towards super exponential side channel security with
play

Towards Super-Exponential Side-Channel Security with Efficient - PowerPoint PPT Presentation

Mar 16, 2023 •139 likes •857 views

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

  1. Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium

  2. SCA security (implementation level) 1

  3. SCA security (mathametical level) 1

  4. Limitations of current approaches 1

  5. Direction for improvements #1 1

  6. Direction for improvements #2 1

  7. This work: leakage-resilient PRFs 2 • Why PRFs (not PRPs)? • One of the most important primitives in symmetric cryptography (see Goldreich’s book) • Enough for encryption / authentication • Needed for re-keying / init. of stream ciphers • Stateless primitive! • …

  8. This work: leakage-resilient PRFs 2 • Why PRFs (not PRPs)? • One of the most important primitives in symmetric cryptography (see Goldreich’s book) • Enough for encryption / authentication • Needed for re-keying / init. of stream ciphers • Stateless primitive! • … • Main question: can leakage-resilient PRFs be • Secure ( super-exponential security )? • Efficient (compared to other countermeasures)?

  9. Secure – in what sense? 3 • Main focus so far: # of measurements • e.g. noise addition: # of measurements increases linearly with the noise variance • e.g. masking: # of measurements may increase exponentially with the number of masks • But requires hardware assumptions ( e.g. leakage of shares must be independent )

  10. Secure – in what sense? 3 • Main focus so far: # of measurements • e.g. noise addition: # of measurements increases linearly with the noise variance • e.g. masking: # of measurements may increase exponentially with the number of masks • But requires hardware assumptions ( e.g. leakage of shares must be independent ) • Leakage-resilient PRFs approach: • Bound the data complexity by design • Try to guarantee high time complexity

  11. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  12. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  13. Tree-based PRF (GGM 86) 4

  14. Tree-based PRF (GGM 86) 4

  15. Tree-based PRF (GGM 86) 4

  16. Tree-based PRF (GGM 86) 4

  17. Tree-based PRF (GGM 86) 4  : 2-bounded data complexity  : 128 AES per 128-bit input

  18. Efficiency / security tradeoff 5  : 16 AES per 128-bit input  : 256-bounded data complexity?

  19. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  20. Is bounded data complexity enough? 6 • Template attack against an 8-bit u-controller • Success rate for the first AES S-box

  21. Is bounded data complexity enough? 6 • Template attack against an 8-bit u-controller • Success rate for the first AES S-box • High success rates already for Np=2 

  22. Is bounded data complexity enough? 6 • Template attack against an 8-bit u-controller • Success rate for the first AES S-box • High success rates already for Np=2 

  23. Possible security improvements 7 • Add countermeasures (masking, hiding, …)

  24. Possible security improvements 7 • Add countermeasures (masking, hiding, …) • Bound the number of measurements rather than the data complexity (i.e. prevent averaging) • e.g. store previous paths (but not efficient)

  25. Possible security improvements 7 • Add countermeasures (masking, hiding, …) • Bound the number of measurements rather than the data complexity (i.e. prevent averaging) • e.g. store previous paths (but not efficient) • … • Take advantage of algorithmic noise (parallelism)

  26. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism a. Previous leakage-resilient PRFs b. Our tweak: carefully chosen plaintexts 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  27. Algorithmic noise (standard DPA) 8

  28. Algorithmic noise (standard DPA) 8

  29. Algorithmic noise (standard DPA) 8

  30. Random p i ’s => divide & conquer attacks 9

  31. Random p i ’s => divide & conquer attacks 9

  32. Random p i ’s => divide & conquer attacks 9

  33. Single S-box attack results 10

  34. Single S-box attack results 10 • Noise can be averaged by measuring more 

  35. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism a. Previous leakage-resilient PRFs b. Our tweak: carefully chosen plaintexts 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  36. Our tweak: carefully chosen plaintexts (I) 11

  37. Our tweak: carefully chosen plaintexts (I) 11

  38. Our tweak: carefully chosen plaintexts (I) 11 e.g. CPA + HW model: same predictions for 16 key bytes

  39. Our tweak: carefully chosen plaintexts (II) 12 • Intuition #1: algorithmic noise is key dependent => Divide & conquer attacks hardly apply

  40. Our tweak: carefully chosen plaintexts (II) 12 • Intuition #1: algorithmic noise is key dependent => Divide & conquer attacks hardly apply • Intuition #2: assume the leakage functions are (roughly) identical for all S-boxes • Then the models in standard DPA attacks are also identical for all S-boxes

  41. Our tweak: carefully chosen plaintexts (II) 12 • Intuition #1: algorithmic noise is key dependent => Divide & conquer attacks hardly apply • Intuition #2: assume the leakage functions are (roughly) identical for all S-boxes • Then the models in standard DPA attacks are also identical for all S-boxes • Even in the (unlikely) situation where the Ns key bytes are rated in the first Ns positions by DPA, it remains to enumerate Ns ! Permutations • e.g. 16!=2^44, 24!=2^79, 32!=2^117

  42. Single S-box attack results 13

  43. Single S-box attack results 13 • Even with 256 meas., noise cannot be averaged 

  44. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism a. Previous leakage-resilient PRFs b. Our tweak: carefully chosen plaintexts 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  45. Worst case security evaluations (I) 14 • Standard DPA attacks do not appear very relevant to analyze the security of our tweaked design => We considered two alternatives considering noiseless traces as a first-step investigation

  46. Worst case security evaluations (I) 14 • Standard DPA attacks do not appear very relevant to analyze the security of our tweaked design => We considered two alternatives considering noiseless traces as a first-step investigation 1. Iterative DPA-like attack • For i=1: Ns • Perform a DPA and keep best-rated key • Remove the hypothetical leakage of this key from the actual leakage traces

  47. Worst case security evaluations (II) 15 2. Lattice-based attacks: • Recovering Ns key bytes satisfying this relation for Np plaintexts is a vectorial knapsack problem => We used LLL as a black box for solving it

  48. Worst case security evaluations (II) 15 2. Lattice-based attacks: • Recovering Ns key bytes satisfying this relation for Np plaintexts is a vectorial knapsack problem => We used LLL as a black box for solving it

  49. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism a. Previous leakage-resilient PRFs b. Our tweak: carefully chosen plaintexts 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  50. Main question 16 • Do different S-boxes leak the same?

  51. Main question 16 • Do different S-boxes leak the same? • FPGA case study with two types of S-boxes

  52. Main question 16 • Do different S-boxes leak the same? • FPGA case study with two types of S-boxes • Using the RAM blocks of modern FPGAs

  53. Main question 16 • Do different S-boxes leak the same? • FPGA case study with two types of S-boxes • Using the RAM blocks of modern FPGAs • Combinatorial (from Canright, CHES 2005)

  54. Can we exploit different leakage models? 17 • Case study using the Canright S-boxes • Template attacks, correlation attacks • Both using the Ns different models

  55. Can we exploit different leakage models? 17 • Case study using the Canright S-boxes • Template attacks, correlation attacks • Both using the Ns different models

  56. Can we exploit different leakage models? 17 • Case study using the Canright S-boxes • Template attacks, correlation attacks • Both using the Ns different models Main message: the key-dependent algorithmic noise remains hard to exploit 

  57. Outline 1. Tree-based PRF (GGM 86) 2. Is bounded data complexity enough? 3. Efficiently exploiting parallelism a. Previous leakage-resilient PRFs b. Our tweak: carefully chosen plaintexts 4. Worst case analyses 5. Instantiation issues 6. Conclusions

  58. Conclusions (I) 18 Remember back in the days…

  59. Conclusions (I) 18 Remember back in the days… We thought masking was “secure”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T.

Higher-Order Side Channel Security and Mask Refreshing J.-S. Coron,E. Prouff, M. Rivain and T. Roche thomas.roche@ssi.gouv.fr FSE 2013 March 2013 T. Roche, ANSSI Higher-Order Side Channel Security and Mask Refreshing Side Channel Analysis

1.14k views • 75 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi)

Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi)

Breaking Deployed Crypto The Side Channel Analyst s Way Daniel Moghimi (@danielmgmi) 04/30/2020 Hardwear.io About Me Daniel Moghimi @danielmgmi Security Researcher PhD Student @ WPI Microarchitectural Security Side

926 views • 69 slides
Generalized Label for Super-Channel Assignment on Flexible Grid

Generalized Label for Super-Channel Assignment on Flexible Grid

Generalized Label for Super-Channel Assignment on Flexible Grid dra<-hussain-ccamp-super-channel-label-02 IETF 82 - Taipei, Taiwan

540 views • 10 slides
En Enhancement hancements s to to th the e Fu Fuel el Cy Cycle le Oversight versight Pr

En Enhancement hancements s to to th the e Fu Fuel el Cy Cycle le Oversight versight Pr

En Enhancement hancements s to to th the e Fu Fuel el Cy Cycle le Oversight versight Pr Process cess Presentation to the Commission November 1, 2011 Ag Agenda enda Program Overview John Kinneman Fuel Facility

291 views • 14 slides
Ontario, Canada: the provincial perspective UICC World Cancer Congress Carol Sawka, MD FRCPC

Ontario, Canada: the provincial perspective UICC World Cancer Congress Carol Sawka, MD FRCPC

Cancer System Performance Measurement, Public Reporting and Quality Improvement in Ontario, Canada: the provincial perspective UICC World Cancer Congress Carol Sawka, MD FRCPC Vice President Clinical Programs and Quality Initiatives Cancer

527 views • 16 slides
Entropy production and efficiency in longitudinal convecting-radiating fins Federico Zullo (joint

Entropy production and efficiency in longitudinal convecting-radiating fins Federico Zullo (joint

Entropy production and efficiency in longitudinal convecting-radiating fins Federico Zullo (joint work with Claudio Giorgi) Universit di Brescia The First World Energies Forum Roma, 14.09.2020-05.10.2020 Entropy production and efficiency

590 views • 20 slides
Precision Measurement of the Precision Measurement of the Monthly Fluxes in Cosmic Rays Monthly

Precision Measurement of the Precision Measurement of the Monthly Fluxes in Cosmic Rays Monthly

Precision Measurement of the Precision Measurement of the Monthly Fluxes in Cosmic Rays Monthly Fluxes in Cosmic Rays with the Alpha Magnetic with the Alpha Magnetic Spectrometer on the ISS Spectrometer on the ISS Cristina Consolandi

480 views • 25 slides
AIRS DETECTOR A/B WEIGHTS - UPDATE Background on degradation in channel noise properties for a

AIRS DETECTOR A/B WEIGHTS - UPDATE Background on degradation in channel noise properties for a

AIRS DETECTOR A/B WEIGHTS POSSIBLE CHANGES FOR IMPROVED NOISE PERFORMANCE Margie Weiler ATK Space Consultant to JPL AIRS Calibration Team NASA Sounder Science Meeting Pasadena, CA May 4, 2009 1 AIRS DETECTOR A/B WEIGHTS - UPDATE

352 views • 12 slides
radiated Noise Based on Improved Intrinsic Time-scale Decomposition and Multiscale Dispersion

radiated Noise Based on Improved Intrinsic Time-scale Decomposition and Multiscale Dispersion

A Novel Improved Feature Extraction Technique for Ship- radiated Noise Based on Improved Intrinsic Time-scale Decomposition and Multiscale Dispersion Entropy Zhaoxi Li 1,* , Yaan Li 1,* , Kai Zhang 2,* , Jianli Guo 3 1 School of Marine Science and

425 views • 15 slides
Embedding Information in Radiation Pattern Fluctuations By: Milad Johnny and Alireza Vahid*

Embedding Information in Radiation Pattern Fluctuations By: Milad Johnny and Alireza Vahid*

Embedding Information in Radiation Pattern Fluctuations By: Milad Johnny and Alireza Vahid* *Alireza Vahid is with the department of Electrical Engineering at the University of Colorado Denver, USA 1 6/9/2020 A story 2 6/9/2020 A story 3

732 views • 25 slides
Radiation Protection at the LHC Lessons Learned D. Forkel-Wirth, D. Perrin, S. Roesler, C. Theis,

Radiation Protection at the LHC Lessons Learned D. Forkel-Wirth, D. Perrin, S. Roesler, C. Theis,

Radiation Protection at the LHC Lessons Learned D. Forkel-Wirth, D. Perrin, S. Roesler, C. Theis, Heinz Vincke, Helmut Vincke, J. Vollaire CERN-SC-RP-SL 13 October 2006, ILC and LHC Forum Lessons learnt about RP involvement into a project

471 views • 30 slides

More recommend