Abstract
Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient re-keying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.
Notes
i.e., side-channel attacks with data complexity 1, essentially.
i.e., side-channel attacks with larger data complexity, essentially.
The same S-box hypothesis is typically used as a working assumption to mount side-channel collision attacks [35]. By contrast, we use it constructively in this work.
Since for \(b=4\), \(N_\mathrm{t}\) might not be large enough for the formula of Eq. 1 to be accurate, we also performed the following experiment. We uniformly sampled a 16-tuple of 4-bit values as hypothesis for the correct key (A) and simulated the observed signal by adding 15 more random 16-tuples to the first one (B). Then, we sampled \(2^{16}\) tuples of 4-bit values for the incorrect key hypotheses (\(C_i\)). Finally, we applied a Hamming weight leakage function and calculated the \(2^{16}\) correlation coefficients between (A) and (B), and (B) and (\(C_i\)), respectively. The resulting coefficients for the wrong hypotheses lay between \(-0.85\) and 0.85. Furthermore, over 100 experiments we observed that on average 18,000 wrong hypotheses yielded a higher \(\rho \) than the correct key. The observed minimum of favored wrong keys was 209 and the maximum 64,800. This experiment likewise suggests that a \(b\) of no more than four should be chosen.
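The simulation described in this note, re-implemented as an added example (constructed here, not the authors' code): the target S-box leaks the Hamming weight of a 4-bit value, 15 further S-boxes computed in parallel add their Hamming weights as algorithmic noise, and every key hypothesis is a 16-tuple scored by its Pearson correlation with the 16-sample signal. The function and parameter names (`run_experiment`, `summarize`, `N_SBOXES`, `N_TRACES`) are this example's own; the wrong-hypothesis count and number of repetitions are parameters so that smaller runs are possible.

```python
"""Monte Carlo re-run of the note's correlation experiment (constructed example,
not the paper's code): correct-key prediction (A), signal (B) = HW leakage of (A)
plus 15 random noise S-boxes, and 2^16 random wrong hypotheses (C_i)."""
import random
from math import sqrt

B = 4            # S-box output width in bits (b = 4 in the note)
N_SBOXES = 16    # the target S-box plus 15 others leaking in parallel
N_TRACES = 16    # one leakage sample per trace, i.e. 16-tuples


def hamming_weight(value):
    return bin(value).count("1")


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when one side is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def random_tuple(rng, n=N_TRACES, b=B):
    """A uniformly random n-tuple of b-bit values."""
    return [rng.randrange(1 << b) for _ in range(n)]


def hw_vector(values):
    """Hamming weight leakage model applied to every tuple element."""
    return [hamming_weight(v) for v in values]


def run_experiment(seed, n_wrong=1 << 16):
    """One experiment: how many of n_wrong random hypotheses outrank the correct key."""
    rng = random.Random(seed)
    correct = random_tuple(rng)                 # (A): correct-key prediction
    signal = hw_vector(correct)                 # (B): its leakage ...
    for _ in range(N_SBOXES - 1):               # ... plus 15 noise S-boxes
        signal = [s + h for s, h in zip(signal, hw_vector(random_tuple(rng)))]
    rho_correct = pearson(hw_vector(correct), signal)
    favored = 0
    rho_min, rho_max = 1.0, -1.0
    for _ in range(n_wrong):                    # (C_i): wrong hypotheses
        rho = pearson(hw_vector(random_tuple(rng)), signal)
        rho_min, rho_max = min(rho_min, rho), max(rho_max, rho)
        if rho > rho_correct:
            favored += 1
    return {"rho_correct": rho_correct, "favored_wrong": favored,
            "rho_min": rho_min, "rho_max": rho_max}


def summarize(n_experiments, n_wrong, seed=0):
    """Mean/min/max number of wrong keys ranked above the correct key over repeated runs."""
    counts = [run_experiment(seed + i, n_wrong)["favored_wrong"]
              for i in range(n_experiments)]
    return {"mean_favored": sum(counts) / n_experiments,
            "min_favored": min(counts), "max_favored": max(counts),
            "mean_fraction_favored": sum(counts) / (n_experiments * n_wrong)}


if __name__ == "__main__":
    r = run_experiment(seed=1)
    print(f"rho(correct) = {r['rho_correct']:.3f}; wrong-key rho in "
          f"[{r['rho_min']:.2f}, {r['rho_max']:.2f}]; "
          f"{r['favored_wrong']} of {1 << 16} wrong keys ranked higher")
    print(summarize(n_experiments=10, n_wrong=1 << 12, seed=2))
```

With 16 observations the sample correlation of a random wrong hypothesis has a standard deviation of roughly 0.26, while the correct key's expected correlation is only 1/4 (one leaking S-box out of 16), which is why a large and widely varying fraction of wrong keys is ranked above the correct one from run to run.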
Under the assumption that the S-box does not contain structural weaknesses.
This is realistic as this information mainly depends on the placement of the S-boxes in the implementation. By contrast, the information of the correct subkey ranking depends on the key-dependent algorithmic noise and cannot be considered as constant for all attacks.
References
Archambeau, C., Peeters, E., Standaert, F.X., Quisquater, J.J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES, LNCS, pp. 1–14. Springer, Berlin (2006)
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES, LNCS, pp. 450–466. Springer, Berlin (2007)
Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.X., Steinberger, J.P., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT, LNCS, pp. 45–62. Springer, Berlin (2012)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES, LNCS, pp. 16–29. Springer, Berlin (2004)
Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M.J. (ed.) CRYPTO, LNCS, pp. 398–412. Springer, Berlin (1999)
Dodis, Y., Pietrzak, K.: Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks. In: Rabin, T. (ed.) CRYPTO, LNCS, pp. 21–40. Springer, Berlin (2010)
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302. IEEE Computer Society, USA (2008)
Elaabid, M., Guilley, S.: Portability of templates. J. Cryptogr. Eng. 2(1), 63–74 (2012). doi:10.1007/s13389-012-0030-6
Faraday Technology Corporation: Faraday FSA0A_C 0.18 µm ASIC Standard Cell Library (2004). http://www.faraday-tech.com
Faust, S., Pietrzak, K., Schipper, J.: Practical leakage-resilient symmetric cryptography. In: Prouff, E., Schaumont, P. (eds.) CHES, LNCS, pp. 213–232. Springer, Berlin (2012)
Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES, LNCS, pp. 251–261. Springer, Berlin (2001)
Goubin, L., Patarin, J.: DES and differential power analysis (the “duplication” method). In: Koç, Ç.K., Paar, C. (eds.) CHES, LNCS, pp. 158–172. Springer, Berlin (1999)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES, LNCS, pp. 326–341. Springer, Berlin (2011)
Heyszl, J., Mangard, S., Heinz, B., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of cryptographic implementations. In: Dunkelman, O. (ed.) CT-RSA, LNCS, pp. 231–244. Springer, Berlin (2012)
Heyszl, J., Merli, D., Heinz, B., De Santis, F., Sigl, G.: Strengths and limitations of high-resolution electromagnetic field measurements for side-channel analysis. In: Mangard, S. (ed.) CARDIS, LNCS. Springer, Berlin (2012)
Joux, A. (ed.): Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009, Proceedings. LNCS, vol. 5479. Springer, Berlin (2009)
Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.): Cryptographic Hardware and Embedded Systems—CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers. LNCS, vol. 2523. Springer, Berlin (2003)
Kocher, P.C.: Leak resistant cryptographic indexed key update. US Patent
Leander, G.: Small scale variants of the block cipher PRESENT. Cryptology ePrint Archive, Report 2010/143 (2010)
MacMahon, P.A.: Percy Alexander MacMahon: Collected Papers—vol. 1: Combinatorics. MIT Press, USA (1978)
Mangard, S.: Hardware countermeasures against DPA—a statistical analysis of their effectiveness. In: CT-RSA, LNCS, pp. 222–235. Springer, Berlin (2004)
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks—Revealing the Secrets of Smart Cards. Springer, Berlin (2007)
Mangard, S., Oswald, E., Standaert, F.X.: One for all—all for one: unifying standard differential power analysis attacks. IET Inform. Secur. 5(2), 100–110 (2011). http://link.aip.org/link/?IFS/5/100/1
Mangard, S., Popp, T., Gammel, B.M.: Side-channel leakage of masked CMOS gates. In: Menezes, A. (ed.) CT-RSA, LNCS, pp. 351–365. Springer, Berlin (2005)
Medwed, M., Petit, C., Regazzoni, F., Renauld, M., Standaert, F.X.: Fresh re-keying II: securing multiple parties against side-channel and fault attacks. In: Prouff, E. (ed.) CARDIS, LNCS, pp. 115–132. Springer, Berlin (2011)
Medwed, M., Standaert, F.X., Großschädl, J., Regazzoni, F.: Fresh re-keying: security against side-channel and fault attacks for low-cost devices. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT, LNCS, pp. 279–296. Springer, Berlin (2010)
Medwed, M., Standaert, F.X., Joux, A.: Towards super-exponential side-channel security with efficient leakage-resilient PRFs. In: Prouff, E., Schaumont, P. (eds.) CHES, LNCS, pp. 193–212. Springer, Berlin (2012)
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT, LNCS, pp. 462–482. Springer, Berlin (2009)
Poucheret, F., Barthe, L., Benoit, P., Torres, L., Maurine, P., Robert, M.: Spatial EM jamming: a countermeasure against EM analysis? In: VLSI-SoC, pp. 105–110. IEEE, New York (2010)
Prouff, E., Schaumont, P. (eds.): Cryptographic Hardware and Embedded Systems—CHES 2012, 14th International Workshop, Leuven, Belgium, September 9–12, 2012, Proceedings. LNCS, vol. 7428. Springer, Berlin (2012)
Quisquater, J.J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T.P. (eds.) E-smart, LNCS, pp. 200–210. Springer, Berlin (2001)
Renauld, M., Standaert, F.X., Veyrat-Charvillon, N., Kamel, D., Flandre, D.: A formal study of power variability issues and side-channel attacks for nanoscale devices. In: Paterson, K.G. (ed.) EUROCRYPT, LNCS, pp. 109–128. Springer, Berlin (2011)
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.X. (eds.) CHES, LNCS, pp. 413–427. Springer, Berlin (2010)
Sauvage, L., Guilley, S., Mathieu, Y.: Electromagnetic radiations of FPGAs: high spatial resolution cartography and attack on a cryptographic module. ACM Trans. Reconfig. Technol. Syst. 2(1), 4:1–24 (2009). doi:10.1145/1502781.1502785
Schramm, K., Wollinger, T.J., Paar, C.: A new class of collision attacks and its application to DES. In: FSE, pp. 206–222 (2003)
Standaert, F.X., Archambeau, C.: Using subspace-based template attacks to compare and combine power and electromagnetic information leakages. In: Oswald, E., Rohatgi, P. (eds.) CHES, LNCS, pp. 411–425. Springer, Berlin (2008)
Standaert, F.X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT, LNCS, pp. 443–461. Springer, Berlin (2009)
Standaert, F.X., Pereira, O., Yu, Y., Quisquater, J.J., Yung, M., Oswald, E.: Leakage resilient cryptography in practice. In: Sadeghi, A.R., Naccache, D. (eds.) Towards Hardware-Intrinsic Security, Information Security and Cryptography, pp. 99–134. Springer, Berlin (2010)
Standaert, F.X., Veyrat-Charvillon, N., Oswald, E., Gierlichs, B., Medwed, M., Kasper, M., Mangard, S.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT, LNCS, pp. 112–129. Springer, Berlin (2010)
Veyrat-Charvillon, N., Gerard, B., Renauld, M., Standaert, F.X.: An optimal key enumeration algorithm and its application to side-channel attacks. Cryptology ePrint Archive, Report 2011/610 (2011)
Veyrat-Charvillon, N., Gerard, B., Standaert, F.X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT, LNCS, vol. 7881, pp. 126–141. Springer, Berlin (2013)
Yu, Y., Standaert, F.X.: Practical leakage-resilient pseudorandom objects with minimum public randomness. In: Dawson, E. (ed.) CT-RSA, LNCS, pp. 223–238. Springer, Berlin (2013)
Yu, Y., Standaert, F.X., Pereira, O., Yung, M.: Practical leakage-resilient pseudorandom generators. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS, pp. 141–151. ACM, USA (2010)
Acknowledgments
This work has been funded in part by the European Commission's ECRYPT-II NoE (ICT-2007-216676), by the European 7th Framework Programme project TAMPRES, by the ERC project 280141 (acronym CRASH) and by the German Federal Ministry of Education and Research project 01IS11035Y (acronym ARAMiS). François-Xavier Standaert is a Research Associate of the Belgian Fund for Scientific Research (FNRS-F.R.S).
Additional information
This research was conducted while Stefan Mangard was with Infineon Technologies AG, Munich, Germany.
Appendices
Appendix A: Impact of key word repetitions
Let us denote by \(\mathcal{S}\) a multiset of \(N_\mathrm{s}\) key words uniformly distributed in \([0, 2^b-1]\). The number of permutations of these key words, or equivalently the complexity to order them, depends on the multiplicities of these key words in \(\mathcal{S}\). We denote by \(m_j\) (with \(1\le j \le 2^b-1\)) the multiplicity of value \(j\), i.e., the number of times this value appears in the multiset \(\mathcal{S}\). For instance, with \(\mathcal{S}=\{3,3,5,8,8,8\}\) (\(N_\mathrm{s}=6\)), we have \(m_3=2\), \(m_5=1\), \(m_8=3\) and \(m_j=0\), \(\forall j \in [0,2^4-1]\backslash \{3,5,8\}\). Let us additionally denote by \(M_i^q\) the random variable representing the number of multiplicities equal to \(q\) when selecting the \(i\mathrm{th}\) key word (with \(1 \leqslant i \leqslant N\)). We can then write the following recursion formula that, under relevant boundary conditions, gives us the desired probabilities:
From these probabilities, we can deduce those of the time complexities of attacks for various parameters \(N_\mathrm{s}\) and \(b\). In practice, we used Monte Carlo sampling to evaluate the mean complexities from the multiplicity distribution. That is, we drew a large number (i.e., sufficient to obtain accurate estimates) of independent random variables following the relevant law and estimated its expectation using the law of large numbers.
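The multiplicities of Appendix A and the Monte Carlo estimate it describes, as an added example (constructed here, not the paper's code). It takes the "complexity to order" the \(N_\mathrm{s}\) key words to be the number of distinguishable arrangements of the multiset, \(N_\mathrm{s}!/\prod_j m_j!\), which is this example's reading of the appendix rather than a formula the page states, and estimates its mean over uniformly drawn multisets by sampling, as the appendix does for its probabilities. The names `multiplicities`, `distinct_orderings` and `mean_orderings` are this example's own.

```python
"""Key-word multiplicities and Monte Carlo estimation of the ordering cost
(constructed example, not the authors' code).  The ordering cost is taken to be
N_s! / prod_j m_j!, the number of distinguishable orderings of the multiset."""
import random
from collections import Counter
from itertools import permutations
from math import factorial


def multiplicities(key_words):
    """m_j for every value j present in the multiset S (absent values have m_j = 0)."""
    return dict(Counter(key_words))


def distinct_orderings(key_words):
    """N_s! / prod_j m_j!: the number of distinguishable orderings of S."""
    count = factorial(len(key_words))
    for m in multiplicities(key_words).values():
        count //= factorial(m)          # exact division: the result is an integer
    return count


def distinct_orderings_brute_force(key_words):
    """The same quantity by enumeration, as a cross-check; only feasible for small N_s."""
    return len(set(permutations(key_words)))


def sample_multiset(rng, n_s, b):
    """N_s key words drawn uniformly and independently from [0, 2^b - 1]."""
    return [rng.randrange(1 << b) for _ in range(n_s)]


def mean_orderings(n_s, b, n_samples, seed=0):
    """Law-of-large-numbers estimate of the mean ordering cost over random multisets."""
    rng = random.Random(seed)
    total = 0
    for _ in range(n_samples):
        total += distinct_orderings(sample_multiset(rng, n_s, b))
    return total / n_samples


if __name__ == "__main__":
    s = [3, 3, 5, 8, 8, 8]                 # the appendix's example, N_s = 6
    print(multiplicities(s), distinct_orderings(s))
    # Smaller b means more repeated key words, hence fewer distinguishable orderings.
    for b in (2, 4, 8):
        print(f"b={b}: mean orderings of 16 key words ~ "
              f"{mean_orderings(16, b, 2000, seed=1):.3e} (upper bound {factorial(16)})")
```

The closed form and the brute-force enumeration agree on the appendix's example (60 orderings for \(\{3,3,5,8,8,8\}\)); the sampled means for \(b=2,4,8\) show how a small word size, through frequent repetitions, lowers the ordering cost well below \(N_\mathrm{s}!\).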
Appendix B: Architecture’s design on an FPGA
Our analysis was conducted on a Xilinx Spartan 3 FPGA device manufactured in a 90 nm technology. We performed localized magnetic field measurements using a coil with a resolution of 100 µm, positioned very closely to the front-side surface of the depackaged circuit. We performed \(27\times 27\) measurements covering the surface area enclosed by the bonding wires. The architecture of the design is shown in Fig. 7.
Appendix C: SNR maps of the \(32\) key words over the chip surface
Cite this article
Belaïd, S., De Santis, F., Heyszl, J. et al. Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis. J Cryptogr Eng 4, 157–171 (2014). https://doi.org/10.1007/s13389-014-0079-5