Journal of Cryptographic Engineering https://doi.org/10.1007/s13389-018-0180-2 REGULAR PAPER MEAS: memory encryption and authentication secure against side-channel attacks Thomas Unterluggauer1 · Mario Werner1 · Stefan Mangard1 Received: 14 June 2017 / Accepted: 11 January 2018 © The Author(s) 2018. This article is an open access publication Abstract Memory encryption is used in many devices to protect memory content from attackers with physical access to a device. However, many current memory encryption schemes can be broken using differential power analysis (DPA). In this work, we present Meas—the first Memory Encryption and Authentication Scheme providing security against DPA attacks. The scheme combines ideas from fresh re-keying and authentication trees by storing encryption keys in a tree structure to thwart first-order DPA without the need for DPA-protected cryptographic primitives. Therefore, the design strictly limits the use of every key to encrypt at most two different plaintext values. Meas prevents higher-order DPA without changes to the cipher implementation by using masking of the plaintext values. Meas is applicable to all kinds of memory, e.g., NVM and RAM. For RAM, we give two concrete Meas instances based on the lightweight primitives Ascon, PRINCE, and QARMA. We implement and evaluate both instances on a Zynq XC7Z020 FPGA showing that Meas has memory and performance overhead comparable to existing memory authentication techniques without DPA protection. Keywords Side-channel attacks · DPA · Memory · Encryption · Authentication 1 Introduction Contrary to that, in many situations in the Internet of Things (IoT), a physical attacker is in possession of a running Memory encryption is the standard technique to protect device, or can turn a device on. In these cases, the attacker data and code against attackers with physical access to a can, for example, observe and tamper with data in RAM. As memory. It is widely deployed in state-of-the-art systems, a result, memory encryption and tree-based authentication such as in iOS [2], Android [22], Mac OS X [1], Win- techniques, e.g., Merkle trees [40], Parallelizable Authenti- dows [19], and Linux [26,36]. Typical encryption schemes cation Trees [27] (PAT) and Tamper Evident Counter [18] employed in these systems are Cipher-Block-Chaining with (TEC) trees, are increasingly deployed to protect data in Encrypted Salt-Sector IV (CBC-ESSIV) [20], Xor-Encrypt- RAM. As one prominent example, RAM encryption and Xor (XEX) [47], and XEX-based Tweaked codebook mode authentication was only recently adopted in consumer prod- with ciphertext Stealing (XTS) [30]. These schemes success- ucts with Intel SGX [25]. Similarly, there are efforts to fully prevent attackers from accessing memory content when encrypt RAM on AMD [32] and ARM systems [29]aswell. the device is shut off and the encryption key is not present However, whenever a physical attacker has access to a on the device, e.g., an encrypted USB flash drive. running device, the attacker is also capable of performing side-channel attacks. This means that the attacker cannot just read and tamper with the memory, but is also capa- B Thomas Unterluggauer [email protected] ble of measuring side-channel information, such as the power consumption of the hardware, during the encryption Mario Werner [email protected] and authentication of the memory. The attacker can then exploit such side-channel information to learn the secret key Stefan Mangard [email protected] used for memory encryption and authentication. In prac- tice, an attacker performing both passive, e.g., bus probing, 1 Institute for Applied Information Processing and and active, e.g., data spoofing, attacks on the memory, is Communications, Graz University of Technology, also capable of observing side-channel information, e.g., by Inffeldgasse 16a, 8010 Graz, Austria 123 Journal of Cryptographic Engineering attaching an oscilloscope for measuring the power, during the prevent DPA on memory encryption. While re-keying com- actual encryption or authentication process. As such, side- pletely thwarts DPA on the cryptographic key, our major channel attacks are realistic for any physical attacker when result here is that re-keying provides merely first-order DPA given access to a running device. One particularly strong class security for the memory content itself. In particular, we show of side-channel attacks is differential power analysis [34] that the read–modify–write access patterns inevitably occur- (DPA), which allows successful key recovery from observ- ring in encrypted memory allow for profiled, higher-order ing the power consumption during the encryption/decryption DPA attacks that leak constant plaintext data when re-keying of several different data inputs. DPA attacks effectively accu- is applied to memory encryption. mulate side-channel information about the key being used by Second, we build on our analysis and present Meas—the observing multiple encryptions/decryptions under the same first Memory Encryption and Authentication Scheme secure key. against DPA attacks. The scheme is suitable for all kinds However, contemporary memory encryption and authenti- of memory including random access memory (RAM) and cation schemes that protect memory against physical attack- non-volatile memory (NVM). By making use of synergies ers, e.g., [17,25,44,48,54,55], lack the consideration of side- between fresh re-keying and authentication trees [18,27,40], channel attacks and DPA in particular. More concretely, the Meas simultaneously offers security against first-order DPA security of contemporary schemes is built upon the assump- and random access to all memory blocks. In more detail, tion of a microchip that is secure against active and passive Meas uses separate keys for each memory block that are adversaries and which does not leak any information about stored in a tree structure and changed on every write access in the key via side channels. However, as pointed out before, the order to strictly limit the use of each key to the encryption of assumption that side-channel attacks on microchips are infea- two different plaintexts at most. For higher-order DPA secu- sible is too strong. In fact, DPA attacks were quite recently rity, Meas performs data masking by splitting the plaintext shown to pose a serious threat to memory encryption on values into shares and storing the encrypted shares in mem- general-purpose CPUs. While the DPA presented in [57] ory. This allows to flexibly extend DPA protection to higher breaks many contemporary memory encryption schemes, the orders in trade for additional memory. For all DPA protection practical attacks in [5,37,50,57] document the feasibility of levels, Meas does not require DPA-protected implementa- DPA on memory encryption and authentication on state-of- tions of the cryptographic primitives, making Meas suitable the-art systems. for common off-the-shelf (COTS) systems equipped with In principle, there exist techniques to protect crypto- unprotected cryptographic accelerators. However, Meas is graphic primitives against DPA attacks. For example, an also an ideal choice for constructing a DPA-secure system implementation can be protected by changing the hardware from scratch as engineers do not have to cope with complex such as by applying masking techniques [12,23], which use DPA protection mechanisms within the cipher implementa- randomization to make the side-channel information inde- tion. pendent from the actually processed value. However, pro- Third, we give two lightweight Meas instances suitable tecting implementations of cryptographic primitives against for RAM that encrypt and authenticate the tree nodes with DPA is expensive and a tough problem in an active field of strictly bounded data complexity per key. Meas-v1 uses the research existing for almost two decades. The massive over- PRINCE cipher and derives a fresh key for each encryption heads for DPA-protected implementations range between a block using the sponge Ascon. Meas-v2 provides faster tree factor of four and a few hundred [6,10,42,45] and would traversal by using the same key for the encryption of several, thus render current memory encryption and authentication but a sufficiently small number of, e.g., 4 or 8, blocks using schemes in latency sensitive applications impractical. In con- the tweakable cipher QARMA. trast, more efficient solutions are in sight when considering Finally, we implement both Meas instances on the Xil- side-channel protection throughout the cryptographic design inx XC7Z020 System on Chip (SoC) Field Programmable and looking for potential synergies. Gate Array (FPGA) to practically evaluate the performance of RAM encryption and authentication with Meas.1 We show 1.1 Contribution that Meas provides protection against the very powerful DPA attacks, and still features the same performance and memory In this paper, we solve the problem of protecting data in overhead as state-of-the-art memory authentication schemes memory against physical attackers in possession of a running which completely lack side-channel protection. In particu- device. More concretely, we solve the stringent problem of lar, we show that a 4-ary, first-order DPA-secure instance DPA attacks on memory encryption and authentication with- of Meas-v2 is a highly suitable choice for encrypting and out additional memory overhead over conventional schemes. We approach the topic with a detailed analysis of the secu- 1 Both implementations are available at https://github.com/IAIK/ rity of fresh re-keying [33,39] as a promising mechanism to memsec. 123 Journal of Cryptographic Engineering authenticating RAM in practice. Contrary to that, protecting arbitrary data, in splicing attacks, the data at address A is cryptographic implementations against DPA to make use of replaced with the data at address B, and in replay attacks, state-of-the-art schemes would result in massive overheads the data at a given address is replaced with an older version making memory encryption and authentication infeasible.