Your search keyword '"Standaert, François-Xavier"' showing total 34 results

1. Leakage Detection with the x2-Test

Author

Moradi, Amir, Richter, Bastian, Schneider, Tobias, and Standaert, François-Xavier

Subjects

lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, statistical moments, SCA evaluation, 0202 electrical engineering, electronic engineering, information engineering, lcsh:TK7885-7895, t-test, SCA distinguisher, 020206 networking & telecommunications, 02 engineering and technology, 020202 computer hardware & architecture

Abstract

We describe how Pearson’s χ2-test can be used as a natural complement to Welch’s t-test for black box leakage detection. In particular, we show that by using these two tests in combination, we can mitigate some of the limitations due to the moment-based nature of existing detection techniques based on Welch’s t-test (e.g., for the evaluation of higher-order masked implementations with insufficient noise). We also show that Pearson’s χ2-test is naturally suited to analyze threshold implementations with information lying in multiple statistical moments, and can be easily extended to a distinguisher for key recovery attacks. As a result, we believe the proposed test and methodology are interesting complementary ingredients of the side-channel evaluation toolbox, for black box leakage detection and non-profiled attacks, and as a preliminary before more demanding advanced analyses., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2018, Issue 1

Published

2018

2. Modeling Soft Analytical Side-Channel Attacks from a Coding Theory Viewpoint

Author

Guo, Qian, Grosso, Vincent, Standaert, François-Xavier, Bronchain, Olivier, Dept. of Electrical and Information Technology, Lund University, Lund University [Lund], Department of Informatics [Bergen] (UiB), University of Bergen (UiB), Université Catholique de Louvain = Catholic University of Louvain (UCL), Centre National de la Recherche Scientifique (CNRS), Laboratoire Hubert Curien [Saint Etienne] (LHC), Institut d'Optique Graduate School (IOGS)-Université Jean Monnet [Saint-Étienne] (UJM)-Centre National de la Recherche Scientifique (CNRS), Fonds de la Recherche Scientifique [FNRS], and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Belief Propagation, 050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, Side-Channel Analysis, Worst-Case Security Evaluations, Horizontal (aka Multi-Target) Attacks, Masking, Shuffling, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, lcsh:TK7885-7895, 02 engineering and technology, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences

Abstract

One important open question in side-channel analysis is to find out whether all the leakage samples in an implementation can be exploited by an adversary, as suggested by masking security proofs. For attacks exploiting a divide-and-conquer strategy, the answer is negative: only the leakages corresponding to the first/last rounds of a block cipher can be exploited. Soft Analytical Side-Channel Attacks (SASCA) have been introduced as a powerful solution to mitigate this limitation. They represent the target implementation and its leakages as a code (similar to a Low Density Parity Check code) that is decoded thanks to belief propagation. Previous works have shown the low data complexities that SASCA can reach in practice. In this paper, we revisit these attacks by modeling them with a variation of the Random Probing Model used in masking security proofs, that we denote as the Local Random Probing Model (LRPM). Our study establishes interesting connections between this model and the erasure channel used in coding theory, leading to the following benefits. First, the LRPM allows bounding the security of concrete implementations against SASCA in a fast and intuitive manner. We use it in order to confirm that the leakage of any operation in a block cipher can be exploited, although the leakages of external operations dominate in known-plaintext/ciphertext attack scenarios. Second, we show that the LRPM is a tool of choice for the (nearly worst-case) analysis of masked implementations in the noisy leakage model, taking advantage of all the operations performed, and leading to new tradeoffs between their amount of randomness and physical noise level. Third, we show that it can considerably speed up the evaluation of other countermeasures such as shuffling., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2020, Issue 4

Published

2020

3. Glitch-Resistant Masking Revisited

Author

Moos, Thorben, Moradi, Amir, Schneider, Tobias, and Standaert, François-Xavier

Subjects

050101 languages & linguistics, Consolidated Masking Scheme, lcsh:Computer engineering. Computer hardware, Threshold Implementations, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Glitches Composability, lcsh:TK7885-7895, 02 engineering and technology, Hardware Masking, 0202 electrical engineering, electronic engineering, information engineering, Domain-Oriented Masking, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Robust Probing Model

Abstract

Implementing the masking countermeasure in hardware is a delicate task. Various solutions have been proposed for this purpose over the last years: we focus on Threshold Implementations (TIs), Domain-Oriented Masking (DOM), the Unified Masking Approach (UMA) and Generic Low Latency Masking (GLM). The latter generally come with innovative ideas to cope with physical defaults such as glitches. Yet, and in contrast to the situation in software-oriented masking, these schemes have not been formally proven at arbitrary security orders and their composability properties were left unclear. So far, only a 2-cycle implementation of the seminal masking scheme by Ishai, Sahai and Wagner has been shown secure and composable in the robust probing model – a variation of the probing model aimed to capture physical defaults such as glitches – for any number of shares. In this paper, we argue that this lack of proofs for TIs, DOM, UMA and GLM makes the interpretation of their security guarantees difficult as the number of shares increases. For this purpose, we first put forward that the higher-order variants of all these schemes are affected by (local or composability) security flaws in the (robust) probing model, due to insufficient refreshing. We then show that composability and robustness against glitches cannot be analyzed independently. We finally detail how these abstract flaws translate into concrete (experimental) attacks, and discuss the additional constraints robust probing security implies on the need of registers. Despite not systematically leading to improved complexities at low security orders, e.g., with respect to the required number of measurements for a successful attack, we argue that these weaknesses provide a case for the need of security proofs in the robust probing model (or a similar abstraction) at higher security orders., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

4. Multi-Tuple Leakage Detection and the Dependent Signal Issue

Author

Bronchain, Olivier, Schneider, Tobias, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Side-Channel Analysis, lcsh:TK7885-7895, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Security Evaluations, 020202 computer hardware & architecture, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Leakage Detection

Abstract

Leakage detection is a common tool to quickly assess the security of a cryptographic implementation against side-channel attacks. The Test Vector Leakage Assessment (TVLA) methodology using Welch’s t-test, proposed by Cryptography Research, is currently the most popular example of such tools, thanks to its simplicity and good detection speed compared to attack-based evaluations. However, as any statistical test, it is based on certain assumptions about the processed samples and its detection performances strongly depend on parameters like the measurement’s Signal-to-Noise Ratio (SNR), their degree of dependency, and their density, i.e., the ratio between the amount of informative and non-informative points in the traces. In this paper, we argue that the correct interpretation of leakage detection results requires knowledge of these parameters which are a priori unknown to the evaluator, and, therefore, poses a non-trivial challenge to evaluators (especially if restricted to only one test). For this purpose, we first explore the concept of multi-tuple detection, which is able to exploit differences between multiple informative points of a trace more effectively than tests relying on the minimum p-value of concurrent univariate tests. To this end, we map the common Hotelling’s T2-test to the leakage detection setting and, further, propose a specialized instantiation of it which trades computational overheads for a dependency assumption. Our experiments show that there is not one test that is the optimal choice for every leakage scenario. Second, we highlight the importance of the assumption that the samples at each point in time are independent, which is frequently considered in leakage detection, e.g., with Welch’s t-test. Using simulated and practical experiments, we show that (i) this assumption is often violated in practice, and (ii) deviations from it can affect the detection performances, making the correct interpretation of the results more difficult. Finally, we consolidate our findings by providing guidelines on how to use a combination of established and newly-proposed leakage detection tools to infer the measurements parameters. This enables a better interpretation of the tests’ results than the current state-of-the-art (yet still relying on heuristics for the most challenging evaluation scenarios)., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

5. Towards Globally Optimized Masking: From Low Randomness to Low Noise Rate

Author

Cassiers, Gaëtan and Standaert, François-Xavier

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, random probing model, lcsh:TK7885-7895, 02 engineering and technology, horizontal attacks, Masking, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, composability

Abstract

We improve the state-of-the-art masking schemes in two important directions. First, we propose a new masked multiplication algorithm that satisfies a recently introduced notion called Probe-Isolating Non-Interference (PINI). It captures a sufficient requirement for designing masked implementations in a trivial way, by combining PINI multiplications and linear operations performed share by share. Our improved algorithm has the best reported randomness complexity for large security orders (while the previous PINI multiplication was best for small orders). Second, we analyze the security of most existing multiplication algorithms in the literature against so-called horizontal attacks, which aim to reduce the noise of the actual leakages measured by an adversary, by combining the information of multiple target intermediate values. For this purpose, we leave the (abstract) probing model and consider a specialization of the (more realistic) noisy leakage / random probing models. Our (still partially heuristic but quantitative) analysis allows confirming the improved security of an algorithm by Battistello et al. from CHES 2016 in this setting. We then use it to propose new improved algorithms, leading to better tradeoffs between randomness complexity and noise rate, and suggesting the possibility to design efficient masked multiplication algorithms with constant noise rate in F2., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

6. Authenticated Encryption with Nonce Misuse and Physical Leakage: Definitions, Separation Results and First Construction - (Extended Abstract)

Author

Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Progress in Cryptology - {LATINCRYPT} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Block cipher mode of operation, Scheme (programming language), Authenticated encryption, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Adversary, Computer security, computer.software_genre, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, NIST, 020201 artificial intelligence & image processing, Leakage (economics), computer, Cryptographic nonce, computer.programming_language

Abstract

We propose definitions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel information leakage. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakage of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of misuse-resistance), or only during training queries (in the spirit of misuse-resilience recently introduced by Ashur et al.). These new definitions offer various insights on the effect of leakage in the security landscape. In particular, we show that, in contrast with the black-box setting, leaking variants of INT-CTXT and IND-CPA security do not imply a leaking variant IND-CCA security, and that leaking variants of INT-PTXT and IND-CCA do not imply a leaking variant of INT-CTXT. They also bring a useful scale to reason about and analyze the implementation properties of emerging modes of operation with different levels of leakage-resistance, such as proposed in the ongoing NIST lightweight cryptography competition. We finally propose the first instance of mode of operation that satisfies our most demanding definitions.

Published

2019

7. Reducing the Cost of Authenticity with Leakages: a $$\mathsf {CIML2}$$ -Secure $$\mathsf {AE}$$ Scheme with One Call to a Strongly Protected Tweakable Block Cipher

Author

Berti, Francesco, Pereira, Olivier, Standaert, François-Xavier, 11th International Conference on Cryptology in Africa - Progress in Cryptology (AFRICACRYPT 2019), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Scheme (programming language), Authenticated encryption, 050101 languages & linguistics, Computer science, Data_MISCELLANEOUS, Data_CODINGANDINFORMATIONTHEORY, 02 engineering and technology, Encryption, 7. Clean energy, Mode (computer interface), Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, computer.programming_language, Block cipher, Leveled implementation, business.industry, 05 social sciences, Leakage resilience, Leakage-resilience, Ciphertext integrity with misuse and leakage (CIML2), 020201 artificial intelligence & image processing, business, computer, Cryptographic nonce, Computer network

Abstract

This paper presents CONCRETE (Commit − Encrypt − Send − the − Key) a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption. CONCRETE improves on a recent line of works aiming at leveled implementations, which mix a strongly protected and energy demanding implementation of a single component, and other weakly protected and much cheaper components. Here, these components all implement a tweakable block cipher TBC. CONCRETE requires the use of the strongly protected TBC only once while supporting the leakage of the full state of the weakly protected components – it achieves CIML2 security in the so-called unbounded leakage model. All previous works need to use the strongly protected implementation at least twice. As a result, for short messages whose encryption and decryption energy costs are dominated by the strongly protected component, we halve the cost of a leakage-resilient implementation. CONCRETE additionally provides security when unverified plaintexts are released, and confidentiality in the presence of simulatable leakages in encryption and decryption.

Published

2019

8. How (Not) to Use Welch’s T-Test in Side-Channel Security Evaluations

Author

Standaert, François-Xavier, 17th International Conference on Smart Card Research and Advanced Applications (CARDIS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Computer science, Cryptographic implementations, Univariate, 02 engineering and technology, Computer security, computer.software_genre, Welch's t-test, Masking (Electronic Health Record), 020202 computer hardware & architecture, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Side channel attack, Security level, computer, Implementation, Side-channel analysis

Abstract

The Test Vector Leakage Assessment (TVLA) methodology is a qualitative tool relying on Welch’s T-test to assess the security of cryptographic implementations against side-channel attacks. Despite known limitations (e.g., risks of false negatives and positives), it is sometimes considered as a pass-fail test to determine whether such implementations are “safe” or not (without clear definition of what is “safe”). In this note, we clarify the limited quantitative meaning of this test when used as a standalone tool. For this purpose, we first show that the straightforward application of this approach to assess the security of a masked implementation is not sufficient. More precisely, we show that even in a simple (more precisely, univariate) case study that seems best suited for the TVLA methodology, detection (or lack thereof) with Welch’s T-test can be totally disconnected from the actual security level of an implementation. For this purpose, we put forward the case of a realistic masking scheme that looks very safe from the TVLA point-of-view and is nevertheless easy to break. We then discuss this result in more general terms and argue that this limitation is shared by all “moment-based” security evaluations. We conclude the note positively, by describing how to use moment-based analyses as a useful ingredient of side-channel security evaluations, to determine a “security order”.

Published

2019

9. SpookChain: Chaining a Sponge-Based AEAD with Beyond-Birthday Security

Author

Cassiers, Gaëtan, Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Security, Privacy, and Applied Cryptography Engineering - 9th International Conference, {SPACE} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Discrete mathematics, 050101 languages & linguistics, Computer science, business.industry, 05 social sciences, Plaintext, Context (language use), 02 engineering and technology, Encryption, Chaining, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Element (category theory), business, Key size, Cryptographic nonce

Abstract

We present \(\mathsf {SpookChain}\), a new online authenticated encryption (OAE) mode that offers several appealing features: \(\mathsf {SpookChain}\) is fully online: it supports the processing of long messages by segments of arbitrary size, and the processing of each segment is online itself, with memory requirements in encryption and decryption being independent of the segment size. \(\mathsf {SpookChain}\) is, to the best of our knowledge, the first concrete mode that is proven to offer \(\mathsf {dOAE}\) security, a requirement for OAE that, at least guarantees security for new segments as soon as one of the previously processed segments contains a fresh element (nonce, plaintext or associated data). \(\mathsf {SpookChain}\) offers beyond birthday multi-user security (w.r.t. the secret key length), a requirement that we define for the first time in the context of OAE, and which is increasingly appealing in a world where communications are encrypted by default. \(\mathsf {SpookChain}\) is also expected to be remarkably lightweight to implement when protection against side-channel attacks is required.

Published

2019

10. Connecting and Improving Direct Sum Masking and Inner Product Masking

Author

Poussier, Romain, Guo, Qian, Standaert, François-Xavier, Carlet, Claude, Guilley, Sylvain, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Security properties, Masking (art), Direct sum, Computer science, Cryptographic implementations, 02 engineering and technology, 020202 computer hardware & architecture, Simple (abstract algebra), Product (mathematics), Direct sum masking, Inner product masking, Hardware_INTEGRATEDCIRCUITS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Relevance (information retrieval), Algorithm

Abstract

Direct Sum Masking (DSM) and Inner Product (IP) masking are two types of countermeasures that have been introduced as alternatives to simpler (e.g., additive) masking schemes to protect cryptographic implementations against side-channel analysis. In this paper, we first show that IP masking can be written as a particular case of DSM. We then analyze the improved security properties that these (more complex) encodings can provide over Boolean masking. For this purpose, we introduce a slight variation of the probing model, which allows us to provide a simple explanation to the \security order ampli cation" for such masking schemes that was put forward at CARDIS 2016. We then use our model to search for new instances of masking schemes that optimize this security order ampli cation. We nally discuss the relevance of this security order ampli cation (and its underlying assumption of linear leakages) based on an experimental case study.

Published

2018

11. Ciphertext Integrity with Misuse and Leakage: Definition and Efficient Constructions with Symmetric Primitives

Author

Berti, Francesco, Koeune, François, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, 2018 Asia Conference on Computer and Communications Security (AsiaCCS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Computer science, business.industry, 0102 computer and information sciences, 02 engineering and technology, Encryption, Computer security, computer.software_genre, 01 natural sciences, Random oracle, 010201 computation theory & mathematics, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Leakage-resilient cryptography, Misuse resistance, Randomness, Leakage (electronics)

Abstract

Leakage resilience (LR) and misuse resistance (MR) are two important properties for the deployment of authenticated encryption (AE) schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss the interactions and incompatibilities between these two properties. We start from the usual definition of MR for AE schemes from Rogaway and Shrimpton, and argue that it may be overly demanding in the presence of leakages. As a result, we turn back to the basic security requirements for AE: ciphertext integrity (INT-CTXT) and CPA security, and propose to focus on a new notion of CIML security, which is an extension of INT-CTXT in the presence of misuse and leakages. We discuss the extent to which CIML security is offered by previous proposals of MR AE schemes, conclude by the negative, and propose two new efficient CIML-secure AE schemes: the DTE scheme offers security in the standard model, while the DCE scheme offers security in the random oracle model, but comes with some efficiency benefits. On our way, we observe that these constructions are not trivial, and show for instance that the composition of a LR MAC and a LR encryption scheme, while providing a (traditional) MR AE scheme, can surprisingly lose the MR property in the presence of leakages and does not achieve CIML security. Eventually, we show the LR CPA security of DTE and DCE.

Published

2018

12. Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model

Author

Barthe, Gilles, Dupressoir, François, Faust, Sebastian, Grégoire, Benjamin, Standaert, François-Xavier, Strub, Pierre-Yves, 36th Annual International Conference on the Theory and Applications of cryptographic Techniques (EUROCRYPT 2017), Institute IMDEA Software [Madrid], University of Surrey (UNIS), Ruhr-Universität Bochum [Bochum], Mathematical, Reasoning and Software (MARELLE), Inria Sophia Antipolis - Méditerranée (CRISAM), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), UCL Crypto Group, Université Catholique de Louvain = Catholic University of Louvain (UCL), École polytechnique (X), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), Multiplication algorithm, Theoretical computer science, Computer science, 0102 computer and information sciences, 02 engineering and technology, Computer security model, Formal methods, 01 natural sciences, Moment (mathematics), 010201 computation theory & mathematics, Simple (abstract algebra), Bounded function, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, [INFO]Computer Science [cs], Leakage model, Implementation, Computer Science::Cryptography and Security

Abstract

International audience; In this paper, we provide a necessary clarification of the good security properties that can be obtained from parallel implementations of masking schemes. For this purpose, we first argue that (i) the probing model is not straightforward to interpret, since it more naturally captures the intuitions of serial implementations, and (ii) the noisy leakage model is not always convenient, e.g. when combined with formal methods for the verification of cryptographic implementations. Therefore we introduce a new model, the bounded moment model, that formalizes a weaker notion of security order frequently used in the side-channel literature. Interestingly , we prove that probing security for a serial implementation implies bounded moment security for its parallel counterpart. This result therefore enables an accurate understanding of the links between formal security analyses of masking schemes and experimental security evaluations based on the estimation of statistical moments Besides its consolidating nature, our work also brings useful technical contributions. First, we describe and analyze refreshing and multiplication algorithms that are well suited for parallel implementations and improve security against multivariate side-channel attacks. Second, we show that simple refreshing algorithms (with linear complexity) that are not secure in the continuous probing model are secure in the continuous bounded moment model. Eventually, we discuss the independent leakage assumption required for masking to deliver its security promises, and its specificities related to the serial or parallel nature of an implementation.

Published

2017

13. Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages

Author

Wang, Weijia, Standaert, François-Xavier, Yu, Yu, Pu, Sihang, Liu, Junrong, Guo, Zheng, Gu, Dawu, 15th International Conference on Smart Card Research and Advanced Applications (CARDIS 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), 021110 strategic, defence & security studies, Computer science, Algebraic structure, Security order amplification, Galois theory, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Linear leakages, Bitslice ciphers, Bit (horse), Simple (abstract algebra), Product (mathematics), Information leakage, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Arithmetic, computer, Block cipher

Abstract

Designers of masking schemes are usually torn between the contradicting goals of maximizing the security gains while minimizing the performance overheads. Boolean masking is one extreme example of this tradeo: its algebraic structure is as simple as can be (and so are its implementations), but it typically suers more from implementation weaknesses. For example knowing one bit of each share is enough to know one bit of secret in this case. Inner product masking lies at the other side of this tradeo: its algebraic structure is more involved, making it more expensive to implement (especially at higher orders), but it ensures stronger security guarantees. For example, knowing one bit of each share is not enough to know one bit of secret in this case. In this paper, we try to combine the best of these two worlds, and propose a new masking scheme mixing a single Boolean matrix product (to improve the algebraic complexity of the scheme) with standard additive Boolean masking (to allow ecient higher-order implementations). We show that such a masking is well suited for application to bitslice ciphers. We also conduct a comprehensive security analysis of the proposed scheme. For this purpose, we give a security proof in the probing model, and carry out an information leakage evaluation of an idealized implementation. For certain leakage functions, the latter exhibits surprising observations, namely information leakages in higher statistical moments than guaranteed by the proof in the probing model, which we can connect to the recent literature on low entropy masking schemes. We conclude the paper with a performance evaluation, which conrms that both for security and performance reasons, our new masking scheme (which can be viewed as a variation of inner product masking) compares favorably to state-of-the-art masking schemes for bitslice ciphers.

Published

2017

14. Towards Sound and Optimal Leakage Detection Procedure

Author

Ding, A. Adam, Zhang, Liwei, Durvaux, François, Standaert, François-Xavier, Fei, Yunsi, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Hardware_MEMORYSTRUCTURES, business.industry, Computer science, Side-channel analysis, Leakage detection, Higher criticism, Cryptography, 02 engineering and technology, 01 natural sciences, 010104 statistics & probability, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0101 mathematics, business, Algorithm, Leakage (electronics), Statistical hypothesis testing

Abstract

Evaluation of side-channel leakage for cryptographic systems requires sound leakage detection procedures. The commonly used standard approach is the test vector leakage assessment (TVLA) procedure. We first relate TVLA to the statistical minimum p-value (mini-p) procedure, and propose a sound method of deciding leakage existence in the statistical hypothesis setting. An advanced statistical procedure, Higher Criticism (HC), is adopted to improve leakage detection when there are multiple leakage points. The HC-based procedure is optimal in side-channel leakage detection, because for a given number of traces with a given length, it detects the existence of leakage at the signal level as low as possibly detectable by any statistical procedure. Numerical studies show that our HC-based procedure perform as well as the mini-p based procedure when leakage signals are very sparse, and can improve the leakage detection significantly when there are multiple leakages.

Published

2017

15. A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

Author

Poussier, Romain, Zhou, Yuanyuan, Standaert, François-Xavier, 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Side-channel attacks, side-channel analysis, Computer engineering, Computer science, Scalar (mathematics), 0202 electrical engineering, electronic engineering, information engineering, Elliptic Curve Digital Signature Algorithm, 020201 artificial intelligence & image processing, 02 engineering and technology, Side channel attack, Scalar multiplication, Implementation, 020202 computer hardware & architecture

Abstract

The wide number and variety of side-channel attacks against scalar multiplication algorithms makes their security evaluations complex, in particular in case of time constraints making exhaustive analyses impossible. In this paper, we present a systematic way to evaluate the security of such implementations against horizontal attacks. As horizontal attacks allow extracting most of the information in the leakage traces of scalar multiplications, they are suitable to avoid risks of overestimated security levels. For this purpose, we additionally propose to use linear regression in order to accurately characterize the leakage function and therefore approach worst-case security evaluations. We then show how to apply our tools in the contexts of ECDSA and ECDH implementations, and validate them against two targets: a Cortex-M4 and a Cortex-A8 micro-controllers.

Published

2017

16. Getting the Most Out of Leakage Detection

Author

Merino Del Pozo, Santos, Standaert, François-Xavier, 8th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Speedup, Computer engineering, 010201 computation theory & mathematics, Computer science, Leakage detection, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0102 computer and information sciences, 02 engineering and technology, Leak detection, 01 natural sciences, Block cipher, Leakage (electronics)

Abstract

In this work, we provide a concrete investigation of the gains that can be obtained by combining good measurement setups and efficient leakage detection tests to speed up evaluation times. For this purpose, we first analyze the quality of various measurement setups. Then, we highlight the positive impact of a recent proposal for efficient leakage detection, based on the analysis of a (few) pair(s) of plaintexts. Finally, we show that the combination of our best setups and detection tools allows detecting leakages for a noisy threshold implementation of the block cipher PRESENT after an intensive measurement phase, while either worse setups or less efficient detection tests would not succeed in detecting these leakages. Overall, our results show that a combination of good setups and fast leakage detection can turn security evaluation times from days to hours (for first-order secure implementations) and even from weeks to days (for higher-order secure implementations).

Published

2017

17. Private Circuits III

Author

Dziembowski, Stefan, Faust, Sebastian, Standaert, François-Xavier, 23rd ACM Conference on Computer and Communications Security, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

021110 strategic, defence & security studies, medicine.medical_specialty, Cryptographic primitive, Computer science, Distributed computing, 0211 other engineering and technologies, Computer security compromised by hardware failure, 02 engineering and technology, Adversary, computer.software_genre, 020202 computer hardware & architecture, Countermeasure, Trojan, Hardware Trojan, Threat model, 0202 electrical engineering, electronic engineering, information engineering, medicine, Concrete security, Compiler, State (computer science), computer

Abstract

Security against hardware trojans is currently becoming an essential ingredient to ensure trust in information systems. A variety of solutions have been introduced to reach this goal, ranging from reactive (i.e., detection-based) to preventive (i.e., trying to make the insertion of a trojan more difficult for the adversary). In this paper, we show how testing (which is a typical detection tool) can be used to state concrete security guarantees for preventive approaches to trojan-resilience. For this purpose, we build on and formalize two important previous works which introduced ``input scrambling" and ``split manufacturing" as countermeasures to hardware trojans. Using these ingredients, we present a generic compiler that can transform any circuit into a trojan-resilient one, for which we can state quantitative security guarantees on the number of correct executions of the circuit thanks to a new tool denoted as ``testing amplification". Compared to previous works, our threat model covers an extended range of hardware trojans while we stick with the goal of minimizing the number of honest elements in our transformed circuits. Since transformed circuits essentially correspond to redundant multiparty computations of the target functionality, they also allow reasonably efficient implementations, which can be further optimized if specialized to certain cryptographic primitives and security goals.

Published

2016

18. Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts

Author

Pierrick, Méaux, Journault, Anthony, Standaert, François-Xavier, Carlet, Claude, Advances in Cryptology - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2016), Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities (CASCADE), Département d'informatique - ENS Paris (DI-ENS), École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Centre National de la Recherche Scientifique (CNRS)-Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria), Université Paris sciences et lettres (PSL), Laboratoire d'informatique de l'école normale supérieure (LIENS), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS), Université Catholique de Louvain = Catholic University of Louvain (UCL), Université Paris 8 Vincennes-Saint-Denis - Département de Mathématiques, Université Paris 8 Vincennes-Saint-Denis (UP8), Laboratoire Analyse, Géométrie et Applications (LAGA), Université Paris 8 Vincennes-Saint-Denis (UP8)-Université Paris 13 (UP13)-Institut Galilée-Centre National de la Recherche Scientifique (CNRS), Marc Fischlin, Jean-Sébastien Coron, Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Département d'informatique de l'École normale supérieure (DI-ENS), École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Centre National de la Recherche Scientifique (CNRS), Université Paris 8 Vincennes-Saint-Denis (UP8)-Centre National de la Recherche Scientifique (CNRS)-Institut Galilée-Université Paris 13 (UP13), UCL - SST/ICTM/ELEN-Pôle en ingénierie électrique, Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Centre National de la Recherche Scientifique (CNRS)-Inria de Paris, and Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)

Subjects

Differential cryptanalysis, Theoretical computer science, Ciphers, Computer science, T-function, Stream cipher attack, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Stream ciphers, 01 natural sciences, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 010201 computation theory & mathematics, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Fully Homomorphic Encryption (FHE), Correlation attack, Stream cipher, Block size, Key schedule, Computer Science::Cryptography and Security

Abstract

International audience; Symmetric ciphers purposed for Fully Homomorphic Encryption FHE have recently been proposed for two main reasons. First, minimizing the implementation time and memory overheads that are inherent to current FHE schemes. Second, improving the homomorphic capacity, i.e. the amount of operations that one can perform on homomorphic ciphertexts before bootstrapping, which amounts to limit their level of noise. Existing solutions for this purpose suggest a gap between block ciphers and stream ciphers. The first ones typically allow a constant but small homomorphic capacity, due to the iteration of rounds eventually leading to complex Boolean functions hence large noise. The second ones typically allow a larger homomorphic capacity for the first ciphertext blocks, that decreases with the number of ciphertext blocks due to the increasing Boolean complexity of the stream ciphers' output. In this paper, we aim to combine the best of these two worlds, and propose a new stream cipher construction that allows constant and smaller noise. Its main idea is to apply a Boolean filter function to a public bit permutation of a constant key register, so that the Boolean complexity of the stream cipher outputs is constant. We also propose an instantiation of the filter function designed to exploit recent 3rd-generation FHE schemes, where the error growth is quasi-additive when adequately multiplying ciphertexts with the same amount of noise. In order to stimulate further investigation, we then specify a few instances of this stream cipher, for which we provide a preliminary security analysis. We finally highlight the good properties of our stream cipher regarding the other goal of minimizing the time and memory complexity of calculus delegation for 2nd-generation FHE﾿schemes. We conclude the paper with open problems related to the large design space opened by these new constructions.

Published

2016

19. Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF

Author

Medwed, Marcel, Standaert, François-Xavier, Feldhofer, Martin, Nikov, Ventzislav, 22nd International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Security properties, Exploit, Computer science, Key recovery, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Power model, Computer engineering, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Template attack, computer, Implementation, Block cipher, Leakage (electronics)

Abstract

In this work we present a leakage-resilient PRF which makes use of parallel block cipher implementations with unknown-inputs. To the best of our knowledge this is the first work to study and exploit unknown-inputs as a form of key-dependent algorithmic noise. It turns out that such noise renders the problem of side-channel key recovery intractable under very little and easily satisfiable assumptions. That is, the construction stays secure even in a noise-free setting and independent of the number of traces and the used power model. The contributions of this paper are as follows. First, we present a PRF construction which offers attractive security properties, even when instantiated with the AES. Second, we study the effect of unknown-input attacks in parallel implementations. We put forward their intractability and explain it by studying the inevitable model errors obtained when building templates in such a scenario. Third, we compare the security of our construction to the CHES 2012 one and show that it is superior in many ways. That is, a standard block cipher can be used, the security holds for all intermediate variables and it can even partially tolerate local EM attacks and some typical implementation mistakes or hardware insufficiencies. Finally, we discuss the performance of a standard-cell implementation.

Published

2016

20. Towards Sound Fresh Re-Keying with Hard (Physical) Learning Problems

Author

Dziembowski, Stefan, Faust, Sebastian, Herold, Gottfried, Journault, Anthony, Masny, Daniel, Standaert, François-Xavier, Advances in Cryptology - 36th International Cryptology Conference (CRYPTO 2016), and UCL - SST/ICTM/ELEN-Pôle en ingénierie électrique

Subjects

Theoretical computer science, Computer science, Cryptography, 0102 computer and information sciences, 02 engineering and technology, Side-channel attacks, Encryption, Leakage-resilient cryptographic constructions, 01 natural sciences, Secret sharing, Random oracle, Public-key cryptography, Pseudorandom function family, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic constructions, Security level, Stream cipher, Leakage parity, AKA, Block cipher, business.industry, Homomorphic encryption, Fresh re-keying, Symmetric-key algorithm, 010201 computation theory & mathematics, Authentication protocol, 020201 artificial intelligence & image processing, business

Abstract

Most leakage-resilient cryptographic constructions aim at limiting the information adversaries can obtain about secret keys. In the case of asymmetric algorithms, this is usually obtained by secret sharing (aka masking) the key, which is made easy by their algebraic properties. In the case of symmetric algorithms, it is rather key evolution that is exploited. While more efficient, the scope of this second solution is limited to stateful primitives that easily allow for key evolution such as stream ciphers. Unfortunately, it seems generally hard to avoid the need of (at least one) execution of a stateless primitive, both for encryption and authentication protocols. As a result, fresh re-keying has emerged as an alternative solution, in which a block cipher that is hard to protect against side-channel attacks is re-keyed with a stateless function that is easy to mask. While previous proposals in this direction were all based on heuristic arguments, we propose two new constructions that, for the first time, allow a more formal treatment of fresh re-keying. More precisely, we reduce the security of our re-keying schemes to two building blocks that can be of independent interest. The first one is an assumption of Learning Parity with Leakage, which leverages the noise that is available in side-channel measurements. The second one is based on the Learning With Rounding assumption, which can be seen as an alternative solution for low-noise implementations. Both constructions are efficient and easy to mask, since they are key homomorphic or almost key homomorphic.

Published

2016

21. Score-Based vs. Probability-Based Enumeration - A Cautionary Note

Author

Choudary, Marios O., Poussier, Romain, Standaert, François-Xavier, 17th International Conference in Cryptology in India - Progress in cryptology (INDIACRYPT 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Exploit, Computer science, Heuristic, Bayesian probability, Rank (computer programming), Context (language use), 02 engineering and technology, Side-channel attacks, 020202 computer hardware & architecture, Probability-based enumeration, Linear regression, Statistics, 0202 electrical engineering, electronic engineering, information engineering, Enumeration, Key (cryptography), 020201 artificial intelligence & image processing, Score-based enumeration

Abstract

The fair evaluation of leaking devices generally requires to come with the best possible distinguishers to extract and exploit side-channel information. While the need of a sound model for the leakages is a well known issue, the risks of additional errors in the post-processing of the attack results (with key enumeration/key rank estimation) are less investigated. Namely, optimal post-processing is known to be possible with distinguishers outputting probabilities (e.g. template attacks), but the impact of a deviation from this context has not been quantified so far. We therefore provide a consolidating experimental analysis in this direction, based on simulated and actual measurements. Our main conclusions are twofold. We first show that the concrete impact of heuristic scores such as produced with a correlation power analysis can lead to non-negligible post-processing errors. We then show that such errors can be mitigated in practice, with Bayesian extensions or specialized distinguishers (e.g. on-the-fly linear regression).

Published

2016

22. Towards Easy Leakage Certification

Author

Durvaux, François, Standaert, François-Xavier, Merino Del Pozo, Santos, 18th International Conference on Cryptographic hardware and Embedded Systems (CHES 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Exploit, Computer science, business.industry, Cryptography, 02 engineering and technology, Certification, Side-channel attacks, 020202 computer hardware & architecture, Reliability engineering, Leakage certification, Information sensitivity, Power analysis, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Leakage, Leakage (electronics)

Abstract

Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a good separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it allows confirming previous results of leakage certification. We then put forward that it leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modeling.

Published

2016

23. An Analysis of the Learning Parity with Noise Assumption Against Fault Attacks

Author

Berti, Francesco, Standaert, François-Xavier, 15th International Conference on Smart Card Research and Advanced Applications (CARDIS 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Theoretical computer science, Cryptographic primitive, Algebraic structure, Computer science, Fault attack, 0102 computer and information sciences, 02 engineering and technology, Adversary, 01 natural sciences, Fault attacks, 020202 computer hardware & architecture, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Fault model, Parity (mathematics), Implementation, Block cipher

Abstract

We provide a first security evaluation of LPN-based implementations against fault attacks. Our main result is to show that such implementations inherently have good features to resist these attacks. First, some prominent fault models (e.g. where an adversary flips bits in an implementation) are ineffective against LPN. Second, attacks taking advantage of more advanced fault models (e.g. where an adversary sets bits in an implementation) require significantly more samples than against standard symmetric cryptographic primitives such as block ciphers. Furthermore, the sampling complexity of these attacks strongly suffers from inaccurate fault insertion. Combined with the previous observation that the inner products computed in LPN implementations have an interesting algebraic structure for side-channel resistance via masking, these results therefore suggest LPN-based primitives as interesting candidates for physically secure implementations.

Published

2016

24. Moments-Correlating DPA

Author

Moradi, Amir, Standaert, François-Xavier, Theory of Implementations (TI 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Exploit, Computer science, media_common.quotation_subject, 0102 computer and information sciences, 02 engineering and technology, Collision, 01 natural sciences, Confidence interval, 020202 computer hardware & architecture, Moment (mathematics), Power analysis, 010201 computation theory & mathematics, Simple (abstract algebra), 0202 electrical engineering, electronic engineering, information engineering, Simplicity, Lying, Algorithm, Simulation, media_common

Abstract

We generalize correlation-enhanced power analysis collision attacks into moments-correlating DPA. The resulting distinguisher is applicable to the profiled and non-profiled (collision) settings and is able to exploit information lying in any statistical moment. It also benefits from a simple rule-of-thumb to estimate its data complexity. Experimental results show that such a tool allows answering with confidence to some important questions regarding the design of side-channel countermeasures (e.g. what is the most informative statistical moment in the leakages of a threshold implementation). We further argue that moments-correlating DPA is a natural candidate for leakage detection tests, enjoying the simplicity of correlation power analysis and advanced features for the evaluation of higher-order attacks with an easy-to-compute confidence level.

Published

2016

25. Towards Securing Low-Power Digital Circuits with Ultra-Low-Voltage Vdd Randomizers

Author

Kamel, Dina, de Streel, Guerric, Merino Del Pozo, Santos, Nawaz, Kashif, Standaert, François-Xavier, Flandre, Denis, Bol, David, 6th International Conference on Security, privacy, and Applied Cryptographic Engineering (SPACE 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Digital electronics, Signal processing, business.industry, Computer science, Linear regulator, Electrical engineering, 02 engineering and technology, Noise (electronics), Multiplicative noise, 020202 computer hardware & architecture, CMOS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Sensitivity (control systems), business, Low voltage

Abstract

With the exploding number of connected objects and sensitive applications, security against side-channel attacks becomes critical in low-cost and low-power IoT applications. For this purpose, established mathematical countermeasures such as masking and shuffling always require a minimum amount of noise in the adversary’s measurements, that may not be guaranteed by default because of good measurement setups and powerful signal processing. In this paper, we propose to improve the protection of sensitive digital circuits by operating them at a random ultra-low voltage (ULV) supplied by a \(V_{dd}\) randomizer. As the \(V_{dd}\) randomization modulates the switching current, it results in a multiplicative noise on both the current consumption amplitude and its time dependence. As ULV operation increases the sensitivity of the current on the supply voltage, it magnifies the generated noise while reducing the side-channel information signal thanks to the switching current reduction. As a proof-of-concept, we prototyped a simple \(V_{dd}\) randomizer based on a low-quiescent-current linear regulator with a digitally-controlled resistive feedback divider on which we apply a 4-bit random number stream. Using an information theoretic metric, the measurement results obtained in 65 nm low-power CMOS confirm that such randomizers can significantly improve the security of cryptographic implementations against standard side-channel attacks in case of low physical noise in the attacks’ setups, hence enabling the use of mathematical countermeasures.

Published

2016

26. Block Ciphers that are Easier to Mask: How Far Can we Go?

Author

Gérard, Benoît, Grosso, Vincent, Naya Plasencia, Maria, Standaert, François-Xavier, Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Université Catholique de Louvain = Catholic University of Louvain (UCL), Security, Cryptology and Transmissions (SECRET), Inria Paris-Rocquencourt, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Theoretical computer science, Differential cryptanalysis, Computer science, business.industry, Algorithm analysis and problem complexity, Hash function, Advanced Encryption Standard, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Data encryption, 020202 computer hardware & architecture, law.invention, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Cipher, Systems and data security, 010201 computation theory & mathematics, law, 0202 electrical engineering, electronic engineering, information engineering, Cryptanalysis, business, Key schedule, Block cipher

Abstract

International audience; The design and analysis of lightweight block ciphers has been a very active research area over the last couple of years, with many innovative proposals trying to optimize di erent performance gures. However, since these block ciphers are dedicated to low-cost embedded devices, their implementation is also a typical target for side-channel adversaries. As preventing such attacks with countermeasures usually implies signi cant performance overheads, a natural open problem is to propose new algorithms for which physical security is considered as an optimization criteria, hence allowing better performances again. We tackle this problem by studying how much we can tweak standard block ciphers such as the AES Rijndael in order to allow e cient masking (that is one of the most frequently considered solutions to improve security against side-channel attacks). For this purpose, we rst investigate alternative S- boxes and round structures. We show that both approaches can be used separately in order to limit the total number of non-linear operations in the block cipher, hence allowing more e cient masking. We then combine these ideas into a concrete instance of block cipher called Zorro. We further provide a detailed security analysis of this new cipher taking its design speci cities into account, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest). Eventually, we conclude the paper by evaluating the e ciency of masked Zorro implementations in an 8-bit microcontroller, and exhibit their interesting performance gures.

Published

2013

27. Masking vs. Multiparty Computation: How Large Is the Gap for AES?

Author

Grosso, Vincent, Standaert, François-Xavier, Faust, Sebastian, Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Multiplication algorithm, Speedup, Computer Networks and Communications, business.industry, Computer science, Computation, Cryptography, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Secret sharing, Masking (Electronic Health Record), Data encryptation, Systems and data security, MPC, 010201 computation theory & mathematics, 020204 information systems, Algorithm analysis problem complexity, MultiParty Computation, 0202 electrical engineering, electronic engineering, information engineering, business, Implementation, Algorithm, Software, Randomness

Abstract

In this paper, we evaluate the performances of state-of-the-art higher order masking schemes for the AES. Doing so, we pay a particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting multiparty computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g., its glitch-freeness) come at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that “packed secret sharing” based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.

Published

2013

28. Compact Implementation and Performance Evaluation of Block Ciphers in ATtiny Devices

Author

Eisenbarth, Thomas, Gong, Zheng, Güneysu, Tim, Heyse, Stefan, Indesteege, Sebastiaan, Kerckhof, Stéphanie, Koeune, François, Nad, Topmislav, Plos, Thomas, Regazzoni, Francesco, Standaert, François-Xavier, van Oldeneel tot Oldenzeel, Loïc, 5th International Conference on Cryptology in Africa (AFRICACRYPT 2012), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Source code, business.industry, Computer science, media_common.quotation_subject, 020206 networking & telecommunications, 02 engineering and technology, Microcontroller, Open source, Embedded system, block ciphers, Web page, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, License, Implementation, media_common, Block cipher

Abstract

The design of lightweight block ciphers has been a very active research topic over the last years. However, the lack of comparative source codes generally makes it hard to evaluate the extent to which different ciphers actually reach their low-cost goals, on different platforms. This paper reports on an initiative aimed to partially relax this issue. First, we implemented 12 block ciphers on an ATMEL ATtiny45 device, and made the corresponding source code available on a webpage, with an open-source license. Common design goals and interface have been sent to all designers in order to enhance the comparability of the implementation results. Second, we evaluated the performances of these implementations according to different metrics, including energy-consumption measurements. Although inherently limited by slightly different design choices, we hope this initiative can trigger more work in this direction, e.g. by extending the list of implemented ciphers, or adding countermeasures against physical attacks in the future.

Published

2012

29. Security Analysis of Image-Based PUFs for Anti-counterfeiting

Author

Shariati, Saloomeh, Koeune, François, Standaert, François-Xavier, Communications and Multimedia Security: 13th IFIP TC 6/TC 11 International Conference (CMS 2012), UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique, Université Catholique de Louvain = Catholic University of Louvain (UCL), Bart Decker, David W. Chadwick, TC 6, and TC 11

Subjects

Scheme (programming language), Security analysis, Computer science, Anti-counterfeiting, Physical unclonable function, 02 engineering and technology, Computer security, computer.software_genre, PUFs, Signature (logic), 020202 computer hardware & architecture, Image (mathematics), [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Phisically Unclonable Functions, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, [INFO]Computer Science [cs], computer, Protocol (object-oriented programming), Image based, computer.programming_language

Abstract

Part 1: Research Papers; International audience; Physically Unclonable Functions are a promising tool to protect against counterfeiting attacks. Yet, as with any security system, it is important to embed them in a sound protocol, ensuring that no unexpected weakness is present in the “mortar” binding the components together. This paper proposes an anti-counterfeiting protocol that provably reduces to natural properties of its underlying components, namely an image-based Physical Function System bearing physical unclonability and an existentially unforgeable signature scheme. Experiments confirm the practical feasibility of our construction.

Published

2012

30. Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs

Author

Medwed, Marcel, Standaert, François-Xavier, Joux, Antoine, Proceedings of the 14th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2012), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Pseudorandom number generator, Computer science, Distributed computing, Initialization, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, 020202 computer hardware & architecture, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, Lattice reduction, Stream cipher, Security parameter, Block cipher

Abstract

Leakage-resilient constructions have attracted significant attention over the last couple of years. In practice, pseudorandom functions are among the most important such primitives, because they are stateless and do not require a secure initialization as, e.g. stream ciphers. However, their deployment in actual applications is still limited by security and efficiency concerns. This paper contributes to solve these issues in two directions. On the one hand, we highlight that the condition of bounded data complexity, that is guaranteed by previous leakage-resilient constructions, may not be enough to obtain practical security. We show experimentally that, if implemented in an 8-bit microcontroller, such constructions can actually be broken. On the other hand, we present tweaks for tree-based leakage-resilient PRFs that improve their efficiency and their security, by taking advantage of parallel implementations. Our security analyses are based on worst-case attacks in a noise-free setting and suggest that under reasonable assumptions, the side-channel resistance of our construction grows super-exponentially with a security parameter that corresponds to the degree of parallelism of the implementation. In addition, it exhibits that standard DPA attacks are not the most relevant tool for evaluating such leakage-resilient constructions and may lead to overestimated security. As a consequence, we investigate more sophisticated tools based on lattice reduction, which turn out to be powerful in the physical cryptanalysis of these primitives. Eventually, we put forward that the AES is not perfectly suited for integration in a leakage-resilient design. This observation raises interesting challenges for developing block ciphers with better properties regarding leakage-resilience.

Published

2012

31. Compact FPGA Implementations of the Five SHA-3 Finalists

Author

Kerckhof, Stéphanie, Durvaux, François, Veyrat-Charvillon, Nicolas, Regazzoni, Francesco, Meurice de Dormale, Guerric, Standaert, François-Xavier, 10th Smart Card Research and Advanced Application Conference (CARDIS 2011), Université Catholique de Louvain = Catholic University of Louvain (UCL), MuElec, Emmanuel Prouff, TC 8, TC 11, WG 8.8, WG 11.2, UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique, and MuElec, Belgium

Subjects

Computer science, Cycles per instruction, business.industry, [SHS.INFO]Humanities and Social Sciences/Library and information sciences, 020208 electrical & electronic engineering, 02 engineering and technology, 020202 computer hardware & architecture, Computer architecture, SHA-3, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, [INFO]Computer Science [cs], Field-programmable gate array, business, Throughput (business), Block cipher

Abstract

Part 5: Implementations and Hardware Security 2; International audience; Allowing good performances on different platforms is an important criteria for the selection of the future sha-3 standard. In this paper, we consider the compact implementations of blake, Grøstl, jh, Keccak and Skein on recent fpga devices. Our results bring an interesting complement to existing analyzes, as most previous works on fpga implementations of the sha-3 candidates were optimized for high throughput applications. Following recent guidelines for the fair comparison of hardware architectures, we put forward clear trends for the selection of the future standard. First, compact fpga implementations of Keccak are less efficient than their high throughput counterparts. Second, Grøstl shows interesting performances in this setting, in particular in terms of throughput over area ratio. Third, the remaining candidates are comparably suitable for compact fpga implementations, with some slight contrasts (in area cost and throughput).

Published

2011

32. Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

Author

Medwed, Marcel, Petit, Christophe, Regazzoni, Francesco, Renauld, Mathieu, Standaert, François-Xavier, 10th IFIP WG 8.8/11.2 International Conference (CARDIS 2011), Université Catholique de Louvain = Catholic University of Louvain (UCL), Emmanuel Prouff, TC 8, TC 11, WG 8.8, WG 11.2, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Scheme (programming language), Computer science, media_common.quotation_subject, [SHS.INFO]Humanities and Social Sciences/Library and information sciences, Automotive industry, 02 engineering and technology, Side-channel attacks, Fault (power engineering), Computer security, computer.software_genre, Masking (Electronic Health Record), 0202 electrical engineering, electronic engineering, information engineering, Shuffling, Relevance (information retrieval), [INFO]Computer Science [cs], Side channel attack, media_common, computer.programming_language, Shuing, business.industry, Payment, Fault attacks, 020202 computer hardware & architecture, Microcontroller, Masking, Re-keying, 020201 artificial intelligence & image processing, business, computer

Abstract

Part 3: New Algorithms and Protocols; International audience; Security-aware embedded systems are widespread nowadays and many applications, such as payment, pay-TV and automotive applications rely on them. These devices are usually very resource constrained but at the same time likely to operate in a hostile environment. Thus, the implementation of low-cost protection mechanisms against physical attacks is vital for their market relevance. An appealing choice, to counteract a large family of physical attacks with one mechanism, seem to be protocol-level countermeasures. At last year’s Africacrypt, a fresh re-keying scheme has been presented which combines the advantages of re-keying with those of classical countermeasures such as masking and hiding. The contribution of this paper is threefold: most importantly, the original fresh re-keying scheme was limited to one low-cost party (e.g. an RFID tag) in a two party communication scenario. In this paper we extend the scheme to n low-cost parties and show that the scheme is still secure. Second, one unanswered question in the original paper was the susceptibility of the scheme to algebraic SPA attacks. Therefore, we analyze this property of the scheme. Finally, we implemented the scheme on a common 8-bit microcontroller to show its efficiency in software.

Published

2011

33. Very High Order Masking: Efficient Implementation and Security Evaluation

Author

Journault, Anthony, Standaert, François-Xavier, 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

business.industry, Computer science, Advanced Encryption Standard, 02 engineering and technology, Computer security model, Masking (Electronic Health Record), 020202 computer hardware & architecture, Embedded software, Cipher, Computer engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, High order, business, Security level, Implementation, Security evaluation

Abstract

In this paper, we study the performances and security of recent masking algorithms specialized to parallel implementations in a 32-bit embedded software platform, for the standard AES Rijndael and the bitslice cipher Fantomas. By exploiting the excellent features of these algorithms for bitslice implementations, we first extend the recent speed records of Goudarzi and Rivain (presented at Eurocrypt 2017) and report realistic timings for masked implementations with 32 shares. We then observe that the security level provided by such implementations is uneasy to quantify with current evaluation tools. We therefore propose a new “multi-model” evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature. This methodology allows us to both bound the security level of our implementations in a principled manner and to assess the risks of overstated security based on well understood parameters. Concretely, it leads us to conclude that these implementations withstand worst-case adversaries with \(>\!2^{64}\) measurements under falsifiable assumptions.

34. Implementing Trojan-Resilient Hardware from (Mostly) Untrusted Components Designed by Colluding Manufacturers

Author

Bronchain, Olivier, Dassy, Louis, Faust, Sebastian, Standaert, François-Xavier, 2018 Workshop on Attacks and Solutions in Hardware Security (ASHES@CCS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

0301 basic medicine, Hardware Trojans, Trojan-Resilience, Multi-Party Computation, Exploit, Computer science, business.industry, 02 engineering and technology, computer.software_genre, 020202 computer hardware & architecture, 03 medical and health sciences, 030104 developmental biology, Trojan, 0202 electrical engineering, electronic engineering, information engineering, Compiler, Communication complexity, business, Field-programmable gate array, Throughput (business), computer, Protocol (object-oriented programming), Computer hardware, Block cipher

Abstract

At CCS 2016, Dziembowski et al. proved the security of a generic compiler able to transform any circuit into a Trojan-resilient one based on a (necessary) number of trusted gates. Informally, it exploits techniques from the Multi-Party Computation (MPC) literature in order to exponentially reduce the probability of a successful Trojan attack. As a result, its concrete relevance depends on ( i ) the possibility to reach good performances with affordable hardware, and ( ii ) the actual number of trusted gates the solution requires. In this paper, we assess the practicality of the CCS 2016 Trojan-resilient compiler based on a block cipher case study, and optimize its performances in different directions. From the algorithmic viewpoint, we use a recent MPC protocol by Araki et al. (CCS 2016) in order to increase the throughput of our implementations, and we investigate various block ciphers and S-box representations to reduce their communication complexity. From a design viewpoint, we develop an architecture that balances the computation and communication cost of our Trojan-resilient circuits. From an implementation viewpoint, we describe a prototype hardware combining several commercial FPGAs on a dedicated printed circuit board. Thanks to these advances, we exhibit realistic performances for a Trojan-resilient circuit purposed for high-security applications, and confirm that the amount of trusted gates required by the CCS 2016 compiler is well minimized.