Contributions
Download Proceedings as complete PDF.
Invited Talk #1: Side-Channel Resistance Engineering

| Speaker | Pankaj Rohatgi |
|---|---|
| Date | 2010/02/04 |
| Start time | 10:30 |
| Duration | 01:00 |
| Slides | PDF |

Pankaj Rohatgi
Cryptography Research Inc., San Francisco, CA
Technical Director, Hardware Security Solutions
Abstract:
tba.
Session 1: Side-Channel Attacks

Talk #1: Correlation power analysis in frequency domain

| Speaker | Paul Duplys |
|---|---|
| Date | 2010/02/04 |
| Start time | 11:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Oliver Schimmel, Technical University Darmstadt, Germany
Paul Duplys, Robert Bosch GmbH, Germany
Eberhard Boehl, Robert Bosch GmbH, Germany
Jan Hayek, Robert Bosch GmbH, Germany
Wolfgang Rosenstiel, University of Tübingen, Germany
Abstract:
In this work we introduce a power analysis attack in the frequency
domain called Correlation Power Frequency Analysis (CPFA). Our attack
is based on the power spectral density of the signal and, unlike
public state-of-the-art frequency domain attacks, uses the
correlation coefficient for key hypothesis verification. This allows us
to utilize measurements more efficiently than differential power
analysis attacks in the frequency domain. We demonstrate the feasibility of
our attack and compare it with time domain correlation power analysis
with respect to noise impact.
Talk #2: The Variance Power Attack

| Speaker | Philippe Hoogvorst |
|---|---|
| Date | 2010/02/04 |
| Start time | 12:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Philippe Hoogvorst
LTCI-CNRS, TELECOM ParisTech
Abstract:
Side-channel attacks are a serious threat to secrets
protected by cryptographic functions implemented in electronic devices.
The threat is serious when the cryptographic operations are performed
using a PC but is yet more dangerous for embedded devices, for which the
various side-channels are more easily available to the attacker. This
article describes a generalisation of DPA and CPA which
not only finds the secret key in use but gives the attacker a lot of
information about the internals of the target system, which enables
her to optimize other attacks. The attack can also be used as a
characterization tool by the designer of the embedded system to check
that his countermeasures work as expected in a more precise way than
performing an attack and obtaining a yes/no answer.
Session 2: Side-Channel Attacks II

Talk #3: An Empirical Study of the EIS Assumption in Side Channel Attacks against Hardware Implementations

| Speaker | Sylvain Guilley |
|---|---|
| Date | 2010/02/04 |
| Start time | 13:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Sylvain Guilley, Olivier Meynard, Laurent Sauvage, and Jean-Luc Danger, Telecom ParisTech, France
Abstract:
Side-channel analyses are powerful techniques to extract
secrets from a circuit handling sensitive information. We discuss in
this paper the optimal way to conduct side-channel attacks, based on
extensive knowledge of the circuit's leakage. This approach allows us
to unify two attack methodologies: those requiring a
pre-characterization step (such as template or stochastic attacks) and
those based on a known or on-line discovered model (DPA, CPA or MIA).
The computation or measurement of an exhaustive behavior is a costly
investment. However, it is non-recurrent; therefore,
afterwards, optimal attacks can be realized with a considerable
speed-up.
The first contribution of this paper is to put forward that an
exhaustive characterization of the leakage indeed brings an advantage
in terms of attacks. We notably, for the first time, bring practical
and theoretical evidence of the origin of the deviation from an
incomplete characterization or an incomplete model. More precisely, we
prove that the most important cause for non-optimality is logical and
not technological. Indeed, the non-linearity of the functionality is
the first reason for the partial templates or models to be
approximate.
The technological effects, such as cross-talk between adjacent
wires or intra-die electrical characteristics variations account only
as second order contributions. We advocate that the deeper the
non-linear combinatorial gates are, the worse the incomplete
pre-characterizations or the partially parameterized models will match
the actual leakage. Therefore, for a fair evaluation of parallel
implementations that compute one or more rounds per clock period, we
recommend building and using rainbow tables (exhaustive or close to
exhaustive precharacterization
Talk #4: About Probability Density Function Estimation for Side Channel Analysis

| Speaker | Florent Flament |
|---|---|
| Date | 2010/02/04 |
| Start time | 14:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Florent Flament, Houssem Maghrebi, Moulay Aziz Elabid, Jean-Luc Danger, Sylvain Guilley, and Laurent Sauvage, Telecom ParisTech, France
Talk #5: Side channels attacks in code-based cryptography

| Speaker | Falko Strenzke |
|---|---|
| Date | 2010/02/04 |
| Start time | 14:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Pierre-Louis Cayrel, CASED, Germany
Falko Strenzke, FlexSecure GmbH, Germany
Abstract:
The McEliece and the Niederreiter public key cryptosystems (PKC) are
supposed to be secure in a post-quantum world because there is no efficient
quantum algorithm for the underlying problems upon which these
cryptosystems are built. The CFS, Stern and KKS signature schemes are
post-quantum secure because they are based on hard problems of coding
theory. The purpose of this article is to describe what kind of attacks
have been proposed against code-based constructions and what is missing.
Invited Talk #2: Constructive Side Channel Analysis and Secure Design for novel Design Platforms and Design Environments

| Speaker | Ingrid Verbauwhede |
|---|---|
| Date | 2010/02/04 |
| Start time | 15:30 |
| Duration | 01:00 |
| Slides | PDF |

Ingrid Verbauwhede
Katholieke Universiteit Leuven, Belgium,
ESAT/COSIC
Abstract:
The goal of this presentation is to give an overview of novel design
platforms and novel design methods to make next generation embedded
systems. Next generation embedded systems are complex and very
heterogeneous systems-on-chip.
They combine full-custom building blocks, embedded controllers, many
different types of memory, remote reconfigurable building blocks and
many forms of hardware and software. They also adapt to changing
environmental conditions or workloads.
Providing side-channel security in this context is a challenge.
Therefore, novel design methods to make COSADE possible will be needed.
In this presentation, an overview of design trends, challenges and open
problems for side-channel security will be given.
Session 3: Tools

Talk #6: Side Channel Leakage Profiling in Software

| Speaker | Daniel Shumow |
|---|---|
| Date | 2010/02/04 |
| Start time | 16:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Daniel Shumow and Peter Montgomery,
Microsoft Research, USA
Abstract:
Testing cryptographic implementations for side channel leakage is a
difficult and important problem. The techniques used to uncover side
channel leakage are more involved than the usual methodologies of
software testing, for example sometimes involving physical measurements
of hardware. As such, it is difficult to work this sort of analysis
into the usual software testing process. To this end we have developed
the Side Channel Profiler. This is an extensible framework for
capturing dynamic execution of cryptographic code and applying side
channel analysis regardless of the underlying architecture. This tool
can be used to selectively emulate different hardware components, or
apply other side channel leakage criteria. We also demonstrate how the
tool can be used to analyze an implementation of naive square-and-multiply
modular exponentiation.
Talk #7: DPA Characteristic Evaluation of SASEBO for Board Level Simulation

| Speaker | Naofumi Homma |
|---|---|
| Date | 2010/02/04 |
| Start time | 17:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Toshihiro Katashita, Akashi Satoh, Katsuya Kikuchi, Hiroshi
Nakagawa, Masahiro Aoyagi
National Institute of Advanced Industrial Science and Technology,
AIST/RCIS, Japan
Abstract:
For the development of secure cryptographic hardware against power
analysis attacks, security evaluation methodologies based on simulation
are required before manufacturing to reduce the risk of redesign.
In order to create an appropriate simulation model for the security
evaluation and to investigate the leakage mechanism of side-channel
information, we conducted DPA on a newly developed SASEBO-GII board,
and evaluated the signal-to-noise ratio of side-channel information while
changing the amount of decoupling capacitance on a power line. The
impedance characteristics of SASEBO-GII were also measured for the
modeling.
Session 4: Protection & Design

Talk #8: Right-to-Left or Left-to-Right Exponentiation?

| Speaker | Colin Walter |
|---|---|
| Date | 2010/02/05 |
| Start time | 10:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Colin Walter, Royal Holloway, United Kingdom
Abstract:
The most recent left-to-right and right-to-left multibase
exponentiation methods are compared for elliptic curve and modular
residue groups to gauge the value and cost of switching from the normal
left-to-right mode to the more side channel resistant right-to-left
direction.
Talk #9: Side-Channel based Watermarks for IP Protection

| Speaker | Christof Paar |
|---|---|
| Date | 2010/02/05 |
| Start time | 11:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Georg T. Becker, Markus Kasper and Christof Paar
Ruhr-Universität Bochum, Germany
Abstract:
Copyright violations are an increasing problem for hardware
designers. Illegal copies of IP cores can cost manufacturers millions of
dollars. As one possible solution to this problem, digital
watermarking for integrated circuits has been proposed in the past. We
propose a new watermarking mechanism that is based on side-channels and
that can easily and reliably be detected. The idea is to embed a unique
signal into a side-channel of the device that serves as a watermark,
similar to a side-channel based hardware Trojan. This enables the owner
of the watermark to check ICs for their code using the established
side-channel. But detecting the illegal use of code in a hardware
design is only the first step. With watermarking the owner can also
prove to a third party (e.g., a judge) that the code was illegally
reused.
Talk #10: Performance and Security Aspects of Client-Side SSL/TLS Processing on Mobile Devices

| Speaker | Johann Großschädl |
|---|---|
| Date | 2010/02/04 |
| Start time | 17:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Johann Großschädl, University of Luxembourg, Luxembourg
Abstract:
The SSL/TLS protocol is the de-facto standard for secure
Internet
communications, and supported by virtually all modern e-mail clients
and Web browsers. With more and more PDAs and cell phones providing
wireless e-mail and Web access, there is an increasing demand for
establishing secure SSL/TLS connections on devices that are relatively
constrained in terms of computational resources. Therefore, the
efficient implementation of the cryptographic primitives executed on
the client side of the SSL/TLS protocol is essential for the emergence
of a wireless Internet with strong end-to-end security. In addition,
the cryptographic primitives need to be protected against side-channel
analysis since an attacker may be able to monitor, for example,
electromagnetic emanations from a mobile device. Using an RSA-based
cipher suite has the advantage that all modular exponentiations on the
client side are carried out with public exponents, which is uncritical
in terms of performance and side-channel leakage. However, the current
migration to AES-equivalent security levels makes a good case for using
an Elliptic Curve Cryptography (ECC)-based cipher suite. We demonstrate
in this paper that, for high security levels, ECC-based cipher suites
outperform their RSA counterparts on the client side, even though they
require the integration of diverse countermeasures against side-channel
attacks. In addition, we propose a new countermeasure to protect the
symmetric encryption of application messages (i.e. bulk data) against
Differential Power Analysis (DPA) attacks. This new countermeasure,
which we call inter-block shuffling, is based on an "interleaved"
encryption of several 128-bit blocks of data (using, for example, the
AES), and randomizes the order in which the individual rounds of the
individual blocks are executed. Our experimental results show that
inter-block shuffling is a highly effective countermeasure as it
provides excellent DPA-protection at the expense of a slight
degradation in performance.
Session 5: Countermeasures

Talk #11: Randomizing the Montgomery Multiplication to Repel Template Attacks on Multiplicative Masking

| Speaker | Marcel Medwed |
|---|---|
| Date | 2010/02/05 |
| Start time | 15:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Christoph Herbst and Marcel Medwed, IAIK, TU Graz, Austria
Abstract:
For a long time multiplicative masking together with highly
regular exponentiation algorithms was believed to thwart all
side-channel based threats. Recent research results showed that the
multiplicative masking itself can be attacked in order to recover the
used masks. In this paper we propose a countermeasure which closes this
security gap. The basic idea is to protect the masking step by
introducing a randomized multiplication. The proposed method is cheap
in terms of performance overhead. The memory overhead is reasonable.
Talk #12: Towards a Third Order Side Channel Analysis Resistant Table Recomputation Method

| Speaker | Ange Martinelli |
|---|---|
| Date | 2010/02/05 |
| Start time | 13:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Guillaume Fumaroli, Sylvain Lachartre and Ange Martinelli
Thales, France
Louis Goubin, Université Versailles Saint-Quentin, France
Abstract:
Side Channel Analysis (SCA for short) exploits the information
leaked during the execution of a cryptographic algorithm to mount
efficient key-recovery attacks.
Typical countermeasures against SCA consist in splitting all the
intermediate data into two or more random parts or masks that are
manipulated at different times while maintaining some consistency
relation throughout the execution. The main issue in designing such a
countermeasure is to devise a suitable algorithm for implementing
functions that are non-linear with respect to the masking scheme
without introducing a flaw in the scheme. An implementation is said to
be resistant to d-th order SCA (dO-DPA resistant for short) if any
d-tuple of its intermediate variables is independent of sensitive data.
While proper dO-SCA resistant non-linear function implementations have
been proposed for d ≤ 2, it still remains an open problem for
d > 2.
This paper extends the 2O-SCA resistant table recomputation of to
provide close to 3O-SCA resistance.
Invited Talk #3: Constructive Power Analysis in Practice

| Speaker | Stefan Mangard |
|---|---|
| Date | 2010/02/05 |
| Start time | 14:00 |
| Duration | 01:00 |
| Slides | PDF |

Stefan Mangard
Infineon Technologies AG, Munich, Germany
Security Innovation Research Group
Abstract:
This talk focuses on the challenge of how to find and fix DPA problems
in practice. First, the differences between finding functional problems
of a design and finding security problems are discussed.
The talk then explores how DPA attacks can be used to pinpoint the
cause of DPA problems. In this context, the effects of the inputs and
parameters of the attacks are discussed: the choice of the hypotheses,
the choice of the distinguisher and the simulation or measurement of
the power traces. In the second part of the talk, a concrete example is
given. Starting with power traces of a chip, the DPA leakage is
analyzed one step after the other until the exact transistors that
cause the leakage are known.
Session 6: Preprocessing & Preselection

Talk #13: Biasing power traces to improve correlation in power analysis attacks

| Speaker | Yongdae Kim |
|---|---|
| Date | 2010/02/05 |
| Start time | 13:00 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Yongdae Kim, Takeshi Sugawara, Naofumi Homma and Takafumi Aoki, Graduate School of Information Sciences, Tohoku University, Japan
Akashi Satoh, National Institute of Advanced Industrial Science and Technology, Japan
Abstract:
In this paper, we present a selection method for power traces
to improve the efficiency of power analysis attacks. The proposed
method improves the correlation factor by biasing the distribution of power
traces. The biasing consists in selecting a subset from many traces. We
demonstrate our method through correlation power analysis (CPA)
experiments using two different devices. The results clearly show that
the selection of power traces has a significant impact on the results
of CPAs. Based on the selection method, an evaluation method to detect
such biasing in power traces is also proposed. The method can be used
to achieve a fair comparison of statistical distinguishers for power
analysis attacks.
Talk #14: Improved Template Attacks

| Speaker | Jürgen Pulkus |
|---|---|
| Date | 2010/02/05 |
| Start time | 13:30 |
| Duration | 00:30 |
| Extended Abstract | PDF |
| Slides | PDF |

Authors:
Martin Baer, Fraunhofer SIT, Germany
Jürgen Pulkus and Hermann Drexler, Giesecke & Devrient, Germany
Abstract:
This article describes some observations made during our still
on-going experiments on template attacks. Taking an unsecured software
implementation of the AES on a smart card with highly data-dependent
current consumption, we try out methods given in the literature as well
as some ideas of our own. Our currently best method is able to determine the
complete 16-byte key correctly given just one power trace, using a
search over less than one million key candidates in the worst case.