Publication


Featured research published by Berndt Gammel.


The Cryptographers' Track at the RSA Conference | 2005

Side-channel leakage of masked CMOS gates

Stefan Mangard; Thomas Popp; Berndt Gammel

There are many articles and patents on the masking of logic gates. However, the existing publications assume that a masked logic gate switches its output no more than once per clock cycle. Unfortunately, this assumption usually does not hold true in practice. In this article, we show that glitches occurring in circuits of masked gates make these circuits susceptible to classical first-order DPA attacks. Besides a thorough theoretical analysis of the DPA-resistance of masked gates in the presence of glitches, we also provide simulation results that confirm the theoretical elaborations. Glitches occur in every CMOS circuit. Consequently, the currently known masking schemes for CMOS gates do not prevent DPA attacks.


International Symposium on Circuits and Systems | 2006

An NLFSR-based stream cipher

Berndt Gammel; Rainer Göttfert; Oliver Kniffler

We propose a hardware oriented 80-bit-key binary additive stream cipher. The keystream generator consists of ten nonlinear feedback shift registers whose output sequences are combined by a Boolean function of algebraic degree four. The design size of the keystream generator is about 2200 GE. In 130 nm CMOS technology, a throughput of more than 1 Gbps can be achieved. The length of the initial value used for resynchronization can be any multiple of eight between zero and eighty. The maximum amount of keystream that can be used between two resynchronization steps is $2^{68}$ bits. A parallel implementation of the stream cipher produces one byte of keystream per clock cycle.


Cryptographic Hardware and Embedded Systems | 2005

Masking at gate level in the presence of glitches

Wieland Fischer; Berndt Gammel

It has recently been shown that logic circuits in the implementation of cryptographic algorithms, although protected by “secure” random masking schemes, leak side-channel information, which can be exploited in differential power attacks [14]. The leak is due to the fact that the mathematical models describing the gates neglected multiple switching of the outputs of the gates in a single clock cycle. This effect, however, is typical for CMOS circuits and known as glitching. Hence several currently known masking schemes are not secure in theory or practice. Solutions for DPA secure circuits based on logic styles which do not show glitches have several disadvantages in practice. In this paper, we refine the model for the power consumption of CMOS gates taking into account the side-channel of glitches. It is shown that for a general class of gate-level masking schemes a universal set of masked gates does not exist. However, there is a family of masked gates which is theoretically secure in the presence of glitches if certain practically controllable implementation constraints are imposed. This set of gates should be suitable for automated CMOS circuit synthesis.


Information Theory Workshop | 2007

On the frame length of Achterbahn-128/80

Rainer Göttfert; Berndt Gammel

In this paper we examine a correlation attack against combination generators introduced by Meier et al. in 2006 and extended to a more powerful tool by Naya-Plasencia. The method has been used in the cryptanalysis of the stream ciphers Achterbahn and Achterbahn-128/80. No mathematical proofs for the method were given. We show that rigorous proofs can be given in an appropriate model, and that the implications derived from that model are in accordance with experimental results obtained from a true combination generator. We generalize the new correlation attack and, using that generalization, show that the internal state of Achterbahn-128 can be recovered with complexity $2^{119}$ using $2^{48.54}$ consecutive keystream bits. In order to investigate a lower bound for the frame length of Achterbahn-128 we consider another application of the generalized correlation attack. This attack has complexity $2^{136}$ (higher than brute force) and requires $2^{44.99}$ keystream bits. Similar results hold for Achterbahn-128. Due to these findings our new recommendation for the frame length of Achterbahn-128 and Achterbahn-80 is $2^{44}$ bits.


Journal of Electronic Testing | 2010

On the Duality of Probing and Fault Attacks

Berndt Gammel; Stefan Mangard

In this work we investigate the problem of simultaneous privacy and integrity protection in cryptographic circuits. We consider a white-box scenario with a powerful, yet limited attacker. A concise metric for the level of probing and fault security is introduced, which is directly related to the capabilities of a realistic attacker. In order to investigate the interrelation of probing and fault security we introduce a common mathematical framework based on the formalism of information and coding theory. The framework unifies the known linear masking schemes. We prove a central theorem about the properties of linear codes which leads to optimal secret sharing schemes. These schemes provide the lower bound for the number of masks needed to counteract an attacker with a given strength. The new formalism reveals an intriguing duality principle between the problems of probing and fault security, and provides a unified view on privacy and integrity protection using error detecting codes. Finally, we introduce a new class of linear tamper-resistant codes. These are eligible to preserve security against an attacker mounting simultaneous probing and fault attacks.


WCC'05 Proceedings of the 2005 international conference on Coding and Cryptography | 2005

Linear filtering of nonlinear shift-register sequences

Berndt Gammel; Rainer Göttfert

Nonlinear n-stage feedback shift-register sequences over the finite field $\mathbb{F}_q$ of period $q^n - 1$ are investigated under linear operations on sequences. We prove that all members of an easily described class of linear combinations of shifted versions of these sequences possess useful properties for cryptographic applications: large periods, large linear complexities and good distribution properties. They typically also have good maximum order complexity values as has been observed experimentally. A running key generator is introduced based on certain nonlinear feedback shift registers with modifiable linear feedforward output functions.


Archive | 2002

Microprocessor configuration with encryption

Berndt Gammel; Oliver Kniffler; Holger Sedlak


Archive | 2002

Device and method for determining a physical address from a virtual address, using a hierarchical mapping rule comprising compressed nodes

Berndt Gammel; Christian May; Ralph Ledwa; Holger Sedlak


Archive | 2004

Device and method for generating random numbers using a pseudo random number generator

Berndt Gammel; Rainer Goettfert; Holger Sedlak


Archive | 2005

Cryptographic unit and method for operating a cryptographic unit

Berndt Gammel; Holger Bock; Michael Goessel
