Timing attacks... and what is special with DES SBox #5?
R. Pacalet, Institut Mines-Telecom, April 24, 2018

Outline

- Introduction
- Side channels
- DES
- Timing attacks, the HWSec lab case

Introduction

Auguste Kerckhoffs' principles (1883)
- The system must be substantially, if not mathematically, undecipherable
- The system must not require secrecy and can be stolen by the enemy without causing trouble
- It must be easy to communicate and remember the keys without requiring written notes; it must also be easy to change or modify the keys with different participants
- The system ought to be compatible with telegraph communication
- The system must be portable, and its use must not require more than one person
- Finally, regarding the circumstances in which such a system is applied, it must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules
The spirit is strong, the flesh is weak

- In the end, security is always implemented in hardware
  - An Intel Core i7 processor is a piece of hardware
  - A smartcard too
  - Your brain, a pencil, a piece of paper too
- Hardware computes, and also does some more...
  - Consumes power
  - Takes time
  - Emits electromagnetic radiations
  - Plus heat, noise, ...
- While apparently not exploitable, these "side channels" are serious information leaks
Side channels
Hardware leaks information

- The "side channels" are usually correlated with the processing
- In security applications they can be used to retrieve embedded secrets
- Less than 1000 power traces can be sufficient to retrieve a secret key from a theoretically unbreakable system
- Unlike in quantum cryptography, the information leakage is usually undetectable
  - True for time
  - Almost true for power
A bit of history

- 1956: MI5 against the Egyptian Embassy in London (click sound of the enciphering machine)
- 1996: P. Kocher, timing attacks on RSA, DH, DSS (applied with success in 2003 against OpenSSL 0.9.6)
- 1999: P. Kocher, power attacks on DES, AES, etc. (SPA, DPA). Successful against smart cards, FPGAs, ...
- 2000-: New attacks (SEMA, DEMA, TPA, MIA, ...)
- Importance of hardware security increases (CHES)
DES
History (1/2)

- Symmetric block cipher
- Initial proposal by IBM (Lucifer) in 1975
- Adopted as a US federal standard in 1977 (by the NBS, after some modifications involving the NSA) under the name DES: Data Encryption Standard
- Feistel scheme, 56-bit key, 16 rounds
- Some analytical attacks exist (differential and linear cryptanalysis), but they are impractical
- Brute force attacks became feasible:
  - 2^56 ≈ 7.2 × 10^16 keys
  - About one year on 1000 PCs @ 2 GHz, with 800 clock cycles per DES enciphering (OpenSSL, Eric Young)
History (2/2)

- Triple DES recommended today: TDEA_{k1,k2,k3}(P) = DES_{k1}(DES^{-1}_{k2}(DES_{k3}(P)))
- Some interesting variants: DES-X_{k1,k,k2}(P) = k1 ⊕ DES_k(k2 ⊕ P)
- Superseded in 2002 by AES: Advanced Encryption Standard
- Still in use, probably for some time
- Easy to implement in hardware (small and fast)
- In software, AES is simpler to implement (no bitwise permutations)
Algorithm (1/4)

DES: a 16-round Feistel scheme (figure on the slide, recoverable content only):
  Input (64 bits) → Initial permutation IP (64 ⇒ 64) → L0 | R0 (32 bits each)
  Round n (1 ≤ n ≤ 16), with the 48-bit round key Kn and the F function f:
    Ln = Rn−1
    Rn = Ln−1 ⊕ f(Rn−1, Kn)
  i.e. L1 = R0, R1 = L0 ⊕ f(R0, K1) ... L15 = R14, R15 = L14 ⊕ f(R14, K15)
  Last round, without the final swap: R16 = L15 ⊕ f(R15, K16), L16 = R15
  R16 | L16 (64 bits) → Inverse initial permutation FP (64 ⇒ 64) → Output
Algorithm (2/4)

The Feistel F function (figure on the slide, recoverable content only):
  Rn (32 bits) → E expansion (32 ⇒ 48) → ⊕ Kn = kn^(1)|kn^(2)|...|kn^(8) (48 bits)
  → eight 6-bit groups → S1 S2 S3 S4 S5 S6 S7 S8 → eight 4-bit outputs (32 bits)
  → P permutation (32 ⇒ 32)
Algorithm (3/4)

Key schedule: the 16 round keys are 48-bit, permuted subsets of the 56-bit secret key (figure on the slide, recoverable content only):
  Key (56 bits) → Permuted choice 1, PC1 (56 ⇒ 56) → C0 | D0 (28 bits each)
  Round n: Cn = left rotation of Cn−1, Dn = left rotation of Dn−1, then Kn = PC2(Cn | Dn), Permuted choice 2 (56 ⇒ 48)
  Rotations to the left by one or two positions, depending on the round:

  Round        1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  Left shifts  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Algorithm (4/4)

- IP, FP, P and PC1 are pure permutation functions
- E is an expansion (32 ⇒ 48) permutation function
- PC2 is a selection (56 ⇒ 48) permutation function
- S1, S2, ..., S8 are non-linear, 6 bits to 4 bits functions: the substitution boxes or "SBoxes"
- The key schedule consists of single or double left circular rotations (specified for each round)
- The decryption function is obtained by inverting the key schedule (right circular rotations)
Timing attacks, the HWSec lab case
History of timing attacks

- First published by Paul Kocher (CRYPTO'96)
- Implemented by Dhem, Quisquater, et al. (CARDIS'98)
- Used by Canvel, Hiltgen, Vaudenay, and Vuagnoux to attack OpenSSL (CRYPTO'03)
Principle of timing attacks (1/2)

- Crypto function EK uses secret key K to compute output C = EK(P) from input P
- Joint exploitation of computing time T and output C (or input P, depending on what is known by the attacker)
- The attacker builds a partial timing model TMg(C) depending on a guessed value g for a small part k of the secret K
- TMg(C) is an estimate of the time taken by an elementary operation of EK when computing C = EK(P)... if guess g is correct...
- ... else TMg(C) is just random
Principle of timing attacks (2/2)

- Run Ci = EK(Pi) on N random inputs and record the N pairs {Ci, Ti}, 1 ≤ i ≤ N, of {output, computing time}
- For each possible value g (guess) of k compute TMg(Ci), 1 ≤ i ≤ N...
- ... and estimate the correlation Cg between Ti and TMg(Ci) over the N measurements
- One guess gbest exhibits the best correlation Cgbest ⇒ best guess for k is gbest
- Repeat for all (small) parts k of K ⇒ best guess for K
- The same collection of measurements can be used for all parts k of K
Example of TA-prone implementation (1/2)

- DES software implementation, used in the timing attack lab of the HWSec course
- http://soc.eurecom.fr/HWSec/labs/ta.php
- DES software implementation in plain C
- All DES functions based on lookup tables
- Data-independent timing (apart from caches and branch prediction)...
- ... but the P permutation...
Example of TA-prone implementation (2/2)

// Listing from the slide, made complete and compilable (C, the lab's language).
// The behaviour is kept on purpose: the inner search runs once per set input
// bit, so the execution time of P grows with the Hamming weight of its input.
// That is the timing leak the lab exploits. DES bit numbering is assumed: bit #1
// is the most significant bit of the 32-bit word, bit #32 the least significant.
#include <stdint.h>

// The table giving the input positions of each output bit. Output bit #1, for
// instance, is input bit #16 and output bit #32 is input bit #25.
static const int p_table[32] = {16,  7, 20, 21,
                                29, 12, 28, 17,
                                 1, 15, 23, 26,
                                 5, 18, 31, 10,
                                 2,  8, 24, 14,
                                32, 27,  3,  9,
                                19, 13, 30,  6,
                                22, 11,  4, 25};

static int get_bit(uint32_t val, int i) { return (val >> (32 - i)) & 1; }
static uint32_t set_bit(uint32_t val, int i) { return val | (1u << (32 - i)); }

uint32_t p_permutation(uint32_t val) {
  uint32_t res = 0;                     // Initialize the result to all zeros
  int i, j, k = 0;
  for (i = 1; i <= 32; i++) {           // For all 32 input bits...
    if (get_bit(val, i) == 1) {         // ... if input bit is set...
      for (j = 1; j <= 32; j++) {       // ... for all 32 output positions...
        if (p_table[j - 1] == i)        // ... if input position is input bit
          k = j;                        // Remember output position (the slide
      }                                 // indexes p_table from 1, C from 0)
      res = set_bit(res, k);            // Set bit #k of result
    }
  }
  return res;                           // Return result
}
The timing attack lab of HWSec

- Students run the TA-prone DES on an arbitrarily large number N of random, unknown inputs P1≤i≤N
- They record the {Ci, Ti}1≤i≤N pairs (output, computing time)
- They do not know the secret key K
- They must design an attack to recover the last round key K16
- Validation: their attack is run with an increasing number of measurements until success
- Their score is the minimum number of measurements needed (including 100 consecutive positives)
Zoom on last round (known output)

The last round, as drawn on the slides (figure, recoverable content only):
  L15, R15 (32 bits each)
  E(R15) (48 bits) ⊕ K16 = k16^(1)|k16^(2)|...|k16^(8) (48 bits)
  → S1 S2 S3 S4 S5 S6 S7 S8 (6 bits in, 4 bits out each)
  → P (32 bits) ⊕ L15 → R16 ;  L16 = R15
  → FP (64 bits) → C (64 bits)

Known and unknown data

- C is known, hence R16 and L16 = R15 (FP is a public permutation): the 48 bits of E(R15) entering the XOR with K16 are known
- K16 is unknown, hence the SBox inputs and outputs are unknown
- L15 is unknown

Let us focus on SBox #1

- Only the 6 bits of E(R15) feeding S1, the 6 bits k16^(1) of K16, the 4 output bits of S1 and their 4 positions after P matter for this SBox

Simplify (S1, P)

- The chain reduces to: 6 known bits of E(R15) → ⊕ k16^(1) → S1 → 4 bits → P → C

Let us guess k16^(1) (64 cases)

Let us compute the S1 output (P input)
Summary

- For each known output Ci (N of them)...
- for each guess (64 of them) on k16^(1)...
- the attacker can compute the 4-bit output of S1 (input of permutation P)...
- and thus estimate the computation time of P... if the guess is correct
- Example of (simple) timing model:
  - S1 output = 0b0000 ⇒ P fast
  - S1 output = 0b1111 ⇒ P slow
- Same for all SBoxes (8 of them)...
The simple attack algorithm

 1: for s ← 1...8 do                          ▷ For all SBoxes
 2:   for g ← 0...63 do                       ▷ For all guesses on k16^(s)
 3:     tslow ← ∅, tfast ← ∅                  ▷ Initialize "slow" and "fast" sets
 4:     for i ← 1...N do                      ▷ For all measurements
 5:       v ← Ss(g, Ci)                       ▷ Compute output of SBox s in last round
 6:       if v = 0b0000 then                  ▷ Four zero-bits
 7:         tfast ← tfast ∪ {Ti}              ▷ Put timing measurement in "fast" set
 8:       else if v = 0b1111 then             ▷ Four one-bits
 9:         tslow ← tslow ∪ {Ti}              ▷ Put timing measurement in "slow" set
10:       end if
11:     end for
12:     Cg ← avg(tslow) − avg(tfast)          ▷ Score of guess g for k16^(s)
13:   end for
14:   k16^(s) ← argmax_g(Cg)                  ▷ Take best guess g for k16^(s)
15: end for
16: return K16 = k16^(1)|k16^(2)|...|k16^(8)  ▷ Best guess for last round key K16
Should it work?

- The timing model predicts only a very small part of the total computation time
  - Only in one round out of 16...
  - Only in the P permutation...
  - Only on 4 of the 32 input bits...
- Everything else is either
  - Uncorrelated (noise)
  - Correlated
- If uncorrelated, averaging over a large enough number of measurements shall eliminate the noise due to other computations (and measurement errors)...
- ... else the proposed attack could (should) fail
- By luck (for attackers), this statistical independence holds rather well in cryptography (confusion, diffusion)
Does it work?

- Sometimes, sometimes not (about 50%-50%, depends on secret key K). Students are frustrated and complain...
- Last year I explained that keeping only v = 0b0000 and v = 0b1111 was discarding too many measurements (7/8), thus degrading the attack's efficiency
- This year I tried with 1 million measurements and it failed
- All 6-bit parts k16^(s) of K16 were recovered with less than 5000 measurements... but k16^(5) (SBox #5) resisted with any number of measurements
- This year I decided to understand why
What is special with DES SBox #5?

- I designed statistical tools to check statistical independence
- Statistical independence does not fully hold, there are some singularities (known since linear and differential cryptanalysis)
- But there is more:
  - There are four 6-bit inputs x such that S5(x) = 0b0000 (normal, the DES SBoxes are 6 ⇒ 4 bits and balanced):
    X0 = {0b011010, 0b010011, 0b111100, 0b110101}
  - There are four 6-bit inputs x such that S5(x) = 0b1111:
    X1 = {0b010110, 0b010101, 0b110000, 0b110011}
  - X0 = X0 ⊕ 0b100110 !
  - X1 = X1 ⊕ 0b100110 !!!
What is special with DES SBox #5?

- X0 = X0 ⊕ 0b100110
- X1 = X1 ⊕ 0b100110
- Two values of k16^(5) exhibit the same "signature" for the simple attack
- If g is a good guess for k16^(5), g' = g ⊕ 0b100110 also is, because S5(g' ⊕ r) = S5((g ⊕ r) ⊕ 0b100110) and both X0 and X1 are invariant under ⊕ 0b100110:
  - ∀ 0 ≤ r ≤ 63, S5(g ⊕ r) = 0b0000 ⇔ S5(g' ⊕ r) = 0b0000
  - ∀ 0 ≤ r ≤ 63, S5(g ⊕ r) = 0b1111 ⇔ S5(g' ⊕ r) = 0b1111
- With statistical independence, the attack should indefinitely oscillate between k16^(5) and k16^(5) ⊕ 0b100110
- Statistical independence does not really hold ⇒ the attack converges towards one or the other, depending on the actual K
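The simple attack algorithm and the S5 twin-key effect, as an added example that is not part of the slides nor of the HWSec lab code. It attacks only the six key bits feeding SBox #5 on a simulated target, and everything in it is an assumption not taken from the slides: the attacker is handed the six bits of E(R15) entering S5 (they are known, since R15 = L16 comes out of C through FP^-1), the only key-dependent cost is the TA-prone P permutation, modelled as one unit of time per set bit of the S5 output, the rest of the round is uniform noise from a fixed-seed generator, and the names s5, invariant_offsets, simulate, score, attack and experiment are hypothetical.

```c
/*
 * Added example (not the HWSec lab code): the slides' "simple attack" on the
 * six last-round key bits k16^(5) feeding DES SBox #5, run on simulated
 * measurements, plus a check of the S5 property that makes k and k ^ 0b100110
 * indistinguishable. Assumed target: time = (set bits of the S5 output) * COST
 * + noise, the attacker knowing the six E(R15) bits entering S5.
 */
#include <stdint.h>
#include <stdio.h>

#define NMEAS 4096      /* number of simulated measurements */
#define COST  100.0     /* simulated time of one set bit in P, arbitrary unit */
#define DELTA 0x26      /* 0b100110, the offset found on the slides */

/* DES SBox #5; row = bits 1 and 6 of the 6-bit input, column = bits 2..5 */
static const uint8_t S5[4][16] = {
    { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9},
    {14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6},
    { 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14},
    {11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
};

uint8_t s5(uint8_t x) {
    int row = ((x >> 4) & 2) | (x & 1);   /* bit 1 (MSB) and bit 6 (LSB) */
    int col = (x >> 1) & 15;              /* bits 2..5 */
    return S5[row][col];
}

/* Bitmask of the nonzero offsets d such that {x : s5(x) = v} ^ d is the same
 * set. The slides' observation: d = 0b100110 works for v = 0b0000 and v = 0b1111. */
uint64_t invariant_offsets(uint8_t v) {
    uint64_t mask = 0;
    for (int d = 1; d < 64; d++) {
        int ok = 1;
        for (int x = 0; x < 64 && ok; x++)
            if ((s5(x) == v) != (s5(x ^ d) == v)) ok = 0;
        if (ok) mask |= (uint64_t)1 << d;
    }
    return mask;
}

struct meas { uint8_t r; double t; };     /* known S5 input bits, measured time */

static uint32_t lcg_state = 12345u;       /* fixed seed: reproducible runs */
static uint32_t lcg(void) { lcg_state = lcg_state * 1664525u + 1013904223u; return lcg_state; }
static int popcount4(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

/* Simulated target: time = (set bits of the real S5 output) * COST + noise */
void simulate(uint8_t key, struct meas *m, int n) {
    for (int i = 0; i < n; i++) {
        m[i].r = (uint8_t)(lcg() >> 26);                      /* 6 random known bits */
        uint8_t v = s5(m[i].r ^ key);                         /* real SBox output */
        double noise = (lcg() >> 8) / 16777216.0 * 2 * COST;  /* other SBoxes, cache, ... */
        m[i].t = popcount4(v) * COST + noise;
    }
}

/* Score of guess g as on the slides: avg(t_slow) - avg(t_fast), "slow" being the
 * measurements whose predicted S5 output is 0b1111 and "fast" those with 0b0000 */
double score(uint8_t g, const struct meas *m, int n) {
    double sslow = 0, sfast = 0;
    int nslow = 0, nfast = 0;
    for (int i = 0; i < n; i++) {
        uint8_t v = s5(m[i].r ^ g);
        if (v == 0x0) { sfast += m[i].t; nfast++; }
        else if (v == 0xF) { sslow += m[i].t; nslow++; }
    }
    if (nslow == 0 || nfast == 0) return 0.0;
    return sslow / nslow - sfast / nfast;
}

/* The simple attack on one SBox: keep the guess with the best score */
uint8_t attack(const struct meas *m, int n) {
    uint8_t best = 0;
    double best_score = -1e300;
    for (int g = 0; g < 64; g++) {
        double c = score((uint8_t)g, m, n);
        if (c > best_score) { best_score = c; best = (uint8_t)g; }
    }
    return best;
}

/* Whole experiment for one secret: returns 1 when the attack lands on the key
 * or on its twin key ^ DELTA, whose scores are identical on any data set */
int experiment(uint8_t key, uint8_t *found, double *s_key, double *s_twin) {
    static struct meas m[NMEAS];
    simulate(key, m, NMEAS);
    *found = attack(m, NMEAS);
    *s_key = score(key, m, NMEAS);
    *s_twin = score(key ^ DELTA, m, NMEAS);
    return *found == key || *found == (key ^ DELTA);
}

int main(void) {
    printf("offsets preserving S5(x)=0000: 0x%llx, S5(x)=1111: 0x%llx\n",
           (unsigned long long)invariant_offsets(0x0), (unsigned long long)invariant_offsets(0xF));
    for (uint8_t key = 0; key < 64; key += 21) {
        uint8_t found; double sk, st;
        experiment(key, &found, &sk, &st);
        printf("key 0x%02x: attack returns 0x%02x, score(key)=%.2f score(key^0x26)=%.2f\n",
               key, found, sk, st);
    }
    return 0;
}
```

Build with a C99 compiler and run it: for every secret, score(key) and score(key ^ 0x26) print as exactly the same number, because the "fast" and "slow" sets selected by the two guesses are the same sets of measurements, so which of the two wins only depends on tie-breaking (here the first one met) or, on real data, on whatever residual correlation the rest of the round carries. The invariant_offsets output also shows that 0b100110 is the only nonzero offset that preserves both X0 and X1 at once; each set alone has two more.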
Conclusion, open questions

- Could this S5 property be exploited for new attacks?
- Could this kind of property inspire the design of new, naturally TA-resistant, ciphers?
- Is this accidental or shall we revisit DES history?
  - The probability to draw such an "à-la-DES" SBox is 1/1100.5
  - The probability to draw at least one when designing DES is about 1/138
- Could it be that the other SBoxes also have hidden properties?
  - Sylvain Guilley discovered one on S4
  - S5 is also known to be the least non-linear of all
- How can it be that after more than 40 years of deep scrutiny we still discover something new about DES?
- Is it really new?