Novel Side-Channel Attacks on Emerging Cryptographic Algorithms and Computing Systems

Abstract of the Dissertation
Novel Side-Channel Attacks on Emerging Cryptographic Algorithms and Computing Systems
by Chao Luo
Doctor of Philosophy in Computer Engineering
Northeastern University, December 2018
Dr. Yunsi Fei, Advisor

After more than 20 years of research and development, side-channel attacks continue to pose serious threats to a wide range of computing systems. When targeting cryptographic implementations to retrieve the secret, side-channel attacks exploit peculiarities of the specific implementation, and are far more efficient than brute-force attacks and traditional cryptanalysis, which target weaknesses of the cryptographic algorithms themselves. Typical side channels include power consumption, electromagnetic emanation, and execution time. Because this side-channel information is inherently correlated with the secret, statistical analysis can be employed to recover it.

However, two trends present new challenges for side-channel research: new ciphers and emerging computing platforms. New ciphers or variants are being developed to provide a higher level of security or to be tailored to different applications. For example, XTS-AES (XEX-based tweaked-codebook mode with ciphertext stealing) is a security-hardened mode of AES for storage systems, which increases the algorithm's complexity and hides more system-dependent parameters from users (attackers). Meanwhile, more computing platforms are emerging, for general-purpose computing or for accelerating specific algorithms. Graphics Processing Units (GPUs) have been used to run a range of cryptographic algorithms for higher performance. However, the security of GPUs when processing sensitive data, and especially their side-channel vulnerabilities, has received little attention and remains largely unexplored.

Yet GPUs differ distinctly from other computing platforms in hardware structure and software programming model, making side-channel attacks on GPUs much more challenging. In this dissertation, I propose several novel side-channel attacks, targeting new ciphers including XTS-AES and ECC as well as GPUs, a popular class of accelerators. Some of our vulnerability analysis and
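The XTS-AES data path the abstract refers to, as an added example that is not part of the dissertation: the tweak for block j of a sector is E_K2(sector) multiplied by alpha^j in GF(2^128), every block-cipher input is P_j XOR T_j, and a trailing partial block is handled by ciphertext stealing; the tweak derived from K2 and the sector number is the system-dependent parameter a user of the device never sees. The block cipher call is a placeholder (truncated SHA-256, an assumption standing in for AES-128; it is not invertible, so only the encryption structure is shown).

```python
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Placeholder for AES-128 (assumption): a keyed 16-byte mapping built from
    SHA-256. It is not a permutation and not AES; it only exercises the XTS wrapping."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def mul_alpha(t: bytes) -> bytes:
    """Multiply a 16-byte little-endian GF(2^128) element by alpha = x, reducing
    modulo x^128 + x^7 + x^2 + x + 1 (the IEEE 1619 / SP 800-38E convention)."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:  # carry out of bit 127: fold the reduction polynomial back in
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")


def tweaks(key2: bytes, sector: int, count: int) -> list:
    """T_0 = E_K2(sector), T_j = T_{j-1} * alpha. None of these values is known
    to anyone without K2, which is what hides the first-round AES input."""
    t = block_encrypt(key2, sector.to_bytes(BLOCK, "little"))
    out = []
    for _ in range(count):
        out.append(t)
        t = mul_alpha(t)
    return out


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xts_encrypt(key1: bytes, key2: bytes, sector: int, pt: bytes) -> bytes:
    """XTS encryption of one data unit (at least one block), with ciphertext
    stealing when the length is not a multiple of the block size."""
    if len(pt) < BLOCK:
        raise ValueError("data unit must be at least one block long")
    full, rem = divmod(len(pt), BLOCK)
    ts = tweaks(key2, sector, full + 1)
    blocks = [pt[i * BLOCK:(i + 1) * BLOCK] for i in range(full)]
    ct = [xor(block_encrypt(key1, xor(b, t)), t) for b, t in zip(blocks, ts)]
    if rem:
        # Ciphertext stealing: the last full ciphertext block lends its tail to
        # pad the partial plaintext block, which is then encrypted under T_full;
        # the head of that lent block becomes the short final ciphertext fragment.
        cc = ct[-1]
        padded = pt[full * BLOCK:] + cc[rem:]
        ct[-1] = xor(block_encrypt(key1, xor(padded, ts[full])), ts[full])
        ct.append(cc[:rem])
    return b"".join(ct)
```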
