Iccd 2016 7753323
santosh.ghosh@intel.com
1. The authors would like to acknowledge Intel Corporation, Intel Labs for partial funding of the work under the project "LightCrypto: Ultra-Light-weight Robust Crypto-Architectures for Performance and Energy".
978-1-5090-5142-7/16/$31.00 ©2016 IEEE 440

Abstract—Side-channel attacks are a potent threat to the security of devices implementing cryptographic algorithms. Designing lightweight countermeasures against side-channel analysis that can run on resource-constrained devices is a major challenge. One such lightweight countermeasure is shuffling, in which the designer randomly permutes the order of execution of potentially vulnerable operations. State-of-the-art shuffling countermeasures advocate shuffling a set of independent operations in a single round of a cryptographic algorithm, but are often found to be insufficient as standalone countermeasures. In this paper, we propose a two-round version of the shuffling countermeasure, and test its security when applied to a serialized implementation of AES-128 using Test Vector Leakage Assessment (TVLA). Our results show that the number of traces required to break AES-128 implemented using our proposed countermeasure is significantly larger than for implementations using simple one-round shuffling. Furthermore, the new shuffling method has a significantly lower overhead of around 1.3 times, compared to other side-channel countermeasures such as masking that have an overhead of approximately two times.

I. INTRODUCTION

Several side-channels such as timing, power and electromagnetic emission have been successfully exploited on devices implementing cryptographic algorithms to recover the secret key [1], [2], [3], [4]. One of the most powerful among them is the Differential Power Analysis (DPA) attack, which consists of a four-step procedure. In the first step, the attacker records the power consumption of the device while it is performing cryptographic operations at different instances in time (samples) for a number of random inputs (traces). Next, they compute the value of a chosen intermediate variable for all the possible key candidates. Note that a DPA attack uses a divide-and-conquer approach, and hence the brute-force search here is limited to a part of the full key (e.g. 8 bits in the case of AES). Then, they map the hypothetical intermediate values computed in Step 2 to hypothetical power values using a suitable power model (e.g. Hamming weight, Hamming distance). Finally, a statistical distinguisher (such as distance-of-means or Pearson's correlation coefficient) is used to distinguish between the correct and wrong key candidates.

The main factor in quantifying the security of an implementation against side-channel attacks is the number of traces required to recover the secret key. Hence, to protect against these attacks, several countermeasures have been proposed to increase the data complexity. One of the approaches often employed here is to decrease the signal-to-noise ratio (SNR) (i.e., the ratio of the variance of the leakage signal to the variance of the noise present in the device) by adding noise [5], [6]. However, these countermeasures are generally ad hoc and hence provide only limited resistance. On the other hand, countermeasures based on randomizing the intermediate variables (called masking) have been shown to be highly resistant against DPA attacks [7], [8], [9]. However, the cost of implementing masking is at least twice that of a naive implementation, and hence it is not suitable for highly resource-constrained devices.

A. Shuffling

Shuffling is a lightweight countermeasure which can amplify the device noise [10], [11], [12]. In shuffling, a set of sensitive operations in a cryptographic algorithm is randomly permuted in terms of execution order, while ensuring the overall correctness of the algorithm. An important aspect of a shuffled implementation of any algorithm is the shuffling range, that is, the set of operations shuffled in time. All the shuffling-based countermeasures that have appeared in the literature permute a set of independent sensitive operations, such as S-box computations, within a single round of the cryptographic algorithm. This ensures that the additional cost of implementing the countermeasure is relatively small compared to masking. However, shuffling within a single round is often not enough as a standalone countermeasure to resist side-channel attacks [10], [13], [14].

B. Our Contributions

The contributions of this paper may be summarized as follows:

1) In this paper, we explore the possibility of extending the shuffling range to operations spanning multiple rounds of a cryptographic algorithm, instead of a single round as is prevalent in the current literature. We present a general analysis of the security of such schemes against
a powerful SCA adversary capable of mounting higher-order or integrated DPA attacks, which can serve as a design guideline for countermeasure designers.

2) We propose a novel countermeasure for block ciphers that shuffles a set of sensitive operations (e.g. S-box computation) spanning two consecutive rounds r − 1 and r of a cryptographic algorithm, instead of shuffling the operations within only one round r. The main advantage of this approach is that it increases side-channel resistance by forcing the adversary to enumerate a larger number of possible permutations before mounting an attack. Additionally, it is still a lightweight countermeasure, since it requires roughly the same number of calls to a random number generator as one-round shuffling to generate the permutations.

3) We implement AES-128 using our proposed countermeasure. We establish via simulation studies as well as experiments on FPGA-based implementations that our proposed countermeasure affords significantly greater security than standard one-round shuffling-based countermeasures, while maintaining competitive area and timing overheads for lightweight applications.

Thus, given a block cipher parameterized by (N, m), our aforementioned analysis allows us to evaluate a lower bound on the side-channel security afforded by shuffling across k rounds. Finally, we point out that shuffling beyond 3 rounds becomes too computationally expensive to be useful as a lightweight countermeasure. Hence, in the forthcoming section, we present our proposed countermeasure design using shuffling range k = 2.

II. OUR PROPOSED COUNTERMEASURE: A TWO-ROUND SHUFFLING ALGORITHM

In this section, we introduce our proposed countermeasure against side-channel attacks: a two-round shuffling algorithm. We first present our idea using a simple example and then provide a formal description in Algorithm 1. Next, as a case study we consider AES-128 and describe how we can protect it using our countermeasure.

A. Notations

Let a cryptographic algorithm consist of R rounds, each with N operations. For each pair of consecutive rounds (r − 1, r), where 2 ≤ r ≤ R/2, we denote by SI the set of N independent operations in the first of these rounds, and by SD the set of N dependent operations in the second of these rounds. Note that in this context, an independent operation is one that does not depend on any of the other operations in these two rounds only. Also, let the sets SI and SD be partitioned such that every partition SD,j of SD, with |SD,j| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition SI,j of SI, with |SI,j| = m ∀j ∈ {1, …, N/m}.

Algorithm 1 TRShuffling
Require: A set of N independent operations SI and N dependent operations SD; a parameter m such that every partition SD,j of SD, with |SD,j| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition SI,j of SI, with |SI,j| = m ∀j ∈ {1, …, N/m}; a function RInd(P, start, end) which returns a random index j such that start ≤ j ≤ end and P[j] = −1; and a function FindRearInd(P, m, l) which returns the index j such that there are exactly m positions in (P[j + 1], …, P[end]) with P[l] = −1 (for j + 1 ≤ l ≤ end).
Ensure: A shuffled permutation P of 2N operations respecting the dependency constraints.
1: start ← 1
2: end ← 2N − m
3: P[2N] ← {−1, · · · , −1}
4: Create random permutation p1 for the set {1, · · · , N/m}
5: Create random permutation p2 for the set {1, · · · , m}
6: for i := 1 to N/m do
7:   max_empty_pos ← 0
8:   for j := 1 to m do
9:     empty_pos ← RInd(P, start, end)
10:    P[empty_pos] ← SI,p1(i)[p2(j)]
11:    if empty_pos > max_empty_pos then
12:      max_empty_pos ← empty_pos
13:    end if
14:  end for
15:  start ← max_empty_pos + 1
16:  end ← 2N
17:  for j := 1 to m do
18:    empty_pos ← RInd(P, start, end)
19:    P[empty_pos] ← SD,p1(i)[p2(j)]
20:  end for
21:  start ← 1
22:  end ← FindRearInd(P, m, 2N)
23: end for
24: return P

B. Algorithm Description

Algorithm 1 gives our proposed two-round shuffling countermeasure against side-channel attacks. Given a set of N independent operations SI and N dependent operations SD, and a parameter m such that every partition SD,j of SD, with |SD,j| = m ∀j ∈ {1, …, N/m}, depends on exactly one partition SI,j of SI, with |SI,j| = m ∀j ∈ {1, …, N/m}, the algorithm outputs a shuffled permutation P of 2N operations respecting the dependency constraints.

C. Security Analysis: Comparison with No Shuffling and One-Round Shuffling

This section presents a comparison of our proposed two-round shuffling countermeasure with an unprotected implementation as well as an implementation protected using the standard one-round shuffling. Note that we have the following
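As an added illustration (not the paper's own code), Algorithm 1 in Python: RInd and FindRearInd are realised as the Require clause describes them, respects_dependencies checks the Ensure clause, and demo() builds a constructed instance with 16 labelled operations per round and m = 4 (chosen for illustration, not taken from the paper). Indices are 0-based here, whereas the paper's listing is 1-based.

```python
import random
def rind(P, start, end, rng):
    """RInd: a random 0-based index j, start <= j <= end, whose slot is still empty (P[j] == -1)."""
    return rng.choice([j for j in range(start, end + 1) if P[j] == -1])

def find_rear_ind(P, m, end):
    """FindRearInd: an index j with exactly m empty slots in j+1..end, or -1 if none exists."""
    seen = 0
    for j in range(end, -1, -1):                          # walk back to the (m+1)-th empty slot
        if P[j] == -1:
            seen += 1
            if seen == m + 1:
                return j
    return -1

def tr_shuffle(S_I, S_D, m, rng=random):
    """Algorithm 1 (TRShuffling). Partition j of S_I / S_D is the slice [j*m:(j+1)*m]."""
    N = len(S_I)
    assert len(S_D) == N and N % m == 0
    P = [-1] * (2 * N)                                    # line 3: every slot empty
    start, end = 0, 2 * N - m - 1                         # lines 1-2 (0-based)
    p1 = rng.sample(range(N // m), N // m)                # line 4: order of the partitions
    p2 = rng.sample(range(m), m)                          # line 5: order inside a partition
    for g in p1:                                          # line 6
        placed = []                                       # line 7
        for j in range(m):                                # lines 8-14: independent ops of partition g
            placed.append(rind(P, start, end, rng))
            P[placed[-1]] = S_I[g * m + p2[j]]
        start, end = max(placed) + 1, 2 * N - 1           # lines 15-16
        for j in range(m):                                # lines 17-20: dependents only after all of them
            P[rind(P, start, end, rng)] = S_D[g * m + p2[j]]
        start, end = 0, find_rear_ind(P, m, 2 * N - 1)    # lines 21-22: keep m slots free at the rear
    return P

def respects_dependencies(P, S_I, S_D, m):
    """Ensure clause: P permutes S_I + S_D and each dependent op follows its whole S_I partition."""
    if sorted(P) != sorted(S_I + S_D):
        return False
    where = {op: k for k, op in enumerate(P)}
    for g in range(len(S_I) // m):
        last_indep = max(where[op] for op in S_I[g * m:(g + 1) * m])
        if any(where[op] < last_indep for op in S_D[g * m:(g + 1) * m]):
            return False
    return True

def demo(seed=2016, N=16, m=4):
    """Constructed instance (not the paper's parameters): N labelled ops per round, partitions of m."""
    S_I, S_D = [f"I{k}" for k in range(N)], [f"D{k}" for k in range(N)]
    P = tr_shuffle(S_I, S_D, m, random.Random(seed))
    return P, respects_dependencies(P, S_I, S_D, m)
```

Because FindRearInd keeps exactly m empty slots beyond end before each partition is placed, RInd always finds a free slot and every dependent operation lands after the last independent operation it depends on.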
[Figure panels: (a) Noise Variance = 500 (b) Noise Variance = 550 (c) Noise Variance = 600]
using leakages estimated from simulated power traces. Our experiments illustrate that the leakage from our proposed method is significantly lower compared to state-of-the-art one-round shuffling algorithms, with a resource overhead of less than two times.

REFERENCES

[1] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology, CRYPTO'99. Springer, 1999, pp. 388–397.
[2] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J. Quisquater, and J.-L. Willems, "A practical implementation of the timing attack," in Smart Card Research and Applications. Springer, 1998, pp. 167–182.
[3] E. De Mulder, P. Buysschaert, S. B. Örs, P. Delmotte, B. Preneel, G. Vandenbosch, and I. Verbauwhede, "Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem," in Computer as a Tool, 2005. EUROCON 2005. The International Conference on, vol. 2. IEEE, 2005, pp. 1879–1882.
[4] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, "The EM side-channel(s)," in Cryptographic Hardware and Embedded Systems – CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers, 2002, pp. 29–45.
[5] L. Benini, A. Macii, E. Macii, E. Omerbegovic, F. Pro, and M. Poncino, "Energy-aware design techniques for differential power analysis protection," in Proceedings of the 40th Design Automation Conference, DAC 2003, Anaheim, CA, USA, June 2-6, 2003, 2003, pp. 36–41.
[6] S. Yang, W. Wolf, N. Vijaykrishnan, D. N. Serpanos, and Y. Xie, "Power attack resistant cryptosystem design: A dynamic voltage and frequency switching approach," in 2005 Design, Automation and Test in Europe Conference and Exposition (DATE 2005), 7-11 March 2005, Munich, Germany, 2005, pp. 64–69.
[7] M.-L. Akkar and C. Giraud, "An implementation of DES and AES, secure against some attacks," in Cryptographic Hardware and Embedded Systems – CHES 2001. Springer, 2001, pp. 309–318.
[8] F.-X. Standaert, E. Peeters, and J.-J. Quisquater, "On the masking countermeasure and higher-order power analysis attacks," in Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on, vol. 1. IEEE, 2005, pp. 562–567.
[9] H. Maghrebi, J.-L. Danger, F. Flament, S. Guilley, and L. Sauvage, "Evaluation of countermeasure implementations based on Boolean masking to thwart side-channel attacks," in Signals, Circuits and Systems (SCS), 2009 3rd International Conference on. IEEE, 2009, pp. 1–6.
[10] N. Veyrat-Charvillon, M. Medwed, S. Kerckhof, and F.-X. Standaert, "Shuffling against side-channel attacks: A comprehensive study with cautionary note," in Advances in Cryptology – ASIACRYPT 2012. Springer, 2012, pp. 740–757.
[11] T. Güneysu and A. Moradi, "Generic side-channel countermeasures for reconfigurable devices," in Cryptographic Hardware and Embedded Systems – CHES 2011. Springer, 2011, pp. 33–48.
[12] M. Rivain, E. Prouff, and J. Doget, "Higher-order masking and shuffling for software implementations of block ciphers," in Cryptographic Hardware and Embedded Systems – CHES 2009. Springer, 2009, pp. 171–188.
[13] A. Moradi and A. Poschmann, "Lightweight cryptography and DPA countermeasures: A survey," in Financial Cryptography and Data Security. Springer, 2010, pp. 68–79.
[14] S. Tillich and C. Herbst, "Attacking state-of-the-art software countermeasures – a case study for AES," in Cryptographic Hardware and Embedded Systems – CHES 2008. Springer, 2008, pp. 228–243.
[15] J. Cooper, E. De Mulder, G. Goodwill, J. Jaffe, G. Kenworthy, P. Rohatgi et al., "Test vector leakage assessment (TVLA) methodology in practice," in International Cryptographic Module Conference, 2013.
[16] T. Schneider and A. Moradi, "Leakage assessment methodology," in Cryptographic Hardware and Embedded Systems – CHES 2015. Springer, 2015, pp. 495–513.