On the construction of
Side-Channel Attack resilient S-boxes
Nikita Veshchikov
Collaboration with Liran Lerman, Stjepan Picek and Olivier Markowitch
Université Libre de Bruxelles, Belgium
Paris, COSADE
13/04/2017
Intro
1 / 30
Classical cryptanalysis
2 / 30
Designing a block cipher
3 / 30
Side-channel attacks
4 / 30
Power analysis
5 / 30
Properties of S-boxes
6 / 30
Properties of S-boxes: SCA
7 / 30
Let’s build S-boxes!
8 / 30
Let’s build S-boxes!
9 / 30
Let’s compare S-boxes!
10 / 30
New S-boxes!
11 / 30
Design scope
I
Genetic algorithms
I
Success rate of CPA (HW) & TA (ATmega328)
I
4 × 4 and 5 × 5 S-boxes
12 / 30
Success rates of CPA against S-boxes
1.0
Success rate
0.9
0.8
0.7
0.6
PRESENT
PRINCE
0.5
0
10
20
30
40
KLEIN
50
60
Number of traces
13 / 30
Success rates of CPA against S-boxes II
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
0.6
0.5
0
10
20
30
40
EvolvedCC
EvolvedTO
50
60
Number of traces
14 / 30
Success rate: here is a new one!
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
0.6
0.5
0
10
20
30
40
EvolvedCC
EvolvedTO
EvolvedSR1
50
60
Number of traces
15 / 30
Success rate: Present S-box
1.0
Success rate
0.9
0.8
0.7
0.6
PRESENT
0.5
0
10
20
30
40
50
60
Number of traces
16 / 30
Forward vs. Inverse
1.0
Success rate
0.9
0.8
0.7
0.6
PRESENTinv
PRESENT
0.5
0
10
20
30
40
50
60
Number of traces
17 / 30
Success rates for S-boxes
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
EvolvedCC
0.6
0.5
0
10
20
30
40
EvolvedTO
EvolvedSR1
EvolvedSR2
50
60
Number of traces
18 / 30
Success rates for S-boxes−1
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
EvolvedCC
0.6
0.5
0
10
20
30
40
EvolvedTO
EvolvedSR1
EvolvedSR2
50
60
Number of traces
19 / 30
Max of success rates
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
EvolvedCC
0.6
0.5
0
10
20
30
40
EvolvedTO
EvolvedSR1
EvolvedSR2
50
60
Number of traces
20 / 30
Kleptographic S-box
1.0
Success rate
0.9
0.8
0.7
PRESENT
PRINCE
KLEIN
EvolvedCC
0.6
0.5
0
10
20
30
40
EvolvedTO
EvolvedSR1
EvolvedSR2
EvolvedK
50
60
Number of traces
21 / 30
How good is it?
1.0
◦
◦
Success rate
0.9
SR = 0.9820
0.8
SR = 0.9605
0.7
0.6
PRESENT
0.5
0
10
20
30
40
EvolvedK
50
60
Number of traces
22 / 30
Success rate of a full attack
One nibble of 4 bits
I
Present : SR = 0.9605
I
EvolvedK : SR = 0.9820
Assmuing independent nibbles..
80-bit key
I
Present : SR = (0.9605)20 ≈ 0.45
I
EvolvedK : SR = (0.9820)20 ≈ 0.70
128-bit key
I
Present : SR = (0.9605)32 ≈ 0.28
I
EvolvedK : SR = (0.9820)32 ≈ 0.56
23 / 30
Success rate of a full attack
One nibble of 4 bits
I
Present : SR = 0.9605
I
EvolvedK : SR = 0.9820
Assmuing independent nibbles..
80-bit key
I
Present : SR = (0.9605)20 ≈ 0.45
I
EvolvedK : SR = (0.9820)20 ≈ 0.70
128-bit key
I
Present : SR = (0.9605)32 ≈ 0.28
I
EvolvedK : SR = (0.9820)32 ≈ 0.56
24 / 30
Success rate of a full attack
One nibble of 4 bits
I
Present : SR = 0.9605
I
EvolvedK : SR = 0.9820
Assmuing independent nibbles..
80-bit key
I
Present : SR = (0.9605)20 ≈ 0.45
I
EvolvedK : SR = (0.9820)20 ≈ 0.70
128-bit key
I
Present : SR = (0.9605)32 ≈ 0.28
I
EvolvedK : SR = (0.9820)32 ≈ 0.56
25 / 30
Conclusions & Future works
26 / 30
Conclusion I
Now you have a new way of generating S-boxes!
27 / 30
Conclusion II
1.0
Success rate
0.9
0.8
0.7
0.6
PRESENTinv
PRESENT
0.5
0
10
20
30
40
50
60
Number of traces
28 / 30
What’s next?
I
I
I
More properties!
More leakage models!
“Easy-to-mask” S-boxes?
29 / 30
Warning!
Kleptographic S-box!
0x0,0xF,0x1,0x9,0xB,0x5,0x8,0x2
0xE,0x3,0xC,0x6,0xD,0x4,0xA,0x7
If you see it in a cryptographic primitive immediately contact [email protected]
30 / 30