A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery

Size: px

Start display at page:

Download "A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery"

Gavin Fields
6 years ago
Views:

1 A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery Christophe Petit 1, François-Xavier Standaert 1, Olivier Pereira 1, Tal G. Malkin 2, Moti Yung 2 1, Université catholique de Louvain. 2 Dept. of Computer Science, Columbia University. Microelectronics Laboratory Christophe Petit, March

2 Physical Security Security is usually proved in an idealized model Microelectronics Laboratory Christophe Petit, March

3 Physical Security Security is usually proved in an idealized model While implemented, many secure cryptographic protocols are vulnerable to side-channel attacks (SC) Microelectronics Laboratory Christophe Petit, March

4 Physical Security Security is usually proved in an idealized model While implemented, many secure cryptographic protocols are vulnerable to side-channel attacks (SC) Issue : partial information on the SECRET is leaked by physical media Microelectronics Laboratory Christophe Petit, March

5 Physical Security Security is usually proved in an idealized model While implemented, many secure cryptographic protocols are vulnerable to side-channel attacks (SC) Issue : partial information on the SECRET is leaked by physical media By recovering many pieces of partial info, one can recover the whole secret key Microelectronics Laboratory Christophe Petit, March

6 Physical Security How to deal with leakages? (Try to) remove them by electronic countermeasures (masking, noise addition, dual-rails,...) Microelectronics Laboratory Christophe Petit, March

7 Physical Security How to deal with leakages? (Try to) remove them by electronic countermeasures (masking, noise addition, dual-rails,...) Assume some perfect component (e.g. Katz non-tamperable device) Microelectronics Laboratory Christophe Petit, March

8 Physical Security How to deal with leakages? (Try to) remove them by electronic countermeasures (masking, noise addition, dual-rails,...) Assume some perfect component (e.g. Katz non-tamperable device) Re-design algorithms Microelectronics Laboratory Christophe Petit, March

9 Physical Security Re-design algorithms Do not only prevent leakages from occuring Make their combination hard Microelectronics Laboratory Christophe Petit, March

10 Physical Security Re-design algorithms Do not only prevent leakages from occuring Make their combination hard Model the leakages Micali-Reyzin model Microelectronics Laboratory Christophe Petit, March

11 Physical Security Re-design algorithms Do not only prevent leakages from occuring Make their combination hard Model the leakages Micali-Reyzin model Case Study : Pseudo-Random Number Generator (PRNG) Microelectronics Laboratory Christophe Petit, March

12 Case Study: PRNG Black-Box security (BB) : PRNG Grey-Box security (GB): prevent traditional SC cryptanalysis Microelectronics Laboratory Christophe Petit, March

13 Talk Overview Introduction PRNG Construction BB model & security GB model & security PRNG summary Conclusion and further work Microelectronics Laboratory Christophe Petit, March

14 Construction (Public IV, secret keys) Microelectronics Laboratory Christophe Petit, March

15 Construction (Public IV, secret keys) First idea (in BB): if E1 and E 2 are good, then the y i s should be PRNs. Microelectronics Laboratory Christophe Petit, March

16 Construction (Public IV, secret keys) First idea (in BB): if E1 and E 2 are good, then the y i s should be PRNs. But (in GB) successive leakages allow recovering the whole secret. Microelectronics Laboratory Christophe Petit, March

17 The construction So key update : k i+1 = k i m i and k i+1 = k i m i Microelectronics Laboratory Christophe Petit, March

18 The construction So key update : k i+1 = k i m i and k i+1 = k i m i Each running key ki, k i is used to encrypt only one message. Microelectronics Laboratory Christophe Petit, March

19 Black-Box Model Ideal cipher model E : K M M (Here K = M) for each key k K, the function Ek ( ) = E(k, ) is a random permutation on M Microelectronics Laboratory Christophe Petit, March

20 Black-Box Model PRNG : Deterministic algorithm G : K ˆK (with K < ˆK ) Microelectronics Laboratory Christophe Petit, March

21 Black-Box Model PRNG : Deterministic algorithm G : K ˆK (with K < ˆK ) For any adversary A : ˆK {0, 1}, let Succ prng 1 G,A = Pr[A(ˆk) = 1 : ˆk R ˆK], Succ prng 0 G,A = Pr[A(ˆk) = 1 : ˆk G(k); k R K], Adv prng G,A = Succ prng 1 G,A Succ prng 0 G,A. Microelectronics Laboratory Christophe Petit, March

22 Black-Box Model PRNG : Deterministic algorithm G : K ˆK (with K < ˆK ) For any adversary A : ˆK {0, 1}, let Succ prng 1 G,A = Pr[A(ˆk) = 1 : ˆk R ˆK], Succ prng 0 G,A = Pr[A(ˆk) = 1 : ˆk G(k); k R K], Adv prng G,A = Succ prng 1 G,A Succ prng 0 G,A. G is a PRNG if for any A, Adv prng G,A 0. Microelectronics Laboratory Christophe Petit, March

23 Black-Box Analysis Proof: study security of one round and extend it to multiple rounds by hybrid argument Microelectronics Laboratory Christophe Petit, March

24 Black-Box Analysis Proof: study security of one round and extend it to multiple rounds by hybrid argument For each X M = K, let G X : K K K K K G X (K, K ) = (E K (X ) K, E K (X ) K, E K (E K (X ))). Microelectronics Laboratory Christophe Petit, March

25 Black-Box Analysis Security of a single round By definition, Succ prng 0 G X,A = Pr[A(ˆk) = 1 : (k, k ) R K K; ˆk G X (k, k )] Microelectronics Laboratory Christophe Petit, March

26 Black-Box Analysis Security of a single round By definition, Succ prng 0 G X,A = Pr[A(ˆk) = 1 : (k, k ) R K K; ˆk G X (k, k )] Recalling what G X (k, k ) is, Microelectronics Laboratory Christophe Petit, March

27 Black-Box Analysis Security of a single round Recalling what G X (k, k ) is, Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; m E k (X ); k 1 m k; k 1 m k ; y E k (m)] Microelectronics Laboratory Christophe Petit, March

28 Black-Box Analysis Security of a single round Recalling what G X (k, k ) is, Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; m E k (X ); k 1 m k; k 1 m k ; y E k (m)] Now using the ideal cipher model for E k and E k, Microelectronics Laboratory Christophe Petit, March

29 Black-Box Analysis Security of a single round Now using the ideal cipher model for E k and E k, Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; P R Perm(K); P m P(X ); R Perm(K); k 1 m k; k 1 m k ; y P (m)] Microelectronics Laboratory Christophe Petit, March

30 Black-Box Analysis Security of a single round Now using the ideal cipher model for E k and E k, Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; P R Perm(K); P m P(X ); R Perm(K); k 1 m k; k 1 m k ; y P (m)] Choosing random permutation and then applying to X is equivalent to choosing random element, so Microelectronics Laboratory Christophe Petit, March

31 Black-Box Analysis Security of a single round Choosing random permutation and then applying to X is equivalent to choosing random element, so Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; m R K; k 1 m k; k 1 m k ; y R K] Microelectronics Laboratory Christophe Petit, March

32 Black-Box Analysis Security of a single round Choosing random permutation and then applying to X is equivalent to choosing random element, so Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k R K; k R K; m R K; k 1 m k; k 1 m k ; y R K] So, each of the inputs of A looks random Microelectronics Laboratory Christophe Petit, March

33 Black-Box Analysis Security of a single round So, each of the inputs of A looks random Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k 1 R K; k 1 y R K] R K; Microelectronics Laboratory Christophe Petit, March

34 Black-Box Analysis Security of a single round So, each of the inputs of A looks random Succ prng 0 G X,A = Pr[A(k 1, k 1, y) = 1 : k 1 R K; k 1 y R K] = Succ prng 1 G X,A R K; Microelectronics Laboratory Christophe Petit, March

35 Black-Box Analysis Security of G q (q rounds of G): hybrid argument Consider hybrid algorithms on q rounds Microelectronics Laboratory Christophe Petit, March

36 Black-Box Analysis Security of G q (q rounds of G): hybrid argument Consider hybrid algorithms on q rounds The i th hybrid has i single G rounds, followed by q i rounds of truly random generators Microelectronics Laboratory Christophe Petit, March

37 Black-Box Analysis Security of G q (q rounds of G): hybrid argument Consider hybrid algorithms on q rounds The i th hybrid has i single G rounds, followed by q i rounds of truly random generators The i + 1 th hybrid differs from the i th hybrid only by one round Microelectronics Laboratory Christophe Petit, March

38 Black-Box Analysis Security of G q (q rounds of G): hybrid argument Consider hybrid algorithms on q rounds The i th hybrid has i single G rounds, followed by q i rounds of truly random generators The i + 1 th hybrid differs from the i th hybrid only by one round prng If there is A such that Adv G q,a > ɛ, then there is A such that Adv prng > ɛ G,A q for one of the rounds Microelectronics Laboratory Christophe Petit, March

39 Grey-Box Model Microelectronics Laboratory Christophe Petit, March

40 Grey-Box Model Now recall that physical means leak information on the keys Microelectronics Laboratory Christophe Petit, March

41 Grey-Box Model Now recall that physical means leak information on the keys Implementation = algorithm + (probabilistic) leakage function of the keys P q (K, K ) = (G q (K, K ), L q (K, K )) Microelectronics Laboratory Christophe Petit, March

42 Grey-Box Model Now recall that physical means leak information on the keys Implementation = algorithm + (probabilistic) leakage function of the keys P q (K, K ) = (G q (K, K ), L q (K, K )) We show the available information does not permit recovering the secret Microelectronics Laboratory Christophe Petit, March

43 Grey-Box Model Side-channel key recovery adversary Succ sc kr δ(k,k ) P q (K,K ),A = Pr[A(P q (k, k )) = δ(k, k ) : δ(k, K ) is part of the key (e.g., 1 byte) k R K; k R K] Microelectronics Laboratory Christophe Petit, March

44 Grey-Box Model Side-channel key recovery adversary Succ sc kr δ(k,k ) P q (K,K ),A = Pr[A(P q (k, k )) = δ(k, k ) : δ(k, K ) is part of the key (e.g., 1 byte) If δ(k, K ) = K [0 7] k R K; k R K] Succ sc kr K P q (K,K ),A = (Succsc kr K [0 7] P q (K,K ),A )n/8 Microelectronics Laboratory Christophe Petit, March

45 Grey-Box Model Assumptions : Fixed IV Leakages on the mi s, k i s (and ki s) Cannot be related but by the rekeying relations k j i+1 = kj i m i Microelectronics Laboratory Christophe Petit, March

46 Grey-Box Model Additional assumptions Iterative BC, no key schedule The adversary targets first round key L(ki ) = L(ki 0) Form of leakage functions : HW, GHW, NI Microelectronics Laboratory Christophe Petit, March

47 Grey-Box Analysis With observed leakages l q = {L(k i ), L(m i )} and relations k i+1 = k i m i, the best guess is k guess := arg max Pr[K = k L q = l q ] k Microelectronics Laboratory Christophe Petit, March

48 Grey-Box Analysis With observed leakages l q = {L(k i ), L(m i )} and relations k i+1 = k i m i, the best guess is k guess := arg max Pr[K = k L q = l q ] k We derive formulae for the success rate Succ sc kr K 0 P q (K,K ),A = f (q, {L(k i), L(m i )}) Microelectronics Laboratory Christophe Petit, March

49 Grey-Box Analysis With observed leakages l q = {L(k i ), L(m i )} and relations k i+1 = k i m i, the best guess is k guess := arg max Pr[K = k L q = l q ] k We derive formulae for the success rate Succ sc kr K 0 P q (K,K ),A = f (q, {L(k i), L(m i )}) Goal : show that SR remains small as q increases Microelectronics Laboratory Christophe Petit, March

50 Hamming Weight Leakages Hamming weight leakages L(x) = W H (x) = i x i (relevant in power consumption measures) Microelectronics Laboratory Christophe Petit, March

51 Hamming Weight Leakages Hamming weight leakages L(x) = W H (x) = i x i (relevant in power consumption measures) In this case we compute : Succ sc kr K 0 P q (K,K ),A = n+1 2 n High security, independently of q Microelectronics Laboratory Christophe Petit, March

52 Noisy Identity Leakages Here the above formulae are hard to evaluate analytically Monte-Carlo simulations success rate AES 128, 8 bit architecture AES 128, 32 bit architecture AES 128, 128 bit architecture AES 256, 256 bit architecture number of PRNG rounds Microelectronics Laboratory Christophe Petit, March

53 Noisy Identity Leakages Here the above formulae are hard to evaluate analytically Monte-Carlo simulations success rate AES 128, 8 bit architecture AES 128, 32 bit architecture AES 128, 128 bit architecture AES 256, 256 bit architecture number of PRNG rounds Succ sc-kr-k AES256,A (0.08) 32 = Microelectronics Laboratory Christophe Petit, March

54 PRNG Summarized BB : secure in the ideal cipher model Microelectronics Laboratory Christophe Petit, March

55 PRNG Summarized BB : secure in the ideal cipher model GB : SC Key Recovery prevented by the rekeying process Some practically relevant leakages are investigated and SR 1 even if q increases Microelectronics Laboratory Christophe Petit, March

56 PRNG Summarized BB : secure in the ideal cipher model GB : SC Key Recovery prevented by the rekeying process Some practically relevant leakages are investigated and SR 1 even if q increases With other countermeasures, leakages on more rounds means better attack Microelectronics Laboratory Christophe Petit, March

57 Conclusion and Further Work Re-design strategy to be used with other countermeasures Microelectronics Laboratory Christophe Petit, March

58 Conclusion and Further Work Re-design strategy to be used with other countermeasures Need of theoretical framework for SC unify BB and GB... define physical primitives compose primitives Microelectronics Laboratory Christophe Petit, March

59 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

60 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

61 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

62 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

63 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

64 Thank you Thank you for attention Microelectronics Laboratory Christophe Petit, March

65 Secure initialization of the PRNG with a public seed ki ki * IV0 IV1 zi xi E1 mi E2 yi r(i) ki+1 = ki mi ki+1 * = ki * mi Microelectronics Laboratory Christophe Petit, March

66 Secure initialization of the PRNG with a public seed ki ki * IV0 IV1 zi xi E1 mi E2 yi r(i) ki+1 = ki mi ki+1 * = ki * mi Microelectronics Laboratory Christophe Petit, March

67 Secure initialization of the PRNG with a public seed ki ki * IV0 IV1 zi xi E1 mi E2 yi r(i) ki+1 = ki mi ki+1 * = ki * mi Microelectronics Laboratory Christophe Petit, March

68 Secure initialization of the PRNG with a public seed ki ki * IV0 IV1 zi xi E1 mi E2 yi r(i) ki+1 = ki mi ki+1 * = ki * mi Microelectronics Laboratory Christophe Petit, March

69 Grey-Box Model Assumptions : Fixed IV (removed further) Leakages on the mi s, k i s (and ki s) Cannot be related but by the rekeying relations k j i+1 = kj i m i Microelectronics Laboratory Christophe Petit, March

70 Grey-Box Model Additional assumptions Iterative BC, no key schedule The adversary targets first round key L(ki ) = L(ki 0)) Form of leakage functions : HW, GHW, NI We suppose Bayesian adversary Microelectronics Laboratory Christophe Petit, March

71 Discussion about Grey-Box assumptions Many assumptions make the proofs cleaner......but are not essential. Relaxations same qualitative conclusions key schedule adapt the leakage model L(ki ) targeting not only the first iteration of the PRNG may increase SR, but qualitative results remains Microelectronics Laboratory Christophe Petit, March

Pseudorandom Number Generation and Stream Ciphers

Pseudorandom Number Generation and Stream Ciphers Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/