Post on 31-Jul-2020
On the Simplicity of Converting Leakages from Multivariate to Univariate
21. Aug. 2013
Amir Moradi, Oliver MischkeEmbedded Security Group + Hardware Security GroupRuhr University Bochum, Germany
2
Embedded Security Group
Outline Definitions, Masking, etc. Target masking scheme The story behind our findings Practical issues
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
3
Embedded Security Group
Masking Well‐known SCA countermeasure
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
4
Embedded Security Group
Masking Well‐known SCA countermeasure to make the SC leakages independent of expected intermediate values
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
5
Embedded Security Group
Masking Well‐known SCA countermeasure to make the SC leakages independent of expected intermediate values Randomness is required
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
6
Embedded Security Group
Masking Well‐known SCA countermeasure to make the SC leakages independent of expected intermediate values Randomness is required Let’s consider the most common one, Boolean Masking
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
7
Embedded Security Group
Masking Well‐known SCA countermeasure to make the SC leakages independent of expected intermediate values Randomness is required Let’s consider the most common one, Boolean Masking
Sbox
kp S(p⊕k)
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
8
Embedded Security Group
Masking Well‐known SCA countermeasure to make the SC leakages independent of expected intermediate values Randomness is required Let’s consider the most common one, Boolean Masking
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
9
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
10
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
11
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
12
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
13
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
14
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
DPA/CPA/MIA
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
15
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
DPA/CPA/MIA bivariate MIA
combining: DPA/CPA
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
16
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
DPA/CPA/MIA bivariate MIA
combining: DPA/CPA
multiply: 2nd order bivariate
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
17
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
DPA/CPA/MIA bivariate MIA
combining: DPA/CPA
multiply: 2nd order bivariatesquaring: 2nd order univariate
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
18
Embedded Security Group
Univariate vs. Multivariate Attacks
Sbox
kp S(p⊕k) masked
Sbox
kp
m
S(p⊕k)⊕m'm m'→
DPA/CPA/MIA bivariate MIA
combining: DPA/CPA
multiply: 2nd order bivariate
addition: 1st order bivariate
squaring: 2nd order univariate
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
19
Embedded Security Group
Masking in Hardware
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
20
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
21
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
22
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
23
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
24
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes Processing the mask (m) and masked data (i⊕m) simultaneously
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
25
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes Processing the mask (m) and masked data (i⊕m) simultaneously
– joint distribution of SC leakages mainly because of GLITCHES– possible attacks
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
26
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes Processing the mask (m) and masked data (i⊕m) simultaneously
– joint distribution of SC leakages mainly because of GLITCHES– possible attacks
Systematic schemes
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
27
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes Processing the mask (m) and masked data (i⊕m) simultaneously
– joint distribution of SC leakages mainly because of GLITCHES– possible attacks
Systematic schemes– Threshold Implementation, Security against 1st order attacks
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
28
Embedded Security Group
Masking in Hardware Pre‐computing the masked tables in software
– Sequential operations, Time consuming, Low efficiency High efficiency is desired in HARDWARE
– amongst the main reasons ad‐hoc/heuristic schemes Processing the mask (m) and masked data (i⊕m) simultaneously
– joint distribution of SC leakages mainly because of GLITCHES– possible attacks
Systematic schemes– Threshold Implementation, Security against 1st order attacks
Desired: security against univariate attacks of any order
maskedSbox
m
i⊕m S(i)⊕m'
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
29
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011.
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
30
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011. Multi‐party computation + Shamir’s secret sharing
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
31
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011. Multi‐party computation + Shamir’s secret sharing Basic GF(28) operations, e.g., addition is easy
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
32
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011. Multi‐party computation + Shamir’s secret sharing Basic GF(28) operations, e.g., addition is easy
– Multiplication needs more effort
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
33
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011. Multi‐party computation + Shamir’s secret sharing Basic GF(28) operations, e.g., addition is easy
– Multiplication needs more effort An Sbox computation
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
34
Embedded Security Group
Target Scheme Prouff, Roche: Higher‐Order Glitches Free Implementation of the AES
Using Secure Multi‐party Computation Protocols. CHES 2011. Multi‐party computation + Shamir’s secret sharing Basic GF(28) operations, e.g., addition is easy
– Multiplication needs more effort An Sbox computation
Our goal– Hardware implementation using minimum settings– Using a Virtex‐5 FPGA (SASEBO‐GII)
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
35
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
36
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
37
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
38
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
39
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
40
Embedded Security Group
Target Scheme ‐ Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
41
Embedded Security Group
Target Scheme ‐ Performance
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
42
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
43
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
44
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
45
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
46
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
47
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
Hard to convince the industry sector?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
48
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
Hard to convince the industry sector? getting close to software?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
49
Embedded Security Group
Target Scheme ‐ Performance 66 clock cycles for Inversion, 66 clock cycles for Affine
– One Sbox in 132 clock cycles One full SubBytes in 132 × 16 = 2112 clock cycles One full MixColumns + AddRoundKey in 12 × 16 = 192 clock cycles
Hard to convince the industry sector? getting close to software? Gaining univariate resistance at what price?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
50
Embedded Security Group
Target Scheme ‐ Evaluation
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
51
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
52
Embedded Security Group
Target Scheme ‐ Evaluation
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
53
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
54
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
55
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
56
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
57
Embedded Security Group
Target Scheme ‐ Evaluation A variant by processing all three shares at the same time
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
58
Embedded Security Group
Target Scheme ‐ Evaluation Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
59
Embedded Security Group
Target Scheme ‐ Evaluation Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
60
Embedded Security Group
Target Scheme ‐ Evaluation Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
61
Embedded Security Group
Target Scheme ‐ Evaluation Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
62
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
63
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
64
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
65
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
66
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
67
Embedded Security Group
Measurement Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
68
Embedded Security Group
Measurement Setup
Standard Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
69
Embedded Security Group
Measurement Setup
Standard SetupAmplified Setup
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
70
Embedded Security Group
Target Scheme – Evaluation (Standard Setup) Original Design, 3MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
71
Embedded Security Group
Standard vs. Amplified Setup Exemplary Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
72
Embedded Security Group
Standard vs. Amplified Setup Exemplary Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
73
Embedded Security Group
Standard vs. Amplified Setup Exemplary Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
74
Embedded Security Group
Standard vs. Amplified Setup Exemplary Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
75
Embedded Security Group
Standard vs. Amplified Setup Exemplary Design
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
76
Embedded Security Group
SAKURA‐G
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
77
Embedded Security Group
SAKURA‐G
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
78
Embedded Security Group
Efficiency as a Factor
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
79
Embedded Security Group
Efficiency as a Factor
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
80
Embedded Security Group
Efficiency as a Factor Original Design, Standard Setup, 24MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
81
Embedded Security Group
Efficiency as a Factor Original Design, Standard Setup, 24MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
82
Embedded Security Group
Efficiency as a Factor Original Design, Standard Setup, 24MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
83
Embedded Security Group
Efficiency as a Factor Original Design, Standard Setup, 24MHz
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
84
Embedded Security Group
Summing Up / Future Issues
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
85
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
86
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
87
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?– slowly reaching the software performance?
• making a processor by giant hardware?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
88
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?– slowly reaching the software performance?
• making a processor by giant hardware?– relatively easy ways to combine the leakages
• measurement setup & high clock freq.
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
89
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?– slowly reaching the software performance?
• making a processor by giant hardware?– relatively easy ways to combine the leakages
• measurement setup & high clock freq.
What to do when evaluating a countermeasure / product?
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
90
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?– slowly reaching the software performance?
• making a processor by giant hardware?– relatively easy ways to combine the leakages
• measurement setup & high clock freq.
What to do when evaluating a countermeasure / product?– without any addition/modification on measurement setup?
• not fair, the attacker may do it
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
91
Embedded Security Group
Summing Up / Future Issues Cost of univariate resistance
– security‐performance tradeoff– processing the shares consecutively
a light at the end of the tunnel by [pure] masking in hardware?– slowly reaching the software performance?
• making a processor by giant hardware?– relatively easy ways to combine the leakages
• measurement setup & high clock freq.
What to do when evaluating a countermeasure / product?– without any addition/modification on measurement setup?
• not fair, the attacker may do it
– with any sophisticated measurement setup?• not fair, its security relies on a univariate leak‐free scheme
CHES 2013 | Santa Barbara | 21. Aug 2013 Amir Moradi
92
Embedded Security Group
Thanks!Any questions?
Embedded Security Group, Ruhr University Bochum, Germany
amir.moradi@rub.de