²⁰²⁵⁻⁰³⁻¹⁷
Graduation “sub auspiciis” for Barbara Gigerl and Reinhard Lüftenegger
On March 14th, six TU Graz/Uni Graz graduates received their doctorate under the auspices of the Austrian President – the highest honour in Austrian education. Two of them are ISEC Alumni: Barbara Gigerl and Reinhard Lüftenegger.
Uni Graz principal Peter Riedler and TU Graz principal Horst Bischof presented the six graduates with this honour on behalf of the President of Austria, Alexander Van der Bellen, who presented the graduates with their ring of honour on March 17th in Vienna.
We at ISEC want to congratulate Barbara and Reinhard and wish them all the best in their future endeavours!
Barbara Gigerl
Barbara’s doctoral thesis, “Efficient and Secure Masking Schemes to Counteract Power Analysis Attacks in Practice“, was written under the supervision of Univ.-Prof. Stefan Mangard.
Abstract
Embedded and IoT devices rely on cryptographic building blocks to protect sensitive user data from unrestricted access. Cryptographic algorithms have been designed to provide security against mathematical attacks, assuming that the adversary knows the input, output, and the algorithm itself but not the secret key. Real-world attackers are often more powerful because they can exploit physical access to the device, allowing them to observe physical properties like the device’s power consumption. Using side-channel attacks, such as differential power analysis, these physical properties can be statistically analyzed to extract the secret key. One popular countermeasure is masking, which splits sensitive values into multiple random shares, effectively decoupling the sensitive data from the data processed by the device and, thus, the power consumption. The security of masking schemes is based on the independent leakage assumption (ILA), which states that independent computations result in independent leakage. Unfortunately, it has been shown that the ILA does not always hold for masked implementations that are used in practice. In this thesis, we work on improving the security and efficiency of masked implementations in software and hardware.
First, we study the security of masked software when executed by a microprocessor and identify several microarchitectural building blocks that could prevent leakage-free execution due to ILA violations. To fix the discovered issues, we explore possible solutions on the hardware and software level and compare them with respect to efficiency. We focus on simple as well as more complex CPUs, which include multiple pipeline stages and superscalar building blocks. Furthermore, we investigate the security of masked software when running as a task in an operating system. To identify leakage in the first place, we propose a new formal verification approach that allows to verify the execution of masked software implementations directly on the CPU netlist, facilitating the detection of ILA violations stemming from the CPU microarchitecture.
Second, we focus on masked hardware implementations. Typically, these implementations compensate for ILA violations either by consuming a significant amount of fresh randomness or by an increased encryption latency. We research strategies to lower the randomness consumption of masking in hardware without increasing the latency, mainly by reusing fresh randomness for unrelated computations during the encryption. In addition, we research new formal verification concepts for masked hardware implementations and apply these techniques in different contexts. We construct a verification approach that supports both Boolean and arithmetic masking and allows us to detect ILA violations in implementations adapting both types of masking. In the context of masked hardware implementations on FPGAs, we build a new verification tool that can be used to uncover leakage introduced by the FPGA synthesis process.
Reinhard Lüftenegger
Reinhard’s doctoral thesis, “Algebraic Analysis of Arithmetization-Friendly Cryptographic Primitives“, was written under the supervision of Univ.-Prof. Christian Rechberger.
Abstract
In recent years, the field of symmetric cryptography has seen a significant growth of research efforts focused on tailored cryptographic primitives that address the particular needs of modern protocols such as multi-party computation (MPC), (fully) homomorphic encryption (FHE), and zero-knowledge proofs of knowledge (ZKP). Especially zero-knowledge proof systems have recently attracted a tremendous amount of attention from, both, academia and industry. This is due to several promising applications in verifiable computation, identity protection (also known as self-sovereign identity), and user authentication.
Primitives tailored for MPC-, FHE-, or ZKP-protocols are commonly refered to as arithmetization-friendly primitives (AFPs). The particular design goals of AFPs require them to admit an efficient (i.e., concise, simple, lowdegree) representation as a system of polynomial constraints. This efficient representation not only promotes arithmetization-friendliness, but, at the same time, it also makes AFPs potentially vulnerable to algebraic cryptanalysis. As a consequence, developing new techniques in algebraic cryptanalysis, and establishing a well-founded understanding of the performance thereof, have become important research directions in recent years. The present thesis discusses our research contributions in these directions. In particular, the thesis is based on the following scientific publications.
[ACG+19] We cryptanalyze the block cipher Jarvis and the hash function Friday using Gröbner basis techniques. Our analysis invalidates the security claims for all full-round instances made by the designers and indicates that a substantially higher number of rounds were necessary to restore full security.
[CGG+22] We develop novel theoretic upper bounds on the algebraic degree in substitution-permutation networks. The algebraic degree is an important indicator for the complexity of several means of cryptanalysis, such as higher-order differential distinguishers and interpolation analysis.
[GKL+22] Arithmetization-friendly hash functions aim to be efficient with respect to SNARK (e.g., R1CS or Plonk constraints) or STARK (e.g., AIR constraints) cost metrics. This has proven to be a competing design goal with plain performance. With our new design Reinforced Concrete we aim to overcome this shortcoming and propose a hash function that targets efficiency in both domains, plain performance and proving performance.
[HLL+22] Most often, equation systems modelling an AFP exhibit a particular structure. Dedicated Gröbner basis algorithms that are able to exploit this structure have great potential to improve the security analysis of AFPs and, thus, are of independent interest. We take a first step towards dedicated Gröbner basis algorithms and devise a new algorithm that performs particularly well for overdetermined, quadratic equation systems.
