So CHES 2013 started today, with a first session on Side-Channel Attacks in which our very own Carolyn presented her joint work with (also our very own) Elisabeth, Profiling DPA: Efficacy and efficiency trade-offs. The other talks in this session were given by Amir Moradi -- on a glitch-resistant masking scheme, Adrian Thillard -- on evaluating the effectiveness of a side-channel attack, and Yasser Shoukry -- on noninvasive spoofing attacks for anti-lock braking systems, and the audience was packed throughout the day. The CHES attendees then joined the CRYPTO folk for Adam's talk, and then two more sessions were scheduled in the afternoon before the IACR membership meeting and the beach barbecue. I'm going to blog mainly about the afternoon sessions.
The first CHES afternoon comprised two sessions, dedicated to Physical Unclonable Functions (PUFs) and Lightweight Cryptography respectively. Disclaimer: I am far from being a PUF expert, so please be lenient; I did get some expert advice from Marcin (yes, our own Marcin) though, so I hope all's well in the end.
Physical(ly) Unclonable Functions (PUFs) are functions embodied in a physical structure, that are easy to evaluate and hard to predict. Initially, materials displaying properties that could easily be extracted but were hard to characterize and reproduce were used, such as bubbles in a plastic film. More recently, silicon-based implementations have emerged as useful blocks in secure hardware design, with applications covering identification/authentication and even encryption key generation.
The first two papers discussed in this session tackled the PUF reliability model. In a nutshell, PUFs are noisy, and a reliability model is a way to model noisy PUF behaviour. Classically, it is assumed that all cells of a PUF are homogeneous, i.e. every cell is equally likely to produce an error at any time. This means the reliability behaviour of the PUF as a whole is described by a single fixed parameter: the bit error rate p_e. While convenient, this model’s limitations are obvious when looking at experimental results. A typical PUF instantiation exhibits both unstable and stable cells, i.e. some cells are more likely to produce an error while other cells are hardly ever wrong. This behaviour is not captured by the homogeneous model, which treats every cell in the same way. Thus, a new model is proposed by Roel Maes. The main motivation behind the newly introduced model is to accurately capture this cell-specific behaviour.
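To make the limitation concrete, here is a small simulation, added as an illustration and not taken from the papers or from Maes's model. It compares a homogeneous PUF with one made of stable and unstable cells that has the same overall bit error rate; the value p_e = 0.05, the 90/10 stable/unstable split and the per-cell error probabilities are all constructed assumptions.

```python
import random

def measure_error_counts(cell_error_probs, measurements, rng):
    """Re-read every cell `measurements` times; return how often each cell flipped."""
    return [sum(rng.random() < p for _ in range(measurements))
            for p in cell_error_probs]

def summarize(counts, measurements):
    """Return (overall bit error rate, fraction of cells that never erred)."""
    ber = sum(counts) / (len(counts) * measurements)
    never_wrong = sum(c == 0 for c in counts) / len(counts)
    return ber, never_wrong

def run_comparison(n_cells=2000, measurements=100, seed=2013):
    rng = random.Random(seed)  # fixed seed so the run is repeatable

    # Homogeneous model: one parameter p_e describes every cell (constructed value).
    p_e = 0.05
    homogeneous = [p_e] * n_cells

    # Constructed cell-specific population with the same mean error rate:
    # 10% unstable cells at 0.41 and 90% stable cells at 0.01
    # (0.1 * 0.41 + 0.9 * 0.01 = 0.05). This split is an assumption for
    # illustration only, not the distribution used in the paper.
    n_unstable = n_cells // 10
    heterogeneous = [0.41] * n_unstable + [0.01] * (n_cells - n_unstable)

    return {
        "homogeneous": summarize(
            measure_error_counts(homogeneous, measurements, rng), measurements),
        "heterogeneous": summarize(
            measure_error_counts(heterogeneous, measurements, rng), measurements),
    }

if __name__ == "__main__":
    for name, (ber, never) in run_comparison().items():
        print(f"{name:14s} BER={ber:.3f}  cells never wrong={never:.3f}")
```

Both populations report almost the same bit error rate, yet the fraction of cells that are never wrong over 100 reads differs by more than an order of magnitude, which is exactly the information a single p_e discards.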
The third paper, presented by Christian Wachsmann, describes an attack on SRAM PUFs using the remanence decay phenomenon. The attack assumes that the adversary has access to the SRAM memory before it is used as a PUF, which in real-time deployments might not be possible; this limits its potential to some very resource-constrained devices, but it is a good idea overall.
Lightweight cryptography needs little introduction. The quest for the cipher as light as a feather, and as hard as dragon-scales is motivated by the ever increasing demand for computing capabilities in low-resource scenarios such as RFID tags, mobile phones, smart cards, etc. Therefore, the qualifier lightweight should not automatically lead to the association with weak cryptographic designs; the goal is to achieve a balance between security, hardware performance and low overall cost (power consumption, total area and physical cost).
Begul Bilgin et al. introduced FIDES, a new lightweight authenticated cipher optimized for hardware implementations with either 80- or 96-bit keys. This new cipher reportedly has an area consumption which is 2 times smaller than that of Hummingbird-2 and is 3 times more compact than Grain-128a, the main competitors in its class. It also comes with a built-in masking scheme against side-channel attacks, the gate count for the protected ASIC implementation being comparable to plain implementations of AES-based authenticated encryption schemes such as ALE.
Also in this session, Michael Hutter presented hardware implementations of Keccak (the winner of the NIST SHA-3 competition) that aim for lowest power and lowest area. He presented two versions: the first design aimed for lowest power and area, while the second design allowed for higher throughput at the cost of a larger area.