Constructive Side-Channel Analysis and Secure Design: 11th International Workshop, COSADE 2020, Lugano, Switzerland, April 1–3, 2020, Revised Selected Papers (Security and Cryptology)

Preface
Organization
Contents
Fault and Side Channel Attacks
Persistent Fault Analysis with Few Encryptions
	1 Introduction
		1.1 Zhang et al.\'s Attack
		1.2 Contributions
		1.3 Outline
	2 Bias Cancelling Effect of MixColumns
	3 Improvement Using Maximum Likelihood
		3.1 Optimal Distinguisher
		3.2 Key Byte Ranking
		3.3 Combination of Several Key Bytes to Reconstruct the Full Key
		3.4 Efficiencies of Key Byte Rank and Combination Algorithms
		3.5 Comparison with the Tool of Veyrat-Charvillon et al. ch1DBLP:confspseurocryptspsVeyratspsCharvillonGS13
	4 Conclusion and Perspectives
		4.1 Conclusion
		4.2 Perspectives
		4.3 Note Added After Revision of the Accepted Paper
	References
A Template Attack to Reconstruct the Input of SHA-3 on an 8-Bit Device
	1 Introduction
	2 Preliminaries and Notation
		2.1 Keccak-f[1600] and SHA-3
		2.2 Template Attack
		2.3 Combining Multiple Likelihood Tables
	3 Attack Strategy
	4 Template Attack on SHA-3
		4.1 Target Hardware Device and Measurement Setup
		4.2 Interesting Clock Cycle Detection
		4.3 Building Templates
		4.4 Evaluating the Quality of Templates
	5 Searching the Correct Intermediate States
		5.1 Layer 1: Generating Tables for Byte Rows
		5.2 Layer 2: Generating Tables for Byte Slices
		5.3 Layer 3: Consistency Checking
		5.4 Results
	6 Discussion and Conclusion
	References
Single-Trace Side-Channel Analysis on Polynomial-Based MAC Schemes
	1 Introduction
	2 Preliminaries and Related Works
		2.1 Basic Notation
		2.2 Authenticated Encryptions Based on Polynomial Hash Function
		2.3 The Problem of Unforgeability
		2.4 Conventional SCAs on Polynomial Hash Function
	3 Proposed Attack on ChaCha20-Poly1305
		3.1 Attack Description
		3.2 Side-Channel Analysis on Final Addition
		3.3 Exhaustive Polynomial Factorization
		3.4 Feasibility Evaluation
		3.5 Application to Open-Source Poly1305 Implementation
	4 Discussion
		4.1 Noise Tolerance
		4.2 Applicability and Generality of the Proposed Attack
		4.3 Countermeasures
	5 Conclusion
	References
Side-Channel Analysis Methodologies
Wavelet Scattering Transform and Ensemble Methods for Side-Channel Analysis
	1 Introduction
	2 Problem Statement
	3 Time-Frequency Analysis with the Wavelet Scattering Transform
		3.1 Some Time-Frequency Representations
		3.2 The Wavelet Scattering Transform
	4 A Combination Procedure for Ensemble Methods in SCA
	5 Experiments
		5.1 Method Used
		5.2 Datasets
		5.3 Choosing the Parameters
		5.4 Results
		5.5 Visualizing Leakages
	6 Conclusion
	References
Scatter: a Missing Case?
	1 Introduction
	2 Background
		2.1 Scatter Transform with Chi2/MIA Distinguishers
		2.2 On-the-Fly Linear Regression
		2.3 Selection of Parameters
	3 First-Order Experiments
		3.1 Setting #1: A Simulated Shuffled Implementation
		3.2 Setting #2: A Concrete Jittery Implementation
	4 Higher-Order Scatter
		4.1 The Need of a Combination Function
		4.2 Second-Order Simulated Experiments
	5 Conclusion
	References
Augmenting Leakage Detection Using Bootstrapping
	1 Introduction
	2 Preliminaries
		2.1 Leakage Detection Using Welch\'s t-test
		2.2 The Bootstrapping Method
		2.3 Kolmogorov-Smirnov Test
	3 Applying Bootstrapping to Leakage Detection
		3.1 Simulating Leakage Detection
		3.2 Experimental Results
	4 Limitations
	5 Implementation Details
	6 Conclusion
	References
Evaluation of Attacks and Security
Security Assessment of White-Box Design Submissions of the CHES 2017 CTF Challenge
	1 Introduction
		1.1 CHES 2017 Capture the Flag Challenge
		1.2 Our Contribution
	2 Tooling
		2.1 Preprocessing the Source Code
		2.2 Tooling for DCA
		2.3 Tooling for DFA
	3 Security Assessment and Classification
		3.1 DCA Vulnerable Designs
		3.2 DFA Vulnerable Designs
		3.3 Second Order DCA
		3.4 Automated Resistant Challenges
		3.5 2019 Edition of the White-Box Competition
	4 Real-Life Usefulness of White-Box Cryptography
	References
On the Implementation Efficiency of Linear Regression-Based Side-Channel Attacks
	1 Introduction
		1.1 Context: Side-Channel Analysis
		1.2 State-of-the-Art\'s Review
		1.3 Contributions
		1.4 Outline
	2 Mathematical Modelization
		2.1 Notations
		2.2 Description of Stochastic Attacks
	3 LRA Study and Improvements of Its Implementation
		3.1 Difference Between SCAs with and Without Coalescence
		3.2 LRA with Assumption of Equal Images Under Different Subkeys
		3.3 Spectral Approach Computation to Speed up LRA (with EIS)
		3.4 Further Improvement
		3.5 Incremental Implementation of LRA
	4 Extension of the Improvements to the Protected Implementations by Masking
		4.1 Normalized Product Combination Against Arithmetic Masking
	5 Experiments
		5.1 LRA with and Without Spectral Approach
		5.2 SCAs with and Without Coalescence
		5.3 LRA Against Higher-Order Masking
	6 Conclusion and Perspectives
	A  Proof of Proposition2
	B  LRA Algorithm 4
	C  WHT Algorithm
	References
Side-Channel Attacks and Deep Learning
Kilroy Was Here: The First Step Towards Explainability of Neural Networks in Profiled Side-Channel Analysis
	1 Introduction
	2 Background
		2.1 Multilayer Perceptron and Convolutional Neural Networks
		2.2 Comparison of Neural Networks and SVCCA Methodology
		2.3 Related Work
	3 Establishing a Baseline
		3.1 DPAcontest V4 Dataset
		3.2 Comparison Datasets
		3.3 Experimental Setup
	4 Portability
		4.1 Datasets and Experimental Setup
		4.2 Results
	5 Conclusions and Future Work
	A  Additional Figures
	References
Online Performance Evaluation of Deep Learning Networks for Profiled Side-Channel Analysis
	1 Introduction
	2 Preliminaries
		2.1 Notations
		2.2 Profiling Attacks
		2.3 Neural Networks
		2.4 Evaluation Metrics
		2.5 Related Work on Metrics for Side-Channel Analysis
	3 dtrain,val: A Deep Learning Evaluation Metric for Side-Channel Analysis
		3.1 dtrain,val: Internal State Detection
		3.2 Detection of Overfitting/underfitting
		3.3 dtrain,val : A Suitable Metric for Early Stopping
	4 Experimental Results
		4.1 Early Stopping on the ASCAD Database
		4.2 Comparison Between GEBVD and 1train,val
	5 Conclusion
	A  Networks
	References
Primitives and Tools for Physical Attacks Resistance
Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks
	1 Introduction
	2 Preliminaries
	3 Modular Design of Countermeasures
		3.1 Higher-Order Masked Computation
		3.2 Data-Redundant Computation
		3.3 Time-Redundant Computation
	4 SKIVA Implementation
		4.1 Custom Instruction-Set Extensions in SKIVA
		4.2 Hardware Support for Aggregated Bitslice Operations
	5 Results
		5.1 Performance Evaluation
		5.2 Side-Channel Analysis
		5.3 Security Analysis of Data Faults
	6 Conclusion
	References
Processor Anchor to Increase the Robustness Against Fault Injection and Cyber Attacks
	1 Introduction
	2 Background
		2.1 Control Flow Graph
		2.2 Control Flow Hijacking
		2.3 Control Flow Integrity
	3 Related Work
		3.1 Threat Model
		3.2 Protection State of the Art
		3.3 Limitation of Our Approach
	4 Solution
		4.1 Hardware
		4.2 Software
	5 Speculative Execution
	6 Interruptions Management
	7 Attack Model and Security Guaranties
	8 Implementation
	9 Performance
	10 Conclusion
	References
Integrating Side Channel Security in the FPGA Hardware Design Flow
	1 Introduction
	2 Augmenting the Xilinx Vivado FPGA Design Flow
	3 Experimental Validation
	4 Concluding Remarks
	References
Side-Channel Countermeasures
Self-secured PUF: Protecting the Loop PUF by Masking
	1 Introduction
	2 The Loop PUF
		2.1 Architecture
		2.2 Operating Mode
		2.3 Loop PUF Challenges for Maximum Entropy
		2.4 Loop PUF Implementation
	3 Side-Channel Analysis of the Loop PUF
		3.1 Experimental Setup
		3.2 Frequency of Interest Detection
		3.3 Side-Channel Analysis of the Loop PUF
		3.4 Limitations and Constraints: Frequency Resolution
	4 Securing the Loop PUF
		4.1 Temporal Masking
		4.2 Self-secured Loop PUF Using 1-Bit RNG from LSB
		4.3 Empirical Analysis of the LSB-Mask
		4.4 Side-Channel Analysis of the Self-secured Loop PUF
	5 Remarks on the Proposed Solution
		5.1 Impact of Measurement Time
		5.2 Application of Temporal Masking to RO PUFs
	6 Conclusion
	References
Leakage-Resilient Authenticated Encryption from Leakage-Resilient Pseudorandom Functions
	1 Introduction
		1.1 Our Contribution
		1.2 Related Work
		1.3 Organization of the Paper
	2 Preliminaries
		2.1 Notation
		2.2 Primitives
		2.3 Leakage Model
		2.4 Security Notions
		2.5 The FGHF Construction
	3 Unpredictability and Pseudorandomness Under Leakage
		3.1 Under Leakage: Unpredictability  Pseudorandomness
		3.2 Under Leakage: Pseudorandomness  Unpredictability
	4 Leakage Resilience of the N2 Construction
	5 Leakage Resilience of the FGHF Construction
		5.1 Leakage-Resilient MACs from LPRFs
		5.2 Leakage-Resilient Encryption from LPRFs
		5.3 Security of the FGHF Construction
	References