Constructive Side-Channel Analysis and Secure Design

Persistent fault analysis (PFA) consists in guessing block cipher secret keys by biasing their substitution box. This paper improves the original attack of Zhang et al. on AES-128 presented at CHES 2018. By a thorough analysis, the exact probability distribution of the ciphertext (under a uniformly distributed plaintext) is derived, and the maximum likelihood key recovery estimator is computed exactly. Its expression is turned into an attack algorithm, which is shown to be twice more efficient in terms of number of required encryptions than the original attack of Zhang et al. This algorithm is also optimized from a computational complexity standpoint. In addition, our optimal attack is naturally amenable to key enumeration, which expedites full 16-bytes key extraction. Various tradeoffs between data and computational complexities are investigated.

We present an enumeration procedure based on a template attack to recover the complete input text of a SHA-3 implementation on an 8-bit microprocessor from a single trace of a power-analysis side channel. This attack targets 600 bytes of triple-redundant internal state in each invocation of the permutation used by SHA-3. We first build templates that can generate for each of these bytes a rank table of all 256 candidates. The templates we obtained for our 8-bit target CPU nearly identified the correct value of most target bytes directly, rather than just gathering information about their Hamming weights. We then search the full intermediate state of the Keccak permutation to eliminate remaining uncertainties about the recovered byte values. From the resulting intermediate states we finally reconstruct both the input and output of SHA-3 and verify the output. In our experimental evaluation of this procedure we achieved success rates higher than 99%.

This paper presents the first side-channel analysis (SCA) on polynomial-based message authentication code (MAC) schemes which is applicable to Poly1305. Typical SCAs (e.g., simple power analysis (SPA) and differential power analysis (DPA)) and conventional attacks on GCM/GMAC that focus on the first multiplication result in the universal hashing (i.e., polynomial evaluation) cannot be applied to Poly1305 owing to one-time keys and the structure of prime-field multiplication. On the other hand, the proposed attack retrieves the hash key from a single side-channel trace (e.g., a power/EM trace given by one execution) with a non-negligible probability and is applicable to polynomial-based MAC schemes implemented on an 8-bit micro-controller. The proposed attack allows the attacker to forge the authentication tag even if the hash key is a one-time key. The basic idea of the proposed attack is to exploit the addition in polynomial-based MAC schemes. Since the output or one input of the addition in these MAC schemes is known, we can efficiently estimate the unknown operands of addition, and then retrieve the hash key by the polynomial factorizations with the estimated candidates. This study also shows a cost-effective countermeasure for ChaCha20-Poly1305 using a combination of a lightweight masked Poly1305 and first-order mask conversion from Boolean to arithmetic.

Recent works in side-channel analysis have been fully relying on training classification models to recover sensitive information from traces. However, the knowledge of an attacker or an evaluator is not taken into account and poorly captured by solely training a classifier on signals. This paper proposes to inject prior information in preprocessing and classification in order to increase the performance of side-channel attacks (SCA). First we propose to use the Wavelet Scattering Transform, recently proposed by Mallat, for mapping traces into a time-frequency space which is stable under small translation and diffeomorphism. That way, we address the issues of desynchronization and deformation generally present in signals for SCA. The second part of our paper extends the canonical attacks over byte and Hamming weight by introducing a more general attack. Classifiers are trained on different labelings of the sensitive variable and combined by minimizing a cross-entropy criterion so as to find the best labeling strategy. With these two key ideas, we successfully increase the performance of Template Attacks on artificially desynchronized traces and signals from a jitter-protected implementation.

Scatter is a multivariate transform proposed in combination with the Chi\(^2\) and MIA distinguishers at COSADE 2018. Its primary motivation is to inherently deal with the misalignment and synchronization issues that may decrease the efficiency of concrete side-channel attacks. In this paper, we first show empirically that when compared to natural competitors for first-order multivariate attacks (e.g., exploiting linear regression on-the-fly), it does not bring improvements in the (simulated and actual) implementation settings studied by its authors. We then show that the same holds in the higher-order case: in most practically-relevant settings, Scatter works best when combined with a combination function mixing the leakage samples in a non-linear manner, bringing it back to a situation where it does not improve standard distinguishers.

Side-channel leakage detection methods based on statistical tests, such as t-test or \(\chi ^2\)-test, provide a high confidence in the presence of leakage with a large number of traces. However, practical limitations on testing time and equipment may set an upper-bound on the number of traces available, turning the number of traces into a limiting factor in side-channel leakage detection. We describe a statistical technique, based on statistical bootstrapping, that significantly improves the effectiveness of leakage detection using a limited set of traces. Bootstrapping generates additional sample sets from an initial set by assuming that it is representative of the entire population. The additional sample sets are then used to conduct additional leakage detection tests, and we show how to combine the results of these tests. The proposed technique, applied to side-channel leakage detection, can significantly reduce the number of traces required to detect leakage by one, or more orders of magnitude. Furthermore, for an existing measured sample set, the method can significantly increase the confidence of existing leakage hypotheses over a traditional (non-bootstrap) leakage detection test. This paper introduces the bootstrapping technique for leakage detection, applies it to three practical cases, and describes techniques for its efficient computation.

In 2017, the first CHES Capture the Flag Challenge was organized in an effort to promote good design candidates for white-box cryptography. In particular, the challenge assessed the security of the designs with regard to key extraction attacks. A total of 94 candidate programs were submitted, and all of them were broken eventually. Even though most candidates were broken within a few hours, some candidates remained robust against key extraction attacks for several days, and even weeks. In this paper, we perform a qualitative analysis on all candidates submitted to the CHES 2017 Capture the Flag Challenge. We test the robustness of each challenge against different types of attacks, such as automated attacks, extensions thereof and reverse engineering attacks. We are able to classify each challenge depending on their robustness against these attacks, highlighting how challenges vulnerable to automated attacks can be broken in a very short amount of time, while more robust challenges demand for big reverse engineering efforts and therefore for more time from the adversaries. Besides classifying the robustness of each challenge, we also give data regarding their size and efficiency and explain how some of the more robust challenges could actually provide acceptable levels of security for some real-life applications.

Cryptographic protocol implementations in both software and hardware leak sensitive information during their execution. Side-channel attacks (SCA) consist in analyzing this information in order to reveal the secret parameters of the protocols. Among the different SCA introduced in the literature, the Linear Regression Analysis (LRA) has been argued to be particularly interesting when few information is available on the hardware architecture of the device executing the protocol (e.g. if the so called Hamming weight model does not hold).

However, the computing complexity of the existing LRA implementation is high, which explains why other techniques like e.g. the Correlation Power Analysis (CPA) is often preferred in practice.

While several works have explored the application of deep learning for efficient profiled side-channel analysis, explainability, or, in other words, what neural networks learn remains a rather untouched topic. As a first step, this paper explores the Singular Vector Canonical Correlation Analysis (SVCCA) tool to interpret what neural networks learn while training on different side-channel datasets, by concentrating on deep layers of the network. Information from SVCCA can help, to an extent, with several practical problems in a profiled side-channel analysis like portability issue and criteria to choose a number of layers/neurons to fight portability, provide insight on the correct size of training dataset and detect deceptive conditions like over-specialization of networks.

Deep learning based side-channel analysis has seen a rise in popularity over the last few years. A lot of work is done to understand the inner workings of the neural networks used to perform the attacks and a lot is still left to do. However, finding a metric suitable for evaluating the capacity of the neural networks is an open problem that is discussed in many articles. We propose an answer to this problem by introducing an online evaluation metric dedicated to the context of side-channel analysis and use it to perform early stopping on existing convolutional neural networks found in the literature. This metric compares the performance of a network on the training set and on the validation set to detect underfitting and overfitting. Consequently, we improve the performance of the networks by finding their best training epoch and thus reduce the number of traces used by 30%. The training time is also reduced for most of the networks considered.

The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.

One major advance in software security would be to use robust processors which could assist the code developer to thwart both cyber and physical attacks. This paper presents a hardware-based solution which increases the security by checking the integrity of executed code on any microcontroller. Unlike other Control Flow Integrity (CFI) protections, this solution does not require modifications of the CPU pipeline, but relies on monitoring the interface between the processor and its instruction cache. The integrity of the execution flow and the instruction sequences (called Basic Blocks) is checked by hardware with precomputed metadata. Another module is dedicated to speed up the access to these metadata. This paper shows the effectiveness of the solution as the impact is as much as 21% in average on the execution time at the price of using memory space to store metadata along with the code.

The design of digital systems has its mainstay in the electronic design automation flows which act as crucial instruments to reduce the effort to realize complex computing platforms. In this work, we investigate the possibility of integrating side channel security analyses within the existing FPGA design flow, to provide a feedback to the hardware designer in a prompt and effective way. To this end, we realize an analysis framework which detects side channel leakage on the power consumption side channel at two well established checkpoints in hardware design, i.e., post synthesis and post implementation. We report the results of the proposed framework when integrated within the commercial Xilinx Vivado design toolchain. As a case study, we employ an open source SoC running a software version of the AES block cipher and provide a taxonomy of the side channel information leakage. The reported results highlight how our approach is able to provide precise insights on the sources of information leakage in the hardware design at hand. In particular, we show that the results of the simulations at post synthesis and post implementation stages provide complementary sets of insights on the information leakage, which, thanks to our methodology, can be traced back to architectural components which are the culprits of the said leakage.

In this work we study the leakage resilience of authenticated encryption schemes. We show that, if one settles for non-adaptive leakage, leakage-resilient authenticated encryption schemes can be built from leakage-resilient pseudorandom functions.

Degabriele et al. (ASIACRYPT 2019) introduce the \({ \textsc {FGHF}}^{\prime }\) construction which allows to build leakage-resilient authenticated encryption schemes from functions which, under leakage, retain both pseudorandomness and unpredictability. We revisit their construction and show the following. First, pseudorandomness and unpredictability do not imply one another in the leakage setting. Unfortunately, this entails that any instantiation of the \({ \textsc {FGHF}}^{\prime }\) construction indeed seems to require a function that is proven both pseudorandom and unpredictable under leakage. Second, however, we show that the unpredictability requirement is an artefact that stems from the underlying composition theorem of the \({ \textsc {N2}}\) construction given by Barwell et al. (ASIACRYPT 2017). By recasting this composition theorem, we show that the unpredictability requirement is unnecessary for the \({ \textsc {FGHF}}^{\prime }\) construction. Thus, leakage-resilient AEAD schemes can be obtained by instantiating the \({ \textsc {FGHF}}^{\prime }\) construction with functions that are solely pseudorandom under leakage.