Synthesis Tools for White-box Implementations


  1. Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg WhibOx Workshop May 19, 2019

  2. Plan: Introduction, Circuit Construction, Compilation, Attacks, Conclusion

  3. This talk:
     • Python-based framework for practical white-box implementations
     • Easy to use
     • For research purposes
     • ... and the WhibOx contest

  4. Circuit Implementations
     + simple framework, both for synthesis and analysis
     + existing literature on hardware design
     + easy to simulate everywhere
     – slow (1 bit / register, unless batch execution)
     – large code size (storing circuit)
     – the power of Random Access Machine is not fully utilised (though simulation can be obfuscated on top)

  6. Framework for Circuit WB Synthesis
     • easy implementations (bitwise are simple, for S-boxes a circuit is needed)
     • easy masking (linear + nonlinear)
     • starting point for further obfuscation
     • included:
       • batch circuit tracing
       • basic DCA-like analysis (correlation, exact matches, linear algebra attack)
       • convenient C code generation for the WhibOx contest

  9. A Quick Teaser

         NR = 10
         KEY = "MySecretKey!2019"

         pt = Bit.inputs("pt", 128)
         ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), rounds=NR)

         prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127],
                     state=BitAES(pt, pt, rounds=2)[0])
         rand = Pool(n=128, prng=prng).step

         ct = mask_circuit(ct, MINQ(rand=rand))
         ct = mask_circuit(ct, DOM(rand=rand, nshares=2))

         whibox_generate(ct, "build/submit.c", "Hello, world!")

     • AES circuit with configurable masking (quadratic MINQ + linear DOM-indep)
     • WhibOx CTF - ready :)
     • (ouch, no fault protection...)

  12. Circuit Construction
      • Bit: a circuit node, operations are overloaded:

            x = Bit.input("x")
            y = Bit.input("y")
            print ~(x & y) ^ y

        Output: (~(x & y) ^ y)

      • Vector: a list that propagates operations to its elements.
      • (Keyless) Simon:

            pt = Vector(Bit.inputs("pt", 32))
            l, r = pt.split()
            for round in xrange(32):
                r ^= (l.rol(1) & l.rol(8)) ^ l.rol(2)
                l, r = r, l
            ct = l.concat(r)

  13. AES Circuit (1/2)
      • AES-128 circuit included (≈ 31000 gates); based on Canright's S-Box.

            key = Bit.consts(str2bin("MySecreyKey!2019"))
            pt = Bit.inputs("pt", 128)
            ct, k10 = BitAES(pt, key, rounds=10)
            # k10 is the last subkey

  14. AES Circuit (2/2)
      • Clean and modular internal structure, easy to modify.
      • Rect: representation of rectangular (AES-like) states.

            def BitAES(plaintext, key, rounds=10):
                bx = Vector(plaintext).split(16)
                bk = Vector(key).split(16)
                state = Rect(bx, w=4, h=4).transpose()
                kstate = Rect(bk, w=4, h=4).transpose()
                for rno in xrange(rounds):
                    state = AK(state, kstate)
                    state = SB(state)
                    state = SR(state)
                    if rno < rounds-1:
                        state = MC(state)
                    kstate = KS(kstate, rno)
                state = AK(state, kstate)
                bits = sum(map(list, state.transpose().flatten()), [])
                kbits = sum(map(list, kstate.transpose().flatten()), [])
                return bits, kbits

  15. Masking (1/3)

          from operator import xor

          class DOM(MaskingScheme):
              def encode(self, s):
                  x = [self.rand() for _ in xrange(self.nshares-1)]
                  x.append(reduce(xor, x) ^ s)
                  return tuple(x)
              def decode(self, x):
                  return reduce(xor, x)
              def XOR(self, x, y):
                  return tuple(xx ^ yy for xx, yy in zip(x, y))
              def AND(self, x, y):
                  matrix = [[xx & yy for yy in y] for xx in x]
                  # one fresh random bit per pair of shares i < j
                  for i in xrange(self.nshares):
                      for j in xrange(i + 1, self.nshares):
                          r = self.rand()
                          matrix[i][j] ^= r
                          matrix[j][i] ^= r
                  return tuple(reduce(xor, row) for row in matrix)
              def NOT(self, x):
                  return (~x[0],) + tuple(x[1:])

      Hannes Groß, Stefan Mangard, Thomas Korak: Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order (TIS@CCS 2016: 3).
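A first-order leakage check for the masked AND gadget above, as an added example that is not from the slides or the framework: it runs the gadget on plain 0/1 integers (Python 3), enumerates every sharing and every random bit, and reports the intermediate nodes whose distribution depends on the unmasked operands. The function names and the `first` parameter (index of the first share that takes part in refreshing) are constructed for this illustration.

```python
from functools import reduce
from itertools import product
from operator import xor

def dom_and(x, y, rnd, first=0):
    """Masked AND on XOR-share tuples; returns (output shares, trace).

    Each share pair (i, j) with first <= i < j consumes one random bit;
    first=0 refreshes every cross term (constructed parameter).
    """
    n, rnd = len(x), iter(rnd)
    m = [[a & b for b in y] for a in x]
    trace = [v for row in m for v in row]        # partial products
    for i in range(first, n):
        for j in range(i + 1, n):
            r = next(rnd)
            m[i][j] ^= r
            m[j][i] ^= r
            trace += [m[i][j], m[j][i]]          # refreshed cross terms
    out = []
    for row in m:
        acc = row[0]
        for v in row[1:]:
            acc ^= v
            trace.append(acc)                    # running row sums
        out.append(acc)
    return tuple(out), trace

def leaking_nodes(n=2, first=0):
    """Indices of trace nodes whose distribution depends on the secrets."""
    nrand = sum(1 for i in range(first, n) for j in range(i + 1, n))
    ones = {}                                    # (sx, sy) -> count of 1s per node
    for bits in product((0, 1), repeat=2 * n + nrand):
        x, y, rnd = bits[:n], bits[n:2 * n], bits[2 * n:]
        sx, sy = reduce(xor, x), reduce(xor, y)
        out, trace = dom_and(x, y, rnd, first)
        assert reduce(xor, out) == sx & sy       # functional correctness
        acc = ones.setdefault((sx, sy), [0] * len(trace))
        for k, v in enumerate(trace):
            acc[k] += v
    # every (sx, sy) is reached by the same number of sharings, so the raw
    # counts are directly comparable
    ref = ones[(0, 0)]
    return [k for k in range(len(ref))
            if any(c[k] != ref[k] for c in ones.values())]

if __name__ == "__main__":
    print(leaking_nodes(2, first=0), leaking_nodes(2, first=1))
```

With two shares, `first=1` consumes no randomness at all and each output share equals `x_i & sy`, which is why both row sums are reported; the check is univariate, so it says nothing about higher-order combinations of nodes.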

  16. Masking (2/3)
      • Linear Masking: $s = x_0 \oplus x_1 \oplus \dots \oplus x_{r-1}$
      • Minimalist Quadratic Masking: $s = x_0 x_1 \oplus x_2$

      Alex Biryukov, Aleksei Udovenko: Attacks and Countermeasures for White-box Designs (ASIACRYPT 2018).

  17. Masking (3/3)

          def mask_circuit(circuit, scheme, encode=True, decode=True):
              """ Mask a given @circuit with a given masking @scheme.
              Arguments @encode and @decode specify
              whether encoding and decoding steps should be added. """
              ...

          pt = Bit.inputs("pt", 128)
          ct, _ = BitAES(pt, ..., rounds=NR)

          # define a PRNG initialized with plaintext, also a circuit!
          # here we use 2-round AES for initialization
          # and LFSR for further generation
          prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127],
                      state=BitAES(pt, pt, rounds=2)[0])
          rand = Pool(n=128, prng=prng).step

          # nested masking
          ct = mask_circuit(ct, MINQ(rand=rand))
          ct = mask_circuit(ct, DOM(rand=rand, nshares=2))

  19. • C code for simulation
      • requires some encoding of the circuit
      • easier to encode more compact than by a compiler
      • usecase 1: local tracing/analysis
      • usecase 2: PoC generation

          typedef uint16_t A;  /* type of an operand address read from the encoded circuit */
          switch (op) {
          case XOR:
              a = *((A *)p); pop();
              b = *((A *)p); pop();
              ram[dst] = ram[a] ^ ram[b];
              break;
          case AND:
              a = *((A *)p); pop();
              b = *((A *)p); pop();
              ram[dst] = ram[a] & ram[b];
              break;
          case OR:
              a = *((A *)p); pop();
              b = *((A *)p); pop();
              ram[dst] = ram[a] | ram[b];
              break;
          case NOT:
              a = *((A *)p); pop();
              ram[dst] = ~ram[a];
              break;
          case RANDOM:
              ram[dst] = rand();
              break;
          default: return;
          }

  20. Compile and Run

          KEY = "MySecretKey!2019"

          pt = Bit.inputs("pt", 128)
          ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), rounds=10)

          # Encode circuit to file
          RawSerializer().serialize_to_file(ct, "circuits/aes10.bin")

          # Python API for C simulator
          C = FastCircuit("circuits/aes10.bin")

          plaintext = "my_plaintext_abc"
          ciphertext = C.compute_one(plaintext)

          # Verify correctness
          from Crypto.Cipher import AES
          ciphertext2 = AES.new(KEY).encrypt(plaintext)
          assert ciphertext == ciphertext2
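How an encoded circuit can be simulated in batch, as an added example that is not the framework's serializer or simulator: the byte layout (1-byte opcode, then 16-bit little-endian destination and operand addresses) and all names are assumptions made for this sketch. Each RAM cell is an integer carrying one bit per execution, so a single pass yields the traces of the whole batch.

```python
import struct

XOR, AND, OR, NOT = range(4)
ARITY = {XOR: 2, AND: 2, OR: 2, NOT: 1}

def encode(gates):
    """Serialize (op, dst, *srcs) gates: 1-byte opcode, then 16-bit LE addresses."""
    blob = bytearray()
    for op, dst, *srcs in gates:
        if len(srcs) != ARITY[op]:
            raise ValueError("wrong operand count for opcode %d" % op)
        blob += struct.pack("<B%dH" % (1 + len(srcs)), op, dst, *srcs)
    return bytes(blob)

def simulate(blob, inputs, nbatch):
    """Run the encoded circuit; each RAM cell packs one bit per batch slot."""
    full = (1 << nbatch) - 1
    ram = dict(enumerate(inputs))                # inputs occupy addresses 0..k-1
    p = 0
    while p < len(blob):
        op = blob[p]
        if op not in ARITY:
            raise ValueError("unknown opcode %d at offset %d" % (op, p))
        dst, *src = struct.unpack_from("<%dH" % (1 + ARITY[op]), blob, p + 1)
        p += 1 + 2 * (1 + ARITY[op])
        a = ram[src[0]]
        if op == NOT:
            ram[dst] = ~a & full                 # keep only the batch slots
        else:
            b = ram[src[1]]
            ram[dst] = a ^ b if op == XOR else a & b if op == AND else a | b
    return ram                                   # full trace: one word per node

def slot_trace(ram, slot):
    """Extract the bit of every node for one execution of the batch."""
    return [(ram[addr] >> slot) & 1 for addr in sorted(ram)]

# Constructed sample: ~(x & y) ^ y with x at address 0 and y at address 1.
BLOB = encode([(AND, 2, 0, 1), (NOT, 3, 2), (XOR, 4, 3, 1)])
# Slot k of the batch carries the input pair x = k & 1, y = k >> 1.
X_WORD, Y_WORD = 0b1010, 0b1100

if __name__ == "__main__":
    ram = simulate(BLOB, [X_WORD, Y_WORD], nbatch=4)
    print(bin(ram[4]), slot_trace(ram, 3))
```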
