Why Cryptography Should Not Rely on Physical Attack Complexity

This book presents two practical physical attacks. It shows how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these attacks, and presents countermeasures on the software and the hardware level that can help to prevent them in the future. Though their theory has been known for several years now, since neither attack has yet been successfully implemented in practice, they have generally not been considered a serious threat. In short, their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, the book introduces the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its initial implementation, it has not been taken seriously. The work shows both simple and differential photonic side channel analyses. Then, it presents a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has not been taken seriously either. Based on these two attacks, the book demonstrates that the assessment of physical attack complexity is error-prone, and as such cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, whether they have already been successfully implemented or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is sufficiently understood

Quantum Indistinguishability for Public Key Encryption

In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qIND-qCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against code-based schemes and against LWE-based schemes with certain parameters. We also show that the canonical hybrid PKE-SKE encryption construction is qIND-qCPA-secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantum-resistant PKE schemes based on the applicability of our security notion. Our core idea follows the approach of Gagliardoni et al. by using so-called type-2 operators for encrypting the challenge message. At first glance, type-2 operators appear unnatural for PKE, as the canonical way of building them requires both the secret and the public key. However, we identify a class of PKE schemes - which we call recoverable - and show that for this class type-2 operators require merely the public key. Moreover, recoverable schemes allow to realise type-2 operators even if they suffer from decryption failures, which in general thwarts the reversibility mandated by type-2 operators. Our work reveals that many real-world quantum-resistant PKE schemes, including most NIST PQC candidates and the canonical hybrid construction, are indeed recoverable

Security of Public Key Encryption against Resetting Attacks

Ciphertext indistinguishability under chosen plaintext attacks is a standard security notion for public key encryption. It crucially relies on the usage of good randomness and is trivially unachievable if the randomness is known by the adversary. Yilek (CT-RSA\u2710) defined security against resetting attacks, where randomness might be reused but remains unknown to the adversary. Furthermore, Yilek claimed that security against adversaries making a single query to the challenge oracle implies security against adversaries making multiple queries to the challenge oracle. This is a typical simplification for indistinguishability security notions proven via a standard hybrid argument. The given proof, however, was pointed out to be flawed by Paterson, Schuldt, and Sibborn (PKC\u2714). Prior to this work, it has been unclear whether this simplification of the security notion also holds in case of resetting attacks. We remedy this state of affairs as follows. First, we show the strength of resetting attacks by showing that many public key encryption schemes are susceptible to these attacks. As our main contribution, we show that the simplification to adversaries making only one query to the challenge oracle also holds in the light of resetting attacks. More precisely, we show that the existing proof can not be fixed and give a different proof for the claim. Finally, we define real-or-random security against resetting attacks and prove it equivalent to the notion by Yilek which is of the form left-or-right

Application of Automorphic Forms to Lattice Problems

In this paper, we propose a new approach to the study of lattice problems used in cryptography. We specifically focus on module lattices of a fixed rank over some number field. An essential question is the hardness of certain computational problems on such module lattices, as the additional structure may allow exploitation. The fundamental insight is the fact that the collection of those lattices are quotients of algebraic manifolds by arithmetic subgroups. Functions on these spaces are studied in mathematics as part of number theory. In particular, those form a module over the Hecke algebra associated with the general linear group. We use results on these function spaces to define a class of distributions on the space of lattices. Using the Hecke algebra, we define Hecke operators associated with collections of prime ideals of the number field and show a criterion on distributions to converge to the uniform distribution, if the Hecke operators are applied to the chosen distribution. Our approach is motivated by the work of de Boer, Ducas, Pellet-Mary, and Wesolowski (CRYPTO\u2720) on self-reduction of ideal lattices via Arakelov divisors

On Quantum Ciphertext Indistinguishability, Recoverability, and OAEP

The qINDqCPA security notion for public-key encryption schemes by Gagliardoni et al. (PQCrypto\u2721) models security against adversaries which are able to obtain ciphertexts in superposition. Defining this security notion requires a special type of quantum operator. Known constructions differ in which keys are necessary to construct this operator, depending on properties of the encryption scheme. We argue—for the typical setting of securing communication between Alice and Bob—that in order to apply the notion, the quantum operator should be realizable for challengers knowing only the public key. This is already known to be the case for a wide range of public-key encryption schemes, in particular, those exhibiting the so-called recoverability property which allows to recover the message from a ciphertext using the randomness instead of the secret key. The open question is whether there are real-world public-key encryption schemes for which the notion is not applicable, considering the aforementioned observation on the keys known by the challenger. We answer this question in the affirmative by showing that applying the qINDqCPA security notion to the OAEP construction requires the challenger to know the secret key. We conclude that the qINDqCPA security notion might need to be refined to eventually yield a universally applicable PKE notion of quantum security with a quantum indistinguishability phase

Fault Attacks on UOV and Rainbow

Multivariate cryptography is one of the main candidates for creating post-quantum public key cryptosystems. Especially in the area of digital signatures, there exist many practical and secure multivariate schemes. The signature schemes UOV and Rainbow are two of the most promising and best studied multivariate schemes which have proven secure for more than a decade. However, so far the security of multivariate signature schemes towards physical attacks has not been appropriately assessed. Towards a better understanding of the physical security of multivariate signature schemes, this paper presents fault attacks against SingleField schemes, especially UOV and Rainbow. Our analysis shows that although promising attack vectors exist, multivariate signature schemes inherently offer a good protection against fault attacks

Avaliação dos programas de residência da Universidade Federal do Rio Grande do Sul na percepção dos residentes

Introduction: The multi-professional residencies in the Health area started to improve after the Law n° 11.129 of 2005. They are a modality of Latu-sensu graduate education, with the purpose of training professionals to work in the National Unified Health System (SUS). Objective: This study aimed to investigate the current situation, from a perspective of satisfaction with the training in Residency courses, with the residents of the Federal University of Rio Grande do Sul. Material and method: It is a study with a mixed-methods approach. The quantitative section was conducted through the application of a questionnaire to all residents participating in the UFRGS Residency Programs in 2018. The qualitative part was conducted using the focus group technique. Result: There were 81 participants in the quantitative component, and 14 residents of the Oral Health program participated in the focus groups. The quantitative results showed that residents received little or no guidance at the beginning of the program. The qualitative results showed questions that allow inferences about residents' dissatisfaction and lack of knowledge about the functioning of the Programs. Conclusion: Residents recognize that there are still issues with program administration to be improved, and more especially, the recognition of the importance of the Residency Programs within the University.Introdução: As residências multiprofissionais em área profissional da saúde ganharam espaço a partir da Lei n°11.129 de 2005. Constituem-se como uma modalidade de ensino de pós-graduação Latu-sensu, com a intenção de capacitar profissionais para trabalhar no Sistema Único de Saúde (SUS). Objetivo: Este estudo teve por objetivo investigar a atual situação, desde uma perspectiva de satisfação com a formação, com cursos de Residência, dos residentes da Universidade Federal do Rio Grande do Sul. Material e método: Constitui-se de um estudo com abordagem mista. O segmento quantitativo ocorreu através da aplicação de um questionário para todos os residentes participantes do Programa de Residência da UFRGS no ano de 2018. O estudo de abordagem qualitativa foi realizado através da técnica de grupos focais. Resultado: Totalizaram 81 participantes na abordagem quantitativa e nos grupos focais participaram 14 residentes, pertencentes ao programa de Saúde Bucal. Os resultados quantitativos representam que os residentes receberam pouca ou nenhuma orientação no início do programa. Os resultados qualitativos apresentam questões que permitem fazer inferências acerca da insatisfação e desconhecimento dos residentes acerca do funcionamento dos Programas. Conclusão: Destaca-se que os residentes reconhecem que há ainda questões de gestão do programa a serem aprimoradas, bem como de reconhecimento da sua importância dentro da Universidade

qTESLA: Practical Implementations of a Quantum Attack Resistant Signature Scheme

Due to the advent of quantum computers, the security of existing public-key cryptography is threatened since quantum computers are expected to be able to solve the underlying mathematical problems efficiently. Hence, quantum resistant alternatives are required. Consequently, about 70 post-quantum scheme candidates were submitted to the National Institute of Standards and Technology (NIST) standardization effort. One candidate is the qTESLA signature scheme. We present an efficient shared-memory parallelization of qTESLA’s core routines, analyze the speedup in-depth and show that it can compete with the two most commonly used signature schemes RSA and ECDSA which are quantum-vulnerable. The speed is further increased by semi-automatic tuning of qTESLA’s configuration parameters based on results of multi-parameter performance models. We show how to considerably increase qTESLA’s usability through the Java Native Interface (JNI) without performance penalty. The analysis on x86 and ARM architecture employing three operating systems demonstrates the achieved portability. The enhanced performance, its straight forward usability and the high portability of our implementation make it a quantum-safe replacement for the state-of-the-art schemes

Committing Authenticated Encryption: Sponges vs. Block-Ciphers in the case of the NIST LWC Finalists

Committing security has gained considerable attention in the field of authenticated encryption (AE). This can be traced back to a line of recent attacks, which suggests that AE schemes used in practice should not only provide confidentiality and authenticity, but also committing security. Roughly speaking, a committing AE scheme guarantees that ciphertexts will decrypt only for one key. Despite the recent research effort in this area, the finalists of the NIST lightweight cryptography standardization process have not been put under consideration yet. We close this gap by providing an analysis of these schemes with respect to their committing security. Despite the structural similarities the finalists exhibit, our results are of a quite heterogeneous nature: We break four of the schemes with effectively no costs, while for two schemes our attacks are costlier, yet still efficient. For the remaining three schemes ISAP, Ascon, and (a slightly modified version of) Schwaemm, we give formal security proofs. Our analysis reveals that sponges—due to their large states—are more favorable for committing security compared to block-ciphers