Ingrid Verbauwhede

Archisman Ghosh, J. M. B. Mera, Angshuman Karmakar et al.

National Institute of Standard & Technology (NIST) is currently running a multi-year-long standardization procedure to select quantum-safe or post-quantum cryptographic schemes to be used in the future. Saber is the only LWR based algorithm to be in the final of Round 3. This work presents a Saber ASIC which provides 1.37X power-efficient, 1.75x lower area, and 4x less memory implementation w.r.t. other SoA PQC ASIC. The energy-hungry multiplier block is 1.5x energyefficient than SoA.

Antoon Purnal, Ingrid Verbauwhede

Timing channels in cache hierarchies are an important enabler in many microarchitectural attacks. ScatterCache (USENIX 2019) is a protected cache architecture that randomizes the address-to-index mapping with a keyed cryptographic function, aiming to thwart the usage of cache-based timing channels in microarchitectural attacks. In this note, we advance the understanding of the security of ScatterCache by outlining two attacks in the noise-free case, i.e. matching the assumptions in the original analysis. As a first contribution, we present more efficient eviction set profiling, reducing the required number of observable victim accesses (and hence profiling runtime) by several orders of magnitude. For instance, to construct a reliable eviction set in an 8-way set associative cache with 11 index bits, we relax victim access requirements from approximately $2^{25}$ to less than $2^{10}$ . As a second contribution, we demonstrate covert channel profiling and transmission in probabilistic caches like ScatterCache. By exploiting arbitrary collisions instead of targeted ones, our approach significantly outperforms known covert channels (e.g. full-cache eviction).

Ruan de Clercq, Ingrid Verbauwhede

CFI is a computer security technique that detects runtime attacks by monitoring a program's branching behavior. This work presents a detailed analysis of the security policies enforced by 21 recent hardware-based CFI architectures. The goal is to evaluate the security, limitations, hardware cost, performance, and practicality of using these policies. We show that many architectures are not suitable for widespread adoption, since they have practical issues, such as relying on accurate control flow model (which is difficult to obtain) or they implement policies which provide only limited security.