Hannes Gross
Graz University of Technology
Publications
Featured research published by Hannes Gross.
The Cryptographers' Track at the RSA Conference | 2017
Hannes Gross; Stefan Mangard; Thomas Korak
Passive physical attacks, like power analysis, pose a serious threat to the security of digital circuits. In this work, we introduce an efficient side-channel protected Advanced Encryption Standard (AES) hardware design that is completely scalable in terms of protection order. Therefore, we revisit the private circuits scheme of Ishai et al. [13] which is known to be vulnerable to glitches. We demonstrate how to achieve resistance against multivariate higher-order attacks in the presence of glitches for the same randomness cost as the private circuits scheme. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order.
The Information Society | 2016
Hannes Gross; Stefan Mangard; Thomas Korak
Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this talk, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit. To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order. Besides our theoretical security analysis, we also evaluate the security of the AES implementation with t-test based side-channel leakage assessments up to the second protection order.
Radio Frequency Identification Security and Privacy Issues | 2014
Hannes Gross; Erich Wenger; Honorio Martin; Michael Hutter
The Internet of Things (IoT) envisions an autonomous network between everyday objects to create real-life services. This enables new applications that necessarily require a high level of security and privacy. In this paper, we present PIONEER, a Prototype for the Internet of Things based on an Extendable EPC Gen2 RFID tag. It is the first prototype that integrates the Internet Protocol Security suite (IPsec) into the new EPC Gen2 Version 2 standard. Furthermore, it integrates all mandatory cryptographic primitives to support IPsec on an RFID tag, i.e., AES-128 for encryption/decryption, 192-bit Elliptic Curve Diffie-Hellman (ECDH) for key agreement, and a True Random Number Generator (TRNG). To keep the flexibility high, we further integrated an 8-bit microcontroller that implements the new security features of the EPC Gen2 standard in C code. The entire design was synthesized for a 130 nm CMOS process technology. It requires about 52 kGE including all necessary components to establish a secure IPsec tunnel between the RFID tag and a client on the Internet. The prototype is fully compliant with already existing Internet and RFID standards and allows first cost estimations for a practical realization of high-security IoT applications.
Cryptographic Hardware and Embedded Systems | 2017
Hannes Gross; Stefan Mangard
The continually growing number of security-related autonomous devices requires efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks. Masking provides high resistance against SCA at an adjustable level of security. A high level of SCA resistance, however, goes hand in hand with an increasing demand for fresh randomness which drastically increases the implementation costs. Since hardware-based masking schemes have other security requirements than software masking schemes, the research in these two fields has been conducted quite independently over the last ten years. One important practical difference is that recently published software schemes achieve a lower randomness footprint than hardware masking schemes. In this work, we combine existing software and hardware masking schemes into a unified masking algorithm. We demonstrate how to protect software and hardware implementations using the same masking algorithm, and for lower randomness costs than the separate schemes. Especially for hardware implementations, the randomness costs can in some cases be halved over the state of the art. Theoretical considerations as well as practical implementation results are then used for a comparison with existing schemes from different perspectives and at different levels of security.
Theory and Application of Cryptographic Techniques | 2018
Roderick Bloem; Hannes Gross; Rinat Iusupov; Bettina Könighofer; Stefan Mangard; Johannes Winter
Masking provides a high level of resistance against side-channel analysis. However, in practice there are many possible pitfalls when masking schemes are applied, and implementation flaws are easily overlooked. Over the recent years, the formal verification of masked software implementations has made substantial progress. In contrast to software implementations, hardware implementations are inherently susceptible to glitches. Therefore, the same methods tailored for software implementations are not readily applicable.
Radio Frequency Identification Security and Privacy Issues | 2015
Hannes Gross
Embedded systems are often used in security-critical scenarios where physical access of an adversary cannot be prevented. An attacker with unrestricted physical access to an embedded device could thus use observation-based attacks like power analysis or chip probing techniques to extract chip-internal secrets. In this work, we investigate how to counteract first-order passive physical attacks on an embedded microcontroller. In particular, we focus on the protection of the central point of data processing in the microcontroller design, the arithmetic logic unit (ALU), with the provably secure threshold implementation (TI) masking scheme. Our results show that the amount of required fresh random bits (a problem many masked implementations suffer from) can be reduced to only one bit per ALU access and clock cycle. The total chip area overhead for implementing the whole microcontroller of our case study as a three-share TI is about a factor of 2.8.
Cryptology and Network Security | 2015
Hannes Gross; Marko Hölbl; Daniel Slamanig; Raphael Spreitzer
Besides the opportunities offered by the all-embracing Internet of Things (IoT) technology, it also poses a tremendous threat to the privacy of the carriers of these devices. In this work, we build upon the idea of an RFID-based IoT realized by means of standardized and well-established Internet protocols. In particular, we demonstrate how the Internet Protocol Security protocol suite (IPsec) can be applied in a privacy-aware manner. Therefore, we introduce a privacy-aware mutual authentication protocol compatible with restrictions imposed by the IPsec standard and analyze its privacy and security properties. With this work, we show that privacy in the IoT can be achieved without proprietary protocols and on the basis of existing Internet standards.
European Solid State Device Research Conference | 2015
Lukas Zoscher; Jasmin Grosinger; Raphael Spreitzer; Ulrich Muehlmann; Hannes Gross; Wolfgang Bosch
Established automatic fare collection (AFC) solutions for public transport systems that use proximity HF radio frequency identification (RFID) smart cards lack a convenient method to determine the alighting point of a passenger. This paper considers an AFC system based on passive HF/UHF dual band RFID transponders. A UHF RFID link is envisaged for remote passenger detection. The paper discusses the general system architecture of the proposed AFC system. Furthermore, an appropriate security layer is introduced that also covers privacy concerns related to the remote passenger detection. We identify that the RF performance of the UHF RFID sub-system of an HF/UHF dual band RFID transponder is critical for the reliability of the remote passenger detection. The architecture and implementation challenges of a corresponding future HF/UHF dual band transponder IC are discussed.
Digital Systems Design | 2015
Hannes Gross; Erich Wenger; Christoph Dobraunig; Christoph Ehrenhöfer
Ciphers that provide confidentiality and authenticity, that are fast in software and efficient in hardware: these are the goals of the CAESAR authenticated encryption competition. In this paper, the promising CAESAR candidate ASCON is implemented in hardware and optimized for different typical applications to fully explore ASCON's design space. Thus, we are able to present hardware implementations of Ascon suitable for RFID tags, Wireless Sensor Nodes, Embedded Systems, and applications that need maximum performance. For instance, we show that an ASCON implementation with a single unrolled round transformation is only 7 kGE large, but can process up to 5.5 Gbit/sec of data (0.75 cycles/byte), which is already enough to encrypt a Gigabit Ethernet connection. Besides, ASCON is not only fast and small, it can also be easily protected against DPA attacks. A threshold implementation of ASCON just requires about 8 kGE of chip area, which is only 3.1 times larger than the unprotected low-area optimized implementation.
Cryptographic Hardware and Embedded Systems | 2018
Hannes Gross; Rinat Iusupov; Roderick Bloem
In this work, we introduce a generalized concept for low-latency masking that is applicable to any implementation and protection order, and (in its most extreme form) does not require on-the-fly randomness. The main idea of our approach is to avoid collisions of shared variables in nonlinear circuit parts and to skip the share compression. We show the feasibility of our approach on a full implementation of a one-round unrolled Ascon variant and on an AES S-box case study. Additionally, we discuss possible trade-offs to make our approach interesting for practical implementations. As a result, we obtain a first-order masked AES S-box that is calculated in a single clock cycle with rather high implementation costs (60.7 kGE), and a two-cycle variant with much less implementation costs (6.7 kGE). The side-channel resistance of our Ascon S-box designs up to order three is then verified using the formal analysis tool of [BGI+18]. Furthermore, we introduce a taint checking based verification approach that works specifically for our low-latency approach and allows us to verify large circuits like our low-latency AES S-box design in reasonable time.