Winter is here! A decade of cache-based side-channel attacks,detection & mitigation for RSA

Timing-based side-channels play an important role in exposing the state of a process execution on underlying hardware by revealing information about timing and access patterns. Side-channel attacks (SCAs) are powerful cryptanalysis techniques that focus on the underlying implementation of cryptographic ciphers during execution rather than attacking the structure of cryptographic functions. This paper reviews cache-based software side-channel attacks, mitigation and detection techniques that target various cryptosystems, particularly RSA, proposed over the last decade (2007–2018). It provides a detailed taxonomy of attacks on RSA cryptosystems and discusses their strengths and weaknesses while attacking different algorithmic implementations of RSA. A threat model is presented based on the cache features that are being leveraged for such attacks across cache hierarchy in computing architectures. The paper also provides a classification of these attacks based on the source of information leakage. It then undertakes a qualitative analysis of secret key retrieval efficiency, complexity, and the features being exploited on target cryptosystems in these attacks. The paper also discusses the mitigation and detection techniques proposed against such attacks and classifies them based on their effectiveness at various levels in caching hardware and leveraged features. Finally, the paper discusses recent trends in attacks, the challenges involved in their mitigation, and future research directions needed to deal with side-channel information leakage.     

Remarks concerning the optimization of matrix codes

This paper describes the results of a general theory of matrix codes correcting a set of given types of multiple errors. A detailed study has been made of certain matrix classes of these systematic binary error correcting codes that will correct typical errors of some digital channels. These codes published by Elias,^(2,3) Hobb's,⁽⁵⁾ and Voukalis⁽¹¹⁾ account for this theory and other new families of binary systematic matrix codes of arbitrary size, correcting random, burst and clusters of errors are given here. Also presented here are the basic ideas of each of these codes. We can easily find practical decoding algorithms for each of these codes. The characteristic calculation of the parity check equations that the information matrix codebook has to satisfy are also shown. Further on we deal with the optimum construction of these codes showing their use in certain applications. We answer questions such as: “What is the optimum size of the code?” “What is the best structure of the code?” “What is the probability of error correction and the mean error correction performance?” Consequently, in this paper we also describe the results of an extensive search for optimum matrix codes designed to correct a given set of multiple errors as well as their implementation.     

Message authentication and encryption combined

Encryption for considentiality and cryptographic techniques for message authentication are usually treated as separate techniques that may or may not be applied to protect message contents. In many cases there is a need for both confidentiality and message authentication. If treated as separate functions this may lead to doubling of cryptographic algorithms and key management. Some encryption functions may, however, give also good protection against message manipulations, while others do less well. The paper investigates how different encryption functions behave in this respect.The redundancy needed in the plain-text for detecting message manipulations is primarily supposed to be of the common error checksum type, rather than specially designed manipulation detection codes. The conclusion is that several encryption schemes will protect well against active attacks with these “natural” redundancy controls. Other schemes are found not to be recommendable. By choosing the right encryption scheme, message authentication may in many situations be had for free.     

Remote dynamic partial reconfiguration: A threat to Internet-of-Things and embedded security applications

The advent of the Internet of Things has motivated the use of Field Programmable Gate Array (FPGA) devices with Dynamic Partial Reconfiguration (DPR) capabilities for dynamic non-invasive modifications to circuits implemented on the FPGA. In particular, the ability to perform DPR over the network is essential in the context of a growing number of Internet of Things (IoT)-based and embedded security applications. However, the use of remote DPR brings with it a number of security threats that could lead to potentially catastrophic consequences in practical scenarios. In this paper, we demonstrate four examples where the remote DPR capability of the FPGA may be exploited by an adversary to launch Hardware Trojan Horse (HTH) attacks on commonly used security applications. We substantiate the threat by demonstrating remotely-launched attacks on Xilinx FPGA-based hardware implementations of a cryptographic algorithm, a true random number generator, and two processor based security applications - namely, a software implementation of a cryptographic algorithm and a cash dispensing scheme. The attacks are launched by on-the-fly transfer of malicious FPGA configuration bitstreams over an Ethernet connection to perform DPR and leak sensitive information. Finally, we comment on plausible countermeasures to prevent such attacks.     

Stochastic stability analysis of networked control systems with random cryptographic protection under random zero-measurement attacks

Security issues in networked control systems (NCSs) have received increasing attention in recent years. However, security protection often requires extra energy consumption, computational overhead, and time delays, which could adversely affect the real-time and energy-limited system. In this paper, random cryptographic protection is implemented. It is less expensive with respect to computational overhead, time, and energy consumption, compared with persistent cryptographic protection. Under the consideration of weak attackers who have little system knowledge, ungenerous attacking capability and the desire for stealthiness and random zero-measurement attacks are introduced as the malicious modification of measurements into zero signals. NCS is modeled as a stochastic system with two correlated Bernoulli distributed stochastic variables for implementation of random cryptographic protection and occurrence of random zero-measurement attacks; the stochastic stability can be analyzed using a linear matrix inequality (LMI) approach. The proposed stochastic stability analysis can help determine the proper probability of running random cryptographic protection against random zero-measurement attacks with a certain probability. Finally, a simulation example is presented based on a vertical take-off and landing (VTOL) system. The results show the effectiveness, robustness, and application of the proposed method, and are helpful in choosing the proper protection mechanism taking into account the time delay and in determining the system sampling period to increase the resistance against such attacks.     

Problems and solutions from the fourth International Students’ Olympiad in Cryptography (NSUCRYPTO)

Mathematical problems and their solutions from the fourth International Students’ Olympiad in cryptography (NSUCRYPTO-2017) are presented. We consider problems related to attacks on ciphers and hash functions, cryptographic Boolean functions, linear branch numbers, addition chains, and error correction codes, among others. We discuss several open problems involving the algebraic structures of cryptographic functions, useful proof-of-work algorithms, the Boolean hidden shift problem, and quantum computing.     

Design of circular dot pattern code (CDPC) for maximum information capacity and robustness on geometric distortion/noise

One dimensional or linear bar code has been used for distribution purposes such as product information and distribution channel identification. Those linear bar codes can support only one directional code layout and also support limited code error detection capability. Two dimensional bar codes (e.g., QR code) extending one dimensional bar codes were developed in database and index based types. Database type barcodes embed full information bits and show weak recognition rate with geometric distortion. Index-based embed only the index information and requires additional network servers to interpret the index information, which leads to limited information storage capacity. Instead of using visible bar codes, we propose CDPC (circular dot pattern code), which is a dot based codes which is more invisible than bar codes. We design CDPC to be more robust to geometric distortion and noise than previous coding schemes using circular template matching. To maximize the information capacity and robustness, we use a circular dot patterns which is more robust to affine transformation. Code can be easily extended according to the number of data circles. If the number of data circle is n, then we can embed \( \left( {5\sum {_{{k = 2}}^{{n + 1}}{\text{k}}} } \right) - {\text{n}} \) data bits. In our experimentation, we set the number of circle to three, and resulting information capacity can be 42 bits per one code. To extract information from a CDPC codes, we perform (1) image capture, (2) identification of dots, (3) graph based topological analysis of dot patterns, (4) template matching between topological graphs using position symbols, and (5) information bit extraction with error correction capability. To evaluate information capacity under various geometric distortions, we experiment our CDPC with StirMark Benchmark’s affine transformation (simulation of geometric and noise attacks) and with real cell phone image captures. Our experimental results also show that our CDPC scheme achieves more robust recognition performance than those proposed in previous research works including QR code.     

Synchronization of multiple chaotic FitzHugh-Nagumo neurons with gap junctions under external electrical stimulation

This paper discusses the synchronization of three coupled chaotic FitzHugh-Nagumo (FHN) neurons with different gap junctions under external electrical stimulation. A nonlinear control law that guarantees the asymptotic synchronization of coupled neurons (with reduced computations) is proposed. The developed control law incorporates the synchronization error between two slave neurons in addition to the conventionally considered synchronization errors between the master and the slave neurons, which make the proposed scheme computationally more efficient. Further, a novel L₂ gain reduction criterion has been developed for multi-input multi-output systems with non-zero initial conditions, and is applied to robust synchronization of FHN neurons under L₂ norm bounded disturbance and uncertainties. Furthermore, a robust adaptive nonlinear control law is developed, which is capable of handling variations in nonlinear part of synchronization error dynamics, without using any neural-network-based training-oriented adaptive scheme. The proposed control schemes ensure global synchronization with computational simplicity, easy way of design and implementation and avoiding extra measurements. The results obtained with the proposed control laws are verified through numerical simulations.     

严格反馈型非仿射非线性系统的自适应模糊控制

针对一类具有严格反馈形式的非仿射非线性受扰系统,提出了基于backstepping方法的自适应模糊控制.该算法仅要求模糊逻辑系统逼近误差范数有界,引入监督控制补偿系统逼近误差和外界干扰,保证闭环系统所有信号一致有界,跟踪误差一致渐近稳定.将R(o)ssle混沌系统作为仿真对象,仿真结果表明了该方法的有效性.     

Exponential fitting BDF-Runge-Kutta algorithms

In other papers, the authors presented exponential fitting methods of BDF type. Now, these methods are used to derive some BDF-Runge-Kutta type formulas (of second-, third- and fourth-order), capable of the exact integration (with only round-off errors) of differential equations whose solutions are linear combinations of an exponential with parameter A and ordinary polynomials. Theorems of the truncation error reveal the good behavior of the new methods for stiff problems. Plots of their absolute stability regions that include the whole of the negative real axis are provided. Different procedures to find the parameter of the method are proposed, using these techniques there will not be necessary to compute the exponential matrix at each step, even when nonlinear problems are integrated. Numerical examples underscore the efficiency of the proposed codes, especially when they are integrating stiff problems.     

Robust copyright marking using Weibull distribution

For multimedia document, watermarking provides many advantages; however, its vulnerability due to attacks using signal processing methods offers challenge in designing robust techniques. This paper presents a novel method for enhancing robustness in copyright marking into mid-frequency discrete cosine transform (DCT) coefficients of an image. We establish that Weibull distribution suitably models mid-frequency coefficients well and use it for hiding copyright data. Our method is robust against JPEG compression attacks at both high and low compressions. Further, it is statistically undetectable in comparison to existing techniques of data hiding based on DCT coefficients. This is because it insignificantly affects the DCT coefficients of the stego image without compromising with data hiding capacity of the host image. Simulation result on Lena, Gibbon, Boat, and Peppers images illustrates that our algorithm offers lower bit error rate (BER) and higher peak signal to noise ratio (PSNR) leading to improved imperceptibility. Thus, it is useful in robust copyright marking.     

A sinkhole resilient protocol for wireless sensor networks: Performance and security analysis

This work focuses on: (1) understanding the impact of selective forwarding attacks on tree-based routing topologies in wireless sensor networks (WSNs), and (2) investigating cryptography-based strategies to limit network degradation caused by sinkhole attacks. The main motivation of our research stems from the following observations. First, WSN protocols that construct a fixed routing topology may be significantly affected by malicious attacks. Second, considering networks deployed in a difficult to access geographical region, building up resilience against such attacks rather than detection is expected to be more beneficial. We thus first provide a simulation study on the impact of malicious attacks based on a diverse set of parameters, such as the network scale and the position and number of malicious nodes. Based on this study, we propose a single but very representative metric for describing this impact. Second, we present the novel design and evaluation of two simple and resilient topology-based reconfiguration protocols that broadcast cryptographic values. The results of our simulation study together with a detailed analysis of the cryptographic overhead (communication, memory, and computational costs) show that our reconfiguration protocols are practical and effective in improving resilience against sinkhole attacks, even in the presence of collusion.     

Image copyright protection with forward error correction

A copyright protection method for digital image with 1/T rate forward error correction (FEC) is proposed in this paper. In this method, the original image is lossless and the watermark is robust to malicious attacks including geometric attacks such as scaling, rotation, cropping, print–photocopy–scan, and scaling–cropping attacks and nongeometric attacks such as low-pass filtering, sharpening, JPEG compression attacks. The watermark logo is fused with noise bits to improve the security, and later XORed with the feature value of the image by 1/T rate FEC. During extraction, the watermark bits are determined by majority voting, and the extraction procedure needs neither the original image nor the watermark logo. Experimental results show that not only the image is lossless but also the proposed method can effectively resist the common malicious attacks. Since the proposed method is based on spatial domain and there is no need to do frequency transform, the embedding and extraction performances are quite improved.     

Semi-global robust output regulation of minimum-phase nonlinear systems based on high-gain nonlinear internal model

We consider the assumption of existence of the general nonlinear internal model that is introduced in the design of robust output regulators for a class of minimum-phase nonlinear systems with rth degree (r ≥ 2). The robust output regulation problem can be converted into a robust stabilisation problem of an augmented system consisting of the given plant and a high-gain nonlinear internal model, perfectly reproducing the bounded including not only periodic but also nonperiodic exogenous signal from a nonlinear system, which satisfies some general immersion assumption. The state feedback controller is designed to guarantee the asymptotic convergence of system errors to zero manifold. Furthermore, the proposed scheme makes use of output feedback dynamic controller that only processes information from the regulated output error by using high-gain observer to robustly estimate the derivatives of the regulated output error. The stabilisation analysis of the resulting closed-loop systems leads to regional as well as semi-global robust output regulation achieved for some appointed initial condition in the state space, for all possible values of the uncertain parameter vector and the exogenous signal, ranging over an arbitrary compact set.     

Combining Rabin cryptosystem and error correction codes to facilitate anonymous authentication with un-traceability for low-end devices

Secure authentication of low cost Radio Frequency Identification (RFID) with low computing capacity is a big challenge, due to the constraint of the limited resources and the privacy concern of their mobility and traceability. Here, we not only concern authentication but also privacy (anonymity and un-traceability) to protect privacy of these mobile devices and their holders. In this paper, we delicately combine Rabin cryptosystem and error correction codes to design lightweight authentication scheme with anonymity and un-traceability. Compared to its previous counterpart [4], the proposed schemes improve the number of supported tags from O(k) to O(2^k), where k is the dimension of the codes. The scheme is attractive to low-end devices, especially those low-cost cryptographic RFIDs. We, additionally, show the security weaknesses of a recently published Rabin cryptosystem-based RFID authentication scheme.     

An LMI approach to design robust fault detection filter for uncertain LTI systems

In this paper, the robust fault detection filter design problem for uncertain linear time-invariant (LTI) systems with both unknown inputs and modelling errors is studied. The basic idea of our study is to use an optimal residual generator (assuming no modelling errors) as the reference residual model of the robust fault detection filter design for uncertain LTI systems with modelling errors and, based on it, to formulate the robust fault detection filter design as an H_∞ model-matching problem. By using some recent results of H_∞ optimization, a solution of the optimization problem is then presented via a linear matrix inequality (LMI) formulation. The main results include the development of an optimal reference residual model, the formulation of robust fault detection filter design problem, the derivation of a sufficient condition for the existence of a robust fault detection filter and a construction of it based on the LMI solution parameters, the determination of adaptive threshold for fault detection. An illustrative design example is employed to demonstrate the effectiveness of the proposed approach.     

一种抗同步攻击的视频水印新方案

文章提出一种新颖的基于纠错和同步编码的视频水印方案,在嵌入水印时先将水印信息进行纠错编码后,和同步码作数据封装,然后嵌入到视频数据中。在检测水印时,先检测同步码,然后对得到的信息码进行纠错译码,还原出水印信息。此外,为了抵抗几何攻击,算法利用Zernike矩来确定水印嵌入的位置。实验表明,该水印方案具有低复杂性,能够有效抵抗帧丢失、帧插入等时间域的同步攻击与几何攻击。     

Guaranteed and robust a posteriori error estimates and balancing discretization and linearization errors for monotone nonlinear problems

We derive a posteriori error estimates for a class of second-order monotone quasi-linear diffusion-type problems approximated by piecewise affine, continuous finite elements. Our estimates yield a guaranteed and fully computable upper bound on the error measured by the dual norm of the residual, as well as a global error lower bound, up to a generic constant independent of the nonlinear operator. They are thus fully robust with respect to the nonlinearity, thanks to the choice of the error measure. They are also locally efficient, albeit in a different norm, and hence suitable for adaptive mesh refinement. Moreover, they allow to distinguish, estimate separately, and compare the discretization and linearization errors. Hence, the iterative (Newton–Raphson, fixed point) linearization can be stopped whenever the linearization error drops to the level at which it does not affect significantly the overall error. This can lead to important computational savings, as performing an excessive number of unnecessary linearization iterations can be avoided. A strategy combining the linearization stopping criterion and adaptive mesh refinement is proposed and numerically tested for the p-Laplacian.     

Fingerprinting: bounding soft-error-detection latency and bandwidth

Recent studies suggest that the soft-error rate in microprocessor logic is likely to become a serious reliability concern by 2010. Detecting soft errors in the processor's core logic presents a new challenge beyond what error detecting and correcting codes can handle. Commercial microprocessor systems that require an assurance of reliability employ an error-detection scheme based on dual modular redundancy (DMR) in some form - from replicated pipelines within the same die to mirroring of complete processors. To detect errors across a distributed DMR pair, we develop fingerprinting, a technique that summarizes a processor's execution history into a cryptographic signature, or "fingerprint". More specifically, a fingerprint is a hash value computed on the changes to a processor's architectural state resulting from a program's execution. Fingerprinting summarizes the history of internal processor state updates into a cryptographic signature. The processors in a dual modular redundant pair periodically exchange and compare fingerprints to corroborate each other's correctness. Relative to other techniques, fingerprinting offers superior error coverage and significantly reduces the error-detection latency and bandwidth     

On error-correcting fingerprinting codes for use with watermarking

Digital fingerprinting has been suggested for copyright protection. Using a watermarking scheme, a fingerprint identifying the buyer is embedded in every copy sold. If an illegal copy appears, it can be traced back to the guilty user. By using collusion-secure codes, the fingerprinting system is made secure against cut-and-paste attacks. In this paper we study the interface between the collusion-secure fingerprinting codes and the underlying watermarking scheme, and we construct several codes which are both error-correcting and collusion-secure. Error-correction makes the system robust against successful attacks on the watermarking layer.