Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption

Thomas Unterluggauer, Mario Werner, Stefan Mangard

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Research; peer-reviewed

Abstract

Differential power analysis (DPA) is a powerful tool to extract the key of a cryptographic implementation from observing its power consumption during the en-/decryption of many different inputs. Therefore, cryptographic schemes based on frequent re-keying such as leakage-resilient encryption aim to inherently prevent DPA on the secret key by limiting the amount of data being processed under one key. However, the original asset of encryption, namely the plaintext, is disregarded.
This paper builds on this observation and shows that the re-keying countermeasure not only protects the secret key, but also induces another DPA vulnerability that allows for plaintext recovery. Namely, the frequent re-keying in leakage-resilient streaming modes causes constant plaintexts to be attackable through first-order DPA. Similarly, constant plaintexts can be revealed from re-keyed block ciphers using templates in a second-order DPA.
Such plaintext recovery is particularly critical whenever long-term key material is encrypted and thus leaked. Besides leakage-resilient encryption, the presented attacks are also relevant for a wide range of other applications in practice that implicitly use re-keying, such as multi-party communication and memory encryption with random initialization for the key. Practical evaluations on both an FPGA and a microcontroller support the feasibility of the attacks and thus suggest the use of cryptographic implementations protected by mechanisms like masking in scenarios that require data encryption with multiple keys.
Original language: English
Title of host publication: Design, Automation & Test in Europe Conference - DATE 2017
Publisher: Institute of Electrical and Electronics Engineers
DOI: https://doi.org/10.23919/DATE.2017.7927197
Publication status: Published - 15 May 2017
Event: Design, Automation & Test in Europe Conference 2017 - Lausanne, Switzerland
Duration: 27 Mar 2017 to 31 Mar 2017

Conference

Conference: Design, Automation & Test in Europe Conference 2017
Abbreviated title: DATE
Country: Switzerland
City: Lausanne
Period: 27/03/17 to 31/03/17

Fingerprint

Cryptography
Recovery
Microcontrollers
Field programmable gate arrays (FPGA)
Electric power utilization
Data storage equipment
Communication

Keywords

  • differential power-analysis
  • side-channel attack
  • leakage-resilient encryption
  • re-keying

Cite this

Unterluggauer, T., Werner, M., & Mangard, S. (2017). Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption. In Design, Automation & Test in Europe Conference - DATE 2017. Institute of Electrical and Electronics Engineers. https://doi.org/10.23919/DATE.2017.7927197

@inproceedings{1f66fa9c8f2d4c408082e68e95a19f3f,
title = "Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption",
abstract = "Differential power analysis (DPA) is a powerful tool to extract the key of a cryptographic implementation from observing its power consumption during the en-/decryption of many different inputs. Therefore, cryptographic schemes based on frequent re-keying such as leakage-resilient encryption aim to inherently prevent DPA on the secret key by limiting the amount of data being processed under one key. However, the original asset of encryption, namely the plaintext, is disregarded. This paper builds on this observation and shows that the re-keying countermeasure does not only protect the secret key, but also induces another DPA vulnerability that allows for plaintext recovery. Namely, the frequent re-keying in leakage-resilient streaming modes causes constant plaintexts to be attackable through first-order DPA. Similarly, constant plaintexts can be revealed from re-keyed block ciphers using templates in a second-order DPA. Such plaintext recovery is particularly critical whenever long-term key material is encrypted and thus leaked. Besides leakage-resilient encryption, the presented attacks are also relevant for a wide range of other applications in practice that implicitly use re-keying, such as multi-party communication and memory encryption with random initialization for the key. Practical evaluations on both an FPGA and a microcontroller support the feasibility of the attacks and thus suggest the use of cryptographic implementations protected by mechanisms like masking in scenarios that require data encryption with multiple keys.",
keywords = "differential power-analysis, side-channel attack, leakage-resilient encryption, re-keying",
author = "Thomas Unterluggauer and Mario Werner and Stefan Mangard",
year = "2017",
month = "5",
day = "15",
doi = "10.23919/DATE.2017.7927197",
language = "English",
booktitle = "Design, Automation & Test in Europe Conference - DATE 2017",
publisher = "Institute of Electrical and Electronics Engineers",
address = "United States",
}
