Phuong Ha Nguyen
Nanyang Technological University
Publications
Featured research published by Phuong Ha Nguyen.
International Workshop on Constructive Side-Channel Analysis and Secure Design | 2015
Sikhar Patranabis; Abhishek Chakraborty; Phuong Ha Nguyen; Debdeep Mukhopadhyay
In this paper we propose the first practical fault attack on the time redundancy countermeasure for AES using a biased fault model. We develop a scheme to show the effectiveness of a biased fault model in the analysis of the time redundancy countermeasure. Our attack requires only faulty ciphertexts and does not assume strong adversarial powers. We successfully demonstrate our attack on simulated data and on a 128-bit time-redundant AES implemented on a Xilinx Spartan-3A FPGA.
International Conference on the Theory and Application of Cryptology and Information Security | 2012
Hongjun Wu; Tao Huang; Phuong Ha Nguyen; Huaxiong Wang; San Ling
The stream cipher ZUC is the core component of the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3. In this paper, we present the details of our differential attacks against ZUC 1.4. The vulnerability in ZUC 1.4 is due to the non-injective property of the initialization, which allows a difference in the initialization vector to be cancelled. In the first attack, a difference is injected into the first byte of the initialization vector, and one out of 2^15.4 random keys results in two identical keystreams after testing 2^13.3 IV pairs for each key. The identical keystreams pose a serious threat to the use of ZUC 1.4 in applications, since it is similar to reusing a key in a one-time pad. Once identical keystreams are detected, the key can be recovered with average complexity 2^99.4. In the second attack, a difference is injected into the second byte of the initialization vector, and every key can result in two identical keystreams with about 2^54 IVs. Once identical keystreams are detected, the key can be recovered with complexity 2^67. We have presented a method to fix the flaw by updating the LFSR in an injective way during initialization. Our suggested method is used in the later versions of ZUC. The latest ZUC 1.6 is secure against our attacks.
International Conference on Information Security and Cryptology | 2013
Sebastian Kutzner; Phuong Ha Nguyen; Axel Poschmann
Threshold Implementation (TI) is an elegant and promising lightweight countermeasure for hardware implementations to resist first-order Differential Power Analysis (DPA) in the presence of glitches. Unfortunately, in its most efficient version with only three shares, it could so far be applied to only 50% of all 4-bit S-boxes. In this paper, we introduce a new approach, called factorization, that enables us to protect all 4-bit S-boxes with a 3-share TI. This allows, for the first time, the protection of numerous important ciphers to which the 3-share TI countermeasure was previously not applicable, such as CLEFIA, DES, DESL, GOST, HUMMINGBIRD1, HUMMINGBIRD2, LUCIFER, mCrypton, SERPENT, TWINE and TWOFISH, among others. We verify the security and correctness with experiments on simulations and real-world power traces, and finally provide exemplary decompositions of all those S-boxes.
International Workshop on Constructive Side-Channel Analysis and Secure Design | 2013
Sebastian Kutzner; Phuong Ha Nguyen; Axel Poschmann; Huaxiong Wang
One of the most promising lightweight hardware countermeasures against SCA attacks is the so-called Threshold Implementation (TI) [12] countermeasure. In this work we discuss issues concerning its applicability and introduce solutions to boost its implementation efficiency. In particular, our contribution is three-fold: first, we introduce two methodologies to efficiently implement 3-share TI for a given S-box. Second, as an example, we successfully apply these methodologies to PRESENT and are able to decrease the area requirements of its protected S-box by 37-40%. Third, we present the first successful practical Mutual Information Attack on the original 3-share TI implementation of PRESENT and compare it with a correlation-enhanced collision attack using second-order moments.
ACM Transactions on Design Automation of Electronic Systems | 2017
Phuong Ha Nguyen; Durga Prasad Sahoo; Rajat Subhra Chakraborty; Debdeep Mukhopadhyay
Unpredictability is an important security property of a Physically Unclonable Function (PUF) in the context of statistical attacks, where the correlation between challenge-response pairs is explicitly exploited. In the existing literature on PUFs, the Hamming Distance Test, denoted by HDT(t), was proposed to evaluate the unpredictability of PUFs; it is a simplified case of the Propagation Criterion test PC(t). The objective of these test schemes is to estimate the output transition probability when t or fewer input bits flip, and ideally this probability should be 0.5. In this work, we show that the aforementioned two test schemes are not enough to ensure the unpredictability of a PUF design. We propose a new test, denoted HDT(e, t). This test scheme is a fine-tuned version of the previous schemes, as it considers the flipping bit pattern vector e along with the parameter t. As a contribution, we provide a comprehensive discussion and analytic interpretation of the HDT(t), PC(t), and HDT(e, t) test schemes for the Arbiter PUF (APUF), Exclusive-OR (XOR) PUF, and Lightweight Secure PUF (LSPUF). Our analysis establishes that the HDT(e, t) test is more general than the HDT(t) and PC(t) tests. In addition, we demonstrate a few scenarios where an adversary can exploit the information obtained from the analysis of the HDT(e, t) properties of APUF, XOR PUF, and LSPUF to develop statistical attacks on them, if the ideal value HDT(e, t) = 0.5 is not achieved for a given PUF. We validate our theoretical observations using simulated and Field Programmable Gate Array (FPGA) implemented APUF, XOR PUF, and LSPUF designs.
Design, Automation, and Test in Europe | 2015
Phuong Ha Nguyen; Durga Prasad Sahoo; Rajat Subhra Chakraborty; Debdeep Mukhopadhyay
Physically Unclonable Function (PUF) circuits are an important class of hardware security primitives that promise a paradigm shift in applied cryptography. The Ring Oscillator PUF (ROPUF) is an important PUF variant, but it suffers from hardware overhead limitations, which in turn restrict the size of its challenge space. To overcome this fundamental shortcoming, improved ROPUF variants based on the subset selection concept have been proposed, which significantly "expand" the challenge space of a ROPUF at acceptable hardware overhead. In this paper, we develop cryptanalytic attacks on a previously proposed low-overhead and robust ROPUF variant. The proposed attacks are practical, as they have quadratic time and data complexities in the worst case. We demonstrate the effectiveness of the proposed attack by successfully attacking a public-domain dataset acquired from FPGA implementations.
IEEE Transactions on Information Forensics and Security | 2013
Chester Rebeiro; Phuong Ha Nguyen; Debdeep Mukhopadhyay; Axel Poschmann
The success of a side-channel attack depends mainly on three factors, namely the cipher algorithm, the attack platform, and the measurement noise. In this paper, we consider a class of side-channel attacks known as differential cache attacks on Feistel ciphers, and develop a theoretical framework to understand the relationship between the attack's success, the target platform, and the cipher algorithm. The framework allows a comparison of various differential cache attack forms, and is supported by case studies on the block ciphers CLEFIA and CAMELLIA. To understand the effect of noise on the attack's success, the paper uses empirical methods on standard Intel platforms in a time-driven side-channel analysis scenario.
VLSI Design and Test | 2014
Phuong Ha Nguyen; Durga Prasad Sahoo; Debdeep Mukhopadhyay; Rajat Subhra Chakraborty
In recent years, Physically Unclonable Functions (PUFs) have become an important cryptographic primitive and are used in secure systems to resist physical attacks. Since PUFs have many useful properties, such as memory-leakage resilience, unclonability and tamper resistance, they have drawn great interest in academia as well as industry. As extremely useful hardware security primitives, PUFs are used in various proposed applications such as device authentication and identification, random number generation, and intellectual property protection. One important requirement for PUFs is a small hardware overhead, so that they can be used in lightweight applications such as RFID. To achieve this goal, Composite PUFs were developed and introduced at RECONFIG2013 and HOST2014. In a nutshell, Composite PUFs are built from many small PUF primitives. In this talk, we show that the Composite PUFs introduced at RECONFIG2013 are not secure by presenting their cryptanalysis.
International Conference on Cryptology in Africa | 2014
Sebastian Kutzner; Phuong Ha Nguyen; Axel Poschmann; Marc Stöttinger
Countermeasures against side-channel analysis attacks are increasingly considered already during the design/implementation step of cryptographic algorithms for embedded devices. An important challenge is to reduce the overhead (area, time) introduced by the countermeasures, and consequently a lot of progress has been achieved in this direction in the past years. In this contribution we propose a further optimization of the decomposition of 4-bit S-boxes by exploiting affine transformations and a single shared quadratic permutation. Thereby many different S-boxes can be merged into one component, reducing the resource overhead. We applied our proposed scheme to a Threshold Implementation masked PRESENT S-box and its inverse in order to construct a merged masked S-box, which can be used for both encryption and decryption. This design saves up to 24% of resources on a Virtex-5 FPGA platform and up to 28% for an ASIC implementation compared to previously published designs. It is noteworthy that our technique is not restricted to the TI countermeasure, but also allows reducing the resource requirements of the non-linear layer of cryptographic algorithms with a set of different S-boxes, such as SERPENT or DES, amongst others.
International Conference on Information Security and Cryptology | 2012
Phuong Ha Nguyen; Chester Rebeiro; Debdeep Mukhopadhyay; Huaxiong Wang
Block ciphers with Feistel structures are prone to a class of cache attacks known as differential cache attacks, which monitor power or timing side-channels to reveal the secret key. Differential cache attacks were first demonstrated on the block cipher CLEFIA, which has a type-2 generalized Feistel structure. In this paper we improve the attack methodology by showing that a sophisticated method of choosing plaintexts can result in a considerable reduction in attack complexity. This, coupled with other cryptanalytic techniques, when applied to the block cipher SMS4, requires just 2^10 plaintexts to recover the SMS4 secret key from power traces for a 64-byte cache line. Further, the attack becomes more dangerous for large cache lines. For example, with a 128-byte cache line, only 52 power traces are required. Experimental validation of the complete attack has been done on an Intel Xeon microprocessor. Further, we suggest an alteration to the SMS4 algorithm that can counter this attack.