Takaaki Mizuki

Analysis of Electromagnetic Information Leakage From Cryptographic Devices With Different Physical Structures

This paper presents a novel analysis of electromagnetic (EM) information leakage from cryptographic devices, based on the electromagnetic interference (EMI) theory. In recent years, side-channel attack using side-channel information (e.g., power consumption and EM radiation) is of major concern for designers of cryptographic devices. However, few studies have been conducted to investigate how EM information leakage changes according to devices physical parameters. In this paper, we introduce a cryptographic device model to analyze EM information leakage based on the EMI theory in a systematic manner. This device model makes it possible to acquire the frequency characteristics of EM radiation depending on physical parameters, such as board size and power-line length, accurately. The analysis results show that EM information leakage can be explained by the major EMI parameters such as board size and cable length attached to the board. In addition, we demonstrate that the intensity of EM information leakage from a generic device is also explained by board size and cable length.

A formalization of card-based cryptographic protocols via abstract machine

Consider a face-down card lying on the table such that we do not know whether its suit color is black or red. Then, how do we make identical copies of the card while keeping its color secret? A partial solution has been devised: using a number of additional black and red cards, Niemi and Renvall proposed an excellent protocol which can copy a face-down card while allowing only a small probability of revealing its color. In contrast, this paper shows the nonexistence of a perfect solution, namely, the impossibility of copying a face-down card with perfect secrecy. To prove such an impossibility result, we construct a rigorous mathematical model of card-based cryptographic protocols; giving this general computational model is the main result of this paper.

Non-invasive EMI-based fault injection attack against cryptographic modules

In this paper, we introduce a new type of intentional electromagnetic interference (IEMI) which causes information leakage in electrical devices without disrupting their operation or damaging their physical structure. Such IEMI could pose a severe threat to a large number of electrical devices with cryptographic modules since it can be used for performing fault injection attacks, which in turn allows for obtaining faulty outputs (i.e., ciphertexts) from cryptographic modules and exploiting them to reveal information about secret keys. Such faulty outputs are usually generated by inducing faults into target modules through modification or invasion of the modules themselves. In contrast, IEMI-based fault injection can be performed on the target modules from a distance by using an off-the-shelf injection probe without leaving any hard evidence of the attack. We demonstrate fault injection attacks based on the above IEMI through experiments using an Advanced Encryption Standard (AES) module implemented on a standard evaluation board (SASEBO). The experimental results indicate that generating effective faults is feasible and, therefore, such IEMI presents a tangible threat to many existing electrical devices and systems that use cryptographic modules for secure communication and transactions.

Voting with a Logarithmic Number of Cards

Consider an election where there are two candidates and several voters. Such an election usually requires the same number of ballot papers as the number of voters. In this paper, we show that such an election can be conducted using only a logarithmic number of cards with two suits—black and red—with identical backs. That is, we can securely compute the summation of a number of inputs (0s and 1s) using a logarithmic number of cards with respect to the number of inputs.

Mechanism behind Information Leakage in Electromagnetic Analysis of Cryptographic Modules

This paper presents radiation mechanism behind Electromagnetic Analysis (EMA) from remote locations. It has been widely known that electromagnetic radiation from a cryptographic chip could be exploited to conduct side-channel attacks, yet the mechanism behind the radiation has not been intensively studied. In this paper, the mechanism is explained from the view point of Electromagnetic Compatibility (EMC): electric fluctuation released from a cryptographic chip can conduct to peripheral circuits based on ground bounce, resulting in radiation. We demonstrate the consequence of the mechanism through experiments. For this purpose, Simple Electromagnetic Analysis (SEMA) and Differential Electromagnetic Analysis (DEMA) are conducted on FPGA implementations of RSA and AES, respectively. In the experiments, radiation from power and communication cables attached to the FPGA platform is measured. The result indicates, the information leakage can extend beyond security boundaries through such cables, even if the module implements countermeasures against invasive attacks to deny access at its boundary. We conclude that the proposed mechanism can be used to predict circuit components that cause information leakage. We also discuss advanced attacks and noise suppression technologies as countermeasures.

Card-Based Protocols for Any Boolean Function

Card-based protocols that are based on a deck of physical cards achieve secure multi-party computation with information-theoretic secrecy. Using existing AND, XOR, NOT, and copy protocols, one can naively construct a secure computation protocol for any given (multivariable) Boolean function as long as there are plenty of additional cards. However, an explicit sufficient number of cards for computing any function has not been revealed thus far. In this paper, we propose a general approach to constructing an efficient protocol so that six additional cards are sufficient for any function to be securely computed. Further, we prove that two additional cards are sufficient for any symmetric function.

Securely Computing the Three-Input Majority Function with Eight Cards

Assume that Alice, Bob and Carol, each of whom privately holds a one-bit input, want to learn the value of the majority function of their inputs without revealing more of their own secret inputs than is necessary. In this paper, we show that such a secure majority computation can be done with a deck of real cards; specifically, the three players can learn only the majority of their inputs using eight physical cards—four black cards and four red cards—with identical backs.

Practical Card-Based Cryptography

It is known that secure multi-party computations can be achieved using a number of black and red physical cards (with identical backs). In previous studies on such card-based cryptographic protocols, typically an ideal situation where all players are semi-honest and all cards of the same suit are indistinguishable from one another was assumed. In this paper, we consider more realistic situations where, for example, some players possibly act maliciously, or some cards possibly have scuff marks, so that they are distinguishable, and propose methods to maintain the secrecy of players’ private inputs even under such severe conditions.

Efficient Evaluation of EM Radiation Associated With Information Leakage From Cryptographic Devices

This paper presents an efficient map generation technique for evaluating the intensity of electromagnetic (EM) radiation associated with information leakage for cryptographic devices at the printed circuit board level. First, we investigate the relation between the intensity of the overall EM radiation and the intensity of EM information leakage on a cryptographic device. For this purpose, we prepare a map of the magnetic field on the device by using an EM scanning system, after which we perform correlation electromagnetic analysis (CEMA) at all measurement points on the device, including points above the cryptographic module. The examined device is a standard evaluation board for cryptographic modules (side-channel attack standard evaluation board), where a cryptographic circuit is implemented on one of the field-programmable gate arrays on the board. With this experiment, we demonstrate that both an EM radiation map and an information leakage map can be generated simultaneously by scanning the board only once. We also confirm that the generated map is in good agreement with the corresponding map obtained from exhaustive CEMAs.

A complete characterization of a family of key exchange protocols

Abstract.Using a random deal of cards to players and a computationally unlimited eavesdropper, all players wish to share a one-bit secret key which is information-theoretically secure from the eavesdropper. This can be done by a protocol to make several pairs of players share one-bit secret keys so that all these pairs form a tree over players. In this paper we obtain a necessary and sufficient condition on the number of cards for the existence of such a protocol.