Papers by François-Xavier Standaert
Efficient FPGA Implementations of Block Ciphers KHAZAD and MISTY1
The technical analysis used in determining which of the NESSIE candidates will be selected as a standard block cipher includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms, and this report investigates the significance of FPGA implementations of
A Cryptanalytic Time-Memory Tradeoff: First FPGA Implementation
Field-Programmable Logic and Applications, 2002
A cryptanalytic time-memory tradeoff allows the cryptanalysis of any N-key symmetric cryptosystem in O(N^{2/3}) operations with O(N^{2/3}) storage, if a precomputation of O(N) operations has been done in advance. This procedure is well known but did not lead to any realistic ...
A Design Methodology for Secured ICs Using Dynamic Current Mode Logic
Lecture Notes in Computer Science, 2005
Abstract. This paper presents principles and concepts for the secured design of cryptographic ICs. In order to achieve a secure implementation of those structures, we propose to use a Binary Decision Diagrams (BDDs) approach to design and determine the most secured ...
Simpler and More Efficient Rank Estimation for Side-Channel Security Assessment
Lecture Notes in Computer Science, 2015
LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations
Lecture Notes in Computer Science, 2015

Lecture Notes in Computer Science, 2008
The power consumption and electromagnetic radiation are among the most extensively used side-channels for analyzing physically observable cryptographic devices. This paper tackles three important questions in this respect. First, we compare the effectiveness of these two side-channels. We investigate the common belief that electromagnetic leakages lead to more powerful attacks than their power consumption counterpart. Second, we study the best combination of the power and electromagnetic leakages. A quantified analysis based on sound information theoretic and security metrics is provided for these purposes. Third, we evaluate the effectiveness of two data dimensionality reduction techniques for constructing subspace-based template attacks. Selecting automatically the meaningful time samples in side-channel leakage traces is an important problem in the application of template attacks, and it usually relies on heuristics. We show how classical statistical tools such as Principal Component Analysis and Fisher Linear Discriminant Analysis can be used for efficiently preprocessing the leakage traces.
A Comparative Cost/Security Analysis of Fault Attack Countermeasures
Lecture Notes in Computer Science, 2006
Abstract. Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. To protect cryptographic implementations (e.g. of the recent ...
Systematic Construction and Comprehensive Evaluation of Kolmogorov-Smirnov Test Based Side-Channel Distinguishers
Lecture Notes in Computer Science, 2013

Lecture Notes in Computer Science, 2012
Leakage-resilient constructions have attracted significant attention over the last couple of years. In practice, pseudorandom functions are among the most important such primitives, because they are stateless and do not require a secure initialization as, e.g., stream ciphers do. However, their deployment in actual applications is still limited by security and efficiency concerns. This paper contributes to solving these issues in two directions. On the one hand, we highlight that the condition of bounded data complexity, which is guaranteed by previous leakage-resilient constructions, may not be enough to obtain practical security. We show experimentally that, if implemented in an 8-bit microcontroller, such constructions can actually be broken. On the other hand, we present tweaks for tree-based leakage-resilient PRFs that improve their efficiency and their security by taking advantage of parallel implementations. Our security analyses are based on worst-case attacks in a noise-free setting and suggest that, under reasonable assumptions, the side-channel resistance of our construction grows super-exponentially with a security parameter that corresponds to the degree of parallelism of the implementation. In addition, they show that standard DPA attacks are not the most relevant tool for evaluating such leakage-resilient constructions and may lead to overestimated security. As a consequence, we investigate more sophisticated tools based on lattice reduction, which turn out to be powerful in the physical cryptanalysis of these primitives. Finally, we point out that the AES is not perfectly suited for integration in a leakage-resilient design. This observation raises interesting challenges for developing block ciphers with better properties regarding leakage-resilience.

Unified and optimized linear collision attacks and their application in a non-profiled setting: extended version
Journal of Cryptographic Engineering, 2013
Side-channel collision attacks are one of the most investigated techniques allowing the combination of mathematical and physical cryptanalysis. In this paper, we discuss their relevance in the security evaluation of leaking devices with two main contributions. On one hand, we suggest that the exploitation of linear collisions in block ciphers can be naturally re-written as a Low Density Parity Check Code decoding problem. By combining this re-writing with a Bayesian extension of the collision detection techniques, we improve the efficiency and error tolerance of previously introduced attacks. On the other hand, we provide various experiments in order to discuss the practicality of such attacks compared to standard differential power analysis (DPA). Our results show that collision attacks are less efficient in classical implementation contexts, e.g. 8-bit microcontrollers leaking according to a linear power consumption model. We also observe that the detection of collisions in software devices may be difficult in the case of optimized implementations, because of less regular assembly code. Interestingly, the soft decoding approach is particularly useful in these more challenging scenarios. Finally, we show that there exist (theoretical) contexts in which collision attacks succeed in exploiting leakages, whereas all other non-profiled side-channel attacks fail.
Efficient Selection of Time Samples for Higher-Order DPA with Projection Pursuits
Lecture Notes in Computer Science, 2015

Lecture Notes in Computer Science, 2007
We propose to apply an information theoretic metric to the evaluation of side-channel resistant logic styles. Due to the long design and development time required for the physical evaluation of such hardware countermeasures, our analysis is based on simulations. Although they do not aim to replace the need for actual measurements, we show that simulations can be used as a meaningful first step in the validation chain of a cryptographic product. For illustration purposes, we apply our methodology to gate-level simulations of different logic styles and stress that it allows a significant improvement of the previously considered evaluation methods. In particular, our results allow putting forward the respective strengths and weaknesses of actual countermeasures and determining to which extent they can practically lead to secure implementations (with respect to a noise parameter), if adversaries were provided with simulation-based side-channel traces. Most importantly, the proposed methodology can be straightforwardly adapted to adversaries provided with any other kind of leakage traces (including physical ones).
Multi-trail Statistical Saturation Attacks
Lecture Notes in Computer Science, 2010
How Leaky Is an Extractor?
Lecture Notes in Computer Science, 2010
Side-Channel Analysis and Its Relevance to Fault Attacks
Information Security and Cryptography, 2012
Design strategies and modified descriptions to optimize cipher FPGA implementations
Proceedings of the 2003 ACM/SIGDA eleventh international symposium on Field programmable gate arrays - FPGA '03, 2003
Abstract. We propose a new mathematical DES description that allows optimized implementations. It also provides the best DES and triple-DES FPGA implementations known in terms of throughput/area ratio, where area means the number of FPGA slices ...
A methodology to implement block ciphers in reconfigurable hardware and its application to fast and compact AES RIJNDAEL
Proceedings of the 2003 ACM/SIGDA eleventh international symposium on Field programmable gate arrays - FPGA '03, 2003
François-Xavier Standaert, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat. UCL Crypto Group, Laboratoire de Microélectronique, Université Catholique de Louvain, Place du Levant 3, B-1348 Louvain-la-Neuve, Belgium.
Efficient Implementation of Rijndael Encryption in Reconfigurable Hardware: Improvements and Design Tradeoffs
Lecture Notes in Computer Science, 2003
... A1. The multiplexor model: A first and obvious solution is to consider SubBytes as a large multiplexor and take advantage of special FPGA configurations to implement these ones. ... For these ones, only one register is needed to pipeline the diffusion layer. ...

Lecture Notes in Computer Science, 2003
introduced the concept of cryptanalytic time-memory tradeoffs, which allows the cryptanalysis of any N-key symmetric cryptosystem in O(N^{2/3}) operations with O(N^{2/3}) storage, provided a precomputation of O(N) is performed beforehand. This procedure is well known but did not lead to realistic implementations. This paper considers a cryptanalytic time-memory tradeoff using distinguished points, a method attributed to Rivest [2]. The proposed algorithm decreases the expected number of memory accesses with sensible modifications of the other parameters and allows much more realistic implementations of fast key search machines. We present a detailed analysis of the algorithm and solve theoretical open problems of previous models. We also propose efficient mask functions in terms of hardware cost and probability of success. These results were experimentally confirmed, and we used a purpose-built FPGA design to perform realistic tradeoffs against DES. The resulting online attack is feasible on a single PC, and we recover a 40-bit key in about 10 seconds.
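The distinguished-point tradeoff described in this abstract and in the FPL 2002 abstract above, as an added example that is not the authors' code or their FPGA design: a single Hellman-style table against a constructed 16-bit toy cipher (truncated SHA-256 standing in for DES), chains that stop at the first point whose low 4 bits are zero, and an online phase that performs exactly one memory access per walk before regenerating the candidate chain. The identity mask function, the chosen plaintext P0, the chain length limit and the chain count are assumptions picked for the demo.

```python
"""Time-memory tradeoff with distinguished points against a constructed 16-bit toy cipher."""
import hashlib

KEY_BITS = 16
KEY_MASK = (1 << KEY_BITS) - 1
P0 = 0x1234                       # fixed chosen plaintext (constructed)
DP_BITS = 4                       # a point is "distinguished" when its low DP_BITS bits are zero
MAX_CHAIN = 16 * (1 << DP_BITS)   # give up on chains that cycle without reaching a DP


def toy_encrypt(key: int, pt: int) -> int:
    """Stand-in 16-bit block cipher (truncated SHA-256). Constructed for the demo, not DES."""
    h = hashlib.sha256(key.to_bytes(2, "big") + pt.to_bytes(2, "big")).digest()
    return int.from_bytes(h[:2], "big")


def step(x: int) -> int:
    """One chain step f(k) = R(E_k(P0)). The mask/reduction R is the identity here
    because ciphertext and key have the same width (an assumption of this demo)."""
    return toy_encrypt(x, P0) & KEY_MASK


def is_distinguished(x: int) -> bool:
    return x & ((1 << DP_BITS) - 1) == 0


def build_table(num_chains: int) -> dict:
    """Precomputation: iterate f from each start point until a distinguished point and
    store only endpoint -> start. Merged chains share an endpoint (first start wins);
    chains that cycle without hitting a DP are dropped."""
    table = {}
    for start in range(num_chains):
        x = start
        for _ in range(MAX_CHAIN):
            x = step(x)
            if is_distinguished(x):
                table.setdefault(x, start)
                break
    return table


def attack(table: dict, ciphertext: int):
    """Online phase: walk from R(C) to the next distinguished point, do a SINGLE table
    lookup, then regenerate the matching chain from its start and test each key against C.
    Returns a key k with E_k(P0) == C, or None (key not covered, or a false alarm)."""
    y = ciphertext & KEY_MASK
    for _ in range(MAX_CHAIN):
        if is_distinguished(y):
            start = table.get(y)           # the only memory access of this walk
            if start is None:
                return None
            x = start
            for _ in range(MAX_CHAIN):
                if toy_encrypt(x, P0) == ciphertext:
                    return x
                x = step(x)
                if is_distinguished(x):
                    return None            # false alarm: merged chain, key is not on it
            return None
        y = step(y)
    return None


def coverage(table: dict, keys) -> float:
    """Fraction of the sample keys the table recovers (a key equivalent under P0 also counts)."""
    keys = list(keys)
    hits = sum(1 for k in keys if attack(table, toy_encrypt(k, P0)) is not None)
    return hits / len(keys)


if __name__ == "__main__":
    tbl = build_table(4096)
    print("stored endpoints:", len(tbl))
    print("coverage on a key sample:", coverage(tbl, range(0, 1 << KEY_BITS, 97)))
```

With 4096 chains of expected length 16 in a space of 2^16 keys this single table is far past Hellman's matrix stopping rule (m t^2 ≈ N), so many chains merge and coverage stays well below 100%; a real key-search machine spreads the work over many tables with different mask functions, which is what the mask-function design question in the abstract is about.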

Side-channel attacks are a serious threat to implementations of cryptographic algorithms. Secret information is recovered based on power consumption, electromagnetic emanations or any other form of physical information leakage. Template attacks are probabilistic side-channel attacks, which assume a Gaussian noise model. Using the maximum likelihood principle enables us to reveal (part of) a device's secret data for each set of recordings (i.e. leakage trace). In practice, however, the major concerns are (i) how to select the points of interest of the traces, (ii) how to choose the minimal distance between these points, and (iii) how many points of interest are needed for attacking. So far, only heuristics were provided. In this work, we propose to perform template attacks in the principal subspace of the traces. This new type of attack addresses all practical issues in a principled way and automatically. The approach is validated by attacking stream ciphers such as RC4. We also report analysis results of template style attacks against an FPGA implementation of the AES Rijndael. Roughly, the template attack we carried out requires five times fewer encrypted messages than the best reported correlation attack against similar block cipher implementations.
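A worked version of the principal-subspace template attack from this abstract and of the PCA-based trace preprocessing in the power/EM comparison abstract above, added here as an example and not the authors' code: traces are simulated for a target whose S-box output leaks its Hamming weight at two time samples under Gaussian noise, profiling on a known-key device groups traces by leakage class, PCA (power iteration on the between-class scatter of the class means) picks the subspace direction automatically, 1-D Gaussian templates are built in that subspace, and the unknown key is recovered by maximum likelihood together with the rank of the true key. The random 8-bit S-box, the leaking sample positions and gains, and the noise level are constructed assumptions.

```python
"""Subspace-based (PCA) template attack on simulated leakage traces, pure Python."""
import math
import random

N_SAMPLES = 20                    # time samples per trace
LEAK_POINTS = {7: 1.0, 12: 0.5}   # constructed: HW(S(p ^ k)) leaks at these samples with these gains
NOISE_SIGMA = 1.0                 # Gaussian noise on every sample

_sbox_rng = random.Random(1)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)           # constructed toy 8-bit S-box (random permutation, not AES's)


def hw(x: int) -> int:
    return bin(x).count("1")


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def simulate_trace(ptext: int, key: int, rng: random.Random):
    """One leakage trace: Hamming weight of the S-box output at LEAK_POINTS plus noise."""
    v = hw(SBOX[ptext ^ key])
    return [LEAK_POINTS.get(t, 0.0) * v + rng.gauss(0.0, NOISE_SIGMA) for t in range(N_SAMPLES)]


def principal_direction(m, iters=200):
    """Top eigenvector of a symmetric PSD matrix by power iteration (unit norm)."""
    n = len(m)
    v = [1.0] * n
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(dot(w, w))
        v = [x / norm for x in w]
    return v


def profile(n_traces: int, seed: int = 2):
    """Profiling on a device with a KNOWN key: group traces by HW class, run PCA on the
    class means (between-class scatter) and build 1-D Gaussian templates in that subspace."""
    rng = random.Random(seed)
    key = rng.randrange(256)
    by_class = {}
    for _ in range(n_traces):
        p = rng.randrange(256)
        by_class.setdefault(hw(SBOX[p ^ key]), []).append(simulate_trace(p, key, rng))
    assert len(by_class) == 9, "increase n_traces so every HW class is profiled"
    means = {c: [sum(col) / len(tr) for col in zip(*tr)] for c, tr in by_class.items()}
    grand = [sum(means[c][i] * len(by_class[c]) for c in means) / n_traces for i in range(N_SAMPLES)]
    scatter = [[0.0] * N_SAMPLES for _ in range(N_SAMPLES)]
    for c, mu in means.items():                 # B = sum_c n_c (mu_c - mu)(mu_c - mu)^T
        d = [mu[i] - grand[i] for i in range(N_SAMPLES)]
        n_c = len(by_class[c])
        for i in range(N_SAMPLES):
            for j in range(N_SAMPLES):
                scatter[i][j] += n_c * d[i] * d[j]
    direction = principal_direction(scatter)
    tmpl_means = {c: dot(direction, mu) for c, mu in means.items()}
    resid = sum((dot(direction, t) - tmpl_means[c]) ** 2 for c, tr in by_class.items() for t in tr)
    return {"direction": direction, "means": tmpl_means, "var": resid / (n_traces - len(by_class))}


def make_attack_set(true_key: int, n: int, seed: int = 7):
    """Constructed attack traces from an UNKNOWN-key device (the key is only used to simulate)."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [simulate_trace(p, true_key, rng) for p in pts]


def attack(templates, traces, ptexts):
    """Maximum-likelihood scores for all 256 key-byte guesses in the principal subspace."""
    d, means, var = templates["direction"], templates["means"], templates["var"]
    proj = [dot(d, t) for t in traces]          # project each trace onto the subspace
    scores = []
    for k in range(256):
        ll = 0.0
        for y, p in zip(proj, ptexts):
            ll -= (y - means[hw(SBOX[p ^ k])]) ** 2 / (2.0 * var)   # Gaussian log-likelihood
        scores.append(ll)
    return scores


def best_key(scores):
    return max(range(256), key=scores.__getitem__)


def key_rank(scores, true_key):
    """1 means the true key has the highest score."""
    return 1 + sum(1 for s in scores if s > scores[true_key])


if __name__ == "__main__":
    tm = profile(4000)
    pts, trs = make_attack_set(0xC3, 50)
    sc = attack(tm, trs, pts)
    print("best guess:", hex(best_key(sc)), "rank of true key:", key_rank(sc, 0xC3))
```

The learned direction concentrates its weight on the two leaking samples in the ratio of their gains, which is the point of the method: no hand-picked points of interest, no minimum spacing between them, and the number of dimensions is a choice of how many eigenvectors to keep (one here) rather than a heuristic.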