Unknown Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage Resilient PRF
Marcel Medwed, François-Xavier Standaert, Ventzislav Nikov, Martin Feldhofer
Outline
- SCA Intro
- Motivation
- Construction & Effects
- Analysis
- Conclusions
AsiaCrypt 2016 -- Marcel Medwed
SCA Intro
Attack and Countermeasure Landscape
[Figure: a device computing c = Ek(m) on inputs m1, m2, ..., mn, surrounded by attack vectors (instantaneous leakage, timing, faults, probing) and countermeasures (constant, detection, limit measurements, low SNR, masking, shielding).]
The Costs of Countermeasures
- Masking: O(n^2) costs vs. O(c^n) security
- Time randomization (aka shuffling): O(n) costs vs. O(n) security
- Fault protection
- Combinations are hard (FDTC 2016: More Efficient Private Circuits II Through Threshold Implementations)
- Key updates to limit measurements
Motivation
Key Updates Help
- Only two traces per key
- Need bounded leakage for 2 traces
- Security then only limited by the black-box setting
- But a stream cipher needs a unique IV
- How to seed the PRG securely with bounded leakage?
How to Initialize: Masking and Other Countermeasures
- Maybe a performance gain, but no bounded leakage
How to Initialize: Fresh Re-keying
- Masking much easier, performance gain, still no bounded leakage
How to Initialize: LR-PRF
- Attempt to instantiate a bounded-leakage scheme
- Not provably bounded (no arbitrary adaptive leakage function)
- However, experiments suggest a bound for practical leakage functions
Construction & Effects
DPA: Parallelism and Algorithmic Noise (1)
[Figure: 16 independent S-boxes processed in parallel, S-box i taking p_i and k_i and producing s_i, observed through the side channel; key-score table for one S-box, e.g. key 0x45 scores 0.95 while the other candidates score around 0.1 to 0.2.]
- P known, K and S unknown
- Divide-and-conquer: only look at one S-box at a time
- 2-dimensional distribution over P and S, defined by the key
- In a profiled attack, 2^8 such distributions are known: sample the device and compare
- S-boxes are processed in parallel; the non-targeted ones generate noise
- Independent P, independent noise: only more traces are needed
- Eventually find the key
DPA: Parallelism and Algorithmic Noise (2)
[Plot: attack success for increasing parallelism; blue: no noise, green: 2 parallel S-boxes, ..., purple: 16 parallel S-boxes]
- Parallelism adds algorithmic noise
- But security decreases exponentially
- Averaging works only for random plaintexts
- Fixing the data complexity to 2 allows bounding the leakage
- How can it be fixed to 2?
Using the GGM-PRF Construction
- Use a PRF y = Fk(x), k being an n-bit secret key and x = x(0)...x(n-1) a public input
- P0 = {0}^128 and P1 = {1}^128
- Only 2 plaintexts (many traces though)
- But 128 encryptions per operation
- How to speed up?
Speeding Up... and Losing Security
- Only 16 AES encryptions
- 256 plaintexts
- 256 traces per key
- No security left
- Can we do better?
Avoiding D&C with Carefully Chosen PTs (CHES 2012)
[Figure: the same plaintext byte p enters all 16 S-boxes with keys k1..k16; the outputs s1..s16 reach the side channel together as key-dependent noise. Key-score table: scores are flattened, e.g. 0x00 scores 0.41 and 0x45 scores 0.37.]
- Noise does not marginalize anymore: the distribution is key dependent
- Attack all keys at the same time
Carefully Chosen Plaintexts
- 16 AES encryptions, 256 plaintexts
- As the PT bytes are equal, divide-and-conquer does not apply anymore
- Noise becomes key dependent and cannot be averaged
- Even if all key bytes are recovered, their order remains unknown
But
- Ordering 16 bytes is still easy (2^44)
- Properties hold only for the first round
- The 16 S-boxes need the same leakage function
- Can we do better?
Our Contribution: Using Unknown Plaintexts
- Precomputation of secret plaintexts using an LR-PRG
- Use bits of x to index the table of secret plaintexts
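The three instantiations discussed on the preceding slides, as an added example in Go (not the paper's code) using the standard library's AES: the m=1 GGM chain with P0 = {0}^128 and P1 = {1}^128 (128 AES calls), the CHES 2012 table of 256 plaintexts whose 16 bytes are all equal (16 AES calls), and a table of unknown plaintexts derived with a 2PRG in which every chain key encrypts exactly two plaintexts. The MSB-first chunk order, the 2PRG assignment (P1 gives the output block, P0 the next key) and returning the final chained value as the PRF output are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
)

// aesEnc returns AES-128(key, block); keys here are always 16 bytes, so NewCipher cannot fail.
func aesEnc(key, block []byte) []byte {
	c, _ := aes.NewCipher(key)
	out := make([]byte, 16)
	c.Encrypt(out, block)
	return out
}

// chosenTable builds the 2^m carefully chosen plaintexts: the m-bit index is repeated to
// fill each byte (i*255/(2^m-1)), so all 16 bytes are equal: m=1 gives {0}^128 and {1}^128,
// m=8 gives byte i in every position (the CHES 2012 set). m must divide 8.
func chosenTable(m int) [][]byte {
	tbl := make([][]byte, 1<<m)
	for i := range tbl {
		tbl[i] = bytes.Repeat([]byte{byte(i * (255 / (1<<m - 1)))}, 16)
	}
	return tbl
}

// secretTable derives n unknown plaintexts with a 2PRG: every chain key sees exactly
// two plaintexts, P1 -> output block and P0 -> next chain key (assumed assignment).
func secretTable(seed []byte, n int) [][]byte {
	p, k, tbl := chosenTable(1), seed, make([][]byte, n)
	for i := range tbl {
		tbl[i], k = aesEnc(k, p[1]), aesEnc(k, p[0])
	}
	return tbl
}

// lrPRF walks the GGM chain: each m-bit chunk of x (MSB first) selects table[chunk]
// as plaintext and its ciphertext becomes the next key. Returns the final chained
// value and the number of AES calls (128/m).
func lrPRF(key, x []byte, table [][]byte, m int) ([]byte, int) {
	k, calls := key, 0
	for bit := 0; bit < 128; bit += m {
		idx := 0
		for b := bit; b < bit+m; b++ {
			idx = idx<<1 | int(x[b/8]>>(7-b%8)&1)
		}
		k, calls = aesEnc(k, table[idx]), calls+1
	}
	return k, calls
}
```

Calling lrPRF with chosenTable(1) and m=1 reports 128 AES calls, with chosenTable(8) or secretTable(seed, 256) and m=8 it reports 16, which is the memory-for-speed trade-off of the slides; with the secret table the plaintext bytes are no longer known to an attacker.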
Avoiding D&C with Unknown PTs (1)
[Figure: unknown plaintext bytes p1..p16 enter the 16 S-boxes with keys k1..k16; the outputs s1..s16 reach the side channel together. Key-score table: scores are flattened, e.g. 0x00 scores 0.41 and 0x45 scores 0.37.]
- Attack all at the same time: key-dependent noise
- Second-order attack, much more sensitive to noise
- Only profiled attacks work (no information on p)
Security of Unknown Plaintexts
- Only profiled attacks work
- Key-dependent noise impacts a two-dimensional distribution (2nd-order SCA)
- Key-dependent noise is present in the entire algorithm
Analysis
Distribution Distances
- We match sub-key distributions to the device distribution
- Carefully chosen plaintexts only prevent ordering (+ some misranking)
- For unknown plaintexts the device distribution is much more distorted
Looking at the Sub-key Distributions: Carefully Chosen Plaintexts
- Correct sub keys are ranked first
- The best-ranked sub key is always one of the correct ones
- The worst-ranked sub key is likely to be < rank 20
Looking at the Sub-key Distributions
[Plots: sub-key distribution distances for carefully chosen plaintexts vs. unknown plaintexts]
Conclusions
Conclusion (1)
- Bounded leakage against realistic attacks with few assumptions
- No equal-leakage assumption
- No randomness needed
- Works with plain, parallel AES
- Speed-up depends on memory: 2^m PTs, m times faster
Conclusion (2)
- Lots of analysis done: leakage models, implementation flaws, template building errors, ...
- But more is needed (for masking it took >10 years to understand most issues)
- Security depends on security against 2 noise-free traces (2PRG)
- Future work: localized EM attacks (as they can overcome parallelism); use other tools in the attack
Localized EM Attacks
- Likely to reduce parallelism
[Plot: blue: attack on 2PRG; green: attack on PRF with 16 unknown plaintexts; red: attack on secret plaintexts]
- At least >2 plaintexts are required, so the uncertainty multiplies