论文信息 - Side Channel Attacks Against HMACs Based on Block-Cipher Based Hash Functions

Side Channel Attacks Against HMACs Based on Block-Cipher Based Hash Functions

HMAC is one of the most famous keyed hash functions, and widely utilized. In order to design secure hash functions, we often use PGV construction consisting of 64 schemes, each of which utilizes a block cipher. If the underlying block cipher is ideal, 12 schemes are proven to be secure. In this paper, we evaluate the security of these schemes in view of side channel attacks. As it turns out, HMACs based on 11 out of 12 secure PGV schemes are vulnerable to side channel attacks, even if the underlying block cipher is secure against side channel attacks. These schemes are classified into two groups based on their vulnerabilities. For the first group which contains 8 schemes, we show that the attacker can reveal the whole key of HMAC, and selectively forge in consequence. For the other group which contains 3 schemes, we specify the importance of the execution sequence for the inner operations of the scheme, and refine it. If wrong orders of operations are used, the attacker can reveal a portion of the key of HMAC. Hence, the use of HMACs based on such PGV schemes as they are is not recommended when the resistance against side channel attacks is necessary.

Katsuyuki Okeya

[1] Paul C. Kocher,et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[2] Tetsu Iwata,et al. Side Channel Attacks on Message Authentication Codes , 2005, ESAS.

[3] Thomas S. Messerges,et al. Investigations of Power Analysis Attacks on Smartcards , 1999, Smartcard.

[4] Ralph C. Merkle,et al. One Way Hash Functions and DES , 1989, CRYPTO.

[5] Ronald L. Rivest,et al. The MD5 Message-Digest Algorithm , 1992, RFC.

[6] Thomas S. Messerges,et al. Securing the AES Finalists Against Power Analysis Attacks , 2000, FSE.

[7] Hugo Krawczyk,et al. Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[8] Christof Paar,et al. DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction , 2004, CHES.

[9] Bruce Schneier. One-way hash functions , 1991 .

[10] Siva Sai Yerubandi,et al. Differential Power Analysis , 2002 .

[11] Ivan Damgård,et al. A Design Principle for Hash Functions , 1989, CRYPTO.

[12] Thomas S. Messerges,et al. Using Second-Order Power Analysis to Attack DPA Resistant Software , 2000, CHES.

[13] Joos Vandewalle,et al. Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.

[14] Bart Preneel,et al. RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[15] John Black,et al. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV , 2002, CRYPTO.