Your search keyword '"Standaert, François-Xavier"' showing total 24 results

1. Modeling Soft Analytical Side-Channel Attacks from a Coding Theory Viewpoint

Author

Guo, Qian, Grosso, Vincent, Standaert, François-Xavier, Bronchain, Olivier, Dept. of Electrical and Information Technology, Lund University, Lund University [Lund], Department of Informatics [Bergen] (UiB), University of Bergen (UiB), Université Catholique de Louvain = Catholic University of Louvain (UCL), Centre National de la Recherche Scientifique (CNRS), Laboratoire Hubert Curien [Saint Etienne] (LHC), Institut d'Optique Graduate School (IOGS)-Université Jean Monnet [Saint-Étienne] (UJM)-Centre National de la Recherche Scientifique (CNRS), Fonds de la Recherche Scientifique [FNRS], and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Belief Propagation, 050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, Side-Channel Analysis, Worst-Case Security Evaluations, Horizontal (aka Multi-Target) Attacks, Masking, Shuffling, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, lcsh:TK7885-7895, 02 engineering and technology, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences

Abstract

One important open question in side-channel analysis is to find out whether all the leakage samples in an implementation can be exploited by an adversary, as suggested by masking security proofs. For attacks exploiting a divide-and-conquer strategy, the answer is negative: only the leakages corresponding to the first/last rounds of a block cipher can be exploited. Soft Analytical Side-Channel Attacks (SASCA) have been introduced as a powerful solution to mitigate this limitation. They represent the target implementation and its leakages as a code (similar to a Low Density Parity Check code) that is decoded thanks to belief propagation. Previous works have shown the low data complexities that SASCA can reach in practice. In this paper, we revisit these attacks by modeling them with a variation of the Random Probing Model used in masking security proofs, that we denote as the Local Random Probing Model (LRPM). Our study establishes interesting connections between this model and the erasure channel used in coding theory, leading to the following benefits. First, the LRPM allows bounding the security of concrete implementations against SASCA in a fast and intuitive manner. We use it in order to confirm that the leakage of any operation in a block cipher can be exploited, although the leakages of external operations dominate in known-plaintext/ciphertext attack scenarios. Second, we show that the LRPM is a tool of choice for the (nearly worst-case) analysis of masked implementations in the noisy leakage model, taking advantage of all the operations performed, and leading to new tradeoffs between their amount of randomness and physical noise level. Third, we show that it can considerably speed up the evaluation of other countermeasures such as shuffling., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2020, Issue 4

Published

2020

2. Glitch-Resistant Masking Revisited

Author

Moos, Thorben, Moradi, Amir, Schneider, Tobias, and Standaert, François-Xavier

Subjects

050101 languages & linguistics, Consolidated Masking Scheme, lcsh:Computer engineering. Computer hardware, Threshold Implementations, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Glitches Composability, lcsh:TK7885-7895, 02 engineering and technology, Hardware Masking, 0202 electrical engineering, electronic engineering, information engineering, Domain-Oriented Masking, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Robust Probing Model

Abstract

Implementing the masking countermeasure in hardware is a delicate task. Various solutions have been proposed for this purpose over the last years: we focus on Threshold Implementations (TIs), Domain-Oriented Masking (DOM), the Unified Masking Approach (UMA) and Generic Low Latency Masking (GLM). The latter generally come with innovative ideas to cope with physical defaults such as glitches. Yet, and in contrast to the situation in software-oriented masking, these schemes have not been formally proven at arbitrary security orders and their composability properties were left unclear. So far, only a 2-cycle implementation of the seminal masking scheme by Ishai, Sahai and Wagner has been shown secure and composable in the robust probing model – a variation of the probing model aimed to capture physical defaults such as glitches – for any number of shares. In this paper, we argue that this lack of proofs for TIs, DOM, UMA and GLM makes the interpretation of their security guarantees difficult as the number of shares increases. For this purpose, we first put forward that the higher-order variants of all these schemes are affected by (local or composability) security flaws in the (robust) probing model, due to insufficient refreshing. We then show that composability and robustness against glitches cannot be analyzed independently. We finally detail how these abstract flaws translate into concrete (experimental) attacks, and discuss the additional constraints robust probing security implies on the need of registers. Despite not systematically leading to improved complexities at low security orders, e.g., with respect to the required number of measurements for a successful attack, we argue that these weaknesses provide a case for the need of security proofs in the robust probing model (or a similar abstraction) at higher security orders., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

3. Multi-Tuple Leakage Detection and the Dependent Signal Issue

Author

Bronchain, Olivier, Schneider, Tobias, Standaert, François-Xavier, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, Side-Channel Analysis, lcsh:TK7885-7895, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Security Evaluations, 020202 computer hardware & architecture, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Leakage Detection

Abstract

Leakage detection is a common tool to quickly assess the security of a cryptographic implementation against side-channel attacks. The Test Vector Leakage Assessment (TVLA) methodology using Welch’s t-test, proposed by Cryptography Research, is currently the most popular example of such tools, thanks to its simplicity and good detection speed compared to attack-based evaluations. However, as any statistical test, it is based on certain assumptions about the processed samples and its detection performances strongly depend on parameters like the measurement’s Signal-to-Noise Ratio (SNR), their degree of dependency, and their density, i.e., the ratio between the amount of informative and non-informative points in the traces. In this paper, we argue that the correct interpretation of leakage detection results requires knowledge of these parameters which are a priori unknown to the evaluator, and, therefore, poses a non-trivial challenge to evaluators (especially if restricted to only one test). For this purpose, we first explore the concept of multi-tuple detection, which is able to exploit differences between multiple informative points of a trace more effectively than tests relying on the minimum p-value of concurrent univariate tests. To this end, we map the common Hotelling’s T2-test to the leakage detection setting and, further, propose a specialized instantiation of it which trades computational overheads for a dependency assumption. Our experiments show that there is not one test that is the optimal choice for every leakage scenario. Second, we highlight the importance of the assumption that the samples at each point in time are independent, which is frequently considered in leakage detection, e.g., with Welch’s t-test. Using simulated and practical experiments, we show that (i) this assumption is often violated in practice, and (ii) deviations from it can affect the detection performances, making the correct interpretation of the results more difficult. Finally, we consolidate our findings by providing guidelines on how to use a combination of established and newly-proposed leakage detection tools to infer the measurements parameters. This enables a better interpretation of the tests’ results than the current state-of-the-art (yet still relying on heuristics for the most challenging evaluation scenarios)., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

4. Towards Globally Optimized Masking: From Low Randomness to Low Noise Rate

Author

Cassiers, Gaëtan and Standaert, François-Xavier

Subjects

050101 languages & linguistics, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, lcsh:Information technology, 05 social sciences, random probing model, lcsh:TK7885-7895, 02 engineering and technology, horizontal attacks, Masking, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, composability

Abstract

We improve the state-of-the-art masking schemes in two important directions. First, we propose a new masked multiplication algorithm that satisfies a recently introduced notion called Probe-Isolating Non-Interference (PINI). It captures a sufficient requirement for designing masked implementations in a trivial way, by combining PINI multiplications and linear operations performed share by share. Our improved algorithm has the best reported randomness complexity for large security orders (while the previous PINI multiplication was best for small orders). Second, we analyze the security of most existing multiplication algorithms in the literature against so-called horizontal attacks, which aim to reduce the noise of the actual leakages measured by an adversary, by combining the information of multiple target intermediate values. For this purpose, we leave the (abstract) probing model and consider a specialization of the (more realistic) noisy leakage / random probing models. Our (still partially heuristic but quantitative) analysis allows confirming the improved security of an algorithm by Battistello et al. from CHES 2016 in this setting. We then use it to propose new improved algorithms, leading to better tradeoffs between randomness complexity and noise rate, and suggesting the possibility to design efficient masked multiplication algorithms with constant noise rate in F2., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2019, Issue 2

Published

2019

5. Authenticated Encryption with Nonce Misuse and Physical Leakage: Definitions, Separation Results and First Construction - (Extended Abstract)

Author

Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Progress in Cryptology - {LATINCRYPT} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Block cipher mode of operation, Scheme (programming language), Authenticated encryption, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Adversary, Computer security, computer.software_genre, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, NIST, 020201 artificial intelligence & image processing, Leakage (economics), computer, Cryptographic nonce, computer.programming_language

Abstract

We propose definitions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel information leakage. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakage of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of misuse-resistance), or only during training queries (in the spirit of misuse-resilience recently introduced by Ashur et al.). These new definitions offer various insights on the effect of leakage in the security landscape. In particular, we show that, in contrast with the black-box setting, leaking variants of INT-CTXT and IND-CPA security do not imply a leaking variant IND-CCA security, and that leaking variants of INT-PTXT and IND-CCA do not imply a leaking variant of INT-CTXT. They also bring a useful scale to reason about and analyze the implementation properties of emerging modes of operation with different levels of leakage-resistance, such as proposed in the ongoing NIST lightweight cryptography competition. We finally propose the first instance of mode of operation that satisfies our most demanding definitions.

Published

2019

6. Reducing the Cost of Authenticity with Leakages: a $$\mathsf {CIML2}$$ -Secure $$\mathsf {AE}$$ Scheme with One Call to a Strongly Protected Tweakable Block Cipher

Author

Berti, Francesco, Pereira, Olivier, Standaert, François-Xavier, 11th International Conference on Cryptology in Africa - Progress in Cryptology (AFRICACRYPT 2019), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Scheme (programming language), Authenticated encryption, 050101 languages & linguistics, Computer science, Data_MISCELLANEOUS, Data_CODINGANDINFORMATIONTHEORY, 02 engineering and technology, Encryption, 7. Clean energy, Mode (computer interface), Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, computer.programming_language, Block cipher, Leveled implementation, business.industry, 05 social sciences, Leakage resilience, Leakage-resilience, Ciphertext integrity with misuse and leakage (CIML2), 020201 artificial intelligence & image processing, business, computer, Cryptographic nonce, Computer network

Abstract

This paper presents CONCRETE (Commit − Encrypt − Send − the − Key) a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption. CONCRETE improves on a recent line of works aiming at leveled implementations, which mix a strongly protected and energy demanding implementation of a single component, and other weakly protected and much cheaper components. Here, these components all implement a tweakable block cipher TBC. CONCRETE requires the use of the strongly protected TBC only once while supporting the leakage of the full state of the weakly protected components – it achieves CIML2 security in the so-called unbounded leakage model. All previous works need to use the strongly protected implementation at least twice. As a result, for short messages whose encryption and decryption energy costs are dominated by the strongly protected component, we halve the cost of a leakage-resilient implementation. CONCRETE additionally provides security when unverified plaintexts are released, and confidentiality in the presence of simulatable leakages in encryption and decryption.

Published

2019

7. How (Not) to Use Welch’s T-Test in Side-Channel Security Evaluations

Author

Standaert, François-Xavier, 17th International Conference on Smart Card Research and Advanced Applications (CARDIS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Computer science, Cryptographic implementations, Univariate, 02 engineering and technology, Computer security, computer.software_genre, Welch's t-test, Masking (Electronic Health Record), 020202 computer hardware & architecture, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Side channel attack, Security level, computer, Implementation, Side-channel analysis

Abstract

The Test Vector Leakage Assessment (TVLA) methodology is a qualitative tool relying on Welch’s T-test to assess the security of cryptographic implementations against side-channel attacks. Despite known limitations (e.g., risks of false negatives and positives), it is sometimes considered as a pass-fail test to determine whether such implementations are “safe” or not (without clear definition of what is “safe”). In this note, we clarify the limited quantitative meaning of this test when used as a standalone tool. For this purpose, we first show that the straightforward application of this approach to assess the security of a masked implementation is not sufficient. More precisely, we show that even in a simple (more precisely, univariate) case study that seems best suited for the TVLA methodology, detection (or lack thereof) with Welch’s T-test can be totally disconnected from the actual security level of an implementation. For this purpose, we put forward the case of a realistic masking scheme that looks very safe from the TVLA point-of-view and is nevertheless easy to break. We then discuss this result in more general terms and argue that this limitation is shared by all “moment-based” security evaluations. We conclude the note positively, by describing how to use moment-based analyses as a useful ingredient of side-channel security evaluations, to determine a “security order”.

Published

2019

8. SpookChain: Chaining a Sponge-Based AEAD with Beyond-Birthday Security

Author

Cassiers, Gaëtan, Guo, Chun, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, Security, Privacy, and Applied Cryptography Engineering - 9th International Conference, {SPACE} 2019, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Discrete mathematics, 050101 languages & linguistics, Computer science, business.industry, 05 social sciences, Plaintext, Context (language use), 02 engineering and technology, Encryption, Chaining, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Element (category theory), business, Key size, Cryptographic nonce

Abstract

We present \(\mathsf {SpookChain}\), a new online authenticated encryption (OAE) mode that offers several appealing features: \(\mathsf {SpookChain}\) is fully online: it supports the processing of long messages by segments of arbitrary size, and the processing of each segment is online itself, with memory requirements in encryption and decryption being independent of the segment size. \(\mathsf {SpookChain}\) is, to the best of our knowledge, the first concrete mode that is proven to offer \(\mathsf {dOAE}\) security, a requirement for OAE that, at least guarantees security for new segments as soon as one of the previously processed segments contains a fresh element (nonce, plaintext or associated data). \(\mathsf {SpookChain}\) offers beyond birthday multi-user security (w.r.t. the secret key length), a requirement that we define for the first time in the context of OAE, and which is increasingly appealing in a world where communications are encrypted by default. \(\mathsf {SpookChain}\) is also expected to be remarkably lightweight to implement when protection against side-channel attacks is required.

Published

2019

9. Connecting and Improving Direct Sum Masking and Inner Product Masking

Author

Poussier, Romain, Guo, Qian, Standaert, François-Xavier, Carlet, Claude, Guilley, Sylvain, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Security properties, Masking (art), Direct sum, Computer science, Cryptographic implementations, 02 engineering and technology, 020202 computer hardware & architecture, Simple (abstract algebra), Product (mathematics), Direct sum masking, Inner product masking, Hardware_INTEGRATEDCIRCUITS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Relevance (information retrieval), Algorithm

Abstract

Direct Sum Masking (DSM) and Inner Product (IP) masking are two types of countermeasures that have been introduced as alternatives to simpler (e.g., additive) masking schemes to protect cryptographic implementations against side-channel analysis. In this paper, we first show that IP masking can be written as a particular case of DSM. We then analyze the improved security properties that these (more complex) encodings can provide over Boolean masking. For this purpose, we introduce a slight variation of the probing model, which allows us to provide a simple explanation to the \security order ampli cation" for such masking schemes that was put forward at CARDIS 2016. We then use our model to search for new instances of masking schemes that optimize this security order ampli cation. We nally discuss the relevance of this security order ampli cation (and its underlying assumption of linear leakages) based on an experimental case study.

Published

2018

10. Ciphertext Integrity with Misuse and Leakage: Definition and Efficient Constructions with Symmetric Primitives

Author

Berti, Francesco, Koeune, François, Pereira, Olivier, Peters, Thomas, Standaert, François-Xavier, 2018 Asia Conference on Computer and Communications Security (AsiaCCS 2018), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Authenticated encryption, Computer science, business.industry, 0102 computer and information sciences, 02 engineering and technology, Encryption, Computer security, computer.software_genre, 01 natural sciences, Random oracle, 010201 computation theory & mathematics, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Leakage-resilient cryptography, Misuse resistance, Randomness, Leakage (electronics)

Abstract

Leakage resilience (LR) and misuse resistance (MR) are two important properties for the deployment of authenticated encryption (AE) schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss the interactions and incompatibilities between these two properties. We start from the usual definition of MR for AE schemes from Rogaway and Shrimpton, and argue that it may be overly demanding in the presence of leakages. As a result, we turn back to the basic security requirements for AE: ciphertext integrity (INT-CTXT) and CPA security, and propose to focus on a new notion of CIML security, which is an extension of INT-CTXT in the presence of misuse and leakages. We discuss the extent to which CIML security is offered by previous proposals of MR AE schemes, conclude by the negative, and propose two new efficient CIML-secure AE schemes: the DTE scheme offers security in the standard model, while the DCE scheme offers security in the random oracle model, but comes with some efficiency benefits. On our way, we observe that these constructions are not trivial, and show for instance that the composition of a LR MAC and a LR encryption scheme, while providing a (traditional) MR AE scheme, can surprisingly lose the MR property in the presence of leakages and does not achieve CIML security. Eventually, we show the LR CPA security of DTE and DCE.

Published

2018

11. Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model

Author

Barthe, Gilles, Dupressoir, François, Faust, Sebastian, Grégoire, Benjamin, Standaert, François-Xavier, Strub, Pierre-Yves, 36th Annual International Conference on the Theory and Applications of cryptographic Techniques (EUROCRYPT 2017), Institute IMDEA Software [Madrid], University of Surrey (UNIS), Ruhr-Universität Bochum [Bochum], Mathematical, Reasoning and Software (MARELLE), Inria Sophia Antipolis - Méditerranée (CRISAM), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), UCL Crypto Group, Université Catholique de Louvain = Catholic University of Louvain (UCL), École polytechnique (X), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), Multiplication algorithm, Theoretical computer science, Computer science, 0102 computer and information sciences, 02 engineering and technology, Computer security model, Formal methods, 01 natural sciences, Moment (mathematics), 010201 computation theory & mathematics, Simple (abstract algebra), Bounded function, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, [INFO]Computer Science [cs], Leakage model, Implementation, Computer Science::Cryptography and Security

Abstract

International audience; In this paper, we provide a necessary clarification of the good security properties that can be obtained from parallel implementations of masking schemes. For this purpose, we first argue that (i) the probing model is not straightforward to interpret, since it more naturally captures the intuitions of serial implementations, and (ii) the noisy leakage model is not always convenient, e.g. when combined with formal methods for the verification of cryptographic implementations. Therefore we introduce a new model, the bounded moment model, that formalizes a weaker notion of security order frequently used in the side-channel literature. Interestingly , we prove that probing security for a serial implementation implies bounded moment security for its parallel counterpart. This result therefore enables an accurate understanding of the links between formal security analyses of masking schemes and experimental security evaluations based on the estimation of statistical moments Besides its consolidating nature, our work also brings useful technical contributions. First, we describe and analyze refreshing and multiplication algorithms that are well suited for parallel implementations and improve security against multivariate side-channel attacks. Second, we show that simple refreshing algorithms (with linear complexity) that are not secure in the continuous probing model are secure in the continuous bounded moment model. Eventually, we discuss the independent leakage assumption required for masking to deliver its security promises, and its specificities related to the serial or parallel nature of an implementation.

Published

2017

12. Inner Product Masking for Bitslice Ciphers and Security Order Amplification for Linear Leakages

Author

Wang, Weijia, Standaert, François-Xavier, Yu, Yu, Pu, Sihang, Liu, Junrong, Guo, Zheng, Gu, Dawu, 15th International Conference on Smart Card Research and Advanced Applications (CARDIS 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Masking (art), 021110 strategic, defence & security studies, Computer science, Algebraic structure, Security order amplification, Galois theory, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Linear leakages, Bitslice ciphers, Bit (horse), Simple (abstract algebra), Product (mathematics), Information leakage, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Arithmetic, computer, Block cipher

Abstract

Designers of masking schemes are usually torn between the contradicting goals of maximizing the security gains while minimizing the performance overheads. Boolean masking is one extreme example of this tradeo: its algebraic structure is as simple as can be (and so are its implementations), but it typically suers more from implementation weaknesses. For example knowing one bit of each share is enough to know one bit of secret in this case. Inner product masking lies at the other side of this tradeo: its algebraic structure is more involved, making it more expensive to implement (especially at higher orders), but it ensures stronger security guarantees. For example, knowing one bit of each share is not enough to know one bit of secret in this case. In this paper, we try to combine the best of these two worlds, and propose a new masking scheme mixing a single Boolean matrix product (to improve the algebraic complexity of the scheme) with standard additive Boolean masking (to allow ecient higher-order implementations). We show that such a masking is well suited for application to bitslice ciphers. We also conduct a comprehensive security analysis of the proposed scheme. For this purpose, we give a security proof in the probing model, and carry out an information leakage evaluation of an idealized implementation. For certain leakage functions, the latter exhibits surprising observations, namely information leakages in higher statistical moments than guaranteed by the proof in the probing model, which we can connect to the recent literature on low entropy masking schemes. We conclude the paper with a performance evaluation, which conrms that both for security and performance reasons, our new masking scheme (which can be viewed as a variation of inner product masking) compares favorably to state-of-the-art masking schemes for bitslice ciphers.

Published

2017

13. Towards Sound and Optimal Leakage Detection Procedure

Author

Ding, A. Adam, Zhang, Liwei, Durvaux, François, Standaert, François-Xavier, Fei, Yunsi, 16th International Conference on Smart Card Research and Advanced Applications (CARDIS 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Hardware_MEMORYSTRUCTURES, business.industry, Computer science, Side-channel analysis, Leakage detection, Higher criticism, Cryptography, 02 engineering and technology, 01 natural sciences, 010104 statistics & probability, Test vector, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0101 mathematics, business, Algorithm, Leakage (electronics), Statistical hypothesis testing

Abstract

Evaluation of side-channel leakage for cryptographic systems requires sound leakage detection procedures. The commonly used standard approach is the test vector leakage assessment (TVLA) procedure. We first relate TVLA to the statistical minimum p-value (mini-p) procedure, and propose a sound method of deciding leakage existence in the statistical hypothesis setting. An advanced statistical procedure, Higher Criticism (HC), is adopted to improve leakage detection when there are multiple leakage points. The HC-based procedure is optimal in side-channel leakage detection, because for a given number of traces with a given length, it detects the existence of leakage at the signal level as low as possibly detectable by any statistical procedure. Numerical studies show that our HC-based procedure perform as well as the mini-p based procedure when leakage signals are very sparse, and can improve the leakage detection significantly when there are multiple leakages.

Published

2017

14. A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

Author

Poussier, Romain, Zhou, Yuanyuan, Standaert, François-Xavier, 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Side-channel attacks, side-channel analysis, Computer engineering, Computer science, Scalar (mathematics), 0202 electrical engineering, electronic engineering, information engineering, Elliptic Curve Digital Signature Algorithm, 020201 artificial intelligence & image processing, 02 engineering and technology, Side channel attack, Scalar multiplication, Implementation, 020202 computer hardware & architecture

Abstract

The wide number and variety of side-channel attacks against scalar multiplication algorithms makes their security evaluations complex, in particular in case of time constraints making exhaustive analyses impossible. In this paper, we present a systematic way to evaluate the security of such implementations against horizontal attacks. As horizontal attacks allow extracting most of the information in the leakage traces of scalar multiplications, they are suitable to avoid risks of overestimated security levels. For this purpose, we additionally propose to use linear regression in order to accurately characterize the leakage function and therefore approach worst-case security evaluations. We then show how to apply our tools in the contexts of ECDSA and ECDH implementations, and validate them against two targets: a Cortex-M4 and a Cortex-A8 micro-controllers.

Published

2017

15. Getting the Most Out of Leakage Detection

Author

Merino Del Pozo, Santos, Standaert, François-Xavier, 8th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Speedup, Computer engineering, 010201 computation theory & mathematics, Computer science, Leakage detection, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0102 computer and information sciences, 02 engineering and technology, Leak detection, 01 natural sciences, Block cipher, Leakage (electronics)

Abstract

In this work, we provide a concrete investigation of the gains that can be obtained by combining good measurement setups and efficient leakage detection tests to speed up evaluation times. For this purpose, we first analyze the quality of various measurement setups. Then, we highlight the positive impact of a recent proposal for efficient leakage detection, based on the analysis of a (few) pair(s) of plaintexts. Finally, we show that the combination of our best setups and detection tools allows detecting leakages for a noisy threshold implementation of the block cipher PRESENT after an intensive measurement phase, while either worse setups or less efficient detection tests would not succeed in detecting these leakages. Overall, our results show that a combination of good setups and fast leakage detection can turn security evaluation times from days to hours (for first-order secure implementations) and even from weeks to days (for higher-order secure implementations).

Published

2017

16. Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF

Author

Medwed, Marcel, Standaert, François-Xavier, Feldhofer, Martin, Nikov, Ventzislav, 22nd International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Security properties, Exploit, Computer science, Key recovery, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Power model, Computer engineering, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Template attack, computer, Implementation, Block cipher, Leakage (electronics)

Abstract

In this work we present a leakage-resilient PRF which makes use of parallel block cipher implementations with unknown-inputs. To the best of our knowledge this is the first work to study and exploit unknown-inputs as a form of key-dependent algorithmic noise. It turns out that such noise renders the problem of side-channel key recovery intractable under very little and easily satisfiable assumptions. That is, the construction stays secure even in a noise-free setting and independent of the number of traces and the used power model. The contributions of this paper are as follows. First, we present a PRF construction which offers attractive security properties, even when instantiated with the AES. Second, we study the effect of unknown-input attacks in parallel implementations. We put forward their intractability and explain it by studying the inevitable model errors obtained when building templates in such a scenario. Third, we compare the security of our construction to the CHES 2012 one and show that it is superior in many ways. That is, a standard block cipher can be used, the security holds for all intermediate variables and it can even partially tolerate local EM attacks and some typical implementation mistakes or hardware insufficiencies. Finally, we discuss the performance of a standard-cell implementation.

Published

2016

17. Towards Sound Fresh Re-Keying with Hard (Physical) Learning Problems

Author

Dziembowski, Stefan, Faust, Sebastian, Herold, Gottfried, Journault, Anthony, Masny, Daniel, Standaert, François-Xavier, Advances in Cryptology - 36th International Cryptology Conference (CRYPTO 2016), and UCL - SST/ICTM/ELEN-Pôle en ingénierie électrique

Subjects

Theoretical computer science, Computer science, Cryptography, 0102 computer and information sciences, 02 engineering and technology, Side-channel attacks, Encryption, Leakage-resilient cryptographic constructions, 01 natural sciences, Secret sharing, Random oracle, Public-key cryptography, Pseudorandom function family, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic constructions, Security level, Stream cipher, Leakage parity, AKA, Block cipher, business.industry, Homomorphic encryption, Fresh re-keying, Symmetric-key algorithm, 010201 computation theory & mathematics, Authentication protocol, 020201 artificial intelligence & image processing, business

Abstract

Most leakage-resilient cryptographic constructions aim at limiting the information adversaries can obtain about secret keys. In the case of asymmetric algorithms, this is usually obtained by secret sharing (aka masking) the key, which is made easy by their algebraic properties. In the case of symmetric algorithms, it is rather key evolution that is exploited. While more efficient, the scope of this second solution is limited to stateful primitives that easily allow for key evolution such as stream ciphers. Unfortunately, it seems generally hard to avoid the need of (at least one) execution of a stateless primitive, both for encryption and authentication protocols. As a result, fresh re-keying has emerged as an alternative solution, in which a block cipher that is hard to protect against side-channel attacks is re-keyed with a stateless function that is easy to mask. While previous proposals in this direction were all based on heuristic arguments, we propose two new constructions that, for the first time, allow a more formal treatment of fresh re-keying. More precisely, we reduce the security of our re-keying schemes to two building blocks that can be of independent interest. The first one is an assumption of Learning Parity with Leakage, which leverages the noise that is available in side-channel measurements. The second one is based on the Learning With Rounding assumption, which can be seen as an alternative solution for low-noise implementations. Both constructions are efficient and easy to mask, since they are key homomorphic or almost key homomorphic.

Published

2016

18. Score-Based vs. Probability-Based Enumeration - A Cautionary Note

Author

Choudary, Marios O., Poussier, Romain, Standaert, François-Xavier, 17th International Conference in Cryptology in India - Progress in cryptology (INDIACRYPT 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Exploit, Computer science, Heuristic, Bayesian probability, Rank (computer programming), Context (language use), 02 engineering and technology, Side-channel attacks, 020202 computer hardware & architecture, Probability-based enumeration, Linear regression, Statistics, 0202 electrical engineering, electronic engineering, information engineering, Enumeration, Key (cryptography), 020201 artificial intelligence & image processing, Score-based enumeration

Abstract

The fair evaluation of leaking devices generally requires to come with the best possible distinguishers to extract and exploit side-channel information. While the need of a sound model for the leakages is a well known issue, the risks of additional errors in the post-processing of the attack results (with key enumeration/key rank estimation) are less investigated. Namely, optimal post-processing is known to be possible with distinguishers outputting probabilities (e.g. template attacks), but the impact of a deviation from this context has not been quantified so far. We therefore provide a consolidating experimental analysis in this direction, based on simulated and actual measurements. Our main conclusions are twofold. We first show that the concrete impact of heuristic scores such as produced with a correlation power analysis can lead to non-negligible post-processing errors. We then show that such errors can be mitigated in practice, with Bayesian extensions or specialized distinguishers (e.g. on-the-fly linear regression).

Published

2016

19. Towards Easy Leakage Certification

Author

Durvaux, François, Standaert, François-Xavier, Merino Del Pozo, Santos, 18th International Conference on Cryptographic hardware and Embedded Systems (CHES 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Exploit, Computer science, business.industry, Cryptography, 02 engineering and technology, Certification, Side-channel attacks, 020202 computer hardware & architecture, Reliability engineering, Leakage certification, Information sensitivity, Power analysis, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Leakage, Leakage (electronics)

Abstract

Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a good separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it allows confirming previous results of leakage certification. We then put forward that it leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modeling.

Published

2016

20. Towards Securing Low-Power Digital Circuits with Ultra-Low-Voltage Vdd Randomizers

Author

Kamel, Dina, de Streel, Guerric, Merino Del Pozo, Santos, Nawaz, Kashif, Standaert, François-Xavier, Flandre, Denis, Bol, David, 6th International Conference on Security, privacy, and Applied Cryptographic Engineering (SPACE 2016), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Digital electronics, Signal processing, business.industry, Computer science, Linear regulator, Electrical engineering, 02 engineering and technology, Noise (electronics), Multiplicative noise, 020202 computer hardware & architecture, CMOS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Sensitivity (control systems), business, Low voltage

Abstract

With the exploding number of connected objects and sensitive applications, security against side-channel attacks becomes critical in low-cost and low-power IoT applications. For this purpose, established mathematical countermeasures such as masking and shuffling always require a minimum amount of noise in the adversary’s measurements, that may not be guaranteed by default because of good measurement setups and powerful signal processing. In this paper, we propose to improve the protection of sensitive digital circuits by operating them at a random ultra-low voltage (ULV) supplied by a \(V_{dd}\) randomizer. As the \(V_{dd}\) randomization modulates the switching current, it results in a multiplicative noise on both the current consumption amplitude and its time dependence. As ULV operation increases the sensitivity of the current on the supply voltage, it magnifies the generated noise while reducing the side-channel information signal thanks to the switching current reduction. As a proof-of-concept, we prototyped a simple \(V_{dd}\) randomizer based on a low-quiescent-current linear regulator with a digitally-controlled resistive feedback divider on which we apply a 4-bit random number stream. Using an information theoretic metric, the measurement results obtained in 65 nm low-power CMOS confirm that such randomizers can significantly improve the security of cryptographic implementations against standard side-channel attacks in case of low physical noise in the attacks’ setups, hence enabling the use of mathematical countermeasures.

Published

2016

21. Compact Implementation and Performance Evaluation of Block Ciphers in ATtiny Devices

Author

Eisenbarth, Thomas, Gong, Zheng, Güneysu, Tim, Heyse, Stefan, Indesteege, Sebastiaan, Kerckhof, Stéphanie, Koeune, François, Nad, Topmislav, Plos, Thomas, Regazzoni, Francesco, Standaert, François-Xavier, van Oldeneel tot Oldenzeel, Loïc, 5th International Conference on Cryptology in Africa (AFRICACRYPT 2012), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Source code, business.industry, Computer science, media_common.quotation_subject, 020206 networking & telecommunications, 02 engineering and technology, Microcontroller, Open source, Embedded system, block ciphers, Web page, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, License, Implementation, media_common, Block cipher

Abstract

The design of lightweight block ciphers has been a very active research topic over the last years. However, the lack of comparative source codes generally makes it hard to evaluate the extent to which different ciphers actually reach their low-cost goals, on different platforms. This paper reports on an initiative aimed to partially relax this issue. First, we implemented 12 block ciphers on an ATMEL ATtiny45 device, and made the corresponding source code available on a webpage, with an open-source license. Common design goals and interface have been sent to all designers in order to enhance the comparability of the implementation results. Second, we evaluated the performances of these implementations according to different metrics, including energy-consumption measurements. Although inherently limited by slightly different design choices, we hope this initiative can trigger more work in this direction, e.g. by extending the list of implemented ciphers, or adding countermeasures against physical attacks in the future.

Published

2012

22. Security Analysis of Image-Based PUFs for Anti-counterfeiting

Author

Shariati, Saloomeh, Koeune, François, Standaert, François-Xavier, Communications and Multimedia Security: 13th IFIP TC 6/TC 11 International Conference (CMS 2012), UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique, Université Catholique de Louvain = Catholic University of Louvain (UCL), Bart Decker, David W. Chadwick, TC 6, and TC 11

Subjects

Scheme (programming language), Security analysis, Computer science, Anti-counterfeiting, Physical unclonable function, 02 engineering and technology, Computer security, computer.software_genre, PUFs, Signature (logic), 020202 computer hardware & architecture, Image (mathematics), [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Phisically Unclonable Functions, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, [INFO]Computer Science [cs], computer, Protocol (object-oriented programming), Image based, computer.programming_language

Abstract

Part 1: Research Papers; International audience; Physically Unclonable Functions are a promising tool to protect against counterfeiting attacks. Yet, as with any security system, it is important to embed them in a sound protocol, ensuring that no unexpected weakness is present in the “mortar” binding the components together. This paper proposes an anti-counterfeiting protocol that provably reduces to natural properties of its underlying components, namely an image-based Physical Function System bearing physical unclonability and an existentially unforgeable signature scheme. Experiments confirm the practical feasibility of our construction.

Published

2012

23. Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

Author

Medwed, Marcel, Petit, Christophe, Regazzoni, Francesco, Renauld, Mathieu, Standaert, François-Xavier, 10th IFIP WG 8.8/11.2 International Conference (CARDIS 2011), Université Catholique de Louvain = Catholic University of Louvain (UCL), Emmanuel Prouff, TC 8, TC 11, WG 8.8, WG 11.2, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

Scheme (programming language), Computer science, media_common.quotation_subject, [SHS.INFO]Humanities and Social Sciences/Library and information sciences, Automotive industry, 02 engineering and technology, Side-channel attacks, Fault (power engineering), Computer security, computer.software_genre, Masking (Electronic Health Record), 0202 electrical engineering, electronic engineering, information engineering, Shuffling, Relevance (information retrieval), [INFO]Computer Science [cs], Side channel attack, media_common, computer.programming_language, Shuing, business.industry, Payment, Fault attacks, 020202 computer hardware & architecture, Microcontroller, Masking, Re-keying, 020201 artificial intelligence & image processing, business, computer

Abstract

Part 3: New Algorithms and Protocols; International audience; Security-aware embedded systems are widespread nowadays and many applications, such as payment, pay-TV and automotive applications rely on them. These devices are usually very resource constrained but at the same time likely to operate in a hostile environment. Thus, the implementation of low-cost protection mechanisms against physical attacks is vital for their market relevance. An appealing choice, to counteract a large family of physical attacks with one mechanism, seem to be protocol-level countermeasures. At last year’s Africacrypt, a fresh re-keying scheme has been presented which combines the advantages of re-keying with those of classical countermeasures such as masking and hiding. The contribution of this paper is threefold: most importantly, the original fresh re-keying scheme was limited to one low-cost party (e.g. an RFID tag) in a two party communication scenario. In this paper we extend the scheme to n low-cost parties and show that the scheme is still secure. Second, one unanswered question in the original paper was the susceptibility of the scheme to algebraic SPA attacks. Therefore, we analyze this property of the scheme. Finally, we implemented the scheme on a common 8-bit microcontroller to show its efficiency in software.

Published

2011

24. Very High Order Masking: Efficient Implementation and Security Evaluation

Author

Journault, Anthony, Standaert, François-Xavier, 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES 2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects

business.industry, Computer science, Advanced Encryption Standard, 02 engineering and technology, Computer security model, Masking (Electronic Health Record), 020202 computer hardware & architecture, Embedded software, Cipher, Computer engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, High order, business, Security level, Implementation, Security evaluation

Abstract

In this paper, we study the performances and security of recent masking algorithms specialized to parallel implementations in a 32-bit embedded software platform, for the standard AES Rijndael and the bitslice cipher Fantomas. By exploiting the excellent features of these algorithms for bitslice implementations, we first extend the recent speed records of Goudarzi and Rivain (presented at Eurocrypt 2017) and report realistic timings for masked implementations with 32 shares. We then observe that the security level provided by such implementations is uneasy to quantify with current evaluation tools. We therefore propose a new “multi-model” evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature. This methodology allows us to both bound the security level of our implementations in a principled manner and to assess the risks of overstated security based on well understood parameters. Concretely, it leads us to conclude that these implementations withstand worst-case adversaries with \(>\!2^{64}\) measurements under falsifiable assumptions.