Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption - PowerPoint PPT Presentation

  1. Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption
     Robert Primas, Peter Pessl, Stefan Mangard
     IAIK, Graz University of Technology, Austria
     CHES 2017, September 28
     www.iaik.tugraz.at

  2-3. Outlook
     - Single-trace SCA on masked asymmetric lattice-based encryption
     - Combination of template attack (TA) with:
       - Belief Propagation
       - Lattice Decoding
     ⇒ Full private key recovery

  4-5. Motivation
     - Lattice-based cryptography is a promising PQ candidate
       - Quantum computer resistant
       - Many efficient schemes available
     - Not a lot of analysis of implementation security
     ⇒ First single-trace SCA for lattice-based crypto

  6. Ring-LWE Encryption
     - Proposed by Lyubashevsky, Peikert and Regev [LPR10]
     - Based on the Learning with Errors problem
     - Operates on polynomials in the ring $\mathbb{Z}_q[x]/(x^n + 1)$
     - In our setting: $q = 7681$, $n = 256$

  7-10. Ring-LWE Encryption (all calculations are in $\mathbb{Z}_q[x]/(x^n + 1)$)
     Alice holds the private key $r_2$; Bob holds the public key $(a, p)$ and the encoded message $m$.
     Bob samples $e_1, e_2, e_3 \leftarrow X^n$ and sends Alice:
     - $c_1 = a e_1 + e_2$ (ciphertext 1)
     - $c_2 = p e_1 + e_3 + m$ (ciphertext 2)

  11-12. Ring-LWE Decryption (all calculations are in $\mathbb{Z}_q[x]/(x^n + 1)$)
     Alice computes $m = c_1 r_2 + c_2$
     ⇒ Inefficient: $> O(n^2)$ due to polynomial division

  13. Number Theoretic Transform (NTT)
     - Efficient polynomial multiplication in certain rings, e.g. $\mathbb{Z}_q[x]/(x^n + 1)$
     - Similar to FFT: $ab = \mathrm{INTT}(\mathrm{NTT}(a) * \mathrm{NTT}(b))$
     - Features a butterfly network

  14. NTT - Butterfly, 2 coefficients
     [Figure: one butterfly. Inputs $x_{0,0}$ and $x_{0,1}$; $x_{0,1}$ is multiplied by the twiddle factor $\omega_n^0$; the outputs are the sum $x_{1,0}$ and the difference $x_{1,1}$.]

  15. NTT - Butterfly Network, 4 coefficients
     [Figure: two layers of butterflies mapping $x_{0,0} \ldots x_{0,3}$ via $x_{1,0} \ldots x_{1,3}$ to $x_{2,0} \ldots x_{2,3}$.]

  16. NTT - Butterfly Network, 256 coefficients
     [Figure: excerpt of the network with the twiddle factors $\omega_n^0$ and $\omega_n^1$ shown on the multiplications.]

  17-18. Efficient Ring-LWE Decryption (all calculations are in $\mathbb{Z}_q[x]/(x^n + 1)$; $\tilde{x}$ is the NTT transform of $x$)
     Alice computes $m = c_1 r_2 + c_2$ as $m = \mathrm{INTT}(\tilde{c}_1 * \tilde{r}_2 + \tilde{c}_2)$
     ⇒ Faster: $O(n \log n)$

  19-20. Attack Idea ($\tilde{x}$ is the NTT transform of $x$; $\tilde{c}_1$ and $\tilde{c}_2$ are public)
     Given the ciphertext $(\tilde{c}_1, \tilde{c}_2)$ and private key $\tilde{r}_2$, decryption is defined as:
     $m = \mathrm{INTT}(\underbrace{\tilde{c}_1 * \tilde{r}_2 + \tilde{c}_2}_{I_{\mathrm{INTT}}}) \bmod q$
     Thus $\tilde{r}_2$ can be expressed as:
     $\tilde{r}_2 = (I_{\mathrm{INTT}} - \tilde{c}_2) * \tilde{c}_1^{-1} \bmod q$
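The NTT decryption path of slides 13 to 18 and the slide-20 identity, worked through as an added Python example (not the talk's code or the de Clercq et al. implementation): it builds a butterfly-network NTT over $\mathbb{Z}_q[x]/(x^n + 1)$ with the talk's $q = 7681$, $n = 256$, checks it against schoolbook multiplication, and shows that the INTT input $I_{\mathrm{INTT}}$ together with the public $\tilde{c}_1, \tilde{c}_2$ determines $\tilde{r}_2$ coefficient-wise. All function names and test vectors are this example's own.

```python
# Added example (not the talk's code): butterfly NTT over Z_q[x]/(x^n+1), q = 7681, n = 256, and the slide-20 key identity.
Q, N = 7681, 256

def find_psi(q=Q, n=N):
    """Primitive 2n-th root of unity mod q (psi^n = -1); the negacyclic twist factor."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("q - 1 must be divisible by 2n")

def ntt_core(a, omega, q=Q):
    """Iterative Cooley-Tukey network: log2(n) layers of butterflies (u, v) -> (u + w*v, u - w*v).
    The twiddle w is the always-known factor of each modular multiplication (slides 23/24)."""
    n, bits = len(a), len(a).bit_length() - 1
    a = [a[int(f"{i:0{bits}b}"[::-1], 2)] for i in range(n)]  # bit-reversed input order
    length = 2
    while length <= n:
        w_len, half = pow(omega, n // length, q), length // 2
        for start in range(0, n, length):
            w = 1
            for j in range(start, start + half):
                u, v = a[j], a[j + half] * w % q
                a[j], a[j + half] = (u + v) % q, (u - v) % q
                w = w * w_len % q
        length *= 2
    return a

def ntt(a, psi, q=Q):
    """Forward negacyclic NTT: twist a_j by psi^j, then butterflies with omega = psi^2."""
    return ntt_core([x * pow(psi, j, q) % q for j, x in enumerate(a)], psi * psi % q, q)

def intt(a_hat, psi, q=Q):
    """Inverse NTT: butterflies with omega^-1, scale by n^-1, untwist by psi^-j."""
    n, a = len(a_hat), ntt_core(list(a_hat), pow(psi, -2, q), q)
    return [x * pow(n, -1, q) * pow(psi, -j, q) % q for j, x in enumerate(a)]

def polymul_negacyclic(a, b, q=Q):
    """Schoolbook multiplication mod x^n + 1, the O(n^2) reference path of slide 12."""
    n, c = len(a), [0] * len(a)
    for i in range(n):
        for j in range(n):
            sign, k = (1, i + j) if i + j < n else (-1, i + j - n)  # x^n = -1
            c[k] = (c[k] + sign * a[i] * b[j]) % q
    return c

def key_from_intt_input(i_intt, c1_hat, c2_hat, q=Q):
    """Slide 20: with I_INTT = c1~ * r2~ + c2~ (the INTT input), r2~ = (I_INTT - c2~) * c1~^-1 mod q per coefficient."""
    return [(i - y) * pow(x, -1, q) % q for i, x, y in zip(i_intt, c1_hat, c2_hat)]
```

The coefficient-wise inversion needs every entry of $\tilde{c}_1$ to be nonzero mod $q$; the point for a defender is that the INTT input is exactly as sensitive as the key itself.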

  21. Attack Strategy
     Steps:
     1. Single-trace TA on the INTT operation
     2. Leakage combination via Belief Propagation (BP)
     3. Key recovery via lattice decoding

  22. Step 1: Template Attack
     - Efficient SW implementation by de Clercq et al. [dCRVV15]
     - Texas Instruments MSP432 (ARM Cortex-M4F)
     - EM side channel of the power regulation circuitry
     - Observed traces are expected to be close to the power consumption

  23-24. Step 1: Template Attack
     - Target: modular multiplication in each butterfly
     - One factor of the multiplication is always known ($\omega_n^x$)
     - Additional exploitation of timing information
     - Goal: probability distribution over each observed coefficient
     [Figure: the 2- and 4-coefficient butterfly networks of slides 14 and 15.]

  25-29. Step 2: Belief Propagation
     - Iterative algorithm
     - Calculate marginal distributions
     - Combine leakage information
     - Usage in SCA first proposed by Veyrat-Charvillon et al. [VGS14]
     [Figure: the 2-coefficient butterfly of slide 14 (inputs $x_{0,0}$, $x_{0,1}$; twiddle $\omega_n^0$; outputs $x_{1,0}$, $x_{1,1}$), repeated over five build slides.]

  30. Step 2: Belief Propagation
     Considerations:
     - Uneven distribution of side-channel information
     - Bad TA performance in the first layer ($\omega_n^0 = 1$)
     [Figure: map of the INTT network, variable index 0 to 255 against layer index 1 to 8, marking for each position whether a multiplication is performed (MUL) or not (No MUL).]

  31. Step 2: Belief Propagation
     Solution:
     - Perform BP on 3 sub-networks (FG 1, FG 2, FG 3)
     - Ignore areas with:
       - No / little side-channel information
       - Comparably noisy side-channel information
     - Not all inputs can be recovered → Step 3
     [Figure: the same map of variable index (0 to 255) against layer index (1 to 8), with the three factor graphs FG 1, FG 2 and FG 3 marked.]

  32-35. Step 2: Belief Propagation
     [Figure: entropy (scale 0 to 13) of each variable, variable index 0 to 127 against layer index 2 to 8, shown after BP iterations 0, 1, 2 and 3.]
