Block Cipher

Outline
- Introduction
- DES
  ◦ Description: Feistel, S-box
  ◦ Exhaustive search, DC and LC
- AES
  ◦ Description: SPN, branch number
  ◦ Security and efficiency
- Modes of operation
- Side channel attacks
DES (Data Encryption Standard)
http://en.wikipedia.org/wiki/Data_Encryption_Standard
Claude Shannon, "Communication Theory of Secrecy Systems", 1949
- Confusion: the ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst.
- Diffusion: each digit of the plaintext should influence many digits of the ciphertext, and/or each digit of the secret key should influence many digits of the ciphertext.
- Block cipher: a repetition of confusion (substitution) and diffusion (permutation).
  ◦ Iteration: a weak round, iterated, gives a strong cipher.
News on Shannon's Death
Block Cipher
Definition:
- Let Bn denote the set of bit strings of length n.
- A block cipher is an encryption algorithm E such that EK is a permutation of Bn for each key K.
Characteristics:
◦ Based on Shannon's theorem (1949)
◦ Same P => same C; |P| = |C| = 64 bits, |K| = 56 bits (DES)
◦ Memoryless configuration
◦ Operates as a stream cipher depending on the mode
◦ Shortcut cryptanalysis (DC, LC, etc.) in the 1990s
* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis
DES (Data Encryption Standard)
- Based on Lucifer (1972)
- Developed by IBM, with intervention by the NSA
- Adopted as a Federal Standard by NIST, revised every 5 years (until ~'98)
- 64-bit block cipher, 56-bit key
- 16 rounds; nonlinearity from the S-boxes
- Cryptanalysis such as DC, LC, etc. after 1992
* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis
Design Criteria - DES
- Provide a high level of security
- Completely specified and easy to understand
- Security must depend on the hidden key, not on the algorithm
- Available to all users
- Adaptable for use in diverse applications
- Economically implementable in electronic devices
- Efficient to use
- Able to be validated
- Exportable
* Federal Register, May 15, 1973
Involution structure
If we apply its operation 2 times, it returns to the original value, e.g., f(f(x)) = x; that is, f^-1(x) = f(x).
Types shown in the figure, on a pair (x1, x2) -> (y1, y2): the swap (y1 = x2, y2 = x1); y1 = x1 ⊕ x2, y2 = x2; y1 = x1 ⊕ g(x2), y2 = x2; and the keyed form y1 = x1 ⊕ g(x2, k), y2 = x2.
2 Main Blocks of DES (figure)
- Round function: P (64 bits) -> IP -> (L0, R0), 32 bits each -> 16 rounds of f -> (R16, L16) -> FP -> C (64 bits)
- Key scheduling: K (64 bits) -> PC-1 (56 bits) -> rotations -> PC-2 -> the round key for each of the 16 rounds
16 Rounds of DES
* Decryption is done by executing the round keys in the reverse order!
Initial Permutation & Final Permutation: Linear! FP = IP^-1

IP
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

FP = IP^-1
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

cf.) The 58th bit of x is the first bit of IP(x).
IP & FP have no cryptanalytic significance.
f-function: Nonlinear!
Key Scheduling: Injective!
DES S-boxes
- 8 S-boxes (6 -> 4 bits)
- Each row: a permutation of 0-15
- 4 rows: chosen by the MSB & LSB of the input
- Some known design criteria:
  ◦ Not linear (affine)
  ◦ Any one bit of the input changes at least two output bits
  ◦ S(x) and S(x ⊕ 001100) differ in at least 2 bits
  ◦ S(x) ≠ S(x ⊕ 11ef00) for any ef ∈ {00, 01, 10, 11}
  ◦ Resistance against DC, etc.
- The actual design principles have never been revealed (U.S. classified information)
DES S-boxes (I)
Input values mapping order (S1): the outer bits (L = MSB, R = LSB) select the row, the middle 4 bits select the column.
L R    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
0 1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
1 0    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
1 1   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
e.g.) S1(1 0111 0) = 11 = (1011)2
DES S-boxes (II)
S1-box
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
S2-box
15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
 3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
 0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9
e.g.) S2(010010) = ?
DES S-boxes (III)
S3-box
10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
S4-box
 7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
 3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14
The S4-box is more linear than the others!
Criticism of DES
- Short key size: 112 -> 56 bits, by the NSA
- Classified design criteria
- Revision of the standard every 5 years after 1977 by NIST
- Useless now, but a good example of a Feistel network
Cryptographic properties of DES
- (P, C) dependency with a fixed key: after 5 rounds
- (K, C) dependency with a fixed plaintext: after 5 rounds
- Avalanche effect
- Cyclic test: behaves like a random function
- Algebraic structure: not a group, i.e., E(K1, E(K2, P)) ≠ E(K3, P)
Known Weaknesses of DES
- Complementation property: if C = E(K, P), then ~C = E(~K, ~P), where ~ denotes the bitwise complement
- Weak keys: 4 keys with E(K, E(K, P)) = P
- Semi-weak keys: 12 keys (6 pairs) with E(K1, E(K2, P)) = P
- Key exhaustive search: 2^55
DES Challenge (I)
- RSA Data Security Inc.'s protest against US export control ('97)
  ◦ $10,000 award ('97)
  ◦ Key search machine over the Internet
- Rocke Verser of Loveland
  ◦ 60.1 billion keys per day; succeeded after 18 quadrillion operations and 96 days
  ◦ 25% of the total of 72 quadrillion (1 quadrillion = 10^15 = 0.1 kyung)
  ◦ 90 MHz, 16 MB memory Pentium (700 million/sec)
  ◦ http://www.rsa.com/des/
DES Challenge (II, III)
- Distributed.Net + EFF
  ◦ 100,000 PCs on the network
  ◦ 56 hr
- EFF (Electronic Frontier Foundation)
  ◦ http://www.eff.org/DEScracker
  ◦ Specific tools
  ◦ 22 hr 15 min
  ◦ $250,000
  ◦ P. Kocher
COPACOBANA
- Cost-Optimized Parallel Code Breaker
- Machine by the University of Bochum, Germany, and Kiel
- Commercially available
- 120 FPGAs of type XILINX Spartan 3-1000 run in parallel
- $10,000, about 1/4 of the EFF project
- http://www.copacobana.org
Comparison of Block Ciphers
Algorithm   Year  Country    Pt/Ct  Key   Rounds
DES         1977  USA        64     56    16
FEAL        1987  Japan      64     64    4, 8, 16, 32
GOST        1989  Russia     64     256   32
IDEA        1990  Swiss      64     128   8
LOKI        1991  Australia  64     64    16
SKIPJACK    1990  USA        64     80    32
MISTY       1996  Japan      64     128   >8
SEED        1998  Korea      128          16
Other Block Ciphers
- TEA (Tiny Encryption Algorithm) for RFID/USN, XTEA, XXTEA
- ARIA, Serpent, BaseKing, BATON, BEAR & LION, C2, Camellia, CAST-128/256, CIPHERUNICORN, CMEA, Cobra, COCONUT98, Crypton, DEAL, E2, FROG, G-DES, Hasty Pudding Cipher, Hierocrypt, MULTI2, New Data Seal, SAFER-64/128, SHACAL, Square, Xenon, etc.

AES
AES (Rijndael)
- Joan Daemen and Vincent Rijmen, "The Design of Rijndael, AES - The Advanced Encryption Standard", Springer, 2002, ISBN 3-540-42580-2
- FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
- Rijndael: variable block and key sizes; AES: fixed
AES - Requirements
- Block cipher
  ◦ 128-bit blocks
  ◦ 128/192/256-bit keys
- Worldwide royalty-free
- More secure than Triple DES
- More efficient than Triple DES
AES Calendar
◦ Jan. 2, 1997: Announcement of intent to develop AES and request for comments
◦ Sep. 12, 1997: Formal call for candidate algorithms
◦ Aug. 20-22, 1998: First AES Candidate Conference (AES1) and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
◦ Mar. 22-23, 1999: Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected
◦ Apr. 2000: Third AES Candidate Conference (AES3)
◦ Sep. 2000: Final AES selection (Rijndael!)
AES Round 1 Algorithms
15 algorithms were proposed at the AES1 conference.
AES Round 2 Algorithms
After the AES2 conference, NIST selected the following 5 algorithms as the round 2 candidates.
Cipher     Submitter                  Structure  Nonlinear component
MARS       IBM                        Feistel    S-box, DD-rotation
RC6        RSA Lab.                   Feistel    Rotation
Rijndael   Daemen, Rijmen             SPN        S-box
Serpent    Anderson, Biham, Knudsen   SPN        S-box
Twofish    Schneier et al.            Feistel    S-box
Security of AES Candidates (best known attacks on reduced rounds; complexities listed in the order texts, memory bytes, operations)
- MARS (16 core (C) + 16 mixing (M) rounds, Feistel)
  ◦ 11 C: amplified boomerang, 2^65, 2^70, 2^229
  ◦ 16 M + 5 C: differential meet-in-the-middle, 2^50, 2^197, 2^247; amplified boomerang, 2^69, 2^73, 2^197
- RC6 (20 rounds, Feistel)
  ◦ 14: statistical distinguisher, 2^118, 2^112, 2^122
  ◦ 12 and 15 (256): statistical distinguisher; texts 2^94, 2^119; memory 2^42, 2^138; operations 2^119, 2^215
- Rijndael (10 (128) / 12 (192) / 14 (256) rounds, SPN)
  ◦ 6: truncated differential, 2^32, 7·2^32, 2^72
  ◦ 7, 8 (256), 9 (256): truncated differential, related key; texts 2^128 ~ 2^119, 2^77; memory 2^61, 2^101, NA; operations 2^120, 2^204, 2^224
- Serpent (32 rounds, SPN)
  ◦ 8 (192, 256): amplified boomerang, 2^113, 2^119, 2^179
  ◦ 6 (256), 6, 7 (256), 8 (192, 256), 9 (256): meet-in-the-middle, differential, boomerang, amplified boomerang; texts 512, 2^71, 2^41, 2^122, 2^110; memory 2^246, 2^75, 2^126, 2^133, 2^212; operations 2^247, 2^103, 2^248, 2^163, 2^252
- Twofish (16 rounds, Feistel)
  ◦ 6 (256): impossible differential, NA, NA, 2^256
Rijndael - Overview
- Proposed by Joan Daemen and Vincent Rijmen (Belgium)
- Design choices
  ◦ Square type
  ◦ Three distinct invertible uniform transformations (layers):
    - Linear mixing layer: guarantees high diffusion
    - Non-linear layer: parallel application of S-boxes
    - Key addition layer: XOR the round key into the intermediate state
  ◦ Initial key addition, final key addition
- Representation of state and key
  ◦ Rectangular array of bytes with 4 rows (square type)
  ◦ Nb: number of columns of the state (4~8)
  ◦ Nk: number of columns of the cipher key (4~8)
  ◦ Nb is independent of Nk
Rijndael - States (figure): a state with Nb = 6, a key with Nk = 4, and the number of rounds Nr
AES Architecture
- SPN-type block cipher
- Block size = 128 bits
- Key size / number of rounds
  ◦ 128 bits: 10 rounds
  ◦ 192 bits: 12 rounds
  ◦ 256 bits: 14 rounds
- Round transformation: SubBytes, ShiftRows, MixColumns, AddRoundKey
- Structure (figure): Plaintext -> AddRoundKey (initial key) -> [SubBytes, ShiftRows, MixColumns, AddRoundKey (round key)] repeated N-1 times -> final round [SubBytes, ShiftRows, AddRoundKey (final round key)] -> Ciphertext
Round Transformation (figure)
- SubBytes: each byte a_ij of the state is replaced through the S-box, b_ij = S-box(a_ij)
- ShiftRows: row 0 no shift, row 1 cyclic shift by 1 byte, row 2 cyclic shift by 2 bytes, row 3 cyclic shift by 3 bytes
    a00 a01 a02 a03        a00 a01 a02 a03
    a10 a11 a12 a13   ->   a11 a12 a13 a10
    a20 a21 a22 a23        a22 a23 a20 a21
    a30 a31 a32 a33        a33 a30 a31 a32
- MixColumns: each column (a0j, a1j, a2j, a3j) is multiplied by the fixed polynomial c(x), giving (b0j, b1j, b2j, b3j)
- AddRoundKey: the input block is XOR-ed with the round key
Properties
- Substitution-Permutation Network (SPN)
  ◦ (Invertible) nonlinear layer: confusion
  ◦ (Invertible) linear layer: diffusion
- Branch number
  ◦ Measures the diffusion power of the linear layer
  ◦ Let F be a linear transformation on n words; W(a): the number of nonzero words in a
  ◦ B(F) = min over a ≠ 0 of {W(a) + W(F(a))}
  ◦ Rijndael: branch number = 5
Security Goals
- K-secure
  ◦ No shortcut attacks: no key-recovery attack faster than key-exhaustive search
  ◦ No symmetry property such as the complementation property in DES
  ◦ No non-negligible classes of weak keys as in IDEA
  ◦ No related-key attacks
- Hermetic
  ◦ No weakness that is not also found for the majority of block ciphers with the same block and key length
- Rijndael is K-secure and hermetic
Modes of Operation
Mode of operation (I): ECB (Electronic CodeBook) mode
- i) Encryption: each n-bit block P goes through EK to give an n-bit block C; ii) Decryption: C goes through DK to give P
- If Pi = Pj, then Ci = Cj (identical plaintext blocks give identical ciphertext blocks)
Mode of operation (II): CBC (Cipher Block Chaining)
- Ci = EK(Pi ⊕ Ci-1), Pi = DK(Ci) ⊕ Ci-1, with C0 = IV
- IV: Initialization Vector; a fixed pattern, public or secret
- 2-block error propagation
- Self-synchronizing
- If the last block Pl is not a full block (|Pl| ≠ |P|), padding is required
Mode of operation (III): m-bit OFB (Output FeedBack)
- Ci = Pi ⊕ O(EK), Pi = Ci ⊕ O(EK), where O(EK) is the m-bit output fed back from the encryption of the IV chain
- No error propagation
- Requires external synchronization
- Stream cipher
- EK or DK
Mode of operation (IV): m-bit CFB (Cipher FeedBack)
- Ci = Pi ⊕ EK(Ci-1), Pi = Ci ⊕ EK(Ci-1), starting from the IV
- Error propagation until the error disappears from the buffer
- Self-synchronizing
- EK or DK
Mode of operation (V): Counter mode
- (figure) ctr, ctr+1, …, ctr+m-1 are each encrypted under K and XOR-ed with P1, P2, …, Pm-1
- Ci = Pi ⊕ EK(Ti), Pi = Ci ⊕ EK(Ti), Ti = ctr + i - 1 mod 2^m
- |P|, |ctr| = m
- Parallel computation
Mode of Operation - CCM
Mode of Operation - CSM (Ciphertext Stealing Mode)
- Adopted in H.235 as one of the operating modes for block ciphers
- Eliminates the padding requirement for block ciphers
- The same as CBC mode, except for the encryption/decryption of the last two blocks (one complete block Pn-1 and the remaining partial block Pn)
- (figure) The last complete block is encrypted as in CBC to give X = EK(Pn-1 ⊕ Cn-2); the leading |Pn| bits of X are output as Cn; the zero-padded partial block (Pn || 00…0) is XOR-ed with X and encrypted to give Cn-1
* H.235 covers security and encryption for H.323 and other H.245-based terminals.
* H.323 covers multimedia communication on any packet network.
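The CSM construction above, as an added example that is not from the slides or from H.235: CBC with ciphertext stealing over a stand-in 16-byte block cipher. The cipher is a 4-round Feistel network whose round function is SHA-256 (an illustrative assumption, not DES or AES), and, as the DES slides describe, decryption runs the same rounds with the round keys in reverse order.

```python
import hashlib

BLOCK = 16  # bytes; the stand-in cipher and the mode below work on 16-byte blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Illustrative round function (assumption): keyed hash truncated to a half block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Feistel round: (L, R) -> (R, L xor f(K_i, R)). The final swap makes the whole
    # structure an involution, so decryption is the same loop with reversed rounds.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        left, right = right, _xor(left, _round_fn(key, i, right))
    return right + left

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(4)))  # round keys in reverse order

def cbc_cs_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC with ciphertext stealing: no padding, len(ciphertext) == len(plaintext)."""
    if len(plaintext) <= BLOCK:
        raise ValueError("needs at least one full block plus the final (partial) block")
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    out, prev = [], iv
    for p in blocks[:-2]:                        # ordinary CBC up to the last two blocks
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    p_full, p_tail = blocks[-2], blocks[-1]      # Pn-1 (complete) and Pn (partial)
    d = len(p_tail)
    x = encrypt_block(key, _xor(p_full, prev))   # X = E(Pn-1 xor Cn-2), as in the figure
    c_tail = x[:d]                               # Cn: the first |Pn| bytes of X ("stolen")
    padded = p_tail + b"\x00" * (BLOCK - d)      # Pn || 00...0
    c_full = encrypt_block(key, _xor(padded, x)) # Cn-1
    return b"".join(out) + c_full + c_tail

def cbc_cs_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) <= BLOCK:
        raise ValueError("ciphertext too short")
    d = len(ciphertext) % BLOCK or BLOCK         # length of the partial last block
    head = ciphertext[:-(BLOCK + d)]
    c_full, c_tail = ciphertext[-(BLOCK + d):-d], ciphertext[-d:]
    out, prev = [], iv
    for i in range(0, len(head), BLOCK):
        c = head[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    dec = decrypt_block(key, c_full)             # = (Pn || 00...0) xor X
    x = c_tail + dec[d:]                         # rebuild X: stolen part + its unstolen tail
    p_tail = _xor(dec[:d], c_tail)
    p_full = _xor(decrypt_block(key, x), prev)
    return b"".join(out) + p_full + p_tail

if __name__ == "__main__":
    key, iv = b"k" * 16, b"i" * 16               # constructed key and IV
    msg = b"constructed plaintext that is not block aligned"
    ct = cbc_cs_encrypt(key, iv, msg)
    assert len(ct) == len(msg) and cbc_cs_decrypt(key, iv, ct) == msg
    print(ct.hex())
```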
Mode of operation - summary
Use of each mode:
◦ ECB: key management; useless for file encryption
◦ CBC: file encryption; useful for MAC
◦ m-bit CFB: self-sync; impossible to use on a channel with low BER
◦ m-bit OFB: external sync; m = 1, 8 or n
◦ Ctr: secret ctr; parallel computation
◦ CCM: authenticated encryption
◦ CSM: special for H.323
◦ Performance degradation / cost tradeoff
Differential Cryptanalysis
DC (Differential Cryptanalysis)
Introduction
◦ Biham and Shamir: CRYPTO 90, CRYPTO 92
◦ More efficient than key exhaustive search
◦ Chosen plaintext attack
◦ O(breaking DES16) ~ 2^47
◦ Utilizes the probabilistic distribution between input XOR and output XOR values, iteratively
◦ Stimulated the announcement of the hidden design criteria of DES [Cop 92]
◦ Applies to other DES-like ciphers
* E. Biham, A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", Springer-Verlag, 1993
DC on DES
- Discard the linear components (IP, FP)
- Properties of XOR differences (X' = X ⊕ X*):
  ◦ {E, P, IP}: (P(X))' = P(X) ⊕ P(X*) = P(X')
  ◦ XOR: (X ⊕ Y)' = (X ⊕ Y) ⊕ (X* ⊕ Y*) = X' ⊕ Y'
  ◦ Mixing key: (X ⊕ K)' = (X ⊕ K) ⊕ (X* ⊕ K) = X'
  ◦ Differences (= XORs) pass linearly through linear operations, and in particular the result is key independent.
XOR Distribution Table
- (figure) A pair X, X* enters the Si-box and gives Y, Y*; X' = X ⊕ X* ∈ {0, 1, …, 63}, Y' = Y ⊕ Y* ∈ {0, 1, …, 15}
- For a given S-box, pre-compute the number of pairs for each (X', Y') in a table (XDT)
* % of entries in the DES S-box tables: 75 ~ 80%
XOR Distribution Table of the S4-box
Differential Characteristic
2-round characteristic through the S1-box (0Cx -> Ex with probability 14/64):
- Input difference (00 80 82 00 60 00 00 00)x
- Round 1: a' = 60000000x, A' = 00808200x = P(E0000000x), p = 14/64
- Round 2: b' = 0x, B' = 0x, p = 1
- Output difference: the half 60 00 00 00x, unchanged (since B' = 0)
- How the round-1 value arises: 60x (0110b) after expansion E -> 0Cx = 001100b into the S1-box -> 1110b (Ex) -> after P: 00808200x
Searching for the round keys
(1) Choose a suitable plaintext (Pt) XOR.
(2) Generate 2 Pts for the chosen Pt XOR and obtain the corresponding ciphertexts (Ct) by encryption.
(3) From the Pt XOR and the pair of Cts, get the expected output XOR for the S-boxes of the final round.
(4) Count the potential keys at the final round that produce the estimated output XOR.
(5) The right key is the subkey that is counted for the largest number of pairs with the expected output XOR.
Iterative Characteristic
- Self-concatenating probability
- Best iterative characteristic of DES: input difference (19 60 00 00 00)x
  ◦ Round 1: a' = 0x, A' = 0x, p1 = 1
  ◦ Round 2: b' = 19 60 00 00x, E(b') = 03 32 2C 00 00 00x, B' = 0x, p2 = 14 × 8 × 10 / 64^3 = 1/234
  ◦ Output difference (00 00 19 60 00 00)x
Linear Cryptanalysis
LC (Linear Cryptanalysis)
Introduction
◦ Matsui: EUROCRYPT 93 [1], CRYPTO 94 [2]
◦ Known plaintext attack
◦ O(breaking DES16) ~ 2^43
  § 12 HP workstations, 50-day operation
◦ Utilizes the probabilistic distribution between input linear sum and output linear sum values, iteratively
◦ Duality to DC: XOR branch vs. three-forked branch
◦ Applies to other DES-like cryptosystems
1. M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt '93, LNCS 765, pp. 386-397.
2. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto '94, LNCS 839, pp. 1-11.
XOR branch vs. 3-forked branch
Basic principle of LC
(Goal) Find a linear approximation
  P[i1, i2, …, ia] ⊕ C[j1, j2, …, jb] = K[k1, k2, …, kc]
holding with significant probability p (≠ 1/2), where A[i, j, …, k] = A[i] ⊕ A[j] ⊕ … ⊕ A[k].
(Algorithm) MLE (Maximum Likelihood Estimation)
(Step 1) For the given P and C, compute X = P[i1, i2, …, ia] ⊕ C[j1, j2, …, jb]; let N = the number of plaintexts given.
(Step 2) If #{X = 0} > N/2, then K[k1, k2, …, kc] = 0, else 1. If #{X = 0} < N/2, then K[k1, k2, …, kc] = 1, else 0.
Linear Distribution Table (I)
For an S-box Sa (a = 1, 2, …, 8) of DES,
  NSa(α, β) = #{x | 0 ≤ x < 64, parity(x · α) = parity(S(x) · β)},  1 ≤ α ≤ 63, 1 ≤ β ≤ 15, where · is the dot product (bitwise AND)
Ex) NS5(16, 15) = 12
◦ The 5th input bit of the S5-box is equal to the linear sum of the 4 output bits with probability 12/64.
◦ X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] with probability 0.19
◦ X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] ⊕ 1 with probability 1 - 0.19 = 0.81
(Note) The least significant bit is at the right and index 0 is the least significant bit (little endian).
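The S-box lookup from the "DES S-boxes (I)" slide, the XOR distribution table of the DC slides and the NSa(α, β) table defined here, as an added example that is not from the slides. S1 is the table printed on the slides; S5 is the FIPS 46 table, used because the NS5(16, 15) = 12 example refers to it.

```python
from typing import List

# Added example (not from the slides). S1 is the table printed on the slides;
# S5 is the FIPS 46 table, used because the slides' NS5(16,15) = 12 example
# refers to it. Inputs are 6-bit, outputs 4-bit, as in DES.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]

def sbox(table: List[List[int]], x: int) -> int:
    """6-bit x -> 4-bit S(x): MSB and LSB of x pick the row, the middle 4 bits the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def xor_distribution_table(table: List[List[int]]) -> List[List[int]]:
    """XDT[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}; every row sums to 64 (DC)."""
    xdt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            xdt[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return xdt

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def linear_approximation_table(table: List[List[int]]) -> List[List[int]]:
    """NS[a][b] = #{x : parity(x & a) == parity(S(x) & b)}, the slides' NSa(alpha, beta) (LC)."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(parity(x & a) == parity(sbox(table, x) & b) for x in range(64))
    return lat

def best_output_xor(table: List[List[int]], dx: int):
    """The most likely output XOR for input XOR dx, with its count out of 64."""
    row = xor_distribution_table(table)[dx]
    dy = max(range(16), key=lambda d: row[d])
    return dy, row[dy]

if __name__ == "__main__":
    print(sbox(S1, 0b101110))                       # 11: the slides' S1(101110) example
    print(best_output_xor(S1, 0x0C))                # (14, 14): 0Cx -> Ex with 14/64
    print(linear_approximation_table(S5)[16][15])   # 12: NS5(16, 15), i.e. 12/64
```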
Linear Distribution Table (II)
3-round DES by LC (IP and FP ignored, as in DC)
Round 1 (F1, K1): X2[7, 18, 24, 29] ⊕ PH[7, 18, 24, 29] ⊕ PL[15] = K1[22]   ----- (1), p1 = 12/64
Round 3 (F3, K3): X2[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29] ⊕ CL[15] = K3[22]   ----- (2), p3 = 12/64
(1) ⊕ (2) => PH[7, 18, 24, 29] ⊕ PL[15] ⊕ CH[7, 18, 24, 29] ⊕ CL[15] = K1[22] ⊕ K3[22]   (the two X2 terms cancel)
Holding probability = (p1 × p3) + (1 - p1) × (1 - p3)
Piling-up lemma in LC
If independent random variables Xi (1 ≤ i ≤ n) take the value 0 with probability pi and the value 1 with probability (1 - pi), then
  p = Pr(X1 ⊕ X2 ⊕ … ⊕ Xn = 0) = 2^(n-1) ∏_{i=1}^{n} (pi - 1/2) + 1/2.
The number of known plaintexts required for LC with success probability 97.7% is |p - 1/2|^(-2).
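The lemma applied to the 3-round approximation above, as a worked derivation added here (not on the slides), with $p_1 = p_3 = 12/64$:

$$
p = 2^{2-1}\Bigl(p_1 - \tfrac{1}{2}\Bigr)\Bigl(p_3 - \tfrac{1}{2}\Bigr) + \tfrac{1}{2}
  = 2\Bigl(\tfrac{12}{64} - \tfrac{1}{2}\Bigr)^{2} + \tfrac{1}{2}
  = 2 \cdot \tfrac{25}{256} + \tfrac{1}{2}
  = \tfrac{178}{256} \approx 0.695
$$

This agrees with the direct count $p_1 p_3 + (1-p_1)(1-p_3) = \tfrac{144 + 2704}{4096} = \tfrac{2848}{4096} = \tfrac{178}{256}$. The bias is $|p - \tfrac{1}{2}| = \tfrac{25}{128}$, so $|p - \tfrac{1}{2}|^{-2} = (128/25)^{2} \approx 26.2$: about 27 known plaintexts give success probability 97.7% against these three rounds.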
Strengthening DES
- Key size expansion
  ◦ Double encryption
    - ek: E2(K2, E1(K1, P)); dk: D1(K1, D2(K2, C))
    - Meet-in-the-middle attack
    - No effectiveness
  ◦ Triple encryption
    - ek: E(K1, D(K2, E(K1, P))); dk: D(K1, E(K2, D(K1, C)))
    - ek: E(K1, D(K2, E(K3, P))); dk: D(K3, E(K2, D(K1, C)))
    - 112 or 168 bits
Variations of DC and LC
- Multiple LC: Kaliski & Robshaw [CR 94]
- Differential-Linear Cryptanalysis: Langford & Hellman [CR 94]
- Truncated and Higher-order DC: Knudsen [FSE 95]
- Nonlinear Approximation in LC: Knudsen [EC 96]
- Partitioning Cryptanalysis: Harpes & Massey [FSE 97]
- Interpolation Attack: Jakobsen & Knudsen [FSE 97]
- Differential Attack with Impossible Characteristics: Biham [EC 99], etc.
- Related-key Attack: Kelsey, Schneier, Wagner [CR 96]
Side Channel Attack
Side Channel (figure)
- Traditional cryptographic model: the attacker sees only the ciphertext C = E(P, Ke) on the insecure channel between the sender (E) and the receiver (D), where P = D(C, Kd); the keys Ke, Kd are delivered over a secure channel.
- Side channels: the device additionally leaks through power consumption, timing, EM emissions, acoustics, radiation, temperature, power supply, clock rate, etc.
Model of Attack - Embedded security (examples)
http://www.cs.washington.edu/research/systems/privacy.html
http://tweakers.net/reviews/683
Concept: Origin of the side channel
- Due to the instruction which is executed
- Due to the data which is processed
- Due to some physical effects which are often not well understood, often called noise
Classifications
- Active vs. passive
  ◦ Active: power glitches or laser pulses
  ◦ Passive: EM radiation
- Invasive vs. non-invasive
  ◦ Invasive: bus probing
  ◦ Non-invasive: power measurements
- Side channel: passive and non-invasive
  ◦ Very difficult to detect
  ◦ Often cheap to set up
  ◦ Mostly: needs lots of measurements
- Analysis capabilities
  ◦ "Simple" attacks: one measurement, visual inspection
  ◦ "Differential" and "higher-order" attacks: multiple measurements, signal processing
Attacking Scenario
Side Channel Attack Lounge
Timing Analysis
Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", Advances in Cryptology - CRYPTO '96, Springer-Verlag, 1996, LNCS, Vol. 1109, pp. 104-113.
- Cryptosystems can take different amounts of time to process different inputs, due to:
  ◦ Performance optimizations in software
  ◦ Branching / conditional statements
  ◦ Caching in RAM
  ◦ Variable-length instructions (multiply, divide)
- Countermeasures
  ◦ Make all operations run in the same amount of time (set all operations to the time of the slowest one)
  ◦ Add random delays
  ◦ Blind signature technique
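The "branching / conditional statements" leak and the "same amount of time" countermeasure above, as an added example that is not from the slides: an early-exit byte comparison whose running time depends on how many leading bytes of a guess match a secret tag, next to a comparison that does the same work for every input (the secret and guesses are constructed for illustration).

```python
import hmac
import time

def compare_early_exit(secret: bytes, guess: bytes) -> bool:
    """memcmp-style check: returns at the first mismatching byte, so the time taken
    depends on the position of the first mismatch (a conditional-branch leak)."""
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        if a != b:
            return False
    return True

def compare_constant_time(secret: bytes, guess: bytes) -> bool:
    """Accumulate the difference over every byte; no data-dependent branch or early
    exit, so the running time is the same for any guess of the same length."""
    if len(secret) != len(guess):          # the length is public, so this branch is fine
        return False
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0

def mean_ns(fn, secret: bytes, guess: bytes, reps: int = 20000) -> float:
    """Average wall-clock time of one call in nanoseconds (noisy; for illustration)."""
    t0 = time.perf_counter_ns()
    for _ in range(reps):
        fn(secret, guess)
    return (time.perf_counter_ns() - t0) / reps

if __name__ == "__main__":
    secret = bytes(range(32))                     # constructed 32-byte tag
    wrong_first = bytes([0xFF]) + secret[1:]      # mismatch already in byte 0
    wrong_last = secret[:-1] + bytes([0xFF])      # mismatch only in byte 31
    # The early-exit version shows a clear gap between the two columns; the
    # constant-time version and the library's hmac.compare_digest do not.
    for fn in (compare_early_exit, compare_constant_time, hmac.compare_digest):
        print(f"{fn.__name__:22s} first-byte mismatch: {mean_ns(fn, secret, wrong_first):7.1f} ns"
              f"   last-byte mismatch: {mean_ns(fn, secret, wrong_last):7.1f} ns")
```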
Fault Analysis
D. Boneh, R. DeMillo, and R. Lipton, "On the importance of checking cryptographic protocols for faults", Journal of Cryptology, Springer-Verlag, Vol. 14, No. 2, pp. 101-119, 2001
- Aims to cause errors during the processing of a cryptographic device
  ◦ Simple Fault Analysis
  ◦ Differential Fault Analysis
- Countermeasures
  ◦ Verify the correctness of the output before transmitting it externally
  ◦ Make devices tamper resistant (strong shielding; detect abnormal supply voltages and clock speeds)
Power Analysis
Paul C. Kocher, Joshua Jaffe and Benjamin Jun, "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, Springer-Verlag, 1999, LNCS, Vol. 1666, pp. 388-397
- The power consumed by a cryptographic device is analyzed during the processing of the cryptographic operation
  ◦ Simple Power Analysis
  ◦ Differential Power Analysis
- Countermeasures
  ◦ Don't use secret values in conditionals/loops
  ◦ Ensure little variation in power consumption between instructions
  ◦ Reduce power variations (shielding, balancing)
  ◦ Randomness (power, execution, timing) + counters on the card
  ◦ Algorithm redesign (non-linear key update, blinding)
  ◦ Hardware redesign (decoupled power supply, gate-level design)
EM Emissions
D. Agrawal, B. Archambeault, J. R. Rao and P. Rohatgi, "The EM Side-Channel(s)", Cryptographic Hardware and Embedded Systems - CHES 2002, Springer-Verlag, 2003, LNCS, Vol. 2523, pp. 29-45
- 1950s: TEMPEST
- EM side channels include a higher variety of information and can additionally be applied from a certain distance.
- Countermeasures
  ◦ Redesign circuits
  ◦ Shielding
  ◦ EM noise
Acoustic Analysis
◦ "Keyboard Acoustic Emanations", Dmitri Asonov and Rakesh Agrawal, IBM Almaden Research Center, 2004.
◦ "Acoustic cryptanalysis - On noisy people and noisy machines", Adi Shamir and Eran Tromer