Muhamadali Hajisoltani; Raziyeh Salarifard; Hadi Soleimany
Abstract
Masking techniques are used to protect the hardware implementation of cryptographic algorithms against side-channel attacks. Reconfigurable hardware, such as FPGA, is an ideal target for the secure implementation of cryptographic algorithms. Due to the restricted resources available to the reconfigurable ...
Read More
Masking techniques are used to protect the hardware implementation of cryptographic algorithms against side-channel attacks. Reconfigurable hardware, such as FPGA, is an ideal target for the secure implementation of cryptographic algorithms. Due to the restricted resources available to the reconfigurable hardware, efficient secure implementation is crucial in an FPGA. In this paper, a two-share threshold technique for the implementation of AES is proposed. In continuation of the work presented by Shahmirzadi et al. at CHES 2021, we employ built-in Block RAMs (BRAMs) to store component functions. Storing several component functions in a single BRAM may jeopardize the security of the implementation. In this paper, we describe a sophisticated method for storing two separate component functions on a single BRAM to reduce area complexity while retaining security. Out design is well suited for FPGAs, which support both encryption and decryption. Our synthesis results demonstrate that the number of BRAMs used is reduced by 50% without affecting the time or area complexities.
Vahid Meraji; Hadi Soleimany
Abstract
Numerous studies have been conducted to present new attacks using the time difference between the processor access to main memory and cache memory. Access-driven attacks are a series of cache-based attacks using fewer measurement samples to extract sensitive key values due to the ability of the attacker ...
Read More
Numerous studies have been conducted to present new attacks using the time difference between the processor access to main memory and cache memory. Access-driven attacks are a series of cache-based attacks using fewer measurement samples to extract sensitive key values due to the ability of the attacker to evict or access cache lines compared to the other attacks based on this feature. In the access-driven attacks, the attacker frequently needs to evict or reload data from the cache memory before or after performing the targeted cryptosystem which requires the knowledge about the virtual or physical addresses. Knowledge of address offset for the corresponding data blocks in cryptographic libraries is a prerequisite for an adversary to reload or evict cache lines in Intel processors. Preventing the access of attackers to the address offsets can potentially be a countermeasure to mitigate access-driven attacks. In this paper, we demonstrate how to perform the Evict+Time attack on Intel x86 CPUs without any privilege of knowing address offsets.
Milad Seddigh; Hadi Soleimany
Abstract
In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used ...
Read More
In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementation of AES have been proposed in the literature which requires a notable number of encryptions. In this paper, we present a technique to enhance the Flush+Reload attack on AES in the ciphertext-only scenario by significantly reducing the number of needed encryptions in both native and cross-VM setups. In this paper, we focus on finding the wrong key candidates and keep the right key by considering only the cache miss event. Our attack is faster than previous Flush+Reload attacks. In particular, our method can speed-up the Flush+Reload attack in cross-VM environment significantly. To verify the theoretical model, we implemented the proposed attack.
F. Moazami; A.R. Mehrdad; H. Soleimany
Abstract
Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 ...
Read More
Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round ID characteristic by utilizing a miss-in-the-middle-approach. We then present several cryptanalysis based upon the 4.5 rounds distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity.