TY - GEN
T1 - Single-Trace Side-Channel Analysis on Polynomial-Based MAC Schemes
AU - Ueno, Rei
AU - Fukushima, Kazuhide
AU - Nakano, Yuto
AU - Kiyomoto, Shinsaku
AU - Homma, Naofumi
N1 - Publisher Copyright:
© 2021, Springer Nature Switzerland AG.
PY - 2021
Y1 - 2021
N2 - This paper presents the first side-channel analysis (SCA) on polynomial-based message authentication code (MAC) schemes that is applicable to Poly1305. Typical SCAs (e.g., simple power analysis (SPA) and differential power analysis (DPA)) and conventional attacks on GCM/GMAC that focus on the first multiplication result in the universal hashing (i.e., polynomial evaluation) cannot be applied to Poly1305 owing to one-time keys and the structure of prime-field multiplication. In contrast, the proposed attack retrieves the hash key from a single side-channel trace (e.g., a power/EM trace given by one execution) with a non-negligible probability and is applicable to polynomial-based MAC schemes implemented on an 8-bit micro-controller. The proposed attack allows the attacker to forge the authentication tag even if the hash key is a one-time key. The basic idea of the proposed attack is to exploit the addition in polynomial-based MAC schemes. Since the output or one input of the addition in these MAC schemes is known, we can efficiently estimate the unknown operands of the addition, and then retrieve the hash key by polynomial factorization over the estimated candidates. This study also shows a cost-effective countermeasure for ChaCha20-Poly1305 using a combination of a lightweight masked Poly1305 and first-order mask conversion from Boolean to arithmetic.
AB - This paper presents the first side-channel analysis (SCA) on polynomial-based message authentication code (MAC) schemes that is applicable to Poly1305. Typical SCAs (e.g., simple power analysis (SPA) and differential power analysis (DPA)) and conventional attacks on GCM/GMAC that focus on the first multiplication result in the universal hashing (i.e., polynomial evaluation) cannot be applied to Poly1305 owing to one-time keys and the structure of prime-field multiplication. In contrast, the proposed attack retrieves the hash key from a single side-channel trace (e.g., a power/EM trace given by one execution) with a non-negligible probability and is applicable to polynomial-based MAC schemes implemented on an 8-bit micro-controller. The proposed attack allows the attacker to forge the authentication tag even if the hash key is a one-time key. The basic idea of the proposed attack is to exploit the addition in polynomial-based MAC schemes. Since the output or one input of the addition in these MAC schemes is known, we can efficiently estimate the unknown operands of the addition, and then retrieve the hash key by polynomial factorization over the estimated candidates. This study also shows a cost-effective countermeasure for ChaCha20-Poly1305 using a combination of a lightweight masked Poly1305 and first-order mask conversion from Boolean to arithmetic.
KW - Authenticated encryption
KW - ChaCha20-Poly1305
KW - Message authentication code
KW - Polynomial hash function
KW - Side-channel analysis
UR - http://www.scopus.com/inward/record.url?scp=85102295323&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85102295323&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-68773-1_3
DO - 10.1007/978-3-030-68773-1_3
M3 - Conference contribution
AN - SCOPUS:85102295323
SN - 9783030687724
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 43
EP - 67
BT - Constructive Side-Channel Analysis and Secure Design - 11th International Workshop, COSADE 2020, Revised Selected Papers
A2 - Bertoni, Guido Marco
A2 - Regazzoni, Francesco
PB - Springer Science and Business Media Deutschland GmbH
T2 - 11th International Workshop on Constructive Side-Channel Analysis and Secure Design, COSADE 2020
Y2 - 1 April 2020 through 3 April 2020
ER -
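Worked example, added after the record and not code from the paper or its authors: the polynomial-factorization step of the attack the abstract describes, for Poly1305 as specified in RFC 8439. Poly1305 evaluates h = n_1 r^k + n_2 r^(k-1) + ... + n_k r mod (2^130 - 5) in Horner form, so once the attacker holds an estimate of h (the unknown operand of the final addition h + s, which the paper derives from a single trace), the one-time hash key r is a root of the fully known polynomial n_1 x^k + ... + n_k x - h over GF(p), and s follows from the known tag. The side-channel estimation itself is not modelled: the true h stands in for the trace-derived estimate (an assumption), and the root finder (Cantor-Zassenhaus), all function names and the second message are mine. The victim key, message and tag are the RFC 8439 section 2.5.2 test vector.

```python
# Added example, not code from the paper: the polynomial-factorization step of the attack
# described in the abstract, for Poly1305 (RFC 8439). The trace-derived estimate of h is assumed.
import secrets

P = (1 << 130) - 5                                   # Poly1305 prime
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff            # RFC 8439 clamp mask for r

def blocks(msg: bytes) -> list:
    """Block values n_i: 16-byte chunks read little-endian with a 0x01 byte appended."""
    return [int.from_bytes(msg[i:i + 16] + b"\x01", "little") for i in range(0, len(msg), 16)]

def poly_hash(r: int, msg: bytes) -> int:
    """Universal hash in Horner form: h = n_1 r^k + n_2 r^(k-1) + ... + n_k r mod P."""
    h = 0
    for n in blocks(msg):
        h = (h + n) * r % P                           # the addition the attack targets
    return h

def poly1305(key: bytes, msg: bytes) -> bytes:
    """Tag = (h + s) mod 2^128 as 16 little-endian bytes; s is the one-time half of the key."""
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    return ((poly_hash(r, msg) + s) % (1 << 128)).to_bytes(16, "little")

# Polynomials over GF(P) as coefficient lists, lowest degree first.
def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a
def _sub(a, b):
    n = max(len(a), len(b))
    return _trim([((a + [0] * n)[i] - (b + [0] * n)[i]) % P for i in range(n)])
def _mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return _trim(out)
def _divmod(a, m):                                    # quotient and remainder by nonzero m
    a, inv = _trim(list(a)), pow(m[-1], -1, P)
    q = [0] * max(len(a) - len(m) + 1, 0)
    while len(a) >= len(m):
        c, shift = a[-1] * inv % P, len(a) - len(m)
        q[shift] = c
        for i, y in enumerate(m):
            a[shift + i] = (a[shift + i] - c * y) % P
        _trim(a)
    return _trim(q), a
def _monic(a):
    return [c * pow(a[-1], -1, P) % P for c in a]
def _gcd(a, b):
    while b:
        a, b = b, _divmod(a, b)[1]
    return _monic(a) if a else a
def _powmod(base, e, m):
    res, base = [1], _divmod(base, m)[1]
    while e:
        if e & 1:
            res = _divmod(_mul(res, base), m)[1]
        base = _divmod(_mul(base, base), m)[1]
        e >>= 1
    return res

def roots(f) -> list:
    """All roots of f in GF(P): gcd with x^P - x keeps the distinct roots, Cantor-Zassenhaus splits them."""
    f = _monic(_trim(list(f)))
    g = _gcd(f, _sub(_powmod([0, 1], P, f), [0, 1]))
    return sorted(_split(g))
def _split(g):
    if len(g) <= 1:                                   # zero or constant: no roots
        return []
    if len(g) == 2:                                   # monic linear x + g0
        return [-g[0] % P]
    while True:                                       # (x + a)^((P-1)/2) - 1 vanishes on about half the roots
        a = secrets.randbelow(P)
        d = _gcd(g, _sub(_powmod([a, 1], (P - 1) // 2, g), [1]))
        if 1 < len(d) < len(g):
            return _split(d) + _split(_divmod(g, d)[0])

def recover_r(msg: bytes, h_est: int) -> list:
    """Hash-key candidates: roots of n_1 x^k + ... + n_k x - h_est that satisfy the clamp."""
    n = blocks(msg)                                   # n_k sits at degree 1, n_1 at degree k
    return [r for r in roots([-h_est % P] + [ni % P for ni in reversed(n)]) if r & CLAMP == r]

def forge(msg: bytes, tag: bytes, h_est: int, new_msg: bytes) -> list:
    """Tags for new_msg under the same one-time key, one per r candidate; s = tag - h_est mod 2^128."""
    s = (int.from_bytes(tag, "little") - h_est) % (1 << 128)
    return [((poly_hash(r, new_msg) + s) % (1 << 128)).to_bytes(16, "little") for r in recover_r(msg, h_est)]

# Victim key, message and tag: the RFC 8439 section 2.5.2 test vector.
KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
MSG = b"Cryptographic Forum Research Group"
TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

def demo() -> bool:
    r_true = int.from_bytes(KEY[:16], "little") & CLAMP
    h_est = poly_hash(r_true, MSG)                    # assumption: stands in for the single-trace estimate of h
    new_msg = MSG + b" (forged)"                      # constructed second message
    return r_true in recover_r(MSG, h_est) and poly1305(KEY, new_msg) in forge(MSG, TAG, h_est, new_msg)
```

Two points a practitioner should note. First, the clamp on r is what makes the factorization useful: a degree-k polynomial has up to k roots, and with 22 bits of r fixed by clamping the wrong roots are discarded almost surely, so the attacker is left with one key. Second, since only the final addition's operand h is needed and the message is public, the degree k equals the number of 16-byte blocks, which is why the attack stays cheap even on long messages; the same root-finding step applies unchanged to any polynomial hash over a prime field once one accumulator value is known.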