
    Security Assessment of White-Box Design Submissions of the CHES 2017 CTF Challenge

    In 2017, the first CHES Capture the Flag Challenge was organized in an effort to promote good design candidates for white-box cryptography. In particular, the challenge assessed the security of the designs with regard to key extraction attacks. A total of 94 candidate programs were submitted, and all of them were broken eventually. Even though most candidates were broken within a few hours, some candidates remained robust against key extraction attacks for several days, and even weeks. In this paper, we perform a qualitative analysis of all candidates submitted to the CHES 2017 Capture the Flag Challenge. We test the robustness of each challenge against different types of attacks, such as automated attacks, extensions thereof and reverse engineering attacks. We are able to classify each challenge according to its robustness against these attacks, highlighting how challenges vulnerable to automated attacks can be broken in a very short amount of time, while more robust challenges demand large reverse engineering efforts and therefore more time from the adversaries. Besides classifying the robustness of each challenge, we also give data regarding their size and efficiency and explain how some of the more robust challenges could actually provide acceptable levels of security for some real-life applications.

    Protecting the most significant bits in scalar multiplication algorithms

    The Montgomery Ladder is widely used for implementing the scalar multiplication in elliptic curve cryptographic designs. This algorithm is efficient and provides a natural robustness against (simple) side-channel attacks. Previous works however showed that implementations of the Montgomery Ladder using Lopez-Dahab projective coordinates easily leak the value of the most significant bits of the secret scalar, which led to a full key recovery in an attack known as LadderLeak. In light of such leakage, we analyse further popular methods for implementing the Montgomery Ladder. We first consider open source software implementations of the X25519 protocol which implement the Montgomery Ladder based on the ladderstep algorithm from Düll et al. [15]. We confirm via power measurements that these implementations also easily leak the most significant scalar bits, even when implementing Z-coordinate randomisations. We thus propose simple modifications of the algorithm and its handling of the most significant bits and show the effectiveness of our modifications via experimental results. In particular, our re-designs of the algorithm do not incur significant efficiency penalties. As a second case study, we consider open source hardware implementations of the Montgomery Ladder based on the complete addition formulas for prime order elliptic curves, where we observe the exact same leakage. As we explain, the most significant bits in implementations of the complete addition formulas can be protected in an analogous way to what we do for Curve25519 in our first case study.

    On Provable White-Box Security in the Strong Incompressibility Model

    Incompressibility is a popular security notion for white-box cryptography and captures that a large encryption program cannot be compressed without losing functionality. Fouque, Karpman, Kirchner and Minaud (FKKM) defined strong incompressibility, where a compressed program should not even help to distinguish encryptions of two messages of equal length. Equivalently, the notion can be phrased as indistinguishability under chosen-plaintext attacks and key-leakage (LK-IND-CPA), where the leakage rate is high. In this paper, we show that LK-IND-CPA security with superlogarithmic-length leakage, and thus strong incompressibility, cannot be proven under standard (i.e. single-stage) assumptions, if the encryption scheme is key-fixing, i.e. a polynomial number of message-ciphertext pairs uniquely determine the key with high probability. Our impossibility result refutes a claim by FKKM that their big-key generation mechanism achieves strong incompressibility when combined with any PRG or any conventional encryption scheme, since the claim is not true for encryption schemes which are key-fixing (or for PRGs which are injective). In particular, we prove that the cipher block chaining (CBC) block cipher mode is key-fixing when modelling the cipher as a truly random permutation for each key. Subsequent to and inspired by our work, FKKM prove that their original big-key generation mechanism can be combined with a random oracle into an LK-IND-CPA-secure encryption scheme, circumventing the impossibility result by the use of an idealised model. Along the way, our work also helps to clarify the relations between incompressible white-box cryptography, big-key symmetric encryption, and general leakage resilient cryptography, and their limitations.

    Breaking DPA-protected Kyber via the pair-pointwise multiplication

    We present a new template attack that allows us to recover the secret key in Kyber directly from the polynomial multiplication in the decapsulation process. This multiplication corresponds to pair-pointwise multiplications between the NTT representations of the secret key and an input ciphertext. For each pair-point multiplication, a pair of secret coefficients is multiplied in isolation with a pair of ciphertext coefficients, leading to side-channel information which depends solely on these two pairs of values. Hence, we propose to exploit the leakage coming from each pair-point multiplication and use it for identifying the values of all secret coefficients. Interestingly, the same leakage is present in DPA-protected implementations. Namely, masked implementations of Kyber simply compute the pair-pointwise multiplication process sequentially on secret shares, allowing us to apply the same strategy for recovering the secret coefficients of each share of the key. Moreover, as we show, our attack can be easily extended to target designs implementing shuffling of the polynomial multiplication. We also show that our attacks can be generalised to work with a known ciphertext rather than a chosen one. To evaluate the effectiveness of our attack, we target the open source implementation of masked Kyber from the mkm4 repository. We conduct extensive simulations which confirm high success rates in the Hamming weight model, even when running the simplest versions of our attack with a minimal number of templates. We show that the success probabilities of our attacks can be increased exponentially by only a linear (in the modulus q) increase in the number of templates. Additionally, we provide partial experimental evidence of our attack’s success. In fact, we show via power traces that, if we build templates for pairs of coefficients used within a pair-point multiplication, we can perform a key extraction by simply calculating the difference between the target trace and the templates. Our attack is simple and straightforward and should not require any deep learning or heavy machinery for template building or matching. Our work shows that countermeasures such as masking and shuffling may not be enough for protecting the polynomial multiplication in lattice-based schemes against very basic side-channel attacks.
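    As an added example (not code from the paper or from the mkm4 repository), the following Python simulation shows why the pair-pointwise multiplication leaks each secret coefficient on its own. The modulus q = 3329, the primitive root 17 and the operation order of the basemul follow the Kyber reference design; the particular twiddle value, the secret values, the uniformly random known ciphertext pairs and the noise-free Hamming-weight leakage are assumptions of the example. Only two of the four coefficient products depend on a given secret coefficient, so each coefficient is matched separately against q candidate templates instead of q^2 per pair; the masked variant recovers each arithmetic share from its own basemul run and adds the shares.

```python
"""Hamming-weight template attack on one pair-point multiplication of Kyber.

Added illustration, not the paper's code: Kyber's basemul on NTT-domain
coefficient pairs is modelled, the Hamming weight of each intermediate
product is taken as the leakage, and the two secret coefficients of the
pair are recovered independently by matching observed weights against the
prediction for every candidate value mod q. The masked variant recovers
each arithmetic share separately and adds the shares.
"""
import random

Q = 3329   # Kyber modulus
ZETA = 17  # Kyber's primitive 256th root of unity; the twiddle of a given pair
           # index is a power of it, for this example the value only needs to be fixed


def hw(x):
    """Hamming weight, the leakage model used throughout."""
    return bin(x).count("1")


def basemul(a, b, zeta=ZETA):
    """Pair-pointwise product (a0 + a1 X)(b0 + b1 X) mod (X^2 - zeta), in the
    operation order of the Kyber reference code. Returns the result and the
    four coefficient products, which are the values that leak."""
    t00 = a[0] * b[0] % Q
    t11 = a[1] * b[1] % Q
    t01 = a[0] * b[1] % Q
    t10 = a[1] * b[0] % Q
    c0 = (t00 + t11 * zeta) % Q
    c1 = (t01 + t10) % Q
    return (c0, c1), (t00, t11, t01, t10)


def leak(a, b, zeta=ZETA):
    """Noise-free trace of one pair-point multiplication: HW of each product."""
    _, prods = basemul(a, b, zeta)
    return tuple(hw(p) for p in prods)


# Which trace samples each secret coefficient influences, and through which
# ciphertext coefficient: a0 appears in t00 (times b0) and t01 (times b1),
# a1 in t11 (times b1) and t10 (times b0). Nothing else in the slot depends
# on the other coefficient, so each one is matched on its own.
_SAMPLES = {0: ((0, 0), (2, 1)), 1: ((1, 1), (3, 0))}


def recover_coeff(traces, cts, which):
    """Candidates for secret coefficient `which` consistent with all traces.
    The templates are the predicted weights for each of the q candidate
    values, so the template count grows linearly in q, not q^2 per pair."""
    cands = []
    for s in range(Q):
        for trace, b in zip(traces, cts):
            if any(hw(s * b[bi] % Q) != trace[ti] for ti, bi in _SAMPLES[which]):
                break
        else:
            cands.append(s)
    return cands


def recover_pair(traces, cts):
    return recover_coeff(traces, cts, 0), recover_coeff(traces, cts, 1)


def random_cts(n, rng):
    """Known (not chosen) ciphertext coefficient pairs, uniform mod q (constructed)."""
    return [(rng.randrange(Q), rng.randrange(Q)) for _ in range(n)]


def attack_unmasked(secret, n_traces=24, seed=1):
    rng = random.Random(seed)
    cts = random_cts(n_traces, rng)
    traces = [leak(secret, b) for b in cts]
    return recover_pair(traces, cts)


def attack_masked(secret, n_traces=24, seed=2):
    """Masking splits each secret coefficient into two arithmetic shares and
    runs basemul once per share (sequentially, as the abstract describes).
    Each run leaks its share exactly like the unmasked case; the recovered
    shares are added to obtain the secret."""
    rng = random.Random(seed)
    share_a = (rng.randrange(Q), rng.randrange(Q))
    share_b = ((secret[0] - share_a[0]) % Q, (secret[1] - share_a[1]) % Q)
    cts = random_cts(n_traces, rng)
    rec_a = recover_pair([leak(share_a, b) for b in cts], cts)
    rec_b = recover_pair([leak(share_b, b) for b in cts], cts)
    if any(len(c) != 1 for c in rec_a + rec_b):
        return None  # ambiguous: more traces needed
    return ((rec_a[0][0] + rec_b[0][0]) % Q, (rec_a[1][0] + rec_b[1][0]) % Q)


if __name__ == "__main__":
    s = (1234, 2023)  # constructed secret coefficient pair
    print("unmasked:", attack_unmasked(s))
    print("masked:  ", attack_masked(s))
```

    Real traces are noisy, so a practitioner would replace the exact-match test in recover_coeff with a distance between the observed samples and each template and keep the closest candidate; the isolation argument (two samples per secret coefficient, nothing from the other coefficient) is unchanged.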

    Vulnerability assessment of an IHP ECC implementation

    Mathematically, cryptographic approaches are secure. This means that the time an attacker needs to find the secret by brute-forcing these approaches is comparable to the lifetime of our world. Practically, an algorithm implemented in hardware is a device that generates a lot of additional data during the calculation. Its power consumption, electromagnetic radiation etc. can be measured, saved and analysed for key extraction. Such attacks, the side channel analysis attacks (SCA attacks), are significant threats when applying cryptographic algorithms. By taking the issue of physical attacks into consideration when implementing a cryptographic algorithm, it is possible to design an implementation that is resilient, at least to a certain extent, against side channel analyses. In this report, we give implementation details of the IHP accelerator for the elliptic curve point multiplication. We analysed the implemented algorithmic flow and its power consumption using simulated power traces for the 130nm CMOS IHP technology. We made a horizontal power analysis attack using the difference-of-means test with the goal of finding potential SCA leakage sources, i.e. finding the operations in the algorithmic flow that are responsible for the correct extraction of the cryptographic key.

    SCA resistant implementation of the Montgomery kP-algorithm

    Mathematically, cryptographic approaches are secure. This means that the time an attacker needs to find the secret by brute-forcing these approaches is comparable to the lifetime of our world. Practically, an algorithm implemented in hardware is a device that generates a lot of additional data during the calculation process. Its power consumption, electromagnetic radiation, etc. can be measured, saved and analysed for key extraction. Such attacks are called side channel analysis attacks and are significant threats when applying cryptographic algorithms. By considering these attacks when implementing a cryptographic algorithm, it is possible to design an implementation that is more resistant against them. The goal of this thesis was to design a methodology to securely implement the Montgomery kP-operation using an IHP implementation as a starting point. In addition, the area and energy consumption of the secure Montgomery kP-multiplier should still be highly efficient. The resistance against power analysis attacks of two different IHP ECC implementations was analysed in this thesis. A horizontal power analysis attack using the difference-of-means test was performed with the goal of finding potential leakage sources exploited in side channel analysis attacks, i.e. finding the reasons for a correct extraction of the cryptographic key. For both analysed ECC designs, four key candidates were extracted with a correctness of 90% or more. Through analysis of the implemented Montgomery kP-algorithm’s functionality and its power consumption, it was established that the algorithm’s operation execution flow was the main cause of the implementations’ vulnerability. Thus, a design methodology consisting of changing the Montgomery kP-algorithm operation flow was developed. As a result, the re-designed implementations do not deliver any correctly extracted key candidates when the difference-of-means test is performed on them.
    These re-designs implied an increase in chip area of about 5% for each implementation. The execution time needed for performing a complete kP-operation was reduced for both designs. For one implementation, the execution time was reduced by 12% in comparison to its original version, and even though its power consumption increased by 9%, its energy consumption per kP-operation was reduced by 4.5%.

    Abstract (translated from German): Standardised cryptographic algorithms are secure from a mathematical point of view. This means that a brute-force attack to determine the secret key takes a time comparable to the lifetime of our world. Algorithms implemented in hardware, however, generate a large amount of additional data during the computation. Among other things, the device's power consumption and its electromagnetic radiation can be measured, stored and analysed in order to extract the private key. Such attacks are called side-channel attacks and are serious threats to the security of cryptographic algorithms. The goal of this work was to develop a methodology for implementing the Montgomery kP-operation that provides resistance against side-channel attacks, using an IHP implementation as the starting point. In addition, the area and energy consumption of the secure Montgomery kP-multipliers should be highly efficient. In this master's thesis, the resistance of two different IHP ECC implementations against side-channel attacks was analysed. A power analysis attack was carried out using the difference-of-means test (DoMT) in order to find potential security weaknesses with respect to side-channel attacks, i.e. to determine the reasons for a successful key extraction. For both implementations, four key candidates with a correctness of at least 90% were extracted. After analysing the functionality of the implemented Montgomery kP-algorithm and its instantaneous power consumption, it was found that the execution order of the algorithm's operations was the main cause of the successful attack. Building on this, a new methodology for implementing the Montgomery kP-algorithm was developed. This methodology is based on a new execution order of the individual operations of the algorithm. After these changes, no keys could be extracted successfully with the DoMT any more. The changes increased the implementation areas by about 5%. The execution time of a complete kP-operation was reduced for both implementations. For example, the execution time of one implementation was reduced by 12% compared to the original version, and although its average power increased by 9%, its energy consumption per kP-operation was reduced by 4.5%.
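    The horizontal difference-of-means test used in the two IHP analyses above (the vulnerability assessment and the thesis), as an added, simulated example that is neither the report's nor the thesis's own code or traces: a constructed power model emits one trace slice per key bit of a kP run, the test labels every slice at each sample position relative to the mean over all slices, and each position's candidate key is scored against the true key, which is how the leaking operations are located. The slot shape, the leaky positions, the +1.0 shift for a set key bit, the noise level and the 256-bit key are assumptions of the example; passing an empty set of leaky positions merely stands in for a re-designed operation flow and says nothing about the thesis's specific changes.

```python
"""Horizontal difference-of-means (DoM) attack on a kP trace, simulated.

Added illustration, not the report's or the thesis's own analysis: a
constructed power model of a Montgomery kP run produces one trace slice
per key bit; the DoM test turns every sample position into a key
candidate and scores it against the true key, which locates the leaking
operations. No leaky positions stands in for a re-designed operation flow.
"""
import random


def simulate_kp_trace(key_bits, samples_per_iter=8, leaky=(2, 5), sigma=0.2, seed=7):
    """Constructed model: sample j of every slot has a fixed shape; at the
    positions in `leaky` it is shifted by +1.0 whenever the key bit is 1
    (e.g. an operand address that depends on the bit), plus Gaussian noise."""
    rng = random.Random(seed)
    slots = []
    for bit in key_bits:
        slot = []
        for j in range(samples_per_iter):
            v = 3.0 + 0.5 * j + (1.0 if (bit and j in leaky) else 0.0)
            slot.append(v + rng.gauss(0.0, sigma))
        slots.append(slot)
    return slots


def dom_candidates(slots):
    """Horizontal DoM: for each sample position j, the mean of sample j over
    all slots is the threshold; slots above it get label 1, the rest 0.
    Every position yields one candidate key of len(slots) bits."""
    n, m = len(slots), len(slots[0])
    cands = []
    for j in range(m):
        mean = sum(s[j] for s in slots) / n
        cands.append([1 if s[j] > mean else 0 for s in slots])
    return cands


def correctness(cand, key_bits):
    """Fraction of bits a candidate gets right; the attacker does not know
    which label means 1, so the complement counts as well."""
    agree = sum(c == k for c, k in zip(cand, key_bits)) / len(key_bits)
    return max(agree, 1.0 - agree)


def locate_leaks(key_bits, leaky=(2, 5), threshold=0.9):
    """Score every sample position's candidate; return all scores and the
    positions whose candidate reaches the threshold (the leaking operations)."""
    slots = simulate_kp_trace(key_bits, leaky=leaky)
    scores = [correctness(c, key_bits) for c in dom_candidates(slots)]
    return scores, [j for j, s in enumerate(scores) if s >= threshold]


def random_key(nbits=256, seed=3):
    """Constructed scalar k as a list of bits."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(nbits)]


if __name__ == "__main__":
    key = random_key()
    scores, leaks = locate_leaks(key)
    print("leaking positions:", leaks, [round(scores[j], 3) for j in leaks])
    print("after re-design:", locate_leaks(key, leaky=())[1])
```

    On real traces the slots come from splitting one measured kP execution into equal-length pieces, one per ladder iteration, and the positions whose candidates score well above 50% point at the operations in the flow that depend on the key bit; a design change is then checked by re-running the same test and requiring that no candidate clears the threshold.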


    On the Security Goals of White-Box Cryptography

    We discuss existing and new security notions for white-box cryptography and comment on their suitability for Digital Rights Management and Mobile Payment Applications, the two prevalent use-cases of white-box cryptography. In particular, we put forward indistinguishability for white-box cryptography with hardware-binding (IND-WHW) as a new security notion that we deem central. We also discuss the security property of application-binding and explain the issues faced when defining it as a formal security notion. Based on our proposed notion for hardware-binding, we describe a possible white-box competition setup which assesses white-box implementations w.r.t. hardware-binding. Our proposed competition setup allows us to capture hardware-binding in a practically meaningful way.

    While some symmetric encryption schemes have been proven to admit plain white-box implementations, we show that not all secure symmetric encryption schemes are white-boxeable in the plain white-box attack scenario, i.e., without hardware-binding. Thus, even strong assumptions such as indistinguishability obfuscation cannot be used to provide secure white-box implementations for arbitrary ciphers. Perhaps surprisingly, our impossibility result does not carry over to the hardware-bound scenario. In particular, Alpirez Bock, Brzuska, Fischlin, Janson and Michiels (ePrint 2019/1014) proved a rather general feasibility result in the hardware-bound model. Equally important, the apparent theoretical distinction between the plain white-box model and the hardware-bound white-box model also translates into practically reduced attack capabilities, as we explain in this paper.

    On the ineffectiveness of internal encodings - Revisiting the DCA attack on white-box cryptography

    The goal of white-box cryptography is to implement cryptographic algorithms securely in software in the presence of an adversary that has complete access to the software’s program code and execution environment. In particular, white-box cryptography needs to protect the embedded secret key from being extracted. Bos et al. (CHES 2016) introduced differential computational analysis (DCA), the first automated attack on white-box cryptography. The DCA attack performs a statistical analysis on execution traces. These traces contain information such as memory addresses or register values, that is collected via binary instrumentation tooling during the encryption process. The white-box implementations that were attacked by Bos et al., as well as white-box implementations that have been described in the literature, protect the embedded key by using the internal encoding techniques introduced by Chow et al. (SAC 2002). Thereby, a combination of linear and non-linear nibble encodings is used to protect the secret key. In this paper we analyse the use of such internal encodings and prove rigorously that they are too weak to protect against DCA. We prove that the use of non-linear nibble encodings does not hide key-dependent correlations, such that a DCA attack succeeds with high probability.
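    An added example of the DCA setting described above, not the paper's own code: a Python model of one first-round AES T-box whose output is protected by random non-linear nibble encodings (a 4-bit bijection per nibble), and a correlation DCA that scores every key-byte guess by the strongest correlation between a predicted S-box output bit and an observed bit. The 8 output bits of the table stand in for the values a binary-instrumentation tool would record on the memory read; the key byte, the encodings and the use of all 256 plaintext bytes are constructed for the example. Without encoding the true key scores exactly 1.0; with random nibble encodings its score is a multiple of 1/8, and, in line with the paper's result, with high probability it is still the highest score.

```python
"""Correlation DCA on a nibble-encoded AES T-box, simulated.

Added illustration, not the paper's code: one first-round T-box
T[x] = enc(S(x ^ k)) is built with random non-linear nibble encodings,
the 8 bits of its output are taken as the "trace" that instrumentation
would record, and every key-byte guess is scored by the strongest
correlation between a predicted S-box output bit and an observed bit.
The key byte, encodings and plaintexts are constructed here.
"""
import random


def _gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        y = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        inv[x], inv[y] = y, x
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return [inv[x] ^ rotl(inv[x], 1) ^ rotl(inv[x], 2) ^ rotl(inv[x], 3)
            ^ rotl(inv[x], 4) ^ 0x63 for x in range(256)]


SBOX = _build_sbox()
IDENTITY = list(range(16))  # "no encoding", for comparison


def random_encodings(seed):
    """Two random 4-bit bijections (non-linear nibble encodings), constructed."""
    rng = random.Random(seed)
    hi, lo = list(range(16)), list(range(16))
    rng.shuffle(hi)
    rng.shuffle(lo)
    return hi, lo


def encode(byte, enc_hi, enc_lo):
    return (enc_hi[byte >> 4] << 4) | enc_lo[byte & 0xF]


def build_tbox(key_byte, enc_hi, enc_lo):
    """White-box lookup table for one byte of AES round 1: key addition and
    S-box merged, output hidden by the nibble encodings."""
    return [encode(SBOX[x ^ key_byte], enc_hi, enc_lo) for x in range(256)]


def _center(v):
    m = sum(v) / len(v)
    c = [x - m for x in v]
    return c, sum(x * x for x in c) ** 0.5


def _corr(ca, na, cb, nb):
    if na == 0.0 or nb == 0.0:
        return 0.0
    return sum(x * y for x, y in zip(ca, cb)) / (na * nb)


def pearson(a, b):
    return _corr(*_center(a), *_center(b))


def dca_scores(tbox):
    """Score each key guess: the traces are the 8 output bits of the table
    for every input byte; the prediction is bit i of S(x ^ guess); the
    score is the largest |correlation| over all (predicted, observed) bit
    pairs. Each score is a multiple of 1/8 for the true key, since the
    encoding acts on 16 nibble values seen 16 times each."""
    obs = [_center([(tbox[x] >> j) & 1 for x in range(256)]) for j in range(8)]
    scores = []
    for guess in range(256):
        best = 0.0
        for i in range(8):
            cp, np_ = _center([(SBOX[x ^ guess] >> i) & 1 for x in range(256)])
            for co, no in obs:
                best = max(best, abs(_corr(cp, np_, co, no)))
        scores.append(best)
    return scores


def rank_of_true_key(scores, key_byte):
    """1 means the true key byte has the highest score."""
    return 1 + sum(s > scores[key_byte] for s in scores)


if __name__ == "__main__":
    key = 0x2B  # constructed key byte
    tbox = build_tbox(key, *random_encodings(5))
    scores = dca_scores(tbox)
    print("true key score %.3f, rank %d" % (scores[key], rank_of_true_key(scores, key)))
```

    The observed bit is a fixed (if unknown) function of the S-box output nibble, so for the correct key its correlation with each predicted bit is (a - 8)/8 for some agreement count a out of 16; an encoding only hides the key when all 16 (predicted, observed) pairs of a nibble land on a = 8, whereas wrong guesses see the S-box output through the key difference and stay near zero.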
