Investigating profiled side-channel attacks against the DES key schedule

Cited by: 0
Authors
Heyszl J. [1]
Miller K. [1]
Unterstein F. [1]
Schink M. [1]
Wagner A. [1]
Gieser H. [2]
Freud S. [3]
Damm T. [3]
Klein D. [3]
Kügler D. [3]
Affiliations
[1] Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany
[2] Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Germany
[3] Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany
Source
IACR Transactions on Cryptographic Hardware and Embedded Systems | 2020 / Vol. 2020 / Issue 03
Keywords
3-DES; DES; Key schedule; SCA; Side-channel attack; Weak keys;
DOI
10.13154/tches.v2020.i3.22-72
Abstract
Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results plausible - can this be explained? Are the results device-specific or more generally applicable to other devices? What is the actual impact on the security of 3-key triple DES? We systematically answer those and several other questions by analyzing two commercial security controllers and a general purpose microcontroller. We observe a significant overall reduction and, importantly, also observe a large key-dependent variation in single DES key security levels, i.e. 49.4 bit mean and 0.9 % of keys < 40 bit (first investigated security controller; other results similar). We also observe a small fraction of keys with exceptionally low security levels that can be called weak keys. It is unclear whether a device’s side-channel security should be assessed based on such rare weak key outliers. We generalize results to other leakage models by attacking the hardware DES accelerator of a general purpose microcontroller exhibiting a different leakage model. A highly simplified leakage simulation also confirms the wide distribution and shows that security levels are predictable to some extent. Through extensive investigations we find that the actual weakness of keys mainly stems from the specific switching noise they cause. Based on our investigations we expect that widely distributed results and weak outliers should be expected for all profiled attacks against (insufficiently protected) key-schedules, regardless of the algorithm and specific implementation.
Finally, we describe a sound approach to estimate actual 3-key triple-DES security levels from empirical single DES results and find that the impact on the security of 3-key triple-DES is limited, i.e. 96.1 bit mean and 0.24 % of key-triples < 80 bit for the same security controller. © 2020, Ruhr-University of Bochum. All rights reserved.
Pages: 22-72
Page count: 50