200 research outputs found
A MAC Mode for Lightweight Block Ciphers
status: accepte
Profiling Good Leakage Models For Masked Implementations
Leakage model plays a very important role in side channel attacks. An accurate leakage model greatly improves the efficiency of attacks. However, how to profile a good enough leakage model, or how to measure the accuracy of a leakage model, is seldom studied. Durvaux et al. proposed leakage certification tests to profile good enough leakage model for unmasked implementations. However, they left the leakage model profiling for protected implementations as an open problem. To solve this problem, we propose the first practical higher-order leakage model certification tests for masked implementations. First and second order attacks are performed on the simulations of serial and parallel implementations of a first-order fixed masking. A third-order attack is performed on another simulation of a second-order random masked implementation. The experimental results show that our new tests can profile the leakage models accurately
Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC'08
International audienceIn PKC'08, Plantard, Susilo and Win proposed a lattice-based signature scheme, whose security is based on the hardness of the closest vector problem with the infinity norm (CVP∞). This signature scheme was proposed as a countermeasure against the Nguyen-Regev attack, which improves the security and the efficiency of the Goldreich, Goldwasser and Halevi scheme (GGH). Furthermore, to resist potential side channel attacks, the authors suggested modifying the determinis-tic signing algorithm to be randomized. In this paper, we propose a chosen message attack against the randomized version. Note that the randomized signing algorithm will generate different signature vectors in a relatively small cube for the same message, so the difference of any two signature vectors will be relatively short lattice vector. Once collecting enough such short difference vectors, we can recover the whole or the partial secret key by lattice reduction algorithms, which implies that the randomized version is insecure under the chosen message attack
SoK : Remote Power Analysis
In recent years, numerous attacks have appeared that aim to steal secret information from their victim using the power side-channel vector, yet without direct physical access. These attacks are called Remote Power Attacks or Remote Power Analysis, utilizing resources that are natively present inside the victim environment. However, there is no unified definition about the limitations that a power attack requires to be defined as remote. This paper aims to propose a unified definition and concrete threat models to clearly differentiate remote power attacks from non-remote ones. Additionally, we collect the main remote power attacks performed so far from the literature, and the principal proposed countermeasures to avoid them. The search of such countermeasures denoted a clear gap in preventing remote power attacks at the technical level. Thus, the academic community must face an important challenge to avoid this emerging threat, given the clear room for improvement that should be addressed in terms of defense and security of devices that work with private information.acceptedVersionPeer reviewe
High-Performance Ideal Lattice-Based Cryptography on 8-bit ATxmega Microcontrollers
Over the last years lattice-based cryptography has received much attention due to versatile average-case problems like Ring-LWE or Ring-SIS that appear to be intractable by quantum computers. But despite of promising constructions, only few results have been published on implementation issues on very constrained platforms. In this work we therefore study and compare implementations of Ring-LWE encryption and the bimodal lattice signature scheme (BLISS) on an 8-bit Atmel ATxmega128 microcontroller. Since the number theoretic transform (NTT) is one of the core components in implementations of lattice-based cryptosystems, we review the application of the NTT in previous implementations and present an improved approach that significantly lowers the runtime for polynomial multiplication. Our implementation of Ring-LWE encryption takes 27 ms for encryption and 6.7 ms for decryption. To compute a BLISS signature, our software takes 329 ms and 88 ms for verification. These results outperform implementations on similar platforms and underline the feasibility of lattice-based cryptography on constrained devices
Blockcipher-based MACs: Beyond the Birthday Bound without Message Length
We present blockcipher-based MACs (Message Authentication Codes) that have beyond the birthday bound security without message length in the sense of PRF (Pseudo-Random Function) security. Achieving such security is important in constructing MACs using blockciphers with short block sizes (e.g., 64 bit).
Luykx et al. (FSE2016) proposed LightMAC, the first blockcipher-based MAC with such security and a variant of PMAC, where for each -bit blockcipher call, an -bit counter and an -bit message block are input. By the presence of counters, LightMAC becomes a secure PRF up to tagging queries. Iwata and Minematsu (TOSC2016, Issue1) proposed F_t, a keyed hash function-based MAC, where a message is input to keyed hash functions (the hash function is performed times) and the outputs are input to the xor of keyed blockciphers. Using the LightMAC\u27s hash function, F_t becomes a secure PRF up to tagging queries. However, for each message block of bits, it requires blockcipher calls.
In this paper, we improve F_t so that a blockcipher is performed only once for each message block of bits. We prove that our MACs with are secure PRFs up to tagging queries. Hence, our MACs with are more efficient than F_t while keeping the same level of PRF-security
Set It and Forget It! Turnkey ECC for Instant Integration
Historically, Elliptic Curve Cryptography (ECC) is an active field of applied
cryptography where recent focus is on high speed, constant time, and formally
verified implementations. While there are a handful of outliers where all these
concepts join and land in real-world deployments, these are generally on a
case-by-case basis: e.g.\ a library may feature such X25519 or P-256 code, but
not for all curves. In this work, we propose and implement a methodology that
fully automates the implementation, testing, and integration of ECC stacks with
the above properties. We demonstrate the flexibility and applicability of our
methodology by seamlessly integrating into three real-world projects: OpenSSL,
Mozilla's NSS, and the GOST OpenSSL Engine, achieving roughly 9.5x, 4.5x,
13.3x, and 3.7x speedup on any given curve for key generation, key agreement,
signing, and verifying, respectively. Furthermore, we showcase the efficacy of
our testing methodology by uncovering flaws and vulnerabilities in OpenSSL, and
a specification-level vulnerability in a Russian standard. Our work bridges the
gap between significant applied cryptography research results and deployed
software, fully automating the process
A Systematic Appraisal of Side Channel Evaluation Strategies
In this paper we examine the central question that is how well do side channel evaluation regimes capture the true security level of a product. Concretely, answering this question requires considering the optimality of the attack/evaluation strategy selected by the evaluator, and the various steps to instantiate it. We draw on a number of published works and discuss whether state-of-the-art solutions for the different steps of a side-channel security evaluation offer bounds or guarantees of optimality, or if they are inherently heuristic. We use this discussion to provide an informal rating of the steps\u27 optimality and to put forward where risks of overstated security levels remain
SoK: Privacy-Preserving Signatures
Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency
- …