On the (in)Security of ChaCha20 against Physical Attacks

Shivam Bhasin

The stream cipher ChaCha20 and the Poly1305 authenticator are adopted in several products, including Google Chrome and OpenSSL. For instance, Google Chrome often uses ChaCha20 for secure communication when the underlying platform lacks hardware support for AES. The two algorithms have the potential to be adopted across multiple domains in the future. The ChaCha20-Poly1305 cipher suite is advertised as being easier to implement in a side-channel resistant way, especially compared to ciphers based on substitution-permutation networks. However, this side-channel security claim is limited to timing-based leakage. In this talk, we investigate the security of ChaCha20 against two commonly known physical attacks: side-channel attacks and fault attacks.

The first part focuses on power- or electromagnetic-based side-channels. The growth of the omnipresent Internet of Things (IoT) and the connected car increases the number of embedded appliances that can be attacked using these side-channels. Hence, it is important to understand the security of deployed cryptographic algorithms not only against attacks on the timing side-channel but against a wider attack suite. We analyze the stream cipher ChaCha20 and show how the secret key can be completely extracted. While the first attack recovers the key from the initial round of ChaCha20, the second demonstrates key retrieval by exploiting the final addition.

The second part looks into active attacks realised using fault injection. Stream ciphers are often believed to be harder to attack with fault injection owing to the complexity of the required offline analysis. We propose four differential fault analysis (DFA) attacks on ChaCha20 running on a low-cost microcontroller, using the instruction skip and instruction replacement fault models. The attacks target the keystream generation module at the decryption site and entirely avoid nonce misuse. We practically demonstrate the proposed attacks using a laser fault injection setup.

The talk is based on recent joint works. The part on side-channel attacks is based on recent work with Bernhard Jungk from NTU, Singapore. The fault attacks were investigated with co-authors from IIT Kharagpur, India and NTU, Singapore.
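To make the two leakage points named in the abstract concrete (the initial round and the final addition), here is an added reference implementation of the ChaCha20 block function as specified in RFC 8439, written in Python for this page; it is not code from the talk or its authors. It is checked against the RFC's quarter-round and block test vectors. The comments mark where the first column round mixes key words with public constants, counter and nonce, and where the final addition adds the key-holding initial state straight back into keystream words 4..11. Both are therefore intermediate values an implementation needs to protect (for example by masking), which is the defender's side of the talk's result. The names `chacha20_block_trace` and `key_words_from_final_addition` are this example's own, not standard API.

```python
"""Reference ChaCha20 block function (RFC 8439) with the two points the talk's
side-channel attacks target made explicit: the first column round and the
final addition. Added example; not the talk authors' code."""
import struct

MASK32 = 0xFFFFFFFF

# "expand 32-byte k" as four little-endian words (RFC 8439, section 2.3).
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    """ARX quarter round on state words a, b, c, d, in place (RFC 8439, 2.1)."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def initial_state(key, counter, nonce):
    """Build the 16-word state: constants | key (8 words) | counter | nonce (3 words)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    return (list(CONSTANTS)
            + list(struct.unpack("<8I", key))
            + [counter & MASK32]
            + list(struct.unpack("<3I", nonce)))


def chacha20_block_trace(key, counter, nonce):
    """Return (initial_state, state_after_20_rounds, output_words).

    Words 4..11 of initial_state are the key. In the very first column round
    each quarter round mixes one constant, two key words and one counter or
    nonce word, so its early intermediate values depend on only a small part
    of the key: that is the 'initial round' leakage point. The final addition
    adds the key words directly into output words 4..11: that is the 'final
    addition' leakage point the talk refers to.
    """
    init = initial_state(key, counter, nonce)
    s = init[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        quarter_round(s, 0, 4, 8, 12)        # column round; the first pass is
        quarter_round(s, 1, 5, 9, 13)        #  the 'initial round' of the talk
        quarter_round(s, 2, 6, 10, 14)
        quarter_round(s, 3, 7, 11, 15)
        quarter_round(s, 0, 5, 10, 15)       # diagonal round
        quarter_round(s, 1, 6, 11, 12)
        quarter_round(s, 2, 7, 8, 13)
        quarter_round(s, 3, 4, 9, 14)
    after_rounds = s[:]
    # Final addition: output = state after rounds + initial state, word by word.
    out = [(s[i] + init[i]) & MASK32 for i in range(16)]
    return init, after_rounds, out


def chacha20_block(key, counter, nonce):
    """Serialize one 64-byte keystream block (little-endian words)."""
    _, _, out = chacha20_block_trace(key, counter, nonce)
    return struct.pack("<16I", *out)


def key_words_from_final_addition(after_rounds, out):
    """Shows why the final addition is sensitive: the key words are exactly the
    modular difference between output words 4..11 and the pre-addition state.
    Defender's takeaway: the pre-addition state is as secret as the key and
    must be protected in the same way (e.g. masked) on embedded targets."""
    return [(out[i] - after_rounds[i]) & MASK32 for i in range(4, 12)]


if __name__ == "__main__":
    # RFC 8439 section 2.3.2 test vector (key 00..1f, counter 1, nonce 00000009 0000004a 00000000).
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    init, after, out = chacha20_block_trace(key, 1, nonce)
    print("keystream block:", chacha20_block(key, 1, nonce).hex())
    print("key words recovered from final addition:",
          [hex(w) for w in key_words_from_final_addition(after, out)])
```

Running the block prints the RFC 8439 section 2.3.2 keystream block and confirms that the eight words added in the final addition are the key words themselves, which is the structural property behind the second side-channel attack described in the abstract.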