
Yet another side-channel attack: Multi-linear Power Analysis attack - PowerPoint PPT Presentation



  1. List decoding of RM(1,m) and Multi-linear cryptanalysis / Application to Power Analysis attacks: MLPA / Conclusion and Open perspectives
     Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA)
     Thomas Roche, Cédric Tavernier
     Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France.
     Cryptopuces, Porquerolles, 8 June 2009

  2. Plan
     1 List decoding of the first-order Reed-Muller codes and multi-linear cryptanalysis: multi-linear cryptanalysis; list decoding of RM(1,m) codes; complexity
     2 Application to Power Analysis attacks: MLPA: the MLPA attack; MLPA vs other approaches; a template-like attack
     3 Conclusion and open perspectives

  3. Multi-linear cryptanalysis: symmetric cipher (4-bit plaintexts, 4-bit key)
     Figure: plaintext P and key K enter the cipher E, which outputs the ciphertext C.

  4. Multi-linear cryptanalysis: symmetric cipher (4-bit plaintexts, 4-bit key)
     Figure: the same cipher drawn bitwise, with plaintext bits $p_3 p_2 p_1 p_0$, key bits $k_3 k_2 k_1 k_0$ and ciphertext bits $c_3 c_2 c_1 c_0$.

  5. Multi-linear cryptanalysis: linear approximations
     Figure: the bits $p_3, p_1, k_2, k_0$ on the input side of E and $c_3, c_1, c_0$ on its output side are highlighted.
     The linear approximation $p_1 \oplus p_3 \oplus k_0 \oplus k_2 = c_0 \oplus c_1 \oplus c_3$ holds with probability $p = 1/2 + \epsilon$.

  6. Multi-linear cryptanalysis
     $k_0 \oplus k_2 = p_1 \oplus p_3 \oplus c_0 \oplus c_1 \oplus c_3$, with $p = 1/2 + \epsilon_1$
     $k_0 \oplus k_1 \oplus k_2 = p_0 \oplus p_2 \oplus c_2 \oplus c_3$, with $p = 1/2 + \epsilon_2$
     $k_1 \oplus k_3 = p_2 \oplus p_3 \oplus c_1 \oplus c_3$, with $p = 1/2 + \epsilon_3$
     $k_1 \oplus k_2 \oplus k_3 = p_0 \oplus p_1 \oplus p_2 \oplus p_3 \oplus c_2 \oplus c_3$, with $p = 1/2 + \epsilon_4$
     Complexity of the attack [Biry 04]: given $n$ linear approximations $\langle \alpha_i, P \rangle \oplus \langle \mu_i, K \rangle = \langle \beta_i, E(P,K) \rangle$, the number of plaintexts is $O\left(1 / \sum_i \epsilon_i^2\right)$.


  8. Multi-linear cryptanalysis: multivariate degree-1 polynomial reconstruction
     Figure: P and K enter E, which outputs C. Each approximation has the form $\langle \alpha, P \rangle \oplus \langle \mu, K \rangle = \langle \beta, E(P,K) \rangle$.

  9. List decoding of RM(1,m) codes: Reed-Muller code properties
     Definition of RM(1,m): $RM(1,m) = \{ f \in GF(2)^{(1)}[x_1, x_2, \dots, x_m] \}$, the Boolean polynomials of degree at most 1.
     Usual representation: $(f(0), f(1), \dots, f(2^m - 1))$.
     Boolean representation: $f = f_1 x_1 \oplus f_2 x_2 \oplus \dots \oplus f_m x_m$.
     Code of length $n = 2^m$ and minimal distance $d = n/2$.
     Classical problem: given a Boolean function $g$, we want to construct the list $L_g(\epsilon) = \{ f \in RM(1,m) \mid d_H(f,g) \le n(1/2 - \epsilon) \}$, which is equivalent to $L_g(\epsilon) = \{ f \in RM(1,m) \mid l(g)(f) = \sum_{x \in GF(2)^m} (-1)^{f(x) \oplus g(x)} \ge 2 \epsilon n \}$.
     Johnson bound: in fact $|L_g(\epsilon)| \le \frac{1}{4 \epsilon^2}$.

  10. List decoding of RM(1,m) codes: list decoding algorithms
      A simple idea: write $f^{(i)} = f_1 x_1 \oplus \dots \oplus f_i x_i$ for the first $i$ coefficients of $f$. Then
      $2 \epsilon n \le |l(g)(f)| \le \sum_{s \in GF(2)^{m-i}} \left| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus f^{(i)}(r)} \right|$.
      Screening process: we suggest $f_i$ and check whether the inequality is satisfied.
      $\Rightarrow L_g^{(i)}(\epsilon) = \{ f \in RM(1,i) \mid \sum_{s \in GF(2)^{m-i}} \left| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus f(r)} \right| \ge 2 \epsilon n \}$.
      In fact $M = |L_g^{(i)}(\epsilon)| \le \frac{1}{4 \epsilon^2}$: with $E = L_g^{(i)}(\epsilon)$,
      $4 n \epsilon^2 M \le \sum_{a \in E} \sum_{b \in E} \sum_{s \in GF(2)^{m-i}} \left| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus a^{(i)}(r) \oplus g(r,s) \oplus b^{(i)}(r)} \right| \le n$.
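The classical problem on the previous slides, solved by the exhaustive baseline that the sublinear algorithms of the deck are measured against: an added Python example, not code from the slides or their authors, which computes the whole Walsh spectrum of $g$ with a fast Walsh-Hadamard transform in $O(n \log n)$ and reads off $L_g(\epsilon)$ from it. It assumes that $f$ ranges over the affine functions $c \oplus \langle a, x \rangle$ (constant term included, as the "1 + P[...]" rows of the approximation table later in the deck suggest), so both signs of the transform are used. The 4-bit S-box and the Hamming-weight target function are constructed sample inputs standing in for the intermediate data of a cipher round; the names `walsh_hadamard`, `list_decode_rm1` and `TOY_SBOX` are the example's own.

```python
# Added example (not from the slides): exhaustive list decoding of RM(1,m)
# via the fast Walsh-Hadamard transform, in the slides' notation:
#   n = 2^m,  l(g)(f) = sum_x (-1)^{f(x) xor g(x)},  L_g(eps) = {f | l(g)(f) >= 2*eps*n}.
# Assumption: f ranges over affine functions c xor <a,x> (constant term included).


def inner_product(a, x):
    """<a,x> over GF(2): parity of the bitwise AND of two m-bit masks."""
    return bin(a & x).count("1") & 1


def walsh_hadamard(g):
    """Fast Walsh-Hadamard transform of (-1)^g.

    Returns W with W[a] = sum_x (-1)^{g(x) xor <a,x>} = l(g)(<a,.>) for every
    linear mask a, in O(n log n) instead of O(n^2) for naive correlation.
    """
    w = [1 - 2 * bit for bit in g]          # (-1)^{g(x)}, indexed by x
    n = len(w)
    if n == 0 or n & (n - 1):
        raise ValueError("truth table length must be a power of two")
    h = 1
    while h < n:                            # one butterfly stage per variable
        for i in range(0, n, 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def list_decode_rm1(g, eps):
    """Return L_g(eps) as (mask, constant, l) triples sorted by decreasing l,
    where f(x) = constant xor <mask,x> and l = l(g)(f) >= 2*eps*n."""
    if eps <= 0:
        raise ValueError("eps must be positive")
    n = len(g)
    threshold = 2 * eps * n
    found = []
    for a, w in enumerate(walsh_hadamard(g)):
        # w > 0: the linear function <a,x> agrees with g on (n+w)/2 inputs;
        # w < 0: its complement 1 xor <a,x> agrees on (n-w)/2 inputs.
        if w >= threshold:
            found.append((a, 0, w))
        elif -w >= threshold:
            found.append((a, 1, -w))
    found.sort(key=lambda t: -t[2])
    return found


def bias(l, n):
    """eps such that the approximation holds with probability 1/2 + eps."""
    return l / (2 * n)


def johnson_bound(eps):
    """The slides' bound |L_g(eps)| <= 1/(4 eps^2). It follows from Parseval's
    identity sum_a W[a]^2 = n^2, since every listed f contributes >= (2 eps n)^2."""
    return 1.0 / (4 * eps * eps)


def hamming_weight_bit(sbox, bit):
    """Truth table of g(x) = bit number `bit` of HW(S(x)): the kind of
    intermediate-value function approximated in the MLPA offline step."""
    return [(bin(s).count("1") >> bit) & 1 for s in sbox]


# Constructed 4-bit S-box, used only as sample input.
TOY_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
            0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def demo(eps=0.125):
    g = hamming_weight_bit(TOY_SBOX, 0)     # parity of HW(S(x))
    n = len(g)
    approximations = list_decode_rm1(g, eps)
    for a, c, l in approximations:
        print(f"f(x) = {c} + <{a:04b}, x>   l(g)(f) = {l:3d}   eps = {bias(l, n):+.4f}")
    print(f"|L_g({eps})| = {len(approximations)} <= Johnson bound {johnson_bound(eps):g}")
    return approximations


if __name__ == "__main__":
    demo()
```

Running `demo()` lists every affine function within Hamming distance $n(1/2 - \epsilon)$ of the target, with its bias, which is exactly the table of approximations the offline step of MLPA needs for one target function; lowering `eps` lengthens the list, and the Johnson bound caps its size regardless of $g$.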

  11. Complexity
      Worst-case complexity: the complexity of this algorithm is in $O(n \log_2^2(\epsilon))$ [I Du 07]. The complexity of the probabilistic version is in $O(m^2 / \epsilon^6)$ [Kaba 04]. The result can have size $m / (2 \epsilon^2)$, thus the optimal complexity could be in $O(m / \epsilon^2)$.
      Optimal complexity: in fact the Goldreich-Levin algorithm is in $O(m / \epsilon^4)$. I. Dumer, G. Kabatiansky and C. Tavernier, not yet published: $O(m / \epsilon^2)$.


  13. Side channel measurements
      Figure: the 4-bit cipher drawn bitwise, with plaintext bits $p_3 p_2 p_1 p_0$, key bits $k_3 k_2 k_1 k_0$ and ciphertext bits $c_3 c_2 c_1 c_0$.

  15. MLPA attack: linear approximations and Power Analysis
      Figure: the bitwise cipher, with intermediate bits $h_2 h_1 h_0$ inside E whose leakage is $\sim HW()$.
      HD and HW models: the leaked information is related to the Hamming weight of the manipulated data.

  17. MLPA attack: attack algorithm and results on DPA-contest traces
      1 Offline static computation: find many good approximations of the intermediate data Hamming weight (for every output mask).
      2 Online attack: multi-linear cryptanalysis assuming "leaked information = Hamming distance".
      Results, from the traces "secmatv1 2006 04 0809" at http://www.dpacontest.org/:
      Cipher | rounds | # linear equ. | # key bits | # traces
      DES    | 1      | 84            | 20         | 1000
      DES    | 1      | 84            | 45         | 20000
      DES    | 2      | 163           | 10         | 1000
      DES    | 2      | 163           | 47         | 36000
      Tab.: Attack on DPA-contest traces

  18. MLPA attack: approximation examples
      Output mask (in binary): 100000
      Bias   | Equations (plain part)               | Equations (key part)
      0.0215 | 1 + P[5, 26, 27, 31, 45, 53, 61]     | + K[6, 7, 29, 38, 52]
      0.0134 | 0 + P[28, 29, 31, 37, 45, 53]        | + K[6, 7, 29, 61]
      0.0156 | 1 + P[5, 28, 29, 31, 37, 45]         | + K[6, 29, 38, 61]
      0.0189 | 1 + P[5, 28, 29, 31, 37, 53]         | + K[7, 29, 38, 61]
      0.0163 | 0 + P[5, 8, 9, 37, 45, 53, 61]       | + K[6, 7, 38, 52, 61]
      0.0223 | 0 + P[5, 14, 15, 31, 37, 45, 61]     | + K[6, 29, 38, 52, 61]
      0.0182 | 0 + P[5, 28, 29, 31, 37, 53, 61]     | + K[7, 29, 38, 52, 61]
      0.0157 | 1 + P[5, 26, 27, 31, 37, 53, 61]     | + K[7, 29, 38, 52, 61]
      0.0191 | 0 + P[5, 26, 27, 31, 37, 45, 53, 61] | + K[6, 7, 29, 38, 52, 61]

  19. MLPA vs other approaches: classical Power Analysis attacks
      Figure: the 4-bit cipher drawn bitwise, with plaintext bits $p_3 p_2 p_1 p_0$, key bits $k_3 k_2 k_1 k_0$ and ciphertext bits $c_3 c_2 c_1 c_0$.
      Limitation: the intermediate data should depend on fewer than 32 key bits.
