wide collisions in practice xin ye, thomas eisenbarth florida atlantic university, usa 10 th acns...
TRANSCRIPT
![Page 1: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/1.jpg)
Wide Collisions in Practice
Xin Ye, Thomas EisenbarthFlorida Atlantic University, USA
10th ACNS 2012- Singapore
![Page 2: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/2.jpg)
Overview
• Side Channel Collision Attacks
• Wide Collisions for AES
• Improving Recognition Rates
• Attack Results
![Page 3: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/3.jpg)
Embedded Systems
• Specific purpose device with computing capabilities
• Constrained resources• Many require security
![Page 4: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/4.jpg)
Side Channel Attacks
… leaks additional information via side channel!e.g. power consumption / EM emanation
AESLeakage
plaintext
ciphertext
0 20 40 60 80 100 120 140 160 180 200
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Time
Corr
ela
tion
right key
wrong keys
![Page 5: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/5.jpg)
Collisions in AES
Collision: Querying same S-box value twice
Collision Attack: Exploiting collision detections to recover secret key
S S S S S S SS S S S S S S
y1 y4 = y1
plaintextAdd_Key
Sub_Bytes
S-box 1 S-box 4
![Page 6: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/6.jpg)
Collision Detection
Collisions are highly frequent:– First round: .41 collisions– One encryption: >40 collisions
Detecting collisions is hard:– One encryption: 12 720 comparisons– Probability of a collision: <0.4%– False positive rate of 1%: >120 faulty detections Should minimize false positives
![Page 7: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/7.jpg)
Wide Collisions (I) Two AES encryptions with chosen inputs Same plaintexts except for diagonals! AddRoundKey, SubBytes -> same difference
![Page 8: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/8.jpg)
Wide Collisions (II)
• ShiftRows aligns differences• MixColumns can result in equal bytes
Collision
![Page 9: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/9.jpg)
Wide Collisions (III) 2nd ShiftRows results in equal columns Full column collides until next ShiftRows! 5 predictable S-Box collisions between 2 encryptions!
Full Column Collision
![Page 10: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/10.jpg)
Collision Detection
• Direct Comparison of two power traces• Ideally only compared in leaking regions
(5 s-Boxes and full MixColumns colliding)
Point selection necessary:– Knowledge of implementation or profiling needed
S-box 4 S-boxes (in round 3)
+ S-box in round 2+ Mix Columns
![Page 11: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/11.jpg)
Key Recovery Phase
• 1st byte after 1st MixColumns:
• 4 collisions reduce key candidates from 232 to 1 candidate per diagonal.
• Full key recovery: 16 distinct collisions.
Avoid false positives
![Page 12: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/12.jpg)
Outlier MethodProcedure:
Find overallMean Trace
Locate Outlier Region
Locate Neighboring
Pairs Mean TraceIndividual Trace
Outlier Region
![Page 13: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/13.jpg)
Outlier Method: Details
Two parameters:• Size of outlier region• Admitted distance between
neighboring points
Both influence• Number of detected collisions• Rate of false positives
Tradeoff depends on implementation
![Page 14: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/14.jpg)
Results
Leaking Points Detected Collisions Correct Detections1 (R = 0.9, dmax = 0.3) 127 23.0%4 (R = 0.9, dmax = 0.3) 46 71.1%8 (R = 0.9, dmax = 0.3) 88 93.7%
Wide Collisions stronger, but knowledge of implementation or profiling needed
Blind Templates (+ PCA) are great for device profiling
• Unprotected SW implementation, 8-bit Smart Card• Results on 3000 power traces:
![Page 15: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/15.jpg)
Optimized Collision Detection
• Targeting Wide Collisions– Strong leakage, easier to detect– Requires chosen inputs
• Using Outlier Detection method:– Reduces overall detection of collisions– Minimizes false positives
![Page 16: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/16.jpg)
Conclusion
• Wide collisions yield feasible power based collision attack
• Outlier Method is a helpful tool for decreasing false positive detections
![Page 17: Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d005503460f949d30d0/html5/thumbnails/17.jpg)
Thank you very much for your [email protected]