Séminaire de Cryptographie


Chloé Gravouil

Thesis defense (in French): Masquage Booléen Résistant aux Attaques par Fautes et White-Boxabilité de Primitives Cryptographiques Légères (Fault-Attack-Resistant Boolean Masking and White-Boxability of Lightweight Cryptographic Primitives)

White-box cryptography is the subfield of cryptography dedicated to the design of implementations of cryptographic primitives that remain secure even when an attacker has total control of the device they are deployed on. One of the main security challenges white-box cryptography needs to address is side-channel security. To this end, designers aim to eliminate the dependence between intermediate variables and sensitive data. The classical countermeasures for doing so are masking schemes. Nevertheless, implementations using masking schemes are still vulnerable to another type of attack: fault attacks, where an attacker intentionally disrupts the normal functioning of an implementation in order to extract information from this unusual behaviour. Furthermore, beyond ensuring security in this attack model, a white-box designer still needs to manage the cost and performance of their implementations. In other words, even in the white-box attack model, the classical cryptographic trade-off between security, cost and performance remains. Lightweight cryptography is the field of cryptography designed for devices with constrained capacities, so the question of the white-boxability of lightweight cryptographic algorithms arises as well.

The contribution of this thesis is twofold. In the first part of the thesis, we discuss the suitability of the ten finalists of the NIST Lightweight Cryptography Standardization Contest for white-boxing. We then develop a tabularized white-box implementation to be applied to GIFT, the core cryptographic block of GIFT-COFB. In the second part of the thesis, we describe a new construction of a bitwise AND masking scheme that corrects faults and is composed only of Boolean operations on bits. To that end, the scheme uses error-correcting codes, and more precisely BCH error-correcting codes. We also describe how the bitwise NOT and XOR operations can be implemented so as to be compatible with this AND masking scheme. Hence, this scheme can be applied to bitsliced implementations of any cryptographic primitive.