International Association for Cryptologic Research

International Association
for Cryptologic Research


Helena Handschuh


RISCV and Security: how, when and why? 📺
Helena Handschuh
In this talk we will provide an overview of the current activities of the RISCV Foundation, including the creation of a Security Standing Committee about a year ago which is in charge of assessing new threats and opportunities in security in the RISCV world; we will discuss progress being made by the security-related task groups. The first one is working on specifying extensions of the base instruction set architecture (ISA) that will enable high-performance and high security cryptographic operations (AES, SHA-2, Public Key Cryptography); the second one is looking at creating extensions and hardware/software specifications to enable a trusted execution environment built on top of a RISCV processor; we will also provide details on the activities of the Security Standing Committee itself, and what some of the plans are to tackle the newest microarchitectural cache timing side-channel attacks such as Spectre, Meltdown, Foreshadow, etc. We will review some additional work on secure RISCV and existing security extension initiatives by academia around the world. Finally, we will describe some approaches of how a side-channel and DPA-resistant RISCV CPU could be built and elaborate on the research we have been focused on in the past months.
Fault Resistant RSA Signatures: Chinese Remaindering in Both Directions
Arnaud Boscher Helena Handschuh Elena Trichina
Fault attacks are one of the most severe attacks against secure embedded cryptographic implementations. Block ciphers such as AES, DES or public key algorithms such as RSA can be broken with as few as a single or a handful of erroneous computation results. Many countermeasures have been proposed both at the algorithmic level and using ad-hoc methods. In this paper, we address the problem of finding efficient countermeasures for RSA signature computations based on the Chinese Remainder Theorem for which one uses the inverse operation (verification) in order to secure the algorithm against fault attacks. We propose new efficient methods with associated security proofs in two different models; our methods protect against run-time errors, computation errors, and most permanent errors in the key parameters as well. We also extend our methods with infective computation strategies to secure the algorithm against double faults.
Mobile Terminal Security
The miniaturization of electronics and recent developments in biometric and screen technologies will permit a pervasive presence of embedded systems. This - and the inclusion of networking capabilities and IP addresses in many handheld devices - will foster the widespread deployment of personal mobile equipment.\smallskip This work attempts to overview these diverse aspects of mobile device security. We will describe mobile networks' security (WLAN and WPAN security, GSM and 3GPP security) and address platform security issues such as bytecode verification for mobile equipment and protection against viruses and Trojan horses in mobile environment - with a concrete J2ME implementation example. Finally we will turn to hardware attacks and briefly survey the physical weaknesses that can be exploited to compromise mobile equipment.\smallskip
Optimal Chosen-Ciphertext Secure Encryption of Arbitrary-Length Messages
This paper considers arbitrary-length chosen-ciphertext secure asymmetric encryption, thus addressing what is actually needed for a practical usage of strong public-key cryptography in the real world. We put forward two generic constructions, gem-1 and gem-2, which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of unfixed length (typically computer files). Our techniques optimally combine a single call to any one-way trapdoor function with repeated encryptions through some weak block-cipher (a simple xor is fine) and hash functions of fixed-length input so that a minimal number of calls to these functions is needed. Our encryption/decryption throughputs are comparable to the ones of standard methods (asymmetric encryption of a session key + symmetric encryption with multiple modes). In our case, however, we formally prove that our designs are secure in the strongest sense and provide complete security reductions holding in the random oracle model.

Program Committees

CHES 2015 (Program chair)
CHES 2014
CHES 2013
FSE 2011
CHES 2011
Eurocrypt 2010
FSE 2010
CHES 2009
Asiacrypt 2009
FSE 2009
Eurocrypt 2009
FSE 2008
Asiacrypt 2007
CHES 2007
FSE 2007
FSE 2006
CHES 2006
FSE 2005 (Program chair)
FSE 2004
Eurocrypt 2003
Asiacrypt 2002