
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015 519

Key Updating for Leakage Resiliency With Application to AES Modes of Operation

Mostafa Taha, Member, IEEE, and Patrick Schaumont, Senior Member, IEEE

Abstract— Side-channel analysis (SCA) exploits the information leaked through unintentional outputs (e.g., power consumption) to reveal the secret key of cryptographic modules. The real threat of SCA lies in the ability to mount attacks over small parts of the key and to aggregate information over different encryptions. The threat of SCA can be thwarted by changing the secret key at every run. Indeed, many contributions in the domain of leakage resilient cryptography tried to achieve this goal. However, the proposed solutions were computationally intensive and were not designed to solve the problem of the current cryptographic schemes. In this paper, we propose a generic framework of lightweight key updating that can protect the current cryptographic standards and evaluate the minimum requirements for heuristic SCA-security. Then, we propose a complete solution to protect the implementation of any standard mode of Advanced Encryption Standard. Our solution maintains the same level of SCA-security (and sometimes better) as the state of the art, at a negligible area overhead while doubling the throughput of the best previous work.

Index Terms— Hardware security (side channels).

I. INTRODUCTION

SIDE-CHANNEL analysis (SCA) is an implementation attack that targets recovering the key of cryptographic modules by monitoring side-channel outputs which include, but are not limited to, electromagnetic radiation, execution time, acoustic waves, photonic emissions and many more. The real threat of SCA is that the adversary (Eve) can mount attacks over small parts of the key, and aggregate the information leakage over different runs to recover the full secret. SCA attacks are commonly based on three pillars, as shown in Fig. 1:

1) Sensitive variables affect leakage traces.
2) Eve can calculate hypothetical sensitive variables.
3) She can combine information from different traces.

The design of countermeasures against SCA attacks is a vast research field. Contributions in this regard fall into three categories: Hiding, Masking and Leakage Resiliency.

Manuscript received April 26, 2014; revised August 18, 2014 and October 21, 2014; accepted November 29, 2014. Date of publication December 18, 2014; date of current version February 2, 2015. This work was supported in part by the Virginia Tech-Middle East and North Africa Program, Egypt, and in part by the National Science Foundation under Grant 1115839. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Ozgur Sinanoglu.

The authors are with the Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA 24061 USA (e-mail: [email protected]; [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2014.2383359

Fig. 1. Pillars of SCA attacks.

Our focus in this paper is to design a countermeasure for hardware cryptographic modules at a small implementation cost (area and performance).

Hiding depends on breaking the link between intermediate variables and the observable leakage by minimizing the signal-to-noise ratio within the trace. This can be achieved using balanced circuits and/or noise generators. Unfortunately, cryptographic modules with hiding require more than double the area (see [1]).

Masking depends on breaking Eve's ability to calculate hypothetical intermediate variables, by splitting the useful information into n shares based on random variable(s). The random variables are generated on-the-fly and discarded afterwards. Each share is processed independently. The final outputs (of each share) are combined to retrieve the original output. Similarly, cryptographic modules supported with masking require more than double the area (see [2]).

Leakage resiliency depends on using a fresh key for every execution of the cryptographic module, hence preventing the aggregation of information about any secret. Leakage resiliency is achieved by utilizing a key-updating mechanism (aka re-keying or key-rolling). Although leakage resilient primitives can be implemented using unprotected cores, the overall performance is at least halved (see [3]).

Most contributions in leakage resiliency focused on designing new cryptographic primitives [4]–[7]; however, the proposed solutions were computationally intensive and do not solve the problem of the current cryptographic schemes. Other contributions focused on supporting a current primitive with an SCA-secure key-updating scheme (as reviewed in Sec. IV). The contribution in this paper follows the latter approach. We propose a heuristically SCA-secure key-updating scheme for the hardware implementation of AES running in any mode of operation. We focus on achieving a sound security at the smallest implementation cost (area and performance). To achieve this goal, we propose a generic framework for lightweight key-updating and evaluate the minimum requirements for SCA-security. Then, we propose a solution that maintains the same level of SCA-security (and sometimes better) as the state of the art, at a negligible area overhead while doubling the throughput of the best previous work.

1556-6013 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

The rest of the paper is organized as follows. Sec. II discusses the considered threat model and introduces a brief background about leakage resiliency. Sec. III highlights the system overview of our solution, the generic framework for key-updating and the key-updating minimal requirements. Sec. IV discusses the proposed solution for AES and its practical security analysis. Sec. V shows the implementation details and the comparison with previous work. Sec. VI concludes the paper.

II. BACKGROUND

The threat considered in this paper is that Eve recovers the secret key of a hardware implementation of AES. Classical cryptography assumes that Eve can choose the input plaintext and the output ciphertext. SCA further assumes that Eve knows the underlying implementation and can capture the instantaneous power consumption. In the domain of leakage resiliency, it is also assumed that Eve can run any polynomial-time function (called leakage function) on the power consumption to recover some bits of the secret key.

Leakage resiliency, being a protocol level protection, cannot protect the underlying implementation against Simple Power Attacks (SPA), where one execution of the leakage function can recover the full secret. Hence, the typical assumption is that the leakage function can recover a small part λ < |k| of the secret key. This is a reasonable assumption in hardware modules, where the high parallelism and the measurement noise prevent any polynomial-time function from recovering the full secret. Differential Power Analysis (DPA) is represented by executing the leakage function over different executions (exactly ⌈|k|/λ⌉), until the full secret key is revealed.

Leakage resiliency depends on changing the secret key after every execution. The updating function should possess a minimum set of requirements in order to prevent DPA attacks. For example, if the updating mechanism is linear or simple (e.g. a counter), Eve can build her hypothesis based on a key guess that follows the same updating mechanism, removing the effect of key-updating at all. This attack is called future-computation attack, because it is modeled as if the leakage function can recover some bits of a key that will show up in the future. Future-computation attack represents the main threat addressed by all leakage resilient cryptography. The rest of this section reviews the two categories of key-updating and the notable contributions in each one. At the end of each subsection, we discuss how our solution improves over the current ones.

The two categories of key-updating are stateless and stateful. One mechanism or the other is sufficient for a limited set of applications. However, the two mechanisms are both required for a complete and generic solution. For example, Fig. 2 shows how the two mechanisms complement each other for the application of data encryption. After exchanging a public nonce, a stateless key-updating is used to generate a pseudorandom secret state. Then, a stateful key-updating is used to generate fresh running keys (k1 : k∞).

Fig. 2. Stateless and stateful key-updating, as shown for the example of data encryption.

A. Stateless Key-Updating

Stateless key-updating assumes that the two communicating parties share only the secret key and a public variable (nonce), i.e. there is no shared secret state between them. This updating mechanism is required whenever there is no synchronization between the two communicating parties, e.g. during initialization of a secret channel. Stateless key-updating provides a complete solution for applications with single cryptographic execution, e.g. challenge response protocols.

There is no provably secure construction that supports stateless key-updating [3]. Intuitively speaking, the secret key cannot be updated to a new key unless a public variable is used (assuming no synchronization). Once a public variable interacts with a secret key, SCA will be possible. Some contributions tried to secure the stateless key-updating mechanism through hiding and masking [8], [9]. Although this approach limits the implementation overhead exclusively to the key-updating mechanism, allowing the use of unprotected cryptographic cores, the overall overhead is still significant (more than 100% [8]).

On the other hand, leakage resiliency can be used to minimize the number of instances where a secret key is being used. This can be achieved using the tree structure (as proposed by Goldreich, Goldwasser and Micali, known as GGM structure [10]), where the secret key is updated to a new secret through a series of sequential randomization steps. Each step involves processing one bit of a public nonce and is responsible for randomizing the new key. Hence, after any step, Eve will face a new secret with no way to combine the extracted information. The GGM structure was proven secure against SCA attacks by realizing a pseudorandom function (PRF) with a fresh random variable per step [11]. Later, Medwed et al. improved the performance of the PRF by processing 8 bits of the nonce per step, while supporting the implementation of each step with key-dependent algorithmic noise [12]. Although these PRFs are SCA-secure, they can only be efficient in developing new cryptographic primitives, but not to protect the current modes of AES where the final output of the PRF is to be protected by a cryptographically-strong pseudo-random permutation PRP (AES in some mode of operation).

TAHA AND SCHAUMONT: KEY UPDATING FOR LEAKAGE RESILIENCY 521

In contrast, our target is to protect the standard modes of AES with minimal overhead. Hence, we designed a stateless function that is only SCA-secured, but not a PRF. The entropy of the master key is passed over as-is to the encryption keys. Our view is that SCA-protection is not meant to correct the entropy of the input key. This can be achieved more efficiently by improving the cryptographic structure of the cipher. Hence, our paper and [12] have different design goals, and hence different security requirements. By removing the need for extra randomness and keeping only SCA-security, our solution is 3.2 times faster than the best previous solution for stateless key-updating (that of [12]).

B. Stateful Key-Updating

Stateful key-updating assumes that the two communicating parties share a common secret state (other than the key). They both can update the secret key into a new key without requiring any external variables. This scheme can provide a complete solution for synchronized applications, e.g. key-fobs.

The first provably secure construction for stateful key-updating was the alternating structure [6], [11]. In this structure, two different keys are used in an alternating fashion. Hence, the computation of a future key depends not only on the current execution but also on another value that is not currently within the system. Unfortunately, this structure is inefficient, as it requires doubling the key size. Also, it assumes that Eve cannot combine the leakage from the two computing parts, which is not a realistic assumption. Then, a direct structure was proposed replacing the alternating structure by using a fresh random variable at every key-update [5]. Unfortunately, requiring a fresh random variable at every key-update is not practical. Later, an efficient direct structure was proposed using only one random variable under the assumption that the leakage function is non-adaptive, i.e. the leakage function is fixed and selected prior to or independent of the random variable [13].

In contrast, some contributions proposed heuristically secure stateful functions that do not require any source of randomness [9], [14]. In these contributions, a full-featured one-way function is used to update the secret key.

Although using a one-way key-updating function supports forward security, SCA-protection is not meant to add forward security. This can be achieved more efficiently by improving the cryptographic structure of the underlying cipher. Hence, we studied the requirements for only SCA-security and proposed a solution that is 2 times faster than the best previous work for stateful key-updating (that of [9] and [13]).

III. FRAMEWORK FOR KEY-UPDATING

The proposed solution at the system level works as follows. We assume that an application on Device A needs to send secure data to an application on Device B. Both devices share a secret key, which we name master key. They can initiate the channel by exchanging a public nonce, and send the secure data using any cryptographic primitive (AES) running in a mode of operation. Although the black-box security of these modes is guaranteed by the cryptographic primitive, security is not guaranteed if Eve can monitor Device A. Here, we target protecting the master key against any SCA attack.

Fig. 3. Our solution: A tree structure for stateless key-updating and a chain of whitening functions for stateful key-updating.

Device A starts with a stateless key-updating mechanism to compute a pseudorandom secret state out of the master key and the nonce. Then, the stateful key-updating is executed to compute running keys. Finally, the actual cryptographic mode is called using the input data and the same previously used nonce.

Our solution honors the tree structure for the stateless key-updating. Each step of the tree involves processing a single bit of the nonce through a lightweight whitening function (Wt: whitening in the tree). The tree starts from the master key, and ends with a pseudorandom secret state. For the stateful key-updating, we use a chain of whitening functions (Wc: whitening in the chain). Every execution of the whitening function generates a new running key. Our solution is highlighted in Fig. 3.

A. Assumptions

During design of the proposed solution, we follow these assumptions:

1) Parallel Hardware: We assume that all the non-linear elements (S-boxes) are processed in parallel. Hence, the system power consumption is the aggregation of all the leakages. This assumption is required to exploit the key-dependent algorithmic noise, which supports SCA security in the stateless key-updating.

2) Only Current and Previous Iterations Leak: This is a very logical assumption, as the power leakage is a physical quantity. The module as a physical entity does not have any clue about the next input message block. It is only Eve who can link future computations to the current leakage using the algorithm and the future inputs. Although a similar assumption was used in [3] (Only Current Iterations Leak), we include leakage of previous iterations. Indeed, the use of a Hamming Distance leakage function may reveal some information about the previously processed iteration. This assumption does not exclude future computation attack, but only breaks the direct (and mysterious) link between future computations and current leakage.

B. Key-Updating Requirements

For the highlighted tree structure to be lightweight and secure against SCA, the Wt function is required to be (inspired from [8]):

1) Non-linearity with balanced full-diffusion.
2) Resist Simple Power Analysis.
3) Resist 2-traces Differential Power Analysis.
4) At small area and performance overheads.

Full diffusion means that each bit of a new key depends on every bit of an old key. Balanced full-diffusion means that flipping any bit of an old key flips all the bits of a new key with equal probability. Non-linearity means that one bit of a new key depends on a non-linear function of the previous key bits.

The Wc function should possess the same set of requirements except resistance against 2-traces DPA attacks, which is prevented by design.

C. Security Analysis

In this section, we show that the key-updating requirements discussed in the previous section are necessary for a secure leakage resiliency. The core idea of leakage resiliency is to limit the use of any secret value to encrypt only one message block. Thereafter, the secret value has to be updated to a new secret. That said, leakage resiliency cannot prevent Eve from attacking the leakage of encrypting one message block (using means of Simple Power Analysis). However, leakage resilient cryptographic schemes can prevent Eve from including more than one leakage trace in any attack, i.e. prevent Differential Power Analysis.

Also, the key-updating function cannot prevent Eve from using the partially recovered information, using only one leakage trace, to reduce the search space of the new secret value. However, if the partially recovered information is small (λ < |k|), the key-updating function can prevent Eve from excluding parts of the new secret value, i.e. Eve cannot make use of the partially recovered information unless she enumerates all the search space of the new secret value. In other words, leakage resiliency can prevent applying the divide-and-conquer principle across key-updating.

Focusing on the role of key-updating in leakage resilient cryptographic schemes, high-diffusion was proposed as the only mathematical condition required for secure key-updating [8], [15]. Here, we show that this condition is not sufficient with a counter example, and propose new conditions. In the next section, we propose a lightweight realization of a secure key-updating function using the structure of the Rijndael algorithm.

Let the key-updating function be:

$k'_i = k_i \oplus \sum_{j=1}^{|k|} k_j \quad \text{for } i = 1 : |k|$

where k is the old key, k' is the new key, and k_j is one bit of the key. The function computes the binary xor between a bit from the old key and the parity of the entire old key. This updating function fulfills the high-diffusion requirement of [8] and [15] in their definition that one bit of the new key depends on many bits of the old key. In fact, this function possesses full-diffusion in the definition that one bit of the new key depends on all the bits of the old key. However, this function cannot prevent DPA attacks.

Note that, if the parity of the old key is one, i.e. an odd number of ones in its binary representation, the entire key will be flipped and the parity of the new key is also one (assuming the bit-length of the key is even). If the parity is zero, the new key will equal the old key and the parity will stay zero. In this case, Eve will put two hypotheses for each key-guess. One hypothesis with flipping the key-guess between traces. The other hypothesis with a fixed key-guess. Here, Eve can overcome this kind of leakage resiliency by doubling the size of hypotheses, e.g. from 256 to 512 for guessing one byte of the master key. We acknowledge that this counterexample does not harm the practical instances proposed by [8] and [15]. We only highlight a limitation in the proposed conditions for security.

To prevent such an attack, we require that the old key is processed by a non-linear function before generating a new secret key. The non-linearity will ensure that Eve cannot make a hypothesis over a small part of the secret key that affects the sensitive variable of different traces. Needless to say, Eve cannot make a hypothesis over the full secret key due to computation complexity.

Also, in case of recovering a small number of bits of one key (λ < |k|), the key-updating function should prevent Eve from excluding any key hypothesis. Keeping in mind that a key hypothesis is typically put for a small part of the secret key (one or two bytes), this requirement means that Eve cannot map the recovered information from the old key to a small part of the new key. Ideally, one bit of uncertainty in an old key should generate two keys with an average Hamming Distance of 50%. At a finer granularity, one bit of uncertainty in an old key should flip each bit of a new key with probability 50%. We define a key-updating function that has such property as a balanced function.
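As an added example (not the authors' code), the following Python checks the parity counterexample above against the balanced full-diffusion requirement just defined: its per-bit flip probabilities come out as 0 or 1 rather than 50%, and the next key is always either the old key or its complement, which is why the hypothesis set only doubles. The SHA-256 based update is an assumed stand-in for comparison, not the paper's Wt or Wc, and the key length is a parameter.

```python
"""Checks the key-updating requirements of Sec. III-B and III-C on the parity
counterexample k'_i = k_i XOR (sum over j of k_j).  Added illustration."""
import hashlib
import random


def parity_update(k: int, nbits: int) -> int:
    """The counterexample: XOR each old-key bit with the parity of the whole
    key.  If the parity is 1 every bit flips, otherwise the key is unchanged."""
    parity = bin(k).count("1") & 1
    return k ^ ((1 << nbits) - 1) if parity else k


def sha_update(k: int, nbits: int) -> int:
    """Stand-in non-linear update (an assumption used only for comparison,
    not the paper's Wt/Wc): SHA-256 of the key, truncated to nbits."""
    digest = hashlib.sha256(k.to_bytes((nbits + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << nbits) - 1)


def flip_probabilities(update, nbits, trials=400, seed=1):
    """probs[m][i] estimates Pr[new-key bit i flips | old-key bit m flipped]
    over random old keys (constructed test inputs)."""
    rng = random.Random(seed)
    counts = [[0] * nbits for _ in range(nbits)]
    for _ in range(trials):
        k = rng.getrandbits(nbits)
        base = update(k, nbits)
        for m in range(nbits):
            diff = base ^ update(k ^ (1 << m), nbits)
            for i in range(nbits):
                if (diff >> i) & 1:
                    counts[m][i] += 1
    return [[c / trials for c in row] for row in counts]


def is_balanced(probs, tol=0.2):
    """Balanced full-diffusion (Sec. III-B): one bit of uncertainty in the
    old key must flip each new-key bit with probability close to 50%."""
    return all(abs(p - 0.5) <= tol for row in probs for p in row)


def next_key_candidates(k: int, nbits: int) -> set:
    """Under the parity update the next key is k or its complement, so Eve's
    hypothesis set per byte only doubles (256 -> 512, Sec. III-C)."""
    return {k, k ^ ((1 << nbits) - 1)}


if __name__ == "__main__":
    nbits = 128
    k = random.Random(7).getrandbits(nbits)
    assert parity_update(k, nbits) in next_key_candidates(k, nbits)
    print("parity update balanced:",
          is_balanced(flip_probabilities(parity_update, nbits, trials=50)))
    print("SHA-256 stand-in balanced:",
          is_balanced(flip_probabilities(sha_update, nbits, trials=50)))
```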

1) Extension to Stateless Key-Updating: At the start of every session, the first execution of Wt will always process the master key. As we discussed, leakage resiliency cannot prevent Eve from exploiting the leakage of one trace. Hence, we require that Wt be protected against simple power analysis (SPA) attacks.

Also, key-updating protects cryptographic implementations against DPA attacks only after being initialized to a secure pseudorandom state, when no public inputs are further used. However, while initializing new sessions (stateless key-updating), Wt processes the master key and a public nonce. Although the tree structure limits the effect of the public nonce to only one bit at a time, Eve can still mount a DPA attack against the two cases of the public nonce-bit (0 and 1). Hence, we also require that Wt be protected against DPA attacks using two differential traces.

If these requirements are met, the tree structure will guarantee that:

• Each nonce will generate a unique secret state. If full-diffusion is achieved, different values of the nonce (by definition) will result in different final outputs.

• SCA attack against any step is prevented. If each step is protected against SPA attacks, the entire structure will be protected by induction.

2) Extension to Stateful Key-Updating: Once the tree structure has securely executed, the two communicating parties will have a common pseudorandom secret state. The previously discussed requirements (non-linearity with balanced full-diffusion) will prevent DPA attacks across key-updates. Also, protection against 2-traces DPA attacks is not required as there are no further inputs.

D. Discussions

1) A Lightweight Tree, Not a GGM: The GGM structure (the original idea for the tree) is a method to realize secure pseudorandom functions (PRFs) from sequential steps of randomization, e.g. block-cipher encryptions using plaintexts of random values. Hence, the final output of GGM is required to be pseudorandom. Most leakage resilient stateless key-updating used the GGM to achieve protection against both black-box attacks and side-channel attacks, where the final output is observable by Eve and used as a key-stream [3], [12]. However, we use a lightweight realization of the tree to achieve protection against exclusively side-channel attacks. The final output of the tree cannot be used as a key-stream for stream ciphers, but only as a key to the underlying block cipher. As discussed, the output is still secured with a cryptographically sound block-cipher. The black-box security of our solution is maintained by the underlying mode.

This domain change allowed two modifications:

1) In our solution, the decision bit (n(i)) selects between two fixed inputs (all 0's or all 1's) instead of selecting between two random variables. In this way, we lost the source of randomization. But, we kept the whitening function as a source of non-linear, balanced diffusion between key-bits, which is the main ingredient of SCA protection. Here, protection against SCA attacks is actually improved by allowing only two differential traces (at n(i) = 0 and n(i) = 1).

2) The whitening function is not required to exhibit strong black-box security but rather to only prevent future computation attacks.

For these modifications, we called our structure a tree rather than a GGM.
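As an added example (not the authors' code), the key-updating flow of Fig. 3 simulated in Python: the tree walks the nonce one bit at a time, with n(i) selecting the all-0 or all-1 fixed input described above, and the chain then derives the running keys handed to the block cipher. The whitening function is a SHA-256 stand-in rather than the paper's lightweight Wt/Wc, and the key size and sample values are assumptions.

```python
"""Simulation of the Sec. III key-updating flow (Fig. 2 and Fig. 3): a tree
walk over the nonce bits (stateless Wt) followed by a chain of whitening
calls (stateful Wc).  Added illustration; whitening is a stand-in."""
import hashlib

KEY_BYTES = 16  # assumption: 128-bit keys (AES-128)


def whiten(state: bytes) -> bytes:
    """Stand-in whitening (assumption, not the paper's lightweight Wt/Wc):
    SHA-256 truncated to the key size, i.e. a non-linear, diffusing map."""
    return hashlib.sha256(state).digest()[:KEY_BYTES]


def tree_step(state: bytes, nonce_bit: int) -> bytes:
    """Wt: the decision bit n(i) selects one of two fixed inputs (all 0's or
    all 1's, Sec. III-D.1); the selected input is XORed into the state before
    whitening, so each step exposes at most two differential cases."""
    fixed = b"\xff" * KEY_BYTES if nonce_bit else b"\x00" * KEY_BYTES
    return whiten(bytes(a ^ b for a, b in zip(state, fixed)))


def stateless_update(master_key: bytes, nonce: bytes) -> bytes:
    """Walk the tree from the master key, one nonce bit per step (MSB first),
    to the pseudorandom secret state.  Only Wt ever processes the master key."""
    state = master_key
    for byte in nonce:
        for shift in range(7, -1, -1):
            state = tree_step(state, (byte >> shift) & 1)
    return state


def running_keys(secret_state: bytes, count: int) -> list:
    """Wc chain: every whitening call yields one fresh running key k1..k_count;
    no public input is mixed in, so no 2-traces DPA case arises here."""
    keys, key = [], secret_state
    for _ in range(count):
        key = whiten(key)
        keys.append(key)
    return keys


def session_keys(master_key: bytes, nonce: bytes, blocks: int) -> list:
    """What Device A computes before calling the AES mode: secret state from
    (master key, nonce), then one running key per message block."""
    return running_keys(stateless_update(master_key, nonce), blocks)


def hamming(a: bytes, b: bytes) -> int:
    """Bit distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    master = bytes(range(16))
    nonce_a = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    nonce_b = bytes.fromhex("000102030405060708090a0b0c0d0e0e")  # 1-bit change
    keys_a = session_keys(master, nonce_a, 4)
    keys_b = session_keys(master, nonce_b, 4)
    print("k1 (nonce A):", keys_a[0].hex())
    print("k1 (nonce B):", keys_b[0].hex())
    print("bits differing between the two secret states:",
          hamming(stateless_update(master, nonce_a),
                  stateless_update(master, nonce_b)))
```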

2) The Stateful Function is Not Forward Secure: Forward security is a property of key-agreement protocols requiring that, if the current key is recovered, all the previous sessions are still secured. Contradicting the previous work of using one-way functions, our stateful key-updating function is bijective and invertible, hence it does not add forward security to the underlying cipher. We believe that forward security can be achieved more efficiently by improving the cryptographic structure, not only as a by-product of adding SCA-security.

3) Protocol Level Protection: Our solution is a protocol level protection against SCA, where the final output depends on the key-updating mechanism. Hence, the two communicating parties have to follow the same key-updating mechanism, even if one of them is physically secured (e.g. server). This is not the case for hiding or masking, where the final output is not affected by the protection mechanism.

TABLE I. PREVIOUS WORK

IV. APPLICATION TO AES MODES OF OPERATION

AES modes of operation are algorithms used to extendcapabilities of AES to cover plaintext of arbitrary length.Here, we propose solutions to protect the implementationof any standard mode. The considered modes are CipherBlock Chaining (CBC), Cipher Feedback (CFB), OutputFeedback (OFB), and Counter (CTR) modes for dataencryption and Counter with CBC-MAC (CCM),Galois/Counter (GCM) and Offset Codebook (OCB) modesfor authenticated encryption [16], [17].

These modes assume that Alice and Bob are willing toexchange some data messages, and that they have a sharedsecret key K . For every new message, aka session, theyinitiate the mode with a public nonce variable (also calledinitialization vector or counter). For CBC and CFB, the nonceneeds to be unpredictable by Eve and unique. For the othermodes, the nonce only needs to be unique. The length of nonceis fixed to 128 bits for CBC, CFB, OFB and CTR while it isvariable for CCM, GCM and OCB. The maximum number ofbytes to be encrypted in a single message is usually less thanthe birthday boundary of AES (264).

Every mode has a different way of connecting the input/output of the block cipher between different executions; however, they all have in common that they use the same secret key for all block cipher executions. Indeed, they employ a fixed secret key, so that the implementation requires only one execution of the key-schedule algorithm (see [18]). Direct application of a key-updating scheme would require re-executing the key-schedule at every encryption, which is not compatible with current implementations. Our key-update mechanism is supported by an implementation trick that injects running keys directly in place of round keys. Hence, our solution is compatible with current implementations and does not require re-executing the key-schedule.

A. Related Work

Previous contributions that used key-updating schemes with one public variable are shown in Table I.

One of the early works that used key-updating is the work of Kocher [19], which is entirely based on DES. Unfortunately, the scheme has two drawbacks: it does not incorporate a nonce, and every key update requires two executions of the underlying DES. Without a nonce, the running keys will be generated in the same sequence in every session, which makes the scheme vulnerable to SCA over different sessions. Two recent works proposed modular multiplication between the secret key and the nonce as an easy-to-protect key-updating primitive [8], [9]. They used practical countermeasures (e.g., hiding and masking) to protect the modular multiplication primitive.

Fig. 4. High-level representation of the proposed scheme.

The other contributions used the GGM construction, which is the best practice in leakage resiliency. The randomization function at each step was either a full-featured hash function (SHA-256) [14] or a full-featured block cipher (AES) [12]. A recent contribution studied the minimum SP network that can provide heuristic security against SCA attacks [15].

Most key-updating contributions in the table focus only on stateless key-updating. Under the conditions of direct construction and one public variable, we found only a few contributions for stateful key-updating. Some contributions achieve heuristically secure constructions using either hash functions or block ciphers [9], [14], [19], and one is a provable construction [13].

B. Proposed Solution

Fig. 4 shows a high-level representation of our solution. The secret key is used as a master key. The master key and the nonce (n) are processed with a leak-proof key-updating scheme. The key-updating scheme is composed of two phases. The stateless key-updating protects the master key against SCA and key-recovery attacks and generates a unique pseudorandom secret state. The stateful key-updating starts from the secret state and generates a session key and running keys. The session key is used in the key-schedule algorithm to generate round keys, as shown in the figure. The running keys (in groups of two) directly replace the first and last round keys of each encryption. In the figure, we did not show the connection between nonce, plaintext and ciphertext for a specific mode, as our scheme is compatible with any standard mode.

The Wt and Wc functions are defined as follows.

Fig. 5. Replacing the first and last round keys by fresh running keys.

1) Definition of Wt: Let Encr_k(p) denote the application of the first AddRoundKey and two rounds of AES to the plaintext p under the key k, i.e., a round-reduced version of AES. Let n denote a nonce, and n(i) denote bit i of the nonce. Assuming K is the master key, the stateless key-updating starts by initializing K_0 = K. Then, one step of the tree is defined as:

$$K_{i+1} = Wt_{n(i)}(K_i) := \begin{cases} Encr_{1^{128}}(K_i), & \text{if } n(i) = 1 \\ Encr_{0^{128}}(K_i), & \text{if } n(i) = 0 \end{cases}$$

i.e., Wt is the application of a round-reduced version of AES to the previous key under the key of all zeros or all ones (depending on the bit value of the nonce). Note that the master key (and later keys) is used as the plaintext, and a fixed input is used as the key. Also, capital letters K denote the master key, or any key within the tree, while small letters k denote running keys. Finally, the pseudorandom secret state will be s = K_{|n|-1}, where |n| is the bit-length of the nonce n.

2) Definition of Wc: The running key chain starts by initializing the first running key to the secret state: k_0 = s. Then, each new running key is generated by applying the Wc function to the previous key. Wc is a whitening function realized by Encr with the key fixed to all zeros:

$$k_{i+1} = Wc(k_i) := Encr_{0^{128}}(k_i)$$

3) Interaction With the Underlying Mode of AES: The typical implementation of any standard AES mode of operation starts by running the key-schedule algorithm over the secret key to generate round keys. Then, the round keys are stored to be used in all AES encryptions.

Here, we use the first running key (which is the secret state) as a session key. Hence, the key-schedule runs over k_0 to generate round keys. Then, instead of directly using the round keys in AES encryptions, each group of two running keys (k_i and k_{i+1}, starting from i = 1) replaces the first and last round keys of each encryption, as shown in Fig. 5.

C. Security of the Practical Scheme

In this section, we show how the proposed key-updating functions fulfill the required properties in Sec. III-B.


Fig. 6. Probability density function of the Hamming Distance between the input and output in response to a bit-flip.

1) Non-Linearity With Balanced Full-Diffusion: Non-linearity of the key-updating function is guaranteed by the S-box layer of the two AES rounds. Full diffusion is expected, as the mathematical structure of Rijndael, especially the ShiftRows and MixColumns steps, requires that each bit of the input affects the entire state after two rounds [20]. In order to prove that the functions have full, balanced diffusion, we conducted a diffusion test.

The diffusion test measures how each bit of the input affects the output bits. The test involves one million experiments over Wt. In each experiment, we select a random key and compute the output of the function Wt at either n(0) = 1 or n(0) = 0 (chosen randomly). Then, we randomly flip one bit of the key and re-compute the output. Finally, we compute and record the Hamming Distance between the two outputs. Also, for individual bit-positions, we accumulate the number of instances in which the bit value differs between the two outputs, and divide that number by the total number of experiments.

The distribution of the Hamming Distance is shown in Fig. 6. The average Hamming Distance is 50.16%, with a 95% confidence interval of 0.025%. The probability of flipping individual bits of the output has a minimum value of 50.03% and a maximum value of 50.33%. This indicates that all the bits contributed equally to the overall diffusion.

Note that Wc is essentially Wt with the nonce-bit input set to n(0) = 0. Hence, the previous results apply equally to the Wc function.
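The construction of Sections IV-B.1 to IV-B.3 (the tree step Wt, the chain step Wc, and the substitution of running keys for the first and last round keys) together with the diffusion test just described, as an added, runnable Python example; it is not the authors' hardware or code, and the AES primitive is a plain FIPS-197 implementation written for this example. Two readings are our assumptions: the nonce is consumed MSB-first, and the round-reduced Encr keeps MixColumns in both rounds, because with a MixColumns-free second round a one-byte input change can reach only four output bytes and the 50% diffusion figure reported above could not be obtained. The s-bit generalization of Section IV-D (an s-bit nonce chunk repeated over the 128-bit fixed input) is included as the `s` parameter, assuming s divides 128 and the nonce bit-length. `encrypt_message` is ECB-style and omits the mode's chaining, as Fig. 4 does; all function names are ours.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map (0 -> 0x63)."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0x63]
    for a in range(1, 256):
        v = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
        sbox.append(v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63)
    return sbox

SBOX = _make_sbox()

def expand_key(key, rounds):
    """FIPS-197 key schedule for a 128-bit key; returns rounds + 1 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, then Rcon into the first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(rounds + 1)]

def _mix_column(a):
    return [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
            gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]

def encrypt_block(block, round_keys, last_mix=False):
    """AES with explicit round keys; full AES omits MixColumns in the last round,
    the round-reduced Encr keeps it (last_mix). State index = 4*column + row."""
    rounds = len(round_keys) - 1
    s = [x ^ y for x, y in zip(block, round_keys[0])]          # first AddRoundKey
    for r in range(1, rounds + 1):
        s = [SBOX[s[4 * ((c + row) % 4) + row]] for c in range(4) for row in range(4)]  # SubBytes+ShiftRows
        if r != rounds or last_mix:
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [x ^ y for x, y in zip(s, round_keys[r])]
    return bytes(s)

def encr(key, p):
    """Encr_key(p): first AddRoundKey plus two AES rounds under `key`. Assumption:
    both rounds keep MixColumns, which the paper's 50% diffusion result needs."""
    return encrypt_block(p, expand_key(key, 2), last_mix=True)

def tree_key(chunk):
    """Fixed 'key' of a tree step: the s-bit nonce chunk repeated over 128 bits."""
    s, v = len(chunk), int("".join(map(str, chunk)), 2)
    full = 0
    for _ in range(128 // s):
        full = (full << s) | v
    return full.to_bytes(16, "big")

def stateless_update(master_key, nonce, s=1):
    """Tree walk over the nonce, s bits per step (MSB-first assumed; s | 128, s | |n|)."""
    bits = [(b >> i) & 1 for b in nonce for i in range(7, -1, -1)]
    K = master_key
    for j in range(0, len(bits), s):
        K = encr(tree_key(bits[j:j + s]), K)          # K_{i+1} = Wt_{n(i)}(K_i)
    return K

def running_keys(state, count):
    """k_0 = s, k_{i+1} = Wc(k_i) = Encr_{0^128}(k_i); returns k_0 .. k_{count-1}."""
    ks = [state]
    while len(ks) < count:
        ks.append(encr(tree_key([0]), ks[-1]))
    return ks

def encrypt_message(master_key, nonce, blocks, s=1):
    """Full scheme: state from the tree, 10-round schedule over k_0, block j encrypted
    with (k_{2j+1}, k_{2j+2}) as round keys 0 and 10; mode chaining left out."""
    k0 = stateless_update(master_key, nonce, s)
    ks = running_keys(k0, 1 + 2 * len(blocks))
    rk = expand_key(k0, 10)
    return [encrypt_block(b, [ks[2 * j + 1]] + rk[1:10] + [ks[2 * j + 2]])
            for j, b in enumerate(blocks)]

def diffusion_test(trials, seed=1):
    """Paper's diffusion test on Wt: one-bit key flip, mean output Hamming distance."""
    rng, total = random.Random(seed), 0
    for _ in range(trials):
        K = int.from_bytes(bytes(rng.randrange(256) for _ in range(16)), "big")
        K2 = K ^ (1 << rng.randrange(128))            # constructed one-bit flip
        key = tree_key([rng.randrange(2)])             # n(0) chosen at random
        y1, y2 = encr(key, K.to_bytes(16, "big")), encr(key, K2.to_bytes(16, "big"))
        total += bin(int.from_bytes(y1, "big") ^ int.from_bytes(y2, "big")).count("1")
    return total / trials
```

`encrypt_block` with the eleven round keys from `expand_key(key, 10)` is ordinary AES-128, which is how the implementation can be checked against the FIPS-197 vectors before trusting the two-round `encr`. `diffusion_test(200)` returns a mean Hamming distance close to 64 bits, the value the paper's 50.16% corresponds to over one million trials, and the same key space of two fixed keys (all-0s and all-1s) is all the tree ever needs, which is the point of Section V's "only four round keys" remark.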

2) Resistant Against Side Channel Analysis: First of all, although the master key is used in the data path and the fixed input is used as the key (which removes the need for a key-schedule for the tree itself), this change is transparent to SCA, as the two values are XORed with each other.

Under parallel hardware implementations, the power consumption of 16 parallel S-boxes at noiseless measurement is:

$$L_j = \sum_{i=1}^{16} l\big(S(p_j(i) \oplus k(i))\big),$$

where j is the trace number, p_j(i) is the fixed input byte at trace number j, and k(i) is the secret key byte at location i ∈ [1 : 16]. Also, S is the S-box function, and l is the leakage function.

In the following, we study the security of our solution under the worst-case attack, which is the template subset-sum attack. In this attack, Eve tries to recover all the secret key bytes at the same time, i.e., she tries to find the combination of 16 key bytes that satisfies the above equation. For the worst attack scenario, we assume a perfect profiling phase where the leakage of every output of the S-box has its own distinct value, i.e., l(x) = x.

a) Resistant against SPA: Considering SPA attacks (using only one equation), Eve's problem is to find a subset K of 16 elements from the set [0 : 255] such that the previous equality holds. This problem is actually the well-known subset sum problem, which is NP-complete. Although many algorithms were proposed to find a correct solution (e.g., the LLL algorithm [21]), our problem is more complicated. Here, Eve is required to find all the correct solutions (not only any correct one), and test them all, including all their permutations, searching for the correct secret key.

b) Resistant against 2-traces DPA: The problem of testing all the correct solutions can be eased by considering two differential traces with a DPA-like attack, i.e., at two different inputs, similar to our tree construction. Now, Eve only needs to find a subset K that shows the correct result for both traces. Here, we are interested in computing (or estimating) the computational complexity of the solution. We define the computational complexity of the correct solution as the number of correct K's that Eve will have to test in order to find the correct secret key.

Given that the original problem is NP-complete, we could not find exact bounds for the computational complexity. Hence, we tried to estimate it using simulation over a small part of the key-space. Precisely, we did the following test. First, we generated N random keys as the key-space. Then, we selected a secret key from the key-space and computed the corresponding power consumption at the output of the S-box (assuming that l(x) = x) using the two inputs (all 0's and all 1's). Finally, we counted the number of keys in the key-space that could have the exact same power consumption using the same inputs. We repeated the experiment at different sizes of the key-space N ∈ [100K : 50M], limited only by the available memory of our workstation. The average computational complexity (over 500 experiments for each value of N) is shown in Fig. 7.

The 95% confidence intervals shown in the figure are computed with the bootstrapping method, as the probability density function of the average value did not match any standard distribution. The figure shows an almost-linear relationship. We acknowledge that we cannot extrapolate these numbers to a key-space size of 2^128. However, the figure suggests a very high computational complexity at the full key-space.

Our analysis shows that, even under a noiseless, perfectly profiled attack, the parallel hardware is SCA-secure. Indeed, one study showed that the computational complexity is estimated to become one, assuming a random key, only after 128 differential-trace equations [22], which our solution does not allow by design.

Fig. 7. The average computational complexity of the solution of a 2-traces DPA attack under different key-space sizes.
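The 2-traces subset-sum experiment described above, as an added Python example that is not the authors' code: it builds the AES S-box, evaluates the noiseless leakage L_j = Σ S(p_j(i) ⊕ k(i)) under the worst-case profile l(x) = x for the two fixed inputs a tree step exposes (all 0's and all 1's), and counts how many keys of a random key-space are consistent with a chosen secret. The key-space sizes and the seed are constructed inputs, tiny next to the paper's N ∈ [100K : 50M]; the S-box generator walks GF(2^8) with the generator 3 and its inverse, a standard construction chosen for brevity.

```python
import random

def _make_sbox():
    """AES S-box built by walking GF(2^8) with generator 3 (p) and its inverse (q),
    then applying the affine map; a standard construction, 0 maps to 0x63."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3 (times 0xF6)
        if q & 0x80:
            q ^= 0x09
        rot = lambda n: ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63  # affine map
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def leakage(key, fixed_input):
    """L_j for one trace: sum over the 16 parallel S-boxes of l(S(p_j(i) xor k(i)))
    with the paper's worst-case, perfectly profiled leakage l(x) = x."""
    return sum(SBOX[p ^ k] for p, k in zip(fixed_input, key))

def two_trace_leakage(key):
    """The two traces Eve obtains from a tree step: fixed inputs all-0s and all-1s."""
    return leakage(key, bytes(16)), leakage(key, bytes([0xFF] * 16))

def count_consistent_keys(key_space, secret):
    """Keys in key_space whose leakage pair equals the secret's: the candidates Eve
    must still test, i.e. the paper's 'computational complexity' (always >= 1)."""
    target = two_trace_leakage(secret)
    return sum(1 for k in key_space if two_trace_leakage(k) == target)

def simulate(n_keys, experiments, seed=1):
    """Average complexity over random key-spaces of size n_keys (the Fig. 7
    experiment at tiny N; the seed and the sizes are constructed)."""
    rng, total = random.Random(seed), 0
    for _ in range(experiments):
        space = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(n_keys)]
        total += count_consistent_keys(space, rng.choice(space))
    return total / experiments
```

Both sums are invariant under permuting the 16 key bytes, so every permutation of the secret is always a consistent candidate; that is the "including all the permutations" point of the SPA discussion, and it is why the count never drops below one even when the key-space is tiny.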

3) Interaction With the Underlying Mode: Replacing two round keys with two running keys does not affect the black-box security of the underlying block cipher (AES), as the running keys are pseudorandom and unknown. Moreover, it allows the Electronic Codebook (ECB) mode to generate indistinguishable ciphertexts.

D. Trading SCA-Security for Performance

It is commonly agreed that if Eve acquires a cryptographic module and has adequate resources, she can break the module one way or another (e.g., using invasive attacks). The whole point of an SCA countermeasure is to exclude SCA from being the weakest point in the chain of security. Indeed, practical markets will not employ high-cost countermeasures in low-end devices, e.g., metro tickets.

For this reason, we designed our scheme to be flexible, with the ability to trade some SCA-security for better performance. The reported performance overhead of the stateless key-updating structures targets the best possible protection against SCA. Here, our scheme uses one bit of the nonce at each step of the tree, for a maximum of two differential traces. Indeed, limiting Eve to two differential traces yields mathematically secure implementations; however, most practical markets can trade some SCA-security for better performance.

The performance of our structures can be improved by using s bits of the nonce in each step of the tree. Instead of repeating the nonce bit (0 or 1) over all the fixed input bits (resulting in all 0's or all 1's), we repeat blocks of s bits of the nonce. Here, s is a security parameter for trading marginal SCA-security for performance. Using a security level of s allows Eve to collect 2^s differential traces. So far, we designed our scheme at the best SCA-security (s = 1). However, lower security bounds can be adopted for low-cost applications. For example, s = 8 was the security level tolerated in the design of [12]. Also, s = 4 (using the PRESENT S-box [24]) was the security level tolerated in the design of [15]. The exact change in SCA-security can only be measured with leakage quantification using a practical setup, as in [25]. We leave the exact measure of how s affects SCA-security as future work, because any results, although time-consuming to obtain, will be applicable to only one implementation.

TABLE II. COMPARISON BETWEEN THE IMPLEMENTATION OVERHEAD OF THE KEY-UPDATING SCHEMES. s IS THE SECURITY PARAMETER

V. IMPLEMENTATION

To enable a round-reduced option in the hardware implementation, we add a mode input. If the mode input is set, the output is ready after two rounds; otherwise, the output is ready after ten rounds. We implemented the two cores using Synopsys Design Compiler at UMC 130nm technology, where the difference was only two gates, at 3.7 Gate Equivalent (GE).

All executions of Wt and Wc use only two keys (all 0's or all 1's); hence, the key-schedule algorithm runs only twice, to output and store a total of four round keys. The Wt function requires two clock cycles, plus two cycles to load the key and the fixed input (assuming that the fixed input changes at every step). Therefore, the complete performance overhead of the stateless key-updating is |n| * 4 clock cycles. Assuming the use of a 128-bit nonce, which is a fixed value for most modes, the performance overhead will be 512 clock cycles. Also, the function Wc requires two clock cycles, plus one cycle to load the key (the input is fixed to all 0's). Every encryption requires two running keys; hence, the total performance overhead for the stateful key-updating is 6 clock cycles.

By changing the security parameter s, the performance overhead is reduced by a factor of s. In this case, the entire tree structure consumes (|n|/s) * 4 clock cycles. The performance of Wc does not change, as it does not accept any input.

A. Comparison

A comparison between the implementation overhead of the proposed scheme and that of the previous work is shown in Table II. In the table, we focus only on the encryption pass, neglecting the effect of executing the key-scheduling algorithm. Here, we assume that the bit-length of the nonce is 128 bits. Note that we do not report any area overhead for AES-related schemes, because they utilize the same underlying core. The results of [8] are taken at the first-order masked implementation. The results of the minimum SP network in [15] are taken from the implementation that is compatible with AES (128-bit key and 128-bit nonce). For comparison at small area, we use the currently smallest implementation of AES in [2] and that of SHA-256 in [26]. For comparison at fast computation, we use the AES core in [12] and the SHA-256 core in [27].

Fig. 8. The implementation overhead of the different techniques used for the stateless key-updating.

Fig. 9. The implementation overhead of the different techniques used for the stateful key-updating.

Fig. 8 shows the implementation overhead for the stateless key-updating schemes. The key-updating schemes that use SHA-256 and AES-Small are not shown in the figure, as they have excessive implementation overhead. The solutions in [8] and [15] used dedicated updating circuits to achieve comparable performance overheads. The performance overhead of our RR-AES structure at s = 8 is only 64 cycles, which is 3.2 times faster than the best previous solution at no area overhead (that of [12]).

Fig. 10. Relative throughput of the available re-keying schemes.

The implementation overhead of the different techniques used for the stateful key-updating is shown in Fig. 9. The scheme that uses SHA-256-Fast is not shown, as it has excessive area overhead. Our solution is two times faster than the currently best direct constructions of [9] and [13]. The figure also shows a state-of-the-art masking scheme. The smallest threshold implementation (to prevent leakage caused by glitches) of AES requires 8,393 GE of area overhead and works at 266 cycles per encryption [2]. The threshold implementation is shown in the stateful key-updating figure, as the performance overhead of stateless key-updating is a one-time overhead (once per message) and becomes negligible at long message lengths.

Finally, we compare the relative throughput of the available solutions. The relative throughput of a protected module is the ratio of its throughput to the throughput of the unprotected module. The throughput is the number of message blocks that are processed per clock cycle. Due to the one-time overhead of the stateless key-updating, the relative throughput of protected modules increases with the message size. Here, we assume that the unprotected AES core (one message block per 12 cycles) is our reference. Also, we assume a serialized implementation for the re-keying schemes, i.e., re-keying and encryption are done in separate clock cycles. This assumption supports the no-area-overhead target of our solutions. Fig. 10 shows the relative throughput of a no-protection core, the AES-Fast solution from [14], the combination of the fast solutions from [12] and [9], and our recommended RR-AES solutions at s = 1 and s = 8. It is clear that our solution at s = 8 has the absolute highest throughput. Also, our solution at s = 1 achieves higher throughput than the previous best solution (the combination of [9] and [12]) after 52 message blocks. This means that, for messages longer than 832 bytes, our RR-AES solution with s = 1 achieves higher throughput and better security guarantees than the best previous work.


VI. CONCLUSION

In this paper, we proposed a lightweight key-updating framework for efficient leakage resiliency. We proposed the minimum requirements for heuristically secure structures. We proposed a complete solution to protect the implementation of any AES mode of operation. Our solution utilizes two rounds of the underlying AES itself, achieving negligible area overhead and very small performance overhead.

REFERENCES

[1] K. Tiri et al., “Prototype IC with WDDL and differential routing—DPA resistance assessment,” in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2005, pp. 354–365.

[2] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, “Pushing the limits: A very compact and a threshold implementation of AES,” in Advances in Cryptology. Berlin, Germany: Springer-Verlag, 2011, pp. 69–88.

[3] F.-X. Standaert, O. Pereira, Y. Yu, J.-J. Quisquater, M. Yung, and E. Oswald, “Leakage resilient cryptography in practice,” in Towards Hardware-Intrinsic Security. Berlin, Germany: Springer-Verlag, 2010, pp. 99–134.

[4] Y. Dodis and K. Pietrzak, “Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks,” in Proc. 30th CRYPTO, 2010, pp. 21–40.

[5] S. Faust, K. Pietrzak, and J. Schipper, “Practical leakage-resilient symmetric cryptography,” in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2012, pp. 213–232.

[6] S. Dziembowski and K. Pietrzak, “Leakage-resilient cryptography,” in Proc. IEEE 49th Annu. IEEE Symp. Found. Comput. Sci. (FOCS), Oct. 2008, pp. 293–302.

[7] D. Martin, E. Oswald, and M. Stam, “A leakage resilient MAC,” Dept. Comput. Sci., Univ. Bristol, Bristol, U.K., Tech. Rep. 2013/292, 2013. [Online]. Available: http://eprint.iacr.org/

[8] M. Medwed, F.-X. Standaert, J. Großschädl, and F. Regazzoni, “Fresh re-keying: Security against side-channel and fault attacks for low-cost devices,” in Progress in Cryptology. Berlin, Germany: Springer-Verlag, 2010, pp. 279–296.

[9] B. Gammel, W. Fischer, and S. Mangard, “Generating a session key for authentication and secure data transfer,” U.S. Patent 20 100 316 217, Dec. 16, 2010.

[10] O. Goldreich, S. Goldwasser, and S. Micali, “How to construct random functions,” J. ACM, vol. 33, no. 4, pp. 792–807, Oct. 1986.

[11] K. Pietrzak, “A leakage-resilient mode of operation,” in Advances in Cryptology. Berlin, Germany: Springer-Verlag, 2009, pp. 462–482.

[12] M. Medwed, F.-X. Standaert, and A. Joux, “Towards super-exponential side-channel security with efficient leakage-resilient PRFs,” in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2012, pp. 193–212.

[13] Y. Yu and F.-X. Standaert, “Practical leakage-resilient pseudorandom objects with minimum public randomness,” in Topics in Cryptology. Berlin, Germany: Springer-Verlag, 2013, pp. 223–238.

[14] P. Kocher, “Complexity and the challenges of securing SoCs,” in Proc. 48th ACM/EDAC/IEEE Design Autom. Conf. (DAC), Jun. 2011, pp. 328–331.

[15] S. Belaïd et al., “Towards fresh re-keying with leakage-resilient PRFs: Cipher design principles and analysis,” J. Cryptograph. Eng., vol. 4, no. 3, pp. 157–171, Sep. 2014.

[16] M. Dworkin, “NIST special publication 800-38A, recommendation for block cipher modes of operation: Methods and techniques.”

[17] Information Technology, Security Techniques, Authenticated Encryption, document ISO/IEC 19772:2009, Mar. 2013.

[18] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “Efficient and high-performance parallel hardware architectures for the AES-GCM,” IEEE Trans. Comput., vol. 61, no. 8, pp. 1165–1178, Aug. 2012.

[19] P. C. Kocher, “Leak-resistant cryptographic indexed key update,” U.S. Patent 6 539 092, Mar. 25, 2003.

[20] J. Daemen and V. Rijmen, The Design of Rijndael. Secaucus, NJ, USA: Springer-Verlag, 2002.

[21] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász, “Factoring polynomials with rational coefficients,” Math. Ann., vol. 261, no. 4, pp. 515–534, Dec. 1982.

[22] O. L. Mangasarian and B. Recht, “Probability of unique integer solution to a system of linear equations,” Eur. J. Oper. Res., vol. 214, no. 1, pp. 27–30, Oct. 2011.

[23] J. Blömer, J. Guajardo, and V. Krummel, “Provably secure masking of AES,” in Selected Areas in Cryptography, vol. 3357. Berlin, Germany: Springer-Verlag, 2005, pp. 69–83.

[24] A. Bogdanov et al., “PRESENT: An ultra-lightweight block cipher,” in Cryptographic Hardware and Embedded Systems, vol. 4727. Berlin, Germany: Springer-Verlag, 2007, pp. 450–466.

[25] B. J. G. Goodwill, J. Jaffe, and P. Rohatgi, “A testing methodology for side-channel resistance validation,” in Proc. NIST Non-Invasive Attack Testing Workshop, 2011.

[26] X. Cao and M. O’Neill, “Application-oriented SHA-256 hardware design for low-cost RFID,” in Proc. IEEE Int. Symp. Circuits Syst. (ISCAS), May 2012, pp. 1412–1415.

[27] X. Guo et al., “ASIC implementations of five SHA-3 finalists,” in Proc. Design, Autom. Test Eur. Conf. Exhibit. (DATE), Mar. 2012, pp. 1006–1011.

Mostafa Taha (S’12–M’14) is currently a Post-Doctoral Fellow with the Department of Electronics and Communication Engineering, Worcester Polytechnic Institute, Worcester, MA, USA. He received the B.E. and M.S. degrees in electrical engineering from Assiut University, Assiut, Egypt, in 2004 and 2008, respectively, and the Ph.D. degree in computer engineering from the Virginia Polytechnic Institute and State University, Blacksburg, VA, USA, in 2014. His research interests include hardware security and implementation attacks. He served as an academic reviewer for several conferences in this field, including CHES, COSADE, CARDIS, and HOST, and several journals, including the IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, the IEEE TRANSACTIONS ON COMPUTERS, the IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION SYSTEMS, and the IACR Journal of Cryptographic Engineering. He is a member of the IEEE and the International Association for Cryptologic Research.

Patrick Schaumont (SM’06) is currently an Associate Professor of Computer Engineering with the Virginia Polytechnic Institute and State University, Blacksburg, VA, USA. He received the Ph.D. degree in electrical engineering from the University of California at Los Angeles, Los Angeles, CA, USA, in 2004. His research interests include cryptographic engineering and its applications to embedded computing. He has served on the Program Committee of international conferences in this field, such as CHES, DATE, DAC, IEEE, and HOST. He is an Associate Editor of several journals in this field, including the IEEE TRANSACTIONS ON COMPUTERS, the IACR Journal of Cryptographic Engineering, the ACM Transactions on Design Automation of Electronic Systems, and the ACM Transactions on Embedded Computing Systems. He is a senior member of the IEEE and the International Association for Cryptologic Research.