CryptoDB
Guido Bertoni
Affiliation: STMicroelectronics Srl
Publications
Year | Venue | Title
2017 | TOSC | Farfalle: parallel permutation-based cryptography
Abstract
In this paper, we introduce Farfalle, a new permutation-based construction for building a pseudorandom function (PRF). The PRF takes as input a key and a sequence of arbitrary-length data strings, and returns an arbitrary-length output. It has a compression layer and an expansion layer, each involving the parallel application of a permutation. The construction also makes use of LFSR-like rolling functions for generating input and output masks and for updating the inner state during expansion. On top of the inherent parallelism, Farfalle instances can be very efficient because the construction imposes fewer requirements on the underlying primitive than, e.g., the duplex construction or typical block cipher modes. Farfalle has an incremental property: compression of common prefixes of inputs can be factored out. Thanks to its input-output characteristics, Farfalle is really versatile. We specify simple modes on top of it for authentication, encryption and authenticated encryption, as well as a wide block cipher mode. As a showcase, we present Kravatte, a very efficient instance of Farfalle based on Keccak-p[1600, nr] permutations and formulate concrete security claims against classical and quantum adversaries. The permutations in the compression and expansion layers of Kravatte have only 6 rounds apiece and the rolling functions are lightweight. We provide a rationale for our choices and report on software performance.
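To make the construction concrete, the following is an added toy implementation of the Farfalle wiring; it is not the paper's code, not Kravatte, and not secure. A 64-bit ARX permutation stands in for the Keccak-p permutations, a Galois LFSR stands in for the rolling functions, and the 10* padding, the 64-bit block width and the one-block key limit are assumptions of this toy. It shows the two layers, that the per-block compressions are independent of each other (hence parallelizable), and the incremental property of factoring out a common prefix.

```python
"""Toy Farfalle-structured PRF (added illustration; not Kravatte, not secure)."""
from typing import List, Sequence

WIDTH = 64                 # toy permutation width (Kravatte uses Keccak-p[1600])
MASK = (1 << WIDTH) - 1
BLOCK = WIDTH // 8         # bytes per input/output block


def toy_perm(x: int, rounds: int = 6) -> int:
    """Toy ARX permutation on 64 bits. Every step is invertible, so it is a bijection.
    Stands in for p_b, p_c, p_d and p_e; cryptographically worthless."""
    lo, hi = x & 0xFFFFFFFF, x >> 32
    for r in range(rounds):
        lo = (lo + hi) & 0xFFFFFFFF
        hi = ((hi << 13) | (hi >> 19)) & 0xFFFFFFFF   # rotate left 13
        hi ^= lo
        lo = ((lo << 7) | (lo >> 25)) & 0xFFFFFFFF    # rotate left 7
        lo ^= r + 1                                   # round constant
    return (hi << 32) | lo


def roll(x: int) -> int:
    """LFSR-like rolling function: one Galois-LFSR step, feedback x^64 + x^4 + x^3 + x + 1.
    A non-zero state never rolls to zero (assumed stand-in for roll_c / roll_e)."""
    fb = x >> (WIDTH - 1)
    x = (x << 1) & MASK
    return x ^ 0x1B if fb else x


def pad10star(data: bytes) -> List[int]:
    """10* padding (always at least one byte), then split into WIDTH-bit blocks."""
    buf = data + b"\x01"
    buf += b"\x00" * (-len(buf) % BLOCK)
    return [int.from_bytes(buf[i:i + BLOCK], "little") for i in range(0, len(buf), BLOCK)]


class ToyFarfalle:
    """Compression-layer state: the accumulator plus the current rolled input mask.
    Keeping this state is what lets a caller compress a common prefix once and
    reuse it for several inputs (the incremental property)."""

    def __init__(self, key: bytes):
        if len(key) >= BLOCK:
            raise ValueError("toy instance: key must fit in one block with padding")
        self.mask = toy_perm(pad10star(key)[0])   # k = p_b(K || 10*), i.e. roll_c^0(k)
        self.acc = 0                              # accumulator: XOR of p_c(m_i ^ roll_c^i(k))

    def copy(self) -> "ToyFarfalle":
        new = object.__new__(ToyFarfalle)
        new.mask, new.acc = self.mask, self.acc
        return new

    def absorb(self, data: bytes) -> "ToyFarfalle":
        """Compress one input string. Each p_c call depends only on its own block and
        mask, so the calls are independent (parallelizable); the accumulator is XOR."""
        for m in pad10star(data):
            self.acc ^= toy_perm(m ^ self.mask)
            self.mask = roll(self.mask)            # next input mask roll_c^{i+1}(k)
        return self

    def squeeze(self, nbytes: int) -> bytes:
        """Expansion layer: y = p_d(acc); z_j = p_e(roll_e^j(y)) ^ k',
        with k' the key mask rolled past the last absorbed block."""
        kprime = self.mask
        state = toy_perm(self.acc)
        out = bytearray()
        while len(out) < nbytes:
            out += (toy_perm(state) ^ kprime).to_bytes(BLOCK, "little")
            state = roll(state)
        return bytes(out[:nbytes])


def farfalle_prf(key: bytes, strings: Sequence[bytes], nbytes: int) -> bytes:
    """PRF taking a key and a sequence of strings, returning nbytes of output."""
    st = ToyFarfalle(key)
    for s in strings:
        st.absorb(s)
    return st.squeeze(nbytes)


if __name__ == "__main__":
    k = b"k3y"
    prefix = ToyFarfalle(k).absorb(b"header")           # compressed once
    assert prefix.copy().absorb(b"payload").squeeze(16) == farfalle_prf(k, [b"header", b"payload"], 16)
    print(farfalle_prf(k, [b"header", b"payload"], 16).hex())
```

Since each `toy_perm(m ^ mask)` depends only on its own block and mask, the compression loop could be distributed across cores and the contributions XORed in any order; `copy()` after absorbing a prefix is the incremental property from the abstract. The toy follows the abstract's description of the layers, not the Farfalle specification's details (exact mask indexing across strings, derivation of k', padding).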
2010 | EPRINT | Low Voltage Fault Attacks to AES and RSA on General Purpose Processors
Abstract
Fault injection attacks have proven in recent times a powerful tool to exploit implementation weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised, and have been successfully employed to leak secret information by inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. by irradiating it with laser beams. In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU by lowering its supply voltage. This is the first result available in the fault attacks literature to attack a software implementation of a cryptosystem running on a full-fledged CPU with a complete operating system. The platform under consideration (an ARM9 CPU running a full Linux 2.6 kernel) is widely used in mobile computing devices such as smartphones, gaming platforms and network appliances. We fully characterise both the fault model and the errors induced in the computation, both in terms of frequency and of corruption patterns in the computed results. First, we validate the effectiveness of the proposed fault model for mounting practical attacks on implementations of the RSA and AES cryptosystems, using techniques known in the open literature. Then we devise two new attack techniques, one for each cryptosystem. The attack on AES is able to retrieve all the round keys regardless of both their derivation strategy and the number of rounds. A known-ciphertext attack on RSA encryption is devised: the plaintext is retrieved knowing the result of a correct and a faulty encryption of the same plaintext, and assuming the fault corrupts the public key exponent. Through experimental validation, we show that we can break any AES with roughly 4 kb of ciphertext, RSA encryption with 3 to 5 faults and RSA signatures with 1 to 2 faults.
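The known-ciphertext attack on RSA encryption described above can be made concrete under one simplifying assumption that the abstract does not state: that the injected fault flips a single bit of the public exponent e. The correct and faulty ciphertexts then give m^(2^i) for the flipped position i, and because e is odd, gcd(e, 2^i) = 1, so Bezout coefficients combine c = m^e and m^(2^i) into m. The following is an added example, not the paper's code; the Mersenne-prime modulus, the plaintext and the 32-bit exponent word are constructed for the demonstration.

```python
"""Added illustration: recover an RSA plaintext from one correct and one faulty
encryption, assuming the fault flipped a single bit of the public exponent e.
Requires Python >= 3.8 (pow with negative exponent modulo n)."""
from typing import Optional, Tuple


def bezout(a: int, b: int) -> Tuple[int, int]:
    """Extended Euclid: return (u, v) with u*a + v*b == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return u0, v0


def recover_plaintext(n: int, e: int, c: int, c_faulty: int,
                      word_bits: int = 32) -> Optional[Tuple[int, int]]:
    """Given c = m^e and c_faulty = m^(e xor 2^i) mod n for some unknown bit i < word_bits,
    return (m, i); return None if no single-bit flip explains c_faulty.
    The attacker does not know i, so every position of the exponent word is tried and
    re-encryption is used as the check (RSA is a permutation, so a match pins down m)."""
    for i in range(word_bits):
        if (e >> i) & 1:
            # bit i was 1 and got cleared: c' = m^(e - 2^i), hence c / c' = m^(2^i)
            t = c * pow(c_faulty, -1, n) % n
        else:
            # bit i was 0 and got set: c' = m^(e + 2^i), hence c' / c = m^(2^i)
            t = c_faulty * pow(c, -1, n) % n
        # e is odd, so gcd(e, 2^i) = 1: find u*e + v*2^i = 1, then m = c^u * t^v = m^(u*e + v*2^i)
        u, v = bezout(e, 1 << i)
        m = pow(c, u, n) * pow(t, v, n) % n
        if pow(m, e, n) == c:
            return m, i
    return None


# Constructed demo parameters (Mersenne primes keep the example offline and fast;
# gcd(E, (P-1)(Q-1)) == 1 for these values).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
M = int.from_bytes(b"attack at dawn", "big")   # constructed plaintext, smaller than N


def demo() -> Tuple[Optional[Tuple[int, int]], Optional[Tuple[int, int]]]:
    """Simulate two single-bit exponent faults: bit 9 set (0 -> 1) and bit 16 cleared (1 -> 0)."""
    c = pow(M, E, N)
    c_set = pow(M, E ^ (1 << 9), N)
    c_clr = pow(M, E ^ (1 << 16), N)
    return recover_plaintext(N, E, c, c_set), recover_plaintext(N, E, c, c_clr)


if __name__ == "__main__":
    for result in demo():
        m, i = result
        print("bit", i, "->", m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

Real faults need not be clean single-bit flips of e, and the abstract reports 3 to 5 faults for RSA encryption in practice; the single-bit model here is only the idealised case that makes the arithmetic visible. Note that the same relation does not help against a fault in a private-key operation, where the corrupted exponent is secret.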
2006 | EPRINT | RadioGatún, a belt-and-mill hash function
Abstract
We present an approach to design cryptographic hash functions that builds on and improves the one underlying the Panama hash function. We discuss the properties of the resulting hash functions that need to be investigated and give a concrete design called RadioGatún that is quite competitive with SHA-1 in terms of performance. We are busy performing an analysis of RadioGatún and present in this paper some preliminary results.
2004 | EPRINT | Finding Optimum Parallel Coprocessor Design for Genus 2 Hyperelliptic Curve Cryptosystems
Abstract
Hardware accelerators are often used in cryptographic applications for speeding up the highly arithmetic-intensive public-key primitives, e.g. in high-end smart cards. One of these emerging and very promising public-key schemes is based on HyperElliptic Curve Cryptosystems (HECC). In the open literature only a few works deal with hardware implementation issues of HECC.

Our contribution appears to be the first one to propose architectures for the latest findings in efficient group arithmetic on HEC. The group operation of HECC allows parallelization at different levels: bit-level parallelization (via different digit sizes in multipliers) and arithmetic operation-level parallelization (via replicated multipliers). We investigate the trade-offs between both parallelization options and identify speed-optimized and time-area-optimized configurations. We found that a coprocessor using a single multiplier (D = 8) instead of two or more is best suited. This coprocessor is able to compute group addition and doubling in 479 and 334 clock cycles, respectively. With more resources it is possible to achieve 288 and 248 clock cycles, respectively.
Program Committees
- CHES 2017
- CHES 2016
- CHES 2015
- Asiacrypt 2014
- CHES 2014
- CHES 2013
- CHES 2012
- CHES 2011
- CHES 2010
- CHES 2009
- CHES 2007
Coauthors
- Gilles Van Assche (6)
- Alessandro Barenghi (1)
- Luca Breveglieri (3)
- Joan Daemen (6)
- Pasqualina Fragneto (1)
- Seth Hoffert (1)
- Ronny Van Keer (1)
- Marco Macchetti (1)
- Stefano Marchesin (1)
- Christof Paar (1)
- Michael Peeters (4)
- Michaël Peeters (2)
- Mauro Pellicioli (1)
- Gerardo Pelosi (1)
- Thomas J. Wollinger (1)