An Analytic Attack Against ARX Addition Exploiting Standard Side-Channel Leakage Yan Yan1, Elisabeth Oswald1 and Srinivas Vivek2 1University of Klagenfurt, Klagenfurt, Austria 2IIIT Bangalore, India fyan.yan, [email protected], [email protected] Keywords: ARX construction, Side-channel analysis, Hamming weight, Chosen plaintext attack Abstract: In the last few years a new design paradigm, the so-called ARX (modular addition, rotation, exclusive-or) ciphers, have gained popularity in part because of their non-linear operation’s seemingly ‘inherent resilience’ against Differential Power Analysis (DPA) Attacks: the non-linear modular addition is not only known to be a poor target for DPA attacks, but also the computational complexity of DPA-style attacks grows exponentially with the operand size and thus DPA-style attacks quickly become practically infeasible. We however propose a novel DPA-style attack strategy that scales linearly with respect to the operand size in the chosen-message attack setting. 1 Introduction ever are different: they offer a potentially ‘high reso- lution’ for the adversary. In principle, under suitably Ciphers that base their round function on the sim- strong assumptions, adversaries can not only observe ple combination of modular addition, rotation, and leaks for all instructions that are executed on a proces- exclusive-or, (short ARX) have gained recent popu- sor, but indeed attribute leakage points (more or less larity for their lightweight implementations that are accurately) to instructions (Mangard et al., 2007). suitable for resource constrained devices. Some re- Achieving security in this scenario has proven to cent examples include Chacha20 (Nir and Langley, be extremely challenging, and countermeasures such 2015) and Salsa20 (Bernstein, 2008) family stream as masking (secret sharing) are well understood but ciphers, SHA-3 finalists BLAKE (Aumasson et al., costly (Schneider et al., 2015). In the case of ARX 2008) and SKEIN (Ferguson et al., 2010), as well as constructions one has to cope with the fact that there other block ciphers such as SPECK (Beaulieu et al., are Boolean operations (requiring Boolean masking 2015), SPARX (Dinu et al., 2016) and the related or secret sharing) and arithmetic operations (requir- SPARKLE (Beierle et al., 2008) which made into the ing arithmetic masking or secret sharing). Thus se- second round of the NIST lightweight cipher compe- curing ARX ciphers against power (and EM) attacks tition. Another second round candidate of the NIST is potentially very costly; unless, it could be argued lightweight competition Gimli (Bernstein et al., 2017) that they are inherently ‘secure enough’ against such also proposed a variation, namely Gimli-SPARX, that attacks that “non-provable” countermeasures (such as has adopted the ARX paradigm. hiding via randomisation of instructions, etc.) could The fact that the round function has an efficient possibly suffice. The most recent work on securing and simple expression via functions that are typi- ARX implementations is (Jungk et al., 2018). cally available as instructions on small embedded de- vices enables excellent performance with respect to It is well known that completely linear targets such code size, execution time and energy consumption. as the rotation and the exclusive-or operation are dif- Any implementation on an embedded device however ficult to attack with differential (power or EM) anal- also needs to be able to withstand the threat of Side- ysis (DPA for short): attacks on such targets require Channel (timing, power, EM, cache) Attacks (SCA, many more traces than attacks on highly non-linear for short). The absence of key dependent loops, or target functions, and even with a very large number indeed tables, implies resistance to timing and cache of leakage traces there remains some keys that cannot attacks. Power (and synonymously EM) attacks how- be distinguished from each other (Prouff, 2005). 1.1 Background and Related Work on To date, the Butterfly attack (Zohner et al., 2012) SCA on ARX Ciphers remains the most effective result in attacking modular addition. This attack demonstrated that it is possi- n ble to improve on straightforward DPA-style attacks The idea of combining addition modulo 2 , exclusive- when targeting modular additions by testing pairs of or, and rotation as a round function, has been sug- correlations induced by the symmetrical structure of gested as early as 1987 in the block cipher FEAL modular additions. However Butterfly attacks are (Shimizu and Miyaguchi, 1988). Since NIST kick- constrained by the fact that knowledge of one adder is started its lightweight cryptography project in 2015, required which does not hold for some ARX ciphers the interest in ARX constructions has received re- such as SPECK (Beaulieu et al., 2015) and SPARX newed interest. The ciphers SIMON and SPECK (Dinu et al., 2016). (Beaulieu et al., 2015), which were submitted to the first of the two workshops hosted by NIST, gained a considerable amount of interest from within the 1.2 Our Contribution crypto community. In 2016 the SPARX family of ci- phers was introduced (Dinu et al., 2016). In this paper we propose a novel attack strategy The appeal of the ARX construction is primarily against the modular addition in ARX-Boxes. Our in the fact that when choosing n equal to the word size method, in comparison to previous work, requires no of a processor, software implementations gain consid- knowledge of the adders and thus is more generally erable speedups. Furthermore, because the non-linear applicable on targets where a Butterfly attack is not component is given by the addition modulo 2n, it does an option, such as SPECK (Beaulieu et al., 2015) and not need to be encoded as a table lookup which sig- SPARX (Dinu et al., 2016). nificantly reduces the memory usage. The absence Our method requires to obtain the leakage from of lookup tables is also perceived as a distinctive ad- the result of the modular addition only, which we need vantage when the threats of various side channel at- to be a bit-linear function (e.g. Hamming Weight, or tacks are considered (Biryukov et al., 2016; Biryukov weighted Hamming weight with positive weights of and Perrin, 2017; Dinu et al., 2016). The absence similar magnitude). We only need to be able to ob- of cache also implies that the instructions are always serve if the leakage increases, decreases, or remains performed in a constant time and thus there is unlikely the same upon a single-bit flip in the plaintext. Based any key dependent leakage exploitable in the execu- on this information, we show how to reconstruct the tion time (Dinu et al., 2016). Being free from the ta- adder output. With the adder output, and based on a bles also significantly reduces the number of mem- further related plaintext, we then show how to recon- ory accesses as these instructions have shown to be struct the secret key. the most exploitable targets in power analysis attacks We consider our novel methodology of indepen- (Biryukov et al., 2016). dent theoretical interest as we leverage minimal side channel leakage to perform a cryptanalytic-style anal- However, it has been shown in (Yan and Os- ysis for ARX constructions. wald, 2019) that na¨ıve implementations of ARX ci- phers may still leave vulnerabilities easily exploitable. In (Yan and Oswald, 2019), the authors simply 1.3 Organisation of the Paper attempted straightforward correlation power analy- sis attacks on the reference implementation of the In Section 2 we formalise our attack on ARX-Boxes SPARX cipher (Dinu et al., 2016) on some real plat- as the (Noisy) Hidden Adder Problem, (N)HAP, and forms, and found that the key was efficiently recov- propose its sub-problem the (Noisy) Hidden Sum ered exploiting the leakage amplified by consecutive Problem, (N)HSP. In Section 3 we explain how HSP XOR and shifting instructions. can be solved, then use the solution to solve HAP in Nevertheless, for the modular addition in ARX- Section 4 thus providing a full key recovery attack Boxes, the authors of (Yan and Oswald, 2019) re- given ideal leakage. Section 5 completes the attack by ported unsuccessful attacks targeting the addition in- adapting the attack to noisy leakage. We present sim- struction which coincide with the previous results re- ulation results in Section 5.1 and also discuss practical ported by (Biryukov et al., 2016) and that align with considerations. (Yan and Oswald, 2019; Zohner et al., 2012; Dinu et al., 2016): their argument is that the weak non- 1.4 Notation linearity of modular addition leaves a relatively lower margin in distinguishing the keys comparing to a typ- In this work we frequently use both the integer and the ical S-Box instruction. binary representation of operands. The notation [x] indicates the binary representation of a non-negative 2.1 Outline of Our Attack integer x: n−1 In a nutshell, there are two steps in our attack strat- i x = [x]n−1[x]n−2:::[x]1[x]0 = ∑ 2 [x]i; egy. The first step is to recover the sum s(x;y) from i=0 the leakage. From there, we then recover the subkeys hence [x]i denotes the i-th bit of [x]. The notation [x][y] (a;b) by solving equations involving x;y and s(x;y). implies the concatenation of two bit strings [x] and We begin by explaining how the attack works in an [y]. The notation [x]k denotes k times repetition of [x]. ideal world where the adversary observes ideal leak- Specifically, [∗]k denotes an arbitrary k-bit string. age without the Gaussian noise e, and then we show In this paper we assume that all integers are drawn how such solution can be adapted to realistic noisy + from Z2n , where n 2 N .