Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security
In our paper at PROOFS 2013, we formally studied a few known countermeasures
to protect CRT-RSA against the BellCoRe fault injection attack. However, we
left Vigilant's countermeasure and its alleged repaired version by Coron et al.
as future work, because the arithmetical framework of our tool was not
sufficiently powerful. In this paper we bridge this gap and then use the same
methodology to formally study both versions of the countermeasure. We obtain
surprising results, which we believe demonstrate the importance of formal
analysis in the field of implementation security. Indeed, the original version
of Vigilant's countermeasure is actually broken, but not as much as Coron et
al. thought it was. As a consequence, the repaired version they proposed can be
simplified. It can actually be simplified even further as two of the nine
modular verifications happen to be unnecessary. Fortunately, we could formally
prove the simplified repaired version to be resistant to the BellCoRe attack,
which was considered a "challenging issue" by the authors of the countermeasure
themselves.
Comment: arXiv admin note: substantial text overlap with arXiv:1401.817
A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA
In this article, we describe a methodology that aims at either breaking or
proving the security of CRT-RSA implementations against fault injection
attacks. In the specific case-study of the BellCoRe attack, our work bridges a
gap between formal proofs and implementation-level attacks. We apply our
results to three implementations of CRT-RSA, namely the unprotected one, that
of Shamir, and that of Aumüller et al. Our findings are that many attacks are
possible on both the unprotected and the Shamir implementations, while the
implementation of Aumüller et al. is resistant to all single-fault attacks.
It is also resistant to double-fault attacks if we consider the less powerful
threat-model of its authors.
Comment: PROOFS, Santa Barbara, CA : United States (2013
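The two abstracts above refer to the BellCoRe attack and to Shamir's countermeasure without spelling out either. The following is an added example, not code from either paper: it implements unprotected CRT-RSA with Garner recombination, the two classic gcd computations of the BellCoRe attack, and Shamir's countermeasure in its textbook form (exponentiate modulo p*r and q*r, require agreement modulo r). The toy primes, the message, the small prime r and the fault model (a fault is "add 1 to an intermediate value") are all constructed for the demo and are not the formal fault model of the papers; the key sizes are far too small for real use.

```python
"""BellCoRe fault attack on CRT-RSA, and Shamir's countermeasure.

Added example, not from the papers above. Everything below is constructed:
toy primes P, Q; a small 'Shamir' prime r; a fault modelled as +1 on an
intermediate value; Shamir's check in its textbook form (s_p == s_q mod r).
"""
from math import gcd

# Constructed toy key. Both P and Q are prime; E is prime and divides
# neither P-1 nor Q-1, so pow(E, -1, phi) exists.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_sign(m, p, q, d, fault=None):
    """Unprotected CRT-RSA signature with Garner recombination.

    fault="p" simulates a transient fault in the mod-p half-exponentiation.
    """
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault == "p":
        sp = (sp + 1) % p            # corrupted half, never checked
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + h * q                # s == sp (mod p) and s == sq (mod q)


def bellcore_two_sigs(n, s_good, s_bad):
    """BellCoRe, two-signature form: a correct and a faulty signature of the
    same message still agree modulo the uncorrupted prime, so gcd(s - s', n)
    is that prime."""
    return gcd(s_good - s_bad, n)


def bellcore_one_sig(n, e, m, s_bad):
    """BellCoRe, one-signature form: s'^e == m holds only modulo the
    uncorrupted prime, so gcd(s'^e - m, n) is that prime. No correct
    signature is needed."""
    return gcd((pow(s_bad, e, n) - m) % n, n)


def shamir_sign(m, p, q, d, r, fault=None):
    """Shamir's countermeasure (textbook form).

    Both half-exponentiations are done modulo p*r and q*r; the results must
    agree modulo r before recombination. Returns None when the check fires.
      fault="exp_p"  : fault inside the mod-(p*r) exponentiation, detected.
      fault="recomb" : fault after the check, during recombination, not
                       detected (the attack class the second paper reports
                       against this scheme).
    """
    dp = d % ((p - 1) * (r - 1))     # d mod phi(p*r)
    dq = d % ((q - 1) * (r - 1))     # d mod phi(q*r)
    spr = pow(m, dp, p * r)
    sqr = pow(m, dq, q * r)
    if fault == "exp_p":
        spr = (spr + 1) % (p * r)
    if (spr - sqr) % r != 0:
        return None                  # detected: nothing leaves the device
    sp, sq = spr % p, sqr % q
    if fault == "recomb":
        sp = (sp + 1) % p            # Shamir's check is already behind us
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + h * q


def run_demo(m=0x1234567, r=7919):
    """Run the attack against both implementations; returns the recovered
    factors so the outcome can be checked programmatically."""
    s = crt_sign(m, P, Q, D)
    s_bad = crt_sign(m, P, Q, D, fault="p")
    s_rec = shamir_sign(m, P, Q, D, r, fault="recomb")
    return {
        "correct_sig_ok": pow(s, E, N) == m,
        "unprotected_two_sigs": bellcore_two_sigs(N, s, s_bad),
        "unprotected_one_sig": bellcore_one_sig(N, E, m, s_bad),
        "shamir_exp_fault_detected": shamir_sign(m, P, Q, D, r, "exp_p") is None,
        "shamir_recomb_fault_leaks": bellcore_two_sigs(N, s, s_rec),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

A fault in one CRT half is enough for either gcd to return the other prime, and the one-signature form means the attacker does not even need a fault-free signature of the same message. Shamir's check catches a fault inside the exponentiation because it disturbs the value modulo r as well, but a fault injected after the check, in the recombination step, is invisible to it and leaks a factor exactly as in the unprotected case; a check on the final signature (for instance verifying it with e before output) is the kind of extra verification the stronger countermeasures in the papers add.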
On the Machine Learning Techniques for Side-channel Analysis
Side-channel attacks represent one of the most powerful categories of attacks
on cryptographic devices, with profiled attacks in a prominent place as the
most powerful among them. Indeed, the template attack, for instance, is a
well-known real-world attack that is also the most powerful attack from the
information-theoretic perspective. On the other hand, machine learning
techniques have proven their quality in numerous applications, one of which
is definitely side-channel analysis, but they come with a price: selecting
the appropriate algorithm as well as its parameters can be a difficult and
time-consuming task. Nevertheless, the results obtained until now justify
such an effort. However, a large part of those results rely on a
simplification of the data relation on the one side and on extremely
powerful machine learning techniques on the other. In this paper, we
concentrate first on the tuning part, which we show to be of extreme
importance. Furthermore, since tuning is a time-demanding task, we discuss
how to use hyperheuristics to obtain good results in a relatively short
amount of time. Next, we provide an extensive comparison between various
machine learning techniques, spanning from extremely simple ones (even
without any parameters to tune) up to methods where previous experience is a
must if one wants to obtain competitive results. To support our claims, we
give extensive experimental results and discuss the necessary conditions to
conduct a proper machine learning analysis. Besides the machine learning
algorithms' results, we give results obtained with the template attack.
Finally, we investigate the influence of feature (in)dependence in datasets
with varying amounts of noise, as well as the influence of feature noise and
classification noise. In order to strengthen our findings, we also discuss
provable machine learning algorithms, i.e., PAC learning algorithms.
Higher-order CIS codes
We introduce complementary information set codes of higher order. A
binary linear code of length and dimension is called a complementary
information set code of order (-CIS code for short) if it has
pairwise disjoint information sets. The duals of such codes make it possible
to reduce the cost of masking cryptographic algorithms against side-channel
attacks. As in the case of codes for error correction, given the length and
the dimension of a -CIS code, we look for the highest possible minimum
distance. In this paper, this new class of codes is investigated. The
existence of good long CIS codes of order is derived by a counting argument.
General constructions based on cyclic and quasi-cyclic codes and on the
building-up construction are given. A formula similar to a mass formula is
given. A classification of 3-CIS codes of length is given. Nonlinear codes
better than linear codes are derived by taking binary images of -codes. A
general algorithm based on Edmonds' basis packing algorithm from matroid
theory is developed with the following property: given a binary linear code
of rate it either provides disjoint information sets or proves that the
code is not -CIS. Using this algorithm, all optimal or best known codes
where and are shown to be -CIS for all such and , except for with and
with .
Comment: 13 pages; 1 figur
Social Status and Mortality With Activity of Daily Living Disability in Later Life
Objectives. The aim of this study was to assess which social status factors predispose a person to dying with activity of daily living (ADL) disability in later life. Methods. We followed 243 deceased members of the Swiss Interdisciplinary Longitudinal Study on the Oldest Old annually up to 8 years before their deaths. Using a multilevel regression, we analyzed age at death, gender, occupational category, and geographic area as potential factors predisposing a person to ending life with ADL disability. Results. Disability scores showed a substantial increase as death approached. Individuals from a lower occupational category were at higher risk of ADL disability and experienced a greater functional decline prior to death compared to those from higher occupational categories. Discussion. Consistent with the cumulative disadvantage theoretical framework, the health differential between the occupational categories seems to be exacerbated prior to deat
Health: support provided and received in advanced old age: A five-year follow-up
Abstract: While research focuses mainly on support provided to the elderly, this paper deals with the very old as a support provider to his family as much as a care recipient from both his family and a formal network. We hypothesize that elders with declining health will try to maintain the provision of services, even when they require and receive help. A total of 340 octogenarians from the Swiss Interdisciplinary Longitudinal Study on the Oldest Old (SWILSOO) were interviewed up to five times over five years (N=1225 interviews). A multilevel model was applied to assess the effects of health, controlled for socio-demographic and family network variables, on the frequency of services that the old persons provided to their family and received from their family and formal networks. Health is operationalized in three statuses: ADL-dependent, ADL-independent frail, and robust. While the recourse to the informal network increased progressively with the process of frailty, the recourse to the formal network drastically increased for ADL-dependent individuals. Being ADL-dependent seriously altered the capacity to provide services, but ADL-independent frail persons were providers with the same frequency as the robust oldest old, showing their ability to preserve a principle of reciprocity in their exchanges with their family network. This continuity of roles may help frail persons to maintain their self-esteem and well-bein
Integrating a QPSK Quantum Key Distribution Link
We present the integration of the optical and electronic subsystems of a
BB84-QKD fiber link. A high-speed FPGA MODEM generates the random QPSK
sequences for a fiber-optic delayed self-homodyne scheme using APD detectors.
Comment: 2 pages, 4 figures, European Conference on Optical Communication 200
Exploiting FPGA block memories for protected cryptographic implementations
Modern Field Programmable Gate Arrays (FPGAs) are packed with features to help designers. The availability of features such as large block memory (BRAM), Digital Signal Processing (DSP) cores and embedded CPUs makes the design strategy for FPGAs quite different from that for ASICs. FPGAs are also widely used in security-critical applications where protection against known attacks is of prime importance. We focus on physical attacks, which target physical implementations. To design countermeasures against such attacks, the strategy for FPGA designers should also differ from that for ASICs: the available features should be exploited to build compact and strong countermeasures. In this paper, we propose methods to exploit the BRAMs of FPGAs for designing compact countermeasures. BRAM can be used to optimize intrinsic countermeasures like masking and dual-rail logic, which otherwise have significant overhead (at least 2X). The optimizations are applied to a real AES-128 co-processor and tested for area overhead and resistance on Xilinx Virtex-5 chips. The presented masking countermeasure has an overhead of only 16% when applied to AES. Moreover, the Dual-rail Precharge Logic (DPL) countermeasure has been optimized to pack the whole sequential part into the BRAM, hence enhancing security. Proper robustness evaluations are conducted to analyze the optimizations for area and security.