19 research outputs found

    Higher-order CIS codes

    We introduce complementary information set codes of higher order. A binary linear code of length $tk$ and dimension $k$ is called a complementary information set code of order $t$ ($t$-CIS code for short) if it has $t$ pairwise disjoint information sets. The duals of such codes make it possible to reduce the cost of masking cryptographic algorithms against side-channel attacks. As in the case of codes for error correction, given the length and the dimension of a $t$-CIS code, we look for the highest possible minimum distance. In this paper, this new class of codes is investigated. The existence of good long CIS codes of order 3 is derived by a counting argument. General constructions based on cyclic and quasi-cyclic codes and on the building-up construction are given. A formula similar to a mass formula is given. A classification of 3-CIS codes of length $\le 12$ is given. Nonlinear codes better than linear codes are derived by taking binary images of $\mathbb{Z}_4$-codes. A general algorithm based on Edmonds' basis packing algorithm from matroid theory is developed with the following property: given a binary linear code of rate $1/t$, it either provides $t$ disjoint information sets or proves that the code is not $t$-CIS. Using this algorithm, all optimal or best known $[tk, k]$ codes where $t = 3, 4, \dots, 256$ and $1 \le k \le \lfloor 256/t \rfloor$ are shown to be $t$-CIS for all such $k$ and $t$, except for $t = 3$ with $k = 44$ and $t = 4$ with $k = 37$. Comment: 13 pages; 1 figure
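    The $t$-CIS property on a small code, worked through by exhaustive search. This is an added example, not the paper's Edmonds-based algorithm, and the two generator matrices `G_CIS` and `G_NOT_CIS` are constructed here to show both outcomes the paper's algorithm distinguishes: a set of $t$ disjoint information sets, or a proof (here: exhaustion) that none exists.

```python
"""t-CIS check for small binary linear codes by exhaustive search (added example)."""
from itertools import combinations


def rank_gf2(rows):
    """Rank over GF(2) of a list of row bitmasks (incremental XOR basis)."""
    pivots = {}  # leading bit position -> basis row with that leading bit
    for v in rows:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return len(pivots)


def is_information_set(gen, cols):
    """True if the k columns `cols` of generator matrix `gen` are linearly
    independent over GF(2), i.e. they form an information set of the code."""
    k = len(gen)
    sub = [sum(gen[i][c] << j for j, c in enumerate(cols)) for i in range(k)]
    return rank_gf2(sub) == k


def disjoint_information_sets(gen, t):
    """For a k x tk generator matrix return t pairwise disjoint information
    sets, or None if the code is not t-CIS. Exhaustive search: adequate for
    the short lengths classified in the paper, not for the [tk, k] codes with
    k up to 85 that the Edmonds-based algorithm handles."""
    k, n = len(gen), len(gen[0])
    if n != t * k:
        raise ValueError("a t-CIS code has length t*k")
    infosets = [c for c in combinations(range(n), k) if is_information_set(gen, c)]

    def search(chosen, used, start):
        if len(chosen) == t:
            return chosen
        for i in range(start, len(infosets)):
            s = infosets[i]
            if used.isdisjoint(s):
                found = search(chosen + [s], used | set(s), i + 1)
                if found:
                    return found
        return None

    return search([], set(), 0)


# Constructed [9, 3] code G = [I | A | B] with A and B invertible over GF(2):
# by construction it is 3-CIS (columns 0-2, 3-5 and 6-8 are information sets).
G_CIS = [
    [1, 0, 0, 1, 1, 0, 1, 0, 1],
    [0, 1, 0, 0, 1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0, 1, 0, 1, 1],
]
# Constructed [6, 2] code whose column 5 is all-zero: no information set can
# contain that column, so the six columns cannot be split into 3 information sets.
G_NOT_CIS = [
    [1, 0, 0, 1, 1, 0],
    [0, 1, 1, 0, 0, 0],
]

if __name__ == "__main__":
    print(disjoint_information_sets(G_CIS, 3))      # three disjoint triples
    print(disjoint_information_sets(G_NOT_CIS, 3))  # None
```

    Because the length is exactly $tk$, the $t$ information sets must partition the coordinates, which is why a single column that lies in no information set (a zero column, or more generally a column outside every basis of the column matroid) already rules the code out.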

    Higher-Order Threshold Implementation of the AES S-Box

    In this paper we present a threshold implementation of the Advanced Encryption Standard's S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.

    Exploiting FPGA block memories for protected cryptographic implementations

    Modern Field Programmable Gate Arrays (FPGAs) are packed with features that assist designers. The availability of features such as large block memory (BRAM), Digital Signal Processing (DSP) cores and embedded CPUs makes the design strategy for FPGAs quite different from that for ASICs. FPGAs are also widely used in security-critical applications where protection against known attacks is of prime importance. We focus on physical attacks, which target physical implementations. To design countermeasures against such attacks, the strategy for FPGA designers should also differ from that for ASICs: the available features should be exploited to design compact and strong countermeasures. In this paper, we propose methods to exploit the BRAMs in FPGAs for designing compact countermeasures. BRAM can be used to optimize intrinsic countermeasures like masking and dual-rail logic, which otherwise have significant overhead (at least 2X). The optimizations are applied to a real AES-128 co-processor and tested for area overhead and resistance on Xilinx Virtex-5 chips. The presented masking countermeasure has an overhead of only 16% when applied to AES. Moreover, the Dual-rail Precharge Logic (DPL) countermeasure has been optimized to pack the whole sequential part into the BRAM, hence enhancing the security. Proper robustness evaluations are conducted to analyze the optimization for area and security.

    Side Channel Cryptanalysis

    Side channels fundamentally change the view of the security of a cryptographic system. It is not enough to analyze the security of an algorithm only from a mathematical point of view using abstract models; the same emphasis must be placed on the implementation of the algorithms. The introduction of the thesis explains the basic terms, the principle of side-channel attacks and the basic classification of side channels. The following chapter sets out the objectives of the thesis. The main goal of the thesis is to propose and experimentally verify a new power analysis method that uses neural networks. This main goal arose from the review of currently used power analysis methods presented in the following chapters. These chapters contain a detailed analysis of currently used power analysis methods and an analysis of the AES encryption algorithm. AES was selected because the algorithm is resistant to conventional cryptanalysis. The following chapter describes the partial experimental results obtained: the optimization of existing methods, the influence of the parameters affecting power consumption and the results of the proposed analysis using neural networks, including a discussion of the results. This type of power side-channel attack has not been published before, so it is a completely new idea. The final goal of the thesis was to summarize the possible countermeasures against side-channel analysis and attacks.

    Research on performance enhancement for electromagnetic analysis and power analysis in cryptographic LSI

    Degree system: new; Report number: Kō 3785; Degree: Doctor of Engineering; Date conferred: 2012/11/19; Waseda degree number: Shin 6161. Waseda University

    A study of security evaluation methods against physical attacks on cryptographic hardware

    The spread of high-performance information devices and broadband networks has rapidly expanded the use of cryptography. Research on cryptography used to concentrate on the theoretical security of algorithms, but research on security against attacks that exploit physical weaknesses of "cryptographic modules", that is, cryptographic algorithms implemented in software or hardware, is now very active. This study targets side-channel attacks, which extract secret information leaked through the power consumption, electromagnetic emanation, computation time and similar observables of a cryptographic module during operation. The international standard ISO/IEC 17825 for security evaluation methods against side-channel attacks was established in January 2016. For detecting leakage from symmetric-key ciphers it uses Welch's t-test to check whether the mean or the standard deviation differs significantly between power or electromagnetic waveforms classified by a known internal state and waveforms of random inputs. In this study, we ran this t-test on various AES circuits on a cryptographic LSI manufactured with a CMOS standard cell library and verified its effectiveness. Furthermore, we introduced a method that deliberately biases the Hamming weight of internal variable data to emphasize the leaked information and showed that it improves the precision of the t-test. In an ordinary side-channel attack the attacker cannot directly observe or control the internal state, but from the viewpoint of security evaluation the developer or evaluator of a cryptographic module can set it freely. That is, when leakage is detected under such conditions it does not immediately constitute a security problem but indicates that leakage is possible. Conversely, if no leakage is found even under such extremely favorable conditions, the cryptographic module has very high security. The method of this study provides conditions even more favorable than the ordinary Welch's t-test, so that leakage can be detected with high precision from fewer waveforms, greatly reducing the cost of security evaluation against side-channel attacks. The University of Electro-Communications, 201
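    The fixed-vs-random Welch's t-test described above, together with the Hamming-weight biasing of the fixed class, run on simulated traces. This is an added example and not the study's code or measurements: the leakage model (Hamming weight of the first-round AES S-box output plus Gaussian noise), the noise level, the trace count, the 4.5 threshold and the key byte 0x2B are all assumptions made here.

```python
"""Fixed-vs-random leakage detection with Welch's t-test (ISO/IEC 17825 style),
run on simulated first-round AES S-box power traces. Added illustration; the
leakage model, noise level and trace counts are assumptions, not the study's data."""
import math
import random
import statistics

THRESHOLD = 4.5  # conventional |t| bound; above it the sample is flagged as leaking


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def make_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        sbox.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return sbox


SBOX = make_sbox()
INV_SBOX = {v: i for i, v in enumerate(SBOX)}


def hw(x):
    return bin(x).count("1")


def simulate_trace(plaintext, key, rng, sigma=1.0):
    """Three-sample trace (assumed model): sample 1 leaks the Hamming weight of
    the first-round S-box output plus Gaussian noise; samples 0 and 2 are noise."""
    leak = hw(SBOX[plaintext ^ key])
    return [rng.gauss(0, sigma), leak + rng.gauss(0, sigma), rng.gauss(0, sigma)]


def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))


def tvla(fixed_plaintext, key, n_traces=300, seed=1):
    """Fixed-vs-random test: returns the t-value for every sample index."""
    rng = random.Random(seed)
    fixed = [simulate_trace(fixed_plaintext, key, rng) for _ in range(n_traces)]
    rand = [simulate_trace(rng.randrange(256), key, rng) for _ in range(n_traces)]
    return [welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand])
            for i in range(len(fixed[0]))]


def biased_plaintext(key, target_hw):
    """Hamming-weight biasing: choose the fixed plaintext so the S-box output
    has Hamming weight target_hw. The random class averages 4, so a target of
    0 or 8 maximizes the mean difference, while a target of 4 hides it from a
    test on the mean (the evaluator can do this because it knows the key)."""
    for out in range(256):
        if hw(out) == target_hw:
            return INV_SBOX[out] ^ key
    raise ValueError("no byte has that Hamming weight")


if __name__ == "__main__":
    key = 0x2B  # assumed secret key byte, known to the evaluator
    for target in (4, 0):
        t = tvla(biased_plaintext(key, target), key)
        print(f"fixed-class HW {target}: t per sample = {[round(v, 1) for v in t]}")
```

    With the fixed class chosen so that the S-box output has Hamming weight 4, the leaking sample has the same mean as the random class and a first-order t-test on the mean reports nothing, even though the variance differs; choosing Hamming weight 0 (or 8) drives |t| at the leaking sample far past 4.5 with the same 300 traces per class, while the two noise-only samples stay below it. This is the sense in which biasing the internal state gives the evaluator more favorable conditions than the plain test and lets leakage be confirmed from fewer traces.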

    Towards Secure Cryptographic Software Implementation Against Side-Channel Power Analysis Attacks

    Side-channel attacks have been a real threat against many critical embedded systems that rely on cryptographic algorithms as their security engine. A commonly used algorithmic countermeasure, random masking, incurs large execution delay and resource overhead. The other countermeasure, operation shuffling or permutation, can mitigate side-channel leakage effectively with minimal overhead. In this paper, we exploit the independence among operations in cryptographic algorithms and randomize their execution order. We design a tool to automatically detect such independence between statements at the source code level and devise an algorithm for automatic operation shuffling. We test our algorithm on the new SHA-3 standard, Keccak. Results show that the tool implements operation shuffling effectively and reduces the side-channel leakage significantly, and can therefore guide automatic secure cryptographic software implementations against differential power analysis attacks.

    Boosting Higher-Order Correlation Attacks by Dimensionality Reduction

    Multivariate side-channel attacks make it possible to break higher-order masking protections by combining several leakage samples. But how does one optimally extract all the information contained in all possible $d$-tuples of points? In this article, we introduce preprocessing tools that answer this question. We first show that maximizing the higher-order CPA coefficient is equivalent to finding the maximum of the covariance. We apply this equivalence to the problem of trace dimensionality reduction by linear combination of its samples. Then we establish the link between this problem and Principal Component Analysis. In a second step we present the optimal solution to the problem of maximizing the covariance. We also compare these methods theoretically and empirically. We finally apply them to real measurements, publicly available under the DPA Contest v4, to evaluate how the proposed techniques improve second-order CPA (2O-CPA).