Differential power analysis of HMAC SHA-2 in the Hamming weight model

Like any algorithm that manipulates secret data, HMAC is potentially vulnerable to side-channel attacks. In 2007, McEvoy et al. proposed a differential power analysis attack against HMAC instantiated with hash functions from the SHA-2 family. Their attack works in the Hamming distance leakage model and makes strong assumptions about the target implementation. In this paper, we present an attack on HMAC SHA-2 in the Hamming weight leakage model, which has the advantage that it can be used when no information is available about the targeted implementation. Furthermore, our attack can be adapted to the Hamming distance model with weaker assumptions about the implementation. We show the feasibility of our attack in simulations, and we study its overall cost and success rate. We also evaluate the performance overhead induced by the countermeasures necessary to prevent the attack.
