Introduction to Software Countermeasures For Embedded Cryptography


1 Introduction to Software Countermeasures For Embedded Cryptography. David Vigilant, UMPC Master, 1st December 2017

2 Outline
  1 Context and Motivations
  2 Basic Rules and Countermeasures Examples
      Regarding Timing Attacks
      Regarding SPA-SEMA
      Regarding Statistical Side-Channel Attacks
      Regarding Fault Attacks
  3 Application Examples for some Cryptographic Algorithms
      Application examples for RSA-CRT
      Application examples for AES
  Conclusion


4 Resistance of Embedded Implementations
Given a key size, the cryptographic algorithm has an inherent theoretical resistance to cryptanalysis.
But one implementation on one machine has its own resistance regarding implementation attacks.

5 Attacks on Embedded Implementations
Different techniques may be used to infer sensitive data of a cryptographic implementation:
  Timing Attacks (TA)
  Simple Side-Channel Attacks (SSCA)
  Statistical Side-Channel Attacks (DSCA)
  Fault Attacks (FA)
⇒ The attack set-up may be easier to put in place on an embedded implementation, since the attacker has the device in hand

6 Attacks on Embedded Implementations
Timing Attacks (TA): measure the crypto process timing for several input values
⇒ From the exploitation of the timing, sensitive data may be inferred

7 Attacks on Embedded Implementations
Simple Side-Channel Attacks (SSCA):
  Simple Power Analysis (SPA): measure the power consumption of the device
  Simple ElectroMagnetic Analysis (SEMA): measure the electromagnetic field emanating from the device
⇒ From the exploitation of the trace of one execution, sensitive data may be inferred

8 Attacks on Embedded Implementations
Statistical Side-Channel Attacks (DSCA):
  Differential Power Analysis (DPA/DEMA)
  Correlation Power Analysis (CPA/CEMA)
  Linear Regression Analysis (LRA)
  Template Analysis (TPA) / Deep Learning Attacks (DLA)
⇒ From traces of several executions, statistics may be exploited to deduce information about sensitive data

9 Attacks on Embedded Implementations
Fault Attacks (FA): disturb the computation (program flow or data) in different ways:
  Temperature
  Voltage/Clock glitch
  EM injection
  Laser ...
⇒ From the exploitation of faulty (and correct) results or behaviours, sensitive data may be inferred

10 Hardware Limitations
It seems difficult to implement all protections in hardware (HW):
  Surface limitation: ⇒ implementing even insecure crypto algorithms entirely in HW can be too costly
  HW imperfection (increased under extreme conditions): ⇒ the combination of HW and software (SW) countermeasures (CMs) may give more confidence
Remark: a lot of very efficient HW countermeasures exist; they are not discussed here

11 Embedded Crypto - Hardware Architecture
Example of architecture in embedded devices:
⇒ A coprocessor may implement arithmetic operations (e.g. modular multiplication)
⇒ A coprocessor may implement block ciphers with some CMs

12 Embedded Crypto - Hardware Architecture
Embedded devices typically have limited resources:
  CPU: 8-, 16- or 32-bit instructions
  Frequency: several dozen megahertz
  RAM: 1 or 2 Kbytes at most for the crypto implementation
  NVM reserved for constants and program: several dozen Kbytes
⇒ The overhead added by a countermeasure must be monitored carefully

13 Certification and Resistance Assessment
In the context of the certification (Common Criteria, EMVCo, ...) of a product:
  Source code may be audited to detect weaknesses
  Implementation attacks may be tested in practice by mandated labs
  Vulnerabilities may lead to the failure of the certification

14 Countermeasures and Intellectual Property
Innovative countermeasures may be patented:
  It may protect from counterfeiting
  Its usage may be licensed

15 Out of Scope
Definition: White Box Crypto (WBC) is the name for embedded crypto running in an environment totally controlled by the attacker. In particular, the attacker has access to and control of:
  Every processor register (including the Program Counter)
  Every memory cell
  Code execution (i.e. complete debugging capability)
⇒ WBC implementations need dedicated countermeasures
⇒ WBC countermeasures are out of the scope of this presentation


17 Avoid Vulnerabilities regarding TA
Rule: avoid any timing difference linked to input data and/or internal sensitive data that could lead to the secret recovery
Countermeasure Balanced Branches: balance sensitive "if ... then ..." branches by injecting events
Countermeasure No Branch: eliminate branches and design programs with constant timing

18 Avoid Vulnerabilities regarding TA
Example:
  A user must be authenticated by entering an 8-byte key
  The program grants access to the user only if the key value is the expected one
  The program runs on an 8-bit CPU
Remark: the expected security strength is $2^{64}$

19 Avoid Vulnerabilities regarding TA
Example (continued):
  Entered key:  x0 x1 x2 x3 x4 x5 x6 x7
  Expected key: k0 k1 k2 k3 k4 k5 k6 k7
Naive program:
  if x0 = k0 then
   if x1 = k1 then
    if x2 = k2 then
     if x3 = k3 then
      if x4 = k4 then
       if x5 = k5 then
        if x6 = k6 then
         if x7 = k7 then "user granted"
  else "failure"
Each byte is compared one by one by the program


21 Avoid Vulnerabilities regarding TA
Example (continued), with the same entered key x0 ... x7, expected key k0 ... k7 and naive program as above:
  The attacker tries the $2^8$ possible values for the $i$-th byte, $i$ starting from 0
  The attacker measures the process timing

23 Avoid Vulnerabilities regarding TA
Example (continued):
  If the guess is incorrect, the program ends after the comparison ⇒ shorter timing

24 Avoid Vulnerabilities regarding TA
Example (continued):
  If the guess is correct, the program executes the next comparison ⇒ longer timing

25 Avoid Vulnerabilities regarding TA
Example (continued):
⇒ The security strength can be decreased to $8 \times 2^8 = 2^{11}$!!

26 Avoid Vulnerabilities regarding TA
Countermeasure Balanced Branches: balance sensitive "if ... then ..." branches by injecting events
  Equal = 0, Difference = 1, Status = Equal
  for (i from 0 to 7) do {
    if x_i = k_i then Status = Status OR Equal
    else Status = Status OR Difference
  }
  if Status = Equal then "user granted" else "failure"
(Status is accumulated so that a later matching byte cannot clear an earlier difference; both branches perform the same operation)
(Timing balance to be verified practically)

27 Avoid Vulnerabilities regarding TA
Countermeasure No Branch: eliminate branches and design programs with constant timing
  Status = 0
  for (i from 0 to 7) do Status = Status OR (x_i XOR k_i)
  if Status = 0 then "user granted" else "failure"
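The naive early-exit comparison and the "No Branch" version side by side, as an added C example that is not part of the slides. An operation counter stands in for the measured timing: for the naive routine it grows with the length of the correctly guessed prefix, for the constant-time routine it is always 8. SAMPLE_KEY and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KEY_LEN 8

/* Constructed sample key for the demonstration (not a real secret). */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {0x4A, 0x1F, 0xC3, 0x07, 0x9E, 0x55, 0xB2, 0x60};

/* Naive program of the slides: the bytes are compared one by one and the
 * routine leaves at the first mismatch. *ops receives the number of byte
 * comparisons executed (1 + length of the matching prefix); it stands in
 * for the timing an attacker measures. Returns 1 for "user granted". */
int naive_compare(const uint8_t *x, const uint8_t *k, unsigned *ops)
{
    *ops = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        (*ops)++;
        if (x[i] != k[i])
            return 0;              /* early exit: shorter timing on a wrong guess */
    }
    return 1;
}

/* "No Branch" countermeasure: Status = Status OR (x_i XOR k_i) over all
 * bytes, so the number of operations depends neither on the input nor on
 * the key. */
int constant_time_compare(const uint8_t *x, const uint8_t *k, unsigned *ops)
{
    uint8_t status = 0;
    *ops = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        (*ops)++;
        status |= (uint8_t)(x[i] ^ k[i]);
    }
    /* Map status == 0 to 1 and anything else to 0 without a data-dependent
     * branch: (status - 1) wraps to 0xFFFFFFFF only when status is 0. */
    return (int)(((uint32_t)status - 1u) >> 31);
}

/* Build a guess whose first `prefix` bytes equal SAMPLE_KEY and whose
 * remaining bytes are all wrong, then run the selected comparison on it. */
static unsigned run_guess(int constant_time, unsigned prefix, int *granted)
{
    uint8_t guess[KEY_LEN];
    unsigned ops;
    for (size_t i = 0; i < KEY_LEN; i++)
        guess[i] = (i < prefix) ? SAMPLE_KEY[i] : (uint8_t)(SAMPLE_KEY[i] ^ 0xFF);
    *granted = constant_time ? constant_time_compare(guess, SAMPLE_KEY, &ops)
                             : naive_compare(guess, SAMPLE_KEY, &ops);
    return ops;
}

/* Observable "timing" (operation count) for a guess with a given correct prefix. */
unsigned timing_for_prefix(int constant_time, unsigned prefix)
{
    int granted;
    return run_guess(constant_time, prefix, &granted);
}

/* Access decision for the same guess. */
int granted_for_prefix(int constant_time, unsigned prefix)
{
    int granted;
    run_guess(constant_time, prefix, &granted);
    return granted;
}

int main(void)
{
    for (unsigned prefix = 0; prefix <= KEY_LEN; prefix++)
        printf("correct prefix %u: naive ops = %u, constant-time ops = %u\n",
               prefix, timing_for_prefix(0, prefix), timing_for_prefix(1, prefix));
    return 0;
}
```

The counter is a model: as the slides say, the balance must still be verified on the target, since a compiler may reintroduce a data-dependent branch when optimizing the final status test.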

28 Avoid Vulnerabilities regarding SPA-SEMA
Rule: avoid any flow difference (leading to a difference in the trace) linked to input data and/or internal sensitive data that could lead to the secret recovery
Countermeasure Balanced Branches: introduce or modify events to remove differences in the flow
Countermeasure No Branch: eliminate branches and design programs with constant flow

29 Avoid Vulnerabilities regarding SPA-SEMA
Example: implementation of a binary exponentiation algorithm
Compute $S = m^d \bmod N$, $d = (d_0, d_1, \dots, d_{L-1})_2$
Naive Binary Algorithm:
  A = 1
  for (i from 0 to L-1) do {
    A = A * A mod N
    if d_i = 1 then A = A * m mod N
  }
  return(A)

30 Avoid Vulnerabilities regarding SPA-SEMA
Example: implementation of a binary exponentiation algorithm
Compute $S = m^d \bmod N$, $d = (d_0, d_1, \dots, d_{L-1})_2$
Naive Binary Algorithm Trace: (trace figure not reproduced in the transcription)


32 Avoid Vulnerabilities regarding SPA-SEMA
Example (continued):
Countermeasure Balanced Branches: introduce events to remove differences in the flow
Square and Multiply Always Algorithm:
  A = 1
  for (i from 0 to L-1) do {
    A = A * A mod N
    if d_i = 1 then A = A * m mod N
    else B = A * m mod N      (dummy multiplication)
  }
  return(A)
+33% process timing compared to the naive method
(Flow balance to be verified practically)

33 Avoid Vulnerabilities regarding SPA-SEMA
Example (continued):
Countermeasure No Branch: design programs with constant flow
Montgomery Ladder Algorithm:
  A_0 = 1, A_1 = m
  for (i from 0 to L-1) do {
    A_{1-d_i} = A_{1-d_i} * A_{d_i} mod N
    A_{d_i} = A_{d_i}^2 mod N
  }
  return(A_0)
+33% process timing compared to the naive method
(Flow balance to be verified practically)

34 Avoid Vulnerabilities regarding DSCA
Rule: given the power of an attacker, detect and remove the appearance of all intermediate sensitive values that could lead to the secret recovery

35 Avoid Vulnerabilities regarding DSCA
Example:
  The attacker is able to exploit a Hamming weight leakage by CPA
  The attacker can choose the value of a byte X
  In the algorithm, X should be XORed with a sensitive byte Y
  1 The attacker acquires power traces for different input values
  2 The attacker localizes the targeted XOR and synchronizes the curves on this operation
  3 For each of the $2^8$ guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the samples of the acquired power traces
  4 The attacker can reduce the space of possible values for Y if the correct guess gives one of the best scores

36 Avoid Vulnerabilities regarding DSCA
Countermeasure Secret Sharing:
  If the attacker has the power to realize a DSCA of order $n - 1$
  If a sensitive value $X$ is targeted
  The sensitive value $X$ can be split into $n$ random shares $X_0, X_1, \dots, X_{n-1}$

37 Avoid Vulnerabilities regarding DSCA
Countermeasure Secret Sharing (continued):
Example: additive sharing $X = X_1 + X_2$, where $X_1$ and $X_2$ are random values
  Only $X_1$ and $X_2$ are manipulated in the implementation

38 Avoid Vulnerabilities regarding DSCA
Countermeasure Secret Sharing (continued):
Example: Boolean sharing $X = X_1 \oplus X_2 \oplus X_3$, where $X_1$, $X_2$ and $X_3$ are random values
  Only $X_1$, $X_2$ and $X_3$ are manipulated in the implementation

39 Avoid Vulnerabilities regarding DSCA
Example:
  The attacker is able to exploit a Hamming weight leakage by CPA
  The attacker can choose the value of a byte X
  In the algorithm, X should be XORed with a sensitive byte Y
Program using the secret sharing countermeasure:
  Generate a random byte Z_0
  Z_1 = Y XOR Z_0
  Z_1 = Z_1 XOR X
  store Z_0 in RAM
  store Z_1 in RAM
  ...
⇒ the sensitive value Z (= X XOR Y) is shared among Z_0 and Z_1

40 Avoid Vulnerabilities regarding DSCA
Example:
  The attacker is able to exploit a Hamming distance (HD) leakage by CPA
  The attacker can choose the value of a byte X
  In the algorithm, X should be XORed with a sensitive byte Y
Program using the secret sharing countermeasure:
  Generate a random byte Z_0
  Z_1 = Y XOR Z_0
  Z_1 = Z_1 XOR X
  store Z_0 in RAM
  store Z_1 in RAM
Z_0 and Z_1 transit on the bus successively: the bus would pass from Z_0 to Z_1, and HD(Z_0, Z_1) = HW(Z_0 XOR Z_1) = HW(Z) ...

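The Boolean-masked XOR of the two previous slides in C, as an added example that is not from the slides. masked_xor performs Z0 random, Z1 = Y XOR Z0, Z1 = Z1 XOR X, and leakage_stats averages, over many fresh masks, the Hamming weight of the share Z1 as it is written to RAM and the Hamming distance between the two shares when they follow each other on the bus. The xorshift PRNG and the sample bytes are constructed stand-ins for a device RNG and real data.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed deterministic PRNG (xorshift32) standing in for the device's
 * random generator; a real implementation draws the mask from the hardware RNG. */
static uint32_t rng_state = 0x2545F491u;
static uint8_t random_byte(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return (uint8_t)(rng_state >> 24);
}

/* Hamming weight of a byte: the leakage model used by the CPA of the slides. */
unsigned hamming_weight(uint8_t v)
{
    unsigned w = 0;
    for (; v; v >>= 1)
        w += v & 1u;
    return w;
}

typedef struct { uint8_t z0, z1; } shares_t;

/* Masked XOR of the public byte x with the sensitive byte y, as on the slides:
 * Z0 random, Z1 = Y ^ Z0, Z1 = Z1 ^ X. The value Z = X ^ Y is never computed,
 * it only exists as Z0 ^ Z1. */
shares_t masked_xor(uint8_t x, uint8_t y)
{
    shares_t s;
    s.z0 = random_byte();
    s.z1 = (uint8_t)(y ^ s.z0);
    s.z1 = (uint8_t)(s.z1 ^ x);
    return s;
}

/* Recombination, done here only to check correctness; a protected
 * implementation keeps the shares separate. */
uint8_t unmask(shares_t s)
{
    return (uint8_t)(s.z0 ^ s.z1);
}

typedef struct {
    double mean_hw_z1;   /* average HW of the share Z1 written to RAM */
    double mean_hd_bus;  /* average HD between Z0 and Z1 on consecutive bus transfers */
} leakage_t;

/* Leakage-model experiment for a fixed (x, y) over `trials` fresh masks. */
leakage_t leakage_stats(uint8_t x, uint8_t y, unsigned trials)
{
    leakage_t r = {0.0, 0.0};
    for (unsigned i = 0; i < trials; i++) {
        shares_t s = masked_xor(x, y);
        r.mean_hw_z1 += hamming_weight(s.z1);
        /* bus goes from Z0 to Z1: HD(Z0, Z1) = HW(Z0 ^ Z1) = HW(Z) */
        r.mean_hd_bus += hamming_weight((uint8_t)(s.z0 ^ s.z1));
    }
    r.mean_hw_z1 /= trials;
    r.mean_hd_bus /= trials;
    return r;
}

int main(void)
{
    const uint8_t x = 0x3C;                /* constructed public byte */
    const uint8_t ys[2] = {0xA5, 0x3C};    /* two constructed sensitive bytes */
    for (int i = 0; i < 2; i++) {
        leakage_t l = leakage_stats(x, ys[i], 10000);
        printf("Y = 0x%02X: mean HW(Z1) = %.2f (independent of Y), "
               "mean HD(Z0 -> Z1) = %.2f (= HW(X ^ Y))\n",
               ys[i], l.mean_hw_z1, l.mean_hd_bus);
    }
    return 0;
}
```

The mean HW of Z1 stays near 4 whatever Y is, while the bus HD equals HW(X XOR Y) on every single run: the shares individually leak nothing in the HW model, but their succession on the bus does.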

42 Avoid Vulnerabilities regarding DSCA
Countermeasure Blinding - Randomization (mathematical context): randomize a variable $X$ into a random data $X'$ such that good mathematical properties are kept (the result can be recovered) and the targeted value does not appear.

43 Avoid Vulnerabilities regarding DSCA
Example: group exponentiation in $((\mathbb{Z}/N\mathbb{Z})^*, \times)$, $S = m^d \bmod N$, $d$ is sensitive
  The attacker is able to choose values for $m$
  The attacker is able to exploit a Hamming weight model leakage on successive powers of $m \bmod N$
  The attacker performs a DPA for each bit of $d$, building 2 sets depending on the Hamming weight (high or small) of some bytes of the targeted intermediate powers of $m$
Program using the Blinding countermeasure:
  Generate R a random number
  N' = N * R
  S' = m^d mod N'
  S = S' mod N
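An added C example, not code from the slides, covering the three exponentiation algorithms of the SPA-SEMA slides (naive, square-and-multiply-always, Montgomery ladder) and the modulus blinding above. Each routine records one letter per modular operation ('S' squaring, 'M' multiplication) standing for what an observer who can tell the two operations apart would see, and exp_blinded computes m^d mod (N * R) before reducing mod N. Moduli are toy values below 2^32, and the 64-bit mulmod, the trace buffer and the function names are constructions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All moduli stay below 2^32 so that a product fits in a uint64_t. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n)
{
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Every routine appends one letter per modular operation to g_trace:
 * 'S' for a squaring, 'M' for a multiplication by m (real or dummy). */
static char g_trace[256];
static size_t g_len;
static void trace_reset(void) { g_len = 0; g_trace[0] = '\0'; }
static void rec(char op)
{
    if (g_len + 1 < sizeof g_trace) g_trace[g_len++] = op;
    g_trace[g_len] = '\0';
}
const char *last_trace(void) { return g_trace; }

/* Bit d_i of the L-bit exponent, d_0 being the most significant bit. */
static uint32_t bit(uint32_t d, unsigned L, unsigned i)
{
    return (d >> (L - 1 - i)) & 1u;
}

/* Naive binary algorithm: the multiplication only happens for d_i = 1,
 * so the S/M pattern of the trace spells out the exponent. */
uint32_t exp_naive(uint32_t m, uint32_t d, unsigned L, uint32_t n)
{
    uint32_t a = 1;
    trace_reset();
    for (unsigned i = 0; i < L; i++) {
        a = mulmod(a, a, n); rec('S');
        if (bit(d, L, i)) { a = mulmod(a, m, n); rec('M'); }
    }
    return a;
}

/* Square and multiply always: a dummy multiplication into b balances the
 * branch, so every bit shows the same "SM" pattern. */
uint32_t exp_always(uint32_t m, uint32_t d, unsigned L, uint32_t n)
{
    uint32_t a = 1, b = 1;
    trace_reset();
    for (unsigned i = 0; i < L; i++) {
        a = mulmod(a, a, n); rec('S');
        if (bit(d, L, i)) a = mulmod(a, m, n);
        else              b = mulmod(a, m, n);   /* dummy multiplication */
        rec('M');
    }
    (void)b;
    return a;
}

/* Montgomery ladder: no branch at all, the bit only selects which register
 * is multiplied and which is squared:
 *   A_{1-d_i} = A_{1-d_i} * A_{d_i} mod N ;  A_{d_i} = A_{d_i}^2 mod N */
uint32_t exp_ladder(uint32_t m, uint32_t d, unsigned L, uint32_t n)
{
    uint32_t r[2] = {1, m};
    trace_reset();
    for (unsigned i = 0; i < L; i++) {
        uint32_t di = bit(d, L, i);
        r[1 - di] = mulmod(r[1 - di], r[di], n); rec('M');
        r[di]     = mulmod(r[di], r[di], n);     rec('S');
    }
    return r[0];
}

/* Blinding: exponentiate modulo N' = N * R and reduce at the end, so the
 * intermediate powers a DPA would target are randomized by R. */
uint32_t exp_blinded(uint32_t m, uint32_t d, unsigned L, uint32_t n, uint32_t r)
{
    uint32_t n_blind = n * r;                    /* assumes n * r < 2^32 */
    uint32_t s_blind = exp_ladder(m, d, L, n_blind);
    return s_blind % n;
}

int main(void)
{
    /* constructed toy values: 4^13 mod 497 = 445, d = 13 = (1101)_2, L = 4 */
    printf("naive   : %u  trace %s\n", exp_naive(4, 13, 4, 497), last_trace());
    printf("always  : %u  trace %s\n", exp_always(4, 13, 4, 497), last_trace());
    printf("ladder  : %u  trace %s\n", exp_ladder(4, 13, 4, 497), last_trace());
    printf("blinded : %u  (R = 5)\n", exp_blinded(4, 13, 4, 497, 5));
    return 0;
}
```

The naive trace "SMSMSSM" reads directly as the bits 1101, whereas the two protected variants produce a pattern with one 'S' and one 'M' per bit, which is also why both cost about a third more than the naive method.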

44 Avoid Vulnerabilities regarding DSCA
Example: we define a group $G$ as follows:
  $E$: $\{(x, y) \in (\mathbb{F}_p \times \mathbb{F}_p) \mid y^2 = x^3 + ax + b \bmod p\}$ with $p$ prime and $4a^3 + 27b^2 \bmod p \neq 0$
  We define an addition law over $E$: $P + Q = R$
    if $P \neq Q$, $R'$ is the intersection of the line passing through $P$ and $Q$ with $E$; $R$ is the opposite of $R'$ with respect to the $x$ axis
    if $P = Q$, $R'$ is the intersection of the tangent to $E$ at $P$ with $E$; $R$ is the opposite of $R'$ with respect to the $x$ axis
  We define $\infty$ such that $P + \infty = P$, $\forall P \in E$. If the line passing through $P$ and $Q$ has no other intersection with $E$, then $P + Q = \infty$ (or $P + P = \infty$)
  $G \subset E$, $G = \langle g \rangle$, s.t. $n.g = \infty$, $n$ a large prime
These groups are commonly used in cryptography

45 Avoid Vulnerabilities regarding DSCA
Example (continued): we consider the point multiplication $S = d.M$, $d$ is a sensitive value, $M \in G$, $d \in \mathbb{N}$
  The attacker is able to choose values for the point $M$
  The attacker is able to exploit a Hamming weight model leakage of the $x$-coordinate of successive multiples of $M$
  The attacker performs a DPA for each bit of $d$, building 2 sets depending on the Hamming weight (high or small) of some bytes of the $x$-coordinate of the targeted intermediate multiples of $M$
Program using the Blinding countermeasure:
  Generate r a random number
  d' = d + (n * r)
  S = d'.M

46 Avoid Vulnerabilities regarding DSCA
Coming back to the previous example:
  1 The attacker acquires power traces for different input values
  2 The attacker localizes the targeted XOR operation and synchronizes the curves on this operation
  3 For each of the $2^8$ guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the acquired power traces
  4 The attacker can reduce the space of possible values for Y if the correct guess gives one of the best scores
⇒ One critical step for the attacker is the timing localization of a specific sensitive operation, and its synchronization over multiple traces

47 Avoid Vulnerabilities regarding DSCA
Rule: remove the possibility for an attacker to find "easily" a sensitive manipulation. Remove also the possibility to synchronize "easily" this manipulation over multiple traces

48 Avoid Vulnerabilities regarding DSCA
Countermeasure Desynchronization: introduce dummy events of random duration before and/or after the targeted manipulation.
Example: program using the desynchronization (sensitive XOR X XOR Y):
  Generate a random R
  i = 0
  while ((++i) != R) dummy operation
  Z = X XOR Y
  ...

49 Avoid Vulnerabilities regarding DSCA
Countermeasure Order Randomization of Operations: perform operations in an unpredictable order, different each time, to avoid an easy synchronization on sensitive events
Example: program using the Order Randomization of Operations (sensitive XORs X_i XOR Y_i, i = 0 ... 7):
  for i from 0 to 7 in random order
    Z_i = X_i XOR Y_i
⇒ Harder for the attacker to locate the XOR for a specific index
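The two desynchronization countermeasures above in C, as an added example that is not part of the slides: random_delay runs a random number of dummy iterations before the sensitive XORs, and random_order draws a fresh Fisher-Yates permutation of the eight indices that shuffled_xor then follows. The xorshift PRNG and the X/Y sample bytes are constructed stand-ins for a device RNG and real data.

```c
#include <stdint.h>
#include <stdio.h>

#define N_OPS 8

/* Constructed deterministic PRNG (xorshift32) standing in for the device RNG. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t random_u32(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Desynchronization: a random number of dummy iterations before the sensitive
 * operation. `volatile` keeps the compiler from removing the loop. Returns the
 * number of dummy operations executed (0 .. max_delay - 1). */
unsigned random_delay(uint32_t max_delay)
{
    volatile uint32_t dummy = 0;
    uint32_t r = 1 + random_u32() % max_delay;   /* R in [1, max_delay] */
    uint32_t i = 0;
    while (++i != r)
        dummy++;                                  /* dummy operation */
    return (unsigned)dummy;
}

/* Order randomization: Fisher-Yates shuffle of the indices 0..7, drawn fresh
 * for each execution. */
void random_order(uint8_t order[N_OPS])
{
    for (uint8_t i = 0; i < N_OPS; i++)
        order[i] = i;
    for (uint8_t i = N_OPS - 1; i > 0; i--) {
        uint8_t j = (uint8_t)(random_u32() % (i + 1u));
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* The eight sensitive XORs Z_i = X_i ^ Y_i, preceded by a random delay and
 * executed in random order. order_out reports the order used (demo only). */
void shuffled_xor(const uint8_t x[N_OPS], const uint8_t y[N_OPS],
                  uint8_t z[N_OPS], uint8_t order_out[N_OPS])
{
    random_delay(64);
    random_order(order_out);
    for (unsigned k = 0; k < N_OPS; k++) {
        uint8_t i = order_out[k];
        z[i] = (uint8_t)(x[i] ^ y[i]);
    }
}

/* The order must be a permutation of 0..7 (each index exactly once). */
int is_permutation(const uint8_t order[N_OPS])
{
    unsigned seen = 0;
    for (unsigned k = 0; k < N_OPS; k++)
        seen |= 1u << order[k];
    return seen == (1u << N_OPS) - 1u;
}

/* Functional check over many runs: the result never depends on the order. */
int shuffled_xor_is_correct(void)
{
    const uint8_t x[N_OPS] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}; /* constructed */
    const uint8_t y[N_OPS] = {0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87}; /* constructed */
    uint8_t z[N_OPS], order[N_OPS];
    for (int run = 0; run < 100; run++) {
        shuffled_xor(x, y, z, order);
        if (!is_permutation(order))
            return 0;
        for (unsigned i = 0; i < N_OPS; i++)
            if (z[i] != (uint8_t)(x[i] ^ y[i]))
                return 0;
    }
    return 1;
}

int main(void)
{
    uint8_t order[N_OPS];
    for (int run = 0; run < 3; run++) {
        random_order(order);
        printf("run %d: delay %2u dummy ops, XOR order", run, random_delay(64));
        for (unsigned k = 0; k < N_OPS; k++)
            printf(" %u", order[k]);
        printf("\n");
    }
    printf("results consistent over 100 shuffled runs: %d\n", shuffled_xor_is_correct());
    return 0;
}
```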

50 Avoid Vulnerabilities regarding FA-DFA
Example: program disturbance
Program for a PIN verification:
  if ENTERED_PIN = STORED_PIN then GrantAccess()
  else Mute()

51 Avoid Vulnerabilities regarding FA-DFA
Example: program disturbance
Normal behaviour: the user enters a wrong PIN, the comparison fails and Mute() is executed
Program for a PIN verification:
  if ENTERED_PIN = STORED_PIN then GrantAccess()
  else Mute()

52 Avoid Vulnerabilities regarding FA-DFA
Example: program disturbance
Faulty behaviour: the user enters a wrong PIN and the program is disturbed
Program for a PIN verification:
  if ENTERED_PIN = STORED_PIN then      ← fault injected
    GrantAccess()
  else Mute()

53 Avoid Vulnerabilities regarding FA-DFA
Rule: remove the possibility for an attacker to find "easily" the key timing in the program for an exploitable fault injection
⇒ See the previous countermeasures

54 Avoid Vulnerabilities regarding FA-DFA
Rule: beware when fake operations are executed or not depending on the secret value

55 Avoid Vulnerabilities regarding FA-DFA
Example: Square and Multiply Always Algorithm:
  A = 1
  for (i from 0 to L-1) do {
    A = A * A mod N
    if d_i = 1 then A = A * m mod N
    else B = A * m mod N
  }
  return(A)

56 Avoid Vulnerabilities regarding FA-DFA
Example (continued): fault injected in the real multiplication A = A * m mod N (branch d_i = 1)
If the attacker introduces a fault in a real multiplication, the result is faulty

57 Avoid Vulnerabilities regarding FA-DFA
Example (continued): fault injected in the fake multiplication B = A * m mod N (branch d_i = 0)
If the attacker introduces a fault in a fake multiplication, the result is safe

58 Avoid Vulnerabilities regarding FA-DFA
Rule: put error detectors in the code to guarantee the correct execution of the program

59 Avoid Vulnerabilities regarding DSCA
Countermeasure Consistency check: use verifications of consistency; check that the program executes and ends as expected
Example: program using a consistency check (inverse operation):
  C = AES128_encrypt(P, K)
  X = AES128_decrypt(C, K)
  if X ≠ P then "Fault Detected"
There are many ways of checking consistency


61 RSA-CRT system
RSA-CRT parameters:
  $(N, e)$: public key
  $(p, q, d_p, d_q, i_q)$: private key
such that
  $N = p \cdot q$ ($p$, $q$ large primes)
  $\gcd(p - 1, e) = 1$
  $\gcd(q - 1, e) = 1$
  $d_p = e^{-1} \bmod (p - 1)$
  $d_q = e^{-1} \bmod (q - 1)$
  $i_q = q^{-1} \bmod p$

62 Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  return S


64 Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p                ← vulnerability to TA
  S_p = m_p^(d_p) mod p
  m_q = m mod q                ← vulnerability to TA
  S_q = m_q^(d_q) mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  return S
An attacker could proceed by dichotomy to find min(p, q):
⇒ If m < min(p, q), no modular reduction
⇒ If m ≥ min(p, q), modular reduction

65 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ vulnerability corrected)
Input: m, p, q, d_p, d_q, i_q, N
  m = m + N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  return S
⇒ Whatever m, a modular reduction takes place

66 Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  (i_q * (S_p - S_q) mod p) is computed as an intermediate value
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  RETURN(S)

67 Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  (i_q * (S_p - S_q) mod p) is computed as an intermediate value
  S = S_q + q * (i_q * (S_p - S_q) mod p)      ← let us consider the sensitivity of this recombination to DSCA
  RETURN(S)

68 Application examples for RSA-CRT
DSCA on the recombination in RSA-CRT
  1 The attacker makes several acquisitions and collects the signature results
  2 The attacker tries to discover $q$ byte per byte from MSB to LSB (most to least significant)
  3 The attacker makes a hypothesis for the $i$-th byte: $b = 2^8 \cdot b + \text{hypothesis}(q_i)$ (starting from $b = 0$)
  4 The attacker computes $\omega = S / b$
  5 The attacker tries to correlate $\omega$ with the intermediate value $(i_q \cdot (S_p - S_q) \bmod p)$ when it is manipulated in the recombination
  6 If the guess for the byte is correct, the $\omega$ values are highly correlated with that intermediate value

69 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ vulnerability corrected)
Input: m, p, q, d_p, d_q, i_q, N, e
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  i_p = p^(-1) mod q
  S = (p * i_p * S_q + q * i_q * S_p) mod N
  RETURN(S)
⇒ Remove the appearance of the intermediate value (i_q * (S_p - S_q) mod p) by using Gauss's formula for the recombination


71 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (with FA effect)
Input: $m \in \mathbb{Z}_N$, p, q, d_p, d_q, i_q
  m_p = m mod p
  S_p = m_p^(d_p) mod p        ← fault injection
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  return S
⇒ Vulnerability to FA: $\gcd(\tilde{S} - S \bmod N, N) = q$, with $\tilde{S}$ the faulty signature and $S$ the correct one

72 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (with FA effect)
Why $\gcd(\tilde{S} - S \bmod N, N) = q$??
  $\tilde{S}$ is s.t. $\tilde{S} \equiv S \pmod q$ and $\tilde{S} \not\equiv S \pmod p$
  ⇒ $\tilde{S} - S \bmod N$ is s.t. $\tilde{S} - S \bmod N \equiv 0 \pmod q$ and $\tilde{S} - S \bmod N \not\equiv 0 \pmod p$
  ⇒ $\tilde{S} - S \bmod N$ is a multiple of $q$

73 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ vulnerability corrected)
Input: m, p, q, d_p, d_q, i_q, N, e
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  if (S^e mod N = m) RETURN(S) else "Fault Detected"
Use a consistency check with the inverse operation

74 Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ Shamir CM against FA), e not available
Input: m, p, q, d_p, d_q, i_q, N
  select t a small random
  compute d s.t. d mod (p - 1) = d_p and d mod (q - 1) = d_q
  m_p = m mod pt
  S_pt = m_p^d mod pt
  m_q = m mod qt
  S_qt = m_q^d mod qt
  S_p = S_pt mod p, S_q = S_qt mod q
  S = S_q + q * (i_q * (S_p - S_q) mod p)
  if (S_pt mod t = S_qt mod t) RETURN(S) else "Fault Detected"
Use a consistency check with modulus extension
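The RSA-CRT variants of this section in C, as an added example that is not code from the slides: sign_naive with an optional fault in S_p, faulty_difference_gcd illustrating why gcd(S~ - S, N) = q, then sign_protected (m + N, Gauss recombination, S^e mod N = m check) and sign_shamir (modulus extension by a small t). The key is the constructed textbook example p = 61, q = 53, e = 17, d = 2753 (signing m = 2790 gives S = 65), and the 64-bit arithmetic helpers and function names are constructions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sizes: every value stays below 2^32, so products fit in a uint64_t. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

static uint64_t powmod(uint64_t base, uint64_t e, uint64_t n)
{
    uint64_t r = 1 % n;
    base %= n;
    while (e) {
        if (e & 1) r = mulmod(r, base, n);
        base = mulmod(base, base, n);
        e >>= 1;
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

typedef struct { uint64_t p, q, n, e, d, dp, dq, iq, ip; } rsa_key_t;

/* Constructed textbook parameters, not a real key. The CRT values follow the
 * RSA-CRT system slide; inverses are computed with Fermat (p, q prime). */
rsa_key_t sample_key(void)
{
    rsa_key_t k = {61, 53, 3233, 17, 2753, 0, 0, 0, 0};
    k.dp = k.d % (k.p - 1);              /* d_p = e^-1 mod (p-1) = 53 */
    k.dq = k.d % (k.q - 1);              /* d_q = e^-1 mod (q-1) = 49 */
    k.iq = powmod(k.q, k.p - 2, k.p);    /* i_q = q^-1 mod p */
    k.ip = powmod(k.p, k.q - 2, k.q);    /* i_p = p^-1 mod q (Gauss recombination) */
    return k;
}

/* Garner recombination: S = S_q + q * (i_q * (S_p - S_q) mod p) */
static uint64_t recombine_garner(rsa_key_t k, uint64_t sp, uint64_t sq)
{
    uint64_t diff = (sp + k.p - sq % k.p) % k.p;
    return sq + k.q * mulmod(k.iq, diff, k.p);
}

/* Gauss recombination: S = (p * i_p * S_q + q * i_q * S_p) mod N, which never
 * manipulates the intermediate value i_q * (S_p - S_q) mod p. */
static uint64_t recombine_gauss(rsa_key_t k, uint64_t sp, uint64_t sq)
{
    uint64_t t1 = mulmod(mulmod(k.p, k.ip, k.n), sq, k.n);
    uint64_t t2 = mulmod(mulmod(k.q, k.iq, k.n), sp, k.n);
    return (t1 + t2) % k.n;
}

/* Naive RSA-CRT signature. With fault_sp set, S_p is moved to another
 * residue mod p, modelling the fault injection on the S_p computation. */
uint64_t sign_naive(rsa_key_t k, uint64_t m, int fault_sp)
{
    uint64_t sp = powmod(m % k.p, k.dp, k.p);
    uint64_t sq = powmod(m % k.q, k.dq, k.q);
    if (fault_sp) sp = (sp + 1) % k.p;
    return recombine_garner(k, sp, sq);
}

/* Why gcd(S~ - S mod N, N) = q: S~ equals S mod q but not mod p. */
uint64_t faulty_difference_gcd(rsa_key_t k, uint64_t m)
{
    uint64_t s = sign_naive(k, m, 0), sf = sign_naive(k, m, 1);
    return gcd64(sf > s ? sf - s : s - sf, k.n);
}

/* Protected version: m + N so that a reduction always happens, Gauss
 * recombination, and the S^e mod N = m check before output.
 * Returns 0 for "Fault Detected" (0 is never a valid signature of m != 0). */
uint64_t sign_protected(rsa_key_t k, uint64_t m, int fault_sp)
{
    uint64_t mb = m + k.n;
    uint64_t sp = powmod(mb % k.p, k.dp, k.p);
    uint64_t sq = powmod(mb % k.q, k.dq, k.q);
    if (fault_sp) sp = (sp + 1) % k.p;
    uint64_t s = recombine_gauss(k, sp, sq);
    if (powmod(s, k.e, k.n) != m % k.n) return 0;   /* "Fault Detected" */
    return s;
}

/* Shamir's check for when e is not available: exponentiate modulo p*t and
 * q*t with the full d and compare both results modulo the small t. */
uint64_t sign_shamir(rsa_key_t k, uint64_t m, uint64_t t, int fault_spt)
{
    uint64_t spt = powmod(m % (k.p * t), k.d, k.p * t);
    uint64_t sqt = powmod(m % (k.q * t), k.d, k.q * t);
    if (fault_spt) spt = (spt + 1) % (k.p * t);
    if (spt % t != sqt % t) return 0;               /* "Fault Detected" */
    return recombine_garner(k, spt % k.p, sqt % k.q);
}

int main(void)
{
    rsa_key_t k = sample_key();
    printf("S = %llu, gcd(S~ - S, N) = %llu, protected with fault -> %llu\n",
           (unsigned long long)sign_naive(k, 2790, 0),
           (unsigned long long)faulty_difference_gcd(k, 2790),
           (unsigned long long)sign_protected(k, 2790, 1));
    return 0;
}
```

Shamir's check misses a fault with probability about 1/t for a random fault, so t is a trade-off between cost and detection rate; the S^e check has no such gap but needs e.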

75 Application examples for AES-128
Process of a naive AES-128
Input: K = 16-byte key, P = 16-byte plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)
  Round ← 0
  while (Round < 9) {
    SubBytes(State)
    ShiftRow(State)
    MixColumn(State)
    KeySchedule(RoundKey, Round)
    AddRoundKey(State, RoundKey)
    Round++
  }
  SubBytes(State)
  ShiftRow(State)

76 Application examples for AES-128
Process of a naive AES-128 (same process as above)
  AddRoundKey(State, RoundKey)      ← considering sensitivity to DSCA (initial AddRoundKey)

77 Application examples for AES-128
Secret sharing and AddRoundKey:
  Split the state S = S_0, S_1, ..., S_15 into 2 shares S1 and S2 s.t. S = S1 ⊕ S2
  Thus the AddRoundKey operation on the state S = S_0, S_1, ..., S_15 can be performed on only one of the 2 shares: e.g. S1 = S1 ⊕ K
  The values of S1 and S2 before and after AddRoundKey are not predictable


79 Application examples for AES-128
Process of a naive AES-128
Input: K = 16-byte key, P = 16-byte plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)
  Round ← 0
  while (Round < 9) {
    SubBytes(State)                 ⇐ considering sensitivity to DSCA at round 0
    ShiftRow(State)
    MixColumn(State)
    KeySchedule(RoundKey, Round)
    AddRoundKey(State, RoundKey)
    Round++
  }
  SubBytes(State)
  ShiftRow(State)

80 Application examples for AES-128
The SubBytes operation:
  Apply 16 times (once per byte) a non-linear operation {0,1}^8 → {0,1}^8
  Can be seen as an inversion composed with an affine transformation in GF(2^8)
  Can be implemented as a Look-Up Table (LUT) of 256 bytes

81 Application examples for AES-128
Secret sharing and SubBytes with LUT: the basic method
  Split the 16-byte state S = S_0 S_1 ... S_15 into 2 shares maskedS and T: S = maskedS ⊕ T, with the 16-byte parameter T = X X ... X, X ∈ [0, 255]
  The SubBytes operation on the state S = S_0, S_1, ..., S_15 can be performed on the share maskedS, but with a modified Substitution Box (pre-computation):
    for y from 0 to 255: Sbox'[y ⊕ X] = Sbox[y] ⊕ X
  ⇒ Requires 256 extra bytes in RAM
  ⇒ There are much more elaborate methods
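The two-share (Boolean masking) scheme of the AddRoundKey and SubBytes slides, carried through round 0 as an added Python example that is not the lecture's code. The S-box is built from its definition (GF(2^8) inversion followed by the affine map, as the SubBytes slide states) so nothing has to be typed in; input and output masks are kept as two parameters, which generalises the slide's single mask X (call with x_in == x_out to get exactly the slide's table).

```python
"""First-order Boolean masking of AES AddRoundKey + SubBytes with a
recomputed (masked) S-box, as sketched on the slides.

Added example, not the lecture's code. The AES S-box is derived from its
definition (GF(2^8) inversion then the affine map) so the block is
self-contained; the in/out masks are kept separate, which generalises the
slide's single mask X (x_in == x_out == X gives exactly the slide).
"""
import os


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """a^254 == a^-1 in GF(2^8); 0 maps to 0 as AES requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def affine(a):
    """The AES affine transformation on one byte."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return a ^ rot(a, 1) ^ rot(a, 2) ^ rot(a, 3) ^ rot(a, 4) ^ 0x63


SBOX = [affine(gf_inv(a)) for a in range(256)]   # the 256-byte LUT


def masked_sbox(x_in, x_out):
    """Pre-computed table with Sbox'[y ^ x_in] = Sbox[y] ^ x_out.

    Costs the 256 extra bytes of RAM the slide mentions; with
    x_in == x_out == X it is exactly the slide's construction.
    """
    table = [0] * 256
    for y in range(256):
        table[y ^ x_in] = SBOX[y] ^ x_out
    return table


def share_state(state, x):
    """Split S into (S ^ T, T) with T = X X ... X, so S == share1 ^ share2."""
    return [s ^ x for s in state], [x] * len(state)


def unshare(share1, share2):
    """Recombine the two shares: S = share1 ^ share2."""
    return [a ^ b for a, b in zip(share1, share2)]


def masked_round0_subbytes(plaintext, key, x_in=None, x_out=None):
    """Round-0 AddRoundKey then SubBytes, computed on shares only.

    Returns (share1, share2) with share1 ^ share2 == SubBytes(P ^ K).
    The key is XORed into share1 only; no intermediate value equals P ^ K
    or SubBytes(P ^ K), so a first-order DSCA on those values has no target.
    """
    x_in = os.urandom(1)[0] if x_in is None else x_in
    x_out = os.urandom(1)[0] if x_out is None else x_out
    share1, share2 = share_state(plaintext, x_in)
    share1 = [a ^ k for a, k in zip(share1, key)]   # AddRoundKey on one share
    table = masked_sbox(x_in, x_out)
    share1 = [table[a] for a in share1]             # SubBytes on the masked share
    share2 = [x_out] * len(share2)                  # mask after SubBytes is x_out
    return share1, share2


def reference_round0_subbytes(plaintext, key):
    """Unprotected computation, used only to check the masked result."""
    return [SBOX[p ^ k] for p, k in zip(plaintext, key)]


# Constructed sample input (the plaintext/key pair of the FIPS-197 worked example)
PLAINTEXT = list(bytes.fromhex("3243f6a8885a308d313198a2e0370734"))
KEY = list(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
```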

82 Outline
1 Context and Motivations
2 Basic Rules and Countermeasures Examples
  Regarding Timing Attacks
  Regarding SPA-SEMA
  Regarding Statistical Side-Channel Attacks
  Regarding Fault Attacks
3 Application Examples for some Cryptographic Algorithms
  Application examples for RSA-CRT
  Application examples for AES
Conclusion

83 Conclusion
It is not always easy to verify that a countermeasure is effective
  By code audit
    But the compiler could remove countermeasures
    But the cache could create vulnerabilities
  By practical realization of the attacks
    May be costly to realize all possible attacks
    But if no vulnerability is found, was the attack set-up effective?

84 Conclusion
It is not always easy to verify that a countermeasure is effective
  Hand methods
    List exhaustively all intermediate variables (regarding DSCA)
    List exhaustively all fault effects (regarding FA)
    How to be confident that the list is exhaustive?
  Towards the usage of formal methods
    Use trusted provers to prove the resistance
    For now, mainly used for fault-resistance assessment only
    ⇒ Difficult to guarantee that the abstraction level is correct
    ⇒ The proof is often correct only for a specific implementation (HW specific)

85 Conclusion
It is not always easy to identify the assets
  Assets may be different depending on the application
    RSA signature: S = m^d mod N
    RSA decipher: S = m^d mod N


87 Conclusion
It is not always easy to identify the assets
  Assets may be different depending on the application
    RSA cipher: m = S^e mod N
    RSA verification: m = S^e mod N

88 Conclusion
It is not always easy to identify the assets
  Assets may be different depending on the application
    RSA cipher: m = S^e mod N
    RSA verification: m = S^e mod N, and the comparison that comes after

89 Conclusion
It is not always easy to identify all attack paths
  All existing attacks should be considered: the list is huge
  Attacks are always in motion, new ones appear regularly

90 Some must references (not exhaustive)
  On the Importance of Eliminating Errors in Cryptographic Computations, Boneh et al., Bellcore Report, 96
  Method and apparatus for protecting PK schemes from timing and fault attacks, Shamir, 97
  DPA, Kocher et al., CHES 99
  Timing Attacks on Implementations of DH, RSA, DSS, and Other Systems, Kocher et al., 99
  DES and DPA: the "Duplication" Method, Goubin et al., CHES 99
  Resistance against DPA for ECC, Coron et al., CHES 99

91 Some must references (not exhaustive)
  PKCS#1: RSA Cryptographic Standard, RSA Laboratory
  ANSI X9.63, Public Key Cryptography for the Financial Industry
  FIPS 197: AES, NIST, 01
  A Sound Method for Switching between Boolean and Arithmetic Masking, Goubin et al., CHES 01
  The Montgomery Powering Ladder, Joye et al., CHES 02
  DFA on AES, Dusart et al., 03
  CPA with a leakage model, Brier et al., CHES 04


More information

Efficient DPA Attacks on AES Hardware Implementations

Efficient DPA Attacks on AES Hardware Implementations I. J. Communications, Network and System Sciences. 008; : -03 Published Online February 008 in SciRes (http://www.srpublishing.org/journal/ijcns/). Efficient DPA Attacks on AES Hardware Implementations

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

Syrvey on block ciphers

Syrvey on block ciphers Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source

More information

Encryption Details COMP620

Encryption Details COMP620 Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more

More information

Secure Multiple SBoxes Implementation with Arithmetically Masked Input

Secure Multiple SBoxes Implementation with Arithmetically Masked Input Secure Multiple SBoxes Implementation with Arithmetically Masked Input Luk Bettale Oberthur Technologies 71-73 rue des Hautes Pâtures 92726 Nanterre Cedex - France l.bettale@oberthur.com Abstract The building

More information

White-Box Cryptography State of the Art. Paul Gorissen

White-Box Cryptography State of the Art. Paul Gorissen White-Box Cryptography State of the Art Paul Gorissen paul.gorissen@philips.com Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion

More information

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis V.S.Subarsana 1, C.K.Gobu 2 PG Scholar, Member IEEE, SNS College of Engineering, Coimbatore, India 1 Assistant Professor

More information

Differential Fault Analysis on the AES Key Schedule

Differential Fault Analysis on the AES Key Schedule ifferential Fault Analysis on the AES Key Schedule Junko TAKAHASHI and Toshinori FUKUNAGA NTT Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation, {takahashi.junko, fukunaga.toshinori}@lab.ntt.co.jp

More information

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher

More information

Parallelizing Cryptography. Gordon Werner Samantha Kenyon

Parallelizing Cryptography. Gordon Werner Samantha Kenyon Parallelizing Cryptography Gordon Werner Samantha Kenyon Outline Security requirements Cryptographic Primitives Block Cipher Parallelization of current Standards AES RSA Elliptic Curve Cryptographic Attacks

More information

Fault Attacks on Public Keys

Fault Attacks on Public Keys Fault Attacks on Public Keys Ce cile Canovas and Alexandre Berzati CEA-LETI Minatec et Universite de Versailles 5 Juin 2009 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms 4 ECDLP-based

More information

Side-channel Analysis of Grøstl and Skein

Side-channel Analysis of Grøstl and Skein 2012 IEEE IEEE Symposium CS Security on Security and Privacy and Workshops Privacy Workshops Side-channel Analysis of Grøstl and Skein Christina Boura, Sylvain Lévêque, David Vigilant Gemalto 6 rue de

More information

Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation

Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Air Force Institute of Technology AFIT Scholar Theses and Dissertations 9-13-2012 Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A. Koziel

More information

Content of this part

Content of this part UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this

More information

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17

More information

Power Analysis Side Channel Attacks: The Processor Design-level Context

Power Analysis Side Channel Attacks: The Processor Design-level Context Power Analysis Side Channel Attacks: The Processor Design-level Context Jude Angelo Ambrose Submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy March 2009 School

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

Micro-Architectural Attacks and Countermeasures

Micro-Architectural Attacks and Countermeasures Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature

More information

Hardware Security. Debdeep Mukhopadhyay

Hardware Security. Debdeep Mukhopadhyay Hardware Security Debdeep Mukhopadhyay Secured Embedded Architecture Laboratory (SEAL) Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Kharagpur, West Bengal, INDIA

More information

Fault Sensitivity Analysis

Fault Sensitivity Analysis Fault Sensitivity Analysis Yang Li 1, Kazuo Sakiyama 1, Shigeto Gomisawa 1, Toshinori Fukunaga 2, Junko Takahashi 1,2, and Kazuo Ohta 1 1 Department of Informatics, The University of Electro-Communications

More information

THE FINITE LAB-TRANSFORM (FLT) Peter Lablans

THE FINITE LAB-TRANSFORM (FLT) Peter Lablans THE FINITE LAB-TRANSFORM (FLT) Peter Lablans Warning: The subject matter of this article is, at least partially, protected by Copyright Registration and by issued patents and pending patent applications.

More information