Horizontal Side-Channel Vulnerabilities of Post-Quantum Key Exchange and Encapsulation Protocols

2021 ◽  
Vol 20 (6) ◽  
pp. 1-22
Author(s):  
Furkan Aydin ◽  
Aydin Aysu ◽  
Mohit Tiwari ◽  
Andreas Gerstlauer ◽  
Michael Orshansky

Key exchange protocols and key encapsulation mechanisms establish secret keys to communicate digital information confidentially over public channels. Lattice-based cryptography variants of these protocols are promising alternatives given their quantum-cryptanalysis resistance and implementation efficiency. Although lattice cryptosystems can be mathematically secure, their implementations have shown side-channel vulnerabilities. But such attacks largely presume collecting multiple measurements under a fixed key, leaving the more dangerous single-trace attacks unexplored. This article demonstrates successful single-trace power side-channel attacks on lattice-based key exchange and encapsulation protocols. Our attack targets both hardware and software implementations of matrix multiplications used in lattice cryptosystems. The crux of our idea is to apply a horizontal attack that makes hypotheses on several intermediate values within a single execution all relating to the same secret, and to combine their correlations for accurately estimating the secret key. We illustrate that the design of protocols combined with the nature of lattice arithmetic enables our attack. Since a straightforward attack suffers from false positives, we demonstrate a novel extend-and-prune procedure to recover the key by following the sequence of intermediate updates during multiplication. We analyzed two protocols, Frodo and FrodoKEM, and revealed that they are vulnerable to our attack. We implement both stand-alone hardware and RISC-V based software realizations and test the effectiveness of the proposed attack by using concrete parameters of these protocols on physical platforms with real measurements. We show that the proposed attack can estimate secret keys from a single power measurement with over 99% success rate.
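The horizontal attack and the extend-and-prune search described in the abstract above, as an added simulation that is not the paper's code and uses none of its parameters. It assumes a schoolbook matrix-vector product modulo 2^15 whose accumulator leaks its Hamming weight plus Gaussian noise after every multiply-accumulate, 128 rows (so 128 leakage samples per secret entry from one execution), secret entries in [-3, 3], and a constructed secret. It also reproduces the false-positive problem the abstract mentions: because doubling modulo a power of two is a one-bit shift, a halved guess for the first entry correlates almost as strongly as the true one, and only carrying both prefixes forward into later columns separates them.

```python
"""Simulated horizontal (single-trace) power attack on a schoolbook
matrix-vector product with a small secret, with a greedy attack and an
extend-and-prune (beam) attack side by side.  The leakage model, the tiny
dimensions and the secret range are illustrative assumptions, not the
paper's code or the parameters of Frodo/FrodoKEM."""
import math
import random

Q = 1 << 15           # power-of-two modulus (assumed, FrodoKEM-style)
N_ROWS = 128          # rows of the public matrix = MACs per secret entry (assumed)
SECRET_RANGE = 3      # secret entries lie in [-3, 3] (assumed, toy-sized)
SIGMA = 0.8           # noise std dev on the Hamming-weight leakage (assumed)
SECRET = [2, -1, 3, 0, -2, 1]   # constructed secret column; entry 0 is even on purpose


def hw(x):
    """Hamming weight of a non-negative integer."""
    return bin(x).count("1")


def simulate_trace(a, s, rng, sigma=SIGMA):
    """One execution of acc_i = sum_j a[i][j]*s[j] mod Q, leaking HW(acc)
    after every multiply-accumulate.  leak[i][j] = sample for row i after
    column j has been added."""
    leak = []
    for row in a:
        acc, samples = 0, []
        for a_ij, s_j in zip(row, s):
            acc = (acc + a_ij * s_j) % Q
            samples.append(hw(acc) + rng.gauss(0.0, sigma))
        leak.append(samples)
    return leak


def pearson(xs, ys):
    """Pearson correlation; 0.0 when a hypothesis has no variance
    (e.g. guess s_j = 0 on an all-zero prefix)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def column_scores(a, leak, prefix, j):
    """Horizontal CPA for column j given a guessed prefix s[0..j-1]: one
    hypothesis per candidate value, correlated over all rows of one trace."""
    rows = range(len(a))
    acc_prev = [sum(a[i][l] * prefix[l] for l in range(j)) % Q for i in rows]
    measured = [leak[i][j] for i in rows]
    scores = {}
    for g in range(-SECRET_RANGE, SECRET_RANGE + 1):
        hyp = [hw((acc_prev[i] + a[i][j] * g) % Q) for i in rows]
        scores[g] = pearson(hyp, measured)
    return scores


def greedy_attack(a, leak):
    """Straightforward attack: commit to the best guess column by column."""
    prefix = []
    for j in range(len(a[0])):
        scores = column_scores(a, leak, prefix, j)
        prefix.append(max(scores, key=scores.get))
    return prefix


def extend_and_prune(a, leak, beam=3):
    """Keep the `beam` best partial secrets, extend each with every candidate
    for the next column, score by summed correlations, prune, repeat."""
    candidates = [([], 0.0)]
    for j in range(len(a[0])):
        extended = []
        for prefix, score in candidates:
            for g, c in column_scores(a, leak, prefix, j).items():
                extended.append((prefix + [g], score + c))
        extended.sort(key=lambda t: t[1], reverse=True)
        candidates = extended[:beam]
    return candidates[0][0]


def run_demo(seed=1):
    """Generate a public matrix, one noisy trace, and run both attacks."""
    rng = random.Random(seed)
    a = [[rng.randrange(Q) for _ in SECRET] for _ in range(N_ROWS)]
    leak = simulate_trace(a, SECRET, rng)
    first = column_scores(a, leak, [], 0)
    return {"greedy": greedy_attack(a, leak),
            "pruned": extend_and_prune(a, leak),
            "col0_true": first[SECRET[0]],
            "col0_half": first[SECRET[0] // 2]}


if __name__ == "__main__":
    r = run_demo()
    print("true secret      :", SECRET)
    print("greedy recovery  :", r["greedy"])
    print("extend-and-prune :", r["pruned"])
    print("column 0: corr(true)=%.3f corr(halved)=%.3f" % (r["col0_true"], r["col0_half"]))
```

Run it as a script to see the column-0 scores: the true guess 2 and the halved guess 1 both correlate close to 0.9 because HW(2x mod 2^15) differs from HW(x) only by the top bit of x. A greedy attack that commits to 1 there has a wrong accumulator for every later column and loses the rest of the key; the beam keeps both prefixes and the odd second entry rules the halved one out.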

2018 ◽  
Vol 8 (10) ◽  
pp. 1809 ◽  
Author(s):  
Suhri Kim ◽  
Seokhie Hong

The Gaussian sampler is an integral part of lattice-based cryptography as it has a direct connection to security and efficiency. Although it is theoretically secure to use the Gaussian sampler, the security of its implementation is an open issue. Therefore, researchers have started to investigate the security of the Gaussian sampler against side-channel attacks. Since the performance of the Gaussian sampler directly affects the performance of the overall cryptosystem, countermeasures considering only timing attacks are applied in the literature. In this paper, we propose the first single trace power analysis attack on a constant-time cumulative distribution table (CDT) sampler used in lattice-based cryptosystems. From our analysis, we were able to recover every sampled value in the key generation stage, so that the secret key is recovered by Gaussian elimination. By applying our attack to the candidates submitted to the National Institute of Standards and Technology (NIST), we were able to recover over 99% of the secret keys. Additionally, we propose a countermeasure based on a look-up table. To validate the efficiency of our countermeasure, we implemented it in Lizard and measured its performance. We demonstrated that the proposed countermeasure does not degrade the performance.
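The chain described in the abstract above, from a constant-time CDT sampler whose every table comparison shows up in one trace to key recovery by Gaussian elimination, as an added simulation that is not the paper's code and does not reproduce any NIST candidate. It assumes a toy LWE-style key generation b = A·s + e mod q with a prime q (so elimination is over a field), a 16-bit CDT for a centred discrete Gaussian on [-6, 6], and a leakage model in which each comparison result leaks as its bit value plus small Gaussian noise; sizes and noise level are illustrative.

```python
"""Simulated single-trace attack on a constant-time CDT Gaussian sampler,
followed by secret-key recovery through Gaussian elimination mod q.
Sampler, key generation, leakage model and dimensions are illustrative
assumptions, not the paper's implementation or any NIST submission."""
import math
import random

Q = 3329            # prime modulus so elimination works over a field (assumed)
N, M = 6, 8         # secret length and number of LWE samples (assumed, toy-sized)
SIGMA = 1.5         # Gaussian parameter of the error distribution (assumed)
TAIL = 6            # table covers -TAIL..TAIL (assumed)
LEAK_NOISE = 0.08   # noise on each leaked comparison bit (assumed)


def build_cdt(sigma=SIGMA, tail=TAIL, bits=16):
    """Cumulative distribution table of the centred discrete Gaussian on
    [-tail, tail] in `bits`-bit fixed point; the final entry (1.0) is
    omitted, as usual for CDT sampling."""
    probs = [math.exp(-x * x / (2 * sigma * sigma)) for x in range(-tail, tail + 1)]
    total = sum(probs)
    table, cum = [], 0.0
    for p in probs[:-1]:
        cum += p / total
        table.append(int(cum * ((1 << bits) - 1)))
    return table


def ct_cdt_sample(table, r, tail=TAIL):
    """Constant-time scan: every entry is compared with r and the results
    are summed, no early exit.  Returns (sample, comparison_bits); the
    per-comparison bits are what the simulated trace exposes."""
    bits = [1 if t <= r else 0 for t in table]
    return -tail + sum(bits), bits


def leak_bits(bits, rng, noise=LEAK_NOISE):
    """Simulated power samples: one per table comparison, bit plus noise."""
    return [b + rng.gauss(0.0, noise) for b in bits]


def recover_sample_from_trace(trace, tail=TAIL):
    """Single-trace recovery: threshold each comparison sample and re-sum."""
    return -tail + sum(1 for v in trace if v > 0.5)


def keygen(rng, table):
    """Toy LWE key generation b = A*s + e mod Q with e from the CDT sampler;
    also returns the simulated trace of every sampler call."""
    s = [rng.randrange(Q) for _ in range(N)]
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e, traces = [], []
    for _ in range(M):
        x, bits = ct_cdt_sample(table, rng.randrange(1 << 16))
        e.append(x)
        traces.append(leak_bits(bits, rng))
    b = [(sum(a[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return s, a, b, traces


def solve_mod_q(a, rhs, q=Q):
    """Gauss-Jordan elimination over GF(q) for a*x = rhs (rows >= columns);
    returns x, or None if the coefficient matrix is rank-deficient."""
    rows = [list(r) + [v] for r, v in zip(a, rhs)]
    ncols = len(a[0])
    piv_row = 0
    for col in range(ncols):
        pivot = next((r for r in range(piv_row, len(rows)) if rows[r][col] % q), None)
        if pivot is None:
            return None
        rows[piv_row], rows[pivot] = rows[pivot], rows[piv_row]
        inv = pow(rows[piv_row][col], -1, q)
        rows[piv_row] = [(v * inv) % q for v in rows[piv_row]]
        for r in range(len(rows)):
            if r != piv_row and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[piv_row])]
        piv_row += 1
    return [rows[i][ncols] for i in range(ncols)]


def attack(a, b, traces):
    """Recover e from the sampler traces, then s from A*s = b - e mod Q."""
    e_rec = [recover_sample_from_trace(t) for t in traces]
    return solve_mod_q(a, [(bi - ei) % Q for bi, ei in zip(b, e_rec)])


def run_demo(seed=7):
    """Generate a key with leaking sampler calls and attack it; returns (s, s_recovered)."""
    rng = random.Random(seed)
    table = build_cdt()
    s, a, b, traces = keygen(rng, table)
    return s, attack(a, b, traces)


if __name__ == "__main__":
    s, s_rec = run_demo()
    print("secret   :", s)
    print("recovered:", s_rec)
```

The point of the constant-time scan is that it removes the timing dependence on the sampled value, but it does so by performing every comparison, and each comparison still has a value-dependent result that a single power trace can expose; once the error vector is known, the public key is a linear system in s and elimination does the rest.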


2020 ◽  
Vol 62 (5-6) ◽  
pp. 287-293
Author(s):  
Felix Günther

Secure connections are at the heart of today’s Internet infrastructure, protecting the confidentiality, authenticity, and integrity of communication. Achieving these security goals is the responsibility of cryptographic schemes, more specifically two main building blocks of secure connections. First, a key exchange protocol is run to establish a shared secret key between two parties over a, potentially, insecure connection. Then, a secure channel protocol uses that shared key to securely transport the actual data to be exchanged. While security notions for classical designs of these components are well-established, recently developed and standardized major Internet security protocols like Google’s QUIC protocol and the Transport Layer Security (TLS) protocol version 1.3 introduce novel features for which supporting security theory is lacking. In my dissertation [20], which this article summarizes, I studied these novel and advanced design aspects, introducing enhanced security models and analyzing the security of deployed protocols. For key exchange protocols, my thesis introduces a new model for multi-stage key exchange to capture that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security. It further introduces a formalism for key confirmation, reflecting a long-established practical design criterion which however was lacking a comprehensive formal treatment so far. For secure channels, my thesis captures the cryptographic subtleties of streaming data transmission through a revised security model and approaches novel concepts to frequently update key material for enhanced security through a multi-key channel notion. These models are then applied to study (and confirm) the security of the QUIC and TLS 1.3 protocol designs.


2020 ◽  
Vol 8 (5) ◽  
pp. 5526-5532

Key exchange protocols play a vital role in symmetric key cryptography. Transferring a private key through a secured medium is a challenging task because intruders evolve every day and attacks increase constantly. The existing key exchange protocols such as Diffie-Hellman, ElGamal, MQV, etc. are old methods, and many attacks have happened on those protocols. These challenges demand a new protocol or methodology for transferring a secret key between the parties. The paper proposes a new, secured, low-computational-overhead key exchange mechanism using the short message service available in cellular networks. GSM-SMS is a highly established secured channel, and the research uses this facility to transfer the key from the sender to the receiver of the symmetric key cryptosystem. The private key need not be revealed to third parties or even to the receiver, because the sender can communicate directly with the decryption system through mobile SMS. After the decryption process, the secret key is destroyed immediately. There is no possible attack during the key transfer, and loss and error in the communication are very low.


Author(s):  
N. V. Bezverkhniy ◽  
M. V. Nikitina

The article solves the problem of developing a scheme for secret key exchange over an open communication channel. The basic idea of creating such a scheme is well known. It is based on the concept of a one-way function. This refers to functions whose values are calculated much more easily than the values of the inverse function. When developing the one-way functions, a recognition algorithm for word equality in groups with the small cancellation conditions C(3)-T(6) is used. In this case, the group is represented by a set of generators and defining relations. All the work of developing the algorithms and evaluating their complexity is carried out using group diagrams of equality. The existence of such diagrams is proved by the well-known van Kampen lemma. The result of the paper is that the proposed scheme for the exchange of secret keys has the following properties. The direct algorithms have linear complexity, and the complexity of the inverse algorithms is exponential. It should be noted that the complexity of the algorithms was estimated by the areas of the corresponding group diagrams, which are determined by the number of regions they include. The constructed secret key is some element of a pre-selected group with conditions C(3)-T(6). It can be represented in an infinite number of ways by words in the alphabet of the generators of the group. Thus, the remaining obstacle to practical application of the developed key exchange scheme is the ambiguity of the secret key's representation. Finding a common representative as the lexicographically shortest word in the class of equal words turns out to be too difficult. Thus, this question remains open, although the task of exchanging secret keys itself can formally be considered solved.


Author(s):  
Anh-Tuan Hoang ◽  
Neil Hanley ◽  
Maire O’Neill

Deep learning (DL) has proven to be very effective for image recognition tasks, with a large body of research on various model architectures for object classification. Straightforward application of DL to side-channel analysis (SCA) has already shown promising success, with experimentation on open-source variable key datasets showing that secret keys can be revealed with hundreds of traces even in the presence of countermeasures. This paper aims to further improve the application of DL for SCA, by enhancing the power of DL when targeting the secret key of cryptographic algorithms when protected with SCA countermeasures. We propose a new model, a CNN-based model with Plaintext feature extension (CNNP), together with multiple convolutional filter kernel sizes and structures with deeper and narrower neural networks, which has empirically proven its effectiveness by outperforming reference profiling attack methods such as template attacks (TAs), convolutional neural networks (CNNs) and multilayer perceptron (MLP) models. Our model generates state-of-the-art results when attacking the ASCAD variable-key database, which has a restricted number of training traces per key, recovering the key within 40 attack traces in comparison with the hundreds of traces required by straightforward machine learning (ML) application. During the profiling stage an attacker needs no additional knowledge on the implementation, such as the masking scheme or random mask values, only the ability to record the power consumption or electromagnetic field traces, plaintext/ciphertext and the key. Additionally, no heuristic pre-processing is required in order to break the high-order masking countermeasures of the target implementation.


2017 ◽  
Vol 28 (06) ◽  
pp. 725-742 ◽  
Author(s):  
Yangguang Tian ◽  
Guomin Yang ◽  
Yi Mu ◽  
Shiwei Zhang ◽  
Kaitai Liang ◽  
...  

Attribute-based authenticated key exchange (AB-AKE) is a useful primitive that allows a group of users to establish a shared secret key and at the same time enables fine-grained access control. A straightforward approach to design an AB-AKE protocol is to extend a key exchange protocol using an attribute-based authentication technique. However, insider security is a challenging security issue for AB-AKE in the multi-party setting and cannot be solved using the straightforward approach. In addition, many existing key exchange protocols for the multi-party setting (e.g., the well-known Burmester-Desmedt protocol) require multiple broadcast rounds to complete the protocol. In this paper, we propose a novel one-round attribute-based key exchange (OAKE) protocol in the multi-party setting. We define the formal security models, including session key security, insider security and user privacy, for OAKE, and prove the security of the proposed protocol under some standard assumptions in the random oracle model.


2011 ◽  
Vol 22 (05) ◽  
pp. 1211-1227 ◽  
Author(s):  
Takaaki Mizuki ◽  
Satoru Nakayama ◽  
Hideaki Sone

Assume that there are players and an eavesdropper Eve, where several pairs of players have shared secret keys beforehand. We regard each player as a vertex of a graph and regard each pair of players sharing a key as an edge. Consider the case where Eve knows some of the keys according to a certain probability distribution. In this paper, applying the technique of st-numbering, we propose a protocol which allows any two designated players to agree on a secret key through such a "partially leaked key exchange graph." Our protocol is optimal in the sense that Eve's knowledge about the secret key agreed on by the two players is as small as possible.


2017 ◽  
Vol 11 (4) ◽  
Author(s):  
Janaka Alawatugoda

Typically, secure channels are constructed from an authenticated key exchange (AKE) protocol, which authenticates the communicating parties based on long-term public keys and establishes secret session keys. In this paper we address the partial leakage of long-term secret keys of key exchange protocol participants due to various side-channel attacks. Security models for two-party authenticated key exchange protocols have been developed over time to provide security even when the adversary learns certain secret values. This paper combines and extends the advances of security modelling for AKE protocols, addressing more granular partial leakage of long-term secrets of protocol participants. Further, we fix some flaws in security proofs of previous leakage-resilient key exchange protocols.


2018 ◽  
Vol 8 (11) ◽  
pp. 2168 ◽  
Author(s):  
Bo-Yeon Sim ◽  
Junki Kang ◽  
Dong-Guk Han

Binary scalar multiplication, which is the main operation of elliptic curve cryptography, is vulnerable to side-channel analysis. It is especially vulnerable to side-channel analysis using power consumption and electromagnetic emission patterns. Thus, various countermeasures have been reported. However, they focused on eliminating patterns of conditional branches, statistical characteristics according to intermediate values, or data inter-relationships. Even though secret scalar bits are directly loaded during the check phase, countermeasures for this phase have not been considered. Therefore, in this paper, we show that there is side-channel leakage associated with secret scalar bit values. We experimented with hardware and software implementations, and the experiments on hardware implementations were focused on the Montgomery–López–Dahab ladder algorithm protected by scalar randomization. We show that we could extract secret key bits with a 100% success rate using a single trace. Moreover, our attack did not require sophisticated preprocessing and could defeat existing countermeasures using a single trace. In software implementations we focused on the key bit identification functions of mbedTLS and OpenSSL. The success rate was over 94%, so brute-force attacks could still recover all the secret scalar bits. We propose a countermeasure and demonstrate experimentally that it can be effectively applied.

