Papers by Debdeep Mukhopadhyay
Journal of Cryptology
Formally bounding side-channel leakage is important to bridge the gap between the theory and practice in cryptography. However, bounding side-channel leakages is difficult because leakage in a cryptosystem could be from several sources. Moreover, the amount of leakage from a source may vary depending on the implementation of the cipher and the form of attack. To formally analyze the security of a cryptosystem against a form of attack, it is therefore essential to consider each source of leakage independently. This paper considers data prefetching, which is used in most modern day cache memories to reduce the miss penalty. To the best of our knowledge, we show for the first time that micro-architectural features like prefetching are a major source of leakage in profiled cache-timing attacks. We further quantify the leakage due to important data prefetching algorithms, namely sequential and arbitrary-stride prefetching. The analytical results, with supporting experimentation, bring out interesting facts like the effect of placement of tables in memory and the cipher's implementation on the leakage in profiled cache-timing attacks.
arXiv (Cornell University), Feb 12, 2018
Ransomware can produce direct and controllable economic loss, which makes it one of the most prominent threats in cyber security. As per the latest statistics, more than half of the malware reported in Q1 of 2017 is ransomware, and there is a potent threat of novice cybercriminals accessing ransomware-as-a-service. The concept of public-key based data kidnapping and subsequent extortion was introduced in 1996. Since then, variants of ransomware have emerged with different cryptosystems and larger key sizes, though the underlying techniques remained the same. Though there are works in the literature which propose a generic framework to detect crypto ransomware, we present a two-step unsupervised detection tool which, when it suspects a process activity to be malicious, issues an alarm for further analysis to be carried out in the second step and detects it with minimal traces. The two-step detection framework, RAPPER, uses an Artificial Neural Network and the Fast Fourier Transform to develop a highly accurate, fast and reliable solution to ransomware detection using minimal trace points.
2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2017
Radio-Frequency Identification tags are used for several applications requiring authentication mechanisms, which if subverted can lead to dire consequences. Many of these devices are based on low-cost Integrated Circuits which are designed in offshore fabrication facilities, thus raising concerns about their trust. Recently, a lightweight entity authentication protocol called LCMQ was proposed, which is based on Learning Parity with Noise, Circulant Matrix, and Multivariate Quadratic problems. This protocol was proven to be secure against Man-in-the-middle attacks and ciphertext-only attacks. In this paper, we show that in the standard setting, although the authentication uses two m-bit keys, K1 and K2, knowledge of only K2 is sufficient to forge the authentication. Based on this observation, we design a stealthy malicious modification to the circuitry based on the idea of Safe-errors to leak K2, which can thus be used to forge the entire authentication mechanism. We develop a Field Programmable Gate Array prototype of the design which is extremely lightweight and can be implemented using four Lookup tables.
Network and Application Security, 2011
Cryptography and network security
Security, Privacy, and Applied Cryptography Engineering, 2017
Journal of Cryptographic Engineering, 2020
Malware detection is still one of the difficult problems in computer security because of the daily occurrences of newer varieties of malware programs. There have been enormous efforts in developing a generalized solution to this critical security aspect, but little has been done considering the security of resource-constrained embedded devices. In this paper, we attempt to develop a lightweight malware detection tool explicitly designed for embedded platforms using micro-architectural side-channel information obtained through Hardware Performance Counters (HPCs) and high-level programs representing Operating System (OS) resources. The methodology uses statistical hypothesis testing, in the form of a t-test, to develop a metric, called λ, which indicates a conceptual boundary between the programs which are allowed to run on a given embedded platform and the codes that are suspected to be malware. The metric is computed based on the observations obtained from carefully chosen features, which are tuples of high-level programs representing OS resources along with low-level HPCs. An ideal λ-value for a malicious program is 1, as opposed to 0 for a benign application. However, in reality, the efficacy of λ to classify a program as malware or benign largely depends on the proper assignment of weights to the tuples. We employ a gradient-descent-based learning mechanism to determine optimal choices for these weights. We present detailed experimental results on an embedded Linux running on an ARM processor which validate that the proposed lightweight side-channel-based learning mechanism improves the classification accuracy significantly compared to an ad-hoc selection of weights, leading to significantly low false positives and false negatives in all our test cases.
IACR Cryptol. ePrint Arch., 2015
In this paper, we first demonstrate a new Differential Power Analysis (DPA) attack technique against the Grain family of stream ciphers (Grain v1 and Grain-128) by resynchronizing the cipher multiple times with the same value of the secret key and randomly generated different initialization vectors (IVs). Subsequently, we develop a combined side channel and fault analysis attack strategy targeting various fault attack countermeasures for the Grain cipher family. We considered clock glitch induced faults occurring in practice for a hardware implementation of the cipher to devise our novel attack technique. Our proposed combined attack strategy works well even if the useful ciphertexts are not available to the adversary. Further, the power trace classification of a Grain cipher implementation on the SASEBO G-II standard side channel evaluation board is shown in order to validate our proposed attack against the cipher. The captured power traces were analyzed using Least Squares Support Ve...
2010 International Conference on Security and Cryptography (SECRYPT), 2010
Tiger is a cryptographic hash function created by Anderson and Biham in 1996 with a hash value of 192 bits. Reduced round variants of Tiger have shown some weaknesses recently. Kelsey and Lucks have shown a collision attack on Tiger reduced to rounds 16 and 17. Mendel and Rijmen have found a 1-bit pseudo near collision for full round Tiger. In this article we discover a new key schedule differential for Tiger which leads to the finding of message pairs for a 1-bit pseudo near collision.
ArXiv, 2019
Neural Networks (NN) have recently emerged as the backbone of several sensitive applications like automobile, medical image, security, etc. NNs inherently offer Partial Fault Tolerance (PFT) in their architecture; however, the biased PFT of NNs can lead to severe consequences in applications like cryptography and security critical scenarios. In this paper, we propose a revised implementation which enhances the PFT property of NN significantly with detailed mathematical analysis. We evaluated the performance of the revised NN considering both software and FPGA implementation for a cryptographic primitive like the AES SBox. The results show that the PFT of NNs can be significantly increased with the proposed methodology.
IACR Cryptol. ePrint Arch., 2016
Besides security against classical cryptanalysis, it is important for cryptographic implementations to have sufficient robustness against side-channel attacks. Many countermeasures have been proposed to thwart side channel attacks, especially power trace measurement based side channel attacks. Additionally, researchers have proposed several evaluation metrics to evaluate the side channel security of a crypto-system. However, evaluation of any crypto-system is done during the testing phase and is not part of the actual hardware. In our approach, we propose to implement such evaluation metrics on-chip for run-time side channel vulnerability estimation of a cryptosystem. The objective is to create a watchdog on the hardware which will monitor the side channel leakage of the device, and will alert the user if that leakage crosses a pre-determined threshold, beyond which the system might be considered vulnerable. Once such an alert signal is activated, proactive countermeasures can be activated eit...
Int. J. Netw. Secur., 2013
This paper proposes a reversible, balanced and nonlinear vectorial Boolean function called "Rain". Traditional integer addition modulo 2^n has several features like reversibility, balancedness and nonlinearity. However, the bias for the best linear approximation of the output bits and their linear combinations is quite high. This leads to several attacks on stream ciphers like NLS, which employs addition modulo 2^n. In this paper, it has been proved mathematically that the bias of each output bit and their non-zero linear combinations of the proposed vectorial Boolean function decreases exponentially with the bit position. Also, as a case study, it has been shown that attacks against the stream cipher NLS are prevented through the incorporation of Rain.
Serial matrices are a preferred choice for building diffusion layers of lightweight block ciphers as one just needs to implement the last row of such a matrix. In this work we analyze a new class of serial matrices which are the lightest possible \(4 \times 4\) serial matrices that can be used to build diffusion layers. With this new matrix we show that block ciphers like LED can be implemented with a reduced area in hardware designs, though it has to be cycled for more iterations. Further, we suggest the usage of an alternative S-box to the standard S-box used in LED with similar cryptographic robustness, albeit having a smaller area footprint. Finally, we combine these ideas in an end-to-end FPGA based prototype of LED. We show that with these optimizations, there is a reduction of \(16\%\) in the area footprint of a one round implementation of LED.
Lecture Notes in Computer Science, 2021
ArXiv, 2018
Testability of digital ICs relies on the principle of controllability and observability. Adopting conventional techniques like scan-chains opens up avenues for attacks, and hence they cannot be adopted in a straightforward manner for security chips. Furthermore, testing becomes incredibly challenging for the promising class of hardware security primitives, called PUFs, which offer unique properties like unclonability, unpredictability, uniformity, uniqueness, and yet are easily computable. However, the definition of a PUF itself poses a challenge to test engineers, simply because it has no golden response for a given input, often called a challenge. In this paper, we develop a novel test strategy considering that the fabrication of a batch of $N>1$ PUFs is equivalent to drawing random instances of Boolean mappings. We hence model the PUFs as black-box Boolean functions of dimension $m\times1$, and show combinatorially that random designs of such functions exhibit correlation-spectra which can b...
Proceedings of the 56th Annual Design Automation Conference 2019, 2019
Deep Learning algorithms have recently become the de-facto paradigm for various prediction problems, which include many privacy-preserving applications like online medical image analysis. Presumably, the privacy of data in a deep learning system is a serious concern. There have been several efforts to analyze and exploit the information leakages from deep learning architectures to compromise data privacy. In this paper, however, we attempt to provide an evaluation strategy for such information leakages through deep neural network architectures by considering a case study on a Convolutional Neural Network (CNN) based image classifier. The approach takes the aid of low-level hardware information, provided by Hardware Performance Counters (HPCs), during the execution of a CNN classifier and a simple hypothesis test in order to produce an alarm if there exists any information leakage on the actual input.
Journal of Cryptographic Engineering, 2019
Horizontal collision correlation analysis, in short HCCA, imposes a serious threat to simple power analysis-resistant elliptic curve cryptosystems involving unified algorithms, e.g., the Edwards curve unified formula. This attack can be mounted even in the presence of differential power analysis-resistant randomization schemes. In this paper, we have designed an effective countermeasure for HCCA protection, where the dependency of side-channel leakage from a schoolbook multiplication on the underlying multiplier operands is investigated. We have shown how changing the sequence in which the operands are passed to the multiplication algorithm introduces dissimilarity in the information leakage. This disparity has been utilized in constructing a minimal cost countermeasure against HCCA. This countermeasure integrated with an effective randomization method has been shown to successfully thwart HCCA. Additionally, we provide experimental validation for our proposed countermeasure technique on a SASEBO platform. To the best of our knowledge, this is the first time that asymmetry in information leakage has been utilized in designing a side-channel countermeasure.
Keywords: ECC, HCCA, Countermeasure, Asymmetric leakage, Field multiplications.
The authors would like to thank ISEA Funding for Research on Next Generation Network Security for partially supporting their work.
2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2017
We present the first practically realizable side-channel assisted fault attack on PRESENT that can retrieve the last round key efficiently using single nibble faults. The attack demonstrates how side-channel leakage can allow the adversary to precisely determine the fault mask resulting from a nibble fault injection instance. We first demonstrate the viability of such an attack model via side-channel analysis experiments on top of a laser-based fault injection setup, targeting a PRESENT-80 implementation on an ATmega328P microcontroller. Subsequently, we present a differential fault analysis (DFA) exploiting the knowledge of the output fault mask in the target round to recover multiple last round key nibbles independently and in parallel. Both analytically and through experimental evidence, we show that the combined attack can recover the last round key of PRESENT with 4 random nibble fault injections in the best case, and around 7-8 nibble fault injections in the average case. Our attack sheds light on a hitherto unexplored vulnerability of PRESENT and PRESENT-like block ciphers that use bit-permutations instead of maximum distance separable (MDS) layers for diffusion.
Journal of Hardware and Systems Security, 2017
In March 2017, NIST (National Institute of Standards and Technology) announced that it would create a portfolio of lightweight algorithms through an open process. The report emphasizes that with emerging applications like automotive systems, sensor networks, healthcare, distributed control systems, the Internet of Things (IoT), cyber-physical systems, and the smart grid, a detailed evaluation of the so-called lightweight ciphers helps to recommend algorithms in the context of profiles, which describe physical, performance, and security characteristics. In recent years, a number of lightweight block ciphers have been proposed for encryption/decryption of data, which makes such choices complex. Each such cipher offers a unique combination of
Rajat Sadhukhan
IEEE Transactions on Information Forensics and Security, 2017
Classical fault attacks such as Differential Fault Analysis (DFA) as well as biased fault attacks such as Differential Fault Intensity Analysis (DFIA) have been a major threat to cryptosystems in recent times. DFA uses pairs of fault-free and faulty ciphertexts to recover the secret key. DFIA, on the other hand, combines principles of side channel analysis and fault attacks to try and extract the key using faulty ciphertexts only. To date, no effective countermeasure that can thwart both DFA and DFIA based attacks has been reported in the literature, to the best of our knowledge. In particular, traditional redundancy based countermeasures that assume a uniform fault distribution are found to be vulnerable against DFIA due to its use of biased fault models. In this work, we propose a novel generic countermeasure strategy that combines the principles of redundancy with that of fault space transformation to achieve security against both DFA and DFIA based attacks on AES-like block ciphers. As a case study, we have applied our proposed technique to obtain temporal and spatial redundancy based countermeasures for AES-128, and have evaluated their security against both DFA and DFIA via practical experiments on a SASEBO-GII board. Results show that our proposed countermeasure makes it practically infeasible to obtain a single instance of successful fault injection, even in the presence of biased fault models.
Lecture Notes in Computer Science, 2015
Asymmetric-key cryptographic algorithms, when implemented on systems with branch predictors, are subjected to side-channel attacks exploiting the deterministic branch predictor behavior due to their key-dependent input sequences. We show that branch predictors can also leak information through the hardware performance monitors which are accessible by an adversary at the user-privilege level. This paper presents an iterative attack which targets the key-bits of 1024-bit RSA, where in the offline phase, the system's underlying branch predictor is approximated by a theoretical predictor from the literature. Subsimulations are performed to classify the message-space into distinct partitions based on the event of branch misprediction and the target key bit value. In the online phase, we ascertain the secret key bit using branch mispredictions obtained from the hardware performance monitors, which reflect the behavior of the underlying predictor hardware. We theoretically prove that the probability of success is equivalent to the accuracy of modelling the theoretical predictor to the underlying system predictor. Experiments reveal that the success-rate increases with message-count and reaches such a significant value that the side-channel from the performance counters must be considered a real threat to RSA-like ciphers due to the underlying branch predictors, and needs to be considered when developing secure systems.