
Publication

Featured research published by Jingqiang Lin.


IEEE Symposium on Security and Privacy | 2015

Protecting Private Keys against Memory Disclosure Attacks Using Hardware Transactional Memory

Le Guan; Jingqiang Lin; Bo Luo; Jiwu Jing; Jing Wang

Cryptography plays an important role in computer and communication security. In practical implementations of cryptosystems, the cryptographic keys are usually loaded into memory as plaintext and then used in the cryptographic algorithms. Therefore, the private keys are subject to memory disclosure attacks that read unauthorized data from RAM. Such attacks could be performed through software methods (e.g., OpenSSL Heartbleed) even when the integrity of the victim system's executable binaries is maintained. They could also be performed through physical methods (e.g., cold-boot attacks on RAM chips) even when the system is free of software vulnerabilities. In this paper, we propose Mimosa, which protects RSA private keys against the above software-based and physical memory attacks. When the Mimosa service is idle, private keys are encrypted and reside in memory as ciphertext. During the cryptographic computing, Mimosa uses hardware transactional memory (HTM) to ensure that (a) whenever a malicious process other than Mimosa attempts to read the plaintext private key, the transaction aborts and all sensitive data are automatically cleared with hardware mechanisms, due to the strong atomicity guarantee of HTM, and (b) all sensitive data, including private keys and intermediate states, appear as plaintext only within CPU-bound caches, and are never loaded to RAM chips. To the best of our knowledge, Mimosa is the first solution to use transactional memory to protect sensitive data against memory disclosure attacks. We have implemented Mimosa on a commodity machine with Intel Core i7 Haswell CPUs. Through extensive experiments, we show that Mimosa effectively protects cryptographic keys against various attacks that attempt to read sensitive data from memory, and it only introduces a small performance overhead.


Trust, Security and Privacy in Computing and Communications | 2012

Offline RFID Grouping Proofs with Trusted Timestamps

Cunqing Ma; Jingqiang Lin; Yuewu Wang; Ming Shang

With the wide deployment of RFID applications, RFID security issues are drawing more and more attention. The RFID grouping proof aims to provide verifiable evidence that two or more RFID tags were scanned simultaneously. It extends the yoking proof for two RFID tags to prove the coexistence of a set of tags (e.g., some drugs can only be sold in the presence of a prescription). In many grouping proof scenarios, the time when the grouping proof was generated is critical to judging whether a transaction is legal or not, and the protocol usually should work in offline mode. Although many grouping proof protocols with various features have been proposed, they either work in online mode or have difficulties in generating a grouping proof with the precise transaction time in offline mode. Therefore, we propose a protocol to generate offline RFID grouping proofs with trusted timestamps, where the verifier can obtain the precise transaction time. As far as we know, it is the first practical offline grouping proof protocol that includes the precise transaction time. Properties, performance evaluation and security analysis of our design are also presented in this paper.


FTRA International Conference on Secure and Trust Computing, Data Management, and Application | 2011

Efficient Secret Sharing Schemes

Chunli Lv; Xiaoqi Jia; Jingqiang Lin; Jiwu Jing; Lijun Tian; Mingli Sun

We propose a new XOR-based (k,n) threshold secret sharing scheme (SSS), where the secret is a binary string and only XOR operations are used to make shares and recover the secret. Moreover, it is easy to extend our scheme to a multi-secret sharing scheme. When k is closer to n, the computation costs are much lower than those of existing XOR-based schemes in both the distribution and recovery phases. In our scheme, using more shares (≥ k) will accelerate the recovery speed.


International Conference on Information Security | 2014

Exploiting the Floating-Point Computing Power of GPUs for RSA

Fangyu Zheng; Wuqiong Pan; Jingqiang Lin; Jiwu Jing; Yuan Zhao

Asymmetric cryptographic algorithms (e.g., RSA and ECC) have been implemented on Graphics Processing Units (GPUs) for several years. These implementations mainly exploit the highly parallel GPU architecture and port the integer-based algorithms for common CPUs to GPUs, offering high performance. However, the great potential cryptographic computing power of GPUs, especially from the more powerful floating-point instructions, has in fact not been comprehensively investigated. In this paper, we try to fully exploit the floating-point computing power of GPUs for RSA through various designs, including the floating-point-based Montgomery multiplication algorithm, the optimization of the fundamental operations and the utilization of the latest thread data sharing instruction, shuffle. The experimental result on an NVIDIA GTX Titan for 2048-bit RSA decryption reaches a throughput of 38,975 operations per second, achieves 2.21 times the performance of the existing fastest integer-based work and outperforms the previous floating-point-based implementation by a large margin.


Decision and Game Theory for Security | 2012

Using Signaling Games to Model the Multi-step Attack-Defense Scenarios on Confidentiality

Jingqiang Lin; Peng Liu; Jiwu Jing

In the multi-step attack-defense scenarios (MSADSs), each rational player (the attacker or the defender) tries to maximize his payoff, but the uncertainty about his opponent prevents him from taking the suitable actions. The defender doesn’t know the attacker’s target list, and may deploy unnecessary but costly defenses to protect machines not in the target list. Similarly, the attacker doesn’t know the deployed protections, and may spend lots of time and effort on a well-protected machine. We develop a repeated two-way signaling game to model the MSADSs on confidentiality, and show how to find the actions maximizing the expected payoffs through the equilibrium. In the proposed model, on receiving each intrusion detection system alert (i.e., a signal), the defender follows the equilibrium to gradually reduce the uncertainty about the attacker’s targets and calculate the defenses maximizing his expected payoff.


Trust, Security and Privacy in Computing and Communications | 2012

Efficient Missing Tag Detection in a Large RFID System

Cunqing Ma; Jingqiang Lin; Yuewu Wang

Missing tag detection is an important problem for large RFID application systems (e.g., inventory control), and is drawing more and more attention from the research community in recent years. Li et al. proposed the Iterative ID-free Protocol (IIP) to identify the missing tags in a large RFID system, achieving high time efficiency. However, our analysis and experiments show that the time efficiency of IIP drops sharply when the missing rate increases. By exploiting information contained in the expected singleton slots, we propose IIPS to improve IIP, achieving high and steady time efficiency under both high and low missing rates. Furthermore, by identifying the missing tags in the expected collision slots and dynamically computing the missing rate through estimation of the present tags and statistics about the missing tags, we propose IIPS-CP and IIPS-CM, achieving higher time efficiency than IIPS under high missing rates. Our simulations show that, compared with IIP, when the total number of tags is 10000 and the missing rate is 80%, IIPS, IIPS-CP and IIPS-CM reduce the average time for identifying each tag by 84.8%, 88.9% and 89.3%, respectively.


Information Security Practice and Experience | 2011

An efficient group-based secret sharing scheme

Chunli Lv; Xiaoqi Jia; Jingqiang Lin; Jiwu Jing; Lijun Tian

We propose a new secret sharing scheme which can be computed over an Abelian group, such as (Binary string, XOR) and (Integer, Addition). Therefore, only the XOR or the addition operations are required to implement the scheme. It is very efficient and is suitable for low-cost, low-energy applications such as RFID tags. Making shares has a geometric presentation, which makes our scheme easy to understand and analyze.


International Conference on Information and Communication Security | 2012

Hardware performance optimization and evaluation of SM3 hash algorithm on FPGA

Yuan Ma; Luning Xia; Jingqiang Lin; Jiwu Jing; Zongbin Liu; Xingjie Yu

Hash algorithms are widely used for data integrity and authenticity. The Chinese government recently published a standard hash algorithm, SM3, which is highly recommended for commercial applications. However, little research on SM3 implementation has been published. We find that the existing optimization techniques cannot be adopted for SM3 efficiently, due to the complex computation and strong data dependency. In this paper, we present our novel optimization techniques: shift initialization and SRL-based implementation. Based on these techniques, we propose two architectures, a compact design and a high-throughput design, both of which significantly improve the performance on FPGA. As far as we know, our work is the first to evaluate SM3 hardware performance. The evaluation result suggests that SM3, with low area and high efficiency, is suitable for hardware implementations, especially for resource-limited platforms.


Workshop on Information Security Applications | 2014

Exploiting the Potential of GPUs for Modular Multiplication in ECC

Fangyu Zheng; Wuqiong Pan; Jingqiang Lin; Jiwu Jing; Yuan Zhao

In the traditional multiple-precision large integer multiplication algorithm, the required number of additions approximates the number of multiplications needed. On some platforms, the great number of add instructions will occupy about half of the computing latency in the overall implementation. In this paper, we propose a multiplication algorithm using the separated multiply-add-with-carry instruction supported by NVIDIA GPUs. In the algorithm, we reorder the computational sequence so that nearly all additions and carry flag handling can be combined with the multiplication instructions. The number of add instructions needed decreases from \(O(n^2)\) in the prevailing schoolbook algorithm to \(O(n)\). Our resulting 256-bit modular multiplication and modular square over a Mersenne prime respectively achieve 3.3837 billion and 5.9928 billion operations per second and reach 96% of the GPU hardware limitation. An elliptic curve point multiplication implementation using our algorithm achieves a 43.6% speedup compared to the existing fastest work.


Applied Cryptography and Network Security | 2012

RIKE: using revocable identities to support key escrow in PKIs

Nan Zhang; Jingqiang Lin; Jiwu Jing; Neng Gao

Public key infrastructures (PKIs) are proposed to provide various security services. Some security services, such as confidentiality, require key escrow in certain scenarios, while others, such as non-repudiation, prohibit key escrow. Moreover, these two conflicting requirements can coexist for one user. The common solution, in which each user has two certificates and an escrow authority backs up all escrowed private keys for users, faces problems of efficiency and scalability. In this paper, a novel key management infrastructure called RIKE is proposed to integrate the inherent key escrow of identity-based encryption (IBE) into PKIs. In RIKE, a user's PKI certificate also serves as a revocable identity to derive the user's IBE public key, and the revocation of its IBE key pair is achieved by the certificate revocation of PKIs. Therefore, the certificate binds the user with two key pairs, one of which is escrowed and the other is not. RIKE is an effective certificate-based solution and highly compatible with traditional PKIs.

Collaboration

Top Co-Authors of Jingqiang Lin

Jiwu Jing (Chinese Academy of Sciences)
Peng Liu (Pennsylvania State University)
Bo Luo (University of Kansas)
Yuan Ma (Chinese Academy of Sciences)
Le Guan (Pennsylvania State University)
Fangyu Zheng (Chinese Academy of Sciences)
Wuqiong Pan (Chinese Academy of Sciences)
Qiongxiao Wang (Chinese Academy of Sciences)
Luning Xia (Chinese Academy of Sciences)
Neng Gao (Chinese Academy of Sciences)