
2022 | Book

Smart Card Research and Advanced Applications

20th International Conference, CARDIS 2021, Lübeck, Germany, November 11–12, 2021, Revised Selected Papers


About this book

This book constitutes the proceedings of the 20th International Conference on Smart Card Research and Advanced Applications, CARDIS 2021, which took place in November 2021. The conference took place in Lübeck, Germany, and changed to a hybrid format due to the COVID-19 pandemic.

The 16 full papers presented in this volume were carefully reviewed and selected from 32 submissions. They were organized in topical sections named Side-Channel Attacks, Fault Attacks, Public Key and Secure Implementations.

Table of Contents

Frontmatter

Side-Channel Attacks

Single-Trace Fragment Template Attack on a 32-Bit Implementation of Keccak
Abstract
Template attacks model side-channel leakage information using Gaussian multivariate distributions. They have been quite successful in directly reconstructing individual bits of 8-bit parallel buses and registers from power traces. However, extending their use directly to larger word sizes, such as 32-bit buses, becomes impractical. Here we show that it is possible to use an LDA-based stochastic model to independently build templates for just byte fragments of such a word, to predict the exact values of its four member bytes, instead of only overall Hamming weights. We demonstrate this technique to reconstruct the arbitrary-length inputs of SHA3-512 and some other Keccak sponge functions implemented on a 32-bit Cortex-M4 device. The quality of these templates was high enough such that remaining errors in their predictions could be eliminated via belief propagation on a factor-graph network (SASCA). In our experiments, we already reliably recovered SHA3-512 inputs up to 719 bytes long (10 invocations of the permutation), and reconstructing even longer inputs should be just a matter of making longer recordings.
Shih-Chun You, Markus G. Kuhn
Trace-to-Trace Translation for SCA
Abstract
Neural Networks (NN) have been built to solve universal function approximation problems. Some architectures, such as Convolutional Neural Networks (CNN), are dedicated to classification in the context of image distortion. They have naturally been considered in the community to perform side-channel attacks, showing good results on traces exposing time misalignment. However, even where these timing distortions are not present, NN have produced better results than legacy attacks.
Recently, in TCHES 2020, auto-encoders have been used as preprocessing for noise reduction. The main idea is to train an auto-encoder using noisy traces and less noisy traces as inputs, so that the auto-encoder is able to remove part of the noise in the attack dataset.
We propose to extend this idea of using NN for pre-processing by not only considering noise reduction but also translating data between two side-channel domains. In a nutshell, clean (or less noisy) traces may not be available to an attacker, but similar traces that are easier to attack may be obtainable. Availability of such traces can be leveraged to learn how to translate difficult traces to easy ones to increase attackability.
Christophe Genevey-Metat, Annelie Heuser, Benoît Gérard
Profiled Side-Channel Analysis in the Efficient Attacker Framework
Abstract
Profiled side-channel attacks represent the most powerful category of side-channel attacks. There, the attacker has access to a clone device to profile its leaking behavior. Additionally, it is common to consider the attacker unbounded in power to allow the worst-case security analysis. This paper starts with a different premise where we are interested in the minimum power that the attacker requires to conduct a successful attack. We propose a new framework for profiled side-channel analysis that we call the Efficient Attacker Framework. With it, we require attacks to be as powerful as possible, but we also provide a setting that inherently allows a more objective analysis among attacks. To confirm our theoretical results, we provide an experimental evaluation of our framework in the context of deep learning-based side-channel analysis.
Stjepan Picek, Annelie Heuser, Guilherme Perin, Sylvain Guilley
Towards a Better Understanding of Side-Channel Analysis Measurements Setups
Abstract
The evaluation of side-channel measurement setups and the impact they can have on physical security evaluations is a surprisingly under-discussed topic. In this paper, we initiate a comprehensive study of such setups for embedded software and hardware (FPGA) implementations. We systematically investigate a design space including the choice of the probing method, the clock frequency of the device under test, its supply voltage and the sampling rate of the adversary’s oscilloscope. Our results quantify the impact (i.e., the risk of security over-estimations) that suboptimal setups can cause and lead to easy-to-use guidelines for security evaluators. Although some of our conclusions are device-dependent, we argue that the proposed methodology and some of the proposed guidelines are of general interest and could be applied to other setups.
Davide Bellizia, Balazs Udvarhelyi, François-Xavier Standaert
A Tale of Two Boards: On the Influence of Microarchitecture on Side-Channel Leakage
Abstract
Advances in cryptography have enabled the features of confidentiality, security, and integrity on small embedded devices such as IoT devices. While mathematically strong, the platform on which an algorithm is implemented plays a significant role in the security of the final product. Side-channel attacks exploit the variations in the system’s physical characteristics to obtain information about the sensitive data. In our scenario, a software implementation of a cryptographic algorithm is flashed on devices from different manufacturers with the same instruction set, configured for identical execution. To analyze the influence of the microarchitecture on side-channel leakage, we acquire thirty-two sets of power traces from four physical devices. While we notice minor differences in the leakage behavior for different physical boards from the same manufacturer, our results confirm that different microarchitecture implementations of the same core will leak different side-channel information. We also show that TVLA leakage prediction should be treated with caution, as it is sensitive to both false positives and negatives.
Vipul Arora, Ileana Buhan, Guilherme Perin, Stjepan Picek
Complete Practical Side-Channel-Assisted Reverse Engineering of AES-Like Ciphers
Abstract
Public knowledge about the structure of a cryptographic system is a standard assumption in the literature and algorithms are expected to guarantee security in a setting where only the encryption key is kept secret. Nevertheless, undisclosed proprietary cryptographic algorithms still find widespread use in applications both in the civil and military domains. Even though side-channel-based reverse engineering attacks that recover the hidden components of custom cryptosystems have been demonstrated for a wide range of constructions, the complete and practical reverse engineering of AES-128-like ciphers remains unattempted.
In this work, we close this gap and propose the first practical reverse engineering of AES-128-like custom ciphers, i.e., algorithms that deploy undisclosed SubBytes, ShiftRows and MixColumns functions. By performing a side-channel-assisted differential power analysis, we show that the number of traces required to fully recover the undisclosed components is relatively small; hence the possibility of a side-channel attack remains a practical threat. The results apply to both 8-bit and 32-bit architectures and were validated on two common microcontroller platforms.
Andrea Caforio, Fatih Balli, Subhadeep Banik

Fault Attacks

Fast Calibration of Fault Injection Equipment with Hyperparameter Optimization Techniques
Abstract
Although fault injection is a powerful technique to exploit implementation weaknesses, it is not without limitations. An important preliminary step, based on rigorous calibration of the fault injection equipment, greatly affects the exploitability and repeatability of injected faults. The equipment parameter space is usually explored with random search, grid search, and more recently with the help of metaheuristic algorithms. In this article, we apply, for the first time, two recent hyperparameter optimization techniques to fault injection. We evaluate these optimization techniques on three different 32-bit microcontrollers, and find better glitch waveforms than with metaheuristic algorithms. In addition, we propose a two-stage optimization strategy under black-box conditions to reduce the dimensionality of the parameter space and speed up the equipment calibration. Finally, we apply this approach to bypass the code read protection of a built-in bootloader faster than with genetic algorithms.
Vincent Werner, Laurent Maingault, Marie-Laure Potet
Laboratory X-rays Operando Single Bit Attacks on Flash Memory Cells
Abstract
The need to increase the level of digital security standards requires a sustained research effort on new means of perturbation likely to disturb the processing of integrated circuits. X-ray modification is a powerful semi-permanent fault injection technique with a high spatial accuracy, which allows an adversary to efficiently modify secret data in an electronic device. Experimental results demonstrate that several semi-permanent bit erase faults can be injected in code and data by corrupting flash memory, even with an X-ray spot from a laboratory X-ray source of less than 10 µm in diameter. This is the order of magnitude of 15 memory cells with a process node of 350 nm in the presented experiments. The article also presents the specificity of performing an X-ray attack without the need of a synchrotron-focused beam, as presented at CHES 2017 [1].
Laurent Maingault, Stéphanie Anceau, Manuel Sulmont, Luc Salvo, Jessy Clediere, Pierre Lhuissier, Emrick Beliard, Jean Luc Rainard
Multi-Spot Laser Fault Injection Setup: New Possibilities for Fault Injection Attacks
Abstract
Fault injection attacks rely on experimental techniques to inject one or several faults into a device during operation. Among these techniques, laser fault injection is known as a powerful one, thanks to its unmatched spatial and temporal precision. So far though, the overwhelming majority of published laser fault injection attacks were performed with only one laser spot. In this article, we present a new multi-spot laser fault injection setup. After a description of the optical system, we highlight its new capabilities against the limitations of existing single-spot laser fault injection setups. We then discuss some intrinsic limitations that this setup has, making it not equivalent to running multiple single-spot setups simultaneously on the same target. We then provide experimental evidence of faults performed with two and four spots which are unfeasible with a single-spot laser fault injection setup. This paves the way for new fault attacks on security and cryptography algorithms that exploit this new type of fault.
Brice Colombier, Paul Grandamme, Julien Vernay, Émilie Chanavat, Lilian Bossuet, Lucie de Laulanié, Bruno Chassagne

Public-Key Cryptography

In-depth Analysis of Side-Channel Countermeasures for CRYSTALS-Kyber Message Encoding on ARM Cortex-M4
Abstract
A variety of post-quantum cryptographic schemes are currently undergoing standardization in the National Institute of Standards and Technology’s post-quantum cryptography standardization process. It is well known from classical cryptography that actual implementations of cryptographic schemes can be attacked by exploiting side-channels, e.g. timing behavior, power consumption or emanation in the electromagnetic field. Although several of the reference implementations currently in the third and final standardization round are – to some extent – implemented in a timing-constant fashion, resistance against other side-channels is not taken into account yet.
Implementing sufficient countermeasures, however, is challenging. We therefore exemplarily examine CRYSTALS-Kyber, which is a lattice-based key encapsulation mechanism currently considered as a candidate for standardization. By analyzing the power consumption side-channel during message encoding, we develop four more implementations and compare six different implementations with an increasing degree of countermeasures. We show that introducing randomization countermeasures is crucial, as all examined implementations that aim at reducing the leakage only by minimizing the Hamming distance of the processed intermediate values are vulnerable to single-trace attacks when implemented on an ARM Cortex-M4.
Hauke Malte Steffen, Lucie Johanna Kogelheide, Timo Bartkewitz
Hardware Implementations of Pairings at Updated Security Levels
Abstract
Pairings are cornerstones of several interesting cryptographic protocols, including the Non-interactive ARgument of Knowledge currently used in the Zcash cryptocurrency. The Kim and Barbulescu Number Field Sieve attack has weakened pairing-friendly curves. Most impacted are the famous BN curves, which now require an increase of the parameters to provide equivalent security. Recent cost estimations of pairings have recommended switching to other curves, but their selection is no longer clearly straightforward. This paper aims at providing the first hardware-based pairing implementations on the best curve candidates at both 128-bit and 192-bit security levels. The proposed architecture intends to fit both lightweight FPGA and ASIC purposes, and the design is prototyped on a Kintex-7 FPGA device. It computes a pairing within 42.7 ms for 128 bits of security and 184.2 ms for 192 bits.
Arthur Lavice, Nadia El Mrabet, Alexandre Berzati, Jean-Baptiste Rigaud, Julien Proy
A Hard Crystal - Implementing Dilithium on Reconfigurable Hardware
Abstract
CRYSTALS-Dilithium as a lattice-based digital signature scheme has been selected as a finalist in the Post-Quantum Cryptography (PQC) standardization process of NIST. As part of this selection, a variety of software implementations have been evaluated regarding their performance and memory requirements for platforms like x86 or ARM Cortex-M4. In this work, we present a first set of Field-Programmable Gate Array (FPGA) implementations for the low-end Xilinx Artix-7 platform, evaluating the peculiarities of the scheme in hardware, reflecting all available round-3 parameter sets. As a key component in our analysis, we present results for a specifically adapted Number-Theoretic Transform (NTT) core for the Dilithium cryptosystem, optimizing this component for an optimal Look-Up Table (LUT) and Flip-Flop (FF) utilization by efficient use of special purpose Digital Signal Processors (DSPs). Presenting our results, we aim to shed further light on the performance of lattice-based cryptography in low-cost and high-throughput configurations and their respective potential use-cases in practice.
Georg Land, Pascal Sasdrich, Tim Güneysu

Secure Implementations

Under the Dome: Preventing Hardware Timing Information Leakage
Abstract
Numerous timing side-channel attacks have been proposed in recent years, showing that all shared states inside the microarchitecture are potential threats. Previous works have dealt with this problem by considering those “shared states” separately and not by looking at the system as a whole.
In this paper, instead of reconsidering the problematic shared resources one by one, we lay out generic guidelines to design complete cores immune to microarchitectural timing information leakage. Two implementations are described using the RISC-V ISA with a simple extension. The cores are evaluated with respect to performance, area and security, with a new open-source benchmark assessing timing leakages.
We show that with this “generic” approach, designing secure cores even with complex features such as simultaneous multithreading is possible. We discuss the trade-offs that need to be made in that respect regarding the microarchitecture design.
Mathieu Escouteloup, Ronan Lashermes, Jacques Fournier, Jean-Louis Lanet
Enhanced Encodings for White-Box Designs
Abstract
Designing a robust white-box implementation against state-of-the-art algebraic and differential computational analysis attacks is a challenging problem. The study of white-box security was revamped by recent advances involving grey box attacks. Since then, many authors have struggled to protect implementations against such new attacks. New designs as well as new security notions appeared, and white-box research in general seems to have greatly benefited from such advances. The current research aims at finding the best encodings and masking schemes to resist tracing attacks. In this perspective we suggest a new encoding scheme that can be applied to white-box designs. By using a modified version of the Benaloh cryptosystem, our design introduces semi-homomorphic properties to the encoding. To the best of our knowledge, this is the first time such properties are applied to an encoding design. This allows reducing the memory requirements and providing a better resistance against tracing attacks. Our encoding is versatile and can be adapted to different ciphers, and in most cases it provides performance improvements with respect to the state-of-the-art.
Alberto Battistello, Laurent Castelnovi, Thomas Chabrier
PhiAttack: Rewriting the Java Card Class Hierarchy
Abstract
Compiling Java Card applets is based on the assumption that the export files used to translate Java class items to Java Card CAP tokens are legitimate. Bouffard et al. [2] reversed the translation mechanism. Based on a malicious Application Programming Interface (API) embedded in a target, they succeeded in mounting a man-in-the-middle attack through which cryptographic keys can leak.
In this article, we disclose that, on a pool of legitimate export files, Java Card Virtual Machine (JCVM) implementations can be confused by a CAP file verified by the Java Card Bytecode Verifier (BCV). The disclosed vulnerability leads to Java Card class hierarchy rewriting. The introduced vulnerability is exploitable up to Java Card 3.0.5. Recently, Java Card 3.1.0 provides a new export file format which prevents this vulnerability.
Jean Dubreuil, Guillaume Bouffard
FuzzyKey: Comparing Fuzzy Cryptographic Primitives on Resource-Constrained Devices
Abstract
Implantable medical devices, sensors and wearables are widely deployed today. However, establishing a secure wireless communication channel to these devices is a major challenge, amongst others due to the constraints on energy consumption and the need to obtain immediate access in emergencies. To address this issue, researchers have proposed various key agreement protocols based on the measurement of physiological signals such as a person’s heart signal. At the core of such protocols are fuzzy cryptographic primitives that allow the parties to agree on a shared secret based on several simultaneous, noisy measurements of the same signal. So far, although many fuzzy primitives have been proposed, there is no comprehensive evaluation and comparison yet of the overhead that such methods incur on resource-constrained embedded devices. In this paper, we study the feasibility of six types of fuzzy cryptographic primitives on embedded devices for 128-bit key agreement. We configure several variants for each fuzzy primitive under different parameter selections and mismatch rates of the physiological signal measurements on an MSP430 microcontroller, and then measure and compare their energy consumption and communication overhead. The most efficient constructions consume between 0.021 mJ and 0.198 mJ for the transmitter and between 0.029 mJ and 0.380 mJ for the receiver under different mismatch rates. Subsequently, we modify the best performing methods so that they run in constant time to protect against timing side-channel attacks, and observe that these changes only minimally affect resource consumption. Finally, we provide open-source implementations and energy consumption data of each fuzzy primitive as a reference for real-world designs.
Mo Zhang, Eduard Marin, David Oswald, Dave Singelée
Backmatter
Metadata

Title: Smart Card Research and Advanced Applications
Editors: Vincent Grosso, Thomas Pöppelmann
Copyright Year: 2022
Electronic ISBN: 978-3-030-97348-3
Print ISBN: 978-3-030-97347-6
DOI: https://doi.org/10.1007/978-3-030-97348-3
