Cryptographic Engineering
September 7-11, 2020
EPFL Premises, Lausanne, Switzerland

Introduction to Block Ciphers: DES and AES
Ingrid Verbauwhede, KU Leuven for
Christof Paar, Ruhr-University Bochum
We will first give a brief introduction to AES, DES and 3DES, which are the most widely used symmetric ciphers. We will then develop methods for efficiently implementing both AES and 3DES in software. For AES, algorithms for both 32-bit CPUs and 8-bit smart card CPUs will be treated. We will then introduce the bitslicing method, an advanced and very efficient approach for fast software implementation of block ciphers, using DES as the example.

Lightweight Block Ciphers for RFIDs
Ingrid Verbauwhede, KU Leuven for
Christof Paar, Ruhr-University Bochum
For extremely resource-constrained environments such as RFIDs, sensor nodes or other mobile applications, it is highly desirable to have ciphers which are extremely lightweight. We will introduce optimization techniques for low-area and low-power ciphers. PRESENT, an extremely compact block cipher, will be discussed as a case study.

Integer Arithmetic Algorithms and Architectures
Çetin K. Koç, UC Santa Barbara
Integer rings. Addition and multiplication. Modular addition and multiplication. Montgomery multiplication and exponentiation. Multiplicative inversion. The CIOS algorithm. Arithmetic with special primes. Solinas algorithms.
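
The CIOS method from the list above, as an added worked example (illustrative code, not material from the lecture): a word-level Montgomery multiplication that interleaves the multiplication and reduction loops, and a left-to-right exponentiation that stays in the Montgomery domain until the last step. The 32-bit word size is an assumption, and the moduli in the usage note are chosen only so that the operands span two words.

```python
# Word-level Montgomery multiplication with the CIOS (Coarsely Integrated
# Operand Scanning) method, plus an exponentiation built on top of it.
# Added illustration, not the lecture's code; W = 32 is an assumed word size.

W = 32
BASE = 1 << W
MASK = BASE - 1


def to_words(x, s):
    """Split integer x into s little-endian W-bit words."""
    return [(x >> (W * i)) & MASK for i in range(s)]


def from_words(words):
    """Inverse of to_words."""
    return sum(w << (W * i) for i, w in enumerate(words))


def cios(a, b, n, n0_inv, s):
    """Return a*b*R^-1 mod n with R = 2^(W*s); a, b, n are s-word lists
    with a, b < n < R, and n0_inv = -n^-1 mod 2^W.  For every word of b
    the partial product is accumulated and immediately reduced by one word."""
    t = [0] * (s + 2)
    for i in range(s):
        # t += a * b[i]
        c = 0
        for j in range(s):
            cs = t[j] + a[j] * b[i] + c
            t[j], c = cs & MASK, cs >> W
        cs = t[s] + c
        t[s], t[s + 1] = cs & MASK, cs >> W
        # pick m so that t + m*n is divisible by 2^W, add m*n, drop the low
        # word (the one-word shift is folded into the t[j-1] = ... stores)
        m = (t[0] * n0_inv) & MASK
        c = (t[0] + m * n[0]) >> W
        for j in range(1, s):
            cs = t[j] + m * n[j] + c
            t[j - 1], c = cs & MASK, cs >> W
        cs = t[s] + c
        t[s - 1], t[s] = cs & MASK, t[s + 1] + (cs >> W)
    # t < 2n at this point; one conditional subtraction brings it below n
    u, borrow = [0] * s, 0
    for j in range(s):
        d = t[j] - n[j] - borrow
        u[j], borrow = d & MASK, int(d < 0)
    return t[:s] if t[s] - borrow < 0 else u


def mont_exp(base, exp, n):
    """base^exp mod n for odd n, computed in the Montgomery domain."""
    assert n % 2 == 1 and 0 <= base < n
    s = (n.bit_length() + W - 1) // W
    R = 1 << (W * s)
    n0_inv = (-pow(n, -1, BASE)) % BASE
    nw = to_words(n, s)
    x = to_words(base * R % n, s)      # Montgomery form of base
    acc = to_words(R % n, s)           # Montgomery form of 1
    for bit in bin(exp)[2:]:           # left-to-right square-and-multiply
        acc = cios(acc, acc, nw, n0_inv, s)
        if bit == "1":
            acc = cios(acc, x, nw, n0_inv, s)
    # multiplying by plain 1 strips the factor R from the result
    return from_words(cios(acc, to_words(1, s), nw, n0_inv, s))
```

mont_exp(123456789, 987654321, (1 << 61) - 1) agrees with Python's pow. The only divisions left are the two conversions into the Montgomery domain, which a real implementation replaces with a precomputed R^2 mod n; everything inside the exponentiation loop is word multiplication, addition and shifting, which is what makes the method attractive for hardware and for constrained CPUs.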

Finite Field Arithmetic Algorithms and Architectures
Çetin K. Koç, UC Santa Barbara
Representing field elements. Polynomial and normal basis. Addition in GF(2^k). Multiplication in polynomial basis. Irreducible polynomials. Normal basis squaring. Optimal normal basis multiplication. Quadratic and subquadratic multiplication algorithms. Karatsuba multiplication. Recursive Karatsuba algorithm. 2-term and 3-term Karatsuba algorithms and their generalization. Montgomery-Karatsuba formulas.
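
Polynomial-basis multiplication in GF(2^k) with the recursive 2-term Karatsuba algorithm, as an added example (not the lecture's own code). Elements are Python integers whose bits are the polynomial coefficients; the recursion bottoms out in a schoolbook carry-less multiply below an assumed 32-bit threshold, and the product is then reduced modulo an irreducible polynomial. The AES polynomial x^8 + x^4 + x^3 + x + 1 and the GCM polynomial x^128 + x^7 + x^2 + x + 1 are the worked cases.

```python
# GF(2^k) arithmetic in polynomial basis: carry-less Karatsuba multiplication
# followed by reduction modulo an irreducible polynomial.  Added illustration,
# not the lecture's code; the 32-bit Karatsuba threshold is an assumption.


def clmul_schoolbook(a, b):
    """Carry-less (GF(2)[x]) product of two bit-polynomials, no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def clmul_karatsuba(a, b, nbits, threshold=32):
    """Carry-less product of a, b < 2^nbits using 2-term Karatsuba:
    three half-size products instead of four.  In characteristic 2 the
    middle term is (a0+a1)(b0+b1) - a0b0 - a1b1 with '-' being XOR."""
    if nbits <= threshold:
        return clmul_schoolbook(a, b)
    h = (nbits + 1) // 2                  # split point in bits
    mask = (1 << h) - 1
    a0, a1 = a & mask, a >> h
    b0, b1 = b & mask, b >> h
    z0 = clmul_karatsuba(a0, b0, h, threshold)
    z2 = clmul_karatsuba(a1, b1, h, threshold)
    z1 = clmul_karatsuba(a0 ^ a1, b0 ^ b1, h, threshold) ^ z0 ^ z2
    return z0 ^ (z1 << h) ^ (z2 << (2 * h))


def gf2_reduce(x, poly, k):
    """Reduce x modulo poly, an irreducible polynomial of degree k (bit k set),
    by cancelling the leading coefficient one bit at a time."""
    for i in range(x.bit_length() - 1, k - 1, -1):
        if (x >> i) & 1:
            x ^= poly << (i - k)
    return x


def gf2_mul(a, b, poly, k):
    """Field multiplication in GF(2^k) = GF(2)[x] / (poly)."""
    return gf2_reduce(clmul_karatsuba(a, b, k), poly, k)


AES_POLY = 0x11B                 # x^8 + x^4 + x^3 + x + 1
GCM_POLY = (1 << 128) | 0x87     # x^128 + x^7 + x^2 + x + 1
```

gf2_mul(0x53, 0xCA, AES_POLY, 8) returns 1, which is why {CA} is the multiplicative inverse of {53} in the AES S-box construction, and gf2_mul(0x57, 0x83, AES_POLY, 8) returns 0xC1, the FIPS-197 worked example. For 128-bit operands the recursion splits twice, so 9 schoolbook products on 32-bit halves replace the 16 a plain four-way split would need; this is the subquadratic n^log2(3) cost the abstract refers to. Checking a*(b+1) = a*b + a is a cheap test that the reduction step is consistent with the multiplication.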

Specialized Hardware for Secret-Key Algorithms
Ingrid Verbauwhede, KU Leuven
This lecture will introduce hardware implementation aspects of block ciphers and stream ciphers. The DES and AES algorithms will be discussed in detail. These ciphers are never used standalone but are combined with modes of operation and integrated as IP blocks in larger systems. Very compact realizations and very high throughput realizations will also be discussed.

Introduction to PUFs (Physically Unclonable Functions)
Ingrid Verbauwhede, KU Leuven
CMOS process variations are considered a burden by IC developers since they introduce undesirable random variability between identically designed ICs. Measuring this variability can, however, also be put to use as a physically unclonable method of silicon device identification. It can be applied to generate strong cryptographic keys which are intrinsically bound to the embedding IC instance. In this lecture, we study and compare different proposed constructions.

Public-Key Cryptography Algorithms and Protocols
Çetin K. Koç, UC Santa Barbara
Computational requirements of RSA, Elliptic Curve Cryptography, Diffie-Hellman, ElGamal and DSA, and their ECC variants. PKC computational pyramid. PKC ALU design. Lessons of the first RSA chip. Exponentiation and point multiplication. Addition chains. Power tree and factor method. Binary and m-ary methods. Sliding window methods. Addition-subtraction chains. Canonical encoding algorithm. The NAF algorithm and its variants. Optional: Koblitz curves and tau-adic expansions.
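
NAF recoding and an addition-subtraction chain for point multiplication, as an added example (illustrative code, not the lecture's). Negating an elliptic-curve point is free, which is what makes addition-subtraction chains worthwhile there, whereas in RSA-style exponentiation a subtraction would cost a modular inversion. The scalar is recoded into non-adjacent form and walked left to right; the curve parameters are the public secp256k1 constants, and affine coordinates with Python's modular inverse keep the arithmetic short.

```python
# Non-adjacent form (NAF) recoding and addition-subtraction-chain scalar
# multiplication on a short Weierstrass curve over GF(p), affine coordinates.
# Added illustration, not the lecture's code.  secp256k1 parameters (public).

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# The point at infinity is represented by None.


def neg(pt):
    """Point negation is a sign flip of y: the operation that makes NAF pay off."""
    return None if pt is None else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Affine point addition, with doubling and the infinity cases folded in."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1 (includes y == 0 doubling)
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def on_curve(pt):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0


def naf(k):
    """Digits of k in non-adjacent form, least significant first, each in
    {-1, 0, 1}, with no two adjacent non-zero digits."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k % 4)              # 1 if k = 1 mod 4, -1 if k = 3 mod 4
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def mul_binary(k, pt):
    """Plain left-to-right double-and-add, for comparison."""
    r = None
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r


def mul_naf(k, pt):
    """Left-to-right scalar multiplication over the NAF digits; a -1 digit
    adds the (free) negated point instead of the point."""
    r, negpt = None, neg(pt)
    for d in reversed(naf(k)):
        r = add(r, r)
        if d == 1:
            r = add(r, pt)
        elif d == -1:
            r = add(r, negpt)
    return r


def nonzero_digits(k):
    """(Hamming weight of binary k, number of non-zero NAF digits)."""
    return bin(k).count("1"), sum(1 for d in naf(k) if d != 0)
```

nonzero_digits(0xFFFF) returns (16, 2): the binary expansion needs 15 point additions, the NAF needs one addition and one subtraction. On average about one third of NAF digits are non-zero versus one half for binary, so the number of point additions drops by roughly a third while the number of doublings stays the same (at most one extra). mul_naf(N, G) returns None, the point at infinity, as expected for the group order.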

Public-Key Cryptographic Hardware and Embedded Systems
Çetin K. Koç, UC Santa Barbara
Scalable dual-field arithmetic. Putting together GF(p) and GF(2^k) arithmetic. Montgomery multiplication in GF(2^k). Unified or dual-field full adder. Scalable and dual-field Montgomery multiplication. PKC in embedded software. Functional characteristics of embedded platforms. Incomplete addition. Compiler and assembler optimizations. Special curve solutions.

Trusted Computing Architectures, SSL and IPsec
Pankaj Rohatgi, Cryptography Research
Businesses, governments and individuals are increasingly reliant on complex, highly interconnected computing platforms, mobile endpoints and network-centric applications to conduct much of their business. Maintaining and validating the trustworthiness of this infrastructure has therefore become critical. However, as the complexity and value of the infrastructure have increased, the number of software vulnerabilities discovered and attacks mounted against applications, platforms, endpoints, identities and sensitive data within this infrastructure has grown at an even faster pace. There is a realization that, given this complexity, software-only security mechanisms may not be sufficient to defend against these attacks or to evaluate the trustworthiness of a system.
Trusted computing is an effort to use trusted hardware to assist software in improving and evaluating the security of platforms, endpoints, applications, identities and data. In this lecture, I will describe the Trusted Platform Module (TPM), which provides the hardware foundation for Trusted Computing, and several ways in which the TPM could be used as a building block to improve or validate the security of platforms, endpoints, applications, data and identities.

Introduction to Side-Channel Analysis
Marc Joye, Technicolor
Side-channel analysis is a powerful technique rediscovered by Kocher in 1996. The principle consists in monitoring some side-channel information such as the running time, the power consumption or the electromagnetic radiation. From the monitored data, the adversary then tries to deduce the inner workings of the algorithm and thereby retrieve some secret information. This talk reviews the basics of side-channel analysis on various cryptographic algorithms. It is illustrated with practical examples, and several side-channel attacks are mounted against naive, unprotected implementations of cryptosystems.

RSA – SideChannel Attacks and Countermeasures
Marc Joye, Technicolor
RSA is the most widely used public-key cryptosystem. It can be used for both encryption and signature. While the security of (black-box) RSA is well understood, its secure implementation remains challenging. Basically, two classes of side-channel attacks can be distinguished: SPA-like attacks and DPA-like attacks. An SPA-like analysis works from a single measurement of some side-channel information; when several measurements are combined with statistical tools, the process is referred to as a DPA-like analysis. This talk teaches how to prevent both classes of attacks. General guidelines are provided along with concrete implementations.
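
The SPA-like setting, as an added simulation (not from the lecture). Instead of a power trace, each exponentiation records the sequence of squarings ("S") and multiplications ("M") it performs; a single such sequence stands in for the one measurement an SPA-like attack works from. The naive left-to-right exponentiation leaks every exponent bit in that sequence, while the Montgomery ladder performs the same two operations for every bit, so its sequence is independent of the exponent. The modulus and exponents are constructed for the demonstration.

```python
# Simulated SPA on modular exponentiation: the "trace" is the sequence of
# operations, which is what a single power measurement of an unprotected
# square-and-multiply reveals.  Added illustration, not the lecture's code.


def square_multiply_naive(base, exp, n, trace):
    """Left-to-right square-and-multiply; multiplies only when the bit is 1,
    so the operation sequence spells out the exponent."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % n
        trace.append("S")
        if bit == "1":
            r = r * base % n
            trace.append("M")
    return r


def montgomery_ladder(base, exp, n, trace):
    """Same result; every bit costs exactly one multiply and one square.
    Invariant: r1 == r0 * base.  The bit selects which register receives
    which product, so the operation sequence is the same for every exponent."""
    r0, r1 = 1, base % n
    for bit in bin(exp)[2:]:
        prod = r0 * r1 % n
        trace.append("M")
        if bit == "1":
            sq = r1 * r1 % n
            trace.append("S")
            r0, r1 = prod, sq
        else:
            sq = r0 * r0 % n
            trace.append("S")
            r0, r1 = sq, prod
    return r0


def trace_of(impl, base, exp, n):
    """Run impl and return only the recorded operation sequence."""
    trace = []
    impl(base, exp, n, trace)
    return trace


def spa_recover(trace):
    """The attacker's read-out for a square-and-multiply trace: every S
    starts a new bit, and an M directly after it marks that bit as 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append(0)
        elif bits:
            bits[-1] = 1
    return int("".join(map(str, bits)), 2) if bits else 0
```

spa_recover(trace_of(square_multiply_naive, 3, 45, 10**9 + 7)) returns 45, the secret exponent, from one trace. trace_of(montgomery_ladder, ...) is the same "M", "S" pattern for 45 and for 50, so the same read-out learns nothing beyond the exponent's bit length. This removes the SPA-like leak only: the ladder still handles key-dependent data in each operation, which is what the DPA-like attacks and their countermeasures (blinding, randomization) are about.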

Electromagnetic Analysis and Advanced Side-Channel Analysis
Pankaj Rohatgi, Cryptography Research
This lecture will provide an introduction to the electromagnetic emanation (EM) side channel. We will describe the various types of compromising EM emanations and the equipment needed to capture them. We will illustrate how compromising EM emanations can be captured from a variety of cryptographic devices and how multiple signals can be captured from each device. Next we will illustrate a variety of EM attacks on cryptographic implementations. Although the attack techniques are similar to power analysis, many EM attacks are not feasible using the power side channel, either because they exploit additional leakages present in EM channels or because the power side channel is inaccessible. Finally we will describe how one can design countermeasures against EM attacks.

ECC – Side-Channel Attacks and Countermeasures
Marc Joye, Technicolor
Elliptic curve cryptography (ECC) has an increasing impact on our everyday lives, where the use of memory-constrained devices such as smart cards and other embedded systems is ubiquitous. Its main advantage resides in a smaller key size for a conjectured equivalent security level. In this talk, we survey different known techniques for efficient ECC implementations that resist a variety of implementation attacks.

Post-Quantum Cryptographic Engineering
Çetin K. Koç, UC Santa Barbara
This seminar aims at presenting state-of-the-art research in cryptographic engineering aspects of cryptographic systems that are currently believed to be secure against quantum computer cryptanalysis. This includes the performance and security evaluation of cryptographic systems on hardware and software platforms. The concrete goal is to highlight new results in the design and analysis of cryptographic hardware and software implementations of post-quantum cryptography.

Side-Channel Attacks on Block Ciphers: DES and AES
FrançoisXavier Standaert, Université Catholique de Louvain
In this lecture, I will introduce various attacks against block ciphers such as DES or AES implemented in software or hardware. For this purpose, I will describe both the origin of the physical information leakages and how simple statistical strategies allow exploiting these leakages and turning them into key recoveries. I will then detail the main challenges for cryptographic engineers trying to implement such block ciphers securely without countermeasures.
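
The "simple statistical strategies" mentioned above, as an added simulation of a correlation power analysis against the first AES S-box lookup (illustrative code, not the lecture's). Traces are constructed: one sample per encryption, the Hamming weight of SBOX[plaintext_byte XOR key_byte] plus Gaussian noise, which is the usual leakage model for a software implementation. The attacker predicts that leakage for all 256 key-byte candidates and keeps the one whose prediction correlates best with the measurements. The S-box is computed from its definition rather than typed in; the key byte, noise level and trace count are assumptions.

```python
# Simulated correlation power analysis (CPA) on the AES S-box output under a
# Hamming-weight leakage model.  Added illustration, not the lecture's code.
# Traces are constructed in make_traces; nothing here is a real measurement.

import math
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _sbox_entry(x):
    """AES S-box: x^254 (the inverse, with 0 -> 0) then the affine transform."""
    y = x
    for _ in range(253):
        y = _gf_mul(y, x)
    s = y
    for i in range(1, 5):            # y ^ rotl(y,1) ^ ... ^ rotl(y,4) ^ 0x63
        s ^= ((y << i) | (y >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]


def hw(v):
    """Hamming weight: the leakage model for a value written to a register."""
    return bin(v).count("1")


def make_traces(key_byte, n_traces, sigma=1.0, seed=0):
    """Constructed measurements: HW of the S-box output plus Gaussian noise,
    one sample per trace.  Returns (plaintext bytes, samples)."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n_traces)]
    traces = [hw(SBOX[p ^ key_byte]) + rng.gauss(0.0, sigma) for p in pts]
    return pts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def cpa_recover(pts, traces):
    """For each key-byte candidate, predict the leakage of every trace and
    correlate it with the measurements.  Returns (best guess, scores)."""
    scores = []
    for k in range(256):
        predicted = [hw(SBOX[p ^ k]) for p in pts]
        scores.append(abs(pearson(predicted, traces)))
    best = max(range(256), key=scores.__getitem__)
    return best, scores
```

cpa_recover(*make_traces(0x2B, 500, sigma=1.0, seed=7)) returns 0x2B as the best candidate with a correlation around 0.8, while wrong candidates stay close to zero; reduce n_traces to a handful and the ranking becomes unreliable, which is the "number of traces to recover the key" figure that evaluations report. Real traces have thousands of samples per encryption, so the same correlation is computed per sample and the maximum over time is taken; the statistical core is unchanged.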

Countermeasures for Block Ciphers
FrançoisXavier Standaert, Université Catholique de Louvain
In this lecture, I will investigate in more detail the problem of physical security evaluations against side-channel attacks, with applications to important classes of countermeasures such as masking. In a first step, I will describe formal approaches to quantify the information leakages and put forward their potential shortcomings. Next, I will use case studies to illustrate that one can gain good intuition about the security of certain implementations based on simple heuristic formulas.

Random Number Generators for Cryptographic Applications
Werner Schindler, BSI Bund
Many cryptographic mechanisms require random numbers, e.g. as challenges, session keys or signature parameters. Inappropriate random number generators may considerably weaken otherwise strong cryptographic mechanisms. Requirements that appropriate random number generators should fulfill are formulated, and concrete examples are discussed. Relevant differences between deterministic and non-deterministic random number generators are worked out.

Evaluation Criteria for Non-Deterministic Random Number Generators
Werner Schindler, BSI Bund

Random Number Generator Design Constraints and Challenges
Viktor Fischer, Université de Saint Etienne
In this lecture, we will first analyze the main characteristics of random number generators (RNGs): quality-related issues such as sources of randomness, entropy extraction principles, post-processing, output bit rate and its stability; security-related issues such as the existence of a mathematical model, inner testability and robustness against attacks; and design-related issues such as resource usage, power consumption, feasibility in logic devices and design automation. Next, we will critically analyze and compare the main existing RNG principles. Based on this analysis, we will point out pitfalls that can exist in a practical RNG design and challenges that are usually faced when designing secure RNGs according to the AIS 20/AIS 31 recommendations.

