Publications

Abstract: andom number generation is a key function oftoday’s secure devices. Commonly used for key generation,random number streams are more and more frequently usedas the anchor of trust of several countermeasures such asmasking. True Random Number Generators (TRNGs) thusbecome a relevant entry point for attacks that aim at loweringthe security of integrated systems. Within this context, thispaper investigates the robustness of TRNGs based on RingOscillators (focusing on the delay chain TRNG) againstpulsed electromagnetic fault injection. Indeed, weaknesses ingenerating random bits for masking scheme degenerate the SideChannel resistance. Finally by exploiting fault results on delaychain TRNG some general guidelines to harden them are derived.

Abstract: this paper, we evaluate clock signals generated in ring oscillators andself-timed rings and the way their jitter can be transformed into random numbers. Weshow that counting the periods of the jittery clock signal produces random numbersof significantly better quality than the methods in which the jittery signal is simplysampled (the case in almost all current methods). Moreover, we use the counter valuesto characterize and continuously monitor the source of randomness. However, insteadof using the widely used statistical variance, we propose to use Allan variance to doso. There are two main advantages: Allan variance is insensitive to low frequencynoises such as flicker noise that are known to be autocorrelated and significantlyless circuitry is required for its computation than that used to compute commonlyused variance. We also show that it is essential to use a differential principle ofrandomness extraction from the jitter based on the use of two identical oscillatorsto avoid autocorrelations originating from external and internal global jitter sourcesand that this fact is valid for both kinds of rings. Last but not least, we propose amethod of statistical testing based on high order Markov model to show the reduceddependencies when the proposed randomness extraction is applied.

Abstract: Physical unclonable functions in field programmable arrays are always linked to the used hardware. Therefore, it is necessary to have high amount of simple devices for evaluation purposes. One of the suitable platform for such evaluation is HECTOR Evaluation Platform. The following paper describes this platform, compares it with existing solutions, and shows several examples of its using. The proposed platform consists of a motherboard and exchangeable daughter board modules. These are designed to be as simple as possible to allow cheap and independent evaluation across many devices. In comparison to similar existing solutions, proposed platform excels in its simple architecture, which allows remote using of module. The platform is also suitable for evaluation of other cryptographic primitives like true random number generators, encryption systems, and etc. Platform's components are adjusted for side channel attacks measurements. HECTOR evaluation platform was designed and optimized to fulfil the European HECTOR project (H2020) requirements.

Abstract: The continually growing number of security-related autonomous devices requires efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks. Masking provides high SCA resistance at an adjustable level of security. A high level of resistance, however, goes hand in hand with an increasing demand for fresh randomness which drastically increases the implementation costs. Since hardware-based masking schemes have other security requirements than software masking schemes, the research in these two fields has been conducted quite independently over the last 10 years. One important practical difference is that recently published software schemes achieve a lower randomness footprint than hardware masking schemes. In this work we combine existing software and hardware masking schemes into a unified masking algorithm. We demonstrate how to protect software and hardware implementations using the same masking algorithm, and for lower randomness costs than the separate schemes. Especially for hardware implementations, the randomness costs can in some cases be halved over the state of the art. Theoretical considerations as well as practical implementation results are then used for a comparison with existing schemes from different perspectives and at different levels of security.

Abstract: The Rowhammer bug allows unauthorized modification of bits in DRAM cells from unprivileged software, enabling powerful privilege-escalation attacks. Sophisticated Rowhammer countermeasures have been presented, aiming at mitigating the Rowhammer bug or its exploitation. However, the state of the art provides insufficient insight on the completeness of these defenses. In this paper, we present novel Rowhammer attack and exploitation primitives, showing that even a combination of all defenses is ineffective. Our new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug, i.e., we do not hammer multiple DRAM rows but only keep one DRAM row constantly open. Our new exploitation technique, opcode flipping, bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries. We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker-chosen physical locations. Finally, we abuse Intel SGX to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible. Our Rowhammer enclave can be used for coordinated denial-of-service attacks in the cloud and for privilege escalation on personal computers. We demonstrate that our attacks evade all previously proposed countermeasures for commodity systems.

Abstract: Security in random number generation for cryptography is closely related to the entropy rate at the generator output. This rate has to be evaluated using an appropriate stochastic model. The stochastic model proposed in this paper is dedicated to the transition effect ring oscillator (TERO)-based true random number generator (TRNG) proposed by Varchola and Drutarovsky (in: Cryptographic hardware and embedded systems (CHES), 2010, Springer, 2010). The advantage and originality of this model are that it is derived from a physical model based on a detailed study and on the precise electrical description of the noisy physical phenomena that contribute to the generation of random numbers. We compare the proposed electrical description with data generated in two different technologies: TERO TRNG implementations in 40 and 28 nm CMOS ASICs. Our experimental results are in very good agreement with those obtained with both the physical model of TERO’s noisy behavior and the stochastic model of the TERO TRNG, which we also confirmed using the AIS 31 test suites.

Abstract: he objective of this paper is to provide insighton the design, evaluation and testing of modern True RandomNumber Generators (TRNGs) aimed towards certification. Wediscuss aspects related to each of these stages by means of twoillustrative TRNG designs: PLL-TRNG and DC-TRNG. Topicscovered in the paper include: the importance of formal securityevaluations based on a stochastic model of the entropy source, thedevelopment of suitable and lightweight embedded tests to detectfailures, the implementation and testing of TRNGs in dedicatedFPGA platforms, and a robustness assessment to environmentaland/or physical modifications.

Abstract: This paper presents a refined stochastic model of the delay-chain based true random number generator (DC-TRNG) and its application. DC-TRNG is a true random number generator for FPGAs that utilizes time-to-digital conversion (TDC) to accurately determine the position of the ring-oscillator jittery signal edge. Our stochastic model employs precise time characterization of the carry-chains that are used for TDC in the DC-TRNG. In order to determine lower bounds of the estimated min-entropy, the binary probabilities are calculated by applying the stochastic model. Based on these computed probabilities, we perform optimizations of the DC-TRNG parameters on two different FPGAs — Xilinx Spartan 6 and Intel Cyclone IV, in order to achieve the highest possible throughput of the DC-TRNG.

Abstract: In modern cryptographic systems, security is basedon quality and unpredictability of confidential keys. These keysare generated in random number generators using randomphysical phenomena appearing inside the cryptographic systemon chip. The most frequently used source of randomness in digitaldevices is the jitter of clock signals generated inside the devicein ring oscillators, self-timed rings, RC oscillators, phase-lockedloops (PLLs), etc. The quality and unpredictability of generatednumbers depends on the quality and the size of the clock jitter.It is therefore a good practice to monitor this jitter continuouslyusing some embedded jitter measurement method. The measuredjitter parameters can be then used as input parameters of thestochastic model used to estimate entropy, which characterizesunpredictability of generated numbers. In this paper, we presentand compare two methods of embedded jitter assessment basedon the measurement of the variance of counter values, obtainedby counting the periods of the jittery clock during a time intervaldefined by a reference clock generated in the same device. Besidescomparing obvious design results such as area, speed, and powerconsumption, we observe and discuss the impact of the twoembedded variance measurement methods on the clock jitteritself, and compare the behavior of the two clock generatorsused as sources of randomness with and without clock variancemeasurement circuitry, and with and without additional logicsuch as an AES cipher, which perturbs the variance computation,as it is the case in most cryptographic embedded systems. Thiscomparison is very important for a good estimation of the lowentropy bound from the measurement result

Abstract: We cryptanalyze several symmetric encryption and hashing algorithms. Acentral factor in the security of symmetric cryptographic algorithms is theresistance of their core building block, the primitive, against cryptanalyticattacks such as di erential, linear, and algebraic cryptanalysis. The funda-mental idea of di erential cryptanalysis is to extract secret information orforge malicious messages by investigating the behavior of the primitive fortwo related, slightly di erent inputs, and has proven both very powerfuland highly versatile since its inception in the 1990s. Resistance againstsuch attacks is thus one of the cornerstones in the design of block ciphers.More recently, alternative symmetric primitives have risen to generalattention: Permutations and tweakable block ciphers in particular haveshown the potential to rival block ciphers in their role as the ideal primitivefor ecient and elegant schemes. However, the available cryptanalytictools and theory on the design and analysis of these alternative primitivesare arguably less mature than for block ciphers.We investigate the security of these primitives against di erential crypt-analysis. Compared to classic block ciphers, adversaries who target permu-tations or tweakable block ciphers can take advantage of known, chosen,or related round-key material. We nd that in some cases, the designers'block-cipher-based design strategies do not suciently protect againstvariations of the classical di erential strategy. In particular, we breakthe full security claims of the tweakable block cipherMANTIS-5andthe permutationSimpira v1. We provide a key recovery attack for theround-reduced block cipherLowMCand analyze the authenticated cipherPrstin a related-key setting. We also develop techniques to improve thecomputer-aided di erential analysis of unkeyed primitives, leading to thebest practical collision attacks on the round-reduced hash standardSHA-2.

Abstract: The TWEAKEY/STK construction is an increasingly popular approach for designing tweakable block ciphers that notably uses a linear tweakey schedule. Several recent attacks have analyzed the implications of this approach for differential cryptanalysis and other attacks that can take advantage of related tweakeys. We generalize the clustering approach of a recent differential attack on the tweakable block cipher MANTIS₅ and describe a tool for efficiently finding and evaluating such clusters. More specifically, we consider the set of all differential characteristics compatible with a given truncated characteristic, tweak difference, and optional constraints for the differential. We refer to this set as a semi-truncated characteristic and estimate its probability by analyzing the distribution of compatible differences at each step. We apply this approach to find a semi-truncated differential characteristic for MANTIS₆ with probability about 2^−67.73 and derive a key-recovery attack with a complexity of about 2^55.09 chosen-plaintext queries and 2^55.52 computations. The data-time product is 2^110.61 << 2¹²⁶.

Abstract: andom number generation is a key function oftoday’s secure devices. Commonly used for key generation,random number streams are more and more frequently usedas the anchor of trust of several countermeasures such asmasking. True Random Number Generators (TRNGs) thusbecome a relevant entry point for attacks that aim at loweringthe security of integrated systems. Within this context, thispaper investigates the robustness of TRNGs based on RingOscillators (focusing on the delay chain TRNG) againstpulsed electromagnetic fault injection. Indeed, weaknesses ingenerating random bits for masking scheme degenerate the SideChannel resistance. Finally by exploiting fault results on delaychain TRNG some general guidelines to harden them are derived.
keywords:Pulse Electromagnetic fault Injection, True RandomNumber Generator, security guidelines

Abstract: n this paper we present a novel true random number generator based onhigh-precision edge sampling. We use two novel techniques to increase the throughputand reduce the area of the proposed randomness source: variable-precision phaseencoding and repetitive sampling. The first technique consists of encoding theoscillator phase with high precision in the regions around the signal edges and withlow precision everywhere else. This technique results in a compact implementation atthe expense of reduced entropy in some samples. The second technique consists ofrepeating the sampling at high frequency until the phase region encoded with highprecision is captured. This technique ensures that only the high-entropy bits are sentto the output. The combination of the two proposed techniques results in a secureTRNG, which suits both ASIC and FPGA implementations. The core part of theproposed generator is implemented with 10 look-up tables (LUTs) and 5 flip-flops(FFs) of a Xilinx Spartan-6 FPGA, and achieves a throughput of1.15M bpswith0.997bits of Shannon entropy. On Intel Cyclone V FPGAs, this implementation uses10 LUTs and 6 FFs, and achieves a throughput of1.07M bps. This TRNG design issupported by a stochastic model and a formal security evaluation.
Keywords: Hardware random number generators ring oscillators entropy FPGA stochastic mode

Abstract: Several recent designs show that the phase locked-loops (PLLs) are well suited for building true random number generators (TRNG) in logic devices and especially in FPGAs, in which PLLs are physically isolated from the rest of the device. However, the setup of the PLL configuration for the PLL-based TRNG is a challenging task. Indeed, the designer has to take into account physical constraints of the hardwired block, when trying to achieve required performance (bit rate) and security (entropy rate per bit). In this paper, we introduce a method aimed at choosing PLL parameters (e.g. input frequency, multiplication and division factors of the PLL) that satisfy hardware constraints, while achieving the highest possible bit rate or entropy rate according to application requirements. The proposed method is fast enough to produce all possible configurations in a short time. Comparing to the previous method based on a genetic algorithm, which was able to find only a locally optimized solution and only for one PLL in tens of seconds, the new method finds exhaustive set of feasible configurations of one- or two-PLL TRNG in few seconds, while the found configurations can be ordered depending on their performance or sensitivity to jitter.

Abstract: True random number generators (TRNGs) are fundamental constituents of secure embedded cryptographic systems. In this paper, we introduce a general methodology for porting TRNG across different FPGA vendor families. In order to demonstrate our methodology, we applied it to the delay-chain based TRNG (DC-TRNG) on Intel Cyclone IV and Cyclone V FPGAs. We examine vendor-agnostic generality of the underlying DCTRNG principle and propose modifications to address differences in structure of FPGAs. Implementation of the DC-TRNG on Cyclone IV uses 149 LEs and has a throughput of 5Mbps, while on Cyclone V it occupies 230 ALMs with an output rate of 12.5 Mbps. The quality of the random bits produced by the DC-TRNG on Intel Cyclone IV and V is further confirmed by using NIST statistical test suite.

Abstract: This brief deals with the problem of mathematically formalizing hardware circuits' vulnerability to side-channel attacks. We investigate whether spectral analysis is a useful analytical tool for this purpose by building a mathematically sound theory of the vulnerability phenomenon. This research was originally motivated by the need for deeper, more formal knowledge around vulnerable nonlinear circuits. However, while building this new theoretical framework, we discovered that it can consistently integrate known results about linear ones as well. Eventually, we found it adequate to formally model side-channel leakage in several significant scenarios. In particular, we have been able to find the vulnerability perimeter of a known cryptographic primitive (i.e., Keccak \cite{Bertoni:2010ug}) and thus tackle the analysis of vulnerability when signal glitches are present. We believe the conceptual framework we propose will be useful for researchers and practitioners in the field of applied cryptography and side-channel attacks.

Abstract: Side-channel attacks on mobile devices have gained increasing attention since their introduction in 2007. While traditional side-channel attacks, such as power analysis attacks and electromagnetic analysis attacks, required physical presence of the attacker as well as expensive equipment, an (unprivileged) application is all it takes to exploit the leaking information on modern mobile devices. Given the vast amount of sensitive information that are stored on smartphones, the ramifications of side-channel attacks affect both the security and privacy of users and their devices. In this paper, we propose a new categorization system for side-channel attacks, which is necessary as side-channel attacks have evolved significantly since their scientific investigations during the smart card era in the 1990s. Our proposed classification system allows to analyze side-channel attacks systematically, and facilitates the development of novel countermeasures. Besides this new categorization system, the extensive survey of existing attacks and attack strategies provides valuable insights into the evolving field of side-channel attacks, especially when focusing on mobile devices. We conclude by discussing open issues and challenges in this context and outline possible future research directions.

Abstract: coming soon

Abstract: No two physical objects are exactly the same, even when manufactured with a nominally identical process. For example, two sheets of paper that are indistinguishable with the naked eye, still differ considerably in their nanoscale fiber structures. Although manufacturing variability is usually undesired, the associated ability to uniquely identify a physical object, which is constrained to an integrated circuit (IC) in this thesis, can be leveraged for security purposes. To facilitate the registration of unique features, a so-called physically unclonable function (PUF) can be implemented on the IC. A PUF circuit is designed to be sensitive to process variations, i.e., challenged with a binary input, it provides a binary, device-unique response. This building block can hence be understood as the silicon equivalent of human biometrics. PUFs can augment the security architecture of an ever-increasing number of electronic devices that access our personal data and/or represent our identities. This includes but is not limited to smartphones, credit cards, access badges, the sensors and actuators of automated home, and medical implants. PUFs usually need to team up with other building blocks, e.g., true random number generators (TRNGs), cryptographic algorithms, error-correcting codes, nonvolatile memory (NVM), etc. We analyze the security of such multi-component systems in a format that allows for comparisons among proposals that have similar or identical objectives. Numerous newly revealed flaws and attacks are presented throughout this thesis. On the bright side, the lessons learned can help improve the quality of future PUF-based systems.

Abstract: We describe a fast technique for performing the computationally heavy part of leakage assessment, in any statistical moment (or other property) of the leakage samples distributions. The proposed technique outperforms by orders of magnitude the approach presented at CHES 2015 by Schneider and Moradi. We can carry out evaluations that before took 90 CPU-days in 4 CPU-hours (about a 500-fold speed-up). As a bonus, we can work with exact arithmetic, we can apply kernel-based density estimation methods, we can employ arbitrary pre-processing functions such as absolute value to power traces, and we can perform information-theoretic leakage assessment. Our trick is simple and elegant, and lends itself to an easy and compact implementation. We fit a prototype implementation in about 130 lines of C code.

Abstract: Applications of true random number generators (TRNGs) span from art to numerical computing and system security. In cryptographic applications, TRNGs are used for generating new keys, nonces and masks. For this reason, a TRNG is an essential building block and often a point of failure for embedded security systems. One type of primitives that are widely used as source of randomness are ring oscillators. For a ring-oscillator-based TRNG, the true randomness originates from its timing jitter. Therefore, determining the jitter strength is essential to estimate the quality of a TRNG. In this paper, we propose a method to measure the jitter strength of a ring oscillator implemented on an FPGA. The fast tapped delay chain is utilized to perform the on-chip measurement with a high resolution. The proposed method is implemented on both a Xilinx FPGA and an Intel FPGA. Fast carry logic components on different FPGAs are used to implement the fast delay line. This carry logic component is designed to be fast and has dedicated routing, which enables a precise measurement. The differential structure of the delay chain is used to thwart the influence of undesirable noise from the measurement. The proposed methodology can be applied to other FPGA families and ASIC designs.

Abstract: Physically unclonable functions are used for IP protection, hardware authentication and supply chain security. While many PUF constructions have been put forward in the past decade, only few of them are applicable to FPGA platforms. Strict constraints on the placement and routing are the main disadvantages of the existing PUFs on FPGAs, because they place a high effort on the designer. In this paper we propose a new delay-based PUF construction called Monte Carlo PUF, that does not require low-level placement and routing control. This construction relies on the on-chip Monte Carlo method that is applied for measuring the delays of logic elements in order to extract a unique device fingerprint. The proposed construction allows a trade-off between the evaluation time and the error rate. The Monte Carlo PUF is implemented and evaluated on Xilinx Spartan-6 FPGAs.

Abstract: The continually growing number of security-related autonomous devices requires efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks. Masking provides high resistance against SCA at an adjustable level of security. A high level of SCA resistance, however, goes hand in hand with an increasing demand for fresh randomness which drastically increases the implementation costs. Since hardware based masking schemes have other security requirements than software masking schemes, the research in these two fields has been conducted quite independently over the last ten years. One important practical difference is that recently published software schemes achieve a lower randomness footprint than hardware masking schemes. In this work we combine existing software and hardware masking schemes into a unified masking algorithm. We demonstrate how to protect software and hardware implementations using the same masking algorithm, and for lower randomness costs than the separate schemes. Especially for hardware implementations the randomness costs can in some cases be halved over the state of the art. Theoretical considerations as well as practical implementation results are then used for a comparison with existing schemes from different perspectives and at different levels of security.

Abstract: With the scaling down of electronic devices and the boom of wireless communications, more and more smart devices are interconnected in what we call the Internet of Things. Connecting devices of everyday use can greatly improve our comfort, but it can also introduce unprecedented security problems. With billions of devices connected there is a huge risk of unauthorized use. In this context, Physical Unclonable Functions (PUFs) are a promising solution since they extract device intrinsic fingerprint that can be used for hardware identification and authentication. Here we present the first fully functional implementation of Oscillator based PUFs on Flash based FPGA. The implementation is presented for the Ring Oscillator based PUF and the Transient Effect Ring Oscillatory based PUF. After explaining those two PUF principles, we give all the necessary design practices to follow to obtain an efficient PUF implementation on Flash FPGA. Finally, we present the characterization of the PUFs and compare it to previous work. To the best of our knowledge, it is the first work which deals with the implementation of Oscillator based PUF on Flash FPGAs. Moreover, all design files are available online to ensure repeatability.

Abstract: MANTIS is a lightweight tweakable block cipher published at CRYPTO 2016. In addition to the full 14-round version, MANTIS-7, the designers also propose an aggressive 10-round version, MANTIS-5. The security claim for MANTIS-5 is resistance against “practical attacks”, defined as related-tweak attacks with data complexity 2^d less than 2³⁰ chosen plaintexts (or 2⁴⁰ known plaintexts), and computational complexity at most 2^126-d. We present a key-recovery attack against MANTIS-5 with 2²⁸ chosen plaintexts and a computational complexity of about 2³⁸ block cipher calls, which violates this claim. Our attack is based on a family of differential characteristics and exploits several properties of the lightweight round function and tweakey schedule. To verify the validity of the attack, we also provide a practical implementation which recovers the full key in about 1 core hour using 2³⁰ chosen plaintexts.

Abstract: Passive physical attacks, like power analysis, pose a serious threat to the security of digital circuits. In this work, we introduce an efficient sidechannel protected Advanced Encryption Standard (AES) hardware design that is completely scalable in terms of protection order. Therefore, we revisit the private circuits scheme of Ishai et al. [13] which is known to be vulnerable to glitches. We demonstrate how to achieve resistance against multivariate higher-order attacks in the presence of glitches for the same randomness cost as the private circuits scheme. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order.

Abstract: Intellectual Property (IP) illegal copying is a major threat in today’s integrated circuits industry which is massively based on a design-and-reuse paradigm. In order to fight this threat, a designer must track how many times an IP has been instantiated. Moreover, illegal copies of an IP must be unusable. We propose a hardware/software scheme which allows a designer to remotely activate an IP with minimal area overhead. The software modifies the IP efficiently and can handle very large netlists. Unique identification of hardware instances is achieved by integrating a TERO-PUF along with a lightweight key reconciliation module. A cryptographic core guarantees security and triggers a logic locking/masking module which makes the IP unusable unless the correct encrypted activation word is applied. The hardware side is implemented on several FPGAs.

Abstract: Physical Unclonable Functions (PUFs) are promising primitives for the lightweight authentication of an integrated circuit (IC). Indeed, by extracting an identifier from random process variations, they allow each instance of a design to be uniquely identified. However, the extracted identifiers are not stable enough to be used as is, and hence need to be corrected first. This is currently achieved using error-correcting codes in secure sketches, that generate helper data through a one-time procedure. As an alternative, we propose key reconciliation protocols. This interactive method, originating from quantum key distribution, allows two entities to correct errors in their respective correlated keys by discussing over a public channel. We believe that this can also be used by a device and a remote server to agree on two different responses to the same challenge from the same PUF obtained at different times. This approach has the advantage of requiring very few logic resources on the device side. The information leakage caused by the key reconciliation process is limited and easily computable. Results of implementation on FPGA targets are presented, showing that it is the most lightweight error-correction module to date.

Abstract: Phase-locked loop (PLL) based true random number generator (TRNG) is very well suited for security applications using field programmable gate arrays (FPGAs) because most of FPGAs feature hardwired PLL blocks. PLL based TRNGs (PLL-TRNGs) are easy to implement and do not require manual placement or routing. The design of such TRNGs is also highly portable within the same device family. This is not the case in many other TRNG designs. However, the design of a PLLTRNGs is not a trivial task. Due to many PLL parameters, which need to be fine tuned to achieve required security and speed requirements, an exhaustive design space exploration is practically not feasible. Thus, the designers are required to go through many trial and error cycles of manual parameter tweaking and the results are still not guaranteed to be optimal. In this paper, we use a genetic algorithm (GA) based optimization to generate a suitable configuration of the PLL-TRNG, such that it is secure and reaches high output bit rate. GA optimization allows to take into account physical limits of the PLL, such as input/output frequency, and maximum voltage controlled oscillator (VCO) frequency, which avoids invalid configurations and reduces the development time. The method has proven to be very efficient and it significantly reduces the design time without compromising the security. All the presented configurations were tested on recent FPGA families and the statistical quality of the resulting TRNG configurations was verified using the AIS 31 test suite.

Abstract: Side-channel attacks and in particular differential power analysis (DPA) attacks pose a serious threat to cryptographic implementations. One approach to counteract such attacks are cryptographic schemes based on fresh re-keying. In settings of pre-shared secret keys, such schemes render DPA attacks infeasible by deriving session keys and by ensuring that the attacker cannot collect side-channel leakage on the session key during cryptographic operations with different inputs. While these schemes can be applied to secure standard communication settings, current re-keying approaches are unable to provide protection in settings where the same input needs to be processed multiple times. In this work, we therefore adapt the re-keying approach and present a symmetric authenticated encryption scheme that is secure against DPA attacks and that does not have such a usage restriction. This means that our scheme fully complies with the requirements given in the CAESAR call and hence, can be used like other noncebased authenticated encryption schemes without loss of side-channel protection. Its resistance against side-channel analysis is highly relevant for several applications in practice, like bulk storage settings in general and the protection of FPGA bitfiles and firmware images in particular.

Abstract: In this paper, we deal with the problem of efficiently assessing the higher order vulnerability of a hardware cryptographic circuit. Our main concern is to provide methods that allow a circuit designer to detect early in the design cycle if the implementation of a Boolean-additive masking countermeasure does not hold up to the required protection order. To achieve this goal, we promote the search for vulnerabilities from a statistical problem to a purely symbolical one and then provide a method for reasoning about this new symbolical interpretation. Eventually we show, with a synthetic example, how the proposed conceptual tool can be used for exploring the vulnerability space of a cryptographic primitive.

Abstract: A novel physically unclonable function (PUF) utilizing the intrinsic randomness of oxide breakdown (BD) positions in CMOS transistors is presented. The advantages of this approach are studied and validated by measurements on test-chips fabricated in a commercial 40nm CMOS process. Experiments show that the required soft BDs can be reliably generated in a sufficiently short period. The randomness of the utilized mechanism shows excellent properties, required for PUF applications: an overall bias of 0.498 and inter-chip hamming distance (HD) of 0.501. Further analysis of the current distributions reveals a dependence of operating voltage on readout resolution and window. Finally, dedicated experiments with external heating and embedded poly-heaters show that these soft BDs are stable and show no read-out errors up to operating temperatures of 600K.

Abstract: Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers' security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity 2^82.62 for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity 22^110.16 for 16 rounds and the full 512-bit hash value. These attacks violate the designers' security claims that there are no structural distinguishers with complexity below 22¹²⁸.

Abstract: Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our first attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incuring an overhead of only 0.06-5.09%.

Abstract: Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammer-based Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

Abstract: The focus and novelty of this work is the derivation of tight upper bounds on the min-entropy of several physically unclonable funcions (PUFs), i.e., Ring Oscillator Sum, Arbiter, Feed-Forward Arbiter, and S-ArbRO PUFs. This constrains their usability for the fuzzy extraction of a secret key, as an alternative to storing keys in non-volatile memory. For example, it is shown that an ideal Arbiter PUF with 64 stages cannot provide more than 197 bits of min-entropy. At Financial Cryptography 2012, Van Herrewege et al. assume that 1785 bits of min-entropy can be extracted, which renders their 128-bit key generator instantly insecure. We also derive upper bounds that comply with nonideal PUFs, attributed to, e.g., manufacturing in silicon. As a side contribution hereby, we refute the claim that S-ArbRO PUFs are highly resistant against machine learning.

Abstract: Glitches represent a great danger for hardware implementations of cryptographic schemes. Their intrinsic random nature makes them difficult to tackle and their occurrence threatens side-channel protections. Although countermeasures aiming at structurally solving the problem already exist, they usually require some effort to be applied or introduce non-negligible overhead in the design. Our work addresses the gap between such countermeasures and the naive implementation of schemes being vulnerable in the presence of glitches. Our contribution is twofold: (1) we expand the mathematical framework proposed by Brzozowski and Ésik (FMSD 2003) by meaningfully adding the notion of information leakage, (2) thanks to which we define a formal methodology for the analysis of vulnerabilities in combinatorial circuits when glitches are taken into account.

Abstract: FPGAs are widely used to integrate cryptographic primitives, algorithms, and protocols in cryptographic systems-on-chip (CrySoC). As a building block of CrySoCs, True Random Number Generators (TRNGs) exploit analog noise sources in electronic devices to generate confidential keys, initialization vectors, challenges, nonces, and random masks in cryptographic protocols. TRNGs aimed at cryptographic applications must fulfill the security requirements defined in the German Federal Bureau for Information Security’s (BSI) recommendations AIS-20/31, which has become a de facto standard in Europe. Many TRNG cores have already been published, only a few of which are suitable for FPGAs and even fewer comply with AIS-20/31. Here we present the results of the implementation of AIS-20/31 compliant TRNG cores in three FPGA families: Xilinx Spartan 6, Altera Cyclone V and Microsemi SmartFusion 2. In addition to common design parameters like area, bit rate and power/energy consumption, we compare and discuss the feasibility of generator cores in different FPGAs and the statistical quality of their output. These results will help designers select the best generator and the device family to match the requirements of the data security application. To ensure reproducibility of the results, the open source VHDL code of all generators adapted to individual families can be downloaded from the dedicated web page.

Abstract: Since the first demonstration of fault attacks by Boneh et al. on RSA, a multitude of fault attack techniques on various cryptosystems have been proposed. Most of these techniques, like Differential Fault Analysis, Safe Error Attacks, and Collision Fault Analysis, have the requirement to process two inputs that are either identical or related, in order to generate pairs of correct/faulty ciphertexts. However, when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes. In this work, we present the first practical fault attacks on several noncebased authenticated encryption modes for AES. This includes attacks on the ISO/IEC standards GCM,CCM, EAX, and OCB, as well as several second-round candidates of the ongoing CAESAR competition. All attacks are based on the Statistical Fault Attacks by Fuhr et al., which use a biased fault model and just operate on collections of faulty ciphertexts. Hereby, we put e ort in reducing the assumptions made regarding the capabilities of an attacker as much as possible. In the attacks, we only assume that we are able to influence some byte (or a larger structure) of the internal AES state before the last application of MixColumns, so that the value of this byte is afterwards non-uniformly distributed. In order to show the practical relevance of Statistical Fault Attacks and for evaluating our assumptions on the capabilities of an attacker, we perform several fault-injection experiments targeting real hardware. For instance, laser fault injections targeting an AES co-processor of a smartcard microcontroller, which is used to implement modes like GCM or CCM, show that 4 bytes (resp. all 16 bytes) of the last round key can be revealed with a small number of faulty ciphertexts.

Abstract: True random number generators (TRNGs) are critical components in security systems used to generate session keys, challenges for authentication protocols and masks for secret sharing. Unfortunately, TRNGs are vulnerable to a wide class of physical attacks ranging from passive observation of generated numbers to active manipulation. In this work we investigate the susceptibility of the Transition Effect Ring Oscillator (TERO) TRNG to active manipulation attacks. In particular we perform underpower and low temperature attacks on an implementation of the TERO running on a Xilinx Spartan 6 FPGA and experimentally evaluate the effectiveness of four online tests as countermeasure.

Abstract: In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more multi-core ARM CPUs that have a different cache organization and instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have been demonstrated on non-rooted Android smartphones. In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges. Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java. Our attacks work across CPUs and can even monitor cache activity in the ARM TrustZone from the normal world. The techniques we present can be used to attack hundreds of millions of Android devices.

Abstract: We present a design methodology for embedded tests of entropy sources. These tests are necessary to detect attacks and failures of true random number generators. The central idea of this work is to use an empirical design methodology consisting of two phases: collecting the data under attack and finding a useful statistical feature. In this work we focus on statistical features that are implementable in lightweight hardware. This is the first paper to address the design of on-the-fly tests based on the attack effects. The presented design methodology is illustrated with 2 examples: an elementary ring-oscillator based TRNG and a carry-chain based TRNG. The effectiveness of the tests was confirmed on FPGA prototypes.

Abstract: In this paper we present a design methodology and hardware implementations of lightweight post-processing modules for debiasing random bit sequences. This work is based on the iterated Von Neumann procedure (IVN). We present a method to maximize the efficiency of IVN for applications with area and throughput constraints. The resulting hardware modules can be applied for post-processing raw numbers in random number generators.

Abstract: The device-unique response of a physically unclonable function (PUF) can serve as the root of trust in an embedded cryptographic system. Fuzzy extractors transform this noisy non-uniformly distributed secret into a stable high-entropy key. The overall efficiency thereof, typically depending on error-correction with a binary [n; k; d] block code, is determined by the universal and well-known (n - k) bound on the min-entropy loss. We derive new considerably tighter bounds for PUF-induced distributions that suffer from, e.g., bias or spatial correlations. The bounds are easy-to-evaluate and apply to large non-trivial codes, e.g., BCH, Hamming and Reed-Muller codes. Apart from an inherent reduction in implementation footprint, the newly developed theory also facilitates the analysis of state-of-the-art error-correction methods for PUFs. As such, we debunk the reusability claim of the reverse fuzzy extractor. Moreover, we provide proper quantitative motivation for debiasing schemes, as this was missing in the original proposals.

Abstract: The hash function Kupyna was recently published as the Ukrainian standard DSTU 7564:2014. It is structurally very similar to the SHA-3 finalist GrØstl, but differs in details of the round transformations. Most notably, some of the round constants are added with a modular addition, rather than bitwise xor. This change prevents a straightforward application of some recent attacks, in particular of the rebound attacks on the compression function of similar AES-like hash constructions. However, we show that it is actually possible to mount rebound attacks, despite the presence of modular constant additions. More specifically, we describe collision attacks on the compression function for 6 (out of 10) rounds of Kupyna-256 with an attack complexity of 2⁷⁰, and for 7 rounds with complexity 2^125:8. In addition, we have been able to use the rebound attack for creating collisions for the round-reduced hash function itself. This is possible for 4 rounds of Kupyna-256 with complexity 2⁶⁷ and for 5 rounds with complexity 2¹²⁰.

Abstract: Kiasu-BC is a tweakable block cipher presented within the TWEAKEY framework at AsiaCrypt 2014. Kiasu-BC is almost identical to AES-128, the only difference to AES-128 is the tweak addition, where the 64-bit tweak is xored to the first two rows of every round-key. The security analysis of the designers focuses primarily on related-key related-tweak differential characteristics and meet-in-the-middle attacks. For other attacks, they conclude that the security level of Kiasu-BC is similar to AES-128. In this work, we provide the first third-party analysis of Kiasu-BC. We show that we can mount Square attacks on up to 7-round Kiasu-BC with a complexity of about 2^48:5 encryptions, which improves upon the best published 7-round attacks for AES-128. Furthermore, we show that such attacks are applicable to the round-reduced JCB3-like mode of the CAESAR candidate Kiasu6=. To be specific, we show a key-recovery attack on 7-round Kiasu6= with a complexity of about 2⁸² encryptions.

Abstract: A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, but by accessing other memory locations in a high frequency. This so-called Rowhammer bug occurs in most of today's memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks. All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This allows to trigger the Rowhammer bug in highly restricted and even scripting environments. We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. Thereby we can gain unrestricted access to systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.

Abstract: Research on cache attacks has shown that CPU caches leak signi_cant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the ush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache ushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6:7 times faster than any previously published cache covert channel.

Abstract: We introduce the concept of canary numbers, to be used in health tests for true random number generators. Health tests are essential components of true random number generators because they are used to detect defects and failures of the entropy source. These tests need to be lightweight, low-latency and highly reliable. The proposed solution uses canary numbers which are an extra output of the entropy source of lower quality. This enables an early-warning attack detection before the output of the generator is compromised. We illustrate the idea with 2 case studies of true random number generators implemented on aXilinx Spartan-6 FPGA.

Abstract: In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.

Abstract: Hash functions are often constructed based on permutations or blockciphers, and security proofs are typically done in the ideal permutation or cipher model. However, once these random primitives are instantiated, vulnerabilities of these instantiations may nullify the security. At ASIACRYPT 2007, Knudsen and Rijmen introduced known-key security of blockciphers, which gave rise to many distinguishing attacks on existing blockcipher constructions. In this work, we analyze the impact of such attacks on primitive-based hash functions. We present and formalize the weak cipher model, which captures the case a blockcipher has a certain weakness but is perfectly random otherwise. A specific instance of this model, considering the existence of sets of B queries whose XOR equals 0 at bit-positions C, where C is an index set, covers a wide range of known-key attacks in literature. We apply this instance to the PGV compression functions, as well as to the Grøstl (based on two permutations) and Shrimpton-Stam (based on three permutations) compression functions, and show that these designs do not seriously succumb to any differential known-key attack known to date.

Abstract: iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers' security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys E_K(0¹²⁸) and E_K(PMN||1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn E_K(P*) for any freely chosen plaintext P*. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.

Abstract: Security in random number generation for cryptography is closely related to the entropy rate at the generator output. This rate has to be evaluated using an appropriate stochastic model. The stochastic model proposed in this paper is dedicated to the transition effect ring oscillator (TERO) based true random number generator (TRNG) proposed by Varchola and Drutarovsky in 2010. The advantage and originality of this model is that it is derived from a physical model based on a detailed study and on the precise electrical description of the noisy physical phenomena that contribute to the generation of random numbers. We compare the proposed electrical description with data generated in a 28 nm CMOS ASIC implementation. Our experimental results are in very good agreement with those obtained with both the physical model of TERO’s noisy behavior and with the stochastic model of the TERO TRNG, which we also confirmed using the AIS 31 test suites.

Abstract: Recent work on cache attacks has shown that CPU caches represent a powerful source of information leakage. However, existing attacks require manual identification of vulnerabilities, i.e., data accesses or instruction execution depending on secret information. In this paper, we present Cache Template Attacks. This generic attack technique allows us to profile and exploit cachebased information leakage of any program automatically, without prior knowledge of specific software versions or even specific system information. Cache Template Attacks can be executed online on a remote system without any prior offline computations or measurements. Cache Template Attacks consist of two phases. In the profiling phase, we determine dependencies between the processing of secret information, e.g., specific key inputs or private keys of cryptographic primitives, and specific cache accesses. In the exploitation phase, we derive the secret values based on observed cache accesses. We illustrate the power of the presented approach in several attacks, but also in a useful application for developers. Among the presented attacks is the application of Cache Template Attacks to infer keystrokes and—even more severe—the identification of specific keys on Linux and Windows user interfaces. More specifically, for lowercase only passwords, we can reduce the entropy per character from log2(26) = 4.7 to 1.4 bits on Linux systems. Furthermore, we perform an automated attack on the T-table-based AES implementation of OpenSSL that is asefficient as state-of-the-art manual cache attacks.

Abstract: Page deduplication is a mechanism to reduce the memory footprint of a system. Identical physical pages are identified across borders of virtual machines and programs and merged by the operating system or the hypervisor. However, this enables side-channel information leakage through cache or memory access time. Therefore, it is considered harmful in public clouds today, but it is still considered safe to use in a private environment, i.e., private clouds, personal computers, and smartphones. We present the first memory-disclosure attack in sandboxed Javascript which exploits page deduplication. Unlike previous attacks, our attack does not require the victim to execute an adversary’s program, but simply to open a website which contains the adversary’s Javascript code. We are not only able to determine which applications are running, but also specific user activities, for instance, whether the user has specific websites currently opened. The attack works on servers, personal computers and smartphones, and across the borders of virtual machines.