Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18
|
|
- Thomasine Smith
- 5 years ago
- Views:
Transcription
1 Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn 4/12/18
2 Contents Side-Channel Attack Power Analysis Simple Power Analysis (SPA) Differential Power Analysis (DPA) Correlation Power Analysis (CPA) Keccak DPA Against MAC-Keccak (Software) CPA Against MAC-Keccak (Hardware) Counter Measures Masking Keccak-MAC (KMAC) Conclusion References
3 Side-Channel Attack Mathematical - weak algorithm, cryptanalysis, etc. Software - incorrect implementation Hardware - side-channel: unintended information leaked by a device upon which a cryptographic operation has been implemented
4 Power Analysis leverage measurements of a target device s power consumption to extract secret keys. Power used is influenced by data Trace - a sequence of measurements taken across a cryptographic operation. Ex: 5000 samples/sec while performing AES-128 encryption (see picture).
5 Simple Power Analysis (SPA) Focuses on features that are directly visible in a power trace Analyze power trace and draw inferences of the operation (ex. conditional branches) Compare seemingly similar segments Pros: effective and efficient for most devices Cons: Severely affected by noise in the data
6 Differential Power Analysis (DPA) Statistical method for analyzing sets of power traces Selection function: Uses an educated guess of the possible values of one or more unknown, intermediate variables of a cryptographic operation to partition a set of power traces. Selection function = D( C i, K n ), where C i is the set of known and unknown values for trace T i at time j ( T i [j] ) and K n is the candidate value(s) for the unknown value(s). The selection function targets an operation that mixes known and unknown information.
7 DPA Basic Idea 1. Partition a set of m power traces according to D( C i, K n ) 2. Take the average of the partitions 3. Take the difference of the averages D ; if K n is correlated, than D will contain large spikes (non-zero values) 4. The candidate with the greatest spikes/non-zero values in its corresponding D is most likely the correct value D [j] = σ m i=1 D(Ci, K n )Ti [j] m D(Ci, K n ) σ i=1 - σ i=1 m (1 D(Ci, K n ) )Ti [ j] m (1 D(Ci, K n )) σ i=1
8 Example: AES-128
9 Correlation Power Analysis (CPA) Statistical method that uses correlation coefficients Selection function computes correlation between Hamming Distance (HD) or Hamming Weight (HW) of a candidate value and the actual power consumption. HD and HW are computed in the following manner: H( D R ) where D are the known values, R is a candidate value for the unknown(s), and H computes HD or HW. The candidate with the highest correlation must be correct
10 Keccak (SHA-3) Sponge construction: internal state is larger than output; security equivalent to that of a random oracle Keccak function (f) Recommended internal state size of 5x5x64 bits (1600 bits total)
11 Keccak State
12 Keccak Function - Diffusion; every bit is XOR d with the parity bit of two columns 4 4 S(x,y,z) = S(x,y,z) ( i=0 S(x-1,i,z)) ( i=0 S(x+1,i,z-1)) and - Shuffle lanes - Non-linearity; flips state bit according to values of two other bits in the same row S(x,y,z) = S(x,y,z) ( S(x + 1, y, z) * S(x+2,y,z) ) - Every bit is XOR d with a round constant Note: x and y are done mod 5, z is done mod 64
13 DPA Attack Against MAC-Keccak DPA against MAC-Keccak is difficult since: 1. The length of the key is not fixed 2. The size of the internal state is larger than either the input or the output 3. The target operations are located deep within the operation Steps: 1. Determine length of key 2. Target and operations with multiple passes of DPA
14 DPA Attack Against MAC-Keccak Step 1: Determine Key Length Retrieve the key by performing CPA upon every message bit HW( M i c ), where M i are the message bits processed so far and c is a 0 or 1. Once there is no correlation, we have recovered the portion of the bitrate (initial state) that contains the key
15 DPA Attack Against MAC-Keccak Step 2: Recover Key (General Idea) 1. Add all known bits to the set V 2. Calculate all variables that depend upon currently known bits, add to V 3. Target an operation that processes k V and an unknown bit, run DPA to recover the unknown and add it to V 4. Repeat 2 and 3 until the key is recovered
16 DPA Attack Against MAC-Keccak Step 2: Recover Key (Targeting ) Consider as two operations: Calculates plane (x,z) = ( i=0 S(x,i,z)) for (x-1,z) and (x+1,z-1) 2 - Calculates S(x,y,z) = S(x,y,z) plane (x-1,z) plane (x+1,z-1) If key length 320, then 1 calculates the parity of four message bits and one key bit; trivial to find value of key bit with DPA If key length > 320, then 1 calculates the parity of three message bits and two key bits; find XOR of key bits with DPA, calculate parity, find key bit at (x,y,z) in 2 with DPA, add to V, repeat.
17 DPA Attack Against MAC-Keccak Step 2: Recover Key (Targeting ) If key bits and message bits are interleaved: 1. Partially recover plane and add to V 2. Trace bits through and 3. Recover unknown using DPA against 4. Use recovered value to trace backwards and recover key S(x,y,z) = S(x,y,z) ( S(x + 1, y, z) * S(x+2,y,z) )
18 DPA Results Easily recovers keys of length less than 321 bits For longer keys, success appears to taper off According to the chart, only 90% of the key bits can be recovered for a key of length 768. That leaves 77 bits unknown and 2 77 possibilities.
19 CPA Attack Against MAC-Keccak Target output of first round R 1 = output of first round I = state of register before end of first round (assume 0) Strong correlation between HW(R 1 ) and power consumption
20 CPA Attack Against MAC-Keccak First Approach: Bit-by-bit Use one bit R 1 (x,y,z) Selection function: HD(I(x,y,z), R 1 (x,y,z)) = HW(R 1 (x,y,z)) R 1 = out, furthermore by reversing and, we have: out = out (x 1,y 1,z 1 ) ( out (x 2,y 2,z 2 )* out (x 3,y 3,z 3 ) ) For every out we have: if y=0, then S(x,0,z) S(x-1,0,z) S(x+1,0,z-1) if y=1, then S(x-1,0,z) S(x+1,0,z-1) Issues: Redundancy and too many traces required because of low Signal-to-Noise-Ration (SNR)
21 CPA Attack Against MAC-Keccak Second Approach: Row-by-row Solution: Attack row-by-row. Fewer traces needed, higher SNR, only 320 rows versus 1600 bits. Selection function: HD(I(X,y,z), R 1 (X,y,z)) = HW(R 1 (X,y,z)), X=[0:4], y {0,,4}, z {0,,63}
22 CPA Against MAC-Keccak Correlations
23 CPA Results 320 bit key (shown) Can use attack against rows for keys of length less than 641 Keys longer than 640 cannot be found in a row-by-row manner
24 Counter Measures to Power Analysis Transistor level: gates and circuits are built such that leakage is reduced Program level: random insertion of dummy instructions or randomized order of operations; increases difficulty of aligning traces Algorithmic level: operations of cryptographic algorithm are computed in a manner that reduces leakage Protocol level: reduce number of computations an attacker can execute
25 Masking (Algorithmic level) Represent key or data words by two or more shares within a cryptographic primitive The shares are used in such a way that there is never any correlation to the original value At least one share must be randomly generated for every execution of the cryptographic primitive Ex. x = x + r x If the operation is a group operation, we can treat the shares separately: a = a + r a c = a + b b = b + r b r c = r a + r b
26 ARX (Addition-Rotation-XOR) Masking Arithmetic: x = x + r x (addition or subtraction) Boolean: x = x r x (XOR, shift, or rotate) Issue: A value is in arithmetic form but we need to perform a Boolean operation (or vice versa) Solution: Convert, securely, between different forms with elementary operations and/or lookup tables. Greatly increases the number of elementary operations and/or memory.
27 Keccak-MAC (KMAC) Keyed hash function with a variable length output No nested construction Uses Keccak at its core to hash the message and key
28 Keccak-MAC (KMAC) cont. Parameters: K secret key, X message, L desired output length, S optional customization bit string, N function name bit string KMAC128( K, X, L, S ): newx = byte_pad(encode_string(k),168) X right_encode(l) return cshake128(newx, L, KMAC, S) cshake128( X, L, N, S ): if N= && S= : return SHAKE(X, L) else: return KECCAK[256]=(byte_pad(encode_string(N) encode_string(s), 168) X 00, L)
29 Keccak-MAC (KMAC) cont. encode_string(s) = left_encode(len(s)) S left_encode(x) = encodes X as a byte string byte_pad(x,w) = z = left_encode(w) X while len(z) mod 8 0: z = z 0 while (len(z)/8) mod w 0: z = z return z left_encode(168) left_encode(len(k)) K 0 0
30 Conclusion Are these attacks practical? Many assumptions are made in regards to DPA and CPA against MAC-Keccak: That we have access to the device running MAC-Keccak That we can gather the necessary number of traces That the key is directly prepended to the message KMAC, as recommended by NIST, may make it too difficult to find the key using power analysis
31 References [1] National Institute of Technology and Information, FIPS PUB 198: The Keyed-Hash Message Authentication Code (HMAC). National Institute of Technology and Information, Gaithersburg, [2] National Institute of Technology and Information, FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. National Institute of Technology and Information, Gaithersburg, [3] National Institute of Technology and Information, NIST Special Publication : SHA-3 Derived Functions. National Institute of Technology and Information, Gaithersburg, [4] Stinson, D. R., Crytography: Theory and Practice, 3rd Ed.. Chapman & Hall/CRC, Boca Raton, [5] Lynn, B. Pseudo-Random Functions. Retrieved Feb 20, 2018: [6] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and Van Keer, R. TeamKeccak. Retrieved Februrary 5, 2018: [7] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. The KECCAK SHA-3 Submission [8] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. The KECCAK Reference [9] Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. Cryptographic Sponge Functions [10] Kocher, P., Jaffe, J., Jun, B., and Rohatgi, P. Introduction to Differential Power Analysis. Springer, Heidelberg [11] Taha, M., and Schaumont, P. Differential Power Analysis of MAC-Keccak at Any Key-Length. Springer, Heidelberg [12] Brier, E., Clavier, C., and Olivier F. Correlation Power Analysis with a Leakage Model. Springer, Heidelberg, [13] Zohner, M., Kasper, M., Stottinger, M., and Huss, S. Side Channel Analysis of the SHA-3 Finalists. Design, Automation Test in Europe Conference Exhibitions, pp , [14] Tran, X. Power Analysis Attacks on Keccak. RIT Scholar Works, [15] Note on side-channel attacks and their countermeasures. Retrieved March 19, 2018: [16] Luo et. al. Side-Channel Analysis of MAC-Keccak Hardware Implementations. In Proceedings of the Fourth Workshop on Hardware and Architectural Support for Security and Privacy (HASP 15), 2015.
Power Analysis of MAC-Keccak: A Side Channel Attack
Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn Professor Stanislaw Radziszowski May 6, 2018 1 Introduction Recently in the spring of 2017, two documents were discovered
More informationDifferential Power Analysis of MAC-Keccak at Any Key-Length
Differential Power Analysis of MAC-Keccak at Any Key-Length Mostafa Taha and Patrick Schaumont Secure Embedded Systems Center for Embedded Systems for Critical Applications Bradley Department of ECE Virginia
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationHOST Differential Power Attacks ECE 525
Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately, cryptographic
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationPushing the Limits of SHA-3 Hardware Implementations to Fit on RFID
Motivation Keccak Our Designs Results Comparison Conclusions 1 / 24 Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID Peter Pessl and Michael Hutter Motivation Keccak Our Designs Results
More informationKeccak discussion. Soham Sadhu. January 9, 2012
Keccak discussion Soham Sadhu January 9, 2012 Keccak (pronounced like Ketchak ) is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is
More informationThe Customizeable Shake Function (Cshake)
NIST Special Publication 800-XXX The Customizeable Shake Function (Cshake) John Kelsey Computer Security Division Information Technology Laboratory http://dx.doi.org/10.6028/nist.sp.xxx Month and Year
More informationPreimage attacks on the round-reduced Keccak with the aid of differential cryptanalysis
Preimage attacks on the round-reduced Keccak with the aid of differential cryptanalysis Pawe l Morawiecki 1,3, Josef Pieprzyk 2, Marian Srebrny 1,3, and Micha l Straus 1 1 Section of Informatics, University
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationSide-channel Analysis of Grøstl and Skein
2012 IEEE IEEE Symposium CS Security on Security and Privacy and Workshops Privacy Workshops Side-channel Analysis of Grøstl and Skein Christina Boura, Sylvain Lévêque, David Vigilant Gemalto 6 rue de
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 34 Cryptographic Hash Functions A hash function provides message integrity and authentication
More informationA Countermeasure Circuit for Secure AES Engine against Differential Power Analysis
A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis V.S.Subarsana 1, C.K.Gobu 2 PG Scholar, Member IEEE, SNS College of Engineering, Coimbatore, India 1 Assistant Professor
More informationCSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CSCI 454/554 Computer and Network Security Topic 4. Cryptographic Hash Functions Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication Code
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationOutline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question
Hash function lengths Outline AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationOutline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.
AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 22 and 27, 2018 Overview Today: Quiz (based on HW 6) Graded HW 2 due Grad/honors students: Project topic selection
More informationSecurity against Timing Analysis Attack
International Journal of Electrical and Computer Engineering (IJECE) Vol. 5, No. 4, August 2015, pp. 759~764 ISSN: 2088-8708 759 Security against Timing Analysis Attack Deevi Radha Rani 1, S. Venkateswarlu
More informationOverview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 28, 2017 Overview Today: Review Homework 8 solutions Discuss cryptographic hash functions Next: Study for quiz
More informationTowards a Software Approach to Mitigate Correlation Power Analysis
Towards a Software Approach to Mitigate Correlation Power Analysis Ibraheem Frieslaar,2, Barry Irwin 2 Modelling and Digital Science, Council for Scientific and Industrial Research, Pretoria, South Africa.
More informationSecond-Order Power Analysis Attacks against Precomputation based Masking Countermeasure
, pp.259-270 http://dx.doi.org/10.14257/ijsh.2016.10.3.25 Second-Order Power Analysis Attacks against Precomputation based Masking Countermeasure Weijian Li 1 and Haibo Yi 2 1 School of Computer Science,
More informationKeccak specifications
Keccak specifications Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors http://keccak.noekeon.org/ Version 2 September 10, 2009 Keccak
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationPower Analysis Attacks
Power Analysis Attacks Elisabeth Oswald Computer Science Department Crypto Group eoswald@cs.bris.ac.uk Elisabeth.Oswald@iaik.tugraz.at Outline Working principle of power analysis attacks DPA Attacks on
More informationTowards a Software Approach to Mitigate Correlation Power Analysis
Towards a Software Approach to Mitigate Correlation Power Analysis Ibraheem Frieslaar,2, Barry Irwin 2 Modelling and Digital Science, Council for Scientific and Industrial Research, Pretoria, South Africa.
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationOn Boolean and Arithmetic Masking against Differential Power Analysis
On Boolean and Arithmetic Masking against Differential Power Analysis [Published in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems CHES 2000, vol. 1965 of Lecture Notes in Computer
More informationThe Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab
The Davies-Murphy Power Attack Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab Introduction Two approaches for attacking crypto devices traditional cryptanalysis Side Channel Attacks
More informationOnce upon a time... A first-order chosen-plaintext DPA attack on the third round of DES
A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on
More informationA New Attack with Side Channel Leakage during Exponent Recoding Computations
A New Attack with Side Channel Leakage during Exponent Recoding Computations Yasuyuki Sakai 1 and Kouichi Sakurai 2 1 Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan ysakai@iss.isl.melco.co.jp
More informationMasking as a Side-Channel Countermeasure in Hardware
Masking as a Side-Channel Countermeasure in Hardware 6. September 2016 Ruhr-Universität Bochum 1 Agenda Physical Attacks and Side Channel Analysis Attacks Measurement setup Power Analysis Attacks Countermeasures
More informationA Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN
2017 International Conference on Computer, Electronics and Communication Engineering (CECE 2017) ISBN: 978-1-60595-476-9 A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua
More informationPermutation-based symmetric cryptography
Permutation-based symmetric cryptography Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationPractical Electromagnetic Template Attack on HMAC
Practical Electromagnetic Template Attack on HMAC Pierre Alain Fouque 1 Gaétan Leurent 1 Denis Réal 2,3 Frédéric Valette 2 1ENS,75Paris,France. 2CELAR,35Bruz,France. 3INSA-IETR,35Rennes,France. September
More informationAppendix K SHA-3. William Stallings
Appendix K SHA-3 William Stallings K.1 THE ORIGINS OF SHA-3... 2 K.2 EVALUATION CRITERIA FOR SHA-3... 4 K.3 THE SPONGE CONSTRUCTION... 6 K.4 THE SHA-3 ITERATION FUNCTION f... 13 Structure of f... 14 Theta
More informationSHA-3 vs the world. David Wong
SHA-3 vs the world David Wong Sneru MD4 Sneru MD4 Sneru MD4 MD5 Merkle Damgård SHA-1 SHA-2 Sneru MD4 MD5 Merkle Damgård SHA-1 SHA-2 Sneru MD4 MD5 Merkle Damgård SHA-1 SHA-2 Sneru MD4 MD5 Merkle Damgård
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationNon-Profiled Deep Learning-Based Side-Channel Attacks
Non-Profiled Deep Learning-Based Side-Channel Attacks Benjamin Timon UL Transaction Security, Singapore benjamin.timon@ul.com Abstract. Deep Learning has recently been introduced as a new alternative to
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationThe SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013
The SHA-3 Process Keccak & SHA-3 day Brussels, 27 March 2013 Timeline 05 06 07 08 09 10 11 12 13 Summer 2005: Attacks on MD5, RIPEMD, SHA-0, SHA-1 The Wang effect Before 2005 MD4 (Dobbertin) MD5 (Boss.,
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationDifferential Fault Analysis on the AES Key Schedule
ifferential Fault Analysis on the AES Key Schedule Junko TAKAHASHI and Toshinori FUKUNAGA NTT Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation, {takahashi.junko, fukunaga.toshinori}@lab.ntt.co.jp
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems Encrypting a small block of text (say 64 bits) General Considerations: 1. Encrypted
More informationSimplified Adaptive Multiplicative Masking for AES
Simplified Adaptive Multiplicative Masking for AES Elena Trichina, Domenico De Seta, and Lucia Germani Cryptographic Design Center, Gemplus Technology R& D Via Pio Emanuelli, 0043 Rome, Italy {elena.trichina,domenico.deseta,lucia.germani}@gemplus.com
More informationFAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD. G. Bertoni, L. Breveglieri, I. Koren and V. Piuri
FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD G. Bertoni, L. Breveglieri, I. Koren and V. Piuri Abstract. The AES (Advanced Encryption Standard) is an emerging private-key cryptographic system. Performance
More informationCryptography Research, Inc. http:
Di erential Power Analysis Paul Kocher, Joshua Ja e, and Benjamin Jun Cryptography Research, Inc. 870 Market Street, Suite 1088 San Francisco, CA 94102, USA. http: www.cryptography.com E-mail: fpaul,josh,beng@cryptography.com.
More informationAn Improved DPA Attack on DES with Forth and Back Random Round Algorithm
International Journal of Network Security, Vol.19, No.2, PP.285-294, Mar. 2017 (DOI: 10.6633/IJNS.201703.19(2).13) 285 An Improved DPA Attack on with Forth and Back Random Round Algorithm Cai-Sen Chen
More informationON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS
Journal of ELECTRICAL ENGINEERING, VOL. 63, NO. 2, 212, 125 129 COMMUNICATIONS ON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS Jakub Breier Marcel Kleja This paper describes practical differential
More informationA j-lanes tree hashing mode and j-lanes SHA-256
A j-lanes tree hashing mode and j-lanes SHA-5 Shay Gueron 1, 1 Department of Mathematics, University of Haifa, Israel Intel Corporation, Israel Development Center, Haifa, Israel August 1, Abstract. j-lanes
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum
More informationA Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher
A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher Lu Xiao and Howard M. Heys 2 QUALCOMM Incorporated, lxiao@qualcomm.com 2 Electrical and Computer Engineering, Faculty
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationPower Analysis Attacks against FPGA Implementations of the DES
Power Analysis Attacks against FPGA Implementations of the DES François-Xavier Standaert 1, Sıddıka Berna Örs2, Jean-Jacques Quisquater 1, Bart Preneel 2 1 UCL Crypto Group Laboratoire de Microélectronique
More informationHiding of Random Permutated Encrypted Text using LSB Steganography with Random Pixels Generator
Hiding of Random Permutated Encrypted Text using LSB Steganography with Random Pixels Generator Noor Kareem Jumaa Department of Computer Technology Engineering Al-Mansour University College, Iraq ABSTRACT
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationA Key Management Scheme for DPA-Protected Authenticated Encryption
A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationEfficient DPA Attacks on AES Hardware Implementations
I. J. Communications, Network and System Sciences. 008; : -03 Published Online February 008 in SciRes (http://www.srpublishing.org/journal/ijcns/). Efficient DPA Attacks on AES Hardware Implementations
More informationSHA3 Core Specification. Author: Homer Hsing
SHA3 Core Specification Author: Homer Hsing homer.hsing@gmail.com Rev. 0.1 January 29, 2013 This page has been intentionally left blank. www.opencores.org Rev 0.1 ii Rev. Date Author Description 0.1 01/29/2013
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationIntroduction to Software Countermeasures For Embedded Cryptography
Introduction to Software Countermeasures For Embedded Cryptography David Vigilant UMPC Master, 1 st December, 2017 Outline 1 Context and Motivations 2 Basic Rules and Countermeasures Examples Regarding
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationSilent SIMON: A Threshold Implementation under 100 Slices
Silent SIMON: A Threshold Implementation under 1 Slices Aria Shahverdi, Mostafa Taha and Thomas Eisenbarth Worcester Polytechnic Institute, Worcester, MA 169, USA Email: {ashahverdi, mtaha, teisenbarth}@wpi.edu
More informationDifferential Power Analysis of HMAC SHA-2 in the Hamming Weight Model
Differential Power Analysis of HMAC SHA- in the Hamming Weight Model Sonia Belaid, Luk Bettale, Emmanuelle Dottax, Laurie Genelle, Franck Rondepierre To cite this version: Sonia Belaid, Luk Bettale, Emmanuelle
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationKeeLoq and Side-Channel Analysis Evolution of an Attack
KeeLoq and Side-Channel Analysis Evolution of an Attack Christof Paar, Thomas Eisenbarth, Markus Kasper, Timo Kasper and Amir Moradi Chair for Embedded Security Electrical Engineering and Information Sciences
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationHardware Accelerator for Stream Cipher Spritz
Hardware Accelerator for Stream Cipher Spritz by Debjyoti Bhattacharjee and Anupam Chattopadhyay School of Computer Science and Engineering (SCSE) 26-July-2016 Debjyoti Bhattacharjee and Anupam Chattopadhyay,
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationOn the parallelization of slice-based Keccak implementations on Xilinx FPGAs
On the parallelization of slice-based Keccak implementations on Xilinx FPGAs Jori Winderickx, Joan Daemen and Nele Mentens KU Leuven, ESAT/COSIC & iminds, Leuven, Belgium STMicroelectronics Belgium & Radboud
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationThe road from Panama to Keccak via RadioGatún
The road from Panama to Keccak via RadioGatún Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. In this paper, we explain the
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationA physical level perspective
UMass CS 660 Advanced Information Assurance Spring 2011Guest Lecture Side Channel Analysis A physical level perspective Lang Lin Who am I 5 th year PhD candidate in ECE Advisor: Professor Wayne Burleson
More informationSide Channel Analysis of an Automotive Microprocessor
ISSC 2008, Galway. June 18 19 Side Channel Analysis of an Automotive Microprocessor Mark D. Hamilton, Michael Tunstall,EmanuelM.Popovici, and William P. Marnane Dept. of Microelectronic Engineering, Dept.
More informationMidgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA
Midgame Attacks (and their consequences) Donghoon Chang 1 and Moti Yung 2 1 IIIT-Delhi, India 2 Google Inc. & Columbia U., USA Crypto is a Technical Science As technology moves, so should crypto designs
More informationSide-Channel Attack on Substitution Blocks
Side-Channel Attack on Substitution Blocks Roman Novak Jozef Stefan Institute, Jamova 39, 1000 Ljubljana, Slovenia, Roman.Novak@ijs.si Abstract. 1 We describe a side-channel attack on a substitution block,
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationEfficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Gemalto, 6 rue de la Verrerie, 92197 Meudon Cedex, France blandine.debraize@gemalto.com Abstract.
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationEfficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Gemalto, 6 rue de la Verrerie, 92197 Meudon Cedex, France blandine.debraize@gemalto.com Abstract.
More informationAdvanced Encryption Standard
Advanced Encryption Standard Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK) - Krypto Group Faculty of Computer Science Graz University of Technology Outline Modern
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More information