 8-bit Device

8-bit HW leakage, real σ ≈ 0.5 (XMEGA128D4)

[Figure: two plots of success rate (y-axis, 0.5 and 1 marked; x-axis ticks 1, 2, 3). Random public input: curves for 128-bit and 256-bit keys. All-zero public input: curves for 128-bit and 256-bit keys]

SLIDE 36

Results: 16-bit Device

16-bit HW leakage, real σ ≈ ?

[Figure: two plots of success rate (y-axis, 0.5 and 1 marked; x-axis ticks 1, 2, 3). Random public input: curves for 128-bit and 256-bit keys. All-zero public input: curve for 128-bit keys]

SLIDE 37

Results: 32-bit Device

32-bit HW leakage, real σ ≈ 0.4 - 3 (STM32F303)

[Figure: plot of success rate (y-axis, 0.5 and 1 marked; x-axis ticks 1, 2, 3). Random public input: curve for 128-bit keys]

SLIDE 38

Conclusion

Single-trace attacks are a considerable threat...

• especially for 8/16-bit implementations, situation less clear for 32-bit devices

But...

• we used a simple leakage model (simulations with univariate HW templates)
• more sophisticated attacker will fare better (remember: on-device profiling)

Must always include (basic) countermeasures...

• hiding (shuffling, dummy operations, etc.) effective
• masking also an option, but some restrictions

SLIDE 39

https://github.com/keccaksasca/keccaksasca

Thank you!