CERG Seminars are held in the Engineering Building on the GMU Fairfax campus unless noted otherwise. Parking is available in the Sandy Creek parking deck near the Engineering Building. Directions to the campus can be found here. The seminar talks are usually 45 to 60 minutes long and are open to the public. If you wish to be notified about future seminars, please send an e-mail to Jens-Peter Kaps.

[Current] [2020] [2019] [2018] [2017] [2016] [2015] [2014] [2013] [2012] [2011] [2010] [2009] [2008] [2007]


Enabling a Control System Approach to Side-Channel and Fault Attacks

Ryan Matthew Carter, ECE MS Defense
Date: Wednesday, December 5th, 3:00 pm - 4:00 pm
Location: Engineering Building, Room 3507

As the number of embedded devices continues to grow, attacks that require physical access to the device become more plausible. Two sub-classifications of these attacks, Side-Channel Attacks (SCA) and Fault attacks, necessitate the attacker to be familiar with the target implementation. Side-Channel Attacks exploit information leaked by the target device to discover secret cryptographic keys. Fault attacks act upon the system to induce error in device operation that may result in information leakage or improper execution. The error produced by the attack is dependent on the method used to inject the fault. This paper discusses some of the advances in SCAs and Fault Attacks and proposes a control system approach to these classes of attacks. The result of the research is a System on a Chip (SOC) for measuring power consumption, analyzing results, and refining measurement as a feedback loop.

The CAESAR-API in the Real World

Michael Tempelmeier, Technical University of Munich
Date: Tuesday, May 8th, 3:00 pm - 4:00 pm
Location: Engineering Building, Room 3507

In 2013 the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) was started. It aims at determining a portfolio of ciphers for authenticated encryption that has advantages over AES-GCM in terms of performance, security, and ease of implementation. This competition, for the first time, provides a standardized hardware API, which allows a fair comparison of hardware implementations. However, the community still lacks a common platform to automatically test hardware implementations, confirm implementation claims, and benchmark performance figures on real hardware in terms of runtime, area, power and energy consumption. In this work, we present a common platform using the CAESAR-API in a Xilinx Zynq-7000 System on Chip (SoC) with ARM processors and an AXI interface. This reflects a typical real world usage scenario for hardware-accelerators and thus extends the work for a fair comparison of hardware implementations in three dimensions: first the API is evaluated on a real SoC, which shows, e.g. the performance of the API. Second, it provides a hardware platform to test the proposed implementations of the candidates easily. This can be used by future designers, as we will provide it as open source hardware. Finally, we ran all published hardware implementations of the current 3rd-round candidates during which we identified several implementation weaknesses, e.g. presumably unintended latches in the design, hence emphasizing the importance of testing hardware proposals on real hardware. (Full Announcement)

Broken with Purpose - Fault Attacks on Embedded Systems

Colin O'Flynn, NewAE Technology Inc.
Date: Friday, April 27th, 3:00 PM - 4:00 PM
Location: Engineering Building, Room 2901

Embedded systems are present in almost every aspect of our life, and it's hard to start the day without them. From the latest IoT toaster you used to perfectly crisp your bread, to the automotive computers in the car you drove to school or work. This talk looks at how fault injection attacks can be used as an attack vector, and demonstrates attacks with voltage fault injection and Electromagnetic Fault Injection (EMFI) on embedded systems.

Discussions will include fault attacks for breaking fuse bits on devices, fault attacks for breaking cryptography, and using side channel power analysis for assistance with fault injection attacks. This talk will cover several low-cost and open-source tools available in addition to commercial tools, making it suitable for those interested in recreating the work on their own. (Full Announcement)

Comparing Costs of Protecting Secret Key Ciphers Against Differential Power Analysis

William Diehl, ECE PhD Defense
Date: Tuesday, April 24, 2:30 PM - 3:30 PM
Location: Engineering Building, Room 3507

Secret key ciphers, including block ciphers and authenticated ciphers, are vulnerable to side-channel attacks, including differential power analysis (DPA). The Test Vector Leakage Assessment (TVLA) methodology (i.e., t-test methodology) has been used to verify improved resistance of block ciphers to DPA after application of countermeasures. However, extension of the t-test methodology to authenticated ciphers is non-trivial, since authenticated ciphers require additional input and output conditions, complex interfaces, and long test vectors interlaced with protocol necessary to describe authenticated cipher operations.

In this research we augment an existing side-channel analysis framework (FOBOS) with TVLA methodology for authenticated ciphers. We use TVLA to show that implementations in the Spartan-6 FPGA of the CAESAR Round 3 candidates ACORN, ASCON, CLOC (AES and TWINE), SILC (AES, PRESENT, and LED), JAMBU (AES and SIMON), and Ketje Jr., as well as AES-GCM, are vulnerable to 1st order DPA. We then implement versions of the above ciphers, protected against 1st order DPA, using threshold implementations. The TVLA methodology is used to verify improved resistance to 1st order DPA of the protected cipher implementations. Finally, we benchmark unprotected and protected cipher implementations in the Spartan-6 FPGA, and compare the costs of 1st order DPA protection in terms of area, frequency, throughput (TP), throughput-to-area (TP/A) ratio, power, and energy per bit (E/bit).

The protected cipher implementation with the lowest area, TP/A ratio, power and E/bit is ACORN, while Ketje Jr. has the highest TP, second-highest TP/A ratio, and second-highest E/bit. On average, protected cipher implementations require 3.1 times as much area, while TP and TP/A decrease by factors of 1.8 and 5.6, respectively. Power and E/bit for protected cipher implementations increase on average by a factor of 3.4 compared to their unprotected versions. Additionally, the relative ranking of the top three candidates in terms of area, TP, and TP/A, do not change between unprotected and protected implementations. (Full Announcement)

Side Channel Resistant Lightweight Cryptography for the Internet of Things Current and Future Research

William Diehl, ECE PhD Seminar
Date: Tuesday, April 3, 2:30 PM - 3:30 PM
Location: Engineering Building, Room 3507

Lightweight cryptography is an important topic in the emerging Internet of Things (IoT), since it provides moderate security at reduced cost in terms of circuit area, power, and energy. In particular, lightweight authenticated ciphers offer promise of lower-cost security solutions for certain embedded applications, since they combine the functionalities of confidentiality, integrity, and authentication into one algorithm. However, physical implementations of cryptography are vulnerable to side channel attack (SCA), where adversaries attempt to recover sensitive data by observing physical phenomena during cipher operations.

The CAESAR competition seeks to choose the best authenticated cipher candidates based on several criteria, including hardware performance and resistance to SCA. However, evaluation of the resistance to SCA and relative costs of protection against SCA is challenging, given the complexity of authenticated ciphers, and the large number of ciphers to be evaluated. In current research, we augment an open-source SCA test bench with leakage detection methodology for authenticated ciphers. We evaluate eleven authenticated cipher implementations for an SCA vulnerability called differential power analysis (DPA), protect them against 1st order DPA using threshold implementation (TI) countermeasures, and verify the effectiveness of countermeasures. We then benchmark the unprotected and protected ciphers in an FPGA, and compare the ciphers based on absolute and relative costs of protection against 1st order DPA in terms of area, throughput, throughput-to-area (TP/A) ratio, power, and energy per bit.

Since it is not always possible to distribute symmetric secret keys to all parties before use, key exchange protocols using public key solutions are also necessary for lightweight devices in the IoT. However, today’s public key standards are vulnerable to future quantum computing. Accordingly, the National Institute of Standards and Technology (NIST) intends to issue standards for post-quantum-resistant cryptographic solutions. While there are several promising candidates for post-quantum-resistant solutions, most are difficult to implement in very-lightweight platforms, and all are potentially vulnerable to side channel attacks. In future research, we will build up on our research in authenticated ciphers to develop side channel resistant implementations of post-quantum-resistant public key cryptographic solutions in lightweight reconfigurable platforms, suitable for employment in security applications in the IoT. (Full Announcement)