Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Transcription

1 Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn 4/12/18

2 Contents Side-Channel Attack Power Analysis Simple Power Analysis (SPA) Differential Power Analysis (DPA) Correlation Power Analysis (CPA) Keccak DPA Against MAC-Keccak (Software) CPA Against MAC-Keccak (Hardware) Counter Measures Masking Keccak-MAC (KMAC) Conclusion References

3 Side-Channel Attack Mathematical - weak algorithm, cryptanalysis, etc. Software - incorrect implementation Hardware - side-channel: unintended information leaked by a device upon which a cryptographic operation has been implemented

4 Power Analysis leverage measurements of a target device s power consumption to extract secret keys. Power used is influenced by data Trace - a sequence of measurements taken across a cryptographic operation. Ex: 5000 samples/sec while performing AES-128 encryption (see picture).

5 Simple Power Analysis (SPA) Focuses on features that are directly visible in a power trace Analyze power trace and draw inferences of the operation (ex. conditional branches) Compare seemingly similar segments Pros: effective and efficient for most devices Cons: Severely affected by noise in the data

6 Differential Power Analysis (DPA) Statistical method for analyzing sets of power traces Selection function: Uses an educated guess of the possible values of one or more unknown, intermediate variables of a cryptographic operation to partition a set of power traces. Selection function = D( C i, K n ), where C i is the set of known and unknown values for trace T i at time j ( T i [j] ) and K n is the candidate value(s) for the unknown value(s). The selection function targets an operation that mixes known and unknown information.

7 DPA Basic Idea 1. Partition a set of m power traces according to D( C i, K n ) 2. Take the average of the partitions 3. Take the difference of the averages D ; if K n is correlated, than D will contain large spikes (non-zero values) 4. The candidate with the greatest spikes/non-zero values in its corresponding D is most likely the correct value D [j] = σ m i=1 D(Ci, K n )Ti [j] m D(Ci, K n ) σ i=1 - σ i=1 m (1 D(Ci, K n ) )Ti [ j] m (1 D(Ci, K n )) σ i=1

8 Example: AES-128

9 Correlation Power Analysis (CPA) Statistical method that uses correlation coefficients Selection function computes correlation between Hamming Distance (HD) or Hamming Weight (HW) of a candidate value and the actual power consumption. HD and HW are computed in the following manner: H( D R ) where D are the known values, R is a candidate value for the unknown(s), and H computes HD or HW. The candidate with the highest correlation must be correct

10 Keccak (SHA-3) Sponge construction: internal state is larger than output; security equivalent to that of a random oracle Keccak function (f) Recommended internal state size of 5x5x64 bits (1600 bits total)

11 Keccak State

12 Keccak Function - Diffusion; every bit is XOR d with the parity bit of two columns 4 4 S(x,y,z) = S(x,y,z) ( i=0 S(x-1,i,z)) ( i=0 S(x+1,i,z-1)) and - Shuffle lanes - Non-linearity; flips state bit according to values of two other bits in the same row S(x,y,z) = S(x,y,z) ( S(x + 1, y, z) * S(x+2,y,z) ) - Every bit is XOR d with a round constant Note: x and y are done mod 5, z is done mod 64

13 DPA Attack Against MAC-Keccak DPA against MAC-Keccak is difficult since: 1. The length of the key is not fixed 2. The size of the internal state is larger than either the input or the output 3. The target operations are located deep within the operation Steps: 1. Determine length of key 2. Target and operations with multiple passes of DPA

14 DPA Attack Against MAC-Keccak Step 1: Determine Key Length Retrieve the key by performing CPA upon every message bit HW( M i c ), where M i are the message bits processed so far and c is a 0 or 1. Once there is no correlation, we have recovered the portion of the bitrate (initial state) that contains the key

15 DPA Attack Against MAC-Keccak Step 2: Recover Key (General Idea) 1. Add all known bits to the set V 2. Calculate all variables that depend upon currently known bits, add to V 3. Target an operation that processes k V and an unknown bit, run DPA to recover the unknown and add it to V 4. Repeat 2 and 3 until the key is recovered

16 DPA Attack Against MAC-Keccak Step 2: Recover Key (Targeting ) Consider as two operations: Calculates plane (x,z) = ( i=0 S(x,i,z)) for (x-1,z) and (x+1,z-1) 2 - Calculates S(x,y,z) = S(x,y,z) plane (x-1,z) plane (x+1,z-1) If key length 320, then 1 calculates the parity of four message bits and one key bit; trivial to find value of key bit with DPA If key length > 320, then 1 calculates the parity of three message bits and two key bits; find XOR of key bits with DPA, calculate parity, find key bit at (x,y,z) in 2 with DPA, add to V, repeat.

17 DPA Attack Against MAC-Keccak Step 2: Recover Key (Targeting ) If key bits and message bits are interleaved: 1. Partially recover plane and add to V 2. Trace bits through and 3. Recover unknown using DPA against 4. Use recovered value to trace backwards and recover key S(x,y,z) = S(x,y,z) ( S(x + 1, y, z) * S(x+2,y,z) )

18 DPA Results Easily recovers keys of length less than 321 bits For longer keys, success appears to taper off According to the chart, only 90% of the key bits can be recovered for a key of length 768. That leaves 77 bits unknown and 2 77 possibilities.

19 CPA Attack Against MAC-Keccak Target output of first round R 1 = output of first round I = state of register before end of first round (assume 0) Strong correlation between HW(R 1 ) and power consumption

20 CPA Attack Against MAC-Keccak First Approach: Bit-by-bit Use one bit R 1 (x,y,z) Selection function: HD(I(x,y,z), R 1 (x,y,z)) = HW(R 1 (x,y,z)) R 1 = out, furthermore by reversing and, we have: out = out (x 1,y 1,z 1 ) ( out (x 2,y 2,z 2 )* out (x 3,y 3,z 3 ) ) For every out we have: if y=0, then S(x,0,z) S(x-1,0,z) S(x+1,0,z-1) if y=1, then S(x-1,0,z) S(x+1,0,z-1) Issues: Redundancy and too many traces required because of low Signal-to-Noise-Ration (SNR)

21 CPA Attack Against MAC-Keccak Second Approach: Row-by-row Solution: Attack row-by-row. Fewer traces needed, higher SNR, only 320 rows versus 1600 bits. Selection function: HD(I(X,y,z), R 1 (X,y,z)) = HW(R 1 (X,y,z)), X=[0:4], y {0,,4}, z {0,,63}

22 CPA Against MAC-Keccak Correlations

23 CPA Results 320 bit key (shown) Can use attack against rows for keys of length less than 641 Keys longer than 640 cannot be found in a row-by-row manner

24 Counter Measures to Power Analysis Transistor level: gates and circuits are built such that leakage is reduced Program level: random insertion of dummy instructions or randomized order of operations; increases difficulty of aligning traces Algorithmic level: operations of cryptographic algorithm are computed in a manner that reduces leakage Protocol level: reduce number of computations an attacker can execute

25 Masking (Algorithmic level) Represent key or data words by two or more shares within a cryptographic primitive The shares are used in such a way that there is never any correlation to the original value At least one share must be randomly generated for every execution of the cryptographic primitive Ex. x = x + r x If the operation is a group operation, we can treat the shares separately: a = a + r a c = a + b b = b + r b r c = r a + r b

26 ARX (Addition-Rotation-XOR) Masking Arithmetic: x = x + r x (addition or subtraction) Boolean: x = x r x (XOR, shift, or rotate) Issue: A value is in arithmetic form but we need to perform a Boolean operation (or vice versa) Solution: Convert, securely, between different forms with elementary operations and/or lookup tables. Greatly increases the number of elementary operations and/or memory.

27 Keccak-MAC (KMAC) Keyed hash function with a variable length output No nested construction Uses Keccak at its core to hash the message and key

28 Keccak-MAC (KMAC) cont. Parameters: K secret key, X message, L desired output length, S optional customization bit string, N function name bit string KMAC128( K, X, L, S ): newx = byte_pad(encode_string(k),168) X right_encode(l) return cshake128(newx, L, KMAC, S) cshake128( X, L, N, S ): if N= && S= : return SHAKE(X, L) else: return KECCAK[256]=(byte_pad(encode_string(N) encode_string(s), 168) X 00, L)

29 Keccak-MAC (KMAC) cont. encode_string(s) = left_encode(len(s)) S left_encode(x) = encodes X as a byte string byte_pad(x,w) = z = left_encode(w) X while len(z) mod 8 0: z = z 0 while (len(z)/8) mod w 0: z = z return z left_encode(168) left_encode(len(k)) K 0 0

30 Conclusion Are these attacks practical? Many assumptions are made in regards to DPA and CPA against MAC-Keccak: That we have access to the device running MAC-Keccak That we can gather the necessary number of traces That the key is directly prepended to the message KMAC, as recommended by NIST, may make it too difficult to find the key using power analysis

31 References [1] National Institute of Technology and Information, FIPS PUB 198: The Keyed-Hash Message Authentication Code (HMAC). National Institute of Technology and Information, Gaithersburg, [2] National Institute of Technology and Information, FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. National Institute of Technology and Information, Gaithersburg, [3] National Institute of Technology and Information, NIST Special Publication : SHA-3 Derived Functions. National Institute of Technology and Information, Gaithersburg, [4] Stinson, D. R., Crytography: Theory and Practice, 3rd Ed.. Chapman & Hall/CRC, Boca Raton, [5] Lynn, B. Pseudo-Random Functions. Retrieved Feb 20, 2018: [6] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and Van Keer, R. TeamKeccak. Retrieved Februrary 5, 2018: [7] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. The KECCAK SHA-3 Submission [8] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. The KECCAK Reference [9] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. Cryptographic Sponge Functions [10] Kocher, P., Jaffe, J., Jun, B., and Rohatgi, P. Introduction to Differential Power Analysis. Springer, Heidelberg [11] Taha, M., and Schaumont, P. Differential Power Analysis of MAC-Keccak at Any Key-Length. Springer, Heidelberg [12] Brier, E., Clavier, C., and Olivier F. Correlation Power Analysis with a Leakage Model. Springer, Heidelberg, [13] Zohner, M., Kasper, M., Stottinger, M., and Huss, S. Side Channel Analysis of the SHA-3 Finalists. Design, Automation Test in Europe Conference Exhibitions, pp , [14] Tran, X. Power Analysis Attacks on Keccak. RIT Scholar Works, [15] Note on side-channel attacks and their countermeasures. Retrieved March 19, 2018: [16] Luo et. al. Side-Channel Analysis of MAC-Keccak Hardware Implementations. In Proceedings of the Fourth Workshop on Hardware and Architectural Support for Security and Privacy (HASP 15), 2015.