High-Resolution EM Attacks Against Leakage-Resilient PRFs Explained - And An Improved Construction
Achieving side-channel resistance through Leakage Resilience (LR) is highly relevant for embedded devices, where the requirements of other countermeasures, such as high-quality random numbers, are hard to guarantee. The main challenge of LR lies in the initialization of a secret pseudorandom state from a long-term key and public input. Leakage-Resilient Pseudo-Random Functions (LR-PRFs) aim at solving this by bounding side-channel leakage to non-exploitable levels through frequent re-keying. Medwed et al. recently presented an improved construction at ASIACRYPT 2016 which uses 'unknown inputs' in addition to limited data complexity and correlated algorithmic noise from parallel S-boxes. However, a subsequent investigation uncovered a vulnerability to high-precision EM analysis on FPGA. In this paper, we follow up on the reasons why such attacks succeed on FPGAs. We find that in addition to the high spatial resolution, it is mainly the high temporal resolution which leads to the reduction of algorithmic noise from parallel S-boxes. While spatial resolution is less threatening for smaller technologies than the FPGA used here, temporal resolution will likely remain an issue, since balancing the timing behavior of signals in the nanosecond range seems infeasible today. Nonetheless, we present an improvement of the ASIACRYPT 2016 construction to effectively protect against EM attacks with such high spatial and high temporal resolution. We carefully introduce additional key entropy into the LR-PRF construction to achieve a high remaining security level even when implemented on FPGAs. With this improvement, we finally achieve side-channel secure LR-PRFs in a practical and simple way under verifiable empirical assumptions.
An adaptive measurement protocol for fine-grained electromagnetic side-channel analysis of cryptographic modules
An adaptive measurement protocol is presented to increase the effectiveness of fine-grained electromagnetic side-channel analysis (EM SCA) attacks, which attempt to extract the information that is unintentionally leaked from physical implementations of cryptographic modules. Because measured fields vary with probe parameters as well as with the data being encrypted, identifying the optimal configurations requires searching among a large number of possible configurations. The proposed protocol is a multi-step acquisition that corresponds to a greedy search in a 4-D configuration space consisting of the probe's on-chip coordinates, orientation, and number of signals acquired. This 4-D space can be extended to a 6-D space by repeating the protocol for different probe sizes and heights. This approach is presented as an alternative to current fine-grained EM SCA techniques that perform exhaustive full-chip scans to isolate information-leaking locations. To demonstrate the feasibility of the approach, the protocol is tested by performing EM SCA attacks for different configurations and identifying the best attack configuration for two realizations of the Advanced Encryption Standard (AES), subject to the precision of the measurement equipment. It is found that the protocol requires ~20× to ~25× less acquisition time compared to an exhaustive search for the optimal attack configuration.
Fine-grained methods for using EM fields measured near computing chips to evaluate data leakage
This thesis presents novel fine-grained methods that show electromagnetic (EM) fields measured near chips during computations can be effectively used to evaluate data leakage. Several near-field measurement techniques combined with appropriate statistical analyses are introduced in the dissertation. The proposed EM side-channel analysis (SCA) methods are used to rapidly localize information leakage on the chip, identify optimal reusable measurement setups to minimize the marginal cost of future evaluations, and infer the data values of interest. These methods are used to perform measurement-based evaluations of data leakage from several embedded system applications: (i) Using encryption keys of the Advanced Encryption Standard (AES) algorithm as the data of interest, a multi-stage measurement protocol is introduced to rapidly identify the chip locations which are most likely to leak the key, as well as the actual key value; the method was found to be ~2× to ~37× faster than alternatives while using them to evaluate the SCA resilience of several baseline and hardened implementations of AES; (ii) Assuming processor instructions as the data of interest, a hierarchical disassembler is developed to recover the execution trace of programs from a general-purpose micro-controller; the method was found to recover ~97% of instructions from several application benchmarks; (iii) Using the Bluetooth payload as the data of interest, vulnerable locations on a Bluetooth Low Energy server implementation are isolated, and the data values of the payload are estimated; while the exact data values were not found, the Hamming Weight (HW) of test data was identified with 100% accuracy. These methods provide feasible alternatives to an exhaustive evaluation where data is recovered after measuring all possible computations at every single probe configuration. The feasibility of these methods is inherently dependent on the restrictions placed on evaluators, i.e., the threat model.
Thus, a systematic study of protocols suited for different threat models is performed, which also includes marginal cost comparisons of different SCA attack modalities. Finally, the thesis also introduces novel metrics and modelling methods that improve the potency of side-channel security evaluations.
Dissecting leakage resilient PRFs with multivariate localized EM attacks: A practical security evaluation on FPGA
In leakage-resilient symmetric cryptography, two important concepts have been proposed in order to decrease the success rate of differential side-channel attacks. The first one is to limit the attacker's data complexity by restricting the number of observable inputs; the second one is to create correlated algorithmic noise by using parallel S-boxes with equal inputs. The latter hinders the typical divide-and-conquer approach of differential side-channel attacks and makes key recovery much more difficult in practice. The use of localized electromagnetic (EM) measurements has already been shown to limit the effectiveness of such measures in previous works based on PRESENT S-boxes and 90 nm FPGAs. However, it has been left for future investigation in recent publications based on AES S-boxes. We aim at providing helpful results and insights from LDA-preprocessed, multivariate, localized EM attacks against a 45 nm FPGA implementation using AES S-boxes. We show that even in the case of densely placed S-boxes (with identical routing constraints), and even when limiting the data complexity to the minimum of only two inputs, the guessing entropy of the key is reduced to only 2^48, which remains well within the key enumeration capabilities of today's adversaries. Relaxing the S-box placement constraints further reduces the guessing entropy. Increasing the data complexity for efficiency reduces it further, down to a direct key recovery. While our results are empirical and reflective of one device and implementation, they emphasize the threat of multivariate localized EM attacks to such AES-based leakage-resilient constructions, more than currently believed.