International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Niels Samwel

Publications

Year
Venue
Title
2022
TCHES
SoK: SCA-secure ECC in software – mission impossible?
Lejla Batina Łukasz Chmielewski Björn Haase Niels Samwel Peter Schwabe
This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.
2020
EUROCRYPT
Friet: an Authenticated Encryption Scheme with Built-in Fault Detection 📺
Thierry Simon Lejla Batina Joan Daemen Vincent Grosso Pedro Maat Costa Massolino Kostas Papagiannopoulos Francesco Regazzoni Niels Samwel
In this work we present a duplex-based authenticated encryption scheme Friet based on a new permutation called Friet-P. We designed Friet-P with a novel approach for cryptographic permutations and block ciphers that takes fault-attack resistance into account and that we introduce in this paper. In this method, we build a permutation f_C to be embedded in a larger one f. First, we define f as a sequence of steps that all abide a chosen error-correcting code C, i.e., that map C-codewords to C-codewords. Then, we embed f_C in f by first encoding its input to an element of C, applying f and then decoding back from C. This last step detects a fault when the output of f is not in C. We motivate the design of the permutation we use in Friet and report on performance in soft- and hardware. We evaluate the fault-detection capabilities of the software and simulated hardware implementations with attacks. Finally, we perform a leakage evaluation. Our code is available at https://github.com/thisimon/Friet.git.

Coauthors

Lejla Batina (2)
Łukasz Chmielewski (1)
Joan Daemen (1)
Vincent Grosso (1)
Björn Haase (1)
Pedro Maat Costa Massolino (1)
Kostas Papagiannopoulos (1)
Francesco Regazzoni (1)
Peter Schwabe (1)
Daniel R. Simon (1)