Kerstin Lemke-Rust
Ruhr University Bochum
Publication
Featured research published by Kerstin Lemke-Rust.
cryptographic hardware and embedded systems | 2006
Benedikt Gierlichs; Kerstin Lemke-Rust; Christof Paar
Template Attacks and the Stochastic Model provide advanced methods for side channel cryptanalysis that make use of ‘a-priori’ knowledge gained from a profiling step. For a systematic comparison of Template Attacks and the Stochastic Model, we use two sets of measurement data that originate from two different microcontrollers and setups. Our main contribution is to capture performance aspects against crucial parameters such as the number of measurements available during profiling and classification. Moreover, optimization techniques are evaluated for both methods under consideration. Especially for a low number of measurements and noisy samples, the use of a T-Test based algorithm for the choice of relevant instants can lead to significant performance gains. As a main result, T-Test based Templates are the method of choice if a high number of samples is available for profiling. However, in case of a low number of samples for profiling, stochastic methods are an alternative and can reach superior efficiency both in terms of profiling and classification.
international conference on information security | 2008
Lejla Batina; Benedikt Gierlichs; Kerstin Lemke-Rust
We propose a new class of distinguishers for differential side-channel analysis based on nonparametric statistics. As an example we use Spearman's rank correlation coefficient. We present a comparative study of several statistical methods applied to real power measurements from an AES prototype chip to demonstrate the effectiveness of the proposed method. Our study shows that Spearman's rank coefficient outperforms all other univariate tests under consideration. In particular we note that Pearson's correlation coefficient requires about three times more samples for reliable key recovery than the method we propose. Further, multivariate methods with a profiling step which are commonly assumed to be the most powerful attacks are not significantly more efficient at key extraction than the attack we propose. Our results indicate that power models which are linear in the transition count are not optimal for the attacked prototype chip.
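The distinguisher comparison described in this abstract, as an added example that is not code from the paper or from its authors: a Python correlation power analysis over constructed traces of a first-round AES S-box output, scored once with Pearson's coefficient and once with Spearman's rank coefficient. The leakage function (2 to the power of the Hamming weight, plus Gaussian noise, standing in for a chip whose leakage is not linear in the bit count), the noise level, the trace count and the key byte are assumptions chosen for the demonstration; the AES S-box itself is generated from its definition rather than typed in.

```python
"""Added example: Pearson vs Spearman-rank CPA on constructed first-round AES S-box leakage.
Not code from the paper; the leakage function, noise level and key byte are assumptions."""
import random


def gen_aes_sbox():
    """AES S-box built from the GF(2^8) inverse and affine map (no 256-entry literal needed)."""
    def rotl(v, s):
        return ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3, in three steps
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; affine map of 0 is the constant
    return sbox


SBOX = gen_aes_sbox()
HW = [bin(v).count("1") for v in range(256)]


def simulate_traces(n, key_byte, noise_sd, rng):
    """Constructed traces: one leakage sample per random plaintext byte. The leakage is a
    monotone but non-linear function of the S-box output's Hamming weight (an assumption
    standing in for a chip whose leakage is not linear in the bit count) plus Gaussian noise."""
    plaintexts, leakage = [], []
    for _ in range(n):
        p = rng.randrange(256)
        plaintexts.append(p)
        leakage.append(2.0 ** HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, noise_sd))
    return plaintexts, leakage


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx > 0 and syy > 0 else 0.0


def ranks(values):
    """Fractional ranks; tied values share their average rank (the HW model has only 9 levels)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2.0 + 1.0
        for k in range(i, j + 1):
            r[order[k]] = avg
        i = j + 1
    return r


def spearman(x, y):
    """Spearman's rank correlation is Pearson's correlation computed on the ranks."""
    return pearson(ranks(x), ranks(y))


def cpa_scores(plaintexts, leakage, distinguisher):
    """Score every key-byte hypothesis with the Hamming-weight model of the S-box output."""
    scores = []
    for k in range(256):
        model = [HW[SBOX[p ^ k]] for p in plaintexts]
        scores.append(abs(distinguisher(model, leakage)))
    return scores


def key_rank(scores, key_byte):
    """0 means the correct key byte has the highest score."""
    return sorted(range(256), key=lambda k: -scores[k]).index(key_byte)


def run_attack(n_traces=500, key_byte=0x2B, noise_sd=10.0, seed=1):
    """Rank of the true key byte under each distinguisher on one constructed trace set."""
    rng = random.Random(seed)
    pts, leak = simulate_traces(n_traces, key_byte, noise_sd, rng)
    return {
        "pearson": key_rank(cpa_scores(pts, leak, pearson), key_byte),
        "spearman": key_rank(cpa_scores(pts, leak, spearman), key_byte),
    }


if __name__ == "__main__":
    print(run_attack())
```

Run `run_attack()` with smaller `n_traces` or larger `noise_sd` to find the point at which each distinguisher stops placing the true key byte at rank 0. Because Spearman's coefficient is computed on ranks, it is unchanged by any monotone transform of the leakage, which is the property a nonparametric distinguisher relies on when the chip's leakage is not linear in the modelled quantity.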
cryptographic hardware and embedded systems | 2009
Lejla Batina; Benedikt Gierlichs; Kerstin Lemke-Rust
We propose a new technique called Differential Cluster Analysis for side-channel key recovery attacks. This technique uses cluster analysis to detect internal collisions and it combines features from previously known collision attacks and Differential Power Analysis. It captures more general leakage features and can be applied to algorithmic collisions as well as implementation specific collisions. In addition, the concept is inherently multivariate. Various applications of the approach are possible: with and without power consumption model and single as well as multi-bit leakage can be exploited. Our findings are confirmed by practical results on two platforms: an AVR microcontroller with implemented DES algorithm and an AES hardware module. To the best of our knowledge, this is the first work demonstrating the feasibility of internal collision attacks on highly parallel hardware platforms. Furthermore, we present a new attack strategy for the targeted AES hardware module.
workshop on information security applications | 2006
Dario Carluccio; Kerstin Lemke-Rust; Christof Paar; Ahmad-Reza Sadeghi
Since the introduction of RFID technology there have been public debates on security and privacy concerns. In this context the Machine Readable Travel Document (MRTD), also known as e-passport, is of particular public interest. Whereas strong cryptographic mechanisms for authenticity are specified for MRTDs, the mechanisms for access control and confidentiality are still weak. In this paper we revisit the privacy concerns caused by the Basic Access Control mechanism of MRTDs and consider German e-passports as a use case. We present a distributed hardware architecture that can continuously read and record RF based communication at public places with high e-passport density like airports and is capable of performing cryptanalysis nearly in real-time. For cryptanalysis, we propose a variant of the cost-efficient hardware architecture (COPACOBANA) which has been recently realized. Once MRTD holder identification data are revealed, this information can be inserted into distributed databases enabling global supervision activities. Assuming RF readers and eavesdropping devices are installed in several different airports or used in other similar places, e.g., in trains, one is able to trace any individual similar to tracing packages sent using postal services such as UPS.
cryptographic hardware and embedded systems | 2007
Kerstin Lemke-Rust; Christof Paar
We introduce the use of multivariate Gaussian mixture models for enhancing higher-order side channel analysis on masked cryptographic implementations. Our contribution considers an adversary with incomplete knowledge at profiling, i.e., the adversary does not know random numbers used for masking. At profiling, the adversary observes a mixture probability density of the side channel leakage. However, the EM algorithm can provide estimates on the unknown parameters of the component densities using samples drawn from the mixture density. Practical results are presented and confirm the usefulness of Gaussian mixture models and the EM algorithm. Especially, success rates obtained by automatic classification based on the estimates of the EM algorithm are very close to success rates of template attacks.
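The profiling step this abstract describes, as an added example that is not taken from the paper: Python EM for a two-component, diagonal-covariance Gaussian mixture fitted to constructed two-instant leakage of a Boolean-masked bit, where the profiling adversary knows the secret bit but not the mask of each trace, with a known-mask template fitted on the same data for comparison. The leakage model (each instant leaks one bit plus Gaussian noise), the noise level, the sample counts and the one-bit mask are assumptions made to keep the mixture at two components; all function names are the example's own.

```python
"""Added example: EM on a two-component Gaussian mixture built from constructed leakage of a
Boolean-masked bit, profiled without knowing the masks, next to a template built with known
masks. Not code from the paper; leakage model, noise level and sizes are assumptions."""
import math
import random


def simulate(x, n, sd, rng):
    """Constructed 2-instant traces for secret bit x: instant 1 leaks x XOR m, instant 2 leaks
    the mask m, each with Gaussian noise. Returns [(trace, m), ...]; m is kept only so the
    known-mask template can be built for comparison."""
    out = []
    for _ in range(n):
        m = rng.randrange(2)
        trace = (float(x ^ m) + rng.gauss(0.0, sd), float(m) + rng.gauss(0.0, sd))
        out.append((trace, m))
    return out


def log_gauss(v, mu, var):
    return -0.5 * (v - mu) ** 2 / var - 0.5 * math.log(2.0 * math.pi * var)


def log_component(t, mu, var):
    """Diagonal-covariance 2-D Gaussian (independent noise per instant is an assumption)."""
    return log_gauss(t[0], mu[0], var[0]) + log_gauss(t[1], mu[1], var[1])


def log_mixture(t, model):
    weights, means, vars_ = model
    terms = [math.log(w) + log_component(t, mu, v) for w, mu, v in zip(weights, means, vars_)]
    top = max(terms)
    return top + math.log(sum(math.exp(a - top) for a in terms))


def em_fit(traces, n_iter=40):
    """Fit two components to traces whose masks are unknown. Initialised by splitting on the
    median of instant 1; each iteration is an E-step (responsibilities) and an M-step."""
    by_t1 = sorted(traces, key=lambda t: t[0])
    half = len(by_t1) // 2
    groups = [by_t1[:half], by_t1[half:]]
    means = [[sum(t[d] for t in g) / len(g) for d in range(2)] for g in groups]
    vars_ = [[0.25, 0.25], [0.25, 0.25]]
    weights = [0.5, 0.5]
    for _ in range(n_iter):
        resp = []
        for t in traces:
            lp = [math.log(weights[k]) + log_component(t, means[k], vars_[k]) for k in range(2)]
            top = max(lp)
            p = [math.exp(a - top) for a in lp]
            tot = p[0] + p[1]
            resp.append([p[0] / tot, p[1] / tot])
        for k in range(2):
            nk = sum(r[k] for r in resp)
            weights[k] = nk / len(traces)
            for d in range(2):
                means[k][d] = sum(r[k] * t[d] for r, t in zip(resp, traces)) / nk
                vars_[k][d] = max(sum(r[k] * (t[d] - means[k][d]) ** 2
                                      for r, t in zip(resp, traces)) / nk, 1e-6)
    return weights, means, vars_


def template_fit(samples):
    """Known-mask template: group by m and estimate each component directly."""
    weights, means, vars_ = [], [], []
    for m in (0, 1):
        g = [t for t, mm in samples if mm == m]
        mu = [sum(t[d] for t in g) / len(g) for d in range(2)]
        var = [max(sum((t[d] - mu[d]) ** 2 for t in g) / len(g), 1e-6) for d in range(2)]
        weights.append(len(g) / len(samples))
        means.append(mu)
        vars_.append(var)
    return weights, means, vars_


def success_rate(models, test_samples_by_x):
    """Classify each test trace to the bit whose mixture gives the higher likelihood."""
    hits = total = 0
    for x, samples in test_samples_by_x.items():
        for t, _ in samples:
            guess = max((0, 1), key=lambda b: log_mixture(t, models[b]))
            hits += guess == x
            total += 1
    return hits / total


def run_profiling(n_profile=1000, n_test=400, sd=0.25, seed=7):
    """Profile both bit values with EM (masks unknown) and with templates (masks known),
    then classify fresh traces with each; returns the EM models and both success rates."""
    rng = random.Random(seed)
    prof = {x: simulate(x, n_profile, sd, rng) for x in (0, 1)}
    test = {x: simulate(x, n_test, sd, rng) for x in (0, 1)}
    em_models = {x: em_fit([t for t, _ in prof[x]]) for x in (0, 1)}
    tmpl_models = {x: template_fit(prof[x]) for x in (0, 1)}
    return {"em": em_models, "em_success": success_rate(em_models, test),
            "template_success": success_rate(tmpl_models, test)}


if __name__ == "__main__":
    r = run_profiling()
    print(r["em"][0][1], r["em_success"], r["template_success"])
```

`run_profiling()` returns the EM-estimated components and the classification success rates of both profiles on fresh traces; with well-separated components the two rates come out nearly equal, which is the abstract's observation. The place to stress the method is a larger `sd` or a multi-bit mask, where the number of mixture components grows with the mask space and the initialisation matters much more than it does here.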
international conference on move to meaningful internet systems | 2007
Yifei Liu; Timo Kasper; Kerstin Lemke-Rust; Christof Paar
Since the introduction of the Machine Readable Travel Document (MRTD) that is also known as e-passport for human identification at border control debates have been raised about security and privacy concerns. In this paper, we present the first hardware implementation for cracking Basic Access Control (BAC) keys of the e-passport issuing schemes in Germany and the Netherlands. Our implementation was designed for the reprogrammable key search machine COPACOBANA and achieves a key search speed of 2^28 BAC keys per second. This is a speed-up factor of more than 200 if compared to previous results and allows for a runtime in the order of seconds in realistic scenarios.
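The BAC key derivation that such a search has to evaluate per candidate, as an added example that is not the paper's COPACOBANA implementation: Python following the ICAO Doc 9303 construction (MRZ_information with check digits, SHA-1 seed, K_enc and K_mac with DES parity adjustment), wrapped in a software search over a window of birth and expiry dates for a known document number. The date windows are assumptions chosen for the demonstration, the public 9303 worked-example MRZ stands in for the victim document, and the candidate check compares against the victim's K_mac instead of verifying a recorded reader/passport exchange, which the page does not describe; the function names are the example's own.

```python
"""Added example: Basic Access Control key derivation from the MRZ (ICAO Doc 9303) and the
brute-force loop a BAC key search runs. Not code from the paper; the candidate check is a
stand-in for verifying a candidate against a recorded reader/passport exchange."""
import hashlib
from datetime import date, timedelta


def mrz_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits as-is, A..Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            v = 0
        elif ch.isdigit():
            v = int(ch)
        else:
            v = ord(ch) - ord("A") + 10
        total += v * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """The MRZ_information string hashed for the BAC seed: document number (padded to 9 with
    '<'), date of birth and date of expiry, each followed by its check digit."""
    doc = doc_number.ljust(9, "<")
    return (doc + mrz_check_digit(doc)
            + birth_yymmdd + mrz_check_digit(birth_yymmdd)
            + expiry_yymmdd + mrz_check_digit(expiry_yymmdd))


def adjust_des_parity(key):
    """Force odd parity on every byte (the DES key convention 9303 applies to K_enc/K_mac)."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def bac_keys(mrz_info):
    """K_seed = SHA-1(MRZ_information)[:16]; K_enc / K_mac from SHA-1(K_seed || counter)."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


def bac_key_search(doc_number, birth_start, expiry_start, days, is_match):
    """Enumerate every (birth, expiry) date pair in two windows of `days` days for a known
    document number, derive the keys and stop at the first candidate `is_match` accepts.
    Returns (candidates_tried, matching_mrz_info) or (candidates_tried, None)."""
    tried = 0
    for db in range(days):
        birth = (birth_start + timedelta(days=db)).strftime("%y%m%d")
        for de in range(days):
            expiry = (expiry_start + timedelta(days=de)).strftime("%y%m%d")
            info = mrz_information(doc_number, birth, expiry)
            tried += 1
            _, k_enc, k_mac = bac_keys(info)
            if is_match(k_enc, k_mac):
                return tried, info
    return tried, None


# Worked example from ICAO 9303 (public test vector), used here as the "victim" document.
EXAMPLE_MRZ_INFO = mrz_information("L898902C", "690806", "940623")


def demo():
    """Recover the example document's MRZ data from a 30-day window around each date.
    The stand-in check compares K_mac with the victim's; a real search would verify the
    candidate against a recorded authentication exchange instead (not shown)."""
    _, _, target_mac = bac_keys(EXAMPLE_MRZ_INFO)
    return bac_key_search("L898902C", date(1969, 7, 20), date(1994, 6, 10), 30,
                          lambda k_enc, k_mac: k_mac == target_mac)


if __name__ == "__main__":
    print(EXAMPLE_MRZ_INFO, bac_keys(EXAMPLE_MRZ_INFO)[0].hex(), demo())
```

The search cost is the product of the uncertainties in the three MRZ fields, which is why the hardware key rate matters: every candidate costs three SHA-1 computations before the verification step even starts, and the 30-by-30 window here is already 900 candidates for a single known document number.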
european symposium on research in computer security | 2007
Kerstin Lemke-Rust; Christof Paar
Side channel cryptanalysis is a collective term for implementation attacks aiming at recovering secret or private keys from a cryptographic module by observing its physical leakage at run-time. Stochastic methods have already been introduced for first order differential side channel analysis. This contribution provides a compendium for the use of stochastic methods on masked implementations, i.e., on implementations that use internal random numbers in order to effectively prevent first order side channel attacks. Practical evidence is given that stochastic methods are also well suited for analyzing masked implementations, especially, as they are capable of combining several chosen components of different internal states for a multivariate side channel analysis.
international symposium on industrial embedded systems | 2008
Gordon Meiser; Thomas Eisenbarth; Kerstin Lemke-Rust; Christof Paar
This work is motivated by the question of how efficient modern stream ciphers in the eSTREAM project (Profile I) can be implemented on small embedded microcontrollers that are also constrained in memory resources. In response to this question, we present the first implementation results for Dragon, HC-128, LEX, Salsa20, Salsa20/12, and Sosemanuk on 8-bit microcontrollers. These ciphers are definitively free for any use, i.e., their use is not covered by intellectual property rights. For the evaluation process, we follow a two-stage approach and compare with efficient implementations of the AES block cipher. First, the C code implementation provided by the ciphers' designers was ported to an 8-bit AVR microcontroller and the suitability of these stream ciphers for the use in embedded systems was assessed. In the second stage we implemented Dragon, LEX, Salsa20, Salsa20/12, and Sosemanuk in assembler to tap the full potential of an embedded implementation. Our efficiency metrics are memory usage in flash and SRAM and performance of keystream generation, key setup, and IV setup. Regarding encryption speed, all stream ciphers except for Salsa20 turned out to outperform AES. In terms of memory needs, Salsa20, Salsa20/12, and LEX are almost as compact as AES. In view of the final eSTREAM portfolio (Profile I), Salsa20/12 is the only promising alternative for the AES cipher on memory constrained 8-bit embedded microcontrollers. For embedded applications with high throughput requirements, Sosemanuk is the most suitable cipher if its considerably higher memory needs can be tolerated.
workshop on fault diagnosis and tolerance in cryptography | 2006
Kerstin Lemke-Rust; Christof Paar
This contribution presents a unified adversarial model for fault analysis which considers various natures of faults and attack scenarios with a focus on pervasive low-cost cryptographic devices. According to their fault induction techniques we distinguish the non-invasive adversary, the semi-invasive adversary, and the invasive adversary. We introduce an implementation based concept of achievable spatial and time resolution that results from the physical fault induction technique. Generic defense strategies are reviewed.
Lecture Notes in Computer Science | 2006
Benedikt Gierlichs; Kerstin Lemke-Rust; Christof Paar