Christof Paar

Ruhr-Universität Bochum, Bochum, North Rhine-Westphalia, Germany

Are you Christof Paar?

Claim your profile

Publications (339)55.74 Total impact

  • [Show abstract] [Hide abstract]
    ABSTRACT: According to historical reports, many telegrams that date from the Spanish Civil War (1936–1939) still remain undisclosed. It is believed that these telegrams were encrypted with a cryptosystem called the “Spanish Strip Cipher” (SSC). During this civil war, SSC was the most used cryptographic algorithm. This method corresponds to a homophonic substitution cipher in which a plaintext letter can map to between three and five ciphertext symbols. By means of cryptanalysis, the authors detect a weakness in the encryption process of the SSC. In this article, they describe how this vulnerability is exploited to efficiently reconstruct a plaintext from a relatively short ciphertext. The attack is based on combinatorial and statistical methods, and it is divided into three phases: homophones-table analysis, letter-frequency analysis, and dictionary search. The attack was implemented in Java and tested on a laptop with an i7 processor and 4 GB of RAM. The tests were carried out with several real telegrams from the Spanish Civil War. In this article, the authors provide the results of one test that was successfully performed only using the first 201 ciphertext symbols of a Spanish telegram. 2015
    No preview · Article · Nov 2015 · Cryptologia
  • Andreas Gornik · Amir Moradi · Jurgen Oehm · Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Side-channel attacks are one of the major concerns for security-enabled applications as they make use of information leaked by the physical implementation of the underlying cryptographic algorithm. Hence, reducing the side-channel leakage of the circuits realizing the cryptographic primitives is amongst the main goals of circuit designers. In this paper, we present a novel circuit concept, which decouples the main power supply from an internal power supply that is used to drive a single logic gate. The decoupling is done with the help of buffering capacitances integrated into semiconductor. We also introduce—compared to the previously known schemes—an improved decoupling circuit which reduces the crosstalk from the internal to the external power supply. The result of practical side-channel evaluation on a prototype chip fabricated in a 150nm CMOS technology shows a high potential of our proposed technique to reduce the side-channel leakages.
    No preview · Article · Aug 2015 · IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
  • [Show abstract] [Hide abstract]
    ABSTRACT: This paper investigates a novel attack vector against cryptography realized on FPGAs, which poses a serious threat to real-world applications. We demonstrate how a targeted bitstream modification can seriously weaken cryptographic algorithms, which we show with the examples of AES and 3-DES. The attack is performed by modifying the FPGA bitstream that configures the hardware elements during initialization. Recently, it has been shown that cloning of FPGA designs is feasible, even if the bitstream is encrypted. However, due to its proprietary file format, a meaningful modification is challenging. While some previous work addressed bitstream reverse-engineering, so far it has not been evaluated how difficult it is to detect and modify cryptographic elements. We outline two possible practical attacks that have serious security implications. We target the S-boxes of block ciphers that can be implemented in look-up tables or stored as precomputed set of values in the memory of the FPGA. We demonstrate that it is possible to detect and apply meaningful changes to cryptographic elements inside an unknown, proprietary, and undocumented bitstream. Our proposed attack does not require any knowledge of the internal routing. Furthermore, we show how an AES key can be revealed within seconds. Finally, we discuss countermeasures that can raise the bar for an adversary to successfully perform this kind of attack.
    No preview · Article · Aug 2015 · IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
  • Gesine Hinterwälder · Felix Riek · Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Ever since its invention in the 1980s, e-cash has been considered a promising solution for privacy-preserving electronic payments. However, the computational capabilities, required for the processing of e-cash protocols, are demanding. Only recent works show the feasibility of implementing e-cash on constrained platforms. A particularly challenging, while at the same time extremely attractive platform, are smartcards. Smartcards are, next to magnetic stripe cards, the dominant platform used to execute electronic payments, and they enjoy wide user acceptance. In this paper we present an implementation of two e-cash schemes on MULTOS smartcards. We base the schemes on elliptic curve cryptography, which is supported by the API of the platform of choice. Our results are promising: When relying on a 160-bit elliptic curve, spending a coin, which encodes two attributes that are not revealed, can be executed in less than 800 ms with both considered schemes.
    No preview · Chapter · Jun 2015
  • [Show abstract] [Hide abstract]
    ABSTRACT: This paper presents new speed records for 128-bit secure elliptic-curve Diffie-Hellman key-exchange software on three different popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers, and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13,900,397 cycles for the computation of a Diffie-Hellman shared secret, and is the first to perform this computation in less than a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret in 5,301,792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7,933,296 cycles on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our implementation on the Cortex-M0 runs in only 3,589,850 cycles and outperforms previous 128-bit secure ECDH software by a factor of 3.
    No preview · Article · May 2015 · Designs Codes and Cryptography
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In contrast to ASICs, hardware Trojans can potentially be injected into FPGA designs post-manufacturing by bit stream alteration. Hardware Trojans which target cryptographic primitives are particularly interesting for an adversary because a weakened primitive can lead to a complete loss of system security. One problem an attacker has to overcome is the identification of cryptographic primitives in a large bit stream with unknown semantics. As the first contribution, we demonstrate that AES can be algorithmically identified in a look-up table-level design for a variety of implementation styles. Our graph-based approach considers AES implementations which are created using several synthesis and technology mapping options. As the second contribution, we present and discuss the drawbacks of a dynamic obfuscation countermeasure which allows for the configuration of certain crucial parts of a cryptographic primitive after the algorithm has been loaded into the FPGA. As a result, reverse-engineering and modifying a primitive in the bit stream is more challenging.
    Preview · Article · May 2015
  • [Show abstract] [Hide abstract]
    ABSTRACT: Secret key establishment based on parameters of the communication channel is a highly attractive option for many applications that operate in a dynamic mobile environment with peer-to-peer association. On the other hand, high usability and dynamic key management are still very difficult to achieve for wireless devices which have to operate under strict resource constraints. In fact, most previously reported key generation methods cannot operate in such environment.In this work, we present a new system architecture which is suitable also for resource-constrained platforms. Our design strongly focuses on security, rather than a robust key generation rate, as well as on low complexity and efficiency. Our approach has the potential to dramatically reduce the cost of securing small embedded devices for the Internet of Things, and hence make mass production and deployment viable.
    No preview · Article · Mar 2015
  • [Show abstract] [Hide abstract]
    ABSTRACT: We propose a new lightweight cryptographic payment scheme for transit systems, called P4R (Privacy- Preserving Pre-Payments with Refunds), which is suitable for low-cost user devices with limited capabilities. Using P4R, users deposit money to obtain one-show credentials, where each credential allows the user to make an arbitrary ride on the system. The trip fare is determined on-the-fly at the end of the trip. If the deposit for the credential exceeds this fare, the user obtains a refund. Refund values collected over several trips are aggregated in a single token, thereby saving memory and increasing privacy. Our solution builds on Brands's e-cash scheme to realize the prepayment system and on Boneh-Lynn-Shacham (BLS) signatures to implement the refund capabilities. Compared to a Brands-only solution for transportation payment systems, P4R allows us to minimize the number of coins a user needs to pay for his rides and thus minimizes the number of expensive withdrawal transactions, as well as storage requirements for the fairly large coins. Moreover, P4R enables flexible pricing because it allows for exact payments of arbitrary amounts (within a certain range) using a single fast paying (and refund) transaction. Fortunately, the mechanisms enabling these features require very little computational overhead. Choosing contemporary security parameters, we implemented P4R on a prototyping payment device and show its suitability for future transit payment systems. Estimation results demonstrate that the data required for 20 rides consume less than 10KB of memory, and the payment and refund transactions during a ride take less than half a second. We show that malicious users are not able to cheat the system by receiving a refund that exceeds the overall deposit minus the overall fare and can be identified during double-spending checks. At the same time, the system protects the privacy of honest users in that transactions are anonymous (except for deposits) and trips are unlinkable.
    No preview · Article · Mar 2015 · ACM Transactions on Information and System Security
  • [Show abstract] [Hide abstract]
    ABSTRACT: The random number generator (RNG) is a critical, if not in fact the most important, component in every cryptographic device. Introducing the symmetric radio channel, represented by estimations of location-specific, reciprocal, and time-variant channel characteristics, as a common RNG is not a trivial task. In recent years, several practice-oriented protocols have been proposed, challenging the utilization of wireless communication channels to enable the computation of a shared key. However, the security claims of those protocols typically rely on channel abstractions that are not fully experimentally substantiated, and (at best) rely on statistical off-line tests. In the present paper, we investigate on-line statistical testing for channel-based key extraction schemes, which is independent from channel abstractions due to the capability to verify the entropy of the resulting key material. We demonstrate an important security breach if on-line estimation is not applied, e.g., if the device is in an environment with an insufficient amount of entropy. Further, we present real-world evaluation results of 10 recent protocols for the generation of keys with a verified security level of 128-bit.
    No preview · Article · Jan 2015
  • C.T. Zenger · J. Zimmer · C. Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: The use of reciprocal and random properties of wireless channels for the generation of secret keys is a highly attractive option for many applications that operate in a mobile environment. In recent years, several practice-oriented protocols have been proposed, but unfortunately without a sufficient and consistent security analysis and without a fair comparison between each other. This can be attributed to the fact that until now neither a common evaluation basis, nor a security metric in an on-line scenario (e.g., with changing channel properties) was proposed. We attempt to close this gap by presenting test vectors based on a large measurement campaign, an extensive comparative evaluation framework (including ten protocols as well as new on-line entropy estimators), and a rigorous experimental security analysis. Further, we answer for the first time a variety of security and performance related questions about the behavior of 10 channel-based key establishment schemes from the literature.
    No preview · Article · Jan 2015
  • Stefan Heyse · Ralf Zimmermann · Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: In this work, we describe the first implementation of an information set decoding (ISD) attack against code-based cryptosystems like McEliece or Niederreiter using special-purpose hardware. We show that in contrast to other ISD attacks due to Lee and Brickel [7], Leon [8], Stern [15] and recently [9] (May et al) and [2] (Becket et al), reconfigurable hardware requires a different implementation and optimization approach: Proposed time-memory trade-off techniques are not possible in the desired parameter sets. We thus derive new parameter sets from all steps involved in the ISD attack, taking a near cycle-accurate runtime estimation as well as the communication overhead into account. Finally, we present the implementation of a hardware/software co-design – based on the Stern’s attack –, evaluate it against the challenges from the Wild-McEliece website[5], discuss its shortcomings and possible enhancements.
    No preview · Chapter · Oct 2014
  • [Show abstract] [Hide abstract]
    ABSTRACT: In the era of the Internet of Things, smart electronic devices facilitate processes in our everyday lives. Texas Instrument's MSP430 microcontrollers target low-power applications, among which are wireless sensor, metering and medical applications. Those domains have in common that sensitive data is processed, which calls for strong security primitives to be implemented on those devices. Curve25519, which builds on a 255-bit prime field, has been proposed as an efficient, highly-secure elliptic-curve. While its high performance on powerful processors has been shown, the question remains, whether it is suitable for use in embedded devices. In this paper we present an implementation of Curve25519 for MSP430 microcontrollers. To combat timing attacks, we completely avoid conditional jumps and loads, thus making our software constant time.We give a comprehensive evaluation of different implementations of the modular multiplication and show which ones are favorable for different conditions.We further present implementation results of Curve25519, where our best implementation requires an estimated cycle count of 9.2 million or 6.6 million cycles on MSP430Xs having a 16 x 16-bit or a 32 x 32-bit hardware multiplier respectively.
    No preview · Conference Paper · Sep 2014

  • No preview · Article · Aug 2014
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Often overlooked, microcontrollers are the central component in embedded systems which drive the evolution toward the Internet of Things (IoT). They are small, easy to handle, low cost, and with myriads of pervasive applications. An increasing number of microcontroller-equipped systems are security and safety critical. In this tutorial, we take a critical look at the security aspects of today's microcontrollers. We demonstrate why the implementation of sensitive applications on a standard microcontroller can lead to severe security problems. To this end, we summarize various threats to microcontroller-based systems, including side-channel analysis and different methods for extracting embedded code. In two case studies, we demonstrate the relevance of these techniques in real-world applications: Both analyzed systems, a widely used digital locking system and the YubiKey 2 onetime password generator, turned out to be susceptible to attacks against the actual implementations, allowing an adversary to extract the cryptographic keys which, in turn, leads to a total collapse of the system security.
    Full-text · Article · Aug 2014 · Proceedings of the IEEE
  • [Show abstract] [Hide abstract]
    ABSTRACT: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs—a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation—and by exploring their detectability and their effects on security.
    No preview · Article · Apr 2014 · Journal of Cryptographic Engineering
  • [Show abstract] [Hide abstract]
    ABSTRACT: To protect Field-Programmable Gate Array (FPGA) designs against Intellectual Property (IP) theft and related issues such as product cloning, all major FPGA manufacturers offer a mechanism to encrypt the bitstream that is used to configure the FPGA. From a mathematical point of view, the employed encryption algorithms (e.g., Advanced Encryption Standard (AES) or 3DES) are highly secure. However, it has been shown that the bitstream encryption feature of several FPGA families is susceptible to side-channel attacks based on measuring the power consumption of the cryptographic module. In this article, we present the first successful attack on the bitstream encryption of the Altera Stratix II and Stratix III FPGA families. To this end, we analyzed the Quartus II software and reverse engineered the details of the proprietary and unpublished schemes used for bitstream encryption on Stratix II and Stratix III. Using this knowledge, we demonstrate that the full 128-bit AES key of a Stratix II as well as the full 256-bit AES key of a Stratix III can be recovered by means of side-channel attacks. In both cases, the attack can be conducted in a few hours. The complete bitstream of these FPGAs that are (seemingly) protected by the bitstream encryption feature can hence fall into the hands of a competitor or criminal-possibly implying system-wide damage if confidential information such as proprietary encryption schemes or secret keys programmed into the FPGA are extracted. In addition to lost IP, reprogramming the attacked FPGA with modified code, for instance, to secretly plant a hardware Trojan, is a particularly dangerous scenario for many security-critical applications.
    No preview · Article · Jan 2014 · ACM Transactions on Reconfigurable Technology and Systems
  • [Show abstract] [Hide abstract]
    ABSTRACT: In the past years, various electronic access control systems have been found to be insecure. In consequence, attacks have emerged that permit unauthorized access to secured objects. One of the few remaining, allegedly secure digital locking systems-the system 3060 manufactured and marketed by SimonsVoss-is employed in numerous objects worldwide. Following the trend to analyze the susceptibility of real-world products towards implementation attacks, we illustrate our approach to understand the unknown embedded system and its components. Detailed investigations are performed in a step-by-step process, including the analysis of the communication between transponder and lock, reverse-engineering of the hardware, bypassing the read-out protection of a microcontroller, and reverse-engineering the extracted program code. Piecing all parts together, the security mechanisms of the system can be completely circumvented by means of implementation attacks. We present an EM side-channel attack for extracting the secret system key from a door lock. This ultimately gives access to all doors of an entire installation. Our technique targets a proprietary function (used in combination with a DES for key derivation), probably originally implemented as an obscurity-based countermeasure to prevent attacks.
    No preview · Article · Jan 2014
  • Pawel Swierczynski · Gregor Leander · Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: Wie beim DES-Nachfolger AES schrieb das US-amerikanische NIST 2007 einen öffentlichen Wettbewerb um die Nachfolge des Hashverfahrens SHA-2 aus. Im Oktober 2012 fiel die Wahl auf Keccak. Die Autoren stellen den Hashalgorithmus vor, beschreiben eine Smartcard-Implementierung und stellen das Verfahren dem „amtierenden“ SHA-2-Standard gegenüber.
    No preview · Article · Nov 2013 · Datenschutz und Datensicherheit - DuD
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: General-purpose communication systems such as GSM and UMTS have been in the focus of security researchers for over a decade now. Recently also technologies that are only used under more specific circumstances have come into the spotlight of academic research and the hacker scene alike. A striking example of this is recent work [Driessen et al. 2012] that analyzed the security of the over-the-air encryption in the two existing ETSI satphone standards GMR-1 and GMR-2. The firmware of handheld devices was reverse-engineered and the previously unknown stream ciphers A5-GMR-1 and A5-GMR-2 were recovered. In a second step, both ciphers were cryptanalized, resulting in a ciphertext-only attack on A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In this work, we extend the aforementioned results in the following ways: First, we improve the proposed attack on A5-GMR-1 and reduce its average-case complexity from 232 to 221 steps. Second, we implement a practical attack to successfully record communications in the Thuraya network and show that it can be done with moderate effort for approximately $5,000. We describe the implementation of our modified attack and the crucial aspects to make it practical. Using our eavesdropping setup, we recorded 30 seconds of our own satellite-to-satphone communication and show that we are able to recover Thuraya session keys in half an hour (on average). We supplement these results with experiments designed to highlight the feasibility of also eavesdropping on the satphone's emanations. The purpose of this article is threefold: Develop and demonstrate more practical attacks on A5-GMR-1, summarize current research results in the field of GMR-1 and GMR-2 security, and shed light on the amount of work and expertise it takes from setting out to analyze a complex system to actually break it in the real world.
    Full-text · Article · Nov 2013 · ACM Transactions on Information and System Security
  • Source
    Amir Moradi · Oliver Mischke · Christof Paar
    [Show abstract] [Hide abstract]
    ABSTRACT: When complex functions, for example, substitution boxes of block ciphers, are realized in hardware, timing attributes of the underlying combinational circuit depend on the input/output changes of the function. These characteristics can be exploited by the help of a relatively new scheme called fault sensitivity analysis. A collision timing attack which exploits the data-dependent timing characteristics of combinational circuits is demonstrated in this paper. The attack is based on an also recently published correlation collision attack, which avoids the need for a hypothetical timing model for the underlying combinational circuit to recover the secret materials. The target platforms of our proposed attack are 14 AES ASIC cores of the SASEBO LSI chips in three different process technologies, 13 nm, 90 nm, and 65 nm. Successfully breaking all cores including the DPA-protected and fault attack protected cores indicates the strength of the attack.
    Preview · Article · Sep 2013 · IEEE Transactions on Computers

Publication Stats

7k Citations
55.74 Total Impact Points

Institutions

  • 2002-2015
    • Ruhr-Universität Bochum
      • Sprachwissenschaftliches Institut
      Bochum, North Rhine-Westphalia, Germany
  • 1996-2001
    • Worcester Polytechnic Institute
      • Department of Electrical and Computer Engineering
      Worcester, Massachusetts, United States
  • 1997
    • Stanford University
      • Department of Electrical Engineering
      Stanford, CA, United States