Key Updating For Leakage Resiliency With Application To AES Modes of Operation
Abstract: Side-channel analysis (SCA) exploits the information leaked through unintentional outputs (e.g., power consumption) to reveal the secret key of cryptographic modules. The real threat of SCA lies in the ability to mount attacks over small parts of the key and to aggregate information over different encryptions. The threat of SCA can be thwarted by changing the secret key at every run. Indeed, many contributions in the domain of leakage resilient cryptography tried to achieve this goal. However, the proposed solutions were computationally intensive and were not designed to solve the problem of the current cryptographic schemes. In this paper, we propose a generic framework of lightweight key updating that can protect the current cryptographic standards and evaluate the minimum requirements for heuristic SCA-security. Then, we propose a complete solution to protect the implementation of any standard mode of the Advanced Encryption Standard. Our solution maintains the same level of SCA-security (and sometimes better) as the state of the art, at a negligible area overhead while doubling the throughput of the best previous work.

Index Terms: Hardware security (side channels).

I. INTRODUCTION
Manuscript received April 26, 2014; revised August 18, 2014 and October 21, 2014; accepted November 29, 2014. Date of publication December 18, 2014; date of current version February 2, 2015. This work was supported in part by the Virginia Tech-Middle East and North Africa Program, Egypt, and in part by the National Science Foundation under Grant 1115839. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Ozgur Sinanoglu.

The authors are with the Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA 24061 USA (e-mail: mtaha@vt.edu; schaum@vt.edu).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2014.2383359
1556-6013 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
Fig. 2. Stateless and stateful key-updating, as shown for the example of data encryption.
Fig. 3. Our solution: A tree structure for stateless key-updating and a chain of whitening functions for stateful key-updating.
B. Key-Updating Requirements

For the highlighted tree structure to be lightweight and secure against SCA, the Wt function is required to (inspired by [8]):
1) Have non-linearity with balanced full-diffusion.
2) Resist Simple Power Analysis.
3) Resist 2-trace Differential Power Analysis.
4) Come at small area and performance overheads.

Full diffusion means that each bit of a new key depends on every bit of an old key. Balanced full-diffusion means that flipping any bit of an old key flips every bit of a new key with equal probability. Non-linearity means that one bit of a new key depends on a non-linear function of the previous key bits.

The Wc function should possess the same set of requirements, except resistance against 2-trace DPA attacks, which is prevented by design.
C. Security Analysis

In this section, we show that the key-updating requirements discussed in the previous section are necessary for secure leakage resiliency. The core idea of leakage resiliency is to limit the use of any secret value to encrypting only one message block. Thereafter, the secret value has to be updated to a new secret. That said, leakage resiliency cannot prevent Eve from attacking the leakage of encrypting one message block (using Simple Power Analysis). However, leakage resilient cryptographic schemes can prevent Eve from including more than one leakage trace in any attack, i.e. they prevent Differential Power Analysis.

Also, the key-updating function cannot prevent Eve from using the information partially recovered from a single leakage trace to reduce the search space of the new secret value. However, if the partially recovered information is small (< |k| bits), the key-updating function can prevent Eve from excluding parts of the new secret value, i.e. Eve cannot make use of the partially recovered information unless she enumerates the whole search space of the new secret value. In other words, leakage resiliency can prevent applying the divide-and-conquer principle across key updates.

Focusing on the role of key-updating in leakage resilient cryptographic schemes, high diffusion was proposed as the only mathematical condition required for secure key-updating [8], [15]. Here, we show with a counterexample that this condition is not sufficient, and propose new conditions. In the next section, we propose a lightweight realization of a secure key-updating function using the structure of the Rijndael algorithm.
Let the key-updating function be:

$$k'_i = k_i \oplus \bigoplus_{j=1}^{|k|} k_j, \qquad \text{for } i = 1, \dots, |k|$$

where $k$ is the old key, $k'$ is the new key, and $k_j$ is bit $j$ of the old key. The function computes the binary xor between a bit of the old key and the parity of the entire old key. This updating function fulfills the high-diffusion requirement of [8] and [15] in their definition that one bit of the new key depends on many bits of the old key. In fact, this function possesses full diffusion in the definition that one bit of the new key depends on all the bits of the old key. However, this function cannot prevent DPA attacks.
Note that, if the parity of the old key is one, i.e. an odd number of ones in its binary representation, the entire key will be flipped, and the parity of the new key will also be one (assuming the bit-length of the key is even). If the parity is zero, the new key will equal the old key and the parity will stay zero. In this case, Eve will put two hypotheses for each key guess: one hypothesis with the key guess flipped between traces, and the other with a fixed key guess. Here, Eve can overcome this kind of leakage resiliency by doubling the number of hypotheses, e.g. from 256 to 512 for guessing one byte of the master key. We acknowledge that this counterexample does not harm the practical instances proposed by [8] and [15]; we only highlight a limitation of the proposed conditions for security.
To prevent such an attack, we require that the old key be processed by a non-linear function before generating a new secret key. The non-linearity ensures that Eve cannot make a hypothesis over a small part of the secret key that affects the sensitive variable of different traces. Needless to say, Eve cannot make a hypothesis over the full secret key due to the computational complexity.
Also, in case a small number of bits of one key (< |k|) is recovered, the key-updating function should prevent Eve from excluding any key hypothesis. Keeping in mind that a key hypothesis is typically put for a small part of the secret key (one or two bytes), this requirement means that Eve cannot map the recovered information from the old key to a small part of the new key. Ideally, one bit of uncertainty in an old key should generate two keys with an average Hamming Distance of 50%. At a finer granularity, one bit of uncertainty in an old key should flip each bit of a new key with probability 50%. We define a key-updating function that has this property as a balanced function.
1) Extension to Stateless Key-Updating: At the start of every session, the first execution of Wt will always process the master key. As we discussed, leakage resiliency cannot prevent Eve from exploiting the leakage of one trace. Hence, we require that Wt be protected against simple power analysis (SPA) attacks.

Also, key-updating protects cryptographic implementations against DPA attacks only after being initialized to a secure pseudorandom state, when no public inputs are further used. However, while initializing new sessions (stateless key-updating), Wt processes the master key and a public nonce. Although the tree structure limits the effect of the public nonce to only one bit at a time, Eve can still mount a DPA attack against the two cases of the public nonce bit (0 and 1). Hence, we also require that Wt be protected against DPA attacks using two differential traces.

If these requirements are met, the tree structure will guarantee that:
Each nonce will generate a unique secret state.
If full diffusion is achieved, different values of the
TABLE I: PREVIOUS WORK
Fig. 4.
and every key update requires two executions of the underlying DES. Without using a nonce, the running keys are generated in the same sequence in every session, which makes the scheme vulnerable to SCA across different sessions. Two recent works proposed modular multiplication between the secret key and the nonce as an easy-to-protect key-updating primitive [8], [9]. They used practical countermeasures (e.g., hiding and masking) to protect the modular multiplication primitive. The other contributions used the GGM construction, which is the best practice in leakage resiliency. The randomization function used at each step was either a full-featured hash function (SHA-256) [14] or a full-featured block cipher (AES) [12]. A recent contribution studied the minimum SP network that can provide heuristic security against SCA attacks [15].

Most key-updating contributions in the table focus only on stateless key-updating. Under the conditions of direct construction and one public variable, we found only a few contributions for stateful key-updating. Some contributions achieve heuristically secure constructions using either hash functions or block ciphers [9], [14], [19], and one is a provable construction [13].
B. Proposed Solution

Fig. 4 shows a high-level representation of our solution. The secret key is used as a master key. The master key and the nonce (n) are processed with a leak-proof key-updating scheme. The key-updating scheme is composed of two phases. The stateless key-updating protects the master key against SCA and key-recovery attacks and generates a unique pseudorandom secret state. The stateful key-updating starts from the secret state and generates the session key and the running keys. The session key is used in the key-schedule algorithm to generate round keys as shown in the figure. The running keys (in groups of two) are used to directly replace the first and last round keys of each encryption. In the figure, we did not show the connection between nonce, plaintext and ciphertext for a specific mode, as our scheme is compatible with any standard mode. The Wt and Wc functions are defined as follows.
Fig. 5. Replacing the first and last round keys by fresh running keys.

1) Definition of Wt: Let $Encr_k(p)$ denote the application of the first AddRoundKey and two rounds of AES to the plaintext $p$ under the key $k$, i.e. a round-reduced version of AES. Let $n$ denote a nonce, and $n(i)$ denote bit $i$ of the nonce. Assuming $K$ is the master key, the stateless key-updating starts by initializing $K^0 = K$. Then, one step of the tree is defined as:

$$K^{i+1} = Wt_{n(i)}(K^i) := \begin{cases} Encr_{1^{128}}(K^i), & \text{if } n(i) = 1 \\ Encr_{0^{128}}(K^i), & \text{if } n(i) = 0 \end{cases}$$

i.e. Wt is the application of a round-reduced version of AES to the previous key, under the key of all zeros or all ones (depending on the bit value of the nonce). Note that the master key (and later keys) are used as the plaintext, and a fixed input is used as the key. Also, capital letters $K$ denote the master key or any key within the tree, while small letters $k$ denote running keys. Finally, the pseudorandom secret state is the output of the last tree step, $s = K^{|n|}$, where $|n|$ is the bit-length of the nonce $n$.
2) Definition of Wc: The running key chain starts by initializing the first running key to the secret state: $k_0 = s$. Then, each new running key is generated by applying the Wc function to the previous key. Wc is a whitening function realized by Encr with the key fixed to all zeros:

$$k_{i+1} = Wc(k_i) := Encr_{0^{128}}(k_i)$$
3) Interaction With the Underlying Mode of AES: The typical implementation of any standard AES mode of operation
starts by running the key-schedule algorithm over the secret
key to generate round keys. Then, the round keys are stored
to be used in all AES encryptions.
Here, we use the first running key (which is the secret
state) as a session key. Hence, the key-schedule will run
over k0 to generate round keys. Then, instead of directly
using round keys in AES encryptions, each group of two
running keys (ki and ki+1 starting from i = 1) will replace
the first and last round keys of each encryption as shown
in Fig. 5.
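The tree, the chain and the pairing of running keys with message blocks, as an added Python example that is not code from the paper. It assumes a keyed stand-in for Encr (HMAC-SHA-256 truncated to 128 bits, not the paper's two-round AES) and that nonce bits are consumed MSB-first; the key schedule and the AES data path are outside its scope.

```python
import hashlib
import hmac

BLOCK = 16                       # 128-bit keys and states
ALL_ZEROS = bytes(BLOCK)         # the fixed key 0^128
ALL_ONES = bytes([0xFF]) * BLOCK # the fixed key 1^128

def encr(key: bytes, x: bytes) -> bytes:
    """Assumption: stand-in for Encr_key(x). The paper uses the first
    AddRoundKey plus two AES rounds; here a keyed PRF models it."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def wt(nonce_bit: int, k: bytes) -> bytes:
    """One tree step: the previous key is the plaintext, the fixed key is
    all ones or all zeros depending on the nonce bit."""
    return encr(ALL_ONES if nonce_bit else ALL_ZEROS, k)

def wc(k: bytes) -> bytes:
    """Stateful whitening step: Encr under the all-zeros key."""
    return encr(ALL_ZEROS, k)

def tree_path(master: bytes, nonce: bytes) -> list:
    """All tree keys K^0 .. K^|n|. Nonces sharing a bit prefix share the
    corresponding prefix of this path (GGM tree structure)."""
    keys = [master]
    for i in range(len(nonce) * 8):
        bit = (nonce[i // 8] >> (7 - i % 8)) & 1   # MSB-first (assumption)
        keys.append(wt(bit, keys[-1]))
    return keys

def stateless_update(master: bytes, nonce: bytes) -> bytes:
    """The pseudorandom secret state s is the last key of the tree."""
    return tree_path(master, nonce)[-1]

def running_keys(state: bytes, count: int) -> list:
    """k_0 = s is the session key; k_1 .. k_count are the running keys."""
    keys = [state]
    for _ in range(count):
        keys.append(wc(keys[-1]))
    return keys

def round_key_pairs(state: bytes, n_blocks: int) -> list:
    """Block j (1-based) replaces its first/last round keys with
    (k_{2j-1}, k_{2j}), so two fresh running keys are consumed per block."""
    ks = running_keys(state, 2 * n_blocks)
    return [(ks[2 * j - 1], ks[2 * j]) for j in range(1, n_blocks + 1)]

if __name__ == "__main__":
    master = bytes(range(16))           # constructed sample master key
    s = stateless_update(master, b"\xA5\x5A")
    for j, (first, last) in enumerate(round_key_pairs(s, 3), start=1):
        print(f"block {j}: first={first.hex()} last={last.hex()}")
```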
C. Security of the Practical Scheme

In this section, we show how the proposed key-updating functions fulfill the properties required in Sec. III-B.

1) Non-Linearity With Balanced Full-Diffusion: Non-linearity of the key-updating function is guaranteed by the S-box layer of the two AES rounds. Full diffusion is expected, as the mathematical structure of Rijndael, especially the ShiftRows and MixColumns steps, requires that each bit of the input affects the entire state after two rounds [20]. In order to show that the functions have full, balanced diffusion, we conducted a diffusion test.
The diffusion test measures how each bit of the input affects
the output bits. The test involves one million experiments
over Wt. In each experiment, we select a random key and
compute the output of the function Wt at either n(0) = 1
or n(0) = 0 (randomly). Then, we randomly flip one-bit of
the key and re-compute the output. Finally, we compute and
record the Hamming Distance between the two outputs. Also,
for individual bit-positions, we accumulate the number of
instances when the bit-value is different between the outputs,
and divide the number by the total number of experiments.
The distribution of the Hamming Distance is shown in Fig. 6. The average Hamming Distance is 50.16%, with a 95% confidence interval of 0.025%. The probability of flipping individual bits of the output has a minimum value of 50.03% and a maximum value of 50.33%. This indicates that all the bits contribute equally to the overall diffusion.

Note that Wc is essentially Wt with the nonce-bit input set to n(0) = 0. Hence, the previous results apply equally to the Wc function.
2) Resistance Against Side-Channel Analysis: First of all, although the master key is used in the data path and the fixed input is used as the key (which removes the need for a key schedule for the tree itself), this change is transparent to SCA, as the two values are xored with each other. Under parallel hardware implementations, the system power consumption of 16 parallel S-boxes at noiseless measurement is:
Lj =
16
i=0
TABLE II: COMPARISON BETWEEN THE IMPLEMENTATION OVERHEAD OF THE KEY-UPDATING SCHEMES. s IS THE SECURITY PARAMETER
Fig. 10.
comparable performance overheads. The performance overhead of our RR-AES structure at s = 8 is only 64 cycles, which is 3.2 times faster than the best previous solution at no area overhead (that of [12]).

The implementation overhead of the different techniques used for stateful key-updating is shown in Fig. 9. The scheme that uses SHA-256-Fast is not shown, as its area overhead is excessive. Our solution is two times faster than the currently best direct constructions of [9] and [13]. The figure also shows a state-of-the-art masking scheme. The smallest threshold implementation (to prevent leakage caused by glitches) of AES requires 8,393 GE of area overhead and works at 266 cycles per encryption [2]. The threshold implementation is shown on the stateful key-updating figure, as the performance overhead of stateless key-updating is a one-time overhead (once per message), and becomes negligible at long message lengths.

Finally, we compare the relative throughput of the available solutions. The relative throughput of a protected module is the ratio of its throughput to the throughput of the unprotected module. The throughput is the number of message blocks processed per clock cycle. Due to the one-time overhead of the stateless key-updating, the relative throughput of protected modules increases with the message size. Here, we take the unprotected AES core (one message block per 12 cycles) as our reference. Also, we assume a serialized implementation for the re-keying schemes, i.e. re-keying and encryption are done in separate clock cycles. This assumption supports the no-area-overhead target of our solutions. Fig. 10 shows the relative throughput of a no-protection core, the AES-Fast solution from [14], the combination of the fast solutions from [12] and [9], and our recommended RR-AES solutions at s = 1 and s = 8. It is clear that our solution at s = 8 has the absolute highest throughput. Also, our solution at s = 1 achieves higher throughput than the previous best solution (the combination of [9] and [12]) after 52 message blocks. This means that, for messages longer than 832 bytes, our RR-AES solution with s = 1 achieves higher throughput and better security guarantees than the best previous work.
VI. CONCLUSION

In this paper, we proposed a lightweight key-updating framework for efficient leakage resiliency. We proposed the minimum requirements for heuristically secure structures. We proposed a complete solution to protect the implementation of any AES mode of operation. Our solution utilizes two rounds of the underlying AES itself, achieving negligible area overhead and very small performance overhead.

REFERENCES
[1] K. Tiri et al., "Prototype IC with WDDL and differential routing: DPA resistance assessment," in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2005, pp. 354–365.
[2] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, "Pushing the limits: A very compact and a threshold implementation of AES," in Advances in Cryptology. Berlin, Germany: Springer-Verlag, 2011, pp. 69–88.
[3] F.-X. Standaert, O. Pereira, Y. Yu, J.-J. Quisquater, M. Yung, and E. Oswald, "Leakage resilient cryptography in practice," in Towards Hardware-Intrinsic Security. Berlin, Germany: Springer-Verlag, 2010, pp. 99–134.
[4] Y. Dodis and K. Pietrzak, "Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks," in Proc. 30th CRYPTO, 2010, pp. 21–40.
[5] S. Faust, K. Pietrzak, and J. Schipper, "Practical leakage-resilient symmetric cryptography," in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2012, pp. 213–232.
[6] S. Dziembowski and K. Pietrzak, "Leakage-resilient cryptography," in Proc. IEEE 49th Annu. IEEE Symp. Found. Comput. Sci. (FOCS), Oct. 2008, pp. 293–302.
[7] D. Martin, E. Oswald, and M. Stam, "A leakage resilient MAC," Dept. Comput. Sci., Univ. Bristol, Bristol, U.K., Tech. Rep. 2013/292, 2013. [Online]. Available: http://eprint.iacr.org/
[8] M. Medwed, F.-X. Standaert, J. Großschädl, and F. Regazzoni, "Fresh re-keying: Security against side-channel and fault attacks for low-cost devices," in Progress in Cryptology. Berlin, Germany: Springer-Verlag, 2010, pp. 279–296.
[9] B. Gammel, W. Fischer, and S. Mangard, "Generating a session key for authentication and secure data transfer," U.S. Patent 20 100 316 217, Dec. 16, 2010.
[10] O. Goldreich, S. Goldwasser, and S. Micali, "How to construct random functions," J. ACM, vol. 33, no. 4, pp. 792–807, Oct. 1986.
[11] K. Pietrzak, "A leakage-resilient mode of operation," in Advances in Cryptology. Berlin, Germany: Springer-Verlag, 2009, pp. 462–482.
[12] M. Medwed, F.-X. Standaert, and A. Joux, "Towards super-exponential side-channel security with efficient leakage-resilient PRFs," in Cryptographic Hardware and Embedded Systems. Berlin, Germany: Springer-Verlag, 2012, pp. 193–212.
[13] Y. Yu and F.-X. Standaert, "Practical leakage-resilient pseudorandom objects with minimum public randomness," in Topics in Cryptology. Berlin, Germany: Springer-Verlag, 2013, pp. 223–238.
[14] P. Kocher, "Complexity and the challenges of securing SoCs," in Proc. 48th ACM/EDAC/IEEE Design Autom. Conf. (DAC), Jun. 2011, pp. 328–331.
[15] S. Belaïd et al., "Towards fresh re-keying with leakage-resilient PRFs: Cipher design principles and analysis," J. Cryptograph. Eng., vol. 4, no. 3, pp. 157–171, Sep. 2014.
[16] M. Dworkin, "NIST Special Publication 800-38A, Recommendation for block cipher modes of operation: Methods and techniques."
[17] Information Technology, Security Techniques, Authenticated Encryption, document ISO/IEC 19772:2009, Mar. 2013.
[18] M. Mozaffari-Kermani and A. Reyhani-Masoleh, "Efficient and high-performance parallel hardware architectures for the AES-GCM," IEEE Trans. Comput., vol. 61, no. 8, pp. 1165–1178, Aug. 2012.