1 of 26

Power Side-Channel Vulnerability Assessment of LightWeight Cryptographic Scheme, XOODYAK

Anupam Golder*, Debayan Das, Santosh Ghosh, Avinash Varna, Majid Sabbagh, Sayak Ray, Rana Elnaggar, Joseph Friel, Daniel Dinu, Jason Fung

*Georgia Institute of Technology

Intel Corporation

2 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

3 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

4 of 26

Overview of XOODYAK

  • Cryptographic Primitive for:
    • Hashing
    • Encryption
    • MAC (Message Authentication Code)
    • AEAD (Authenticated Encryption with Associated Data)
  • Duplex Construction absorbing arbitrary length string and squeezing arbitrary length output
  • Permutation Function: XOODOO12 (12 rounds of XOODOO)
  • Claimed Security: 128 bits

J. Daemen et al, 2020, Xoodyak, a lightweight cryptographic scheme

5 of 26

Overview of XOODYAK: Decryption

  • During Decryption, the adversary supplies Associated Data (A) and Nonce.

6 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

7 of 26

Trace Collection

  • As DUT and Meter Module share the same PDN, the fluctuations caused by DUT in the supply line cause change in the delay of delay buffers in TDC.

R. Elnaggar et. al, DTTC 2021, OPAL: On-the-go Physical Attack Lab to Evaluate Power Side-channel Vulnerabilities on FPGAs 

  • FPGA:
    • Intel® Stratix® 10
  • DUT Frequency:
    • 10MHz
  • Sampling Frequency:
    • 100 MHz

8 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

9 of 26

Non-Profiled SCA: t-Test

  • Fixed vs. Random 𝒕-test: |𝒕|-value crosses the threshold of 4.5 🡪 Leakage Exists
  • Leakage is prominent after around ~20 traces.

10 of 26

Non-Profiled SCA: Known Key Correlation

  • High Correlation 🡪 Hamming Distance Leakage Model is valid.
  • Higher Bit Leakage Models 🡪 Higher Correlation 🡪 Costlier Computation

3-bit Leakage Model

Computationally

Infeasible for CPA

Round 1 Update

(Point of Attack)

Round 12

Update

Computationally Infeasible for CPA

11 of 26

Non-Profiled SCA: INITIALIZE phase

Linear Layers

Non-Linear Layer

Equivalent Operation

Linear

Layer

12 of 26

Non-Profiled SCA: CPA of INITIALIZE phase

  • 4-bit Hypothesis is required to model 3-bit Leakage.
  • Most Significant Bit 🡪 Key Hypothesis, Lower 3 bits 🡪 Key Intermediate Hypothesis

13 of 26

Non-Profiled SCA: CPA of INITIALIZE phase

  • Success Rate = Number of Columns Recovered/Total Number of Columns
  • Correct hypothesis emerges from incorrect hypotheses or reaches rank 1 (2nd most likely).

Success Rate = 118/128=92% @20K

# of measurements to disclosure (MTD) = ~13K

~20K

14 of 26

Non-Profiled SCA: ABSORB phase

Linear Layers

Non-Linear Layer

Actual Hardware Implementation

Equivalent Operation

15 of 26

Non-Profiled SCA: CPA of ABSORB phase

  • 6-bit Hypothesis is required to model 3-bit Leakage
  • Upper 3-bits 🡪 Key State Hypothesis, Lower 3 bits 🡪 Key Intermediate Hypothesis

16 of 26

Non-Profiled SCA: CPA of ABSORB phase

  • Redundancy in Hypotheses: 2 Hypotheses will have the same |correlation coefficient|.
  • The correlation peaks are of opposite polarities.

Column Number 1

Hypothesis = 9 (0b001001)

Hypothesis = 49 (0b110001)

Secret Intermediate = (Hypothesis & 0b111) = 1

17 of 26

Non-Profiled SCA: CPA of ABSORB phase

  • For most columns, the correct hypothesis emerges from incorrect hypotheses.
  • The rest of the columns can be recovered by key enumeration techniques.

MTD = ~38K

Success Rate = 82% @90K

~90K

18 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

19 of 26

Profiled SCA

  • Profiling Phase: a Model is developed using Known Data and Actual Traces.
  • Typically reduces the number of attack traces due to better modeling.

Profiling Phase

Data

Trigger

Power Trace

Label

0

5

3

Trace

Train

.

.

.

0

1

7

.

.

.

.

.

.

.

.

.

.

.

.

20 of 26

Profiled SCA

  • Attack Phase: the trained model is used to generate probability scores.

Attack Phase

Data

Trigger

Trace

Trained Model

Test

.

.

.

0

1

7

.

.

.

.

.

.

.

.

.

.

.

5

21 of 26

Profiled SCA: 1-D CNN model

  • Pre-processing Steps (Not Shown): Standard Scaling and Min-Max Scaling

G. Zaid et al., CHES2020, Methodology for Efficient CNN Architectures in Profiling Attacks

22 of 26

Profiled SCA: Rank Computation

  • Maximal Product of Probability Scores (after N traces) 🡪 Most Likely Hypothesis

Power Trace

L0=0

L7=7

tr1

p1[0]

p1[7]

tr2

p2[0]

p2[7]

trN

pN[0]

pN[7]

Power Trace

h0

h63

tr1

p1[4]

p1[2]

tr2

p2[0]

p2[2]

trN

p1[7]

pN[1]

g0

g63

g9

max

Probability Scores

From Model Predictions

Hypothesis Candidates

Label for Hypothesis and Known Data

Product of Probability Scores

23 of 26

Profiled SCA: ABSORB phase

  • Hamming Distance Leakage Model 🡪 Class Imbalance Issue
  • Identity Leakage Model 🡪 Uniform Distribution of Classes
  • MTD for Profiled SCA is slightly lower due to better leakage modeling.

24 of 26

Outline

  • Overview of XOODYAK
  • Trace Collection
  • Non-profiled SCA
  • Profiled SCA
  • Summary

25 of 26

Summary

  • 1 Round/Cycle unprotected implementation is susceptible to SCA.

  • Adversary-controlled Nonce and Associated Data 🡪 lead to key recovery by a side-channel adversary.

  • Possible SCA Countermeasures (Future Works):
    • Masking
    • Multiple Rounds/Cycle Implementation
    • Trickled Nonce Absorption

26 of 26

Q & A