Choose an application

• Reference Manager
• EndNote
• RefWorks (Direct export to RefWorks)

When deployed in a potentially hostile environment, security-critical devices are susceptible to physical attacks. In particular, an adversary can mount devastating attacks by exploiting the side-channel leakage of a device or by actively introducing faults in the cryptographic computations. Countering these threats constitutes an active research topic. In contrast to side-channel countermeasures, of which the security properties are well understood, the literature surrounding fault attack resistance is much less developed. Even less mature are countermeasures that resist the combined application of both attack vectors. An interesting proposal in this context is CAPA, an algorithm-level countermeasure methodology that provides security against combined physical attacks in a very strong adversarial model. This thesis aims to contribute to the development and evaluation of combined countermeasures by applying the CAPA methodology to protect Keccak against combined physical attacks. Most influential due to their standardization as SHA-3, the Keccak sponge functions play an important role in symmetric-key cryptography. By presenting four secure hardware designs of Keccak, we explore the far-reaching speed-area tradeoff. %that plays an essential role in the design space of any hardware masking countermeasure. Depending on the Keccak permutation width, our low-latency implementation is either faster than or competitive to the previous side-channel protected implementations in the literature. At the other end of the spectrum, very compact implementations are obtained that are up to fifty times smaller than their high-speed counterparts. Resulting from these efforts are, to the best of our knowledge, the first implementations of Keccak with resistance against combined side-channel and fault attacks. The security against these threats can be scaled to arbitrary order by parametrization of the design. To aid the system designer, we assess the performance and implementation overhead of the countermeasure as a function of the security parameters. In addition, we introduce a more resource-efficient implementation of the CAPA preprocessing stage that applies generally to all cryptographic algorithms. To verify the security of the designs, we subjugate a suitable and representative Keccak implementation to state-of-the-art side-channel evaluation tests on an FPGA platform. No leakage is detected given the statistical evidence of 80 million power traces.