  1. SCARE of Secret Ciphers with SPN Structures
     Matthieu Rivain, joint work with Thomas Roche (ANSSI)
     ASIACRYPT 2013 – December 3rd

  2. Outline
     1 Introduction
     2 Substitution-Permutation Networks
     3 Basic SCARE of Classical SPN Structures
     4 SCARE in the Presence of Noisy Leakage
     5 Attack Experiments

  4. Introduction
     SCARE: Side-Channel Analysis for Reverse Engineering
     • private code recovery
     • secret crypto design recovery ⇐ this paper
     • usual in mobile SIM / pay-TV cards

  7. Previous works
     [Novak, ACNS 2003]
     • secret instance of the GSM A3/A8 algorithm
     • side-channel assumption: detection of colliding s-boxes
     • recovery of one secret s-box
     [Clavier, ePrint 2004 / ICISS 2007]
     • recovery of the two s-boxes and the secret key

  8. Limitations
     • Target: specific cipher structure
     • Assumption: idealized leakage model ⇒ perfect collision detection
     Our work
     • Consider a generic class of ciphers: Substitution-Permutation Networks (SPN)
     • Relax the idealized leakage assumption
       ◮ consider noisy leakages
       ◮ experiments in a practical leakage model

  9. Further works
     [Daudigny et al., ACNS 2005] (DES)
     [Réal et al., CARDIS 2008] (hardware Feistel)
     [Guilley et al., LATINCRYPT 2010] (stream ciphers)
     [Clavier et al., INDOCRYPT 2013] (modified AES)

  10. Outline (section divider: 2 Substitution-Permutation Networks; same outline as slide 2)

  11. Substitution-Permutation Networks
     [figure: $p \to k_1 \to \rho \to k_2 \to \rho \to \cdots \to k_r \to \rho \to c$, i.e. round-key addition followed by the round function $\rho$, repeated $r$ times]
     We consider two types of round functions:
     • Classical SPN structures ⇐ this talk
     • Feistel structures

  13. Classical SPN Structure
     [figure: one round – addition of $k_i$, $n$ parallel s-box computations $S$, then the linear layer $\lambda$]
     • State: $n \times m$ bits
     • $n$ s-box computations
     • $m$-bit s-box inputs
     $$\lambda : \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \mapsto \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,n} \end{pmatrix} \cdot \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}, \quad \text{with } a_{i,j} \in \mathbb{F}_{2^m}.$$

  14. Outline (section divider: 3 Basic SCARE of Classical SPN Structures; same outline as slide 2)

  15. Attacker Model
     Basic assumption: colliding s-box computations can be detected from the side-channel leakage. Specifically, we assume that the attacker is able to
     (i) identify the s-box computations in the side-channel leakage trace and extract the leakage corresponding to each s-box computation,
     (ii) decide, from their respective leakages, whether two s-box computations $y_1 \leftarrow S(x_1)$ and $y_2 \leftarrow S(x_2)$ are such that $x_1 = x_2$ or not.

  16. Equivalent Representations
     One cipher has several representations
     1. Change the s-box: $S'(x) = S(x \oplus \delta)$ and the round keys: $k'_i = (k_{i,1} \oplus \delta,\, k_{i,2} \oplus \delta,\, \dots,\, k_{i,n} \oplus \delta)$
     2. Change the s-box: $S'(x) = \alpha \cdot S(x)$ and the matrix coefficients: $a'_{i,j} = a_{i,j} / \alpha$
     The attack can recover the cipher up to equivalent representations
     We fix a representation by setting $k_{1,1} = 0$ and $a_{1,1} = 1$

  20. Stage 1: Recovering $k_1$
     [figure: first-round s-box computations $S_1, S_2, \dots, S_n$ on plaintext cells $p_1, p_2, \dots, p_n$ (the other cells fixed to $p_0$); a collision between two of them is detected from the leakage]
     $p_1 \oplus k_{1,1} = p'_2 \oplus k_{1,2} \;\Rightarrow\; k_{1,2} = p_1 \oplus p'_2 \oplus k_{1,1}$
     $p_2 \oplus k_{1,2} = p'_n \oplus k_{1,n} \;\Rightarrow\; k_{1,n} = p_2 \oplus p'_n \oplus k_{1,2}$
     and so on ...

  29. Stage 2: Recovering $\lambda$, $S$ and $k_2$
     [figure: leakage basis – first-round s-box computations $S(0), S(1), \dots, S(2^m - 1)$; 2nd round – s-box computations on inputs $w_1 \oplus k_{2,1}, \dots, w_n \oplus k_{2,n}$; each second-round computation is matched to the colliding basis entry]
     $w_1 \oplus k_{2,1} = \beta_1$
     $w_2 \oplus k_{2,2} = \beta_2$
     $\vdots$
     $w_n \oplus k_{2,n} = \beta_n$

  40. Stage 2: Recovering $\lambda$, $S$ and $k_2$
     We have
     $$\begin{pmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{pmatrix} \oplus \begin{pmatrix} k_{2,1} \\ k_{2,2} \\ \vdots \\ k_{2,n} \end{pmatrix} = \begin{pmatrix} \beta_1 \\ \beta_2 \\ \vdots \\ \beta_n \end{pmatrix}, \qquad \begin{pmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,n} \end{pmatrix} \cdot \begin{pmatrix} S(p_1 \oplus k_{1,1}) \\ S(p_2 \oplus k_{1,2}) \\ \vdots \\ S(p_n \oplus k_{1,n}) \end{pmatrix}$$
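The following toy-scale simulation is an added illustration of slides 16–41 and is not the authors' code. It builds a small classical SPN, implements the idealized collision oracle of slide 15 (the leakage of an s-box computation is taken to be its input, so the oracle simply compares inputs), and then checks three things the slides state: that the two equivalent representations encrypt identically, that Stage 1 recovers $k_1$ in the representation $k_{1,1} = 0$ (so the recovered values are the true ones shifted by $\delta = k_{1,1}$), and that the leakage-basis matching of Stage 2 yields $\beta = \lambda(S(p \oplus k_1)) \oplus k_2$ in that same representation. Assumptions not on the slides: $m = n = 4$, $\mathbb{F}_{2^4}$ with reduction polynomial $x^4 + x + 1$, a constructed s-box, matrix and pair of round keys, and a Stage 1 variant that collides every cell against cell 1 instead of chaining cell to cell (the relation used is the same).

```python
"""Toy classical SPN plus an idealized collision oracle (constructed example, not the paper's code)."""

M, N = 4, 4                  # m-bit s-box inputs, n cells per state (assumption: m = n = 4)
POLY = 0b10011               # GF(2^4) reduction polynomial x^4 + x + 1 (assumption)

# Constructed secret cipher: 4-bit bijection S, matrix A over GF(2^4) with a_{1,1} = 1, round keys k_1, k_2.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
A = [[1, 1, 2, 3], [3, 1, 1, 2], [2, 3, 1, 1], [1, 2, 3, 1]]
KEYS = [[0x7, 0x3, 0xA, 0x1], [0x2, 0xF, 0x4, 0x9]]

def gf_mul(a, b):
    """Multiply two elements of GF(2^4)."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^4), found exhaustively."""
    return next(b for b in range(1, 1 << M) if gf_mul(a, b) == 1)

def lam(vec, matrix):
    """Linear layer lambda: matrix times state vector over GF(2^m)."""
    out = []
    for row in matrix:
        acc = 0
        for a, x in zip(row, vec):
            acc ^= gf_mul(a, x)
        out.append(acc)
    return out

def run(p, keys=KEYS, sbox=SBOX, matrix=A):
    """Encrypt p round by round; return (s-box inputs per round, ciphertext).
    The per-round s-box inputs are what the idealized leakage model exposes."""
    state, trace = list(p), []
    for k in keys:
        x = [s ^ kj for s, kj in zip(state, k)]       # key addition
        trace.append(x)
        state = lam([sbox[v] for v in x], matrix)     # substitution, then diffusion
    return trace, state

def collide(t1, r1, j1, t2, r2, j2):
    """Idealized collision oracle (assumption (ii)): equal s-box inputs in the two computations?"""
    return t1[r1][j1] == t2[r2][j2]

def equivalent_representations(delta, alpha):
    """Slide 17: S'(x) = S(x ^ delta) with all round keys shifted by delta, and S''(x) = alpha * S(x)
    with a''_{i,j} = a_{i,j} / alpha, both encrypt exactly like the original cipher."""
    s1 = [SBOX[x ^ delta] for x in range(1 << M)]
    keys1 = [[kj ^ delta for kj in k] for k in KEYS]
    s2 = [gf_mul(alpha, SBOX[x]) for x in range(1 << M)]
    a2 = [[gf_mul(a, gf_inv(alpha)) for a in row] for row in A]
    p = [0x3, 0x9, 0xC, 0x6]                          # constructed test plaintext
    ref = run(p)[1]
    return run(p, keys1, s1)[1] == ref and run(p, KEYS, s2, a2)[1] == ref

def stage1_recover_k1():
    """Stage 1: fix k_{1,1} = 0, then sweep plaintext cell j until S_j collides with S_1
    (cell 1 = 0); the collision gives k_{1,j} = p_1 ^ p'_j ^ k_{1,1}."""
    k1 = [0] * N
    ref = run([0] * N)[0]
    for j in range(1, N):
        for v in range(1 << M):
            p = [0] * N
            p[j] = v
            if collide(ref, 0, 0, run(p)[0], 0, j):
                k1[j] = 0 ^ v ^ k1[0]
                break
    return k1

def leakage_basis(k1):
    """Stage 2 reference traces: for each x, an S_1 computation with input x in the recovered
    representation (plaintext cell 1 = x ^ k'_{1,1})."""
    return [run([x ^ k1[0]] + [0] * (N - 1))[0] for x in range(1 << M)]

def stage2_betas(p, basis):
    """beta_j = index of the basis entry colliding with second-round s-box j of plaintext p,
    i.e. w_j ^ k_{2,j} in the recovered representation."""
    t = run(p)[0]
    return [next(x for x in range(1 << M) if collide(basis[x], 0, 0, t, 1, j)) for j in range(N)]

def check_stage2_equation(p):
    """Slide 41: beta = A * (S(p_j ^ k_{1,j}))_j ^ k_2, here seen through the recovered
    representation, i.e. the true values shifted by delta = true k_{1,1}."""
    betas = stage2_betas(p, leakage_basis(stage1_recover_k1()))
    delta = KEYS[0][0]
    w = lam([SBOX[pj ^ kj] for pj, kj in zip(p, KEYS[0])], A)
    return betas == [wj ^ k2j ^ delta for wj, k2j in zip(w, KEYS[1])]

if __name__ == "__main__":
    print("equivalent representations agree:", equivalent_representations(0x5, 0x7))
    print("recovered k_1:", stage1_recover_k1(), "true k_1 xor k_{1,1}:", [k ^ KEYS[0][0] for k in KEYS[0]])
    print("stage-2 equation holds:", check_stage2_equation([0x3, 0x9, 0xC, 0x6]))
```

Two points the run makes concrete. Stage 1 needs at most $2^m$ chosen plaintexts per cell, and what it returns is $k_{1,j} \oplus k_{1,1}$, not $k_{1,j}$: the true $k_{1,1}$ is the $\delta$ of representation 1 and is invisible to a collision oracle, which is exactly why the slides fix $k_{1,1} = 0$. In Stage 2 the basis index that collides with a second-round s-box is likewise the true input shifted by the same $\delta$, so the vector equation of slide 41 holds in the recovered representation with no further correction; the design consequence for an implementer is that any countermeasure must break assumption (ii), since given a reliable collision oracle the rest is bookkeeping.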
