PROOFS 2019:Papers with Abstracts

Abstract. Cache timing attacks are serious security threats that exploit cache memories to steal secret information.
We believe that the identification of a sequence of operations from a set of cache-timing data measurements is not a trivial step when building an attack. We present a recurrent neural network model able to automatically retrieve a sequence of function calls from cache-timings. Inspired from natural language processing, our model is able to learn on partially labelled data. We use the model to unfold an end-to-end automated attack on OpenSSL ECDSA on the secp256k1 curve. Contrary to most research, we did not need human processing of the traces to retrieve relevant information.
Abstract. Side-channel analysis and fault injection attacks are two typical threats to cryptographic implementations, especially in modern embedded devices. Thus there is an insistent demand for dual side-channel and fault injection protections. As it is known, masking scheme is a kind of provable countermeasures against side-channel attacks. Recently, inner product masking (IPM) was proposed as a promising higher-order masking scheme against side-channel analysis, but not for fault injection attacks. In this paper, we devise a new masking scheme named IPM-FD. It is built on IPM, which enables fault detection. This novel masking scheme has three properties: the security orders in the word-level probing model, bit-level probing model, and the number of detected faults. IPM-FD is proven secure both in the word-level and in the bit-level probing models, and allows for end-to-end fault detection against fault injection attacks.

Furthermore, we illustrate its security order by linking it to one defining parameters of linear code, and show its implementation cost by applying IPM-FD to AES-128.
Abstract. The era of PUFs has been characterized by the efforts put into research and the devel- opment of PUFs that are resilient against attacks, in particular, machine learning (ML) attacks. Due to the lack of systematic and provable methods for this purpose, we have witnessed the ever-continuing competition between PUF designers/ manufacturers, crypt- analysts, and of course, adversaries that maliciously break the security of PUFs. This is despite a series of acknowledged principles developed in cryptography and complexity theory, under the umbrella term “hardness amplification”. This paper aims at narrowing the gap between these studies and hardware security, specifically for applications in the domain of PUFs. To this end, this paper provides an example of somewhat hard PUFs and demonstrates how to build a strongly secure construction out of these considerably weaker primitives. Our theoretical findings are discussed in an exhaustive manner and supported by the silicon results captured from real-world PUFs.
Abstract. Cryptographic hardware primitives must be protected against fault-injection attacks. Security-oriented error-detecting codes provide (probabilistic) guarantees for detection of maliciously injected faults even under assumption of a sophisticated attacker with access to powerful equipment.
In this paper, we revisit the earlier finding that error-detection infrastructure may increase the undesired information leakage. We formalize the information leakage from the checker response by means of mutual information. We apply our analysis to the best security-oriented robust codes known today. We prove that the probability of an undetected attack is exponentially smaller than the entropy loss due to information leak from the checker. This means that an attack will be detected far before the attacker will gain significant information. Given a bound for acceptable information leakage (e.g., 0.5 bits of a 128-bit secret key), our analysis allows the designer to easily choose the number of redundant bits required to stay below that bound. The obtained results extend our knowledge about the relationship between detection capabilities of codes and information leakage due to them.
Abstract. This paper presents a method for constructing an operation sequence of sliding window exponentiation from the noisy cache information of RSA, which can be used for a cache attack using sliding window's leak (SWL). SWL, which was reported in CHES 2017, is a kind of cache side-channel leak of a sequence of operations (i.e., multiplication and squaring) from software RSA decryption using the sliding window method for modular exponentiation. It was shown that an SWL attack can retrieve the secret keys of 1,024-bit and 2,048-bit RSA with non-negligible probability if the SWL is correctly captured. How- ever, in practice, it is not always possible for an attacker to acquire a complete and correct operation sequence from cache information observation. In addition, no concrete method for deriving a fully correct operation sequence from a partially acquired operation sequence as been reported in literature. In this paper, we first show that the capture errors in an operation sequence can be evaluated based on the Levenshtein distance between correct and estimated sequences. The dynamic time warping (DTW) algorithm is employed for quantitative evaluation. Then, we present a method of accurately estimating a complete and correct operation sequence from noisy sequences obtained through multiple observations. The basic idea of the proposed method and DTW-based evaluation is to divide the acquired operation sequence into short subsequences referred to as "operation patterns." Furthermore, we show the effectiveness of the proposed method through a set of experiments performed using RSA software in Libgcrypt, which is one of the most common open source software in cryptography.