Single-Trace Side-Channel Attacks on Masked …Single-Trace Side-Channel Attacks on Masked...
Transcript of Single-Trace Side-Channel Attacks on Masked …Single-Trace Side-Channel Attacks on Masked...
S C I E N C E P A S S I O N T E C H N O L O G Y
www.iaik.tugraz.at
Single-Trace Side-Channel Attacks onMasked Lattice-Based EncryptionRobert Primas, Peter Pessl, Stefan MangardIAIK, Graz University of Technology, Austria
CHES 2017, September 28
www.iaik.tugraz.at
Outlook
Single-trace SCA on masked asymmetric lattice-based encryption
Combination of template attack (TA) with:
Belief Propagation
Lattice Decoding
⇒ Full private key recovery
PrimasCHES 2017, September 282
www.iaik.tugraz.at
Outlook
Single-trace SCA on masked asymmetric lattice-based encryption
Combination of template attack (TA) with:
Belief Propagation
Lattice Decoding
⇒ Full private key recovery
PrimasCHES 2017, September 282
www.iaik.tugraz.at
Motivation
Lattice-based cryptography is a promising PQ candidate
Quantum computer resistant
Many efficient schemes available
Not a lot analysis of implementation security
⇒ First single-trace SCA for lattice-based crypto
PrimasCHES 2017, September 283
www.iaik.tugraz.at
Motivation
Lattice-based cryptography is a promising PQ candidate
Quantum computer resistant
Many efficient schemes available
Not a lot analysis of implementation security
⇒ First single-trace SCA for lattice-based crypto
PrimasCHES 2017, September 283
www.iaik.tugraz.at
Ring-LWE Encryption
Proposed by Lyubashevsky, Peikert and Regev[LPR10]
Based on Learning with Errors Problem
Operates on polynomials in the ring: Zq[x ]/(xn + 1)
In our setting: q = 7681,n = 256
PrimasCHES 2017, September 284
www.iaik.tugraz.at
Ring-LWE Encryption
* calculations are in Zq[x ]/(xn + 1)
r2( private key )
alice
(a,p)( public key )
m( encoded message )
bob
e1,e2,e3 ← X n
c1 = ae1 + e2←−−−−−−−−−( cipher text 1 )
c2 = pe1 + e3 + m←−−−−−−−−−−−−( cipher text 2 )
PrimasCHES 2017, September 285
www.iaik.tugraz.at
Ring-LWE Encryption
* calculations are in Zq[x ]/(xn + 1)
r2( private key )
alice
(a,p)( public key )
m( encoded message )
bob
e1,e2,e3 ← X n
c1 = ae1 + e2←−−−−−−−−−( cipher text 1 )
c2 = pe1 + e3 + m←−−−−−−−−−−−−( cipher text 2 )
PrimasCHES 2017, September 285
www.iaik.tugraz.at
Ring-LWE Encryption
* calculations are in Zq[x ]/(xn + 1)
r2( private key )
alice
(a,p)( public key )
m( encoded message )
bob
e1,e2,e3 ← X n
c1 = ae1 + e2←−−−−−−−−−( cipher text 1 )
c2 = pe1 + e3 + m←−−−−−−−−−−−−( cipher text 2 )
PrimasCHES 2017, September 285
www.iaik.tugraz.at
Ring-LWE Encryption
* calculations are in Zq[x ]/(xn + 1)
r2( private key )
alice
(a,p)( public key )
m( encoded message )
bob
e1,e2,e3 ← X n
c1 = ae1 + e2←−−−−−−−−−( cipher text 1 )
c2 = pe1 + e3 + m←−−−−−−−−−−−−( cipher text 2 )
PrimasCHES 2017, September 285
www.iaik.tugraz.at
Ring-LWE Decryption
* calculations are in Zq[x ]/(xn + 1)
alice
m = c1r2 + c2
⇒ Inefficient: > O(n2) due to polynomial division
PrimasCHES 2017, September 286
www.iaik.tugraz.at
Ring-LWE Decryption
* calculations are in Zq[x ]/(xn + 1)
alice
m = c1r2 + c2
⇒ Inefficient: > O(n2) due to polynomial division
PrimasCHES 2017, September 286
www.iaik.tugraz.at
Number Theoretic Transform (NTT)
Efficient polynomial multiplication in certain rings, e.g.:
Zq[x ]/(xn + 1)
Similar to FFT:ab = INTT( NTT(a) ∗ NTT(b) )
Features butterfly network
PrimasCHES 2017, September 287
www.iaik.tugraz.at
NTT - Butterfly
2-coefficients +x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 288
www.iaik.tugraz.at
NTT - Butterfly Network
4-coefficients
+x0,0x0,1 -+
--
+x0,2x0,3 -
+x1,0x1,1x1,2x1,3
x2,0x2,1x2,2x2,3PrimasCHES 2017, September 289
www.iaik.tugraz.at
NTT - Butterfly Network
256-coefficients
+x0,0x0,1 -+
--
+x0,2x0,3 -
+ω n0ω n0 ω n1ω n
0
x1,0x1,1x1,2x1,3
x2,0x2,1x2,2x2,3PrimasCHES 2017, September 2810
www.iaik.tugraz.at
Efficient Ring-LWE Decryption
* calculations are in Zq[x ]/(xn + 1) * x is the NTT transformed of x
alice
m = c1r2 + c2
m = INTT( c1 ∗ r2 + c2 )
⇒ Faster: O(n log n)
PrimasCHES 2017, September 2811
www.iaik.tugraz.at
Efficient Ring-LWE Decryption
* calculations are in Zq[x ]/(xn + 1) * x is the NTT transformed of x
alice
m = c1r2 + c2
m = INTT( c1 ∗ r2 + c2 )
⇒ Faster: O(n log n)
PrimasCHES 2017, September 2811
www.iaik.tugraz.at
Attack Idea
* public * x is the NTT transformed of x
Given the ciphertext (c1, c2) and private key r2, decryption is defined as:
m = INTT(c1 ∗ r2 + c2︸ ︷︷ ︸I INTT
) mod q
Thus r2 can be expressed as:
r2 = (I INTT − c2) ∗ c−11 mod q
PrimasCHES 2017, September 2812
www.iaik.tugraz.at
Attack Idea
* public * x is the NTT transformed of x
Given the ciphertext (c1, c2) and private key r2, decryption is defined as:
m = INTT(c1 ∗ r2 + c2︸ ︷︷ ︸I INTT
) mod q
Thus r2 can be expressed as:
r2 = (I INTT − c2) ∗ c−11 mod q
PrimasCHES 2017, September 2812
www.iaik.tugraz.at
Attack Strategy
Steps:
1. Single-trace TA on the INTT operation
2. Leakage combination via Belief Propagation (BP)
3. Key recovery via lattice decoding
PrimasCHES 2017, September 2813
www.iaik.tugraz.at
Step 1: Template Attack
Efficient SW implementation byde Clercq et al. [dCRVV15]
Texas Instruments MSP432(ARM Cortex-M4F)
EM-side-channel of powerregulation circuitry
Observed traces are expected tobe close to power consumption
PrimasCHES 2017, September 2814
www.iaik.tugraz.at
Step 1: Template Attack
Target: Modular multiplication ineach butterfly
One factor of multiplication isalways known (ωx
n )
Additional exploitation of timinginformation
Goal: Probability distribution overeach observed coefficient
+x0,0x0,1 -x1,0x1,1
PrimasCHES 2017, September 2815
www.iaik.tugraz.at
Step 1: Template Attack
Target: Modular multiplication ineach butterfly
One factor of multiplication isalways known (ωx
n )
Additional exploitation of timinginformation
Goal: Probability distribution overeach observed coefficient
+x0,0x0,1 -+
--
+x0,2x0,3 -
+x1,0x1,1x1,2x1,3
x2,0x2,1x2,2x2,3PrimasCHES 2017, September 2816
www.iaik.tugraz.at
Step 2: Belief Propagation
Iterative algorithm
Calculate marginal distributions
Combine leakage information
Usage in SCA first proposed byVeyrat-Charvillon [VGS14]
+x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 2817
www.iaik.tugraz.at
Step 2: Belief Propagation
Iterative algorithm
Calculate marginal distributions
Combine leakage information
Usage in SCA first proposed byVeyrat-Charvillon [VGS14]
+x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 2818
www.iaik.tugraz.at
Step 2: Belief Propagation
Iterative algorithm
Calculate marginal distributions
Combine leakage information
Usage in SCA first proposed byVeyrat-Charvillon [VGS14]
+x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 2819
www.iaik.tugraz.at
Step 2: Belief Propagation
Iterative algorithm
Calculate marginal distributions
Combine leakage information
Usage in SCA first proposed byVeyrat-Charvillon [VGS14]
+x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 2820
www.iaik.tugraz.at
Step 2: Belief Propagation
Iterative algorithm
Calculate marginal distributions
Combine leakage information
Usage in SCA first proposed byVeyrat-Charvillon [VGS14]
+x0,0x0,1 -ω n0 x1,0x1,1PrimasCHES 2017, September 2821
www.iaik.tugraz.at
Step 2: Belief Propagation
Considerations:
Uneven distribution of side-channel information
Bad TA performance in first layer (ω0n = 1)
Layer Index1 2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
128
160
192
224
255
MUL No MUL
PrimasCHES 2017, September 2822
www.iaik.tugraz.at
Step 2: Belief Propagation
Solution:
Perform BP on 3 Sub-Networks:
Ignore areas with:
No / little side-channel information
Comparably noisy side-channel information
Not all inputs can be recovered→ Step 3:
Layer Index1 2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
128
160
192
224
255
FG 1 FG 2 FG 3
PrimasCHES 2017, September 2823
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 0
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 1
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 2
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 3
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 4
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 5
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 6
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 7
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 8
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 9
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 10
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 11
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 12
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 13
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 14
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 15
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 16
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 17
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 18
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration 19
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Iteration ≥ 20
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2824
www.iaik.tugraz.at
Step 2: Belief Propagation
Still a lot of uncertainty in the input layerof all 3 Sub-Networks...
We can exploit linearity of INTTto recover 192/256 inputs
Brute forcing the remaining coefficientsis still infeasible:
768164 ≈ 2826
Full key recovery still possible!
Layer Index2 3 4 5 6 7 8
Var
iable
Index
0
32
64
96
127
Entropy0 13
PrimasCHES 2017, September 2825
www.iaik.tugraz.at
Step 3: Key Recovery
Setup equation system that relates the 192 recoveredcoefficients to the private key r2
Combine the equation system with the public key
Recover r2 by solving a reduced rank (256− 192 = 64) SVP problem
BKZ Basis Reduction
Success rate of lattice decoding is 1
PrimasCHES 2017, September 2826
www.iaik.tugraz.at
Attack on masked implementation
Proposed by Reparaz [RRdC+16]
Private key r2 is split into r ′2 and r ′′2 s.t.:
r2 = r ′2 + r ′′2 mod q
Recover 192 coefficients of one layerfor both INTTs
Perform pairwise addition of coefficients
Proceed with Step 3 in unmaskedscenario
PrimasCHES 2017, September 2827
www.iaik.tugraz.at
Results
Step 1: Obtain leakage of intermediate coefficients
Step 2: Reliable recovery of coefficients in Sub-Networks
Step 3: Lattice-decoding success rate is 1
⇒ Attack success rate is 1
Same holds for masked implementations
Also evaluated for simulated noisy-HW leakage model
PrimasCHES 2017, September 2828
S C I E N C E P A S S I O N T E C H N O L O G Y
www.iaik.tugraz.at
Single-Trace Side-Channel Attacks onMasked Lattice-Based EncryptionRobert Primas, Peter Pessl, Stefan MangardIAIK, Graz University of Technology, Austria
CHES 2017, September 28
www.iaik.tugraz.at
Bibliography I
[dCRVV15] Ruan de Clercq, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. Efficient software implementation of ring-lweencryption. In Wolfgang Nebel and David Atienza, editors, DATE 2015, pages 339–344. ACM, 2015.
[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. In Henri Gilbert, editor,EUROCRYPT 2010, volume 6110 of LNCS, pages 1–23. Springer, 2010.
[RRdC+16] Oscar Reparaz, Sujoy Sinha Roy, Ruan de Clercq, Frederik Vercauteren, and Ingrid Verbauwhede. Masking ring-lwe. J. CryptographicEngineering, 6(2):139–153, 2016. Extended journal version of [RRVV15].
[RRVV15] Oscar Reparaz, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. A masked ring-lwe implementation. In Tim Guneysuand Helena Handschuh, editors, CHES 2015, volume 9293 of LNCS, pages 683–702. Springer, 2015.
[VGS14] Nicolas Veyrat-Charvillon, Benoıt Gerard, and Francois-Xavier Standaert. Soft analytical side-channel attacks. In Palash Sarkar andTetsu Iwata, editors, ASIACRYPT 2014, volume 8873 of LNCS, pages 282–296. Springer, 2014.
PrimasCHES 2017, September 2830