
Page 1: [IEEE 2007 Second International Conference on Communications and Networking in China - Shanghai, China (2007.08.22-2007.08.24)] 2007 Second International Conference on Communications

A First Step to Provable Security in Block Ciphers against Side Channel Attacks *

Wei Li, Dawu Gu
Department of Computer Science and Engineering
Shanghai Jiao Tong University, Shanghai 200240, China
{liwei2003, dwgu}@sjtu.edu.cn

Abstract

Security notions for block ciphers have been defined in a concrete security framework. Yet there are currently no appropriate security goals and adversary models for a cryptosystem against side channel attacks. This paper presents some security notions for block ciphers against side channel attacks. Based on these definitions, we establish the relationship between them by reductions, expressed as bounds on the success of adversaries as a function of their resources. This provides a general theoretical method for block ciphers against side channel attacks.

1 Introduction

How do we decide whether a block cipher is secure? How do we design good ciphers? These two questions are central to the study of block ciphers, and yet, after decades of research, definitive answers remain elusive. For the moment, the art of cipher evaluation boils down to two key tasks: we strive to identify as many novel cryptanalytic attacks on block ciphers as we can, and we evaluate new designs by how well they resist known attacks.

The research community has been very successful at this task. We have accumulated a large variety of different attack techniques: differential cryptanalysis, linear cryptanalysis, differential-linear attacks, truncated differential cryptanalysis, etc. So the security of block ciphers builds on their resistance to the threats of classical cryptanalysis. Yet since 1996 a kind of cryptanalysis targeting the implementation of a cryptosystem has been proposed, which is called side channel attacks [1, 2]. Over the past decade it has come to include timing attacks [1], fault analysis [3, 4], power analysis [5], etc. It threatens a cryptosystem through timing information, power consumption, faults and the like, so that the cryptanalyst can break the cryptosystem regardless of the elegant design principles of the block cipher. How do we make sense of this list? Is there a common connection between side channel attacks and the classical attacks?

*This work is supported by the National Natural Science Foundation of China under Grant No. 60573031 and the New Century Excellent Talent Program of the Education Ministry of China under Grant NCET-05-0398.

As one of the security goals, indistinguishability of encryptions (IND) formalizes an adversary's inability to learn information about the plaintext given a challenge ciphertext [6]. It captures a strong notion of privacy. Combining it with the abilities of an adversary under chosen-ciphertext or chosen-plaintext attacks leads to the two security notions IND-CCA and IND-CPA [7]. Side channel attacks, as a kind of cryptanalysis, do not violate this definition [8, 9]. However, there is no counterpart of security goals and adversary models defining a cryptosystem secure against side channel attacks, because side channel attacks target specific implementation details. As a result, the security goals and adversary models must be considered from other directions. The best we can hope to do is to combine the security of the design with that of the implementation.

So we consider two notions of privacy for block ciphers. UB-SCA (unbreakability in side channel attacks) requires that it be computationally infeasible to produce the key from the implementation given a side channel oracle, and IND-CCA-SCA (indistinguishability under chosen ciphertext attacks and side channel attacks) requires that it be computationally infeasible to distinguish two messages given the decryption oracle and the side channel oracle. The former notion describes the security of a block cipher's implementation against side channel attacks, while the latter gives us a notion of a block cipher that is secure in both design and implementation. So the design and the implementation of a secure cryptosystem are not independent. Furthermore, this paper seeks unifying themes that can put these attacks on a common foundation.

The rest of this paper is organized as follows: Section 2 gives a brief description of block ciphers. In Section 3 we present the security notions UB-SCA and IND-CCA-SCA for block ciphers based on IND-CCA. Then we further generalize the relations by reductions in Section 4. Finally, Section 5 summarizes this paper.

2. Preliminaries

2.1. Syntax of Block Ciphers

A block cipher $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms. The randomized key generation algorithm $\mathcal{K}$ takes a security parameter $k \in \mathbb{N}$ as its input and returns a key $K$, denoted $K \xleftarrow{R} \mathcal{K}(k)$. The encryption algorithm $\mathcal{E}$ could be randomized or stateful. It takes the key $K$ and a plaintext $P$ and returns a ciphertext $C$, denoted as $C \leftarrow \mathcal{E}_K(P)$. The decryption algorithm $\mathcal{D}$ is deterministic and stateless. It takes the key $K$ and a string $C$ and returns either the corresponding plaintext $P$ or the symbol $\bot$, denoted as $x \leftarrow \mathcal{D}_K(C)$ where $x \in \{0,1\}^* \cup \{\bot\}$. It is required that $\mathcal{D}_K(\mathcal{E}_K(P)) = P$ for all $P \in \{0,1\}^*$.

2.2. Privacy of Block Ciphers

The privacy of block ciphers is measured by indistinguishability in the "real-or-random" model of [7], which means that an adversary cannot distinguish the encryption of a message from that of an equal-length random string, even given a decryption oracle; this is called IND-CCA. Define the real-or-random encryption oracle $\mathcal{E}_K(RR(\cdot, b))$, $b \in \{0,1\}$, to take input $x$ and proceed as follows:

    If $b = 1$ then it computes $C \leftarrow \mathcal{E}_K(x)$ and returns $C$;
    else it computes $C \leftarrow \mathcal{E}_K(r)$ where $r \xleftarrow{R} \{0,1\}^{|x|}$ and returns $C$.

The encryption scheme is "good" if no "reasonable" adversary can obtain "significant" advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracle.

Definition 1 (Indistinguishability of block ciphers) Let $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be a block cipher. Let $A$ be an adversary that has access to the oracles $\mathcal{E}_K(RR(\cdot, b))$ and $\mathcal{D}_K(\cdot)$, with $b \in \{0,1\}$ and $k \in \mathbb{N}$. Now the following experiment is considered:

    Experiment $\mathrm{Exp}^{\text{ind-cca-}b}_{\mathcal{SE},A}(k)$
        $K \xleftarrow{R} \mathcal{K}(k)$
        $d \leftarrow A^{\mathcal{E}_K(RR(\cdot,b)),\, \mathcal{D}_K(\cdot)}(k)$
        Return $d$

The advantage of the adversary is defined via

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A}(k) = \Pr[\mathrm{Exp}^{\text{ind-cca-1}}_{\mathcal{SE},A}(k) = 1] - \Pr[\mathrm{Exp}^{\text{ind-cca-0}}_{\mathcal{SE},A}(k) = 1].$$

The advantage function of the scheme is defined as follows. For any integers $t, q_e, \mu_e, q_d, \mu_d$,

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d) = \max_{A_{cca}} \{\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A_{cca}}(k)\},$$

where the maximum is over all $A_{cca}$ with time complexity $t$, making at most $q_e$ and $q_d$ queries to the $\mathcal{E}_K(RR(\cdot,b))$ and $\mathcal{D}_K(\cdot)$ oracles, totaling $\mu_e$ and $\mu_d$ bits at most, respectively. The scheme is said to be IND-CCA secure if the function $\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A_{cca}}(\cdot)$ is negligible for any adversary $A_{cca}$ whose time complexity is polynomial in $k$.

Here some important conventions are discussed. The time complexity mentioned above is the worst-case total execution time of the experiment in some fixed RAM model of computation, plus the size of the code of the adversary. The total execution time of the experiment is more than the running time of the adversary: it contains the time of all operations in the experiment, including the time for key generation and the computation of answers to oracle queries. Thus the time complexity is polynomially bounded, and so are the other parameters. This convention for measuring the time complexity and other resources of an adversary is used for all definitions in this paper.

Another convention is that the length of a query to an encryption oracle is denoted as $|M_0|$ or $|M_1|$. In other words, it is the length of the message. This convention is used in measuring the parameter $\mu_e$.

The advantage function is the maximum probability that the security of the scheme $\mathcal{SE}$ can be compromised by an adversary with the indicated resources. It is also used for concrete security analysis.

3. Security Notions against Side Channel Attacks

3.1. Implementation Privacy of Block Ciphers

Now we specify security definitions for one implementation of a symmetric encryption scheme $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ with side channel information $\mathcal{S}$. It is convenient to define an algorithm $K' \leftarrow \mathcal{S}_K(\cdot)$, whose input is side channel information $S$ and whose output is a key $K' \in \{0,1\}^* \cup \{\bot\}$.

The scheme is "good" in implementation if no "reasonable" adversary can obtain "significant" advantage in recovering the whole key given access to the oracles. Here "UB" means "unbreakability of key".


Definition 2 (UB-SCA) Let $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be the implementation of a symmetric encryption scheme with side channel information $\mathcal{S}$. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A_{sca}$ be an adversary that has access to the oracle $\mathcal{S}_K(\cdot)$. Now the following experiment is considered:

    Experiment $\mathrm{Exp}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k)$
        $K \xleftarrow{R} \mathcal{K}(k)$
        $K' \leftarrow A_{sca}^{\mathcal{S}_K(\cdot)}(k)$
        If $K = K'$ then return 1
        else return 0

The advantage of the adversary is defined via

$$\mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k) = \Pr[\mathrm{Exp}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k) = 1].$$

The advantage function of the scheme is defined as follows. For any integers $k, t, q_e, \mu_e, q_s, \mu_s$,

$$\mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_s, \mu_s) = \max_{A_{sca}} \{\mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k)\},$$

where the maximum is over all $A_{sca}$ with time complexity $t$, making at most $q_e$ encryption queries to the $\mathcal{E}_K(\cdot)$ oracle, totaling $\mu_e$ bits at most, and at most $q_s$ implementation queries to $\mathcal{S}_K(\cdot)$, totaling $\mu_s$ bits at most. The scheme is said to be UB-SCA secure if the function $\mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(\cdot)$ is negligible for any adversary $A_{sca}$ whose time complexity is polynomial in $k$.

3.2. Privacy of Block Ciphers in both Design and Implementation

We specify IND-CCA-SCA so that an adversary cannot distinguish a message from an equal-length string of garbage, even under side channel attacks on the implementation of encryption. Formally, we define an SCA oracle $\mathcal{S}^*$ and a real-or-random oracle $\mathcal{E}_K(RR(\cdot, b))$, where $b \in \{0,1\}$, to take input $x$ and do the following:

    If $b = 1$ then it computes $C \leftarrow \mathcal{S}^*(x)$ and returns $C$;
    else it computes $C \leftarrow \mathcal{S}^*(r)$ where $r \xleftarrow{R} \{0,1\}^{|x|}$ and returns $C$.

The scheme is "good" in design and implementation if no "reasonable" adversary can obtain "significant" advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracles.

Definition 3 (IND-CCA-SCA) Let $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be a block cipher with side channel information. Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A_{cca\text{-}sca}$ be an adversary that has access to the oracles $\mathcal{E}_K(RR(\cdot,b))$, $\mathcal{D}_K(\cdot)$ and $\mathcal{S}_K(\cdot)$. Now the following experiment is considered:

    Experiment $\mathrm{Exp}^{\text{ind-cca-sca-}b}_{\mathcal{SE},A_{cca\text{-}sca}}(k)$
        $K \xleftarrow{R} \mathcal{K}(k)$
        $d \leftarrow A_{cca\text{-}sca}^{\mathcal{E}_K(RR(\cdot,b)),\, \mathcal{D}_K(\cdot),\, \mathcal{S}_K(\cdot)}(k)$
        Return $d$

The advantage of the adversary is defined via

$$\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A_{cca\text{-}sca}}(k) = \Pr[\mathrm{Exp}^{\text{ind-cca-sca-1}}_{\mathcal{SE},A_{cca\text{-}sca}}(k) = 1] - \Pr[\mathrm{Exp}^{\text{ind-cca-sca-0}}_{\mathcal{SE},A_{cca\text{-}sca}}(k) = 1].$$

The advantage function of the scheme is defined as follows. For any integers $t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s$,

$$\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s) = \max_{A_{cca\text{-}sca}} \{\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A_{cca\text{-}sca}}(k)\},$$

where the maximum is over all $A_{cca\text{-}sca}$ with time complexity $t$, each making at most $q_e$ and $q_d$ queries to the $\mathcal{E}_K(RR(\cdot,b))$ and $\mathcal{D}_K(\cdot)$ oracles, totaling at most $\mu_e$ and $\mu_d$ bits respectively, and at most $q_s$ queries to $\mathcal{S}_K(\cdot)$, totaling at most $\mu_s$ bits. The scheme is said to be IND-CCA-SCA secure if the function $\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A_{cca\text{-}sca}}(\cdot)$ is negligible for any adversary $A_{cca\text{-}sca}$ whose time complexity is polynomial in $k$.
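The experiments of Definitions 1 to 3 as executable games, an added Python (3.9+) example that is not the paper's code: the toy nonce-based cipher, the two assumed implementations modelled only by their side channel oracle $\mathcal{S}_K(\cdot)$, and the adversaries are all constructed for illustration. The same adversary $A$ has no advantage in the IND-CCA game (an implementation that leaks nothing) and advantage 1 in the IND-CCA-SCA game once the implementation leaks the key, which is the gap the UB-SCA term in Theorem 4's bound accounts for.

```python
import hmac, hashlib, random
KEY_LEN = 16  # 128-bit keys and nonces in this constructed toy scheme

def keygen(rng):                      # K <-R K(k)
    return rng.randbytes(KEY_LEN)

def enc(K, x, rng):                   # E_K(x): nonce || (x XOR HMAC_K(nonce))
    nonce = rng.randbytes(KEY_LEN)
    pad = hmac.new(K, nonce, hashlib.sha256).digest()[:len(x)]
    return nonce + bytes(a ^ p for a, p in zip(x, pad))

def dec(K, C):                        # D_K(C): deterministic inverse of enc
    nonce, body = C[:KEY_LEN], C[KEY_LEN:]
    pad = hmac.new(K, nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(a ^ p for a, p in zip(body, pad))

# Two assumed implementations of the same cipher, modelled by their S_K(.):
leaky_sk = lambda K: (lambda probe: K)       # every probe leaks the whole key
silent_sk = lambda K: (lambda probe: None)   # nothing observable leaks

def rr_oracle(K, b, rng):             # E_K(RR(., b)) of Section 2.2
    return lambda x: enc(K, x if b == 1 else rng.randbytes(len(x)), rng)

def exp_ind_cca_sca(adv, b, sk_factory, rng):
    # Exp^{ind-cca-sca-b}: A gets E_K(RR(.,b)), D_K(.) and S_K(.).  With
    # silent_sk this is just Exp^{ind-cca-b} of Definition 1.
    K = keygen(rng)
    return adv(rr_oracle(K, b, rng), lambda C: dec(K, C), sk_factory(K), rng)

def exp_ub_sca(adv_sca, sk_factory, rng):
    # Exp^{ub-sca} of Definition 2: 1 iff the adversary outputs the real key.
    K = keygen(rng)
    return 1 if adv_sca(sk_factory(K), rng) == K else 0

a_sca = lambda sk, rng: sk(b"probe")  # A_sca: a single implementation query

def a(rr, dk, sk, rng):
    # A: one challenge, one implementation query, then decide whether the
    # challenge encrypts x (b = 1) or a random string of length |x| (b = 0).
    x = b"attack at dawn!!"
    C = rr(x)
    K_guess = sk(b"probe")
    if K_guess is None:               # nothing leaked: no better than a coin flip
        return rng.getrandbits(1)
    return 1 if dec(K_guess, C) == x else 0

def advantage(experiment, trials, seed):
    # Monte-Carlo estimate of Pr[Exp^1 = 1] - Pr[Exp^0 = 1].
    rng = random.Random(seed)
    ones = sum(experiment(1, rng) for _ in range(trials))
    zeros = sum(experiment(0, rng) for _ in range(trials))
    return (ones - zeros) / trials

def demo(trials=400, seed=1):
    # Returns (Adv^{ind-cca}_A, Adv^{ind-cca-sca}_A, Adv^{ub-sca}_{A_sca}); only
    # the implementation oracle differs between the first two games.
    ind_cca = advantage(lambda b, r: exp_ind_cca_sca(a, b, silent_sk, r), trials, seed)
    ind_cca_sca = advantage(lambda b, r: exp_ind_cca_sca(a, b, leaky_sk, r), trials, seed)
    rng = random.Random(seed)
    ub_sca = sum(exp_ub_sca(a_sca, leaky_sk, rng) for _ in range(trials)) / trials
    return ind_cca, ind_cca_sca, ub_sca
```

demo() returns estimates for one fixed adversary, so the values satisfy inequation (1) of Theorem 4 but do not realize its left-hand side, which is a maximum over all adversaries.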

3.3. Notation for Adversary Execution

In a reduction we often make an adversary $A'$ execute another adversary $A$. The adversary $A'$ maintains the execution state of $A$. Whenever $A$ makes an oracle query, $A'$ stops $A$, returns a reply to this oracle query, and then continues running $A$. We write such a program for $A'$ as follows:

    For $i = 1, \ldots, q_e$ do
        When $A$ makes oracle query $x_i$
            [Some code computing a value $y_i$]
            $A \Leftarrow y_i$
    EndFor
    $A \Rightarrow b$

The notation $A \Leftarrow y_i$ means that $A$ is given the value $y_i$ in response to its oracle query $x_i$. It is assumed here that $A$ makes a total of $q_e$ queries. The notation $A \Rightarrow b$ means that $A$ returns the value $b$.

4. Reduction among the Notions

Theorem 4 (UB-SCA ∧ IND-CCA ⇒ IND-CCA-SCA) For any scheme $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, if $\mathcal{SE}$ is IND-CCA secure and UB-SCA secure, then it is IND-CCA-SCA secure. Concretely,

$$\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s) \le 2 \cdot \mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s) + \mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d). \quad (1)$$

Proof. Let $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be a block cipher implementation. To any adversary $A$ attacking the scheme in the IND-CCA-SCA sense, we associate two adversaries, $A_{sca}$ which attacks $\mathcal{SE}$ in the UB-SCA sense, and $A_{cca}$ which attacks $\mathcal{SE}$ in the IND-CCA sense, so that inequation (1) follows. Furthermore, if $A$ runs in time $t$ using $q_e$ encryption, $q_d$ decryption and $q_s$ implementation queries totalling $\mu_e$, $\mu_d$ and $\mu_s$ bits respectively, then $A_{sca}$ runs in time $t$ using $q_e$ encryption and $q_s$ implementation queries totalling $\mu_e$ and $\mu_s$ bits respectively, and $A_{cca}$ runs in time $t$ using $q_e$ encryption and $q_d$ decryption queries totalling $\mu_e$ and $\mu_d$ bits, respectively.

The two adversaries $A_{sca}$ and $A_{cca}$ will use $A$ to achieve their goals. Specifically, $A_{sca}$, whose goal is to get the key from the oracle $\mathcal{S}_K(\cdot)$, will simply use $A$'s queries to the oracle $\mathcal{S}_K(\cdot)$ as its own. Thus if $A$ gets the key, so does $A_{sca}$. Similarly, $A_{cca}$, whose goal is to figure out whether the message or a random string of equal length has been encrypted, will directly depend on $A$ to do so.

The constructions of $A_{sca}$ and $A_{cca}$ are as follows.

    Adversary $A_{sca}^{\mathcal{S}_K(\cdot)}(k)$
        $b' \xleftarrow{R} \{0,1\}$
        For $i = 1, \ldots, q_e + q_s$ do
            When $A$ makes a query $M_{i,0}, M_{i,1}$ to its encryption oracle do
                $A \Leftarrow \mathcal{E}_K(M_{i,b'})$
            When $A$ makes a query $S_i$ to its implementation oracle do
                $K' \leftarrow \mathcal{S}_K(S_i)$
                If $K \ne K'$ then $A \Leftarrow \bot$; else stop.

    Adversary $A_{cca}^{\mathcal{E}_K(RR(\cdot,b)),\, \mathcal{D}_K(\cdot)}(k)$
        For $i = 1, \ldots, q_e + q_s$ do
            When $A$ makes a query $M_{i,0}, M_{i,1}$ to its encryption oracle do
                $A \Leftarrow \mathcal{E}_K(RR(M_{i,b}, b)),\, \mathcal{D}_K(M_{i,b})$
            When $A$ makes a query $S_i$ to its implementation oracle do
                $A \Leftarrow \bot$
        $A \Rightarrow b'$
        Return $b'$.

Now we prove inequation (1). Let $\Pr[\cdot]$ denote the probability in $\mathrm{Exp}^{\text{ind-cca-sca-}b}_{\mathcal{SE},A}(k)$ where $b \in \{0,1\}$, and let $b'$ denote the bit output by $A$ in this experiment. Let $F$ denote the event that $A$ makes at least one query $S$ such that $\mathcal{S}_K(S) = K$. Let $\Pr_c[\cdot]$ denote the probability in $\mathrm{Exp}^{\text{ind-cca-}b}_{\mathcal{SE},A_{cca}}(k)$ and let $\Pr_s[\cdot]$ denote the probability in $\mathrm{Exp}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k)$. We claim

$$\Pr[b' = b \wedge F] \le \Pr[F] = \Pr_s[A_{sca} \text{ succeeds}] = \mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k) \quad (2)$$

and

$$\Pr[b' = b \wedge \neg F] \le \Pr_c[b' = b] = \tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A_{cca}}(k) + \tfrac{1}{2}. \quad (3)$$

We finish the proof given these and then return to their justification. That is,

$$\tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A}(k) + \tfrac{1}{2} = \Pr[b' = b] = \Pr[b' = b \wedge F] + \Pr[b' = b \wedge \neg F] \le \mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k) + \tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A_{cca}}(k) + \tfrac{1}{2}.$$

Some algebraic manipulation leads to inequation (1). We justify the claimed inequations (2) and (3) by analyzing each of them in turn.

To justify inequation (2), we observe that $A_{sca}$ simulates $A$ in exactly the same environment as that of the experiment $\mathrm{Exp}^{\text{ind-cca-sca-}b}_{\mathcal{SE},A}(k)$. Therefore, if $A$ submits a valid $S$ as an oracle query (i.e. the event $F$ occurs), $A_{sca}$ uses this $S$ as a query to its own oracle, and so inequation (2) follows. (Once this output equals $K$, $A_{sca}$ stops and the simulation does not continue any further.) Similarly, for inequation (3), when the event $F$ does not occur, $A_{cca}$ simulates $A$ in exactly the same environment as that of the experiment $\mathrm{Exp}^{\text{ind-cca-sca-}b}_{\mathcal{SE},A}(k)$. Therefore, if $A$ is able to guess the correct bit, $b' = b$, so is $A_{cca}$, and inequation (3) follows. This concludes the proof of inequation (1).

To justify the claimed resource complexities of $A_{sca}$ and $A_{cca}$, note that each of $A_{sca}$ and $A_{cca}$ uses the same number of queries as $A$. For time complexity, we measure the time for each entire experiment. Inequation (1) also leads to Theorem 5.

Theorem 5 (IND-CCA-SCA ⇒ IND-CCA) For any scheme $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, if $\mathcal{SE}$ is IND-CCA-SCA secure, then it is IND-CCA secure. Concretely,

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s). \quad (4)$$

Proof. The adversary $A$ will depend on $A_{cca}$ to achieve its goal. Specifically, $A$'s goal is to figure out whether the message or the random string has been encrypted in an implementation. The construction of $A$ is as follows.

    Adversary $A^{\mathcal{E}_K(RR(\cdot,b)),\, \mathcal{D}_K(\cdot),\, \mathcal{S}_K(\cdot)}(k)$
        For $i = 1, \ldots, q_e + q_d$ do
            When $A_{cca}$ makes a query $M_{i,0}, M_{i,1}$ to its encryption oracle do
                $A_{cca} \Leftarrow \mathcal{E}_K(RR(M_{i,b}, b)),\, \mathcal{D}_K(M_{i,b})$
        $A_{cca} \Rightarrow b'$
        Return $b'$.

For $A$'s advantage in the IND-CCA-SCA sense, we have

$$\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A}(k) \ge \Pr[\mathrm{Exp}^{\text{ind-cca-1}}_{\mathcal{SE},A_{cca}}(k) = 1] - \Pr[\mathrm{Exp}^{\text{ind-cca-0}}_{\mathcal{SE},A_{cca}}(k) = 1] = \mathrm{Adv}^{\text{ind-cca}}_{\mathcal{SE},A_{cca}}(k).$$

Since $A_{cca}$ is an arbitrary adversary, the claimed relation between the advantages follows.

Theorem 6 (IND-CCA-SCA ⇒ UB-SCA) For any scheme $\mathcal{SE} = (\mathcal{P}, \mathcal{C}, \mathcal{S}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, if $\mathcal{SE}$ is IND-CCA-SCA secure, then it is UB-SCA secure. Concretely,

$$\mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE}}(k, t, q_e, \mu_e, q_d, \mu_d, q_s, \mu_s). \quad (5)$$

Proof. The adversary $A$ will depend on $A_{sca}$ to achieve its goal. Specifically, $A$'s goal is to figure out whether the message or the random string has been encrypted in an implementation. The construction of $A$ is as follows.

    Adversary $A^{\mathcal{E}_K(RR(\cdot,b)),\, \mathcal{S}_K(\cdot)}(k)$
        For $i = 1, \ldots, q_e + q_s$ do
            When $A_{sca}$ makes a query $M_{i,0}, M_{i,1}$ to its encryption oracle do
                $A_{sca} \Leftarrow \mathcal{E}_K(RR(M_{i,b}, b))$
            When $A_{sca}$ makes a query $S_i$ to its implementation oracle do
                $K' \leftarrow \mathcal{S}_K(S_i)$
                If $K \ne K'$ then $A_{sca} \Leftarrow \bot$; else stop.
        $A_{sca} \Rightarrow b'$
        Return $b'$.

For $A$'s advantage in the IND-CCA-SCA sense, we have

$$\mathrm{Adv}^{\text{ind-cca-sca}}_{\mathcal{SE},A}(k) \ge \Pr[\mathrm{Exp}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k) = 1] = \mathrm{Adv}^{\text{ub-sca}}_{\mathcal{SE},A_{sca}}(k).$$

Since $A_{sca}$ is an arbitrary adversary, the claimed relation between the advantages follows.

From the reductions above, we conclude that "IND-CCA + UB-SCA ⇒ IND-CCA-SCA", and that the IND-CCA-SCA notion is stronger than IND-CCA or UB-SCA. Our results are not only of theoretical interest but can also be useful when one proves the IND-CCA-SCA security of a symmetric encryption scheme implementation.

5. Conclusion

In this paper, we study the relationship between security notions for classical attacks and for side channel attacks. We present the security notions UB-SCA and IND-CCA-SCA for block ciphers based on IND-CCA, and generalize the relations among them by reductions. We conclude that "IND-CCA + UB-SCA ⇒ IND-CCA-SCA". That is, a block cipher which is IND-CCA secure and whose implementation is UB-SCA secure is IND-CCA-SCA secure. We also show that the IND-CCA-SCA notion is stronger than IND-CCA or UB-SCA. As a final conclusion, we hope that this first step towards real-world implementations will be a motivating starting point for further research in these important fields.

Acknowledgement

The authors wish to acknowledge the anonymous referees for helpful suggestions.

References

[1] P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," CRYPTO '96, Vol. 1109 of LNCS, pp. 104-113, 1996.

[2] J. Kelsey, B. Schneier, D. Wagner et al., "Side Channel Cryptanalysis of Product Ciphers," ESORICS '98 Proceedings, pp. 97-110, 1998.

[3] E. Biham, A. Shamir, "Differential Fault Analysis of Secret Key Cryptosystems," CRYPTO '97, Vol. 1294 of LNCS, pp. 513-525, 1997.

[4] D. Boneh, R. A. DeMillo, R. J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults," EUROCRYPT '97, Vol. 1233 of LNCS, pp. 37-51, 1997.

[5] P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis," CRYPTO '99, Vol. 1666 of LNCS, pp. 388-397, 1999.

[6] S. Goldwasser, S. Micali, "Probabilistic Encryption," Journal of Computer and System Sciences, 28(2), pp. 270-299, 1984.

[7] M. Bellare, A. Desai, E. Jokipii et al., "A Concrete Security Treatment of Symmetric Encryption," FOCS '97, pp. 394-405, IEEE, 1997.

[8] C. Clavier, M. Joye, "Universal Exponentiation Algorithm," CHES 2001, Vol. 2162 of LNCS, pp. 300-308, 2001.

[9] F. X. Standaert, E. Peeters, C. Archambeau et al., "Towards Security Limits in Side-Channel Attacks," CHES 2006, Vol. 4249 of LNCS, pp. 30-45, 2006.