Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8352)
Abstract
Obfuscation is a software technique aimed at protecting high-value programs against reverse-engineering. In embedded devices, it is harder for an attacker to gain access to the program machine code; of course, the program can still be very valuable, for instance when it consists of a secret algorithm. In this paper, we investigate how obscurity techniques can be used to protect a secret customization of substitution boxes in symmetric ciphers, when the sole information available to the attacker is a side-channel. The approach relies on a combination of a universal evaluation algorithm for vectorial Boolean functions with indistinguishable opcodes that are randomly shuffled. The promoted solution is based on the observation that different logic opcodes, such as AND/OR or AND/XOR, happen to be very close to each other from a side-channel leakage point of view. Moreover, our solution is very amenable to masking, owing to the fact that the substitution boxes are computed (combinationally).
Notes
- 1.
This is colloquially known as hardware “camo”; there are many examples of such technologies, such as this patent [12] by IBM and the tens of patents cited by it.
- 2.
- 3.
MODELSIM is a commercial tool, sold by Mentor Graphics, capable of simulating behavioral event-based HDL code (e.g. VHDL or Verilog).
- 4.
Notice that the storage of the sbox result is one option when computed in ANF, whereas it is inherent (i.e. unavoidable) to the computation with a look-up table.
- 5.
The work by Kim et al. [24] has shown that for some specific problems, e.g. when the sbox has a given structure (which is the case for the AES), minor improvements can be obtained by computing on half-words, e.g. on nibbles instead of bytes. But this result does not negate the observation by Rivain and Prouff that computing masking schemes on larger bitwidths is faster than computing at the bit level.
References
Novak, R.: Side-channel attack on substitution blocks. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 307–318. Springer, Heidelberg (2003)
Novak, R.: Sign-based differential power analysis. In: Chae, K.-J., Yung, M. (eds.) WISA 2003. LNCS, vol. 2908, pp. 203–216. Springer, Heidelberg (2004)
Novak, R.: Side-Channel Based Reverse Engineering of Secret Algorithms. In: Zajc, B. (ed.) Proceedings of the Twelfth International Electrotechnical and Computer Science Conference (ERK 2003), pp. 445–448. Ljubljana, Slovenia, Slovenska sekcija IEEE (2003)
Clavier, Ch.: An improved SCARE cryptanalysis against a secret A3/A8 GSM algorithm. In: McDaniel, P., Gupta, S.K. (eds.) ICISS 2007. LNCS, vol. 4812, pp. 143–155. Springer, Heidelberg (2007)
Daudigny, R., Ledig, H., Muller, F., Valette, F.: SCARE of the DES. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 393–406. Springer, Heidelberg (2005)
Fournigault, M., Liardet, P.-Y., Teglia, Y., Trémeau, A., Robert-Inacio, F.: Reverse engineering of embedded software using syntactic pattern recognition. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4277, pp. 527–536. Springer, Heidelberg (2006)
Vermoen, D., Witteman, M., Gaydadjiev, G.N.: Reverse engineering java card applets using power analysis. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 138–149. Springer, Heidelberg (2007)
Amiel, F., Feix, B., Villegas, K.: Power analysis for secret recovering and reverse engineering of public key algorithms. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 110–125. Springer, Heidelberg (2007)
Réal, D., Dubois, V., Guilloux, A.-M., Valette, F., Drissi, M.: SCARE of an unknown hardware feistel implementation. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 218–227. Springer, Heidelberg (2008)
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Heidelberg (2006). ISBN 0-387-30857-1. http://www.springer.com/
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)
Hsu, L.L., Joshi, R.V., Kruger, D.W.: Techniques for impeding reverse engineering (2011) IBM. Patent US 7994042 B2
Brier, E., Fortier, Q., Korkikian, R., Magld, K.W., Naccache, D., de Almeida, G.O., Pommellet, A., Ragab, A.H., Vuillemin, J.: Defensive Leakage Camouflage. In: [33], pp. 277–295
Guilley, S., Sauvage, L., Flament, F., Hoogvorst, P., Pacalet, R.: Evaluation of power-constant dual-rail logics counter-measures against DPA with design-time security metrics. IEEE Trans. Comput. 9, 1250–1263 (2010). doi:10.1109/TC.2010.104
Kessner, D.: Free VHDL 6502 core (2000). http://www.free-ip.com/ is no longer available, but http://web.archive.org/web/20040603222048/http://www.free-ip.com/6502/index.html is
Schindler, W., Lemke, K., Paar, Ch.: A stochastic model for differential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005)
Marion, D., Wurcker, A.: Read, Write Signals Reconstruction Using Side Channel Analysis for Reverse Engineering. Short talk, COSADE 2013, TELECOM-ParisTech, Paris, France (2013)
Guilley, S., Sauvage, L., Micolod, J., Réal, D., Valette, F.: Defeating any secret cryptography with SCARE attacks. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 273–293. Springer, Heidelberg (2010)
Prouff, E., Rivain, M.: A generic method for secure SBox implementation. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 227–244. Springer, Heidelberg (2008)
Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53, 760–768 (2004)
Veyrat-Charvillon, N., Medwed, M., Kerckhof, S., Standaert, F.-X.: Shuffling against side-channel attacks: a comprehensive study with cautionary note. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 740–757. Springer, Heidelberg (2012)
Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Crama, Y., Hammer, P. (eds.) Chapter of the Monograph Boolean Models and Methods in Mathematics, Computer Science, and Engineering. Cambridge University Press, Cambridge (2010). http://www.math.univ-paris13.fr/carlet/chap-fcts-Bool-corr.pdf
Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013)
Kim, H.S., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-Box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011)
Clavier, C., Coron, J.-S., Dabbous, N.: Differential power analysis in the presence of hardware countermeasures. In: Paar, C., Koç, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 252–263. Springer, Heidelberg (2000)
Rivain, M., Prouff, E., Doget, J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 171–188. Springer, Heidelberg (2009)
Durvaux, F., Renauld, M., Standaert, F.X., van Oldeneel tot Oldenzeel, L., Veyrat-Charvillon, N.: Efficient removal of random delays from embedded software implementations using hidden markov models. In: [33], pp. 123–140
TELECOM ParisTech SEN research group: DPA Contest (4th edn.) (2013–2014). http://www.DPAcontest.org/v4/
RCIS-AIST, J.: SASEBO (Side-channel Attack Standard Evaluation Board, Akashi Satoh) development board: http://www.risec.aist.go.jp/project/sasebo/ (2013)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Bhasin, S., Danger, J.L., Guilley, S., Najm, Z.: A low-entropy first-degree secure provable masking scheme for resource-constrained devices. In: Proceedings of the Workshop on Embedded Systems Security, WESS ’13. ACM, New York (2013)
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
Mangard, S. (ed.): CARDIS 2012. LNCS, vol. 7771. Springer, Heidelberg (2013)
Acknowledgments
Parts of this work have been funded by the MARSHAL+ (Mechanisms Against Reverse-engineering for Secure Hardware and Algorithms) FUI #12 project, co-labellized by competitivity clusters System@tic and SCS.
We also thank the audience from PHISIC ’13 for a positive feedback on this research.
Author information
Authors and Affiliations
TELECOM-ParisTech, COMELEC dpt — UMR CNRS 5141, 39 rue Dareau, 75014, Paris, France
Sylvain Guilley & Zakaria Najm
Secure-IC S.A.S., 80 avenue des Buttes de Coësmes, 35700, Rennes, France
Sylvain Guilley & Youssef Souissi
XLIM — UMR CNRS 7252, 123, avenue Albert Thomas, 87060, Limoges Cedex, France
Damien Marion & Antoine Wurcker
- Sylvain Guilley
- Damien Marion
- Zakaria Najm
- Youssef Souissi
- Antoine Wurcker
Corresponding author
Correspondence to Sylvain Guilley.
Editor information
Editors and Affiliations
Dept. Commun. & Electronique, Télécom ParisTech, Paris, France
Jean Luc Danger
Concordia Institute for Information Syst Concordia University Research Chair Tier, Concordia University, Montreal, Québec, Canada
Mourad Debbabi
École des Mines, Nancy, France
Jean-Yves Marion
RST Department, Rm A105-2, Télécom SudParis, Evry, France
Joaquin Garcia-Alfaro
Dalhousie University, Halifax, Nova Scotia, Canada
Nur Zincir Heywood
Algorithms Source Code
It is shown by Carlet in [22, page 11] that there exists a simple divide-and-conquer butterfly algorithm to compute the ANF from the truth-table (or vice-versa). It is called the “Fast Möbius Transform”. An implementation in python is given in code listing 1.1, for \(n\rightarrow 1\) Boolean functions. As already underlined in Sect. 3.2, the very same code also works for \(n\rightarrow n\) vectorial Boolean functions.

The application of the code listing 1.1 to \(f=\mathtt{{SubBytes}}\) (array noted S_TT) is given as S_ANF in the code listing 1.2. The values in the array S_TT are \(\{f(y), y\in \mathbb {F}_2^8\}\), in this order, whereas the values in the array S_ANF are \(\{a_y, y\in \mathbb {F}_2^8\}\) (recall Eq. (4)). In the same code listing, the function anti_scare_eval applies SubBytes on a byte \(x\), with the formula of Eq. (4). Furthermore, in this code, the \(y\)’s are shuffled (see Sect. 3.3) by a simple XOR with a random byte \(r\).
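The two listings referred to above are not reproduced on this page, so the following is an added reconstruction of the technique they describe (not the paper's own code): the Fast Möbius Transform butterfly between truth table and ANF, and a universal evaluator that visits every ANF coefficient with the same AND/XOR sequence in an order shuffled by XOR with a random value. The 4-bit PRESENT S-box stands in for AES SubBytes so the table fits here; the names mobius_transform and self_check are assumptions.

```python
import random

# Added example (not the paper's listings 1.1/1.2). A 4-bit S-box (the
# PRESENT S-box) is used as a small stand-in for AES SubBytes.
S_TT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def mobius_transform(table):
    """Butterfly: truth table {f(y)} -> ANF coefficients {a_y}, and back.

    Entries may be single bits (n->1) or n-bit words (n->n vectorial
    function): XOR acts on every output bit in parallel, so the same
    code serves both cases. The transform is an involution.
    """
    a = list(table)
    n = len(a).bit_length() - 1
    assert 1 << n == len(a), "table length must be a power of two"
    for i in range(n):
        bit = 1 << i
        for y in range(len(a)):
            if y & bit:
                a[y] ^= a[y ^ bit]          # fold the y-without-bit-i half in
    return a

def anti_scare_eval(anf, x, r):
    """f(x) = XOR over all y of a_y * x^y, where the monomial x^y is 1 iff
    every bit of y is set in x. Every coefficient is touched with the
    same AND-then-XOR pair whatever x is; r only permutes the order, which
    does not change a XOR sum. (Python gives no timing guarantees; the
    point is the data-independent structure of the computation.)"""
    n = len(anf).bit_length() - 1
    word = (1 << n) - 1
    acc = 0
    for i in range(len(anf)):
        y = i ^ r                                 # shuffled visiting order
        select = -int((x & y) == y) & word        # word if y is within x, else 0
        acc ^= anf[y] & select                    # AND then XOR, always executed
    return acc

S_ANF = mobius_transform(S_TT)

def self_check(rounds=64):
    """True iff the shuffled ANF evaluation reproduces S_TT for random r
    and the transform round-trips back to the truth table."""
    for x in range(len(S_TT)):
        for _ in range(rounds):
            r = random.randrange(len(S_TT))
            if anti_scare_eval(S_ANF, x, r) != S_TT[x]:
                return False
    return mobius_transform(S_ANF) == S_TT
```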

Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Guilley, S., Marion, D., Najm, Z., Souissi, Y., Wurcker, A. (2014). Software Camouflage. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol. 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05301-1
Online ISBN: 978-3-319-05302-8