
Publication


Featured researches published by Christophe Clavier.


cryptographic hardware and embedded systems | 2004

Correlation Power analysis with a leakage model

Eric Brier; Christophe Clavier; Francis Olivier

A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.


cryptographic hardware and embedded systems | 2000

Differential Power Analysis in the Presence of Hardware Countermeasures

Christophe Clavier; Jean-Sébastien Coron; Nora Dabbous

The silicon industry has lately been focusing on side channel attacks, that is attacks that exploit information that leaks from the physical devices. Although different countermeasures to thwart these attacks have been proposed and implemented in general, such protections do not make attacks infeasible, but increase the attacker's experimental (data acquisition) and computational (data processing) workload beyond reasonable limits. This paper examines different ways to attack devices featuring random process interrupts and noisy power consumption.


Archive | 2009

Cryptographic Hardware and Embedded Systems - CHES 2009

Christophe Clavier; Kris Gaj

Software Implementations.- Faster and Timing-Attack Resistant AES-GCM.- Accelerating AES with Vector Permute Instructions.- SSE Implementation of Multivariate PKCs on Modern x86 CPUs.- MicroEliece: McEliece for Embedded Devices.- Invited Talk 1.- Physical Unclonable Functions and Secure Processors.- Side Channel Analysis of Secret Key Cryptosystems.- Practical Electromagnetic Template Attack on HMAC.- First-Order Side-Channel Attacks on the Permutation Tables Countermeasure.- Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA.- Differential Cluster Analysis.- Side Channel Analysis of Public Key Cryptosystems.- Known-Plaintext-Only Attack on RSA-CRT with Montgomery Multiplication.- A New Side-Channel Attack on RSA Prime Generation.- Side Channel and Fault Analysis Countermeasures.- An Efficient Method for Random Delay Generation in Embedded Software.- Higher-Order Masking and Shuffling for Software Implementations of Block Ciphers.- A Design Methodology for a DPA-Resistant Cryptographic LSI with RSL Techniques.- A Design Flow and Evaluation Framework for DPA-Resistant Instruction Set Extensions.- Invited Talk 2.- Crypto Engineering: Some History and Some Case Studies.- Pairing-Based Cryptography.- Hardware Accelerator for the Tate Pairing in Characteristic Three Based on Karatsuba-Ofman Multipliers.- Faster -Arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves.- Designing an ASIP for Cryptographic Pairings over Barreto-Naehrig Curves.- New Ciphers and Efficient Implementations.- KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers.- Programmable and Parallel ECC Coprocessor Architecture: Tradeoffs between Area, Speed and Security.- Elliptic Curve Scalar Multiplication Combining Yao's Algorithm and Double Bases.- TRNGs and Device Identification.- The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators.- Low-Overhead Implementation of a Soft Decision Helper Data Algorithm for SRAM PUFs.- CDs Have Fingerprints Too.- Invited Talk 3.- The State-of-the-Art in IC Reverse Engineering.- Hot Topic Session: Hardware Trojans and Trusted ICs.- Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering.- MERO: A Statistical Approach for Hardware Trojan Detection.- Theoretical Aspects.- On Tamper-Resistance from a Theoretical Viewpoint.- Mutual Information Analysis: How, When and Why?.- Fault Analysis.- Fault Attacks on RSA Signatures with Partially Unknown Messages.- Differential Fault Analysis on DES Middle Rounds.


cryptographic hardware and embedded systems | 2001

Universal Exponentiation Algorithm: A First Step towards Provable SPA-Resistance

Christophe Clavier; Marc Joye

Very few countermeasures are known to protect an exponentiation against simple side-channel analyses. Moreover, all of them are heuristic.


workshop on fault diagnosis and tolerance in cryptography | 2007

Passive and Active Combined Attacks on AES Combining Fault Attacks and Side Channel Analysis

Christophe Clavier; Benoit Feix; Georges Gagnerot; Mylène Roussellet

Tamper resistance of hardware products is currently a very popular subject for researchers in the security domain. Since the first Kocher side-channel (passive) attack, the Bellcore researchers and Biham and Shamir fault (active) attacks, many other side-channel and fault attacks have been published. The design of efficient countermeasures still remains a difficult task for IC designers and manufacturers as they must also consider the attacks which combine active and passive threats. It has been shown previously that combined attacks can defeat RSA implementations if side-channel countermeasures and fault protections are developed separately instead of being designed together. This paper demonstrates that combined attacks are also effective on symmetric cryptosystems and shows how they may jeopardize a supposedly state of the art secure AES implementation.


cryptographic hardware and embedded systems | 2006

Why one should also secure RSA public key elements

Eric Brier; Benoît Chevallier-Mames; Mathieu Ciet; Christophe Clavier

It is well known that a malicious adversary can try to retrieve secret information by inducing a fault during cryptographic operations. Following the work of Seifert on fault inductions during RSA signature verification, we consider in this paper the signature counterpart. Our article introduces the first fault attack applied on RSA in standard mode. By only corrupting one public key element, one can recover the private exponent. Indeed, similarly to Seifert’s attack, our attack is done by modifying the modulus. One of the strong points of our attack is that the assumptions on the induced faults’ effects are relaxed. In one mode, absolutely no knowledge of the fault’s behavior is needed to achieve the full recovery of the private exponent. In another mode, based on a fault model defining what is called dictionary, the attack’s efficiency is improved and the number of faults is dramatically reduced. All our attacks are very practical. Note that those attacks do work even against implementations with deterministic (e.g., RSA-FDH) or random (e.g., RSA-PFDH) paddings, except for cases where we have signatures with randomness recovery (such as RSA-PSS). The results finally presented in this paper lead us to conclude that it is also mandatory to protect RSA’s public parameters against fault attacks.


the cryptographers track at the rsa conference | 2008

Fault analysis study of IDEA

Christophe Clavier; Benedikt Gierlichs; Ingrid Verbauwhede

We present a study of several fault attacks against the block cipher IDEA. Such a study is particularly interesting because of the target cipher's specific property to employ operations on three different algebraic groups while not using substitution tables. We observe that the attacks perform very differently in terms of efficiency. Although requiring a restrictive fault model, the first attack can not reveal a sufficient amount of key material to pose a real threat, while the second attack requires a large number of faults in the same model to achieve this goal. In the general random fault model, i.e. we assume that the fault has a random and a priori unknown effect on the target value, the third attack, which is the first Differential Fault Analysis of IDEA to the best of our knowledge, recovers 93 out of 128 key bits exploiting about only 10 faults. For this particular attack, we can also relax the assumption of cycle accurate fault injection to a certain extent.


international conference on information systems security | 2007

An improved SCARE cryptanalysis against a secret A3/A8 GSM algorithm

Christophe Clavier

Side-channel analysis has been recognized for several years as a practical and powerful means to reveal secret keys of publicly known cryptographic algorithms. Rarely this kind of cryptanalysis has been applied to reverse engineer a non-trivial part of the specifications of a proprietary algorithm. The target here is no more one's secret key value but the undisclosed specifications of the cryptographic algorithm itself. In [8], Novak described how to recover the content of one (out of two) substitution table of a secret instance of the A3/A8 algorithm, the authentication and session key generation algorithm for GSM networks. His attack presents however two drawbacks from a practical viewpoint. First, in order to retrieve one substitution table (T2), the attacker must know the content of another one (T1). Second, the attacker must also know the value of the secret key K. In this paper, we improve on Novak's cryptanalysis and show how to retrieve both substitution tables (T1 and T2) without any prior knowledge about the secret key. Furthermore, our attack also recovers the secret key. With this contribution, we intend to present a practical SCARE (Side Channel Analysis for Reverse Engineering) attack, anticipate a growing interest for this new area of side-channel signal exploitation, and remind, if needed, that security cannot be achieved by obscurity alone.


workshop on fault diagnosis and tolerance in cryptography | 2006

Fault analysis of DPA-Resistant algorithms

Frederic Amiel; Christophe Clavier; Michael Tunstall

In this paper several attacks are presented that allow information to be derived on faults injected at the beginning of cryptographic algorithm implementations that use Boolean masking to defend against Differential Power Analysis (DPA). These attacks target the initialisation functions that are used to enable the algorithm to be protected, allowing a fault attack even in the presence of round redundancy. A description of the experiments leading to the development of these attacks is also given.


workshop on fault diagnosis and tolerance in cryptography | 2006

Case study of a fault attack on asynchronous DES crypto-processors

Yannick Monnet; Marc Renaudin; Régis Leveugle; Christophe Clavier; Pascal Moitrel

This paper proposes a practical fault attack on two asynchronous DES crypto-processors, a reference version and a hardened version, using round reduction. Because of their specific architecture, asynchronous circuits have a very specific behavior in the presence of faults. Previous works show that they are an interesting alternative to design robust systems. However, this paper demonstrates that there are weaknesses left, and that we are able both to identify and exploit them. The effect of the fault is to reduce the number of rounds by corrupting the multi-rail round counter protected by alarm cells. The fault injection mean is a laser. A description of the fault injection process is presented, followed by how the results can be used to retrieve the key. Weaknesses are theoretically identified and analyzed. Finally, possible counter-measures are described.

Collaboration


Dive into Christophe Clavier's collaboration.

Top Co-Authors

Benedikt Gierlichs

Katholieke Universiteit Leuven
