single trace attacks on keccak
play

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter - PowerPoint PPT Presentation

May 21, 2023 •174 likes •569 views

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

  1. Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology

  2. Side-Channel Attacks on Hash Functions? ❼ Plain hashing has no secrets, but there are keyed uses ❼ HMAC? Classic DPA setting, threat is obvious. . . ❼ Keccak (SHA3/SHAKE) found ample new uses involving secrets ❼ . . . especially in post-quantum cryptography 1 Single-Trace Attacks on Keccak — CHES 2020

  3. Side-Channel Attacks on Hash Functions? ❼ Keccak uses in PQC include ❼ derivation of a shared secret in a KEM ❼ expansion of a secret seed in KEMs and signatures ❼ hash-based signatures ❼ Above: side-channel attacker is limited to a single execution ❼ at most averaging, but still no DPA Are attacks even possible? Are countermeasures still needed? 2 Single-Trace Attacks on Keccak — CHES 2020

  4. Our Contribution ❼ Practical single-trace attack on Keccak (software) implementations ❼ Soft-analytical side-channel attack (SASCA) 1. Template matching: retrieve probabilities of intermediates 2. Belief propagation: combine all probabilities to infer most likely key ❼ thus far: mainly applied to AES, but Keccak structurally very different ❼ Attack outcome ❼ key-recovery in a large array of settings, countermeasures cannot be omitted ❼ factors influencing the success rate: key size, bit width of device, structure of input 3 Single-Trace Attacks on Keccak — CHES 2020

  5. ❼ ❼ ❼ ❼ ❼ ❼ Keccak m 0 m 1 ❼ Sponge construction, 1600-bit state H 0 H 1 ⊕ ⊕ 0 r ... f f f f 0 c Absorb Squeeze 4 Single-Trace Attacks on Keccak — CHES 2020

  6. ❼ ❼ ❼ ❼ ❼ Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation 4 Single-Trace Attacks on Keccak — CHES 2020

  7. ❼ ❼ ❼ ❼ Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation ❼ θ - add column parities � � � 4 Single-Trace Attacks on Keccak — CHES 2020

  8. ❼ ❼ ❼ Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation ❼ θ - add column parities ❼ ρ - rotate lanes 4 Single-Trace Attacks on Keccak — CHES 2020

  9. ❼ ❼ Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation ❼ θ - add column parities ❼ ρ - rotate lanes ❼ π - reorder lanes 4 Single-Trace Attacks on Keccak — CHES 2020

  10. ❼ Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation ❼ θ - add column parities ❼ ρ - rotate lanes ❼ π - reorder lanes ❼ χ - SBox 4 Single-Trace Attacks on Keccak — CHES 2020

  11. Keccak ❼ Sponge construction, 1600-bit state ❼ Keccak- f permutation ❼ θ - add column parities ❼ ρ - rotate lanes ❼ π - reorder lanes ❼ χ - SBox ❼ ι - add round constant 4 Single-Trace Attacks on Keccak — CHES 2020

  12. Attack Setting ❼ Unprotected software implementation on a ➭ C ❼ (Part of) the input is secret m 0 m 1 H 0 ❼ and used only once ⊕ ⊕ 0 r ❼ Power measurements of a single execution ... f f f 0 c ❼ no differential SCA ❼ have to use (some sort of) templates 5 Single-Trace Attacks on Keccak — CHES 2020

  13. Template Attacks on Hash Functions ❼ Typical restrictions of template attacks ❼ need templating device with known key ❼ poor portability of templates between devices ❼ Same for Keccak? ❼ often multiple calls inside a PK scheme, some with fully known data ❼ message hash during signing, re-encryption in decapsulation, . . . Profiling directly on target device! no separate profiling device needed, no portability problems 6 Single-Trace Attacks on Keccak — CHES 2020

  14. Step 1: Template Matching ❼ Templating target: all loads/stores ❼ HW leakage along lanes 64 ❼ assign probability vector to each part ❼ Now: combine all side channel info to find most likely key ❼ efficient method: Soft Analytical Side-Channel Attacks (SASCA) [Veyrat-Charvillon et al., ASIACRYPT 2014] 7 Single-Trace Attacks on Keccak — CHES 2020

  15. ❼ ❼ ❼ ❼ Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X Z Y 8 Single-Trace Attacks on Keccak — CHES 2020

  16. ❼ ❼ ❼ ❼ Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z Y 8 Single-Trace Attacks on Keccak — CHES 2020

  17. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  18. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  19. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  20. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  21. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  22. Step 2: SASCA / Belief Propagation 1. model implementation as a factor graph ❼ variable nodes ❼ factor nodes ❼ example: X ⊕ Y = Z X 2. incorporate leakage information in graph Z 3. run Belief Propagation Y ❼ goal: find marginals of variables ❼ message passing principle ❼ simplest version: enumerate inputs ❼ important: avoid circular reasoning 8 Single-Trace Attacks on Keccak — CHES 2020

  23. A First Factor Graph of Keccak ❼ Bitwise description ❼ each bit after each step is a variable ❼ Terrible performance . . . ❼ leakage on bytes/words, not bits ❼ lots of information lost during propagation 9 Single-Trace Attacks on Keccak — CHES 2020

  24. Solution: Clustering ❼ Cluster multiple bits in a single variable node ❼ bits along a lane ❼ ideally: no spreading of side-channel info ❼ Cluster size vs. resource usage 64 ❼ runtime and memory: exp. in cluster size ❼ we support 8-bit and 16-bit clusters 10 Single-Trace Attacks on Keccak — CHES 2020

  25. Clustering: Misalignment ❼ Problem: misalignment of clusters ❼ previous SASCA on AES: operations on bytes A ❼ Keccak operations not aligned ❼ Example: A ⊕ ROT( B , 4) ❼ Need to split clusters ROT(B, 4) ❼ requires extraction of marginals 11 Single-Trace Attacks on Keccak — CHES 2020

  26. Clustering: Handling θ I ❼ Computation of column parity I ❼ 5-input ⊕ node (efficient propagation) ❼ enumeration of all possible values: 2 40 (8-bit cluster) I P ❼ solution: fast convolution of distributions using I Walsh-Hadamard transform I 12 Single-Trace Attacks on Keccak — CHES 2020

  27. ❼ ❼ ❼ Clustering: Further Considerations ❼ Handling χ ❼ break up clusters to deal with invertability 13 Single-Trace Attacks on Keccak — CHES 2020

  28. Clustering: Further Considerations ❼ Handling χ ❼ break up clusters to deal with invertability A B C D ❼ Handling 32-bit leakage ❼ found efficient method to combine leakage ❼ convolution instead of enumeration 13 Single-Trace Attacks on Keccak — CHES 2020

  29. Attack Runtime ❼ Open-source Python implementation of BP on Keccak https://github.com/keccaksasca/keccaksasca ❼ Restriction to first two rounds of Keccak- f ❼ Runtime per BP iteration (updating all nodes once) ❼ 8-bit clusters: ∼ seconds on single core ❼ 16-bit clusters: ∼ 1 minute using 44 cores ❼ 8-bit clusters sufficient in most cases ❼ BP: iterative algorithm, repeat until convergence. ❼ typically < 10 iterations 14 Single-Trace Attacks on Keccak — CHES 2020

  30. Attack Evaluation ❼ Goal: recover secret input of Keccak- f ❼ Evaluation tool: leakage simulations ❼ noisy HW-leakage of loads/stores (at typical locations) ❼ for 8, 16, and 32-bit implementations ❼ vary noise σ , retrieve success rate ❼ Analyze impact of key size ❼ evaluate 128 and 256-bit keys 15 Single-Trace Attacks on Keccak — CHES 2020

Recommend

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 &gt; www.iaik.tugraz.at www.iaik.tugraz.at

1.63k views • 60 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41 Outlines 1

603 views • 59 slides
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

1.43k views • 103 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe

Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe

Updated Recommendations for Blinded Exponentiations vs. Single Trace Analysis COSADE Workshop - Paris, 7 March 2013. Christophe Clavier XLIM-CNRS Limoges University, France Benoit Feix UL Security Lab, UK XLIM, Limoges University, France

462 views • 24 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Trace Caches and optimizations therein CSE 240C - Rushi Chakrabarti - Winter 2009 Trace Caches

Trace Caches and optimizations therein CSE 240C - Rushi Chakrabarti - Winter 2009 Trace Caches

Trace Caches and optimizations therein CSE 240C - Rushi Chakrabarti - Winter 2009 Trace Caches [Rotenberg96] Trace Caches For those not in the know: I$ that captures dynamic instruction sequences trace n instructions (cache

432 views • 41 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Assessing the Performance of MPI Applications Through Time-Independent Trace Replay . Desprez 1

Assessing the Performance of MPI Applications Through Time-Independent Trace Replay . Desprez 1

Introduction and motivation Time-Independent Trace Format Trace Acquisition Process Trace Replay with SimGrid Experimental Evaluation Conclusion and Assessing the Performance of MPI Applications Through Time-Independent Trace Replay .

370 views • 24 slides
Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ecrypt II summer school, Albena June 2, 2011 1 / 46 1 STMicroelectronics 2 NXP

774 views • 52 slides
DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN CHAPTER 149 FROM A DIV 26000 ELECTRICAL CONTRACTOR PROSPECTIVE Dos: Donts: Give us a heat trace spec in DIV26 Double spec it with

492 views • 4 slides
TRACE Why Opensource Lets A Broadcaster Sleep At Night Emmanuel ALDEGUER, January The

TRACE Why Opensource Lets A Broadcaster Sleep At Night Emmanuel ALDEGUER, January The

TRACE Why Opensource Lets A Broadcaster Sleep At Night Emmanuel ALDEGUER, January The 31st, Brussels, ealdeguer@trace.tv October 2013 1 What is TRACE 4 Pay TV linear Music 1 sports entertainment channels channel 1 FM radio station

293 views • 10 slides
Trace Elements in igneous petrology Abundances of trace elements are used to test petrogenetic

Trace Elements in igneous petrology Abundances of trace elements are used to test petrogenetic

Trace Elements in igneous petrology Abundances of trace elements are used to test petrogenetic hypotheses No universal definition of TE: Concentration usually less than 100 ppm, often &lt; 10 ppm Useful trace elements: a)First

650 views • 8 slides

More recommend