
## About this book

This book constitutes the refereed proceedings of the 8th International Conference on Security, Privacy, and Applied Cryptography Engineering, SPACE 2018, held in Kanpur, India, in December 2018.
The 12 full papers presented together with 5 short papers were carefully reviewed and selected from 34 submissions. This annual event is devoted to various aspects of security, privacy, applied cryptography, and cryptographic engineering. This is a very challenging field, requiring expertise from diverse domains ranging from mathematics to solid-state circuit design.

## Table of contents

### An Observation of Non-randomness in the Grain Family of Stream Ciphers with Reduced Initialization Round

The key scheduling algorithm (KSA) of the Grain family of stream ciphers expands the uniformly chosen key (K) and initialization vector (IV) to a larger uniform-looking state. The existence of non-randomness in the KSA results in non-randomness in the final keystream. In this paper, we observe a non-randomness in the KSA of the Grain-v1 and Grain-128a stream ciphers with a reduced number of rounds R. However, we could not exploit the non-randomness into an attack. It can be claimed that if the KSA generates a pseudorandom state, then the probability of generating a valid state T (i.e., one in the range set of the KSA function) of Grain-v1 or Grain-128a must be $2^{-\delta}$, where $\delta$ is the length of the padding bits. In the case of Grain-v1 and Grain-128a, $\delta = 16, 32$ respectively. We show that a new valid state can be constructed by flipping 3 and 19 bits of a given state in Grain-v1 and Grain-128a respectively with a probability higher than $2^{-\delta}$. We show that the non-randomness occurs for $R \le 129$ and $R \le 208$ rounds of the KSA of Grain-v1 and Grain-128a respectively. Further, in the case of Grain-v1, we also found non-randomness in some key and IV bits experimentally.
Deepak Kumar Dalai, Dibyendu Roy

### Template-Based Fault Injection Analysis of Block Ciphers

We present the first template-based fault injection analysis of FPGA-based block cipher implementations. While template attacks have been a popular form of side-channel analysis in the cryptographic literature, the use of templates in the context of fault attacks has not yet been explored to the best of our knowledge. Our approach involves two phases. The first phase is a profiling phase where we build templates of the fault behavior of a cryptographic device for different secret key segments under different fault injection intensities. This is followed by a matching phase where we match the observed fault behavior of an identical but black-box device with the pre-built templates to retrieve the secret key. We present a generic treatment of our template-based fault attack approach for SPN block ciphers, and illustrate the same with case studies on a Xilinx Spartan-6 FPGA-based implementation of AES-128.
Ashrujit Ghoshal, Sikhar Patranabis, Debdeep Mukhopadhyay

### NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7

We present a highly optimized implementation of the Supersingular Isogeny Key Encapsulation (SIKE) mechanism on the ARMv7 family of processors. We exploit state-of-the-art implementation techniques and processor capabilities to efficiently develop a post-quantum key encapsulation scheme on 32-bit ARMv7 Cortex-A processors. We benchmark our results on two popular ARMv7-powered cores. Our benchmark results show a significant performance improvement of the key encapsulation mechanism in comparison with the portable implementation. In particular, we achieve almost 7.5 times performance improvement of the entire protocol over the SIKE 503-bit prime field on a Cortex-A8 core.
Amir Jalali, Reza Azarderakhsh, Mehran Mozaffari Kermani

### A Machine Vision Attack Model on Image Based CAPTCHAs Challenge: Large Scale Evaluation

Over the past decade, several public web services have attempted to prevent automated scripts and exploitation by bots by requiring a user to solve a Turing-test challenge (commonly known as a CAPTCHA) before using the service. A CAPTCHA is a cryptographic protocol whose underlying hardness assumption is based on an artificial intelligence problem. CAPTCHA challenges rely on the problem of distinguishing images of living or non-living objects (a task that is easy for humans). User studies show that it can be solved by humans 99.7% of the time in under 30 s, while this task is difficult for machines. The security of image-based CAPTCHA challenges is based on the presumed difficulty of classifying CAPTCHA database images automatically.
In this paper, we propose a classification model which is 95.2% accurate in telling apart the images used in the CAPTCHA database. Our method utilizes layered feature optimal tuning with an improved VGG16 architecture of Convolutional Neural Networks. Experimental simulation is performed using the Caffe deep learning framework. Finally, we compare our experimental results with significant state-of-the-art approaches in this domain.
Ajeet Singh, Vikas Tiwari, Appala Naidu Tentu

### Addressing Side-Channel Vulnerabilities in the Discrete Ziggurat Sampler

Post-quantum cryptography with lattices typically requires high precision sampling of vectors with discrete Gaussian distributions. Lattice signatures require large values of the standard deviation parameter, which poses difficult problems in finding a suitable trade-off between throughput performance and memory resources on constrained devices. In this paper, we propose modifications to the Ziggurat method, known to be advantageous with respect to these issues, but problematic due to its inherent rejection-based timing profile. We improve upon information leakage through timing channels significantly and require: only 64-bit unsigned integers, no floating-point arithmetic, no division and no external libraries. Also proposed is a constant-time Gaussian function, possessing all aforementioned advantageous properties. The measures taken to secure the sampler completely close side-channel vulnerabilities through direct timing of operations and these have no negative implications on its applicability to lattice-based signatures. We demonstrate the improved method with a 128-bit reference implementation, showing that we retain the sampler’s efficiency and decrease memory consumption by a factor of 100. We show that this amounts to memory savings by a factor of almost 5,000, in comparison to an optimised, state-of-the-art implementation of another popular sampling method, based on cumulative distribution tables.
Séamus Brannigan, Máire O’Neill, Ayesha Khalid, Ciara Rafferty

### Secure Realization of Lightweight Block Cipher: A Case Study Using GIFT

Lightweight block ciphers are predominantly useful in resource-constrained Internet-of-Things (IoT) applications. The security of ciphers is often overthrown by various types of attacks, especially side-channel attacks. These attacks make it necessary to come up with efficient countermeasure techniques that can revert the effect caused by these attacks. The PRESENT-inspired block cipher GIFT is taken for analysis and development of countermeasures. In this paper, we first implement the GIFT algorithm in (un)rolled fashion for vulnerability analysis. The cipher key is then revealed successfully using correlation power analysis. We propose various protected implementation profiles using Threshold Implementation (TI) and realization techniques carried out on the GIFT algorithm. We believe the case study widens the choice of level of security with trade-off factors for secure realization of the cipher based on application requirements.
Varsha Satheesh, Dillibabu Shanmugam

### Exploiting Security Vulnerabilities in Intermittent Computing

Energy harvesters have enabled widespread utilization of ultra-low-power devices that operate solely on the energy harvested from the environment. Due to the unpredictable nature of harvested energy, these devices experience frequent power outages. They resume execution after a power loss by utilizing intermittent computing techniques and non-volatile memory. In embedded devices, intermittent computing refers to a class of computing that stores a snapshot of the system and application state, as a checkpoint, in non-volatile memory, which is used to restore the system and application state in case of power loss. Although non-volatile memory provides tolerance against power failures, it introduces new vulnerabilities to the data stored in it. Sensitive data stored in a checkpoint is available to an attacker after a power loss, and state-of-the-art intermittent computing techniques fail to consider the security of checkpoints. In this paper, we utilize the vulnerabilities introduced by intermittent computing techniques to enable various implementation attacks. For this study, we focus on TI’s Compute Through Power Loss utility as an example of a state-of-the-art intermittent computing solution. First, we analyze the security, or lack thereof, of checkpoints in the latest intermittent computing techniques. Then, we attack the checkpoints and locate sensitive data in non-volatile memory. Finally, we attack AES using this information to extract the secret key. To the best of our knowledge, this work presents the first systematic analysis of the seriousness of the security threats present in the field of intermittent computing.
Archanaa S. Krishnan, Patrick Schaumont

### EdSIDH: Supersingular Isogeny Diffie-Hellman Key Exchange on Edwards Curves

Problems relating to the computation of isogenies between elliptic curves defined over finite fields have been studied for a long time. Isogenies on supersingular elliptic curves are a candidate for quantum-safe key exchange protocols because the best known classical and quantum algorithms for solving well-formed instances of the isogeny problem are exponential. We propose an implementation of supersingular isogeny Diffie-Hellman (SIDH) key exchange for complete Edwards curves. Our work is motivated by the use of Edwards curves to speed up many cryptographic protocols and improve security. Our work does not actually provide a faster implementation of SIDH, but the use of complete Edwards curves and their complete addition formulae provides security benefits against side-channel attacks. We provide run time complexity analysis and operation counts for the proposed key exchange based on Edwards curves along with comparisons to the Montgomery form.
Reza Azarderakhsh, Elena Bakos Lang, David Jao, Brian Koziel

### Correlation Power Analysis on KASUMI: Attack and Countermeasure

The KASUMI block cipher imparts confidentiality and integrity to 3G mobile communication systems. In this paper we present a power analysis attack on KASUMI as a two-pronged attack: first the FL function is targeted, and subsequently the recovered output of the FL function is used to mount an attack on the $7\times 7$ and $9\times 9$ S-boxes embedded in the FO function of the cipher. Our attack recovers all 128 bits of the secret key of KASUMI. Further, we present a countermeasure for this attack which requires a smaller resource footprint compared to existing countermeasures, rendering such implementations practically feasible for resource-constrained applications such as IoT and RFID devices.
Devansh Gupta, Somanath Tripathy, Bodhisatwa Mazumdar

### On the Performance of Convolutional Neural Networks for Side-Channel Analysis

In this work, we ask whether Convolutional Neural Networks are more suitable for side-channel attacks than other machine learning techniques and, if so, in what situations. Our results indicate that Convolutional Neural Networks indeed outperform other machine learning techniques in several scenarios when considering accuracy. Still, often there is no compelling reason to use such a complex technique. In fact, when comparing techniques without extra steps like preprocessing, we see an obvious advantage for Convolutional Neural Networks when the level of noise is small and the number of measurements and features is high. The other tested settings show that simpler machine learning techniques, at a significantly lower computational cost, perform similarly or sometimes even better. The experiments with guessing entropy indicate that methods like Random Forest or XGBoost could perform better than Convolutional Neural Networks for the datasets we investigated.
Stjepan Picek, Ioannis Petros Samiotis, Jaehun Kim, Annelie Heuser, Shivam Bhasin, Axel Legay

### Differential Fault Attack on SKINNY Block Cipher

SKINNY is a family of tweakable lightweight block ciphers proposed at CRYPTO 2016. The SKINNY proposal describes two block size variants of 64 and 128 bits as well as three options for the tweakey. In this paper, we present differential fault analysis (DFA) of four SKINNY variants: SKINNY 64-64, SKINNY 128-128, SKINNY 64-128 and SKINNY 128-256. The attack model of tweakable block ciphers allows the attacker access to and full control of the tweak. Respecting this attack model, we assume a fixed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 nibble fault injections on average for the 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte fault injections. The attacks were validated through extensive simulation. To the best of the authors’ knowledge, this is the first DFA attack on the SKINNY tweakable block cipher family and, in fact, on any practical realization of tweakable block ciphers.
Navid Vafaei, Nasour Bagheri, Sayandeep Saha, Debdeep Mukhopadhyay

### d-MUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves

This paper aims to answer whether d-MUL, the multidimensional scalar point multiplication algorithm, can be implemented efficiently. d-MUL is known to require costly matrix operations and frequent memory accesses. In the first part of the paper, we derive several theoretical results on the structure and the construction of the addition chains in d-MUL. These results are interesting in their own right. In the second part of the paper, we exploit our theoretical results and propose an optimized variant of d-MUL. Our implementation results show that d-MUL can be very practical for small d, and it remains an interesting algorithm to explore further for parallel implementation and cryptographic applications.
Huseyin Hisil, Aaron Hutchinson, Koray Karabina

### Backmatter
