
I have read the paper Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model and I want to understand the DPA attack. In section 3.2.1 Path 1 (page 4) it is written:

The last remaining parts $H^{(0)}$ and $C^{(0)}$ can be recovered by making substitutions in Alg. 1: in Step 7 of round 1, where $H^{(0)}$ is the only unknown variable, and similarly in Step 8 of round 1 where $C^{(0)}$ is the only unknown variable.

The substitution for $H^{(0)}$ is clear to me:

  • $T_1^{(1)} = \delta^{(0)} \boxplus W_1$ (1)
  • $T_1^{(1)} = H^{(0)} \boxplus \Sigma_1(E^{(0)}) \boxplus Ch(E^{(0)},F^{(0)},G^{(0)}) \boxplus K_1 \boxplus W_1$ (2)
  • (1) = (2):
  • $\delta^{(0)} \boxplus W_1 = H^{(0)} \boxplus \Sigma_1(E^{(0)}) \boxplus Ch(E^{(0)},F^{(0)},G^{(0)}) \boxplus K_1 \boxplus W_1$
  • $\delta^{(0)} = H^{(0)} \boxplus \Sigma_1(E^{(0)}) \boxplus Ch(E^{(0)},F^{(0)},G^{(0)}) \boxplus K_1$
  • $H^{(0)} = \delta^{(0)} \boxminus \Sigma_1(E^{(0)}) \boxminus Ch(E^{(0)},F^{(0)},G^{(0)}) \boxminus K_1$

But for $C^{(0)}$ I don't know how to start, and my other problem is that I don't know how to substitute in the function Maj.

Zlatan

1 Answer


I will keep the same notations as in the paper mentioned above.

First, your substitution for $H^{(0)}$ is correct, but you could stop at

\begin{align*} T_1^{(1)} = H^{(0)}\boxplus \Sigma_1(E^{(0)}) \boxplus Ch(E^{(0)}, F^{(0)}, G^{(0)}) \boxplus K_1 \boxplus W_1 \end{align*}

since all values except $H^{(0)}$ are known from previous DPAs.

Regarding $C^{(0)}$, it is a little less straightforward. We have

\begin{align*} T_2^{(1)} &= \Sigma_0(A^{(0)}) \boxplus Maj(A^{(0)}, B^{(0)}, C^{(0)})\\ &= \Sigma_0(A^{(0)}) \boxplus \big[(A^{(0)} \wedge B^{(0)}) \oplus (A^{(0)} \wedge C^{(0)}) \oplus(B^{(0)} \wedge C^{(0)})\big] \end{align*}

which results in

\begin{align*} \big[T_2^{(1)} \boxminus \Sigma_0(A^{(0)})\big] \oplus (A^{(0)} \wedge B^{(0)})&= (A^{(0)} \wedge C^{(0)}) \oplus(B^{(0)} \wedge C^{(0)}) \,. \end{align*}

Unfortunately, as the bitwise AND operator is not invertible, we don't get $C^{(0)}$ directly. Still, $C^{(0)}$ is the only unknown variable, making a brute-force attack on this 32-bit variable easy in practice.

Raoul722
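An added worked example of the Step 8 substitution, written for this page and not taken from the answer or the paper, using constructed sample values for $A^{(0)}$, $B^{(0)}$ and $C^{(0)}$ (the function names `sigma0`, `maj`, `t2` and `solve_c` are my own). It goes slightly beyond the answer: because $Maj$ is bitwise, every bit of $C^{(0)}$ at a position where $A^{(0)}$ and $B^{(0)}$ differ is fixed outright, and only the positions where they agree remain to be enumerated.

```python
# Step 8 of SHA-256 round 1 in the paper's notation:
#   T_2 = Sigma_0(A) + Maj(A, B, C)  (mod 2^32)
# with A, B, T_2 known from earlier DPAs and C the only unknown.
# Bitwise, Maj_i = C_i when A_i != B_i, and Maj_i = A_i when A_i == B_i,
# so the candidate set for C has size 2^k with k = popcount(~(A ^ B)).
MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(a):
    # SHA-256 big Sigma_0
    return rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)

def maj(a, b, c):
    return (a & b) ^ (a & c) ^ (b & c)

def t2(a, b, c):
    # What the device computes in Step 8 (used here to build sample input).
    return (sigma0(a) + maj(a, b, c)) & MASK

def solve_c(a, b, t2_val, max_free_bits=20):
    """Return (fixed, free_mask, candidates): the bits of C forced by the
    equation, the mask of undetermined bit positions, and the sorted list
    of all C values consistent with T_2 (empty if the inputs are
    inconsistent or more than max_free_bits positions are undetermined)."""
    m = (t2_val - sigma0(a)) & MASK        # recovers Maj(A, B, C)
    diff = (a ^ b) & MASK                  # positions where A_i != B_i
    free = (~diff) & MASK                  # positions where C_i is free
    fixed = m & diff                       # C_i = Maj_i wherever A_i != B_i
    # Consistency check: where A_i == B_i the equation forces Maj_i = A_i.
    if (m & free) != (a & free):
        return fixed, free, []
    free_positions = [i for i in range(32) if (free >> i) & 1]
    if len(free_positions) > max_free_bits:
        return fixed, free, []
    cands = []
    for n in range(1 << len(free_positions)):
        c = fixed
        for j, pos in enumerate(free_positions):
            if (n >> j) & 1:
                c |= 1 << pos
        cands.append(c)
    return fixed, free, sorted(cands)
```

With the constructed values in the test, $A^{(0)}$ and $B^{(0)}$ agree only in bits 4 to 7, so exactly 16 candidates for $C^{(0)}$ remain; when they agree in every bit the search is the full $2^{32}$ the answer mentions.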