26 research outputs found

    Cryptanalyses of Narrow-Pipe Mode of Operation in AURORA-512 Hash Function

    No full text

    Towards testability in smart card operating system design

    No full text
    The operating system of a smart card is a safety critical system. Distributed in millions, smart cards with their small 8-bit CPU support applications where transferred values are only protected by the strength of a cryptographic protocol. This strength goes no further than the implementation of the software in the card and terminal allows. Because of its complexity, to guarantee absolute reliability of the smart card software is prohibitively expensive. Obtaining a high level of confidence in the implementation of a smart card application is essential for their widespread acceptance. A highly structured design of the smart card operating system gives the designer control over the complexity of the system. A functional language has been used to prototype a smart card operating system. The prototype has the same structure as the real operating system and it offers most of the functionality of the real system. The well defined semantics of pure functional languages and their compositionality in particular are instrumental to the structuring of the prototype. With the functional language implementation as reference, the reliability of the implementation can be assessed in detail.

    Power Analysis of FPGAs: How Practical Is the Attack?

    No full text

    Dual EC: a standardized back door

    No full text
    Dual EC is an algorithm to compute pseudorandom numbers starting from some random input. Dual EC was standardized by NIST, ANSI, and ISO among other algorithms to generate pseudorandom numbers. For a long time this algorithm was considered suspicious – the entity designing the algorithm could have easily chosen the parameters in such a way that it can predict all outputs – and on top of that it is much slower than the alternatives and the numbers it provides are more biased, i.e., not random. The Snowden revelations, and in particular reports on Project Bullrun and the SIGINT Enabling Project, have indicated that Dual EC was part of a systematic effort by NSA to subvert standards. This paper traces the history of Dual EC including some suspicious changes to the standard, explains how the back door works in real-life applications, and explores the standardization and patent ecosystem in which the standardized back door stayed under the radar.

    Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches

    No full text
    Hardware implementations of cryptographic algorithms are vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. Many protection measures depart from an idealized hardware model that is very expensive to meet with real hardware. In particular, the presence of glitches causes many masking techniques to leak information during the computation of nonlinear functions. We discuss a recently introduced masking method which is based on secret sharing and multi-party computation methods. The approach results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware. We show how to use this method to derive secure implementations of some nonlinear building blocks for cryptographic algorithms. Finally, we provide a provable secure implementation of the block cipher Noekeon and verify the results by means of low-level simulations.

    Improved Generic Algorithms for 3-Collisions

    No full text
    An $r$-collision for a function is a set of $r$ distinct inputs with identical outputs. Actually finding $r$-collisions for a random map over a finite set of cardinality $N$ requires at least about $N^{(r-1)/r}$ units of time on a sequential machine. For $r = 2$, memoryless and well-parallelisable algorithms are known. The current paper describes memory-efficient and parallelisable algorithms for $r \ge 3$. The main results are: (1) A sequential algorithm for 3-collisions, roughly using memory $N^{\alpha}$ and time $N^{1-\alpha}$ for $\alpha \le 1/3$. I.e., given $N^{1/3}$ units of storage, one can find 3-collisions in time $N^{2/3}$. Note that there is a time-memory tradeoff which allows to reduce the memory consumption. (2) A parallelisation of this algorithm using $N^{1/3}$ processors running in time $N^{1/3}$. Each single processor only needs a constant amount of memory. (3) A generalisation of this second approach to $r$-collisions for $r \ge 3$: given $N^{s}$ parallel processors, one can generate $r$-collisions roughly in time $N^{((r-1)/r)-s}$, using memory $N^{((r-2)/r)-s}$ on every processor.