Abstract
Over the past two decades, cache attacks have been identified as a threat to the security of cipher implementations. These attacks recover secret information by combining observations of the victim cache accesses with the knowledge of the internal structure of the cipher. So far, cache attacks have been applied to ciphers that have fixed state transformations, leaving open the question of whether using secret, key-dependent transformations enhances the security against such attacks. In this paper we investigate this question. We look at an implementation of the North Korean cipher Pilsung, as reverse-engineered by Kryptos Logic. Like AES, Pilsung is a permutation-substitution cipher, but unlike AES, both the substitution and the permutation steps in Pilsung depend on the key, and are not known to the attacker. We analyze Pilsung and design a cache-based attack. We improve the state of the art by developing techniques for reversing secret-dependent transformations. Our attack, which requires an average of eight minutes on a typical laptop computer, demonstrates that secret transformations do not necessarily protect ciphers against side channel attacks.
Highlights
The seminal work of Kocher [Koc96], demonstrated the need to protect cryptographic primitives against implementation attacks
We extend the works on misaligned tables [SP13; ZW10] and show how the alignment of the tables affects the amount of information leaked
Noting that the misaligned tables may be an artifact of the reverse engineering of Pilsung rather than a flaw in the original implementation, we present an attack on Pilsung when the tables are properly aligned with cache lines
Summary
The seminal work of Kocher [Koc96], demonstrated the need to protect cryptographic primitives against implementation attacks. Side channel attacks leak information from the implementation of a cryptographic primitive through its interaction with the environment. Since the first attacks [OST06; Per; TSS+03; TTMH02], multiple attack techniques have been developed, exploiting leaks from implementations of symmetric ciphers [IAES15; IAIES14; OST06; SP13; TSS+03; TTMH02; ZW10], pre- and post-quantum public key systems [BBG+17; BH09; GBK11; GPTY18; GVY17; PBY17; Per; PGBY16; YF14; ZJRR12], and other cryptographic primitives [DDME+18]. Multiple techniques for exploiting this timing difference have been developed, showing the effectiveness of cache attacks in recovering keys of symmetric ciphers [AK06; Ber; BM06; IAES15; IAIES14; MIE17; NRMW12; NS06; NSW06; OST06; PDR11; RM11; RMTF09; SP13; TSS+03; TTMH02; ZW10; ZWZ09], public key ciphers [BBG+17; BH09; GBK11; LYG+15; Per; RGG+19; YF14; ZJRR12], digital signature schemes [BPSY14; PBY17; PGBY16], zero-knowledge proofs [DDME+18] and hybrid schemes [GVY17]. Cache attacks have been shown to be effective in recovering sensitive information from non-cryptographic software [BMD+17; GSM15; RTSS09; SKH+19; YFT18]
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have