synthesis tools for white box implementations
play

Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, - PowerPoint PPT Presentation

Feb 16, 2023 •382 likes •690 views

Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg WhibOx Workshop May 19, 2019 Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction

  1. Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg WhibOx Workshop May 19, 2019

  2. Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction Compilation Attacks Conclusion 0 / 18

  3. Introduction Circuit Construction Compilation Attacks Conclusion This talk: • Python-based framework for practical white-box implementations • Easy to use • For research purposes • ... and the WhibOx contest 1 / 18

  4. Introduction Circuit Construction Compilation Attacks Conclusion Circuit Implementations + simple framework, both – slow (1 bit / register, for synthesis and analysis unless batch execution) + existing literature on – large code size hardware design (storing circuit) + easy to simulate – the power of everywhere Random Access Machine is not fully utilised (though simulation can be obfuscated on top) 2 / 18

  5. Introduction Circuit Construction Compilation Attacks Conclusion Framework for Circuit WB Synthesis • easy implementations (bitwise are simple, for S-boxes a circuit is needed) • easy masking (linear + nonlinear) • starting point for further obfuscation • included: • batch circuit tracing • basic DCA-like analysis (correlation, exact matches, linear algebra attack) 3 / 18

  6. Introduction Circuit Construction Compilation Attacks Conclusion Framework for Circuit WB Synthesis • easy implementations (bitwise are simple, for S-boxes a circuit is needed) • easy masking (linear + nonlinear) • starting point for further obfuscation • included: • batch circuit tracing • basic DCA-like analysis (correlation, exact matches, linear algebra attack) • convenient C code generation for the WhibOx contest contest 3 / 18

  7. Introduction Circuit Construction Compilation Attacks Conclusion A Quick Teaser NR = 10 1 KEY = "MySecretKey!2019" 2 3 pt = Bit.inputs("pt", 128) 4 ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), nr=NR) 5 6 prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127], 7 state=BitAES(pt, pt, nr=2)[0]) 8 rand = Pool(n=128, prng=prng).step 9 10 ct = mask_circuit(ct, MINQ(rand=rand)) 11 ct = mask_circuit(ct, DOM(rand=rand, nshares=2)) 12 13 whibox_generate(ct, "build/submit.c", "Hello, world!") 14 AES circuit with configurable masking (quadratic MINQ + linear DOM-indep) 4 / 18

  8. Introduction Circuit Construction Compilation Attacks Conclusion A Quick Teaser NR = 10 1 KEY = "MySecretKey!2019" 2 3 pt = Bit.inputs("pt", 128) 4 ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), nr=NR) 5 6 prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127], 7 state=BitAES(pt, pt, nr=2)[0]) 8 rand = Pool(n=128, prng=prng).step 9 10 ct = mask_circuit(ct, MINQ(rand=rand)) 11 ct = mask_circuit(ct, DOM(rand=rand, nshares=2)) 12 13 whibox_generate(ct, "build/submit.c", "Hello, world!") 14 AES circuit with configurable masking Whib0x CTF - ready :) (quadratic MINQ + linear DOM-indep) 4 / 18

  9. Introduction Circuit Construction Compilation Attacks Conclusion A Quick Teaser NR = 10 1 KEY = "MySecretKey!2019" 2 3 pt = Bit.inputs("pt", 128) 4 ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), nr=NR) 5 6 prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127], 7 state=BitAES(pt, pt, nr=2)[0]) 8 rand = Pool(n=128, prng=prng).step 9 10 ct = mask_circuit(ct, MINQ(rand=rand)) 11 ct = mask_circuit(ct, DOM(rand=rand, nshares=2)) 12 13 whibox_generate(ct, "build/submit.c", "Hello, world!") 14 AES circuit with configurable masking Whib0x CTF - ready :) (quadratic MINQ + linear DOM-indep) (ouch, no fault protection...) 4 / 18

  10. Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction Compilation Attacks Conclusion 4 / 18

  11. Introduction Circuit Construction Compilation Attacks Conclusion Circuit Construction • Bit : a circuit node, operations are overloaded: x = Bit.input("x") 1 y = Bit.input("y") 2 print ~(x & y) ^ y 3 Output: (~(x & y) ^ y) 4 5 / 18

  12. Introduction Circuit Construction Compilation Attacks Conclusion Circuit Construction • Bit : a circuit node, operations are overloaded: x = Bit.input("x") 1 y = Bit.input("y") 2 print ~(x & y) ^ y 3 Output: (~(x & y) ^ y) 4 • Vector : a list that propagates operations to its elements. • (Keyless) Simon: pt = Vector(Bit.inputs("pt", 32)) 1 l, r = pt.split() 2 for round in xrange(32): 3 r ^= (l.rol(1) & l.rol(8)) ^ l.rol(2) 4 l, r = r, l 5 ct = l.concat(r) 6 5 / 18

  13. Introduction Circuit Construction Compilation Attacks Conclusion AES Circuit (1/2) • AES-128 circuit included ( ≈ 31000 gates); based on Canright’s S-Box. key = Bit.consts(str2bin("MySecreyKey!2019")) 1 pt = Bit.inputs("pt", 128) 2 ct, k10 = BitAES(pt, key, nr=10) 3 # k10 is the last subkey 4 6 / 18

  14. Introduction Circuit Construction Compilation Attacks Conclusion AES Circuit (2/2) • Clean and modular internal structure, easy to modify. • Rect : representation of rectangular (AES-like) states. def BitAES(plaintext, key, rounds=10): 1 bx = Vector(plaintext).split(16) 2 bk = Vector(key).split(16) 3 state = Rect(bx, w=4, h=4).transpose() 4 kstate = Rect(bk, w=4, h=4).transpose() 5 for rno in xrange(rounds): 6 state = AK(state, kstate) 7 state = SB(state) 8 state = SR(state) 9 if rno < rounds-1: 10 state = MC(state) 11 kstate = KS(kstate, rno) 12 state = AK(state, kstate) 13 bits = sum( map(list, state.transpose().flatten()), []) 14 kbits = sum( map(list, kstate.transpose().flatten()), []) 15 return bits, kbits 16 7 / 18

  15. Introduction Circuit Construction Compilation Attacks Conclusion Masking (1/3) class DOM(MaskingScheme): 1 def encode(self, s): 2 x = [self.rand() for _ in xrange(self.nshares-1)] 3 x.append(reduce(xor, x) ^ s) 4 return tuple(x) 5 def decode(self, x): 6 return reduce(xor, x) 7 def XOR(self, x, y): 8 return tuple(xx ^ yy for xx, yy in zip(x, y)) 9 def AND(self, x, y): 10 matrix = [[xx & yy for yy in y] for xx in x] 11 for i in xrange(1, self.nshares): 12 for j in xrange(i + 1, self.nshares): 13 r = self.rand() 14 matrix[i][j] ^= r 15 matrix[j][i] ^= r 16 return tuple(reduce(xor, row) for row in matrix) 17 def NOT(self, x): 18 return (~x[0],) + tuple(x[1:]) 19 Hannes Groß, Stefan Mangard, Thomas Korak: (TIS@CCS 2016: 3) Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. 8 / 18

  16. Introduction Circuit Construction Compilation Attacks Conclusion Masking (2/3) Linear Masking: s = x 0 ⊕ x 1 ⊕ . . . ⊕ x r − 1 Minimalist Quadratic Masking: s = x 0 x 1 ⊕ x 2 Alex Biryukov, Aleksei Udovenko (ASIACRYPT 2018) Attacks and Countermeasures for White-box Designs. 9 / 18

  17. Introduction Circuit Construction Compilation Attacks Conclusion Masking (3/3) def mask_circuit(circuit, scheme, encode=True, decode=True): 1 """ Mask a given @circuit with a given masking @scheme. 2 Arguments @encode and @decode specify 3 whether encoding and decoding steps should be added. """ 4 ... 5 pt = Bit.inputs("pt", 128) 6 ct, _ = BitAES(pt, ..., rounds=NR) 7 8 # define a PRNG initialized with plaintext, also a circuit! 9 # here we use 2-round AES for initialization 10 # and LFSR for further generation 11 prng = LFSR(taps=[0, 2, 5, 18, 39, 100, 127], 12 state=BitAES(pt, pt, rounds=2)[0]) 13 rand = Pool(n=128, prng=prng).step 14 15 # nested masking 16 ct = mask_circuit(ct, MINQ(rand=rand)) 17 ct = mask_circuit(ct, DOM(rand=rand, nshares=2)) 18 10 / 18

  18. Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction Compilation Attacks Conclusion 10 / 18

  19. Introduction Circuit Construction Compilation Attacks Conclusion typedef uint16_t A; 1 switch (op) { 2 case XOR: 3 a = *((A *)p); pop(); 4 b = *((A *)p); pop(); • C code for simulation 5 ram[dst] = ram[a] ^ ram[b]; 6 • requires some encoding of the break; 7 case AND: 8 circuit a = *((A *)p); pop(); 9 b = *((A *)p); pop(); • easier to encode more compact 10 ram[dst] = ram[a] & ram[b]; 11 than by a compiler break; 12 case OR: 13 • usecase 1: local tracing/analysis a = *((A *)p); pop(); 14 b = *((A *)p); pop(); • usecase 2: PoC generation 15 ram[dst] = ram[a] | ram[b]; 16 break; 17 case NOT: 18 a = *((A *)p); pop(); 19 ram[dst] = ~ram[a]; 20 break; 21 case RANDOM: 22 ram[dst] = rand(); 23 break; 24 default: return; 25 } 26 11 / 18

  20. Introduction Circuit Construction Compilation Attacks Conclusion Compile and Run KEY = "MySecretKey!2019" 1 2 pt = Bit.inputs("pt", 128) 3 ct, k10 = BitAES(pt, Bit.consts(str2bin(KEY)), rounds=10) 4 5 # Encode circuit to file 6 RawSerializer().serialize_to_file(ct, "circuits/aes10.bin") 7 8 # Python API for C simulator 9 C = FastCircuit("circuits/aes10.bin") 10 11 ciphertext = C.compute_one("my_plaintext_abc") 12 13 # Verify correctness 14 from Crypto.Cipher import AES 15 ciphertext2 = AES.new(KEY).encrypt(plaintext) 16 assert ciphertext == ciphertext2 17 12 / 18

  21. Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction Compilation Attacks Conclusion 12 / 18

Recommend

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box

A DFA attack on White-box implementations of AES with external encoding WhibOx 2019: White-Box Cryptography and Obfuscation, 18-19/05/2019, Darmstadt Alessandro Amadori , Wil Michiels and Peter Roelse Department of Mathematics and Computer

655 views • 26 slides
Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur, Wil Michiels, Paul Gorissen, Bart Preneel COSIC K.U.Leuven and Philips Research March 27 2007 White-Box Attack Context key key ke y

555 views • 10 slides
Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei

Differential Computation Analysis against Internally-Encoded White-Box Implementations Junwei Wang Joint work with Matthieu Rivain WhibOx 2019, May 18, 2019 Overview 1 White-Box Context 2 DCA against Internal Encodings 3 Collision

539 views • 26 slides
Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs Michael J. Wiener 2016 August 14 1 Outline Why do we bother with white-box cryptography (WBC)? The origins of WBC Attacks and

379 views • 34 slides
Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture F elix Carvalho

Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture F elix Carvalho

Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture F elix Carvalho Rodrigues, H. Fujii, A. C. Serpa, G. Sider, R. Dahab, J. L opez October 3, 2019 Laboratory of Security and Cryptography, Institute of

598 views • 42 slides
VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas

VerMI &amp; VerFI Verification Tools for Masked Implementations Svetla Nikova, Victor Arribas COSIC, KULeuven Joint work with Vincent Rijmen (KU Leuven), Felix Wegener, Amir Moradi (RU Bochum) 1 Verification Tools Why do we need

782 views • 50 slides
Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong

Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong

Why Again Logic Synthesis Giovanni De Micheli Why again logic synthesis? Strong intellectual value associated with logic synthesis and optimization Problems are far from being solved Current methods and tools grew out of control

372 views • 24 slides
Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06

Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06

Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06 June 2014, ibenik, Croatia P. 1 Why Electronic Design Automation? Surely the purpose of science is to ease human hardship Galileo,

846 views • 82 slides
The Synthesis and Improvement of Quantum Circuits and Programs David R. White &amp; John A. Clark

The Synthesis and Improvement of Quantum Circuits and Programs David R. White &amp; John A. Clark

The Synthesis and Improvement of Quantum Circuits and Programs David R. White &amp; John A. Clark Dept. of Computer Science University of She ffi eld, UK With acknowledgements to Susan Stepney and Paul Massey Image Credit NIST:

828 views • 56 slides
On Recovering Affine Encodings in White-Box Implementations Patrick Derbez 1 , Pierre-Alain Fouque

On Recovering Affine Encodings in White-Box Implementations Patrick Derbez 1 , Pierre-Alain Fouque

On Recovering Affine Encodings in White-Box Implementations Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Baptiste Lambin On Recovering Affine

591 views • 21 slides
Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box

Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box

Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations Matthieu Rivain 1 Junwei Wang 1,2,3 1 CryptoExperts 2 University of Luxembourg 3 University Paris 8 CHES 2019, Atalanta White-Box

800 views • 43 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
Logic Synthesis Overview Design flow Principles of logic synthesis Logic

Logic Synthesis Overview Design flow Principles of logic synthesis Logic

Logic Synthesis Overview Design flow Principles of logic synthesis Logic Synthesis with the common tools Conclusions 2 System Design Flow Electronic System Level (ESL) flow System C TLM, Verification, Profiling

1.12k views • 28 slides
Lecture 17: LPC speech synthesis and autocorrelation- based pitch tracking ECE 401, Signal and

Lecture 17: LPC speech synthesis and autocorrelation- based pitch tracking ECE 401, Signal and

Lecture 17: LPC speech synthesis and autocorrelation- based pitch tracking ECE 401, Signal and Image Analysis November 5, 2020 Outline The LPC-10 speech synthesis model The LPC-10 excitation model: white noise, pulse train Linear

517 views • 36 slides
Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1 Program Verification and Constraints Reasoning about program

422 views • 28 slides
FLOSS Tools for High Level Synthesis Integrating the FPGA into the Operating System Javier D.

FLOSS Tools for High Level Synthesis Integrating the FPGA into the Operating System Javier D.

FLOSS Tools for High Level Synthesis Integrating the FPGA into the Operating System Javier D. Garcia Lasheras GL Research (Spain) jgarcia@gl-research.com FOSDEM 2017 State of the Art A new generation of algorithms demanding for extreme

284 views • 13 slides
Synthesis and Review Week 8 7 March, 2016 Prof. Robin Harding Nice tools, but what do we do

Synthesis and Review Week 8 7 March, 2016 Prof. Robin Harding Nice tools, but what do we do

Synthesis and Review Week 8 7 March, 2016 Prof. Robin Harding Nice tools, but what do we do with them? As students of social science in tutorial and exam essays, As social scientists in original research, And beyond

663 views • 27 slides
Crossing the SDN/NFV Deployment Chasm Initiation -&gt; Ideation -&gt; Implementation? NFV white

Crossing the SDN/NFV Deployment Chasm Initiation -&gt; Ideation -&gt; Implementation? NFV white

Getting past Ideation; Crossing the SDN/NFV Deployment Chasm Initiation -&gt; Ideation -&gt; Implementation? NFV white paper published in October 2012 implementations globally, at scale remains a successfully initiated the SDN/NFV industry and

277 views • 3 slides
Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR)

Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR)

Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR) Health Resources and Services Administration HIV/AIDS Bureau March 11, 2020 Welcome to todays Webcast. Thank you so much for joining us today!

763 views • 48 slides
Viable Paths Towards Graphene Circuits: Implementation Styles and Logic Synthesis Tools Sandeep

Viable Paths Towards Graphene Circuits: Implementation Styles and Logic Synthesis Tools Sandeep

Viable Paths Towards Graphene Circuits: Implementation Styles and Logic Synthesis Tools Sandeep Miryala, Valerio Tenace, Andrea Calimera, Enrico Macii, Massimo Poncino DAUIN Dipartimento di Automatica e Informatica enrico.macii@polito.it 1

829 views • 28 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides

More recommend