23 research outputs found
A Side-Channel Attack Against the Secret Permutation on an Embedded McEliece Cryptosystem
In this paper, based on a thorough analysis of the state of the art, we point out a missing solution for embedded devices to secure the syndrome computation. We show that this weakness can open the door to a side-channel attack targeting the secret permutation. Indeed, the number of brute-force attack iterations is dramatically decreased once the secret permutation is recovered. We demonstrate the feasibility of this attack against the McEliece cryptosystem implemented on an ARM Cortex-M3 microprocessor using Goppa codes. We explain how to recover the secret permutation on a toy example. Finally, we propose a promising countermeasure, which can be implemented in embedded devices to prevent this attack.
Countermeasure against the SPA attack on an embedded McEliece cryptosystem
In this paper, we present a novel countermeasure against a simple power analysis (SPA) based side-channel attack on a software implementation of the McEliece public key cryptosystem. First, we attack a straightforward C implementation of the Goppa-code-based McEliece decryption running on an ARM Cortex-M3 microprocessor. Next, we demonstrate on a realistic example that, using a "chosen ciphertext attack" method, it is possible to recover the complete secret permutation matrix. We show that this matrix can be completely recovered by an analysis of the dynamic power consumption of the microprocessor. Then, we estimate the reduction in brute-force attack complexity depending on the knowledge of the permutation matrix. Finally, we propose an efficient software countermeasure with low computational complexity. We provide all the necessary details regarding the attack implementation and all the consequences of the proposed countermeasure, especially in terms of power consumption.
Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
This survey is on forward-looking, emerging security concerns in the post-quantum era, i.e., the implementation attacks on the 2022 winners of the NIST post-quantum cryptography (PQC) competition; the visions, insights, and discussions can thus be used as a step forward towards scrutinizing the new standards for applications ranging from the Metaverse and Web 3.0 to deeply embedded systems. The rapid advances in quantum computing have brought immense opportunities for scientific discovery and technological progress; however, they pose a major risk to today's security, since advanced quantum computers are believed to break all traditional public-key cryptographic algorithms. This has led to active research on PQC algorithms that are believed to be secure against classical and powerful quantum computers. However, algorithmic security is unfortunately insufficient, and many cryptographic algorithms are vulnerable to side-channel attacks (SCA), where an attacker passively or actively obtains side-channel data to compromise security properties that are assumed to hold theoretically. In this survey, we explore such imminent threats and their countermeasures with respect to PQC. We provide the respective, latest advancements in PQC research, as well as assessments of and visions on the different types of SCAs.
Implementation Attacks on Post-Quantum Cryptographic Schemes
Post-quantum cryptographic schemes have been developed in the last decade in response to the rise of quantum computers. Fortunately, several schemes have been developed with quantum resistance. However, there has been very little effort in evaluating and comparing these schemes in embedded settings. Low-cost embedded devices represent a highly constrained environment that challenges all post-quantum cryptographic schemes. Moreover, there have been even fewer efforts in evaluating the security of these schemes against implementation attacks, including side-channel and fault attacks. It is commonly accepted that any embedded cryptographic module built without a sound countermeasure can be easily broken. Therefore, we investigate the question: Are we ready to implement post-quantum cryptographic schemes on embedded systems? We present an exhaustive survey of research efforts in designing embedded modules of post-quantum cryptographic schemes and of the efforts in securing these modules against implementation attacks. Unfortunately, the study shows that we are not ready yet to implement any post-quantum cryptographic scheme in practical embedded systems. There is still a considerable amount of research that needs to be conducted before reaching a satisfactory level of security.
HLS-based HW/SW co-design of the post-quantum classic McEliece cryptosystem
While quantum computers are rapidly becoming more powerful, the current cryptographic infrastructure is imminently threatened. In a preventive manner, the U.S. National Institute of Standards and Technology (NIST) has initiated a process to evaluate quantum-resistant cryptosystems, to form the first post-quantum (PQ) cryptographic standard. Classic McEliece (CM) is one of the most prominent cryptosystems considered for standardization in NIST's PQ cryptography contest. However, its computational cost poses notable challenges to a big fraction of existing computing devices. This work presents an HLS-based HW/SW co-design acceleration of the CM Key Encapsulation Mechanism (CM KEM). We demonstrate significant maximum speedups of up to 55.2×, 3.3×, and 8.7× in the CM KEM algorithms of key generation, encapsulation, and decapsulation respectively, compared to a SW-only scalar implementation.
This research was supported by the European Union Regional Development Fund within the framework of the ERDF Operational Program of Catalonia 2014-2020 with a grant of 50% of the total cost eligible, under the DRAC project [001-P-001723]. It was also supported by the Spanish government (grant RTI2018-095094-B-C21 "CONSENT"), by the Spanish Ministry of Science and Innovation (contracts PID2019-107255GB-C21, PID2019-107255GB-C21) and by the Catalan Government (contracts 2017-SGR-1414, 2017-SGR-705). This work has also received funding from the European Union Horizon 2020 research and innovation programme under grant agreement No. 871467. V. Kostalabros has been partially supported by the Agency for Management of University and Research Grants (AGAUR) of the Government of Catalonia under the "Ajuts per a la contractació de personal investigador novell" fellowship No. 2019FI B01274. M. Moreto was also partially supported by the Spanish Ministry of Economy, Industry and Competitiveness under a "Ramón y Cajal" fellowship, No. RYC-2016-21104.
Horizontal Correlation Attack on Classic McEliece
As the technical feasibility of a quantum computer becomes more and more likely, post-quantum cryptography algorithms have received particular attention in recent years. Among them, code-based cryptosystems were first considered unsuited for hardware and embedded software implementations because of their very large key sizes. However, recent work has shown that such implementations are practical, which also makes them susceptible to physical attacks. In this article, we propose a horizontal correlation attack on the Classic McEliece cryptosystem, more precisely on the matrix-vector multiplication over that computes the shared key in the encapsulation process. The attack is applicable in the broader context of Niederreiter-like code-based cryptosystems and is independent of the code structure, i.e., it does not need to exploit any particular structure in the parity check matrix. Instead, we take advantage of the constant-time property of the matrix-vector multiplication over . We extend the feasibility of the basic attack by leveraging information-set decoding methods and carry it out successfully on the reference embedded software implementation. Interestingly, we highlight that implementation choices, such as the word size or the compilation options, play a crucial role in the success of the attack, and can even contradict the theoretical analysis.
Design and analysis of efficient and secure elliptic curve cryptoprocessors
Elliptic curve cryptosystems have attracted many researchers and have been included in many standards such as IEEE, ANSI, NIST, SEC and WTLS. The ability to use smaller keys and computationally more efficient algorithms compared with earlier public key cryptosystems such as RSA and ElGamal are two main reasons why elliptic curve cryptosystems are becoming more popular. They are considered particularly suitable for implementation on smart cards or mobile devices. Power analysis attacks on such devices are considered a serious threat due to the physical characteristics of these devices and their use in potentially hostile environments. This dissertation investigates elliptic curve cryptoprocessor architectures for curves defined over GF(2^m) fields. New architectures that are suitable for efficient computation of scalar multiplications with resistance against power analysis attacks are proposed and their performance evaluated. This is achieved by exploiting parallelism and randomized processing techniques. Parallelism and randomization are controlled at different levels to provide more efficiency and security. Furthermore, the proposed architectures are flexible enough to allow designers to tailor performance and hardware requirements according to their performance and cost objectives. The proposed architectures have been modeled in VHDL and implemented on an FPGA platform.
Fast and Secure Root Finding for Code-based Cryptosystems
In this work we analyze five previously published or trivial approaches and two new hybrid variants for the task of finding the roots of the error locator polynomial during the decryption operation of code-based encryption schemes. We compare the performance of these algorithms and show that optimizations concerning finite field element representations play a key role in the speed of software implementations. Furthermore, we point out a number of timing attack vulnerabilities that can arise in root-finding algorithms, some aimed at recovering the message, others at the secret support. We give experimental results from software implementations showing that manifestations of these vulnerabilities are present in straightforward implementations of most of the root-finding variants presented in this work. As a result, we find that one of the variants provides security with respect to all vulnerabilities as well as competitive computation time for code parameters that minimize the public key size.
Efficiency and Implementation Security of Code-based Cryptosystems
This thesis studies efficiency and security problems of implementations of code-based cryptosystems. These cryptosystems, though not currently used in the field, are of great scientific interest, since no quantum algorithm is known that breaks them essentially faster than any known classical algorithm. This qualifies them as cryptographic schemes for the quantum-computer era, in which the currently used cryptographic schemes are rendered insecure.
Concerning the efficiency of these schemes, we propose a solution for the handling of the public keys, which are, compared to the currently used schemes, of an enormous size. Here, the focus lies on resource-constrained devices, which are not capable of storing the code-based public key of a communication partner in their volatile memory. Furthermore, we show a solution for decryption without the parity check matrix with a passable speed penalty. This is also of great importance, since this matrix is of a size comparable to that of the public key. Thus, the employment of this matrix on memory-constrained devices is not possible or incurs a large cost.
Subsequently, we present an analysis of improvements to the generally most time-consuming part of the decryption operation, which is the determination of the roots of the error locator polynomial. We compare a number of known algorithmic variants and new combinations thereof in terms of running time and memory demands. Though the speed of pure software implementations must be seen as one of the strong sides of code-based schemes, the optimisation of their running time on resource-constrained devices and servers is of great relevance.
The second essential part of the thesis studies the side channel security of these schemes. A side channel vulnerability is given when an attacker is able to retrieve information about the secrets involved in a cryptographic operation by measuring physical quantities such as the running time or the power consumption during that operation. Specifically, we consider attacks on the decryption operation, which target either the message or the secret key. In most cases, concrete countermeasures are proposed and evaluated. In this context, we show a number of timing vulnerabilities that are linked to the algorithmic variants for the root-finding of the error locator polynomial mentioned above. Furthermore, we show a timing attack against a vulnerability in the Extended Euclidean Algorithm that is used to solve the so-called key equation during the decryption operation, which aims at the recovery of the message. We also present a related practical power analysis attack. Finally, we present a practical timing attack that targets the secret key, which is based on the combination of three vulnerabilities, located within the syndrome inversion, a further suboperation of the decryption, and the already mentioned solving of the key equation.
We compare the attacks that aim at the recovery of the message with the analogous attacks against the RSA cryptosystem and derive a general methodology for the discovery of the underlying vulnerabilities in cryptosystems with specific properties.
Furthermore, we present two implementations of the code-based McEliece cryptosystem: a smart card implementation and a flexible implementation, which is based on a previous open-source implementation. The previously existing open-source implementation was extended to be platform independent and optimised for resource-constrained devices. In addition, we added all algorithmic variants presented in this thesis, and we present all relevant performance data such as running time, code size and memory consumption for these variants on an embedded platform. Moreover, we implemented all side channel countermeasures developed in this work.
Concluding, we present open research questions, which will become relevant once efficient and secure implementations of code-based cryptosystems are evaluated by industry for an actual application.