SPACE 2016

Keynote Talks

Implementing Complete Formulas on Weierstrass Curves in Hardware (Abstract)
Lejla Batina, Radboud University, Netherlands
Secure Hardware and Hardware-Enabled Security (Abstract)
Swarup Bhunia, University of Florida, USA
Practical Post-Quantum Key Exchange from Supersingular Isogenies (Abstract)
Craig Costello, Microsoft Research, USA
On non-uniformity in threshold schemes (Spectral characterization of iterating lossy mappings) (Abstract)
Joan Daemen, Radboud University, Netherlands
Enabling Secure Web Payments with GNU Taler (Abstract)
Christian Grothoff, INRIA Rennes Bretagne Atlantique, France
Breaking Cryptographic Implementations Using Deep Learning Techniques (Abstract)
Emmanuel Prouff, Safran Identity & Security, France
Towards Fair and Efficient Evaluations of Leaking Cryptographic Devices (Abstract)
Francois-Xavier Standaert, Université Catholique de Louvain, Belgium
Ring-LWE: Applications to Cryptography and their Hardware Implementation (Abstract)
Ingrid Verbauwhede, K.U.Leuven, Belgium

Abstracts

Implementing Complete Formulas on Weierstrass Curves in Hardware
Lejla Batina, Radboud University, Netherlands
Abstract: This work revisits the recent complete addition formulas for prime order elliptic curves of Renes, Costello and Batina in light of parallelization. We introduce the first hardware implementation of the new formulas on an FPGA based on three arithmetic units performing Montgomery multiplication. Our results are competitive with current literature and show the potential of the new complete formulas in hardware design. Furthermore, we present algorithms to compute the formulas using anywhere between two and six processors, using the minimum number of field multiplications.
Secure Hardware and Hardware-Enabled Security
Swarup Bhunia, University of Florida, USA
Abstract: Security has emerged as a critical design parameter for modern electronic hardware that builds the foundation for exciting new applications from smart wearables to smart cities. However, recent discoveries and reports on numerous attacks on microchips violate the well-regarded concept of hardware trust anchors. It has prompted system designers to develop wide array of design-for-security and test/validation solutions to achieve high security assurance. At the same time, emerging security issues and countermeasures have led to interesting interplay between security, energy, reliability, and test. Hardware faults and parametric variations, on one hand, have created new barriers to establishing hardware integrity in ever-complex semiconductor supply chain. On the other hand, reliability issues -- in particular, those induced by process variations and aging effects, create new opportunities in designing powerful security primitives to protect against supply chain security issues as well as to enable better functional security solutions. This talk will highlight the interaction of hardware security issues and protection mechanisms with hardware faults and reliability issues. It will present new frontiers in hardware security with the rapidly diversifying application space and their symbiosis as well as conflicts with test. The talk will also cover promising role of hardware in security of various consumables, including food, supplements, and medicine.
Practical Post-Quantum Key Exchange from Supersingular Isogenies
Craig Costello, Microsoft Research, USA
Abstract: Academic groups, corporate bodies, and government agencies from all over the world are hastily examining a range of cryptographic primitives that are believed to remain secure in the presence of a large-scale quantum computer. Indeed, all of the currently standardized public-key cryptography will offer little or no security if such a computer is realized. In their Februrary 2016 report on post-quantum cryptography, NIST stated that It seems improbable that any of the currently known algorithms can serve as a drop-in replacement for what is in use today, citing one challenge as being that quantum resistant algorithms have larger key sizes than the algorithms they will replace. While this statement is certainly applicable to many of the lattice- and code-based schemes, Jao and De Feo's 2011 supersingular isogeny Diffie-Hellman (SIDH) proposal is one post-quantum candidate that could serve as a drop-in replacement to existing internet protocols. Not only are high-security SIDH public keys smaller than their lattice- and code-based counterparts, they are even smaller than some of the traditional (i.e., finite field) Diffie-Hellman public keys. Moreover, in contrast to the proposed lattice- and code-based schemes (which are all either KEMs or encryption protocols), SIDH affords the option of restoring the elegant symmetry of the original Diffie-Hellman protocol.
This talk will give a detailed overview of isogeny-based key exchange, and will present a full-fledged software implementation of SIDH that is designed to provide $128$ bits of security against a quantum adversary. We will conclude by pointing out some important open problems and interesting research directions in the realm of isogeny-based cryptography.
On non-uniformity in threshold schemes (Spectral characterization of iterating lossy mappings)
Joan Daemen, Radboud University, Netherlands
Abstract: In this paper we study what happens to sets when we iteratively apply lossy (round) mappings to them. We describe the information loss as imbalances of parities of intermediate distributions and show that their evolution is governed by the correlation matrices of the mappings. At the macroscopic level we show that iterating lossy mappings results in an increase of a quantity we call total imbalance. We quantify the increase in total imbalance as a function of the number of iterations and of round mapping characteristics. At the microscopic level we show that the imbalance of a parity located in some round, dubbed final, is the sum of distinct terms. Each of these terms consists of the imbalance of a parity located at the output of a round, multiplied by the sum of the correlation contributions of all linear trails between that parity and the final parity. We illustrate our theory with experimental data. The developed theory can be applied whenever lossy mappings are repeatedly applied to a state. This is the case in many modes of block ciphers and permutations for, e.g., iterated hashing or self-synchronizing stream encryption. The main reason why we have developed it however, is for applying it to study the security implications of using non-uniform threshold schemes as countermeasure against differential power and electromagnetic analysis.
Enabling Secure Web Payments with GNU Taler
Christian Grothoff, INRIA Rennes Bretagne Atlantique, France
Abstract: GNU Taler is a new electronic online payment system which provides privacy for customers and accountability for merchants. It uses an exchange service to issue digital coins using blind signatures, and is thus not subject to the performance issues that plague Byzantine fault-tolerant consensus-based solutions.
The focus of this paper is addressing the challenges payment systems face in the context of the Web. We discuss how to address Web-specific challenges, such as handling bookmarks and sharing of links, as well as supporting users that have disabled JavaScript. Web payment systems must also navigate various constraints imposed by modern Web browser security architecture, such as same-origin policies and the separation between browser extensions and Web pages. While our analysis focuses on how Taler operates within the security infrastructure provided by the modern Web, the results partially generalize to other payment systems. We also include the perspective of merchants, as existing systems have often struggled with securing payment information at the merchant's side. Here, challenges include avoiding database transactions for customers that do not actually go through with the purchase, as well as cleanly separating security-critical functions of the payment system from the rest of the Web service.
Breaking Cryptographic Implementations Using Deep Learning Techniques
Emmanuel Prouff, Safran Identity & Security, France
Abstract: Template attack is the most common and powerful profiled side channel attack. It relies on a realistic assumption regarding the noise of the device under attack: the probability density function of the data is a multivariate Gaussian distribution. To relax this assumption, a recent line of research has investigated new profiling approaches mainly by applying machine learning techniques. The obtained results are commensurate, and in some particular cases better, compared to template attack. In this work, we propose to continue this recent line of research by applying more sophisticated profiling techniques based on deep learning. Our experimental results confirm the overwhelming advantages of the resulting new attacks when targeting both unprotected and protected cryptographic implementations.
Towards Fair and Efficient Evaluations of Leaking Cryptographic Devices
Francois-Xavier Standaert, Université Catholique de Louvain, Belgium
Abstract: Side-channel analysis is an important concern for the security of cryptographic implementations, and may lead to powerful key recovery attacks if no countermeasures are deployed. Therefore, various types of protection mechanisms have been proposed over the last 20 years. In view of the cost and performance overheads caused by these protections, their fair evaluation is a primary concern for hardware and software designers. Yet, the physical nature of side-channel analysis also renders the security evaluation of cryptographic implementations very different than the one of cryptographic algorithms against mathematical cryptanalysis. That is, while the latter can be quantified based on (well-defined) time, data and memory complexities, the evaluation of side-channel analysis additionally requires to quantify the informativeness and exploitability of the physical leakages. This implies that a part of these security evaluations is inherently heuristic and dependent on engineering expertise.
Ring-LWE: Applications to Cryptography and their Hardware Implementation
Ingrid Verbauwhede, K.U.Leuven, Belgium
Abstract: In this paper we present an FPGA implementation of a high-speed elliptic curve scalar multiplier for binary finite fields. High compuatation speeds are achieved by boosing the operating clock frequency, while at the same time reducing the number of clock cycles required to do a scalar multiplication. To increase clock frequency, the design uses optimized implementations of the underlying field primitives and a mathematically analyzed pipeline design. To reduce clock cycles, a new scheduling scheme is presented that allows overlapped processing of scalar bits. The resulting scalar multiplier is the fastest implementation for generic curves over bimary finite fields. Additionally, the optimized primitives leads to area requirements that is considerably lesser compared to other high-speed implementations. Detailed implementation results are furnished in order to support the claims.

SPACE 2016 Home