Implementing Practical leakage-resilient symmetric cryptography. University of Illinois at Chicago, Technische Universiteit Eindhoven

Size: px

Start display at page:

Download "Implementing Practical leakage-resilient symmetric cryptography. University of Illinois at Chicago, Technische Universiteit Eindhoven"

Janel Jenkins
5 years ago
Views:

1 Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven

2 CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust, Pietrzak, Schipper) explains how to protect against realistic side-channel attacks.

3 CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust, Pietrzak, Schipper) explains how to protect against realistic side-channel attacks. Sounds great! But is it secure?

4 CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust, Pietrzak, Schipper) explains how to protect against realistic side-channel attacks. Sounds great! But is it secure? Will an implementor doing what this paper says actually end up with a side-channel-protected cipher?

5 The TCC view: What do you mean? It s provably secure! We have proofs and theorems!

6 The TCC view: What do you mean? It s provably secure! We have proofs and theorems! Macbeth s view: It is a tale told by an idiot, full of sound and fury, signifying nothing.

7 The TCC view: What do you mean? It s provably secure! We have proofs and theorems! Macbeth s view: It is a tale told by an idiot, full of sound and fury, signifying nothing. My view: Carefully evaluating side-channel security requires an implementation. ) Let s implement the cipher.

8 Prerequisite: F, a PRF (or a weak PRF ) mapping a k-bit key and an `-bit nonce to a 2k-bit output.

9 Prerequisite: F, a PRF (or a weak PRF ) mapping a k-bit key and an `-bit nonce to a 2k-bit output. Hmmm, this is vague. What s k? `? F? Practical cryptography requires complete specification.

10 Prerequisite: F, a PRF (or a weak PRF ) mapping a k-bit key and an `-bit nonce to a 2k-bit output. Hmmm, this is vague. What s k? `? F? Practical cryptography requires complete specification. My best guesses: k = 128; ` = 127; F K (p) = AES K (0p) AES K (1p).

11 First-level cipher Γ: Input: 128-bit key K; standard random bit string p = (p0; p1; : : : ; p255; p256); 256-bit nonce n = (n0; n1; : : : ; n255).

12 First-level cipher Γ: Input: 128-bit key K; standard random bit string p = (p0; p1; : : : ; p255; p256); 256-bit nonce n = (n0; n1; : : : ; n255). Compute X0 = K, X1 = AES X 0 (n 0p0), X2 = AES X 1 (n 1p1), : : :, X256 = AES X 255 (n 255p255).

13 First-level cipher Γ: Input: 128-bit key K; standard random bit string p = (p0; p1; : : : ; p255; p256); 256-bit nonce n = (n0; n1; : : : ; n255). Compute X0 = K, X1 = AES X 0 (n 0p0), X2 = AES X 1 (n 1p1), : : :, X256 = AES X 255 (n 255p255). Output: 256-bit string AES X 256 (p 2560) AES X 256 (p 2561).

14 The final cipher: Input: 384-bit key K0; K1; K2; 512-bit plaintext (a0; b0).

15 The final cipher: Input: 384-bit key K0; K1; K2; 512-bit plaintext (a0; b0). Compute (a1; b1) = (a0; b0 Γ K 0 (a 0)); (a2; b2) = (a1 Γ K 1 (b 1); b1); (a3; b3) = (a2; b2 Γ K 2 (a 2)).

16 The final cipher: Input: 384-bit key K0; K1; K2; 512-bit plaintext (a0; b0). Compute (a1; b1) = (a0; b0 Γ K 0 (a 0)); (a2; b2) = (a1 Γ K 1 (b 1); b1); (a3; b3) = (a2; b2 Γ K 2 (a 2)). Output: 512-bit ciphertext (a3; b3).

17 I implemented this cipher during a talk this morning.

18 I implemented this cipher during a talk this morning. Code simplicity?

19 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL.

20 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL. Validation status?

21 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL. Validation status? Bad. Surely there are bugs. Practical cryptography requires test vectors.

22 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL. Validation status? Bad. Surely there are bugs. Practical cryptography requires test vectors. Source of random p?

23 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL. Validation status? Bad. Surely there are bugs. Practical cryptography requires test vectors. Source of random p? Bad. I used C s random().

24 I implemented this cipher during a talk this morning. Code simplicity? Not bad, assuming AES is provided. I used AES from OpenSSL. Validation status? Bad. Surely there are bugs. Practical cryptography requires test vectors. Source of random p? Bad. I used C s random(). I m going to hell.

25 Code availability?

26 Code availability? Good. cr.yp.to/aesgonewild.html

27 Code availability? Good. cr.yp.to/aesgonewild.html Speed?

28 Code availability? Good. cr.yp.to/aesgonewild.html Speed? Horrifying. Encrypting 64 bytes: close to 1 million cycles on one core of my laptop.

29 Code availability? Good. cr.yp.to/aesgonewild.html Speed? Horrifying. Encrypting 64 bytes: close to 1 million cycles on one core of my laptop. But faster than FHE.

30 Code availability? Good. cr.yp.to/aesgonewild.html Speed? Horrifying. Encrypting 64 bytes: close to 1 million cycles on one core of my laptop. But faster than FHE. Security? Unclear! Try hyperthreading, DPA, etc. Maybe chosen-n templates will discover secret n? Don t let slow ciphers evade security evaluation.

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Goals of authenticated encryption Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven More details, credits: competitions.cr.yp.to /features.html Encryption sender