Side-channel leakage aware instruction scheduling
Authors: Hermann Seuschek, F. D. Santis, O. Guillen
DOI: 10.1145/3031836.3031838 (https://doi.org/10.1145/3031836.3031838)
Published in: Proceedings of the Fourth Workshop on Cryptography and Security in Computing Systems, 2017-01-24
Citation count: 11 (Semantic Scholar)

Abstract
Speed-optimized, side-channel protected software implementations of block ciphers are important for the security of embedded IoT devices based on general-purpose microcontrollers. The recent work of Schwabe et al., published at SAC 2016, introduced a bit-sliced implementation of AES and a first-order Boolean-masked version of it, targeting ARM Cortex-M CPU cores. The authors claim that it is secure against timing attacks as well as first-order power and electromagnetic side-channel attacks. However, the authors' security claims do not take the actual leakage characteristics of the underlying CPU architecture into account, which makes the scheme potentially vulnerable to first-order attacks in practice. In this work we show that such a masking scheme can indeed be attacked very easily by first-order electromagnetic side-channel attacks. In order to fix the issue and provide practical first-order security, we provide a strategy for scheduling program instructions in such a way that the specific leakage of the CPU does not impair the side-channel countermeasure.