Side Channel Leakage Exploitation, Mitigation and Detection of Emerging Cryptosystems

Chen, Cong

26 March 2018

With the emerging computing technologies and applications in the past decades, cryptography is facing tremendous challenges in its position of guarding our digital world. The advent of quantum computers is potentially going to cease the dominance of RSA and other public key algorithms based on hard problems of factorization and discrete logarithm. In order to protect the Internet at post-quantum era, great efforts have been dedicated to the design of RSA substitutions. One of them is code- based McEliece public key schemes which are immune to quantum attacks. Meanwhile, new infrastructures like Internet of Things are bringing the world enormous benefits but, due to the resource-constrained nature, require compact and still reliable cryptographic solutions. Motivated by this, many lightweight cryptographic algorithms are introduced. Nevertheless, side channel attack is still a practical threat for implementations of these new algorithms if no countermeasures are employed. In the past decades two major categories of side channel countermeasures, namely masking and hiding, have been studied to mitigate the threat of such attacks. As a masking countermeasure, Threshold Implementation becomes popular in recent years. It is sound in providing provable side channel resistance for hardware-based cryptosystems but meanwhile it also incurs significant overheads which need further optimization for constrained applications. Masking, especially for higher order masking schemes, requires low signal-to-noise ratio to be effective which can be achieved by applying hiding countermeasures. In order to evaluate side channel resistance of countermeasures, several tools have been introduced. Due to its simplicity, TVLA is being accepted by academy and industry as a one-size-fit-all leakage detection methodolgy that can be used by non-experts. However, its effectiveness can be negatively impacted by environmental factors such as temperature variations. Thus, a robust and simple evaluation method is desired. In this dissertation, we first show how differential power analysis can efficiently exploit the power consumption of a McEliece implementation to recover the private key. Then, we apply Threshold Implementation scheme in order to protect from the proposed attack. This is, to the best of our knowledge, the first time of applying Threshold Implementation in a public key cryptosystem. Next, we investigate the reduction of shares in Threshold Implementation so as to bring down its overhead for constrained applications. Our study shows that Threshold Implementation using only two shares reduces the overheads while still provides reliable first-order resistance but in the meantime it also leaks a strong second-order leakage. We also propose a hiding countermeasure, namely balanced encoding scheme based on the idea of Dual- Rail Pre-charge logic style in hardwares. We show that it is effective to mitigate the leakage and can be combined with masking schemes to achieve better resistance. Finally, we study paired t-test versus Welch's t-test in the original TVLA and show its robustness against environmental noises. We also found that using moving average in computing t statistics can detect higher-order leakage faster.

post-quantum crypto

t-test

Threshold Implementations

Side channel attack

Lightweight Cryptography Meets Threshold Implementation: A Case Study for SIMON

Shahverdi, Aria

26 August 2015

"Securing data transmission has always been a challenge. While many cryptographic algorithms are available to solve the problem, many applications have tough area constraints while requiring high-level security. Lightweight cryptography aims at achieving high-level security with the benefit of being low cost. Since the late nineties and with the discovery of side channel attacks the approach towards cryptography has changed quite significantly. An attacker who can get close to a device can extract sensitive data by monitoring side channels such as power consumption, sound, or electromagnetic emanation. This means that embedded implementations of cryptographic schemes require protection against such attacks to achieve the desired level of security. In this work we combine a low-cost embedded cipher, Simon, with a stateof-the-art side channel countermeasure called Threshold Implementation (TI). We show that TI is a great match for lightweight cryptographic ciphers, especially for hardware implementation. Our implementation is the smallest TI of a block-cipher on an FPGA. This implementation utilizes 96 slices of a low-cost Spartan-3 FPGA and 55 slices a modern Kintex-7 FPGA. Moreover, we present a higher order TI which is resistant against second order attacks. This implementation utilizes 163 slices of a Spartan-3 FPGA and 95 slices of a Kintex-7 FPGA. We also present a state of the art leakage analysis and, by applying it to the designs, show that the implementations achieve the expected security. The implementations even feature a significant robustness to higher order attacks, where several million observations are needed to detect leakage."

cryptography

side-channel attacks

lightweight cryptography

SIMON

threshold implementation

Efficient Side-channel Resistant MPC-based Software Implementation of the AES

Fernandez Rubio, Abraham

27 April 2017

Current cryptographic algorithms pose high standards of security yet they are susceptible to side-channel analysis (SCA). When it comes to implementation, the hardness of cryptography dangles on the weak link of side-channel information leakage. The widely adopted AES encryption algorithm, and others, can be easily broken when they are implemented without any resistance to SCA. This work applies state of the art techniques, namely Secret Sharing and Secure Multiparty Computation (SMC), on AES-128 encryption as a countermeasure to those attacks. This embedded C implementation explores multiple time-memory trade-offs for the design of its fundamental components, SMC and field arithmetic, to meet a variety of execution and storage demands. The performance and leakage assessment of this implementation for an ARM based micro-controller demonstrate the capabilities of masking schemes and prove their feasibility on embedded software.

side-channel analysis

multiparty computation

AES

polynomial masking

Cooperative Channel State Information Dissemination Schemes in Wireless Ad-hoc Networks

He, Wenmin

25 April 2013

This thesis considers a novel problem of obtaining global channel state information (CSI) at every node in an ad-hoc wireless network. A class of protocols for dissemination and estimation are developed which attempt to minimize the staleness of the estimates throughout the network. This thesis also provides an optimal protocol for CSI dissemination in networks with complete graph topology and a near optimal protocol in networks having incomplete graph topology. In networks with complete graph topology, the protocol for CSI dissemination is shown to have a resemblance to finding Eulerian tours in complete graphs. For networks having incomplete graph topology, a lower bound on maximum staleness is given and a near optimal algorithm based on finding minimum connected dominating sets and proper scheduling is described in this thesis.

dominating set

MLST

Hamiltonian decomposition

channel state information

Site-Specific RSS Signature Modeling for WiFi Localization

Roberts, Brian J

01 May 2009

A number of techniques for indoor and outdoor WiFi localization using received signal strength (RSS) signatures have been published. Little work has been performed to characterize the RSS signatures used by these WiFi localization techniques or to assess the accuracy of current channel models to represent the signatures. Without accurate characterization and models of the RSS signatures, a large amount of empirical data is needed to evaluate the performance of the WiFi localization techniques. The goal of this research is to characterize the RSS signatures, propose channel model improvements based on the characterization, and study the performance of channel models for use in WiFi localization simulations to eliminate the need for large amounts of empirical data measurements. In this thesis, we present our empirical database of RSS signatures measured on the Worcester Polytechnic Institute campus. We use the empirical database to characterize the RSS signatures used in WiFi localization, showing that they are composed of connective segments and influenced by the access point (AP) location within a building. From the characterization, we propose improving existing channel models by building partitioning the signal path-loss using site-specific information from Google Earth. We then evaluate the performance of the existing channel models and the building partitioned models against the empirical data. The results show that using site-specific information to building partition the signal path-loss a tighter fit to the empirical RSS signatures can be achieved.

empirical database

WiFi localization

RSS

channel modeling

performance evaluation

Quantitative information flow of side-channel leakages in web applications

Huang, Xujing

January 2016

It is not a secret that communications between client sides and server sides in web applications can leak user confidential data through side-channel attacks. The lower lever traffic features, such as packet sizes, packet lengths, timings, etc., are public to attackers. Attackers can infer a user's web activities including web browsing histories and user sensitive information by analysing web traffic generated during communications, even when the traffic is encrypted. There has been an increasing public concern about the disclosure of user privacy through side-channel attacks in web applications. A large amount of work has been proposed to analyse and evaluate this kind of security threat in the real world. This dissertation addresses side-channel vulnerabilities from different perspectives. First, a new approach based on verification and quantitative information flow is proposed to perform a fully automated analysis of side-channel leakages in web applications. Core to this aim is the generation of test cases without developers' manual work. Techniques are implemented into a tool, called SideAuto, which targets at the Apache Struts web applications. Then the focus is turned to real-world web applications. A black-box methodology of automatically analysing side-channel vulnerabilities in real-world web applications is proposed. This research demonstrates that communications which are not explicitly involving user sensitive information can leak user secrets, even more seriously than a traffic explicitly transmitting user information. Moreover, this thesis also examines side-channel leakages of user identities from Google accounts. The research demonstrates that user identities can be revealed, even when communicating with external websites included in Alexa Top 150 websites, which have no relation to Google accounts.

Transporte de volume e condições hidrográficas no Canal de São Sebastião / Volume transport and hydrographic conditions in the São Sebastião Channel

Sandro Vianna Paixão

20 June 2008

Dados correntométricos obtidos com o emprego do \"Acoustic Doppler Current Profiler\" (ADCP) rebocado por um barco de pesquisa e dados hidrográficos quasesinóticos foram amostrados no Canal de São Sebastião (CSS) em seis cruzeiros realizados entre 2001 e 2006. Dados de vento de superfície para a Plataforma Continental Sudeste do Brasil (PCSE) obtidos pelo escaterômetro QuikSCAT também foram utilizados neste trabalho. O método da Análise Objetiva foi aplicado para a obtenção das distribuições horizontais e verticais de temperatura, salinidade, densidade, velocidade e vento. Os transportes de volume estimados para as quatro seções verticais dispostas radialmente no canal apresentaram condições de quase-continuidade ou descontinuidade entre seus valores cujas causas foram atribuídas principalmente à ocorrência de giros ciclônicos ou anticiclônicos na porção sul do CSS e à quase-sinopticidade da aquisição dos dados. Em 13/11/2002 foi obtido o maior valor para o transporte de volume no canal, de 18904m3 s1, associado aos ventos de SW, com direção para norte, enquanto que o menor valor calculado foi de -1959 m3 s1, em 27/07/2006, com movimentos para sul associado aos ventos oriundos de NE. Os giros foram observados somente na porção sul do canal. Esses giros eram ciclônicos associados aos ventos de NE e anticiclônicos quando os ventos sopraram de SW. O tempo de renovação das águas do CSS varia de 0,81 dias a 7,81 dias. Circulação em duas camadas e bidirecional, com movimentos superficiais para SW, forçados pelos ventos de NE, e movimentos profundos em direção para o norte do canal foram observados em 27/07/2006, 10/10/2006 e 14/12/2006. A Água Central do Atlântico Sul (ACAS) preencheu toda a camada de fundo do CSS em 14/12/2006, e neste dia ocorreu a ressurgência costeira com o afloramento da ACAS na superfície, na costa continental sul do CSS, associada aos ventos de NE/SE, que sopraram na PCSE entre os dias 8 e 14/12/2006. / Current data obtained using an \"Acoustic Doppler Current Profiler \" (ADCP) towed by a research boat and nearly synoptic hydrographic data were sampled in the São Sebastião Channel (SSC) during six cruises between 2001 and 2006. This study also uses ocean-surface wind fields for the South Brazil Bight (SBB) area derived from the QuikSCAT scatterometer. The method of objective analysis was applied to obtain the horizontal and vertical distributions of temperature, salinity, density, velocity and wind. The estimated along-channel volume transport for the four vertical sections arranged radially to the channel was almost continuous or discontinuous between their values, probably mainly caused by the occurrence of anticyclonic or cyclonic gyres in the southern portion of the SSC and almost synopticity in data acquisition. The calculated volume transport in the channel ranged from 18,904 m3 s1 on 13/11/2002 heading north forced by southwesterly winds, to -1,959m3 s1 on 27/07/2006 heading south forced by northeasterly winds. Gyres were observed only in the southern portion of the channel. These gyres were cyclonic during northeasterly winds and anticyclonic during southwesterly winds. The water renewal time of the SSC varies from 0.81 to 7.81 days. On 27/07/2006, 10/10/2006 and 14/12/2006, bidirectional circulation in two layers was observed, with surface currents heading SW, forced by northeasterly winds, and deep currents heading N. On 14/12/2006 the whole bottom layer of the SSC was filled with South Atlantic Central Water (SACW), and its coastal upwelling was observed at the southern continental coast of the channel, probably due to NE/SE winds that blew between 8/12/2006 and 14/12/2006.

Canal de São Sebastião

transporte de volume

Sã Sebastião Channel

volume transport

Modereportage : en marknadsföringskanal? / Fashion Editorials : a channel for marketing?

Flemmich, Sanna, Jutéus, Ida

January 2009

Marketing has been developed and revalued the last years. The consumer today is moreeducated and is therefore able to have higher demands. These requirements together with theincreased competition is forcing brands to find creative ways to reach their target market.Fashion has throughout history contributed to, and been influenced by, changes in society.Through all times, people have used fashion and clothing as a way to demonstrate their socialidentity and to be accepted. Companies in the fashion industry can be successful if theydevelop brands that attract consumers. To achieve this, companies must find newcommunication tools to reach out to the consumer, among these tools, we find the fashioneditorials.Our aim is to investigate whether product placement occurs in Swedish fashion editorials.Through our thesis we want to explore how consumers perceive the editorials and alsowhether if they are used as a marketing channel.The method is qualitative and the study is based on semi structured interviews and a focusgroup interview. To get several opinions of the problem area, the issue is discussed from twodifferent perspectives. According to the hermeneutical approach, with interpretation in focus,the empirical material has been analyzed alternately with theory. The theories have thereforebeen reviewed during the process.Our conclusion is that all respondents experience that product placement occurs in fashioneditorials. It is also clear that there are differences between the interview perspectives. Theoccurance of product placement in fashion editorials is percieved in different ways. The maindifference is that the fashion industry operatives can see the press offices as messengers forthe brand's image. The consumer, on the other hand, is completely unaware of their existence.Furthermore, readers believe that the content is selected by someone who is an interpreter inthe fashion area and therefore it is accepted. Readers can see the fashion editorials as a sourceof inspiration when shopping. The fashion brands that frequently appears in fashion editorialsbecome top-of-mind of the consumer/reader. Our results suggest that consumers actually areshopping garments from the brands that appear in editorials. Fashion editorials can thus bedescribed as an important part of a fashion company's marketing. Finally, we discuss thefuture of fashion magazines as internet and blogs are changing the conditions to attract theconsumer. / Program: Textilekonomutbildningen

fashion editorials

marketing channel

top-of-mind

Economics and Business

Ekonomi och näringsliv

Performance enhancement of massive MIMO systems under channel correlation and pilot contamination

Alkhaled, Makram Hashim Mahmood

January 2018

The past decade has seen an enormous increase in the number of connected wireless devices, and currently there are billions of devices that are connected and managed by wireless networks. At the same time, the applications that are running on these devices have also developed significantly and became more data rate insatiable. As the number of wireless devices and the demand for a high data rate will always increase, in addition to the growing concern about the energy consumption of wireless communication systems, the future wireless communication systems will have to meet three main requirements. These three requirements are: i) being able to achieve high throughput; ii) serving a large number of users simultaneously; and iii) being energy efficient (less energy consumption). Massive multiple-input multiple-output (MIMO) technology can satisfy the aforementioned requirements; and thus, it is a promising candidate technology for the next generations of wireless communication systems. Massive MIMO technology simply refers to the idea of utilizing a large number of antennas at the base station (BS) to serve a large number of users simultaneously using the same time-frequency resources. The hypothesis behind using a massive number of antennas at the BS is that as the number of antennas increases, the channels become favourable. In other words, the channel vectors between the users and their serving BS become (nearly) pairwisely orthogonal as the number of BS antennas increases. This in turn enables the use of linear processing at the BS to achieve near optimal performance. Moreover, a huge throughput and energy efficiency can be attained due to users multiplexing and array gain. In this thesis, we investigate the performance of massive MIMO systems under different scenarios. Firstly, we investigate the performance of a single-cell multi-user massive MIMO system, in which the channel vectors for the different users are assumed to be correlated. In this aspect, we propose two algorithms for users grouping that aim to improve the system performance. Afterwards, the problem of pilot contamination in multi-cell massive MIMO systems is discussed. Based on this discussion, we propose a pilot allocation algorithm that maximizes the minimum achievable rate in a target cell. Following that, we consider two different scenarios for pilot sequences allocation in multi-cell massive MIMO systems. Lower bounds on the achievable rates are derived for two linear detectors, and the performance under different system settings is analysed and discussed for both scenarios. Finally, two algorithms for pilot sequences allocation are proposed. The first algorithm takes advantage of the multiplicity of pilot sequences over the number of users to improve the achievable rate of edge cell users. While the second algorithm aims to mitigate the negative impact of pilot contamination by utilizing more system resources for the channel estimation process to reduce the inter-cell interference.

Turbulent structure and transport processes in open-channel flows with patchy-vegetated beds

Savio, Mario

January 2017

Flow-vegetation interactions are critically important for most hydraulic and sediment processes in streams and rivers and thus need to be accounted for in their management. The central goal of this project therefore was to improve the understanding of flow-vegetation interactions in patchy-vegetated river beds, which are typical in rivers. Based on laboratory experiments covering a range of selected hydraulic and patch mosaic scenarios, the hydraulic resistance mechanisms, turbulence structure, and transport mechanisms were studied. The effects of regular patch mosaic patterns (aligned and staggered) on the bulk hydraulic resistance were investigated first. For the cases in which the relative vegetation coverage BSA in respect to the total flume bed is low (BSA = 0.1), the patches mutual positions do not affect values of the friction factor. When the parameter BSA increases to intermediate values (BSA = 0.3), the spatial distribution of the vegetation patches and their interactions become crucial and lead to a significant increase in the bulk hydraulic resistance. When further increase of the vegetation cover occurs (BSA = 0.6), the effects on hydraulic resistance of patch patterns vanish. To clarify the mechanisms of the revealed patch effects on the overall hydraulic resistance, flow structure was assessed at both scales: individual patch and patch mosaic. The presence of a submerged isolated vegetation patch on the bed introduces a flow diversion which strongly alters the velocity field and turbulence parameters around the patch. Coherent structures, generated at the canopy top due to velocity shear, control the mass and momentum transfer between the layers below and above the vegetation patch. At the patch mosaic scale, a complex three-dimensional flow structure is formed around the patches which depends on the patch spacing and spatial arrangements. For the low surface area blockage factor (BSA = 0.1), the patches are sparsely distributed and the wakes are (nearly) fully developed before they are interrupted by the effects of the downstream patches. At the intermediate surface area blockage factor (BSA = 0.3), significant differences in flow structure between the aligned and staggered patches were observed. For the highest surface area blockage factor investigated (BSA = 0.6) both aligned and staggered patch mosaic configurations showed a similar behaviour. The results on the flow structure are used to provide mechanistic explanation of the observed patch mosaic effects on the bulk hydraulic resistance.

620