Correlation Power Attack on Hardware Implementation of OCB Authenticated Cipher

Document Type : Original Article

Authors

1 PhD student, Imam Hossein Comprehensive University

2 Faculty member

3 Lavizan

Abstract

Authenticated encryption schemes provide confidentiality and integrity simultaneously. To design such schemes, the CAESAR competition was held, with six winners. One of the criteria for evaluating these ciphers, besides general security, is security against side-channel attacks, which has been studied less so far. The OCB authenticated cipher, one of the CAESAR winners, has special security properties, such as its construction from a tweakable block cipher, that make side-channel attacks challenging. In this paper, for the first time, a 7-stage correlation power analysis (CPA) attack on the nonce-processing time is presented to show its vulnerability. For this purpose, the OCB cipher is implemented on a SAKURA-G board. By measuring and collecting the power traces on the S-box, a successful CPA attack with a zero-value power model is mounted and all bytes of the key are recovered.
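What a zero-value CPA on the first-round S-box looks like in practice, as an added simulation that is not the paper's code: it assumes the attacked intermediate is the byte nonce_byte XOR key_byte entering the AES S-box during nonce processing, and a constructed leakage sample that spikes when that byte is zero; the paper's 7-stage procedure and its SAKURA-G traces are not reproduced.

```python
import math
import random

# Constructed leakage model (assumption, not the paper's measurement): one sample per
# S-box, equal to 1.0 when the S-box input register nonce_byte ^ key_byte is all-zero,
# plus Gaussian noise. The nonce is public, so it is the attacker-known input.
N_TRACES = 16384
NOISE_SIGMA = 1.0

def simulate_traces(key, n_traces, rng):
    """Return (nonces, traces): 16 nonce bytes and 16 noisy leakage samples per trace."""
    nonces, traces = [], []
    for _ in range(n_traces):
        n = [rng.randrange(256) for _ in range(16)]
        t = [(1.0 if (n[j] ^ key[j]) == 0 else 0.0) + rng.gauss(0.0, NOISE_SIGMA)
             for j in range(16)]
        nonces.append(n)
        traces.append(t)
    return nonces, traces

def zero_value_cpa(nonces, traces, byte_index):
    """Pearson correlation between the zero-value hypothesis h_k(n) = [n ^ k == 0]
    and the leakage sample, for all 256 key guesses k. Since h_k is an indicator,
    every sum the correlation needs is a count or a sum over the traces whose
    nonce byte equals k, so one pass over the traces serves all guesses."""
    n = len(traces)
    count, bucket_sum = [0] * 256, [0.0] * 256
    sum_x = sum_x2 = 0.0
    for nonce, trace in zip(nonces, traces):
        v, x = nonce[byte_index], trace[byte_index]
        count[v] += 1
        bucket_sum[v] += x
        sum_x += x
        sum_x2 += x * x
    var_x = n * sum_x2 - sum_x * sum_x
    corr = []
    for k in range(256):
        var_y = n * count[k] - count[k] * count[k]   # sum_y == sum_y2 == count[k]
        if var_y == 0:
            corr.append(0.0)   # guess k never predicts a zero input: no evidence
            continue
        corr.append((n * bucket_sum[k] - sum_x * count[k]) / math.sqrt(var_x * var_y))
    return corr

def recover_key(nonces, traces):
    """Byte-by-byte key recovery: the guess with the largest |correlation| wins."""
    key = []
    for j in range(16):
        corr = zero_value_cpa(nonces, traces, j)
        key.append(max(range(256), key=lambda k: abs(corr[k])))
    return key

def run_demo(seed=2020):
    """Generate a constructed key and traces, attack them, return (secret, recovered)."""
    rng = random.Random(seed)
    secret = [rng.randrange(256) for _ in range(16)]
    nonces, traces = simulate_traces(secret, N_TRACES, rng)
    return secret, recover_key(nonces, traces)

if __name__ == "__main__":
    secret, recovered = run_demo()
    print("all 16 key bytes recovered:", recovered == secret)
```

With the indicator hypothesis only about 1/256 of the traces contribute to each guess, which is why far more traces are needed than for a Hamming-weight model; an evaluator can reuse the same correlation routine with a different hypothesis function to check other leakage models.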

Keywords
Authenticated encryption (AE) scheme, OCB scheme, Correlation power analysis, CAESAR competition, SAKURA-G.

  • Receive Date: 16 July 2019
  • Revise Date: 07 December 2019
  • Accept Date: 20 February 2020
  • First Publish Date: 20 April 2020