SwePub
Hit list for the search "FÖRF:(Alexander Nilsson)"

Search: FÖRF:(Alexander Nilsson)

  • Results 1-10 of 23
1.
  • Guo, Qian, et al. (author)
  • SCA-LDPC: A Code-Based Framework for Key-Recovery Side-Channel Attacks on Post-Quantum Encryption Schemes
  • 2023
  • Other publication (other academic/artistic) abstract
    • Whereas theoretical attacks on standardized crypto primitives rarely lead to actual practical attacks, the situation is different for side-channel attacks. Improvements in the performance of side-channel attacks are of utmost importance. In this paper, we propose a framework to be used in key-recovery side-channel attacks on CCA-secure post-quantum encryption schemes. The basic idea is to construct chosen ciphertext queries to a plaintext checking oracle that collects information on a set of secret variables in a single query. Then a large number of such queries is considered, each related to a different set of secret variables, and they are modeled as a low-density parity-check code (LDPC code). Secret variables are finally determined through efficient iterative decoding methods, such as belief propagation, using soft information. The utilization of LDPC codes offers efficient decoding, source compression, and error correction benefits. It has been demonstrated that this approach provides significant improvements compared to previous work by reducing the required number of queries, such as the number of traces in a power attack. The framework is demonstrated and implemented in two different cases. On one hand, we attack implementations of HQC in a timing attack, lowering the number of required traces considerably compared to attacks in previous work. On the other hand, we describe and implement a full attack on a masked implementation of Kyber using power analysis. Using the ChipWhisperer evaluation platform, our real-world attacks recover the long-term secret key of a first-order masked implementation of Kyber-768 with an average of only 12 power traces.
2.
  • Nilsson, Alexander (author)
  • Decryption Failure Attacks on Post-Quantum Cryptography
  • 2023
  • Doctoral thesis (other academic/artistic) abstract
    • This dissertation discusses mainly new cryptanalytical results related to issues of securely implementing the next generation of asymmetric cryptography, or Public-Key Cryptography (PKC). PKC, as it has been deployed until today, depends heavily on the integer factorization and the discrete logarithm problems. Unfortunately, it has been well-known since the mid-90s that these mathematical problems can be solved due to Peter Shor's algorithm for quantum computers, which achieves the answers in polynomial time. The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community towards a major shift of focus. A project towards standardization of Post-quantum Cryptography (PQC) was launched by the US-based standardization organization, NIST. PQC is the name given to algorithms designed for running on classical hardware/software whilst being resistant to attacks from quantum computers. PQC is well suited for replacing the current asymmetric schemes. A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC. For public key encryption (PKE) or digital signature (DS) schemes to be considered secure they must be shown to rely heavily on well-known mathematical problems with theoretical proofs of security under established models, such as indistinguishability under chosen ciphertext attack (IND-CCA). Also, they must withstand serious attack attempts by well-renowned cryptographers both concerning theoretical security and the actual software/hardware instantiations. It is well-known that security models, such as IND-CCA, are not designed to capture the intricacies of inner-state leakages. Such leakages are named side-channels, which is currently a major topic of interest in the NIST PQC project. This dissertation focuses on two things, in general: 1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates? And 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations? Of main concern are PQC algorithms based on lattice theory and coding theory. The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation to a part of a PQC scheme, and some more theoretical cryptanalytical results.
3.
  • Ferrans, Laura, et al. (author)
  • Life Cycle Assessment of Management Scenarios for Dredged Sediments : Environmental Impacts Caused during Landfilling and Soil Conditioning
  • 2022
  • In: Sustainability. - : MDPI. - 2071-1050. ; 14:20, pp. 13139-13139
  • Journal article (peer-reviewed) abstract
    • The management of dredged sediments is a challenging issue since it involves the interconnection of complex economic, social, technical and environmental aspects. The EU LIFE SURE project aimed to apply a more sustainable dredging technique to Malmfjärden Bay in Kalmar/Sweden (a shallow urban water body with a high content of nutrients) and, additionally, it involved beneficial uses for the dredged material, in line with the circular economy concept. To achieve this, a life cycle assessment (LCA) study was carried out to assess the potential environmental impacts associated with two scenarios: sediment landfilling (S1) and soil conditioning (S2). This LCA study also aimed to evaluate and compare the costs related to each scenario. S1 contemplated the construction and operation of the landfill for 100 years, including the collection and discharge of leachate and biogas. S2 included the use of sediments in soils and the avoidance of producing and using fertilisers. Results showed that (S2) soil conditioning (total impact: −6.4 PE) was the scenario with fewer environmental impacts and the best economic evaluation. The S2 scenario was mainly related to the positive environmental savings produced by reducing fertiliser consumption (which also avoided purchase costs). However, S2 was also linked to potential negative effects associated with eutrophication and toxicity categories of impacts due to the possible spread of nutrients and pollutants in terrestrial and aquatic environments. In order to mitigate this problem, the sediments could be pre-treated to reduce their risk of pollution. Moreover, the main impact of the landfilling scenario (S1, total impact: 1.6 PE) was the emission of global warming-contributing gases during the operation of the facility. Implementing the soil conditioning scenario was therefore recommended, in line with the aim of the LIFE SURE project. Finally, it was recommended that LCA studies should be applied more often in the future when selecting beneficial uses for dredged sediments. The decision-making process is facilitated when the positive and negative impacts produced by each handling option are considered.
4.
  • Guo, Qian, et al. (author)
  • Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE
  • 2022
  • In: IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES). - : Universitätsbibliothek der Ruhr-Universität Bochum. - 2569-2925. ; 2022:3, pp. 223-263
  • Journal article (peer-reviewed) abstract
    • Well before large-scale quantum computers will be available, traditional cryptosystems must be transitioned to post-quantum (PQ) secure schemes. The NIST PQC competition aims to standardize suitable cryptographic schemes. Candidates are evaluated not only on their formal security strengths, but are also judged based on the security with regard to resistance against side-channel attacks. Although round 3 candidates have already been intensively vetted with regard to such attacks, one important attack vector has hitherto been missed: PQ schemes often rely on rejection sampling techniques to obtain pseudorandomness from a specific distribution. In this paper, we reveal that rejection sampling routines that are seeded with secret-dependent information and leak timing information result in practical key recovery attacks in the code-based key encapsulation mechanisms HQC and BIKE. Both HQC and BIKE have been selected as alternate candidates in the third round of the NIST competition, which puts them on track for getting standardized separately from the finalists. They have already been specifically hardened with constant-time decoders to avoid side-channel attacks. However, in this paper, we show novel timing vulnerabilities in both schemes: (1) Our secret key recovery attack on HQC requires only approx. 866,000 idealized decapsulation timing oracle queries in the 128-bit security setting. It is structurally different from previously identified attacks on the scheme: Previously, exploitable side-channel leakages have been identified in the BCH decoder of a previously submitted HQC version, in the ciphertext check as well as in the pseudorandom function of the Fujisaki-Okamoto transformation. In contrast, our attack uses the fact that the rejection sampling routine invoked during the deterministic re-encryption of the decapsulation leaks secret-dependent timing information, which can be efficiently exploited to recover the secret key when HQC is instantiated with the (now constant-time) BCH decoder, as well as with the RMRS decoder of the current submission. (2) From the timing information of the constant weight word sampler in the BIKE decapsulation, we demonstrate how to distinguish whether the decoding step is successful or not, and how this distinguisher is then used in the framework of the GJS attack to derive the distance spectrum of the secret key, using 5.8 × 10^7 idealized timing oracle queries. We provide details and analyses of the fully implemented attacks, as well as a discussion on possible countermeasures and their limits.
5.
  • Nilsson, Alexander, 1984- (author)
  • Evidentiality in Tajik
  • 2022
  • Doctoral thesis (other academic/artistic) abstract
    • The focus of this study is evidentiality, the grammatical marking of information source, in written and spoken Tajik. For marking evidential statements, Tajik employs a secondary register of verb forms (called register II forms) that all end in -a: the Perfect and the Perfectoids (the Perfectoid Imperfect and Perfectoid Pluperfect). Whereas the Perfect is ambiguous as regards its evidential status, the Perfectoids are unambiguously non-first hand in nature. The register II forms can signal that propositions are reportative or inferential. Moreover, they are used for mirative purposes, i.e. to signal new information or surprise. In addition to the register II forms, Tajik also employs a special verb form called the Presumptive, which is also included in this study. The analysis of written Tajik is based on a close reading of 424 pages of prose fiction texts that can be divided into three groups in accordance with the time periods when they were written: the 1920s–1940s, 1980s and 2010s. The analysis of spoken Tajik is based on ca 9.5 hours of recorded material gathered in Dushanbe, Tajikistan, in the years 2016 and 2017. While the 2016 recordings were in the form of free conversations, the 2017 recordings involved a collaborative exercise developed as a method for investigating grammatical categories related to social cognition. The results of the analyses show that the evidential uses of the register II forms and the Presumptive are more prevalent in the older texts than in the newer texts. As for the spoken language, the register II forms are rarely used for reportative statements. Instead, evidential lexical markers are used with register I forms. However, speakers tend to use register II forms in cases where there is greater temporal distance to the subject matter. Inferences are also usually made with register I forms together with evidential lexical markers. However, the Perfect is employed in the creation of coherent hypothetical narratives. In conclusion, it is argued that the Tajik “mirative” is in fact evidential, since it marks direct experience of two types: new information (mirative) and personal impression (evaluative). It is also argued that the Presumptive is evidential, since it marks conclusions based on either past experiences or previous knowledge.
7.
  • Brorsson, Joakim, et al. (author)
  • On the Suitability of Using SGX for Secure Key Storage in the Cloud
  • 2020
  • In: Lecture Notes in Computer Science. - Cham : Springer International Publishing. - 9783030589851 ; 12395, pp. 32-47
  • Conference paper (peer-reviewed) abstract
    • This paper addresses the need for secure storage in virtualized services in the cloud. To this purpose, we evaluate the security properties of Intel's Software Guard Extensions (SGX) technology, which provides hardware protection for general applications, for securing virtual Hardware Security Modules (vHSM). In order for the analysis to be comparable with analyses of physical HSMs, the evaluation proceeds from the FIPS 140-3 standard, the successor to FIPS 140-2, which is commonly used to assess security properties of HSMs. Our contribution is twofold. First, we provide a detailed security evaluation of vHSMs using the FIPS 140-3 standard. Second, after concluding that the standard is designed for stand-alone rather than virtual systems, we propose a supplementary threat model, which considers threats from different actors separately. This model allows for different levels of trust in actors with different capabilities and can thus be used to assess which parts of FIPS 140-3 should be considered for a specific attacker. Using FIPS 140-3 in combination with the threat model, we find that SGX enclaves provide sufficient protection against a large part of the potential actors in the cloud. Thus, depending on the threat model, SGX can be a helpful tool for providing secure storage for virtualized services.
8.
  • Guo, Qian, et al. (author)
  • A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM
  • 2020
  • In: Advances in Cryptology – CRYPTO 2020 : 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II. - Cham : Springer International Publishing. - 0302-9743 .- 1611-3349. - 9783030568795 - 9783030568801 ; 12171, pp. 359-386
  • Conference paper (peer-reviewed) abstract
    • In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, being FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about $2^{30}$ decapsulation calls.
9.
  • Nilsson, Alexander, et al. (author)
  • A Survey of Published Attacks on Intel SGX
  • 2020
  • Report (other academic/artistic) abstract
    • Intel Software Guard Extensions (SGX) provides a trusted execution environment (TEE) to run code and operate on sensitive data. SGX provides runtime hardware protection where both code and data are protected even if other code components are malicious. However, recently many attacks targeting SGX have been identified and introduced that can thwart the hardware defence provided by SGX. In this paper we present a survey of all attacks specifically targeting Intel SGX that are known to the authors, to date. We categorized the attacks based on their implementation details into 7 different categories. We also look into the available defence mechanisms against identified attacks and categorize the available types of mitigations for each presented attack.