Communications in Cryptology IACR CiC

Algebraic Side-Channel Attacks against ISAP's Re-Keying: one Ascon Round May not be Enough for Serial Implementations

Authors

Vincent Grosso, François-Xavier Standaert

Vincent Grosso
Université Jean Monnet Saint-Etienne, CNRS, Institut d'Optique Graduate School, Laboratoire Hubert Curien UMR 5516, F-42023 Saint-Étienne, France
vincent dot grosso at univ-st-etienne dot fr

François-Xavier Standaert
UCLouvain, ICTEAM Institute, Crypto Group, Louvain-la-Neuve, Belgium

Abstract

We investigate the side-channel security of ISAP against Algebraic Side-Channel Attacks (ASCA) in a simulated setting where the Hamming weight leakages of its intermediate computations can be recovered. For this purpose, we first describe how these attacks, so far only used to target 8-bit implementations, can be applied to 16-bit or 32-bit implementations. We then use ASCA to discuss the side-channel security claims of ISAP's re-keying, where a single bit of nonce is absorbed per permutation call. Theoretically, this re-keying aims to ensure that attacking more than one permutation call jointly does not improve over attacking the same number of permutation calls independently. Yet, while this expectation is likely to be met for ISAP's conservative parameters (where permutation calls are made of 12 Ascon rounds), the extent to which it does (not) hold for ISAP's aggressive parameters (where permutation calls are made of a single Ascon round) remains an open question. We contribute to this question by showing that for 16-bit implementations, combining the leakages of multiple permutation calls can improve over attacking the same number of permutation calls independently, which contradicts ISAP's (theoretical) leakage-resistance claims. By contrast, for 32-bit leakages, we only show similar weaknesses by guessing a large part of the target state (i.e., more than 128 bits), which only impacts the initialization of ISAP's re-keying and does not contradict its security reduction. These results confirm that for hardware implementations with a sufficient level of parallelism, ISAP's aggressive parameters are probably sufficient, but that for more serial (e.g., software) implementations, slightly more conservative parameters, or the addition of implementation-level countermeasures, are needed.
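As an added illustration of why the word width of the target implementation matters in the abstract's 8/16/32-bit comparison (this is not code from the paper): under the noise-free Hamming weight model the abstract assumes, one leakage on a uniformly random n-bit word reveals H(HW) bits of information and leaves C(2n, n) / 2^n candidate values on average, so each leakage point pins down a smaller fraction of a wider word.

```python
"""Information revealed by one noise-free Hamming weight (HW) leakage.

Added illustration (not the paper's code): for a uniformly random n-bit
word, a single exact HW observation reveals H(HW) bits about the word and
leaves C(2n, n) / 2^n candidate values on average.
"""
from math import comb, log2


def hw_distribution(n_bits: int) -> list:
    """Probability that a uniform n-bit word has Hamming weight k, k = 0..n."""
    total = 2 ** n_bits
    return [comb(n_bits, k) / total for k in range(n_bits + 1)]


def hw_entropy_bits(n_bits: int) -> float:
    """Bits of information one exact HW leakage gives about an n-bit word.

    HW is a deterministic function of the word, so I(word; HW) = H(HW).
    """
    return -sum(p * log2(p) for p in hw_distribution(n_bits) if p > 0)


def expected_candidates(n_bits: int) -> float:
    """Average number of n-bit values consistent with the observed HW,
    averaged over the true word: sum_k (C(n,k)/2^n) * C(n,k) = C(2n,n)/2^n."""
    return sum(p * comb(n_bits, k) for k, p in enumerate(hw_distribution(n_bits)))


def leakage_summary(n_bits: int) -> dict:
    """Per-word view: bits leaked, fraction of the word, candidates remaining."""
    h = hw_entropy_bits(n_bits)
    return {
        "word_bits": n_bits,
        "leaked_bits": h,
        "leaked_fraction": h / n_bits,
        "expected_candidates": expected_candidates(n_bits),
    }


if __name__ == "__main__":
    # Compare the three datapath widths discussed in the abstract.
    for n in (8, 16, 32):
        s = leakage_summary(n)
        print(f"{n:2d}-bit word: one HW leakage reveals {s['leaked_bits']:.2f} bits "
              f"({100 * s['leaked_fraction']:.0f}% of the word), "
              f"~{s['expected_candidates']:.3g} candidates remain")
```

The leaked fraction drops from roughly a third of an 8-bit word to about a tenth of a 32-bit word, which is the intuition behind needing far more guessed state to get an ASCA going on 32-bit leakages.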



History
Submitted: 2025-01-13
Accepted: 2025-03-11
Published: 2025-04-08
How to cite

Vincent Grosso and François-Xavier Standaert, Algebraic Side-Channel Attacks against ISAP's Re-Keying: one Ascon Round May not be Enough for Serial Implementations. IACR Communications in Cryptology, vol. 2, no. 1, Apr 08, 2025, doi: 10.62056/aesgvurzn.

License

Copyright is held by the author(s)

This work is licensed under a Creative Commons Attribution (CC BY) license.