An Analytic Attack Against ARX Addition Exploiting Standard Side-Channel Leakage

An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

Yan Yan1, Elisabeth Oswald1 and Srinivas Vivek2 1University of Klagenfurt, Klagenfurt, Austria 2IIIT Bangalore, India

Keywords: ARX Construction, Side-channel Analysis, Hamming Weight, Chosen Plaintext Attack.

Abstract: In the last few years a new design paradigm, the so-called ARX (modular addition, rotation, exclusive-or) ciphers, have gained popularity in part because of their non-linear operation’s seemingly ‘inherent resilience’ against Differential Power Analysis (DPA) Attacks: the non-linear modular addition is not only known to be a poor target for DPA attacks, but also the computational complexity of DPA-style attacks grows exponentially with the operand size and thus DPA-style attacks quickly become practically infeasible. We however propose a novel DPA-style attack strategy that scales linearly with respect to the operand size in the chosen-message attack setting.

1 INTRODUCTION ever are different: they offer a potentially ‘high reso- lution’ for the adversary. In principle, under suitably Ciphers that base their round function on the sim- strong assumptions, adversaries can not only observe ple combination of modular addition, rotation, and leaks for all instructions that are executed on a proces- exclusive-or, (short ARX) have gained recent popu- sor, but indeed attribute leakage points (more or less larity for their lightweight implementations that are accurately) to instructions (Mangard et al., 2007). suitable for resource constrained devices. Some re- Achieving security in this scenario has proven to cent examples include Chacha20 (Nir and Langley, be extremely challenging, and countermeasures such 2015) and Salsa20 (Bernstein, 2008) family stream as masking (secret sharing) are well understood but ciphers, SHA-3 finalists BLAKE (Aumasson et al., costly (Schneider et al., 2015). In the case of ARX 2008) and SKEIN (Ferguson et al., 2010), as well as constructions one has to cope with the fact that there other block ciphers such as SPECK (Beaulieu et al., are Boolean operations (requiring Boolean masking 2015), SPARX (Dinu et al., 2016) and the related or secret sharing) and arithmetic operations (requir- SPARKLE (Beierle et al., 2008) which made into the ing arithmetic masking or secret sharing). Thus se- second round of the NIST lightweight cipher compe- curing ARX ciphers against power (and EM) attacks tition. Another second round candidate of the NIST is potentially very costly; unless, it could be argued lightweight competition Gimli (Bernstein et al., 2017) that they are inherently ‘secure enough’ against such also proposed a variation, namely Gimli-SPARX, that attacks that “non-provable” countermeasures (such as has adopted the ARX paradigm. hiding via randomisation of instructions, etc.) could The fact that the round function has an efficient possibly suffice. The most recent work on securing and simple expression via functions that are typi- ARX implementations is (Jungk et al., 2018). cally available as instructions on small embedded de- It is well known that completely linear targets such vices enables excellent performance with respect to as the rotation and the exclusive-or operation are dif- code size, execution time and energy consumption. ficult to attack with differential (power or EM) anal- Any implementation on an embedded device however ysis (DPA for short): attacks on such targets require also needs to be able to withstand the threat of Side- many more traces than attacks on highly non-linear Channel (timing, power, EM, cache) Attacks (SCA, target functions, and even with a very large number for short). The absence of key dependent loops, or of leakage traces there remains some keys that cannot indeed tables, implies resistance to timing and cache be distinguished from each other (Prouff, 2005). attacks. Power (and synonymously EM) attacks how-

Yan, Y., Oswald, E. and Vivek, S. An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage. DOI: 10.5220/0010223600890097 In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 89-97 ISBN: 978-989-758-491-6 Copyright c 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

1.1 Background and Related Work on To date, the Butterfly attack (Zohner et al., 2012) SCA on ARX Ciphers remains the most effective result in attacking modular addition. This attack demonstrated that it is possi- The idea of combining addition modulo 2n, exclusive- ble to improve on straightforward DPA-style attacks or, and rotation as a round function, has been sug- when targeting modular additions by testing pairs of gested as early as 1987 in the block cipher FEAL correlations induced by the symmetrical structure of (Shimizu and Miyaguchi, 1988). Since NIST kick- modular additions. However Butterfly attacks are started its lightweight cryptography project in 2015, constrained by the fact that knowledge of one adder is the interest in ARX constructions has received re- required which does not hold for some ARX ciphers newed interest. The ciphers SIMON and SPECK such as SPECK (Beaulieu et al., 2015) and SPARX (Beaulieu et al., 2015), which were submitted to the (Dinu et al., 2016). first of the two workshops hosted by NIST, gained a considerable amount of interest from within the 1.2 Our Contribution crypto community. In 2016 the SPARX family of ciphers was introduced (Dinu et al., 2016). In this paper we propose a novel attack strategy The appeal of the ARX construction is primarily against the modular addition in ARX-Boxes. Our in the fact that when choosing n equal to the word size method, in comparison to previous work, requires no of a processor, software implementations gain consid- knowledge of the adders and thus is more generally erable speedups. Furthermore, because the non-linear applicable on targets where a Butterfly attack is not component is given by the addition modulo 2n, it does an option, such as SPECK (Beaulieu et al., 2015) and not need to be encoded as a table lookup which sig- SPARX (Dinu et al., 2016). nificantly reduces the memory usage. The absence Our method requires to obtain the leakage from of lookup tables is also perceived as a distinctive ad- the result of the modular addition only, which we need vantage when the threats of various side channel at- to be a bit-linear function (e.g. Hamming Weight, or tacks are considered (Biryukov et al., 2016; Biryukov weighted Hamming weight with positive weights of and Perrin, 2017; Dinu et al., 2016). The absence similar magnitude). We only need to be able to ob- of cache also implies that the instructions are always serve if the leakage increases, decreases, or remains performed in a constant time and thus there is unlikely the same upon a single-bit flip in the plaintext. Based any key dependent leakage exploitable in the execu- on this information, we show how to reconstruct the tion time (Dinu et al., 2016). Being free from the ta- adder output. With the adder output, and based on a bles also significantly reduces the number of mem- further related plaintext, we then show how to recon- ory accesses as these instructions have shown to be struct the secret key. the most exploitable targets in power analysis attacks We consider our novel methodology of indepen- (Biryukov et al., 2016). dent theoretical interest as we leverage minimal side However, it has been shown in (Yan and Os- channel leakage to perform a cryptanalytic-style anal- wald, 2019) that na¨ıve implementations of ARX ci- ysis for ARX constructions. phers may still leave vulnerabilities easily exploitable. In (Yan and Oswald, 2019), the authors simply 1.3 Organisation of the Paper attempted straightforward correlation power analysis attacks on the reference implementation of the In Section 2 we formalise our attack on ARX-Boxes SPARX cipher (Dinu et al., 2016) on some real plat- as the (Noisy) Hidden Adder Problem, (N)HAP, and forms, and found that the key was efficiently recov- propose its sub-problem the (Noisy) Hidden Sum ered exploiting the leakage amplified by consecutive Problem, (N)HSP. In Section 3 we explain how HSP XOR and shifting instructions. can be solved, then use the solution to solve HAP in Nevertheless, for the modular addition in ARX- Section 4 thus providing a full key recovery attack Boxes, the authors of (Yan and Oswald, 2019) re- given ideal leakage. Section 5 completes the attack by ported unsuccessful attacks targeting the addition in- adapting the attack to noisy leakage. We present sim- struction which coincide with the previous results re- ulation results in Section 5.1 and also discuss practical ported by (Biryukov et al., 2016) and that align with considerations. (Yan and Oswald, 2019; Zohner et al., 2012; Dinu et al., 2016): their argument is that the weak non- 1.4 Notation linearity of modular addition leaves a relatively lower margin in distinguishing the keys comparing to a typ- In this work we frequently use both the integer and the ical S-Box instruction. binary representation of operands. The notation [x]

90 An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

indicates the binary representation of a non-negative 2.1 Outline of Our Attack integer x: n−1 In a nutshell, there are two steps in our attack strat- i x = [x]n−1[x]n−2...[x]1[x]0 = ∑ 2 [x]i, egy. The first step is to recover the sum s(x,y) from i=0 the leakage. From there, we then recover the subkeys hence [x]i denotes the i-th bit of [x]. The notation [x][y] (α,β) by solving equations involving x,y and s(x,y). implies the concatenation of two bit strings [x] and We begin by explaining how the attack works in an [y]. The notation [x]k denotes k times repetition of [x]. ideal world where the adversary observes ideal leak- Specifically, [∗]k denotes an arbitrary k-bit string. age without the Gaussian noise e, and then we show In this paper we assume that all integers are drawn how such solution can be adapted to realistic noisy + from Z2n , where n ∈ N . The denotes modular ad- leakage by using statistical methods. To this end, we dition over Z2n . HW(x) denotes the Hamming weight define the following problems: of [x]. For a n-bit integer x, xe refers to the (one’s) Definition 1 (Hidden Adder Problem (HAP)). Let complement of x, where all the bits are flipped. That (α,β) be randomly chosen from Z2n × Z2n . The ad- is, versary chooses as many pairs x,y ∈ Z2n and obtains x = x ⊕ ( n − ). e 2 1 leakage of the form HW(s(x,y)) = HW((x⊕α)(y⊕ We often require to be able to change the value of β)) for each pair. The adversary must then recover a single bit to its complement (i.e. we flip a bit, but (α,β). leave all other bits unchanged). For this purpose we Definition 2 (Noisy Hidden Adder Problem define the flip function Fi(x) which returns x with the (NHAP)). Let (α,β) be randomly chosen from i-th bit flipped: Z2n × Z2n . The adversary chooses as many pairs i Fi(x) = x ⊕ 2 . x,y ∈ Z2n and obtains leakage of the form Lα,β(x,y) = HW(s(x,y)) + e = HW((x ⊕ α) (y ⊕ β)) + e where e ∼ N (0,σ2). The adversary must then recover 2 PROBLEM DESCRIPTION (α,β). Note that HAP (and so is NHAP) reflects the ul- In this work we explore alternative SCA strategies timate goal of the adversary to reveal the subkeys when targeting the modular addition in a more gen- (α,β). To explain our attack, we further define eral setting as described by the generalised ARX-Box two sub-problems of HAP and NHAP called Hidden in (Yan and Oswald, 2019): Sum Problem (HSP) and Noisy Hidden Sum Problem (NHSP): s(x,y) := (x ⊕ α) (y ⊕ β), (1) where (x,y) are some known input values and (α,β) Definition 3 (Hidden Sum Problem (HSP)). Let are the unknown sub-keys. All x,y,α,β and s(x,y) are (α,β) be randomly chosen from Z2n × Z2n . The ad- n-bit variables. We further assume an adversary who versary chooses as many pairs x,y ∈ Z2n and obtains is able to choose input pairs (x,y), and observe the leakage of the form HW(s(x,y)) = HW((x⊕α)(y⊕ (noisy) leakage of s(x,y). For simplicity we assume β)) for each pair. The adversary must then recover that the (noisy) leakage is the Hamming weight with s(x,y). Gaussian noise, which is the most commonly consid- Definition 4 (Noisy Hidden Sum Problem (NHSP)). ered leakage model in side-channel literature: Let (α,β) be randomly chosen from Z2n × Z2n . The adversary chooses pairs x,y ∈ Z2n and obtains L(x,y) = HW(s(x,y))+e = HW((x⊕α)(y⊕β))+e, leakage of the form Lα,β(x,y) = HW(s(x,y)) + e = where the Gaussian noise e ∼ (0,σ2). We note that N HW((x ⊕ α) (y ⊕ β)) + e where e ∼ (0,σ2). The our statements also hold for a more general bit-linear N adversary must then recover s(x,y). model assuming that all coefficients have the same sign. The adversaries in the problems HSP and NHSP The goal of the adversary is to recover the subkeys are given exactly the same form of leakage as the (α,β) given a set of chosen inputs (x,y) and their as- adder problems (HAP and NHAP). Only their goals sociated leakage L(x,y). Later in Section 5 we ex- are changed to recover the sum s(x,y) in the sum plain that how the chosen inputs requirement can be problems rather than the sub-keys in the adder prob- relaxed in different settings. lems. We model our attack that exploits ideal and noisy In this paper, we always consider the general case leakage as the Hidden Adder Problem (HAP) and where n ≥ 2. For the special case where n = 1, we Noisy Hidden Adder Problem (NHAP), respectively, have as formalised in Definition 1 and Definition 2. HW(s(x,y)) = s(x,y) = x ⊕ α ⊕ y ⊕ β

91 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

which immediately gives α ⊕ β given HW(s(x,y)),x Also, and y. It should also be noted that as shown in (Yan s0 ≡ ∆s ([x] ) + s and Oswald, 2019), any side-channel attack target- n−1 y n−1 n−2 ing the modular addition of the generalised ARX-Box n−1 i n will yield at least two pairs of the subkeys. Conse- ≡ ∆sy([x]n−1) + [s]n−12 + ∑ [s]i · 2 (mod 2 ). i=0 quently, as we will see later in Section 4, all the above (5) problems have at least two pairs of solutions in (α,β). Note that [s]n−1 ∈ {0,1}, ∆sy([x]n−1) ∈ {+2n−1,−2n−1} according to Equation (2), and −2n−1 mod 2n = +2n−1. Equation (5) can, there- 3 SOLVING THE HIDDEN SUM fore, be categorised into four cases: n−1 PROBLEM 1. If [s]n−1 = 0, ∆sy([x]n−1) = +2 , then

Our solution to the HSP recovers s(x,y) one bit at a n−2 s0 = (+2n−1 + 0 · 2n−1 + [s] 2i)(mod 2n) time. Starting from the MSB down to the LSB, we flip n−1 ∑ i i=0 each bit of x and observe the resulting differences in = [1][s] ...[s] [s] . the Hamming weight leakage. In the end we recover n−2 1 0 all bits of the hidden sum s(x,y). We abbreviate s := 2. If [s] = 0, ∆s ([x] ) = −2n−1, then 0 n−1 y n−1 s(x,y) and si := s(Fi(x),y), which are the sum, and n−2 the sum with [x]i flipped, respectively. 0 n−1 n−1 i n s = (−2 + 0 · 2 + [s]i2 )(mod 2 ) Since flipping [x]i also flips the bit [x ⊕ α]i, this n−1 ∑ i= effectively changes the sum by ±2i due to commuta- 0 tivity of addition. In the following sections we explain = [1][s]n−2...[s]1[s]0. how to exploit this property of s(x,y) to solve HSP. n−1 3. If [s]n−1 = 1, ∆sy([x]n−1) = +2 , then Define ∆sy([x]i) to be the difference in s(x,y) in- [x] n−2 duced by flipping i. We have: 0 n−1 n−1 i n sn− = (+2 + 1 · 2 + [s]i2 )(mod 2 ) i n 1 ∑ ∆sy([x]i) ≡ s(Fi(x),y) − s(x,y) ≡ ±2 (mod 2 ). i=0 (2) = [0][s]n−2...[s]1[s]0. Equivalently, 4. If [s] = 1, s ([x] ) = −2n−1, then i n−1 ∆ y n−1 s(Fi(x),y) = s(x,y) ± 2 . (3) n−2 0 n−1 n−1 i n 3.1 Recovering the MSB sn−1 = (−2 + 1 · 2 + ∑ [s]i2 )(mod 2 ) i=0 = [0][s] ...[s] [s] . In this section we give a solution that recovers the n−2 1 0 MSB of s, which is the base case for our algorithm. Observe that in Cases 1 and 2, where [s]n−1 = 0, Note that the MSB of s can be reduced to XORing we have c 0 the carry bit from the sum of the lower-order bits, sn−1 = [1][s]n−2...[s]1[s]0. and the MSBs of x ⊕ α and y ⊕ β. Because flipping Similarly, in Cases 3 and 4 where [s]n−1 = 1, we have [x]n−1 flips [x ⊕ α]n−1 and thus [s]n−1, the adversary 0 can determine that [s]n−1 = 0 if the Hamming weight sn−1 = [0][s]n−2...[s]1[s]0. increases (from 0 to 1) and vice versa. Therefore, we obtain Lemma 1. Given x, y, Hamming weights of the sums HW(s0 ) = s(x,y) and s(Fn−1(x),y), the MSB of the sum s is: n−1 HW(1) + HW([s]n−2[s]n−3...[s]1[s]0)if [s]n−1 = 0, ( 0 HW(0) + HW([s] [s] ...[s] [s] )if [s] = 1. 0 if HW(sn−1) − HW(s) > 0, n−2 n−3 1 0 n−1 [s]n−1 = 0 (6) 1 if HW(sn−1) − HW(s) < 0. Denote by ∆HWn−1 the (signed) difference in 0 Proof. We can write HW(s) as: Hamming weight between s to sn−1. Subtracting Equation (6) by Equation (4), we have: HW(s) = HW([s]n−1) + HW([s]n−2[s]n−3...[s]1[s]0). 0 (4) ∆HWn−1 = HW(sn−1) − HW(s) HW(1) − HW(0) = +1 if [s]n− = 0, (7) = 1 HW(0) − HW(1) = −1 if [s]n−1 = 1.

92 An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

Algorithm 1: Compute MSB of s. • Whether there exists or not a carry bit (either positive or negative), function [s]n−1 = GetMsb(x,y) 0 • ∆HW = HW(sn−1) − HW(s); If there exists a carry bit, then if ∆HW > 0 then – Whether the carry triggers an overflow (and return 0; hence modular reduction). else return 1; We next analyse each of the above cases. end if No Carry Bit. In the following conditions there is no end function carry bit: n−m 1. If [s]n−m = 0 and ∆sy([x]n−m) = +2 , then Observing Equation (7), we can see that the sign ∆HWn−m = +1. n−m of ∆HWn−1 solely depends on [s]n−1. Since both 2. If [s]n−m = 1 and ∆sy([x]n−m) = −2 , then 0 HW(sn−1) and HW(s) can be obtained as (ideal) ∆HWn−m = −1. leakage, we can thus recover [s]n−1 by computing Otherwise there must exist a carry bit. ∆HW and then applying Equation (7). n−1 Carry Bit. The existence of a carry bit implies either Algorithm 1 provides the pseudo code for recov- one of the following conditions: n−m ering the MSB. • Case C1 : [s]n−m = 1 and ∆sy([x]n−m) = +2 . n−m • Case C2 : [s]n−m = 0 and ∆sy([x]n−m) = −2 . 3.2 Recovering the m-th Bit is satisfied. This can be further categorised into: In Section 3.1 we explained how the MSB of s = Overflow. In this case, all the bits of sknown are s(x,y) can be recovered by the noiseless Hamming flipped after the addition: weight leakage. We now show how to recover the 1. In the Case C1, it is required that sknown = m−1 remaining bits. [1] . The propagation results in sknown m−1 flipped to [0] , with ∆HWn−m = −m. Lemma 2. Suppose we flip the bit [x]n−m. If: 2. In the Case C2, it is required that sknown = 0 m−1 • HW(sn−m) > HW(s), then [s]n−m = 0, [0] . The propagation results in sknown m−1 0 flipped to [1] , with ∆HWn−m = +m. • HW(sn−m) = HW(s), then [s]n−m = [es]n−(m−1), 0 No Overflow. In this case, only a part of sknown is • HW(sn−m) < HW(s), then [s]n−m = 1, flipped after adding ∆sy([x]n−m). Denote by k ∈ for 2 ≤ m ≤ n. [0,m − 2] the number of bits flipped in sknown Proof. We assume that the higher-order m − 1 bits of before the carry propagation terminates, then s: 1. In the Case C1, the carry propagation terminates at the least significant [0] of s which sknown = [s]n−1[s]n−2...[s]n−(m−1) known is required to have the form has been determined. The goal is then to recover k the next bit [s]n−m. According to Equation (3), when sknown = [s]n−1...[s]n−(m−(k+2))[0][1] . [x] is flipped, we have the flipped sum s0 : n−m n−m n−m After the addition with ∆sy([x]n−m) = +2 , 0 s changes to sn−m = s + ∆sy([x]n−m) (8) known n−m k where ∆sy([x]n−m) = ±2 . [s]n−1...[s]n−(m−(k+2))[1][0] . In the RHS of Equation (8), bits “lower” than Therefore ∆HWn−m = −k. [s]n−m is unchanged after the addition operation and thus does not affect the Hamming weight. On the 2. The Case C2 is just the opposite of C1 with other hand, the addition to (or subtraction from) ∆HWn−m = +k. [s]n−m may potentially generate a carry bit that propa- Table 1 summarises the above scenarios. It is s gates through bits “higher” than [ ]n−m and result into shown that positive ∆HWn−m implies [s]n−m = [0] a change of Hamming weight. and negative ∆HWn−m implies [s]n−m = [1] as both HW Let ∆ n−m be the (signed) change of Hamming m,k ≥ 0. The case ∆HWn−m = 0 is only possible when weight induced by flipping [x]n−m: k = 0, which indicates a carry bit exists without over- 0 flow. In such a case sknown is required to be either: ∆HWn−m = HW(sn−m) − HW(s). (9) m−2 • sknown = [∗] [1], for [s]n−m = 0, or We can categorise ∆HWn−m by:

93 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

Table 1: ∆HW under different conditions, where 2 ≤ m ≤ n, Algorithm 3: Compute s. 0 ≤ k ≤ m. function s = GetSum(x,y) Conditions ∆HWn−m . We initialise the sum to its MSB [s]n−m ∆sy([x]n−m) Overﬂow? sknown s = GetMsb(x,y); +2n−m No [∗]m−1 +1 [0] Yes [0]m−1 +m . Recover one bit at a time from 2nd MSB to −2n−m No [∗]m−(k+2)[1][0]k +k LSB Yes [1]m−1 -m +2n−m for (m = 2;m ≤ n;m + +) do [1] No [∗]m−(k+2)[0][1]k -k n−m m−1 s = [s][GetNextBit(x,y,m,s)]; −2 No [∗] -1 end for return s; Algorithm 2: Compute m-th signiﬁcant bit [s]n−m (2 ≤ m ≤ end function n).

function [s]n−m = Lemma 3. Let ∆ := ((s(x,y) − s(x,y) − 1) n e GetNextBit(x,y,m,[s]n−1[s]n−2...[s]n−(m−1)) (mod 2 )) 1 (here refers to the right shift 0 ∆HW = HW(sn−1) − HW(s); operator). if ∆HW > 0 then The solutions to HAP are: return 0; α = ∆ ⊕ x else if ∆HW < 0 then n return 1; β = y ⊕ ((s(x,y) − ∆)(mod 2 )) else . ∆HW == 0 or if [s] == 0 then ( n−m+1 α = (∆ 2n−1) ⊕ x return 1; else β = y ⊕ ((s(x,y) − (∆ + 2n−1)) (mod 2n)), return 0; for arbitrary x,y ∈ n . end if Z2 end if Proof. Observe that for any x ∈ Z2n , we have end function n xe⊕ α = x]⊕ α = 2 − 1 − (x ⊕ α). m−2 • sknown = [∗] [0], for [s]n−m = 1. Hence

In either case, [s]n−m can be determined by the LSB of sknown. s(x,y) − s(xe,y) To summarise, given HW , we can uniquely n ∆ n−m = ((x ⊕ α) + (y ⊕ β)) − ((xe⊕ α) + (y ⊕ β)) (mod 2 ), determine [s]n−m. = (x ⊕ α) − (2n − 1 − (x ⊕ α)) (mod 2n), Algorithm 2 provides the pseudo code that com- = 2(x ⊕ α) + 1 (mod 2n). putes s for 2 ≤ m ≤ n. n−m Note that we have already computed the values s(x,y) 3.3 Complete Solution to HSP and s(xe,y) in Section 3. Since 2 is not co-prime to the modulo 2n, there are exactly two values of x ⊕ α that satisfy the above equation: ∆ and ∆ 2n−1. Hence the Combining the methods described in Section 3.1 and lemma follows. Section 3.2, we now have a full solution to the HSP, as summarised in Algorithm 3. Notice that the same Algorithm 4 provides the pseudo code for solving HW(s) can indeed be reused in Algorithm 1 and Al- HAP. The algorithm has trace complexity O(n) - re- gorithm 2 ; hence Algorithm 3 only needs n+1 traces quiring 2n + 2 calls to the (ideal) leakage function. to recover s(x,y).

5 CONVERTING TO NOISY 4 SOLVING HAP LEAKAGE

In this section we show how HAP (cf. Deﬁnition 1) In a real world attack setting an adversary is unlikely can be solved using a solution to HSP (cf. Section 3). to have noise free leakages. We thus now consider how to translate the developed attack strategy into a more realistic setting.

94 An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

Algorithm 4: Compute (α,β). Algorithm 5: Determine sign of ∆HW.

function (α,β) = GetAlphaBeta(void) function ∆HW = CompareHW(S1,S2) Pick arbitrary (x,y); (t, p) = test(S1,S2) if p/2 ≥ Signi ficanceLevel then . Accept . Compute s(x,y) and s(xe,y) by Algorithm 3 S0 = GetSum(x,y); ∆HW = 0 return 0 S1 = GetSum(xe,y); . Recover (α,β) using Lemma 3 else a1 = ((S0 − S1 − 1)(mod 2n)) >> 1; if t > 0 then . +1 for positive ∆HW. a2 = a1 ⊕ 2n−1; return +1 b1 = y ⊕ ((S0 − a1) mod 2n); else . −1 for negative ∆HW. b2 = y ⊕ ((S0 − a2) mod 2n); return −1 return {(a1,b1),(a2,b2)}; end if end function end if end function In principle, the reduction explained in Section 4 also holds for NHAP to NHSP, as long as the adver- plaintexts are known to the adversary and for each bit sary is able to recover s(x,y) given the noisy leak- the adversary can induce an i-th bit flip of either x, y, age in NHSP. Further examining the HSP solution α or β. in Section 3, we see it is indeed sufficient to solve Checking the Recovered Key-pair. In many attacks HSP given only the signs of the difference ∆HWi = utilising side channel information another practically 0 HW(si) − HW(s),i ∈ [0,n − 1]. In the case of noisy relevant question is that of which part of the side leakages we can reveal this difference by sampling the channel trace to use (often not just a single value is leakage function (i.e. the device) multiple times on available but a vector of leakages). Typical side chan- the same input. We thus get two sets of leakages: nel attacks proceed via applying the analysis to all leakage points independently (this lends itself to an S = {HW(s0) + e}, 1 i efficiently parallelisable algorithm). This technique S2 = {HW(s) + e}. applies also to our attack: each leakage point eventu- Clearly by subtracting the averages of these sets, we ally gives one key pair. We can test each key pair via can recover ∆HWi also in the noisy case. Moreover a pair of known plaintext and ciphertext. In case of a because we are only interested in the sign of ∆HWi, plaintext only attack, another test would be possible: we can hope that in practice we don’t require ‘large’ if we set x = α and y = β then both adder inputs are sets. To add a bit more rigour, we opted to implement equal to 0 which can be detected by a collision anal- a standard two-tailed t-test in our experiments. A two- ysis (Schramm et al., 2004; Bogdanov, 2007; Moradi tailed test can tell us if et al., 2010). 0 • HW(si) = HW(s), 0 5.1 Experiments • HW(si) > HW(s), or 0 • HW(si) < HW(s). Attack simulations are a valuable tool because they Algorithm 5 summarises the pseudo code that de- enable us to produce results quickly for different sets termines the sign of ∆HW. It first conducts a two- of parameter choices. In the absence of detailed char- tailed test: acterisations of devices and their actual power mod- H0 : S1 = S2 els, one cannot fall back on established statistical techniques such as a power-based sample size anal- H : S 6= S 1 1 2 ysis to derive how many leakage traces are necessary using a set significance level, and interprets the result in practice to conduct successful attacks. Thus simu- in terms of the sign of ∆HWi. lations are the established ‘workaround’ when exam- Alternative to Chosen Input Requirement. Due to ining new attack techniques. The attack is mainly af- the symmetric structure of Equation (1), Lemma 2 fected by three parameters in practice. These are the also applies when the i-th bit of y is flipped. It should noise distribution (characterised by σ), the number of also be noted that flipping the i-th bit of α is effec- repeat queries to the leakage function N, and the sig- tively equivalent of flipping the i-th bit of x: nificance level of the two-tailed test. It is well under- x ⊕ Fi(α) = Fi(x) ⊕ α = Fi(x ⊕ α) stood that these three quantities jointly determine how well a test performs, and thus in turn, how often our and vice versa for y and β. Therefore our attack can attack succeeds. also be achieved in a fault attack set up where the

95 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

6 CONCLUSIONS

We present a novel theoretical concept to attack the modular addition in the context of ARX ciphers using side channel leakage. Our assumptions are minimal w.r.t. the leakage because we only require to observe a change in the leakage magnitude relating to the adder output in an implementation. Our paper de- (a) Significance level of 0.01 tails the mathematical idea using idealised Hamming weight leakage information at first, and then discusses an adaptation to cope with a noisy leakage function. To ascertain the impact of noise we provide a case study and via simulations we demonstrate the impact and trade-off between noise and significance level that would need to be considered in practice. Purely from a practical perspective, there exists a more powerful attack for ARX ciphers on a spe- (b) Significance level of 0.05 cific class of devices as described in (Yan and Os- Figure 1: Simulation results for the attack. The left figure wald, 2019). They observe a device specific effect shows the success rate as a function of the number of leak- called leakage amplification that makes the attack on age traces (per query) when choosing a significance of 0.01. the rotation very trace efficient on a specific type of The right figure is identical but for a significance of 0.05. device. We are not aware of any successful attack We simulated the attack with 16-bit word size however, beyond the Butterfly attack that requires a (n = 16) which has been chosen in certain ARX ci- known adder input, on the modular addition in the phers such as SPARX. Algorithm 5 is implemented context of an ARX cipher. 1 Thus we believe our contribution is of general using a t-test . S1 and S2 are chosen to have the same sample size for simplicity. We simulated the attack cryptanalytic interest because it opens up a new av- using different configurations where σ ∈ [0.1,6] and enue for analysing modular additions utilising rather N ∈ [100,1000]. Recall that N is the number of sam- generic leakage from the adder output. ples used for each tests. A complete attack hence uses 2N(n + 1) traces. The result follows our expectations in general. For ACKNOWLEDGEMENTS the same choice of significance level, the number of traces required to achieve the same success rate in- This work has been funded in parts by the European creases as the noise variance increases. This directly Union (EU) via the ERC project 725042 (acronym derives from the fact that the power of t-test weak- SEAL). The third author’s work was funded by the ens as the noise variance increases. With the same INSPIRE Faculty Award (DST, Govt. of India). amount of traces and the same noise level, the significance level of 0.05 has a lower success rate cap than 0.01, which are around 0.74 and 0.96, respectively. REFERENCES But in return the former also showed a better noise tolerance than the latter. Since the significance level Aumasson, J.-P., Henzen, L., Meier, W., and Phan, R. C.- of 0.05 implies a higher rate of false positives in re- W. (2008). SHA-3 proposal BLAKE. Submission to turn for less traces required; thus the results follow an NIST. expected and natural trend. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., and Wingers, L. (2015). The SIMON and SPECK lightweight block ciphers. In Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, June 7-11, 2015, pages 175:1– 175:6. ACM. Beierle, C., Biryukov, A., dos Santos, L. C., Großschadl,¨ 1We follow the assumption of Gaussian noise, which J., Perrin, L., Udovenko, A., Velichkov, V., and Wang, motivates the choice of the t-test. Thus if noise follows a Q. (2008). SchwaemmandEsch: Lightweight Authen- different distribution, then a different two-tailed test could ticated Encryption andHashing using the Sparkle Per- Inf. Comput. be used. mutation Family. , 206(2-4):378–401.

96 An Analytic Attack against ARX Addition Exploiting Standard Side-channel Leakage

Bernstein, D. J. (2008). The Salsa20 Family of Stream Ci- Prouff, E. (2005). DPA attacks and s-boxes. In Fast Soft- phers. In Robshaw, M. J. B. and Billet, O., editors, ware Encryption: 12th International Workshop, FSE New Stream Cipher Designs - The eSTREAM Final- 2005, Paris, France, February 21-23, 2005, Revised ists, volume 4986 of Lecture Notes in Computer Sci- Selected Papers, pages 424–441. ence, pages 84–97. Springer. Schneider, T., Moradi, A., and Guneysu,¨ T. (2015). Arith- Bernstein, D. J., Kolbl,¨ S., Lucks, S., Massolino, P. M. C., metic addition over boolean masking - towards first- Mendel, F., Nawaz, K., Schneider, T., Schwabe, P., and second-order resistance in hardware. In Applied Standaert, F.-X., Todo, Y., and Viguier, B. (2017). Cryptography and Network Security - 13th Interna- Gimli : A cross-platform permutation. In Fischer, tional Conference, ACNS 2015, New York, NY, USA, W. and Homma, N., editors, Cryptographic Hardware June 2-5, 2015, Revised Selected Papers, pages 559– and Embedded Systems – CHES 2017, pages 299– 578. 320, Cham. Springer International Publishing. Schramm, K., Leander, G., Felke, P., and Paar, C. (2004). Biryukov, A., Dinu, D., and Großschadl,¨ J. (2016). Cor- A collision-attack on AES: combining side channel- relation power analysis of lightweight block ciphers: and differential-attack. In Joye, M. and Quisquater, J., From theory to practice. In Manulis, M., Sadeghi, editors, Cryptographic Hardware and Embedded Sys- A., and Schneider, S., editors, Applied Cryptogra- tems - CHES 2004: 6th International Workshop Cam- phy and Network Security - 14th International Confer- bridge, MA, USA, August 11-13, 2004. Proceedings, ence, ACNS 2016, Guildford, UK, June 19-22, 2016. volume 3156 of Lecture Notes in Computer Science, Proceedings, volume 9696 of Lecture Notes in Com- pages 163–175. Springer. puter Science, pages 537–557. Springer. Shimizu, A. and Miyaguchi, S. (1988). FEAL - fast data Biryukov, A. and Perrin, L. (2017). State of the art in encipherment algorithm. Systems and Computers in lightweight symmetric cryptography. IACR Cryptol- Japan, 19(7):20–34. ogy ePrint Archive, 2017:511. Yan, Y. and Oswald, E. (2019). Examining the practical Bogdanov, A. (2007). Improved side-channel collision at- side channel resilience of ARX-boxes. In Palumbo, tacks on AES. In Adams, C. M., Miri, A., and Wiener, F., Becchi, M., Schulz, M., and Sato, K., editors, Pro- M. J., editors, Selected Areas in Cryptography, 14th ceedings of the 16th ACM International Conference International Workshop, SAC 2007, Ottawa, Canada, on Computing Frontiers, CF 2019, Alghero, Italy, August 16-17, 2007, Revised Selected Papers, volume April 30 - May 2, 2019., pages 373–379. ACM. 4876 of Lecture Notes in Computer Science, pages Zohner, M., Kasper, M., and Stottinger,¨ M. (2012). 84–95. Springer. Butterfly-attack on Skein’s modular addition. In Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Schindler, W. and Huss, S. A., editors, Construc- Großschadl,¨ J., and Biryukov, A. (2016). Design tive Side-Channel Analysis and Secure Design - Third strategies for ARX with provable bounds: SPARX International Workshop, COSADE 2012, Darmstadt, and LAX. In Cheon, J. H. and Takagi, T., editors, Germany, May 3-4, 2012. Proceedings, volume 7275 Advances in Cryptology - ASIACRYPT 2016 - 22nd of Lecture Notes in Computer Science, pages 215– International Conference on the Theory and Applica- 230. Springer. tion of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, volume 10031 of Lecture Notes in Computer Science, pages 484–513. Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bel- lare, M., Kohno, T., Callas, J., and Walker, J. (2010). The Skein hash function family. Submission to NIST (round 3), 7(7.5):3. Jungk, B., Petri, R., and Stottinger,¨ M. (2018). Effi- cient side-channel protections of ARX ciphers. IACR Transactions on Cryptographic Hardware and Em- bedded Systems, 2018(3):627–653. Mangard, S., Oswald, E., and Popp, T. (2007). Power analysis attacks - revealing the secrets of smart cards. Springer. Moradi, A., Mischke, O., and Eisenbarth, T. (2010). Correlation-enhanced power analysis collision attack. In Mangard, S. and Standaert, F., editors, Crypto- graphic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings, volume 6225 of Lecture Notes in Computer Science, pages 125–139. Springer. Nir, Y. and Langley, A. (2015). ChaCha20 and Poly1305 for IETF Protocols. RFC 7539 (Informational).