A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

Similar documents
HOST Differential Power Attacks ECE 525

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Software Performance Characterization of Block Cipher Structures Using S-boxes and Linear Mappings

A Weight Based Attack on the CIKS-1 Block Cipher

Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge

Linear Cryptanalysis of Reduced Round Serpent

Differential-Linear Cryptanalysis of Serpent

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN

A Lightweight AES Implementation Against Bivariate First-Order DPA Attacks Weize Yu and Selçuk Köse

Integral Cryptanalysis of the BSPN Block Cipher

Elastic Block Ciphers: The Feistel Cipher Case

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Efficient DPA Attacks on AES Hardware Implementations

Area Optimization in Masked Advanced Encryption Standard

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

A Fault Attack Against the FOX Cipher Family

Security against Timing Analysis Attack

DFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

On the Design of Secure Block Ciphers

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

A SIMPLIFIED IDEA ALGORITHM

Computer and Data Security. Lecture 3 Block cipher and DES

Second-Order Power Analysis Attacks against Precomputation based Masking Countermeasure

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Fault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis

A Methodology for Differential-Linear Cryptanalysis and Its Applications

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Power-Analysis Attack on an ASIC AES implementation

The MESH Block Ciphers

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Elastic Block Ciphers: The Feistel Cipher Case

CIS 6930/4930 Computer and Network Security. Project requirements

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES

Blind Differential Cryptanalysis for Enhanced Power Attacks

A Related Key Attack on the Feistel Type Block Ciphers

Differential Fault Analysis on the AES Key Schedule

EEC-484/584 Computer Networks

Fundamentals of Cryptography

Multi-Stage Fault Attacks

Secret Key Algorithms (DES)

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

A Meet-in-the-Middle Attack on 8-Round AES

DESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract)

Improved Integral Attacks on MISTY1

DeKaRT: A New Paradigm for Key-Dependent Reversible Circuits

Efficient Implementation of Grand Cru with TI C6x+ Processor

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

A Cautionary Note on Weak Implementations of Block Ciphers

Two Attacks on Reduced IDEA (Extended Abstract)

Symmetric Cryptography. Chapter 6

On the Security of the 128-Bit Block Cipher DEAL

Secret Key Cryptography

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Differential Power Analysis in AES: A Crypto Anatomy

Cryptographic Algorithms - AES

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Complementing Feistel Ciphers

Blow-CAST-Fish: A New 64-bit Block Cipher

Cryptography and Network Security. Sixth Edition by William Stallings

A New Meet-in-the-Middle Attack on the IDEA Block Cipher

Chosen Ciphertext Attack on SSS

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers

Power Analysis Attacks against FPGA Implementations of the DES

COSADE Conference Series

On-Line Self-Test of AES Hardware Implementations

On the Applicability of Distinguishing Attacks Against Stream Ciphers

Analysis of Involutional Ciphers: Khazad and Anubis

Modern Block Ciphers

Key Separation in Twofish

New Cryptanalytic Results on IDEA

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

A Meet in the Middle Attack on Reduced Round Kuznyechik

IPA: A New Class of Power Attacks

The Rectangle Attack

Side-Channel Attack on Substitution Blocks

Susceptibility of estream Candidates towards Side Channel Analysis

A New Technique for Sub-Key Generation in Block Ciphers

AES Advanced Encryption Standard

Power Analysis Attacks

Differential Cryptanalysis

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Chosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure

A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling

Countermeasures against EM Analysis

Biclique Attack of the Full ARIA-256

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis

A New Attack with Side Channel Leakage during Exponent Recoding Computations

CIS 4360 Secure Computer Systems Symmetric Cryptography

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 2: Secret Key Cryptography

A Related-Key Attack on TREYFER

Computer Security 3/23/18

New Cryptanalytic Results on IDEA

Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers

D eepa.g.m 3 G.S.Raghavendra 4

Transcription:

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher Lu Xiao and Howard M. Heys 2 QUALCOMM Incorporated, lxiao@qualcomm.com 2 Electrical and Computer Engineering, Faculty of Engineering and Applied Science, Memorial University of Newfoundland, howard@engr.mun.ca Abstract This paper presents a simple power analysis attack against the key schedule of Camellia. The attack works for the smart card environment which leaks the Hamming weight of data being processed, making use of the Hamming weight to deduce all key bits. It is shown that determining the cipher key given accurate power analysis data is very fast and does not require any pair of plaintext and ciphertext. Introduction Camellia [] is a 28-bit block cipher with a Feistel round structure and supports 28-, 92-, and 256- bit keys. In February 2003, Camellia was included together with Advanced Encryption Standard (AES) into the NESSIE portfolio of 28-bit block ciphers [2]. Both the encryption and key schedule of Camellia can be easily implemented on an 8-bit platform []. This paper explores Camellia s potential vulnerability to a simple power analysis attack when implemented in an 8-bit smart card environment. A general description of power analysis attacks is available in references [3] and [4]. Using the Hamming weight information leakage model of [4], our attack on Camellia runs faster than the attack on AES and does not require any pairs of plaintext and ciphertext. The attack presented only considers a theoretical, idealized simple power analysis. Further details on the effects of real measurement noise on the applicability of the attack are discussed in [5].

K L T 9 T 0 = T 8 T 5 T = T 4 T 0 T Σ T 2 T 3 T 4 Σ 3 T 0 T T 2 T 5 Σ 2 T 6 T 7 T 8 T 0 T 3 Σ 4 T 4 T 5 T 6 T 8 T 7 T 3 T 9 T 5 K A Figure : Camellia s 28-bit Key Schedule 2 Description of Camellia s 28-Bit Key Schedule Camellia s 28-bit key schedule generates 26 subkeys of 64 bits from the original key K L and another derived key K A of 28 bits. K A is derived from K L as shown in Figure, where Σ i is unique for each round i, performs byte-wise substitution, and performs a linear transformation. Each subkey can be obtained as one half of K L or K A after they are left rotated for a specific number of bits. This number can be 0, 5, 30 (only for K A ), 45, 60, 77 (only for K L ), 94, or, depending on the round number. 3 Hamming Weight Attack To attack a block cipher with a 28-bit key running on an 8-bit processor, the leakage of Hamming weight information for each key byte as determined by the measurement of power consumption straightforwardly enables attackers to reduce the possible key space from 2 28 to 2 90.43, as discussed in [6]. However, depending on the nature of a block cipher, the implementation of a Hamming weight attack could be much simpler than this reduced workload. For example, our attack exploits the redundancy in the key schedule of Camellia and determines all key bits without knowledge of any plaintext and ciphertext pair. 2

K L[0,, 7] 0 0 0 0 0 0 0 0 0 2 3 4 5 6 7 0 0 0 0 8 9 A B 0 0 0 0 C D E F 0 2 3 4 left rotation 5 6 7 8 K L <<<45 K L (6 bytes) 0 0 0 0 0 3 4 5 6 7 0 0 8 9 0 0 0 A B C 0 D 0 0 E F 0 2 3 4 5 6 7 8 Figure 2: An Example of Subkey Generation (gray bits: assumed (8m+4)-bit chunk where m=2) 3. Requirements for the Attack The attack works with three prerequisites: ) access to the power consumption information, 2) the ability to identify the clock cycles for individual steps in the key schedule (e.g., using the method suggested in [3]), and 3) a monotonic relation between power and Hamming weight. 3.2 Attack Against Subkey Generation Our attack is implemented through two steps. The first step exploits the rotational relations between K L and the resultant subkeys; the second step will exploit relations in the derivation of K A from K L. Several 64-bit subkeys are derived from K L through left rotation for a certain number of bit positions (denoted by <<< ). Since attackers can only check the Hamming weight of each byte, the rotation offsets (5, 45, 60, 77, 94, ) provide information determined by the equivalent shift in bit positions as given by the remainder when the rotation offset is divided by 8. As shown in Figure 2, each rotation of K L gives a chance to consider bits with a different byte partition due to the shift of bit-positions with bytes. Assuming 8m+4 adjacent bits of K L are unknown, up to 5m Hamming weights collected through power measurement can be used to validate candidates for these key bits. Based on these checks, a dynamic pruning method can be used to reduce the search space over all 8m+4 bits. The key K L may be divided into 4 overlapped parts K L[24 27,0 3], K L[28 63], K L[60 95], and K L[92 27] so that they can be processed quickly and independently. Each part produces a number of 36-bit candidates (i.e., m = 4). Any four candidates from these four parts can be joined into one K L guess when their overlapped bits are consistent. When applied to Camellia s key 3

schedule with 20 randomly generated cipher keys, an average of about 2 38 candidates of the full K L pass this step. 3.3 Attack Against the Derivation of K A In this section, we examine the second step in the attack, which gains more key information from the steps involved in the derivation of key K A. In the first round illustrated in Figure, each byte of K L s left half (denoted as T 0 ), is XORed with constant Σ. The result is denoted as T 2 = T 0 Σ. The following is byte-wise substitution, denoted as T 3 = S(T 2 ). If we still use K L[24 27,0 3] and K L[28 63] separately to prune partial key space, two more Hamming weight checks for each hypothetical byte can be performed by comparing the Hamming weights in T 2 and T 3 with the corresponding values from measurement. Each output byte of the (denoted as T 4 = P(T 3 )) depends on at least 5 input bytes. To continue the candidate pruning, we combine any two candidates of K L[24 27,0 3] and K L[28 63] with consistent overlapped bit values to form 8 byte guesses of K L s left half K L[0 63], denoted as T 0. The output of round function with input T 0 is denoted as T 4. If T 0 = T 0, then T 4 = T 4. Because the Hamming weight per byte in T 4 is known, another 8 Hamming weight checks can be performed to examine each T 0. In most cases, only or 2 possible candidates of the left half of K L can pass this step. For each T 0 remaining, the right half of K L (denoted as T ) is guessed. The second Feistel round in Figure is expressed as: T 5 = T 4 T, T 6 = T 5 Σ 2, T 7 = S(T 6 ), T 8 = P(T 7 ). Similarly to the left half guess, K L[60 95] and K L[92 27] can be considered separately to prune the partial key space by using three more Hamming weight checks for each byte in T 5 T 7. Then, any two candidates of K L[64 99] and K L[96 28,0 3] with consistent overlapped bit values are combined to form a candidate of K L s right half K L[64 27], denoted as T. The output of the round function with input T 0 T 4 is denoted as T 8. If T 0 = T 0 and T = T, then T 8 = T 8. Thus, another 8 Hamming weight checks can be performed to validate each T candidate. Similarly, Hamming weight checks can be applied from T 9 to T 7. We applied this attack to Camellia s 28-bit key schedule with 0,000 randomly generated sample keys. The experimental results listed in Table show that 2 rounds of Hamming weight checks in K A s derivation is enough for unique key identification in most cases. The attack can be 4

easily extended to 92-bit and 256-bit key schedules [5]. Table : Experimental Attack Results with 0 4 Samples of 28-Bit Camellia Cipher Keys Scope of HW checks T 0 T 7 T 0 T 8 T 0 T 9 T 0 T 0 Cases with unique key identification 4.04 % 97.49 % 99.98 % 00 % Ave. # of spurious keys 5.3588 0.0264 0.0002 0 4 Conclusion When Camellia is implemented in a device with Hamming weight leakage due to power measurements, it is very important for implementors to consider appropriate countermeasures. The vulnerability of many ciphers to similar attacks and practical countermeasures have been discussed in [5]. References [] K. Aoki et al., Camellia: a 28-bit block cipher suitable for multiple platforms - design and analysis, SAC 2000, LNCS 202, pp. 39 56, Springer-Verlag, 200. [2] New European Schemes for Signatures Integrity and Encryption (NESSIE) website. Available at www.cosic.esat.kuleuven.ac.be/nessie. [3] E. Biham and A. Shamir, Power analysis of the key scheduling of the AES candidates, Second Advanced Encryption Standard (AES) Candidate Conference, Rome, Italy, 999. [4] S. Mangard, A Simple Power-Analysis (SPA) attack on implementations of the AES key expansion, ICISC 2002, LNCS 2587, pp. 343 358, Springer-Verlag, 2002. [5] L. Xiao, Implementation Analysis of Block Cipher Components and Structures. PhD thesis, Memorial University of Newfoundland, 2003. [6] T. S. Messerges, E. Dabbish, and R. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Trans. on Computers, vol. 5, pp. 54 552, April 2002. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback