
Single-Trace Side-Channel Analysis on Polynomial-Based MAC Schemes

  • Conference paper
Constructive Side-Channel Analysis and Secure Design (COSADE 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12244)

Abstract

This paper presents the first side-channel analysis (SCA) of polynomial-based message authentication code (MAC) schemes that is applicable to Poly1305. Typical SCAs (e.g., simple power analysis (SPA) and differential power analysis (DPA)) and conventional attacks on GCM/GMAC, which focus on the first multiplication result in the universal hashing (i.e., the polynomial evaluation), cannot be applied to Poly1305 because of its one-time keys and the structure of prime-field multiplication. The proposed attack, on the other hand, retrieves the hash key from a single side-channel trace (e.g., a power/EM trace of one execution) with non-negligible probability and is applicable to polynomial-based MAC schemes implemented on an 8-bit microcontroller. It allows the attacker to forge the authentication tag even though the hash key is a one-time key. The basic idea is to exploit the addition in polynomial-based MAC schemes: since either the output or one input of the addition is known, we can efficiently estimate the unknown operands of the addition and then retrieve the hash key by polynomial factorization over the estimated candidates. This study also shows a cost-effective countermeasure for ChaCha20-Poly1305 that combines a lightweight masked Poly1305 with a first-order mask conversion from Boolean to arithmetic masking.


Notes

  1. In the case of ChaCha20-Poly1305, if the final block of \(\mathcal {D}\) or \(\mathcal {C}\) is a partial block of b (< 16) bytes, 0x01 is appended as the \((b+1)\)-th byte and the rest is padded with zeros.

  2. On the other hand, if side-channel leakage of \(H^i\) during the computation of \(H^n\) must be prevented, we should compute \(M_{X_n}^{(\mathbb {F})}\) in the order \(M_{X_0}^{(\mathbb {F})}H, M_{X_0}^{(\mathbb {F})}H^2, \dots , M_{X_0}^{(\mathbb {F})}H^n\), which takes n multiplications.

References

  1. Adomnicai, A., Fournier, J.J.A., Masson, L.: Bricklayer attack: a side-channel analysis on the ChaCha quarter round. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 65–84. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_4

  2. Al Fardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy (S&P), pp. 526–540. IEEE (2013)

  3. Risa/Asir (Kobe distribution) download page. http://www.math.kobe-u.ac.jp/Asir/asir.html

  4. Belaïd, S., Coron, J.-S., Fouque, P.-A., Gérard, B., Kammerer, J.-G., Prouff, E.: Improved side-channel analysis of finite-field multiplication. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 395–415. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_20

  5. Bettale, L., Coron, J.-S., Zeitoun, R.: Improved high-order conversion from Boolean to arithmetic masking. IACR Trans. Cryptogr. Hardware Embed. Syst. (TCHES), 22–45 (2018)

  6. Bernstein, D.J.: Guaranteed message authentication faster than MD5 (1999). http://cr.yp.to/antiforgery/hash127-abs.pdf

  7. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3

  8. Bernstein, D.J.: ChaCha, a variant of Salsa20, October 2018. http://cr.yp.to/chacha/chacha-20080128.pdf

  9. Belaïd, S., Fouque, P.-A., Gérard, B.: Side-channel analysis of multiplications in GF(\(2^{128}\)). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 306–325. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_17

  10. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  11. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)

  12. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm (full version), October 2018. https://cseweb.ucsd.edu/~mihir/papers/oem.pdf

  13. Bache, F., Schneider, T., Moradi, A., Güneysu, T.: SPARX: a side-channel protected processor for ARX-based cryptography. In: Design, Automation and Test in Europe Conference and Exhibition (DATE), pp. 990–995. IEEE (2017)

  14. Böck, H., Zauner, A., Devlin, S., Somorovsky, J., Jovanovic, P.: Nonce-disrespecting adversaries: practical forgery attacks on GCM in TLS. In: 10th USENIX Workshop on Offensive Technologies (WOOT 2016), pp. 1–13. USENIX Association (2016)

  15. Clavier, C., Marion, D., Wurcker, A.: Simple power analysis on AES key expansion revisited. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 279–297. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_16

  16. Cryptographic competitions. CAESAR: Competition for authenticated encryption: security, applicability, and robustness (2016). https://competitions.cr.yp.to/caesar.html

  17. Duong, T., Rizzo, J.: Here come the \(\oplus \) ninjas (2011). https://www.nist.gov/

  18. Drechsler, R. (ed.): Advanced Formal Verification. Kluwer Academic Publishers, Amsterdam (2004)

  19. Dworkin, M.: NIST Special Publication 800-38D: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. Technical report, National Institute of Standards and Technology (NIST) (2007). http://dl.acm.org/citation.cfm?id=2206251

  20. Gross, H., Mangard, S.: A unified masking approach. J. Cryptogr. Eng. 8(2), 109–124 (2018). https://doi.org/10.1007/s13389-018-0184-y

  21. Gross, H., Mangard, S., Korak, T.: Domain-oriented masking: compact masked hardware implementations with arbitrary protection order. In: ACM Workshop on Theory of Implementation Security (TIS), p. 3 (2016)

  22. Goubin, L.: A sound method for switching between Boolean and arithmetic masking. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 3–15. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_2

  23. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_9

  24. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_9

  25. Hutter, M., Schwabe, P.: \(\mu \)NaCl: the networking and cryptography library for microcontrollers, May 2019. https://munacl.cryptojedi.org/index.shtml

  26. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_3

  27. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27

  28. Jungk, B., Bhasin, S.: Don’t fall into a trap: physical side-channel analysis of ChaCha20-Poly1305. In: Design, Automation and Test in Europe Conference and Exhibition (DATE), pp. 1110–1115. IEEE (2017)

  29. Joux, A.: Authentication failures in NIST version of GCM (2006). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf

  30. Jungk, B., Petri, R., Stöttinger, M.: Efficient side-channel protections of ARX ciphers. IACR Trans. Cryptogr. Hardware Embed. Syst. (TCHES), 627–653 (2018)

  31. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  32. Kawai, W., Ueno, R., Homma, N., Aoki, T., Fukushima, K., Kiyomoto, S.: Practical power analysis on KCipher-2 software on low-end microcontrollers. In: IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Workshop on Security for Embedded and Mobile Systems (SEMS), pp. 113–121 (2017)

  33. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. IACR ePrint Archive, Report 2003/106 (2003). https://eprint.iacr.org/2003/106

  34. Nir, Y., Langley, A.: ChaCha20 and Poly1305 for IETF protocols. Internet Engineering Task Force (IETF), RFC 7539 (2015). https://tools.ietf.org/html/rfc7539

  35. Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_24

  36. McGrew, D.A., Viega, J.: The Galois/Counter Mode of operation (GCM) (2005). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/gcm-revised-spec.pdf

  37. NIST: Lightweight cryptography (2019). https://csrc.nist.gov/projects/lightweight-cryptography

  38. Oshida, H., Ueno, R., Homma, N., Aoki, T.: On masked Galois-field multiplication for authenticated encryption resistant to side channel analysis. In: Fan, J., Gierlichs, B. (eds.) COSADE 2018. LNCS, vol. 10815, pp. 44–57. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89641-0_3

  39. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. J. Cryptol. 28(4), 769–795 (2015)

  40. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

  41. Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3. Internet Engineering Task Force (IETF), RFC 8446, October 2018. https://datatracker.ietf.org/doc/rfc8446/

  42. Renauld, M., Standaert, F.-X.: Algebraic side-channel attacks. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 393–410. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16342-5_29

  43. Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N.: Algebraic side-channel attacks on the AES: why time also matters in DPA. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 97–111. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04138-9_8

  44. Saarinen, M.-J.O.: SGCM: the Sophie Germain counter mode. IACR ePrint Archive, Report 2011/326 (2011). https://eprint.iacr.org/2011/326

  45. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15

  46. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)


Author information

Correspondence to Rei Ueno.

Appendix: Side-Channel Analysis on Intermediate Addition


We now describe the attack on the i-th intermediate addition of \(X_{i-1}\) and \(A_{i}\), i.e., \(W_i = (2^{128} + A_i) + X_{i-1}\). In contrast to the final addition, the output of the i-th addition (\(W_i\)) is a secret value, but the attacker knows the input \(A_{i}\). Therefore, similarly to Algorithm 3, we can make a list of candidates for \(X_{i-1}\) by calculating \(HW(w_{i, j})\) from \(a_{i,j}\) and a guessed \(x_{i-1, j}\), and comparing this hypothetical \(HW(w_{i,j})\) with the one estimated from the side-channel trace. Algorithm 7 computes such a list of candidates for \(X_{i-1}\). It is derived from Algorithm 3 essentially by inverting the signs of g and \(2^8\), since it is a variant of Algorithm 3 in which \(W_i - X_{i-1} = A_i\) plays the role of \(S + U = T\). In addition, the special case \(a_{i,j} = 0\) is removed, because \(a'_{i,j}\) at Line 7, the value representing a carry-in of one, is computed by adding one rather than by subtracting one. Lines 29–38 handle the 17th byte. This iteration is simplified because the 17th bytes of \(X_{i-1}\) and \(W_{i}\) can only take small values (represented by two bits) and no carry may propagate to or be generated in an 18th byte. At Line 39, the byte-wise candidates for \(X_{i-1}\) are combined by “CombineByteWiseCandidatesEval,” which essentially performs Algorithm 4, except that its output is \(\varOmega _0 \; \cup \; \varOmega _1\) and Lines 10–16 are skipped because the addition is performed only up to the 17th byte. Note that although the main loop in Algorithm 7 and in CombineByteWiseCandidatesEval runs until \(j=17\), the computational cost of Algorithm 7 is almost equal to that of Algorithm 3.

[Algorithm 7 is given as a figure in the original paper and is not reproduced on this page.]

A major concern when attacking the i-th addition is that the addition is performed over \(GF(2^{130}-5)\); that is, a reduction modulo \(2^{130}-5\) may be applied to the result of the addition, in which case we cannot correctly estimate \(W_i\). However, our attack still applies to the many practical implementations in which the reduction is applied only to the multiplication result and not to the addition result.

In addition, some implementations employ an efficient reduction that exploits the property of the Mersenne-like prime after the multiplication, which means that the multiplication result is reduced in a lazy manner and \(X_{i-1}\) is represented by more than 130 bits. Consider the open-source implementation in [HS19], as in Sect. 3.5. This implementation uses a lazy reduction and 133- and 134-bit representations for intermediate values. More precisely, the multiplication result is not fully reduced by \(2^{130}-5\), so \(X_{i-1}\) is not a 130-bit value as described in Sect. 3.5 but a 133-bit one (and \(W_i\) is 134-bit). Our algorithms still apply to this implementation after changing the upper bound of d at Line 33 to \(2^5\), because Algorithm 7 only assumes that \(X_{i-1}\) and \(W_i\) are 17-byte values and that no carry propagates to or is generated in an 18th byte. Owing to this redundancy, the number of candidates for \(X_{i-1}\) after Algorithm 7 may be greater than in the evaluation of Sect. 3.4 (i.e., Fig. 2 and Table 1). However, our simulation confirmed that the number of candidates is on average only about \(2^2\)–\(2^3\) times greater than that given in Sect. 3.4. Thus, our attack remains practical, with a complexity given by Eq. (7) (and Table 3).
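The byte-wise candidate enumeration for the intermediate addition, as an added illustrative example written for this page; it is our own reconstruction of the idea and not the paper's Algorithm 7, whose listing is not reproduced here. It assumes an 8-bit implementation that adds the 17-byte little-endian operands with a ripple carry and leaks the exact Hamming weight of every result byte \(w_{i,j}\); \(A_i\) is known, \(X_{i-1}\) is unknown, no carry leaves the 17th byte, and the top byte of \(X_{i-1}\) is bounded by `top_byte_bound` (4 for a fully reduced 130-bit value, 32 for the 133-bit lazily reduced representation discussed above). All function names, the sample message block and the sample accumulator value are ours (constructed).

```python
"""Byte-wise candidate recovery for the unknown operand X of the accumulator
addition W = X + (A + 2^128) from Hamming-weight leakage of the result bytes.

Illustrative reconstruction written for this page; not the paper's Algorithm 7.
Assumptions (ours): byte-by-byte ripple-carry addition on an 8-bit core, exact
HW leakage of every result byte, A known, no carry out of the top (17th) byte,
and the top byte of X bounded by `top_byte_bound`.
"""


def hw(b):
    """Hamming weight of the low byte of b."""
    return bin(b & 0xFF).count("1")


def block_operand(msg_block):
    """A_i + 2^128 as 17 little-endian bytes (Poly1305 appends the 0x01 byte)."""
    assert len(msg_block) == 16
    return list(msg_block) + [0x01]


def ripple_add(x, a):
    """Add two little-endian byte vectors as an 8-bit core does it.
    Returns (result bytes, carry-in of every byte); the result bytes leak."""
    assert len(x) == len(a)
    w, carries, c = [], [], 0
    for xj, aj in zip(x, a):
        carries.append(c)
        s = xj + aj + c
        w.append(s & 0xFF)
        c = s >> 8
    assert c == 0, "carry out of the top byte: operands exceed the assumed bounds"
    return w, carries


def bytewise_candidates(a, hw_w, top_byte_bound=4):
    """For every byte j and every carry-in c in {0, 1}: the set of
    (x_j, carry_out) pairs whose result byte has the observed Hamming weight.
    omega[j][0] / omega[j][1] play the role of Omega_0 / Omega_1 above."""
    n = len(a)
    omega = []
    for j in range(n):
        top = j == n - 1
        xs = range(top_byte_bound) if top else range(256)
        per_carry = []
        for c_in in (0, 1):
            cands = set()
            for xj in xs:
                s = a[j] + xj + c_in
                if top and s >= 256:
                    continue  # a carry may not leave the top byte
                if hw(s) == hw_w[j]:
                    cands.add((xj, s >> 8))
            per_carry.append(cands)
        omega.append(per_carry)
    return omega


def count_consistent(omega):
    """Number of full X values whose byte candidates form a consistent carry
    chain, by dynamic programming over the carry instead of enumerating the
    Cartesian product of the per-byte lists."""
    ways = {0: 1}  # the carry into byte 0 is always 0
    for per_carry in omega:
        nxt = {0: 0, 1: 0}
        for c_in, cnt in ways.items():
            for _, c_out in per_carry[c_in]:
                nxt[c_out] += cnt
        ways = {c: cnt for c, cnt in nxt.items() if cnt}
    return ways.get(0, 0)


def is_consistent(omega, x):
    """True iff x survives the byte-wise filtering with a consistent carry chain."""
    c = 0
    for per_carry, xj in zip(omega, x):
        hit = [c_out for (cand, c_out) in per_carry[c] if cand == xj]
        if not hit:
            return False
        c = hit[0]
    return c == 0


def demo(top_byte_bound=4):
    """Constructed sample: one message block and one accumulator value.
    Returns (number of surviving candidates, whether the true X survives)."""
    msg_block = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
    x_true = list(bytes.fromhex("3b2a9c7e115fd0e84466a1f2c9078d5e")) + [0x02]  # constructed
    a = block_operand(msg_block)
    w, _ = ripple_add(x_true, a)
    leak = [hw(b) for b in w]  # the single-trace observation (assumed exact)
    omega = bytewise_candidates(a, leak, top_byte_bound)
    return count_consistent(omega), is_consistent(omega, x_true)


if __name__ == "__main__":
    import math
    for bound in (4, 32):
        n_cand, ok = demo(bound)
        print(f"top byte < {bound}: 2^{math.log2(n_cand):.1f} candidates, true X survives: {ok}")
```

The per-byte lists are kept split by carry-in rather than expanded into one set, so the combination step only has to check that the carry out of byte j matches the carry into byte j+1; `count_consistent` shows how large the surviving candidate space is for a given trace, and `demo(32)` shows how much the lazily reduced representation enlarges it relative to `demo(4)`.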


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Ueno, R., Fukushima, K., Nakano, Y., Kiyomoto, S., Homma, N. (2021). Single-Trace Side-Channel Analysis on Polynomial-Based MAC Schemes. In: Bertoni, G.M., Regazzoni, F. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2020. Lecture Notes in Computer Science(), vol 12244. Springer, Cham. https://doi.org/10.1007/978-3-030-68773-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-68773-1_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68772-4

  • Online ISBN: 978-3-030-68773-1

  • eBook Packages: Computer Science (R0)
