A Key Management Scheme for DPA-Protected Authenticated Encryption

Transcription

1 A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by NSF grant no

2 Leakage-Resilient Cryptography Classical Cryptography Input Key Algorithm Output 2

3 Leakage-Resilient Cryptography Side-Channel Analysis Algorithm Input Key Output Execution Time Power Consumption Electromagnetic Radiation Acoustic Waves Photonic Emission Fault Detection 3

4 Leakage-Resilient Cryptography Side-Channel Analysis Algorithm Input Key Is this a problem? Output Execution Time Power Consumption Electromagnetic Radiation Acoustic Waves Photonic Emission Fault Detection 3

5 Differential Power Analysis P K S The key in DPA is to find a sensitive intermediate variable that depends on: a controllable/observable input. and a fixed unknown. Where the unknown is affected by a small part of the key. 4

6 Leakage-Resilient Cryptography 1- Hardware Protection Input Key Algorithm Output 5

7 Leakage-Resilient Cryptography 1- Hardware Protection Input Key Algorithm Output Typically at High Cost (typically 2x). 5

8 Leakage-Resilient Cryptography 2- Leakage-Resilient Cryptography Algorithm Input Key Output 6

9 Leakage-Resilient Cryptography 2- Leakage-Resilient Cryptography Algorithm Input Key Output New Primitive Special Mode of operation (compatible with current modes) 6

10 Leakage-Resilient Cryptographic Primitive Stream Ciphers: [DP08, P09, YSPY10] Block Ciphers: [FPS12] Digital Signatures: [BSW11] Public-Key Encryption: [NS12] and many more 7

11 Leakage-Resilient Cryptographic Primitive Stream Ciphers: [DP08, P09, YSPY10] Block Ciphers: [FPS12] Digital Signatures: [BSW11] Public-Key Encryption: [NS12] and many more However: The assumptions used are controversial. High-overhead initialization procedure. Not a current solution (still needs standardization). 7

12 Leakage-Resilient Mode of Operation Are current modes DPA-protected? 8

13 Leakage-Resilient Mode of Operation Are current modes DPA-protected? No Different design requirement. The IV/nonce is not secret, hence the same attack methodology can be used. 8

14 Leakage-Resilient Mode of Operation Are current modes DPA-protected? No Different design requirement. The IV/nonce is not secret, hence the same attack methodology can be used. Research Goals: Current: Design a compatible DPA-protection add-on. Future: Include the DPA-protection in a new AE mode. 8

15 Outline Introduction Design Model Security Requirements of the New Scheme Previous Work NLFSR-Based Scheme Concluding Remarks 9

16 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Session Key K1 K2 K3 In AES Out In AES Out In AES Out 10

17 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Session Key K1 K2 K3 In AES Out In AES Out In AES Out Goal: protection against any differential attack. This is NOT shifting the problem, but separating it. 10

18 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Direct Leakage Session Key K1 K2 K3 In AES Out In AES Out In AES Out Goal: protection against any differential attack. This is NOT shifting the problem, but separating it. 10

19 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Direct Leakage Session Key K1 K2 K3 In AES Out In AES Out In AES Out Combined Information Leakage Goal: protection against any differential attack. This is NOT shifting the problem, but separating it. 10

20 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Direct Leakage Session Key K1 K2 K3 In AES Out In AES Out In AES Out Combined Information Leakage Goal: protection against any differential attack. This is NOT shifting the problem, but separating it. 10

21 Design Model Initialization Encryption Key Propagation Master Key Initialization Vector Direct Leakage Session Key K1 K2 K3 In AES Out In AES Out In AES Out Combined Information Leakage Goal: protection against any differential attack. This is NOT shifting the problem, but separating it. 10

22 Security Requirements Initialization: Maximum Diffusion. Compatible with current AES modes. (no additional secrets or exchanged variables) One-wayness. DPA-hard, without depending on the Hardware. Small hardware overhead. Master Key Initialization Vector Session Key 11

23 Security Requirements Key Propagation: Non-linearity. Prevent divide-and-conquer. Forward Security (better). Small hardware overhead. Session Key K1 K2 K3 12

24 Previous Work Contribution Initialization Propagation [Kocher03] DES DES [MSGR10] Modular Multiplication [GFM10] NLM and AES AES [Kocher11] Tree structure of Hashing Hashing [MSJ12] [BSH..13] Current Proposal Improved tree of AES Minimum SP Network NLFSR-based scheme They are all: High cost. Or, depend on other hardware protections. 13

25 Current Proposal Why NLFSR? High DPA-attack complexity. Current DPA attack on Grain leaves 30 bits of the key for exhaustive search [FGKV07]. High diffusion and one-wayness. High non-linearity. Low hardware overhead, as learned from the estream results. What are the preferred properties of the NLFSR for the best DPA-protection? 14

26 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 15

27 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit: One sensitive variable of high leakage. The output of the feedback function can be found. 15

28 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit: 16

29 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit: Sensitive variable of high leakage. The output of the feedback function can be found. 16

30 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit: Sensitive variable of high leakage. The output of the feedback function can be found. Sensitive variable of low leakage. Intermediate unknown can be found. 16

31 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit: Sensitive variable of high leakage. The output of the feedback function can be found. Sensitive variable of low leakage. Intermediate unknown can be found. Is it useful? depends on the computational hierarchy. 16

32 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit. n th input bit: A linear equation of n unknowns. 17

33 DPA of a Generic LFSRs I 0 I 1 C C C C C C I 2 I n 1 st input bit. 2 nd input bit. n th input bit: A linear equation of n unknowns. LFSRs are directly breakable after reaching all state bits 17

34 DPA of a Generic NLFSRs I 0 Non-linear function I 1 I 2 I n 18

35 DPA of a Generic NLFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit: One sensitive variable of high leakage. The output of the feedback function can be found. 18

36 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit. 2 nd input bit: Operation at the known bit: 19

37 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit. 2 nd input bit: Operation at the known bit: XOR: The output of the feedback function can be found. Intermediate unknown can be found. Is it useful? AND: Only the intermediate unknown (low leakage) can be found. Is it useful? depends on the computational hierarchy. 19

38 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit. 2 nd input bit: Operation at the known bit: XOR: The output of the feedback function can be found. Intermediate unknown can be found. Is it useful? AND: Only the intermediate unknown (low leakage) can be found. Is it useful? depends on the computational hierarchy. 19

39 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit. 2 nd input bit. n th input bit: Only an intermediate variable within the feedback function 20

40 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n 1 st input bit. 2 nd input bit. n th input bit: Only an intermediate variable within the feedback function NLFSRs can still be broken by focusing on small operations within the feedback function 20

41 DPA of a Generic LFSRs I 0 Non-linear function I 1 I 2 I n Solution: Implement the feedback function in memory. 21

42 DPA of a Generic NLFSRs Preferred properties: Large internal state. High number of feedback taps. Feedback function includes the first state bit. Either: The first bit is ANDed at the top of computational hierarchy. Or, the feedback function is implemented using memory. Maximum period. 22

43 Comparison between NLFSRs Grain Trivium KeeLoq [D12] [RSWZ12] Best Internal State :24 25,27 27 Feedback taps 13 3*5 7 3:7 18:21 21 Include 1 st bit No No Yes Yes Yes Yes 1 st bit ANDed No No Yes No No No Maximum period??? Yes Yes Yes 23

44 Comparison between NLFSRs Grain Trivium KeeLoq [D12] [RSWZ12] Best Internal State :24 25,27 27 Feedback taps 13 3*5 7 3:7 18:21 21 Include 1 st bit No No Yes Yes Yes Yes 1 st bit ANDed No No Yes No No No Maximum period??? Yes Yes Yes The best available NLFSR is still not optimal. 23

45 Current Work Choose a new feedback function. Increase the parallelism. Implementation Practical DPA attack. 24

46 Future Work Include the DPA-protection in a new AE mode Most modes of operation including major AE modes keep the Key as a constant. Updating the Key can provide a free DPA-protection in new designs. 25

47 Concluding Remaks DPA-protection can be achieved by a special mode of operation. We propose a light-weight primitive that can achieve a high level of DPA security. We are working on including the DPA-protection in a new AE mode. Collaborations are welcomed 26

48 Thank You Questions? 27