Received: 26 November 2019 | Revised: 9 September 2020 | Accepted: 5 October 2020 DOI: 10.4218/etrij.2019-0539 ORIGINAL ARTICLE Key- dependent side- channel cube attack on CRAFT Kok- An Pang | Shekh Faisal Abdul- Latip INSFORNET, Centre for Advanced Computing Technology (C- ACT), Fakulti Abstract Teknologi Maklumat dan Komunikasi, CRAFT is a tweakable block cipher introduced in 2019 that aims to provide strong Universiti Teknikal Malaysia Melaka, protection against differential fault analysis. In this paper, we show that CRAFT Melaka, Malaysia is vulnerable to side- channel cube attacks. We apply side-channel cube attacks to Correspondence CRAFT with the Hamming weight leakage assumption. We found that the first half Kok- An Pang and Shekh Faisal Abdul- of the secret key can be recovered from the Hamming weight leakage after the first Latip, INSFORNET, Centre for Advanced Computing Technology (C- ACT), Fakulti round. Next, using the recovered key bits, we continue our attack to recover the sec- Teknologi Maklumat dan Komunikasi, ond half of the secret key. We show that the set of equations that are solvable varies Universiti Teknikal Malaysia Melaka, depending on the value of the key bits. Our result shows that 99.90% of the key space Melaka, Malaysia. Email: [email protected] (Kok- An Pang), can be fully recovered within a practical time. [email protected] (Shekh Faisal Abdul- Latip) KEYWORDS Block cipher, CRAFT, cryptanalysis, cube attack, side- channel attack Funding information This research was supported by the UTeM Zamalah Scheme and Fundamental Research Grant Scheme (FRGS) of Universiti Teknikal Malaysia Melaka (FRGS/1/2015/ICT05/FTMK/02/ F00293) funded by the Ministry of Higher Education, Malaysia 1 | INTRODUCTION attacks varies depending on the implementation, even if the same cipher is adopted. Nevertheless, it is important to study Resistance against known standard attacks has become one the capabilities of available ciphers to protect communications of the criteria for measuring the security of a block cipher. across various devices. Unfortunately, not all ciphers are de- Cryptanalytic attacks such as linear and differential cryptan- signed to resist side-channel attacks. In practice, additional alysis [1,2] have been used widely to facilitate such security countermeasures against side- channel attacks are implemented, evaluations [3– 7]. However, a cipher that can resist standard which are mostly inefficient and costly [24]. Resistance against attacks may not necessarily be secure against side- channel side- channel attacks at the algorithmic level helps reduce im- attacks, which exploits the weaknesses in its physical imple- plementation costs by avoiding extra countermeasures, as can mentation. Leaked information such as timing information [8], be seen in ciphers such as PICARO [25], ZORRO [26], and power consumption [9,10], and electromagnetic leaks [11] can FIDES [27], where countermeasures against side-channel anal- be exploited for key recovery. Ciphers which can resist stan- ysis are defined at the algorithmic level. dard attacks [12] are not necessarily secure. They can be bro- CRAFT [24] is a new tweakable block cipher introduced ken from the weaknesses of their implementation, Which have in 2019, which can resist differential fault analysis. CRAFT been shown in [17]. However, the feasibility of side- channel is also resistant to various known standard attacks [1,28– 31]. This is an Open Access article distributed under the term of Korea Open Government License (KOGL) Type 4: Source Indication + Commercial Use Prohibition + Change Prohibition (https://www.kogl.or.kr/info/license.do#05-tab). 1225-6463/$ © 2020 ETRI 344 | wileyonlinelibrary.com/journal/etrij ETRI Journal. 2021;43(2):344–356. PANG AND ABDUL- LATIP | 345 Moreover, the CRAFT algorithm is nearly involutory. The TABLE 1 Notation encryption algorithm of CRAFT can be turned into decryp- ki The i- th bit of the secret key tion with minimal area cost. ti The i- th bit of the tweak ℛ In this paper, we analyze the security of the CRAFT im- i The round function at round i plementation against side- channel cube attacks using the Vi The plaintext nibble (v4i, v4i + 1, v4i + 2, v4i + 3) Hamming weight leakage model. The cube attack used in Ti The tweak nibble (t , t , t , t ) this study is key- dependent, that is, the superpoly equations 4i 4i + 1 4i + 2 4i + 3 Er ( er , er , er , er ) ℛ used vary depending on the secret key. The selection of su- i The state nibble 4i 4i + 1 4i + 2 4i + 3 before r K perpoly equations depends on the value of their right-hand The secret key 0 sides, which are known during the online phase. Moreover, V The plaintext, also known as E the recovery of the second half of the secret key depends on C The ciphertext, also known as E32 the first half of the secret key. T The tweak r The superpoly equations obtained during the preprocessing E The internal state after r rounds phase are sufficient for recovering all secret key bits within a K0 The first half of K consists of (k0, k1, …, k63) practical time with a success probability of 0.9990. According K1 The second half of K consists of (k64, k65, …, k127) to Liskov and colleagues in Ref. [31], the additional tweak on n Key size a tweakable block cipher should not be considered as another D Degree of superpoly uncertainty to the adversary. Furthermore, the security of a I block cipher should not be compromised even if the adversary The set of cube indices |I| has control of the tweak. However, our result shows that the se- CI The |I|- dimensional Boolean cube of 2 vectors cret key of CRAFT can be recovered using side- channel cube (p,i,j) The set of integers {i, i + p, i + 2p, …, q} for any attacks when an adversary has control of its tweak. 0 < j − q ≤ p Our Contribution. We analyze the security of CRAFT HW(X) Hamming weight of any vector X against side- channel cube attacks with the Hamming leakage assumption. Although the algorithm of CRAFT is claimed by the designers to be resistant to differential fault analysis, which is a type of side- channel attack, our work shows that CRAFT is not secure against cube attacks within the side- channel attack model. To the best of our knowledge, our attack on CRAFT is the first attack on CRAFT within a side- FIGURE 1 State of CRAFT channel attack model. We point out that most of the key space (that is, 99.90%) can be recovered within a practical time, but the remaining 0.1% can only be recovered with a complexity significant bit of a vector is labeled with index 0. Throughout faster than brute force. this paper, capital letters are used to represent vectors, unless Organization of the Paper. In Section 2, we describe otherwise stated. For representing terms in a polynomial, bold the notation used in this study. In Section 3, we briefly re- letters are used. Let B denote a vector and b be a polynomial view the design of the CRAFT block cipher. Section 4 pres- term. Next, we denote Bi as the i- th bit of B and b i as the i- th ents an outline of a side-channel cube attack. Sections 5 bit of b, respectively, unless otherwise stated. and 6 show the application of side-channel cube attacks on CRAFT and describe the result of our work. Section 7 concludes the paper. 3 | BRIEF DESCRIPTION OF THE CRAFT BLOCK CIPHER 2 | NOTATION In this section, we briefly describe the structure of CRAFT. For details on the design rationale, performance, and security ℤ We distinguish between the addition of 2 and the addition of evaluation of CRAFT, please refer to [24]. ℤ , and we use ⊕ as the addition of 2 and + as the addition of CRAFT operates with a 64- bit block size, a 128- bit secret , respectively. For summation, we denote ∑ as the summation key, and a 64-bit tweak. During the encryption, a plaintext is ℤ of , whereas ⊕ is the summation of 2. Table 1 shows the no- divided into 16 nibbles, which are grouped as a matrix similar tation used in this study, unless otherwise stated. Note that all to the Advanced Encryption Standard (AES) [32]. Figure 1 indexing in this paper is based on zero-based numbering (that shows the AES- like representation for the internal state of ℛ is, 0 is the first round). Bit positions in a vector are labeled CRAFT, where each number 0 ≤ i ≤ 15 in each square box r in Big Endian with zero-based numbering, that is, the most represents Ei for any 0 ≤ r ≤ 32. 346 | PANG AND ABDUL- LATIP MC is a MixColumn function, which multiplies the state i matrix E for any 0 ≤ i ≤ 32 with an involutory matrix ℳ such i + 1 i that E = MC(E ) = ℳ⋅E, where. 1011 0101 ℳ = . ⎡0010⎤ ⎢ ⎥ FIGURE 2 Encryption in CRAFT ⎢0001⎥ ⎢ ⎥ ⎢ ⎥ Further, ARCi is the addition of the i- th round constant RCi ⎣ i⎦+ 1 i (refer to Table 2), with the state E = E ⊕ RCi, whereas i ATKi is the addition of the i- th round tweakey TKi with E i + 1 i such that E = E ⊕ TKi. Although there are 32 rounds in CRAFT, the same set of round keys are used periodically every four rounds. The round key for each round is generated as follows. ℛ TKi = K0 ⊕ T, FIGURE 3 The i- th round function i of CRAFT TABLE 2 Round constants in hexadecimal for each round TKi+1 = K1 ⊕ T, Round Round constant Round Round constant TKi+2 = K0 ⊕ Q(T), 0 0 × 11 16 0 × 82 1 0 × 84 17 0 × 45 TKi+3 = K1 ⊕ Q(T).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-