Laboratoř vestavné bezpečnosti (EmbeddedSecurityLab)

Publikace

Versatile Hardware Framework for Elliptic Curve Cryptography

Autoři
Mašek, V.; Novotný, M.
Rok
2022
Publikováno
Proceedings of the 2022 25th International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS). Piscataway: IEEE, 2022. p. 80-83. ISSN 2473-2117. ISBN 978-1-6654-9431-1.
Typ
Stať ve sborníku
Anotace
We propose versatile hardware framework for ECC. The framework supports arithmetic operations over P-256, Ed25519 and Curve25519 curves, enabling easy implementation of various ECC algorithms. Framework finds its application area e.g. in FIDO2 attestation or in nowadays rapidly expanding field of hardware wallets. As the design is intended to be ASIC-ready, we designed it to be area efficient. Hardware units are reused for calculations in several finite fields, and some of them are superior to previously designed circuits in terms of time-area product. The framework implements several attack countermeasures. It enables implementation of certain countermeasures even in later stages of design. The design was validated on SoC FPGA.

Influence of Synthesis Parameters on Vulnerability to Side-Channel Attacks

Autoři
Balihar, T.; Novotný, M.
Rok
2021
Publikováno
Proceedings of the 10th Mediterranean Conference on Embedded Computing (MECO'2020). Institute of Electrical and Electronics Engineers, Inc., 2021. p. 735-740. ISSN 2637-9511. ISBN 978-0-7381-3361-4.
Typ
Stať ve sborníku
Anotace
Every cryptographic design has to be secure to fulfil its function properly. As side-channel attacks are becoming easier and easier to perform, designers of secure circuits must pay attention to implementing various countermeasures against these attacks. However, in some cases, their hard work can be thwarted if automatic optimizations invalidate the defences. This work explores the effect of synthesis parameters settings on the vulnerability of the cryptographic designs implemented in FPGAs to side-channel attacks. It focuses on the implementation of Advanced Encryption Standard (AES) with multiple countermeasures against attacks and evaluates the effect of parameters settings on security using Test Vector Leakage Assessment based on Welch’s t-test.

Secure and dependable: Area-efficient masked and fault-tolerant architectures

Rok
2021
Publikováno
Proceedings of the 2021 24th Euromicro Conference on Digital System Design. Los Alamitos: IEEE Computer Society, 2021. p. 333-338. ISBN 978-1-6654-2703-6.
Typ
Stať ve sborníku
Anotace
Masking is a powerful instrument for protecting cryptographic devices against side-channel analysis. Multiple masking schemes were introduced providing provable security against attacks of arbitrary order even in the presence of glitches. When a device is a part of some safety-critical system, it needs to meet dependability requirements; therefore, it should be protected against spontaneously occurring faults. Existing commonly used fault-tolerance architectures involve high area overhead as so as the masking schemes do. In this paper, we propose architectures meeting dependability properties of simple modular-redundancy schemes and SCA resistance of masking schemes, but decreasing the area overhead utilizing the randomness involved in the masking schemes. We compare our Masked Duplex architecture with Triple Modular Redundancy. While using one less redundant module, our architecture saves around 20% of the area in comparison with TMR in the case of Threshold Implementation of PRESENT cipher, promising more savings for more complex cryptographic schemes

Side-channel attack on Rainbow post-quantum signature

Rok
2021
Publikováno
Proceedings of the 2021 Design, Automation & Test in Europe (DATE). New Jersey: IEEE, 2021. p. 565-568. ISSN 1558-1101. ISBN 978-3-9819263-5-4.
Typ
Stať ve sborníku
Anotace
Rainbow, a layered multivariate quadratic digital signature, is a candidate for standardization in a competition-like process organized by NIST. In this paper, we present a CPA side-channel attack on the submitted 32-bit reference implementation. We evaluate the attack on an STM32F3 ARM microcontroller,successfully revealing the full private key. Furthermore, we propose a simple masking scheme with minimum overhead.

High-level synthesis, cryptography, and side-channel countermeasures: A comprehensive evaluation

Rok
2021
Publikováno
Microprocessors and Microsystems. 2021, 85 1-13. ISSN 0141-9331.
Typ
Článek
Anotace
Side-channel attacks pose a severe threat to both software and hardware cryptographic implementations. Current literature presents various countermeasures against these kinds of attacks, based on approaches such as hiding or masking, implemented either in software, or on register-transfer level or gate level in hardware. However, emerging trends in hardware design lean towards a system-level approach, allowing for faster, less error-prone, design process, an efficient hardware/software co-design, or sophisticated validation, verification, and (co)simulation strategies. In this paper, we propose a Boolean masking scheme suitable for high-level synthesis of substitution-permutation network-based encryption. We implement both unprotected and protected PRESENT, AES/Rijndael and Serpent encryption in C language, utilizing the concept of dynamic logic reconfiguration, synthesize it for Xilinx FPGA, and we compare our results regarding time and area utilization. We evaluate the effectiveness of proposed countermeasures using both specific and non-specific t-test leakage assessment methodology. We discuss the leakage assessment results, and we identify and discuss the related limitations of the system-level approach and the high-level synthesis.

Exploiting Linearity in White-Box AES with Differential Computation Analysis

Autoři
Klemsa, J.; Novotný, M.
Rok
2020
Publikováno
Proceedings of the 2020 Computing Conference, Volume 3. Basel: Springer Nature Switzerland AG, 2020. p. 404-419. ISSN 2194-5357. ISBN 978-3-030-52242-1.
Typ
Stať ve sborníku
Anotace
Not only have all current scientific white-box AES schemes been mathematically broken, they also face a family of attacks derived from traditional Side Channel Attacks, e.g., Differential Computation Analysis (DCA) introduced by Bos et al. Such attacks are very universal and easy-to-mount – they require neither knowledge of the implementation, nor use of reverse engineering. In this paper, we particularly focus on DCA against white-box AES by Chow et al. which shows lower than 100% success rate as opposed to other schemes studied by Bos et al. We provide an explanation of this phenomenon while unraveling another weakness in the design of white-box AES by Chow et al. Based on our theoretical results, we propose an extension of the original DCA attack which has a higher chance of key recovery and might be adapted for other schemes.

WTFHE: neural-netWork-ready Torus Fully Homomorphic Encryption

Autoři
Klemsa, J.; Novotný, M.
Rok
2020
Publikováno
Proceedings of the 9th Mediterranean Conference on Embedded Computing - MECO'2020. Institute of Electrical and Electronics Engineers, Inc., 2020. p. 434-438. ISSN 2637-9511. ISBN 978-1-7281-6949-1.
Typ
Stať ve sborníku
Anotace
We are currently witnessing two arising trends, which have a huge potential to threaten our privacy: the invasive sensors of the Internet of Things (IoT), and the powerful data mining techniques, in particular we focus on Neural Networks (NN's). For this reason, powerful countermeasures must be called for service: namely end-to-end encryption. Such an approach however requires an encryption scheme that enables processing of the encrypted data - this is known as the Fully Homomorphic Encryption (FHE). In this paper, we revisit an FHE scheme named TFHE, which is suitable for evaluation of NN's over encrypted input data, and we suggest to incorporate a verifiability feature to the evaluation process. Since there already exist other variants of the original TFHE scheme-currently only implemented in C++, which is rigid-we further introduce a library for rapid prototyping of new concepts related to TFHE. Our library is implemented in Ruby, which is an interpreted language and which goes with an interactive shell. Hence any new method can be speedily verified before implemented as a high-performance library.

Security Notions for the VeraGreg Framework and Their Reductions

Autoři
Klemsa, J.; Trummová, I.
Rok
2020
Publikováno
ISEA-ISAP 2020. IEEE Xplore, 2020. p. 8-20. ISBN 978-1-7281-6708-4.
Typ
Stať ve sborníku
Anotace
Homomorphic encryption enables computations with encrypted data, however, in its plain form, it does not guarantee that the computation has been performed honestly. For the Fully Homomorphic Encryption (FHE), a verifiable variant emerged soon after the introduction of FHE itself, for a single-operation homomorphic encryption (HE), particular verifiable variant has been introduced recently, called the VeraGreg Framework. In this paper, we identify a weakness of List Non-Malleability as defined for the VeraGreg framework—an analogy to the classical Non-Malleability—and define a stronger variant, which addresses the weakness and which we show not to be strengthenable any more. Next, we suggest a decomposition of the abstract VeraGreg framework, introduce novel notions of security for the resulting components and show some reductions between them and/or their combinations. We conjecture that VeraGreg achieves the strongest (and desirable) security guarantee if and only if its building blocks achieve certain, much more tangible properties. Finally, we suggest a simplification to the original VeraGreg instantiation, which now relies on hardness of particular kind of the famous Shortest Vector Problem for lattices.

Novel Dummy Rounds Schemes as a DPA Countermeasure in PRESENT Cipher

Autoři
Rok
2020
Publikováno
Proceedings of the 23rd International Symposium on Design and Diagnostics of Electronic Circuits and Systems. Piscataway, NJ: IEEE, 2020. p. 1-4. ISSN 2334-3133. ISBN 978-1-7281-9938-2.
Typ
Stať ve sborníku
Anotace
The Dummy Rounds Side-Channel Attacks countermeasure scheme for digital design has been proposed in earlier work. Its experimental evaluation and analysis revealed weaknesses that resulted in the proposal of an enhanced Dummy Rounds scheme. In this paper, we present the implementation of the proposed enhancement of Dummy Rounds scheme in PRESENT cipher and provide its experimental evaluation using Welch’s t-test. We further propose several novel modifications of dummy Rounds scheme as a solution to other security problems we have encountered. Novel Dummy Rounds scheme, namely its modifications proposed in this paper, are superior to earlier proposed schemes in terms of side-channel leakage prevention.

Novel Controller for Dummy Rounds Scheme DPA Countermeasure

Autoři
Rok
2020
Publikováno
Proceedings of the 23rd Euromicro Conference on Digital Systems Design. Los Alamitos, CA: IEEE Computer Soc., 2020. p. 281-284. ISBN 978-1-7281-9535-3.
Typ
Stať ve sborníku
Anotace
In our previous work, we developed the Dummy Rounds countermeasure to protect the hardware design against side-channel attacks. The scheme employs hiding in time and hiding in consumption. After several improvements of the datapath, the leakage has been minimized significantly. In this paper, we present the enhancement of the Dummy Rounds controller. This enhancement enables further reduction of the leakage. We tested the method on PRESENT cipher implemented in the Sakura-G board. The design was evaluated using Welch's t-test.

Towards High-Level Synthesis of Polymorphic Side-Channel Countermeasures

Rok
2020
Publikováno
Proceedings of the 23rd Euromicro Conference on Digital Systems Design. Los Alamitos, CA: IEEE Computer Soc., 2020. p. 193-199. ISBN 978-1-7281-9535-3.
Typ
Stať ve sborníku
Anotace
Side-channel attacks pose a severe threat to both software and hardware cryptographic implementations. Current literature presents various countermeasures against these kinds of attacks, based on approaches such as hiding or masking, implemented either in software, or on register-transfer or gate-level in hardware. However, emerging trends in hardware design lean towards a system-level approach, allowing for faster, less error-prone, design process, an efficient hardware/software co-design, or sophisticated validation, verification, and (co)simulation strategies. In this paper, we propose a Boolean masking scheme suitable for high-level synthesis. We implement a protected PRESENT encryption in C language, utilizing the concept of dynamic logic reconfiguration, synthesize it for Xilinx Artix 7 FPGA, and we compare our results regarding clock cycle latency and area utilization. We evaluate the effectiveness of proposed countermeasures using specific t-test leakage assessment methodology. We show that our high-level synthesis implementation successfully conceals the side-channel leakage while maintaining reasonable area and latency overhead.

Side-channel countermeasures utilizing dynamic logic reconfiguration: Protecting AES/Rijndael and Serpent encryption in hardware

Autoři
Socha, P.; Brejník, J.; Balasch, J.; Novotný, M.; Mentens, N.
Rok
2020
Publikováno
Microprocessors and Microsystems. 2020, 78 1-10. ISSN 0141-9331.
Typ
Článek
Anotace
Dynamic logic reconfiguration is a concept that allows for efficient on-the-fly modifications of combinational circuit behavior in both ASIC and FPGA devices. The reconfiguration of Boolean functions is achieved by modification of their generators (e.g., shift register-based look-up tables) and it can be controlled from within the chip, without the necessity of any external intervention. This hardware polymorphism can be utilized for the implementation of side-channel attack countermeasures, as demonstrated by Sasdrich et al. for the lightweight cipher PRESENT. In this work, we adapt these countermeasures to two of the AES finalists, namely Rijndael and Serpent. Just like PRESENT, both Rijndael and Serpent are block ciphers based on a substitution-permutation network. We describe the countermeasures and adjustments necessary to protect these ciphers using the resources available in modern Xilinx FPGAs. We describe our implementations and evaluate the side-channel leakage and effectiveness of different countermeasures combinations using a methodology based on Welch’s t-test. Furthermore, we attempt to break the protected AES/Rijndael implementation using second-order DPA/CPA attacks. We did not detect any significant first-order leakage from the fully protected versions of our implementations. Using one million power traces, we detect second-order leakage from Serpent encryption, while AES encryption second-order leakage is barely detectable. We show that the countermeasures proposed by Sasdrich et al. are, with some modifications, successfully applicable to AES and Serpent.

Analyzing and Optimizing the Dummy Rounds Scheme

Rok
2019
Publikováno
Proceedings of the 22nd International Symposium on Design and Diagnostics of Electronic Circuits and Systems. Piscataway, NJ: IEEE, 2019. p. 1-4. ISBN 978-1-7281-0073-9.
Typ
Stať ve sborníku
Anotace
The dummy rounds protection scheme, intendedto offer resistance against Side Channel Attacks to Feisteland SP ciphers, has been introduced in earlier work. Itsexperimental evaluation revealed weaknesses, most notablyin the first and last round. In this contribution, we showthat the situation can be greatly improved by controllingthe transition probabilities in the state space of the algo-rithm. We derived necessary and sufficient conditions forthe round execution probabilities to be uniform and hencethe minimum possible. The optimum trajectories over thestate space are regular and easy to implement.

Multiprecision ANSI C Library for Implementation of Cryptographic Algorithms on Microcontrollers

Autoři
Říha, J.; Klemsa, J.; Novotný, M.
Rok
2019
Publikováno
Proceedings of the 8th Mediterranean Conference on Embedded Computing - MECO'2019. Institute of Electrical and Electronics Engineers, Inc., 2019. p. 275-278. ISSN 2377-5475. ISBN 978-1-7281-1739-3.
Typ
Stať ve sborníku vyzvaná či oceněná
Anotace
Current cryptographic algorithms work with operands that are several times wider than the machine word, e.g., the still popular RSA algorithm shall use at least 2 048-bit keys. Such algorithms therefore require libraries that implement multiprecision arithmetic. Existing libraries are either not tailored for microcontrollers, or they implement an incomplete set of multiprecision operations, which limits the implementation of some unusual cryptographic algorithms on microcontrollers. In this work, we present a novel ANSI C library that implements also some less common operations like, e.g., multiprecision integer division. The library was designed with respect to the use on microcontrollers and has been tested on ARM M4-based microcontroller Microchip CEC1302.

Dynamic Logic Reconfiguration Based Side-Channel Protection of AES and Serpent

Autoři
Socha, P.; Brejník, J.; Jeřábek, S.; Novotný, M.; Mentens, N.
Rok
2019
Publikováno
Proceedings of the 22nd Euromicro Conference on Digital Systems Design. Los Alamitos, CA: IEEE Computer Soc., 2019. p. 277-282. ISBN 978-1-7281-2861-0.
Typ
Stať ve sborníku
Anotace
Dynamic logic reconfiguration is a concept which allows for efficient on-the-fly modifications of combinational circuit behaviour in both ASIC and FPGA devices. The reconfiguration of Boolean functions is achieved by modification of their generators (e.g. shift register-based look-up tables) and it can be controlled from within the chip, without the necessity of any external intervention. This hardware polymorphism can be utilized for the implementation of side-channel attack countermeasures, as demonstrated by Sasdrich et al. for the lightweight cipher PRESENT. In this work we adopt these countermeasures to two of the AES finalists, namely Rijndael and Serpent. Just like PRESENT, both Rijndael and Serpent are block ciphers based on a substitution-permutation network. We describe the countermeasures and adjustments necessary to protect these ciphers using the resources available in modern Xilinx FPGAs. We describe our VHDL implementations and evaluate the side-channel leakage and effectiveness of different countermeasure combinations using a methodology based on Welch’s t-test. We did not detect any significant leakage from the fully protected versions of our implementations. We show that the countermeasures proposed by Sasdrich et al. are, with some modifications compared to the protected PRESENT implementation, successfully applicable to AES and Serpent.

First-Order and Higher-Order Power Analysis: Computational Approaches and Aspects

Rok
2019
Publikováno
Proceedings of the 8th Mediterranean Conference on Embedded Computing - MECO'2019. Institute of Electrical and Electronics Engineers, Inc., 2019. p. 83-87. ISSN 2377-5475. ISBN 978-1-7281-1739-3.
Typ
Stať ve sborníku
Anotace
Side-channel analysis pose a serious threat to many modern cryptosystems. Using Correlation power analysis, attacker may be able to recover the cipher key and therefore jeopardize the whole cryptosystem, which is why many countermeasures are being developed. These countermeasures are typically effective against first-order attacks. However, protected implementations may still be vulnerable to higher-order analysis. In this paper, we compare different approaches to the higher-order analysis regarding their mathematical and performance properties. We focus on Correlation power analysis attack and the test vector leakage assesment using Welch’s t-test, we optimize and accelerate discussed algorithms using CPU and GPU, and we present our experimental results and remarks

SICAK: An open-source SIde-Channel Analysis toolKit

Rok
2019
Publikováno
8th Workshop on Trustworthy Manufacturing and Utilization of Secure Devices (TRUDEVICE 2019). Karlsruhe Institute of Technology, 2019.
Typ
Stať ve sborníku
Anotace
Side-channel cryptanalysis pose a serious threat to many modern cryptographic systems. Typical scenario of a side-channel attack consists of an active phase, where data are acquired, and of an analytical phase, where the data get examined and evaluated. This work presents a software toolkit which includes support for both phases of the side-channel attack. The toolkit consists of non-interactive text-based utilities with modular plug-in architecture. The measurement utility supports different oscilloscopes, target interfaces and measurement scenarios. The evaluation utilities include support for the test vector leakage assessment and the CPA attack. Different approaches to the algorithmical evaluation of the attack are implemented in order to extract the cipher key. The visualisation utility allows for the visual examination of the attack results by the user. The toolkit aims to be multiplatform and it is written using C/C++ with performance in mind. Time-demanding operations (such as the statistical analysis) are accelerated using OpenMP and OpenCL for an efficient computation on both CPU and GPU devices.

Efficient algorithmic evaluation of correlation power analysis: Key distinguisher based on the correlation trace derivative

Rok
2019
Publikováno
Microprocessors and Microsystems. 2019, 2019(71), 1-8. ISSN 0141-9331.
Typ
Článek
Anotace
Correlation power analysis (CPA) is one of the most common side-channel attacks today, posing a threat to many modern ciphers, including AES. In the final step of this attack, the cipher key is usually extracted by the attacker by visually examining the correlation traces for each key guess. The naïve way to extract the correct key algorithmically is selecting the key guess with the maximum Pearson correlation coefficient. We propose another key distinguisher based on a significant change in the correlation trace rather than on the absolute value of the coefficient. Our approach performs better than the standard maximization, especially in the noisy environment, and it allows to significantly reduce the number of acquired power traces necessary to successfully mount an attack in noisy environment, and in some cases make the attack even feasible.

Dummy Rounds as a DPA countermeasure in hardware

Rok
2018
Publikováno
Proceedings of the 21st Euromicro Conference on Digital System Design. Piscataway: IEEE, 2018. p. 523-528. ISBN 978-1-5386-7376-8.
Typ
Stať ve sborníku
Anotace
This paper describes the technique of Dummy Rounds as a countermeasure against DPA in hardware implementation of round-based ciphers. Its principle is inspired by several well-known countermeasures used in hardware as Hiding and Dynamic Reconfiguration as well as countermeasures used in software implementations as Dummy cycles, Random order execution or Hiding in time. Being inspired by countermeasures based on dynamic reconfiguration, this method combines hiding of power consumption with hiding in time. In this work we also discuss the amount of randomness available for the control of the computation.

Speeding up differential power analysis using integrated power traces

Rok
2018
Publikováno
2018 7th Mediterranean Conference on Embedded Computing (MECO). Piscataway: IEEE, 2018. p. 19-23. ISBN 978-1-5386-5683-9.
Typ
Stať ve sborníku
Anotace
Side-channel attacks, including differential power analysis (DPA), are still an emerging topic. To make a deep research about DPA, one needs to be able to perform it as fast as possible. There are many possible ways to decrease the time of the attack. In this paper, we propose a way to decrease the duration of the correlation computations of this kind of attack by decreasing the number of samples per a power trace using an integration based aggregation method. We comprehensively describe this idea and present the results of an experimental evaluation focusing on the time efficiency of this approach.

Correlation Power Analysis Distinguisher Based on the Correlation Trace Derivative

Rok
2018
Publikováno
Proceedings of the 21st Euromicro Conference on Digital System Design. Piscataway: IEEE, 2018. p. 565-568. ISBN 978-1-5386-7376-8.
Typ
Stať ve sborníku
Anotace
Correlation power analysis (CPA) is one of the most common side channel attacks today, posing a threat to many modern ciphers, including AES. The simplest method to extract the correct key guess is selecting the guess with the maximum Pearson correlation coefficient. We propose another distinguisher based on a significant change in the correlation trace rather than on the absolute value of the coefficient. Our approach performs better than the standard CPA, especially in the noisy environment.

Practical Session: Differential Power Analysis for Beginners

Autoři
Buček, J.; Novotný, M.; Štěpánek, F.
Rok
2017
Publikováno
Hardware Security and Trust. Springer International Publishing, 2017. p. 77-91. ISBN 978-3-319-44316-4.
Typ
Kapitola v knize
Anotace
This tutorial will introduce you to the basics of the DPA (Differential Power Analysis) – a technique that exploits the dependency of the processed data on the power trace of the device to extract some secret information that would not be otherwise available. During the session you will learn how to process the power trace of the implementation of the AES encryption algorithm using an algebraic system (in our case Matlab), create the power hypothesis, extract the secret information and also how to measure the power consumption of the embedded system (smart card) in order to obtain the power traces. The first part of the tutorial Differential Power Analysis – Key Recovery is aimed at explaining the creation of the power hypothesis and the use of algebraic systems. The second part of the tutorial DPA – measurement with an oscilloscope covers the practical part of the exercise - the measurement of the power consumption using the PicoScope.

Emulator of Contactless Smart Cards in FPGA

Rok
2017
Publikováno
Proceedings of the 6th Mediterranean Conference on Embedded Computing (MECO 2017). IEEE (Institute of Electrical and Electronics Engineers), 2017. p. 96-99. ISBN 978-1-5090-6741-1.
Typ
Stať ve sborníku
Anotace
This paper describes implementation of contactless smart card emulator compliant with ISO/IEC 14443 in Field Programmable Gate Array (FPGA). Systems using contactless smart cards are widely used and some of these systems are not secured properly. For example in many such systems smart card Unique Identifier (UID) is used as the only one authentication mean. As the UID is not encrypted and is read from the card in plain, it is easy to make a copy of the smart card and use the clone as the original card. In this work we describe emulator of a smart card implemented in FPGA which is able to spoof some genuine smart card. Emulator described in this work emulates protocol described in ISO/IEC 14443 standard, which in detail describes all aspects of RFID smart cards (from physical attributes of both - cards and readers - to communication by digital signals). The emulator is able to come through the whole card selection process and to spoof the real smart card with given UID. Moreover emulator can be selected also for higher application layer protocol communication. If we know the proprietary application layer protocol, emulator is able to spoof communication on this protocol with data recorded in it. This functionality was successfully tested on systems used at Czech Technical University in Prague, where the weak implementation of UID as the only one authentication mean is used. Emulator is responding faster than most of other existing smart card emulators thanks to high efficient implementation in hardware.

Differential Power Analysis on FPGA board: Boundaries of Success

Autoři
Mazur, L.; Novotný, M.
Rok
2017
Publikováno
Proceedings of the 6th Mediterranean Conference on Embedded Computing (MECO 2017). IEEE (Institute of Electrical and Electronics Engineers), 2017. p. 92-95. ISBN 978-1-5090-6741-1.
Typ
Stať ve sborníku
Anotace
Differential Power Analysis (DPA) is a contemporary method able to break cryptographic device via measuring and analyzing its power consumption. The success rate of the DPA method strongly depends on the measurement setup. We have investigated and evaluated the influence of measurement setup on the success rate of DPA attack against FPGA board running AES encryption. From our findings it follows that removing decoupling capacitors plays major role in success rate of the DPA attack. Replacing standard switched-mode power supply with accumulators and linear stabilizers simplifies the attack, however, its effect is not that significant.

Influence of passive hardware redundancy on differential power analysis resistance of AES cipher implemented in FPGA

Rok
2017
Publikováno
Microprocessors and Microsystems. 2017, 2017(51), 220-226. ISSN 0141-9331.
Typ
Článek
Anotace
Many electronic systems have to fulfill strict dependability properties, especially both fault tolerance and attack resistance. Intuitively, these requirements may seem to contradict each other. A study and an experiment description of the possible methods how to measure these impacts as well as result of first experiments are presented in this paper. Specifically, how basic passive hardware redundancy design methods affects resistance against differential power analysis attack and how the whole design can be modified to increase attack resistance will be discussed.

Cryptanalytic attacks on cyber-physical systems

Autoři
Rok
2017
Publikováno
Microprocessors and Microsystems. 2017, 2017(52), 534-539. ISSN 0141-9331.
Typ
Článek
Anotace
Cryptography finds its application in various objects used in our everyday life. GSM communication, credit cards, tickets for public transport or REID tags employ cryptographic features either to protect privacy or to ensure trustworthy authentication. However, many such objects are vulnerable to certain cryptanalytic attacks. In this review we discuss how FPGA-based cryptanalytic hardware may compromise GSM communication, or how standard laboratory equipment may be used for breaking Smart Card security. This review summarizes keynote speech that was given at 5th Mediterranean Conference on Embedded Computing (MECO'2016).

Influence of Fault-Tolerance Techniques on Power-Analysis Resistance of Cryptographic Design

Rok
2017
Publikováno
Proc. of the 20th Euromicro Conference on Digital System Design. Piscataway, NJ: IEEE, 2017. p. 260-267. ISBN 978-1-5386-2146-2.
Typ
Stať ve sborníku
Anotace
As the security is becoming more and more important these days, we still should not forget about reliability. When designing a cryptographic device for some mission-critical or another reliability demanding system, we need to make the device not only attack-resistant, but also fault-tolerant. There are many common fault-tolerant digital design techniques, however, it is questionable, how these techniques affect the attack-resistance. Do they make the device more vulnerable e.g. to side-channel attacks? In our work we focused on finding the answer to this question. We experimentally evaluated the influence of information redundancy, space redundancy and time redundancy techniques on resistance against power analysis attack. In this paper we present our observations.

Optimization of Pearson correlation coefficient calculation for DPA and comparison of different approaches

Rok
2017
Publikováno
Proceedings of the 2017 IEEE 20th International Symposium on Design and Diagnotics of Electronic Circuit & Systems. Piscataway, NJ: IEEE, 2017. p. 184-189. ISSN 2473-2117. ISBN 978-1-5386-0472-4.
Typ
Stať ve sborníku
Anotace
Differential power analysis (DPA) is one of the most common side channel attacks. To perform this attack we need to calculate a large amount of correlation coefficients. This amount is even higher when attacking FPGAs or ASICs, for higher order attacks and especially for attacking DPA protected devices. This article explains different approaches to the calculation of correlations, describes our implementation of these approaches and presents a detailed comparison considering their performance and their properties for a practical usage.

Influence of fault-tolerant design methods on differential power analysis resistance of AES cipher: Methodics and challenges

Rok
2016
Publikováno
Proceedings of the 5th Mediterranean Conference on Embedded Computing (MECO 2016). Piscataway: Institute of Electrical and Electronics Engineers, 2016. p. 14-17. ISSN 2377-5475. ISBN 978-1-5090-2221-2.
Typ
Stať ve sborníku
Anotace
Many electronic systems has to fulfill strict dependability properties, especially both fault tolerance and attack resistance. These requirements usually contradict each other. The study and experiment descriptions of the possible methods how to measure these impacts are presented in this paper. Specifically, how fault-tolerant design methods affects resistance against differential power analysis attack and how the whole design can be modified to increase attack resistance will be discussed.

High-Performance Cryptanalysis on RIVYERA and COPACOBANA Computing Systems

Autoři
Gueneysu, T.; Kasper, T.; Novotný, M.; Paar, C.; Wienbrandt, L.; Zimmermann, R.
Rok
2013
Publikováno
High-Performance Computing Using FPGAs. New York: Springer, 2013. p. 335-366. ISBN 978-1-4614-1791-0.
Typ
Kapitola v knize
Anotace
Special-purpose computing platforms based on reconfigurable hardware have shown to typically exhibit a much better performance-cost ratio than off-the-shelf computers populated with general-purpose processors. In this chapter we introduce two different FPGA-based cluster architectures, called COPACOBANA and RIVYERA. These high-performance computing clusters are populated with up to 256 Xilinx Spartan or Virtex FPGAs per system and can be interconnected to form an even larger system with 2560 FPGA per rack. In this chapter, we present a wide range of applications from the fields of cryptanalysis %and bioinformatics that have been successfully implemented on both architectures.

Differential Power Analysis under Constrained Budget: Low Cost Education of Hackers

Autoři
Štěpánek, F.; Buček, J.; Novotný, M.
Rok
2013
Publikováno
Proceedings of 16th Euromicro Conference on Digital System Design. Piscataway: IEEE Service Center, 2013. p. 645-648. ISBN 978-0-7695-5074-9.
Typ
Stať ve sborníku
Anotace
The differential power analysis is popular technique in exploiting weaknesses of the embedded systems — mostly of the smart cards. This approach is understandable as the DPA does not require expensive equipment or strong theoretical background on the device under attack. Therefore it is ideal for education of beginners or students in the field of computer security. The aim of this paper is to describe the economy of obtaining the basic equipment for the education of the differential power analysis and to share the experience with its teaching.

Lightweight Cipher Resistivity against Brute-Force Attack: Analysis of PRESENT

Autoři
Pospíšil, J.; Novotný, M.
Rok
2012
Publikováno
Proceedings of the 2012 IEEE 15th International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS). New York: IEEE Computer Society Press, 2012, pp. 197-198. ISBN 978-1-4673-1185-4.
Typ
Stať ve sborníku
Anotace
The PRESENT cipher symmetric block cipher with 64 bits of data block and 80 (or 128) bits of key.It is based on Substitution-permutation network and consists of 31 rounds. PRESENT is intended to be implemented in small embedded and contactless systems, thus its design needs only small amount of chip area and consumes low power. In this work we evaluate the resistance of PRESENT against brute-force attack. We determine the computational demand of this type of attack conducted on special parallel hardware COPACOBANA consisting of array of FPGA chips with custom design.

Evaluating Cryptanalytical Strength of Lightweight Cipher PRESENT on Reconfigurable Hardware

Autoři
Pospíšil, J.; Novotný, M.
Rok
2012
Publikováno
Proceedings of the 15th Euromicro Conference on Digital System Design. Los Alamitos: IEEE Computer Society Press, 2012, pp. 560-567. ISBN 978-0-7695-4798-5.
Typ
Stať ve sborníku
Anotace
The PRESENT cipher is a symmetric block cipher with 64 bits of data block and 80 (or 128) bits of key. It is based on Substitution-permutation network and consists of 31 rounds. PRESENT is intended to be implemented in small embedded and contactless systems, thus its design needs only small amount of chip area and consumes low power. In this work we evaluate the resistance of PRESENT against time-memory trade-off attack. Specifically Rainbow Tables method is used. We determine the computational demand of this type of attack conducted on special parallel reconfigurable hardware COPACOBANA consisting of array of FPGA chips with custom design.

Breaking Hitag2 with Reconfigurable Hardware

Autoři
Štembera, P.; Novotný, M.
Rok
2011
Publikováno
Proceedings of the 14th Euromicro Conference on Digital System Design. Los Alamitos: IEEE Computer Society Press, 2011, pp. 558-563. ISBN 978-0-7695-4494-6.
Typ
Stať ve sborníku
Anotace
The Hitag2 stream cipher is used in many real-world applications, such as car immobilizers and door opening systems, as well as for the access control of buildings. The short length of the 48-bit secret key employed makes the cipher vulnerable to a brute-force attack, i.e., exhaustive key search. In this paper we develop the first hardware architecture for the cryptanalysis of Hitag2 by means of exhaustive key search. Our implementation on COPACOBANA is able to reveal the secret key of a Hitag2 transponder in less than 2 hour in the worst case. The speed of our approach outperforms all previously proposed attacks and requires only 2 sniffed communications between a car and a tag. Our findings thus define a new lower limit for the cloning of car keys in practice. Moreover, the attack is arbitrarily parallelizable and could thus be run on multiple COPACOBANAs to decrease the time to find the secret key.

Cryptanalysis of KeeLoq with COPACOBANA

Autoři
Novotný, M.; Kasper, T.
Rok
2009
Publikováno
SHARCS '09 Special-Purpose Hardware for Attacking Cryptographic Systems. Lausanne: EPFL, 2009, pp. 159-164.
Typ
Stať ve sborníku
Anotace
In this paper we develop a hardware architecture for the cryptanalysis of KeeLoq. Our brute-force attack, implemented on the Cost-Optimized Parallel Code-Breaker COPACOBANA, is able to reveal the secret key of a remote control in less than 0.5 seconds if a 32-bit seed is used and in less than 6 hours in case of a 48-bit seed. To obtain reasonable cryptographic strength against this type of attack, a 60-bit seed has to be used, for which COPACOBANA needs in the worst case about 1011 days for the key recovery. However, the attack is arbitrarily parallelizable and could thus be run on multiple COPACOBANAs to decrease the attack time.

Za obsah stránky zodpovídá: doc. Ing. Štěpán Starosta, Ph.D.