DOCSLIB.ORG

Analysis of Cryptographic Algorithms Against Theoretical and Implementation Attacks INF/01

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of Cryptographic Algorithms Against Theoretical and Implementation Attacks INF/01 UNIVERSITA` DEGLI STUDI DI MILANO Department of Computer Science \Giovanni Degli Antoni" Doctoral School in Computer Science Ph.D. in Computer Science XXIX cycle Analysis of cryptographic algorithms against theoretical and implementation attacks INF/01 Ph.D Candidate: Silvia Mella Advisor: Prof. Stelvio Cimato Co-Advisor: Dr. Gilles Van Assche Coordinator: Prof. Paolo Boldi Academic year 2016/2017 Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Computer Science Ph.D. Candidate: Silvia Mella Advisor: Prof. Stelvio Cimato Co-Advisor: Dr. Gilles Van Assche Coordinator: Prof. Paolo Boldi Universit`adegli Studi di Milano Department of Computer Science \Giovanni degli Antoni" Abstract This thesis deals with theoretical and implementation analysis of cryptographic functions. Theo- retical attacks exploit weaknesses in the mathematical structure of the cryptographic primitive, while implementation attacks leverage on information obtained by its physical implementation, such as leakage through physically observable parameters (side-channel analysis) or susceptibility to errors (fault analysis). In the area of theoretical cryptanalysis, we analyze the resistance of the Keccak-f permuta- tions to differential cryptanalysis (DC). Keccak-f is used in different cryptographic primitives: Keccak (which defines the NIST standard SHA-3), Ketje and Keyak (which are currently at the third round of the CAESAR competition) and the authenticated encryption function Kravatte. In its basic version, DC makes use of differential trails, i.e. sequences of differences through the rounds of the primitive. The power of trails in attacks can be characterized by their weight. The existence of low-weight trails over all but a few rounds would imply a low resistance with respect to DC. We thus present new techniques to efficiently generate all 6-round differential trails in Keccak-f up to a given weight, in order to improve known lower bounds. The limit weight we can reach with these new techniques is very high compared to previous attempts in literature for weakly aligned primitives. This allows us to improve the lower bound on 6 rounds from 74 to 92 for the four largest variants of Keccak-f. This result has been used by the authors of Kravatte to choose the number of rounds in their function. Thanks to their abstraction level, some of our techniques are actually more widely applicable than to Keccak-f. So, we formalize them in a generic way. The presented techniques have been integrated in the KeccakTools and are publicly available [BDPV15]. In the area of fault analysis, we present several results on differential fault analysis (DFA) on the block cipher AES. Most DFA attacks exploit faults that modify the intermediate state or round key. Very few examples have been presented, that leverage changes in the sequence of operations by reducing the number of rounds. In this direction, we present four DFA attacks that exploit faults that alter the sequence of operations during the final round. In particular, we show how DFA can be conducted when the main operations that compose the AES round function are corrupted, skipped or repeated during the final round. Another aspect of DFA we analyze is the role of the fault model in attacks. We study it from an information theoretical point of view, showing that the knowledge that the attacker has on the injected fault is fundamental to mount a successful attack. In order to soften the a-priori knowledge on the injection technique needed by the attacker, we present a new approach for DFA based on clustering, called J-DFA. The experimental results show that J-DFA allows to successfully recover the key both in classical DFA scenario and when the model does not perfectly match the faults effect. A peculiar result of this method is that, besides the preferred candidate for the key, it also provides the preferred models for the fault. This is a quite remarkable ability because it furnishes precious information which can be used to analyze, compare and characterize different specific injection techniques on different devices. VI In the area of side-channel attacks, we improve and extend existing attacks against the RSA algorithm, known as partial key exposure attacks. These attacks on RSA show how it is possible to find the factorization of the modulus from the knowledge of some bits of the private key. We present new partial key exposure attacks when the countermeasure known as exponent blinding is used. We first improve known results for common RSA setting by reducing the number of bits or by simplifying the mathematical analysis. Then we present novel attacks for RSA implemented using the Chinese Remainder Theorem, a scenario that has never been analyzed before in this context. List of Publications Part of the contributions of this thesis has been published in the following papers. In Journals: Silvia Mella, Joan Daemen, Gilles Van Assche. New techniques for trail bounds and applica- • tion to differential trails in Keccak. IACR Transactions on Symmetric Cryptology, 2017(1), pages 329-357, 2017. In Proceedings of International Conferences/Workshops: Claudio Ferretti, Silvia Mella, and Filippo Melzani. The role of the fault model in DFA • against AES. In Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy (HASP 2014), pages 4:1-4:8. Minneapolis, MN, USA, June 15, 2014. ACM. Silvia Mella, Filippo Melzani. Differential fault attacks against AES tampering with the • instruction flow. In Proceedings of the 11th International Conference on Security and Cryp- tography (SECRYPT 2014), pages 1-6. Wien, Austria, August 28-30, 2014. Stelvio Cimato, Silvia Mella, Ruggero Susella. New results for partial key exposure on RSA • with exponent blinding. In Proceedings of the 12th International Conference on Security and Cryptography (SECRYPT 2015), pages 136-147. Colmar, Alsace, France, July 20-22, 2015. Stelvio Cimato, Silvia Mella, Ruggero Susella. Partial key exposure attacks on RSA with • exponent blinding. In 12th International Joint Conference on e-Business and Telecommu- nications (ICETE 2015) Revised and Extended Selected Papers, pages 364-385. Springer International Publishing. Luca Magri, Silvia Mella, Filippo Melzani, Beatrice Rossi, Pasqualina Fragneto. J-DFA: a • novel approach for robust differential fault analysis. In proceedings of the 12th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2015), pages 35-44. Saint Malo, France, September 13, 2015. IEEE Computer Society. Stelvio Cimato, Ernesto Damiani, Silvia Mella, Ching-Nung Yang. Key Recovery in public • clouds: a survey on cross-VM side channel attacks. International Conference on Cloud Com- puting and Security (ICCCS 2016) Revised Selected Papers, pages 456-467. Nanjing, China, July 29-31, 2016. Springer International Publishing. Contents Abstract .......................................................................V List of Publications ............................................................ VII List of Figures ................................................................. XII List of Tables ..................................................................XIV 1 Introduction ............................................................... 1 1.1 Cryptanalysis . .1 1.1.1 Theoretical attacks . .2 1.1.2 Implementation attacks . .3 1.2 Thesis contributions . .6 1.3 Thesis structure . .7 Part I Trail search in Keccak-f 2 Introduction ............................................................... 11 3 Preliminaries on differential cryptanalysis ................................. 13 3.1 Differentials . 13 3.2 Differential trails . 15 3.3 Trail extension . 16 3.4 Trail cores . 16 4 A generic approach for trail generation .................................... 19 4.1 Generating trails . 19 4.1.1 The first-order approach: trails from extending round differentials . 19 4.1.2 The second-order method: trails from extending two-round trails . 21 4.1.3 Lower bounding the weight starting from two-round trail cores . 22 4.2 Tree traversal approach . 22 4.2.1 Units and unit-lists . 23 4.2.2 Lower bound on the cost . 25 4.2.3 Traversing the unit-tree . 25 4.3 Searching by canonicity . 26 5 Keccak-f .................................................................. 27 5.1 The Keccak-f state .................................................... 27 5.2 The Keccak-f round function . 28 5.3 Difference propagation properties of the step mappings . 28 X Contents 5.3.1 Properties of χ .................................................... 30 5.3.2 Properties of θ .................................................... 30 5.3.3 Properties of π .................................................... 33 5.3.4 Properties of ρ .................................................... 33 5.3.5 Properties of ι .................................................... 35 5.3.6 Translation invariance along the z-axis . 35 5.4 Differential trails in Keccak-f ............................................ 36 5.4.1 Extension of trails and trail cores in Keccak-f ....................... 37 5.4.2 Extension of trail cores in Keccak-f ................................ 38 5.4.3 The Matryoshka structure . 38 6 Lower bounding the weight of trails in Keccak-f ........................... 39 6.1 Scanning the space of trails in Keccak . 39 6.1.1 Scanning the space of 6-round trail cores . 39 6.1.2 Scanning the space of 3-round trail cores . 40 6.1.3 Covering the space of 4 and 5 rounds . 42 6.2 Generating two-round trail cores in Keccak-f as a tree traversal
Load more

Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • Keccak Sponge Function Family Main Document
    Keccak sponge function family main document Guido Bertoni1 Joan Daemen1 Micha¨el Peeters2 Gilles Van Assche1 http://keccak.noekeon.org/ Version 1.0 1STMicroelectronics October 27, 2008 2NXP Semiconductors Keccak 2 / 78 Contents 1 Introduction 7 1.1 NIST requirements . .7 1.2 Acknowledgments . .8 2 Design rationale summary 9 2.1 Choosing the sponge construction . .9 2.2 Choosing an iterated permutation . 10 2.3 Designing the Keccak-f permutations . 10 2.4 Choosing the parameter values . 11 3 The sponge construction 13 3.1 Security of the sponge construction . 13 3.1.1 Indifferentiability from a random oracle . 13 3.1.2 Indifferentiability of multiple sponge functions . 14 3.1.3 Immunity to generic attacks . 15 3.1.4 Randomized hashing . 15 3.1.5 Keyed modes . 16 3.2 Rationale for the padding . 16 3.2.1 Sponge input preparation . 16 3.2.2 Multi-capacity property . 17 3.2.3 Digest-length dependent digest . 17 3.3 Parameter choices . 17 3.3.1 Capacity . 17 3.3.2 Width . 18 3.3.3 The default sponge function Keccak[] . 18 3.4 The four critical operations of a sponge . 18 3.4.1 Definitions . 19 3.4.2 The operations . 19 4 Sponge functions with an iterated permutation 21 4.1 The philosophy . 21 4.1.1 There should be no better attacks than generic attacks . 21 4.1.2 The impossibility of implementing a random oracle . 21 4.1.3 The choice between a permutation and a transformation . 22 4.1.4 The choice of an iterated permutation .
    [Show full text]
  • Innovations in Symmetric Cryptography
    Innovations in symmetric cryptography Joan Daemen STMicroelectronics, Belgium SSTIC, Rennes, June 5, 2013 1 / 46 Outline 1 The origins 2 Early work 3 Rijndael 4 The sponge construction and Keccak 5 Conclusions 2 / 46 The origins Outline 1 The origins 2 Early work 3 Rijndael 4 The sponge construction and Keccak 5 Conclusions 3 / 46 The origins Symmetric crypto around ’89 Stream ciphers: LFSR-based schemes no actual design many mathematical papers on linear complexity Block ciphers: DES design criteria not published DC [Biham-Shamir 1990]: “DES designers knew what they were doing” LC [Matsui 1992]: “well, kind of” Popular paradigms, back then (but even now) property-preservation: strong cipher requires strong S-boxes confusion (nonlinearity): distance to linear functions diffusion: (strict) avalanche criterion you have to trade them off 4 / 46 The origins The banality of DES Data encryption standard: datapath 5 / 46 The origins The banality of DES Data encryption standard: F-function 6 / 46 The origins Cellular automata based crypto A different angle: cellular automata Simple local evolution rule, complex global behaviour Popular 3-bit neighborhood rule: 0 ⊕ ai = ai−1 (ai OR ai+1) 7 / 46 The origins Cellular automata based crypto Crypto based on cellular automata CA guru Stephen Wolfram at Crypto ’85: looking for applications of CA concrete stream cipher proposal Crypto guru Ivan Damgård at Crypto ’89 hash function from compression function proof of collision-resistance preservation compression function with CA Both broken stream cipher in
    [Show full text]
  • Changing of the Guards
    Changing of the Guards . Joan Daemen CHES 2017 Taipei, September 26, 2017 Radboud University STMicroelectronics 1 / 18 Disclaimer . This is not a talk about higher-order countermeasures 2 / 18 Iterative cryptographic permutation . 3 / 18 Three-stage round function: wide trail . 4 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c .
    [Show full text]
  • A High-Performance Threshold Implementation of a Baseking Variant on an ARM Architecture
    Bachelor thesis Computer Science Radboud University A high-performance threshold implementation of a BaseKing variant on an ARM architecture Author: First supervisor/assessor: Tim van Dijk prof. dr. Joan Daemen [email protected] [email protected] Second supervisor: drs. Kostas Papagiannopoulos [email protected] Second assessor: prof. dr. Lejla Batina [email protected] July 3, 2017 Abstract In this thesis we present a straightforward implementation and a threshold implementation of the block cipher DoubleKing, a variant of BaseKing that uses 32-bit words instead of 16-bit words and has a block size of a 384- bit. The implementations are optimized with a focus on throughput and are made for the ARM Cortex-M4 microcontroller that uses the ARMv7 instruction set. The straightforward implementation achieves a throughput of 5.54 cycles per bit and the threshold implementation achieves one of 25.2 cycles per bit. We performed a test for resistance against first-order differen- tial power analysis on the threshold implementation using close to a million traces. We did not find significant leakages. Therefore we conclude the threshold implementation indeed does protect against first-order differential power analysis. Contents 1 Introduction 3 2 Preliminaries 5 2.1 BaseKing . .5 2.1.1 Key addition . .6 2.1.2 Mixing layer . .6 2.1.3 Early shift . .6 2.1.4 Nonlinear transform . .6 2.1.5 Late shift . .7 2.2 DoubleKing . .7 2.3 ARM Cortex-M4 . .8 2.3.1 Registers . .8 2.3.2 Instruction set . .8 2.3.3 Instructions .
    [Show full text]
  • Introduction to Symmetric Cryptography
    Introduction to symmetric cryptography Joan Daemen Institute for Computing and Information Sciences Radboud University Šibenik summer school 2016 Page 1 of 51 Joan Daemen Šibenik summer school 2016 Symmetric Crypto Outline Security services Stream encryption Authentication and authenticated encryption Building schemes with modes Building the primitives Example: Noekeon Page 2 of 51 Joan Daemen Šibenik summer school 2016 Symmetric Crypto Currently we are here... Security services Stream encryption Authentication and authenticated encryption Building schemes with modes Building the primitives Example: Noekeon Confidentiality I To protect: • people’s privacy • company assets • enforcing business: no pay, no content • meta: PIN, password, cryptographic keys I Data confidentiality • only authorised entities get access to the data • cryptographic operation: encryption I Protection against traffic analysis • existence of communication between parties • frequency and statistics of communication • called metadata • no direct link with a basic cryptographic operation Page 3 of 51 Joan Daemen Šibenik summer school 2016 Symmetric Crypto Security services Data integrity and authentication I Basic concepts: • data integrity: was not modified without proper authorization • entity authentication: entity is what it claims to be • data origin authentication: data received as it was sent • symmetric crypto operation: message authentication codes I Freshness: • entity is there now • received message was written recently • mechanism: unpredictable challenge I
    [Show full text]
  • A Advanced Encryption Standard See AES AES 35–64 AES Process And
    Index A DFC and DFC v2 196, 199 E2 196 Advanced Encryption Standard see AES FEAL and FEAL-NX 194, 198, 202–203 AES 35–64 FOX 199 AES process and finalists 196 FROG 196 algebraic attack 60 GOST 194 bottleneck attack 58 Grand Cru 198 key schedule 45, 178 Hasty Pudding Cipher 196 related-key attack 62 Hierocrypt-L1 and Hierocrypt-3 198 s-box 44, 50, 191 Hight 200 side-channel cryptanalysis 63 ICE 195 square attack 55 IDEA 194, 198, 205–207 algebraic attack see AES KASUMI 178, 185, 207–212 amplified boomerang attack see differential KFC 199 cryptanalysis Khazad 198 authenticated encryption 82–85 Khufu and Khafre 194 CCM 83 LION and LIONESS 195 EAX 84 LOKI, LOKI91, and LOKI97 194, 196 Lucifer 13, 194 B Madygra 194 Magenta 196 block cipher MARS 196, 198 3-way 195 mCrypton 200 Akelarre 195 Mercy 199 Anubis 191, 198 MISTY 185, 191, 195, 198, 207 BaseKing 195 MULTI2 194 BEAR 195 Nimbus 198 Blowfish 195 Noekeon 198 Camellia 198 NUSH 198 CAST-128 and CAST-256 195, 196 PES and IPES 194 CIPHERUNICORN-A 198 PRESENT 191, 200, 217–218 CIPHERUNICORN-E 198 Q 198 Clefia 200 RC2 194 Crypton 196 RC5 179, 195, 212–214 CS-Cipher 198 RC6 196, 198 DEAL 179, 196 REDOC II 194 DES-based variants see DES Rijndael see AES, 195 L.R. Knudsen and M.J.B. Robshaw, The Block Cipher Companion, Information Security 221 and Cryptography, DOI 10.1007/978-3-642-17342-4, © Springer-Verlag Berlin Heidelberg 2011 222 Index SAFER and variants 195, 196, 198 boomerang attack 162 SC2000 198 countermeasures 184 SEA 200 definition of difference 145 Serpent 178, 196, 197 difference distribution
    [Show full text]
  • Development and Benchmarking of New Hardware Architectures for Emerging Cryptographic Transformations
    DEVELOPMENT AND BENCHMARKING OF NEW HARDWARE ARCHITECTURES FOR EMERGING CRYPTOGRAPHIC TRANSFORMATIONS by Marcin Rogawski A Dissertation Submitted to the Graduate Faculty of George Mason University In Partial fulfillment of The Requirements for the Degree of Doctor of Philosophy Electrical and Computer Engineering Committee: Dr. Kris Gaj, Dissertation Director Dr. Jens-Peter Kaps, Committee Member Dr. Qiliang Li, Committee Member Dr. Massimiliano Albanese, Committee Member Dr. Andre Manitius, Department Chair Dr. Kenneth S. Ball, Dean, Volgenau School of Engineering Date: Summer Semester 2013 George Mason University Fairfax, VA Development and Benchmarking of New Hardware Architectures for Emerging Cryptographic Transformations A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at George Mason University By Marcin Rogawski Master of Science Military University of Technology, 2003 Director: Dr. Kris Gaj, Associate Professor Department of Electrical and Computer Engineering Summer Semester 2013 George Mason University Fairfax, VA Copyright © 2013 by Marcin Rogawski All Rights Reserved ii Dedication I dedicate this dissertation to my beloved wife and constant advocate, Kasia. Her patience, trust and support during these years in withstanding all the hours lost to my studies was critical to my success. To my mother Danusia and my stepfather Bohdan, who gave me the character and goal-oriented attitude, which has enabled me to get this far. To my parents- in-law Jadwiga and Czeslaw, who always believe, that my crazy ideas will work. Finally, I dedicate this thesis to the memory of my father Stanis law. iii Acknowledgments This research was partially supported by National Institute of Standards and Tech- nology through the Recovery Act Measurement Science and Engineering Research Grant Program, under contract no.
    [Show full text]
  • Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis
    Cipher and Hash Function Design Strategies based on linear and differential cryptanalysis Joan Daemen March 1995 i Note: This version has been compiled in January 2004. With respect to the original version,the formatting of some formulas was modified for layout purposes and some sentences were rephrased to allow easier line breaks. ii Voorwoord In deze inleiding maak ik van de gelegenheid gebruik om al diegenen te bedanken die er voor hebben gezorgd dat dit doctoraat tot stand is gekomen in een informele en vriendschappelijke werksfeer met veel ruimte voor samenwerking,creativiteit en persoonlijk initiatief. In de eerste plaats denk ik hierbij aan mijn promotoren Prof. Ren´e Govaerts en Prof. Joos Vandewalle,die mij op weg hebben geholpen met concrete voorstellen voor onderzoek. Door mij steeds te wijzen op het belang van de praktische toepasbaarheid van onderzoeksresultaten hebben zij voor een belangrijk deel de toon gezet voor deze verhandeling. Voorts wil ik graag de overige leden van het leescomit´e bedanken,Prof. Bart De Decker van het Dept. Computerwetenschappen en Prof. Jean-Jacques Quisquater van de UCL. Mijn oprechte dank gaat ook uit naar mijn collega en jurylid Bart Preneel,die het manuscript op vrijwillige basis heeft nagelezen en met wie ik vele leerrijke gesprekken gevoerd heb. Een speciaal woord van dank gaat naar jurylid Prof. Luc Claesen van IMEC voor zijn inzet en enthousiasme die hebben geleid tot de vlotte implementatie en demonstratie van de Subterranean chip. I am also grateful to Prof. Peter Landrock of the university of Arhus˚ for serving in my jury despite his busy agenda.
    [Show full text]
  • Threshold Implementations of All 3 × 3 and 4 × 4 S-Boxes
    Threshold Implementations of all 3 × 3 and 4 × 4 S-boxes Begul Bilgin1;3, Svetla Nikova1, Ventzislav Nikov4, Vincent Rijmen1;2, and Georg St¨utz2 1 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC and IBBT, Belgium 2 Graz University of Technology, IAIK, Austria 3 University of Twente, EEMCS-DIES, The Netherlands 4 NXP Semiconductors, Belgium Abstract. Side-channel attacks have proven many hardware implemen- tations of cryptographic algorithms to be vulnerable. A recently proposed masking method, based on secret sharing and multi-party computation methods, introduces a set of sufficient requirements for implementations to be provably resistant against first-order DPA with minimal assump- tions on the hardware. The original paper doesn't describe how to con- struct the Boolean functions that are to be used in the implementation. In this paper, we derive the functions for all invertible 3×3, 4×4 S-boxes and the 6 × 4 DES S-boxes. Our methods and observations can also be used to accelerate the search for sharings of larger (e.g. 8 × 8) S-boxes. Finally, we investigate the cost of such protection. Keywords: DPA, masking, glitches, sharing, nonlinear functions, S-box, decomposition 1 Introduction Side-channel analysis exploits the information leaked during the compu- tation of a cryptographic algorithm. The most common technique is to analyze the power consumption of a cryptographic device using differen- tial power analysis (DPA). This side-channel attack exploits the correla- tion between the instantaneous power consumption of a device and the intermediate results of a cryptographic algorithm. Several countermeasures against side-channel attacks have been pro- posed.
    [Show full text]
  • Lecture Notes in Computer Science 1978 Edited by G
    Lecture Notes in Computer Science 1978 Edited by G. Goos, J. Hartmanis and J. van Leeuwen 3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Singapore Tokyo Bruce Schneier (Ed.) Fast Software Encryption 7th International Workshop, FSE 2000 New York, NY, USA, April 10-12, 2000 Proceedings 13 Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editor Bruce Schneier Counterpane Internet Security, Inc. 3031 Tisch Way, Suite 100PE, San Jose, CA 95128, USA E-mail: [email protected] Cataloging-in-Publication Data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Fast software encryption : 7th international workshop ; proceedings / FSE 2000, New York, NY, April 10 - 12, 2000. Bruce Schneider (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 2001 (Lecture notes in computer science ; Vol. 1978) ISBN 3-540-41728-1 CR Subject Classification (1998): E.3, F.2.1, E.4, G.4 ISSN 0302-9743 ISBN 3-540-41728-1 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
    [Show full text]