Attacks and Countermeasures for White-box Designs (PowerPoint presentation, slide transcript)


  1. Attacks and Countermeasures for White-box Designs
     Alex Biryukov, Aleksei Udovenko
     CSC and SnT, University of Luxembourg
     December 5, 2018

  2. Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0 / 19

  4. White-box Implementation
     - fully available, secret key unextractable
     - Extra: one-wayness, incompressibility, traitor traceability, ...
     - The most challenging direction (this talk): white-box implementations of existing symmetric primitives, e.g. the AES
     - "Cryptographic obfuscation" 1 / 19

  7. White-box: Industry vs Academia
     Industry:
     - many applications
     - strong need for practical white-box
     - industry does WB: hidden designs
     Academia:
     - theory: approaches using iO/FE, currently impractical
     - practical WB-AES: few attempts (2002-2017), all broken
     - powerful DCA attack (CHES 2016) 2 / 19

 10. White-Box: Differential Computation Analysis (DCA)
     - DCA = Differential Power Analysis (DPA) applied to white-box implementations
     - Most of the implementations broken automatically
     - Side-channel protection: masking schemes
     - this talk: Can we apply the masking protection for white-box impl.? 3 / 19

 13. General Setting
     - Boolean circuits
     - Obfuscated reference implementation
     - Predictable values: computations from ref. impl., e.g. $s = \mathrm{Bit}_1(\mathrm{SBox}(pt_1 \oplus k_1))$
     - Masking: $\exists\, v_1, \dots, v_t$ nodes (shares), $f : \mathbb{F}_2^t \to \mathbb{F}_2$ s.t. for any encryption $f(v_1, \dots, v_t) = s$ 4 / 19

 16. Masking Schemes
     - Example: Boolean masking: linear decoder $f = \bigoplus_i v_i$
     - Example: FHE: non-linear decoder $f$
     - Aim for efficient schemes: relatively small $t$ (number of shares)
       ⇒ can be secure only if the locations of the shares in the circuit are unknown!
     - this talk: exploring this possibility 5 / 19

  17. Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 5 / 19

 19. Attacks I
     Combinatorial attacks: (partially) guess locations of the shares
     - probabilistic: correlation with predictable values
     - exact: time-memory trade-off
     Fault attacks: new application: recover locations of the shares
     - 1- and 2-share fault injections
     - applicability depends on protections 6 / 19

 22. Attacks II (Generalized) Differential Computation Analysis (DCA): 7 / 19

 24. The Linear Algebra Attack (1)
     - consider the Boolean masking (the linear decoder)
     - matching with a predictable value $s$: a basic linear algebra problem: $M \times z = s$, $M = [v_1 \mid \dots \mid v_n]$
     - $v_i$ is the vector of values computed in the node $i$ of the circuit
     - $z$ is a vector indicating locations of shares among nodes of the circuit
     - higher-order masking does not help... 8 / 19
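An added example, not code from the talk: the GF(2) span-membership check behind the system $M \times z = s$, written as a self-check a designer can run on the node traces of a masked circuit to see whether a predictable bit lies in the linear span of the node values. The toy circuit, its node layout (three Boolean shares of $s$ hidden among decoy nodes), the use of the PRESENT 4-bit S-box as the reference S-box, and the exhaustive enumeration of (pt, r1, r2) runs in place of collected traces are all constructed for this example. For the correct key guess the solver returns exactly the share positions; for every other guess the system is inconsistent, which is the "if $s$ is guessed wrong" criterion of the next slide, and the masking order plays no role, as the slide remarks.

```python
"""Linear-span test for masked circuit traces (constructed toy, not the talk's code)."""
from typing import Dict, List, Optional, Tuple

# PRESENT 4-bit S-box, standing in for the reference S-box (assumption of this example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Node layout of the toy circuit (constructed); the three shares sit at positions 1, 3, 5
# and decode as r1 ^ r2 ^ (s ^ r1 ^ r2) = s.  The other nodes are decoys an analyst also sees.
NODE_NAMES = ["pt0", "r1", "y0^r1", "s^r1^r2", "pt2", "r2", "r1&r2"]
SHARE_MASK = (1 << 1) | (1 << 3) | (1 << 5)   # the z the solver should return (= 42)


def predictable_bit(pt: int, key: int) -> int:
    """s = Bit_1(SBox(pt ^ key)), computed from the reference implementation."""
    return (SBOX[pt ^ key] >> 1) & 1


def masked_circuit(pt: int, key: int, r1: int, r2: int) -> List[int]:
    """Values of every node of the toy circuit for one run with coins r1, r2."""
    y = SBOX[pt ^ key]
    s = (y >> 1) & 1
    return [pt & 1, r1, (y & 1) ^ r1, s ^ r1 ^ r2, (pt >> 2) & 1, r2, r1 & r2]


def collect_traces(key: int) -> Tuple[List[int], List[int]]:
    """Rows of M: one run per (pt, r1, r2) combination, packed so bit i = node i."""
    pts, rows = [], []
    for pt in range(16):
        for r1 in (0, 1):
            for r2 in (0, 1):
                vals = masked_circuit(pt, key, r1, r2)
                pts.append(pt)
                rows.append(sum(v << i for i, v in enumerate(vals)))
    return pts, rows


def solve_gf2(rows: List[int], rhs: List[int], ncols: int) -> Optional[int]:
    """Gaussian elimination over GF(2): one z with M z = s, or None if inconsistent."""
    aug = [row | (b << ncols) for row, b in zip(rows, rhs)]   # right-hand side in bit ncols
    reduced, pivots = [], []
    for col in range(ncols):
        piv = next((i for i, row in enumerate(aug) if (row >> col) & 1), None)
        if piv is None:
            continue                                           # free column
        prow = aug.pop(piv)
        reduced = [row ^ prow if (row >> col) & 1 else row for row in reduced]
        aug = [row ^ prow if (row >> col) & 1 else row for row in aug]
        reduced.append(prow)
        pivots.append(col)
    if any((row >> ncols) & 1 for row in aug):                 # a 0 = 1 row remains
        return None
    z = 0
    for prow, col in zip(reduced, pivots):                     # free columns set to 0
        if (prow >> ncols) & 1:
            z |= 1 << col
    return z


def locate_shares(key: int) -> Dict[int, Optional[int]]:
    """For each key guess: z with M z = s(guess) when the system is solvable, else None."""
    pts, rows = collect_traces(key)
    n = len(NODE_NAMES)
    result = {}
    for guess in range(16):
        s = [predictable_bit(pt, guess) for pt in pts]
        result[guess] = solve_gf2(rows, s, n)
    return result


def share_names(z: int) -> List[str]:
    """Node names selected by the location vector z."""
    return [name for i, name in enumerate(NODE_NAMES) if (z >> i) & 1]


if __name__ == "__main__":
    for guess, z in locate_shares(key=5).items():
        if z is not None:
            print(f"key guess {guess:#x}: predictable bit is in the span, shares at {share_names(z)}")
```

The solver returns a location vector, not a correlation score: a solvable system is an exact statement that the predictable value is a linear function of node values, so more shares only add columns to $M$ without changing that.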

 27. The Linear Algebra Attack (2)
     Generalizations:
     - nonlinear decoders, through linearization technique
     - approximately linear decoders, through LPN algorithms
     - semi-linear decoders:
       1 assume $s \cdot r$ is computed/shared in the circuit, where
       2 $s$ is a predictable value
       3 $r$ is unpredictable (pseudorandom, ≈ uniform)
       4 choose plaintexts $p_1, \dots, p_D$ such that $s(p_i) = 0$ for $1 \le i \le D-1$ and $s(p_i) = 1$ for $i = D$
       5 $s \cdot r$ will be equal to $(0, 0, \dots, 0, 1)$ with $\Pr = 1/2$
       6 if $s$ is guessed wrong, such a vector is unlikely to be a solution 9 / 19

  28. Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 9 / 19

 32. Our Framework: Two Components
     Value Hiding:
     1 DCA side-channel attack
     2 (new) linear algebra attack
     Structure Hiding:
     1 circuit analysis / simplification
     2 fault injections
     3 pseudorandomness removal
     4 etc.
     (hopefully) easier to solve independently 10 / 19

 33. Value Hiding
     Our solution for value hiding:
     1 non-linear masking (vs linear algebra attack)
     2 classic linear masking (vs DCA correlation attack)
     3 provable security against the linear algebra attack 11 / 19

  34. Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 11 / 19

 37. Algebraic Security (1/2)
     Security Model:
     1 random bits allowed as in classic masking model
       - unpredictability in WB impl. as pseudorandom
     2 Goal: any $f \in \mathrm{span}\{v_i\}$ is unpredictable
     3 isolated from obfuscation problems 12 / 19

 41. Algebraic Security (2/2)
     Adversary:
     1 chooses plaintext/key pairs
     2 chooses $f \in \mathrm{span}\{v_i\}$
     3 tries to predict values of this function (i.e. before random bits are sampled)
     4 succeeds, if only $f$ matches 13 / 19

 44. Algebraic Security (3/3)
     Proposition. Let $F = \{\, f(x, \cdot, \cdot) \mid f(x, r_e, r_c) \in \mathrm{span}\{v_i\},\ x \in \mathbb{F}_2^N \,\}$. Let $\varepsilon = \max_{f \in F} \mathrm{bias}(f)$ and $e = -\log_2(1/2 + \varepsilon)$. Then for any adversary $\mathcal{A}$ choosing $Q$ inputs
       $\mathrm{Adv}[\mathcal{A}] \le \min\left(2^{Q - |r_c|},\ 2^{-eQ}\right)$.
     Corollary. Let $k$ be a positive integer. Then for any adversary $\mathcal{A}$, $\mathrm{Adv}[\mathcal{A}] \le 2^{-k}$ if $e > 0$ and $|r_c| \ge k \cdot (1 + 1/e)$.
     Information-theoretic security 14 / 19
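An added example, not the talk's code, that evaluates the quantities of the Proposition and Corollary for a small sharing gadget: it enumerates every non-zero $f \in \mathrm{span}\{v_i\}$, computes $\mathrm{bias}(f) = \max_x |\Pr_r[f(x, r) = 1] - 1/2|$ (my reading of the slide's bias), takes $\varepsilon$ and $e = -\log_2(1/2 + \varepsilon)$, and applies the advantage bound and the Corollary's requirement on $|r_c|$. Two simplifications are assumed: the input $x$ is reduced to the single predictable bit being shared, and all random bits are counted as $r_c$. The two gadgets are constructed: three-share Boolean masking, whose span contains $s$ itself (so $\varepsilon = 1/2$, $e = 0$, and the bound gives nothing, matching slide 24), and a toy quadratic encoding $s = a \cdot b \oplus c$ standing in for the non-linear masking of slide 33 (not the talk's actual scheme), for which $\varepsilon = 1/4$.

```python
"""Bias and advantage bound of the algebraic security model (constructed toy gadgets)."""
import itertools
import math
from typing import Callable, Optional, Sequence, Tuple

# A gadget maps (x, r) -> node values v_1..v_n, with x the predictable input bits
# and r the random bits (all counted as r_c here, a simplification of the model).
Gadget = Callable[[Sequence[int], Sequence[int]], Sequence[int]]


def boolean_shares(x: Sequence[int], r: Sequence[int]) -> Sequence[int]:
    """Three-share Boolean masking: s = v1 ^ v2 ^ v3 (linear decoder)."""
    s = x[0]
    return (r[0], r[1], s ^ r[0] ^ r[1])


def quadratic_shares(x: Sequence[int], r: Sequence[int]) -> Sequence[int]:
    """Toy non-linear encoding (assumed for this example): s = a*b ^ c."""
    s = x[0]
    return (r[0], r[1], s ^ (r[0] & r[1]))


def span_max_bias(gadget: Gadget, n_random: int, n_inputs: int = 1
                  ) -> Tuple[float, Optional[Tuple[int, ...]]]:
    """eps = max over non-zero f in span{v_i} of bias(f), where
    bias(f) = max_x |Pr_r[f(x, r) = 1] - 1/2|, computed exhaustively (exact).
    Returns (eps, coefficient vector of the first f attaining it)."""
    xs = list(itertools.product((0, 1), repeat=n_inputs))
    rs = list(itertools.product((0, 1), repeat=n_random))
    table = {(x, r): tuple(gadget(x, r)) for x in xs for r in rs}
    n_nodes = len(table[(xs[0], rs[0])])
    eps, worst = 0.0, None
    for coef in itertools.product((0, 1), repeat=n_nodes):
        if not any(coef):
            continue                               # f = 0 is not a candidate
        bias = 0.0
        for x in xs:
            ones = sum(1 for r in rs
                       if sum(c & v for c, v in zip(coef, table[(x, r)])) % 2 == 1)
            bias = max(bias, abs(ones / len(rs) - 0.5))
        if bias > eps:
            eps, worst = bias, coef
    return eps, worst


def exponent(eps: float) -> float:
    """e = -log2(1/2 + eps) from the Proposition."""
    return -math.log2(0.5 + eps)


def advantage_bound(eps: float, q: int, n_rc: int) -> float:
    """Proposition: Adv <= min(2^(Q - |r_c|), 2^(-eQ)) for Q chosen inputs."""
    e = exponent(eps)
    return min(2.0 ** (q - n_rc), 2.0 ** (-e * q))


def random_bits_needed(eps: float, k: int) -> Optional[int]:
    """Corollary: smallest |r_c| >= k(1 + 1/e) giving Adv <= 2^-k; None when e <= 0."""
    e = exponent(eps)
    if e <= 0:
        return None
    return math.ceil(k * (1 + 1 / e))


if __name__ == "__main__":
    for name, gadget in (("Boolean", boolean_shares), ("quadratic", quadratic_shares)):
        eps, worst = span_max_bias(gadget, n_random=2)
        print(f"{name}: eps={eps}, worst f={worst}, e={exponent(eps):.3f}, "
              f"|r_c| for Adv <= 2^-64: {random_bits_needed(eps, 64)}")
```

The exhaustive enumeration is only feasible for tiny gadgets (it is exponential in the number of nodes), but it shows what the bound needs: for the Boolean gadget the worst $f$ is $v_1 \oplus v_2 \oplus v_3 = s$ with no randomness left, so $e = 0$ and no amount of $r_c$ helps, while for the quadratic gadget every non-zero combination keeps bias $\le 1/4$ and the Corollary yields a concrete $|r_c|$ for a chosen $k$.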
