[PPT] - Towards Super-Exponential Side-Channel Security with Efficient PowerPoint Presentation

SLIDE 1

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs

M. Medwed, F.-X. Standaert, A. Joux

NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium

SLIDE 2

SCA security (implementation level) 1

SLIDE 3

SCA security (mathametical level) 1

SLIDE 4

Limitations of current approaches 1

SLIDE 5

Direction for improvements #1 1

SLIDE 6

Direction for improvements #2 1

SLIDE 7

This work: leakage-resilient PRFs 2

Why PRFs (not PRPs)?
One of the most important primitives in

symmetric cryptography (see Goldreich’s book)

Enough for encryption / authentication
Needed for re-keying / init. of stream ciphers
Stateless primitive!
…

SLIDE 8

This work: leakage-resilient PRFs 2

Why PRFs (not PRPs)?
One of the most important primitives in

symmetric cryptography (see Goldreich’s book)

Enough for encryption / authentication
Needed for re-keying / init. of stream ciphers
Stateless primitive!
…
Main question: can leakage-resilient PRFs be
Secure (super-exponential security)?
Efficient (compared to other countermeasures)?

SLIDE 9

Secure – in what sense? 3

Main focus so far: # of measurements
e.g. noise addition: # of measurements

increases linearly with the noise variance

e.g. masking: # of measurements may increase

exponentially with the number of masks

But requires hardware assumptions

(e.g. leakage of shares must be independent)

SLIDE 10

Secure – in what sense? 3

Main focus so far: # of measurements
e.g. noise addition: # of measurements

increases linearly with the noise variance

e.g. masking: # of measurements may increase

exponentially with the number of masks

But requires hardware assumptions

(e.g. leakage of shares must be independent)

Leakage-resilient PRFs approach:
Bound the data complexity by design
Try to guarantee high time complexity

SLIDE 11

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 12

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 13

Tree-based PRF (GGM 86)

4

SLIDE 14

Tree-based PRF (GGM 86)

4

SLIDE 15

Tree-based PRF (GGM 86)

4

SLIDE 16

Tree-based PRF (GGM 86)

4

SLIDE 17

Tree-based PRF (GGM 86)

4 : 2-bounded data complexity : 128 AES per 128-bit input

SLIDE 18

Efficiency / security tradeoff 5

: 16 AES per 128-bit input : 256-bounded data complexity?

SLIDE 19

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 20

Is bounded data complexity enough? 6

Template attack against an 8-bit u-controller
Success rate for the first AES S-box

SLIDE 21

Is bounded data complexity enough? 6

Template attack against an 8-bit u-controller
Success rate for the first AES S-box
High success rates already for Np=2 

SLIDE 22

Is bounded data complexity enough? 6

Template attack against an 8-bit u-controller
Success rate for the first AES S-box
High success rates already for Np=2 

SLIDE 23

Possible security improvements 7

Add countermeasures (masking, hiding, …)

SLIDE 24

Possible security improvements 7

Add countermeasures (masking, hiding, …)
Bound the number of measurements rather than

the data complexity (i.e. prevent averaging)

e.g. store previous paths (but not efficient)

SLIDE 25

Possible security improvements 7

Add countermeasures (masking, hiding, …)
Bound the number of measurements rather than

the data complexity (i.e. prevent averaging)

e.g. store previous paths (but not efficient)
…
Take advantage of algorithmic noise (parallelism)

SLIDE 26

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
a. Previous leakage-resilient PRFs
b. Our tweak: carefully chosen plaintexts
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 27

Algorithmic noise (standard DPA) 8

SLIDE 28

Algorithmic noise (standard DPA) 8

SLIDE 29

Algorithmic noise (standard DPA) 8

SLIDE 30

Random pi’s => divide & conquer attacks 9

SLIDE 31

Random pi’s => divide & conquer attacks 9

SLIDE 32

Random pi’s => divide & conquer attacks 9

SLIDE 33

Single S-box attack results

10

SLIDE 34

Single S-box attack results

10

Noise can be averaged by measuring more 

SLIDE 35

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
a. Previous leakage-resilient PRFs
b. Our tweak: carefully chosen plaintexts
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 36

Our tweak: carefully chosen plaintexts (I) 11

SLIDE 37

Our tweak: carefully chosen plaintexts (I) 11

SLIDE 38

Our tweak: carefully chosen plaintexts (I) 11

e.g. CPA + HW model: same predictions for 16 key bytes

SLIDE 39

Our tweak: carefully chosen plaintexts (II) 12

Intuition #1: algorithmic noise is key dependent

=> Divide & conquer attacks hardly apply

SLIDE 40

Our tweak: carefully chosen plaintexts (II) 12

Intuition #1: algorithmic noise is key dependent

=> Divide & conquer attacks hardly apply

Intuition #2: assume the leakage functions are

(roughly) identical for all S-boxes

Then the models in standard DPA attacks are

also identical for all S-boxes

SLIDE 41

Our tweak: carefully chosen plaintexts (II) 12

Intuition #1: algorithmic noise is key dependent

=> Divide & conquer attacks hardly apply

Intuition #2: assume the leakage functions are

(roughly) identical for all S-boxes

Then the models in standard DPA attacks are

also identical for all S-boxes

Even in the (unlikely) situation where the Ns

key bytes are rated in the first Ns positions by DPA, it remains to enumerate Ns! Permutations

e.g. 16!=2^44, 24!=2^79, 32!=2^117

SLIDE 42

Single S-box attack results 13

SLIDE 43

Single S-box attack results

Even with 256 meas., noise cannot be averaged 

13

SLIDE 44

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
a. Previous leakage-resilient PRFs
b. Our tweak: carefully chosen plaintexts
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 45

Worst case security evaluations (I) 14

Standard DPA attacks do not appear very relevant

to analyze the security of our tweaked design => We considered two alternatives considering noiseless traces as a first-step investigation

SLIDE 46

Worst case security evaluations (I) 14

Standard DPA attacks do not appear very relevant

to analyze the security of our tweaked design => We considered two alternatives considering noiseless traces as a first-step investigation

1. Iterative DPA-like attack
For i=1:Ns
Perform a DPA and keep best-rated key
Remove the hypothetical leakage of this

key from the actual leakage traces

SLIDE 47

Worst case security evaluations (II) 15

2. Lattice-based attacks:
Recovering Ns key bytes satisfying this relation

for Np plaintexts is a vectorial knapsack problem => We used LLL as a black box for solving it

SLIDE 48

Worst case security evaluations (II) 15

2. Lattice-based attacks:
Recovering Ns key bytes satisfying this relation

for Np plaintexts is a vectorial knapsack problem => We used LLL as a black box for solving it

SLIDE 49

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
a. Previous leakage-resilient PRFs
b. Our tweak: carefully chosen plaintexts
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 50

Main question 16

Do different S-boxes leak the same?

SLIDE 51

Main question 16

Do different S-boxes leak the same?
FPGA case study with two types of S-boxes

SLIDE 52

Main question 16

Do different S-boxes leak the same?
FPGA case study with two types of S-boxes
Using the RAM blocks of modern FPGAs

SLIDE 53

Main question 16

Do different S-boxes leak the same?
FPGA case study with two types of S-boxes
Using the RAM blocks of modern FPGAs
Combinatorial (from Canright, CHES 2005)

SLIDE 54

Can we exploit different leakage models? 17

Case study using the Canright S-boxes
Template attacks, correlation attacks
Both using the Ns different models

SLIDE 55

Can we exploit different leakage models? 17

Case study using the Canright S-boxes
Template attacks, correlation attacks
Both using the Ns different models

SLIDE 56

Can we exploit different leakage models? 17

Case study using the Canright S-boxes
Template attacks, correlation attacks
Both using the Ns different models

Main message: the key-dependent algorithmic noise remains hard to exploit



SLIDE 57

Outline

1. Tree-based PRF (GGM 86)
2. Is bounded data complexity enough?
3. Efficiently exploiting parallelism
a. Previous leakage-resilient PRFs
b. Our tweak: carefully chosen plaintexts
4. Worst case analyses
5. Instantiation issues
6. Conclusions

SLIDE 58

Conclusions (I) 18

Remember back in the days…

SLIDE 59

Conclusions (I) 18

Remember back in the days… We thought masking was “secure”

SLIDE 60

Conclusions (I) 18

Remember back in the days… We thought masking was “secure” Then came HO attacks,

SLIDE 61

Conclusions (I) 18

Remember back in the days… We thought masking was “secure” Then came HO attacks, Then came glitches,

SLIDE 62

Conclusions (I) 18

Remember back in the days… We thought masking was “secure” Then came HO attacks, Then came glitches, Then came early propagation,

SLIDE 63

Conclusions (I) 18

Remember back in the days… We thought masking was “secure” Then came HO attacks, Then came glitches, Then came early propagation, Then came coupling, …

SLIDE 64

Conclusions (I) 18

Remember back in the days… We thought masking was “secure” Then came HO attacks, Then came glitches, Then came early propagation, Then came coupling, … Yet, masking remains one of the frequently used solutions to protect HW and SW implementations!

SLIDE 65

Conclusions (II) 19