Christof Paar

Ruhr-Universität Bochum, Bochum, North Rhine-Westphalia, Germany


Publications (322) · 42.75 Total impact

  • ACM Transactions on Information and System Security 03/2015; 17(3-3):10:1-10:31. DOI:10.1145/2699904 · 0.86 Impact Factor
  • IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 01/2015; DOI:10.1109/TCAD.2015.2423274 · 1.20 Impact Factor
  • IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 01/2015; DOI:10.1109/TCAD.2015.2399455 · 1.20 Impact Factor
  • ABSTRACT: This paper presents new speed records for 128-bit secure elliptic-curve Diffie-Hellman key-exchange software on three different popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers, and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13,900,397 cycles for the computation of a Diffie-Hellman shared secret, and is the first to perform this computation in less than a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret in 5,301,792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7,933,296 cycles on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our implementation on the Cortex-M0 runs in only 3,589,850 cycles and outperforms previous 128-bit secure ECDH software by a factor of 3.
    Designs Codes and Cryptography 01/2015; DOI:10.1007/s10623-015-0087-1 · 0.73 Impact Factor
  • Stefan Heyse, Ralf Zimmermann, Christof Paar
    ABSTRACT: In this work, we describe the first implementation of an information set decoding (ISD) attack against code-based cryptosystems like McEliece or Niederreiter using special-purpose hardware. We show that in contrast to other ISD attacks due to Lee and Brickell [7], Leon [8], Stern [15] and recently [9] (May et al.) and [2] (Becker et al.), reconfigurable hardware requires a different implementation and optimization approach: the proposed time-memory trade-off techniques are not possible in the desired parameter sets. We thus derive new parameter sets from all steps involved in the ISD attack, taking a near cycle-accurate runtime estimation as well as the communication overhead into account. Finally, we present the implementation of a hardware/software co-design based on Stern's attack, evaluate it against the challenges from the Wild-McEliece website [5], and discuss its shortcomings and possible enhancements.
    Post-Quantum Cryptography, 10/2014: pages 126-141;
  • ABSTRACT: In the era of the Internet of Things, smart electronic devices facilitate processes in our everyday lives. Texas Instruments' MSP430 microcontrollers target low-power applications, among which are wireless sensor, metering and medical applications. Those domains have in common that sensitive data is processed, which calls for strong security primitives to be implemented on those devices. Curve25519, which builds on a 255-bit prime field, has been proposed as an efficient, highly secure elliptic curve. While its high performance on powerful processors has been shown, the question remains whether it is suitable for use in embedded devices. In this paper we present an implementation of Curve25519 for MSP430 microcontrollers. To combat timing attacks, we completely avoid conditional jumps and loads, thus making our software constant time. We give a comprehensive evaluation of different implementations of the modular multiplication and show which ones are favorable for different conditions. We further present implementation results of Curve25519, where our best implementation requires an estimated cycle count of 9.2 million or 6.6 million cycles on MSP430Xs having a 16 x 16-bit or a 32 x 32-bit hardware multiplier, respectively.
    Third International Conference on Cryptology and Information Security in Latin America - LATINCRYPT 2014, Florianopolis, Brazil; 09/2014
  • ABSTRACT: Often overlooked, microcontrollers are the central component in embedded systems which drive the evolution toward the Internet of Things (IoT). They are small, easy to handle, low cost, and with myriads of pervasive applications. An increasing number of microcontroller-equipped systems are security and safety critical. In this tutorial, we take a critical look at the security aspects of today's microcontrollers. We demonstrate why the implementation of sensitive applications on a standard microcontroller can lead to severe security problems. To this end, we summarize various threats to microcontroller-based systems, including side-channel analysis and different methods for extracting embedded code. In two case studies, we demonstrate the relevance of these techniques in real-world applications: both analyzed systems, a widely used digital locking system and the YubiKey 2 one-time password generator, turned out to be susceptible to attacks against the actual implementations, allowing an adversary to extract the cryptographic keys which, in turn, leads to a total collapse of the system security.
    Proceedings of the IEEE 08/2014; 102(8):1157-1173. DOI:10.1109/JPROC.2014.2325397 · 5.47 Impact Factor
  • ABSTRACT: To protect Field-Programmable Gate Array (FPGA) designs against Intellectual Property (IP) theft and related issues such as product cloning, all major FPGA manufacturers offer a mechanism to encrypt the bitstream that is used to configure the FPGA. From a mathematical point of view, the employed encryption algorithms (e.g., Advanced Encryption Standard (AES) or 3DES) are highly secure. However, it has been shown that the bitstream encryption feature of several FPGA families is susceptible to side-channel attacks based on measuring the power consumption of the cryptographic module. In this article, we present the first successful attack on the bitstream encryption of the Altera Stratix II and Stratix III FPGA families. To this end, we analyzed the Quartus II software and reverse engineered the details of the proprietary and unpublished schemes used for bitstream encryption on Stratix II and Stratix III. Using this knowledge, we demonstrate that the full 128-bit AES key of a Stratix II as well as the full 256-bit AES key of a Stratix III can be recovered by means of side-channel attacks. In both cases, the attack can be conducted in a few hours. The complete bitstream of these FPGAs that are (seemingly) protected by the bitstream encryption feature can hence fall into the hands of a competitor or criminal, possibly implying system-wide damage if confidential information such as proprietary encryption schemes or secret keys programmed into the FPGA are extracted. In addition to lost IP, reprogramming the attacked FPGA with modified code, for instance, to secretly plant a hardware Trojan, is a particularly dangerous scenario for many security-critical applications.
    ACM Transactions on Reconfigurable Technology and Systems 01/2014; 7(4):1-23. DOI:10.1145/2629462 · 0.41 Impact Factor
  • ABSTRACT: General-purpose communication systems such as GSM and UMTS have been in the focus of security researchers for over a decade now. Recently, technologies that are only used under more specific circumstances have also come into the spotlight of academic research and the hacker scene alike. A striking example of this is recent work [Driessen et al. 2012] that analyzed the security of the over-the-air encryption in the two existing ETSI satphone standards GMR-1 and GMR-2. The firmware of handheld devices was reverse-engineered and the previously unknown stream ciphers A5-GMR-1 and A5-GMR-2 were recovered. In a second step, both ciphers were cryptanalyzed, resulting in a ciphertext-only attack on A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In this work, we extend the aforementioned results in the following ways: First, we improve the proposed attack on A5-GMR-1 and reduce its average-case complexity from 2^32 to 2^21 steps. Second, we implement a practical attack to successfully record communications in the Thuraya network and show that it can be done with moderate effort for approximately $5,000. We describe the implementation of our modified attack and the crucial aspects to make it practical. Using our eavesdropping setup, we recorded 30 seconds of our own satellite-to-satphone communication and show that we are able to recover Thuraya session keys in half an hour (on average). We supplement these results with experiments designed to highlight the feasibility of also eavesdropping on the satphone's emanations. The purpose of this article is threefold: develop and demonstrate more practical attacks on A5-GMR-1, summarize current research results in the field of GMR-1 and GMR-2 security, and shed light on the amount of work and expertise it takes from setting out to analyze a complex system to actually breaking it in the real world.
    ACM Transactions on Information and System Security 11/2013; 16(3). DOI:10.1145/2535522 · 0.86 Impact Factor
  • Amir Moradi, Oliver Mischke, Christof Paar
    ABSTRACT: When complex functions, for example, substitution boxes of block ciphers, are realized in hardware, timing attributes of the underlying combinational circuit depend on the input/output changes of the function. These characteristics can be exploited with the help of a relatively new scheme called fault sensitivity analysis. A collision timing attack which exploits the data-dependent timing characteristics of combinational circuits is demonstrated in this paper. The attack is based on an also recently published correlation collision attack, which avoids the need for a hypothetical timing model for the underlying combinational circuit to recover the secret materials. The target platforms of our proposed attack are 14 AES ASIC cores of the SASEBO LSI chips in three different process technologies, 13 nm, 90 nm, and 65 nm. Successfully breaking all cores, including the DPA-protected and fault-attack-protected cores, indicates the strength of the attack.
    IEEE Transactions on Computers 09/2013; 62(9):1786-1798. DOI:10.1109/TC.2012.154 · 1.47 Impact Factor
  • ABSTRACT: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about what such a Trojan would look like, and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips". We demonstrate the effectiveness of our approach by inserting Trojans into two designs -- a digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation -- and by exploring their detectability and their effects on security.
    Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems; 08/2013
  • ABSTRACT: In this paper we perform a comprehensive area, power and energy analysis of the most recently developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSim simulations. We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed, or it can help decide which algorithm to choose based on energy and key/block-length requirements.
    RFID Security (RFIDsec) 2013; 07/2013
  • ABSTRACT: In order to protect FPGA designs against IP theft and related issues such as product cloning, all major FPGA manufacturers offer a mechanism to encrypt the bitstream used to configure the FPGA. From a mathematical point of view, the employed encryption algorithms, e.g., AES or 3DES, are highly secure. However, recently it has been shown that the bitstream encryption feature of several FPGA product lines is susceptible to side-channel attacks that monitor the power consumption of the cryptographic module. In this paper, we present the first successful attack on the bitstream encryption of the Altera Stratix II FPGA. To this end, we reverse-engineered the details of the proprietary and unpublished Stratix II bitstream encryption scheme from the Quartus II software. Using this knowledge, we demonstrate that the full 128-bit AES key of a Stratix II can be recovered by means of side-channel analysis with 30,000 measurements, which can be acquired in less than three hours. The complete bitstream of a Stratix II that is (seemingly) protected by the bitstream encryption feature can hence fall into the hands of a competitor or criminal, possibly implying system-wide damage if confidential information such as proprietary encryption schemes or keys programmed into the FPGA are extracted. In addition to lost IP, reprogramming the attacked FPGA with modified code, for instance, to secretly plant a hardware Trojan, is a particularly dangerous scenario for many security-critical applications.
    Proceedings of the ACM/SIGDA international symposium on Field programmable gate arrays; 01/2013
  • Financial Cryptography; 01/2013
  • ABSTRACT: Modern cryptography today is substantially involved with securing lightweight (and pervasive) devices. For this purpose, several lightweight cryptographic algorithms have already been proposed. Up to now, the literature has focused on hardware efficiency, while lightweightness with respect to software has barely been addressed. However, a large percentage of lightweight ciphers will be implemented on embedded CPUs without support for cryptographic operations. In parallel, many lightweight ciphers are based on operations which are hardware-friendly but quite costly in software. For instance, bit permutations that accrue essentially no costs in hardware require a non-trivial number of CPU cycles and/or lookup tables in software. Similarly, S-Boxes often require relatively large lookup tables in software. In this work, we try to address the open question of efficient cipher implementations on small CPUs by introducing a non-linear/linear instruction set extension, which we refer to as NLU, capable of implementing non-linear operations expressed in their algebraic normal form (ANF) and linear operations expressed in binary "matrix multiply-and-add" form. The proposed NLU is targeted for embedded microcontrollers and is therefore 8-bit wide. However, its modular architecture allows it to be used in 16-, 32-, 64- and even 4-bit CPUs. We furthermore present examples of the use of NLU in the implementation of standard cryptographic algorithms in order to demonstrate its coding advantage.
    Computer Arithmetic (ARITH), 2013 21st IEEE Symposium on; 01/2013
  • ABSTRACT: We examine the widespread SimonsVoss digital locking system 3060 G2 that relies on an undisclosed, proprietary protocol to mutually authenticate transponders and locks. For assessing the security of the system, several tasks have to be performed: by decapsulating the used microcontrollers with acid and circumventing their read-out protection with UV-C light, the complete program code and data contained in door lock and transponder are extracted. As a second major step, the multi-pass challenge-response protocol and corresponding cryptographic primitives are recovered via low-level reverse-engineering. The primitives turn out to be based on DES in combination with a proprietary construction. Our analysis pinpoints various security vulnerabilities that enable practical key-recovery attacks. We present two different approaches for gaining unauthorized access to installations. Firstly, an attacker having physical access to a door lock can extract a master key, allowing transponders to be mimicked, in altogether 30 minutes. A second, purely logical attack exploits an implementation flaw in the protocol and works solely via the wireless interface. As the only prerequisite, a valid ID of a transponder needs to be known (or guessed). After executing a few (partial) protocol runs in the vicinity of a door lock, and some seconds of computation, an adversary obtains all of the transponder's access rights.
    Advances in Cryptology – CRYPTO 2013, edited by Ran Canetti and Juan A. Garay, 01/2013: pages 147-164; Springer Berlin Heidelberg, ISBN: 9783642400407
  • David Oswald, Bastian Richter, Christof Paar
    ABSTRACT: The classical way of authentication with a username-password pair is often insufficient: an adversary can choose from a multitude of methods to obtain the credentials, e.g., by guessing passwords using a dictionary, by eavesdropping on network traffic, or by installing malware on the system of the target user. To overcome this problem, numerous solutions incorporating a second factor in the authentication process have been proposed. A particularly widespread approach provides each user with a hardware token that generates a One-Time Password (OTP) in addition to the traditional credentials. The token itself comprises a secret cryptographic key that, together with timestamps and counters, is used to derive a fresh OTP for each authentication. A relatively new yet widespread example of an OTP token is the Yubikey 2 produced by Yubico. This device employs an open-source protocol based on the mathematically secure AES and emulates a USB keyboard to enter the OTP in a platform-independent manner. In this paper, we analyse the susceptibility of the Yubikey 2 to side-channel attacks. We show that by non-invasively measuring the power consumption and the electro-magnetic emanation of the device, an adversary is able to extract the full 128-bit AES key with approximately one hour of access to the Yubikey 2. The attack leaves no physical traces on the device and can be performed using low-cost equipment. In consequence, an adversary is able to generate valid OTPs, even after the Yubikey 2 has been returned to the owner.
    Research in Attacks, Intrusions, and Defenses, edited by Salvatore J. Stolfo, Angelos Stavrou and Charles V. Wright, 01/2013: pages 204-222; Springer, ISBN: 9783642412837
  • ABSTRACT: Special-purpose computing platforms based on reconfigurable hardware have been shown to typically exhibit a much better performance-cost ratio than off-the-shelf computers populated with general-purpose processors. In this chapter we introduce two different FPGA-based cluster architectures, called COPACOBANA and RIVYERA. These high-performance computing clusters are populated with up to 256 Xilinx Spartan or Virtex FPGAs per system and can be interconnected to form an even larger system with 2,560 FPGAs per rack. In this chapter, we present a wide range of applications from the field of cryptanalysis that have been successfully implemented on both architectures.
    High-Performance Computing Using FPGAs, 01/2013: pages 335-366; ISBN: 978-1-4614-1790-3
  • ABSTRACT: This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely, for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property, which we refer to as α-reflection, is of independent interest and we prove its soundness against generic attacks.
    Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security; 12/2012
  • Benedikt Driessen, Christof Paar
    ABSTRACT: Satellite telephony is of interest in various scenarios, mainly whenever communication over long distances is required in remote or underdeveloped regions. This concerns adventurers and expeditions, but war correspondents also use satellite telephony to circumvent the known weaknesses of GSM. Current research results of the Horst Görtz Institute for IT Security show, however, that the two main satellite telephony standards GMR-1 and GMR-2 are insecure and protect the privacy of the communicating parties only insufficiently. In this article we retrace our investigations of and attacks on GMR-1 and discuss the implications.
    Datenschutz und Datensicherheit - DuD 12/2012; 36(12). DOI:10.1007/s11623-012-0296-y

Publication Stats

6k Citations
42.75 Total Impact Points

Institutions

  • 2002–2014
    • Ruhr-Universität Bochum
      • Sprachwissenschaftliches Institut
      Bochum, North Rhine-Westphalia, Germany
  • 2005
    • Offenburg University of Applied Sciences
      Offenburg, Baden-Württemberg, Germany
    • University of Massachusetts Lowell
      • Department of Electrical & Computer Engineering
      Lowell, MA, United States
  • 2004
    • Politecnico di Milano
      • Department of Electronics, Information, and Bioengineering
      Milano, Lombardy, Italy
  • 1996–2004
    • Worcester Polytechnic Institute
      • Department of Electrical and Computer Engineering
      Worcester, Massachusetts, United States
  • 1997
    • Stanford University
      • Department of Electrical Engineering
      Stanford, CA, United States
  • 1994
    • University of Duisburg-Essen
      Essen, North Rhine-Westphalia, Germany