Single-Trace Attacks on Keccak



  1. Single-Trace Attacks on Keccak
     Matthias J. Kannwischer¹, Peter Pessl², Robert Primas³
     ¹ Radboud University, Nijmegen
     ² Graz University of Technology (now with Infineon Technologies)
     ³ Graz University of Technology

  2. Side-Channel Attacks on Hash Functions?
     - Plain hashing has no secrets, but there are keyed uses
     - HMAC? Classic DPA setting, threat is obvious...
     - Keccak (SHA3/SHAKE) found ample new uses involving secrets
       - ... especially in post-quantum cryptography

     Single-Trace Attacks on Keccak — CHES 2020

  3. Side-Channel Attacks on Hash Functions?
     - Keccak uses in PQC include
       - derivation of a shared secret in a KEM
       - expansion of a secret seed in KEMs and signatures
       - hash-based signatures
     - Above: side-channel attacker is limited to a single execution
       - at most averaging, but still no DPA

     Are attacks even possible? Are countermeasures still needed?

  4. Our Contribution
     - Practical single-trace attack on Keccak (software) implementations
     - Soft-analytical side-channel attack (SASCA)
       1. Template matching: retrieve probabilities of intermediates
       2. Belief propagation: combine all probabilities to infer most likely key
       - thus far: mainly applied to AES, but Keccak structurally very different
     - Attack outcome
       - key-recovery in a large array of settings, countermeasures cannot be omitted
       - factors influencing the success rate: key size, bit width of device, structure of input

  5. Keccak
     - Sponge construction, 1600-bit state

     [Figure: sponge construction with inputs m0, m1, outputs H0, H1, permutation f, rate r, capacity c, and Absorb and Squeeze phases]


  11. Keccak
     - Sponge construction, 1600-bit state
     - Keccak-f permutation
       - θ - add column parities
       - ρ - rotate lanes
       - π - reorder lanes
       - χ - SBox
       - ι - add round constant

  12. Attack Setting
     - Unprotected software implementation on a µC
     - (Part of) the input is secret
       - and used only once
     - Power measurements of a single execution
       - no differential SCA
       - have to use (some sort of) templates

     [Figure: sponge construction with inputs m0, m1, output H0, permutation f, rate r, capacity c]

  13. Template Attacks on Hash Functions
     - Typical restrictions of template attacks
       - need templating device with known key
       - poor portability of templates between devices
     - Same for Keccak?
       - often multiple calls inside a PK scheme, some with fully known data
       - message hash during signing, re-encryption in decapsulation, ...

     Profiling directly on target device! No separate profiling device needed, no portability problems.

  14. Step 1: Template Matching
     - Templating target: all loads/stores
       - HW leakage along lanes
       - assign probability vector to each part
     - Now: combine all side channel info to find most likely key
       - efficient method: Soft Analytical Side-Channel Attacks (SASCA) [Veyrat-Charvillon et al., ASIACRYPT 2014]

     [Figure: lane of the state, labelled 64]


  17. Step 2: SASCA / Belief Propagation
     1. model implementation as a factor graph
        - variable nodes
        - factor nodes
        - example: X ⊕ Y = Z
     2. incorporate leakage information in graph
     3. run Belief Propagation
        - goal: find marginals of variables
        - message passing principle
        - simplest version: enumerate inputs
        - important: avoid circular reasoning

     [Figure: factor graph for X ⊕ Y = Z with variable nodes X, Y, Z]


  23. A First Factor Graph of Keccak
     - Bitwise description
       - each bit after each step is a variable
     - Terrible performance...
       - leakage on bytes/words, not bits
       - lots of information lost during propagation

  24. Solution: Clustering
     - Cluster multiple bits in a single variable node
       - bits along a lane
       - ideally: no spreading of side-channel info
     - Cluster size vs. resource usage
       - runtime and memory: exp. in cluster size
       - we support 8-bit and 16-bit clusters

     [Figure: lane of the state, labelled 64]

  25. Clustering: Misalignment
     - Problem: misalignment of clusters
       - previous SASCA on AES: operations on bytes
       - Keccak operations not aligned
     - Example: A ⊕ ROT(B, 4)
     - Need to split clusters
       - requires extraction of marginals

     [Figure: clusters of A and ROT(B, 4)]

  26. Clustering: Handling θ
     - Computation of column parity
       - 5-input ⊕ node (efficient propagation)
       - enumeration of all possible values: 2^40 (8-bit cluster)
       - solution: fast convolution of distributions using Walsh-Hadamard transform

     [Figure: five input nodes I connected to parity node P]


  28. Clustering: Further Considerations
     - Handling χ
       - break up clusters to deal with invertibility
     - Handling 32-bit leakage
       - found efficient method to combine leakage
       - convolution instead of enumeration

     [Figure: nodes A, B, C, D]

  29. Attack Runtime
     - Open-source Python implementation of BP on Keccak: https://github.com/keccaksasca/keccaksasca
     - Restriction to first two rounds of Keccak-f
     - Runtime per BP iteration (updating all nodes once)
       - 8-bit clusters: ∼ seconds on single core
       - 16-bit clusters: ∼ 1 minute using 44 cores
       - 8-bit clusters sufficient in most cases
     - BP: iterative algorithm, repeat until convergence.
       - typically < 10 iterations

  30. Attack Evaluation
     - Goal: recover secret input of Keccak-f
     - Evaluation tool: leakage simulations
       - noisy HW-leakage of loads/stores (at typical locations)
       - for 8, 16, and 32-bit implementations
       - vary noise σ, retrieve success rate
     - Analyze impact of key size
       - evaluate 128 and 256-bit keys
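
The "Clustering: Handling θ" slide replaces the 2^40-value enumeration at the 5-input ⊕ node with a Walsh-Hadamard convolution. The following is an added example, not code from the slides or from the keccaksasca repository, that computes the parity distribution both ways and compares them; all function names are hypothetical and the input distributions are constructed at random.

```python
from itertools import product
import random

def wht(v):
    """Unnormalised fast Walsh-Hadamard transform; len(v) must be a power of two."""
    v = list(v)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v

def xor_parity_wht(dists):
    """Distribution of I0 ^ I1 ^ ... for independent cluster distributions.
    XOR-convolution becomes a pointwise product in the Walsh-Hadamard domain,
    so the cost is O(k * n log n) instead of n**k enumerated tuples."""
    n = len(dists[0])
    spectrum = [1.0] * n
    for d in dists:
        spectrum = [s * t for s, t in zip(spectrum, wht(d))]
    # The inverse transform is the same butterfly scaled by 1/n.
    return [x / n for x in wht(spectrum)]

def xor_parity_enum(dists):
    """Reference: enumerate every input tuple (n**k terms, small n only)."""
    n = len(dists[0])
    out = [0.0] * n
    for combo in product(range(n), repeat=len(dists)):
        p, x = 1.0, 0
        for d, val in zip(dists, combo):
            p *= d[val]
            x ^= val
        out[x] += p
    return out

def demo(bits=3, inputs=5, seed=1):
    """Compare both methods on constructed random distributions (3-bit clusters)."""
    rng = random.Random(seed)
    dists = []
    for _ in range(inputs):
        w = [rng.random() for _ in range(1 << bits)]
        dists.append([x / sum(w) for x in w])
    fast, slow = xor_parity_wht(dists), xor_parity_enum(dists)
    return max(abs(a - b) for a, b in zip(fast, slow)), sum(fast)
```

Because x0 = p ⊕ x1 ⊕ ... ⊕ x4, the same function also gives the message from the ⊕ node towards any one neighbour when called with the distributions of the other five.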
