Author

Mengce Zheng

Bio: Mengce Zheng is an academic researcher from University of Science and Technology of China. The author has contributed to research in topics: Side channel attack & Cryptosystem. The author has an h-index of 4, co-authored 24 publications receiving 44 citations. Previous affiliations of Mengce Zheng include Zhejiang Wanli University & University of Tokyo.

Papers
Journal ArticleDOI
19 Jun 2020
TL;DR: A novel Cross Entropy Ratio (CER) metric is proposed, which is closely related to the traditional side channel metrics Guessing Entropy and Success Rate and fits the deep learning scenario, and it is shown that it works stably while deep learning metrics such as accuracy become rather unreliable when the training data tends to be imbalanced.
Abstract: Since Kocher (CRYPTO'96) proposed the timing attack, side channel analysis (SCA) has shown great potential to break cryptosystems via physical leakage. Recently, deep learning techniques are widely used in SCA and show equivalent and even better performance compared to traditional methods. However, it remains unknown why and when deep learning techniques are effective and efficient for SCA. Masure et al. (IACR TCHES 2020(1):348–375) illustrated that the deep learning paradigm is suitable for evaluating implementations against SCA from a worst-case scenario point of view, yet their work is limited to balanced data and a specific loss function. Besides, deep learning metrics are not consistent with side channel metrics. In most cases, they are deceptive in foreseeing the feasibility and complexity of mounting a successful attack, especially for imbalanced data. To mitigate the gap between deep learning metrics and side channel metrics, we propose a novel Cross Entropy Ratio (CER) metric to evaluate the performance of deep learning models for SCA. CER is closely related to the traditional side channel metrics Guessing Entropy (GE) and Success Rate (SR) and fits the deep learning scenario. Besides, we show that it works stably while deep learning metrics such as accuracy become rather unreliable when the training data tends to be imbalanced. However, estimating CER can be done as easily as natural metrics in deep learning algorithms with low computational complexity. Furthermore, we adapt the CER metric to a new kind of loss function, namely the CER loss function, designed specifically for deep learning in the side channel scenario. In this way, we link the SCA objective directly to deep learning optimization. Our experiments on several datasets show that, for SCA with imbalanced data, the CER loss function outperforms the Cross Entropy loss function in various conditions.

40 citations

Posted Content
TL;DR: This paper investigates the architecture of Residual Network and builds a new CNN model called attention network, introduces an attention mechanism - Convolutional Block Attention Module (CBAM) - and incorporates CBAM into the CNN architecture, and shows that the attention network has a better performance than the ASCAD network.
Abstract: In recent years, the convolutional neural networks (CNNs) have received a lot of interest in the side-channel community. The previous work has shown that CNNs have the potential of breaking the cryptographic algorithm protected with masking or desynchronization. Before, several CNN models have been exploited, reaching the same or even better level of performance compared to the traditional side-channel attack (SCA). In this paper, we investigate the architecture of Residual Network and build a new CNN model called attention network. To enhance the power of the attention network, we introduce an attention mechanism - Convolutional Block Attention Module (CBAM) - and incorporate CBAM into the CNN architecture. CBAM points out the informative points of the input traces and makes the attention network focus on the relevant leakages of the measurements. It is able to improve the performance of the CNNs, because the irrelevant points will introduce extra noise and cause a worse performance of attacks. We compare our attention network with the one designed for the masked AES implementation called ASCAD network in this paper. We show that the attention network has a better performance than the ASCAD network. Finally, a new visualization method, named Class Gradient Visualization (CGV), is proposed to recognize which points of the input traces have a positive influence on the predicted result of the neural networks. In another aspect, it can explain why the attention network is superior to the ASCAD network. We validate the attention network through extensive experiments on four public datasets and demonstrate that the attention network is efficient in different AES implementations.

10 citations

Journal ArticleDOI
TL;DR: In this article, the authors proposed a quantum designated verifier signature (QDVS) scheme without entanglement for E-voting applications, which only involves the quantum processing part of the underlying quantum key distribution (QKD) to generate correlated key strings.
Abstract: Although most of the quantum signatures can be verified by a designated receiver, they do not match the classical designated verifier signature since an indistinguishable signature cannot be efficiently simulated. To adapt quantum signatures in specific environments like E-voting and E-bidding, several quantum designated verifier signature (QDVS) schemes have been proposed. However, it is still too complicated and infeasible to implement existing QDVS schemes in practice. In this paper, we propose a practical QDVS scheme without entanglement for E-voting applications. It only involves the quantum processing part of the underlying quantum key distribution (QKD) to generate correlated key strings, which protects the communication against potential eavesdroppers. The proposed scheme can be easily and efficiently deployed over the existing QKD network without complicated quantum operations. We further show that our QDVS scheme satisfies the required main security requirements and has the capability against several common attacks.

8 citations

Journal ArticleDOI
TL;DR: A new cryptanalytic method is proposed to attack this RSA variant when given two pairs of public and private exponents, namely \((e_1, d_1)\) and \((e_2, d_2)\) with the same modulus \(N\).
Abstract: In this paper, we consider a variant of RSA schemes called Prime Power RSA with modulus \(N = p^r q\) for \(r \ge 2\), where \(p, q\) are of the same bit-size. May showed in PKC 2004 that when the private exponent \(d < N^{\frac{r}{(r+1)^2}}\) or \(d < N^{\left(\frac{r-1}{r+1}\right)^2}\), \(N\) can be factored in polynomial time. Later in 2014, Sarkar improved the bound for \(r \le 5\). We propose a new cryptanalytic method to attack this RSA variant when given two pairs of public and private exponents, namely \((e_1, d_1)\) and \((e_2, d_2)\) with the same modulus \(N\). Suppose that we know \(d_1 < N^{\delta_1}\) and \(d_2 < N^{\delta_2}\). Our results show that when \(\delta_1 \delta_2 < \left(\frac{r-1}{r+1}\right)^3\), Prime Power RSA is insecure.

7 citations

Book ChapterDOI
07 May 2018
TL;DR: The standard RSA scheme has been extended to the following variants with a modified Euler quotient, which in turn indicates the modified key equation \(ed\equiv 1\pmod {\omega (N)}\).
Abstract: The standard RSA scheme provides the key equation \(ed\equiv 1\pmod {\varphi (N)}\) for \(N=pq\), where \(\varphi (N)=(p-1)(q-1)\) is the Euler quotient (or Euler's totient function), and e and d are the public and private keys, respectively. It has been extended to the following variants with the modified Euler quotient \(\omega (N)=(p^2-1)(q^2-1)\), which in turn indicates the modified key equation \(ed\equiv 1\pmod {\omega (N)}\).

6 citations


Cited by
Journal ArticleDOI
Rong Gao, Jing Li, Xuefei Li, Chengfang Song, Yifei Zhou
TL;DR: Experimental results show that GeoEISo provides significantly superior performance compared to other state-of-the-art POI recommendation models; it develops a unified geo-social framework which combines users' preference on a POI with the geographical influence as well as social correlations.

54 citations

Posted Content
TL;DR: In this article, the authors proposed two lattice-based password-authenticated key exchange (PAKE) protocols based on the ring-learning-with-errors (RLWE) assumption, and exploited the additive structure of the underlying ring.
Abstract: Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over an insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in play share a simple password, which is cheap and human-memorable and is used to achieve the authentication. PAKEs are practically relevant as these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Theoretically, PAKEs allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this paper, we apply the recently proposed technique introduced in [19] to construct two lattice-based PAKE protocols enjoying a very simple and elegant design that is a parallel extension of the class of Random Oracle Model (ROM)-based protocols \(\mathsf {PAK}\) and \(\mathsf {PPK}\) [13, 41], but in the lattice-based setting. The new protocol resembling \(\mathsf {PAK}\) is three-pass, and provides mutual explicit authentication, while the protocol following the structure of \(\mathsf {PPK}\) is two-pass, and provides implicit authentication. Our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption, and exploit the additive structure of the underlying ring. They have a comparable level of efficiency to \(\mathsf {PAK}\) and \(\mathsf {PPK}\), which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are both efficient and practical. We believe they are suitable quantum-safe replacements for \(\mathsf {PAK}\) and \(\mathsf {PPK}\).

50 citations

Journal ArticleDOI
TL;DR: This work dissects deep learning-based side-channel attacks according to the different phases they can be used in and map those phases to the efforts conducted so far in the domain, identifying the weaknesses and challenges that triggered the known open problems.
Abstract: Side-channel attacks represent a realistic and serious threat to the security of embedded devices for already almost three decades. A variety of attacks and targets they can be applied to have been introduced, and while the area of side-channel attacks and their mitigation is very well-researched, it is yet to be consolidated. Deep learning-based side-channel attacks entered the field in recent years with the promise of more competitive performance and enlarged attackers’ capabilities compared to other techniques. At the same time, the new attacks bring new challenges and complexities to the domain, making the systematization of knowledge (SoK) even more critical. We first dissect deep learning-based side-channel attacks according to the different phases they can be used in and map those phases to the efforts conducted so far in the domain. For each phase, we identify the weaknesses and challenges that triggered the known open problems. We also connect the attacks to the threat models and evaluate their advantages and drawbacks. Finally, we provide a number of recommendations to be followed in deep learning-based side-channel attacks.

29 citations

Journal Article
TL;DR: This paper presents a general framework for password-based authenticated key exchange protocols, in the common reference string model, based on the recently introduced notion of smooth projective hashing by Cramer and Shoup, and obtains a modular protocol that can be described using just three high-level cryptographic tools.
Abstract: In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security. Second, our proof of security is significantly simpler and more modular. Third, we are able to derive analogues to the Katz et al. protocol under additional cryptographic assumptions. Specifically, in addition to the DDH assumption used by Katz et al., we obtain protocols under both the Quadratic and N-Residuosity assumptions. In order to achieve this, we construct new smooth projective hash functions.

24 citations

Posted Content
TL;DR: In this paper, a two-round password-based authenticated key exchange (PAKE) framework was presented, based on CCA-secure PKE with approximate smooth projective hashing (ASPH).
Abstract: Password-based authenticated key exchange (PAKE) enables two users with shared low-entropy passwords to establish cryptographically strong session keys over insecure networks. At Asiacrypt 2009, Katz and Vaikuntanathan showed a generic three-round PAKE based on any CCA-secure PKE with associated approximate smooth projective hashing (ASPH), which helps to obtain the first PAKE from lattices. In this paper, we give a framework for constructing PAKE from CCA-secure PKE with associated ASPH, which uses only two-round messages by carefully exploiting a splittable property of the underlying PKE and its associated non-adaptive ASPH. We also give a splittable PKE with associated non-adaptive ASPH based on the LWE assumption, which finally allows us to instantiate our two-round PAKE framework from lattices.

24 citations