Fresh Re-Keying: Security against Side-Channel and Fault Attacks - PowerPoint PPT Presentation


  1. VLSI Institute for Applied Information Processing and Communications (IAIK), VLSI & Security
     Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices
     Marcel Medwed, François-Xavier Standaert, Johann Großschädl, Francesco Regazzoni
     TU Graz / IAIK / VLSI, http://www.iaik.tugraz.at
     AFRICACRYPT 2010

  2. - Implementation Attacks
     - Fresh Re-keying
     - Hardware Architecture
     - Security Analysis
     - Further research and Conclusions

  3. Attack                     | Simple Power Analysis                             | Differential Power Analysis                | Differential Fault Analysis
     # Invocations              | One or few power traces                           | 10s - 100s power traces                    | 2+ encryptions under the same key and plaintext
     Goals (in symmetric setup) | Extract Hamming weights of intermediate values    | Exhaustively recover sub-keys              | Reduce key entropy to allow exhaustive search
     Uses...                    | Profiling and good knowledge about implementation | Divide-and-conquer approach and statistics |

  4. - Input m
     - Output {c, r}
     - f_k* is e.g. AES with session key
     - g_k(r) does the re-keying
     - Just shift the problem to g_k(r)? Yes, but g_k(r) will be easy to protect

  5. - P1: Diffusion
     - P2: No need for synchronization
     - P3: No additional key material
     - P4: Little hardware overhead
     - P5: Easy to protect against SCA
     - P6: Regularity
     k* = Hash_k(r)
     k* = k xor r
     k* = k * r (mod GF(2^8)[y]/(y^16 + 1))

  6. - Implementation Attacks
     - Fresh Re-keying
     - Hardware Architecture
       - Shuffling
       - Secure Logic
       - Blinding
       - Post synthesis results
     - Security Analysis
     - Further research and Conclusions

  7. (Diagram: digit-wise product of r = (r2, r1, r0) and k = (k2, k1, k0), three digits shown, with the partial products wrapping around cyclically)
     k0 row: r2*k0  r1*k0  r0*k0
     k1 row: r1*k1  r0*k1  r2*k1
     k2 row: r0*k2  r2*k2  r1*k2
     Column sums give the session-key digits k*2, k*1, k*0.

  8. - Use randomized, redundant representation of data
     - Addition and multiplication are distributive
     - k* = k * r = (k + b) * r + b * r
     - Allows arbitrary blinding order

  9. (Chart: Area (kGE), 0 to 25, against blinding order 0 to 3, for the designs AES, pAES, g+AES and g-pMAC+AES)

  10. - Implementation Attacks
      - Fresh Re-keying
      - Hardware Architecture
      - Security Analysis
        - Choice of k
        - Security against DFA
        - Component-wise Security (SPA and DPA)
        - Security of the Complete Scheme (D&C)
      - Further research and Conclusions

  11. - Not every ring element is a unit
      - Choosing a multiple of (y + 1) leads to a reduced session-key space
      - Accounts for a loss of entropy of 0.0056 bits out of 128

  12. - DFA needs 2+ encryptions under the same key
      - Re-keying thus provides a solid protection

  13. - SPA and DPA against g
        - Blinding
        - Shuffling
        - Secure Logic
      - An adversary might get Hamming weights of result digits with unknown indices
      - SPA on AES
        - Shuffling

  14. - One bit of k* depends on HW(r) bits of k
      - #bits for hypothesis usually > 1
      - #traces for attack usually > 1
      - #bits in total

  15-16. - Observe traces with HW(r) less than or equal to 15
         - Need to record ~ n_t * 2^44 traces
         - Set n_t = 5 and n_g = 1
         - 2^60 hypotheses

  17. - Implementation Attacks
      - Fresh Re-keying
      - Hardware Architecture
      - Security Analysis
      - Further research and Conclusions
        - Algebraic Side-Channel Attacks
        - The best Choice for g
        - Two parties

  18. - g has a simple structure
      - Thus ASCA is likely to apply
      - Shuffling thwarts basic ASCA
      - Topic is recent, needs further investigation

  19. - We picked g since it fulfills the minimum requirements
      - There might be better choices
      - Randomness extractors?

  20. - How to extend the scheme to two parties
      - Restrict the choice of r
      - Does coding theory help?

  21. - Fresh re-keying separates the system into an SCA target and a cryptanalysis target
      - SCA target generates the session key, is small and is easy to protect
      - Complete solution is more efficient than previous proposals (area and security)
      - Only one party can be protected
      - Lots of further research...

  22. VLSI Institute for Applied Information Processing and Communications (IAIK), VLSI & Security
      Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices
      Marcel Medwed, François-Xavier Standaert, Johann Großschädl, Francesco Regazzoni
      TU Graz / IAIK / VLSI, http://www.iaik.tugraz.at
      AFRICACRYPT 2010
