Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model Sonia Belaid, Luk Bettale, Emmanuelle Dottax, Laurie Genelle, Franck Rondepierre
To cite this version:
Sonia Belaid, Luk Bettale, Emmanuelle Dottax, Laurie Genelle, Franck Rondepierre. Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model. SECRYPT 2013 - 10th International Conference on Security and Cryptography, Jul 2013, Reykjavik, Iceland. hal-00872410
HAL Id: hal-00872410 https://hal.inria.fr/hal-00872410 Submitted on 12 Oct 2013
HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model
Sonia Bela¨ıd12 ∗, Luk Bettale3, Emmanuelle Dottax3, Laurie Genelle3 and Franck Rondepierre3 1Ecole´ Normale Superieure,´ 45 rue d’Ulm, 75005 Paris, France 2Thales Communications & Security, 4 Avenue des Louvresses, 92230 Gennevilliers, France 3Oberthur Technologies, Cryptography Group, 420 rue d’Estienne d’Orves, 92700 Colombes, France [email protected], {l.bettale, e.dottax, l.genelle, f.rondepierre}@oberthur.com
Keywords: Side Channel Analysis : Differential Power Analysis : Hamming Weight : HMAC : SHA-2
Abstract: As any algorithm manipulating secret data, HMAC is potentially vulnerable to side channel attacks. In 2007, McEvoy et al. proposed a differential power analysis attack against HMAC instantiated with hash functions from the SHA-2 family. Their attack works in the Hamming distance leakage model and makes strong as- sumptions on the target implementation. In this paper, we present an attack on HMAC SHA-2 in the Hamming weight leakage model, which advantageously can be used when no information is available on the targeted implementation. Furthermore, our attack can be adapted to the Hamming distance model with weaker assump- tions on the implementation. We show the feasibility of our attack on simulations, and we study its overall cost and success rate. We also provide an evaluation of the performance overhead induced by the countermeasures necessary to avoid the attack.
1 INTRODUCTION Analysis (SCA) attacks. Those attacks take advantage of statistical dependencies that exist between a physi- With the expansion of internet communications, on- cal leakage (e.g., the power consumption, the electro- line transactions and the transfer of confidential data magnetic emanations) produced during the execution in general, ensuring the integrity and the authenticity of a cryptographic algorithm and the intermediate val- of transmitted information is a prime necessity. To ues manipulated. In the family of side channel analy- this end, a Message Authentication Code (MAC) is ses, Differential Power Analysis (DPA) is of particular generally used. A MAC algorithm accepts as input a interest [Kocher et al., 1999]. The principle is the fol- secret key – shared between senders and receivers – lowing. The attacker executes the cryptographic al- and an arbitrarily long message. The output is a short gorithm several times with different inputs and gets a bit-string which is jointly transmitted with the mes- set of power consumption traces, each trace being as- sage. It allows the receiver to verify that the message sociated to one value known by the attacker. At some has not been altered by an attacker. points in the algorithm execution, sensitive variables Several MAC constructions exist, and the most are manipulated, i.e., variables that can be expressed common ones are based on block-ciphers or on hash as a function of the secret key and the known value. functions. Among the hash-based MAC algorithms, These sensitive values are targeted as follows: the HMAC [Bellare et al., 1996] is the most widely attacker makes hypotheses about the secret key and used. Today it is a standardized algorithm [FIPS predicts the sensitive values and the corresponding 198-1, 2008] and it is used by several protocols leakages. Then, a statistical tool is used to compute running on embedded devices [Haverinen and Sa- the correlation between these predictions and the ac- lowey, 2006, Arkko and Haverinen, 2006]. The use quired power consumption traces. The obtained cor- of HMAC in such a context leads the research com- relation values allow the attacker to (in)validate some munity to study its vulnerability against Side Channel hypotheses. In order to map the hypothetical sensitive value towards an estimated leakage, a model function ∗This work was essentially done while this author was a must be chosen. The Hamming Distance (HD) and member of the Cryptography Group of Oberthur Technolo- the Hamming Weight (HW) models are the most com- gies. monly used by attackers to simulate the power con- This work was presented at SECRYPT 2013 http://www.secrypt.icete.org/
sumption of an embedded device. In the HW model, Section 3 discusses the interest of our attack and de- the leakage is assumed to rely on the number of bits scribes the details. Section 4 exhibits the results of that are set in the handled data. It is considered as a simulations and evaluates the efficiency of the new special case of the HD model, which assumes that the attack on unprotected implementations. Eventually, leakage depends on the bits switching from one state Sect. 5 deals with the protections required to secure to the next one. The latter is usually considered to a HMAC implementation against our attack, and no- better integrate the behavior of CMOS circuits, how- tably it evaluates the impact on performances. ever it requires significant knowledge of the imple- mentation. As for the HW model, it can always be used and gives valid results for a large number of de- 2 TECHNICAL BACKGROUND vices [Kocher et al., 1999, Messerges, 2000, Mangard et al., 2007]. 2.1 The HMAC Construction Related Works. Several DPA scenarios have been proposed in the literature to attack the HMAC al- The HMAC cryptographic algorithm involves a hash gorithm. Okeya et al. addressed in several papers function H in combination with a secret key k. Ac- [Okeya, 2006, Gauravaram and Okeya, 2007, Gau- cording to [FIPS 198-1, 2008], it is defined as follows: ravaram and Okeya, 2008] the question of protect- HMACk : ing HMAC against DPA. They focused their study on ∗ h block-cipher based hash functions. As well, [Zhang {0,1} −→ {0,1} and Shi, 2011] dealt with HMAC based on Whirlpool. m −→ H((k ⊕ opad) H((k ⊕ ipad) m)) , In [Lemke et al., 2004], Lemke et al. described a the- where ⊕ denotes the bitwise exclusive or, denotes oretical attack on HMAC based on the hash func- the concatenation, and opad and ipad are two pub- tions RIPEMD-160 and SHA-1 in the HW model. lic fixed constant. We call inner hash the first hash McEvoy et al. [McEvoy et al., 2008] proposed an at- computation H((k ⊕ ipad) m) and the second one is tack against HMAC based on SHA-2 functions. They referred to as the outer hash. chose the HD model to characterize the physical leak- In this paper, we focus on HMAC instantiated age of the device. The paper [Fouque et al., 2009] with a hash function H based on the Merkle-Damgard˚ presents a template attack on HMAC SHA-1, which construction [Merkle, 1989, Damgard,˚ 1989] (MD5, implies a more powerful adversary than DPA [Chari SHA-1 and SHA-2 are among the most widely used). et al., 2002]. More recently, DPA on keyed versions An overview of this construction is given in Fig. 1. of KECCAK have been explored in [Zohner et al., The input message m is first padded using a specific 2012,Bertoni et al., 2013]. procedure to obtain N blocks of bit-length n denoted Contributions. In this paper, we improve the state by m1,...,mN. Then each block mi is processed with of the art on the security of HMAC against DPA by a h-bit chaining value CVi−1 through a one-way com- proposing an attack in the HW model. Contrary to pression function F that outputs a new h-bit chaining [McEvoy et al., 2008], our attack can be used even value CVi. The chaining value CV0, also denoted by when no information about the HMAC implemen- k1, is fixed and depends only on the secret key k. It is tation is available. Moreover, our attack can easily computed as F(IV,k ⊕ ipad), with IV being the pub- be adapted to the HD model, and it turns out that lic Initial Value of the hash function. The final chain- the resulting attack requires weaker assumptions on ing value CVN, also denoted by z, is the input of the the HMAC implementation than the ones made in outer hash. It is processed with a second fixed key- [McEvoy et al., 2008]. Indeed, the attack by McEvoy dependent value k0 = F(IV,k ⊕ opad) in the last call et al. relies on a constraining HMAC implementation, of the compression function that outputs the MAC. So which reduces the scope of their attack. We also study we rewrite the HMAC procedure as follows: the cost and the success rate of the attack, that leads to HMAC (m)= the first complete study of a full DPA attack complex- k ity on HMAC. We focus our study on HMAC based F(k0,F(...F(F(k1,m1),m2),...,mN) pad) , on SHA-256, however our work can be straightfor- where pad is the bit-string used to pad the input of wardly adapted to all SHA-2 family functions, and to the outer hash. For the sake of simplicity and without RIPEMD-160, MD5 and SHA-1 with small modifica- loss of generality, we omit this value in the following. tions. In the rest of the paper we make our analysis on Paper Organisation. The rest of the paper is or- the HMAC algorithm based on SHA-256. We assume ganized as follows. Section 2 introduces the neces- F to be the SHA-256 compression function. A brief sary background on HMAC and SHA-256 algorithms. description is given in the next section.
2 This work was presented at SECRYPT 2013 http://www.secrypt.icete.org/
inner hash ... Algorithm 1 SHA-256 Compression Function k ⊕ ipad m1 mN Inputs: the data block M = (M1,...,M16), the chaining value V =(V1,...,V8) IV ... F k1 F CV1 CVN−1 F CVN = z Output: the chaining value F(V,M) 1: W W M M outer hash ( 1,..., 16) ← ( 1,..., 16) k ⊕ opad 2: for t = 17 to 64 do ⊲ Message Expansion 3: Wt ← σ1 (Wt−2) ⊞Wt−7 ⊞ σ0 (Wt−15) ⊞Wt−16 IV MAC 4: end for F k0 F 5: (A,B,C,D,E,F,G,H) ← (V1,...,V8) Figure 1: HMAC using a Merkle-Damgard˚ hash function 6: for t = 1 to 64 do ⊲ Main Loop 7: T1 ← H ⊞ Σ1 (E) ⊞ Ch(E,F,G) ⊞ Kt ⊞Wt 2.2 The SHA-256 Compression 8: T2 ← Σ0 (A) ⊞ Maj(A,B,C) 9: H ← G Function 10: G ← F 11: F ← E The SHA-256 compression function F is described in 12: E ← D ⊞ T1 Alg. 1. It accepts as input a 512-bit message block M 13: D ← C and a 256-bit chaining value V (i.e., parameters n and 14: C ← B h in Sect. 2.1 equal 512 and 256 respectively). The 15: B ← A function iterates 64 times the same round transforma- 16: A ← T1 ⊞ T2 tion on an internal state. The state is represented by 17: end for eight 32-bit words A,B,C,D,E,F,G and H initially 18: return (V1 ⊞ A, ..., V8 ⊞ H) ⊲ Final Addition filled with V =(V1,...,V8). The round is a composi- tion of 32-bit modular additions, denoted by ⊞, with boolean operations which are defined on 32-bit words u, v and w as follows: (only) of the input messages. They consider an im- Ch(u,v,w)=(u ∧ v) ⊕ (¬u ∧ w) , plementation that strictly follows Alg. 1, and in par- ticular they make the following assumptions. Firstly, Maj u v w u v u w v w , ( , , )=( ∧ ) ⊕ ( ∧ ) ⊕ ( ∧ ) the variables A,B,...,H are initialized with the input Σ0 (u)=(u 2) ⊕ (u 13) ⊕ (u 22) , chaining value and T1 is initialized with an unknown but constant value. Secondly, each one of the vari- Σ1 (u)=(u 6) ⊕ (u 11) ⊕ (u 25) , ables T ,T ,A,B,...,H is updated with its value at the and 1 2 where ∧ denotes the bitwise , ¬ denotes the bit- next round. It means that for each of these variables, wise complement and x j denotes a rotation of j the HD between its value at round t − 1 and its value bits to the right on x. at round t is leaked at each round t, for t = 1,...,64. The message expansion splits the message block Under these assumptions, the authors present an at- M M M into 32-bit words 1,..., 16, and expands it into tack wich consists in a succession of DPAs. Each one W 64 words t by using the following additional 32-bit allows the attacker to recover either a part of the se- words operations: cret key or an intermediate result, and these results are σ0 (u)=(u 7) ⊕ (u 18) ⊕ (u ≫ 3) , re-used in the following DPAs to recover the remain-
σ1 (u)=(u 17) ⊕ (u 19) ⊕ (u ≫ 10) , ing secrets. It is worth noticing that these assumptions are quite strong and could prevent applying the attack where x j denotes a shift of j bits to the right on x. ≫ on some implementations. For instance, a software In Alg. 1, the values K K are public constants. 1,..., 64 implementation would probably avoid updating reg- isters value (steps 9 to 16 of Alg. 1) and rather choose to directly update the pointers, which would clearly 3 DPA ON HMAC SHA-256 be more efficient. In this paper, we propose an attack on the com- 3.1 Related Work and Contribution pression function that targets different steps in the al- gorithm compared to [McEvoy et al., 2008]. This new In [McEvoy et al., 2008], the authors propose to at- method brings two main advantages. First, our new tack the SHA-256 compression function to recover k0 attack benefits from the feature to work in the HW and k1. The authors mount their attack in the HD model in which the power consumption is assumed to leakage model, and they assume to have knowledge be proportional to the number of non-zero bits of the
3 This work was presented at SECRYPT 2013 http://www.secrypt.icete.org/
processed values. Therefore our proposal can be ap- pression function whose input is the known and vari- plied on devices that leak in this model, and also when able value z. the attacker has no information about the implementa- Another way for the attacker to obtain the secret tion, as stated in [Mangard et al., 2007]. Secondly, we value k is to target the last call of the compression show in Sect. 3.3 that our proposal can also be turned 0 function focussing on the MAC value which is known into an attack in the HD model but with less restric- and variable. We refer to this attack path as Path 3. tive assumptions than [McEvoy et al., 2008], which advantageously extends the scope of the attack. Definition 3 (Path 3: Outer hash - DPA with known output.). The attacker targets the last compression 3.2 New Attack in the Hamming Weight function execution whose output is the known and Model variable MAC. 3.2.1 Path 1 To forge MACs for arbitrary messages, the attacker needs either to recover the secret key k or both val- ues k0 and k1. As seen in Fig. 1, the attacker can- We depict here the attack following Path 1, i.e., on the not target directly the secret key k since it is never computation F(k1,m1). In this context, the attacker combined with variable and known data. On the con- aims at recovering the secret value k1. We completely (i) trary, k0 and k1 may potentially be recovered by the develop this attack in Table 1. The notation X attacker. In the following, we define the three paths refers to a given intermediate variable X computed (0) the attacker can follow to recover k1 and k0 (they are at round i. Variables denoted by X correspond shown by Fig. 2). Then, Sect. 3.2.1, 3.2.2 and 3.2.3 to the input chaining value of the compression func- give the detailed steps of the attacks following respec- tion. For the sake of simplicity, δ(i) denotes the sum (i) (i) (i) (i) (i) tively Path 1, 2 and 3. H ⊞ Σ1 E ⊞ Ch E ,F ,G ⊞ Ki+1. Even- tually, X denotes a variable controlled by the attacker, inner hash ... k ⊕ ipad m1 mN meaning that she can predict its value when the mes- E sage changes. Path 1 Each line of the table describes a DPA attack. The IV F F ... F k1 CV1 CVN−1 CVN = z column Hyp indicates the secret value which is the target of the attack Attack in the operation Targeted outer hash k ⊕ opad Operation. In each targeted operation, the hat indi- EPath 2 cates the variable that is controlled (modified) by the
attacker. The column Result lists the useful variables
IV F F MAC k0 E on which the attacker gains control after the attack (it Path 3 includes, but is not limited to, the target secret vari- Figure 2: Attack paths on HMAC ables). Eventually, the double line separates the at- tacks executed in Round 1 from the ones processed in As already noted, the value k1 may be obtained Round 2. when it is combined with the known and variable data The attacker progresses line after line and fi- m1 in the compression function. This attack path is nally recovers the following parts of the secret: referred to as Path 1. A(0),B(0),D(0),E(0),F(0),G(0). The last remaining parts H(0) and C(0) can be recovered by making sub- Definition 1 (Path 1: Inner hash - DPA with known stitutions in Alg. 1: in Step 7 of round 1, where H(0) input.). The attacker targets the compression function is the only unknown variable, and similarly in Step 8 whose input is the first message block m to recover 1 of round 1 where C(0) is the only unknown variable. the secret value k1.
Once k1 is known, the attacker is able to compute the inner hash result z = H(k1||m) for all input mes- Remark. DPA 8 involves the message block W2. sages m. She can thus mount a DPA on the outer hash The attacker has two possibilities to mount this attack: compression function execution whose input is z to 1. She can fix the first message block W1 and thus recover the constant value k0. This path is denoted by makes hypotheses on the whole constant sum δ(1), Path 2. (1) while modifying W2. She obtains the value of δ Definition 2 (Path 2: Outer hash - DPA with known and deduces the secret H(1) from the knowledge input.). The attacker targets the last call of the com- of the other values.
4 This work was presented at SECRYPT 2013 http://www.secrypt.icete.org/
Table 1: DPA attack on SHA-256 compression function us- ing HW leakage model covering the same secret value k0 but focuses on the output of the compression function. Indeed in the Attack Targeted Operation Hyp Result HMAC algorithm, the last call to the compression 1 1 function outputs the MAC value R. This final value is DPA 1 T ( ) ← δ(0) ⊞W δ(0) T ( ),δ(0) 1 1 1 obtained by performing a final addition between the (1) (1) (0) (1) (0) E , secret chaining input V = k and the output of a 64- DPA 2 E ← D ⊞ T D 0 1 D(0) round process. Thus we have: (1) (1) ⊞ (1) (1) (1 ) (1) (64) DPA 3 A ← T1 T 2 T2 A ,T2 A = R1 ⊟V1 , F(1) = B(64) R ⊟V , DPA 4 E(1) ∧ F (1) in Ch F(1) = 2 2 E(0) ... G(1) = DPA 5 E (1) ∧ G(1) in Ch G(1) (64) F(0) H = R8 ⊟V8 , (1) where ⊟ is the modular subtraction on 32 bits. In (1) (1) (1) B = DPA 6 A ∧ B in Maj B (0) A these final operations, the (Ri)1 i 8 are known and C(1) = variable and the (Vi)1 i 8 are constant parts of the DPA 7 A (1) ∧C(1) in Maj C(1) (64) (64) B(0) secret k0, thus the values A , ..., H are sensitive. (2) Eight DPA attacks can thus be mounted to recover the T1 ← H(1) = eight 32-bit parts (Vi)1 i 8 of the secret k0. DPA 8 H(1) ⊞ Σ E(1) ⊞ H(1) 1 G(0) Ch⊞K2 ⊞W2 3.2.4 Full Attack