
Table of Contents

Cryptography, Volume 2, Issue 4 (December 2018)

CMCC: Misuse Resistant Authenticated Encryption with Minimal Ciphertext Expansion (Open Access Article)
Cryptography 2018, 2(4), 42; https://doi.org/10.3390/cryptography2040042
Received: 21 September 2018 / Revised: 5 November 2018 / Accepted: 4 December 2018 / Published: 19 December 2018
Abstract
In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short messages including plaintext lengths less than the underlying block cipher length (e.g., 16 bytes). For many existing AEAD schemes, a successful forgery leads directly to a loss of confidentiality. For CMCC, changes to the ciphertext randomize the resulting plaintext, thus forgeries do not necessarily result in a loss of confidentiality which allows us to reduce the length of the authentication tag. For protocols that send short messages, our scheme is similar to Synthetic Initialization Vector (SIV) mode for computational overhead but has much smaller expansion. We prove both a misuse resistant authenticated encryption (MRAE) security bound and an authenticated encryption (AE) security bound for CMCC. We also present a variation of CMCC, CWM (CMCC With MAC), which provides a further strengthening of the security bounds.
(This article belongs to the Special Issue Authenticated Encryption)
Security Incident Information Exchange for Cloud Service Provisioning Chains (Open Access Article)
Cryptography 2018, 2(4), 41; https://doi.org/10.3390/cryptography2040041
Received: 30 October 2018 / Revised: 23 November 2018 / Accepted: 5 December 2018 / Published: 11 December 2018
Abstract
Online services are increasingly becoming a composition of different cloud services, making incident-handling difficult, as Cloud Service Providers (CSPs) with end-user customers need information from other providers about incidents that occur at upstream CSPs to inform their users. In this paper, we argue the need for commonly agreed-upon incident information exchanges between providers to improve accountability of CSPs, and present both such a format and a prototype implementing it. The solution can handle simple incident information natively as well as embed standard representation formats for incident-sharing, such as IODEF and STIX. Preliminary interviews show a desire for such a solution. The discussion considers both technical challenges and non-technical aspects related to improving the situation for incident response in cloud-computing scenarios. Our solution holds the potential of making incident-sharing more efficient.
(This article belongs to the Special Issue Cloud, IoT and Software Defined Networks Security)
Redundancy in Key Management for WSNs (Open Access Article)
Cryptography 2018, 2(4), 40; https://doi.org/10.3390/cryptography2040040
Received: 31 October 2018 / Revised: 29 November 2018 / Accepted: 5 December 2018 / Published: 8 December 2018
Abstract
Security in wireless sensor networks is commonly based on symmetric encryption and requires key-management systems to establish and exchange secret keys. A constraint that is common to many key-management approaches is an upper bound to the total number of nodes in the network. An example is represented by the schemes based on combinatorial design. These schemes use specific rules for the generation of sets of keys that are distributed to the nodes before deploying the network. The aim of these approaches is to improve the resilience of the network. However, the quantity of data that must be stored by each node is proportional to the number of nodes of the network, so the available memory affects the applicability of these schemes. This paper investigates the opportunity of reducing the storage overhead by distributing the same set of keys to more than one node. In addition, the presence of redundant sets of keys affects the resilience and the security of the network. A careful analysis is conducted to evaluate benefits and drawbacks of redundant key distribution approaches. The results show that the use of redundancy decreases the level of resilience, but it scales well on very large networks.
(This article belongs to the Special Issue Key Management in Wireless Sensor Network)
Security and Cryptographic Challenges for Authentication Based on Biometrics Data (Open Access Article)
Cryptography 2018, 2(4), 39; https://doi.org/10.3390/cryptography2040039
Received: 25 October 2018 / Revised: 20 November 2018 / Accepted: 1 December 2018 / Published: 6 December 2018
Abstract
Authentication systems based on biometric characteristics and data represent one of the most important trends in the evolution of society, e.g., Smart City, Internet-of-Things (IoT), Cloud Computing, Big Data. In the near future, biometric systems will be everywhere in society, such as government, education, smart cities, banks etc. Due to their unique characteristics, biometric systems will become more and more vulnerable, privacy being one of the most important challenges. The classic cryptographic primitives are not sufficient to assure a strong level of secureness for privacy. The current paper has several objectives. The main objective consists in creating a framework based on cryptographic modules which can be applied in systems with biometric authentication methods. The technologies used in creating the framework are: C#, Java, C++, Python, and Haskell. The wide range of technologies for developing the algorithms gives readers, and not only them, the possibility to choose the proper modules for their own research or business direction. The cryptographic modules contain algorithms based on machine learning and modern cryptographic algorithms: AES (Advanced Encryption System), SHA-256, RC4, RC5, RC6, MARS, BLOWFISH, TWOFISH, THREEFISH, RSA (Rivest-Shamir-Adleman), Elliptic Curve, and Diffie Hellman. As methods for implementing the cryptographic modules with success, we will propose a methodology which can be used as a how-to guide. The article will focus only on the first category, machine learning and data clustering algorithms with applicability in the cloud computing environment. For tests we have used a virtual machine (Virtual Box) with Apache Hadoop and a Biometric Analysis Tool. The weaknesses of the algorithms and methods implemented within the framework will be evaluated and presented in order for the reader to acknowledge the latest status of the security analysis and the vulnerabilities found in the mentioned algorithms.
Another important result of the authors consists in creating a scheme for biometric enrollment (in Results). The purpose of the scheme is to give a big overview on how to use it, step by step, in real life, and how to use the algorithms. In the end, as a conclusion, the current paper gives a comprehensive background on the most important and challenging aspects on how to design and implement an authentication system based on biometric characteristics.
(This article belongs to the Special Issue Code-Based Cryptography)
Trusted Time-Based Verification Model for Automatic Man-in-the-Middle Attack Detection in Cybersecurity (Open Access Article)
Cryptography 2018, 2(4), 38; https://doi.org/10.3390/cryptography2040038
Received: 9 November 2018 / Revised: 2 December 2018 / Accepted: 4 December 2018 / Published: 5 December 2018
Abstract
Due to the prevalence and constantly increasing risk of cyber-attacks, new and evolving security mechanisms are required to protect information and networks and ensure the basic security principles of confidentiality, integrity, and availability—referred to as the CIA triad. While confidentiality and integrity can be achieved using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates, these depend on the correct authentication of servers, which could be compromised due to man-in-the-middle (MITM) attacks. Many existing solutions have practical limitations due to their operational complexity, deployment costs, as well as adversaries. We propose a novel scheme to detect MITM attacks with minimal intervention and workload to the network and systems. Our proposed model applies a novel inferencing scheme for detecting true anomalies in transmission time at a trusted time server (TTS) using time-based verification of sent and received messages. The key contribution of this paper is the ability to automatically detect MITM attacks with trusted verification of the transmission time using a learning-based inferencing algorithm. When used in conjunction with existing systems, such as intrusion detection systems (IDS), which require comprehensive configuration and network resource costs, it can provide a robust solution that addresses these practical limitations while saving costs by providing assurance.
Deterministic Authenticated Encryption Scheme for Memory Constrained Devices (Open Access Article)
Cryptography 2018, 2(4), 37; https://doi.org/10.3390/cryptography2040037
Received: 10 September 2018 / Revised: 13 November 2018 / Accepted: 28 November 2018 / Published: 4 December 2018
Abstract
A technique of authenticated encryption for memory constrained devices called sp-AELM was proposed by Agrawal et al. at ACISP 2015. The sp-AELM construction utilizes a sponge-based primitive to support online encryption and decryption functionalities. Online encryption in the construction is achieved in the standard manner by processing plaintext blocks as they arrive to produce ciphertext blocks. However, decryption is achieved by storing only one intermediate state and releasing it to the user upon correct verification. This intermediate state allows a legitimate user to generate the plaintext herself. However, the scheme is nonce-respecting, i.e., the scheme is insecure if the nonce is repeated. Implementation of a nonce is non-trivial in practice, and reuse of a nonce in an AE scheme is often devastating. In this paper, we propose a new AE scheme called dAELM, which stands for deterministic authenticated encryption (DAE) scheme for low memory devices. DAE is used in domains such as the key wrap, where the available message entropy omits the overhead of a nonce. For limiting memory usage, our idea is to use a session key to encrypt a message and share the session key with the user depending upon the verification of a tag. We provide the security proof of the proposed construction in the ideal cipher model.
(This article belongs to the Special Issue Authenticated Encryption)
An Attack Bound for Small Multiplicative Inverse of φ(N) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques (Open Access Article)
Cryptography 2018, 2(4), 36; https://doi.org/10.3390/cryptography2040036
Received: 18 July 2018 / Revised: 1 November 2018 / Accepted: 11 November 2018 / Published: 22 November 2018
Abstract
In this paper, we gave an attack on RSA (Rivest–Shamir–Adleman) Cryptosystem when φ(N) has small multiplicative inverse modulo e and the prime sum p + q is of the form p + q = 2^n k_0 + k_1, where n is a given positive integer and k_0 and k_1 are two suitably small unknown integers, using sublattice reduction techniques and Coppersmith's methods for finding small roots of modular polynomial equations. When we compare this method with an approach using lattice based techniques, this procedure slightly improves the bound and reduces the lattice dimension. Employing the previous tools, we provide a new attack bound for the deciphering exponent when the prime sum p + q = 2^n k_0 + k_1 and performed an analysis with Boneh and Durfee's deciphering exponent bound for appropriately small k_0 and k_1.
Forward-Secure Linkable Ring Signatures from Bilinear Maps (Open Access Article)
Cryptography 2018, 2(4), 35; https://doi.org/10.3390/cryptography2040035
Received: 14 September 2018 / Revised: 31 October 2018 / Accepted: 1 November 2018 / Published: 8 November 2018
Abstract
We present the first linkable ring signature scheme with both unconditional anonymity and forward-secure key update: a powerful tool which has direct applications in elegantly addressing a number of simultaneous constraints in remote electronic voting. We propose a comprehensive security model, and construct a scheme based on the hardness of finding discrete logarithms, and (for forward security) inverting bilinear or multilinear maps of moderate degree to match the time granularity of forward security. We prove efficient security reductions—which, of independent interest, apply to, and are much tighter than, linkable ring signatures without forward security, thereby vastly improving the provable security of these legacy schemes. If efficient multilinear maps should ever admit a secure realisation, our contribution would elegantly address a number of problems heretofore unsolved in the important application of (multi-election) practical Internet voting. Even if multilinear maps are never obtained, our minimal two-epoch construction instantiated from bilinear maps can be combinatorially boosted to synthesise a polynomial time granularity, which would be sufficient for Internet voting and more.
(This article belongs to the Special Issue Public Key Cryptography)
An Enhanced Key Management Scheme for LoRaWAN (Open Access Article)
Cryptography 2018, 2(4), 34; https://doi.org/10.3390/cryptography2040034
Received: 21 August 2018 / Revised: 23 October 2018 / Accepted: 29 October 2018 / Published: 2 November 2018
Abstract
The LoRaWAN is one of the new low-power wide-area network (LPWAN) standards applied to Internet of Things (IoT) technology. The key features of LPWAN are its low power consumption and long-range coverage. The LoRaWAN 1.1 specification includes a basic security scheme. However, this scheme could be further improved in the aspect of key management. In this paper, LoRaWAN 1.1 security is reviewed, and enhanced LoRaWAN security with a root key update scheme is proposed. The root key update will make cryptanalysis of security keys in LoRaWAN more difficult. The analysis and simulation show that the proposed root key update scheme requires fewer computing resources compared with other key derivation schemes, including the scheme used in the LoRaWAN session key update. The results also show the key generated in the proposed scheme has a high degree of randomness, which is a basic requirement for a security key.
(This article belongs to the Special Issue Key Management in Wireless Sensor Network)
Revocable Identity-Based Encryption and Server-Aided Revocable IBE from the Computational Diffie-Hellman Assumption (Open Access Article)
Cryptography 2018, 2(4), 33; https://doi.org/10.3390/cryptography2040033
Received: 30 August 2018 / Revised: 11 October 2018 / Accepted: 18 October 2018 / Published: 23 October 2018
Abstract
An Identity-based encryption (IBE) simplifies key management by taking users' identities as public keys. However, how to dynamically revoke users in an IBE scheme is not a trivial problem. To solve this problem, IBE scheme with revocation (namely revocable IBE scheme) has been proposed. Apart from those lattice-based IBE, most of the existing schemes are based on decisional assumptions over pairing-groups. In this paper, we propose a revocable IBE scheme based on a weaker assumption, namely Computational Diffie-Hellman (CDH) assumption over non-pairing groups. Our revocable IBE scheme is inspired by the IBE scheme proposed by Döttling and Garg in Crypto 2017. Like Döttling and Garg's IBE scheme, the key authority maintains a complete binary tree where every user is assigned to a leaf node. To adapt such an IBE scheme to a revocable IBE, we update the nodes along the paths of the revoked users in each time slot. Upon this updating, all revoked users are forced to be equipped with new encryption keys but without decryption keys, thus they are unable to perform decryption any more. We prove that our revocable IBE is adaptive IND-ID-CPA secure in the standard model. Our scheme serves as the first revocable IBE scheme from the CDH assumption. Moreover, we extend our scheme to support Decryption Key Exposure Resistance (DKER) and also propose a server-aided revocable IBE to decrease the decryption workload of the receiver. In our schemes, the size of the updating key in each time slot is only related to the number of newly revoked users in the past time slot.
(This article belongs to the Special Issue Public Key Cryptography)
A New Technique in Rank Metric Code-Based Encryption (Open Access Article)
Cryptography 2018, 2(4), 32; https://doi.org/10.3390/cryptography2040032
Received: 29 August 2018 / Revised: 7 October 2018 / Accepted: 11 October 2018 / Published: 15 October 2018
Abstract
We propose a rank metric codes based encryption based on the hard problem of rank syndrome decoding problem. We propose a new encryption with a public key matrix by considering the adding of a random distortion matrix over F_{q^m} of full column rank n. We show that IND-CPA security is achievable for our encryption under assumption of the Decisional Rank Syndrome Decoding problem. Furthermore, we also prove some bounds for the number of matrices of a fixed rank with entries over a finite field. Our proposal allows the choice of the error terms with rank up to r/2, where r is the error-correcting capability of a code. Our encryption based on Gabidulin codes has public key size of 13.68 KB, which is 82 times smaller than the public key size of McEliece Cryptosystem based on Goppa codes. For similar post-quantum security level of 2^140 bits, our encryption scheme has a smaller public key size than the key size suggested by LOI17 Encryption.
(This article belongs to the Special Issue Public Key Cryptography)
The Definition and Software Performance of Hashstream, a Fast Length-Flexible PRF (Open Access Article)
Cryptography 2018, 2(4), 31; https://doi.org/10.3390/cryptography2040031
Received: 13 September 2018 / Revised: 5 October 2018 / Accepted: 11 October 2018 / Published: 15 October 2018
Abstract
Two of the fastest types of cryptographic algorithms are the stream cipher and the almost-universal hash function. There are secure examples of each that process data in software using less than one CPU cycle per byte. Hashstream combines the two types of algorithms in a straightforward manner yielding a PRF that can both consume inputs of and produce pseudorandom outputs of any desired length. The result is an object useful in many contexts: authentication, encryption, authenticated encryption, random generation, mask generation, etc. The HS1-SIV authenticated-encryption algorithm—a CAESAR competition second round selection—was based on Hashstream and showed the promise of such an approach by having provable security and topping the speed charts in several test configurations.
(This article belongs to the Special Issue Authenticated Encryption)
Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment (Open Access Article)
Cryptography 2018, 2(4), 30; https://doi.org/10.3390/cryptography2040030
Received: 11 September 2018 / Revised: 26 September 2018 / Accepted: 9 October 2018 / Published: 12 October 2018
Abstract
The design of a practical code-based signature scheme is an open problem in post-quantum cryptography. This paper is the full version of a work that appeared at SIN'18 as a short paper, which introduced a simple and efficient one-time secure signature scheme based on quasi-cyclic codes. As such, this paper features, in a fully self-contained way, an accurate description of the scheme setting and related previous work, a detailed security analysis, and an extensive comparison and performance discussion.
(This article belongs to the Special Issue Code-Based Cryptography)
Pairing Free Identity-Based Blind Signature Scheme with Message Recovery (Open Access Article)
Cryptography 2018, 2(4), 29; https://doi.org/10.3390/cryptography2040029
Received: 17 September 2018 / Revised: 4 October 2018 / Accepted: 5 October 2018 / Published: 9 October 2018
Abstract
With the rapid development of modern technology, personal privacy has become a critical concern in many applications. Various digitalized applications such as online voting systems and the electronic cash systems need authenticity and anonymity. Blind signature is an advanced technique that provides the authenticity and anonymity of the user by obtaining a valid signature for a message without revealing its content to the signer. The message recovery property minimizes the signature size and allows efficient communication in situations where bandwidth is limited. With the advantage of blind signature and message recovery properties, in this paper, we present a new pairing free blind signature scheme with message recovery in Identity-based settings. The proposed scheme is proven to be secure in the random oracle model under the assumption that the Elliptic Curve Discrete Logarithm Problem (ECDLP) is intractable. The proposed scheme meets the security requirements such as blindness, untraceability, and unforgeability. We compare our scheme with the well-known existing schemes in the literature, and the efficiency analysis shows that our scheme is more efficient from a computational and communicational point of view.
A (k, n)-Threshold Progressive Visual Secret Sharing without Expansion (Open Access Feature Paper)
Cryptography 2018, 2(4), 28; https://doi.org/10.3390/cryptography2040028
Received: 31 August 2018 / Revised: 22 September 2018 / Accepted: 25 September 2018 / Published: 27 September 2018
Abstract
Visual cryptography (VC) encrypts a secret image into n shares (transparency). As such, we cannot see any information from any one share, and the original image is decrypted by stacking all of the shares. The general (k, n)-threshold secret sharing scheme (SSS) can similarly encrypt and decrypt the original image by stacking at least k (≤ n) shares. If one stack is fewer than k shares, the secret image is unrecognizable. Another subject is progressive visual secret sharing, which means that when more shares are progressively stacked, the combined share becomes clearer. In this study, we constructed an advanced scheme for (k, n)-threshold SSS that can be encrypted in VC for any positive integers n ≥ k ≥ 2 through the method of combination, and the size of each share is the same as that of the original image. That is, no pixel expansion is required. Our scheme is novel, and the results from the theoretical analysis and simulation reveal that our scheme exhibits favorable contrast to that of other related schemes.
(This article belongs to the Special Issue Visual Cryptography)
Improving Performance and Mitigating Fault Attacks Using Value Prediction (Open Access Article)
Cryptography 2018, 2(4), 27; https://doi.org/10.3390/cryptography2040027
Received: 24 July 2018 / Revised: 20 September 2018 / Accepted: 20 September 2018 / Published: 23 September 2018
Abstract
We present Value Prediction for Security (VPsec), a novel hardware-only framework to counter fault attacks in modern microprocessors, while preserving the performance benefits of Value Prediction (VP). VP is an elegant and hitherto mature microarchitectural performance optimization, which aims to predict the data value ahead of the data production with high prediction accuracy and coverage. Instances of VPsec leverage the state-of-the-art Value Predictors in an embodiment and system design to mitigate fault attacks in modern microprocessors. Specifically, VPsec implementations re-architect any baseline VP embodiment with fault detection logic and reaction logic to mitigate fault attacks to both the datapath and the value predictor itself. VPsec also defines a new mode of execution in which the predicted value is trusted rather than the produced value. From a microarchitectural design perspective, VPsec requires minimal hardware changes (negligible area and complexity impact) with respect to a baseline that supports VP, it has no software overheads (no increase in memory footprint or execution time), and it retains most of the performance benefits of VP under realistic attacks. Our evaluation of VPsec demonstrates its efficacy in countering fault attacks, as well as its ability to retain the performance benefits of VP on cryptographic workloads, such as OpenSSL, and non-cryptographic workloads, such as SPEC CPU 2006/2017.
Cryptography, EISSN 2410-387X, published by MDPI AG, Basel, Switzerland.