
Security Analysis of Deterministic Re-keying with Masking and Shuffling: Application to ISAP

  • Conference paper
  • In: Constructive Side-Channel Analysis and Secure Design (COSADE 2021)

Abstract

Single-trace side-channel attacks are important attack vectors against the security of authenticated encryption schemes relying on an internal re-keying process, such as the NIST Lightweight Cryptography finalist ISAP. In a recent work by Kannwischer et al. [18], it was suggested to mitigate such single-trace attacks with masking and shuffling. In this work, we first show that combining masking and re-keying is conceptually useless, since this combination can always be attacked with a complexity that is just the sum of the complexities of attacking a masked implementation (without re-keying) and a re-keyed implementation (without masking). We then show that combining shuffling and re-keying is theoretically founded but can be practically challenging: in low-cost embedded devices (e.g., ARM Cortex-M0) that are the typical targets of single-trace attacks, the noise level of the leakages is such that multivariate attacks can be powerful enough to recover the shuffling permutation from a single trace. This second result does not prevent the shuffling + re-keying combination from being effective in noisier contexts, but it suggests that the best use cases for leakage-resilient PRFs as used by ISAP remain the ones where no additional countermeasures are needed.


Notes

  1. https://csrc.nist.gov/projects/lightweight-cryptography.

  2. By DPA (resp., SPA), we mean side-channel attacks where the adversary can observe the leakage of many (resp., a few) different inputs of the leaking primitive.

  3. Concretely, it could even make the situation worse, since the computational overhead of some masked operations (e.g., multiplications) may increase the signal. We do not investigate this, as it is quite implementation-specific and leads to the same conclusion: masking and re-keying do not combine well.

  4. If \(\boldsymbol{W}\) is the identity, this is equivalent to standard Gaussian template attacks [8].

  5. The realisation x may not always be a long-term secret. For example, when targeting a block cipher, x is usually an intermediate value that is bijectively mapped to a secret key byte k with the relation \(x = \mathrm {Sbox}(k \oplus p)\), with p a public plaintext.

  6. In this work, we assume that \(\mathrm {gen\_perm}(\cdot ,\cdot )\) is pre-computed and the permutation is stored in memory. It can also be generated on-the-fly if needed.

  7. It is not always possible to find 25 independent operations within the Keccak round function. Yet, we will show that even in this best case (for the designer), where there are 25 independent operations, shuffling is ineffective.
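The single-trace claim in the abstract, together with notes 4 and 7, can be made concrete with a small simulation. The block below is an added example written for this page; it is not code from the paper or from the ISAP code package. It assumes a simple profiled Gaussian leakage model: each of the 25 shuffled operations (the best case for the designer, per note 7) has its own mean leakage vector over a few samples, constructed here at random, and the attack trace carries those vectors in a secret order plus isotropic Gaussian noise. The projection W of note 4 is a plug-in parameter that defaults to the identity (plain Gaussian templates); the bijective assignment of slots to operations is a greedy maximum-likelihood heuristic chosen for brevity, not the paper's procedure, and an optimal assignment would only recover the permutation more often. The point the sweep shows is the one in the abstract: at low noise the whole permutation falls out of one trace, at high noise it does not.

```python
"""Simulated single-trace recovery of a shuffling permutation with
multivariate Gaussian templates (pure Python, constructed leakage model)."""
import math
import random

N_OPS = 25  # independent shuffled operations per round (note 7, designer's best case)
DIM = 8     # leakage samples per operation time slot (multivariate attack)


def make_templates(n_ops=N_OPS, dim=DIM, seed=1):
    """Profiling phase (assumed): one mean leakage vector per operation index.
    Constructed at random to stand in for address/register-dependent leakage."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_ops)]


def simulate_trace(templates, perm, sigma, rng):
    """One attack trace: slot t carries the leakage of operation perm[t]
    plus Gaussian noise of standard deviation sigma on every sample."""
    return [[m + rng.gauss(0.0, sigma) for m in templates[perm[t]]]
            for t in range(len(perm))]


def identity(dim):
    """W = identity, i.e. standard Gaussian templates (note 4)."""
    return [[1.0 if i == j else 0.0 for j in range(dim)] for i in range(dim)]


def project(w, vec):
    """Apply a linear projection W (rows of W times the leakage vector)."""
    return [sum(wij * v for wij, v in zip(row, vec)) for row in w]


def log_likelihood(sample, mean, sigma):
    """Gaussian log-likelihood under isotropic covariance sigma^2 * I
    (the constant term is dropped; it is the same for every candidate)."""
    return -sum((s - m) ** 2 for s, m in zip(sample, mean)) / (2.0 * sigma * sigma)


def recover_permutation(trace, templates, sigma, w=None):
    """Assign each time slot to an operation index by maximum likelihood,
    greedily taking the most confident (slot, op) pair first and enforcing
    that the result is a bijection. Returns the recovered permutation."""
    w = w if w is not None else identity(len(templates[0]))
    proj_t = [project(w, m) for m in templates]
    proj_x = [project(w, x) for x in trace]
    scores = [[log_likelihood(proj_x[t], proj_t[j], sigma)
               for j in range(len(templates))] for t in range(len(trace))]
    free_slots, free_ops = set(range(len(trace))), set(range(len(templates)))
    perm = [None] * len(trace)
    while free_slots:
        t, j = max(((t, j) for t in free_slots for j in free_ops),
                   key=lambda tj: scores[tj[0]][tj[1]])
        perm[t] = j
        free_slots.remove(t)
        free_ops.remove(j)
    return perm


def success_rate(sigma, trials=200, seed=7, w=None):
    """Fraction of single traces from which the full permutation is recovered."""
    rng = random.Random(seed)
    templates = make_templates()
    ok = 0
    for _ in range(trials):
        perm = list(range(N_OPS))
        rng.shuffle(perm)
        trace = simulate_trace(templates, perm, sigma, rng)
        ok += recover_permutation(trace, templates, sigma, w) == perm
    return ok / trials


if __name__ == "__main__":
    # Noise sweep: low sigma models a low-cost microcontroller, high sigma a
    # noisier target where the shuffling + re-keying combination can still help.
    for sigma in (0.2, 1.0, 3.0):
        print(f"sigma={sigma}: full permutation recovered in "
              f"{100 * success_rate(sigma):.0f}% of single traces")
```

The noise levels and template separation here are arbitrary, so the numbers themselves mean nothing about a real Cortex-M0; what transfers is the mechanism: with several samples per slot, the multivariate likelihood concentrates fast enough that the adversary learns the permutation before attacking the operand values, which is exactly what re-keying was supposed to deny.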

References

  1. ISAP code package. https://github.com/isap-lwc/isap-code-package. Accessed 10 Mar 2013

  2. Belaïd, S., Grosso, V., Standaert, F.-X.: Masking and leakage-resilient primitives: one, the other(s) or both? Cryptogr. Commun. 7(1), 163–184 (2014). https://doi.org/10.1007/s12095-014-0113-6

  3. Bellizia, D., et al.: Mode-level vs. implementation-level physical security in symmetric cryptography. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 369–400. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_13

  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The KECCAK reference. https://keccak.team/files/Keccak-reference-3.0.pdf

  5. Bronchain, O., Momin, C., Peters, T., Standaert, F.-X.: Improved leakage-resistant authenticated encryption based on hardware AES coprocessors. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(3), 641–676 (2021)

  6. Bronchain, O., Standaert, F.-X.: Side-channel countermeasures' dissection and the limits of closed source security evaluations. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 1–25 (2020)

  7. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_26

  8. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3

  9. Dobraunig, C., et al.: ISAP v2.0. IACR Trans. Symmetric Cryptol. 2020(S1), 390–416 (2020)

  10. Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F., Unterluggauer, T.: ISAP - towards side-channel secure authenticated encryption. IACR Trans. Symmetric Cryptol. 2017(1), 80–105 (2017)

  11. Dodis, Y., Pietrzak, K.: Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 21–40. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_2

  12. Duc, A., Faust, S., Standaert, F.-X.: Making masking security proofs concrete. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 401–429. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_16

  13. Faust, S., Pietrzak, K., Schipper, J.: Practical leakage-resilient symmetric cryptography. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 213–232. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_13

  14. Groß, H., Schaffenrath, D., Mangard, S.: Higher-order side-channel protected implementations of KECCAK. In: DSD, pp. 205–212. IEEE Computer Society (2017)

  15. Grosso, V., Poussier, R., Standaert, F.-X., Gaspar, L.: Combining leakage-resilient PRFs and shuffling. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 122–136. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16763-3_8

  16. Herbst, C., Oswald, E., Mangard, S.: An AES smart card implementation resistant to power analysis attacks. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 239–252. Springer, Heidelberg (2006). https://doi.org/10.1007/11767480_16

  17. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

  18. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(3), 243–268 (2020)

  19. Mangard, S.: Hardware countermeasures against DPA – a statistical analysis of their effectiveness. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 222–235. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_18

  20. Pereira, O., Standaert, F.-X., Vivek, S.: Leakage-resilient authentication and encryption from symmetric cryptographic primitives. In: CCS, pp. 96–108. ACM (2015)

  21. Rivain, M., Prouff, E., Doget, J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 171–188. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04138-9_13

  22. Standaert, F.-X., Archambeau, C.: Using subspace-based template attacks to compare and combine power and electromagnetic information leakages. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 411–425. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85053-3_26

  23. Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_26

  24. Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage resilient cryptography in practice. In: Sadeghi, A.-R., Naccache, D. (eds.) Towards Hardware-Intrinsic Security. Information Security and Cryptography, pp. 99–134. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14452-3_5

  25. Unterstein, F., Schink, M., Schamberger, T., Tebelmann, L., Ilg, M., Heyszl, J.: Retrofitting leakage resilient authenticated encryption to microcontrollers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(4), 365–388 (2020)

  26. Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_25

  27. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15

  28. Veyrat-Charvillon, N., Medwed, M., Kerckhof, S., Standaert, F.-X.: Shuffling against side-channel attacks: a comprehensive study with cautionary note. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 740–757. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_44


Acknowledgments

François-Xavier Standaert is a senior research associate of the Belgian Fund for Scientific Research (F.R.S.-FNRS). This work has been funded in parts by the European Union through the ERC project SWORD.

Author information

Corresponding author: Balazs Udvarhelyi


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Udvarhelyi, B., Bronchain, O., Standaert, F.-X. (2021). Security Analysis of Deterministic Re-keying with Masking and Shuffling: Application to ISAP. In: Bhasin, S., De Santis, F. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2021. Lecture Notes in Computer Science, vol. 12910. Springer, Cham. https://doi.org/10.1007/978-3-030-89915-8_8


  • DOI: https://doi.org/10.1007/978-3-030-89915-8_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89914-1

  • Online ISBN: 978-3-030-89915-8

