
    Lightweight Cryptography Meets Threshold Implementation: A Case Study for SIMON

    Securing data transmission has always been a challenge. While many cryptographic algorithms are available to solve the problem, many applications have tough area constraints while requiring high-level security. Lightweight cryptography aims at achieving high-level security with the benefit of being low cost. Since the late nineties and with the discovery of side channel attacks, the approach towards cryptography has changed quite significantly. An attacker who can get close to a device can extract sensitive data by monitoring side channels such as power consumption, sound, or electromagnetic emanation. This means that embedded implementations of cryptographic schemes require protection against such attacks to achieve the desired level of security. In this work we combine a low-cost embedded cipher, Simon, with a state-of-the-art side channel countermeasure called Threshold Implementation (TI). We show that TI is a great match for lightweight cryptographic ciphers, especially for hardware implementation. Our implementation is the smallest TI of a block cipher on an FPGA. This implementation utilizes 96 slices of a low-cost Spartan-3 FPGA and 55 slices of a modern Kintex-7 FPGA. Moreover, we present a higher order TI which is resistant against second order attacks. This implementation utilizes 163 slices of a Spartan-3 FPGA and 95 slices of a Kintex-7 FPGA. We also present a state of the art leakage analysis and, by applying it to the designs, show that the implementations achieve the expected security. The implementations even feature a significant robustness to higher order attacks, where several million observations are needed to detect leakage.

    Balanced Encoding to Mitigate Power Analysis: A Case Study

    Most side channel countermeasures for software implementations of cryptography either rely on masking or randomize the execution order of the cryptographic implementation. This work proposes a countermeasure that has constant leakage in common linear leakage models. Constant leakage is achieved not only for internal state values, but also for their transitions. The proposed countermeasure provides perfect protection in the theoretical leakage model. To study the practical relevance of the proposed countermeasure, it is applied to a software implementation of the block cipher Prince. This case study allows us to give realistic values for the resulting implementation overheads as well as for the side channel protection levels that can be achieved in realistic implementation scenarios.

    Partial Key Exposure in Ring-LWE-Based Cryptosystems: Attacks and Resilience

    We initiate the study of partial key exposure in ring-LWE-based cryptosystems. Specifically, we
    - Introduce the search and decision Leaky-RLWE assumptions (Leaky-SRLWE, Leaky-DRLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret and/or error.
    - Present and implement an efficient key exposure attack that, given a certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with RLWE instances, recovers the full RLWE secret for standard parameter settings.
    - Present a search-to-decision reduction for Leaky-RLWE for certain types of key exposure.
    - Analyze the security of NewHope key exchange under partial key exposure of a 1/8-fraction of the secrets and error. We show that, assuming that Leaky-DRLWE is hard for these parameters, the shared key $v$ (which is then hashed using a random oracle) is computationally indistinguishable from a random variable with average min-entropy 238, conditioned on transcript and leakage, whereas without leakage the min-entropy is 256.

    On the Leakage Resilience of Ring-LWE Based Public Key Encryption

    We consider the leakage resilience of the Ring-LWE analogue of the Dual-Regev encryption scheme (R-Dual-Regev for short), originally presented by Lyubashevsky et al. (Eurocrypt '13). Specifically, we would like to determine whether the R-Dual-Regev encryption scheme remains IND-CPA secure, even in the case where an attacker leaks information about the secret key. We consider the setting where $R$ is the ring of integers of the $m$-th cyclotomic number field, for $m$ which is a power of two, and the Ring-LWE modulus is set to $q \equiv 1 \bmod m$. This is the common setting used in practice and is desirable in terms of the efficiency and simplicity of the scheme. Unfortunately, in this setting $R_q$ is very far from being a field, so standard techniques for proving leakage resilience in the general lattice setting, which rely on the leftover hash lemma, do not apply. Therefore, new techniques must be developed. In this work, we put forth a high-level approach for proving the leakage resilience of the R-Dual-Regev scheme, by generalizing the original proof of Lyubashevsky et al. (Eurocrypt '13). We then give three instantiations of our approach, proving that R-Dual-Regev remains IND-CPA secure in the presence of three natural, non-adaptive leakage classes.

    A finite element model for the thermo-elastic analysis of functionally graded porous nanobeams

    In this study, for the first time, a nonlocal finite element model is proposed to analyse the thermo-elastic behaviour of imperfect functionally graded porous nanobeams (P-FG) on the basis of nonlocal elasticity theory and employing a double-parameter elastic foundation. Temperature-dependent material properties are considered for the P-FG nanobeam, which are assumed to change continuously through the thickness based on the power-law form. The size effects are incorporated in the framework of the nonlocal elasticity theory of Eringen. The equations of motion are derived based on first-order shear deformation beam theory through Hamilton's principle. Based on the obtained numerical results, it is observed that the proposed beam element can provide accurate buckling and frequency results for the P-FG nanobeams as compared with some benchmark results in the literature. The detailed variational and finite element procedures are presented and numerical examinations are performed. A parametric study is performed to investigate the influence of several parameters such as porosity volume fraction, porosity distribution, thermal loading, material graduation, nonlocal parameter, slenderness ratio and elastic foundation stiffness on the critical buckling temperature and the nondimensional fundamental frequencies of the P-FG nanobeams. Based on the results of this study, a porous FG nanobeam has a higher thermal buckling resistance and natural frequency compared to a perfect FG nanobeam. Also, uniform distributions of porosity result in greater critical buckling temperatures and vibration frequencies, in comparison with functional distributions of porosities.

    Algorithms for Reconstructing Databases and Cryptographic Secret Keys in Entropic Settings

    A small amount of information leakage can undermine the security of a design that is otherwise considered secure. Many studies demonstrate how common leakages such as power consumption, electromagnetic emission, and the time required to perform certain operations can reveal information, such as the secret key of a cryptosystem. As a first contribution, in this work, we explore the possibility of cache attacks, a type of timing side-channel attack, in a new setting, namely, data processing. Later we show an improved attack on Learning Parity with Noise problems with a sparse secret. We propose two algorithms that are asymptotically faster than the state of the art. Finally, we show that the structure present in RLWE constructions, in contrast to LWE constructions, opens up new attacks. Constructions based on LWE can be proven secure as long as the secret retains enough entropy. We show, however, that constructions based on RLWE can be completely broken even if the secret key retains 3/4 of its entropy.

    Lightweight Side Channel Resistance: Threshold Implementations of Simon


    (In)Security of Ring-LWE Under Partial Key Exposure

    We initiate the study of partial key exposure in Ring-LWE (RLWE)-based cryptosystems. Specifically, we
    (1) Introduce the search and decision Leaky R-LWE assumptions (Leaky R-SLWE, Leaky R-DLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret.
    (2) Present and implement an efficient key exposure attack that, given a certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with samples from the RLWE distribution, recovers the full RLWE secret for standard parameter settings.
    (3) Present a search-to-decision reduction for Leaky R-LWE for certain types of key exposure.
    (4) Propose applications to the security analysis of RLWE-based cryptosystems under partial key exposure.