Working Group on Hardware and Software for Crypto and Security

Objectives

  • collaborative work
  • presentation of articles, new results, methods, tools…
  • invited talks
  • status on the PhD thesis, Master and other internships

Next meetings of the working group for 2012-2013

TBA 2013, special session:
Topic: arithmetic over GF(2^m)
First part: introduction by Karim Bigou and Jérémie Métairie (open CAIRN seminar),
Second part: working group and open discussions
 

Previous meetings of the working group for 2012-2013

Thursday, 11th July 2013, 11h00-12h00 (309N Lannion), by Jean-Marc Robert, LIRMM-DALI, Université Perpignan:
Title: Scalar multiplication algorithms for elliptic curve points over binary fields: Montgomery revisited.
Abstract: Scalar multiplication of elliptic curve points can be carried out with Double-and-add type algorithms, which are vulnerable to Simple Power Analysis (SPA) attacks because of the dependency between the secret data (the scalar) and the operations performed by the computing unit. At the algorithmic level, the two main classical countermeasures are Double-and-add-always and the Montgomery binary ladder. Both algorithms can be improved: while they are robust against SPA, they remain vulnerable to other, more elaborate attacks. In this talk, after recalling these preliminaries, we present our work on developments aimed at improving resistance to these attacks by revisiting the Montgomery binary ladder: introducing "halving" in place of "doubling", and introducing a signed representation of the scalar in place of the classical binary representation. We present performance results of a C implementation, then conclude with the status of this ongoing work.
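The SPA leak of double-and-add and the regularity of the two countermeasures named in the abstract, as an added example that is not the speaker's code: a toy short-Weierstrass curve over GF(97) (curve, prime and base point are assumed values chosen for hand-checking, nowhere near a cryptographic size) with each algorithm returning the sequence of curve operations it performed. The talk concerns binary-field curves and a halving-based ladder; the argument about operation traces does not depend on the field.

```python
# Added example (not the speaker's code): scalar multiplication on a toy
# short-Weierstrass curve over GF(p), with an operation trace that shows the
# SPA leak of double-and-add and the regular pattern of the Montgomery ladder.

P = 97            # hypothetical toy prime, far below any cryptographic size
A, B = 2, 3       # assumed curve y^2 = x^3 + 2x + 3 over GF(97) (non-singular)
G = (3, 6)        # a point on it: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = None        # point at infinity


def ec_add(p, q):
    """Affine point addition / doubling on y^2 = x^3 + A x + B over GF(P)."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p = -q (also doubling a point with y = 0)
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_double(p):
    return ec_add(p, p)


def double_and_add(k, p):
    """Left-to-right double-and-add. Returns (k*p, trace) where trace lists
    the curve operations: 'D' = doubling, 'A' = addition."""
    r, trace = INF, []
    for bit in bin(k)[2:]:
        r = ec_double(r)
        trace.append("D")
        if bit == "1":                  # addition only on 1 bits: the SPA leak
            r = ec_add(r, p)
            trace.append("A")
    return r, "".join(trace)


def double_and_add_always(k, p):
    """Double-and-add-always: the addition is computed on every bit and its
    result discarded on 0 bits (regular trace, but the dummy operation is a
    known target for fault attacks)."""
    r, trace = INF, []
    for bit in bin(k)[2:]:
        r = ec_double(r)
        trace.append("D")
        t = ec_add(r, p)
        trace.append("A")
        if bit == "1":
            r = t
    return r, "".join(trace)


def montgomery_ladder(k, p):
    """Montgomery ladder: invariant r1 - r0 = p; every bit costs exactly one
    addition and one doubling and no result is thrown away."""
    r0, r1, trace = INF, p, []
    for bit in bin(k)[2:]:
        if bit == "0":
            r1 = ec_add(r0, r1)
            r0 = ec_double(r0)
        else:
            r0 = ec_add(r0, r1)
            r1 = ec_double(r1)
        trace.append("AD")
    return r0, "".join(trace)


def naive_mul(k, p):
    """Reference oracle: k repeated additions."""
    r = INF
    for _ in range(k):
        r = ec_add(r, p)
    return r


def spa_recover(trace):
    """Attacker's view of a double-and-add trace: 'D' followed by 'A' is a
    1 bit, a lone 'D' is a 0 bit. Returns the recovered scalar."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "D":
            raise ValueError("trace does not come from double-and-add")
        if i + 1 < len(trace) and trace[i + 1] == "A":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


if __name__ == "__main__":
    k = 0b1011
    for name, fn in [("double-and-add", double_and_add),
                     ("double-and-add-always", double_and_add_always),
                     ("Montgomery ladder", montgomery_ladder)]:
        point, trace = fn(k, G)
        print(f"{name:22s} {trace:10s} {point}")
    print("scalar read off the double-and-add trace:",
          spa_recover(double_and_add(k, G)[1]))
```

For k = 11 the double-and-add trace is DADDADA and spa_recover reads 1011 straight off it; the two countermeasures produce the same trace for every 4-bit scalar (DADADADA and ADADADAD), which is what "robust against SPA" means at the algorithmic level. The ladder's remaining exposure to more elaborate attacks (the subject of the talk) is not visible at this trace granularity.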
Friday, 21st June 2013, 11h00-12h00 (309N Lannion), by Thomas Dupré, IUT GEII Rennes:
Internship defense
Wednesday, 19th June 2013, 10h00-11h00 (020G Lannion), by Liam Marnane, University College Cork, Ireland:
Title: Implementation of a Secure TLS Coprocessor on FPGA
Abstract: In this talk we present a design of a secure implementation of a coprocessor for the TLSv1.2 protocol, on FPGA. The processor was implemented with a secure true random number generator and hardware for signature generation and verification, based on elliptic curve algorithms. Implementations of the AES and SHA256 algorithms are also included in order to provide full hardware acceleration for a specific suite of the TLSv1.2 protocol. The algorithms used for performing the elliptic curve arithmetic were chosen to provide resistance against Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks. The design is analysed for area and speed on a Virtex 5 FPGA.
Wednesday, 19th June 2013, 11h00-12h00 (020G Lannion), by Russell Tessier, University of Massachusetts at Amherst, USA:
Title: High-Performance Hardware Monitors to Protect Network Processors from Data Plane Attacks
Abstract: Hardware monitor subsystems, which can verify the behavior of a router’s packet processing system at runtime, can be used to identify and respond to an ever-changing range of attacks. While hardware monitors have primarily been described in the context of general-purpose computing, this work focuses on important aspects that are relevant to the embedded networking domain. The design and prototype implementation of a high-performance monitor that can track each processor instruction with low memory overhead will be presented.  It is demonstrated that our monitor architecture provides no network slowdown in the absence of an attack and provides the capability to drop attack packets without otherwise affecting regular network traffic when an attack occurs.
Tuesday, 18th June 2013, 9h30 (020G Lannion), PhD defense: Thomas Chabrier, CAIRN-IRISA:
Title: Arithmetic Recodings for ECC Cryptoprocessors with Protections against Side-Channel Attacks
Abstract:
This PhD thesis focuses on the study, the hardware design, the theoretical and practical validation, and eventually the comparison of different arithmetic operators for cryptosystems based on elliptic curves (ECC). The provided solutions must be robust against some side-channel attacks and efficient at the hardware level (execution speed and area). In the case of ECC, we want to protect the secret key, a large integer used in the scalar multiplication. Our protection methods use number representations and the behaviour of algorithms to make some attacks more difficult. For instance, we randomly change some representations of the manipulated numbers while ensuring that the computed values are correct. Redundant representations such as the signed-digit representation and the double- (DBNS) and multi-base number systems (MBNS) have been studied. A proposed method provides an on-the-fly MBNS recoding which operates in parallel with curve-level operations and at very high speed. All recoding techniques have been theoretically validated, simulated extensively in software, and finally implemented in hardware (FPGA and ASIC). A side-channel attack called a template attack is also carried out to evaluate the robustness of a cryptosystem using a redundant number representation. Finally, a study is conducted at the hardware level to provide an ECC cryptosystem with a regular behaviour of the computed operations during the scalar multiplication, so as to protect against some side-channel attacks.
Monday, 3rd June 2013, 10h30-12h30, special session:
Topic: arithmetic recoding for ECC scalar multiplication
First part: introduction and standard methods by Arnaud Tisserand (open CAIRN seminar)
Second part: advanced multi base methods by Thomas Chabrier (open CAIRN seminar)
Third part: working group and discussions
Friday, 22nd Feb. 2013, 10h30-11h30 (309N Lannion), seminar by Danuta Pamula, Silesian University of Technology:       [ slides PDF file ]
Title: Arithmetic operators on GF(2^m) for cryptographic applications: performance – power consumption – security tradeoffs
Abstract:
The efficiency of devices performing arithmetic operations in finite fields is crucial for the efficiency of ECC systems. The robustness of the system also depends on the robustness of the operators. The aim of the research described in the dissertation was to propose hardware arithmetic operators on GF(2^m), dedicated to elliptic curve cryptography (ECC) applications, that are efficient and robust against power analysis side-channel attacks. We propose speed- and area-efficient hardware solutions for arithmetic operators on GF(2^m). The designed units are flexible and, because of the intended applications, operate on large numbers (160-600 bits). Next we propose algorithmic and architectural modifications improving robustness against some side-channel power analysis attacks. The final goal was to find a trade-off between the security of arithmetic operators and their efficiency. We were able to perform such modifications, increasing the robustness of the designed hardware arithmetic operators without negatively impacting overall operator performance. The attempt to protect the lowest operation level of ECC systems, the finite field level, is the first known attempt of that type. Until now, research described in the literature on the subject did not concern protection of finite field level operations; it only considered protections at the curve or protocol levels. The proposed protections contribute to, and we may say complete, the already developed means of protection for ECC systems.
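The GF(2^m) operators this abstract (and the GF(2^m) sessions elsewhere on this page) talk about, as an added example that is not the speaker's design: field elements are held as Python ints whose bit i is the coefficient of x^i. The block shows the bit-serial shift-and-add multiplier that a hardware operator iterates, the same loop with its data-dependent branches replaced by masks (the form that maps to a multiplexer rather than a skipped operation, which is the field-level leak the abstract is about), the product-then-reduce alternative, and Fermat inversion built on top. The 163-bit field uses the NIST B-163 reduction polynomial x^163 + x^7 + x^6 + x^3 + 1; the test values in the field are constructed, and a tiny GF(2^4) with x^4 + x + 1 is included for hand-checkable results.

```python
# Added example (not the speaker's design): GF(2^m) multiplication and
# inversion on Python ints, in the forms a hardware operator would iterate.

M163 = 163
F163 = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # NIST B-163 polynomial
M4, F4 = 4, 0b10011                                       # GF(2^4), x^4 + x + 1


def gf2m_mul_shift_add(a, b, f, m):
    """MSB-first shift-and-add: per bit of b, one shift, one conditional
    reduction by f and one conditional XOR of a. The XOR happens only on
    1 bits of b, so a bit-serial multiplier built this way exposes the
    operand's bit pattern in its power trace."""
    acc = 0
    for i in range(m - 1, -1, -1):
        acc <<= 1
        if acc >> m & 1:             # x^m appeared: subtract f (XOR in GF(2))
            acc ^= f
        if b >> i & 1:               # operand-dependent branch
            acc ^= a
    return acc


def gf2m_mul_masked(a, b, f, m):
    """Same loop with both conditionals turned into AND masks, so every
    iteration performs the same operations. Python is not constant-time;
    the point is the uniform operation sequence."""
    acc = 0
    for i in range(m - 1, -1, -1):
        acc <<= 1
        acc ^= f & -(acc >> m & 1)
        acc ^= a & -(b >> i & 1)
    return acc


def clmul(a, b):
    """Carry-less product in GF(2)[x], no reduction (degree < 2m - 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2m_reduce(c, f, m):
    """Reduce c (degree < 2m - 1) modulo the irreducible f of degree m."""
    for i in range(c.bit_length() - 1, m - 1, -1):
        if c >> i & 1:
            c ^= f << (i - m)
    return c


def gf2m_mul_reduce(a, b, f, m):
    """Product-then-reduce: the structure of a parallel multiplier."""
    return gf2m_reduce(clmul(a, b), f, m)


def gf2m_pow(a, e, f, m):
    r = 1
    for bit in bin(e)[2:]:
        r = gf2m_mul_masked(r, r, f, m)
        if bit == "1":
            r = gf2m_mul_masked(r, a, f, m)
    return r


def gf2m_inv(a, f, m):
    """Inverse by Fermat: a^(2^m - 2). The exponent is a public constant, so
    the square/multiply schedule does not depend on a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    return gf2m_pow(a, (1 << m) - 2, f, m)


if __name__ == "__main__":
    a = (1 << 100) | (1 << 7) | 1              # constructed field elements
    b = (1 << 162) | (1 << 33) | (1 << 2)
    p1 = gf2m_mul_shift_add(a, b, F163, M163)
    print("methods agree:", p1 == gf2m_mul_masked(a, b, F163, M163)
          == gf2m_mul_reduce(a, b, F163, M163))
    print("a * a^-1 == 1:",
          gf2m_mul_masked(a, gf2m_inv(a, F163, M163), F163, M163) == 1)
```

In GF(2^4) the product x^3 * x is x^4, which reduces to x + 1 (0b0011), and the inverse of x is x^3 + 1 (0b1001); the three multiplier forms agree on the 163-bit inputs as well. Squaring is linear in characteristic 2, so (a + b)^2 = a^2 + b^2 holds for any a, b, a convenient self-check for a multiplier implementation.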
Wednesday, Feb. 13th 2013, 11h-12h (309N), by Karim Bigou CAIRN-INRIA-IRISA:
Title: A hardware operator for divisibility tests by small constants on very large integers       [ presentation PDF ]
Paper presented at: SympA'15 / ComPAS'13    (co-authors: T. Chabrier and A. Tisserand)
Abstract: We present a hardware arithmetic operator dedicated to divisibility tests by small constants on large integers. These large integers, of several hundred bits, are represented in multi-precision. The proposed method requires only a very small number of computations for each word of the multi-precision representation. For example, it tests divisibility by (2^a, 3, 5, 7, 9, 13), where 1 <= a <= 12, much more efficiently than testing divisibility by each small constant separately. The proposed method has been implemented and validated on an FPGA circuit.
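One way to obtain exactly the constant set of the abstract with a handful of operations per word, as an added example that is not the paper's circuit: with 12-bit words, B = 2^12 and B - 1 = 4095 = 3^2 * 5 * 7 * 13, so B^i ≡ 1 (mod 4095) and N mod 4095 is the sum of the 12-bit digits folded with an end-around carry. One 12-bit residue then answers all five odd divisibility questions at once, and divisibility by 2^a with a <= 12 is read from the lowest word alone. A Horner-style residue for a constant that does not divide 2^12 - 1 is included for contrast; the large test values are constructed.

```python
# Added example (not the paper's operator): divisibility of a multi-precision
# integer by (2^a, 3, 5, 7, 9, 13) from one pass over its 12-bit words.

WORD_BITS = 12
WORD_MASK = (1 << WORD_BITS) - 1       # 4095 = 3^2 * 5 * 7 * 13
ODD_CONSTANTS = (3, 5, 7, 9, 13)        # every one of them divides 2^12 - 1


def to_words(n, w=WORD_BITS):
    """Multi-precision digits of n in base 2^w, least significant first."""
    if n < 0:
        raise ValueError("non-negative integers only")
    words = []
    while True:
        words.append(n & ((1 << w) - 1))
        n >>= w
        if n == 0:
            return words


def residue_mod_4095(words):
    """N mod 4095 from 12-bit digits: since 2^12 = 1 (mod 4095), each word
    costs one 12-bit add plus an end-around carry (the one's-complement
    checksum trick). acc never exceeds 4095."""
    acc = 0
    for d in words:
        acc += d                                       # at most 13 bits
        acc = (acc & WORD_MASK) + (acc >> WORD_BITS)   # fold the carry back
    return 0 if acc == WORD_MASK else acc              # 4095 = 0 (mod 4095)


def residue_mod_horner(words, m, w=WORD_BITS):
    """General path for a constant m that does not divide 2^w - 1: Horner
    evaluation, one multiplication by (2^w mod m) per word."""
    base = (1 << w) % m
    acc = 0
    for d in reversed(words):
        acc = (acc * base + d) % m
    return acc


def small_divisibility(n):
    """Divisibility of n by 2^a (1 <= a <= 12) and by 3, 5, 7, 9, 13.
    Returns {divisor: bool}; the odd divisors all come from one residue."""
    words = to_words(n)
    r = residue_mod_4095(words)
    result = {m: r % m == 0 for m in ODD_CONSTANTS}
    low = words[0]                                     # 2^a | n iff 2^a | low word
    for a in range(1, WORD_BITS + 1):
        result[1 << a] = low & ((1 << a) - 1) == 0
    return result


if __name__ == "__main__":
    # constructed inputs: n1 = 3*5*7*9*13 * 2^5 * odd, n2 has none of the divisors
    n1 = 12285 * ((1 << 400) + 32)
    n2 = (1 << 500) + 1
    for n in (n1, n2):
        d = small_divisibility(n)
        print(n.bit_length(), "bits ->", sorted(m for m, ok in d.items() if ok))
```

The same idea works for any word width w: the constants that can be tested from a digit sum are the divisors of 2^w - 1 (for w = 12 these are 3, 5, 7, 9, 13 and their products), which is why the abstract's set stops at 13 and at a = 12.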
Wednesday, 23rd Jan. 2013, 14h30-15h30 (309N Lannion + Bréhat Rennes), Pascal Cotret CAIRN-IRISA:        [ slides PDF file ]
Title: Protection of heterogeneous multiprocessor architectures in embedded systems. A decentralized approach based on hardware firewalls.
Abstract:
One of the goals of this thesis is to propose a method to protect communications and memories in a multiprocessor architecture implemented in an FPGA reconfigurable chip. The method is based on the implementation of hardware mechanisms offering monitoring and cryptographic features, in order to provide a secure execution environment according to a given threat model. The main goal of the proposed solution is to minimize perturbations in the data traffic; we consider that this can be accomplished by focusing on the latency impact of our security mechanisms. Our solution is also sensitive to attack events: as soon as an attack is detected, an update process of the security policies can be enabled.
Friday, 14th Dec. 2012, 14h-15h30 (309N):
Title:  working group meeting
Friday, 5th Oct. 2012, 10h30-12h (309N):
Title: ANR PAVOIS kick-off meeting
Thursday, 13th Sep. 2012, 15h-16h (309N + Bréhat), by Liam Marnane, University College Cork:
Title: FPGA Implementation of the SHA-3 candidate algorithms         [ SLIDES PDF FILE ]
Abstract:
The NIST-run SHA-3 competition is nearing completion. Currently in its final round, the five remaining competitors are still being examined in hardware, in software and for security metrics in order to select a final winner. While many area and speed results have been reported, one metric that does not appear to be covered in very great detail is that of power and energy measurements on FPGA. This work attempts to add some new results to this area, namely measured area, power, energy and iteration time results.

2011-2012

Monday, 25th June 2012 (11h15-12h00, Lannion, 309N)
Internship defense presentation by Pierre Guilloux (IUT Rennes)
Monday, 18th June 2012 (11h30-12h30, Lannion, 309N)      [slides PDF]
Arithmetic protections against certain physical attacks on cryptosystems. Seminar by Thomas Chabrier
Tuesday, 12th June 2012 (10h30-11h45, Lannion, 309N)   [slides PDF]
Security of communications and memories in multiprocessor architectures. Invited seminar by Pascal Cotret (LabSTICC).
Abstract: For several years, security in multiprocessor architectures has been a critical point in the development of embedded systems. One of the strategic points in this design phase is the communication architecture through which all of the system's data transit. Consequently, the traffic must be monitored so that an attack is detected before it spreads through the embedded system. This work proposes an efficient solution to secure data exchanges in a multiprocessor architecture through the addition of hardware blocks and cryptographic functions.

Thursday, 26th April 2012 (14h-15h30, room 315N)
News, projects and PhD status
Friday, 27th January 2012 (14h-16h20, room 309N)   [slides PDF]
Algorithms for modular inversion in GF(p) (Karim Bigou, INRIA/DGA/IRISA/CAIRN)
Wednesday, 9th November 2011 (10h15-11h, room Oléron, IRISA)
Introduction to the security issues related to virtualization (Franck Bucheron, DGA/IRISA)
Thursday, 6th October 2011 (11h-12h, room 020G)  [slides PDF]
High-performance coprocessor for elliptic curves defined over Fp (Nicolas Guillermin, DGA Maîtrise de l'Informatique, Bruz)
Abstract: Hardware architectures for asymmetric cryptography are attractive in many respects (performance, embeddability, security against side channels...) and have been the subject of much research in recent years. In this talk I propose an architecture using RNS representations of numbers to perform scalar multiplications on arbitrary elliptic curves over Fp. This simple and flexible architecture achieves very fast computation times while remaining reasonable in terms of area, and this at all commonly used security levels (from 80 to 256 bits).
Thursday, 6th October 2011 (14h-16h, room 319N)
Start-of-year meeting
Friday, 30th September 2011 (11h-12h, room 309N) [slides PDF]
FPGA implementation of ECDSA (Nabil Ghanmy, Ecole Nationale d’Ingénieurs de Sfax, Tunisie)

2010-2011

Tuesday, 31st May 2011 (14h-14h30)
Side Channel Cryptanalysis, Attacks and Countermeasures (Nicolas Veyrat, UCL Crypto Group)
Wednesday, 12th January 2011 (14h-14h30)
Cryptography with Arithmetic and Exoticism (Thomas Chabrier, CST presentation)
Wednesday, 12th January 2011 (15h15-15h45)
Multiplication in GF(2^m): area and time dependency/efficiency/complexity analysis (Danuta Pamula, CST presentation)
Monday, 29th November 2010 (10h30-11h30)
Introduction to cryptography based on error-correcting codes (Pierre-Louis Cayrel, CASED)

2009-2010

Wednesday, 23rd June 2010 (14h-15h room 036C)
Comments on recent work on modeling information leakage for side-channel attacks (Thomas Chabrier)
Thursday, 27th May 2010 (11h-12h room 036C)
Introduction to the Residue Number System RNS (Stanislaw Piestrak) 
Thursday, 29th April 2010 (11h-12h room 036C) 
Comments on a recent article on leakage power attacks (Arnaud Tisserand) 
Wednesday, 17th March 2010 (14h-15h room 309N)
FPGA implementation of an elliptic curve processor using the GLV method (Mark Hamilton, UCC)
Friday, 26th February 2010 (14h-15h room 309N)
Basics of GF(2^m) computations and examples (Danuta and Arnaud)
Thursday, 14th January 2010 (14h-15h room 315N)
Montgomery multiplication (Danuta Pamula and Thomas Chabrier)
Friday, 4th December 2009 (14h-15h room 309N)
Definition of the coprocessor 
Wednesday, 18th November 2009 (14h-15h room 309N)
  • Introduction to arithmetic in GF(P) (Thomas Chabrier)
  • Introduction to arithmetic in GF(2^m) (Danuta Pamula)
Wednesday, 21st October 2009 (14h-15h room 309N)
Introduction to GMP, the GNU Multiple Precision Arithmetic Library (Arnaud Tisserand)
Wednesday, 7th October 2009 (14h-15h room 309N)
Presentation, objectives, resources of the WG-AOC