International Association for Cryptologic Research


CryptoDB

Ingrid Verbauwhede

Publications

Year
Venue
Title
2021
TCHES
Analysis and Comparison of Table-based Arithmetic to Boolean Masking
Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.
2021
TCHES
Scabbard: a suite of efficient learning with rounding key-encapsulation mechanisms
In this paper, we introduce Scabbard, a suite of post-quantum key-encapsulation mechanisms. Our suite contains three different schemes, Florete, Espada, and Sable, based on the hardness of the module- or ring-learning with rounding problem. In this work, we first show how the latest advancements on lattice-based cryptography can be utilized to create new, better schemes and even improve the state-of-the-art on post-quantum cryptography. We put particular focus on designing schemes that can optimally exploit the parallelism offered by certain hardware platforms and are also suitable for resource-constrained devices. We show that this can be achieved without compromising the security of the schemes or penalizing their performance on other platforms. To substantiate our claims, we provide optimized implementations of our three new schemes on a wide range of platforms including general-purpose Intel processors using both portable C and vectorized instructions, embedded platforms such as Cortex-M4 microcontrollers, and hardware platforms such as FPGAs. We show that on each platform, our schemes can outperform the state-of-the-art in speed, memory footprint, or area requirements.
2020
TCHES
Time-memory trade-off in Toom-Cook multiplication: an application to module-lattice based cryptography
Since the introduction of the ring-learning with errors problem, the number theoretic transform (NTT) based polynomial multiplication algorithm has been studied extensively. Due to its faster quasilinear time complexity, it has been the preferred choice of cryptographers to realize ring-learning with errors cryptographic schemes. Compared to NTT, Toom-Cook or Karatsuba based polynomial multiplication algorithms, though known for a long time, still have a fledgling presence in the context of post-quantum cryptography. In this work, we observe that the pre- and post-processing steps in Toom-Cook based multiplications can be expressed as linear transformations. Based on this observation we propose two novel techniques that can increase the efficiency of Toom-Cook based polynomial multiplications. Evaluation is reduced by a factor of 2, and we call this method precomputation; interpolation is reduced from quadratic to linear, and we call this method lazy interpolation. As a practical application, we applied our algorithms to the Saber post-quantum key-encapsulation mechanism. We discuss in detail the various implementation aspects of applying our algorithms to Saber. We show that our algorithm can improve the efficiency of the computationally costly matrix-vector multiplication by 12−37% compared to previous methods on their respective platforms. Secondly, we propose different methods to reduce the memory footprint of Saber for Cortex-M4 microcontrollers. Our implementation shows between 2.6 and 5.7 KB reduction in the memory usage with respect to the smallest implementation in the literature.
2019
PKC
Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes
In this paper we investigate the impact of decryption failures on the chosen-ciphertext security of lattice-based primitives. We discuss a generic framework for secret key recovery based on decryption failures and present an attack on the NIST Post-Quantum Proposal ss-ntru-pke. Our framework is split in three parts: First, we use a technique to increase the failure rate of lattice-based schemes called failure boosting. Based on this technique we investigate the minimal effort for an adversary to obtain a failure in three cases: when he has access to a quantum computer, when he mounts a multi-target attack or when he can only perform a limited number of oracle queries. Secondly, we examine the amount of information that an adversary can derive from failing ciphertexts. Finally, these techniques are combined in an overall analysis of the security of lattice based schemes under a decryption failure attack. We show that an attacker could significantly reduce the security of lattice based schemes that have a relatively high failure rate. However, for most of the NIST Post-Quantum Proposals, the number of required oracle queries is above practical limits. Furthermore, a new generic weak-key (multi-target) model on lattice-based schemes, which can be viewed as a variant of the previous framework, is proposed. This model further takes into consideration the weak-key phenomenon that a small fraction of keys can have much larger decoding error probability for ciphertexts with certain key-related properties. We apply this model and present an attack in detail on the NIST Post-Quantum Proposal – ss-ntru-pke – with complexity below the claimed security level.
2018
TCHES
A Cautionary Note When Looking for a Truly Reconfigurable Resistive RAM PUF
The reconfigurable physically unclonable function (PUF) is an advanced security hardware primitive, suitable for applications requiring key renewal or similar refresh functions. The oxygen-vacancy-based resistive RAM (RRAM) has been claimed to be a physically reconfigurable PUF due to its intrinsic switching variability. This paper first analyzes and compares various previously published RRAM-based PUFs with a physics-based RRAM model. We next discuss their possible reconfigurability assuming an ideal configuration-to-configuration behavior. The RRAM-to-RRAM variability, which mainly originates from a variable number of unremovable vacancies inside the RRAM filament, has however been observed to have a significant impact on the reconfigurability. We show by quantitative analysis the clear uniqueness degradation from the ideal situation in all the discussed implementations. Thus we conclude that true reconfigurability with RRAM PUFs might be unachievable due to this physical phenomenon.
2018
TCHES
Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM
The CCA-secure lattice-based post-quantum key encapsulation scheme Saber is a candidate in the NIST’s post-quantum cryptography standardization process. In this paper, we study the implementation aspects of Saber in resource-constrained microcontrollers from the ARM Cortex-M series, which are very popular for realizing IoT applications. In this work, we carefully optimize various parts of Saber for speed and memory. We exploit digital signal processing instructions and efficient memory access for a fast implementation of polynomial multiplication. We also use memory-efficient Karatsuba and a just-in-time strategy for generating the public matrix of the module lattice to reduce the memory footprint. We also show that our optimizations can be combined with each other seamlessly to provide various speed-memory trade-offs. Our speed-optimized software takes just 1,147K, 1,444K, and 1,543K clock cycles on a Cortex-M4 platform for key generation, encapsulation and decapsulation respectively. Our memory-efficient software takes 4,786K, 6,328K, and 7,509K clock cycles on an ultra resource-constrained Cortex-M0 platform for key generation, encapsulation, and decapsulation respectively while consuming only 6.2 KB of memory at most. These results show that lattice-based key encapsulation schemes are perfectly practical for securing IoT devices from quantum computing attacks.
2018
TCHES
ES-TRNG: A High-throughput, Low-area True Random Number Generator based on Edge Sampling
In this paper we present a novel true random number generator based on high-precision edge sampling. We use two novel techniques to increase the throughput and reduce the area of the proposed randomness source: variable-precision phase encoding and repetitive sampling. The first technique consists of encoding the oscillator phase with high precision in the regions around the signal edges and with low precision everywhere else. This technique results in a compact implementation at the expense of reduced entropy in some samples. The second technique consists of repeating the sampling at high frequency until the phase region encoded with high precision is captured. This technique ensures that only the high-entropy bits are sent to the output. The combination of the two proposed techniques results in a secure TRNG, which suits both ASIC and FPGA implementations. The core part of the proposed generator is implemented with 10 look-up tables (LUTs) and 5 flip-flops (FFs) of a Xilinx Spartan-6 FPGA, and achieves a throughput of 1.15 Mbps with 0.997 bits of Shannon entropy. On Intel Cyclone V FPGAs, this implementation uses 10 LUTs and 6 FFs, and achieves a throughput of 1.07 Mbps. This TRNG design is supported by a stochastic model and a formal security evaluation.
2017
CHES
Fast Leakage Assessment
Oscar Reparaz, Benedikt Gierlichs, Ingrid Verbauwhede
We describe a fast technique for performing the computationally heavy part of leakage assessment, in any statistical moment (or other property) of the leakage samples distributions. The proposed technique outperforms by orders of magnitude the approach presented at CHES 2015 by Schneider and Moradi. We can carry out evaluations that before took 90 CPU-days in 4 CPU-hours (about a 500-fold speed-up). As a bonus, we can work with exact arithmetic, we can apply kernel-based density estimation methods, we can employ arbitrary pre-processing functions such as absolute value to power traces, and we can perform information-theoretic leakage assessment. Our trick is simple and elegant, and lends itself to an easy and compact implementation. We fit a prototype implementation in about 130 lines of C code.
2016
CHES
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
CRYPTO
2015
CHES
2015
CHES
2015
CHES
2015
CHES
2015
CHES
2014
EPRINT
2014
EPRINT
2014
EPRINT
2014
EPRINT
2014
CHES
2014
CHES
2013
CHES
2013
CHES
2012
CHES
2012
CHES
2012
CHES
2012
ASIACRYPT
2011
CHES
2011
CHES
2009
CHES
2009
CHES
2009
CHES
2008
CHES
2006
CHES
2006
EPRINT
An Elliptic Curve Processor Suitable For RFID-Tags
RFID-Tags are small devices used for identification purposes in many applications nowadays. It is expected that they will enable many new applications and link the physical and the virtual world in the near future. Since the processing power of these devices is low, they are often in the line of fire where their security and privacy are concerned. It is widely believed that devices with such constrained resources cannot carry out sufficient cryptographic operations to guarantee security in new applications. In this paper, we show that identification of RFID-Tags can reach high security levels. In particular, we show how secure identification protocols based on the DL problem on elliptic curves are implemented on a constrained device such as an RFID-Tag requiring between 8500 and 14000 gates, depending on the implementation characteristics. We investigate the case of elliptic curves over $F_{2^p}$ with p prime and over composite fields $F_{2^{2p}}$. The implementations in this paper make RFID-Tags suitable for anti-counterfeiting purposes even in the off-line setting.
2005
CHES
2005
CHES
2004
EPRINT
A Dynamic and Differential CMOS Logic Style to Resist Power and Timing Attacks on Security IC's
Kris Tiri, Ingrid Verbauwhede
We present a dynamic and differential CMOS logic style, which has a signal independent switching behavior. It is shown that during each clock cycle, power consumption and all circuit characteristics, such as leakage current, instantaneous current and input-output delay are identical and independent of the logic value and the sequence of the input data. Implementing the encryption module in this logic will protect it against any Side Channel Attack that takes advantage of power, timing and leakage information. We have built a set of logic gates and a flip-flop needed for cryptographic functions and implemented a larger module, for which area, total power consumption and variation on the power consumption have been compared with implementations in Static Complementary CMOS logic, genuine Dynamic and Differential Logic and Current Mode Logic.
2004
EPRINT
Charge Recycling Sense Amplifier Based Logic: Securing Low Power Security IC's against Differential Power Analysis
Kris Tiri, Ingrid Verbauwhede
Charge Recycling Sense Amplifier Based Logic is presented. This logic is derived from Sense Amplifier Based Logic, which is a logic style with signal-independent power consumption that is capable of protecting security devices such as Smart Cards against power attacks. Experimental results show that utilization of advanced circuit techniques saves 20% in power consumption and 63% in peak supply current, and that the logic style preserves the energy masking behavior.
2004
EPRINT
Synthesis of Secure FPGA Implementations
Kris Tiri, Ingrid Verbauwhede
This paper describes the synthesis of Dynamic Differential Logic to increase the resistance of FPGA implementations against Differential Power Analysis. The synthesis procedure is developed and a detailed description is given of how EDA tools should be used appropriately to implement a secure digital design flow. Compared with an existing technique to implement Dynamic Differential Logic on FPGA, the technique saves a factor 2 in slice utilization. Experimental results also indicate that a secure version of the AES encryption algorithm can now be implemented with a mere 50% increase in time delay and 90% increase in slice utilization when compared with a normal non-secure single ended implementation.
2003
CHES
2001
CHES
1987
EUROCRYPT

Program Committees

Eurocrypt 2017
Asiacrypt 2017
CHES 2016
CHES 2014
CHES 2008
CHES 2007 (Program chair)
CHES 2006
CHES 2005
CHES 2003

Coauthors

Josep Balasch (3)
Zhenzhen Bao (1)
Lejla Batina (4)
Jose Maria Bermudo Mera (2)
Begül Bilgin (2)
Andrey Bogdanov (1)
Donald Donglong Chen (1)
Ray C. C. Cheung (1)
Kai-Hsin Chuang (1)
Amitabh Das (3)
Robin Degraeve (1)
Jeroen Delvaux (3)
Vassil S. Dimitrov (2)
Sylvain Duquesne (1)
Jan-Pieter D’Anvers (2)
Junfeng Fan (5)
Andrea Fantini (1)
Sebastian Faust (1)
Santosh Ghosh (2)
Benedikt Gierlichs (8)
Guido Groeseneken (1)
Johann Großschädl (3)
Milos Grujic (1)
Dawu Gu (3)
Jorge Guajardo (1)
Nicolas Guillermin (1)
Qian Guo (1)
Xu Guo (1)
Anthony Van Herrewege (2)
Matthias Hiller (2)
Alireza Hodjat (2)
Frank Hoornaert (1)
Zhi Hu (1)
David Hwang (2)
Kimmo U. Järvinen (4)
Thomas Johansson (1)
Dusko Karaklajic (1)
Angshuman Karmakar (3)
Stefan Katzenbeisser (1)
Tim Kerins (1)
Howon Kim (2)
Miroslav Knezevic (1)
Ünal Koçabas (1)
Amit Kumar (2)
Suparna Kundu (1)
Henry Kuo (1)
Bo-Cheng Lai (1)
Gregor Leander (1)
Zhenqi Li (2)
Dongdai Lin (1)
Dimitri Linten (1)
Zhe Liu (3)
Pieter Maene (1)
Roel Maes (2)
Hugo De Man (1)
Bart Mennink (1)
Nele Mentens (4)
Jose M. Bermudo Mera (1)
Nicky Mouha (1)
Svetla Nikova (2)
Alexander Nilsson (1)
Bart Preneel (3)
Oscar Reparaz (9)
Vincent Rijmen (1)
Sujoy Sinha Roy (11)
Vladimir Rozic (2)
Ahmad-Reza Sadeghi (1)
Kazuo Sakiyama (1)
Patrick Schaumont (2)
Dries Schellekens (1)
Hwajeong Seo (2)
Stefaan Seys (1)
Dave Singelée (1)
Kris Tiri (5)
Deniz Toz (1)
Pim Tuyls (2)
Michiel Van Beirendonck (1)
Joos Vandewalle (1)
Kerem Varici (1)
Frederik Vercauteren (8)
Christian Wachsmann (1)
Husen Wang (1)
Dai Watanabe (1)
Bohan Yang (2)
Shenglin Yang (1)
Gavin Xiaoxu Yao (1)
Meng-Day (Mandel) Yu (2)
Wentao Zhang (1)
Bin Zhang (2)