Summer School Tutorials

After introducing the problem setting and corresponding network traffic dataset, we guide the participants through all the steps required to generate high-performance hardware. At each step, we stop to investigate how design choices might impact security and performance, and discuss how to reach the optimal solution.

In particular, side-channel attacks on Elliptic Curve Cryptography implementations often assume a white-box attacker with detailed knowledge of the target implementation details. However, due to the complex and layered nature of ECC, there are many implementation choices that a developer makes to obtain a functional and interoperable implementation. These include the curve model, coordinate system, addition formulas, scalar multipliers, or lower-level details such as the finite-field multiplication algorithm. Moreover, the complexity further rises due to the application of various side-channel and fault-injection countermeasures. This situation creates a gap between the white-box attackers(often considered in academic and commercial evaluation contexts) and a real-world attacker that usually only has black-box access to the target - i.e., has no access to the source code nor specific implementation choices used. Yet, when the gap is closed, even real-world implementations of ECC succumb to side-channel attacks, as evidenced by [1] and [2].

This tutorial covers the topic of reverse-engineering, using the side-channel analysis (SCA), implementations of ECC, which is used in the TLS protocol, document signing, and blockchain applications (e.g., the Bitcoin protocol), among others. Since the tutorial is hands-on, the participants will perform exercises, including reverse-engineering well-known implementations running on a simple embedded target. In particular, we show how to infer details about ECC implementations, most notably the scalar multiplier, both from the general characteristic of power traces but also using more sophisticated methods, utilizing attack-based, structural, and behavioral characteristics. The demo, examples, and exercises utilize two open-source libraries micro-ecc and sca25519. We will also discuss other most commonly used open- source ECC libraries, which show a surprisingly wide variety of implementation details.

The main goal of the tutorial is to introduce to the audience the most common ECC implementation approaches and side-channel techniques to learn them. We concentrate on so-called passive SCA, i.e., we assume that the attacker only monitors the side channels and does not attempt to affect the functionality of the device. For majority of the practical exercises we will be using Python Elliptic Curve cryptography Side-Channel Analysis toolkit (pyecsca).

References

[1] J. Jancar, V. Sedlacek, P. Svenda a M. Sys, „Minerva: the curse of ECDSA nonces,“ IACR TCHES, p. 281–308, 2020. URL: https://tches.iacr.org/index.php/TCHES/article/view/8684
[2] T. Roche, V. Lomné, C. Mutschler a L. Imbert, „A side journey to Titan.,“ USENIX Security, p. 231–248, 2021. URL: https://www.usenix.org/conference/usenixsecurity21/presentation/roche

The objective of this tutorial is to introduce a standard open-source ASIC design flow using cryptographic hardware design examples. Tutorial attendees will learn specifically about techniques for high performance, and techniques for low area. In each case, attendees will target the OpenROAD ASIC design flow for Google Skywater 130nm standard cells.

In this design process, the attendees will learn how to analyze the tool output, and how to make meaningful design decisions towards high performance or low area in hardware.

• 1/ Transform a C reference implementation to RTL hardware, without the magic of a compiler or a high-level synthesis tool.
• 2/ Understand common RTL design transformations for high performance in hardware: pipelining, unfolding, and retiming
• 3/ Understand common RTL design transformations for low area in hardware: multiplexing and bitserial design.

In this tutorial, we offer a hands-on experience in analyzing cryptographic code from an adversarial perspective. Participants will be given code inspired by our experience in finding vulnerabilities in cryptography deployed “in the wild”, and they will try to first find the vulnerabilities and then figure out how to exploit them. The difficulty will steadily increase to ensure that both beginners and more experienced people will enjoy the tutorial. Excited about trying to spot a Bleichenbacher oracle in the wild? Want to understand how the CRIME attack really works? Then, this is the tutorial for you!

The tutorial will be structured similarly to a Capture the Flag (CTF) competition but with a lighter focus on the competition side and some additional twists. Each vulnerable service will contain a secret string called a “flag”, which the participants can submit to our website in exchange for points. For the more competitive players, a leaderboard will be available so they can try to achieve the maximum amount of points in the shortest amount of time.

We do not require experience with any particular programming language, though previous exposure to Python would be beneficial. We will be using various tools, frameworks and programming languages, so the only thing required is being flexible and willing to learn something new.

The tutorial is centered around the privacy and security threats in federated learning systems, with more focus on security attacks. These security attacks fall into two main categories, targeted and untargeted attacks. Targeted (backdoor) poisoning attacks involve the insertion of a backdoor trigger into the global model that prompts a hidden malicious behavior that would otherwise be concealed when normal inputs are used. On the other hand, untargeted attacks aim to impede the convergence of the aggregated model and reduce its utility (i.e., accuracy). The primary objective of this tutorial is to investigate various types of poisoning attacks and defense solutions that can be employed to mitigate their impact.

The tutorial is accompanied by practical hands-on exercises where the participants learn how to launch backdoor attacks and implement defense mechanisms that are sufficiently robust and resilient to security attacks that compromise the integrity of the FL model.

Tamarin uses multiset rewriting to specify the protocol to be analyzed and uses a subset of first order logic to specify properties. It supports not only trace properties but also observational equivalence. We have taught classes to master and Ph.D. level students who were then able to complete projects based on analyzing passport authentication (PACE) and key agreement (SIGMA). In this tutorial we will explain the underlying principles, motivate the design choices, and show how to use the tool. Tamarin is open-source software and further information, including the manual, the source code, and scientific papers are available at https://tamarin-prover.com/ . For some examples of its real-world use, see this article: https://hal.archives-ouvertes.fr/hal-03586826/document.

An optional side quest is a competition: Who can build the fastest SQIsign verification using their own curve and isogeny implementation? Students are encouraged to look at the existing literature to improve their implementations of curves, isogenies, and SQIsign verification beyond the bare minimum as taught in the tutorial.

The default choice of programming language will be Python, but you are free to use whatever you want — just be aware that we won’t be able to help with all languages. We provide materials for Python and Rust, so you might have to work more independently if you use another language.

This tutorial aims to familiarize the audience with both masking and its formal verification through dedicated tools. We first give a short overview of masking and how it works, as well as several masking schemes such as DOM (domain-oriented masking), TI (threshold implementation) and HPC (hardware private circuits). Similarly, we present the security notions masked implementations strive to achieve and give the formal definitions of probing security and probe-isolating non- interference. Afterwards, the attendees should have an intuition of how to use the provided building blocks and successfully mask the hardware implementation of small S-boxes.

In the second part of the tutorial, we introduce the masking verification tool called Coco, which can verify that a design is indeed secure according to a given security notion. We first give a brief overview of Coco’s workflow and explain the individual components necessary for running the tool. Next, we give an interactive demonstration of designing and formally verifying a masked design with the help of Coco. The attendees are expected to follow along with the presenter in applying masking to a small S-box (e.g., the Ascon S-box) and subsequently verifying it with Coco. Here, we show off all the steps of the design and verification process. Afterwards, the attendees should be comfortable with the practical aspects of masking, as well as its verification through Coco.