ABSTRACT
Since Keccak has been selected as the new SHA-3 standard, the Keccak-based Message Authentication Code (MAC-Keccak), which uses a secret key, will be widely used for integrity checking and authenticity assurance. Recent works have shown the feasibility of side-channel attacks against software implementations of MAC-Keccak to retrieve the key, but the security assessment of hardware implementations remains an open problem. In this paper, we present a comprehensive and practical side-channel analysis of a hardware implementation of MAC-Keccak on FPGA. Unlike previous works, we propose a new attack method targeting the first round output of MAC-Keccak rather than the linear operation θ only. The results on sampled power traces show that the unprotected hardware implementation of MAC-Keccak is vulnerable to side-channel attacks, and that attacking the nonlinear operation of MAC-Keccak is very effective. We further discuss countermeasures against side-channel analysis on hardware MAC-Keccak. Finally, we discuss the impact of the key length on side-channel analysis and compare the attack complexity between MAC-Keccak and other cryptographic algorithms.
Index Terms
- Side-channel analysis of MAC-Keccak hardware implementations