8 research outputs found

    On Side-Channel Vulnerabilities of Bit Permutations: Key Recovery and Reverse Engineering

    Lightweight block ciphers rely on simple operations to allow compact implementation. Thanks to its efficiency, bit permutation has emerged as an optimal choice for state-wise diffusion. It can be implemented by simple wiring or shifts. However, as recently shown by the Spectre and Meltdown attacks, efficiency and security often work against each other. In this work, we show how bit permutations introduce a side-channel vulnerability that can be exploited to extract the secret key from the cipher. Such vulnerabilities are specific to bit permutations and do not occur in other state-wise diffusion alternatives. We propose the Side-Channel Assisted Differential-Plaintext Attack (SCADPA), which targets this vulnerability in the bit permutation operation. SCADPA is experimentally demonstrated on PRESENT-80 on an 8-bit microcontroller, with best-case key recovery in 17 encryptions. The attack is then extended to the latest bit-permutation-based cipher, GIFT, allowing full key recovery in 36 encryptions. We also propose and experimentally verify an automatic threshold method which can be easily applied to SCADPA, allowing automation of the attack. Moreover, SCADPA on bit permutations has other applications. An application to reverse engineering secret S-boxes in PRESENT-like proprietary ciphers is shown. We also highlight a special case where fixing one vulnerability opens another. This is shown by applying SCADPA to some assembly-level fault attack countermeasures, rendering them less secure than unprotected implementations. Lastly, we also provide several different attack scenarios, such as targeting different encryption modes.

    My traces learn what you did in the dark: recovering secret signals without key guesses

    In side channel attack (SCA) studies, it is widely believed that unprotected implementations leak information about the intermediate states of the internal cryptographic process. However, directly recovering the intermediate states is not common practice in today's SCA study. Instead, most SCAs exploit the leakages in a guess-and-determine way, where they take a partial key guess, compute the corresponding intermediate states, then try to identify which one fits the observed leakages better. In this paper, we ask whether it is possible to go the other way around: directly learning the intermediate states from the side channel leakages. Under certain circumstances, we find that the intermediate states can be efficiently recovered with the well-studied Independent Component Analysis (ICA). Specifically, we propose several methods to convert the side channel leakages into effective ICA observations. For more robust recovery, we also present a specialized ICA algorithm which exploits the specific features of circuit signals. Experiments confirm the validity of our analysis in various circumstances, where most intermediate states can be correctly recovered with only a few hundred traces. To our knowledge, this is the first attempt to directly recover the intermediate states in a completely non-profiled setting. Our approach brings new possibilities to current SCA study, including building an alternative SCA distinguisher, directly attacking the middle encryption rounds and reverse engineering with fewer restrictions. Considering its potential in more advanced applications, we believe our ICA-based SCA deserves more research attention in future study.

    Multi-operation data encryption mechanism using dynamic data blocking and randomized substitution

    Existing cryptosystems rely on static design features such as fixed-size data blocks and static substitution, and apply an identical set of known encryption operations in each encryption round. Fixed-size blocks bring several issues, such as ineffective permutations, padding issues, deterministic brute-force strength and a known bit length, which support the cracker in formulating modern cryptanalysis. Existing static substitution policies are either not optimally fit for dynamically sized data blocks or contain a known S-box transformation and fixed lookup tables. Moreover, static substitution does not directly correlate with the secret key, due to which it has not been shown to be safer, especially for the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). Presently, all cryptosystems encrypt each data block with an identical set of known operations in each iteration, and so fail to offer dynamic selection of the encryption operation. These static design features are fully known to the cracker, which caused the practical cracking of DES and the undesirable security pitfalls of AES witnessed in earlier studies. Various studies have reported mathematical cryptanalysis of AES up to the full 14 rounds. Thus, this situation demands the proposal of dynamic design features in symmetric cryptosystems. Firstly, as a substitute for fixed-size data blocks, the Dynamic Data Blocking Mechanism (DDBM) has been proposed to provide dynamically sized data blocks. Secondly, as an alternative to the static substitution approach, a Randomized Substitution Mechanism (RSM) has been proposed which can randomly modify session keys and plaintext blocks. Finally, the Multi-operation Data Encryption Mechanism (MoDEM) has been proposed to tackle the issue of a static and identical set of known encryption operations on each data block in each round. With MoDEM, the encryption operation can be dynamically selected for the desired data block from a list of multiple operations bundled with several sub-operations. Operations such as exclusive-OR, 8-bit permutation, random substitution, cyclic shift and logical operations are used. Results show that DDBM can provide dynamically sized data blocks compared to existing approaches. Both RSM and MoDEM fulfil the dynamicity and randomness properties, as tested and validated under the recommended statistical analysis with a standard tool. The proposed method not only exhibits randomness and avalanche properties but also passes the recommended statistical tests within five encryption rounds (a significant improvement over existing approaches). Moreover, mathematical testing shows that common security attacks are not applicable to MoDEM and that it is significantly resistant to brute-force attack.

    On the Design of Bit Permutation Based Ciphers - The Interplay Among S-box, Bit Permutation and Key-addition

    Bit permutation based block ciphers, like PRESENT and GIFT, are well known for their extreme lightweightness in hardware implementation. However, designing such ciphers comes with one major challenge: ensuring strong cryptographic properties while depending only on the combination of three components, namely an S-box, a bit permutation and a key addition function. A wrong combination of components could lead to weaknesses. In this article, we study the interaction between these components, improve the theoretical security bound of GIFT and highlight the potential pitfalls associated with a bit permutation based primitive design. We also conducted an analysis of TRIFLE, a first-round candidate in the NIST lightweight cryptography competition, where our findings influenced the elimination of TRIFLE from the second round of the NIST competition. In particular, we showed that internal state bits of TRIFLE can be partially decrypted for a few rounds even without any knowledge of the key.

    Design and Cryptanalysis of Symmetric-Key Algorithms in Black and White-box Models

    Cryptography studies secure communications. In symmetric-key cryptography, the communicating parties have a shared secret key which allows both to encrypt and decrypt messages. The encryption schemes used are very efficient but have no rigorous security proof. In order to design a symmetric-key primitive, one has to ensure that the primitive is secure at least against known attacks. During 4 years of my doctoral studies at the University of Luxembourg under the supervision of Prof. Alex Biryukov, I studied symmetric-key cryptography and contributed to several of its topics. Part I is about structural and decomposition cryptanalysis. This type of cryptanalysis aims to exploit properties of the algorithmic structure of a cryptographic function. The first goal is to distinguish a function with a particular structure from random, structure-less functions. The second goal is to recover components of the structure in order to obtain a decomposition of the function. Decomposition attacks are also used to uncover secret structures of S-Boxes, cryptographic functions over small domains. In this part, I describe structural and decomposition cryptanalysis of the Feistel Network structure, decompositions of the S-Box used in the recent Russian cryptographic standard, and a decomposition of the only known APN permutation in even dimension. Part II is about invariant-based cryptanalysis. This method has recently become an active research topic, mainly due to recent extreme cryptographic designs, which turned out to be vulnerable to this cryptanalysis method. In this part, I describe an invariant-based analysis of NORX, an authenticated cipher. Further, I show a theoretical study of linear layers that preserve low-degree invariants of a particular form used in the recent attacks on block ciphers. Part III is about white-box cryptography. In the white-box model, an adversary has full access to the cryptographic implementation, which in particular may contain a secret key. The possibility of creating implementations of symmetric-key primitives secure in this model is a long-standing open question. Such implementations have many applications in industry, in particular in mobile payment systems. In this part, I study the possibility of applying masking, a side-channel countermeasure, to protect white-box implementations. I describe several attacks on the direct application of masking and provide a provably secure countermeasure against a strong class of the attacks. Part IV is about the design of symmetric-key primitives. I contributed to the design of the block cipher family SPARX and to the design of a suite of cryptographic algorithms, which includes the cryptographic permutation family SPARKLE, the cryptographic hash function family ESCH, and the authenticated encryption family SCHWAEMM. In this part, I describe the security analysis that I made for these designs.

    Creating Knowledge, volume 8, 2015

    Dear reader, I am delighted to introduce this eighth volume of Creating Knowledge: The LAS Journal of Undergraduate Scholarship. This volume features 19 essays and 14 art works, representing advanced coursework produced in twenty different departments and programs during the 2014-2015 academic year. Several of the essays have been honored with department awards and several draw on research supported by undergraduate research grants. Many were originally written in senior capstone seminars, research-intensive seminars, and independent studies, and many were presented in some form at one of the numerous conferences and showcases sponsored by departments and programs throughout the year. All have been selected by department-based faculty committees as the best of the year’s student research writing and all have been revised for submission under the supervision of faculty. (The first footnote to each essay provides information about the class in which it was written and the processes of selection and revision.) Together they represent the rich variety of research questions, methods and materials used in the arts, humanities, social sciences and interdisciplinary studies. The readers of this volume are also many and various. They include the faculty who taught the classes in which this work was produced and encouraged their students to submit it for publication, the faculty who reviewed and selected the work and those who assisted with the editing, the proud parents, siblings, and classmates, and, of course, the featured students themselves. The volume’s readers also include alumni and supporters of the college and, perhaps most important of all, future student scholars—prospective students and recently admitted students who are curious about what advanced work in this or that field looks like: What does a sociology, Latino and Latin American studies, or philosophy major do? 
What are the key research questions and ways of thinking or writing or knowing in history of art and architecture or Italian or women’s and gender studies? For these students, this volume provides a vivid and inspiring illustration of what they have to look forward to as they embark upon their chosen courses of study. Many thanks and hearty congratulations are due to the student scholars for their contributions to this volume and also to the more than 60 faculty who supported, reviewed, selected, and helped to edit these students’ work. Thanks are also due to the three Department of Art, Media and Design faculty who served as jurors of the art work and the three masters in writing and publication students who proofread the volume. Most of all, thanks are due to Warren Schultz, associate dean of undergraduate studies in the College of Liberal Arts and Social Sciences, who serves as editor of the volume, putting out the call for submissions, supporting the faculty work of reviewing, selecting, and editing the student essays, and coordinating the production of the print and digital editions. To all, congratulations! And to you, dear reader, enjoy. Lucy Rinehart, PhD, Interim Dean

    SCARE of Secret Ciphers with SPN Structures

    Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most previously published SCARE attacks enable the recovery of some secret parts of a cipher design (e.g. the substitution box(es)), assuming that the rest of the cipher is known. Moreover, these attacks are often based on an idealized leakage assumption where the adversary recovers noise-free side-channel information. In this paper, we address these limitations and describe a generic SCARE attack that can recover the full secret design of any iterated block cipher with a common structure. Specifically, we consider the family of Substitution-Permutation Networks with either a classical structure (as in the AES) or a Feistel structure. Based on a simple and usual assumption on the side-channel leakage, we show how to recover all parts of the design of such ciphers. We then relax our assumption and describe a practical SCARE attack that deals with noisy side-channel leakages.

    'Estes Sons, esta Linguagem'

    Writing musicological studies always entails writing about the history of musicology itself. Our Festschrift aims in the first place to develop knowledge on a wide range of musical topics and to stimulate scientific discourse. It is also meant as a contribution to the tradition of honouring prominent academics by means of a celebratory publication – a long-established practice in German-speaking countries, and one which has become widespread internationally. Thus, it is our intention to dedicate the present volume to a scholar, lecturer and intellectual whose lifetime’s work has had a major impact on the consolidation of modern musicology at the Faculdade de Ciências Sociais e Humanas, Universidade Nova de Lisboa: Mário Vieira de Carvalho. A Festschrift usually reflects the dedicatee’s scholarly fields and research interests. Our Essays on Music, Meaning and Society encompass some core issues in areas of research close to Mário Vieira de Carvalho’s own. His work has consistently explored the relations between musical phenomena and their social environment. For Mário Vieira de Carvalho music and society cannot be viewed as separate realms: they belong together and interact in multiple ways. It follows from this that musicology must devise ever more refined approaches to the interrelation of social and musical processes and practices. The chapter Social Existence Determines Human Consciousness: Interdependencies between Music, Society, and Technology addresses precisely those questions. The implications of Mário Vieira de Carvalho’s work for music analysis, criticism and aesthetics are manifold. Differentiations in musical reception or musical behaviour respond to differentiations in musical structure, which in turn reflect the musical intentions of the composer – a view developed by Mário Vieira de Carvalho since the time of his encounter with Christian Kaden as a former doctoral supervisor, and brought to fruition in his well-known studies on the music of Fernando Lopes-Graça, among other composers. Interrelations between composition, performance and reception are outlined in our chapters Analysing Music and Musicians: Text – Performance – Context and The Meaning of Meaning: Music, Discourse, and Silence.