Power Analysis of MAC-Keccak: A Side Channel Attack


Advanced Cryptography
Kyle McGlynn
Professor Stanislaw Radziszowski
May 6

1 Introduction

Recently, in the spring of 2017, two documents were discovered to have the same hash value when run through the Secure Hash Algorithm 1 (SHA-1) cryptographic hash algorithm. Although these documents were found only through great effort and time, this discovery is an indicator that SHA-1 may not be secure for much longer. One consequence of a general attack upon SHA-1 would be the loss of security of hash-based message authentication codes (HMAC) that use SHA-1 as their hash function. According to the National Institute of Technology and Information's (NIST) FIPS PUB 198, "the strength of HMAC is based on reasonable assumptions of the underlying hash function..." [10]. Even without a general attack upon SHA-1, the continued security of HMAC is now in question.

With the fall of SHA-1 now much more imminent, many have begun to look towards Keccak. Chosen as the winner of NIST's SHA-3 competition, Keccak differs from SHA-1 in that it is based upon a sponge construction. Furthermore, when used to produce keyed message authentication codes, it does not require the nested construction that HMAC uses to prevent length extension attacks. Until relatively recently, NIST had not issued any recommended algorithm for producing message authentication codes with Keccak. Between the time Keccak was declared the winner of the SHA-3 competition and NIST's recent publication of a recommended algorithm, a number of attacks were proposed against Keccak. Perhaps most dangerous amongst these are attacks that glean secret information from the physical effects of running Keccak on a device. These types of attacks are known in general as side channel attacks. This paper explores a form of side channel attack against Keccak-based message authentication codes (MAC-Keccak) known as power analysis. Three types of power analysis shall be introduced: simple, differential, and correlation. A brief overview of Keccak shall then give context to a discussion of a differential power analysis attack against Keccak proposed by Taha et al. [14] and a correlation power analysis attack against Keccak by Luo et al. [8]. The results of these attacks shall be analyzed, and then different countermeasures against power analysis shall be introduced before concluding with a discussion of the feasibility of these attacks.

2 Side Channel Attack

When attempting to break a cryptographic operation, there are a number of possible avenues of attack. Perhaps the algorithm behind the cryptographic operation is mathematically weak, in which case it is possible to develop an algorithm that breaks the operation in a reasonable amount of time. A good example of this is the use of index calculus to break discrete-log-based cryptographic systems that operate in $\mathbb{Z}_p$. Or perhaps the implementation of the cryptographic operation is incorrect and thus vulnerable to attack. Each of these can be remedied: discrete-log-based cryptographic systems can use elliptic curves, thereby preventing the use of index calculus, and significant analysis, review, and testing of an implementation before delivery can ensure that the implementation is correct. However, even if a cryptographic operation is mathematically strong and implemented without error, it is still possible to break it by taking advantage of the physical side effects produced by executing the operation on hardware. These physical effects include electromagnetic radiation, thermal radiation, acoustic emanations, and power consumption, and they unintentionally leak information about the cryptographic operation. Attacks that gather secret information from these physical effects to break a cryptographic operation are known as side channel attacks.

Figure 1: Abstract overview of possible side channels [15]

3 Power Analysis

Power analysis is one such side channel attack; it leverages the power consumption of a device running a cryptographic operation to retrieve secret information about that operation. This secret information is usually the secret keys used by the cryptographic operation to encrypt, sign, or hash. The idea behind power analysis is that the power consumption of a device running a cryptographic operation is influenced by the data being processed by the operation. This influence can be seen in power traces taken while the device is running the operation. A power trace is simply a collection of measurements, taken a number of times per second, of a device's power consumption while a cryptographic operation is being performed. When plotted over time, this collection appears as a wave, as seen in figure 2. These power traces can be used in three different types of power analysis: simple power analysis, differential power analysis, and correlation power analysis.

Figure 2: Power trace of AES-128 taken across three milliseconds [7]

3.1 Simple Power Analysis (SPA)

As its name implies, simple power analysis is a straightforward process that makes little use of mathematical machinery. Here, features of the power trace that are directly visible are analyzed to draw inferences about the cryptographic operation's behavior. For example, in figure 2 the ten rounds of AES-128 can be clearly seen as ten distinct humps in the power trace. These segments can then be compared to discern secret information. While simple power analysis is effective and efficient for most devices, it is severely affected by noise in the data. Again, as can be seen in figure 2, although the ten rounds of AES-128 are clearly visible, there is too much noise in the data to make a simple comparison between the different segments meaningful. Because of this, techniques such as differential power analysis and correlation power analysis are more useful, as they reduce the role that noise plays in the analysis.

3.2 Differential Power Analysis (DPA)

Unlike simple power analysis, differential power analysis makes use of statistical methods to analyze power traces and retrieve secret information. It does so by using a selection function to partition a collection of power traces into two sets, and determining secret information through their comparison. The selection function makes an educated guess of the possible values of one or more unknown, intermediate values of a cryptographic operation. For example, a selection function for AES-128 may predict, based upon the data seen so far in a power trace, that the least significant bit of the ciphertext after the very first AddRoundKey operation will be 0 or 1 [7]. Whether this guess was correct or wrong is used to sort the power traces into two partitions. Mathematically, the selection function can be expressed as

$D(C_i, K_n)$ [7]

where $C_i$ is the set of known and unknown values for power trace $T_i$ at time $j$ ($T_i[j]$) and $K_n$ is the candidate value(s) for the unknown value(s). The selection function should target an operation that mixes known and unknown information, such as the AddRoundKey example above. Once a set of $m$ power traces is partitioned into two groups according to the selection function, the average of each group is taken and the difference of the groups is calculated at every point in time $j$. The idea is that if the candidate value $K_n$ was correct, then the power trace obtained by taking the difference of the two averaged groups should show a large spike at the guessed location at time $j$. If the candidate value was not correct, then a relatively flat power trace is expected, since the selection function will effectively have separated the set of power traces into two random groups. The difference of the averages of these two random groups will be close to zero all along the power trace. This difference can be expressed as

$$\Delta D[j] = \frac{\sum_{i=1}^{m} D(C_i, K_n)\, T_i[j]}{\sum_{i=1}^{m} D(C_i, K_n)} - \frac{\sum_{i=1}^{m} \bigl(1 - D(C_i, K_n)\bigr)\, T_i[j]}{\sum_{i=1}^{m} \bigl(1 - D(C_i, K_n)\bigr)}$$ [7]

Figure 3 demonstrates this process. The top two power traces of the figure are the average power traces of the two partitions created by the selection function. If simple power analysis were applied here, it would be difficult to discern any meaningful information. However, by taking their difference and then magnifying, the power trace at the bottom of the figure is obtained. As can be seen, there are a number of large spikes in the resulting power trace. Because of this, we can assume that the selection function and the candidate value were correct. Figure 4 shows instances where the resulting power traces were relatively flat for different candidate values. Amongst them, the middle power trace is considered the most likely to correspond to the correct value of the unknown, since it shows the greatest spikes in its power consumption at time $j$.

Figure 3: Partition, average, and magnification of AES-128 power traces [7]

Figure 4: Resulting differences for values of $K_n$ [7]

3.3 Correlation Power Analysis (CPA)

Similar to differential power analysis, correlation power analysis makes use of statistical methods. However, in this case correlation coefficients are used to determine the correctness of a candidate value. Once again a selection function is used, but unlike in differential power analysis, where it is used to partition a set of power traces, here it is used to compute the correlation between the Hamming Distance or Hamming Weight of a candidate value and the actual power consumption. The Hamming Weight is the number of bits set to 1 in a data word; for example, a data word with four bits set to 1 has a Hamming Weight of four. Similarly, the Hamming Distance is the number of bits that must be flipped to go from one data word $R$ to another data word $D$. Conceptually, the Hamming Weight is the special case of the Hamming Distance in which $R$ is assumed to be 0 [6], and so the Hamming Distance can be expressed as

$HW(D \oplus R)$ [6]

where $HW$ calculates the Hamming Weight of the result of XOR-ing $R$ and $D$, thereby determining the number of bits that must be flipped to go from $R$ to $D$. For use in correlation power analysis, a candidate value $R$ for an unknown value is used alongside known information to calculate either a Hamming Distance or a Hamming Weight. The result is then correlated to the actual power consumption of the device. The candidate $R$ that produces the greatest correlation coefficient is considered to be the correct value of the unknown value.

4 Keccak (SHA-3)

This section serves as a brief introduction to Keccak, to provide context for the following sections on the power analysis of Keccak. Chosen as the winning algorithm of NIST's SHA-3 competition, Keccak is based upon the sponge construction. This construction is unique in that the size of its internal state is larger than the size of its input or output blocks. In addition, the sponge construction is modular in that the function used to encrypt, sign, or hash can be swapped out. Indeed, the part of the Keccak algorithm that sets it apart from any other sponge-based cryptographic operation is the Keccak function. Sponge-based cryptographic operations work by first absorbing blocks of data. Once all of the data has been absorbed, the encrypted data, hash, or signature is squeezed out in blocks. Between every absorbed and squeezed block, the modular function of the sponge construction is run on the internal state. The security of this construction is claimed to be equivalent to that of a random oracle [3].

Figure 5: Overview of the sponge construction [3]

Figure 6: Overview of the internal state of Keccak [14]

Keccak's internal state is imagined as a cube, and is recommended to be $5 \times 5 \times 64$ bits ($x \times y \times z$) in dimension, for a total of 1600 bits of internal state. This cube is then abstractly considered in terms of planes, lanes, sheets, and columns, as shown in figure 6. The Keccak function operates upon this cube between every absorbed and squeezed block. This function is broken down into five steps: $\theta$, $\rho$, $\pi$, $\chi$, and $\iota$. The $\theta$ step is responsible for diffusing the effects of the characters of the plain text across the resulting cryptographic hash. It works by taking the parity of two columns and XOR-ing these parity bits with the value of a single bit in the state. This is done for every bit in the state. Mathematically:

$$S(x, y, z) = S(x, y, z) \oplus \Bigl(\bigoplus_{i=0}^{4} S(x-1, i, z)\Bigr) \oplus \Bigl(\bigoplus_{i=0}^{4} S(x+1, i, z-1)\Bigr)$$ [14]

Steps $\rho$ and $\pi$ essentially shuffle the lanes of the state around, while step $\chi$ provides non-linearity to the hash. It does this by flipping every bit in the state according to the values of two other bits in its row. This can be expressed as

$$S(x, y, z) = S(x, y, z) \oplus \bigl((1 \oplus S(x+1, y, z)) \wedge S(x+2, y, z)\bigr)$$ [14]

Finally, in the $\iota$ step a round constant is XOR-ed with every bit in the state. It is worth noting that every indexing operation on the $x$ and $y$ dimensions is done modulo 5, while every indexing operation on the $z$ dimension is done modulo 64. This ensures that none of the steps stray outside of the state. Significant hand waving has been done here in regard to steps $\rho$, $\pi$, and $\iota$. This is not because these steps are insignificant, but rather because in terms of power analysis we are only interested in steps $\theta$ and $\chi$, since it is at these steps that unknown information (a secret key) is mixed with known information (the plain text to be hashed).
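The two formulas above, as an added example that is not part of the paper or of the Keccak team's code: the $\theta$ and $\chi$ steps implemented on a 5 x 5 x 64-bit state held as 25 lanes of 64-bit integers, with the modulo-5 and modulo-64 index wrapping the text describes. The column-parity helper is split out because Section 5 later treats it as its own step; the function names and the state representation are this example's own choices.

```python
# Added example (not from the paper): the theta and chi steps of Keccak-f[1600]
# as the formulas above define them. The state is S[x][y], one 64-bit Python
# int per lane; bit z of the lane is S(x, y, z). x and y wrap modulo 5, z
# wraps modulo 64. rho, pi and iota are not implemented here, as in the text.

MASK64 = (1 << 64) - 1


def rot64(lane, n):
    """Rotate a 64-bit lane left by n bits: bit z of the result is bit z-n of the input."""
    n %= 64
    return ((lane << n) | (lane >> (64 - n))) & MASK64 if n else lane


def column_parity(S):
    """C[x] holds, for every z, the parity of column (x, z): the XOR over y."""
    return [S[x][0] ^ S[x][1] ^ S[x][2] ^ S[x][3] ^ S[x][4] for x in range(5)]


def theta(S):
    """S(x,y,z) ^= parity(x-1, z) ^ parity(x+1, z-1).
    rot64(C, 1) moves the parity of slice z-1 into bit position z."""
    C = column_parity(S)
    D = [C[(x - 1) % 5] ^ rot64(C[(x + 1) % 5], 1) for x in range(5)]
    return [[S[x][y] ^ D[x] for y in range(5)] for x in range(5)]


def chi(S):
    """S(x,y,z) ^= (1 ^ S(x+1,y,z)) & S(x+2,y,z), applied to every row independently."""
    return [[S[x][y] ^ ((~S[(x + 1) % 5][y] & MASK64) & S[(x + 2) % 5][y])
             for y in range(5)] for x in range(5)]


def chi_row(row):
    """chi restricted to one 5-bit row given as a list of bits (read off the formula)."""
    return [row[x] ^ ((1 ^ row[(x + 1) % 5]) & row[(x + 2) % 5]) for x in range(5)]


def empty_state():
    return [[0] * 5 for _ in range(5)]


def single_bit_state(x, y, z):
    """A state containing only the bit (x, y, z)."""
    S = empty_state()
    S[x][y] |= 1 << z
    return S


def popcount_state(S):
    """Hamming Weight of the whole 1600-bit state (the HW of Section 3.3)."""
    return sum(bin(S[x][y]).count("1") for x in range(5) for y in range(5))


def bits_set_after_theta(x, y, z):
    """Diffusion check: theta on a state holding the single bit (x, y, z) leaves
    that bit set and flips the 5 bits of column (x+1, z) and the 5 bits of
    column (x-1, z+1), so 11 bits are set afterwards."""
    return popcount_state(theta(single_bit_state(x, y, z)))


if __name__ == "__main__":
    print("bits set after theta on one bit:", bits_set_after_theta(0, 0, 0))
    print("chi on row 10000:", chi_row([1, 0, 0, 0, 0]))
```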
5 DPA Against MAC-Keccak

Assuming that an attacker is able to gather the information needed to perform power analysis on the power consumption of a device running MAC-Keccak, there are a few hurdles to the success of differential power analysis. First, the length of the secret key used is not fixed. Unlike previous message authentication code algorithms, MAC-Keccak does not restrict the key to a certain length. For differential power analysis, this makes it difficult to determine where the key ends and the message begins. Second, the target operations, namely steps $\theta$ and $\chi$, are located deep within the algorithm. Unlike previous message authentication code algorithms, where the key and message are XOR-ed together before entering the function, in MAC-Keccak the key is appended or prepended to the message and is only mixed with the message at steps $\theta$ and $\chi$. While nothing can be done about steps $\theta$ and $\chi$ being located deep within the function, it is possible to discover the length of the key using correlation power analysis. This technique is described by Zohner et al. [16], whereby correlation power analysis is applied to every message bit. The function

$HW(M_i \oplus c)$ [16]

is used to determine correlation, where $HW$ is the Hamming Weight, $M_i$ are the message bits processed so far and $c$ is 0 or 1. So long as a correlation is observed, the message bit is added to $M_i$ and the process continues. Once no correlation is observed, it must be the case that the portion of the initial state that contains the key has been reached. Once the length of the key is determined, it is finally possible to begin recovery of the key by means of differential power analysis. Proposed by Taha et al. [14], the general idea is:

1. Add all known bits to a set $V$.
2. Calculate all values that depend upon currently known bits and add them to $V$.
3. Target an operation that processes some element(s) of $V$ and an unknown bit.
4. Run differential power analysis against the operation to recover the unknown bit and add it to $V$.
5. Repeat steps two through four until all unknowns are recovered.

For most situations, targeting step $\theta$ is enough to recover the entire key. To do this, step $\theta$ is conceptually broken into two separate steps: $\theta_1$ and $\theta_2$. Step $\theta_1$ calculates the parity of a given column, while $\theta_2$ calculates the XOR of the parity bits of two columns and a bit of the state. For keys of length less than or equal to 320 bits, it is enough to target $\theta_1$, since four known message bits are XOR-ed with one unknown key bit. It is trivial in this case to run differential power analysis, targeting the parity of a column, to determine the value of the unknown key bit. If the key is greater than 320 bits in length, then the parity of the columns must be added to $V$ and step $\theta_2$ must be targeted when it is applied to key bits. Here, two known values (the parity bits) are XOR-ed with a single unknown bit. Once again, it is simple to run differential power analysis, targeting the result of XOR-ing the parity bits and the unknown bit, to find the key bit.

Figure 7: Abstract overview of step $\theta$ [14]

In the unlikely event that the key bits are interleaved with the message bits, it is no longer enough to target step $\theta$. In this case, step $\chi$ must be targeted. To do so, the parity bits of the columns with known values are found and added to $V$. The bits are then traced through steps $\rho$ and $\pi$. In step $\chi$, differential power analysis can be run, targeting the result of the XOR operation between a bit and two bits in its row, to recover an unknown bit. It is then necessary to return to step $\theta$ and use this recovered value to recover more unknowns.

6 CPA Against MAC-Keccak

Unlike the differential power analysis attack described above, the correlation power analysis attack described by Luo et al. [8] is a hardware-specific attack that targets the output of the first application of the Keccak function. Here, the output of the function, denoted by $R_1$, and the state of the register before the end of the first application of the function, denoted by $I$, are the main focus. The two forms of this attack, bit-by-bit and row-by-row, each take advantage of the observation that there is a strong correlation between $HW(R_1)$ (the Hamming Weight of the register) and power consumption. In the bit-by-bit attack, a single bit of the register, denoted $R_1(x, y, z)$, is used in the correlation power analysis selection function:

$HD(I(x, y, z), R_1(x, y, z)) = HW(R_1(x, y, z))$ [8]

Here, $R_1(x, y, z)$ is a candidate value for the output of step $\chi$ with the round constant added in step $\iota$. However, the output of step $\chi$ is decided by three bits which, when traced back through steps $\rho$ and $\pi$, are three bits from the output of step $\theta$. These three bits can then be XOR-ed together to reveal secret information.

10 information. The bit-by-bit attack has a few drawbacks. First, the work done ends up being redundant and far too many traces are needed because of a low signal-tonoise ratio. Additionally, this process must be repeated for all 1600 bits of the state. An alternative to this is the row-by-row attack wherein an entire row of values is used, rather than a single bit. This row is denoted R 1 (X, y, z) where X indicates the entire row at x. Unlike the bit-by-bit attack, the row-by-row attack requires fewer power traces because of a higher signal-to-noise ratio and only requires 320 iterations (one for each row in the state) versus the 1600 needed for the bit-by-bit attack. As a result of attacking in this row-by-row fashion, the selection function becomes: HD(I(X, y, z), R 1 (X, y, z)) = HW (R 1 (X, y, z))[8] where the Hamming Distance of a row in the register and a row in the output of the Keccak function is compared to the Hamming Weight of the same row in the output. The idea behind the row-by-row attack is that, because of step π, the five bits in a row of the output of step χ depend upon only five bits of the output of step θ. By attacking the rows, fewer power traces are needed and there is less redundancy. The power of this attack can be seen in the resulting correlation graph. Compared to bit-by-bit, the correlation in row-by-row has less noise. 10

Figure 8: Result of row-by-row attack (a) vs. result of bit-by-bit attack (b) [8]

7 Results

While these power analyses of Keccak may seem to be extremely powerful attacks against MAC-Keccak, there are a few caveats, as shown in the results of the attacks presented by Taha et al. [14] and Luo et al. [8]. The results of these attacks, and their ramifications for MAC-Keccak, are discussed below.

7.1 DPA

As demonstrated by Taha et al. [14], it is easy to find keys of length less than 320 bits by targeting the part of step $\theta$ designated as $\theta_1$. However, it appears that as the length of the key is increased, the success of this attack decreases. Taha et al. [14] tested this approach on a number of large key lengths; their justification for doing so was that current cryptographic systems such as RSA make use of extremely large keys, so it would not be too far-fetched to imagine MAC-Keccak using a large key. Their results are presented in figure 9, where the success rate is the percentage of key bits successfully recovered using their differential power analysis attack.

Figure 9: Results of DPA against MAC-Keccak using various key lengths [14]

As can be seen, for keys of 768 bits the success rate appears to plateau at 90% when more than 40,000 power traces are used. At face value, this seems to be quite a step up from not knowing anything at all. But when we consider that recovery of 90% of 768 bits means that roughly 77 bits are still unknown, this is not much of an improvement. For 77 unknown bits there are $2^{77}$ possible values for those bits; while the birthday paradox reduces the amount of work needed to roughly $2^{39}$, it is still computationally expensive. When we consider the worst case for the attacker, when a key of 1024 bits is used, we can see that recovery tapers off at around 45% when more than 20,000 power traces are used. This leaves over 563 bits unknown, for a whopping $2^{563}$ possibilities. Even after applying the birthday paradox, the amount of work needed to find the unknown bits is still over $2^{281}$; this is currently an infeasible amount to brute force on current hardware.

7.2 CPA

The success of the correlation power analysis attack against MAC-Keccak, especially the row-by-row attack, is entirely dependent upon the key length. So long as the key is less than or equal to 320 bits in length, the row-by-row attack can be applied to quickly and efficiently recover the secret key. If the key is between 320 and 640 bits, the row-by-row attack must be modified to attack all of the rows of the state after the first round. If, however, the key is greater than 640 bits in length, then the row-by-row attack must be abandoned in favor of a bit-by-bit attack. Figure 10 demonstrates the success rate of a row-by-row attack against a key length of 640 bits. As can be seen, this attack is quite effective when 35,000 power traces are used. Unfortunately, no similar graph or data was provided by Luo et al. [8] in regard to the success rate of a bit-by-bit attack against extremely long key lengths.

Figure 10: Result of running CPA against MAC-Keccak with a key of 640 bits [8]

8 Counter Measures

While differential power analysis and correlation power analysis pose significant threats to the security of MAC-Keccak, there are a number of counter measures against all forms of power analysis beyond simply increasing the length of the key. At the hardware level, gates and circuits can be designed and built in such a way that leakage is reduced. In code, the random insertion of dummy instructions, or a randomized order of operations that does not break the behavior of the algorithm, can increase the difficulty of aligning the power traces and thereby obfuscate the information. The algorithm of the cryptographic operation can be modified in such a way that operations are computed in a manner that reduces leakage. Finally, and perhaps most simply, the protocol controlling access to the cryptographic operation can be modified to detect an attacker and thereby prevent or reduce the number of times the attacker can run the cryptographic operation to gather power traces. The following sections will focus on counter measures at the algorithmic level, in particular masking, and on Keccak-MAC, a recent MAC algorithm proposed by NIST that uses Keccak.

8.1 Masking

Also known as blinding, masking is a method whereby key or data words are represented using two or more shares. Each of these shares, save one, is generated randomly for every execution of the cryptographic operation. Once generated, these shares are used in such a way that there is never any correlation to the original value. For example, say we have a data word $x$. Then we can generate at least two shares, $x'$ and $r_x$, such that

$x = x' + r_x$

Here, $x'$ is referred to as the masked variable and $r_x$ is referred to as the mask. We can understand the generation of these shares in the following way: $k$ random shares are generated (e.g. $r_{1x}, r_{2x}, \ldots, r_{kx}$) and their sum is applied to $x$ to produce $x'$. The word "applied" is used here because the operation used between the shares to produce the original may be any group operation. This includes addition, subtraction, XOR, bit shift, and rotate. A nice feature of using these group operations is that the shares may be operated upon independently and yet produce the same result as if the original values had been used. For example, say $a + b = c$. Even if $a$ and $b$ are represented as shares, we can still create $c$ by operating over the shares:

$a = a' + r_a$
$b = b' + r_b$
$c' = a' + b'$
$r_c = r_a + r_b$

It is then possible to recover $c$, if we so choose, by combining the shares using the group operation ($c = c' + r_c$). As mentioned by Bertoni et al. [1], there are some issues with using masking, chiefly when attempting to perform Boolean operations on shares in arithmetic form (e.g. $x = x' + r_x$) or attempting to perform arithmetic operations on shares in Boolean form (e.g. $x = x' \oplus r_x$). The solution is to convert between the two different forms in a secure manner by using elementary operations (AND, OR, etc.) and/or lookup tables. However, doing so greatly increases the number of elementary operations and/or the memory used by the cryptographic operation.
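An added simulation, not from the paper and not from Taha et al. or Bertoni et al., that ties this section to Section 3.2 and Section 5: it evaluates the statistic $\Delta D[j]$ on constructed power traces whose only data-dependent sample carries the $\theta_1$ column parity (four known message bits XOR one key bit), first unmasked and then with that parity split into two Boolean shares as described above, which removes the first-order spike. The leakage model (Hamming weight plus Gaussian noise), the trace length, the leaking sample position and every value below are assumptions of this example.

```python
# Added example (not from the paper): difference-of-means evaluation of a
# constructed leakage model, unmasked versus two-share Boolean masking.
import random

SAMPLES = 8      # time samples per constructed trace (assumption)
LEAK_AT = 5      # the only sample that depends on processed data (assumption)


def simulate_traces(n, key_bit, masked, seed=1):
    """Return (message_columns, traces) for n executions of theta_1 on one column.
    Every sample is Gaussian noise; sample LEAK_AT additionally carries the
    Hamming weight of what the device computes for the column parity."""
    rng = random.Random(seed)
    columns, traces = [], []
    for _ in range(n):
        msg = [rng.randrange(2) for _ in range(4)]      # four known message bits
        parity = msg[0] ^ msg[1] ^ msg[2] ^ msg[3] ^ key_bit
        if masked:
            r = rng.randrange(2)           # fresh mask for every execution
            leak = (parity ^ r) + r        # HW(masked share) + HW(mask share)
        else:
            leak = parity                  # HW of the unmasked parity bit
        trace = [rng.gauss(0.0, 0.5) for _ in range(SAMPLES)]
        trace[LEAK_AT] += leak
        columns.append(msg)
        traces.append(trace)
    return columns, traces


def selection(msg, k):
    """D(C_i, K_n): the parity bit predicted under candidate key bit k."""
    return msg[0] ^ msg[1] ^ msg[2] ^ msg[3] ^ k


def difference_of_means(columns, traces, k):
    """Delta D[j]: mean of the traces with D=1 minus mean of those with D=0, per sample."""
    ones = [t for c, t in zip(columns, traces) if selection(c, k) == 1]
    zeros = [t for c, t in zip(columns, traces) if selection(c, k) == 0]
    return [sum(t[j] for t in ones) / len(ones) - sum(t[j] for t in zeros) / len(zeros)
            for j in range(SAMPLES)]


def peak(delta):
    """(sample index, height) of the largest |Delta D[j]| in a difference trace."""
    j = max(range(SAMPLES), key=lambda i: abs(delta[i]))
    return j, delta[j]


def run(key_bit=1, masked=False, n=4000):
    """Difference traces for both candidate key bits against one simulated device.
    Unmasked: the correct candidate shows a spike of about +1 at LEAK_AT; the
    wrong candidate partitions the traces the opposite way, so it shows about -1.
    Masked: the mean of HW(parity^r)+HW(r) is 1 whatever the parity is, so the
    first-order statistic is flat everywhere (the variance still differs, which
    is the second-order leakage that higher-order masking addresses)."""
    columns, traces = simulate_traces(n, key_bit, masked)
    return {k: difference_of_means(columns, traces, k) for k in (0, 1)}


if __name__ == "__main__":
    for masked in (False, True):
        for k, delta in run(masked=masked).items():
            j, h = peak(delta)
            print(f"masked={masked} candidate={k}: peak {h:+.2f} at sample {j}")
```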
8.2 Keccak-MAC

Keccak-MAC (KMAC) is a recently recommended hash-based keyed message authentication code algorithm published by NIST alongside other Keccak-derived functions. Unlike HMAC, which uses a nested construction to prevent length extension attacks, KMAC does not require such a construction because of the sponge construction used in Keccak. However, unlike the MAC-Keccak considered so far, KMAC does not simply append or prepend the key to the message. Instead, a series of encodings and paddings is applied to the key before it is prepended to the message. After this, the key-message bit string is encoded and padded even further when it is passed to cSHAKE, an extendable-output function that was announced alongside KMAC. The pseudo-code for KMAC128 [12] is shown below (note that || indicates concatenation):

KMAC128(K, X, L, S):
    newX = bytepad(encode_string(K), 168) || X || right_encode(L)
    return cSHAKE128(newX, L, "KMAC", S)

cSHAKE128(X, L, N, S):
    if N = ε and S = ε:
        return SHAKE128(X, L)
    else:
        return KECCAK[256](bytepad(encode_string(N) || encode_string(S), 168) || X || 00, L)

The parameters to KMAC, $K$, $X$, $L$, and $S$, are the key, message, desired output length, and a customization bit string, respectively. The parameters to cSHAKE, $X$, $L$, $N$, and $S$, are the message, desired output length, a function name bit string, and a customization bit string, respectively. The encode_string function seen above prepends to its argument a byte string encoding of the argument's length, as generated by the left_encode function (not shown). Similarly, the bytepad function prepends a byte string encoding of its second argument to its first argument, and then appends zeroes to the result until its length in bytes is a multiple of the second argument. Before the key is even prepended to the message in KMAC, it is of the form

left_encode(168) || left_encode(len(K)) || K

Inside the cSHAKE function, the key-message-length value is prepended with a padded concatenation of encodings of the customization bit string and the function name bit string. After two zero bits are appended, the entire value is passed to the Keccak hashing algorithm. At this point, the key is buried deep within the value. Both of the power analysis attacks discussed earlier attack the first round of the hashing algorithm. However, as shown in the pseudo-code and as has been discussed, the key is preceded by an encoding of the customization bit string and the function name bit string that is some multiple of 168 bytes in length. Assuming it is exactly 168 bytes in length, there are 256 bits left in the state in the first round that most likely contain the key.
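The encoding functions named above, as an added example that is neither the paper's nor NIST's reference code: byte-level left_encode, right_encode, encode_string and bytepad as defined in NIST SP 800-185, the byte string KMAC128 hands to KECCAK[256], and a helper that computes the byte offset of the key within it and therefore which 168-byte absorbed block (equivalently, which application of the Keccak function) processes the key. It assumes byte-aligned inputs and an absorbed block of 168 bytes; kmac128_input and key_layout are this example's own names.

```python
# Added example (not from the paper or from NIST): SP 800-185 byte-level
# encodings and the position of the key in the KMAC128 input. Block k is
# absorbed before the (k+1)-th application of the Keccak function.

RATE = 168   # bytes absorbed per block by KECCAK[256] (cSHAKE128 / KMAC128)


def _be_bytes(x):
    """x as the minimal number of big-endian bytes (at least one byte)."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def left_encode(x):
    """left_encode(x): the byte count n, then the n bytes of x."""
    body = _be_bytes(x)
    return bytes([len(body)]) + body


def right_encode(x):
    """right_encode(x): the n bytes of x, then the byte count n."""
    body = _be_bytes(x)
    return body + bytes([len(body)])


def encode_string(s):
    """encode_string(S) = left_encode(len(S) in bits) || S."""
    return left_encode(8 * len(s)) + s


def bytepad(x, w):
    """bytepad(X, w) = left_encode(w) || X, zero-padded to a multiple of w bytes."""
    out = left_encode(w) + x
    return out + bytes(-len(out) % w)


def kmac128_input(key, message, out_bits, custom=b""):
    """The byte string KMAC128 passes to KECCAK[256] through cSHAKE128.
    The two trailing '00' bits of cSHAKE are omitted; they follow the message
    and do not move the key."""
    new_x = bytepad(encode_string(key), RATE) + message + right_encode(out_bits)
    prefix = bytepad(encode_string(b"KMAC") + encode_string(custom), RATE)
    return prefix + new_x


def key_layout(key, custom=b""):
    """(first byte offset of the key, block holding its first byte, block
    holding its last byte). A first block of 0 would mean the key is
    processed by the first application of the Keccak function."""
    prefix_len = len(bytepad(encode_string(b"KMAC") + encode_string(custom), RATE))
    offset = prefix_len + len(left_encode(RATE)) + len(left_encode(8 * len(key)))
    return offset, offset // RATE, (offset + len(key) - 1) // RATE


if __name__ == "__main__":
    # Constructed inputs: a 16-byte key with an empty, then a 200-byte, customization string.
    print("empty S:   ", key_layout(b"\xaa" * 16))
    print("200-byte S:", key_layout(b"\xaa" * 16, b"x" * 200))
    print("200-byte K:", key_layout(b"\xaa" * 200))
```

With an empty customization string the N/S prefix is exactly one 168-byte block, so the first key byte sits at offset 172 and is absorbed with the second block; a 200-byte customization string pushes the prefix to 336 bytes and the key into the third block, and a 200-byte key is split across two blocks.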
But, if the length of the bit string and function name bit string encodings and padding is some multiple of 168, say 336 or 504, than the key cannot possibly fit in the state in the first round. While the function name bit string is known ( KMAC ), the customization bit string may not be known. This makes it difficult to simply target a deeper round of the Keccak hashing algorithm since it is unknown how deep the attack will have to be moved. Furthermore, depending on the length of the customization bit string and function name bit string encodings and paddings, it could be the case that key bits are divided across two rounds of the algorithm. As mentioned, KMAC is a recent hash-based keyed message authentication code algorithm published by NIST. The power analysis attacks discussed so far were published before KMAC was announced and have assumed a prepending 15

or appending of the secret key to the message without any sort of encodings or paddings.

9 Conclusion

In this paper a side channel attack known as power analysis has been discussed that leverages the power consumption of a machine running a cryptographic operation to retrieve secret information. In particular, this paper has looked at applications of differential and correlation power analyses in the retrieval of key bits from a Keccak-based keyed message authentication code algorithm (MAC-Keccak). Methods of countering power analysis of MAC-Keccak, such as masking and NIST's recent Keccak-MAC (KMAC) algorithm, have also been looked at.

A significant question is whether any of the attacks discussed are practical. The answer is an uninspiring yes and no. To begin with, the power analysis attacks discussed make a few assumptions about an attacker's access to a machine running a cryptographic operation and about the operation itself: that the attacker has physical access to the machine; that the attacker can run the cryptographic operation any number of times to gather the necessary number of power traces; that the MAC-Keccak implementation directly prepends or appends the key to the message without any encoding or padding; and that the secret key is less than 768 bits in length. If all of these assumptions hold, then the attacks described above can recover the secret key; conversely, if any one of them fails, the attacks become infeasible.

While side channel attacks such as power analysis lie at the edge of practicality, it is incumbent upon developers and implementers of cryptographic systems to keep in mind that implementation or algorithmic weaknesses are not the only ways to break a system. Indeed, as demonstrated by the discussed differential and correlation power analyses against MAC-Keccak, even an extremely strong cryptographic system such as Keccak can be broken without breaking the algorithm. It is necessary, therefore, to keep the physical effects of running a cryptographic operation in mind while designing and implementing cryptographic systems.
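The third assumption above, that the raw key is placed directly before or after the message with no encoding or padding, is precisely what NIST's KMAC construction changes. The following is an added example, not code from this paper or from the Keccak team: a compact Keccak-f[1600] sponge, the naive key || message construction the attacks assume, and KMAC128 as specified in NIST SP 800-185 (encode_string, bytepad, right_encode and cSHAKE128). The helper shares_block, the function names and the 168-byte SHAKE128 rate are this example's own choices; the sample key (bytes 0x40 to 0x5F) and message (00 01 02 03) are the inputs of NIST's first published KMAC128 sample, and the SHAKE128 core is cross-checked against Python's hashlib.

```python
"""Added example, not the paper's code: naive MAC-Keccak (raw key || message) beside
KMAC128 from NIST SP 800-185, with a minimal Keccak-f[1600] sponge so it runs offline."""
import hashlib

MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,  # iota
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
RHO = [0] * 25                     # rho offsets, generated by the (x, y) -> (y, 2x+3y) walk
_x, _y = 1, 0
for _t in range(24):
    RHO[_x + 5 * _y] = ((_t + 1) * (_t + 2) // 2) % 64
    _x, _y = _y, (2 * _x + 3 * _y) % 5

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(a):
    """Keccak-f[1600]; a[x + 5*y] is lane (x, y) as a 64-bit int (FIPS 202)."""
    for rnd in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                         # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                           # rho, pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(a[x + 5 * y], RHO[x + 5 * y])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                         # chi
        a[0] ^= RC[rnd]                                                  # iota
    return a

def pad_blocks(data, rate, suffix):
    """Append the domain suffix byte and pad10*1; return the rate-byte blocks absorbed."""
    buf = bytearray(data) + bytes([suffix])
    buf += bytes(-len(buf) % rate)
    buf[-1] |= 0x80
    return [bytes(buf[i:i + rate]) for i in range(0, len(buf), rate)]

def keccak(rate, data, suffix, out_len):
    """Sponge: absorb each block into the first rate//8 lanes, then squeeze out_len bytes."""
    s = [0] * 25
    for block in pad_blocks(data, rate, suffix):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        s = keccak_f1600(s)
    out = b""
    while len(out) < out_len:
        out += b"".join(s[i].to_bytes(8, "little") for i in range(rate // 8))
        s = keccak_f1600(s)
    return out[:out_len]

def shake128(data, out_len):                    # rate 168 bytes, suffix bits 1111
    return keccak(168, data, 0x1F, out_len)

def matches_stdlib_shake128(data, out_len):     # sanity check of the sponge against hashlib
    return shake128(data, out_len) == hashlib.shake_128(data).digest(out_len)

def left_encode(x):                             # SP 800-185 encodings
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b

def right_encode(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return b + bytes([len(b)])

def encode_string(s):
    return left_encode(8 * len(s)) + s

def bytepad(x, w):
    z = left_encode(w) + x
    return z + bytes(-len(z) % w)

def cshake128(x, out_len, n=b"", s=b""):
    if not n and not s:
        return shake128(x, out_len)
    return keccak(168, bytepad(encode_string(n) + encode_string(s), 168) + x, 0x04, out_len)

def kmac128(key, msg, out_len, s=b""):
    """KMAC128: the key is encoded and zero-padded to a whole 168-byte block before msg."""
    body = bytepad(encode_string(key), 168) + msg + right_encode(8 * out_len)
    return cshake128(body, out_len, b"KMAC", s)

def naive_mac_keccak(key, msg, out_len=32):
    """The construction the paper's attacks assume: the raw key prepended to the message."""
    return shake128(key + msg, out_len)

def shares_block(construction, key, msg, rate=168):
    """(block index of the last key byte, block index of the first message byte)."""
    if construction == "naive":
        key_end, msg_start = len(key) - 1, len(key)
    else:  # "kmac": public cSHAKE prefix block, then the padded key block, then msg
        prefix = bytepad(encode_string(b"KMAC") + encode_string(b""), rate)
        key_end = len(prefix) + len(left_encode(rate) + encode_string(key)) - 1
        msg_start = len(prefix) + len(bytepad(encode_string(key), rate))
    return key_end // rate, msg_start // rate
```

Calling shares_block("naive", K, X) for the 32-byte sample key returns (0, 0): the key and the attacker-chosen message are absorbed into the same 168-byte block, so the first permutation call mixes both, which is the layout the power analyses in this paper rely on. shares_block("kmac", K, X) returns (1, 2): the encoded key occupies a rate block of its own after the public cSHAKE prefix block, and message bytes only enter the sponge in the next block. The cross-check matches_stdlib_shake128 confirms the hand-written permutation agrees with the standard library before any KMAC value is trusted.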

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 7 September 23, 2015 CPSC 467, Lecture 7 1/1 Advanced Encryption Standard AES Alternatives CPSC 467,

More information

Observations and Attacks On The SHA-3 Candidate Blender

Observations and Attacks On The SHA-3 Candidate Blender Observations and Attacks On The SHA-3 Candidate Blender Craig Newbold cjnewbold@googlemail.com Abstract 51 candidates have been accepted as first round candidates in NIST s SHA-3 competition, to decide

More information

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 L3: Basic Cryptography II Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 8/29/2016 CSCI 451 -Fall 2016 1 Acknowledgement Many slides are from or

More information

Computational Security, Stream and Block Cipher Functions

Computational Security, Stream and Block Cipher Functions Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for

More information

A j-lanes tree hashing mode and j-lanes SHA-256

A j-lanes tree hashing mode and j-lanes SHA-256 A j-lanes tree hashing mode and j-lanes SHA-5 Shay Gueron 1, 1 Department of Mathematics, University of Haifa, Israel Intel Corporation, Israel Development Center, Haifa, Israel August 1, Abstract. j-lanes

More information

Cryptographic Algorithms - AES

Cryptographic Algorithms - AES Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel

More information

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions DRAFT FIPS PUB 202 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information

More information

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.

More information