Side-Channel Analysis of Keymill

One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the used re-keying function has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Keymill---a side-channel resilient key generator (or re-keying function)---has been proposed, which is claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill, which is based on the dynamic power consumption of a digital circuit that is tied to the $0\rightarrow1$ and $1\rightarrow0$ switches of its logical gates. Hence, the power consumption of the shift-registers used in Keymill depends on the $0\rightarrow1$ and $1\rightarrow0$ switches of its internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift-registers of Keymill after the nonce (or $IV$) has been absorbed. This leads to a practical key-recovery attack on Keymill

Differential Power Analysis on (Non-)Linear Feedback Shift Registers

Differential power analysis (DPA) is a statistical analysis of the power traces of cryptographic computations. DPA has many applications including key-recovery on linear feedback shift register based stream ciphers. In 2017, Dobraunig et. al. presented a DPA on Keymill to uncover the bit relations of neighbouring bits in the shift registers, effectively reduces the internal state guessing space to 4-bit. In this work, we generalise the analysis methodology to uncover more bit relations on both linear feedback shift registers (LFSRs) and non-linear feedback shift registers (NLFSRs) and with application to fresh re-keying scheme --- LR-Keymill. In addition, we improve the DPA on Keymill by halving the data resources needed for the attack

DAPA: Differential Analysis aided Power Attack on (Non-)Linear Feedback Shift Registers (Extended version)

Differential power analysis (DPA) is a form of side-channel analysis (SCA) that performs statistical analysis on the power traces of cryptographic computations. DPA is applicable to many cryptographic primitives, including block ciphers, stream ciphers and even hash-based message authentication code (HMAC). At COSADE 2017, Dobraunig~et~al. presented a DPA on the fresh re-keying scheme Keymill to extract the bit relations of neighbouring bits in its shift registers, reducing the internal state guessing space from 128 to 4 bits. In this work, we generalise their methodology and combine with differential analysis, we called it differential analysis aided power attack (DAPA), to uncover more bit relations and take into account the linear or non-linear functions that feedback to the shift registers (i.e. LFSRs or NLFSRs). Next, we apply our DAPA on LR-Keymill, the improved version of Keymill designed to resist the aforementioned DPA, and breaks its 67.9-bit security claim with a 4-bit internal state guessing. We experimentally verified our analysis. In addition, we improve the previous DPA on Keymill by halving the amount of data resources needed for the attack. We also applied our DAPA to Trivium, a hardware-oriented stream cipher from the eSTREAM portfolio and reduces the key guessing space from 80 to 14 bits

Keymill: Side-Channel Resilient Key Generator

In the crypto community, it is widely acknowledged that any cryptographic scheme that is built with no countermeasure against side-channel analysis (SCA) can be easily broken. In this paper, we challenge this intuition. We investigate a novel approach in the design of cryptographic primitives that promotes inherent security against side-channel analysis without using redundant circuits. We propose Keymill, a new keystream generator that is immune against SCA attacks. Security of the proposed scheme depends on mixing key bits in a special way that expands the size of any useful key hypothesis to the full entropy, which enables SCA-security that is equivalent to the brute force. Doing so, we do not propose a better SCA countermeasure, but rather a new one. The current solution focuses exclusively on side-channel analysis and works on top of any unprotected block cipher for mathematical security. The proposed primitive is generic and can turn any block cipher into a protected mode using only 775 equivalent NAND gates, which is almost half the area of the best countermeasure available in the literature

Some Applications of Hamming Weight Correlations

It is a well-known fact that the power consumption during certain stages of a cryptographic algorithm exhibits a strong correlation with the Hamming Weight of its underlying variables. This phenomenon has been widely exploited in the cryptographic literature in various attacks targeting a broad range of schemes such as block ciphers or public-key cryptosystems. A common way of breaking this correlation is through the inclusion of countermeasures involving additional randomness into the computation in the form of hidden (undisclosed) component functions or masking strategies that complicate the inference of any sensitive information from the gathered power traces. In this work, we revisit the tight correlation between the Hamming Weight and the observed power consumption of an algorithm and demonstrate, in the first part, a practical reverse-engineering attack of proprietary AES-like constructions with secret internal components like the SubBytes, MixColumns and ShiftRows functions. This approach is used in some commercial products such as the Dynamic Encryption package from the communication services provider Dencrypt as an extra layer of security. We recover the encryption key alongside the hidden substitution and permutation layer as well as the MixColumns matrix on both 8-bit and 32-bit architectures. In a second effort, we shift our attention to a masked implementation of AES, specifically the secAES proposal put forward by the French National Cybersecurity Agency (ANSSI) that concisely combines several side-channel countermeasure techniques. We show its insecurity in a novel side-channel-assisted statistical key-recovery attack that only necessitates a few hundreds of collected power traces

Saidoyoki: Evaluating side-channel leakage in pre- and post-silicon setting

Predicting the level and exploitability of side-channel leakage from complex SoC design is a challenging task. We present Saidoyoki, a test platform that enables the assessment of side-channel leakage under two different settings. The first is pre-silicon side-channel leakage estimation in SoC, and it requires the use of fast side-channel leakage estimation from a high level design description. The second is post-silicon side-channel leakage measurement and analysis in SoC, and it requires a hardware prototype that reflects the design description. By designing an in-house SoC and next building a side-channel leakage analysis environment around it, we are able to evaluate design-time (pre-silicon) side-channel leakage estimates as well as prototype (post-silicon) side-channel leakage measurements. The Saidoyoki platform hosts two different SoC, one based on a 32-bit RISC-V processor and a second based on a SPARC V8 processor. In this contribution, we highlight our design decisions and design flow for side-channel leakage simulation and measurement, and we present preliminary results and analysis using the Saidoyoki platform. We highlight that, while the post-silicon setting provides more side-channel leakage detail than the pre-silicon setting, the latter provides significantly enhanced test resolution and root cause analysis support. We conclude that pre-silicon side-channel leakage assessment can be an important tool for the security analysis of modern Security SoC

Modeling attack resistant strong physical unclonable functions : design and applications

Physical unclonable functions (PUFs) have great promise as hardware authentication primitives due to their physical unclonability, high resistance to reverse engineering, and difficulty of mathematical cloning. Strong PUFs are distinguished by an exponentially large number of challenge-response pairs (CRPs), in contrast with weak PUFs that have a smaller CRP set. Because the adversary cannot create an enumeration clone by recording all CRPs even when in physical possession of a PUF, strong PUFs enable secure direct authentication, that does not require cryptography and are thus attractive to low-energy and IoT applications. The first contribution of this dissertation is the design of a strong silicon PUF resistant to machine learning (ML) attacks. For a strong PUF to be an effective security primitive, the CRPs need to be unpredictable: given a set of known CRPs, it should be difficult to predict the unobserved CRPs. Otherwise, an adversary can succeed in an attack based on building a model of the PUF. Early strong PUFs have shown vulnerability to ML based attacks. We take advantage of the strongly nonlinear I -- V property of MOSFETs operating in subthreshold region to introduce a highly unpredictable PUF. The PUF, termed the subthreshold current array PUF (SCA-PUF), consists of a pair of two-dimensional transistor arrays, a circuit stabilizing the PUF output, and a low-offset comparator. The proposed 65-bit SCA-PUF is fabricated in a 130nm process and allows 2⁶⁵ CRPs. It consumes 68nW and 11pJ/bit while exhibiting high uniqueness, uniformity, and randomness. It achieves bit error rate (BER) of 5.8% for the temperature range of -20 to +80°C and supply voltage variation of ±10%. A calibration-based CRP selection method is developed to improve BER to 0.4% with a 42% loss of CRPs. When subjected to ML attacks, the prediction error stays over 40% on 10⁴ training points, which shows negligible loss in PUF unpredictability and about 100X higher resilience than the 65-bit arbiter PUF, 3-XOR PUF, and 3-XOR lightweight PUF. The second contribution is the application of a strong PUF in a secure key update scheme. Side-channel attacks on cryptographic implementations threaten system security via the loss of the secret key. The adversary can recover the key by analyzing side-channel analog behavior of a cryptographic device, such as power consumption. Fresh re-keying techniques aim to mitigate these attacks by regularly updating the key, so that the side-channel exposure of each key is minimized. Existing key update schemes generate fresh keys by processing a root key using arithmetic operations. Unfortunately, such techniques have been demonstrated to also be vulnerable to side-channel attacks. We propose a novel approach to fresh re-keying that replaces the arithmetic key update function with a strong PUF. We show that the security of our scheme hinges on the resilience of the PUF to a power side-channel attack and propose a realization based on the SCA-PUF. We show that the SCA-PUF is resistant to simple power analysis and a modeling attack that uses ML on the power side-channel. We target an insecure device and secure server encryption scenario for which we provide an efficient and scalable method of PUF enrollment. Finally, we develop an end-to-end encryption system with PUF-based fresh re-keying, using a reverse fuzzy extractor construction. The third contribution is the implementation of a strong PUF provably secure against ML attacks. The security is derived from cryptographic hardness of learning decryption functions of semantically secure public-key cryptosystems within the probably approximately correct framework. The proposed PUF, termed the lattice PUF, compactly realizes the decryption function of the learning-with-errors (LWE) public-key cryptosystem as the core block. The lattice PUF is lightweight and fully digital. It is constructed using a weak PUF, as a physically obfuscated key (POK), an LWE decryption function block, a pseudo-random number generator in the form of a linear-feedback shift register (LFSR), a self-incrementing counter, and a control block. The POK provides the secret key of the LWE decryption function. A fuzzy extractor is utilized to ensure stability of the POK. The proposed lattice PUF significantly improves upon a direct implementation of LWE decryption function in terms of challenge transfer cost by exploiting distributional relaxations allowed by recent work in space-efficient LWEs. Specifically, only a small challenge-seed is transmitted while the full-length challenge is re-generated by the LFSR resulting in a 100X reduction of communication cost. To prevent an active attack in which arbitrary challenges can be submitted, the value of a self-incrementing counter is embedded into the challenge seed. We construct a lattice PUF that realizes a challenge-response pair space of size 2¹³⁶, requires 1160 POK bits, and guarantees 128-bit ML resistance. Assuming a bit error rate of 5% for SRAM-based POK, 6.5K SRAM cells are needed. The PUF shows excellent uniformity, uniqueness, and reliability. We implement the PUF on a Spartan 6 FPGA. It requires only 45 slices for the lattice PUF proper and 233 slices for the fuzzy extractorElectrical and Computer Engineerin

Circuit-Variant Moving Target Defense for Side-Channel Attacks on Reconfigurable Hardware

With the emergence of side-channel analysis (SCA) attacks, bits of a secret key may be derived by correlating key values with physical properties of cryptographic process execution. Power and Electromagnetic (EM) analysis attacks are based on the principle that current flow within a cryptographic device is key-dependent and therefore, the resulting power consumption and EM emanations during encryption and/or decryption can be correlated to secret key values. These side-channel attacks require several measurements of the target process in order to amplify the signal of interest, filter out noise, and derive the secret key through statistical analysis methods. Differential power and EM analysis attacks rely on correlating actual side-channel measurements to hypothetical models. This research proposes increasing resistance to differential power and EM analysis attacks through structural and spatial randomization of an implementation. By introducing randomly located circuit variants of encryption components, the proposed moving target defense aims to disrupt side-channel collection and correlation needed to successfully implement an attac

DAPA: Differential Analysis aided Power Attack on (Non-) Linear Feedback Shift Registers

Differential power analysis (DPA) is a form of side-channel analysis (SCA) that performs statistical analysis on the power traces of cryptographic computations. DPA is applicable to many cryptographic primitives, including block ciphers, stream ciphers and even hash-based message authentication code (HMAC). At COSADE 2017, Dobraunig et al. presented a DPA on the fresh re-keying scheme Keymill to extract the bit relations of neighbouring bits in its shift registers, reducing the internal state guessing space from 128 to 4 bits. In this work, we generalise their methodology and combine with differential analysis, we called it differential analysis aided power attack (DAPA), to uncover more bit relations and take into account the linear or non-linear functions that feedback to the shift registers (i.e. LFSRs or NLFSRs). Next, we apply our DAPA on LR-Keymill, the improved version of Keymill designed to resist the aforementioned DPA, and breaks its 67.9-bit security claim with a 4-bit internal state guessing. We experimentally verified our analysis. In addition, we improve the previous DPA on Keymill by halving the amount of data resources needed for the attack. We also applied our DAPA to Trivium, a hardware-oriented stream cipher from the eSTREAM portfolio and reduces the key guessing space from 80 to 14 bits