There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality.

Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

I and i

National Institute of Standards and Technology における超伝導研究及び生活

We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures for mitigating such attacks.

/pdf/cache-attacks-and-countermeasures-the-case-of-aes-4r1moh4qcv.pdf

Cache attacks and Countermeasures: the Case of AES.

Cache attacks and countermeasures: the case of AES

ONAG, as the book is commonly known, is one of those rare publications that sprang to life in a moment of creative energy and has remained influential for over a quarter of a century. Originally written to define the relation between the theories of transfinite numbers and mathematical games, the resulting work is a mathematically sophisticated but eminently enjoyable guide to game theory. By defining numbers as the strengths of positions in certain games, the author arrives at a new class, the surreal numbers, that includes both real numbers and ordinal numbers. These surreal numbers are applied in the author's mathematical analysis of game strategies. The additions to the Second Edition present recent developments in the area of mathematical game theory, with a concentration on surreal numbers and the additive theory of partizan games.

On numbers and games, by J. H. Conway. Pp ix, 238. £6·50. 1976. SBN 0 12 186350 6 (Academic Press)

During the last years, several masking schemes for AES have been proposed to secure hardware implementations against DPA attacks. In order to investigate the effectiveness of these countermeasures in practice, we have designed and manufactured an ASIC. The chip features an unmasked and two masked AES-128 encryption engines that can be attacked independently.

In addition to conventional DPA attacks on the output of registers, we have also mounted attacks on the output of logic gates. Based on simulations and physical measurements we show that the unmasked and masked implementations leak side-channel information due to glitches at the output of logic gates. It turns out that masking the AES S-Boxes does not prevent DPA attacks, if glitches occur in the circuit.

/pdf/successfully-attacking-masked-aes-hardware-implementations-88stha8iyu.pdf

Successfully attacking masked AES hardware implementations

So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware.

Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF(4). In this field, the inversion is a linear operation and therefore it is easy to mask.

Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.

/pdf/a-side-channel-analysis-resistant-description-of-the-aes-s-5f4orkf8yi.pdf

A side-channel analysis resistant description of the AES s-box

This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al We show the limits of applying techniques known so far to SHA-256 Next we introduce a new type of perturbation vector which circumvents the identified limits This new technique is then applied to the unmodified SHA-256 Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security

Analysis of step-reduced SHA-256

In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.

/pdf/exploiting-coding-theory-for-collision-attacks-on-sha-1-57q26lql6t.pdf

Exploiting coding theory for collision attacks on SHA-1

In this article, we present two AES hardware architectures: one for ASICs and one for FPGAs. Both architectures utilize the similarities of encryption and decryption to provide a high throughput using only a relatively small area. The presented architectures can be used in a wide range of applications. The architecture for ASIC implementations is suited for full-custom as well as for semi-custom design flows. The architecture for the FPGA implementation does not require on-chip block RAMs and can therefore even be used for low-cost FPGAs.

Norbert Pramstaller

Papers

Successfully attacking masked AES hardware implementations

A side-channel analysis resistant description of the AES s-box

Analysis of step-reduced SHA-256

Exploiting coding theory for collision attacks on SHA-1

Efficient AES implementations on ASICs and FPGAs