Publication


Featured research published by Tobias Schneider.


Cryptographic Hardware and Embedded Systems (CHES) | 2015

Leakage Assessment Methodology

Tobias Schneider; Amir Moradi

Evoked by the increasing need to integrate side-channel countermeasures into security-enabled commercial devices, evaluation labs are seeking a standard approach that enables a fast, reliable and robust evaluation of the side-channel vulnerability of the given products. To this end, standardization bodies such as NIST intend to establish a leakage assessment methodology fulfilling these demands. One such proposal is Welch's t-test, which is being put forward by Cryptography Research Inc., and is able to relax the dependency between the evaluations and the device's underlying architecture. In this talk the theoretical background of the test's different flavors is reviewed, and a roadmap is presented that can be followed by the evaluation labs to efficiently and correctly conduct the tests. More precisely, a stable, robust and efficient way to perform the tests at higher orders is expressed. Further, the test is extended to multivariate settings, and details on how to efficiently and rapidly carry out such a multivariate higher-order test are provided.


Insect Biochemistry and Molecular Biology | 2012

Intestinal aspartate proteases TiCatD and TiCatD2 of the haematophagous bug Triatoma infestans (Reduviidae): Sequence characterisation, expression pattern and characterisation of proteolytic activity

Carsten Balczun; Janna Siemanowski; Jennifer Katharina Pausch; Stefan Helling; Katrin Marcus; Christian Stephan; Helmut E. Meyer; Tobias Schneider; Christian Cizmowski; Marina Oldenburg; Sandra Höhn; Christian Karl Meiser; Wolfgang Schuhmann; Günter A. Schaub

Two aspartate protease encoding complementary deoxyribonucleic acids (cDNA) were characterised from the small intestine (posterior midgut) of Triatoma infestans and the corresponding genes were named TiCatD and TiCatD2. The deduced 390 and 393 amino acid sequences of both enzymes contain two regions characteristic for cathepsin D proteases and the conserved catalytic aspartate residues forming the catalytic dyad, but only TiCatD2 possesses an entire C-terminal proline loop. The amino acid sequences of TiCatD and TiCatD2 show 51-58% similarity to other insect cathepsin D-like proteases and, respectively, 88 and 58% similarity to the aspartate protease ASP25 from T. infestans available in the GenBank database. In phylogenetic analysis, TiCatD and ASP25 clearly separate from cathepsin D-like sequences of other insects; TiCatD2 groups with cathepsin D-like proteases with proline loop. The activity of purified TiCatD and TiCatD2 was highest between pH 2 and 4, respectively, and hence deviates from the pH values of the lumen of the small intestine, which varied in correlation with the time after feeding between pH 5.2 and 6.7 as determined by means of micro pH electrodes. Both cathepsins, TiCatD and TiCatD2, were purified from the lumen of the small intestine using pepstatin affinity chromatography and identified by nanoLC-ESI-MS/MS analysis as those encoded by the cDNAs. The proteolytic activity of the purified enzymes is highest at pH 3 and the respective genes are expressed in both regions of the midgut, stomach (anterior midgut) and small intestine, not in the rectum, salivary glands, Malpighian tubules or haemocytes. The temporal expression pattern of both genes in the small intestine after feeding revealed a feeding dependent regulation for TiCatD but not for TiCatD2.


Journal of Cryptographic Engineering | 2016

Leakage assessment methodology: Extended version

Tobias Schneider; Amir Moradi

Evoked by the increasing need to integrate side-channel countermeasures into security-enabled commercial devices, evaluation labs are seeking a standard approach that enables a fast, reliable and robust evaluation of the side-channel vulnerability of the given products. To this end, standardization bodies such as NIST intend to establish a leakage assessment methodology fulfilling these demands. One of such proposals is the Welch’s t test, which is being put forward by Cryptography Research Inc. and is able to relax the dependency between the evaluations and the device’s underlying architecture. In this work, we deeply study the theoretical background of the test’s different flavors and present a roadmap which can be followed by the evaluation labs to efficiently and correctly conduct the tests. More precisely, we express a stable, robust and efficient way to perform the tests at higher orders. Further, we extend the test to multivariate settings and provide details on how to efficiently and rapidly carry out such a multivariate higher-order test. Including a suggested methodology to collect the traces for these tests, we point out practical case studies where different types of t tests can exhibit the leakage of supposedly secure designs.
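The non-specific (fixed-versus-random) t-test described in the abstract above, as an added worked example that is not code from the paper or its authors. It runs Welch's t-test per sample point at first order and, after centring each class on its own mean and squaring, at second order, over constructed synthetic traces: eight samples of Gaussian noise, an unmasked intermediate leaking at sample 3, and a Boolean-masked intermediate whose two shares are processed in the same sample (sample 5), as in a parallel hardware implementation. KEY, FIXED_PT, the noise level and the customary 4.5 decision threshold are assumptions of the example; the paper's incremental moment estimators for very large trace sets are not reproduced here, since plain two-pass estimators suffice for a few thousand traces.

```python
"""Non-specific (fixed-vs-random) Welch's t-test at first and second order.

Added example, not the paper's code. Traces are constructed: 8 samples of
Gaussian noise, an unmasked intermediate at sample 3 (first-order leak) and a
two-share Boolean-masked intermediate at sample 5 (second-order leak only).
Fixed and random inputs are interleaved during collection.
"""
import math
import random

THRESHOLD = 4.5   # customary |t| decision threshold in these assessments
N_SAMPLES = 8
KEY = 0x03        # assumed key byte of the constructed device
FIXED_PT = 0x00   # assumed fixed input of the fixed class


def hw(x):
    return bin(x).count("1")


def make_traces(n_per_class, seed):
    """Constructed traces: noise plus Hamming-weight leakage of intermediates."""
    rng = random.Random(seed)
    fixed, rnd = [], []
    for i in range(2 * n_per_class):
        is_fixed = i % 2 == 0                  # interleave the two classes
        pt = FIXED_PT if is_fixed else rng.randrange(256)
        v = pt ^ KEY                           # sensitive intermediate
        m = rng.randrange(256)                 # fresh Boolean mask per trace
        tr = [rng.gauss(0.0, 1.0) for _ in range(N_SAMPLES)]
        tr[3] += hw(v)                         # unmasked value: first-order leak
        tr[5] += hw(v ^ m) + hw(m)             # both shares in one sample: second order only
        (fixed if is_fixed else rnd).append(tr)
    return fixed, rnd


def welch_t(a, b):
    """Welch's t-statistic between two samples (unequal variances allowed)."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def ttest(fixed, rnd, order=1):
    """Per-sample t-statistics. At order 2 each class is centred on its own
    mean and squared (the univariate second-order preprocessing), so the
    t-test then compares the variances of the two classes."""
    out = []
    for s in range(N_SAMPLES):
        a = [t[s] for t in fixed]
        b = [t[s] for t in rnd]
        if order == 2:
            ma, mb = sum(a) / len(a), sum(b) / len(b)
            a = [(x - ma) ** 2 for x in a]
            b = [(x - mb) ** 2 for x in b]
        elif order != 1:
            raise ValueError("this example implements orders 1 and 2 only")
        out.append(welch_t(a, b))
    return out


def leaky_points(tstats, threshold=THRESHOLD):
    """Sample indices whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(tstats) if abs(t) > threshold]


def assess(n_per_class=5000, seed=1):
    fixed, rnd = make_traces(n_per_class, seed)
    return {"first": ttest(fixed, rnd, 1), "second": ttest(fixed, rnd, 2)}


if __name__ == "__main__":
    res = assess()
    for order in ("first", "second"):
        print(order, "order: leaking samples", leaky_points(res[order]))
```

Run as a script it reports sample 3 at first order and sample 5 only at second order: the masked intermediate has the same mean in both classes, but the variance of the fixed class depends on the fixed value, which is exactly what the centred-square preprocessing exposes. A real evaluation would also check the classes at the same sample points across several independent measurement runs before declaring a leak, and would use the paper's incremental moment estimators once trace counts reach millions.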


Applied Cryptography and Network Security (ACNS) | 2015

Arithmetic Addition over Boolean Masking

Tobias Schneider; Amir Moradi; Tim Güneysu

A common countermeasure to thwart side-channel analysis attacks is algorithmic masking. For this, algorithms that mix Boolean and arithmetic operations need to either apply two different masking schemes with secure conversions or use dedicated arithmetic units that can process Boolean masked values. Several proposals have been published that can realize these approaches securely and efficiently in software. But to the best of our knowledge, no hardware design exists that fulfills relevant properties such as efficiency and security at the same time.


International Cryptology Conference (CRYPTO) | 2016

ParTI: Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks

Tobias Schneider; Amir Moradi; Tim Güneysu

Side-channel analysis and fault-injection attacks are known as major threats to any cryptographic implementation. Hardening cryptographic implementations with appropriate countermeasures is thus essential before they are deployed in the wild. However, countermeasures for both threats are of completely different nature: Side-channel analysis is mitigated by techniques that hide or mask key-dependent information while resistance against fault-injection attacks can be achieved by redundancy in the computation for immediate error detection. Since already the integration of any single countermeasure in cryptographic hardware comes with significant costs in terms of performance and area, a combination of multiple countermeasures is expensive and often associated with undesired side effects.

In this work, we introduce a countermeasure for cryptographic hardware implementations that combines the concept of a provably-secure masking scheme (i.e., threshold implementation) with an error detecting approach against fault injection. As a case study, we apply our generic construction to the lightweight LED cipher. Our LED instance achieves first-order resistance against side-channel attacks combined with a fault detection capability that is superior to that of simple duplication for most error distributions at an increased area demand of 12 %.


Cryptographic Hardware and Embedded Systems | 2018

Practical CCA2-Secure and Masked Ring-LWE Implementation

Tobias Oder; Tobias Schneider; Thomas Pöppelmann; Tim Güneysu

During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For real-world security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel analysis. Our solution is based on a post-quantum variant of the Fujisaki-Okamoto (FO) transform combined with provably secure first-order masking. To protect the key and message during decryption, we developed a masked binomial sampler that secures the re-encryption process required by FO. Our work shows that CCA2-secured RLWE-based encryption can be achieved with reasonable performance on constrained devices but also stresses that the required transformation and handling of decryption errors implies a performance overhead that has been overlooked by the community so far. With parameters providing 233 bits of quantum security, our implementation requires 4,176,684 cycles for encryption and 25,640,380 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. The first-order security of our masked implementation is also practically verified using the non-specific t-test evaluation methodology.


Cryptographic Hardware and Embedded Systems (CHES) | 2016

Strong 8-bit Sboxes with Efficient Masking in Hardware

Erik Boss; Vincent Grosso; Tim Güneysu; Gregor Leander; Amir Moradi; Tobias Schneider

Block ciphers are arguably the most important cryptographic primitive in practice. While their security against mathematical attacks is rather well understood, physical threats such as side-channel analysis (SCA) still pose a major challenge for their security. An effective countermeasure to thwart SCA is using a cipher representation that applies the threshold implementation (TI) concept. However, there are hardly any results available on how this concept can be adopted for block ciphers with large (i.e., 8-bit) Sboxes. In this work we provide a systematic analysis on and search for 8-bit Sbox constructions that can intrinsically feature the TI concept, while still providing high resistance against cryptanalysis. Our study includes investigations on Sboxes constructed from smaller ones using Feistel, SPN, or MISTY network structures. As a result, we present a set of new Sboxes that not only provide strong cryptographic criteria, but are also optimized for TI. We believe that our results will found an inspiring basis for further research on high-security block ciphers that intrinsically feature protection against physical attacks.


Cryptographic Hardware and Embedded Systems (CHES) | 2017

Gimli: A Cross-Platform Permutation

Daniel J. Bernstein; Stefan Kölbl; Stefan Lucks; Pedro Maat C. Massolino; Florian Mendel; Kashif Nawaz; Tobias Schneider; Peter Schwabe; François-Xavier Standaert; Yosuke Todo; Benoît Viguier

This paper presents Gimli, a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel protection.


International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE) | 2016

Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series

Amir Moradi; Tobias Schneider

Since 2012, it has been publicly known that the bitstream encryption feature of modern Xilinx FPGAs can be broken by side-channel analysis. Presented at CT-RSA 2012, using graphics processing units (GPUs) the authors demonstrated power analysis attacks mounted on side-channel evaluation boards optimized for power measurements. In this work, we extend such attacks by moving to the EM side channel to examine their practical relevance in real-world scenarios. Furthermore, by following a certain measurement procedure we reduce the search space of each part of the attack from 2^32 to 2^8, which allows mounting the attacks on ordinary workstations. Several Xilinx FPGAs from different families, including the 7 series devices, are susceptible to the attacks presented here.


International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE) | 2016

Robust and One-Pass Parallel Computation of Correlation-Based Attacks at Arbitrary Order

Tobias Schneider; Amir Moradi; Tim Güneysu

The protection of cryptographic implementations against higher-order attacks has risen to an important topic in the side-channel community after the advent of enhanced measurement equipment that enables the capture of millions of power traces in reasonably short time. However, the preprocessing of multi-million traces for such an attack is still challenging, in particular when in the case of (multivariate) higher-order attacks all traces need to be parsed at least two times. Even worse, partitioning the captured traces into smaller groups to parallelize computations is hardly possible with current techniques.
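The one-pass, partitionable computation the abstract above calls for, as an added worked example that is not code from the paper or its authors. It keeps centred moments (means, M2 and the comoment) per partition with Welford-style online updates, merges partitions with the pairwise combination formulas, and so computes Pearson correlation for every key candidate without storing or re-reading traces; the chunks can therefore be processed independently, e.g. on separate cores. Only first order is implemented; the paper generalizes the same idea to arbitrary order. The traces are constructed: Hamming weight of the PRESENT 4-bit S-box output plus Gaussian noise, with the key nibble, noise level and trace count being assumptions of the example.

```python
"""One-pass, partition-mergeable correlation power analysis (CPA), first order.

Added example, not the paper's code. Each partition keeps running centred
moments of (trace sample, hypothesis); partitions are merged with the pairwise
formulas, so no second pass over the traces is needed. Traces are constructed:
HW(PRESENT_SBOX[p ^ key]) + Gaussian noise, one sample per trace.
"""
import math
import random

# PRESENT 4-bit S-box: the leaking intermediate in the constructed traces
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(x):
    return bin(x).count("1")


class CorrAcc:
    """Running centred moments of (x, y); correlation = C / sqrt(M2x * M2y)."""
    __slots__ = ("n", "mx", "my", "m2x", "m2y", "c")

    def __init__(self):
        self.n = 0
        self.mx = self.my = 0.0
        self.m2x = self.m2y = self.c = 0.0

    def add(self, x, y):
        """Welford update: numerically stable, one pass, no stored traces."""
        self.n += 1
        dx = x - self.mx
        self.mx += dx / self.n
        dy = y - self.my
        self.my += dy / self.n
        self.m2x += dx * (x - self.mx)
        self.m2y += dy * (y - self.my)
        self.c += dx * (y - self.my)

    def merge(self, other):
        """Combine two independently computed partitions (pairwise formula)."""
        out = CorrAcc()
        n = self.n + other.n
        if n == 0:
            return out
        dx = other.mx - self.mx
        dy = other.my - self.my
        w = self.n * other.n / n
        out.n = n
        out.mx = self.mx + dx * other.n / n
        out.my = self.my + dy * other.n / n
        out.m2x = self.m2x + other.m2x + dx * dx * w
        out.m2y = self.m2y + other.m2y + dy * dy * w
        out.c = self.c + other.c + dx * dy * w
        return out

    def corr(self):
        den = math.sqrt(self.m2x * self.m2y)
        return self.c / den if den > 0 else 0.0


def make_traces(n, key, sigma, seed):
    """Constructed single-sample traces: HW(S(p ^ key)) + Gaussian noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(16) for _ in range(n)]
    traces = [hw(PRESENT_SBOX[p ^ key]) + rng.gauss(0.0, sigma) for p in pts]
    return pts, traces


def cpa_partition(pts, traces):
    """One pass over a chunk: one accumulator per key candidate."""
    accs = [CorrAcc() for _ in range(16)]
    for p, x in zip(pts, traces):
        for k in range(16):
            accs[k].add(x, hw(PRESENT_SBOX[p ^ k]))
    return accs


def cpa_parallel(pts, traces, chunks):
    """Process `chunks` partitions independently, merge the per-candidate
    accumulators, and rank candidates by |correlation|."""
    size = (len(pts) + chunks - 1) // chunks
    parts = [cpa_partition(pts[i:i + size], traces[i:i + size])
             for i in range(0, len(pts), size)]
    merged = [CorrAcc() for _ in range(16)]
    for part in parts:
        merged = [m.merge(a) for m, a in zip(merged, part)]
    corrs = [m.corr() for m in merged]
    return max(range(16), key=lambda k: abs(corrs[k])), corrs


def cpa_single_pass(pts, traces):
    """Reference without partitioning, to check that merging changes nothing."""
    corrs = [a.corr() for a in cpa_partition(pts, traces)]
    return max(range(16), key=lambda k: abs(corrs[k])), corrs


if __name__ == "__main__":
    pts, traces = make_traces(4000, key=0xA, sigma=1.0, seed=7)
    best, corrs = cpa_parallel(pts, traces, chunks=8)
    print(f"recovered key nibble 0x{best:X}, rho = {corrs[best]:.3f}")
```

The merged result agrees with a single pass over the whole set up to floating-point rounding, which is the property that lets millions of traces be split across workers or streamed from the oscilloscope and folded in as they arrive. Raw sums of x, y, xy, x² and y² would also merge trivially but lose precision badly as the counts grow, which is why the centred-moment form is the one to use.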

Collaboration

Top co-authors:

Amir Moradi (Ruhr University Bochum)
François-Xavier Standaert (Université catholique de Louvain)
Clara Paglialonga (Technische Universität Darmstadt)
Erik Boss (Ruhr University Bochum)
Kashif Nawaz (Université catholique de Louvain)