Studies on Disk Encryption


Slide 1: Studies on Disk Encryption. Cuauhtemoc Mancillas López. Advisor: Dr. Debrup Chakraborty. Centro de Investigación y Estudios Avanzados del IPN.

Slide 2: Disk Encryption Problem. The problem of disk encryption is to encrypt bulk information stored in a storage medium like a hard disk, flash memory, CD or DVD. The nature of the storage medium dictates the type of encryption required. We are primarily interested in hard disks. A well accepted proposal for encrypting hard disks is to encrypt individual sectors.

Slide 3: Agenda. Introduction. Tweakable Enciphering Schemes: implementations. Side Channel Attacks: distinguishing attack against EME; stronger attack against EME. BRW Polynomials.

Slide 4: Symmetric Key Cryptography. Encryption $C = \mathrm{Enc}(K, M)$, decryption $M = \mathrm{Dec}(K, C)$. Adversarial goals: (partial) key recovery; (partial) plaintext recovery; creating a ciphertext; distinguishing. Adversarial resources: ciphertext only; known plaintext; chosen plaintext; chosen ciphertext; adaptive chosen plaintext; adaptive chosen ciphertext.

Slide 5: Finite Fields. We shall view n-bit strings as elements of $\mathrm{GF}(2^n)$. n-bit strings can be considered as polynomials of degree at most n−1 over $\mathrm{GF}(2)$. This forms a field of $2^n$ elements. For example, the 5-bit string 10011 can be represented as the polynomial $x^4 + x + 1$.

Slide 6: Finite Fields (contd.). By addition of strings we shall mean the addition of polynomials, which can be realized by the XOR of two n-bit strings. For multiplication of two n-bit strings we need to choose an irreducible polynomial $t(x)$ of degree n. Multiplication of two strings A and B is realized by the multiplication of the polynomials $a(x)\,b(x)$ modulo the polynomial $t(x)$.

Slide 7: Finite Fields (contd.). Given a string A, by xA we shall mean the multiplication of the polynomial $a(x)$ by the polynomial x. This can be realized very efficiently by a shift and a conditional XOR. For example, consider the field $\mathrm{GF}(2^8)$ with the irreducible polynomial $x^8 + x^7 + x^2 + x + 1$.

Slide 8: Finite Fields (contd.). We can implement xA as
$$xA = \begin{cases} A \ll 1 & \text{if } \mathrm{msb}(A) = 0 \\ (A \ll 1) \oplus Q & \text{if } \mathrm{msb}(A) = 1 \end{cases}$$
where $A \ll 1$ is a left shift by one bit and Q is the n-bit string of the low-order coefficients of the irreducible polynomial (10000111 for the polynomial of the previous slide).

Slide 9: Polynomial Hash. Informally, a hash function maps a big string into a small one. We shall use a specific type of hash called the polynomial hash, $H : \{0,1\}^n \times (\{0,1\}^n)^m \to \{0,1\}^n$, defined as $H(h, P_1, \dots, P_m) = P_1 h^m \oplus P_2 h^{m-1} \oplus \dots \oplus P_m h$. All operations are in $\mathrm{GF}(2^n)$.

Slide 10: Block-Ciphers. Block-ciphers are one of the most important primitives in cryptology. (Figure: a message and a key enter the block cipher, which outputs the cipher.) They can encrypt fixed length messages. They are generally very efficient and are widely used for bulk encryption. Examples: AES, DES, IDEA, MARS, SERPENT.

Slide 11: Block-Ciphers (contd.). If the block length of a block-cipher is n, then the block-cipher can be seen as a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. Generally we shall denote a block-cipher by $E(K, M) = E_K(M)$. For each key K in the key space, $E_K$ must be a permutation. So for each K there exists an inverse of the block cipher such that $E_K^{-1}(E_K(M)) = M$. A block-cipher secure against an adaptive chosen plaintext, chosen ciphertext adversary is considered to be a strong pseudorandom permutation (SPRP).

Slide 12: The Adversary. The adversary is considered to be a probabilistic algorithm. It has oracle access to the functions and can output either a 0 or a 1. It can interact with the function through valid queries. An adversary A interacting with an oracle O and outputting 1 will be denoted by $A^O \Rightarrow 1$.

Slide 13: Pseudorandom Permutations. Let $K \xleftarrow{\$} \mathcal{K}$ and $\pi \xleftarrow{\$} \mathrm{Perm}(n)$. $E_K$ is called a pseudorandom permutation if it is infeasible for a computationally bounded adversary to distinguish between $E_K$ and $\pi$.

Slide 14: PRP Advantage. The prp advantage of an adversary A is defined as
$$\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi} \Rightarrow 1].$$
This definition can be easily translated into a resource bounded definition. The general resources of interest are the number of queries, time, query complexity, etc.

Slide 15: Strong Pseudorandom Permutations. With $K \xleftarrow{\$} \mathcal{K}$ and $\pi \xleftarrow{\$} \mathrm{Perm}(n)$, the adversary now has access to both directions:
$$\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K, E_K^{-1}} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi, \pi^{-1}} \Rightarrow 1].$$
It is assumed that a secure block-cipher is a strong pseudorandom permutation.

Slide 16: Modes of Operation. A mode of operation is a specific way to use a block cipher for encrypting arbitrary length messages. We have a secure n-bit to n-bit block-cipher; how can we encrypt a message M with |M| > n? Some classical modes of operation are: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feed-back (CFB), Output Feed-back (OFB) and Counter (CTR). (Figures: ECB applies $E_K$ to each plaintext block $P_i$ independently; CBC XORs each plaintext block with the previous ciphertext block, starting from an IV, before applying $E_K$; CTR encrypts $IV, IV+1, \dots, IV+(m-1)$ and XORs the outputs with the plaintext blocks.)

Slide 17: Types of Modes. Modes can be classified according to the type of security service they provide: privacy only; authenticated encryption; authenticated encryption with associated data; tweakable enciphering schemes; message authentication codes.

Slide 18: Types of Modes (contd.). Tweakable enciphering schemes: the security of such schemes is that of a strong pseudorandom permutation. They are length preserving. These schemes take in an extra public quantity called the tweak. They can provide partial authentication. A potential application area of such schemes is in-place disk encryption.

Slide 19: Types of Modes (contd.). NIST has been running a standardization effort for different types of modes, and currently there are more than twenty different modes which provide various functionalities. Tweakable enciphering schemes are not covered under this effort. A recent standardization effort by the IEEE working group on storage security is currently considering standardization of tweakable enciphering schemes for the disk encryption application.

Slide 20: Tweakable Enciphering Schemes. $E : \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{M}$, $\mathcal{K}$ and $\mathcal{T}$ are the message space, key space and tweak space respectively, with $\mathcal{M} = \bigcup_{i \ge 0} \{0,1\}^i$. E should be a tweakable strong pseudorandom permutation.

Slide 21: Tweakable Enciphering Schemes. Current constructions can be classified into three main categories: Encrypt-Mask-Encrypt, Hash-ECB-Hash and Hash-Counter-Hash.

Slide 22: Tweakable Enciphering Schemes. Abbreviations: EME: ECB-Mask-ECB; CMC: CBC-Mask-CBC; HCTR: Hash-Counter; TET: Transform-ECB-Transform. Schemes: CMC (Halevi and Rogaway, 2003); EME (Halevi and Rogaway, 2003); EME* (Halevi, 2004); ABL (McGrew and Viega, 2004); XCB (McGrew and Fluhrer, 2004); HCTR (Wang et al., 2005); HCH (Chakraborty and Sarkar, 2006 and 2007); PEP (Chakraborty and Sarkar, 2006); TET (Halevi, 2007); HEH (Sarkar, 2007). Other related work: Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions (Sarkar, 2009).

Slide 23: Hypothesis. There are no efficient implementations of TES in either software or hardware. Some experimental results about implementations in FPGAs are reported in my master's thesis. These results can be improved. All schemes in the literature have an associated security proof in a specific security model. These proofs do not consider real-life scenarios like side channel attacks.

Slide 24: Hypothesis. Because the community has been focused mainly on provable security, all existing proposals are theoretical, and attention has not been paid to realistic and efficient constructions. To date, block ciphers are the only paradigm for constructing TES. It may be possible to use other primitives for constructing TES.

Slide 25: Broad Objectives. Efficient implementation of existing constructions. Analysis of the existing constructions for side-channel vulnerabilities. Attempt new constructions keeping in mind efficiency and security against side channel attacks. Exploring related applications where TES can be used.

Slide 26: Implementations of Tweakable Enciphering Schemes.

Slide 27: Field Programmable Gate Array (FPGA). It is an integrated circuit designed to be configured by the customer or designer after manufacturing. The FPGA configuration is generally specified using a hardware description language (HDL). FPGAs contain programmable logic components called logic blocks, and a hierarchy of reconfigurable interconnects that allow the blocks to be wired together. In most FPGAs, the logic blocks also include memory elements, which may be simple flip-flops or more complete blocks of memory.

Slide 28: Field Programmable Gate Array (FPGA). In FPGA families like Virtex4, Virtex and Spartan 3E, the lookup tables can implement every boolean function of four variables. The newest FPGAs, Virtex5, have lookup tables with six inputs. Virtex4 and Virtex5 have dedicated hardware for digital signal processing, which is useful for high performance cryptographic applications as well.

Slide 29: Implementations. We used a 128-bit AES core as the underlying block cipher (round key input; initial round; transformation round, 9 times; final round without MixColumns; output). The universal polynomial hash function included in the specifications of hash-counter-hash and hash-ECB-hash was implemented using a Karatsuba-Ofman multiplier as the main building block. Writing $A = A_H x^{n/2} + A_L$ and $B = B_H x^{n/2} + B_L$, the product $C = A \cdot B$ is computed as
$$C = A_H B_H\, x^{n} + \big((A_H + A_L)(B_H + B_L) + A_H B_H + A_L B_L\big)\, x^{n/2} + A_L B_L .$$

Slide 30: Architecture of HCTR (Hash-Counter). (Figure: a key generator producing the round keys Key 1 to Key 10 for AES rounds 1 to 10, together with a comparator and a counter.)

Slide 31: Architecture of HCTR (Hash-Counter). (Figure: the AES core operating in counter and single modes, driven by a control unit.)

Slide 32: Tweakable Enciphering Schemes. Abbreviations: EME: ECB-Mask-ECB; XCB: Extended Code Book; HEH: Hash-ECB-Hash; HCH: Hash-Counter-Hash; TET: linear transform-ECB-linear transform. Schemes: CMC (Halevi and Rogaway, 2003); EME (Halevi and Rogaway, 2003); EME* (Halevi, 2004); ABL (McGrew and Viega, 2004); XCB (McGrew and Fluhrer, 2004); HCTR (Wang et al., 2005); HCH (Chakraborty and Sarkar, 2006 and 2007); PEP (Chakraborty and Sarkar, 2006); TET (Halevi, 2007); HEH (Sarkar, 2007).

Slide 33: Results. Hardware costs of the primitives: Virtex 4 implementations. Columns: Method | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Throughput (GBits/Sec). Rows: Full-core AES, sequential; Full-core AES, pipelined; Encryption-only AES, pipelined; Hash function multiplier. (The numeric entries are not present in this transcription.)

Slide 34: Results. Hardware costs of the modes with an underlying full 10-stage pipelined 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Time (µs) | Latency (µs) | Throughput (GBits/Sec). Rows: HCH, HCHfp, HCTR, XCB, EME, TET, HEH. (The numeric entries are not present in this transcription.)

Slide 35: Results. Hardware costs of the modes with an underlying sequential 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Time (µs) | Throughput (GBits/Sec). Rows: HCH, HCHfp, HCTR, XCB, EME, TET, HEH. (The numeric entries are not present in this transcription.)

Slide 36: Results. Hardware costs of the HCH, HCTR, EME, TET and HEH modes with an underlying encryption-only 10-stage pipelined 128-bit AES core when processing one sector of 32 AES blocks: Virtex 4 implementations. Columns: Mode | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Time (µs) | Latency (µs) | Throughput (GBits/Sec). Rows: HCHfp, HCTR, EME, TET, HEH. (The numeric entries are not present in this transcription.)

Slide 37: Results. Performance of the modes in other FPGA families of devices. Columns: Mode | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Time (µs) | Latency (µs) | Throughput (GBits/Sec). Full 10-stage pipelined AES-128 core in Virtex 5: HCTR, HCH, HCHfp, TET, EME, XCB, HEH. Full 10-stage pipelined AES-128 core in Virtex-II Pro: HCTR, HCH, HCHfp, TET, EME, XCB, HEH. Sequential AES-128 core in Spartan 3E: HEH, HCTR. (The numeric entries are not present in this transcription.)

Slide 38: Results. A performance comparison of the EME mode of operation using several AES encryption cores implemented in software vs. our EME reconfigurable hardware design. Columns: Design | Processor | Cycles/Sector | EME Latency (µs) | Fold Speed-up. Rows (only the speed-up factor survives in this transcription): EME with AES in software, Intel: 7.39; EME with AES in software, Intel: 7.80; EME with AES in software, Athlon-64@GHz: 7.8; EME with AES in software, Intel: 8.44; EME with AES in software, Athlon-64@GHz: 9.6; EME here, Virtex IV@49MHz: 1.00 (reference).

Slide 39: Side Channel Attacks. Physical attacks on cryptographic devices take advantage of specific implementation characteristics to recover the secret parameters involved in the computation.

Slide 40: Side Channel Attacks (contd.). The adversary tries to exploit physical information leakages such as: timing information (Kocher, 1996); power consumption (Kocher, 1999); electromagnetic radiation (Agrawal, 2002).

Slide 41: Side Channel Attacks Against EME and EME2. EME: ECB-Mask-ECB. The weakness of the xtimes operation is widely known. xtimes can be implemented by a linear feedback shift register (LFSR).
Algorithm xtimes(L)
  b ← MSB(L)
  L ← L << 1
  if b = 1 then L ← L XOR Q
  return L
Studies on the vulnerability of LFSRs to side channel attacks have been published [Joux and Delaunay, 2006] and [Burman et al., 2007].

Slide 42: Side Channel Attacks Against EME and EME2. Assumption: if the operation xL is implemented according to the algorithm xtimes shown on the last slide, then the MSB of L can be obtained. Proposition: if xtimes is applied k (k ≤ n) times successively on L, then the k most significant bits of L can be recovered. In order to prove the proposition we describe the following procedure to recover the k bits of L.
Algorithm Recover(Q, k, L)
  1. D = (d_{n-1}, d_{n-2}, ..., d_0) ← 0^n
  2. B ← empty string
  3. for i ← 1 to k
  4.   (b, L') ← SC(x^i L)   (b is the MSB of x^{i-1} L leaked by the side channel, L' = x^i L)
  5.   if d_{n-1} = 0
  6.     B ← B || b
  7.   else
  8.     B ← B || ~b
  9.   end if
  10.  D ← D << 1
  11.  if b = 1
  12.    D ← D XOR Q
  13.  end if
  14.  L ← L'
  15. end for
  16. return B

Slide 43: Side Channel Attacks Against EME and EME2. (Worked trace of Algorithm Recover with n = 8 and Q = 00011011, the polynomial $x^8 + x^4 + x^3 + x + 1$, on an 8-bit L. For i = 1, ..., 8 the table shows the leaked bit b, the test on $d_7$ (take b if $d_7 = 0$, take ~b otherwise), the updates L ← L << 1 and D ← D << 1, each XORed with Q when b = 1, and the growing string B. After 8 steps L has been recovered completely.)
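The leak model of slides 41 to 43 and the Recover procedure, as an added example that is not part of the slides: a branchy xtimes whose MSB is recorded at every step (the side channel the slides assume), Recover run over the recorded bits, and the branch-free xtimes that removes the data-dependent branch. The 8-bit field constant 0x1B is the one from slide 43; the 128-bit constant 0x87 and the sample values of L are assumptions made for the illustration.

```python
# Added example (not from the slides): MSB leak of a branchy xtimes, Algorithm Recover,
# and the branch-free xtimes used to avoid the leak.
N = 8
Q = 0x1B          # x^8 + x^4 + x^3 + x + 1, the field polynomial used on slide 43


def xtimes_branchy(L, n=N, q=Q):
    """xtimes as written on slide 41: shift, then XOR Q only if the MSB was set.
    Returns (b, xL); b is exactly the bit that a side channel on the branch exposes."""
    b = (L >> (n - 1)) & 1
    L = (L << 1) & ((1 << n) - 1)
    if b == 1:                       # data-dependent branch
        L ^= q
    return b, L


def xtimes_branchfree(L, n=N, q=Q):
    """Same function without a branch: Q is masked by an all-ones or all-zeros word."""
    mask = -((L >> (n - 1)) & 1) & ((1 << n) - 1)
    return ((L << 1) & ((1 << n) - 1)) ^ (mask & q)


def leaky_chain(L, k, n=N, q=Q):
    """Simulated L-side-channel: apply xtimes k times to a secret L and record each MSB."""
    leaks = []
    for _ in range(k):
        b, L = xtimes_branchy(L, n, q)
        leaks.append(b)
    return leaks


def recover(leaks, q, n=N):
    """Algorithm Recover of slide 42: turn k leaked MSBs into the k most significant bits of L.
    Invariant: the value inside the LFSR before step i equals (L << (i-1)) XOR D,
    so the leaked MSB must be flipped whenever d_{n-1} = 1."""
    D = 0
    bits = []
    for b in leaks:
        d_top = (D >> (n - 1)) & 1
        bits.append(b ^ d_top)       # d_{n-1} = 0: take b; otherwise take ~b
        D = (D << 1) & ((1 << n) - 1)
        if b == 1:
            D ^= q
    return bits


def recover_int(L, k, n=N, q=Q):
    """Run the simulated leak and Recover; returns the recovered k MSBs of L as an integer."""
    bits = recover(leaky_chain(L, k, n, q), q, n)
    return int("".join(str(b) for b in bits), 2)


if __name__ == "__main__":
    secret = 0b10011001                      # constructed 8-bit L
    print(bin(recover_int(secret, 8)))       # all 8 bits recovered after 8 xtimes
    print(bin(recover_int(secret, 5)))       # 5 xtimes leak the 5 MSBs only
```

The branch-free version computes the same field element for every input (the test checks all 256 values of the 8-bit field), which is the property an implementation of $x^{i-1}L$ and $x^{i-1}M$ in EME needs so that the per-step MSB is never selected by a branch; in Python this is only a model of the constant-time idiom, the real guarantee comes from the hardware or C code that adopts it.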

Slide 44: Side Channel Attacks Against EME and EME2. EME: ECB-Mask-ECB, with $L = xE_K(0^n)$ and $M = MP \oplus MC$.
Algorithm EME.Encrypt_{T,K}(P)
  1. Partition P into P_1, P_2, ..., P_m
  2. L ← x E_K(0^n)
  3. for i ← 1 to m do
  4.   PP_i ← x^{i-1} L XOR P_i
  5.   PPP_i ← E_K(PP_i)
  6. end for
  7. SP ← PPP_2 XOR PPP_3 XOR ... XOR PPP_m
  8. MP ← PPP_1 XOR SP XOR T
  9. MC ← E_K(MP)
  10. M ← MP XOR MC
  11. for i ← 2 to m do
  12.   CCC_i ← PPP_i XOR x^{i-1} M
  13. end for
  14. SC ← CCC_2 XOR CCC_3 XOR ... XOR CCC_m
  15. CCC_1 ← MC XOR SC XOR T
  16. for i ← 1 to m do
  17.   CC_i ← E_K(CCC_i)
  18.   C_i ← x^{i-1} L XOR CC_i
  19. end for
  20. return C_1, C_2, ..., C_m
xtimes is applied m−1 times on $L = xE_K(0^n)$ and m−1 times on M. We call these the L-side-channel and the M-side-channel respectively. We can recover m bits of $xE_K(0^n)$ and m−1 bits of M.

Slide 45: The Distinguishing Attack against EME. EME: ECB-Mask-ECB.
  1. Apply an arbitrary encryption query of n blocks with an arbitrary tweak. Obtain the n bits of $E_K(0^n)$ from the L-side-channel. Compute $L = x E_K(0^n)$.
  2. Apply an encryption query with the single-block plaintext L and tweak $x^{-1}L = E_K(0^n)$. Let C be the response of this query.
  3. If C is equal to $(1 \oplus x)\, x^{-1} L$ output "EME", otherwise output "random".
(Figure, tracing the single-block query: $PP = 0$, $PPP = E_K(0)$, $SP = 0$, $MP = 0$, $MC = E_K(0)$, $SC = 0$, $CCC = 0$, $CC = E_K(0)$, so $C = L \oplus E_K(0) = xE_K(0) \oplus E_K(0) = (1 \oplus x)\, x^{-1} L$.) If the SCA can predict the output of EME then it is not an SPRP.
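EME.Encrypt as listed on slide 44 together with its inverse, as an added example that is not code from the slides or from the EME authors. The block cipher is a toy 128-bit Feistel permutation built from SHA-256 (an assumption standing in for AES; it is a permutation but not a secure cipher), the field constant 0x87 for $\mathrm{GF}(2^{128})$ and the sample blocks are constructed. The helper `_powers` makes the m−1 successive xtimes on L and on M explicit, and `leaked_L_predicts_eme` reproduces the single-block prediction of slide 45 once $E_K(0^n)$ is known, which is the reason those xtimes chains must not leak.

```python
# Added example (not from the slides): EME encryption/decryption over a toy PRP.
import hashlib
from functools import reduce
from operator import xor

BITS = 128
MASK = (1 << BITS) - 1
Q = 0x87                       # x^128 + x^7 + x^2 + x + 1 (assumed field polynomial)


def xtimes(a):
    """Multiply by x in GF(2^128): shift and conditional XOR (slide 8)."""
    return ((a << 1) & MASK) ^ (Q if a >> (BITS - 1) else 0)


def _round(key, i, half):
    """Round function of the toy cipher: 64 bits of SHA-256(key, round, half)."""
    d = hashlib.sha256(key + bytes([i]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big")


def prp(key, block):
    """Toy 128-bit keyed permutation: 4-round Feistel (stand-in for E_K, not secure)."""
    l, r = block >> 64, block & ((1 << 64) - 1)
    for i in range(4):
        l, r = r, l ^ _round(key, i, r)
    return (l << 64) | r


def prp_inv(key, block):
    """Inverse of prp (E_K^{-1})."""
    l, r = block >> 64, block & ((1 << 64) - 1)
    for i in reversed(range(4)):
        l, r = r ^ _round(key, i, l), l
    return (l << 64) | r


def _powers(v, count):
    """[v, xv, x^2 v, ...] of length count, produced by count-1 successive xtimes."""
    out = [v]
    for _ in range(count - 1):
        out.append(xtimes(out[-1]))
    return out


def xor_all(values):
    return reduce(xor, values, 0)


def eme_encrypt(key, T, P):
    """EME.Encrypt_{T,K}(P) for a list P of m 128-bit blocks, step numbers as on slide 44."""
    E = lambda b: prp(key, b)
    m = len(P)
    L = xtimes(E(0))                                     # step 2
    Lpow = _powers(L, m)                                 # x^{i-1} L: m-1 xtimes, the L-side-channel
    PPP = [E(P[i] ^ Lpow[i]) for i in range(m)]          # steps 3-6
    SP = xor_all(PPP[1:])                                # step 7
    MP = PPP[0] ^ SP ^ T                                 # step 8
    MC = E(MP)                                           # step 9
    M = MP ^ MC                                          # step 10
    Mpow = _powers(M, m)[1:]                             # x^{i-1} M, i >= 2: m-1 xtimes, the M-side-channel
    CCC = [None] + [PPP[i] ^ Mpow[i - 1] for i in range(1, m)]   # steps 11-13
    SC = xor_all(CCC[1:])                                # step 14
    CCC[0] = MC ^ SC ^ T                                 # step 15
    return [E(CCC[i]) ^ Lpow[i] for i in range(m)]       # steps 16-20


def eme_decrypt(key, T, C):
    """Inverse of eme_encrypt: the same structure run backwards with E_K^{-1}."""
    E, D = (lambda b: prp(key, b)), (lambda b: prp_inv(key, b))
    m = len(C)
    L = xtimes(E(0))
    Lpow = _powers(L, m)
    CCC = [D(C[i] ^ Lpow[i]) for i in range(m)]
    SC = xor_all(CCC[1:])
    MC = CCC[0] ^ SC ^ T
    MP = D(MC)
    M = MP ^ MC
    Mpow = _powers(M, m)[1:]
    PPP = [None] + [CCC[i] ^ Mpow[i - 1] for i in range(1, m)]
    SP = xor_all(PPP[1:])
    PPP[0] = MP ^ SP ^ T
    return [D(PPP[i]) ^ Lpow[i] for i in range(m)]


def constructed_blocks(m):
    """Deterministic sample plaintext blocks (constructed for the example)."""
    return [((i + 1) * 0x9E3779B97F4A7C15F39CC0605CEDC835) & MASK for i in range(m)]


def roundtrip_ok(key, T, m):
    P = constructed_blocks(m)
    return eme_decrypt(key, T, eme_encrypt(key, T, P)) == P


def leaked_L_predicts_eme(key):
    """Slide 45: with E_K(0^n) known, the query (P = L, T = E_K(0^n)) has the predictable
    answer (1 + x) x^{-1} L = E_K(0^n) XOR L."""
    e0 = prp(key, 0)
    L = xtimes(e0)
    return eme_encrypt(key, e0, [L]) == [e0 ^ L]
```

`roundtrip_ok(key, T, 32)` exercises one 512-byte sector of 32 blocks, the unit the hardware results on slides 34 to 37 are reported for; the prediction check passes for any key, which is exactly the SPRP distinguisher of slide 45 and the reason an implementation has to keep the m−1 xtimes on L and on M free of data-dependent behaviour.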

Slide 46: The Stronger Attack against EME. Proposition: oracle access to the block cipher $E_K$ is enough to encrypt any plaintext $P_1 P_2 \dots P_m$ with an arbitrary tweak T using the EME mode of operation with key K. Similarly, with oracle access to both $E_K$ and $E_K^{-1}$ one can decrypt any ciphertext $C_1 C_2 \dots C_m$ with an arbitrary tweak T which has been produced by the EME mode of operation with key K.

Slide 47: The Stronger Attack against EME. Procedure $\mathrm{AdvSCA}^{EME_K(\cdot,\cdot)}(X)$:
  1. Apply an arbitrary encryption query of n blocks with an arbitrary tweak. Obtain the n bits of $E_K(0^n)$ from the L-side-channel. Compute $L = x E_K(0^n)$.
  2. Apply an encryption query with tweak X and the following n-block plaintext: $Y \oplus L,\ Y \oplus xL,\ \dots,\ Y \oplus x^{n-1} L$. Recover n−1 bits of M using the M-side-channel; call this M'.
  3. Hence output $M' \oplus \mathrm{drop}_{n-1}(X)$.
(Figure, tracing the query: $PP_i = Y$ and $PPP_i = E_K(Y)$ for every i, $SP = E_K(Y)$, $MP = X$, $MC = E_K(X)$, $M = X \oplus E_K(X)$.) If T = X, we can recover n−1 bits of $E_K(X)$.

Slide 48: The Stronger Attack against EME. Procedure $\mathrm{AdvSCB}(X, \mathrm{drop}_{n-1}(E_K(X)))$:
  1. Apply an arbitrary encryption with n blocks with an arbitrary tweak. Obtain the n bits of L using the L-side-channel.
  2. $Z_0 \leftarrow \mathrm{drop}_{n-1}(E_K(X)) \,\|\, 0$ and $Z_1 \leftarrow \mathrm{drop}_{n-1}(E_K(X)) \,\|\, 1$.
  3. $S \leftarrow \mathrm{AdvSCA}^{EME_K(\cdot,\cdot)}(x^{-1} L \oplus Z_1)$.
  4. Apply a query with tweak $Z_1$ and the single-block plaintext $X \oplus L$. Get the output as C.
  5. If $\mathrm{drop}_{n-1}(C \oplus L) = S$ output $Z_1$, else output $Z_0$.

Slide 49: The Stronger Attack against EME. Proposition: let $\mathrm{AdvSCB}^{EME_K(\cdot,\cdot)}(X, \mathrm{drop}_{n-1}(E_K(X)))$ be the procedure above; then
$$\Pr\big[\mathrm{AdvSCB}^{EME_K(\cdot,\cdot)}(X, \mathrm{drop}_{n-1}(E_K(X))) = E_K(X)\big] \ge 1 - 2^{-n}.$$
SCB can compute $E_K(X)$ for an X of his choice with very high probability.

Slide 50: BRW Polynomials.

Slide 51: BRW Polynomials. Sarkar in 2009 proposed to use BRW as the hash function to construct efficient Tweakable Enciphering Schemes: iHCH and HEH-BRW.

Slide 52: BRW Polynomials. The BRW (Bernstein, Rabin and Winograd) polynomials were introduced by Bernstein in 2007 in order to improve polynomial evaluation. They are defined as:
$$H_r() = 0, \qquad H_r(m_1) = m_1, \qquad H_r(m_1, m_2) = m_1 r + m_2, \qquad H_r(m_1, m_2, m_3) = (r + m_1)(r^2 + m_2) + m_3,$$
$$H_r(m_1, \dots, m_n) = H_r(m_1, \dots, m_{t-1})\,(r^t + m_t) + H_r(m_{t+1}, \dots, m_n) \quad \text{if } t \in \{4, 8, 16, 32, \dots\} \text{ and } t \le n < 2t.$$
Number of multiplications: $\lfloor n/2 \rfloor$.

Slide 53: BRW Polynomials. We propose a framework to construct an efficient circuit to compute BRW polynomials using a pipelined multiplier. As an example we will use a polynomial with 16 coefficients, defined as:
$$H_r(m_1, \dots, m_{16}) = \Big( \big[ ((r+m_1)(r^2+m_2)+m_3)(r^4+m_4) + (r+m_5)(r^2+m_6)+m_7 \big](r^8+m_8) + \big[ ((r+m_9)(r^2+m_{10})+m_{11})(r^4+m_{12}) + (r+m_{13})(r^2+m_{14})+m_{15} \big] \Big)(r^{16}+m_{16}).$$
This equation has only 8 multiplications, half in comparison with a normal polynomial, and some multiplications are independent. The total number of operations is 8 multiplications, 4 squarings and 19 additions.
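The polynomial hash of slide 9 and the BRW polynomial of slides 52 and 53 side by side, as an added example that is not code from the slides: $\mathrm{GF}(2^{128})$ arithmetic with a multiplication counter, the polynomial hash by Horner's rule (m multiplications), the BRW recursion exactly as defined (⌊n/2⌋ multiplications plus the squarings $r^2, r^4, \dots$), and the expanded 16-coefficient formula written out term by term so that it can be checked against the recursion. The field polynomial $x^{128} + x^7 + x^2 + x + 1$, the hash key R and the message blocks are assumptions made for the illustration.

```python
# Added example (not from the slides): GF(2^128), the polynomial hash and BRW, with op counts.
N = 128
MASK = (1 << N) - 1
Q = 0x87          # low bits of x^128 + x^7 + x^2 + x + 1 (assumed irreducible polynomial)


class Counter:
    """Tallies field multiplications and squarings."""
    def __init__(self):
        self.mul = 0
        self.sq = 0


def gf_mul(a, b, ctr=None):
    """Shift-and-add multiplication in GF(2^128); bit i of an int is the coefficient of x^i."""
    if ctr is not None:
        ctr.mul += 1
    res = 0
    for _ in range(N):
        if b & 1:
            res ^= a
        b >>= 1
        carry = a >> (N - 1)
        a = (a << 1) & MASK          # a <- x * a ...
        if carry:
            a ^= Q                   # ... reduced modulo the field polynomial
    return res


def gf_sq(a, ctr=None):
    """Squaring, counted separately because hardware implements it more cheaply."""
    if ctr is not None:
        ctr.sq += 1
    return gf_mul(a, a)


def poly_hash(h, blocks, ctr):
    """H(h, P_1..P_m) = P_1 h^m + ... + P_m h by Horner's rule: m multiplications."""
    acc = 0
    for p in blocks:
        acc = gf_mul(acc ^ p, h, ctr)
    return acc


def brw(r, m, ctr, rpow=None):
    """BRW_r(m_1..m_n) straight from the recursive definition: floor(n/2) multiplications."""
    if rpow is None:
        rpow = {1: r}                # cache of r^t for t a power of two (one squaring each)

    def power(t):
        if t not in rpow:
            rpow[t] = gf_sq(power(t // 2), ctr)
        return rpow[t]

    n = len(m)
    if n == 0:
        return 0
    if n == 1:
        return m[0]
    if n == 2:
        return gf_mul(m[0], r, ctr) ^ m[1]
    if n == 3:
        return gf_mul(r ^ m[0], power(2) ^ m[1], ctr) ^ m[2]
    t = 4
    while 2 * t <= n:                # largest power of two with t <= n < 2t
        t *= 2
    left = brw(r, m[:t - 1], ctr, rpow)
    return gf_mul(left, power(t) ^ m[t - 1], ctr) ^ brw(r, m[t:], ctr, rpow)


def brw16_explicit(r, m, ctr):
    """The expanded 16-coefficient formula of slide 53, term by term (m is 0-indexed)."""
    r2 = gf_sq(r)
    r4 = gf_sq(r2)
    r8 = gf_sq(r4)
    r16 = gf_sq(r8)
    mul = lambda a, b: gf_mul(a, b, ctr)
    h7 = mul(mul(r ^ m[0], r2 ^ m[1]) ^ m[2], r4 ^ m[3]) ^ mul(r ^ m[4], r2 ^ m[5]) ^ m[6]
    h15 = (mul(h7, r8 ^ m[7])
           ^ mul(mul(r ^ m[8], r2 ^ m[9]) ^ m[10], r4 ^ m[11])
           ^ mul(r ^ m[12], r2 ^ m[13]) ^ m[14])
    return mul(h15, r16 ^ m[15])


R = 0x0123456789ABCDEF0FEDCBA987654321     # constructed hash key


def constructed_blocks(n):
    """Deterministic stand-in message blocks (constructed, not from the slides)."""
    return [((i + 1) * 0x9E3779B97F4A7C15F39CC0605CEDC835) & MASK for i in range(n)]


def compare_hashes(n):
    """Evaluate both hashes on n blocks and report the operation counts."""
    c_brw, c_poly = Counter(), Counter()
    hb = brw(R, constructed_blocks(n), c_brw)
    hp = poly_hash(R, constructed_blocks(n), c_poly)
    return {"brw": hb, "brw_mul": c_brw.mul, "brw_sq": c_brw.sq,
            "poly": hp, "poly_mul": c_poly.mul}


def brw16_matches_definition():
    m = constructed_blocks(16)
    return brw(R, m, Counter()) == brw16_explicit(R, m, Counter())
```

`compare_hashes(16)` reports 8 multiplications and 4 squarings for BRW against 16 multiplications for the polynomial hash, the halving claimed on slide 53; the test also confirms the ⌊n/2⌋ count for every n from 2 to 32, so the example goes slightly beyond the 16-coefficient case on the slide.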

Slide 54: BRW Polynomials. Every BRW polynomial can be represented as a tree with multiplication and addition nodes. (Figure: the tree of $H_r(m_1, \dots, m_{16})$ with its sub-trees $H_r(m_1, \dots, m_8)$, $H_r(m_1, \dots, m_4)$, $H_r(m_1, \dots, m_3)$, $H_r(m_1, m_2)$, $H_r(m_1, \dots, m_7)$, $H_r(m_1, \dots, m_5)$ and the leaves $m_1$ to $m_{16}$.) How can we simplify the tree? We can eliminate the addition nodes, leaving the connections, and denote each node by its even operand. The new tree contains only multiplication nodes.

Slide 55: BRW Polynomials. The following are true regarding the BRW tree: the number of nodes is P; the number of multiplications in level i, $N_i$, is given by a recurrence in $\lg N$; and the number of multiplications in each parallel round follows from the $N_i$. (The formulas on this slide are not recoverable from the transcription.)

Slide 56: BRW Polynomials. To achieve good performance in implementations of BRW polynomials, there are two important aspects: the scheduling of the blocks of information, trying to keep the pipeline always full; and the number of accumulators or registers required. We designed an algorithm to compute the above tasks.

Slide 57: BRW Polynomials. Scheduling using a three-stage pipelined multiplier. (Figure: clock cycles on one axis, the multiplications of $H_r(m_1, \dots, m_{16})$ on the other; the multiplications without dependencies, $(r+m_1)(r^2+m_2)$, $(r+m_5)(r^2+m_6)$, $(r+m_9)(r^2+m_{10})$ and $(r+m_{13})(r^2+m_{14})$, are issued first, and each dependent multiplication is issued once its operands have left the pipeline.)

Slide 58: BRW Polynomials. Algorithm Schedule (L1 holds nodes whose operands have all been issued, tagged with their START-TIME; L2 holds the multiplications without dependencies):
  clock = 1;
  while (there are nodes left to be scheduled)
    if L1 is not empty
      if the difference between clock and the START-TIME of the first node of L1 is greater than NSTAGES
        Delete the node from L1; output the node; decrement the indegree of its parent;
        if the indegree of the parent reduces to zero: mark its START-TIME as clock and add it to L1
      else if L2 is not empty
        Output the first node of L2; delete the node from L2; decrement the indegree of its parent;
        if the indegree of the parent reduces to zero: mark its START-TIME as clock and add it to L1
      endif
    else
      Output the first node of L2; delete the node from L2; decrement the indegree of its parent;
      if the indegree of the parent reduces to zero: mark its START-TIME as clock and add it to L1
    endif
    clock = clock + 1
  end while

Slide 59: BRW Polynomials. Some properties of the algorithm for a tree with P nodes (figure: the 16-block example). The number of connected components is the Hamming weight of P; if $\mathrm{bit}_i(P) = 1$ the tree contains a connected component with $2^i$ nodes. If the number of pipeline stages is NSTAGES and the number of message blocks is m, for which the number of nodes in the tree is P, then Algorithm Schedule gives a full pipeline in the following cases:
  1. NSTAGES = 2 and m ≥ 6 and ($\mathrm{bit}_0(P) = 1$ or $\mathrm{bit}_1(P) = 1$).
  2. NSTAGES = 3 and m ≥ 14 and $\mathrm{bit}_0(P) = 1$ and $\mathrm{bit}_1(P) = 1$.
  3. NSTAGES = 4 and m ≥ 30 and $\mathrm{bit}_0(P) = 1$ and $\mathrm{bit}_1(P) = 1$ and $\mathrm{bit}_2(P) = 1$ and $\mathrm{bit}_3(P) = 1$.
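The multiplication-only BRW tree of slide 54 and Algorithm Schedule of slide 58, simulated for a pipelined multiplier, as an added example that is not code from the slides. The tree is built from the BRW recursion (each node is named after its even operand, as on slide 54); the scheduler keeps the two lists of slide 58 and issues one multiplication per cycle. One convention is an assumption: a dependent node is treated as ready when `clock - START-TIME >= NSTAGES` (a product issued at cycle c is consumed from cycle c + NSTAGES on), which is the reading under which the full-pipeline cases of slide 59 hold for this tree model.

```python
# Added example (not from the slides): BRW multiplication tree and the list scheduler.
from collections import deque


class Node:
    """One multiplication node, named after its even operand index (slide 54)."""
    def __init__(self, label):
        self.label = label
        self.children = []     # multiplication nodes whose sum feeds this product
        self.parent = None
        self.indegree = 0      # children not yet issued
        self.start = None      # START-TIME: cycle at which the last child was issued


def brw_tree(m):
    """Multiplication nodes of BRW_r(m_1..m_m), in creation order."""
    nodes = []

    def build(lo, hi):
        n = hi - lo + 1
        if n <= 1:                    # 0 or 1 coefficient: no multiplication
            return []
        if n <= 3:                    # m_lo r + m_{lo+1}  or  (r+m_lo)(r^2+m_{lo+1}) + m_{lo+2}
            node = Node(lo + 1)
            nodes.append(node)
            return [node]
        t = 4
        while 2 * t <= n:             # t <= n < 2t, t a power of two
            t *= 2
        left = build(lo, lo + t - 2)  # BRW(m_lo..m_{lo+t-2}) is the left operand ...
        node = Node(lo + t - 1)       # ... multiplied by (r^t + m_{lo+t-1})
        node.children = left
        node.indegree = len(left)
        for child in left:
            child.parent = node
        nodes.append(node)
        return [node] + build(lo + t, hi)   # plus BRW(m_{lo+t}..m_hi), a separate sum term

    build(1, m)
    return nodes


def component_sizes(m):
    """Sizes of the connected components of the tree (roots have no parent)."""
    def size(node):
        return 1 + sum(size(c) for c in node.children)
    return sorted(size(n) for n in brw_tree(m) if n.parent is None)


def schedule(m, nstages):
    """Algorithm Schedule of slide 58; returns (total cycles, [(cycle, node label), ...])."""
    nodes = brw_tree(m)
    ready = deque()                                    # L1: dependent nodes whose operands were issued
    free = deque(n for n in nodes if n.indegree == 0)  # L2: multiplications without dependencies
    order = []
    clock = 1

    def issue(node):
        order.append((clock, node.label))
        parent = node.parent
        if parent is not None:
            parent.indegree -= 1
            if parent.indegree == 0:
                parent.start = clock
                ready.append(parent)

    while len(order) < len(nodes):
        if ready and clock - ready[0].start >= nstages:
            issue(ready.popleft())
        elif free:
            issue(free.popleft())
        # otherwise the pipeline takes a bubble: nothing can be issued this cycle
        clock += 1
    return clock - 1, order


def pipeline_full(m, nstages):
    """True when the schedule has no bubbles (cycles == multiplications)."""
    cycles, order = schedule(m, nstages)
    return cycles == len(order)


if __name__ == "__main__":
    print(schedule(16, 3))            # 8 multiplications, 10 cycles: two bubbles before node 16
    print(schedule(14, 3))            # P = 7, bits 0 and 1 set: 7 multiplications in 7 cycles
    print(component_sizes(30))        # P = 15: components of 1, 2, 4 and 8 nodes
```

For 16 blocks (P = 8, bits 0 and 1 clear) the three-stage schedule stalls twice waiting for the root multiplication, while 14 blocks with three stages, 6 blocks with two stages and 30 blocks with four stages fill the pipeline, which are the three cases listed on slide 59.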

Slide 60: The HEH-BRW Mode of Operation. It is easy to see the improvement in time: HEH takes 75 clock cycles while HEH-BRW takes 55.

Slide 61: The HEH-BRW Mode of Operation. We use: a three-stage pipelined Karatsuba-Ofman multiplier (KOM); an AES design suitable for Virtex 5 FPGAs (Standaert et al., 2008). (Figure: architecture for HEH-BRW with AES in counter and simple mode, key generator and counter; a BRW hash unit built around the three-stage pipelined KOM with two squaring units, two accumulators and an xtimes block; and a microprogrammed control unit issuing control words.)

Slide 62: Results. First table, columns: Mode | Slices | Frequency (MHz) | Clock Cycles | Time (ns) | Latency (ns) | Throughput (GBits/Sec) | TPA; rows: iHCH, HEH-BRW. Second table, columns: Mode | Slices | B-RAM | Frequency (MHz) | Clock Cycles | Time (µs) | Latency (µs) | Throughput (GBits/Sec); rows: HCHfp, HEH. (The numeric entries are not present in this transcription.)

Slide 63: Publications.
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. Efficient Implementations of Some Tweakable Enciphering Schemes in Reconfigurable Hardware. In INDOCRYPT, volume 4859 of Lecture Notes in Computer Science, Springer, 2007 (work done in my master's thesis).
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. Reconfigurable Hardware Implementations of Tweakable Enciphering Schemes (extended and improved version of the previous), IEEE Transactions on Computers (under review).
- C. Mancillas-López, D. Chakraborty, and F. Rodríguez-Henríquez. On Some Weaknesses in the Disk Encryption Schemes EME and EME2. International Conference on Information Systems Security (ICISS 2009), Lecture Notes in Computer Science (to appear).
- D. Chakraborty, C. Mancillas-López, F. Rodríguez-Henríquez, P. Sarkar. Polynomial Evaluation with Applications to Disk Encryption (under preparation).

Slide 64: Future Work. Side channel attacks: we have just started the preliminary investigations on side channel weaknesses of disk encryption schemes. We will do side channel analysis of more modes. We also plan to build an experimental setup for side channel attacks and demonstrate the attacks on real hardware implementations. New constructions: we plan to explore new constructions in the following directions. 1) Using stream ciphers instead of block ciphers; a preliminary proposal regarding this was published this year by Sarkar, and we plan to improve upon this construction. 2) Exploring the use of weak pseudorandom functions (WPRF) for constructing TES.

Slide 65: Future Work. New applications, secure backup: 1. We shall study the specific security requirements of the secure backup application. 2. Design a scheme to achieve secure backup. 3. Implementation and practical proofs.

Slide 66: Calendar (the original grid marks the quarters of each year with X). First year (2009): 1. Study of the theoretical background. 2. Efficient implementation of existing constructions. 3. Improve existing constructions. Second year: 4. Side channel attacks. 5. Propose new schemes using other primitives. 6. Propose new schemes using WPRF. 7. Courses (Cryptography II, Reconfigurable Computing, Selected Topics on Symmetric Key Cryptography). 8. New applications: secure backup. Third year: thesis manuscript.

Slide 67: Thank you for your attention.


More information

e-companion ONLY AVAILABLE IN ELECTRONIC FORM

e-companion ONLY AVAILABLE IN ELECTRONIC FORM OPERATIONS RESEARCH doi 10.1287/opre.1070.0427ec pp. ec1 ec5 e-copanion ONLY AVAILABLE IN ELECTRONIC FORM infors 07 INFORMS Electronic Copanion A Learning Approach for Interactive Marketing to a Custoer

More information

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Authenticated Encryption Mode for Beyond the Birthday Bound Security Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key

More information

Feature Extraction Techniques

Feature Extraction Techniques Feature Extraction Techniques Unsupervised Learning II Feature Extraction Unsupervised ethods can also be used to find features which can be useful for categorization. There are unsupervised ethods that

More information

s = (Y Q Y P)/(X Q - X P)

s = (Y Q Y P)/(X Q - X P) Elliptic Curves and their Applications in Cryptography Preeti Shara M.Tech Student Mody University of Science and Technology, Lakshangarh Abstract This paper gives an introduction to elliptic curves. The

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Efficient Filter Banks And Interpolators

Efficient Filter Banks And Interpolators Efficient Filter Banks And Interpolators A. G. DEMPSTER AND N. P. MURPHY Departent of Electronic Systes University of Westinster 115 New Cavendish St, London W1M 8JS United Kingdo Abstract: - Graphical

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland

More information

Using EM To Estimate A Probablity Density With A Mixture Of Gaussians

Using EM To Estimate A Probablity Density With A Mixture Of Gaussians Using EM To Estiate A Probablity Density With A Mixture Of Gaussians Aaron A. D Souza adsouza@usc.edu Introduction The proble we are trying to address in this note is siple. Given a set of data points

More information

A remark on a success rate model for DPA and CPA

A remark on a success rate model for DPA and CPA A reark on a success rate odel for DPA and CPA A. Wieers, BSI Version 0.5 andreas.wieers@bsi.bund.de Septeber 5, 2018 Abstract The success rate is the ost coon evaluation etric for easuring the perforance

More information

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis Soft Coputing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis Beverly Rivera 1,2, Irbis Gallegos 1, and Vladik Kreinovich 2 1 Regional Cyber and Energy Security Center RCES

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

1 Proof of learning bounds

1 Proof of learning bounds COS 511: Theoretical Machine Learning Lecturer: Rob Schapire Lecture #4 Scribe: Akshay Mittal February 13, 2013 1 Proof of learning bounds For intuition of the following theore, suppose there exists a

More information

High Performance GHASH Function for Long Messages

High Performance GHASH Function for Long Messages High Performance GHASH Function for Long Messages Nicolas Méloni 1, Christophe Négre 2 and M. Anwar Hasan 1 1 Department of Electrical and Computer Engineering University of Waterloo, Canada 2 Team DALI/ELIAUS

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations

More information

A note on the multiplication of sparse matrices

A note on the multiplication of sparse matrices Cent. Eur. J. Cop. Sci. 41) 2014 1-11 DOI: 10.2478/s13537-014-0201-x Central European Journal of Coputer Science A note on the ultiplication of sparse atrices Research Article Keivan Borna 12, Sohrab Aboozarkhani

More information

An Introduction to Authenticated Encryption. Palash Sarkar

An Introduction to Authenticated Encryption. Palash Sarkar An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata palash@isical.ac.in 20 September 2016 Presented at the Workshop on Authenticated

More information

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata Further More o Key Wrappig 011//17 SKEW011 Lygby Nagoya Uiversity Yasushi Osaki, Tetsu Iwata 1 What is key wrappig? Used to ecrypt specialized data, such as cryptographic keys A key wrappig that also esures

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

Symmetric Encryption

Symmetric Encryption 1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently

More information

STES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data

STES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data STES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data Debrup Chakraborty 1, Cuauhtemoc Mancillas-López 1, Palash Sarkar 2 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508 San

More information

Generalized Queries on Probabilistic Context-Free Grammars

Generalized Queries on Probabilistic Context-Free Grammars IEEE TRANSACTIONS ON PATTERN ANALYSIS AND MACHINE INTELLIGENCE, VOL. 20, NO. 1, JANUARY 1998 1 Generalized Queries on Probabilistic Context-Free Graars David V. Pynadath and Michael P. Wellan Abstract

More information

Short Papers. Test Data Compression and Decompression Based on Internal Scan Chains and Golomb Coding

Short Papers. Test Data Compression and Decompression Based on Internal Scan Chains and Golomb Coding IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 1, NO. 6, JUNE 00 715 Short Papers Test Data Copression and Decopression Based on Internal Scan Chains and Golob Coding

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

A Model for the Selection of Internet Service Providers

A Model for the Selection of Internet Service Providers ISSN 0146-4116, Autoatic Control and Coputer Sciences, 2008, Vol. 42, No. 5, pp. 249 254. Allerton Press, Inc., 2008. Original Russian Text I.M. Aliev, 2008, published in Avtoatika i Vychislitel naya Tekhnika,

More information

PEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas

PEA: Polymorphic Encryption Algorithm based on quantum computation. Nikos Komninos* and Georgios Mantas Int. J. Systes, Control and Counications, Vol. 3, No., PEA: Polyorphic Encryption Algorith based on quantu coputation Nikos Koninos* and Georgios Mantas Algoriths and Security Group, Athens Inforation

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information

2. Accelerated Computations

2. Accelerated Computations 2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message

More information

Quantum public-key cryptosystems based on induced trapdoor one-way transformations

Quantum public-key cryptosystems based on induced trapdoor one-way transformations Quantu public-key cryptosystes based on induced trapdoor one-way transforations Li Yang a, Min Liang a, Bao Li a, Lei Hu a, Deng-Guo Feng b arxiv:1012.5249v2 [quant-ph] 12 Jul 2011 a State Key Laboratory

More information

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 5: Pseudorandom functions from pseudorandom generators Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But

More information

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval

Uniform Approximation and Bernstein Polynomials with Coefficients in the Unit Interval Unifor Approxiation and Bernstein Polynoials with Coefficients in the Unit Interval Weiang Qian and Marc D. Riedel Electrical and Coputer Engineering, University of Minnesota 200 Union St. S.E. Minneapolis,

More information

Equational Security of a Lattice-based Oblivious Transfer Protocol

Equational Security of a Lattice-based Oblivious Transfer Protocol Journal of Network Intelligence c 2016 ISSN 2414-8105 (Online) Taiwan Ubiquitous Inforation Volue 2, Nuber 3, August 2017 Equational Security of a Lattice-based Oblivious Transfer Protocol Mo-Meng Liu

More information

Defect-Aware SOC Test Scheduling

Defect-Aware SOC Test Scheduling Defect-Aware SOC Test Scheduling Erik Larsson +, Julien Pouget*, and Zebo Peng + Ebedded Systes Laboratory + LIRMM* Departent of Coputer Science Montpellier 2 University Linköpings universitet CNRS Sweden

More information

Statistical Logic Cell Delay Analysis Using a Current-based Model

Statistical Logic Cell Delay Analysis Using a Current-based Model Statistical Logic Cell Delay Analysis Using a Current-based Model Hanif Fatei Shahin Nazarian Massoud Pedra Dept. of EE-Systes, University of Southern California, Los Angeles, CA 90089 {fatei, shahin,

More information

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t.

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t. CS 493: Algoriths for Massive Data Sets Feb 2, 2002 Local Models, Bloo Filter Scribe: Qin Lv Local Models In global odels, every inverted file entry is copressed with the sae odel. This work wells when

More information

NBN Algorithm Introduction Computational Fundamentals. Bogdan M. Wilamoswki Auburn University. Hao Yu Auburn University

NBN Algorithm Introduction Computational Fundamentals. Bogdan M. Wilamoswki Auburn University. Hao Yu Auburn University NBN Algorith Bogdan M. Wilaoswki Auburn University Hao Yu Auburn University Nicholas Cotton Auburn University. Introduction. -. Coputational Fundaentals - Definition of Basic Concepts in Neural Network

More information

Analyzing Simulation Results

Analyzing Simulation Results Analyzing Siulation Results Dr. John Mellor-Cruey Departent of Coputer Science Rice University johnc@cs.rice.edu COMP 528 Lecture 20 31 March 2005 Topics for Today Model verification Model validation Transient

More information

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2 0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod

More information

Using a De-Convolution Window for Operating Modal Analysis

Using a De-Convolution Window for Operating Modal Analysis Using a De-Convolution Window for Operating Modal Analysis Brian Schwarz Vibrant Technology, Inc. Scotts Valley, CA Mark Richardson Vibrant Technology, Inc. Scotts Valley, CA Abstract Operating Modal Analysis

More information

DTTF/NB479: Dszquphsbqiz Day 26

DTTF/NB479: Dszquphsbqiz Day 26 DTTF/NB479: Dszquphsbqiz Day 26 Announceents:. HW6 due now 2. HW7 posted 3. Will pick pres dates Friday Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions, SHA, Birthday attacks

More information

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions

Linear recurrences and asymptotic behavior of exponential sums of symmetric boolean functions Linear recurrences and asyptotic behavior of exponential sus of syetric boolean functions Francis N. Castro Departent of Matheatics University of Puerto Rico, San Juan, PR 00931 francis.castro@upr.edu

More information

Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links

Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Time-Varying Jamming Links Vulnerability of MRD-Code-Based Universal Secure Error-Correcting Network Codes under Tie-Varying Jaing Links Jun Kurihara KDDI R&D Laboratories, Inc 2 5 Ohara, Fujiino, Saitaa, 356 8502 Japan Eail: kurihara@kddilabsjp

More information

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24

More information

A Parallelizable Enciphering Mode

A Parallelizable Enciphering Mode A Parallelizable Enciphering Mode Shai Halevi Phillip Rogaway June 17, 2003 Abstract We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme

More information

arxiv: v3 [cs.ds] 22 Mar 2016

arxiv: v3 [cs.ds] 22 Mar 2016 A Shifting Bloo Filter Fraewor for Set Queries arxiv:1510.03019v3 [cs.ds] Mar 01 ABSTRACT Tong Yang Peing University, China yangtongeail@gail.co Yuanun Zhong Nanjing University, China un@sail.nju.edu.cn

More information

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay

A Low-Complexity Congestion Control and Scheduling Algorithm for Multihop Wireless Networks with Order-Optimal Per-Flow Delay A Low-Coplexity Congestion Control and Scheduling Algorith for Multihop Wireless Networks with Order-Optial Per-Flow Delay Po-Kai Huang, Xiaojun Lin, and Chih-Chun Wang School of Electrical and Coputer

More information

MATRIX POWER S-BOX ANALYSIS 1. Kestutis Luksys, Petras Nefas

MATRIX POWER S-BOX ANALYSIS 1. Kestutis Luksys, Petras Nefas International Book Series "Inforation Science and Coputing" 97 MATRIX POWER S-BOX ANALYSIS Keutis Luksys, Petras Nefas Abract: Conruction of syetric cipher S-bo based on atri power function and dependant

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

Fast Key Recovery Attack on ARMADILLO1 and Variants

Fast Key Recovery Attack on ARMADILLO1 and Variants Fast Key Recovery Attack on ARMADILLO and Variants Pouyan Sepehrdad, Petr Sušil, and Serge Vaudenay EPFL, Lausanne, Switzerland {pouyan.sepehrdad,petr.susil,serge.vaudenay}@epfl.ch Abstract. The ARMADILLO

More information

Lec 05 Arithmetic Coding

Lec 05 Arithmetic Coding Outline CS/EE 5590 / ENG 40 Special Topics (7804, 785, 7803 Lec 05 Arithetic Coding Lecture 04 ReCap Arithetic Coding About Hoework- and Lab Zhu Li Course Web: http://l.web.ukc.edu/lizhu/teaching/06sp.video-counication/ain.htl

More information

CSc 466/566. Computer Security. 5 : Cryptography Basics

CSc 466/566. Computer Security. 5 : Cryptography Basics 1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian

More information

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines Intelligent Systes: Reasoning and Recognition Jaes L. Crowley osig 1 Winter Seester 2018 Lesson 6 27 February 2018 Outline Perceptrons and Support Vector achines Notation...2 Linear odels...3 Lines, Planes

More information

Kernel Methods and Support Vector Machines

Kernel Methods and Support Vector Machines Intelligent Systes: Reasoning and Recognition Jaes L. Crowley ENSIAG 2 / osig 1 Second Seester 2012/2013 Lesson 20 2 ay 2013 Kernel ethods and Support Vector achines Contents Kernel Functions...2 Quadratic

More information

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 15: Unstructured search and spatial search

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 15: Unstructured search and spatial search Quantu algoriths (CO 781, Winter 2008) Prof Andrew Childs, University of Waterloo LECTURE 15: Unstructured search and spatial search ow we begin to discuss applications of quantu walks to search algoriths

More information

A New Algorithm for Reactive Electric Power Measurement

A New Algorithm for Reactive Electric Power Measurement A. Abiyev, GAU J. Soc. & Appl. Sci., 2(4), 7-25, 27 A ew Algorith for Reactive Electric Power Measureent Adalet Abiyev Girne Aerican University, Departernt of Electrical Electronics Engineering, Mersin,

More information

On the Counter Collision Probability of GCM*

On the Counter Collision Probability of GCM* On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf

More information

L S is not p m -hard for NP. Moreover, we prove for every L NP P, that there exists a sparse S EXP such that L S is not p m -hard for NP.

L S is not p m -hard for NP. Moreover, we prove for every L NP P, that there exists a sparse S EXP such that L S is not p m -hard for NP. Properties of NP-Coplete Sets Christian Glaßer, A. Pavan, Alan L. Selan, Saik Sengupta January 15, 2004 Abstract We study several properties of sets that are coplete for NP. We prove that if L is an NP-coplete

More information

New Implementations of the WG Stream Cipher

New Implementations of the WG Stream Cipher New Implementations of the WG Stream Cipher Hayssam El-Razouk, Arash Reyhani-Masoleh, and Guang Gong Abstract This paper presents two new hardware designs of the WG-28 cipher, one for the multiple output

More information

a a a a a a a m a b a b

a a a a a a a m a b a b Algebra / Trig Final Exa Study Guide (Fall Seester) Moncada/Dunphy Inforation About the Final Exa The final exa is cuulative, covering Appendix A (A.1-A.5) and Chapter 1. All probles will be ultiple choice

More information

Side Channel Analysis and Protection for McEliece Implementations

Side Channel Analysis and Protection for McEliece Implementations Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview

More information

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Inspection; structural health monitoring; reliability; Bayesian analysis; updating; decision analysis; value of information

Inspection; structural health monitoring; reliability; Bayesian analysis; updating; decision analysis; value of information Cite as: Straub D. (2014). Value of inforation analysis with structural reliability ethods. Structural Safety, 49: 75-86. Value of Inforation Analysis with Structural Reliability Methods Daniel Straub

More information

Evaluation of Countermeasure Implementations Based on Boolean Masking to Thwart Side-Channel Attacks

Evaluation of Countermeasure Implementations Based on Boolean Masking to Thwart Side-Channel Attacks Author anuscript, published in "N/P" Evaluation of Countereasure Ipleentations Based on Boolean Masing to Thwart ide-channel Attacs Housse Maghrebi, Jean-Luc Danger, Florent Flaent, ylvain Guilley, Laurent

More information