| Both sides previous revision Previous revision Next revision | Previous revision |
| public:research:main [2024-01-17 15:56] – [Disk encryption] xbroz | public:research:main [2024-01-18 15:50] (current) – [Open-source security tools] xjancar |
|---|
| ====== Research themes in CRoCS laboratory [crcs.cz/projects] ====== | ====== Research topics at CRoCS ====== |
| ~~NOTOC~~ | ~~NOTOC~~ |
| |
| We systematically analyze the security of cryptographic implementations, including the blackbox ones with no access to a source code (e.g., cryptographic smartcards). Typically, a large number of cryptographic operations is executed with observed data and various side-channel information recorded and statistically analyzed. The approach leads to several high-profile discoveries, including the practical factorization of RSA keys from Infineon chips ([[https://roca.crocs.fi.muni.cz/|ROCA attack CVE-2017-15361]]) or EC private key extraction from timing of ECDSA signatures ([[https://minerva.crocs.fi.muni.cz/|Minerva attack CVE-2019-15809]]). The goal is not only to find an attack but also to provide open-source verification tools. | We systematically analyze the security of cryptographic implementations, including the blackbox ones with no access to a source code (e.g., cryptographic smartcards). Typically, a large number of cryptographic operations is executed with observed data and various side-channel information recorded and statistically analyzed. The approach leads to several high-profile discoveries, including the practical factorization of RSA keys from Infineon chips ([[https://roca.crocs.fi.muni.cz/|ROCA attack CVE-2017-15361]]) or EC private key extraction from timing of ECDSA signatures ([[https://minerva.crocs.fi.muni.cz/|Minerva attack CVE-2019-15809]]). The goal is not only to find an attack but also to provide open-source verification tools. |
| |
| <button collapse="cryptoimplementations">Find out more</button> | <button icon="fa fa-caret-down" collapse="cryptoimplementations">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:cryptoimplementations|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:cryptoimplementations|Publications]]</button> |
| |
| {{ :public:research:jcalgtest_logo.png?direct&200|}} | {{ :public:research:jcalgtest_logo.png?direct&200|}} |
| |
| For almost two decades, we analyze the security of cryptographic hardware and interesting uses in security systems as a trusted element. We work mainly with JavaCard based cryptographic smart cards and Trusted Platform Modules (TPMs). We maintain a large collection of JavaCards and use them to assess their performance, quality of truly random number generators, key generation algorithms as well as security improvements over time. While the internal implementation of cryptographic operations is typically proprietary, we had to develop a suite of techniques for black-box analysis of the implementation correctness - with the advantage of assessment also by other users without the need for proprietary knowledge. | For more than two decades, we analyze the security of cryptographic hardware and interesting uses in security systems as a trusted element. We work mainly with JavaCard based cryptographic smart cards and Trusted Platform Modules (TPMs). We maintain a large collection of JavaCards and use them to assess their performance, quality of truly random number generators, key generation algorithms as well as security improvements over time. While the internal implementation of cryptographic operations is typically proprietary, we had to develop a suite of techniques for black-box analysis of the implementation correctness - with the advantage of assessment also by other users without the need for proprietary knowledge. |
| |
| We also develop tools and libraries helping open-source developers to create open, faster, and more secure JavaCard applets. | We also develop tools and libraries helping open-source developers to create open, faster, and more secure JavaCard applets. |
| |
| <button collapse="smartcards">Find out more</button> | <button icon="fa fa-caret-down" collapse="smartcards">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:smartcards|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:smartcards|Publications]]</button> |
| |
| <collapse id="smartcards" collapsed="true"> | <collapse id="smartcards" collapsed="true"> |
| |
| **Last update: 20.1.2021** | **Last update: 18.1.2024** |
| |
| **Contact:** Petr Švenda <svenda@fi.muni.cz> | **Contact:** Petr Švenda <svenda@fi.muni.cz> |
| * **Smartcard development resources** | * **Smartcard development resources** |
| * Low-level ECPoint and BigInteger library: [[https://github.com/OpenCryptoProject/JCMathLib | JCMathLib]] | * Low-level ECPoint and BigInteger library: [[https://github.com/OpenCryptoProject/JCMathLib | JCMathLib]] |
| * On-card applet performance profiler: [[https://github.com/OpenCryptoProject/JCProfiler| JCProfiler]] | * On-card applet performance profiler: [[https://github.com/lzaoral/JCProfilerNext| JCProfilerNext]] |
| * Efficient re-implementations of [[http://www.fi.muni.cz/~xsvenda/jcalgs.html | AES & SHA2 & OAEP for JavaCard]], [[https://github.com/petrs/JCSWAlgs/ | GitHub repo]] | * Efficient re-implementations of [[http://www.fi.muni.cz/~xsvenda/jcalgs.html | AES & SHA2 & OAEP for JavaCard]], [[https://github.com/petrs/JCSWAlgs/ | GitHub repo]] |
| * APDUPlay project - [[https://github.com/crocs-muni/APDUPlay/ | PC/SC APDU inspection and manipulation tool]] | * APDUPlay project - [[https://github.com/crocs-muni/APDUPlay/ | PC/SC APDU inspection and manipulation tool]] |
| |
| **Involved people:** | **Involved people:** |
| * [[https://is.muni.cz/auth/osoba/445281|Antonín Dufka]] 2019-now (MPC implementations on javacards) | * [[https://is.muni.cz/auth/osoba/445281|Antonín Dufka]] 2019-now (MPC on javacards, ECC leakage) |
| | * [[https://is.muni.cz/auth/osoba/492760|Veronika Hanulíková]] 2023-now (ECC leakage) |
| * [[https://is.muni.cz/auth/osoba/445358|Ján Jančár]] 2017-now (testing of ECC implementations) | * [[https://is.muni.cz/auth/osoba/445358|Ján Jančár]] 2017-now (testing of ECC implementations) |
| * [[https://is.muni.cz/auth/osoba/4085|Petr Švenda]] 2003-now (project lead, initial implementations) | * [[https://is.muni.cz/auth/osoba/4085|Petr Švenda]] 2003-now (project lead, initial implementations) |
| |
| ** Selected publications: ** | ** Selected publications: ** |
| | * [2024] Svenda, P.; Dufka, A.; Broz, M.; Lacko, R.; Jaros, T.; Zatovic, D.; Pospisil, J.: [[https://crocs.fi.muni.cz/papers/tpm_ches2024|TPMScan: A wide-scale study of security-relevant properties of TPM 2.0 chips]], In IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES) 2024. |
| * [2020] Jančár, J.; Sedláček, V.; Sýs, M.; Švenda, P.: [[https://minerva.crocs.fi.muni.cz/|Minerva: The curse of ECDSA nonces; Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces]], In IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES) 2020. **Received Best Paper Award** | * [2020] Jančár, J.; Sedláček, V.; Sýs, M.; Švenda, P.: [[https://minerva.crocs.fi.muni.cz/|Minerva: The curse of ECDSA nonces; Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces]], In IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES) 2020. **Received Best Paper Award** |
| * [2017] Nemec, M.; Sýs, M.; Švenda, P.; Klinec, D.; Matyas, V.: [[:public:papers:rsa_ccs17|The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli]], In Proceedings of ACM CCS 2017, 2017. **Received Real-world Impact Award** | * [2017] Nemec, M.; Sýs, M.; Švenda, P.; Klinec, D.; Matyas, V.: [[:public:papers:rsa_ccs17|The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli]], In Proceedings of ACM CCS 2017, 2017. **Received Real-world Impact Award** |
| ===== Cryptanalysis of elliptic curves and other algebraic methods ===== | ===== Cryptanalysis of elliptic curves and other algebraic methods ===== |
| |
| {{ :public:research:std.png?nolink&200|}} | {{ :public:research:curves.png?nolink&120|}} |
| |
| Likely the most theoretical and math-heavy research we do, though still with real-world consequences in mind. We approach elliptic curves from many different directions: we study ECC implementations, problems with ECC formulas, ECC key datasets and in general diverse mathematical ideas involving elliptic curves. Sometimes, this requires us to dive into lattice methods as well. Currently, our [[https://dissect.crocs.fi.muni.cz/|most ambitious project]] is an analysis of standard curves themselves, where we try to distinguish them from randomly generated ones by any means possible. | Likely the most theoretical and math-heavy research we do, though still with real-world consequences in mind. We approach elliptic curves from many different directions: we study ECC implementations, problems with ECC formulas, ECC key datasets and in general diverse mathematical ideas involving elliptic curves. Sometimes, this requires us to dive into lattice methods as well. |
| |
| Another focus of our research is isogeny based cryptography. In particular, we have been closely looking into isogeny graphs, division polynomials, or general computational problems of isogenies. This work has been motivated by the recent development of post-quantum protocols based on isogenies. | In the past, we were systematically analyzing standardized elliptic curves. Lately, we have been mainly focusing on ECC with respect to side-channel attacks and the involvement of elliptic curves in the Bitcoin protocol. |
| |
| <button collapse="ecc">Find out more</button> | <button icon="fa fa-caret-down" collapse="ecc">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:ecc|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:ecc|Publications]]</button> |
| |
| <collapse id="ecc" collapsed="true"> | <collapse id="ecc" collapsed="true"> |
| |
| **Last update: 21. 01. 2021** | **Last update: 18. 01. 2024** |
| |
| **Contact:** Vláďa Sedláček <vlada.sedlacek@mail.muni.cz> | **Contact:** Vojtěch Suchánek <vojtechsu@mail.muni.cz> |
| |
| **More information, projects and resources:** | **More information, projects and resources:** |
| | * [[https://dissect.crocs.fi.muni.cz/|DiSSECTion of standard curves]] |
| * [[https://neuromancer.sk/std/|Database of standard curves]] | * [[https://neuromancer.sk/std/|Database of standard curves]] |
| * [[https://github.com/crocs-muni/minerva|Minerva ECDSA vulnerability repository]] | * [[https://github.com/crocs-muni/minerva|Minerva ECDSA vulnerability repository]] |
| |
| **Involved people:** | **Involved people:** |
| * [[https://is.muni.cz/auth/osoba/445281|Antonín Dufka]] 2020-now (the database guru) | * [[https://is.muni.cz/auth/osoba/445281|Antonín Dufka]] 2020-now |
| * [[https://is.muni.cz/auth/osoba/j08ny|Jan Jančár]] 2019-now (the projective project prodigy) | * [[https://is.muni.cz/auth/osoba/j08ny|Jan Jančár]] 2019-now |
| * [[https://is.muni.cz/auth/osoba/vlada.sedlacek|Vladimír Sedláček]] 2018-now (the crazy mathgician) | * [[https://is.muni.cz/auth/osoba/451866|Vojtěch Suchánek]] 2020-now |
| * [[https://is.muni.cz/auth/osoba/451866|Vojtěch Suchánek]] 2020-now (the isogenius) | * [[https://is.muni.cz/auth/osoba/232886|Marek Sýs]] 2018-now |
| * [[https://is.muni.cz/auth/osoba/232886|Marek Sýs]] 2018-now (the conceptual optimist) | |
| |
| ** Selected publications: ** | ** Selected publications: ** |
| | * [2022] [[https://dissect.crocs.fi.muni.cz/| Sedláček, V.; Suchánek, V.; Dufka A.; Sýs, M.; Matyáš, V.: DiSSECT: Distinguisher of Standard and Simulated Elliptic Curves via Traits]], In Progress in Cryptology - AFRICACRYPT 2022. |
| | * [2021] [[:public:papers:formulas_asiacrypt21| Sedláček, V.; Chi-Domínguez, J.J.; Jančár, J.; Brumley, B.B.: A formula for disaster: a unified approach to elliptic curve special-point-based attacks]], In Advances in Cryptology – ASIACRYPT 2021. |
| * [2020] [[https://minerva.crocs.fi.muni.cz/| Jančár, J.; Sedláček, V.; Sýs, M.; Švenda, P.: Minerva: The curse of ECDSA nonces; Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces]], In IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES) 2020. **Received Best Paper Award** | * [2020] [[https://minerva.crocs.fi.muni.cz/| Jančár, J.; Sedláček, V.; Sýs, M.; Švenda, P.: Minerva: The curse of ECDSA nonces; Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces]], In IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES) 2020. **Received Best Paper Award** |
| * [2020] [[:public:papers:primality_esorics20| Sedláček, V.; Jančár, J.; Švenda, P.: Fooling primality tests on smartcards]], In 25th European Symposium on Research in Computer Security (ESORICS) 2020 | * [2020] [[:public:papers:primality_esorics20| Sedláček, V.; Jančár, J.; Švenda, P.: Fooling primality tests on smartcards]], In 25th European Symposium on Research in Computer Security (ESORICS) 2020 |
| |
| | |
| <button collapse="randomness">Find out more</button> | <button icon="fa fa-caret-down" collapse="randomness">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:randomness|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:randomness|Publications]]</button> |
| |
| With the use of secure multi-party computation, the risk of vulnerable implementations can be mitigated. Secure multi-party computation allows for splitting of the secret key among multiple devices, which partake in an interactive protocol to perform cryptographic operations. The complete secret key is never reconstructed during this protocol, so if at least one of the devices remains uncorrupted, the secret key is not exposed. Our research focuses on secure multi-party computation executed on the specialized cryptographic devices, which bring interesting constraints to protocol design and implementation. | With the use of secure multi-party computation, the risk of vulnerable implementations can be mitigated. Secure multi-party computation allows for splitting of the secret key among multiple devices, which partake in an interactive protocol to perform cryptographic operations. The complete secret key is never reconstructed during this protocol, so if at least one of the devices remains uncorrupted, the secret key is not exposed. Our research focuses on secure multi-party computation executed on the specialized cryptographic devices, which bring interesting constraints to protocol design and implementation. |
| |
| <button collapse="smpc">Find out more</button> | <button icon="fa fa-caret-down" collapse="smpc">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:smpc|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:smpc|Publications]]</button> |
| |
| The work leverages our expertise in the side-channel analysis of cryptographic hardware (especially relevant for the hardware wallets), scrutiny of cryptographic implementations (both builder's and attacker's perspective), and randomness testing (crucial to have non-biased private keys and non-leaking signatures). | The work leverages our expertise in the side-channel analysis of cryptographic hardware (especially relevant for the hardware wallets), scrutiny of cryptographic implementations (both builder's and attacker's perspective), and randomness testing (crucial to have non-biased private keys and non-leaking signatures). |
| |
| <button collapse="cryptocurrencies">Find out more</button> | <button icon="fa fa-caret-down" collapse="cryptocurrencies">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:cryptocurrencies|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:cryptocurrencies|Publications]]</button> |
| |
| |
| |
| <button collapse="opentools">Find out more</button> | <button icon="fa fa-caret-down" collapse="opentools">Find out more</button> |
| <button icon="fa fa-file-text-o">[[:publications:keywords:opentools|Publications]]</button> | <button icon="fa fa-file-text-o">[[:publications:keywords:opentools|Publications]]</button> |
| |