Cryptography and cryptanalysis for embedded systems

Author

  • Thomas Eisenbarth
Abstract

A growing number of devices of daily use are equipped with computing capabilities. Today, already more than 98% of all manufactured microprocessors are employed in embedded applications, leaving less than 2% to traditional computers. Many of these embedded devices are enabled to communicate amongst each other and form networks. A side effect of the rising interconnectedness is a possible vulnerability of these embedded systems. Attacks that have formerly been restricted to PCs can suddenly be launched against cars, tickets, ID cards or even pacemakers. At the same time the security awareness of users and manufacturers of such systems is much lower than in classical PC environments. This renders security one key aspect of embedded systems design and for most pervasive computing applications. As embedded systems are usually deployed in large numbers, costs are a main concern of system developers. Hence embedded security solutions have to be cheap and efficient. Many security services such as digital signatures can only be realized by public key cryptography. Yet, public key schemes are in terms of computation orders of magnitude more expensive than private key cryptosystems. At the same time the prevailing schemes rely on very similar security assumptions. If one scheme gets broken, almost all cryptosystems employing asymmetric cryptography become useless. The first part of this work explores alternatives to the prevailing public key cryptosystems. Two alternative signature schemes and one public key encryption scheme from the family of post quantum cryptosystems are explored. Their security relies on different assumptions so that a break of one of the prevailing schemes does not affect the security of the studied alternatives. The main focus lies on the implementational aspects of these schemes for embedded systems. 
One actual outcome is that, contrary to common belief, the presented schemes provide similar and in some cases even better performance than the prevailing schemes. The presented solutions include a highly scalable software implementation of the Merkle signature scheme aimed at low-cost microprocessors. For signatures in hardware an FPGA framework for implementing a family of signature schemes based on multivariate quadratic equations is presented. Depending on the chosen scheme, multivariate quadratic signatures show better performance than elliptic curves in terms of area consumption and performance. The McEliece cryptosystem is an alternative public key encryption scheme which was believed to be infeasible on embedded platforms due to its large key size. This work shows that by applying certain implementational tricks, both hardware and software implementation become feasible and show comparable performance to the prevailing schemes. Physical attacks are another security threat to embedded systems. Embedded systems are often employed in hostile environments where possible attackers have physical access to the device, making side channel analysis possible. The second part of this work explores how to efficiently analyze the side channel resistance of embedded implementations. By applying simulation methods the possibility of evaluating logic styles and circuit designs is presented. By these methods a yet undiscovered weakness in MDPL/iMDPL, a logic style that was, up to now, believed to effectively counteract side channel attacks, is uncovered. Furthermore, a newly developed attack on the KeeLoq cipher is presented. By applying this attack to KeeLoq-based remote keyless entry systems the possible hazards of side channel analysis for embedded systems are demonstrated. Hereby, problems of a practical application of side channel analysis in a black-box scenario and their solutions are highlighted.
Finally, advanced techniques of side channel analysis are applied to reconstruct the executed code of a microprocessor by solely analyzing its power consumption. The presented generic methods can be applied to microcontroller platforms to build a disassembler by means of passively monitoring a single side channel only.

Similar resources

A Performance Survey of Meta-Heuristic And Brute-Force Search Algorithms to Cryptanalysis The SDES Encryption Algorithm

For many years, cryptanalysis has been considered as an attractive topic in jeopardizing the security and resistance of an encryption algorithm. The SDES encryption algorithm is a symmetric cryptography algorithm that performs a cryptographic operation using a crypt key. In the world of encryption, there are many search algorithms to cryptanalysis. In these researches, brute force attack algori...

An efficient secure channel coding scheme based on polar codes

In this paper, we propose a new framework for joint encryption encoding scheme based on polar codes, namely efficient and secure joint secret key encryption channel coding scheme. The issue of using new coding structure, i.e. polar codes in Rao-Nam (RN) like schemes is addressed. Cryptanalysis methods show that the proposed scheme has an acceptable level of security with a relatively smaller ke...

An RTOS-based Fault Injection Simulator for Embedded Processors

Evaluating embedded systems vulnerability to faults injection attacks has gained importance in recent years due to the rising threats they bring to chips security. The task is particularly important for micro-controllers since they have lower resistance to fault attacks compared to hardware-based cryptosystems. This paper reviews recent embedded fault injection simulators from literature and pr...

Biclique Cryptanalysis of Block Ciphers LBlock and TWINE-80 with Practical Data Complexity

In the biclique attack, a shorter biclique usually results in less data complexity, but at the expense of more computational complexity. The early abort technique can be used in partial matching part of the biclique attack in order to slightly reduce the computations. In this paper, we make use of this technique, but instead of slight improvement in the computational complexity, we keep the amo...

Multi-Linear cryptanalysis in Power Analysis Attacks MLPA

Power analysis attacks against embedded secret key cryptosystems are widely studied since the seminal paper of Paul Kocher, Joshua Jaffe, and Benjamin Jun in 1998 where has been introduced the powerful Differential Power Analysis. The strength of DPA is such that it became necessary to develop sound and efficient countermeasures. Nowadays embedded cryptographic primitives usually integrate one or ...

Securing RSA algorithm against timing attack

Security plays an important role in many embedded systems. All security based algorithms are implemented in hardware or software, and on physical devices which interact with the systems and are influenced by their environments. The attacker extracts, investigates and monitors these physical interactions and extracts side channel information which is used in cryptanalysis. This type of cryptanalysis i...

Publication date: 2010