Wide Collisions in Practice

Xin Ye, Thomas EisenbarthFlorida Atlantic University, USA

10th ACNS 2012- Singapore

Overview

• Side Channel Collision Attacks

• Wide Collisions for AES

• Improving Recognition Rates

• Attack Results

Embedded Systems

• Specific purpose device with computing capabilities

• Constrained resources• Many require security

Side Channel Attacks

… leaks additional information via side channel!e.g. power consumption / EM emanation

AESLeakage

plaintext

ciphertext

0 20 40 60 80 100 120 140 160 180 200

-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Time

Corr

ela

tion

right key

wrong keys

Collisions in AES

Collision: Querying same S-box value twice

Collision Attack: Exploiting collision detections to recover secret key

S S S S S S SS S S S S S S

y1 y4 = y1

plaintextAdd_Key

Sub_Bytes

S-box 1 S-box 4

Collision Detection

Collisions are highly frequent:– First round: .41 collisions– One encryption: >40 collisions

Detecting collisions is hard:– One encryption: 12 720 comparisons– Probability of a collision: <0.4%– False positive rate of 1%: >120 faulty detections Should minimize false positives

Wide Collisions (I) Two AES encryptions with chosen inputs Same plaintexts except for diagonals! AddRoundKey, SubBytes -> same difference

Wide Collisions (II)

• ShiftRows aligns differences• MixColumns can result in equal bytes

Collision

Wide Collisions (III) 2nd ShiftRows results in equal columns Full column collides until next ShiftRows! 5 predictable S-Box collisions between 2 encryptions!

Full Column Collision

Collision Detection

• Direct Comparison of two power traces• Ideally only compared in leaking regions

(5 s-Boxes and full MixColumns colliding)

Point selection necessary:– Knowledge of implementation or profiling needed

S-box 4 S-boxes (in round 3)

+ S-box in round 2+ Mix Columns

Key Recovery Phase

• 1st byte after 1st MixColumns:

• 4 collisions reduce key candidates from 232 to 1 candidate per diagonal.

• Full key recovery: 16 distinct collisions.

Avoid false positives

Outlier MethodProcedure:

Find overallMean Trace

Locate Outlier Region

Locate Neighboring

Pairs Mean TraceIndividual Trace

Outlier Region

Outlier Method: Details

Two parameters:• Size of outlier region• Admitted distance between

neighboring points

Both influence• Number of detected collisions• Rate of false positives

Tradeoff depends on implementation

Results

Leaking Points Detected Collisions Correct Detections1 (R = 0.9, dmax = 0.3) 127 23.0%4 (R = 0.9, dmax = 0.3) 46 71.1%8 (R = 0.9, dmax = 0.3) 88 93.7%

Wide Collisions stronger, but knowledge of implementation or profiling needed

Blind Templates (+ PCA) are great for device profiling

• Unprotected SW implementation, 8-bit Smart Card• Results on 3000 power traces:

Optimized Collision Detection

• Targeting Wide Collisions– Strong leakage, easier to detect– Requires chosen inputs

• Using Outlier Detection method:– Reduces overall detection of collisions– Minimizes false positives

Conclusion

• Wide collisions yield feasible power based collision attack

• Outlier Method is a helpful tool for decreasing false positive detections

Thank you very much for your attention!teisenba@fau.edu