Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Similar documents
A first-order chosen-plaintext DPA attack on the third round of DES

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Power Analysis Attacks

Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

Attacks on Advanced Encryption Standard: Results and Perspectives

Symmetric Cryptography. Chapter 6

Security against Timing Analysis Attack

Syrvey on block ciphers

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

HOST Differential Power Attacks ECE 525

Blind Differential Cryptanalysis for Enhanced Power Attacks

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

External Encodings Do not Prevent Transient Fault Analysis

7. Symmetric encryption. symmetric cryptography 1

Practical Electromagnetic Template Attack on HMAC

Complementing Feistel Ciphers

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

BLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014

Computer and Data Security. Lecture 3 Block cipher and DES

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

Cryptography [Symmetric Encryption]

Secret Key Algorithms (DES)

Correlated Keystreams in Moustique

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

A New Attack with Side Channel Leakage during Exponent Recoding Computations

FDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks

Cryptography (cont.)

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

An Improved Truncated Differential Cryptanalysis of KLEIN

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

A Weight Based Attack on the CIKS-1 Block Cipher

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Masking as a Side-Channel Countermeasure in Hardware

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Fundamentals of Cryptography

Introduction to Modern Symmetric-Key Ciphers

Side-Channel Attack against RSA Key Generation Algorithms

Chapter 3 Block Ciphers and the Data Encryption Standard

Power Analysis of Atmel CryptoMemory Recovering Keys from Secure EEPROMs

Evaluating memory protection of smartcards and similar devices. Wolfgang Killmann, T-Systems GEI GmbH

Outline. Embedded Security. Black-box Security. B. Gierlichs CryptArchi, Trégastel, June 2008

Cryptography and Network Security. Sixth Edition by William Stallings

Few Other Cryptanalytic Techniques

Applying TVLA to Public Key Cryptographic Algorithms. Michael Tunstall Gilbert Goodwill

New Attacks on Feistel Structures with Improved Memory Complexities

Cache Timing Analysis of LFSR-based Stream Ciphers

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Defeating Embedded Cryptographic Protocols by Combining Second-Order with Brute Force

Some Aspects of Block Ciphers

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Analysis of Involutional Ciphers: Khazad and Anubis

Cryptanalysis of Lightweight Block Ciphers

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSC 474/574 Information Systems Security

Lowering the Bar: Deep Learning for Side Channel Analysis. Guilherme Perin, Baris Ege, Jasper van December 4, 2018

Lecture 4: Symmetric Key Encryption

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE

Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

A physical level perspective

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f

Cryptanalysis. Ed Crowley

Block Encryption and DES

Solutions to exam in Cryptography December 17, 2013

Fault Analysis Study of IDEA

3 rd SKINNY Breaking Competition

Security of Block Ciphers Beyond Blackbox Model

Cryptography ThreeB. Ed Crowley. Fall 08

Attack on DES. Jing Li

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Full Plaintext Recovery Attack on Broadcast RC4

A Cache Timing Analysis of HC-256

Adaptive Chosen-Message Side-Channel Attacks

A Lightweight AES Implementation Against Bivariate First-Order DPA Attacks Weize Yu and Selçuk Köse

Cryptography: Symmetric Encryption [continued]

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Efficient Practical Key Recovery for Side- Channel Attacks

On the Applicability of Distinguishing Attacks Against Stream Ciphers

Improved Attacks on Full GOST

Lecture 3: Symmetric Key Encryption

Fault Sensitivity Analysis

Multi-Stage Fault Attacks

Cryptography and Network Security. Sixth Edition by William Stallings

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

Symmetric Encryption Algorithms

Non-Profiled Deep Learning-Based Side-Channel Attacks

Computer Security: Principles and Practice

Narrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT

Side-Channel Cryptanalysis. Joseph Bonneau Security Group

Cache Timing Attacks on estream Finalists

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Transcription:

A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 2

Divide and conquer in DPA Implementations of cryptographic algorithms slowly mix the input with the key Example: block cipher AES-128 128 16 24 32 1 8 (illustration) rounds 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 3 Divide and conquer in DPA DPA on first (last) two rounds is easier than cryptanalysis First (last) two rounds need to be protected Inner rounds? Countermeasures are expensive. 128 16 24 32 1 8 1 2 rounds (illustration) 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 4

Attacks on inner rounds Based on detecting collisions Different intermediates have the same value Some form of cryptanalysis All rounds of DES and AES have to be protected Not DPA! Requires strong leakage from inner rounds Based on deactivating part of the state Fix part of inputs to a constant Fix p2, p3 and p4 Reduce effort from 2 4w to 2 2w 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 5 What about DPA on DES? 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 6

DES [image source: wikipedia] 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 7 What about DPA on DES? First round S-box outputs depend on 6 key bits Second round S-box outputs depend on 36 key bits Third round S-box output depends on... DPA on first (last) two rounds is easier than cryptanalysis No need to protect inner rounds against DPA? 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 8

Contribution We present A first-order chosen-plaintext DPA attack on the third round of DES Requires ability to choose inputs Otherwise standard DPA attack Complexity is that of 2-3 DPA attacks on the first round of DES + some minimal differential cryptanalysis Two steps DPA with chosen inputs to deactivate part of the state and Jaffe s trick to push unknown constants into the key guess Recovers blinded round 2 keys Differential cryptanalysis to recover round 1 keys Unblind round 2 keys Invert key schedule 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 9 Step 1 Target leakge of L3 Choose inputs s.t. L0 varies and R0 const Recover blinded round 2 key Repeat with different const R0 and R0 Recover also 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 10

Step 2: untangle terms k1 and E(C) Classic differential attack on 1 round Feistel to recover k0 Consider differences First round output differences after E (invertible) We know the input difference R0 R0 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 11 Step 2: untangle terms k1 and E(C) Given input and output difference, key recovery differential attack for K0 Divide and conquer: S-box by S-box, simple For one S-box Guess on 6-bit key Compute S-box output difference for R0 and R0 Apply E Equals corresponding part of? Discard key guess if not. Repeat for other output differences and Intersection of key candidates is expected to yield unique and correct K0 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 12

Step 2: untangle terms k1 and E(C) Given K0 compute And unblind the DPA recovered Invert DES key schedule to obtain DES key 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 13 Validation Unprotected SW DES on 8-bit µc, 200 measurements 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 14

Validation Step 1 Step 2 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 15 Validation Step 2 does not yield a unique result Solutions Perform step1 with more different constants Check if K0 and K1 are compatible with DES key schedule Invert key schedule for each (K0,K1) pair and check resulting DES key with a plaintext / ciphertext pair DES key 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 16

Discussion Distance leakage: hardware implementation leaks HD(L2,L3) No problem Optimization: how to choose input differences to minimize key candidates after step 2 All first round S-boxes should be active (non-zero difference) How many different inputs do we need? For just two, we get < 2 28 keys after step 2 Can be filtered with consistency check / brute force Influence of the key schedule DES round keys K0 and K1 are strongly correlated We did not exploit this fact attack applies to any key schedule If two rounds keys are not sufficient, peel off 2 rounds and proceed 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 17 Summary A first-order chosen-plaintext DPA attack on the third round of DES Simple Resilient to noise (it is DPA; we do not use collisions) Recovers full DES keys Remind once again that outer and inner rounds of Feistel ciphers must be protected 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 18

Thank you for your attention 14 November 2017 Benedikt Gierlichs - DPA on 3rd round of DES 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback