Search

Your search keyword '"Olivier Bronchain"' showing total 47 results
Start Over Author "Olivier Bronchain"
47 results on '"Olivier Bronchain"'

1. Exploiting Small-Norm Polynomial Multiplication with Physical Attacks

Author

Olivier Bronchain, Melissa Azouaoui, Mohamed ElGhamrawy, Joost Renes, and Tobias Schneider

Subjects
Lattice-based Cryptography, Post-Quantum Cryptography, Side- Channel Attacks, Fault Attacks, CRYSTALS-Dilithium, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

We present a set of physical profiled attacks against CRYSTALS-Dilithium that accumulate noisy knowledge on secret keys over multiple signatures, finally leading to a full key recovery attack. The methodology is composed of two steps. The first step consists of observing or inserting a bias in the posterior distribution of sensitive variables. The second step is an information processing phase which is based on belief propagation and effectively exploits that bias. The proposed concrete attacks rely on side-channel information, induced faults or possibly a combination of the two. Interestingly, the adversary benefits most from this previous knowledge when targeting the released signatures, however, the latter are not strictly necessary. We show that the combination of a physical attack with the binary knowledge of acceptance or rejection of a signature also leads to exploitable information on the secret key. Finally, we demonstrate that this approach is also effective against shuffled implementations of CRYSTALS-Dilithium.

Published
2024
Full Text
View/download PDF

2. From MLWE to RLWE: A Differential Fault Attack on Randomized & Deterministic Dilithium

Author

Mohamed ElGhamrawy, Melissa Azouaoui, Olivier Bronchain, Joost Renes, Tobias Schneider, Markus Schönauer, Okan Seker, and Christine van Vredendaal

Subjects
Post-Quantum Cryptography, Differential Fault Attacks, Dilithium, Lattice Reduction, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

The post-quantum digital signature scheme CRYSTALS-Dilithium has been recently selected by the NIST for standardization. Implementing CRYSTALSDilithium, and other post-quantum cryptography schemes, on embedded devices raises a new set of challenges, including ones related to performance in terms of speed and memory requirements, but also related to side-channel and fault injection attacks security. In this work, we investigated the latter and describe a differential fault attack on the randomized and deterministic versions of CRYSTALS-Dilithium. Notably, the attack requires a few instructions skips and is able to reduce the MLWE problem that Dilithium is based on to a smaller RLWE problem which can be practically solved with lattice reduction techniques. Accordingly, we demonstrated key recoveries using hints extracted on the secret keys from the same faulted signatures using the LWE with side-information framework introduced by Dachman-Soled et al. at CRYPTO’20. As a final contribution, we proposed algorithmic countermeasures against this attack and in particular showed that the second one can be parameterized to only induce a negligible overhead over the signature generation.

Published
2023
Full Text
View/download PDF

3. Protecting Dilithium against Leakage

Author

Melissa Azouaoui, Olivier Bronchain, Gaëtan Cassiers, Clément Hoffmann, Yulia Kuzovkova, Joost Renes, Tobias Schneider, Markus Schönauer, François-Xavier Standaert, and Christine van Vredendaal

Subjects
CRYSTALS-Dilithium, Lattice-Based Cryptography, Post-Quantum Cryptography, Signatures, Side-Channel Countermeasures, Masking, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

CRYSTALS-Dilithium has been selected by the NIST as the new standard for post-quantum digital signatures. In this work, we revisit the side-channel countermeasures of Dilithium in three directions. First, we improve its sensitivity analysis by classifying intermediate computations according to their physical security requirements. Second, we provide improved gadgets dedicated to Dilithium, taking advantage of recent advances in masking conversion algorithms. Third, we combine these contributions and report performance for side-channel protected Dilithium implementations. Our benchmarking results additionally put forward that the randomized version of Dilithium can lead to significantly more efficient implementations (than its deterministic version) when side-channel attacks are a concern.

Published
2023
Full Text
View/download PDF

4. Enabling FrodoKEM on Embedded Devices

Author

Joppe W. Bos, Olivier Bronchain, Frank Custers, Joost Renes, Denise Verbakel, and Christine van Vredendaal

Subjects
Post-Quantum Cryptography, Small-stack, FrodoKEM, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

FrodoKEM is a lattice-based Key Encapsulation Mechanism (KEM) based on unstructured lattices. From a security point of view this makes it a conservative option to achieve post-quantum security, hence why it is favored by several European authorities (e.g., German BSI and French ANSSI). Relying on unstructured instead of structured lattices (e.g., CRYSTALS-Kyber) comes at the cost of additional memory usage, which is particularly critical for embedded security applications such as smart cards. For example, prior FrodoKEM-640 implementations (using AES) on Cortex-M4 require more than 80 kB of stack making it impossible to run on some embedded systems. In this work, we explore several stack reduction strategies and the resulting time versus memory trade-offs. Concretely, we reduce the stack consumption of FrodoKEM by a factor 2–3x compared to the smallest known implementations with almost no impact on performance. We also present various time-memory trade-offs going as low as 8 kB for all AES parameter sets, and below 4 kB for FrodoKEM-640. By introducing a minor tweak to the FrodoKEM specifications, we additionally reduce the stack consumption down to 8 kB for all the SHAKE versions. As a result, this work enables FrodoKEM on more resource constrained embedded systems.

Published
2023
Full Text
View/download PDF

5. Bitslicing Arithmetic/Boolean Masking Conversions for Fun and Profit

Author

Olivier Bronchain and Gaëtan Cassiers

Subjects
Masking, Lattice-based KEM, Kyber, Saber, Bitslice, PINI, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

The performance of higher-order masked implementations of lattice-based based key encapsulation mechanisms (KEM) is currently limited by the costly conversions between arithmetic and Boolean masking. While bitslicing has been shown to strongly speed up masked implementations of symmetric primitives, its use in arithmetic-to-Boolean and Boolean-to-arithmetic masking conversion gadgets has never been thoroughly investigated. In this paper, we first show that bitslicing can indeed accelerate existing conversion gadgets. We then optimize these gadgets, exploiting the degrees of freedom offered by bitsliced implementations. As a result, we introduce new arbitrary-order Boolean masked addition, arithmetic-to-Boolean and Boolean-to-arithmetic masking conversion gadgets, each in two variants: modulo 2k and modulo p (for any integers k and p). Practically, our new gadgets achieve a speedup of up to 25x over the state of the art. Turning to the KEM application, we develop the first open-source embedded (Cortex-M4) implementations of Kyber768 and Saber masked at arbitrary order. The implementations based on the new bitsliced gadgets achieve a speedup of 1.8x for Kyber and 3x for Saber, compared to the implementation based on state-of-the-art gadgets. The bottleneck of the bitslice implementations is the masked Keccak-f[1600] permutation.

Published
2022
Full Text
View/download PDF

6. Bitslice Masking and Improved Shuffling

Author

Melissa Azouaoui, Olivier Bronchain, Vincent Grosso, and Kostas Papagiannopoulos

Subjects
Higher-Order Masking, Shuffling, Bitslice implementations, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our main contributions are twofold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination’s performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. We conclude that with moderate but sufficient noise, the “bitslice masking + shuffling” combination of countermeasures is practically relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As additional side results, we improve the best known attack against the shuffling countermeasure from ASIACRYPT 2012. We also recall that algorithmic countermeasures like masking and shuffling, and therefore their combination, cannot be implemented securely without a minimum level of physical noise.

Published
2022
Full Text
View/download PDF

7. Improved Leakage-Resistant Authenticated Encryption based on Hardware AES Coprocessors

Author

Olivier Bronchain, Charles Momin, Thomas Peters, and François-Xavier Standaert

Subjects
Leakage-Resilient Cryptography, Authenticated Encryption, Secure Software Updates, Ciphertext Integrity, ARM Cortex, Differental Power Analysis, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

We revisit Unterstein et al.’s leakage-resilient authenticated encryption scheme from CHES 2020. Its main goal is to enable secure software updates by leveraging unprotected (e.g., AES, SHA256) coprocessors available on low-end microcontrollers. We show that the design of this scheme ignores an important attack vector that can significantly reduce its security claims, and that the evaluation of its leakage-resilient PRF is quite sensitive to minor variations of its measurements, which can easily lead to security overstatements. We then describe and analyze a new mode of operation for which we propose more conservative security parameters and show that it competes with the CHES 2020 one in terms of performances. As an additional bonus, our solution relies only on AES-128 coprocessors, an

Published
2021
Full Text
View/download PDF

8. Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

Author

Olivier Bronchain and François-Xavier Standaert

Subjects
Higher-Order Masking, Bitslice Software, Physical Security Evaluations, Profiled Side-Channel Analysis, Dimensionality Reduction, SASCA, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

We explore the concrete side-channel security provided by state-of-theart higher-order masked software implementations of the AES and the (candidate to the NIST Lightweight Cryptography competition) Clyde, in ARM Cortex-M0 and M3 devices. Rather than looking for possibly reduced security orders (as frequently considered in the literature), we directly target these implementations by assuming their maximum security order and aim at reducing their noise level thanks to multivariate, horizontal and analytical attacks. Our investigations point out that the Cortex-M0 device has so limited physical noise that masking is close to ineffective. The Cortex-M3 shows a better trend but still requires a large number of shares to provide strong security guarantees. Practically, we first exhibit a full 128-bit key recovery in less than 10 traces for a 6-share masked AES implementation running on the Cortex-M0 requiring 232 enumeration power. A similar attack performed against the Cortex-M3 with 5 shares require 1,000 measurements with 244 enumeration power. We then show the positive impact of lightweight block ciphers with limited number of AND gates for side-channel security, and compare our attacks against a masked Clyde with the best reported attacks of the CHES 2020 CTF. We complement these experiments with a careful information theoretic analysis, which allows interpreting our results. We also discuss our conclusions under the umbrella of “backwards security evaluations” recently put forwards by Azouaoui et al. We finally extrapolate the evolution of the proposed attack complexities in the presence of additional countermeasures using the local random probing model proposed at CHES 2020.

Published
2021
Full Text
View/download PDF

9. MOE: Multiplication Operated Encryption with Trojan Resilience

Author

Olivier Bronchain, Sebastian Faust, Virginie Lallemand, Gregor Leander, Léo Perrin, and François-Xavier Standaert

Subjects
symmetric encryption, modular multiplication, Trojan-resilience, Computer engineering. Computer hardware, TK7885-7895
Abstract

In order to lower costs, the fabrication of Integrated Circuits (ICs) is increasingly delegated to offshore contract foundries, making them exposed to malicious modifications, known as hardware Trojans. Recent works have demonstrated that a strong form of Trojan-resilience can be obtained from untrusted chips by exploiting secret sharing and Multi-Party Computation (MPC), yet with significant cost overheads. In this paper, we study the possibility of building a symmetric cipher enabling similar guarantees in a more efficient manner. To reach this goal, we exploit a simple round structure mixing a modular multiplication and a multiplication with a binary matrix. Besides being motivated as a new block cipher design for Trojan resilience, our research also exposes the cryptographic properties of the modular multiplication, which is of independent interest.

Published
2021
Full Text
View/download PDF

10. Modeling Soft Analytical Side-Channel Attacks from a Coding Theory Viewpoint

Author

Qian Guo, Vincent Grosso, François-Xavier Standaert, and Olivier Bronchain

Subjects
Side-Channel Analysis, Worst-Case Security Evaluations, Horizontal (aka Multi-Target) Attacks, Belief Propagation, Masking, Shuffling, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

One important open question in side-channel analysis is to find out whether all the leakage samples in an implementation can be exploited by an adversary, as suggested by masking security proofs. For attacks exploiting a divide-and-conquer strategy, the answer is negative: only the leakages corresponding to the first/last rounds of a block cipher can be exploited. Soft Analytical Side-Channel Attacks (SASCA) have been introduced as a powerful solution to mitigate this limitation. They represent the target implementation and its leakages as a code (similar to a Low Density Parity Check code) that is decoded thanks to belief propagation. Previous works have shown the low data complexities that SASCA can reach in practice. In this paper, we revisit these attacks by modeling them with a variation of the Random Probing Model used in masking security proofs, that we denote as the Local Random Probing Model (LRPM). Our study establishes interesting connections between this model and the erasure channel used in coding theory, leading to the following benefits. First, the LRPM allows bounding the security of concrete implementations against SASCA in a fast and intuitive manner. We use it in order to confirm that the leakage of any operation in a block cipher can be exploited, although the leakages of external operations dominate in known-plaintext/ciphertext attack scenarios. Second, we show that the LRPM is a tool of choice for the (nearly worst-case) analysis of masked implementations in the noisy leakage model, taking advantage of all the operations performed, and leading to new tradeoffs between their amount of randomness and physical noise level. Third, we show that it can considerably speed up the evaluation of other countermeasures such as shuffling.

Published
2020
Full Text
View/download PDF

11. Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

Author

Davide Bellizia, Francesco Berti, Olivier Bronchain, Gaëtan Cassiers, Sébastien Duval, Chun Guo, Gregor Leander, Gaëtan Leurent, Itamar Levi, Charles Momin, Olivier Pereira, Thomas Peters, François-Xavier Standaert, Balazs Udvarhelyi, and Friedrich Wiemer

Subjects
Authenticated encryption, NIST lightweight cryptography standardization effort, leakage-resistance, bitslice ciphers, masking countermeasure, low energy, Computer engineering. Computer hardware, TK7885-7895
Abstract

This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook is mixing a leakageresistant mode of operation with bitslice ciphers enabling efficient and low latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multiuser security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook which confirm the limited overheads that the use of two primitives sharing internal components imply. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and efficiency of Spook.

Published
2020
Full Text
View/download PDF

12. Side-Channel Countermeasures’ Dissection and the Limits of Closed Source Security Evaluations

Author

Olivier Bronchain and François-Xavier Standaert

Subjects
Side-Channel Attacks, Security Evaluations, Certification, Affine Masking, Shuffling, Worst-Case (Multivariate) Analysis, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

We take advantage of a recently published open source implementation of the AES protected with a mix of countermeasures against side-channel attacks to discuss both the challenges in protecting COTS devices against such attacks and the limitations of closed source security evaluations. The target implementation has been proposed by the French ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) to stimulate research on the design and evaluation of side-channel secure implementations. It combines additive and multiplicative secret sharings into an affine masking scheme that is additionally mixed with a shuffled execution. Its preliminary leakage assessment did not detect data dependencies with up to 100,000 measurements. We first exhibit the gap between such a preliminary leakage assessment and advanced attacks by demonstrating how a countermeasures’ dissection exploiting a mix of dimensionality reduction, multivariate information extraction and key enumeration can recover the full key with less than 2,000 measurements. We then discuss the relevance of open source evaluations to analyze such implementations efficiently, by pointing out that certain steps of the attack are hard to automate without implementation knowledge (even with machine learning tools), while performing them manually is straightforward. Our findings are not due to design flaws but from the general difficulty to prevent side-channel attacks in COTS devices with limited noise. We anticipate that high security on such devices requires significantly more shares.

Published
2020
Full Text
View/download PDF

13. Multi-Tuple Leakage Detection and the Dependent Signal Issue

Author

Olivier Bronchain, Tobias Schneider, and François-Xavier Standaert

Subjects
Side-Channel Analysis, Leakage Detection, Security Evaluations, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

Leakage detection is a common tool to quickly assess the security of a cryptographic implementation against side-channel attacks. The Test Vector Leakage Assessment (TVLA) methodology using Welch’s t-test, proposed by Cryptography Research, is currently the most popular example of such tools, thanks to its simplicity and good detection speed compared to attack-based evaluations. However, as any statistical test, it is based on certain assumptions about the processed samples and its detection performances strongly depend on parameters like the measurement’s Signal-to-Noise Ratio (SNR), their degree of dependency, and their density, i.e., the ratio between the amount of informative and non-informative points in the traces. In this paper, we argue that the correct interpretation of leakage detection results requires knowledge of these parameters which are a priori unknown to the evaluator, and, therefore, poses a non-trivial challenge to evaluators (especially if restricted to only one test). For this purpose, we first explore the concept of multi-tuple detection, which is able to exploit differences between multiple informative points of a trace more effectively than tests relying on the minimum p-value of concurrent univariate tests. To this end, we map the common Hotelling’s T2-test to the leakage detection setting and, further, propose a specialized instantiation of it which trades computational overheads for a dependency assumption. Our experiments show that there is not one test that is the optimal choice for every leakage scenario. Second, we highlight the importance of the assumption that the samples at each point in time are independent, which is frequently considered in leakage detection, e.g., with Welch’s t-test. Using simulated and practical experiments, we show that (i) this assumption is often violated in practice, and (ii) deviations from it can affect the detection performances, making the correct interpretation of the results more difficult. Finally, we consolidate our findings by providing guidelines on how to use a combination of established and newly-proposed leakage detection tools to infer the measurements parameters. This enables a better interpretation of the tests’ results than the current state-of-the-art (yet still relying on heuristics for the most challenging evaluation scenarios).

Published
2019
Full Text
View/download PDF

33. Improved Leakage-Resistant Authenticated Encryption based on Hardware AES Coprocessors

Author

Thomas Peters, Charles Momin, Olivier Bronchain, and François-Xavier Standaert

Subjects
Authenticated encryption, Block cipher mode of operation, Scheme (programming language), Computer engineering. Computer hardware, Coprocessor, business.industry, Computer science, Ciphertext Integrity, Information technology, T58.5-58.64, TK7885-7895, Microcontroller, Software, Secure Software Updates, Embedded system, Authenticated Encryption, Differental Power Analysis, ARM Cortex, Leakage-Resilient Cryptography, business, computer, Leakage (electronics), computer.programming_language
Abstract

We revisit Unterstein et al.’s leakage-resilient authenticated encryption scheme from CHES 2020. Its main goal is to enable secure software updates by leveraging unprotected (e.g., AES, SHA256) coprocessors available on low-end microcontrollers. We show that the design of this scheme ignores an important attack vector that can significantly reduce its security claims, and that the evaluation of its leakage-resilient PRF is quite sensitive to minor variations of its measurements, which can easily lead to security overstatements. We then describe and analyze a new mode of operation for which we propose more conservative security parameters and show that it competes with the CHES 2020 one in terms of performances. As an additional bonus, our solution relies only on AES-128 coprocessors, an

Published
2021
Full Text
View/download PDF

35. Reducing risks through simplicity: high side-channel security for lazy engineers

Author

Olivier Bronchain, François-Xavier Standaert, and Tobias Schneider

Subjects
Security analysis, Computer Networks and Communications, business.industry, Computer science, Rounding, AES implementations, Cryptography, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Masking (Electronic Health Record), 020202 computer hardware & architecture, Reliability engineering, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, business, Field-programmable gate array, Computer communication networks, Software
Abstract

Countermeasures against side-channel attacks are in general expensive, and a lot of research has been devoted to the optimization of their security versus performance trade-off. Besides, a wide literature has also shown that implementing such countermeasures is an error-prone task and requires to deal with various engineering challenges (e.g., physical defaults, compositional errors, ...). This work aims to contribute to this second item, by evaluating the extent to which (almost) key-homomorphic primitives, and in particular a recent PRF instance based on the learning with rounding problem, can lead to easy-to-implement and easier-to-evaluate side-channel-secure designs. We confirm these properties by describing an FPGA implementation that does not require complex (compositional) reasoning in its analysis and can be masked securely under simple design conditions, and for which the evaluation directly scales to arbitrary number of shares. We provide a comprehensive performance and (worst-case) security analysis of our design and compare the obtained results with those of an AES implementation protected with the domain-oriented masking scheme. Results show that simplicity has a cost, which becomes less prohibitive as security requirements increase.

Published
2020
Full Text
View/download PDF

36. MOE: Multiplication Operated Encryption with Trojan Resilience

Author

Sebastian Faust, Gregor Leander, François-Xavier Standaert, Léo Perrin, Virginie Lallemand, Olivier Bronchain, UCL Crypto Group, Université Catholique de Louvain = Catholic University of Louvain (UCL), Technische Universität Darmstadt - Technical University of Darmstadt (TU Darmstadt), Cryptology, arithmetic : algebraic methods for better algorithms (CARAMBA), Inria Nancy - Grand Est, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Department of Algorithms, Computation, Image and Geometry (LORIA - ALGO), Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS), Horst Görtz Institute for IT-security, Ruhr-Universität Bochum [Bochum], Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), François-Xavier Standaert is a senior research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in parts by the ERC project 724725 (acronym SWORD). Sebastian Faust was partly funded by the German Research Foundation (DFG) through the Emmy Noether Program FA 1320/1-1. This work was initiated while Virginie Lallemand was with the Horst Görtz Institute for IT Security at the Ruhr-Universität Bochum and was funded by the DFG through LE 3372/4-1. Gregor Leander’s work is partially funded by the DFG, under Germany’s Excellence Strategy -EXC 2092 CASA - 390781972., European Project: 724725,SWORD(2017), Technische Universität Darmstadt (TU Darmstadt), UCL - SST/ICTM - Institute of Information and Communication Technologies, Electronics and Applied Mathematics, Department of Algorithms, Computation, Image and Geometry (LORIA - ALGO), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Inria Nancy - Grand Est, and Institut National de Recherche en Informatique et en Automatique (Inria)

Subjects
lcsh:Computer engineering. Computer hardware, Computer science, business.industry, Applied Mathematics, Modular multiplication, lcsh:TK7885-7895, Computer security, computer.software_genre, Encryption, Computer Science Applications, Computational Mathematics, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Trojan, Multiplication, business, Resilience (network), Trojan-resilience, computer, Symmetric encryption, Software
Abstract

International audience; In order to lower costs, the fabrication of Integrated Circuits (ICs) is increasingly delegated to offshore contract foundries, making them exposed to malicious modifications, known as hardware Trojans. Recent works have demonstrated that a strong form of Trojan-resilience can be obtained from untrusted chips by exploiting secret sharing and Multi-Party Computation (MPC), yet with significant cost overheads. In this paper, we study the possibility of building a symmetric cipher enabling similar guarantees in a more efficient manner. To reach this goal, we exploit a simple round structure mixing a modular multiplication and a multiplication with a binary matrix. Besides being motivated as a new block cipher design for Trojan resilience, our research also exposes the cryptographic properties of the modular multiplication, which is of independent interest.

Published
2021
Full Text
View/download PDF

37. How to Fool a Black Box Machine Learning Based Side-Channel Security Evaluation

Author

François-Xavier Standaert, Gaëtan Cassiers, Charles-Henry Bertrand Van Ouytsel, Olivier Bronchain, UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique, and UCL - SST/ICTM - Institute of Information and Communication Technologies, Electronics and Applied Mathematics

Subjects
Computer Networks and Communications, Computer science, 0102 computer and information sciences, 02 engineering and technology, Machine learning security, Black box side channel security evaluation, Machine learning, computer.software_genre, 01 natural sciences, Machine Learning, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, Implementation, Security evaluation, Black box (phreaking), business.industry, Applied Mathematics, Deep learning, 020206 networking & telecommunications, Adversary, Computational Theory and Mathematics, 010201 computation theory & mathematics, Key (cryptography), Artificial intelligence, business, computer
Abstract

Machine learning and deep learning algorithms are increasingly considered as potential candidates to perform black box side-channel security evaluations. Inspired by the literature on machine learning security, we put forward that it is easy to conceive implementations for which such black box security evaluations will incorrectly conclude that recovering the key is difficult, while an informed evaluator / adversary will reach the opposite conclusion (i.e., that the device is insecure given the amount of measurements available).

Published
2021

38. On the Security of Off-the-Shelf Microcontrollers: Hardware Is Not Enough

Author

Antoine van Wassenhove, Balazs Udvarhelyi, François-Xavier Standaert, and Olivier Bronchain

Subjects
Black box (phreaking), Hardware architecture, Computer science, business.industry, Context (language use), 02 engineering and technology, 020202 computer hardware & architecture, Microcontroller, Identification (information), Test vector, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, business, Continuous wavelet transform, Computer hardware
Abstract

We complete the state-of-the-art on the side-channel security of real-world devices by analysing two 32-bit microcontrollers equipped with an unprotected co-processor. Our results show that (i) the lack of understanding of their hardware architecture can be circumvented with standard detection tools – for this purpose, we combine a simple variation of the Test Vector Leakage Assessment methodology with Signal-to-Noise Ratio estimations, which enables the efficient identification of attack vectors; (ii) standard distinguishers then lead to powerful key recoveries with less than 5,000 traces; and (iii) preprocessing like the continuous wavelet transform can be useful in such a black box evaluation context.

Published
2021
Full Text
View/download PDF

39. Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography A Practical Guide Through the Leakage-Resistance Jungle

Author

Chun Guo, Olivier Pereira, Olivier Bronchain, Gaëtan Cassiers, Vincent Grosso, Davide Bellizia, Thomas Peters, Charles Momin, François-Xavier Standaert, Université Catholique de Louvain = Catholic University of Louvain (UCL), Centre National de la Recherche Scientifique (CNRS), Laboratoire Hubert Curien [Saint Etienne] (LHC), Institut d'Optique Graduate School (IOGS)-Université Jean Monnet [Saint-Étienne] (UJM)-Centre National de la Recherche Scientifique (CNRS), Shandong University, Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), Fonds National de la Recherche Scientifique [Bruxelles] (FNRS), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Authenticated encryption, business.industry, Computer science, Cryptography, 0102 computer and information sciences, 02 engineering and technology, Encryption, Mathematical proof, Computer security, computer.software_genre, 01 natural sciences, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Symmetric-key algorithm, 010201 computation theory & mathematics, Software deployment, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Implementation, computer, Physical security
Abstract

International audience; Triggered by the increasing deployment of embedded cryptographic devices (e.g., for the IoT), the design of authentication, encryp-tion and authenticated encryption schemes enabling improved security against side-channel attacks has become an important research direction. Over the last decade, a number of modes of operation have been proposed and analyzed under different abstractions. In this paper, we investigate the practical consequences of these findings. For this purpose, we first translate the physical assumptions of leakage-resistance proofs into minimum security requirements for implementers. Thanks to this (heuris-tic) translation, we observe that (i) security against physical attacks can be viewed as a tradeoff between mode-level and implementation-level protection mechanisms, and (ii) security requirements to guarantee confidentiality and integrity in front of leakage can be concretely different for the different parts of an implementation. We illustrate the first point by analyzing several modes of operation with gradually increased leakage-resistance. We illustrate the second point by exhibiting leveled implementations, where different parts of the investigated schemes have different security requirements against leakage, leading to performance improvements when high physical security is needed. We finally initiate a comparative discussion of the different solutions to instantiate the components of a leakage-resistant authenticated encryption scheme.

Published
2020

40. Spook: Sponge-Based Leakage-Resistant Authenticated Encryption with a Masked Tweakable Block Cipher

Author

Thomas Peters, Balazs Udvarhelyi, Friedrich Wiemer, Charles Momin, Chun Guo, Gregor Leander, Gaëtan Cassiers, Davide Bellizia, Gaëtan Leurent, Sébastien Duval, François-Xavier Standaert, Olivier Bronchain, Itamar Levi, Francesco Berti, Olivier Pereira, Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM), Université Catholique de Louvain = Catholic University of Louvain (UCL), Shandong University, Ruhr-Universität Bochum [Bochum], Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), This work has been funded in part by European Union and the Walloon Region through the ERC Project 724725 (acronym SWORD), the FEDER Project USERMedia (convention 501907-379156), the H2020 project REASSURE and the Wallinov TRUSTEYE project., European Project: 724725,SWORD(2017), European Project: 731591,REASSURE(2017), and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Authenticated encryption, lcsh:Computer engineering. Computer hardware, Computer science, lcsh:TK7885-7895, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, masking countermeasure, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], leakage-resistance, NIST lightweight cryptography standardization effort, 0202 electrical engineering, electronic engineering, information engineering, Leakage (electronics), Block cipher, Leakage-resistance, Bitslice ciphers, Masking countermeasure, Low energy, business.industry, Applied Mathematics, 020202 computer hardware & architecture, Computer Science Applications, low energy, Computational Mathematics, 010201 computation theory & mathematics, Embedded system, bitslice ciphers, business, Software
Abstract

This paper defines Spook: a sponge-based authenticated encryption with associated data algorithm. It is primarily designed to provide security against side-channel attacks at a low energy cost. For this purpose, Spook is mixing a leakageresistant mode of operation with bitslice ciphers enabling efficient and low latency implementations. The leakage-resistant mode of operation leverages a re-keying function to prevent differential side-channel analysis, a duplex sponge construction to efficiently process the data, and a tag verification based on a Tweakable Block Cipher (TBC) providing strong data integrity guarantees in the presence of leakages. The underlying bitslice ciphers are optimized for the masking countermeasures against side-channel attacks. Spook is an efficient single-pass algorithm. It ensures state-of-the-art black box security with several prominent features: (i) nonce misuse-resilience, (ii) beyond-birthday security with respect to the TBC block size, and (iii) multiuser security at minimum cost with a public tweak. Besides the specifications and design rationale, we provide first software and hardware implementation results of (unprotected) Spook which confirm the limited overheads that the use of two primitives sharing internal components imply. We also show that the integrity of Spook with leakage, so far analyzed with unbounded leakages for the duplex sponge and a strongly protected TBC modeled as leak-free, can be proven with a much weaker unpredictability assumption for the TBC. We finally discuss external cryptanalysis results and tweaks to improve both the security margins and efficiency of Spook., IACR Transactions on Symmetric Cryptology, Volume 2020, Special Issue 1

Published
2020
Full Text
View/download PDF

41. Side-Channel Countermeasures’ Dissection and the Limits of Closed Source Security Evaluations

Author

François-Xavier Standaert, Olivier Bronchain, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Certification, lcsh:Computer engineering. Computer hardware, lcsh:T58.5-58.64, Computer science, Worst-Case (Multivariate) Analysis, lcsh:Information technology, 020206 networking & telecommunications, lcsh:TK7885-7895, 02 engineering and technology, Dissection (medical), Computer security, computer.software_genre, medicine.disease, Security Evaluations, Side channel countermeasures, Affine Masking, Side-Channel Attacks, Shuffling, Open Source Design, 0202 electrical engineering, electronic engineering, information engineering, medicine, 020201 artificial intelligence & image processing, computer
Abstract

We take advantage of a recently published open source implementation of the AES protected with a mix of countermeasures against side-channel attacks to discuss both the challenges in protecting COTS devices against such attacks and the limitations of closed source security evaluations. The target implementation has been proposed by the French ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) to stimulate research on the design and evaluation of side-channel secure implementations. It combines additive and multiplicative secret sharings into an affine masking scheme that is additionally mixed with a shuffled execution. Its preliminary leakage assessment did not detect data dependencies with up to 100,000 measurements. We first exhibit the gap between such a preliminary leakage assessment and advanced attacks by demonstrating how a countermeasures’ dissection exploiting a mix of dimensionality reduction, multivariate information extraction and key enumeration can recover the full key with less than 2,000 measurements. We then discuss the relevance of open source evaluations to analyze such implementations efficiently, by pointing out that certain steps of the attack are hard to automate without implementation knowledge (even with machine learning tools), while performing them manually is straightforward. Our findings are not due to design flaws but from the general difficulty to prevent side-channel attacks in COTS devices with limited noise. We anticipate that high security on such devices requires significantly more shares., IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2020, Issue 2

Published
2020

42. Efficient Profiled Side-Channel Analysis of Masked Implementations, Extended

Author

Olivier Bronchain, Francois Durvaux, Loic Masure, Francois-Xavier Standaert, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Side-Channel Analysis, Masking Countermeasure, Profiled Attacks, Machine Learning, Security Evaluations, Computer Networks and Communications, Safety, Risk, Reliability and Quality
Abstract

—We extend the study of efficient profiled attacks on masking schemes initiated by Lerman and Markowitch (TIFS, 2019) in different directions. First, we study both the profiling complexity and the online attack complexity of different profiled distinguishers. Second, we extend the range of the noise levels of their experiments, in order to cover (higher-noise) contexts where masking is effective. Third, we further contextualize the investigated distinguishers (e.g., in terms of adversarial capabilities and a priori assumptions on the leakage probability density function). Finally, we complete the list of distinguishers considered in this previous work and add expectation-maximization, soft analytical side-channel attacks and multi-layer perceptrons in our comparisons. Our results allow shedding an interesting new light on the respective strengths and weaknesses of these different statistical tools, both in the context of a side-channel security evaluation and for concrete attacks. In particular, they confirm the experimental relevance of evaluation shortcuts leveraging the masking randomness during profiling, in order to speed up the evaluation process.

Published
2020
Full Text
View/download PDF

44. Side-channel analysis of a learning parity with physical noise processor

Author

Dina Kamel, Olivier Bronchain, Davide Bellizia, François-Xavier Standaert, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Computer Networks and Communications, Computer science, Gaussian, Open problem, Word error rate, Cryptography, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, symbols.namesake, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, Randomness, business.industry, Authentication, 020202 computer hardware & architecture, Communication noise, Computer engineering, 010201 computation theory & mathematics, Learning parity with noise, Authentication protocol, symbols, business, Side-channel analysis, Probabilistic computation, Software
Abstract

Learning parity with physical noise (LPPN) has been proposed as an assumption on which to build authentication protocols based on the learning parity with noise (LPN) problem. Its first advantage is to reduce the randomness requirements of standard LPN-based protocols, by directly performing erroneous computations so that no (e.g. Bernoulli-distributed) errors have to be generated on chip. At ASHES 2018, an LPPN processor was presented and confirmed the possibility to efficiently generate erroneous computations with the appropriate error rate. Since LPPN computations are key-homomorphic, they are good candidates for improved side-channel security thanks to masking, since they could theoretically lead to masked implementations with overheads that are linear in the number of shares, the analysis of which was left as an open problem. In this paper, we confirm this good potential by analyzing the side-channel security of an LPPN processor. We (1) evaluate the leakage of different parts of the erroneous computations, (2) conclude that intermediate computations that can be targeted with a divide-and-conquer Gaussian template attack are a sweet spot for side-channel attacks, and (3) show that LPPN computations naturally reach a level of noise that makes masking effective, despite further noise addition could be beneficial to reach higher security at lower implementation cost.

Published
2020
Full Text
View/download PDF

46. Leakage Certification Revisited: Bounding Model Errors in Side-Channel Security Evaluations

Author

Clément Massart, Alex Olshevsky, François-Xavier Standaert, Julien M. Hendrickx, Olivier Bronchain, UCL - SST/ICTM/INMA - Pôle en ingénierie mathématique, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Implementation / side-channel analysis, Security evaluations, Mutual information, Computer science, business.industry, side-channel analysis, Estimator, Statistical model, Cryptography, 02 engineering and technology, 020202 computer hardware & architecture, Bounding overwatch, 0202 electrical engineering, electronic engineering, information engineering, Statistical inference, 020201 artificial intelligence & image processing, Side channel attack, business, implementation, mutual information, Algorithm, Random variable, security evaluations
Abstract

Leakage certification aims at guaranteeing that the statistical models used in side-channel security evaluations are close to the true statistical distribution of the leakages, hence can be used to approximate a worst-case security level. Previous works in this direction were only qualitative: for a given amount of measurements available to an evaluation laboratory, they rated a model as “good enough” if the model assumption errors (i.e., the errors due to an incorrect choice of model family) were small with respect to the model estimation errors. We revisit this problem by providing the first quantitative tools for leakage certification. For this purpose, we provide bounds for the (unknown) Mutual Information metric that corresponds to the true statistical distribution of the leakages based on two easy-to-compute information theoretic quantities: the Perceived Information, which is the amount of information that can be extracted from a leaking device thanks to an estimated statistical model, possibly biased due to estimation and assumption errors, and the Hypothetical Information, which is the amount of information that would be extracted from an hypothetical device exactly following the model distribution. This positive outcome derives from the observation that while the estimation of the Mutual Information is in general a hard problem (i.e., estimators are biased and their convergence is distribution-dependent), it is significantly simplified in the case of statistical inference attacks where a target random variable (e.g., a key in a cryptographic setting) has a constant (e.g., uniform) probability. Our results therefore provide a general and principled path to bound the worst-case security level of an implementation. They also significantly speed up the evaluation of any profiled side-channel attack, since they imply that the estimation of the Perceived Information, which embeds an expensive cross-validation step, can be bounded by the computation of a cheaper Hypothetical Information, for any estimated statistical model.

Published
2019

47. Bitslice Masking and Improved Shuffling: How and When to Mix Them in Software?

Author

Melissa Azouaoui, Olivier Bronchain, Vincent Grosso, Kostas Papagiannopoulos, François-Xavier St, aert, and UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique

Subjects
Higher-Order Masking, Shuffling, Bitslice implementations
Abstract

We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our main contributions are twofold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination’s performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. We conclude that with moderate but sufficient noise, the “bitslice masking + shuffling” combination of countermeasures is practically relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As additional side results, we improve the best known attack against the shuffling countermeasure from ASIACRYPT 2012. We also recall that algorithmic countermeasures like masking and shuffling, and therefore their combination, cannot be implemented securely without a minimum level of physical noise.

Catalog

Books, media, physical & digital resources
See catalog results