Search

Publications

● SECURE-IC AT APEMC 2013, ,20-23 May 2013, Melbourne Australia.

On Tuesday afternoon, 21 May 2013, Secure-IC's scientific advisor Laurent Sauvage will chair the brand new session "ElectroMagnetic Information Leakage" of the Asia - Pacific International Symposium and Exhibition on Elelctromagnetic Compatibility 2013. Talks will be given about recent researches, attacks on TRNG, ElectroMagnetic Fault Injection, Power Current Modeling.

● ISIT 2013 paper: "Multiply Constant Weight Codes", July 7-11, 2013, Istanbul, Turkey.

The function M(m,n,d,w), the largest size of an unrestricted binary code made of m by n arrays, with constant row weight w, and minimum distance d is introduced and compared to the classical functions of combinatorial coding theory A_q(n,d) and A(n,d,w).
The analogues for systematic codes of A(n,d) and A(n,d,w) are introduced apparently for the first time.
An application to the security of embedded systems is given:
these codes happen to be efficient challenges for physically unclonable functions.

● HASP 2013 papers: "Side-Channel Indistinguishability" and "Evaluation of Delay PUFs on CMOS 65 nm Technology: ASIC vs FPGA", June 23-27, 2013, Tel Aviv, Israël.

The first paper illustrates how masking schemes can be used to refrain high-order side-channel attacks. The second paper shows that ASIC-based PUFs are more reliable than FPGA-based PUFs.

● COSADE'2013, paper "Fault Attacks on Projective-to-Affine Coordinates Conversion", March 7-8, 2013, Paris, France

At EUROCRYPT 2004, Naccache, Smart and Stern showed that when the result of an elliptic curve scalar multiplication [k]P is given in projective coordinates, an attacker can recover information on k. The attack is somewhat theoretical, because elliptic curve cryptosystems implementations usually convert scalar multiplication's result back to affine coordinates before outputting [k]P. This paper explains how injecting faults in the final projective-to-affine coordinate conversion enables an attacker to retrieve the projective coordinates of [k]P, making Naccache et al.'s attack also applicable to implementations that output points in affine coordinates. As a result, such faults allow the recovery of information about k.

● JCEN'2013 : article "From cryptography to hardware: analyzing and protecting embedded Xilinx BRAM for cryptographic applications", (Volume 3, Number 2). Extended version of the HASP'2012 conference paper, with a novel countermeasure (random register precharge for the sensible variable at the output of the BRAM) applied to the AES and its theoretical & practical analysis.

● INDOCRYPT'2012, paper "Leakage Squeezing of Order Two", December 9-12, 2012, Kolkata, West Bengal, India.

The technique of leakage squeezing consists in applying tools from the coding theory to attenuate the leakage of sensitive variables manipulated by cryptographic circuits. It was previously known that in the case of byte-oriented ciphers (e.g. the AES), the leakage squeezing manages to improve the order of security from 1 to 5. We describe in this paper how to reach security order 7 with the leakage squeezing of order two. Basically the rationale is to trade rate-1/2 codes for more efficient rate-1/3 codes. The protection requests computations with 3 shares instead of 2, i.e. a limited overhead that is already considered affordable in high-security implementations.

● IEEE HASP'2012, twain papers entitled "From Cryptography to Hardware: Analyzing Embedded Xilinx BRAM for Cryptographic Applications" and "Wavelet Transform Based Pre-processing for Side Channel Analysis", December 2, 2012, Vancouver, British Columbia, Canada

The first paper discloses that the weakness of embedded memories (called Block RAM, or BRAM) results from the leakage at their output. Indeed, the input of the BRAM is latched very close to the memory array, resulting in a minimal side-channel leakage. At the opposite, the output goes on the routing networks that is known to be extremely leaky. Therefore, in the context of optimized FPGA applications that make an extensive use of BRAM, the leakage models are not the canonical ones; this paper describes and discusses them in great details. The overall conclusion is that not only sensitive variables but also the resources that carry them shall be considered in the design and the evaluation of secure embedded cryptography.

The second paper explains how the spectral analysis with wavelets can benefit both the designer and the evaluator of cryptographic systems subject to side-channel analyses. Wavelets allow for a time-frequency 2D-space exploration of side-channel measurements (typically thanks to a graphical tool named "scalogram"). Basically, wavelets can be used for various tasks, e.g. to pre-process, filter and even distinguish between leakage traces. This signal processing tool has thus interesting features that ought to be known by the security community in general.

● CARDIS'2012, paper "Low-Cost Countermeasure against RPA", November 28-30, 2012, Graz, Austria.

Considering ECCs implementations, Refined Power Analysis (RPA) is a common vulnerability, for example on smart-cards. This side channel attack takes advantage of the apparition of special points of the form (0, y). In this talk, we present a way to thwart this attack. The countermeasure is based on co-Z formulae and an extension of the curve isomorphism countermeasure. The basic idea is to transform the base point P = (x, y) into a base point P' = (0, y') which, with -P', are the only points with a zero X-coordinate. In such case, the RPA cannot be applied. Moreover and, last but not least, the cost of this countermeasure is very low compared to other countermeasures against RPA.

● ICICS'2012, paper "Comparison between Side Channel Analysis Distinguishers", October 29-31, 2012, Hong-Kong.

This paper has two contributions. First of all, it presents a novel framework to fairly compare side-channel leakage metrics. It allows to get rid of estimators' bias, effects of imperfect estimation algorithms, success rate uncertainty, and sampling methods errors. Second, a new family of distinguishers is proposed: they operate between classes instead of simply by a comparison of individual class inner properties. As termed in the article, those distinguishers use the "inter-class" vs "per-class" paradigm.

● PROOFS'2012, paper "A formal study of two physical countermeasures against side channel attacks", September 13, 2012, Leuven, Belgium.

It is today customary, if not mandatory, to have cryptographic implementations protected against physical attacks. Specifically, side-channel analysis (i.e. SCA) and fault injection attacks (FIA) shall be thwarted carefully. Now, it is of utmost importance that the insertion of the countermeasure do not open new vulnerabilities. Typically, the countermeasure shall not alter the functionality and shall be implemented exhaustively (on all the resources) and in a way that ensures that it indeed protects efficiently against the identified threats. Formal methods allow to prove that these two goals (equivalence and property checking) are met. In this talk, Sébastien Briais, senior engineer in formal methods at Secure-IC, explains the methodology for these proofs, based on a case-study in COQ. Two countermeasures against SCA and FIA, namely WDDL and BCDL, are analyzed. Their source-to-source transformation is proved correct, and several properties are shown. Typically, WDDL and BCDL can be proved glitch-free, but only BCDL is early precharge immune.

Nota bene: An extended version of this article with more detailed COQ source code examples has appeared in the Journal of Cryptographic ENgineering (JCEN, Springer): http://link.springer.com/article/10.1007%2Fs13389-013-0054-6.

● CHES'2012, paper "3D Hardware Canaries", September 10-12, 2012, Leuven, Belgium.

Some resources in secure elements are more sensitive than others. Amongst them, attackers will of course focus on the registers that store the secure keys.Those demand a specially careful design, which is the topic of this talk. Taking advantage of the multiplicity of metal levels in recent nanometric CMOS processes, and of dies packing (so-called 3D system-in-package technology), we show how to surround the sensitive resource by a seamless serpentine. It conveys random data that are regularly checked for integrity, thanks to appropriate message authentication codes. Several prototypes have been designed, amongst them one is in 0.13 micron CMOS technology.

● FDTC'2012, paper "Random Active Shield", September 9, 2012, Leuven, Belgium.

Micro-probing with test stations and circuit modification with focused ion beams are examples of invasive attacks that can target electronic circuits containing secret information. They bring to the attacker a serious advantage, especially if the design implementation can be read simply by looking at its layout. To protect the hardware, several techniques can be envisioned. One option is to deceive the attacker by embedding only low-value, ephemeral, or masked secrets, that can also for instance move randomly in the circuit. Another option consists in preventing any tampering by surrounding the chip with several fences, called a ``shield''. In this paper, scientific advisor Sylvain Guilley uncovers a new shielding method that is virtually impossible to bypass. Indeed, first of all, the shield is active, which means that it is used to circulate random datum, that is expected to arrive untouched after its journey. Further, the shield in random, which means that its structure is so complicated to unravel that any modification by an attacker will basically be blind and is thus doomed to change its topology: therefore alterations are necessarily detected.

● DSD'2012, paper "An Easy-to-Design PUF based on a Single Oscillator: the Loop PUF", September 5-8, 2012, Çeşme, Izmir, Turkey.

This paper presents an easy to design Physically Unclonable Function (PUF). The proposed PUF implementation is a loop composed of N identical and controllable delay chains which are serially assembled in a loop to create a single ring oscillator. The frequency discrepancies resulting from the oscillator driven by complementary combinations of the delay chains allows to characterize one device. The presented PUF, nicknamed the Loop PUF (LPUF), returns a frequency comparison of loops made of N delay chains (N ≥ 2). The comparisons are done sequentially on the same structure. Unlike others PUFs based on delays, there is no specific routing constraints. Hence the LPUF is particularly flexible and easy to design. The basic use of the Loop PUF is to generate intrinsic device keys for cryptographic algorithms. It can also be used to generate challenge response pairs for simple authentication. Experiments have been carried out on CYCLONE II FPGAs to assess the performance of the LPUF, such as randomness, uniqueness and steadiness. They clearly show both the easiness of design and the quality level of the LPUF. The measurement time vs steadiness, as well as resistance against side-channel and modeling attacks are discussed.

● EMC'2012, paper "A Fault Model for Conducted Intentional ElectroMagnetic Interferences", August 5-10, 2012, Pittsburgh, PA, USA.

● AFRICACRYPT'2012, paper "Optimal First-Order Masking with Linear and Non-Linear Bijections", July 10-12, 2012, Ifrane, Morocco.

Electronic devices that manipulate sensitive data are known to be vulnerable to side-channel attacks, such as electromagnetic leakage analysis. One customary protection consists in injecting some randomness in the computation so as to limit the correlation between the "public" leakage and the "private" assets (cryptographic keys, manufacturer secrets, IDs, PIN codes, biometric data, secret algorithms, etc.). In state-of-the-art setups, using one random number increase by one the attack difficulty, i.e. its order. In this article, we provide for AES, with the "leakage squeezing" technique (that assumes a Hamming distance leakage model), a means to increase the security by four orders (instead of one) simply by encoding the leakage with a well-crafted bijection. For the first time, it is extensively explained how the knowledge about the leakage model can be exploited to optimize the countermeasures' efficiency. This work, presented at AFRICACRYPT'2012 by PhD candidate Houssem Maghrebi, results from a fruitful collaboration between Secure-IC, TELECOM-ParisTech and University Paris 13.

● WISTP'2012, paper "On the Optimality of Correlation Power Attack on Embedded Cryptographic Systems", June 20-22, 2012, Egham, UK.

Youssef Souissi, a post-doctoral student supervised by Jean-Luc Danger and Sylvain Guilley, has characterized the conditions for a correlation power analysis (CPA -- a classical attack in the field of cyberphysical assaults) to be the best strategy for an attacker. It is shown that in practical setups, it can happen that all the conditions for the CPA to be optimal can be met, thereby allowing for the fastest possible attack. Nonetheless, some parts of side-channel traces can be misleading as they cannot be exploited efficiently by CPA, although they might still leak useful information. This secondary side-channel should be analyzed with other tools than those currently used by the industry and the certification bodies, for instance information theoretic metrics.

● InTech book "Electromagnetic Radiation", June 2012, chapter 10, pp. 225-248, ISBN: 978-953-51-0639-5. Chapter entitled "Characterization of the Information Leakage of Cryptographic Devices by Using EM Analysis".

● HOST'2012 poster "Register Leakage Masking Using Gray Code", June 2-3, 2012, Moscone Center, San Francisco, CA, USA.

Scientific advisor Jean-Luc Danger and his PhD student Houssem Maghrebi will be attending the Hardware-Oriented Security and Trust (HOST) 2012 conference. They will present an optimization on a leak-free first-order masking scheme, disclosed at the same in February place during the RSA show. The proposed protection technique thwarts side-channel attacks of any order at a cost that is equal to that of first-order resistant countermeasure of the state-of-the-art. The countermeasure is thus extremely disruptive, in that it allows to reach perfect security against power or electromagnetic attacks, at the expense of no hardware overhead.

● COSADE'2012, paper "Same Values Power Analysis (SVA) using Special Points on Elliptic Curves", May 3-4, 2012, Darmstadt, Germany.

Elliptic Curve Cryptosystems can be vulnerable to side-channel attacks in embedded systems. Cédric Murdica has been invited to present a new attack on Elliptic Curve Cryptosystems at the COSADE 2012 conference. This attack is the first one based on Internal Collision Analysis on ECC implementations with points of high order.

● JCEN'2012 : article "Portability of Templates", (Volume 2, Number 1), pp. 63-74.

● PPREW (workshop of ICISTM'12), paper "System-Level Methods to Prevent Reverse-Engineering, Cloning, and Trojan Insertion" (extended version), March 28-30, 2012, Grenoble, France.

● DATE'2012, paper "RSM: a Small and Fast Countermeasure for AES, Secure against First- and Second-order Zero-Offset SCAs", March 12-16, 2012, Dresden, Germany.

● CT-RSA'2012, twain papers "Towards Different Flavors of Combined Side Channel Attacks" and "A First-Order Leak-Free Masking Countermeasure", February 27 - March 2, 2012, San Francisco, CA, USA.

● JFFoE'2012 : ICT session "Next Generation, Low power, Systems/Smart networks", February 25-28, Kyōto, Japan.

Scientific advisor Sylvain Guilley has been invited at the JFFoE'2012 Franco-Nippon conference to present the French researchers' Know-How on electronic designs security.
In his talk, Sylvain will review the current collaborative projects related to security, within France and also with other partners (such as Japan). The emphasis will then be placed on future challenges the embedded system community faces: as attacks develop and vary, the defense side must adapt accordingly. Formal modeling of the threat and proactive defense are key preventive countermeasures useful in such an uncertain context. But despite the polymorphic nature of the opponent, trustworthy solutions do exist, and simply require more R&D and advances in standardization to spread wider.

● INDOCRYPT'2011, "Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures against Side-Channel Attacks" (presentation slides), December 11-14, 2011, Chennai, India.

It is trivial that more security incurs more cost overheads. But to what extent can security be traded for cost savings? This topic is of special importance in the security market: the objective is to deliver products enjoying the adequate level of security at the best cost. Scientific adviser Sylvain Guilley will be presenting at INDOCRYPT a formal study of security/cost tradeoffs for cryptographic implementations protections based on masking. This is the first study of this kind in the domain; it is especially useful as it is based on sound and realistic metrics for both security and cost.

● ReConFig'2011, "Efficient Dual-Rail Implementations in FPGA using Block RAMs", November 30 - December 2nd 2011, Cancun, Mexico.

● IET-IFS, "Security evaluation of application-specific integrated circuits and field programmable gate arrays against setup time violation attacks", IET Information Security, Vol. 5(4), December 2011.

● WIFS'11, oral presentation "“Re-synchronization by Moments”: an efficient solution to align Side-Channel traces" and poster presentation "A Multiresolution Time-Frequency Analysis Based Side-Channel Attack", November 29 - December 2nd 2011, Foz do Iguaçu, Brazil.

Alignement of electromagnetic or power traces is a critical issue in side-channel analysis.
At WIFS'2011, a new method called "Re-synchronization by Moments" (and known informally as the "RM" method) will be presented to experts in forensics of secure systems.
The RM method is of linear complexity, whereas other correlation-based methods operate in O(n log n) time.
Thus this method is extremely well suited for online resynchronization, which is a decisive advantage for timed fault attack triggering.
At the poster session of the same conference, an optimization in the processing of side-channel traces is also presented. It consists in employing a multiresolution time-frequency analysis, inspired from the wavelets decomposition, a recent research topic in hardware security evaluation.

● HST'11, "Common Framework to Evaluate Modern Embedded Systems against Side-Channel Attacks", November 15-17, 2011. Waltham, MA, USA.

● DASIP'11, "Embedded Systems Security: An Evaluation Methodology Against Side Channel Attacks", (IEEE Signal Processing Society), November 2-4, 2011. Tampere, Finland.

● InfoSecHiComNet'11, "Rank Correction: A New Side-Channel Approach For Secret Key Recovery", October 19-22, 2011. Haldia, Purba Medinipur, West Bengal, India.

● FDTC'11, "Fault Diagnosis and Tolerance in Cryptography" (8th edition), September 28, 2011. Nara, Japan.

● NIAT'11, (program) "Efficient FPGA Implementation of dual-rail countermeasures using Stochastic Models" and "Novel Applications of Wavelet Transforms based Side-Channel Analysis", September 26-27, 2011. Nara, Japan. Secure-IC also takes part to the "tools vendors" round table (presentation).

● e-SMART'11, "Cryptographic protocols resilient to physical level attacks", September 21-23, 2011. Sophia Antipolis, France.

● TrustED'11, "DPL Implementations in FPGA using Embedded BRAM", September 15-16, 2011. Leuven, Belgium.

● EMC'11, "Practical Results of EM Cartography on a FPGA-based RSA Hardware Implementation" and "Identification of Information Leakage Points on a Cryptographic Device with an RSA Processor", at the IEEE International Symposium on Electromagnetic Compatibility (EMC), August 14-19, 2011. Long Beach, CA, USA.

Side channel attacks are powerful techniques for extracting secret keys from cryptographic applications of embedded systems. Best results are obtained by placing a small electromagnetic probe just over areas of an integrated circuit which are leaking the most. To find out such locations, Scientific Advisor Laurent Sauvage has proposed some cartography methods in the past. Whereas they theoretically could locate any part of an integrated circuit, his methods had only been experimentally evaluated against symmetric-key cryptosystems. In this presentation, he will be demonstrating some practical results showing that they are also efficient in locating the RSA crypto processor of a FPGA-based hardware implementation.

● CryptArchi'11, "Smart-SIC Analyzer: the advanced evaluation platform for cryptographic embedded systems", "BCDL Logic design with the best Trade-off Complexity/Robustness" and "Exotic Leakage Models", June 15-18, 2011. Bochum, Ruhr, Germany.

● The book "Security Trends for FPGAS — From Secured to Secure Reconfigurable Systems" is available from Springer (196 pages, ISBN: 978-94-007-1337-6). It is the outcome of the collaborative project "ICTER" (Les technologies reconfigurables - Intégrité et confidentialité des informations), funded by the French ANR.

● SSTIC'11, "Attaque d'implentations cryptographiques par canaux cachés", June 8-10, 2011. Rennes, France.

● HOST'11, "Performance Evaluation of Protocols Resilient to Physical Attacks" (poster) and "Formal Security Evaluation of Hardware Boolean Masking against Second-Order Attacks" (poster), June 5-6, 2011. San Diego, CA, USA.

● WISTP'11, "Leakage Squeezing Countermeasure Against High-Order Attacks" (best paper award), June 1-3, 2011. Heraklion, Greece.

● WISTP'11, "Formal Framework for the Evaluation of Waveform Resynchronization Algorithms", June 1-3, 2011. Heraklion, Greece.

Scientific Advisor Sylvain Guilley will be presenting a formal framework that enables rating of waveforms resynchronization algorithms. These algorithms are employed on a daily basis by security evaluation labs as preliminary step to both fault injection attacks and side-channel attacks. They aim respectively at ensuring that the fault is inserted in a timely manner, and that side-channel measurements are properly aligned. Two state-of-the-art resynchronization algorithms are confronted in terms of efficiency and complexity against unprotected, masked and balanced cryptographic implementations. A third one named "threshold phase-only correlation" is introduced, it fixes some shortcomings and better appears under some experimental conditions.

● DTIS'11, "Vade Mecum on Side-Channels Attacks and Countermeasures for the Designer and the Evaluator", April 6-8, 2011. Athens, Greece.

A special session on hardware security is scheduled at DTIS 2011. Scientific advisor Sylvain Guilley is invited to present the state-of-the-art of side-channel attacks and countermeasures.
The talk consists in a vade mecum, where attacks and countermeasures are classified in formal categories. The adequation between protection techniques and known vulnerabilities is sketched. In particular, masking and hiding -- two competing countermeasures against observation attacks -- are compared in terms of performance and in terms of leakage. A decision diagram is introduced and shows that the most relevant countermeasure depends on the experimental conditions and of the designer skills.

● DATE'11, "Enhancement of Simple Electro-Magnetic Attacks by Pre-characterization in Frequency Domain and Demodulation Techniques", March 14-18, 2011. Grenoble, France.

At DATE this year, Olivier Meynard from Scientific Advisor Jean-Luc Danger's Lab will be doing the above presentation. This work shows that hardware demodulation techniques allow the recording of an electro-magnetic (EM) signal with more information on the leakage than a raw recording. The core contribution of this presentation is a generic and fast method to find out demodulation frequencies. Notably a case study is shown where only demodulated signal permits to defeat RSA with one single measurement. Furthermore the outcome of these results demonstrates that both unintentional and direct EM emanations can be exploited.

● COSADE'11, "Quantifying the Quality of Side Channel Acquisitions", February 24-25, 2011. Darmstadt, Germany.

Scientific Advisor Jean-Luc Danger will be presenting at the COSADE international workshop a practice-oriented methodology to quantifify the quality of side-channel measurement campaigns. Up to now, comparing acquisitions garnered from different setups was indeed an open question. In his talk Prof. Jean-Luc Danger will be providing the theoretical tools and experimental results to unravel this plot.

● COSADE'11, "Time Samples Correlation Attack", February 24-25, 2011. Darmstadt, Germany.

● COSADE'11, "Software Implementation of Dual-Rail Representation", February 24-25, 2011. Darmstadt, Germany.

● ReConFig'10, "Cross-Correlation Cartography", December 13-15 2010, Cancún, Quintana Roo, México.

Based on an innovative cross-correlation technique, Scientific Advisor Laurent Sauvage presented a new EM cartography method at the 2010 International Conference on ReConFigurable Computing and FPGAs. This preliminary characterization makes it possible to fine-tune subsequent EMA (ElectroMagnetic Analysis) or EMI (ElectroMagnetic Injection) attacks.

● ReConFig'10, "Evaluation of white-box and grey-box Noekeon implementations in FPGA", December 13-15 2010, Cancún, Quintana Roo, México.

● ICISC'10, "First Principal Components Analysis: A New Side Channel Distinguisher", December 1-3, 2010, Seoul, Korea.

● ESWEEK'10 / WESS'10, "Countering Early Evaluation: An Approach Towards Robust Dual-Rail Precharge Logic", October 24-28, 2010.

● InsCrypt'10, "Characterization of the Electro-Magnetic Side Channel in Frequency Domain", October 2010, Shanghai, China.

● IJRC'10, "Exploiting Dual-Output Programmable Blocks to Balance Secure Dual-Rail Logics", October 2010.

● DATE'10 in track A4 (Dresden, Germany): Twain presentations entitled "BCDL: A High Performance Balanced DPL with Global Precharge and Without Early Evaluation" and "Far Correlation-based EMA with a precharacterized leakage model".●