Correlation Power Analysis of Lightweight Block Ciphers
From Theory to Practice

Alex Biryukov, Daniel Dinu, Johann Großschädl
SnT, University of Luxembourg
ESC 2017

Outline
1. Motivation
2. Theory
   - Selection Function
   - Correlation Power Analysis (CPA)
3. Practice
   - Evaluation Framework
   - Quantifying the Leakage
   - Results
4. Conclusion

Motivation

Theory
- many theoretical metrics for the SCA resistance of S-boxes:
  - Nonlinearity (NL)
  - Transparency Order (TO)
  - Improved Transparency Order (ITO)
  - DPA Signal-to-Noise Ratio (SNR)
  - ...
- SCA resistance is often associated with low nonlinearity

Practice
- how well do these theoretical metrics quantify the SCA leakage?
- which are the best targets for SCA attacks?

Selection Function
- x: known part of the input of the round function
- k: unknown part of the round key

Definition (Selection Function): In the context of side-channel attacks, a selection function gives the intermediate result, also referred to as the sensitive value φ_k, which is used by the attacker to recover the secret key.

ϕ : F_2^n → F_2^m
φ_k = ϕ(x, k)

Correlation Power Analysis (CPA)
- φ_k = ϕ(x, k): sensitive value used by the attacker to recover the secret key
- x: known part of the input of the round function
- k: unknown part of the round key

Definition (Correlation Power Analysis (CPA)): Given a set of power traces and the corresponding sets of intermediate values φ_1, φ_2, ..., φ_{2^k}, Correlation Power Analysis (CPA) aims at recovering the secret subkey k using a correlation factor between the measured power samples and the power model of the computed sensitive values.

Evaluation Framework

Measurement Setup
- target board: 8-bit AVR ATmega2561
- oscilloscope: LeCroy WaveRunner 104MXi
- noise reduction: Faraday cage, regulated power supply, fiber-optic communication

Metrics
- Success Rate (SR)
- Guessing Entropy (GE)
- average over 100 experiments
- up to 2000 traces per experiment

Quantifying the Leakage

Which assembly instruction leaks more?
- register-only instructions: and, add
- memory access instructions: lpm, ld, st

Which selection function leaks more?
- logical operations: AND ( ), OR ( ), XOR ( )
- modular addition: ADD ( ), ADC ( )
- S-boxes: AES, LBlock, Piccolo, PRINCE
- L-boxes: Fantomas

Correlation Coefficient Difference (δ)

Definition (Correlation Coefficient Difference): The difference between the correlation coefficient of the correct key k, i.e. c k, and the correlation coefficient of the most likely key guess k, i.e. c k, with k k.

δ = c k c k

- δ < 0: leaks less, several guesses
- δ > 0: leaks more, 1 guess
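
The δ metric defined above, computed on simulated traces (an added example, not code from the slides or the authors' evaluation framework). It assumes a noisy Hamming-weight leakage model, absolute Pearson correlation as the CPA distinguisher, 4-bit x and k, and XOR key mixing before the PRINCE S-box lookup; on this idealized model the XOR selection function ties with the complemented key (δ ≈ 0, several guesses) while the S-box lookup yields δ > 0 (one guess).

```python
import random

# 4-bit S-box of PRINCE, one of the S-boxes the slides evaluate.
PRINCE_SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1,
               0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]
BITS = 4  # width of x and k in this constructed experiment (assumption)

def phi_xor(x, k):
    return x ^ k

def phi_sbox(x, k):
    # Assumption: the key is mixed in by XOR before the table lookup.
    return PRINCE_SBOX[x ^ k]

def hw(v):
    return bin(v).count("1")

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def cpa_coefficients(phi, inputs, traces):
    """|correlation| between the Hamming-weight model and the traces, per key guess."""
    return [abs(pearson([hw(phi(x, g)) for x in inputs], traces))
            for g in range(1 << BITS)]

def delta(phi, key, n_traces=2000, sigma=0.5, seed=2017):
    """delta = c(correct key) - max c(wrong guess), on simulated one-sample traces."""
    rng = random.Random(seed)
    inputs = [rng.randrange(1 << BITS) for _ in range(n_traces)]
    # Constructed leakage: Hamming weight of the sensitive value plus Gaussian noise.
    traces = [hw(phi(x, key)) + rng.gauss(0.0, sigma) for x in inputs]
    coef = cpa_coefficients(phi, inputs, traces)
    return coef[key] - max(c for g, c in enumerate(coef) if g != key)

if __name__ == "__main__":
    for name, phi in (("XOR", phi_xor), ("PRINCE S-box", phi_sbox)):
        print(f"{name:13s} delta = {delta(phi, key=0x7):+.3f}")
```

The measured values in the slides come from a real device whose leakage is not a pure Hamming-weight function, so the simulated numbers illustrate the sign of δ rather than reproduce the reported figures.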

Understanding the Device's Leakage

[Figure: correlation coefficient difference (δ) versus correct key (0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF) for the instructions and, add, lpm, ld, st]

- register-only instructions: and, add
- memory instructions: lpm, ld, st

Comparison of Different Selection Functions
- target: st instruction
- 4 groups of selection functions:
  - logical operations: AND ( ), OR ( ), XOR ( )
  - modular addition: ADD ( ), ADC ( )
  - S-boxes: AES, LBlock, Piccolo, PRINCE
  - L-boxes: Fantomas

1. Logical Operations

[Figure: correlation coefficient difference (δ) versus correct key (0x00 to 0xFF) for ϕ_1, ϕ_2, ϕ_3]

ϕ_1(x, k) = x k
ϕ_2(x, k) = x k
ϕ_3(x, k) = x k

2. Modular Addition

[Figure: correlation coefficient difference (δ) versus correct key (0x00 to 0xFF) for ϕ_4, ϕ_5]

ϕ_4(x, k) = x k
ϕ_5(x, k, c) = x k c

3. S-boxes

[Figure: correlation coefficient difference (δ) versus correct key (0x00 to 0xFF) for ϕ_6 to ϕ_12]

- 8-bit: ϕ_6 = S_AES(x k)
- 4-bit: ϕ_7 = S_LBlock(x k), ϕ_9 = S_Piccolo(x k), ϕ_11 = S_PRINCE(x k)
- 8-bit: ϕ_8 = S_LBlock(x k), ϕ_10 = S_Piccolo(x k), ϕ_12 = S_PRINCE(x k)

4. L-boxes

[Figure: correlation coefficient difference (δ) versus correct key (0x00 to 0xFF) for ϕ_13, ϕ_14, ϕ_15, ϕ_16]

ϕ_13 = LSB(L 1 1,Fantomas (x k))
ϕ_14 = MSB(L 1 1,Fantomas (x k))
ϕ_15 = LSB(L 1 2,Fantomas (x k))
ϕ_16 = MSB(L 1 2,Fantomas (x k))

Comparison of Different Selection Functions

| Selection function | n | m | NL | δ |
|---|---|---|---|---|
| ϕ_1(x, k) = x k | 16 | 8 | 16384 | -0.005 |
| ϕ_2(x, k) = x k | 16 | 8 | 16384 | -0.018 |
| ϕ_3(x, k) = x k | 16 | 8 | 0 | -0.153 |
| ϕ_4(x, k) = x k | 16 | 8 | 0 | 0.127 |
| ϕ_6(x k) = S_AES(x k) | 8 | 8 | 112 | 0.586 |
| ϕ_7(x k) = S_LBlock(x k) | 4 | 4 | 4 | 0.342 |
| ϕ_8(x k) = S_LBlock(x k) | 8 | 8 | 64 | 0.235 |
| ϕ_15(x k) = LSB(L 1 2,Fantomas (x k)) | 8 | 8 | 0 | 0.136 |

sometimes nonlinearity (NL) fails to quantify resilience to CPA:
- bitwise operations (AND, OR)
- 4-bit vs. 8-bit S-layer (e.g. LBlock)
- L-layer (e.g. Fantomas)

Analysed Ciphers

Selection criteria:
- good software performance in the Triathlon competition [1]
- variety of design constructions

| Cipher | Block Size (bits) | Key Size (bits) | Structure | Attacked Operation |
|---|---|---|---|---|
| AES | 128 | 128 | SPN | S-box lookup |
| Fantomas | 128 | 128 | SPN | L-box lookup |
| LBlock | 64 | 80 | Feistel | S-box lookup |
| Piccolo | 64 | 80 | Feistel | S-box lookup |
| PRINCE | 64 | 128 | SPN | S-box lookup |
| RC5 | 64 | 128 | Feistel | modular addition |
| Simon | 64 | 96 | Feistel | bitwise AND |
| Speck | 64 | 96 | Feistel | modular subtraction |

[1] https://www.cryptolux.org/index.php/felics

Properties of S-boxes

| Cipher | S-box | NL | TO | ITO | SNR | δ | SE_δ |
|---|---|---|---|---|---|---|---|
| AES | S | 112 | 7.860 | 6.916 | 9.600 | 0.586 | 0.008 |
| LBlock | S_0 | 4 | 3.667 | 2.567 | 2.946 | 0.342 | 0.008 |
| Piccolo | S | 4 | 3.667 | 2.567 | 3.108 | 0.339 | 0.019 |
| PRINCE | S | 4 | 3.400 | 2.333 | 2.129 | 0.269 | 0.010 |

- NL could not differentiate between LBlock, Piccolo and PRINCE
- TO, ITO could not differentiate between LBlock and Piccolo
- SNR differentiates between LBlock, Piccolo and PRINCE
- δ: no clear differentiation between LBlock and Piccolo

Measurement Setups

| High-cost (> $5,000) | Low-cost (< $300) |
|---|---|
| custom measurement board | Arduino Uno |
| LeCroy WaveRunner 104MXi | Digilent Analog Discovery |
| noise reduction | no noise reduction |

Results

| Cipher | High-cost: # Traces (SR 80%) | High-cost: GE (2000 Traces) | Low-cost: # Traces (SR 80%) | Low-cost: GE (2000 Traces) |
|---|---|---|---|---|
| AES | 30 | 0 | 61 | 0 |
| Fantomas | 74 | 0 | | 3.354 |
| LBlock | 316 | 0 | | 0.974 |
| Piccolo | 1215 | 0 | | 8.627 |
| PRINCE | 76 | 0 | 106 | 0 |
| RC5 | | 5.672 | | 25.349 |
| Simon | | 10.486 | | 16.973 |
| Speck | | 2.544 | | 15.288 |

- recover 32 bits of the round key K = 0x01234567

Results Recap

two main classes of lightweight ciphers with respect to their implementations' resistance against CPA

First Class
- ciphers that use lookup tables
- full key recovery (GE = 0)
- 8-bit S-box: AES
- 4-bit S-box: LBlock, Piccolo, PRINCE
- L-box: Fantomas

Second Class
- ARX designs
- partial key recovery (GE 0)
- RC5, Simon, Speck

Conclusion
- practical approach to evaluate SCA leakage (theory practice)
- nonlinearity should not be used to estimate SCA resilience
- avoid lookup tables and memory instructions (lpm, ld, st)
- implementation tricks to increase SCA resilience
- ARX designs show a certain level of intrinsic resilience against CPA

Thank you!

Results: Random Key

| Cipher | High-cost: # Traces (SR 80%) | High-cost: GE (2000 Traces) | Low-cost: # Traces (SR 80%) | Low-cost: GE (2000 Traces) |
|---|---|---|---|---|
| AES | 30 | 0 | 69 | 0 |
| Fantomas | 52 | 0 | | 3.293 |
| LBlock | 742 | 0 | | 0.858 |
| Piccolo | 1962 | 0 | | 9.148 |
| PRINCE | 52 | 0 | 70 | 0 |
| RC5 | | 6.741 | | 24.093 |
| Simon | | 28.254 | | 27.942 |
| Speck | | 27.824 | | 25.213 |

- recover 32 bits of the round key K = 0xd749715b