how to mask s boxes of a block cipher against side
play

How to mask S-Boxes of a block cipher against side channel attacks. - PowerPoint PPT Presentation

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation


  1. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha¨ el Quisquater University of Versailles (UVSQ), France July 4th, 2013 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  2. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion Introduction 1 Block Cipher Logical Attacks Side Channel Attacks SPA DPA Masking Masking based on Look-up tables 2 How to mask (additively) basic operations? 3 Masking linear transformation Masking translation Masking multiplication Method based on multiplicative masking 4 Multiplicative masking Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  3. Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on ”Square and Multiply” and addition chains Method based on the tower field representation Conclusion Akkar and Giraud Zero-attack Trichina, De Seta and Germani Attacks by Akkar, B´ evan and Goubin Genelle, Prouff and Q. Extension at order d: Genelle, Prouff and Q. Method based on ”Square and Multiply” and addition chains 5 ”Square & Multiply”: BMK and addition chains 6 Method based on the tower field representation Finite Fields Oswald, Mangard, Pramstaller and Rijmen Kim, Hong and Lim Conclusion 7 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  4. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Block Cipher Key scheduling Rounds Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  5. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Block cipher: SP network Addition of the key S-Boxes LT: Linear transformation Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  6. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Logical Attacks Available data : plaintexts and/or ciphertexts Goal : estimation of the key used to generate the data. Exemples: Exhaustive search Linear and differential cryptanalysis Slide attack Algebraic attack ... Counter-measure : use components with good cryptographic properties in the design of the algorithm Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  7. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Side Channel Attacks Available data : plaintexts and/or ciphertexts + physical measures corresponding to the execution of the algorithm on those data. Goal : estimation of the key used to generate the data. Examples: Timing attacks Acoustical attacks Electromagnetic attacks (Differential) Power attacks ... Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  8. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Power attacks Computation = modification of the state of a logical gate. Logical gate = transistor circuit. Consumption of a transistor depends on its state (or the transition between states). CCL: consumption of the execution of an algorithm depends on the values of the data, instructions (logical gates) and noise. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  9. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion SPA (Simple Power Analysis) Example: execution of the RSA Instructions that are executed depend on the value of the key (exponent): 1 ⇒ ”square and multiply” 0 ⇒ ”square” Correlation between the shape of the electrical consumption signal and the value of the key bits of the exponent Example above : (0, 1, 0, 1 ,1 ,0). Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  10. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion DPA (Differential power analysis) Let us apply the SPA to the DES: Clear distinction of the computation of IP , the 16 rounds and IPinv. Dependency between the signal and the used key seems less obvious comparing to the case of RSA ⇒ other method = Differential Power Analysis. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  11. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Principle of the DPA The evaluation of a block cipher A K ( x ) (encryption or decryption) may be considered as a sequence of intermediate results: I 1 ( x , k ) , I 2 ( x , k ) , . . . , I t ( x , k ) The DPA focus on the power consumption related to some of these intermediated (target) values. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  12. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Principle of the DPA (cont.) Idea of the DPA (order 1) : For each guess ˆ K on a part K of the key, build two subsets, i.e. S 0 ( ˆ K ) et S 1 ( ˆ K ) , from the available data (plaintext, ciphertext or parts of them) such that: If ˆ K = K , the average of the power consumption related to 1 the target value taken on the data S 0 ( ˆ K ) is greater than the one taken on the data S 1 ( ˆ K ) ⇒ Right Guess If ˆ K � = K the averages are indistinguable ⇒ Wrong Guess 2 Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

  13. Introduction Block Cipher Masking based on Look-up tables Logical Attacks How to mask (additively) basic operations? Side Channel Attacks Method based on multiplicative masking SPA Method based on ”Square and Multiply” and addition chains DPA Method based on the tower field representation Masking Conclusion Counter-measure against DPA: Masking (cont.) Counter-measures: to thwart the ability to build the sets ( S 1 ( ˆ K ) , S 2 ( ˆ K )) with the required properties. ⇒ Masking = introduce randomness in the targets. Examples based on the one time pad : Additive masking: replace I ( x , s ) by I ( x , s ) ⊕ r ( r is random) if I ( x , s ) belongs to an additive group. Multiplicative masking: replace I ( x , s ) by I ( x , s ) ⊗ r ( r is random) if I ( x , s ) belongs to a multiplicative group. Micha¨ el Quisquater How to mask S-Boxes of a block cipher against side channel attac

Recommend


More recommend