
Sylvain Guilley, Secure-IC · R&D
Sylvain Guilley
PhD
Interested in cyber-security applied to automotive, including certification aspects
About
407 Publications
57,902 Reads
5,452 Citations (since 2017)
Introduction
My research topics are:
- Trusted computing for embedded devices
- Cyber-security
- Prototyping cryptographic designs in ASIC and in FPGA
- Mathematics for side-channel and fault injection analyses
- Formal proofs
I'm also co-founder and CTO at Secure-IC (http://www.secure-ic.com)
Publications (407)
True Random Number Generators (TRNGs) are sensitive Intellectual Property (IP) blocks involved in the creation of cryptographic keys, initialization vectors, nonces, etc. They must behave properly within a large environmental spectrum, including multiple corners, in case of aging-induced change of device characteristics over time, and also under in...
Enhancing the reliability of natively unstable Physically Unclonable Functions (PUFs) is a major requirement when the PUF is to generate secret identifiers like cryptographic keys. One traditional method is to rely on an addition of a public word: the Helper Data. However, it involves extra complexity and constitutes a vulnerability against attacks...
Identity Based Encryption is an approach to link the public key to an identity. It is an extremely useful asymmetric cryptography type in which public and private keys are computed from a known identifier such as an email address instead of being generated randomly. This allows more flexibility in managing ad-hoc public key encryption and ensuring...
The test of security primitives is particularly strategic as any bias coming from the implementation or environment can wreak havoc on the security it is intended to provide. This paper presents how some security properties are tested on hardware security primitives including True Random Number Generation (TRNG), Physically Unclonable Function (PUF...
Aggressive scaling continues to push technology into smaller feature sizes and results in more complex systems in a single chip. With such scaling, various robustness concerns have come into account among which the change of circuits' properties during their lifetime, so-called device aging, has received a lot of attention. Due to aging, the electr...
A common countermeasure against side-channel attacks on secret key cryptographic implementations is $d$th-order masking, which splits each sensitive variable into $d+1$ random shares. In this paper, maximal leakage bounds on the probability of success of any side-channel attack are derived for any masking order. Maximal leakage (Sibson's informatio...
A Temperature Resilient PUF Assuring Reliability. Presented as a Hardware demo at HOST 2023.
Masking schemes have been introduced to thwart side-channel attacks. In software applications, attackers can measure leakage at several points in time and combine them to defeat the masking. In hardware gate-level masking, all shares of a masked variable are manipulated at the same time in a nanoscale circuit. In this article, we focus on setups wh...
Secure chips implement cryptographic algorithms and protocols to ensure self-protection (e.g., firmware authenticity) as well as user data protection (e.g., encrypted data storage). In turn, cryptography needs to defer to incorruptible sources of entropy to implement their functions according to their mandatory usage guidance. Typically, keys, nonc...
At Eurocrypt 2015, Duc et al. conjectured that the success rate of a side-channel attack targeting an intermediate computation encoded in a linear secret-sharing, a.k.a. masking with \(d+1\) shares, could be inferred by measuring the mutual information between the leakage and each share separately. This way, security bounds can be derived without h...
This article proposes a general purpose IoT framework usually applicable to all Edge-to-Cloud applications and provides an evaluation study on a use-case involving automotive V2X architecture, tested and verified on a toy smart-car in an emulated smart-car environment. The architecture in study is finely tuned to mimic actual scenarios and therefor...
Side-channel attacks aim at extracting secret keys from cryptographic devices. Randomly masking the implementation is a provable way to protect the secrets against this threat. Recently, various masking schemes have converged to the “code-based masking” philosophy. In code-based masking, different codes allow for different levels of side-channel se...
Faults occur naturally and are responsible for reliability concerns. Faults are also an interesting tool for attackers to extract sensitive information from secure chips. In particular, non-invasive fault attacks have received a fair amount of attention. One easy way to perturb a chip without altering it is the so-called Electromagnetic Fault Injec...
Block ciphers are protected against side-channel attacks by masking. On one hand, when the leakage model is unknown, second-order correlation attacks are typically used. On the other hand, when the leakage model can be profiled, template attacks are prescribed. But what if the profiled model does not exactly match that of the attacked device? One s...
Cryptographic chips are prone to side-channel analysis attacks aiming at extracting their secrets. Side-channel leakage is particularly hard to remove completely, unless using a bottom-up approach (compositional security). On the contrary, industrial secure-by-design methods are rather relying on a top-down approach: (would-be) protected circuits a...
The hardware primitives known as Physically Unclonable Functions (PUFs) generate unique signatures based on uncontrollable variations which occur during the manufacturing process of silicon chips. These signatures are in turn used for securing Integrated Circuits either as a secret key for cryptographic modules, or as a medium for authenticating de...
Sensing environmental conditions is highly useful for embedded systems, as such sensing not only can help in optimizing system performance but also can be essential for safety and security in order to prevent failures or detect attacks. It is necessary to equip mission-critical chips with sensors raising alarms when the chips are operated out-of-sp...
Fault Injection Attacks (FIA) have received a lot of attention in recent years. An adversary launches such an attack to abusively take control over the system or to leak sensitive data. Laser illumination has been considered as an effective technique to launch FIA. The laser-based FIAs are mainly used when the adversary opts to target a specific lo...
Code-based masking is a highly generalized type of masking schemes, which can be instantiated into specific cases by assigning different encoders. It captivates by its side-channel resistance against higher-order attacks and the potential to withstand fault injection attacks. However, similar to other algebraically-involved masking schemes, code-ba...
Code-based masking is a recent line of research on masking schemes aiming at provably counteracting side-channel attacks. It generalizes and unifies many masking schemes within a coding-theoretic formalization. In code-based masking schemes, the tuning parameters are the underlying linear codes, whose choice significantly affects the side-channel r...
Internet-of-Things (IoT) devices are natural targets for side-channel attacks. Still, side-channel leakage can be complex: its modeling can be assisted by statistical tools. Projection of the leakage into an orthonormal basis allows to understand its structure, typically linear (1st-order leakage) or non-linear (sometimes referred to as glitches)....
Unintentional uncontrollable variations in the manufacturing process of integrated circuits are used to realize silicon primitives known as physical unclonable functions (PUFs). These primitives are used to create unique signatures for security purposes. Investigating the vulnerabilities of PUFs is of utmost importance to uphold their usefulness in...
Profiled side-channel attacks represent the most powerful category of side-channel attacks. There, the attacker has access to a clone device to profile its leaking behavior. Additionally, it is common to consider the attacker unbounded in power to allow the worst-case security analysis. This paper starts with a different premise where we are intere...
The frontend of modern Intel processors will decode instructions into μops and stream them to the backend by the frontend bus, which is shared between two logical cores to maximize utilization without sharing mechanism fully disclosed. Taking Haswell as an example, we reverse the bus from Decoded ICache to Instruction Decode Queue and the bus from...
Hazards or intentional perturbations must be identified in safety-and security-critical applications. Digital sensors have been shown to be an appealing approach to detect such abnormalities. However, as any sensor technology, digital sensors are prone to mis-calibration. In particular, even if the digital sensor initial calibration is correct, the...
Masking schemes are classical countermeasures against Side-Channel Attacks on cryptographic implementations. This paper investigates the effectiveness of masking when the code does not run in constant time. We prove that in this case, a first-order Correlation Power Analysis can break an otherwise perfect masking scheme. Furthermore, with an in-dep...
In this paper, we propose a vertical side-channel leakage detection on the decryption function of the third round implementation of CPA-secure public-key encryption scheme underlying CRYSTALS-Kyber, a lattice-based key encapsulation mechanism, which is a candidate to the NIST Post-Quantum Cryptography standardization project. Using a leakage assess...
Injection of faults has been studied in various research works since last decades. Several hardware targets have been studied with respect to the efficiency of fault injections. In this paper we address the security evaluation of embedded systems in constrained environments called black-box analyses. This is not considered by standards of evaluatio...
Fault attacks have raised serious concern with the growing amount of connected devices. Even a small vulnerability might compromise a complete network. It is therefore important to secure all the devices in the connected architecture. A solution to this problem is presented in this paper where we provide a hardware framework, called Smart Monitor,...
Embedded systems utilize Physically Unclonable Functions (PUFs) for authentication and identification purposes. However, modeling PUFs’ behavior via machine-learning methods has received utmost attention. Current research on modeling PUFs mainly targets a single PUF instance (PUF producing a single-bit response per query). It is admittedly more cha...
The test of security primitives is particularly strategic as any bias coming from the implementation or environment can wreak havoc on the security it is intended to provide. This paper presents how some security properties are tested on leading primitives: True Random Number Generation (TRNG), Physically Unclonable Function (PUF), cryptographic pr...
The growing threat of Hardware Trojans (HT) in the System-on-Chips (SoC) industry has given way to the embedded systems researchers to propose a series of detection methodologies to identify and detect the presence of Trojan circuits or logics inside a host design in the various stages of the chip design and manufacturing process. Many state of the...
Side-channel attacks aim at extracting secret keys from cryptographic devices. Randomly masking the implementation is a provable way to protect the secrets against this threat. Recently, various masking schemes have converged to the “code-based masking” philosophy. In code-based masking, different codes allow for different levels of side-channel...
In some practical enciphering frameworks, operational constraints may require that a secret key be embedded into the cryptographic algorithm. Such implementations are referred to as White-Box Cryptography (WBC). One technique consists of the algorithm’s tabulation specialized for its key, followed by obfuscating the resulting tables. The obfuscatio...
A distinguisher is a statistical tool whose purpose is to determine the most probable key among a set of keys. Several distinguishers are introduced in the literature. Hereafter, we present the most used ones.
We provide hereafter the definition of the Walsh-Hadamard transform.
As shown previously in Sect. 3.2.3, the Correlation Power Analysis (CPA) is a method that allows to recover the secret information concealed in embedded devices [1]. It consists in leveraging the Pearson correlation coefficient as a way to relate an assumed model with the measured power consumed during the running of the operations that involve a s...
Cryptographic devices manage secret keys, which must be protected against extraction. One stealthy attack consists in the analysis of side-channel leakage. As a countermeasure, cryptographic computations can be randomly masked.
On the one hand, template attacks have been introduced to deal with multivariate leakages, with as few assumptions as possible on the leakage model. On the other hand, many works have underlined the need for dimensionality reduction. In this chapter, we clarify the relationship between template attacks in full space and in linear subspaces.
Let us first adopt some useful notations that will hold for the remainder of the book.
SCAs succeed because the leakage of cryptographic devices depends on the sensitive variables. Consequently, all the countermeasures aim at breaking this dependency, or at least to reduce it. Essentially they boil down to randomizing the leakage, or to making it equal in each device clock cycle.
Today’s digital era connects everyone and everything in between through the Internet of Things (IoTs). That situation leads to an omnipresence of embedded systems in our daily life endowed with integrated capability to run cryptographic protocols (consumer electronics, telecommunication and industrial appliances, governmental and military systems,...
This paper presents a unified approach to quantifying the information leakages in the most general code-based masking schemes. Specifically, by utilizing a uniform representation, we highlight first that all code-based masking schemes’ side-channel resistance can be quantified by an all-in-one framework consisting of two easy-to-compute parameters (...
Low Entropy Masking Schemes (LEMS) had been proposed to mitigate the high-performance overhead results from the Full Entropy Masking Schemes (FEMS) while offering good protection against side-channel attacks. The masking schemes usually rely on Boolean masking, however, splitting sensitive variables in a multiplicative way is more amenable to non-l...
Inner Product Masking (IPM) is a generalization of several masking schemes including the Boolean one to protect cryptographic implementation against side-channel analysis. The core competitiveness of IPM is that it provides higher side-channel resistance than Boolean masking with the same number of shares. In this paper, we follow a coding theoreti...
Since the seminal paper on side-channel attacks (SCA) by Kocher et al. [1], several improvements have been published. As shown in Sect. 3.4, the most efficient SCA to date is the Template Attack (TA) [2]. This method is split into two phases, that is, a profiling and a matching stage. An important weakness of this attack is the large number of measu...
Notations Throughout this chapter we use the same notations as above (see Sect. 2.1). Recall that, during an attack, we consider that the adversary targets the manipulation of a single sensitive variable Z, such that Z=F(X,k). Typically Z=sbox(X⊕k), such that s-box denotes a substitution box and ⊕ denotes the bitwise addition. The attack is carried...
Profiling side-channel attacks in which an adversary creates a “profile” of a sensitive device and uses such profile to model a target device with similar implementation has received the lion’s share of attention in the recent years. In particular, template attacks are known to be the most powerful profiling side-channel attacks from an information...
It has been more than 20 years since the seminal publications on side-channel attacks. They aim at extracting secrets from embedded systems while they execute cryptographic algorithms, and they consist of two steps, measurement and analysis. This useful textbook/guide tackles the analysis part, especially under situations where the targeted device...
Side-channel analysis and fault injection attacks are two typical threats to cryptographic implementations, especially in modern embedded devices. Thus, there is an insistent demand for dual side-channel and fault injection protections. As we know, masking is a kind of provable countermeasure against side-channel attacks. Recently, inner product ma...
Cache-timing attacks are serious security threats that exploit cache memories to steal secret information. We believe that the identification of a sequence of function calls from cache-timing data measurements is not a trivial step when building an attack. We present a recurrent neural network model able to automatically retrieve a sequence of oper...
Physically Unclonable Functions (PUFs) are well-known to be solutions for silicon-level anti-copy applications. However, as they are sensitive components, they are the obvious target of physical attacks. Thus, they shall be well protected. In this work we discuss the use case of key generation with a Loop PUF. We discuss the Loop PUF’s efficiency a...
Probing attack is considered to be one of the most powerful attacks used to break the security and extract confidential information from an embedded system. This attack requires different bespoke equipment and expertise. However, for the moment, there is no methodology to evaluate theoretically the security level of a design or circuit against thi...