International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Elisabeth Oswald

Publications

Year
Venue
Title
2019
TCHES
Share-slicing: Friend or Foe? 📺
Si Gao Ben Marshall Daniel Page Elisabeth Oswald
Masking is a well loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond this order. The noise level in typical processors where software masking is used may not be very high, thus low masking orders are not sufficient for real world security. Higher order masking however comes at a great cost, and therefore a number techniques have been published over the years that make such implementations more efficient via parallelisation in the form of bit or share slicing. We take two highly regarded schemes (ISW and Barthe et al.), and some corresponding open source implementations that make use of share slicing, and discuss their true security on an ARM Cortex-M0 and an ARM Cortex-M3 processor (both from the LPC series). We show that micro-architectural features of the M0 and M3 undermine the independence assumptions made in masking proofs and thus their theoretical guarantees do not translate into practice (even worse it seems unpredictable at which order leaks can be expected). Our results demonstrate how difficult it is to link theoretical security proofs to practical real-world security guarantees.
2019
ASIACRYPT
A Critical Analysis of ISO 17825 (‘Testing Methods for the Mitigation of Non-invasive Attack Classes Against Cryptographic Modules’)
Carolyn Whitnall Elisabeth Oswald
The ISO standardisation of ‘Testing methods for the mitigation of non-invasive attack classes against cryptographic modules’ (ISO/IEC 17825:2016) specifies the use of the Test Vector Leakage Assessment (TVLA) framework as the sole measure to assess whether or not an implementation of (symmetric) cryptography is vulnerable to differential side-channel attacks. It is the only publicly available standard of this kind, and the first side-channel assessment regime to exclusively rely on a TVLA instantiation.TVLA essentially specifies statistical leakage detection tests with the aim of removing the burden of having to test against an ever increasing number of attack vectors. It offers the tantalising prospect of ‘conformance testing’: if a device passes TVLA, then, one is led to hope, the device would be secure against all (first-order) differential side-channel attacks.In this paper we provide a statistical assessment of the specific instantiation of TVLA in this standard. This task leads us to inquire whether (or not) it is possible to assess the side-channel security of a device via leakage detection (TVLA) only. We find a number of grave issues in the standard and its adaptation of the original TVLA guidelines. We propose some innovations on existing methodologies and finish by giving recommendations for best practice and the responsible reporting of outcomes.
2017
ASIACRYPT
2016
ASIACRYPT
2015
ASIACRYPT
2015
CHES
2014
ASIACRYPT
2014
ASIACRYPT
2013
CHES
2013
ASIACRYPT
2013
FSE
2012
CHES
2011
CRYPTO
2010
ASIACRYPT
2006
FSE
2005
CHES
2005
FSE
2003
CHES
2002
CHES
2001
CHES

Program Committees

Crypto 2020
Asiacrypt 2018
CHES 2018
Crypto 2017
FSE 2017
Asiacrypt 2016
CHES 2016
Eurocrypt 2015 (Program chair)
Eurocrypt 2014 (Program chair)
FSE 2014
FSE 2013
FSE 2012
CHES 2012
FSE 2011
Eurocrypt 2011
CHES 2011
Asiacrypt 2010
CHES 2010
FSE 2010
CHES 2009
Asiacrypt 2009
FSE 2008
CHES 2008 (Program chair)
FSE 2007
Asiacrypt 2007
FSE 2006
CHES 2006
CHES 2005