Zhijie Jerry Shi
University of Connecticut
Publication
Featured research published by Zhijie Jerry Shi.
international conference on information technology new generations | 2006
Hai Yan; Zhijie Jerry Shi
Elliptic curve cryptography (ECC) provides a similar level of security to conventional integer-based public-key algorithms, but with much shorter keys. ECC over binary fields is of special interest because operations in binary fields are thought to be more space and time efficient. However, software implementations of ECC over binary fields are still slow, especially on the low-end processors used in small computing devices such as sensor nodes. In this paper, we study software implementations of ECC on processors with different word sizes. With a set of algorithms that we identified, we can perform 163-bit ECC in 13.9 seconds on an 8-bit processor at a clock rate of 8 MHz.
ad hoc networks | 2012
Xian Chen; Yoo-Ah Kim; Bing Wang; Wei Wei; Zhijie Jerry Shi; Yuan Song
Monitoring a sensor network to quickly detect faults is important for maintaining the health of the network. Out-of-band monitoring, i.e., deploying dedicated monitors and transmitting monitoring traffic using a separate channel, does not require instrumenting sensor nodes, and hence is flexible (it can be added on top of any application) and energy conserving (it does not consume resources of the sensor nodes). In this paper, we study fault-tolerant out-of-band monitoring for wireless sensor networks. Our goal is to place a minimum number of monitors in a sensor network so that all sensor nodes are monitored by k distinct monitors, and each monitor serves no more than w sensor nodes. We prove that this problem is NP-hard. For small-scale networks, we formulate the problem as an Integer Linear Programming (ILP) problem and obtain the optimal solution. For large-scale networks, the ILP is not applicable, and we propose two algorithms to solve it. The first one is a ln(kn) approximation algorithm, where n is the number of sensor nodes. The second is a simple heuristic scheme that has a much shorter running time. We evaluate our algorithms using extensive simulation. In small-scale networks, the latter two algorithms provide results close to the optimal solution from the ILP for relatively dense networks. In large-scale networks, the performance of these two algorithms is similar, and for relatively dense networks, the number of monitors required by both algorithms is close to a lower bound.
ad hoc networks | 2014
Wei Zeng; Jordan Cote; Xian Chen; Yoo-Ah Kim; Wei Wei; Kyoungwon Suh; Bing Wang; Zhijie Jerry Shi
Wireless sensor networks have been used for many delay-sensitive applications, e.g., emergency response and plant automation. In such networks, delay measurement is important for a number of reasons, e.g., real-time control of the networked system, and abnormal delay detection. In this paper, we propose a measurement architecture using distributed air sniffers, which provides convenient delay measurement, and requires no clock synchronization or instrumentation at the sensor nodes. One challenge in deploying this architecture is how to place the sniffers for efficient delay measurement. We prove the sniffer placement problem is NP-hard and develop two algorithms to solve it. Using a combination of small-scale testbed experiments and large-scale simulation, we demonstrate that our architecture leads to accurate delay monitoring and is effective in detecting abnormal delays, and furthermore, the number of sniffers required by our sniffer placement algorithms is close to the minimum required value.
IEEE Transactions on Information Forensics and Security | 2014
Shize Guo; Xinjie Zhao; Fan Zhang; Tao Wang; Zhijie Jerry Shi; François-Xavier Standaert; Chujiao Ma
Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Gröbner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.
international conference on information technology new generations | 2008
Fan Zhang; Zhijie Jerry Shi
Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous countermeasures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.
international conference on computer design | 2007
Hai Lin; Xuan Guan; Yunsi Fei; Zhijie Jerry Shi
As application-specific instruction set processors (ASIPs) are being increasingly used in mobile embedded systems, ubiquitous networking connections have exposed these systems to various malicious security attacks, which may alter the program code running on the systems. In addition, soft errors in microprocessors can also change program code and result in system malfunction. At the instruction level, all code modifications are manifested as bit flips. In this work, we present a generalized methodology for monitoring code integrity at run-time in ASIPs, where both the instruction set architecture (ISA) and the underlying microarchitecture can be customized for a particular application domain. Based on the microoperation-based monitoring architecture that we presented in previous work, we propose a compiler-assisted and application-controlled management approach for the monitoring architecture. Experimental results show that, compared with the OS-managed scheme and other compiler-assisted schemes, our approach can detect program code integrity compromises with much less performance degradation.
international conference on information technology: new generations | 2011
Fan Zhang; Zhijie Jerry Shi
In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code (MAC) calculated with a cryptographic hash function and a secret key. The security of the HMAC relies on the underlying hash function and the secret key. Whirlpool is a block-cipher-based hash algorithm that has been public for about ten years. So far, no effective attacks have been found on Whirlpool. As a result, HMAC with Whirlpool, i.e., HMAC-Whirlpool, is supposed to be secure. In this paper, we demonstrate that HMAC-Whirlpool is vulnerable to power analysis attacks. We designed two types of attacks: one is based on Differential Power Analysis (DPA) and the other on Correlation Power Analysis (CPA). We successfully launched the attacks on HMAC-Whirlpool running on an Atmel AVR processor. We also compared the attacks in terms of the number of power traces needed.
workshop on fault diagnosis and tolerance in cryptography | 2014
Xinjie Zhao; Shize Guo; Fan Zhang; Tao Wang; Zhijie Jerry Shi; Chujiao Ma; Dawu Gu
GOST is a well-known block cipher and the official encryption standard of the Russian Federation. A special feature of GOST is that its eight S-boxes can be secret. However, most research on GOST assumes that the design of these S-boxes is known. In this paper, the security of GOST against side-channel attacks is examined with algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks. Three AFAs on GOST, which have different attack goals in different scenarios, are investigated. The results show that 8 fault injections are required to recover the secret key when the full design of GOST is known, which is fewer than the 64 fault injections required in previous work. 64 fault injections are required to recover the eight unknown S-boxes assuming the key is known. 270 fault injections are required to recover the key and the eight S-boxes when both are unknown. The results prove that AFA is very effective and that keeping some components in a cipher secret cannot guarantee its security against fault attacks.
international conference on information technology | 2007
Fan Zhang; Zhijie Jerry Shi
Power analysis can exploit the instantaneous power consumption of elliptic curve cryptography (ECC) devices to retrieve secret keys. Many countermeasures have been proposed to make ECC implementations secure. One of the approaches is the randomized algorithms proposed by Oswald et al., which combine two scalar point multiplication algorithms and use random variables to decide which algorithm to follow at different stages of the computation. In this paper, we describe a power analysis attack that can effectively break the randomized automata proposed by Oswald et al., even with a small number of power traces.
international conference on information technology new generations | 2008
Fan Zhang; Zhijie Jerry Shi; Bing Wang
Because of limited resources at sensor nodes, sensor networks typically adopt symmetric-key algorithms to provide security functions such as protecting communications between nodes. In order to use symmetric-key algorithms, two nodes need to establish a secret session key first. In this paper, we propose a novel chord-based key establishment (CBKE) protocol that allows any pair of nodes in a sensor network to establish a secret session key. CBKE is a generalized deterministic key establishment scheme that provides great flexibility for balancing memory overhead, reliability, and communication cost. We analyze the properties of CBKE and explore the performance tradeoffs using simulation.