CRYPTOGRAPHIC ENGINEERING

Introduction to Block Ciphers: DES and AES
We will first give a brief introduction to AES, DES and 3DES, which are the most widely used symmetric ciphers. We will then develop methods for efficiently implementing both AES and 3DES in software. For AES, algorithms for both 32-bit CPUs and 8-bit smart card CPUs will be treated. We will then introduce the bit-slicing method, an advanced and very efficient approach to fast software implementation of block ciphers. We will use DES as the example for illustrating bit-slicing.

Lightweight Block Ciphers for RFIDs
For extremely resource-constrained environments such as RFIDs, sensor nodes or other mobile applications, it is highly desirable to have ciphers which are extremely lightweight. We will introduce optimization techniques for low-area and low-power ciphers. PRESENT, an extremely compact block cipher, will be discussed as a case study.

Random Number Generators for Cryptographic Applications
Many cryptographic mechanisms require random numbers, e.g. as challenges, session keys or signature parameters. Inappropriate random number generators may considerably weaken otherwise strong cryptographic mechanisms. Requirements that appropriate random number generators should fulfill are formulated, and concrete examples are discussed. Relevant differences between deterministic and non-deterministic random number generators are worked out.

Evaluation Criteria for Non-Deterministic Random Number Generators
This lecture introduces the evaluation criteria for physical random number generators. The meaning of the central requirements is explained and illustrated by several examples and counterexamples. National and international evaluation guidelines and standards are discussed.

Specialized Hardware for Secret Key Algorithms
This lecture will introduce hardware implementation aspects of block ciphers and stream ciphers. The DES and AES algorithms will be discussed in detail. These ciphers are never used standalone but are combined with modes of operation and integrated as IP blocks in larger systems. Very compact realizations and very high throughput realizations will also be discussed.

Fundamentals and Algorithms for Public-Key Cryptography
This lecture discusses basic public-key cryptographic algorithms based on factoring and discrete logarithms. We will introduce the fundamental algorithms and protocols for public-key encryption and digital signatures.

RSA, Diffie-Hellman, and Elliptic Curve Cryptography and Discrete Logarithms
This lecture will discuss the basics of RSA, Diffie-Hellman and Elliptic Curve Cryptography. The security of these algorithms with respect to the underlying computationally difficult problems is analyzed.

Introduction to Modular Arithmetic & Finite Fields for Cryptography
A variety of algorithms are needed to compute the RSA signature, Diffie-Hellman Key Agreement, and Elliptic Curve Digital Signature Algorithms. Starting from exponentiation and working down to bit-level operations for modular addition, subtraction and multiplication, we will describe the algorithms used to obtain high-speed implementations of public-key cryptographic primitives.

Software and Hardware Realizations of Modular Arithmetic and Finite Fields
The definitions of Montgomery multiplication in fields of characteristic 2 and of characteristic p are very similar, allowing us to make a general unified definition, and therefore to design unified (dual-field) algorithms to compute the product. The unified arithmetic may be unsuitable for general purpose software implementations; however, it offers compact implementations in hardware. We will give the theoretical background as well as the practical implementation, as exemplified by the new Motorola security processor family MPC 180-190.

Pairing-Based Cryptography
Pairings on elliptic curves provide many interesting new protocols and services that are not available within classical asymmetric cryptography. This lecture will review the many components necessary for building such systems and look in detail at the enhanced arithmetic required, concentrating on the field extensions and the evaluation of several different pairings.

Modular Arithmetic and Side Channels
Montgomery's method for modular multiplication is the preferred algorithm, but it has some security issues when implemented in tokens that may be subject to side-channel attacks. The problems and some improvements will be discussed. The classical exponentiation algorithms also suffer from leakage but can be modified to give much greater security without significant overhead.

Side-Channel Attacks on Cryptographic Tokens
Side-channel analysis is a powerful technique re-discovered by Kocher in 1996. The principle consists of monitoring some side-channel information such as the running time, the power consumption or the electromagnetic radiation. Next, from the monitored data, the adversary tries to deduce the inner workings of the algorithm and thereby to retrieve some secret information. This talk reviews the basics of side-channel analysis on various cryptographic algorithms (including RSA, DES and AES). It is illustrated with practical examples, and several side-channel attacks are mounted against naive, unprotected implementations of cryptosystems.

Countermeasures for Preventing Side-Channel Attacks
Basically, two classes of side-channel attacks can be distinguished: SPA-like attacks and DPA-like attacks. An SPA-like analysis works from a single measurement of some side-channel information; when several measurements are processed with statistical tools, the analysis is referred to as DPA-like. This talk teaches how to prevent those two classes of attacks. General guidelines are provided along with concrete implementations.

Electromagnetic Attacks and Countermeasures
This lecture will provide an introduction to the electromagnetic emanation (EM) side-channel. We will describe the various types of compromising EM emanations and the equipment needed to capture them. We will illustrate how compromising EM emanations can be captured from a variety of cryptographic devices and how multiple signals can be captured from each device. Next we will illustrate a variety of EM attacks on cryptographic implementations. Although the attack techniques are similar to power analysis, many EM attacks are not feasible using the power side-channel, either because they exploit additional leakages present in EM channels or because the power side-channel is inaccessible. Finally we will describe how one can design countermeasures against EM attacks.

Improved Techniques for Side-Channel Analysis
Popular side-channel attack techniques such as SPA and DPA do not fully utilize the information present within a single side channel. Furthermore, such techniques cannot handle the case where multiple side channels are available. This lecture will describe how techniques from Signal Detection and Estimation Theory can be applied to substantially improve side-channel attacks. We will review template attacks, which are theoretically optimal in the sense of utilizing all information present in the available side channels. We will describe the additional assumptions and approximations that make template attacks practical and illustrate these by means of examples. One drawback of template attacks compared to DPA is the need for a training device. We will describe how techniques from signal detection and estimation theory can be used to improve single- and multi-channel DPA-style attacks.

Trusted Computing Architectures
Businesses, governments and individuals are increasingly reliant on complex, highly interconnected computing platforms, mobile end-points and network-centric applications to conduct much of their business. Maintaining and validating the trustworthiness of this infrastructure has therefore become critical. However, as the complexity and value of the infrastructure have increased, the number of software vulnerabilities discovered and attacks mounted against applications, platforms, end-points, identities and sensitive data within this infrastructure has grown at an even faster pace. There is a realization that, given this complexity, software-only security mechanisms may not be sufficient to defend against these attacks or to evaluate the trustworthiness of a system. Trusted computing is an effort to use trusted hardware to assist software in improving and evaluating the security of platforms, end-points, applications, identities and data. In this lecture, I will describe the Trusted Platform Module (TPM), which provides the hardware foundation for Trusted Computing, and describe several ways in which the TPM could be used as a building block to improve or validate the security of platforms, end-points, applications, data and identities.

Efficient Implementations of Symmetric Cryptographic Primitives
In this talk, we will discuss the efficient implementation of recent symmetric cryptographic primitives, including block ciphers and stream ciphers, in FPGAs. For this purpose, we will cover different algorithms (from standard to specialized solutions) and evaluate their cost and efficiency in different implementation contexts (high throughput, low cost, etc.). Based on concrete examples, we will then discuss different metrics for these evaluations and underline how a target technology influences the overall architecture of any security building block. Finally, we will briefly assess the expected security of present ciphers with respect to exhaustive key search engines using low-cost FPGAs.
