68 research outputs found

    El archivo de Gonzalo de Reparaz

    No full text
    La clasificación del archivo particular del geógrafo Gonzalo de Reparaz Rodríguez ha permitido acceder a un mejor conocimiento de este autor. A través de sus documentos, este artículo traza un breve relato de su vida mostrando aspectos y acontecimientos poco conocidos y revelando el papel de su esposa, Carmen Ruiz, y de su hijo, Gonzalo de Reparaz Ruiz.La classificació de l'arxiu particular del geògraf Gonçal de Reparaz Rodríguez ha permès accedir a un millor coneixement d'aquest autor. A través dels seus documents, aquest article dibuixa un breu relat de la seva vida mostrant aspectes i fets poc coneguts i revelant el paper de la seva esposa, Carmen Ruiz, i del seu fill, Gonçal de Reparaz Ruiz.La classification des archives particuliers du géographe Gonzalo de Reparaz Rodríguez ont possibilité atteindre une meilleure connaissance de l'auteur. À travers de ses documents, ce article fait un récit bref de sa vie à fin de montrer les aspects et les événements moins connus de son éxistence ainsi que révéler le rôle de son épouse, Carmen Ruiz, et son fils, Gonzalo de Reparaz Ruiz.Personal archives of geographer Gonzalo de Reparaz have been classified in order to achieve a better knowledge of the author. This article provides a brief narration of his life, based on documents from his Archives, thus revealing little known aspects and events of his life as well as the role of his wife, Carmen Ruiz, and their son, Gonzalo de Reparaz Ruiz

    El archivo de Gonzalo de Reparaz

    No full text
    La clasificación del archivo particular del geógrafo Gonzalo de Reparaz Rodríguez ha permitido acceder a un mejor conocimiento de este autor. A través de sus documentos, este artículo traza un breve relato de su vida mostrando aspectos y acontecimientos poco conocidos y revelando el papel de su esposa, Carmen Ruiz, y de su hijo, Gonzalo de Reparaz Ruiz.La classificació de l'arxiu particular del geògraf Gonçal de Reparaz Rodríguez ha permès accedir a un millor coneixement d'aquest autor. A través dels seus documents, aquest article dibuixa un breu relat de la seva vida mostrant aspectes i fets poc coneguts i revelant el paper de la seva esposa, Carmen Ruiz, i del seu fill, Gonçal de Reparaz Ruiz.La classification des archives particuliers du géographe Gonzalo de Reparaz Rodríguez ont possibilité atteindre une meilleure connaissance de l'auteur. À travers de ses documents, ce article fait un récit bref de sa vie à fin de montrer les aspects et les événements moins connus de son éxistence ainsi que révéler le rôle de son épouse, Carmen Ruiz, et son fils, Gonzalo de Reparaz Ruiz.Personal archives of geographer Gonzalo de Reparaz have been classified in order to achieve a better knowledge of the author. This article provides a brief narration of his life, based on documents from his Archives, thus revealing little known aspects and events of his life as well as the role of his wife, Carmen Ruiz, and their son, Gonzalo de Reparaz Ruiz

    Detecting Flawed Masking Schemes with Leakage Detection Tests

    No full text
    sponsorship: We thank an anonymous reviewer that found a mistake in Sect. 3.5, Francois-Xavier Standaert for extensive comments and Ingrid Verbauwhede. The author is funded by a PhD fellowship of the Fund for Scientific Research-Flanders (FWO). This work was funded also by Flemish Government, FWO G.0550.12N, G.00130.13N, Hercules Foundation AKUL/11/19, and through the Horizon 2020 research and innovation programme under grant agreement 644052 HECTOR. (Fund for Scientific Research-Flanders (FWO), Hercules Foundation|AKUL/11/19, Horizon research and innovation programme|644052 HECTOR, Flemish Government|FWO G.0550.12N, Flemish Government|G.00130.13N)status: Publishe

    DPA, Bitslicing and Masking at 1 GHz

    No full text
    © International Association for Cryptologic Research 2015. We present DPA attacks on an ARM Cortex-A8 processor running at 1GHz. This high-end processor is typically found in portable devices such as phones and tablets. In our case, the processor sits in a single board computer and runs a full-fledged Linux operating system. The targeted AES implementation is bitsliced and runs in constant time and constant flow. We show that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor. To harden the bitsliced implementation against DPA attacks, we mask it using principles of hardware gate-level masking. We evaluate the security of our masked implementation against firstorder and second-order attacks. Our experiments show that successful attacks require roughly two orders of magnitude more measurements.sponsorship: We would like to thank the CHES 2015 reviewers for their valuable feedback. This work has been supported in part by the Research Council of KU Leuven (GOA/11/007), by the Flemish Government FWO G.0550.12N and by the Hercules foundation (AKUL/11/19). Oscar Reparaz is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO). Benedikt Gierlichs is a Postdoctoral Fellow of the Fund for Scientific Research - Flanders (FWO). (Research Council of KU Leuven|GOA/11/007, Flemish Government|FWO G.0550.12N, Hercules foundation|AKUL/11/19, PhD fellowship of the Fund for Scientific Research - Flanders (FWO))status: Publishe

    A Masked Ring-LWE Implementation

    No full text
    © International Association for Cryptologic Research 2015. Lattice-based cryptography has been proposed as a postquantum public-key cryptosystem. In this paper, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of our approach. The area of the protected architecture is around 2000 LUTs, a 20% increase with respect to the unprotected architecture. The protected implementation takes 7478 cycles to compute, which is only a factor ×2. 6 larger than the unprotected implementation.sponsorship: The authors would like to thank the CHES 2015 reviewers for their valuable comments. This work has been supported in part by the European Commission through the ICT programme under contracts H2020-ICT-645622 PQCRYPTO, H2020-ICT-644209 HEAT and FP7-ICT-2013-10-SEP-210076296 PRACTICE; by the Research Council KU Leuven TENSE (GOA/11/007); by the Flemish Government FWO G.0550.12N, G.00130.13N and G.0876.14N; and by the Hercules Foundation AKUL/11/19. Oscar Reparaz is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO). Sujoy Sinha Roy was supported by Erasmus Mundus PhD Scholarship. (European Commission through the ICT programme|H2020-ICT-645622 PQCRYPTO, European Commission through the ICT programme|H2020-ICT-644209 HEAT, European Commission through the ICT programme|FP7-ICT-2013-10-SEP-210076296 PRACTICE, Research Council KU Leuven TENSE|GOA/11/007, Flemish Government|FWO G.0550.12N, Flemish Government|G.00130.13N, Flemish Government|G.0876.14N, Hercules Foundation|AKUL/11/19, PhD fellowship of the Fund for Scientific Research - Flanders (FWO), Erasmus Mundus PhD Scholarship, EPSRC|EP/L001802/1)status: Publishe

    Additively Homomorphic ring-LWE Masking

    No full text
    © Springer International Publishing Switzerland 2016. In this paper, we present a new masking scheme for ring LWE decryption. Our scheme exploits the additively-homomorphic property of the existing ring-LWE encryption schemes and computes an additive-mask as an encryption of a random message. Our solution differs in several aspects from the recent masked ring-LWE implementation by Reparaz et al. presented at CHES 2015; most notably we do not require a masked decoder but work with a conventional, unmasked decoder. As such, we can secure a ring-LWE implementation using additive masking with minimal changes. Our masking scheme is also very generic in the sense that it can be applied to other additively-homomorphic encryption schemes.sponsorship: EPSRC|EP/L001802/1status: Publishe

    A note on the security of Higher-Order Threshold Implementations

    No full text
    At ASIACRYPT 2014, Bilgin et al. describe higher-order threshold implementations: a masking countermeasure claiming resistance against higher-order differential power analysis attacks. In this note, we point out that higher-order threshold implementations do not necessarily provide higher-order security. We give as counterexamples two concrete higher-order threshold implementations that exhibit a second order flaw

    Masking AES With d+1 Shares in Hardware

    No full text
    Masking requires splitting sensitive variables into at least d + 1 shares to provide security against DPA attacks at order d. To this date, this minimal number has only been deployed in software implementations of cryptographic algorithms and in the linear parts of their hardware counterparts. So far there is no hardware construction that achieves this lower bound if the function is nonlinear and the underlying logic gates can glitch. In this paper, we give practical implementations of the AES using d + 1 shares aiming at first- and second-order security even in the presence of glitches. To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 to allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with d + 1 shares. The decrease in number of shares has a direct impact in the area requirements: our second-order DPA resistant core is the smallest in area so far, and its S-box is 50% smaller than the current smallest Threshold Implementation of the AES S-box with similar security and attacker model. We assess the security of our masked cores by practical side-channel evaluations. The security guarantees are met with 100 million traces

    Masking AES with d+1 Shares in Hardware

    No full text
    © International Association for Cryptologic Research 2016. Masking requires splitting sensitive variables into at least d + 1 shares to provide security against DPA attacks at order d. To this date, this minimal number has only been deployed in software implementations of cryptographic algorithms and in the linear parts of their hardware counterparts. So far there is no hardware construction that achieves this lower bound if the function is nonlinear and the underlying logic gates can glitch. In this paper, we give practical implementations of the AES using d + 1 shares aiming at first- and second-order security even in the presence of glitches. To achieve this, we follow the conditions presented by Reparaz et al. at CRYPTO 2015 to allow hardware masking schemes, like Threshold Implementations, to provide theoretical higher-order security with d + 1 shares. The decrease in number of shares has a direct impact in the area requirements: our second-order DPA resistant core is the smallest in area so far, and its S-box is 50% smaller than the current smallest Threshold Implementation of the AES S-box with similar security and attacker model. We assess the security of our masked cores by practical side-channel evaluations. The security guarantees are met with 100 million traces.status: Publishe

    Analyse en ontwerp van maskeringsschema's voor veilige cryptografische implementaties

    No full text
    Masking is the central topic of this thesis based on publications. Masking is a technique that allows the secure execution of cryptographic algorithms in untrusted environments. More concretely, masking provides security guarantees even if an adversary observes side-channel leakage. We first propose a methodology to attack masked implementations more quickly. Our method is relevant in practice since it allows to carry out attacks that before took months in days. The proposed method first locates the relevant time samples for an attack and then only attacks those. For this purpose we rely on versatile information-theoretic tools. The second selected paper in this thesis deals with Differential Power Analysis, masking and bit-slicing at very high clock speeds, such as those typically found in today's smartphones and personal electronic devices. We present an attack on an ARM Cortex-A8 running at 1 GHz, and then apply the principles of gate-level masking to develop a DPA-resistant bit-sliced AES implementation. In our third selected paper, we propose a new masking strategy for a post-quantum public-key algorithm: ring-LWE. Our solution is essentially arithmetic masking with a bespoke probabilistic decoder. Our approach fits in a standard FPGA and incurs manageable performance overheads. We explain in our fourth paper similarities and differences between theoretical and practical instances of masking schemes. These observations allow us to break some masking schemes proposed in literature and transfer attractive features from one scheme to another. To conclude, in the fifth paper we describe a simple, yet powerful tool to detect flaws in masking schemes. Sound masking schemes can be surprisingly difficult to design (especially if they provide higher-order security guarantees); our tool assists the design process of a masking scheme by assessing the soundness of a masking scheme at the algorithmic level before implementing it on an actual device.status: Publishe
    corecore