A Finer-Grain Analysis of the Leakage (Non) Resilience of OCB

OCB3 is one of the winners of the CAESAR competition and is among the most popular authenticated encryption schemes. In this paper, we put forward a fine-grain study of its security against side-channel attacks. We start from trivial key recoveries in settings where the mode can be attacked with standard Differential Power Analysis (DPA) against some block cipher calls in its execution (namely, initialization, processing of associated data or last incomplete block and decryption). These attacks imply that at least these parts must be strongly protected thanks to countermeasures like masking. We next show that if these block cipher calls of the mode are protected, practical attacks on the remaining block cipher calls remain possible. A first option is to mount a DPA with unknown inputs. A more efficient option is to mount a DPA that exploits horizontal relations between consecutive input whitening values. It allows trading a significantly reduced data complexity for a higher key guessing complexity and turns out to be the best attack vector in practical experiments performed against an implementation of OCB3 in an ARM Cortex-M0. Eventually, we consider an implementation where all the block cipher calls are protected. We first show that exploiting the leakage of the whitening values requires mounting a Simple Power Analysis (SPA) against linear operations. We then show that despite being more challenging than when applied to non-linear operations, such an SPA remains feasible against 8-bit implementations, leaving its generalization to larger implementations as an interesting open problem. We last describe how recovering the whitening values can lead to strong attacks against the confidentiality and integrity of OCB3. Thanks to this comprehensive analysis, we draw concrete requirements for side-channel resistant implementations of OCB3.

Bibliographic Details
Main Authors: Francesco Berti, Shivam Bhasin, Jakub Breier, Xiaolu Hou, Romain Poussier, François-Xavier Standaert, Balasz Udvarhelyi
Format: article
Language: EN
Published: Ruhr-Universität Bochum 2021
Published in: Transactions on Cryptographic Hardware and Embedded Systems, Vol 2022, Iss 1 (2021), pp. 461-481 (ISSN 2569-2925)
DOI: 10.46586/tches.v2022.i1.461-481
Subjects: OCB; side-channel attacks; horizontal DPA; worst-case SPA; leakage-resilience
Online Access: https://doaj.org/article/8750016cd0024c20b5e23df3d1103499
Publisher version: https://tches.iacr.org/index.php/TCHES/article/view/9304