|
Lightweight Cryptography Primitives
|
|
Lightweight Cryptography Primitives
|
This page describes the utilities in the library that support the implementation of masked ciphers in plain C.
R. Cramer, I. Damgård, and Y. Ishai. Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation. In J. Kilian, editor, Theory of Cryptography Conference – TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 342–362. Springer, 2005, PDF.
Matthieu Rivain and Emmanuel Prouff. Provably secure higher-order masking of AES. In Stefan Mangard and François-Xavier Standaert, editors, CHES, volume 6225 of Lecture Notes in Computer Science, pages 413–427.Springer, 2010, PDF.
Applications in embedded devices may encrypt or decrypt many times with the same key, either because the key is fixed into the device, or the same key is used on every packet in a session.
Each time the key is used, the power consumption of the device will fluctuate slightly based on the 0 and 1 bits from the key and the plaintext data. Over time it is possible to build up a statistical profile of a particular key's power consumption compared with other keys.
In the simplest form, encrypting with a 1 bit from the key uses a different amount of power than encrypting with a 0 bit. If the power consumption can be measured accurately enough, it may be possible to simply read the bits from the power consumption trace. This is called Simple Power Analysis (SPA).
SPA has historically been used to break RSA encryption on embedded devices. A zero bit involves a square operation, and a 1 bit involves square-and-multiply. The difference in power consumption means that the 0 and 1 bits of the RSA key can be literally read straight off an oscilloscope's screen.
A more powerful technique is Differential Power Analysis (DPA) which can pull useful information out of otherwise noisy data given enough statistical samples. The power consumption will bias one way or the other based on the key in a manner that DPA can detect.
More information on power analysis: https://en.wikipedia.org/wiki/Power_analysis
Masking is a technique to mitigate against power analysis side channels. For a traditional block cipher, the key and the plaintext input are split up into multiple random "shares", the cipher is applied to each of the shares, and then the results are combined to produce the expected result.
Consider a classical block cipher operation E(K, P) which encrypts a plaintext P under a key K. We can split this into three shares as follows:
Because the values K2, K3, P2, and P3 are different every time the block operation is invoked, it is difficult for SPA and DPA to collect usable statistical data and the attack is mitigated. There may still be other ways to recover the key, such as directly hacking into the device and stealing it, but power analysis is made more difficult.
The complexity of masking comes in the fourth step above: computing the three block operations in parallel. If the block cipher involves only XOR, rotate, and shift operations, then it truly can be computed in parallel with no interaction between the shares until the results are combined at the end.
However, all secure ciphers will also include AND and OR operations to mix the data more thoroughly. As we'll see below, this introduces some complexity into the calculations. The utilities in this library handle the complexity to make it easier to write plain C code that uses masking.
We begin with an example of converting parts of the bit-sliced version of GIFT-128 into masked form.
At the start of a GIFT-128 encryption operation, the 128-bit plaintext input and the 128-bit key are loaded into 32-bit registers from the big-endian input buffers:
Using the masking utilities, this becomes:
The mask_uint32_t type contains the shares for a masked 32-bit word. The default implementation of this type has 4 shares:
The mask_input() macro generates random material and masks the value:
The aead_random_generate_32() function is internal to the library and generates a random 32-bit value each time it is called. Recent 32-bit ARM and other microcontrollers come with an instruction or peripheral register that provides a random 32-bit value, so obtaining random data is not hard.
Note: You need to call aead_random_init() before any use of the masking utilities to initialize the random number source. But that can be placed into your application's startup code or your AEAD mode's setup phase.
The masking is repeated for the other plaintext and key words. Later, we compute the bit-sliced GIFT-128 S-box as follows:
Using the masking utilities, this becomes:
As can be seen, the structure of the masked version of the S-box is very similar to the original, which aids in debugging the implementation during development.
Finally, once encryption is complete, we need to store the ciphertext to the output buffer in big-endian order:
After macro expansion, this is equivalent to:
The library provides explicit types for 2, 3, 4, 5, and 6 share versions of 16-bit, 32-bit, and 64-bit words:
The library also contains the following generic types:
The generic types are defined to one of the previous types based on the value of AEAD_MASKING_SHARES. For example, if the number of shares is 3, then the generic types are mapped as follows:
Your code can use the explicit versions if you need an exact number of shares, or you can use the generic types for the default number of shares that is specified by AEAD_MASKING_SHARES, usually 4. Using the generic types is recommended because then it is easy to recompile your code to use a different sharing ratio.
The following generic macros are defined to assist with working with masked words. The equivalent plain C operation is shown on the right:
These operations will work on 16-bit, 32-bit, and 64-bit masked words, adapting automatically to the underlying masked word type.
There are also versions of these macros for each explcit sharing ratio between 2 and 6. For example, if you wanted to force the use of the 3-share versions, you would use the following macros instead of the generic ones:
This section provides details on how each of the operations are defined, and how that leads to an effective masked implementation. For simplicity, we will use the 3-share versions unless otherwise stated.
The input to a cipher must be masked and converted into shares before any other operations can be performed:
Behind the scenes, mask_x3_input() expands to:
As can be seen, masking involves generating random values for the second and subsequent shares and then XOR'ing it with the input to create the first share. After masking, the original value is no longer operative; w.a, w.b, and w.c are all randomized. For the 4-share and higher variants, more random words are generated and XOR'ed with x.
To recover the results at the end of the cipher, the shares are recombined using mask_x3_output():
This expands to:
XOR operations are very simple. The mask_x3_xor() macro applies XOR to each of the shares individually:
Things are slightly different when XOR'ing round constants into a masked word:
Here, only the first share in the masked word is updated. The rest of the shares are left as-is. To show why we only update the first share, let's see what happens with the 2-share version if we were to XOR the constant with all shares instead of just the first:
We expected "x ^ c" at the end, not x. The constant cancelled itself out when the final state was unmasked. If we only XOR the round constant into the first share, we get:
This gives us the result we wanted.
Finally, mask_xor3() can be used to XOR three masked words together:
The 3-word version of XOR can be more efficient than two separate calls to mask_xor() because the intermediate values for each share can be kept in registers longer.
NOT operations are a special case of XOR'ing with the all-1's round constant. The following are equivalent for 32-bit masked words:
The mask_x3_not() function is more convenient because it works on 16-bit, 32-bit, and 64-bit words without the programmer having to supply an all-1's constant of the right size.
Let's expand mask_x3_not() and see what it is doing:
The AND operation is the most complex of the masked operations. Here is the 4-share version:
Essentially this is performing a diagonal matrix operation where each share is mixed with all of the shares below it and to the right. At each step, a new random number is generated and mixed into the state.
Note: The mask_and(), mask_and_not(), and mask_or() macros require a local variable called "temp" in the current scope that is of type uint16_t, uint32_t, or uint64_t depending upon the type of masked word you are operating on.
For a masked word with N shares, each AND operation requires (N² - N) / 2 random number generator calls and mix operations. This has a significant impact on performance compared with the non-masked version of AND. The higher the number of shares, or the higher the number of AND operations, the slower the masked cipher will become.
A common variant of AND is to invert the first argument. For example, here is step chi of Xoodoo:
While it is possible to create temporaries to hold the NOT-inverted intermediate values, it is easier and more memory-efficient to use mask_and_not():
The OR operation is implemented in terms of AND using DeMorgan's Law: (A | B) = ~(~(A) & ~(B)). The 4-share version of OR is:
As mentioned previously, the NOT operation only affects the first share, so only some of the terms need to be inverted to convert OR into AND.
The mask_x3_shl(), mask_x3_shr(), mask_x3_rol(), and mask_x3_ror() functions perform a left shift, right shift, left rotate, and right rotate respectively. Like mask_x3_xor(), they operate on each share individually.
The first two arguments can be the same masked word for in-place shift and rotate operations:
The mask_swap() function swaps two masked words and the mask_swap_move() function performs a swap on some of the bits in two masked words.
1.8.6
