Date of the talk: 27 June 2023
Thesis defense (in French): Masquage Booléen Résistant aux Attaques par Fautes et White-Boxabilité de Primitives Cryptographiques Légères (Fault-Attack-Resistant Boolean Masking and White-Boxability of Lightweight Cryptographic Primitives)
White-box cryptography is the subfield of cryptography dedicated to the design of implementations of cryptographic primitives that remain secure even when an attacker has total control of the devices they are deployed on. One of the main security challenges white-box cryptography needs to address is side-channel security. To this end, designers aim to eliminate the dependence between the variables of the implementation and sensitive data. The classical countermeasures for doing so are masking schemes. Nevertheless, implementations using masking schemes remain vulnerable to another type of attack: fault attacks, where an attacker intentionally disrupts the normal functioning of an implementation in order to gain information from this unusual behaviour.
Furthermore, beyond ensuring security in this attack model, a white-box designer still needs to manage the cost and performance of their implementations. In other words, even in the white-box attack model, the classical cryptographic trade-off between security, cost and performance remains. Lightweight cryptography is the field of cryptography designed for devices with constrained capacities, so the question of the white-boxability of lightweight cryptographic algorithms arises as well.
The contribution of this thesis is twofold. In the first part of the thesis, we discuss the suitability of the ten finalists of the NIST Lightweight Cryptography Standardization Contest for white-boxing. We then develop a tabularized white-box implementation to be applied to GIFT, the block cipher at the core of GIFT-COFB.
In the second part of the thesis, we describe a new construction of a bitwise AND masking scheme that corrects faults and is composed only of Boolean operations on bits. To that end, the scheme uses error-correcting codes, and more precisely BCH error-correcting codes. We also describe how the bitwise NOT and XOR operations can be implemented to be compatible with this AND masking scheme. Hence, the scheme can be applied to bitsliced implementations of any cryptographic primitive.
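The following is an added illustration, not the thesis's construction: it shows two-share Boolean masking of bitsliced AND, NOT and XOR (the AND is a standard two-share ISW gadget, an assumption of this example), and why a fault on one share corrupts the unmasked result unless the shares carry an error-correcting code. A triple-repetition code with majority vote stands in for the BCH codes the thesis uses; all function names and sample values are constructed for this example.

```python
import secrets

W = 0xFF  # 8-bit bitsliced words: each bit position is an independent instance

def mask(x):
    """Split x into two Boolean shares (x0, x1) with x == x0 ^ x1."""
    x0 = secrets.randbits(8)
    return x0, x ^ x0

def unmask(s):
    return s[0] ^ s[1]

def masked_xor(a, b):  # XOR is share-wise, no randomness needed
    return a[0] ^ b[0], a[1] ^ b[1]

def masked_not(a):  # NOT flips only one share
    return a[0] ^ W, a[1]

def masked_and(a, b):
    """Two-share ISW AND: fresh randomness r blinds the cross terms."""
    r = secrets.randbits(8)
    c0 = (a[0] & b[0]) ^ r
    c1 = (a[1] & b[1]) ^ ((r ^ (a[0] & b[1])) ^ (a[1] & b[0]))
    return c0, c1

# Stand-in for the thesis's BCH codes: triple repetition with a bitwise
# majority vote, which corrects any single bit-flip in one copy of a share.
def encode(s):
    return (s[0], s[0], s[0]), (s[1], s[1], s[1])

def majority(p, q, r):
    return (p & q) | (p & r) | (q & r)

def decode(e):
    return majority(*e[0]), majority(*e[1])

def inject_fault(e, share, copy, bit):
    """Constructed fault model: flip one bit in one redundant copy of one share."""
    copies = list(e[share])
    copies[copy] ^= 1 << bit
    out = list(e)
    out[share] = tuple(copies)
    return tuple(out)

def demo(x=0b10110010, y=0b01101101):
    """Return (x & y, unmasked AND, result after correcting a fault, uncorrected result)."""
    s_and = masked_and(mask(x), mask(y))
    faulty = inject_fault(encode(s_and), share=1, copy=0, bit=3)
    corrected = unmask(decode(faulty))
    uncorrected = unmask((faulty[0][0], faulty[1][0]))  # redundancy ignored
    return x & y, unmask(s_and), corrected, uncorrected
```

The last value returned by `demo()` differs from the others in exactly the faulted bit, which is the observable behaviour a fault attacker exploits and the correcting decoder removes.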