more practical single trace attacks on the number
play

More Practical Single-Trace Attacks on the Number Theoretic - PowerPoint PPT Presentation

Jan 20, 2024 •939 likes •1.63k views

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 > www.iaik.tugraz.at www.iaik.tugraz.at

  1. SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 > www.iaik.tugraz.at

  2. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  3. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  4. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks 1 0 0 1 1 0 0 0 1 0 0 1 1 0 0 0  Power consumption trace of RSA decryption   Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  5. www.iaik.tugraz.at  Public-Key Crypto and Side-Channel Attacks 1 0 0 1 1 0 0 0 1 0 0 1 1 0 0 0  Power consumption trace of RSA decryption  Single-trace attacks are still a prime threat!  Peter Pessl, Graz University of Technolgy 2 LATINCRYPT 2019, October 02

  6. www.iaik.tugraz.at But RSA is old news anyway. . . Lattice-based cryptography promising post-quantum replacement implementations: fast and constant time / control flow Do we still need to worry about single-trace attacks? no more instruction leakage protection efforts towards differential (multi-trace) attacks Peter Pessl, Graz University of Technolgy 3 LATINCRYPT 2019, October 02

  7. www.iaik.tugraz.at But RSA is old news anyway. . . Lattice-based cryptography promising post-quantum replacement implementations: fast and constant time / control flow Do we still need to worry about single-trace attacks? no more instruction leakage protection efforts towards differential (multi-trace) attacks Peter Pessl, Graz University of Technolgy 3 LATINCRYPT 2019, October 02

  8. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  9. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  10. www.iaik.tugraz.at Previously: yes, but Our previous work: single-trace attack on the NTT N umber T heoretic T ransform, common in many lattice schemes combine template attacks (device profiling) with belief propagation but. . . attacked variable-time implementation large templating effort ( ≈ a million multivariate templates) Can we do better? Peter Pessl, Graz University of Technolgy 4 LATINCRYPT 2019, October 02

  11. www.iaik.tugraz.at Our Contribution Improve upon previous attack several improvements to belief propagation in this context change targets: encryption instead of decryption Attack constant-time ASM-optimized Kyber implementation massively reduced templating effort Peter Pessl, Graz University of Technolgy 5 LATINCRYPT 2019, October 02

  12. www.iaik.tugraz.at Our Contribution Improve upon previous attack several improvements to belief propagation in this context change targets: encryption instead of decryption Attack constant-time ASM-optimized Kyber implementation massively reduced templating effort Peter Pessl, Graz University of Technolgy 5 LATINCRYPT 2019, October 02

  13. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  14. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  15. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  16. www.iaik.tugraz.at Lattice-based Encryption (LPR, NewHope, Kyber, . . . ) "Noisy ElGamal" with polynomials in Z q [ x ] / � x n + 1 � Key Generation: generate small error polynomials s , e t = a · s + e pk = ( a , t ) , sk = s Encryption: generate small error polynomials r , e 1 , e 2 c 1 = a · r + e 1 c 2 = t · r + e 2 + m Decryption: m ≈ c 2 − s · c 1 Peter Pessl, Graz University of Technolgy 6 LATINCRYPT 2019, October 02

  17. www.iaik.tugraz.at Number Theoretic Transform Naive polynomial multiplication: O ( n 2 ) Better: N umber T heoretic T ransform (NTT) ≈ FFT in Z q [ x ] , runtime O ( n log n ) pointwise mult. of NTT-transformed: a · b = INTT ( NTT ( a ) ◦ NTT ( b )) Peter Pessl, Graz University of Technolgy 7 LATINCRYPT 2019, October 02

  18. www.iaik.tugraz.at Number Theoretic Transform Naive polynomial multiplication: O ( n 2 ) Better: N umber T heoretic T ransform (NTT) ≈ FFT in Z q [ x ] , runtime O ( n log n ) pointwise mult. of NTT-transformed: a · b = INTT ( NTT ( a ) ◦ NTT ( b )) Peter Pessl, Graz University of Technolgy 7 LATINCRYPT 2019, October 02

  19. www.iaik.tugraz.at Butterfly 𝑦 0 𝑦 ̂ 0 𝜕 𝑦 1 𝑦 ̂ 1 -1 Butterfly = 2-coefficient NTT Peter Pessl, Graz University of Technolgy 8 LATINCRYPT 2019, October 02

  20. www.iaik.tugraz.at Butterfly Network 𝑦 0 𝑦 ̂ 0 𝜕 n 0 𝑦 2 𝑦 ̂ 1 -1 𝜕 n 0 𝑦 ̂ 2 𝑦 1 -1 0 1 𝜕 n 𝜕 n 𝑦 3 𝑦 ̂ 3 -1 -1 4-coefficient NTT Peter Pessl, Graz University of Technolgy 9 LATINCRYPT 2019, October 02

  21. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  22. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  23. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 -1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  24. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 1. Template matching Profile power consumption of mult. 𝜕 Match profiles (templates) for 𝑦 1 𝑦 ̂ 1 -1 probability distribution Peter Pessl, Graz University of Technolgy 10 LATINCRYPT 2019, October 02

  25. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 2. Belief propagation Represent NTT with a graphical model 𝜕 Pass beliefs along edges and update 𝑦 1 𝑦 ̂ 1 Repeat until convergence reached Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

  26. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 𝑦 0 𝑦 ̂ 0 2. Belief propagation Represent NTT with a graphical model 𝜕 Pass beliefs along edges and update 𝑦 1 𝑦 ̂ 1 Repeat until convergence reached Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

  27. www.iaik.tugraz.at Previous Single-Trace Attack on the NTT Recover secret NTT input with: 2. Belief propagation 𝑦 0 𝑔 𝑦 ̂ 0 add Represent NTT with a graphical model Pass beliefs along edges and update Repeat until convergence reached 𝑦 1 𝑦 ̂ 1 𝑔 sub Peter Pessl, Graz University of Technolgy 11 LATINCRYPT 2019, October 02

Recommend

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

569 views • 39 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

1.43k views • 103 slides
An approach to computing the number of finite field elements with prescribed trace and co-trace

An approach to computing the number of finite field elements with prescribed trace and co-trace

An approach to computing the number of finite field elements with prescribed trace and co-trace Yuri Borissov Institute of Mathematics and Informatics, BAS, Bulgaria joint work with A. Bojilov and L. Borissov Faculty of Mathematics and

756 views • 44 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What

Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What

Practical investigation 2.2 Diffraction through a single slit 1. Investigative question What is the relationship between the width of a single slit and the diffraction pattern observed through the single slit? Method Hold a glass

599 views • 14 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor, Electrical & Computer Engineering + Computer Science Director, Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula, Mike

754 views • 31 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science & Technology 1 Outline [Shokri+,S&P11] [Gambs+,JCSS14]

370 views • 19 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe

Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe

Updated Recommendations for Blinded Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe Clavier XLIM-CNRS Limoges University, France Benoit Feix UL Security Lab, UK XLIM, Limoges University, France

462 views • 24 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP #1 ISP NIC.br NIC.MX LIRs/ISPs

919 views • 40 slides

More recommend