Tuesday, September 11, 2012

CHES 2012 - Day 1

This year's CHES in Leuven is seeing its highest number of attendees ever (well over 400). Monday's sessions focused on side-channel attacks and countermeasures.

The first session covered intrusive attacks and countermeasures. Jean-Michel Cioranesco presented an approach to build a 3D Hamiltonian cage around a cryptographic circuit in order to thwart probing attacks. They propose to use multiple metal layers and the connecting vias (and possibly die stacking). The signal on this Hamiltonian path is passed through various MAC units in order to check its integrity, so that physical manipulations of the cage, which could indicate a probing attempt, can be detected. Sergei Skorobogatov talked about the analysis of a Flash FPGA which contains backdoors/undocumented features in its JTAG port. Employing a novel (and patented) power analysis technique called Pipeline Emission Analysis (PEA), which uses analog preprocessing of power traces, the authors were able to learn various embedded keys of the device, which allowed them to activate the hidden features and circumvent many security mechanisms. For example, they were able to read back the FPGA's configuration, which should not be possible in normal operation. The third talk by Alexander Schloesser featured the results of light emission analysis of an AES chip, manifested as fascinating pictures highlighting the activity of the chip and making it possible to pinpoint the exact location of single bits.

The second session about masking featured Dan Page's talk about the compiler-assisted masking techniques which have been developed at Bristol. Starting from an initial annotation of variables as low or high security by the programmer, the compiler performs type inference in order to deal with potential security problems (e.g. a high-security variable addressing a low-security array). This approach aims to eliminate common errors which occur when programmers implement masking by hand. Begul Bilgin presented threshold implementations (i.e. robustly masked hardware functions) of all S-boxes of size 3x3 and 4x4. Finally, Amir Moradi talked about their practical security evaluation of different variants of the so-called generalized look-up table (GLUT) approach, which can be used to secure S-box lookups. His concluding message was that designers of countermeasures should take more models into account.
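To make the "annotate, then infer" idea concrete, here is an added toy example (not the Bristol compiler and not code from the talk). It runs a security-label inference over a constructed three-address IR: the programmer labels the inputs HIGH or LOW, labels propagate through XOR and table loads, and a table lookup whose index is HIGH is reported as a secret-dependent memory access. The IR, the label names, and the single-use rule for fresh randomness (XOR with a not-yet-used uniform random yields a LOW value; XOR that strips that same mask off again yields HIGH) are my assumptions about how such an analysis could be written, chosen to show the class of error the talk describes.

```python
"""Toy security-type inference for a straight-line masking IR (constructed example)."""

HIGH, LOW = "high", "low"


def join(*labels):
    """Least upper bound on the two-point lattice LOW < HIGH."""
    return HIGH if HIGH in labels else LOW


def infer_labels(program, annotations):
    """Infer a security label for every variable of a straight-line program.

    program: list of tuples in three-address form:
        ("const", dst, value)        ("rand", dst)
        ("xor", dst, a, b)           ("load", dst, table, idx)   # dst = table[idx]
    annotations: programmer-supplied {name: HIGH/LOW} for the inputs.
    Returns (labels, findings): the label of every variable and a list of
    loads whose index depends on secret data (the error the compiler should catch).
    """
    labels = dict(annotations)
    fresh = set()   # random values that have not been used as a mask yet
    masks = {}      # variable -> name of the random value it is masked with
    findings = []

    def lab(v):
        # Unannotated inputs are treated as HIGH, the conservative choice.
        return labels.get(v, HIGH)

    for stmt in program:
        op, dst = stmt[0], stmt[1]
        if op == "const":
            labels[dst] = LOW
        elif op == "rand":
            labels[dst] = LOW          # uniform randomness carries no secret
            fresh.add(dst)
        elif op == "xor":
            a, b = stmt[2], stmt[3]
            if masks.get(a) == b or masks.get(b) == a or (a in masks and masks[a] == masks.get(b)):
                # XOR-ing a masked value with its own mask (or two values sharing a
                # mask) cancels the randomness and exposes secret-dependent data.
                labels[dst] = HIGH
            elif a in fresh or b in fresh:
                r = a if a in fresh else b
                fresh.discard(r)       # single use: the same random may not mask twice
                labels[dst] = LOW      # secret XOR fresh uniform random is uniform
                masks[dst] = r
            else:
                labels[dst] = join(lab(a), lab(b))
                if a in masks or b in masks:
                    masks[dst] = masks.get(a, masks.get(b))
        elif op == "load":
            table, idx = stmt[2], stmt[3]
            if lab(idx) == HIGH:
                findings.append(f"{dst} = {table}[{idx}]: index '{idx}' is secret-dependent")
            labels[dst] = join(lab(table) if table in labels else LOW, lab(idx))
        else:
            raise ValueError(f"unknown op {op!r}")
    return labels, findings


# Constructed programs: an S-box lookup keyed by p XOR k, unmasked and masked.
UNMASKED = [("xor", "x", "p", "k"), ("load", "y", "sbox", "x")]
MASKED = [("rand", "r"), ("xor", "x", "p", "k"), ("xor", "xm", "x", "r"),
          ("load", "ym", "sbox_masked", "xm")]
UNMASKING = MASKED + [("xor", "x_again", "xm", "r")]   # removes the mask again

INPUTS = {"k": HIGH, "p": LOW}

if __name__ == "__main__":
    for name, prog in (("unmasked", UNMASKED), ("masked", MASKED), ("unmasking", UNMASKING)):
        labels, findings = infer_labels(prog, INPUTS)
        print(name, labels, findings)
```

Running it reports the unmasked lookup `y = sbox[x]` as secret-dependent, accepts the masked lookup (the index `xm` is uniform), and re-labels `x_again` as HIGH because the mask was stripped off. A real compiler would also have to recompute the masked table and reason about the output mask; the checker above only tracks labels.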

The two afternoon sessions were about improved fault attacks and side-channel analysis. The first paper by Banik et al. featured a differential fault attack on the Grain stream cipher family. Yossef Oren presented a refinement of algebraic side-channel attacks which integrates the template phase and the algebraic phase by feeding the a-posteriori probabilities from the template decoder directly into the solver/optimizer. This method can be used both for TASCA and Set ASCA, yielding "Template TASCA" and "Template Set ASCA", respectively. Oscar Reparaz showed how calculating the mutual information of tuples of points from power traces can be employed to optimize the selection of samples for multivariate DPA attacks. In a practical evaluation, they showed that an attack speedup of around 100x can be achieved by using only 5x more power traces. Benoit Gerard proposed to interpret linear collision attacks as a decoding problem in order to create a general framework for these settings.
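The sample-selection idea from the Reparaz talk is the same one an evaluator uses to locate where an implementation leaks, so here is an added example (my code, not the paper's or the authors') of mutual-information point-of-interest selection on constructed synthetic traces. It assumes a Hamming-weight leakage model on the output of a small S-box (PRESENT's 4-bit S-box, used only as a stand-in), discretises each sample into histogram bins, estimates I(sample; intermediate) per point, and then extends the same estimator to pairs of points by binning the joint tuple, which is the tuple-wise ranking the talk describes. Trace length, noise level, key and leaking index are constructed values.

```python
import math
import random
from collections import Counter
from itertools import combinations

# PRESENT's 4-bit S-box, used here only as a small stand-in target.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(x):
    return bin(x).count("1")


def make_traces(n, length, key, leak_point, noise, rng):
    """Constructed synthetic traces: every sample is Gaussian noise, and one
    sample additionally leaks the Hamming weight of the S-box output
    (an assumed leakage model). Returns (traces, intermediates)."""
    traces, inters = [], []
    for _ in range(n):
        p = rng.randrange(16)
        v = hamming_weight(SBOX[p ^ key])
        trace = [rng.gauss(0.0, noise) for _ in range(length)]
        trace[leak_point] += v
        traces.append(trace)
        inters.append(v)
    return traces, inters


def discretise(samples, bins=8):
    """Map continuous samples to equal-width bin indices for a histogram estimate."""
    lo, hi = min(samples), max(samples)
    width = (hi - lo) / bins or 1.0
    return [min(int((s - lo) / width), bins - 1) for s in samples]


def mutual_information(symbols, targets):
    """Plug-in estimate of I(X; Y) in bits from paired discrete observations."""
    n = len(symbols)
    px, py, pxy = Counter(symbols), Counter(targets), Counter(zip(symbols, targets))
    return sum(c / n * math.log2((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in pxy.items())


def rank_points(traces, inters, bins=8):
    """Score every sample index by its MI with the intermediate, best first."""
    length = len(traces[0])
    cols = [discretise([tr[i] for tr in traces], bins) for i in range(length)]
    scores = [mutual_information(col, inters) for col in cols]
    order = sorted(range(length), key=lambda i: scores[i], reverse=True)
    return order, scores


def rank_pairs(traces, inters, bins=4):
    """Score pairs of sample indices by the MI of the joint binned tuple.
    Coarser bins keep the joint histogram populated with few traces."""
    length = len(traces[0])
    cols = [discretise([tr[i] for tr in traces], bins) for i in range(length)]
    scores = {(i, j): mutual_information(list(zip(cols[i], cols[j])), inters)
              for i, j in combinations(range(length), 2)}
    return sorted(scores, key=scores.get, reverse=True), scores


def demo(seed=2012):
    """Generate constructed traces and return (best single point, best pair)."""
    rng = random.Random(seed)
    traces, inters = make_traces(2000, 20, key=0x7, leak_point=13, noise=0.5, rng=rng)
    order, _ = rank_points(traces, inters)
    pairs, _ = rank_pairs(traces, inters)
    return order[0], pairs[0]


if __name__ == "__main__":
    best_point, best_pair = demo()
    print("best single point:", best_point, "best pair:", best_pair)
```

With the constructed parameters the leaking index wins both rankings by a wide margin; non-leaking points only score the small positive bias that the plug-in estimator always has, which is why the pairwise scores use fewer bins (the bias grows with the number of histogram cells relative to the trace count).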

The day ended with the rump session, whose talks were complemented by a swinging Big Band conducted by Bart :-)
