Your search keyword '"Standaert, François-Xavier"' showing total 163 results

1. Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks

Author

Cassiers, Gaëtan, Masure, Loïc, Momin, Charles, Moos, Thorben, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Artificial Intelligence, Computer Networks and Communications, Hardware and Architecture, Signal Processing, Side-channel attacks · masking · prime ciphers · low-noise leakages, Computer Graphics and Computer-Aided Design, Software

Abstract

A recent study suggests that arithmetic masking in prime fields leads to stronger security guarantees against passive physical adversaries than Boolean masking. Indeed, it is a common observation that the desired security amplification of Boolean masking collapses when the noise level in the measurements is too low. Arithmetic encodings in prime fields can help to maintain an exponential increase of the attack complexity in the number of shares even in such a challenging context. In this work, we contribute to this emerging topic in two main directions. First, we propose novel masked hardware gadgets for secure squaring in prime fields (since squaring is non-linear in non-binary fields) which prove to be significantly more resource-friendly than corresponding masked multiplications. We then formally show their local and compositional security for arbitrary orders. Second, we attempt to >experimentally evaluate the performance vs. security tradeoff of prime-field masking. In order to enable a first comparative case study in this regard, we exemplarily consider masked implementations of the AES as well as the recently proposed AESprime. AES-prime is a block cipher partially resembling the standard AES, but based on arithmetic operations modulo a small Mersenne prime. We present cost and performance figures for masked AES and AES-prime implementations, and experimentally evaluate their susceptibility to low-noise side-channel attacks. We consider both the dynamic and the static power consumption for our low-noise analyses and emulate strong adversaries. Static power attacks are indeed known as a threat for side-channel countermeasures that require a certain noise level to be effective because of the adversary’s ability to reduce the noise through intra-trace averaging. Our results show consistently that for the noise levels in our practical experiments, the masked prime-field implementations provide much higher security for the same number of shares. This compensates for the overheads prime computations lead to and remains true even if / despite leaking each share with a similar Signal-to-Noise Ratio (SNR) as their binary equivalents. We hope our results open the way towards new cipher designs tailored to best exploit the advantages of prime-field masking.

Published

2023

2. Optimally Secure Tweakable Block Ciphers with a Large Tweak from n-bit Block Ciphers

Author

Shen, Yaobin and Standaert, François-Xavier

Subjects

Tweakable Block Cipher, Large Tweak, Optimal (n-bit) Security

Abstract

We consider the design of a tweakable block cipher from a block cipher whose inputs and outputs are of size n bits. The main goal is to achieve 2n security with a large tweak (i.e., more than n bits). Previously, Mennink at FSE’15 and Wang et al. at Asiacrypt’16 proposed constructions that can achieve 2n security. Yet, these constructions can have a tweak size up to n-bit only. As evident from recent research, a tweakable block cipher with a large tweak is generally helpful as a building block for modes of operation, typical applications including MACs, authenticated encryption, leakage-resistant cryptography and full-disk encryption.We begin with how to design a tweakable block cipher with 2n-bit tweak and n-bit security from two block cipher calls. For this purpose, we do an exhaustive search for tweakable block ciphers with 2n-bit tweaks from two block cipher calls, and show that all of them suffer from birthday-bound attacks. Next, we investigate the possibility to design a tweakable block cipher with 2n-bit tweak and n-bit security from three block cipher calls. We start with some conditions to build such a tweakable block cipher and propose a natural construction, called G̃1, that likely meets them. After inspection, we find a weakness in G̃1 which leads to a birthday-bound attack. Based on G̃1, we then propose another construction, called G̃2, that can avoid this weakness. We finally prove that G̃2 can achieve n-bit security with 2n-bit tweak.

Published

2023

3. TIPECS : A corpus cleaning method using machine learning and qualitative analysis

Author

Bogaert, Jérémie, Escouflaire, Louis, de Marneffe, Marie-Catherine, Descampe, Antonin, Standaert, François-Xavier, Fairon, Cédrick, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

machine learning, corpus linguistics, corpus cleaning, transformers

Abstract

We present TIPECS ("Train, Infer Predictions, Explain, Clean, Start again"), a corpus cleaning method relying on a mixed approach between machine learning and manual analysis. The aim of our dataset cleaning approach is to remove tokens or segments that are considered as discriminant features by a classification model trained on a given dataset for a given task, but that cannot be generalized to other similar tasks or datasets.

Published

2023

4. Secure Message Authentication in the Presence of Leakage and Faults

Author

Berti, Francesco, Guo, Chun, Peters, Thomas, Shen, Yaobin, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Computational Mathematics, Faults, Mode-Level Protections, Applied Mathematics, Combine Attacks, Leakage, Software, Computer Science Applications

Abstract

Security against side-channels and faults is a must for the deployment of embedded cryptography. A wide body of research has investigated solutions to secure implementations against these attacks at different abstraction levels. Yet, to a large extent, current solutions focus on one or the other threat. In this paper, we initiate a mode-level study of cryptographic primitives that can ensure security in a (new and practically-motivated) adversarial model combining leakage and faults. Our goal is to identify constructions that do not require a uniform protection of all their operations against both attack vectors. For this purpose, we first introduce a versatile and intuitive model to capture leakage and faults. We then show that a MAC from Asiacrypt 2021 natively enables a leveled implementation for fault resilience where only its underlying tweakable block cipher must be protected, if only the tag verification can be faulted. We finally describe two approaches to amplify security for fault resilience when also the tag generation can be faulted. One is based on iteration and requires the adversary to inject increasingly large faults to succeed. The other is based on randomness and allows provable security against differential faults.

Published

2023

5. Towards Case-Optimized Hybrid Homomorphic Encryption - Featuring the Elisabeth Stream Cipher

Author

Cosseron, Orel, Hoffmann, Clément, Méaux, Pierrick, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Published

2023

6. Optimally Secure Tweakable Block Ciphers with a Large Tweak

Author

Shen, Yaobin, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Tweakable block cipher, large tweak, optimal security

Abstract

We consider the design of a tweakable block cipher from a block cipher whose inputs and outputs are of size n bits. The main goal is to achieve 2n security with a large tweak (more than n bits). Previously, Mennink at FSE’15 and Wang et al. at Asiacrypt’16 proposed constructions that can achieve 2n security. Yet, these constructions can have a tweak size up to n-bit. As evident from recent research, a tweakable block cipher with a large tweak is generally helpful as a building block for modes of operation, typical applications including MACs, authenticated encryption and full-disk encryption when sector ID is more than n bits. We begin with how to design a tweakable block cipher with 2n-bit tweak and n-bit security from two block cipher calls. For this purpose, we do an exhaustive search for tweakable block ciphers with 2n-bit tweaks from two block cipher calls, and show that all of them suffer from birthday-bound attacks. Next, we investigate the possibility to design a tweakable block cipher with 2n-bit tweak and n-bit security from three block cipher calls. We start with some conditions to build a such tweakable block cipher and propose a natural construction, called eG1, that likely meets them. After inspection, we find a weakness on eG1 which leads to a birthday-bound attack. Based on eG1, we then propose another construction, called eG2, that can avoid this weakness. We finally prove that eG2 can achieve n-bit security with 2n-bit tweak.

Published

2023

7. Multiplex: TBC-based Authenticated Encryption with Sponge-Like Rate

Author

Peters, Thomas, Shen, Yaobin, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

Authenticated Encryption (AE) modes of operation based on Tweakable Block Ciphers (TBC) usually measure efficiency in the number of calls to the underlying primitive per message block. On the one hand, many existing solutions reach a primitive-rate of 1, meaning that each n-bit block of message asymptotically needs a single call to the TBC with output length n. On the other hand, while these modes look optimal in a blackbox setting, they become less attractive when leakage comes into play, since all these calls must then be equally well protected to maintain security. Leakage-resistant modes improve this situation, by generating ephemeral keys every constant number of calls. However, rekeying is inherently suboptimal in primitive-rate, since a TBC call can only be used either to refresh a key or to encrypt a block. Even worse, existing solutions achieving almost n bits of security for n-bit secret keys have at most a primitive-rate 2/3. Hence the question: Can we design a highly-secure TBC-based rekeying mode with “nearly optimal” primitive-rate? We answer this question positively with Multiplex, a new mode that has primitive-rate d/(d+1) given a TBC with a dn-bit tweak. Multiplex achieves n−log(n) bits of security for both (i) misuse-resilience CCA security in the blackbox setting and (ii) Ciphertext Integrity with Misuse-resistant and unbounded Leakage in encryption and decryption (CIML2). It also provides (iii) confidentiality with leakage up to the birthday bound. Furthermore, Multiplex can run d + 1 calls in parallel in each iteration. The combination of these features gives a mode of operation that inherits most of the good implementation features and flexibility of a Duplex sponge – therefore paving the way towards sound comparisons between TBC-based and permutation-based AE.

Published

2023

8. A Third is All You Need: Extended Partial Key Exposure Attack on (CRT-RSA) with Additive Exponent Blinding

Author

Zhou, Yuanyuan, van de Pol, Joop, Yu, Yu, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Published

2023

9. MCRank: Monte Carlo Key Rank Estimation for Side-Channel Security Evaluations

Author

Camurati, Giovanni, Dell’Amico, Matteo, and Standaert, François-Xavier

Subjects

Key rank estimation, Side channel attacks, Monte Carol methods, Artificial Intelligence, Computer Networks and Communications, Hardware and Architecture, Key rank estimation, Side channel attacks, Monte Carlo methods, Signal Processing, Monte Carlo methods, Computer Graphics and Computer-Aided Design, Software

Abstract

Key rank estimation provides a measure of the effort that the attacker has to spend bruteforcing the key of a cryptographic algorithm, after having gained some information from a side channel attack. We present MCRank, a novel method for key rank estimation based on Monte Carlo sampling. MCRank provides an unbiased estimate of the rank and a confidence interval. Its bounds rapidly become tight for increasing sample size, with a corresponding linear increase of the execution time. When applied to evaluate an AES-128 implementation, MCRank can be orders of magnitude faster than the state-of-the-art histogram-based enumeration method for comparable bound tightness. It also scales better than previous work for large keys, up to 2048 bytes. Besides its conceptual simplicity and efficiency, MCRank can assess for the first time the security of large keys even if the probability distributions given the side channel leakage are not independent between subkeys, which occurs, for example, when evaluating the leakage security of an AES-256 implementation., IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023 (1), ISSN:2569-2925

Published

2022

10. Towards Globally Optimized Hybrid Homomorphic Encryption - Featuring the Elisabeth Stream Cipher

Author

Cosseron, Orel, Hoffmann, Clément, Méaux, Pierrick, Standaert, François-Xavier, Arithmétiques des ordinateurs, méthodes formelles, génération de code (ARIC), Laboratoire de l'Informatique du Parallélisme (LIP), École normale supérieure de Lyon (ENS de Lyon)-Université Claude Bernard Lyon 1 (UCBL), Université de Lyon-Université de Lyon-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure de Lyon (ENS de Lyon)-Université Claude Bernard Lyon 1 (UCBL), Université de Lyon-Université de Lyon-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Inria Lyon, Institut National de Recherche en Informatique et en Automatique (Inria), Laboratoire Traitement et Communication de l'Information (LTCI), Institut Mines-Télécom [Paris] (IMT)-Télécom Paris, Université Catholique de Louvain = Catholic University of Louvain (UCL), University of Luxembourg [Luxembourg], and Stehle, Damien

Subjects

[INFO]Computer Science [cs], [INFO] Computer Science [cs]

Abstract

International audience

Published

2022

11. Handcrafting: Improving Automated Masking in Hardware with Manual Optimizations

Author

Momin, Charles, Cassiers, Gaëtan, Standaert, François-Xavier, Constructive Side-Channel Analysis and Secure Design - 13th International Workshop, {COSADE}, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Published

2022

12. Analyzing the Leakage Resistance of the NIST’s Lightweight Crypto Competition’s Finalists

Author

Verhamme, Corentin, Cassiers, Gaëtan, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

We investigate the security of the NIST Lightweight Crypto Competition’s Finalists against side-channel attacks. We start with a mode-level analysis that allows us to put forward three candidates (As- con, ISAP and Romulus-T) that stand out for their leakage properties and do not require a uniform protection of all their computations thanks to (expensive) implementation-level countermeasures. We then imple- ment these finalists and evaluate their respective performances. Our re- sults confirm the interest of so-called leveled implementations (where only the key derivation and tag generation require security against dif- ferential power analysis). They also suggest that these algorithms differ more by their qualitative features (e.g., two-pass designs to improve confi- dentiality with decryption leakage vs. one-pass designs, flexible overheads thanks to masking vs. fully mode-level, easier to implement, schemes) than by their quantitative features, which all improve over the AES and are quite sensitive to security margins against cryptanalysis.

Published

2022

13. Bitslice Masking and Improved Shuffling: How and When to Mix Them in Software?

Author

Azouaoui, Melissa, Bronchain, Olivier, Grosso, Vincent, Papagiannopoulos, Kostas, Standaert, François-Xavier, NXP Semiconductors, Université Catholique de Louvain = Catholic University of Louvain (UCL), Centre National de la Recherche Scientifique (CNRS), Laboratoire Hubert Curien [Saint Etienne] (LHC), Université Jean Monnet [Saint-Étienne] (UJM)-Centre National de la Recherche Scientifique (CNRS)-Institut d'Optique Graduate School (IOGS), and University of Amsterdam [Amsterdam] (UvA)

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR]

Abstract

Pre-prints; We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our contributions are threefold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination's performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. Third, we discuss the challenges for implementing masking and shuffling under low noise conditions: we recall that such algorithmic countermeasures cannot be implemented securely without a minimum level of physical noise. We conclude that with moderate but sufficient noise, the bitslice masking + shuffling combination is relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As a side result, we improve the best known attack against shuffling from Asiacrypt 2012, which we use in our concrete evaluations.

Published

2021

14. Understanding screaming channels: From a detailed analysis to improved attacks

Author

Camurati, Giovanni, Francillon, Aurélien, Standaert, François-Xavier, Camurati, Giovanni, Francillon, Aurélien, and Standaert, François-Xavier

Subjects

Side-Channel Attacks, Screaming Channels, Electromagnetic Leakage

Published

2020

15. Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Author

Bronchain, Olivier and Standaert, François-Xavier

Subjects

TK7885-7895, Computer engineering. Computer hardware, SASCA, Higher-Order Masking, Information technology, T58.5-58.64, Profiled Side-Channel Analysis, Dimensionality Reduction, Bitslice Software, Physical Security Evaluations

Abstract

We explore the concrete side-channel security provided by state-of-theart higher-order masked software implementations of the AES and the (candidate to the NIST Lightweight Cryptography competition) Clyde, in ARM Cortex-M0 and M3 devices. Rather than looking for possibly reduced security orders (as frequently considered in the literature), we directly target these implementations by assuming their maximum security order and aim at reducing their noise level thanks to multivariate, horizontal and analytical attacks. Our investigations point out that the Cortex-M0 device has so limited physical noise that masking is close to ineffective. The Cortex-M3 shows a better trend but still requires a large number of shares to provide strong security guarantees. Practically, we first exhibit a full 128-bit key recovery in less than 10 traces for a 6-share masked AES implementation running on the Cortex-M0 requiring 232 enumeration power. A similar attack performed against the Cortex-M3 with 5 shares require 1,000 measurements with 244 enumeration power. We then show the positive impact of lightweight block ciphers with limited number of AND gates for side-channel security, and compare our attacks against a masked Clyde with the best reported attacks of the CHES 2020 CTF. We complement these experiments with a careful information theoretic analysis, which allows interpreting our results. We also discuss our conclusions under the umbrella of “backwards security evaluations” recently put forwards by Azouaoui et al. We finally extrapolate the evolution of the proposed attack complexities in the presence of additional countermeasures using the local random probing model proposed at CHES 2020.

Published

2021

16. Advances in Cryptology – EUROCRYPT 2021 - Part I

Author

Canteaut, Anne, Standaert, François-Xavier, Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), and Université Catholique de Louvain = Catholic University of Louvain (UCL)

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], ComputingMilieux_MISCELLANEOUS

Abstract

International audience

Published

2021

17. Security Analysis of Deterministic Re-Keying with Masking & Shuffling: Application to ISAP

Author

Udvarhelyi, Balazs, Bronchain, Olivier, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

Single-trace side-channel attacks are important attack vectors against the security of authenticated encryption schemes relying on an internal re-keying process, such as the NIST Lightweight Cryptography finalist ISAP. In a recent work of Kannwischer et al., it was suggested to mitigate such single-trace attacks with masking and shuffling. In this work, we first show that combining masking and re-keying is conceptually useless since this combination can always be attacked with a complexity that is just the sum of the complexities to attack a masked implementation (without re-keying) and a re-keyed implementation (without masking). We then show that combining shuffling and re-keying is theoretically founded but can be practically challenging: in low-cost embedded devices (e.g., ARM Cortex-M0) that are the typical targets of single-trace attacks, the noise level of the leakages is such that multivariate attacks can be powerful enough to recover the shuffling permutation in one trace. This second result does not prevent the shuffling + re-keying combination to be effective in more noisy contexts, but it suggests that the best use cases for leakage-resilient PRFs as used by ISAP remain the ones where no additional countermeasures are needed.

Published

2021

18. Advances in Cryptology – EUROCRYPT 2021 - Part III

Author

Canteaut, Anne, Standaert, François-Xavier, Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), and Université Catholique de Louvain = Catholic University of Louvain (UCL)

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], ComputingMilieux_MISCELLANEOUS

Abstract

International audience

Published

2021

19. Transparents mais corruptibles : les algorithmes au défi des comportements « adversariaux » dans le domaine journalistique

Author

Descampe, Antonin, Standaert, François-Xavier, UCL - SSH/ILC/PCOM - Pôle de recherche en communication, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

Dans le domaine du journalisme computationnel, l’automatisation de la production de l’information invite à s’interroger sur la pertinence des décisions automatiques et les moyens de la garantir. Cette « responsabilité algorithmique » est souvent ramenée à une question de transparence, garantissant qu’un algorithme a été conçu de manière conforme à l’intention affichée. Deux études de cas impliquant une catégorisation automatique d’articles de presse montrent pourtant que la transparence n’est pas suffisante : des exemples « adversariaux » sont en mesure de détourner un algorithme de son comportement attendu. Ce constat appelle à inclure dans l’évaluation de la performance d’un algorithme la robustesse face à d’éventuels comportements « adversariaux ». Les difficultés techniques posées par cette robustesse plaident notamment pour une implication accrue des journalistes comme garants des décisions automatiques.

Published

2021

20. Advances in Cryptology – EUROCRYPT 2021 - Part II

Author

Canteaut, Anne, Standaert, François-Xavier, Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), and Université Catholique de Louvain = Catholic University of Louvain (UCL)

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], ComputingMilieux_MISCELLANEOUS

Abstract

International audience

Published

2021

21. Unprotected and masked hardware implementations of spook v2

Author

Momin, Charles, Cassiers, Gaëtan, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

We describe FPGA implementations of the Spook candidate to the NIST lightweight cryptography competition in two flavors. First, unprotected implementations that exhibit the excellent throughput and energy consumption for the area target specified by the NIST benchmark- ing initiative. Second, protected implementations leveraging the leveled implementation concept that the Spook design enables and confirming the significant performance gains that it enables.

Published

2021

22. Leakage Detection with the x2-Test

Author

Moradi, Amir, Richter, Bastian, Schneider, Tobias, and Standaert, François-Xavier

Subjects

lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, statistical moments, SCA evaluation, 0202 electrical engineering, electronic engineering, information engineering, lcsh:TK7885-7895, t-test, SCA distinguisher, 020206 networking & telecommunications, 02 engineering and technology, 020202 computer hardware & architecture

Abstract

We describe how Pearson’s χ2-test can be used as a natural complement to Welch’s t-test for black box leakage detection. In particular, we show that by using these two tests in combination, we can mitigate some of the limitations due to the moment-based nature of existing detection techniques based on Welch’s t-test (e.g., for the evaluation of higher-order masked implementations with insufficient noise). We also show that Pearson’s χ2-test is naturally suited to analyze threshold implementations with information lying in multiple statistical moments, and can be easily extended to a distinguisher for key recovery attacks. As a result, we believe the proposed test and methodology are interesting complementary ingredients of the side-channel evaluation toolbox, for black box leakage detection and non-profiled attacks, and as a preliminary before more demanding advanced analyses., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2018, Issue 1

Published

2018

23. Secure and Efficient Masking of Lightweight Ciphers in Software and Hardware (with Application to the Spook AEAD)

Author

Bronchain, Olivier, Cassiers, Gaëtan, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

Security against side-channel attacks has been explicitly mentioned by the NIST as a target in the ongoing standardization process for lightweight cryp- tography. Many candidates to the competition took this criteria into account by minimizing the number of non-linear operations (e.g., AND gates) in their algorithms, which is in general beneficial to the masking countermeasure. In this talk, we will discuss: – The gains that lightweight ciphers can offer over the AES for masking, – The various challenges that the secure implemention of masking raises in software and in hardware, and tracks to solve them efficiently. For this purpose, we will leverage state-of-the-art results from the masking litera- ture [1, 2] and illustrate them thanks to the side-channel cryptanalysis challenge against masked Spook implementations that is (resp., was) running for CHES 2021 (resp., 2020). See https://ctf.spook.dev/ for the details. We will conclude by discussing the extent to which similar conclusions hold for other lightweight ciphers with similar non-linear complexity, and suggesting directions for a fair evaluation and comparison of masked implementations.

Published

2020

24. Modeling Soft Analytical Side-Channel Attacks from a Coding Theory Viewpoint

Author

Guo, Qian, Grosso, Vincent, Standaert, François-Xavier, Bronchain, Olivier, Dept. of Electrical and Information Technology, Lund University, Lund University [Lund], Department of Informatics [Bergen] (UiB), University of Bergen (UiB), Université Catholique de Louvain = Catholic University of Louvain (UCL), Centre National de la Recherche Scientifique (CNRS), Laboratoire Hubert Curien [Saint Etienne] (LHC), Institut d'Optique Graduate School (IOGS)-Université Jean Monnet [Saint-Étienne] (UJM)-Centre National de la Recherche Scientifique (CNRS), Fonds de la Recherche Scientifique [FNRS], and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Belief Propagation, 050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, Side-Channel Analysis, Worst-Case Security Evaluations, Horizontal (aka Multi-Target) Attacks, Masking, Shuffling, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, lcsh:TK7885-7895, 02 engineering and technology, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences

Abstract

One important open question in side-channel analysis is to find out whether all the leakage samples in an implementation can be exploited by an adversary, as suggested by masking security proofs. For attacks exploiting a divide-and-conquer strategy, the answer is negative: only the leakages corresponding to the first/last rounds of a block cipher can be exploited. Soft Analytical Side-Channel Attacks (SASCA) have been introduced as a powerful solution to mitigate this limitation. They represent the target implementation and its leakages as a code (similar to a Low Density Parity Check code) that is decoded thanks to belief propagation. Previous works have shown the low data complexities that SASCA can reach in practice. In this paper, we revisit these attacks by modeling them with a variation of the Random Probing Model used in masking security proofs, that we denote as the Local Random Probing Model (LRPM). Our study establishes interesting connections between this model and the erasure channel used in coding theory, leading to the following benefits. First, the LRPM allows bounding the security of concrete implementations against SASCA in a fast and intuitive manner. We use it in order to confirm that the leakage of any operation in a block cipher can be exploited, although the leakages of external operations dominate in known-plaintext/ciphertext attack scenarios. Second, we show that the LRPM is a tool of choice for the (nearly worst-case) analysis of masked implementations in the noisy leakage model, taking advantage of all the operations performed, and leading to new tradeoffs between their amount of randomness and physical noise level. Third, we show that it can considerably speed up the evaluation of other countermeasures such as shuffling., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2020, Issue 4

Published

2020

25. Automated Verification of Higher-Order Masking in Presence of Physical Defaults

Author

Barthe, Gilles, Belaïd, Sonia, Cassiers, Gaëtan, Fouque, Pierre-Alain, Grégoire, Benjamin, Standaert, François-Xavier, Institute IMDEA Software [Madrid], Max Planck Institute for Security and Privacy [Bochum] (MPI Security and Privacy), CryptoExperts, Université Catholique de Louvain = Catholic University of Louvain (UCL), EMbedded SEcurity and Cryptography (EMSEC), SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), Mathematical, Reasoning and Software (MARELLE), Inria Sophia Antipolis - Méditerranée (CRISAM), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Sûreté du logiciel et Preuves Mathématiques Formalisées (STAMP), Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), and Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)

Subjects

Automated verification, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Physical Defaults, Side-Channel Attacks, Maskverif, Composability, Glitches, Masking Countermeasure

Abstract

International audience; Power and electromagnetic based side-channel attacks are serious threats against the security of cryptographic embedded devices. In order to mitigate these attacks, implementations use countermeasures, among which masking is currently the most investigated and deployed choice. Unfortunately, commonly studied forms of masking rely on underlying assumptions that are difficult to satisfy in practice. This is due to physical defaults, such as glitches or transitions, which can recombine the masked data in a way that concretely reduces an implementation's security. We develop and implement an automated approach for verifying security of masked implementations in presence of physical defaults (glitches or transitions). Our approach helps to recover the main strengths of masking: rigorous foundations, composability guarantees, automated verification under more realistic assumptions. Our work follows the approach of (Barthe et al, EUROCRYPT 2015) and thus contributes to demonstrate the benefits of language-based approaches (specifically probabilistic information flow) for masking.

Published

2019

26. Glitch-Resistant Masking Revisited

Author

Moos, Thorben, Moradi, Amir, Schneider, Tobias, and Standaert, François-Xavier

Subjects

050101 languages & linguistics, Consolidated Masking Scheme, lcsh:Computer engineering. Computer hardware, Threshold Implementations, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Glitches Composability, lcsh:TK7885-7895, 02 engineering and technology, Hardware Masking, 0202 electrical engineering, electronic engineering, information engineering, Domain-Oriented Masking, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Robust Probing Model

Abstract

Implementing the masking countermeasure in hardware is a delicate task. Various solutions have been proposed for this purpose over the last years: we focus on Threshold Implementations (TIs), Domain-Oriented Masking (DOM), the Unified Masking Approach (UMA) and Generic Low Latency Masking (GLM). The latter generally come with innovative ideas to cope with physical defaults such as glitches. Yet, and in contrast to the situation in software-oriented masking, these schemes have not been formally proven at arbitrary security orders and their composability properties were left unclear. So far, only a 2-cycle implementation of the seminal masking scheme by Ishai, Sahai and Wagner has been shown secure and composable in the robust probing model – a variation of the probing model aimed to capture physical defaults such as glitches – for any number of shares. In this paper, we argue that this lack of proofs for TIs, DOM, UMA and GLM makes the interpretation of their security guarantees difficult as the number of shares increases. For this purpose, we first put forward that the higher-order variants of all these schemes are affected by (local or composability) security flaws in the (robust) probing model, due to insufficient refreshing. We then show that composability and robustness against glitches cannot be analyzed independently. We finally detail how these abstract flaws translate into concrete (experimental) attacks, and discuss the additional constraints robust probing security implies on the need of registers. Despite not systematically leading to improved complexities at low security orders, e.g., with respect to the required number of measurements for a successful attack, we argue that these weaknesses provide a case for the need of security proofs in the robust probing model (or a similar abstraction) at higher security orders., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

27. Multi-Tuple Leakage Detection and the Dependent Signal Issue

Author

Bronchain, Olivier, Schneider, Tobias, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Side-Channel Analysis, lcsh:TK7885-7895, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Security Evaluations, 020202 computer hardware & architecture, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Leakage Detection

Abstract

Leakage detection is a common tool to quickly assess the security of a cryptographic implementation against side-channel attacks. The Test Vector Leakage Assessment (TVLA) methodology using Welch’s t-test, proposed by Cryptography Research, is currently the most popular example of such tools, thanks to its simplicity and good detection speed compared to attack-based evaluations. However, as any statistical test, it is based on certain assumptions about the processed samples and its detection performances strongly depend on parameters like the measurement’s Signal-to-Noise Ratio (SNR), their degree of dependency, and their density, i.e., the ratio between the amount of informative and non-informative points in the traces. In this paper, we argue that the correct interpretation of leakage detection results requires knowledge of these parameters which are a priori unknown to the evaluator, and, therefore, poses a non-trivial challenge to evaluators (especially if restricted to only one test). For this purpose, we first explore the concept of multi-tuple detection, which is able to exploit differences between multiple informative points of a trace more effectively than tests relying on the minimum p-value of concurrent univariate tests. To this end, we map the common Hotelling’s T2-test to the leakage detection setting and, further, propose a specialized instantiation of it which trades computational overheads for a dependency assumption. Our experiments show that there is not one test that is the optimal choice for every leakage scenario. Second, we highlight the importance of the assumption that the samples at each point in time are independent, which is frequently considered in leakage detection, e.g., with Welch’s t-test. Using simulated and practical experiments, we show that (i) this assumption is often violated in practice, and (ii) deviations from it can affect the detection performances, making the correct interpretation of the results more difficult. Finally, we consolidate our findings by providing guidelines on how to use a combination of established and newly-proposed leakage detection tools to infer the measurements parameters. This enables a better interpretation of the tests’ results than the current state-of-the-art (yet still relying on heuristics for the most challenging evaluation scenarios)., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

28. Towards Globally Optimized Masking: From Low Randomness to Low Noise Rate

Author

Cassiers, Gaëtan and Standaert, François-Xavier

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, random probing model, lcsh:TK7885-7895, 02 engineering and technology, horizontal attacks, Masking, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, composability

Abstract

We improve the state-of-the-art masking schemes in two important directions. First, we propose a new masked multiplication algorithm that satisfies a recently introduced notion called Probe-Isolating Non-Interference (PINI). It captures a sufficient requirement for designing masked implementations in a trivial way, by combining PINI multiplications and linear operations performed share by share. Our improved algorithm has the best reported randomness complexity for large security orders (while the previous PINI multiplication was best for small orders). Second, we analyze the security of most existing multiplication algorithms in the literature against so-called horizontal attacks, which aim to reduce the noise of the actual leakages measured by an adversary, by combining the information of multiple target intermediate values. For this purpose, we leave the (abstract) probing model and consider a specialization of the (more realistic) noisy leakage / random probing models. Our (still partially heuristic but quantitative) analysis allows confirming the improved security of an algorithm by Battistello et al. from CHES 2016 in this setting. We then use it to propose new improved algorithms, leading to better tradeoffs between randomness complexity and noise rate, and suggesting the possibility to design efficient masked multiplication algorithms with constant noise rate in F2., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

29. TEDT, a Leakage-Resilient AEAD mode for High (Physical) Security Applications

Author

Berti, Francesco, Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Re-keying, Tweakable block cipher, Beyond-birthday bound, Multi-user security, Side-channel security, Key-dependent messages security, Leveled implementations, Low energy implementations

Abstract

We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers asymptotically optimal security in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It offers KDM security in the multi-user setting, that is, its security is maintained even if key-dependent messages are encrypted. (iv) It offers full leakage-resilience, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. (v) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static & incremental associated data efficiently. Concretely, TEDT encourages leveled implementations, in which two TBCs are implemented: one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy efficient protections and performs the bulk of the computation. As a result, TEDT leads to considerably more energy efficient implementations compared to traditional AEAD schemes, whose side-channel security requires to uniformly protect every (T)BC execution.

Published

2019

30. Authenticated Encryption with Nonce Misuse and Physical Leakage: Definitions, Separation Results and First Construction - (Extended Abstract)

Author

Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Progress in Cryptology - {LATINCRYPT} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Block cipher mode of operation, Scheme (programming language), Authenticated encryption, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Adversary, Computer security, computer.software_genre, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, NIST, 020201 artificial intelligence & image processing, Leakage (economics), computer, Cryptographic nonce, computer.programming_language

Abstract

We propose definitions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel information leakage. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakage of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of misuse-resistance), or only during training queries (in the spirit of misuse-resilience recently introduced by Ashur et al.). These new definitions offer various insights on the effect of leakage in the security landscape. In particular, we show that, in contrast with the black-box setting, leaking variants of INT-CTXT and IND-CPA security do not imply a leaking variant IND-CCA security, and that leaking variants of INT-PTXT and IND-CCA do not imply a leaking variant of INT-CTXT. They also bring a useful scale to reason about and analyze the implementation properties of emerging modes of operation with different levels of leakage-resistance, such as proposed in the ongoing NIST lightweight cryptography competition. We finally propose the first instance of mode of operation that satisfies our most demanding definitions.

Published

2019

31. Reducing the Cost of Authenticity with Leakages: a $$\mathsf {CIML2}$$ -Secure $$\mathsf {AE}$$ Scheme with One Call to a Strongly Protected Tweakable Block Cipher

Author

Berti, Francesco, Pereira, Olivier, Standaert, François-Xavier, 11th International Conference on Cryptology in Africa - Progress in Cryptology (AFRICACRYPT 2019), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Scheme (programming language), Authenticated encryption, 050101 languages & linguistics, Computer science, Data_MISCELLANEOUS, Data_CODINGANDINFORMATIONTHEORY, 02 engineering and technology, Encryption, 7. Clean energy, Mode (computer interface), Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, computer.programming_language, Block cipher, Leveled implementation, business.industry, 05 social sciences, Leakage resilience, Leakage-resilience, Ciphertext integrity with misuse and leakage (CIML2), 020201 artificial intelligence & image processing, business, computer, Cryptographic nonce, Computer network

Abstract

This paper presents CONCRETE (Commit − Encrypt − Send − the − Key) a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption. CONCRETE improves on a recent line of works aiming at leveled implementations, which mix a strongly protected and energy demanding implementation of a single component, and other weakly protected and much cheaper components. Here, these components all implement a tweakable block cipher TBC. CONCRETE requires the use of the strongly protected TBC only once while supporting the leakage of the full state of the weakly protected components – it achieves CIML2 security in the so-called unbounded leakage model. All previous works need to use the strongly protected implementation at least twice. As a result, for short messages whose encryption and decryption energy costs are dominated by the strongly protected component, we halve the cost of a leakage-resilient implementation. CONCRETE additionally provides security when unverified plaintexts are released, and confidentiality in the presence of simulatable leakages in encryption and decryption.

Published

2019

32. How (Not) to Use Welch’s T-Test in Side-Channel Security Evaluations

Author

Standaert, François-Xavier, 17th International Conference on Smart Card Research and Advanced Applications (CARDIS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Computer science, Cryptographic implementations, Univariate, 02 engineering and technology, Computer security, computer.software_genre, Welch's t-test, Masking (Electronic Health Record), 020202 computer hardware & architecture, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Side channel attack, Security level, computer, Implementation, Side-channel analysis

Abstract

The Test Vector Leakage Assessment (TVLA) methodology is a qualitative tool relying on Welch’s T-test to assess the security of cryptographic implementations against side-channel attacks. Despite known limitations (e.g., risks of false negatives and positives), it is sometimes considered as a pass-fail test to determine whether such implementations are “safe” or not (without clear definition of what is “safe”). In this note, we clarify the limited quantitative meaning of this test when used as a standalone tool. For this purpose, we first show that the straightforward application of this approach to assess the security of a masked implementation is not sufficient. More precisely, we show that even in a simple (more precisely, univariate) case study that seems best suited for the TVLA methodology, detection (or lack thereof) with Welch’s T-test can be totally disconnected from the actual security level of an implementation. For this purpose, we put forward the case of a realistic masking scheme that looks very safe from the TVLA point-of-view and is nevertheless easy to break. We then discuss this result in more general terms and argue that this limitation is shared by all “moment-based” security evaluations. We conclude the note positively, by describing how to use moment-based analyses as a useful ingredient of side-channel security evaluations, to determine a “security order”.

Published

2019

33. Simplified Single-Trace Side-Channel Attacks on Elliptic Curve Scalar Multiplication using Fully Convolutional Networks

Author

Zhou, Yuanyuan, Standaert, François-Xavier, 40th WIC Symposium on Information Theory in the Benelux, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

ECC, ScalarMultiplication, Deeplearning, Side-channel attack, Fully Convolutional Networks

Abstract

We aim to simplify the worst-case horizontal attack on scalar multiplication published at CHES 2017 [1] by making use of deep learning techniques, and to automate the critical steps of this previous work, namely the information identification, information extraction and information combination steps. For this purpose, we gradually increase the number of automated steps, targeting a very challenging assembly-level regular Montgomery ladder scalar multiplication implementation on a BeagleBone Black (BBB) Board running at 1 GHz. Our results demonstrate that the latter two steps can be simplified using deep learning techniques and lead to similar results as previous work. By contrast, the first step still requires some additional engineering. By showing that points of interest (POIs) selection can play an important (sometimes necessary) role for attacking asymmetric cryptography algorithms using deep learning techniques, we bring a more contrasted view on the advantage and limitations of such techniques. To the best of our knowledge, this is the first public report of deep learning based attack on ECC implementations. Besides, we propose the use of Fully Convolutional Networks as an alternative (deep) learning tool for side-channel analysis.

Published

2019

34. Towards Long-Term Privacy Bounds in Open Data Publishing

Author

Massart, Clément, Standaert, François-Xavier, 40th WIC Symposium on Information Theory in the Benelux, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Open data publishing

Abstract

Previous works showed that privacy-preserving open data publishing is a challenging (if achievable at all) goal. Risks are in general hard to quantify and may in particular vary significantly in case databases are extended over time with new data (or are merged). In this paper, we show that the risks of re-identification due to the predictive power of the data can be bounded under reasonable assumptions, thanks to recently introduced information theoretic tools. We illustrate our methodology on a Netflix dataset that was shown to raise privacy issues by Narayanan and Shmatikov (S&P 2008) and motivate a simple protection mechanism based on data swappings as an insufficient but utility-preserving improvement.

Published

2019

35. SpookChain: Chaining a Sponge-Based AEAD with Beyond-Birthday Security

Author

Cassiers, Gaëtan, Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Security, Privacy, and Applied Cryptography Engineering - 9th International Conference, {SPACE} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Discrete mathematics, 050101 languages & linguistics, Computer science, business.industry, 05 social sciences, Plaintext, Context (language use), 02 engineering and technology, Encryption, Chaining, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Element (category theory), business, Key size, Cryptographic nonce

Abstract

We present \(\mathsf {SpookChain}\), a new online authenticated encryption (OAE) mode that offers several appealing features: \(\mathsf {SpookChain}\) is fully online: it supports the processing of long messages by segments of arbitrary size, and the processing of each segment is online itself, with memory requirements in encryption and decryption being independent of the segment size. \(\mathsf {SpookChain}\) is, to the best of our knowledge, the first concrete mode that is proven to offer \(\mathsf {dOAE}\) security, a requirement for OAE that, at least guarantees security for new segments as soon as one of the previously processed segments contains a fresh element (nonce, plaintext or associated data). \(\mathsf {SpookChain}\) offers beyond birthday multi-user security (w.r.t. the secret key length), a requirement that we define for the first time in the context of OAE, and which is increasingly appealing in a world where communications are encrypted by default. \(\mathsf {SpookChain}\) is also expected to be remarkably lightweight to implement when protection against side-channel attacks is required.

Published

2019

36. Towards an Open Approach to Side-Channel Resistant Authenticated Encryption

Author

Standaert, François-Xavier, Workshop on Attacks and Solutions in Hardware Security Workshop (ASHES@CCS 2019), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Hardware security module, Exploit, Computer science, Encryption, Side channel attack, Design strategy, Computer security, computer.software_genre, Secret sharing, computer, Physical security, Block cipher

Abstract

In this talk, I will discuss how recent advances in side-channel analysis and leakage-resilience could lead to both stronger security properties and improved confidence in cryptographic implementations. For this purpose, I will start by describing how side-channel attacks exploit physical leakages such as an implementation's power consumption or electromagnetic radiation. I will then discuss the definitional challenges that these attacks raise, and argue why heuristic hardware-level countermeasures are unlikely to solve the problem convincingly. Based on these premises, and focusing on the symmetric setting, securing cryptographic implementations can be viewed as a tradeoff between the design of modes of operation, underlying primitives and countermeasures. Regarding modes of operation, I will describe a general design strategy for leakage-resilient authenticated encryption, propose models and assumptions on which security proofs can be based, and show how this design strategy encourages so-called leveled implementations, where only a part of the computation needs strong (hence expensive) protections against side-channel attacks. Regarding underlying primitives and countermeasures, I will first emphasize the formal and practically-relevant guarantees that can be obtained thanks to masking (i.e., secret sharing at the circuit level), and how considering the implementation of such countermeasures as an algorithmic design goal (e.g., for block ciphers) can lead to improved performances. I will then describe how limiting the leakage of the less protected parts in a leveled implementations can be combined with excellent performances, for instance with respect to the energy cost. I will conclude by putting forward the importance of sound evaluation practices in order to empirically validate (by lack of falsification) the assumptions needed both for leakage-resilient modes of operation and countermeasures like masking, and motivate the need of an open approach for this purpose. That is, by allowing adversaries and evaluators to know implementation details, we can expect to enable a better understanding of the fundamentals of physical security, therefore leading to improved security and efficiency in the long term.

Published

2019

37. A Transient Noise Analysis of Secured Dual-rail based Logic Style

Author

Nawaz, Kashif, Levi, Itamar, Standaert, François-Xavier, Flandre, Denis, 2nd New Generation of Circuits & Systems Conference (NGCAS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Hardware_INTEGRATEDCIRCUITS, Hardware_LOGICDESIGN

Abstract

Dual-rail logic circuits have been used as an effective countermeasure towards a more secure circuit design. However, with technology scaling and lowering of VDD they lose interest as the signal reduction is less significant compared to CMOS. In this work, we revisit dual-rail logic designs (more specifically DDSLL) while focusing on intrinsic physical device noise using a transient noise analysis methodology and show that there exists a potential for such circuits to reduce the signal and concretely increase the noise. Our analysis, which extends to meaningful cryptographic figures-of-merit (FoMs) such as the SNR (Signal-to-Noise ratio) and Mutual-Information (MI), better clarifies the potential of DDSLL circuits to leverage the noise.

Published

2018

38. Demonstrating an LPPN Processor (Short Paper)

Author

Kamel, Dina, Bellizia, Davide, Standaert, François-Xavier, Flandre, Denis, Bol, David, 2018 Workshop on Attacks and Solutions in Hardware Security (ASHES@CCS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authentication, Learning Parity with Noise (LPN), Probabilistic Computations, Side-Channel, Fault Attacks

Abstract

Secure authentication is a necessary feature for the deployment of low-cost IoT devices. Due to their conceptual simplicity, protocols based on the Learning Parity with Noise (LPN) problem have been proposed as promising candidates for this purpose. However, recent research has shown that some implementation issues may limit the practical relevance of such protocols. First, they require a (Pseudo) Random number Generator (RNG) which may be expensive. Second, this RNG may be an easy target for side-channel analysis. The recently introduced Learning with Physical Noise (LPPN) assumption aims at mitigating these two issues. It removes the need of an RNG by directly performing erroneous computations, which is expected to lead to more efficient implementations and improved side-channel security. So far, the LPPN assumption has only been analyzed mathematically, and its feasibility discussed based on simulations, putting forward the possibility to control the error rate of an implementation thanks to frequency/voltage overscaling. In this paper, we confirm these promises by demonstrating a first prototype implementation of LPPN in a 28nm FDSOI CMOS technology which occupies an area of 19,400 µm2. We used a mixed 512-bit parallel/serial architecture in order to limit the exploitation of data-dependent errors with so-called filtering attacks. We additionally designed an on-chip feedback loop that adjusts a variable delay line in order to control the error rate, which prevents other attacks altering external parameters such as the supply voltage, operating temperature and clock frequency. Measurement results show that a simple authentication protocol based on LPPN would consumes 1 µJ per authentication at 0.45V supply. Combined with the excellent algorithmic properties of LPPN regarding security against side-channel and fault attacks, these concrete feasibility results therefore open the way towards the design of full authentication systems with high physical security, at lower cost than standard solutions based on block ciphers.

Published

2018

39. Connecting and Improving Direct Sum Masking and Inner Product Masking

Author

Poussier, Romain, Guo, Qian, Standaert, François-Xavier, Carlet, Claude, Guilley, Sylvain, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Security properties, Masking (art), Direct sum, Computer science, Cryptographic implementations, 02 engineering and technology, 020202 computer hardware & architecture, Simple (abstract algebra), Product (mathematics), Direct sum masking, Inner product masking, Hardware_INTEGRATEDCIRCUITS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Relevance (information retrieval), Algorithm

Abstract

Direct Sum Masking (DSM) and Inner Product (IP) masking are two types of countermeasures that have been introduced as alternatives to simpler (e.g., additive) masking schemes to protect cryptographic implementations against side-channel analysis. In this paper, we first show that IP masking can be written as a particular case of DSM. We then analyze the improved security properties that these (more complex) encodings can provide over Boolean masking. For this purpose, we introduce a slight variation of the probing model, which allows us to provide a simple explanation to the \security order ampli cation" for such masking schemes that was put forward at CARDIS 2016. We then use our model to search for new instances of masking schemes that optimize this security order ampli cation. We nally discuss the relevance of this security order ampli cation (and its underlying assumption of linear leakages) based on an experimental case study.

Published

2018

40. Ciphertext Integrity with Misuse and Leakage: Definition and Efficient Constructions with Symmetric Primitives

Author

Berti, Francesco, Koeune, François, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, 2018 Asia Conference on Computer and Communications Security (AsiaCCS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Computer science, business.industry, 0102 computer and information sciences, 02 engineering and technology, Encryption, Computer security, computer.software_genre, 01 natural sciences, Random oracle, 010201 computation theory & mathematics, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Leakage-resilient cryptography, Misuse resistance, Randomness, Leakage (electronics)

Abstract

Leakage resilience (LR) and misuse resistance (MR) are two important properties for the deployment of authenticated encryption (AE) schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss the interactions and incompatibilities between these two properties. We start from the usual definition of MR for AE schemes from Rogaway and Shrimpton, and argue that it may be overly demanding in the presence of leakages. As a result, we turn back to the basic security requirements for AE: ciphertext integrity (INT-CTXT) and CPA security, and propose to focus on a new notion of CIML security, which is an extension of INT-CTXT in the presence of misuse and leakages. We discuss the extent to which CIML security is offered by previous proposals of MR AE schemes, conclude by the negative, and propose two new efficient CIML-secure AE schemes: the DTE scheme offers security in the standard model, while the DCE scheme offers security in the random oracle model, but comes with some efficiency benefits. On our way, we observe that these constructions are not trivial, and show for instance that the composition of a LR MAC and a LR encryption scheme, while providing a (traditional) MR AE scheme, can surprisingly lose the MR property in the presence of leakages and does not achieve CIML security. Eventually, we show the LR CPA security of DTE and DCE.

Published

2018

41. Let’s make it Noisy: A Simulation Methodology for adding Intrinsic Physical Noise to Cryptographic Designs

Author

Nawaz, Kashif, Van Brandt, Léopold, Standaert, François-Xavier, Flandre, Denis, 14th Conference on PhD Research in Microelectronics and Electronics, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Abstract

Noise in digital circuits for the sake of performance has always been minimized in typical designs. However, for cryptographic applications, increased noise could be beneficial. It can be used effectively to reduce the mathematical SNR (signal-to-noise ratio) further and make it more difficult for the adversary to gather useful information from the side channel leakage data. In this paper, we introduce a methodology to exploit the intrinsic physical noise (i.e. flicker and thermal noise) at the circuit level and use the obtained values in a relevant cryptographic context. Our simulations show that the calculated cryptographic noise values are in close agreement with the noise levels extracted from noisy distributions using transient noise analysis. Consequently, this noise is shown to increase with the number of transistors or the supply voltage.

Published

2018

42. Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model

Author

Barthe, Gilles, Dupressoir, François, Faust, Sebastian, Grégoire, Benjamin, Standaert, François-Xavier, Strub, Pierre-Yves, 36th Annual International Conference on the Theory and Applications of cryptographic Techniques (EUROCRYPT 2017), Institute IMDEA Software [Madrid], University of Surrey (UNIS), Ruhr-Universität Bochum [Bochum], Mathematical, Reasoning and Software (MARELLE), Inria Sophia Antipolis - Méditerranée (CRISAM), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), UCL Crypto Group, Université Catholique de Louvain = Catholic University of Louvain (UCL), École polytechnique (X), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), Multiplication algorithm, Theoretical computer science, Computer science, 0102 computer and information sciences, 02 engineering and technology, Computer security model, Formal methods, 01 natural sciences, Moment (mathematics), 010201 computation theory & mathematics, Simple (abstract algebra), Bounded function, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, [INFO]Computer Science [cs], Leakage model, Implementation, Computer Science::Cryptography and Security

Abstract

International audience; In this paper, we provide a necessary clarification of the good security properties that can be obtained from parallel implementations of masking schemes. For this purpose, we first argue that (i) the probing model is not straightforward to interpret, since it more naturally captures the intuitions of serial implementations, and (ii) the noisy leakage model is not always convenient, e.g. when combined with formal methods for the verification of cryptographic implementations. Therefore we introduce a new model, the bounded moment model, that formalizes a weaker notion of security order frequently used in the side-channel literature. Interestingly , we prove that probing security for a serial implementation implies bounded moment security for its parallel counterpart. This result therefore enables an accurate understanding of the links between formal security analyses of masking schemes and experimental security evaluations based on the estimation of statistical moments Besides its consolidating nature, our work also brings useful technical contributions. First, we describe and analyze refreshing and multiplication algorithms that are well suited for parallel implementations and improve security against multivariate side-channel attacks. Second, we show that simple refreshing algorithms (with linear complexity) that are not secure in the continuous probing model are secure in the continuous bounded moment model. Eventually, we discuss the independent leakage assumption required for masking to deliver its security promises, and its specificities related to the serial or parallel nature of an implementation.

Published

2017

43. Side-Channel Attacks Against the Human Brain: the PIN Code Case Study

Author

Lange, Joseph, Massart, Clément, Mouraux, André, Standaert, François-Xavier, 8th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

0301 basic medicine, High probability, The PIN code case, Computer science, Side-channel attacks, Computer security, computer.software_genre, 03 medical and health sciences, Adversarial system, 030104 developmental biology, 0302 clinical medicine, Entropy (information theory), Side channel attack, computer, 030217 neurology & neurosurgery, Brain–computer interface

Abstract

We revisit the side-channel attacks with Brain-Computer Interfaces (BCIs) first put forward by Martinovic et al. at the USENIX 2012 Security Symposium. For this purpose, we propose a comprehensive investigation of concrete adversaries trying to extract a PIN code from electroencephalogram signals. Overall, our results confirm the possibility of partial PIN recovery with high probability of success in a more quantified manner (i.e., entropy reductions), and put forward the challenges of full PIN recovery. They also highlight that the attack complexities can significantly vary in function of the adversarial capabilities (e.g., supervised/profiled vs. unsupervised/non-profiled), hence leading to an interesting tradeoff between their efficiency and practical relevance. We then show that similar attack techniques can be used to threat the privacy of BCI users. We finally use our experiments to discuss the impact of such attacks for the security and privacy of BCI applications at large, and the important emerging societal challenges they raise.

Published

2017

44. Ridge-Based Profiled Differential Power Analysis

Author

Wang, Weijia, Yu, Yu, Standaert, François-Xavier, Gu, Dawu, Sen, XU, Zhang, Chi, Topics in Cryptology (CT-RSA) 2017 - The Cryptographers' Track at the RSA Conference 2017, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Side-channel attack, Ridge regression, Profiled DPA, Cross-validation, Linear regression

Abstract

Profiled DPA is an important and powerful type of side-channel attacks (SCAs). Thanks to its profiling phase that learns the leakage features from a controlled device, profiled DPA outperforms many other types of SCA and are widely used in the security evaluation of cryptographic devices. Typical profiling methods (such as linear regression based ones) suffer from the overfitting issue which is often neglected in previous works, i.e., the model characterizes details that are specific to the dataset used to build it (and not the distribution we want to capture). In this paper, we propose a novel profiling method based on ridge regression and investigate its generalization ability (to mitigate the overfitting issue) theoretically and by experiments. Further, based on cross-validation, we present a parameter optimization method that finds out the most suitable parameter for our ridge-based profiling. Finally, the simulation-based and practical experiments show that ridge-based profiling not only outperforms `classical' and linear regression-based ones (especially for nonlinear leakage functions), but also is a good candidate for the robust profiling.

Published

2017

45. Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages

Author

Wang, Weijia, Standaert, François-Xavier, Yu, Yu, Pu, Sihang, Liu, Junrong, Guo, Zheng, Gu, Dawu, 15th International Conference on Smart Card Research and Advanced Applications (CARDIS 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), 021110 strategic, defence & security studies, Computer science, Algebraic structure, Security order amplification, Galois theory, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Linear leakages, Bitslice ciphers, Bit (horse), Simple (abstract algebra), Product (mathematics), Information leakage, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Arithmetic, computer, Block cipher

Abstract

Designers of masking schemes are usually torn between the contradicting goals of maximizing the security gains while minimizing the performance overheads. Boolean masking is one extreme example of this tradeo: its algebraic structure is as simple as can be (and so are its implementations), but it typically suers more from implementation weaknesses. For example knowing one bit of each share is enough to know one bit of secret in this case. Inner product masking lies at the other side of this tradeo: its algebraic structure is more involved, making it more expensive to implement (especially at higher orders), but it ensures stronger security guarantees. For example, knowing one bit of each share is not enough to know one bit of secret in this case. In this paper, we try to combine the best of these two worlds, and propose a new masking scheme mixing a single Boolean matrix product (to improve the algebraic complexity of the scheme) with standard additive Boolean masking (to allow ecient higher-order implementations). We show that such a masking is well suited for application to bitslice ciphers. We also conduct a comprehensive security analysis of the proposed scheme. For this purpose, we give a security proof in the probing model, and carry out an information leakage evaluation of an idealized implementation. For certain leakage functions, the latter exhibits surprising observations, namely information leakages in higher statistical moments than guaranteed by the proof in the probing model, which we can connect to the recent literature on low entropy masking schemes. We conclude the paper with a performance evaluation, which conrms that both for security and performance reasons, our new masking scheme (which can be viewed as a variation of inner product masking) compares favorably to state-of-the-art masking schemes for bitslice ciphers.

Published

2017

46. Towards Sound and Optimal Leakage Detection Procedure

Author

Ding, A. Adam, Zhang, Liwei, Durvaux, François, Standaert, François-Xavier, Fei, Yunsi, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Hardware_MEMORYSTRUCTURES, business.industry, Computer science, Side-channel analysis, Leakage detection, Higher criticism, Cryptography, 02 engineering and technology, 01 natural sciences, 010104 statistics & probability, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0101 mathematics, business, Algorithm, Leakage (electronics), Statistical hypothesis testing

Abstract

Evaluation of side-channel leakage for cryptographic systems requires sound leakage detection procedures. The commonly used standard approach is the test vector leakage assessment (TVLA) procedure. We first relate TVLA to the statistical minimum p-value (mini-p) procedure, and propose a sound method of deciding leakage existence in the statistical hypothesis setting. An advanced statistical procedure, Higher Criticism (HC), is adopted to improve leakage detection when there are multiple leakage points. The HC-based procedure is optimal in side-channel leakage detection, because for a given number of traces with a given length, it detects the existence of leakage at the signal level as low as possibly detectable by any statistical procedure. Numerical studies show that our HC-based procedure perform as well as the mini-p based procedure when leakage signals are very sparse, and can improve the leakage detection significantly when there are multiple leakages.

Published

2017

47. A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

Author

Poussier, Romain, Zhou, Yuanyuan, Standaert, François-Xavier, 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Side-channel attacks, side-channel analysis, Computer engineering, Computer science, Scalar (mathematics), 0202 electrical engineering, electronic engineering, information engineering, Elliptic Curve Digital Signature Algorithm, 020201 artificial intelligence & image processing, 02 engineering and technology, Side channel attack, Scalar multiplication, Implementation, 020202 computer hardware & architecture

Abstract

The wide number and variety of side-channel attacks against scalar multiplication algorithms makes their security evaluations complex, in particular in case of time constraints making exhaustive analyses impossible. In this paper, we present a systematic way to evaluate the security of such implementations against horizontal attacks. As horizontal attacks allow extracting most of the information in the leakage traces of scalar multiplications, they are suitable to avoid risks of overestimated security levels. For this purpose, we additionally propose to use linear regression in order to accurately characterize the leakage function and therefore approach worst-case security evaluations. We then show how to apply our tools in the contexts of ECDSA and ECDH implementations, and validate them against two targets: a Cortex-M4 and a Cortex-A8 micro-controllers.

Published

2017

48. Towards Easy Leakage Certification

Author

Durvaux, François, Standaert, François-Xavier, Merino Del Pozo, Santos, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Side-channel analysis, Security evaluations

Abstract

Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a good separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it allows confirming previous results of leakage certification. We then put forward that it leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modeling.

Published

2017

49. Getting the Most Out of Leakage Detection

Author

Merino Del Pozo, Santos, Standaert, François-Xavier, 8th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Speedup, Computer engineering, 010201 computation theory & mathematics, Computer science, Leakage detection, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0102 computer and information sciences, 02 engineering and technology, Leak detection, 01 natural sciences, Block cipher, Leakage (electronics)

Abstract

In this work, we provide a concrete investigation of the gains that can be obtained by combining good measurement setups and efficient leakage detection tests to speed up evaluation times. For this purpose, we first analyze the quality of various measurement setups. Then, we highlight the positive impact of a recent proposal for efficient leakage detection, based on the analysis of a (few) pair(s) of plaintexts. Finally, we show that the combination of our best setups and detection tools allows detecting leakages for a noisy threshold implementation of the block cipher PRESENT after an intensive measurement phase, while either worse setups or less efficient detection tests would not succeed in detecting these leakages. Overall, our results show that a combination of good setups and fast leakage detection can turn security evaluation times from days to hours (for first-order secure implementations) and even from weeks to days (for higher-order secure implementations).

Published

2017

50. Taylor Expansion of Maximum Likelihood Attacks for Masked and Shuffled Implementations

Author

Bruneau, Nicolas, Guilley, Sylvain, Heuser , Annelie, Rioul, Olivier, Standaert, François-Xavier, Teglia, Yannick, Secure and Safe Hardware (SSH), Laboratoire Traitement et Communication de l'Information (LTCI), Institut Mines-Télécom [Paris] (IMT)-Télécom Paris-Institut Mines-Télécom [Paris] (IMT)-Télécom Paris, Département Communications & Electronique (COMELEC), Télécom ParisTech, Communications Numériques (COMNUM), and Université Catholique de Louvain = Catholic University of Louvain (UCL)

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], [MATH.MATH-ST]Mathematics [math]/Statistics [math.ST], [MATH.MATH-IT]Mathematics [math]/Information Theory [math.IT], ComputingMilieux_MISCELLANEOUS

Abstract

International audience

Published

2016