Advertisement

Higher-Order DCA against Standard Side-Channel Countermeasures

  • Andrey Bogdanov
  • Matthieu Rivain
  • Philip S. Vejre
  • Junwei WangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)

Abstract

At CHES 2016, Bos et al. introduced differential computational analysis (DCA) as an attack on white-box software implementations of block ciphers. This attack builds on the same principles as DPA in the classical side-channel context, but uses computational traces consisting of plain values computed by the implementation during execution. It was shown to be able to recover the key of many existing AES white-box implementations.

The DCA adversary is passive, and so does not exploit the full power of the white-box setting, implying that many white-box schemes are insecure even in a weaker setting than the one they were designed for. It is therefore important to develop implementations which are resistant to this attack. We investigate the approach of applying standard side-channel countermeasures such as masking and shuffling. Under some necessary conditions on the underlying randomness generation, we show that these countermeasures provide resistance to standard (first-order) DCA. Furthermore, we introduce higher-order DCA, along with an enhanced multivariate version, and analyze the security of the countermeasures against these attacks. We derive analytic expressions for the complexity of the attacks – backed up through extensive attack experiments – enabling a designer to quantify the security level of a masked and shuffled implementation in the (higher-order) DCA setting.

Keywords

White-box cryptography Higher-order DCA Masking Shuffling 

Notes

Acknowledgment

The fourth author was supported by European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant agreement No. 643161.

References

  1. 1.
    CHES 2017 Capture the Flag Challenge - The WhibOx Contest, An ECRYPT White-Box Cryptography Competition. https://whibox.cr.yp.to/. Accessed Oct 2017
  2. 2.
    Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30564-4_16CrossRefGoogle Scholar
  3. 3.
    Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 373–402. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03329-3_13CrossRefGoogle Scholar
  4. 4.
    Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53140-2_11CrossRefGoogle Scholar
  5. 5.
    Bringer, J., Chabanne, H., Dottax, E.: Perturbing and protecting a traceable block cipher. In: Leitold, H., Markatos, E.P. (eds.) CMS 2006. LNCS, vol. 4237, pp. 109–119. Springer, Heidelberg (2006).  https://doi.org/10.1007/11909033_10CrossRefGoogle Scholar
  6. 6.
    Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. IACR Cryptology ePrint Archive 2006, 468 (2006)Google Scholar
  7. 7.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_26CrossRefGoogle Scholar
  8. 8.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36400-5_3CrossRefGoogle Scholar
  9. 9.
    Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-44993-5_1CrossRefGoogle Scholar
  10. 10.
    Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36492-7_17CrossRefzbMATHGoogle Scholar
  11. 11.
    Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_25CrossRefGoogle Scholar
  12. 12.
    Coron, J.-S., Kizhvatov, I.: Analysis and improvement of the random delay countermeasure of CHES 2009. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 95–109. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-15031-9_7CrossRefzbMATHGoogle Scholar
  13. 13.
    Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_21CrossRefGoogle Scholar
  14. 14.
    Fisher, R.A., Yates, F., et al.: Statistical tables for biological, agricultural and medical research. Statistical tables for biological, agricultural and medical research (1938)Google Scholar
  15. 15.
    Goubin, L., Paillier, P., Rivain, M., Wang, J.: How to reveal the secrets of an obscure white-box implementation. Cryptology ePrint Archive, Report 2018/098 (2018). https://eprint.iacr.org/2018/098
  16. 16.
    Goubin, L., Patarin, J.: DES and differential power analysis the “Duplication” method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48059-5_15CrossRefzbMATHGoogle Scholar
  17. 17.
    Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-24209-0_19CrossRefGoogle Scholar
  18. 18.
    Kerckhoffs, A.: La cryptographic militaire. J. Sci. Mil. IX, 5–38 (1883). https://www.petitcolas.net/kerckhoffs/crypto_militaire_1.pdf
  19. 19.
    Lepoint, T., Rivain, M., De Mulder, Y., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 265–285. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43414-7_14CrossRefGoogle Scholar
  20. 20.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing Thesecrets of Smart Cards. Springer, Boston (2007).  https://doi.org/10.1007/978-0-387-38162-6CrossRefzbMATHGoogle Scholar
  21. 21.
    Michiels, W., Gorissen, P., Hollmann, H.D.L.: Cryptanalysis of a generic class of white-box implementations. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 414–428. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-04159-4_27CrossRefGoogle Scholar
  22. 22.
    De Mulder, Y., Roelse, P., Preneel, B.: Cryptanalysis of the Xiao – Lai white-box AES implementation. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 34–49. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-35999-6_3CrossRefGoogle Scholar
  23. 23.
    De Mulder, Y., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated white-box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-17401-8_21CrossRefGoogle Scholar
  24. 24.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-15031-9_28CrossRefGoogle Scholar
  25. 25.
    Rivain, M., Prouff, E., Doget, J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 171–188. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-04138-9_13CrossRefzbMATHGoogle Scholar
  26. 26.
    Strobel, D., Paar, C.: An efficient method for eliminating random delays in power traces of embedded software. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 48–60. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-31912-9_4CrossRefGoogle Scholar
  27. 27.
    Tolhuizen, L.: Improved cryptanalysis of an AES implementation. In: Proceedings of the 33rd WIC Symposium on Information Theory, 2012. WIC (Werkgemeenschap voor Inform.-en Communicatietheorie) (2012)Google Scholar
  28. 28.
    Veyrat-Charvillon, N., Medwed, M., Kerckhof, S., Standaert, F.-X.: Shuffling against side-channel attacks: a comprehensive study with cautionary note. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 740–757. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34961-4_44CrossRefGoogle Scholar
  29. 29.
    Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: Computer Science and its Applications, CSA 2009, pp. 1–6. IEEE (2009)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Matthieu Rivain
    • 2
  • Philip S. Vejre
    • 1
  • Junwei Wang
    • 2
    • 3
    • 4
    Email author
  1. 1.Technical University of DenmarkKongens LyngbyDenmark
  2. 2.CryptoExpertsParisFrance
  3. 3.University of LuxembourgEsch-sur-AlzetteLuxembourg
  4. 4.University Paris 8Saint-DenisFrance

Personalised recommendations