ISAP: Towards Side-channel Secure AE
Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer
FSE 2017
www.iaik.tugraz.at

Introduction
- Problem: side-channel attacks
- Countermeasures: hiding, masking, threshold implementations (TI), ...
- Reduce the overhead of countermeasures: ASCON, KETJE/KEYAK, PRIMATES, SCREAM, ...
- Can we do more? Leakage-resilient (LR) and misuse-resistant (MR) AE [Ber+16]; ISAP
ISAP
- Authenticated encryption scheme following the requirements of the CAESAR call
- No assumptions on the choice of the nonce
- Provides protection against DPA for both encryption and decryption
- Solely based on sponges
- Limits the attack surface against SPA
SPA and DPA
- Simple Power Analysis (SPA): observe the device processing the same or only a few inputs; the measurements are interpreted directly.
- Differential Power Analysis (DPA): observe the device processing many different inputs; the number of inputs allows the use of statistical techniques.
Is DPA Still a Threat?
- A. Moradi and T. Schneider, Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series, COSADE 2016 [MS16]
- E. Ronen, C. O'Flynn, A. Shamir, and A.-O. Weingarten, IoT Goes Nuclear: Creating a ZigBee Chain Reaction, Cryptology ePrint Archive, Report 2016/1047, 2016 [Ron+16]
Fresh Re-keying [Med+10]
Figure: Tag and Reader. Both sides derive a session key K* = g(K, N) from the long-term key K and a nonce N; one side computes C = E(K*, P), the other recovers P = E^{-1}(K*, C).
Fresh Re-keying [Med+11]
Figure: Party 1 and Party 2. Each party contributes a nonce (N_a, N_b); both derive the session key K* from K and the nonces via g, then P is encrypted with E and decrypted with E^{-1} under K*.
What About Storage?
Figure: a single device derives K* = g(K, N), computes C = E(K*, P) and writes C to storage.
- Encryption is still fine: each write uses a fresh nonce N and hence a fresh session key K*.
- Decryption causes problems: stored data must be decryptable many times, so E^{-1} runs repeatedly under the same K*, which reopens the door to DPA.
Multiple Decryption
Retain the principles of fresh re-keying while allowing multiple decryption:
- DPA protection in storage settings [MS16]
- DPA protection in unidirectional/broadcast settings [Ron+16]
Principle of ISAP's Decryption
"Bind" the session key to the data that is decrypted.
Figure: the nonce N and the ciphertext C are hashed (H); the digest and K are fed to g to derive the MAC session key, and the MAC over (N, C) yields the tag T. Only after T has been verified is C decrypted (Dec) to P, under a session key that g derives from K and N.
ISAP's Authentication/Verification
Use a suffix MAC instead of hash-then-MAC.
Figure: a sponge with rate r_1 and capacity c_1 using the permutation p_a. The state is initialised with N || IV_1; the blocks of A and C_1, ..., C_t are absorbed with p_a between them. The k-bit value y taken from the state and the key K_A are fed to g to derive K_A*, which replaces the k-bit part of the state; a final p_a call produces the tag T.
Possible g to Absorb the Key K_A (input y, output K_A*)
- Modular multiplication [Med+10]
- LPN and LWE [Dzi+16]
- Sponges [TS14]: absorb y into a sponge state keyed with K_A (permutation p_a)
Absorbing the Key
- Idea: reduce the rate to a minimum [TS14]
- Related to the classical GGM construction [GGM86]
Figure: the state is initialised with K_A || IV_2; the bits y_1, y_2, ..., y_w are absorbed one at a time at rate r_2 (capacity c_2) with the permutations p_b and p_c between them; the k-bit output is K_A*.
ISAP's En-/Decryption
Figure: the state is initialised with K_E || IV_3; the nonce bits N_1, ..., N_u are absorbed one at a time at rate r_2 (capacity c_2, permutations p_b and p_c); afterwards keystream blocks are squeezed at rate r_3 (capacity c_3, permutation p_c) and XORed with P_1, ..., P_v to give C_1, ..., C_v.
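The three preceding slides (bit-wise re-keying g, suffix MAC, keystream sponge) together describe one construction. The following Python is an added example written for this page, not the authors' reference implementation: it builds Keccak-p[400, n_r] from the standard round definition and then assembles the ISAP-style structure with the parameters of the Instances slide (k = 128, r_1 = r_3 = 144 bits, r_2 = 1 bit, round counts a/b/c). Everything the slides leave open is an assumption of this example and is marked as such in the code: the IV values, the padding and A/C domain separation, the order of p_b/p_c calls in the re-keying, the use of one key for both K_A and K_E, and continuing the keystream sponge directly from the re-keyed state.

```python
import hmac

# --- Keccak-p[400, n_r]: 25 lanes of 16 bits; the last n_r of the 20 Keccak-f[400] rounds ---
W, MASK, NR_F = 16, 0xFFFF, 20
RC = [0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, 0x008A, 0x0088,
      0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]                    # ROT[x][y]

def _rol(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK if n else v

def keccak_p(state: bytes, nr: int) -> bytes:
    """Apply n_r rounds (theta, rho, pi, chi, iota) to a 50-byte state; lane (x, y) = bytes 2(x+5y)."""
    A = [int.from_bytes(state[2 * i:2 * i + 2], "little") for i in range(25)]
    for ir in range(NR_F - nr, NR_F):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]                          # theta
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(A[x + 5 * y], ROT[x][y])   # rho + pi
        A = [B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & B[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                          # chi
        A[0] ^= RC[ir]                                                     # iota
    return b"".join(l.to_bytes(2, "little") for l in A)

# --- Parameters from the Instances slide: k = 128, r_1 = r_3 = 144 bits, r_2 = 1 bit ---
K_BYTES, R_BYTES = 16, 18
ISAP_128, ISAP_128A = dict(a=20, b=12, c=12), dict(a=16, b=1, c=8)
IV1, IV2, IV3 = (bytes([t]) * 34 for t in (1, 2, 3))     # constructed 272-bit IVs (assumption)

def _xor_at(state, data, off=0):
    s = bytearray(state)
    for i, v in enumerate(data):
        s[off + i] ^= v
    return bytes(s)

def _pad(data):       # 0x80 0x00* padding up to whole r_1 blocks (assumed padding rule)
    data += b"\x80"
    return data + b"\x00" * (-len(data) % R_BYTES)

def isap_rk(key, iv, y, p):
    """Re-keying g(K, y): start from K || IV and absorb y one bit at a time (rate r_2 = 1).
    Every permutation input differs from an input the attacker may already have seen in at
    most one bit, so no secret state is ever processed with many varying inputs: the leakage
    is limited to SPA-type observations. Assumed schedule: p_c first and after the last bit,
    p_b between bits."""
    S = keccak_p(key + iv, p["c"])
    bits = [(byte >> j) & 1 for byte in y for j in range(8)]
    for i, bit in enumerate(bits):
        S = keccak_p(_xor_at(S, bytes([bit])), p["c"] if i == len(bits) - 1 else p["b"])
    return S                                              # full state; callers truncate

def isap_enc(key, nonce, data, p):
    """Keystream sponge: re-key with the nonce bits, then squeeze r_3-bit blocks with p_c.
    Encryption and decryption are the same XOR. The sponge continues straight from the
    re-keyed state, as drawn on the slide (assumption of this example)."""
    S, out = isap_rk(key, IV3, nonce, p), bytearray()
    for i in range(0, len(data), R_BYTES):
        block = data[i:i + R_BYTES]
        out += bytes(a ^ b for a, b in zip(block, S))
        S = keccak_p(S, p["c"])
    return bytes(out)

def isap_mac(key, nonce, ad, ct, p):
    """Suffix MAC: hash N, A, C with p_a at rate r_1; derive K_A* = g(K_A, y) from the k-bit
    digest y; overwrite the k-bit part of the state with K_A*; one more p_a; tag = first k bits."""
    S = keccak_p(nonce + IV1, p["a"])
    for data in (_pad(ad), _pad(ct)):
        for i in range(0, len(data), R_BYTES):
            S = keccak_p(_xor_at(S, data[i:i + R_BYTES]), p["a"])
        S = _xor_at(S, b"\x01", 49)                        # A/C domain separation (assumption)
    k_star = isap_rk(key, IV2, S[:K_BYTES], p)[:K_BYTES]
    return keccak_p(k_star + S[K_BYTES:], p["a"])[:K_BYTES]

def encrypt(key, nonce, ad, pt, p=ISAP_128A):
    ct = isap_enc(key, nonce, pt, p)                       # one key serves as K_E and K_A,
    return ct, isap_mac(key, nonce, ad, ct, p)             # separated by IV3 / IV2 (assumption)

def decrypt(key, nonce, ad, ct, tag, p=ISAP_128A):
    """Verify before decrypting: an attacker-chosen C only reaches the MAC, whose session key
    K_A* is freshly bound to (N, A, C); the keystream sponge runs only for authentic ciphertexts."""
    if not hmac.compare_digest(isap_mac(key, nonce, ad, ct, p), tag):
        return None
    return isap_enc(key, nonce, ct, p)
```

The two things worth checking against the slides are the rate of the re-keying (one bit per permutation call, so ISAP-128a spends 128 single-round calls per re-keying, which is where the Implementation slide's small initialisation cost comes from) and the order of operations in `decrypt`: the tag over the ciphertext is verified, in constant time, before any keystream is produced.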
Sponges and Side-channel Leakage
Figure: consecutive calls of the permutation p on a state with rate r and capacity c. If the attacker learns ℓ_i bits of the state around one call and ℓ_{i+1} bits around the next, the capacity effectively shrinks to c' = c − (ℓ_i + ℓ_{i+1}).
Instances
Permutation: Keccak-p[400, n_r] [Ber+14]. k is the security level in bits; r_1, r_2, r_3 are the rates in bits (MAC absorption, key absorption, keystream squeezing); a, b, c are the numbers of rounds of p_a, p_b, p_c.

Name       | k   | r_1 | r_2 | r_3 | a  | b  | c
ISAP-128   | 128 | 144 | 1   | 144 | 20 | 12 | 12
ISAP-128a  | 128 | 144 | 1   | 144 | 16 | 1  | 8
Implementation
Hardware implementation, one permutation round per cycle.

Function   | Area [kGE] | Initialization [cycles] | Initialization [µs] | Runtime per block [cycles] | Runtime per block [µs]
ISAP-128   | 14.0       | 3401                    | 20.1                | 36                         | 0.20
ISAP-128a  | 14.0       | 564                     | 3.3                 | 28                         | 0.16
Conclusion
- AE scheme following the requirements of the CAESAR call
- Provides protection against DPA for encryption and decryption
- Enables several use-cases: multiple decryption of stored data; unidirectional/broadcast communication
References
[Ber+14] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, and R. Van Keer. Ketje. Submission to the CAESAR competition: http://competitions.cr.yp.to, 2014.
[Ber+16] F. Berti, F. Koeune, O. Pereira, T. Peters, and F.-X. Standaert. Leakage-Resilient and Misuse-Resistant Authenticated Encryption. Cryptology ePrint Archive, Report 2016/996, 2016.
[Dzi+16] S. Dziembowski, S. Faust, G. Herold, A. Journault, D. Masny, and F.-X. Standaert. Towards Sound Fresh Re-keying with Hard (Physical) Learning Problems. CRYPTO 2016.
[GGM86] O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM 33:4, 1986.
[Med+10] M. Medwed, F.-X. Standaert, J. Großschädl, and F. Regazzoni. Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices. AFRICACRYPT 2010.
[Med+11] M. Medwed, C. Petit, F. Regazzoni, M. Renauld, and F.-X. Standaert. Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks. CARDIS 2011.
[MS16] A. Moradi and T. Schneider. Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series. COSADE 2016.
[Ron+16] E. Ronen, C. O'Flynn, A. Shamir, and A.-O. Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. Cryptology ePrint Archive, Report 2016/1047, 2016.
[TS14] M. M. I. Taha and P. Schaumont. Side-channel countermeasure for SHA-3 at almost-zero area overhead. HOST 2014.