

  1. Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations
     Matthieu Rivain (1), Junwei Wang (1,2,3)
     (1) CryptoExperts, (2) University of Luxembourg, (3) University Paris 8
     CHES 2019, Atlanta

  2. White-Box Threat Model
     - Goal: extract a cryptographic key, ...
     - Where: from a software implementation of a cipher
     - Who: malware, co-hosted applications, the users themselves, ...
     - How: by all kinds of means: analyze the code, spy on the memory, interfere with the execution, ...
     In theory: there is no provably secure white-box scheme for standard block ciphers.

  4. Typical Applications
     - Digital content distribution: videos, music, games, e-books, ...
     - Host Card Emulation: mobile payment without a secure element
     In practice: heuristic solutions / security through obscurity.

  6. Internal Encoding Countermeasure [SAC02]
     1. Represent the cipher as a network of transformations: $X \to R_1 \to R_2 \to \cdots \to R_r \to Y$.
     2. Obfuscate the network by encoding adjacent transformations with randomly chosen bijections $\varepsilon_1, \ldots, \varepsilon_{r-1}$: $X \to \varepsilon_1 \circ R_1 \to \varepsilon_2 \circ R_2 \circ \varepsilon_1^{-1} \to \cdots \to R_r \circ \varepsilon_{r-1}^{-1} \to Y$. The parasitic functions $\varepsilon_i^{-1} \circ \varepsilon_i$ pairwise annihilate, so the network still computes the cipher from $X$ to $Y$.
     3. Store the encoded transformations as look-up tables.

  9. Attacks in This Talk
     1. Differential Computation Analysis
     2. Collision Attack

  10. Differential Computation Analysis [CHES16]
     - Gray-box model: plaintext in, ciphertext out, with side-channel leakages (noisy), e.g. power / EM / time / ...
     - White-box model: plaintext in, ciphertext out, with computational leakage (perfect), e.g. registers / accessed memory / ...

  11. Differential Computation Analysis [CHES16]
     Differential power analysis techniques applied to computational leakages: collect traces; for each key guess $k$, group the traces by the prediction $\phi_k(\cdot) = 0$ vs. $\phi_k(\cdot) = 1$; average each group; take the differential trace (the difference of the two average traces).
     This assumes a strong linear correlation between the sensitive variables and the leaked samples in the computational traces.

  12. DCA Attack Limitations
     1. The seminal work [CHES16] lacks an in-depth understanding of DCA.
     2. The follow-up analysis [ACNS18] is
        - partly experimental (in particular for wrong key guesses),
        - only known to work on nibble encodings,
        - only known to work on the first and last rounds,
        - of unknown success probability.
     3. The computational traces are only sub-optimally exploited.

  13. Internal Encoding Leakage
     $x$ ($n$-bit input) $\xrightarrow{\ \phi_k(\cdot)\ }$ $s$ ($m$-bit sensitive variable) $\xrightarrow{\ \varepsilon(\cdot)\ }$ $v$ ($m$-bit intermediate variable)
     - A key-dependent $(n, m)$ selection function $\phi_k$ in a block cipher
     - A randomly selected $m$-bit bijection $\varepsilon$
     - $\varepsilon \circ \phi_k$, as the result of some table look-ups, is leaked in memory
     - To exploit the leakage of $\varepsilon \circ \phi_k$, it is necessary that $n > m$

  14. DCA Analysis
     Based on a well-established theory, Boolean correlation, instead of difference of means: for any key guess $k$, with $k^*$ the correct key, $i$ an output bit of the prediction $\phi_k$ and $j$ a bit of the leaked encoded variable $\varepsilon \circ \phi_{k^*}$,
     $$\rho_k = \mathrm{Cor}\big(\phi_k(\cdot)[i],\ \varepsilon \circ \phi_{k^*}(\cdot)[j]\big).$$
     DCA success (roughly) requires $|\rho_{k^*}| > \max_{k^\times} |\rho_{k^\times}|$ over the incorrect guesses $k^\times$.

  18. $\rho_{k^*}$ and $\rho_{k^\times}$: Distributions
     Ideal assumption: the $\phi_k$ are mutually independent random $(n, m)$ functions.
     - Correct key guess $k^*$: $\rho_{k^*} = 2^{2-m} N^* - 1$ where $N^* \sim \mathrm{HG}(2^m, 2^{m-1}, 2^{m-1})$. Only depends on $m$.
     - Incorrect key guess $k^\times$: $\rho_{k^\times} = 2^{2-n} N^\times - 1$ where $N^\times \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$. Only depends on $n$.

  21. Lemma
     Let $\mathcal{B}(n)$ be the set of balanced $n$-bit Boolean functions. If $f \in \mathcal{B}(n)$ and $g \xleftarrow{\$} \mathcal{B}(n)$ is independent of $f$, then the balancedness of $f + g$ is
     $$\mathcal{B}(f + g) = 4 \cdot N - 2^n,$$
     where $N \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$ denotes the size of $\{x : f(x) = g(x) = 0\}$.
     With $\mathrm{Cor}(f + g) = \frac{1}{2^n}\, \mathcal{B}(f + g)$, this gives
     $$\rho_{k^*} = 2^{2-m} N^* - 1 \quad\text{and}\quad \rho_{k^\times} = 2^{2-n} N^\times - 1,$$
     where $N^* \sim \mathrm{HG}(2^m, 2^{m-1}, 2^{m-1})$ and $N^\times \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$.

  22. $\rho_{k^*}$ and $\rho_{k^\times}$: Distributions
     [Figure: probability mass functions of $\rho_{k^*}$ and $\rho_{k^\times}$ under the model, overlaid with simulated counts, for $n = 8$, $m = 4$; correlation axis from $-0.75$ to $0.75$.]

  24. DCA Success Rate: $|\rho_{k^*}| > \max_{k^\times} |\rho_{k^\times}|$
     [Figure: $\Pr\big[|\rho_{k^*}| > \max_{k^\times} |\rho_{k^\times}|\big]$ as a function of $n$ (from 4 to 16) for $m = 4, 5, \ldots, 12$.]
     The DCA success probability converges towards $\approx 1 - \Pr[N^* = 2^{m-2}]$ for $n \geq 2m + 2$. For such $n$ the wrong-key correlations concentrate near $0$, so the attack essentially fails only when $\rho_{k^*} = 2^{2-m} N^* - 1 = 0$, i.e. when $N^* = 2^{m-2}$.

  26. Attack on an NSC Variant: a White-Box AES
     - Byte-encoding protected
     - DCA had failed to break it before this work
     - Our approach: target an output byte of MixColumns in the first round. Take two active plaintext bytes $X_1, X_2$ and fix the other two bytes feeding the same MixColumns column to $0$:
       - after ARK, SB the four bytes are $\mathrm{Sbox}(x_1 \oplus k_1)$, $\mathrm{Sbox}(x_2 \oplus k_2)$, $\mathrm{Sbox}(k_3)$, $\mathrm{Sbox}(k_4)$;
       - after SR, MC the target byte is $2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2) \oplus \mathrm{Sbox}(k_3) \oplus \mathrm{Sbox}(k_4) = 2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2) \oplus c$, with $c$ a key-dependent constant.
     - Hence the selection function is $\phi_{k_1 \| k_2}(x_1 \| x_2) = 2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2)$, the constant is absorbed into the encoding $\varepsilon' = \varepsilon \circ (\oplus\, c)$, and the attack runs with $n = 16$, $m = 8$, $|\mathcal{K}| = 2^{16}$.

  33. Attack on an NSC Variant: a White-Box AES
     - Attack results: $\sim 1800$ traces
     - A similar attack can be applied to a "masked" white-box implementation, which is intended to resist DCA.
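The following Python script is an added worked example, not code from the paper or its authors. It instantiates the analysis of slides 13 to 25 on a toy $(n, m) = (8, 4)$ target of my choosing (one nibble of the round-1 AES S-box output behind a random nibble encoding): it computes $\rho_k$ as an exact Boolean correlation, checks that every $\rho_k$ equals the lemma's closed form $2^{2-n} N - 1$ and that $\rho_{k^*}$ is fixed by the $m$-bit encoding alone, evaluates the asymptotic success estimate $1 - \Pr[N^* = 2^{m-2}]$ with an exact hypergeometric PMF, and verifies that the $(16, 8)$ MixColumns selection function of slides 26 to 32 is balanced, which is what lets the same model apply to the NSC target. The secret key, encoding seed and key bytes are arbitrary constants of the example.

```python
"""Added example (not from the paper): correlation DCA, its hypergeometric model, and the NSC (16,8) target."""
from collections import Counter
from fractions import Fraction
from math import comb
import random

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_aes_sbox():
    """AES S-box: field inverse (0 -> 0) followed by the affine map, so S[0] = 0x63."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = []
    for a in range(256):
        t = next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)
        sbox.append(t ^ rotl(t, 1) ^ rotl(t, 2) ^ rotl(t, 3) ^ rotl(t, 4) ^ 0x63)
    return sbox

SBOX = build_aes_sbox()

def phi_nibble(k, x):
    """Toy (n,m) = (8,4) target (assumption): the low nibble of the round-1 S-box output."""
    return SBOX[x ^ k] & 0xF

def phi_nsc(k1, k2, x1, x2):
    """(n,m) = (16,8) target of the slides: 2*S(x1^k1) ^ 3*S(x2^k2), a first-round MixColumns byte minus c."""
    return gf_mul(2, SBOX[x1 ^ k1]) ^ gf_mul(3, SBOX[x2 ^ k2])

def bit_column(values, i):
    """Bit i of every value, i.e. the Boolean function x -> values[x][i]."""
    return [(t >> i) & 1 for t in values]

def boolean_cor(f, g):
    """Cor(f, g) = (#agree - #disagree) / 2^n for Boolean vectors of length 2^n, exact."""
    agree = sum(a == b for a, b in zip(f, g))
    return Fraction(2 * agree - len(f), len(f))

def lemma_cor(f, g):
    """Lemma closed form 2^(2-n) * N - 1 with N = #{x : f(x) = g(x) = 0}; valid for balanced f, g."""
    return Fraction(4 * sum(1 for a, b in zip(f, g) if a == b == 0), len(f)) - 1

def encoded_leak(k_star, seed, m=4):
    """Computational trace: the encoded intermediate eps(phi(x)) for each of the 2^8 inputs."""
    eps = list(range(1 << m))
    random.Random(seed).shuffle(eps)          # random m-bit bijection, unknown to the attacker
    return eps, [eps[phi_nibble(k_star, x)] for x in range(256)]

def dca_ranking(v, m=4):
    """Score each key guess by max_{i,j} |Cor(phi_k(.)[i], v(.)[j])|; return (ranked keys, scores)."""
    leak_bits = [bit_column(v, j) for j in range(m)]
    scores = {}
    for k in range(256):
        pred = [phi_nibble(k, x) for x in range(256)]
        scores[k] = max(abs(boolean_cor(bit_column(pred, i), leak_bits[j]))
                        for i in range(m) for j in range(m))
    return sorted(scores, key=lambda k: -scores[k]), scores

def lemma_matches_everywhere(v, m=4):
    """rho_k equals the lemma's closed form for every guess and bit pair (every f, g here is balanced)."""
    leak_bits = [bit_column(v, j) for j in range(m)]
    for k in range(256):
        pred_bits = [bit_column([phi_nibble(k, x) for x in range(256)], i) for i in range(m)]
        for f in pred_bits:
            for g in leak_bits:
                if boolean_cor(f, g) != lemma_cor(f, g):
                    return False
    return True

def rho_correct_from_m_bits(eps, i, j, m=4):
    """For k*, rho depends on m only: 2^(2-m) * N* - 1, N* = #{y in F_2^m : y[i] = 0 and eps(y)[j] = 0}."""
    n_star = sum(1 for y in range(1 << m) if (y >> i) & 1 == 0 and (eps[y] >> j) & 1 == 0)
    return Fraction(4 * n_star, 1 << m) - 1

def hypergeom_pmf(population, successes, draws, k):
    """Pr[N = k] for N ~ HG(population, successes, draws), exact."""
    return Fraction(comb(successes, k) * comb(population - successes, draws - k), comb(population, draws))

def asymptotic_success(m):
    """Slide 24: for n >= 2m+2, Pr[DCA success] ~ 1 - Pr[N* = 2^(m-2)], the case rho_k* = 0."""
    return 1 - hypergeom_pmf(1 << m, 1 << (m - 1), 1 << (m - 1), 1 << (m - 2))

def nsc_is_balanced(k1, k2):
    """Each output byte of phi_nsc occurs exactly 2^(n-m) = 256 times over the 2^16 inputs, so the
    lemma applies; the MixColumns constant c only turns eps into eps' = eps o (xor c), still a bijection."""
    counts = Counter(phi_nsc(k1, k2, x1, x2) for x1 in range(256) for x2 in range(256))
    return sorted(counts) == list(range(256)) and set(counts.values()) == {256}
```

Running `dca_ranking` on `encoded_leak(0x2B, seed=1)` and printing `ranking.index(0x2B)` for a few seeds shows the point of slides 22 to 25: with nibble encodings at $n = 8$ the correct key does not always rank first, and the slides' $m = 4$ curve is the probability that it does for a single bit pair. The closed form is exact here because every prediction bit and every leaked bit is balanced, which the S-box bijectivity guarantees for any key guess.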

  34. Attacks in This Talk
     1. Differential Computation Analysis
     2. Collision Attack

  35. Collision Attack
     From $N$ inputs and their raw traces $x_1, x_2, x_3, x_4, \ldots$, build $\binom{N}{2}$ collision predictions and collision traces, one per pair of inputs: $\psi_k(x_1, x_2), \psi_k(x_1, x_3), \psi_k(x_1, x_4), \psi_k(x_2, x_3), \psi_k(x_2, x_4), \psi_k(x_3, x_4), \ldots$ where
     $$\psi_k(x_1, x_2) := \big[\phi_k(x_1) = \phi_k(x_2)\big].$$
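The script below is an added example, not code from the paper or its authors, of the collision attack of slides 35 and 36 on a nibble-encoded toy target. A random 8-bit bijection stands in for the S-box, the encoding $\varepsilon$, the secret key and the 64 sampled inputs are arbitrary constants of the example, and the $\binom{64}{2} = 2016$ pairs are turned into collision traces $[v(x_a) = v(x_b)]$ and matched against $\psi_k$ for every key guess.

```python
"""Added example (not from the paper): collision attack on a nibble-encoded (8,4) toy target."""
from itertools import combinations
import random

RNG = random.Random(2019)
S = list(range(256)); RNG.shuffle(S)          # toy 8-bit bijection standing in for an S-box (assumption)
EPS = list(range(16)); RNG.shuffle(EPS)       # random nibble encoding, unknown to the attacker
K_STAR = 0x5A                                  # secret key baked into the encoded table (assumption)

def phi(k, x):
    """Key-dependent (8,4) selection function: one nibble of S(x ^ k)."""
    return S[x ^ k] & 0xF

def raw_traces(k_star, inputs):
    """Computational traces: the encoded intermediate eps(phi_k*(x)) read from memory, per input."""
    return {x: EPS[phi(k_star, x)] for x in inputs}

def collision_traces(traces):
    """Turn N raw traces into C(N,2) collision observations [v(x_a) == v(x_b)].
    Since eps is a bijection, v(x_a) == v(x_b) iff phi_k*(x_a) == phi_k*(x_b): the
    encoding cancels out without being known."""
    return {(a, b): traces[a] == traces[b] for a, b in combinations(sorted(traces), 2)}

def psi(k, a, b):
    """Collision prediction psi_k(x_a, x_b) := [phi_k(x_a) == phi_k(x_b)]."""
    return phi(k, a) == phi(k, b)

def collision_scores(ctraces):
    """Per key guess: number of pairs on which the prediction agrees with the observation."""
    return {k: sum(psi(k, a, b) == obs for (a, b), obs in ctraces.items()) for k in range(256)}

def best_keys(scores):
    """All guesses sharing the top score (a tie means the pairs seen so far do not separate them)."""
    top = max(scores.values())
    return [k for k, s in scores.items() if s == top]

def run_attack(n_inputs=64, seed=7):
    """Full pipeline on n_inputs random inputs; returns (scores, best keys, number of pairs)."""
    inputs = random.Random(seed).sample(range(256), n_inputs)
    ctraces = collision_traces(raw_traces(K_STAR, inputs))
    scores = collision_scores(ctraces)
    return scores, best_keys(scores), len(ctraces)

if __name__ == "__main__":
    scores, best, pairs = run_attack()
    print(f"{pairs} pairs; k* agrees on {scores[K_STAR]}; top guesses {[hex(k) for k in best]}")
```

The correct key predicts every observed collision exactly, whatever $\varepsilon$ is, because the collision trace depends on $\varepsilon$ only through its being a bijection; that is why the attack can replace the $\varepsilon$-dependent correlation $\rho_k$ by an $\varepsilon$-free prediction $\psi_k$. A wrong key scores only as many pairs as its own partition of the inputs happens to share with the correct one.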
