Christof Paar

Ruhr-Universität Bochum, Bochum, North Rhine-Westphalia, Germany

Are you Christof Paar?

Claim your profile

Publications (289)34.26 Total impact

  • [Show abstract] [Hide abstract]
    ABSTRACT: Often overlooked, microcontrollers are the central component in embedded systems which drive the evolution toward the Internet of Things (IoT). They are small, easy to handle, low cost, and with myriads of pervasive applications. An increasing number of microcontroller-equipped systems are security and safety critical. In this tutorial, we take a critical look at the security aspects of today's microcontrollers. We demonstrate why the implementation of sensitive applications on a standard microcontroller can lead to severe security problems. To this end, we summarize various threats to microcontroller-based systems, including side-channel analysis and different methods for extracting embedded code. In two case studies, we demonstrate the relevance of these techniques in real-world applications: Both analyzed systems, a widely used digital locking system and the YubiKey 2 onetime password generator, turned out to be susceptible to attacks against the actual implementations, allowing an adversary to extract the cryptographic keys which, in turn, leads to a total collapse of the system security.
    Proceedings of the IEEE 01/2014; 102(8):1157-1173. · 6.91 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: General-purpose communication systems such as GSM and UMTS have been in the focus of security researchers for over a decade now. Recently also technologies that are only used under more specific circumstances have come into the spotlight of academic research and the hacker scene alike. A striking example of this is recent work [Driessen et al. 2012] that analyzed the security of the over-the-air encryption in the two existing ETSI satphone standards GMR-1 and GMR-2. The firmware of handheld devices was reverse-engineered and the previously unknown stream ciphers A5-GMR-1 and A5-GMR-2 were recovered. In a second step, both ciphers were cryptanalized, resulting in a ciphertext-only attack on A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In this work, we extend the aforementioned results in the following ways: First, we improve the proposed attack on A5-GMR-1 and reduce its average-case complexity from 232 to 221 steps. Second, we implement a practical attack to successfully record communications in the Thuraya network and show that it can be done with moderate effort for approximately $5,000. We describe the implementation of our modified attack and the crucial aspects to make it practical. Using our eavesdropping setup, we recorded 30 seconds of our own satellite-to-satphone communication and show that we are able to recover Thuraya session keys in half an hour (on average). We supplement these results with experiments designed to highlight the feasibility of also eavesdropping on the satphone's emanations. The purpose of this article is threefold: Develop and demonstrate more practical attacks on A5-GMR-1, summarize current research results in the field of GMR-1 and GMR-2 security, and shed light on the amount of work and expertise it takes from setting out to analyze a complex system to actually break it in the real world.
    ACM Transactions on Information and System Security (TISSEC). 11/2013; 16(3).
  • [Show abstract] [Hide abstract]
    ABSTRACT: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like, and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips". We demonstrate the effectiveness of our approach by inserting Trojans into two designs -- a digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation -- and by exploring their detectability and their effects on security.
    Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems; 08/2013
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we perform a comprehensive area, power and energy analysis of the most recently-developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSIM simulations. We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed; or it can help deciding which algorithm to choose based on energy and key/block-length requirements.
    RFID Security (RFIDsec) 2013; 07/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: Modern cryptography today is substantially involved with securing lightweight (and pervasive) devices. For this purpose, several lightweight cryptographic algorithms have already been proposed. Up to now, the literature has focused on hardware-efficiency while lightweight with respect to software has barely been addressed. However, a large percentage of lightweight ciphers will be implemented on embedded CPUs- without support for cryptographic operations. In parallel, many lightweight ciphers are based on operations which are hardware-friendly but quite costly in software. For instance, bit permutations that accrue essentially no costs in hardware require a non-trivial number of CPU cycles and/or lookup tables in software. Similarly, S-Boxes often require relatively large lookup tables in software. In this work, we try to address the open question of efficient cipher implementations on small CPUs by introducing a non-linear/linear instruction set extension, to which we refer to as NLU, capable of implementing on-linear operations expressed in their algebraic normal form(ANF) and linear operations expressed in binary "matrix multiply-and-add" form. The proposed NLU is targeted for embedded micro controllers and it is therefore 8-bit wide. However, its modular architecture allows it to be used in16, 32, 64 and even 4-bit CPUs. We furthermore present examples of the use of NLU in the implementation of standard cryptographic algorithms in order to demonstrate its coding advantage.
    Computer Arithmetic (ARITH), 2013 21st IEEE Symposium on; 01/2013
  • 01/2013: pages 147-164; , ISBN: 9783642400407
  • A. Moradi, O. Mischke, C. Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: When complex functions, for example, substitution boxes of block ciphers, are realized in hardware, timing attributes of the underlying combinational circuit depend on the input/output changes of the function. These characteristics can be exploited by the help of a relatively new scheme called fault sensitivity analysis. A collision timing attack which exploits the data-dependent timing characteristics of combinational circuits is demonstrated in this paper. The attack is based on an also recently published correlation collision attack, which avoids the need for a hypothetical timing model for the underlying combinational circuit to recover the secret materials. The target platforms of our proposed attack are 14 AES ASIC cores of the SASEBO LSI chips in three different process technologies, 13 nm, 90 nm, and 65 nm. Successfully breaking all cores including the DPA-protected and fault attack protected cores indicates the strength of the attack.
    IEEE Transactions on Computers 01/2013; 62(9):1786-1798. · 1.38 Impact Factor
  • Source
    David Oswald, Bastian Richter, Christof Paar
    01/2013: pages 204-222; , ISBN: 9783642412837
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In order to protect FPGA designs against IP theft and related issues such as product cloning, all major FPGA manufacturers offer a mechanism to encrypt the bitstream used to configure the FPGA. From a mathematical point of view, the employed encryption algorithms, e.g., AES or 3DES, are highly secure. However, recently it has been shown that the bitstream encryption feature of several FPGA product lines is susceptible to side-channel attacks that monitor the power consumption of the cryptographic module. In this paper, we present the first successful attack on the bitstream encryption of the Altera Stratix II FPGA. To this end, we reverse-engineered the details of the proprietary and unpublished Stratix II bitstream encryption scheme from the Quartus II software. Using this knowledge, we demonstrate that the full 128-bit AES key of a Stratix II can be recovered by means of side-channel analysis with 30,000 measurements, which can be acquired in less than three hours. The complete bitstream of a Stratix II that is (seemingly) protected by the bitstream encryption feature can hence fall into the hands of a competitor or criminal - possibly implying system-wide damage if confidential information such as proprietary encryption schemes or keys programmed into the FPGA are extracted. In addition to lost IP, reprogramming the attacked FPGA with modified code, for instance, to secretly plant a hardware trojan, is a particularly dangerous scenario for many security-critical applications.
    Proceedings of the ACM/SIGDA international symposium on Field programmable gate arrays; 01/2013
  • Financial Cryptography; 01/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks.
    Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security; 12/2012
  • Source
    David Oswald, Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Pre-processing techniques are widely used to increase the success rate of side-channel analysis when attacking (protected) implementations of cryptographic algorithms. However, as of today, the according steps are usually chosen heuristically. In this paper, we present an analytical expression for the correlation coefficient after applying a linear transform to the side-channel traces. Doing so, we are able to precisely quantify the influence of a linear filter on the result of a correlation power analysis. On this basis, we demonstrate the use of optimisation algorithms to efficiently and methodically derive "optimal" filter coefficients in the sense that they maximise a given definition for the distinguishability of the correct key candidate. We verify the effectiveness of our methods by analysing both simulated and real-world traces for a hardware implementation of the AES.
    Proceedings of the 11th international conference on Smart Card Research and Advanced Applications; 11/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: We propose a new authentication protocol that is provably secure based on a ring variant of the learning parity with noise (LPN) problem. The protocol follows the design principle of the LPN-based protocol from Eurocrypt'11 (Kiltz et al.), and like it, is a two round protocol secure against active attacks. Moreover, our protocol has small communication complexity and a very small footprint which makes it applicable in scenarios that involve low-cost, resource-constrained devices. Performance-wise, our protocol is more efficient than previous LPN-based schemes, such as the many variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from Eurocrypt'11. Our implementation results show that it is even comparable to the standard challenge-and-response protocols based on the AES block-cipher. Our basic protocol is roughly 20 times slower than AES, but with the advantage of having 10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile memory are available to allow the storage of some off-line pre-computations, then the online phase of our protocols is only twice as slow as AES.
    Proceedings of the 19th international conference on Fast Software Encryption; 03/2012
  • Amir Moradi, Markus Kasper, Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents a side-channel analysis of the bitstream encryption mechanism provided by Xilinx Virtex FPGAs. This work covers our results analyzing the Virtex-4 and Virtex-5 family showing that the encryption mechanism can be completely broken with moderate effort. The presented results provide an overview of a practical real-world analysis and should help practitioners to judge the necessity to implement side-channel countermeasures. We demonstrate sophisticated attacks on off-the-shelf FPGAs that go far beyond schoolbook attacks on 8-bit AES S-boxes. We were able to perform the key extraction by using only the measurements of a single power-up. Access to the key enables cloning and manipulating a design, which has been encrypted to protect the intellectual property and to prevent fraud. As a consequence, the target product faces serious threats like IP theft and more advanced attacks such as reverse engineering or the introduction of hardware Trojans. To the best of our knowledge, this is the first successful attack against the bitstream encryption of Xilinx Virtex-4 and Virtex-5 reported in open literature.
    Topics in Cryptology - CT-RSA 2012 - The Cryptographers' Track at the RSA Conference 2012, San Francisco, CA, USA, February 27 - March 2, 2012. Proceedings; 01/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: Latest evaluation of the state-of-the-art iMDPL logic style has shown small information leakage compared to its predecessor version MDPL. Concurrently, new advanced power analysis attacks specifically targeting iMDPL have been proposed. Up to now, these attacks are purely theoretic and have not been applied to an implementation. We present a comprehensive analysis of iMDPL, backed by real measurements collected from a 180 nm iMDPL prototype chip. We thoroughly study the extent of remaining information leakage of iMDPL by applying all relevant attacks. Our investigation shows the vulnerability of the target device, a standalone AES core, to several of the advanced attack methods. In comparison to conventional power analysis attacks, the advanced attacks need less power measurements to obtain meaningful results. With the help of logic level simulations routing imbalances between complementary mask trees are identified as a major source of leakage.
    IEEE Transactions on Very Large Scale Integration (VLSI) Systems 01/2012; 20(9):1578-1589. · 1.22 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we propose a reconfigurable lightweight Internet Protocol Security (IPSec) hardware core. Our architecture supports the main IPSec protocols; namely Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). In this work, the cryptographic algorithms and their modes of operation, which are at the heart of the IPSec protocols, are implemented in hardware. Instead of re-implementing common IPSec configurations, which are deemed “too heavy” for pervasive devices, we evaluate efficient implementations of standardized and/or well-known lightweight and hardware-friendly algorithms. In particular, we examine different versions of Present, Grøstl, Photon, and a very compact ECC core. As a consequence, we present IPSecco, a core with adequate security and only moderate resource requirements, making it suitable for lightweight devices. We selected the Xilinx Spartan family of Field Programmable Gate Arrays (FPGA) as target platform due its low-power footprint and reduced costs compared to other FPGAs. Our results show that it is possible to realize a high performance IPSec core even on members of the Spartan-3 family.
    Reconfigurable Computing and FPGAs (ReConFig), 2012 International Conference on; 01/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: Source code plagiarism has become a serious problem for the industry. Although there exist many software solutions for comparing source codes, they are often not practical in the embedded environment. Today's microcontrollers have frequently implemented a memory read protection that prevents a verifier from reading out the necessary source code. In this paper, we present three verification methods to detect software plagiarism in embedded software without knowing the implemented source code. All three approaches make use of side-channel information that is obtained during the execution of the suspicious code. The first method is passive, i.e., no previous modification of the original code is required. It determines the Hamming weights of the executed instructions of the suspicious device and uses string matching algorithms for comparisons with a reference implementation. In contrast, the second method inserts additional code fragments as a watermark that can be identified in the power consumption of the executed source code. As a third method, we present how this watermark can be extended by using a signature that serves as a proof-of-ownership. We show that particularly the last two approaches are very robust against code-transformation attacks.
    IEEE Transactions on Information Forensics and Security 01/2012; 7(4):1144-1154. · 1.90 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: There is a rich body of work related to the security aspects of cellular mobile phones, in particular with respect to the GSM and UMTS systems. To the best of our knowledge, however, there has been no investigation of the security of satellite phones (abbr. sat phones). Even though a niche market compared to the G2 and G3 mobile systems, there are several 100,000 sat phone subscribers worldwide. Given the sensitive nature of some of their application domains (e.g., natural disaster areas or military campaigns), security plays a particularly important role for sat phones. In this paper, we analyze the encryption systems used in the two existing (and competing) sat phone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for sat phones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 cipher text-only attacks to the GMR-1 algorithm with an average case complexity of 2^{32} steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50-65 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-of-the-art in symmetric cryptography.
    01/2012;
  • Daehyun Strobel, Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Generating random delays in embedded software is a common countermeasure to complicate side channel attacks. The idea is to insert dummy operations with varying lengths at different moments in time. This creates a non-predictable offset of the attacking point in the time dimension. Since the success of, e.g., a correlation power analysis (CPA) attack is largely affected by the alignment of the power traces, the adversary is forced to apply additional large computations or to record a huge amount of power traces to achieve acceptable results. In this paper, we present a new efficient method to identify random delays in power measurements. Our approach does not depend on how the random delays are generated. Plain uniform delays can be removed as well as Benoit-Tunstall [11] or improved floating mean delays [4]. The procedure can be divided into three steps. The first step is to convert the power trace into a string depending on the Hamming weights of the opcodes. After this, the patterns of the dummy operations are identified. The last step is to use a string matching algorithm to find these patterns and to align the power traces. We have started our analysis with two microcontrollers, an Atmel AVR ATmega8 and a Microchip PIC16F54. For our practical evaluation, we have focused on the ATmega8. However, the results can be applied to many other microcontrollers with a similar architecture.
    Proceedings of the 14th international conference on Information Security and Cryptology; 11/2011
  • Tim Güneysu, Stefan Heyse, Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Almost all of today's security systems rely on cryptographic primitives as core components which are usually considered the most trusted part of the system. The realization of these primitives on the underlying processing platform plays a crucial role for any real-world deployment. In this work, we discuss new trends in public-key cryptography that could potentially establish as alternatives to the currently used RSA and ECC cryptosystems. Analyzing these trends from a developer's perspective, we identify the requirements for optimal processing architectures. Moreover, we investigate if these requirements are already satisfied with latest processing platforms, i.e., which of the streaming, hybrid, multi-core or application-specific instructions processors provide a most promising target architecture.
    Proceedings of the 21st ACM Great Lakes Symposium on VLSI 2010, Lausanne, Switzerland, May 2-6, 2011; 01/2011

Publication Stats

4k Citations
34.26 Total Impact Points

Institutions

  • 2002–2013
    • Ruhr-Universität Bochum
      Bochum, North Rhine-Westphalia, Germany
  • 2009–2010
    • University of Massachusetts Amherst
      • Department of Electrical and Computer Engineering
      Amherst Center, Massachusetts, United States
  • 2003–2006
    • University of Massachusetts Lowell
      • • Department of Computer Science
      • • Department of Electrical & Computer Engineering
      Lowell, MA, United States
    • Oregon State University
      Corvallis, Oregon, United States
  • 2005
    • Technical University of Kosice - Technicka univerzita v Kosiciach
      Kassa, Košický, Slovakia
  • 2004
    • Politecnico di Milano
      • Department of Electronics, Information, and Bioengineering
      Milano, Lombardy, Italy
    • Graz University of Technology
      Gratz, Styria, Austria
  • 2001
    • Zurich Instruments AG
      Zürich, Zurich, Switzerland
  • 1996–2001
    • Worcester Polytechnic Institute
      Worcester, Massachusetts, United States
  • 1997
    • Stanford University
      • Department of Electrical Engineering
      Stanford, CA, United States
  • 1994
    • University of Duisburg-Essen
      Essen, North Rhine-Westphalia, Germany