Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture

Félix Carvalho Rodrigues, H. Fujii, A. C. Serpa, G. Sider, R. Dahab, J. López
October 3, 2019
Laboratory of Security and Cryptography, Institute of Computing, University of Campinas (Unicamp)

This research was partially supported by Samsung Eletrônica da Amazônia Ltda., through the “White Box Cryptography” project, within the scope of the Informatics Law No. 8248/91.
Index
• Introduction
• Dedicated Ciphers
  • SPACE
  • WEM
  • SPNbox
• Implementation
  • Optimizing SPNbox
• Results
Introduction
White-box threat model: direct access to environment

Black-Box:
• Access only to plaintexts and ciphertexts
• No leakage from executing environment
• No access to implementation

Grey-Box (hardware side-channel):
• Some leakage from executing environment
• Timing analysis, power analysis available
• No (direct) access to implementation

In a White-Box context, an attacker can:
• Access the memory
• Manipulate the execution
• Analyze binary code

Figure: (a) Black Box Model: access to plaintext and ciphertext. (b) Grey Box Model: access to plaintext, ciphertext and side channel information. (c) White Box Model: access to plaintext, ciphertext, side channel information and the execution environment.

How to protect against such powerful adversaries?
White-Box Cryptography: first attempts

White-Box Cryptography:
• Design and secure the implementations of cryptographic algorithms running in untrusted environments

First attempt: standard block cipher (e.g., AES):
• Protect implementation through a network of lookup tables
• Several proposed implementations [Chow et al., 2003, Bringer et al., 2006, Xiao and Lai, 2009, Karroumi, 2011]
• Academic proposals mostly broken: [Billet et al., 2005, Goubin et al., 2007, Michiels et al., 2009, De Mulder et al., 2010, Lepoint et al., 2014, De Mulder et al., 2013]
• Some hope? CHES 2019 white-box challenge [WhibOx, 2019] had three implementations which are still unbroken!

BROKEN! AES seems to be hard to protect in a white-box context...
Dedicated Ciphers
Dedicated White-Box Block Ciphers

Idea:
• Design a block cipher from the ground up to be “secure” in a white-box context

Focus of currently proposed dedicated ciphers:
• Unbreakability
  • Protection against key extraction
  • Given access to a white-box implementation, the attacker must not be able to extract the secret key embedded in the cipher
• Incompressibility
  • Given full access to a white-box cipher implementation, the attacker must not be able to produce a smaller implementation
• Mitigation against code lifting
  • Given “almost full” access to a white-box cipher implementation, the attacker must not be able to encrypt or decrypt any message with a significant probability
Proposals considered in this work

Proposals:
• SPACE [Bogdanov and Isobe, 2015]
• SPNbox [Bogdanov et al., 2016a]
• WEM [Cho et al., 2017]

Parameters:
• n_in: determines the lookup table input size of the ciphers
  • SPACE-16 ≡ SPACE instantiated with n_in = 16
  • We consider n_in equal to either 8 or 16 in this work
• R: number of rounds of the cipher

Previous works did not compare these proposals against each other in full!
SPACE Family of Ciphers

• Based on a Feistel Network
• In each round, the state is rotated left
• Number of rounds:
  • R = 128 for n_in = 16
  • R = 300 for n_in = 8

Figure: single round of SPACE-16
SPACE-16: Feistel function

In the black-box:
• Extract 16 bits from the state and concatenate them with a zero vector
• Encrypt with AES under the master key
• Discard 16 bits of the output and return the remaining 112 bits

In the white-box:
• Extract 16 bits from the state
• Encrypt with a 16-to-112-bit lookup table

For both: add the round constant to the result
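The two forms of the Feistel function above, as an added example that is not code from the original slides or from the SPACE authors. The 128-bit state is handled as eight 16-bit halfwords; the black-box F pads the 16-bit input with zeros, "encrypts" it and keeps 112 bits, and the white-box F is the 2^16-entry table produced by evaluating the black-box F once per input. Two assumptions: HMAC-SHA256 stands in for AES under the master key (no AES in the Python standard library; the structure around it is unchanged), and the round constant is taken to be the round index. The example also shows why the table only needs to map forward: the Feistel round is inverted without inverting F.

```python
import hmac
import hashlib

# SPACE-16 parameters from the slides: 128-bit state, n_in = 16, F outputs 112 bits
N_IN_BITS = 16
N_OUT_BYTES = 14          # 112 bits
STATE_WORDS = 8           # 128-bit state as 8 halfwords
ROUNDS = 128              # R = 128 for n_in = 16


def f_blackbox(key: bytes, x: int) -> int:
    """Black-box F: encrypt (16-bit x || 112 zero bits) under the master key, keep 112 bits.
    Assumption for this example: HMAC-SHA256 stands in for AES."""
    block = x.to_bytes(2, "big") + bytes(14)                 # 16 bits || zero vector
    out = hmac.new(key, block, hashlib.sha256).digest()[:16]  # one 128-bit "ciphertext"
    return int.from_bytes(out[2:], "big")                     # discard 16 bits, keep 112


def build_whitebox_table(key: bytes) -> list:
    """White-box F: the 16-to-112-bit lookup table (2^16 entries of 14 bytes)."""
    return [f_blackbox(key, x) for x in range(1 << N_IN_BITS)]


def split_state(block: bytes) -> list:
    return [int.from_bytes(block[i:i + 2], "big") for i in range(0, 16, 2)]


def join_words(words) -> bytes:
    return b"".join(w.to_bytes(2, "big") for w in words)


def round_forward(words, f, rc):
    """One round: F(x0) XOR (x1..x7) XOR rc becomes the new x0..x6 and the old x0
    is appended, which is the left rotation of the state."""
    x0, rest = words[0], words[1:]
    y = f(x0) ^ int.from_bytes(join_words(rest), "big") ^ rc
    y_bytes = y.to_bytes(N_OUT_BYTES, "big")
    return [int.from_bytes(y_bytes[i:i + 2], "big") for i in range(0, N_OUT_BYTES, 2)] + [x0]


def round_backward(words, f, rc):
    """Inverse round: x0 is the last word, so F is only ever evaluated forward."""
    x0 = words[-1]
    y = int.from_bytes(join_words(words[:-1]), "big")
    rest = (y ^ f(x0) ^ rc).to_bytes(N_OUT_BYTES, "big")
    return [x0] + [int.from_bytes(rest[i:i + 2], "big") for i in range(0, N_OUT_BYTES, 2)]


def encrypt(block: bytes, f, rounds: int = ROUNDS) -> bytes:
    words = split_state(block)
    for r in range(rounds):
        words = round_forward(words, f, r)   # round constant = round index (assumption)
    return join_words(words)


def decrypt(block: bytes, f, rounds: int = ROUNDS) -> bytes:
    words = split_state(block)
    for r in reversed(range(rounds)):
        words = round_backward(words, f, r)
    return join_words(words)


def demo() -> dict:
    key = bytes(range(16))                      # constructed master key
    table = build_whitebox_table(key)           # what the white-box binary ships
    f_bb = lambda x: f_blackbox(key, x)         # needs the key
    f_wb = lambda x: table[x]                   # key never appears, only the table
    pt = b"constructed blk!"                    # constructed 16-byte plaintext
    ct_bb = encrypt(pt, f_bb)
    ct_wb = encrypt(pt, f_wb)
    ct_other = encrypt(pt, lambda x: f_blackbox(b"other key", x))
    return {
        "same_ct": ct_bb == ct_wb,
        "roundtrip": decrypt(ct_wb, f_wb) == pt,
        "key_matters": ct_other != ct_bb,
        "ct_len": len(ct_wb),
        "table_bytes": len(table) * N_OUT_BYTES,
    }


if __name__ == "__main__":
    print(demo())
```

The table size returned by demo() (2^16 entries of 14 bytes, about 896 KiB) is the incompressibility cost the design pays: the white-box implementation carries the whole table in place of the key, and the comparison against the keyed black-box F confirms both describe the same cipher.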
White-box Even-Mansour (WEM) ciphers

Based on the Even-Mansour scheme:
• Keys are replaced by incompressible S-boxes
• The public permutation is defined as 5 rounds of AES with a zeroed key
• The proposed cipher uses 12 rounds
WEM: S-box generation

To generate each m-to-m S-box:
• Generate a long sequence of pseudo-random bits from the secret key k
• Generate the sequence T = (0, 1, ..., 2^m − 1)
• Shuffle T using the pseudo-random bits generated from k
SPNbox Family of Ciphers

Figure: one round of SPNbox-16’s outer cipher

Algorithm:
• Substitution Layer (S_{n_in}): divide the state into n_in-bit blocks and run a mini block cipher with a secret key on each block
• Permutation Layer (θ): multiply the state by a matrix over GF(2^{n_in})
• Affine Layer (σ): add a round constant
• Repeat for 10 rounds
SPNbox: small inner cipher

Figure: one round of SPNbox-32’s inner cipher

• A smaller SPN provides the substitution layer of its bigger counterpart
• Repurposes some AES operations:
  • SB uses the SubBytes operation from AES
  • MC uses the MixColumns operation from AES
  • AK is a simple key addition
• The number of rounds depends on its size n_in
• In a white-box context, this inner SPN cipher becomes a lookup table
Implementation
ARMv8-A Architecture

• 32 SIMD/NEON 128-bit registers (NEON mode):
  • each register can be interpreted as 16 bytes, 8 halfwords, 4 words or 2 doublewords
• Cortex-A75:
  • Two 8-stage NEON instruction pipelines
  • One separate load/store pipeline for NEON instructions
• Important NEON instructions: tbl/tbx, rev, ext
Pipeline vs. Cache Optimization

Figure: pipelined implementation (4-way)

Figure: horizontal implementation (“all blocks”-way)
SPACE and WEM Implementation details

WEM:
• Both horizontal and intercalated strategies have merit
• For the pipelined implementation, we separated the 16-to-16 lookup tables into two 16-to-8 tables:
  • This allows a lookup table to fit into the L2 cache on lower-end hardware
• Use hardware crypto extensions (AES functions)

SPACE:
• Benefits from pipelined memory access
• For a single block, only a couple of NEON operations:
  • A couple of eor additions
  • A byte rotation with an ext
• Favors large pipelined implementations, less suitable for H-way
• Pad the lookup table for better memory alignment
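The WEM S-box generation described earlier (key-derived pseudo-random bits, the sequence T = (0, ..., 2^m − 1), a shuffle) together with the 16-to-16 into two 16-to-8 table split from the implementation notes above, as an added example that is not code from the slides or from the WEM authors. Assumptions: m = 16, HMAC-SHA256 in counter mode stands in for whatever pseudo-random generator the design derives its bits from, and the shuffle is Fisher-Yates with rejection sampling so the permutation is drawn without modulo bias.

```python
import hmac
import hashlib

M = 16  # m-to-m S-box; m = 16 assumed for this example


class KeyedBitstream:
    """Pseudo-random bits derived from the secret key k.
    Assumption: HMAC-SHA256 over a counter stands in for the design's generator."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.buf = key, 0, b""

    def next_u32(self) -> int:
        if len(self.buf) < 4:
            msg = self.counter.to_bytes(8, "big")
            self.buf += hmac.new(self.key, msg, hashlib.sha256).digest()
            self.counter += 1
        v, self.buf = int.from_bytes(self.buf[:4], "big"), self.buf[4:]
        return v

    def below(self, n: int) -> int:
        """Uniform integer in [0, n) by rejection sampling (no modulo bias)."""
        limit = (1 << 32) - ((1 << 32) % n)
        while True:
            v = self.next_u32()
            if v < limit:
                return v % n


def generate_sbox(key: bytes, m: int = M) -> list:
    """WEM S-box: T = (0, 1, ..., 2^m - 1) shuffled (Fisher-Yates) with key-derived bits.
    The key never appears in the result; only the shuffled table is shipped."""
    bits = KeyedBitstream(key)
    table = list(range(1 << m))
    for i in range(len(table) - 1, 0, -1):
        j = bits.below(i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def invert_sbox(sbox: list) -> list:
    """Inverse table for decryption; exists because the shuffle yields a bijection."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def split_16_to_8(sbox: list):
    """Split one 16-to-16 table (128 KiB) into two 16-to-8 tables (64 KiB each):
    one holds the high byte of every entry, the other the low byte."""
    hi = bytes(v >> 8 for v in sbox)
    lo = bytes(v & 0xFF for v in sbox)
    return hi, lo


def lookup_split(hi: bytes, lo: bytes, x: int) -> int:
    """S-box lookup through the two half tables."""
    return (hi[x] << 8) | lo[x]


def demo() -> dict:
    key = b"constructed WEM key, not a real one"   # constructed secret key
    sbox = generate_sbox(key)
    inv = invert_sbox(sbox)
    hi, lo = split_16_to_8(sbox)
    return {
        "is_permutation": sorted(sbox) == list(range(1 << M)),
        "inverse_ok": all(inv[sbox[x]] == x for x in range(1 << M)),
        "split_ok": all(lookup_split(hi, lo, x) == sbox[x] for x in range(1 << M)),
        "deterministic": generate_sbox(key) == sbox,
        "differs_with_key": generate_sbox(b"other key") != sbox,
        "bytes_single": len(sbox) * 2,
        "bytes_split_each": len(hi),
    }


if __name__ == "__main__":
    print(demo())
```

The split costs one extra load per lookup but lets each half table sit in a 64 KiB footprint, which is the cache argument made in the implementation notes; the permutation and inverse checks are what a build step should verify before shipping a generated table.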
SPNbox Optimizations

• Allows for greater optimization opportunities
• Four main implementations: one block, multiple blocks (transposed), lookup-table multiplications, and horizontal
• Main point for optimization: its matrix multiplication (θ layer)
Single Block: Permutations and Multiplications

• Let T_i(S) = S × i:
  • Multiplication of the state S by a polynomial i translates to a series of constant-time polynomial additions and multiplications by x in GF(2^16):

    sshr v2.8h, v0.8h, #15    // v0 is the state; v2 lanes become 0xFFFF where the top bit is set
    shl  v0.8h, v0.8h, #1     // shift each halfword left by one (multiply by x)
    and  v2.8h, v1.8h, v2.8h  // v1 is the mask 0x002B
    eor  v0.8h, v0.8h, v2.8h  // reduce only the lanes that overflowed

• The result of R = M_16 × S can be written as:

  R = T_1(S) ⊕ P_1(T_3(S)) ⊕ P_2(T_4(S)) ⊕ P_3(T_5(S)) ⊕ P_4( T_6(S) ⊕ P_1(T_8(S)) ⊕ P_2(T_B(S)) ⊕ P_3(T_7(S)) )
Transposing Multiple Blocks

By transposing blocks we can eliminate permutations. The result R_i, for i from 0 to 7, can be seen as:

  R_i = T_{a_{i,0}}(S'_0) ⊕ T_{a_{i,1}}(S'_1) ⊕ T_{a_{i,2}}(S'_2) ⊕ T_{a_{i,3}}(S'_3) ⊕ T_{a_{i,4}}(S'_4) ⊕ T_{a_{i,5}}(S'_5) ⊕ T_{a_{i,6}}(S'_6) ⊕ T_{a_{i,7}}(S'_7)
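The θ layer arithmetic of the two slides above (the single-block formula with T_i and P_k, and the transposed form over eight blocks), as an added example that is not code from the slides or from the SPNbox authors. It works in GF(2^16) with the reduction constant 0x002B used as the mask in the NEON snippet, mirrors the four instructions in xtime16, and checks the permutation-based formula and the transposed formula against a plain matrix-vector product. The slides do not spell out P_1..P_4, so this example assumes P_k is the halfword index permutation j → j XOR k; under that assumption the formula equals the Hadamard-form matrix M[i][j] = a_{i XOR j} with (a_0..a_7) = (1, 3, 4, 5, 6, 8, B, 7), which is also what a_{i,j} means below.

```python
# GF(2^16) with reduction polynomial x^16 + x^5 + x^3 + x + 1: the low 16 bits of the
# polynomial are 0x002B, the mask held in v1 in the NEON snippet on the slides.
REDUCE = 0x002B
# Multipliers appearing in the slide formula, in Hadamard order (assumption, see lead-in)
A = [0x1, 0x3, 0x4, 0x5, 0x6, 0x8, 0xB, 0x7]


def xtime16(v: int) -> int:
    """Multiply one GF(2^16) element by x, as the four NEON instructions do per lane:
    sshr #15 yields 0xFFFF iff the top bit is set; shl #1 doubles; and/eor apply the
    reduction constant only in lanes that overflowed. No data-dependent branch."""
    mask = (-((v >> 15) & 1)) & 0xFFFF
    return ((v << 1) & 0xFFFF) ^ (mask & REDUCE)


def gf16_mul(v: int, c: int) -> int:
    """Multiply by a small public constant c using only xtime and additions.
    The loop shape depends on the constant c, never on the secret-dependent value v."""
    acc, cur = 0, v
    while c:
        if c & 1:
            acc ^= cur
        cur = xtime16(cur)
        c >>= 1
    return acc


def T(i: int, S: list) -> list:
    """T_i(S) = S x i, applied to every halfword of the state."""
    return [gf16_mul(s, i) for s in S]


def P(k: int, S: list) -> list:
    """Assumed P_k: halfword j moves to position j XOR k (k = 1 swaps neighbours,
    k = 2 swaps adjacent pairs, k = 4 swaps the two halves of the state)."""
    return [S[j ^ k] for j in range(len(S))]


def xor(*vecs: list) -> list:
    out = list(vecs[0])
    for v in vecs[1:]:
        out = [o ^ x for o, x in zip(out, v)]
    return out


def theta_formula(S: list) -> list:
    """R = T1(S) + P1(T3(S)) + P2(T4(S)) + P3(T5(S))
           + P4( T6(S) + P1(T8(S)) + P2(TB(S)) + P3(T7(S)) )   (+ is XOR)"""
    inner = xor(T(0x6, S), P(1, T(0x8, S)), P(2, T(0xB, S)), P(3, T(0x7, S)))
    return xor(T(0x1, S), P(1, T(0x3, S)), P(2, T(0x4, S)), P(3, T(0x5, S)), P(4, inner))


def theta_matrix(S: list) -> list:
    """Reference: R_i = XOR_j M[i][j] * S_j with M[i][j] = A[i ^ j]."""
    R = []
    for i in range(8):
        acc = 0
        for j in range(8):
            acc ^= gf16_mul(S[j], A[i ^ j])
        R.append(acc)
    return R


def theta_transposed(blocks: list) -> list:
    """Several blocks at once: S'_j holds halfword j of every block, so
    R_i = XOR_j T_{a_{i,j}}(S'_j) needs lane-wise multiplies and no permutation."""
    Sp = [[blk[j] for blk in blocks] for j in range(8)]                  # transpose in
    Rp = [xor(*[T(A[i ^ j], Sp[j]) for j in range(8)]) for i in range(8)]
    return [[Rp[i][b] for i in range(8)] for b in range(len(blocks))]    # transpose out


if __name__ == "__main__":
    S = [0x1234, 0xABCD, 0x0000, 0xFFFF, 0x8000, 0x0001, 0x002B, 0x7E57]  # constructed
    print(theta_formula(S) == theta_matrix(S))
```

The transposed form is what the multi-block NEON implementation exploits: with eight blocks loaded into eight registers lane-by-lane, every T_{a_{i,j}} is a pure lane-wise operation and the P_k shuffles disappear, at the cost of the transposition on load and store.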