Differential Computation Analysis against Internally-Encoded White-Box Implementations
Junwei Wang (joint work with Matthieu Rivain)
WhibOx 2019, May 18, 2019
Overview
1. White-Box Context
2. DCA against Internal Encodings
3. Collision Attack against Internal Encodings
4. Can We Do Better?
White-Box Threat Model
- Black-box model: observing I/O behavior (plaintext in, ciphertext out), e.g. linear/differential cryptanalysis
- Gray-box model: knowing the cipher + side-channel leakages (power/EM/time/...), e.g. differential power analysis
- White-box model [SAC02]: owning the binary and controlling the environment
White-Box Threat Model
- Goal: to extract a cryptographic key, ...
- Where: from a software implementation of a cipher
- Who: malware, co-hosted applications, the users themselves, ...
- How: by all kinds of means
  - analyze the code
  - spy on the memory
  - interfere with the execution
  - ...
No provably secure white-box scheme exists for standard block ciphers.
Typical Applications
- Digital Content Distribution: videos, music, games, e-books, ...
- Host Card Emulation: mobile payment without a secure element
Differential Computation Analysis [CHES16]
- Gray-box model: side-channel leakages (noisy), e.g. power/EM/time/...
- White-box model: computational leakage (perfect), e.g. registers/accessed memory/...
Differential Computation Analysis [CHES16]
Differential power analysis techniques applied to computational leakages: collect traces, group them by the prediction $\varphi_k(\cdot) = 0$ or $\varphi_k(\cdot) = 1$, average each group, and take the difference of the two average traces (the differential trace).
This implies a strong linear correlation between the sensitive variables $\varphi_k$ and the leaked samples in the computational traces.
Internal Encoding Countermeasure [SAC02]
$X \to R_1 \to \varepsilon_1,\ \varepsilon_1^{-1} \to R_2 \to \varepsilon_2,\ \ldots,\ \varepsilon_{r-1}^{-1} \to R_r \to Y$: each round transformation $R_i$ is surrounded by pairwise annihilating parasitic functions (e.g. the encodings $\varepsilon_i$ and $\varepsilon_i^{-1}$), and the encoded transformations are stored as look-up tables.
1. Represent the cipher as a network of transformations
2. Obfuscate the network by encoding adjacent transformations
3. Store the encoded transformations in look-up tables
Internal Encoding Leakage
$x \xrightarrow{\ \varphi_k(\cdot)\ } s \xrightarrow{\ \varepsilon(\cdot)\ } v$, with an $n$-bit input $x$, an $m$-bit sensitive variable $s$ and an $m$-bit intermediate variable $v$.
- A key-dependent $(n, m)$ selection function $\varphi_k$ in a block cipher
- A randomly selected $m$-bit bijection $\varepsilon$
- $\varepsilon \circ \varphi_k$, as the result of some table look-ups, is leaked in memory
- To exploit the leakage of $\varepsilon \circ \varphi_k$, it is necessary that $n > m$
Understanding of DCA
1. The seminal work [CHES16] lacks an in-depth understanding of DCA
2. The follow-up analysis [ACNS18] is
  - partly experimental (in particular for wrong key guesses)
  - only known to work on nibble encodings
  - only known to work on the first and last rounds
  - of unknown success probability
3. The computational traces are only sub-optimally exploited
DCA Analysis against Internal Encodings
Based on well-established theory: Boolean correlation instead of difference of means. For any key guess $k$,
$$\rho_k = \mathrm{Cor}\big(\varphi_k(\cdot)[i],\ \varepsilon \circ \varphi_{k^*}(\cdot)[j]\big),$$
where $[i]$ selects bit $i$ of the predicted sensitive variable and $[j]$ bit $j$ of the leaked encoded value. DCA success (roughly) requires
$$|\rho_{k^*}| \ge \max_{k^\times} |\rho_{k^\times}|.$$
$\rho_{k^*}$ and $\rho_{k^\times}$: Distributions
Ideal assumption: the $\varphi_k$ are mutually independent random $(n, m)$ functions.
- Correct key guess $k^*$: $\rho_{k^*} = 2^{2-m} N^* - 1$, where $N^* \sim \mathrm{HG}(2^m, 2^{m-1}, 2^{m-1})$. Only depends on $m$.
- Incorrect key guess $k^\times$: $\rho_{k^\times} = 2^{2-n} N^\times - 1$, where $N^\times \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$. Only depends on $n$.
Lemma
Let $\mathcal{B}(n)$ be the set of balanced $n$-bit Boolean functions. If $f \in \mathcal{B}(n)$ and $g \xleftarrow{\$} \mathcal{B}(n)$ is independent of $f$, then the balancedness of $f + g$ is
$$B(f + g) = 4 \cdot N - 2^n,$$
where $N \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$ denotes the size of $\{x : f(x) = g(x) = 0\}$.
With $\mathrm{Cor}(f, g) = \frac{1}{2^n} B(f + g)$, this gives
$$\rho_{k^*} = 2^{2-m} N^* - 1 \quad \text{and} \quad \rho_{k^\times} = 2^{2-n} N^\times - 1,$$
where $N^* \sim \mathrm{HG}(2^m, 2^{m-1}, 2^{m-1})$ and $N^\times \sim \mathrm{HG}(2^n, 2^{n-1}, 2^{n-1})$.
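The lemma and the two distributions can be checked directly. The Python below is an added simulation (not code from the slides or the paper): it draws a random $m$-bit bijection $\varepsilon$ and independent balanced $n$-bit functions as in the ideal assumption, confirms on every draw that the Boolean correlation equals the closed form $2^{2-n} N - 1$, and estimates how often $|\rho_{k^*}|$ beats the largest $|\rho_{k^\times}|$ over 255 wrong guesses for $n = 8$, $m = 4$. The bit positions $i = j = 0$, the seed and the number of trials are my own choices.

```python
import random

def boolean_cor(f, g):
    """Cor(f, g) = B(f + g) / 2^n = (#agree - #disagree) / #inputs, for 0/1 value lists f, g."""
    agree = sum(a == b for a, b in zip(f, g))
    return (2 * agree - len(f)) / len(f)

def lemma_rhs(f, g):
    """Lemma right-hand side 2^(2-n) * N - 1, N = #{x : f(x) = g(x) = 0}; exact for balanced f, g."""
    return 4 * sum(a == 0 and b == 0 for a, b in zip(f, g)) / len(f) - 1

def rho_correct(m, rng, i=0, j=0):
    """rho_{k*}: prediction bit i of the sensitive value s versus bit j of eps(s), eps a random
    m-bit bijection; both are balanced over the 2^m values of s, so N* ~ HG(2^m, 2^(m-1), 2^(m-1))."""
    eps = list(range(1 << m))
    rng.shuffle(eps)
    f = [(s >> i) & 1 for s in range(1 << m)]
    g = [(eps[s] >> j) & 1 for s in range(1 << m)]
    return boolean_cor(f, g), lemma_rhs(f, g)

def rho_wrong(n, rng):
    """rho_{kx} under the ideal assumption: the wrong-key prediction bit and the leaked bit are two
    independent balanced n-bit Boolean functions, so Nx ~ HG(2^n, 2^(n-1), 2^(n-1))."""
    f = [0] * (1 << (n - 1)) + [1] * (1 << (n - 1))
    g = list(f)
    rng.shuffle(f)
    rng.shuffle(g)
    return boolean_cor(f, g), lemma_rhs(f, g)

def simulate(n, m, trials, seed, n_wrong=255):
    """Return (lemma_exact, success_rate): whether Cor equalled the closed form in every draw, and
    how often |rho_{k*}| > max_{kx} |rho_{kx}| (the DCA success event) held over the trials."""
    rng, exact, wins = random.Random(seed), True, 0
    for _ in range(trials):
        rho_star, model = rho_correct(m, rng)
        exact = exact and rho_star == model
        worst = 0.0
        for _ in range(n_wrong):
            rho_x, model_x = rho_wrong(n, rng)
            exact = exact and rho_x == model_x
            worst = max(worst, abs(rho_x))
        wins += abs(rho_star) > worst
    return exact, wins / trials
```

With $m = 4$ every $\rho_{k^*}$ lands on the grid $\{N/4 - 1 : N = 0, \ldots, 8\}$, so the value 0 (the case $N^* = 2^{m-2}$) is reached with the hypergeometric probability that bounds the success rate on the later slides.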
$\rho_{k^*}$ and $\rho_{k^\times}$: Distributions
[Figure: histograms (counts) of simulated $\rho_{k^*}$ and $\rho_{k^\times}$ against their modeled PMFs for $n = 8$, $m = 4$; the correlation axis runs from -0.75 to 0.75.]
DCA Success Rate: $|\rho_{k^*}| > \max_{k^\times} |\rho_{k^\times}|$
[Figure: three panels plotting $\Pr\big[|\rho_{k^*}| > \max_{k^\times} |\rho_{k^\times}|\big]$ against $n$ (4 to 16) for $m$ from 4 to 12.]
The DCA success probability converges towards $\approx 1 - \Pr[N^* = 2^{m-2}]$ (the case $\rho_{k^*} = 0$) for $n \ge 2m + 2$.
Attack an NSC Variant: a White-Box AES
- Byte-encoding protected
- DCA had failed to break it before this work
- Our approach: target an output byte of MixColumns in the first round (ARK, SB, SR, MC) with the input bytes $x_3 = x_4 = 0$ fixed. That byte equals
$$2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2) \oplus \underbrace{\mathrm{Sbox}(k_3) \oplus \mathrm{Sbox}(k_4)}_{c},$$
so the constant is absorbed into the encoding, $\varepsilon' = \varepsilon \circ \oplus_c$, and the attack targets $\varphi_{k_1 \| k_2}(x_1 \| x_2) = 2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2)$ with $n = 16$, $m = 8$, $|\mathcal{K}| = 2^{16}$.
Attack an NSC Variant: a White-Box AES
- Attack results: ~1800 traces
- A similar attack can be applied to a "masked" white-box implementation intended to resist DCA.
Collision Attack
From $N$ inputs $x_1, \ldots, x_N$ and their raw traces, form the $\binom{N}{2}$ pairs $(x_1, x_2), (x_1, x_3), (x_1, x_4), (x_2, x_3), \ldots$ with the collision predictions
$$\psi_k(x_1, x_2) := [\varphi_k(x_1) = \varphi_k(x_2)]$$
and the corresponding collision traces (whether the two raw traces agree at each sample), then compute $\mathrm{Cor}\big(\psi_k(\cdot, \cdot),\ \cdot\big)$ for each key guess $k$.
Collision Attack: Explanation
Based on the principle
$$\varphi_k(x_1) = \varphi_k(x_2) \iff \varepsilon \circ \varphi_k(x_1) = \varepsilon \circ \varphi_k(x_2).$$
Trace complexity: $N = O\big(2^{m/2}\big)$.
Collision Attack: Explanation
[Figure: table of collision predictions for pairs 1 to 6 under the key guesses $k_1, \ldots, k_4$; only the correct guess $k^*$ "collides" exactly where the traces do.]
For all $k^\times$, $k^*$ and $k^\times$ are not "isomorphic" $\Rightarrow N = O\big(2^{m/2}\big)$.
Attack the NSC Variant
- Same target: a first-round MixColumns output byte (ARK, SB, SR, MC, followed by the next round's ARK, SB),
$$\varphi_{k_1 \| k_2}(x_1 \| x_2) = 2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2),$$
observed through either $\varepsilon' = \varepsilon \circ \oplus_c$ or $\varepsilon'' = \varepsilon \circ \mathrm{Sbox} \circ \oplus_{c \oplus k'_1}$ (collisions survive any bijection on top of $\varphi$).
- Attack results: 60 traces
[Figure: correlation against sample index; the correct key $k^*$ stands out from the wrong guesses $k^\times$.]
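As an added, self-contained Python simulation (not the authors' code and not the NSC challenge binary), the following builds the internally-encoded leakage of the first-round MixColumns byte above, with a random byte bijection $\varepsilon$, a constructed key and the constant $c = \mathrm{Sbox}(k_3) \oplus \mathrm{Sbox}(k_4)$ absorbed into $\varepsilon'$, then runs the collision attack over all $2^{16}$ guesses of $k_1 \| k_2$ with 60 traces, scoring each guess by the correlation between $\psi_k(x_i, x_j) = [\varphi_k(x_i) = \varphi_k(x_j)]$ and the observed collisions. The AES S-box is computed rather than hard-coded; the seed and key bytes are arbitrary choices.

```python
import random
from collections import Counter
def _gf_mul(a, b):              # multiplication in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _aes_sbox():                # S(x) = affine(x^-1), computed here instead of a 256-entry table
    box = []
    for x in range(256):
        inv = x
        for _ in range(253):    # x^254 = x^-1 in GF(2^8); 0 maps to 0
            inv = _gf_mul(inv, x)
        s = inv ^ 0x63
        for i in range(1, 5):   # s ^= rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box

SBOX = _aes_sbox()
T2, T3 = [_gf_mul(2, s) for s in SBOX], [_gf_mul(3, s) for s in SBOX]   # 2·S(x) and 3·S(x)

def make_traces(n_traces, key, seed):
    # Constructed leakage v = eps'(phi), phi = 2·S(x1^k1) ^ 3·S(x2^k2) (n = 16, m = 8), eps a random
    # byte bijection; the constant c = S(k3) ^ S(k4) of the fixed x3 = x4 = 0 is absorbed into eps'.
    rng, (k1, k2, k3, k4) = random.Random(seed), key
    c, eps = SBOX[k3] ^ SBOX[k4], list(range(256))
    rng.shuffle(eps)
    xs = [(rng.randrange(256), rng.randrange(256)) for _ in range(n_traces)]
    return [((x1, x2), eps[T2[x1 ^ k1] ^ T3[x2 ^ k2] ^ c]) for x1, x2 in xs]
def _pairs(counts):             # number of equal-valued (colliding) pairs within the groups
    return sum(c * (c - 1) // 2 for c in counts.values())

def collision_attack(traces):
    # Score each (k1, k2) by Cor(psi_k, observed collision) over all pairs; the right key scores 1.
    xs, vs = zip(*traces)
    total, observed = len(xs) * (len(xs) - 1) // 2, _pairs(Counter(vs))
    best, best_key = -2.0, None
    for k1 in range(256):
        for k2 in range(256):
            pred = [T2[x1 ^ k1] ^ T3[x2 ^ k2] for x1, x2 in xs]
            predicted, both = _pairs(Counter(pred)), _pairs(Counter(zip(pred, vs)))
            den = predicted * (total - predicted) * observed * (total - observed)
            if den == 0: continue   # no predicted (or observed) collisions: correlation undefined
            cor = (total * both - predicted * observed) / den ** 0.5   # Pearson of 0/1 vectors
            if cor > best: best, best_key = cor, (k1, k2)
    return best_key, best
```

The counting form of the correlation is exact for the $\binom{N}{2}$ pair indicators, and the key search over $2^{16}$ guesses runs in a few seconds in plain Python.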
Can We Do Better?
YES, WE CAN!!!
Go two rounds deep (ARK, SB, SR, MC, ARK, SB, SR, MC) and target a second-round MixColumns output byte, which equals $2 \cdot \mathrm{Sbox}(\varphi) \oplus c'$ with
$$\varphi_{k_1 \| k_2 \| c}(x_1 \| x_2) = 2 \cdot \mathrm{Sbox}(x_1 \oplus k_1) \oplus 3 \cdot \mathrm{Sbox}(x_2 \oplus k_2) \oplus c,$$
so that $\varepsilon' = \varepsilon \circ \oplus_{c'} \circ (2 \cdot \mathrm{Sbox})$, $n = 16$, $m = 8$, $|\mathcal{K}| = 2^{24}$, where $c = \mathrm{Sbox}(k_3) \oplus \mathrm{Sbox}(k_4) \oplus k'_1$ and $c' = 3 \cdot \mathrm{Sbox}(\cdots) \oplus \mathrm{Sbox}(\cdots) \oplus \mathrm{Sbox}(\cdots)$.
Conclusion
- DCA against internal encodings has been analysed in depth
  - allows attacking wider encodings
- Computation traces have been exploited further
  - showcase: attacking variables beyond the first round of the cipher
  - a new class of collision attack with very low trace complexity
- Hence, protecting AES with internal encodings in the first rounds is insufficient
Thank You! ia.cr/2019/076