Josep Balasch
Katholieke Universiteit Leuven
Publications
Featured research published by Josep Balasch.
smart card research and advanced application conference | 2014
Josep Balasch; Benedikt Gierlichs; Vincent Grosso; Oscar Reparaz; François-Xavier Standaert
Masking is one of the most popular countermeasures to mitigate side-channel analysis. Yet, its deployment in actual cryptographic devices is well known to be challenging, since designers have to ensure that the leakage corresponding to different shares is independent. Several works have shown that such an independent leakage assumption may be contradicted in practice, because of physical effects such as “glitches” or “transition-based” leakages. As a result, implementing masking securely can be a time-consuming engineering problem. This is in strong contrast with recent and promising approaches for the automatic insertion of countermeasures exploiting compilers, that aim to limit the development time of side-channel resistant software. Motivated by this contrast, we question what can be hoped for these approaches – or more generally for masked software implementations based on careless assembly generation. For this purpose, our first contribution is a simple reduction from security proofs obtained in a (usual but not always realistic) model where leakages depend on the intermediate variables manipulated by the target device, to security proofs in a (more realistic) model where the transitions between these intermediate variables are leaked. We show that the cost of moving from one context to the other implies a division of the security order by two for masking schemes. Next, our second and main contribution is to provide a comprehensive empirical validation of this reduction, based on two microcontrollers, several (handwritten and compiler-based) ways of generating assembly codes, with and without “recycling” the randomness used for sharing. These experiments confirm the relevance of our analysis, and therefore quantify the cost of lazy engineering for masking.
workshop on fault diagnosis and tolerance in cryptography | 2011
Josep Balasch; Benedikt Gierlichs; Ingrid Verbauwhede
The literature about fault analysis typically describes fault injection mechanisms, e.g. glitches and lasers, and cryptanalytic techniques to exploit faults based on some assumed fault model. Our work narrows the gap between both topics. We thoroughly analyse how clock glitches affect a commercial low-cost processor by performing a large number of experiments on five devices. We observe that the effects of fault injection on two-stage pipeline devices are more complex than commonly reported in the literature. While injecting a fault is relatively easy, injecting an exploitable fault is hard. We further observe that the easiest-to-inject and most reliable fault is the replacement of instructions, and that random faults do not occur. Finally, we explain how typical fault attacks can be mounted on this device, and describe a new attack for which the fault injection is easy and the cryptanalysis trivial.
IEEE Transactions on Dependable and Secure Computing | 2011
Carmela Troncoso; George Danezis; Eleni Kosta; Josep Balasch; Bart Preneel
Pay-As-You-Drive insurance schemes are establishing themselves as the future of car insurance. However, their current implementations, in which fine-grained location data are sent to insurers, entail a serious privacy risk. We present PriPAYD, a system where the premium calculations are performed locally in the vehicle, and only aggregated data are sent to the insurance company, without leaking location information. Our design is based on well-understood security techniques that ensure its correct functioning. We discuss the viability of PriPAYD in terms of cost, security, and ease of certification. We demonstrate that PriPAYD is possible through a proof-of-concept implementation that shows how privacy can be obtained at a very reasonable extra cost.
cryptographic hardware and embedded systems | 2015
Josep Balasch; Benedikt Gierlichs; Oscar Reparaz; Ingrid Verbauwhede
We present DPA attacks on an ARM Cortex-A8 processor running at 1 GHz. This high-end processor is typically found in portable devices such as phones and tablets. In our case, the processor sits in a single board computer and runs a full-fledged Linux operating system. The targeted AES implementation is bitsliced and runs in constant time and constant flow. We show that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor. To harden the bitsliced implementation against DPA attacks, we mask it using principles of hardware gate-level masking. We evaluate the security of our masked implementation against first-order and second-order attacks. Our experiments show that successful attacks require roughly two orders of magnitude more measurements.
international conference on the theory and application of cryptology and information security | 2012
Josep Balasch; Sebastian Faust; Benedikt Gierlichs; Ingrid Verbauwhede
A recent trend in cryptography is to formally prove the leakage resilience of cryptographic implementations, that is, to formally show that a scheme remains provably secure even in the presence of side channel leakage. Although many of the proposed schemes are secure in a surprisingly strong model, most of them are unfortunately rather inefficient and come without practical security evaluations or implementation attempts. In this work, we take a further step towards closing the gap between theoretical leakage resilient cryptography and more practice-oriented research. In particular, we show that masking countermeasures based on the inner product not only exhibit strong theoretical leakage resilience, but moreover provide better practical security or efficiency than earlier masking countermeasures. We demonstrate the feasibility of inner product masking by giving a secured implementation of the AES for an 8-bit processor.
IEEE Transactions on Information Forensics and Security | 2011
Alfredo Rial; Josep Balasch; Bart Preneel
Buyer-seller watermarking protocols allow copyright protection of digital goods. To protect privacy, some of those protocols provide buyers with anonymity. However, anonymous e-commerce protocols pose several disadvantages, like hindering customer management or requiring anonymous payment mechanisms. Additionally, no existing buyer-seller watermarking protocol provides fair exchange. We propose a novel approach for the design of privacy-preserving buyer-seller watermarking protocols. In our approach, the seller authenticates buyers but does not learn which items are purchased. Since buyers are not anonymous, customer management is eased and currently deployed methods of payment can be utilized. We define an ideal functionality for privacy-preserving copyright protection protocols. To realize our functionality, a protocol must ensure that buyers pay the right price without disclosing the purchased item, and that sellers are able to identify buyers that released pirated copies. We construct a protocol based on priced oblivious transfer and on existing techniques for asymmetric watermark embedding. Furthermore, we implement and evaluate the efficiency of our protocol, and we explain how to extend it in order to achieve optimistic fair exchange.
theory and application of cryptographic techniques | 2015
Josep Balasch; Sebastian Faust; Benedikt Gierlichs
Masking is a popular countermeasure against side channel attacks. Many practical works use Boolean masking because of its simplicity, ease of implementation and comparably low performance overhead. Some recent works have explored masking schemes with higher algebraic complexity and have shown that they provide more security than Boolean masking at the cost of higher overheads. In particular, masking based on the inner product was shown to be practical, albeit not efficient, for a small security parameter, and at the same time provably secure in the domain of leakage resilient cryptography for a large security parameter. In this work we explore a security versus efficiency tradeoff and provide an improved and tweaked inner product masking. Our practical security evaluation shows that it is less secure than the original inner product masking but more secure than Boolean masking. Our performance evaluation shows that our scheme is only four times slower than Boolean masking and more than two times faster than the original inner product masking. Besides the practical security analysis, we prove the security of our scheme and its masked operations in the threshold probing model.
international symposium on electromagnetic compatibility | 2015
Josep Balasch; Benedikt Gierlichs; Ingrid Verbauwhede
Integrated circuit counterfeits, relabeled parts and maliciously modified integrated circuits (so-called Hardware Trojan horses) are a recognized emerging threat for embedded systems in safety or security critical applications. We propose a Hardware Trojan detection technique based on fingerprinting the electromagnetic emanations of integrated circuits. In contrast to most previous work, we do not evaluate our proposal using simulations but we rather conduct experiments with an FPGA. We investigate the effectiveness of our technique in detecting extremely small Hardware Trojans located at different positions within the FPGA. In addition, we also study its robustness to the often neglected issue of variations in the test environment. The results show that our method is able to detect most of our test Hardware Trojans but also highlight the difficulty of measuring emanations of unrealistically tiny Hardware Trojans. The results also confirm that our method is sensitive to changes in the test environment.
design, automation, and test in europe | 2010
Josep Balasch; Ingrid Verbauwhede; Bart Preneel
Systems based on satellite localization are enabling new scenarios for road charging schemes by offering the possibility to charge drivers as a function of their road usage. An in-vehicle installation of a black box with the capabilities of a Location Based Service terminal suffices to deploy such a scheme. In the most straightforward architecture, a back-end server collects vehicles' location data in order to extract the correct fees. However, with industry, governments and users being more and more aware of privacy issues, the deployment of such a system seems to be contradictory. Our contribution is the demonstration of a practical and functional road charging system based on PriPAYD [1]. Our black box is built to guarantee that most of the processing of location data happens in real time, thus minimizing the overheads required to ensure security and privacy. The performance of our software-based prototype is tested and proves that the deployment of a privacy-friendly solution can be achieved with a minimal cost increment compared to existing road charging schemes.
IEEE Transactions on Education | 2013
Leif Uhsadel; Markus Ullrich; Amitabh Das; Dusko Karaklajic; Josep Balasch; Ingrid Verbauwhede; Wim Dehaene
This paper describes a lab session-based course on hardware/software (HW/SW) co-design. Real problems often need to combine the speed of an HW solution with the flexibility of an SW solution. The goals of this course are to show that there are many alternative solutions in the design space and to teach the fundamental concepts of HW/SW co-design. The sample application for the course project is a basic public key (RSA) application. This application is attractive for pedagogic purposes because its complex arithmetic and large word lengths make it difficult to realize in SW on an embedded microcontroller. However, the alternative of a pure application-specific integrated circuit (ASIC) application is also not a satisfactory solution, as this lacks the flexibility to support multiple public key applications. The project follows a stepwise approach, with assignments that build on each other. Students are required to make their own decisions as to the partitioning between HW and SW, the interface design, and the optimization goals. Besides imparting hard skills in HW design and embedded SW design, the course inculcates several soft skills (in particular, decision making, presentation skills, teamwork, and design creativity) that are generally overlooked in engineering.