Volker Krummel
University of Paderborn
Publication
Featured research published by Volker Krummel.
international conference on selected areas in cryptography | 2004
Johannes Blömer; Jorge Guajardo; Volker Krummel
A general method to secure cryptographic algorithms against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some finite field. To our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.
workshop on fault diagnosis and tolerance in cryptography | 2006
Johannes Blömer; Volker Krummel
In this paper we present a new class of collision attacks that are based on inducing faults into the encryption process. We combine the classical fault attack of Biham and Shamir with the concept of collision attacks of Schramm et al. Unlike previous fault attacks by Blömer and Seifert, our new attacks only need bit flips, not bit resets. Furthermore, the new attacks do not need the faulty ciphertext to derive the secret key. We only need the weaker information of whether a collision has occurred or not. This is an improvement over previous attacks presented, for example, by Dusart, Letourneux and Vivolo, Giraud, Chen and Yen, or Piret and Quisquater. As it turns out, the new attacks are very powerful even against sophisticated countermeasures like error detection and memory encryption.
international conference on selected areas in cryptography | 2007
Johannes Blömer; Volker Krummel
Cache-based attacks (CBAs) exploit the different access times of main memory and cache memory to determine information about internal states of cryptographic algorithms. CBAs turn out to be very powerful attacks even in practice. In this paper we present a general and strong model to analyze the security against CBAs. We introduce the notions of information leakage and resistance to analyze the security of several implementations of AES. Furthermore, we analyze how to use random permutations to protect against CBAs. By providing a successful attack on an AES implementation protected by random permutations, we show that random permutations used in a straightforward manner are not enough to protect against CBAs. Hence, to improve upon the security provided by random permutations, we describe the property a permutation must have in order to prevent the leakage of some key bits through CBAs.
foundations and practice of security | 2017
Johannes Blömer; Peter Günther; Volker Krummel; Nils Löken
In this work, we propose a service infrastructure that provides confidentiality of data in the cloud. It enables information sharing with fine-grained access control among multiple tenants based on attribute-based encryption. Compared to the standard approach based on access control lists, our encryption-as-a-service approach allows us to use cheap standard cloud storage in the public cloud and to mitigate a single point of attack. We use hardware security modules to protect long-term secret keys in the cloud. Hardware security modules provide high security but only relatively low performance. Therefore, we use attribute-based encryption with outsourcing to integrate hardware security modules into our microservice-oriented cloud architecture. As a result, we achieve elasticity, high performance, and high security at the same time.
MACIS 2015 Revised Selected Papers of the 6th International Conference on Mathematical Aspects of Computer and Information Sciences - Volume 9582 | 2015
Peter Günther; Volker Krummel
In this paper, we show how bilinear pairings can be implemented on modern smart card architectures. We do this by providing a memory-efficient implementation of the eta pairing on accumulator-based cryptographic coprocessors. We provide timing results for different key sizes on a state-of-the-art smart card, the Infineon SLE 78. On the one hand, our results show that pairings can efficiently be computed on smart cards. On the other hand, our results identify bottlenecks that have to be considered for future smart card designs.
Archive | 2009
Volker Krummel; Michael Nolte; Matthias Runowski; Johannes Bloemer
Archive | 2008
Johannes Blömer; Volker Krummel; Michael Nolte; Matthias Runowski
Archive | 2012
Volker Krummel; Michael Nolte; Bernd Redecker
Archive | 2011
Volker Krummel; Michael Nolte; Matthias Runowski
Archive | 2011
Volker Krummel; Michael Nolte; Matthias Runowski