D6.9 Report on security testing
PRISMACLOUD aims at bringing novel cryptographic concepts and methods to practical application to improve the security and privacy of cloud based services and makes them usable for providers and users.
This document is a report on the security analysis performed on the prototype device demonstrating the hardware secure implementation of crypto primitives that was performed during task T6.4. The prototype device implements a redactable signature scheme such as described in deliverable D4.4  that is robust to attacks with quantum computers. Deliverable D6.7  explains the choice of Keccak and BLISS as cryptographic primitives. Deliverable D6.8  describes the hardware itself.
The hardware implementation of these primitives aims at providing more performance on speed and security. Hardware implementation generally offer tamper resistance to a wide variety of attacks including side channel attacks, provided that the right counter measures are implemented. It is the purpose of Task 6.4 to evaluate the robustness of the cryptographic primitives.
A short risk analysis allows to focus the evaluation on the signing algorithm (BLISS). An analysis of the algorithm shows a vulnerability in the sparse multiplication that could be used to gain access to the key. The hardware has been slightly modified to ease the characterisation of the vulnerability, and a characterisation has been conducted, showing a path to an attack of the sparse multiplication. The masking property of the scalar product used in Greedy Scale makes it impossible to build an equation system to retrieve the coefficients of the key directly. But another property of the key coefficients allows to overcome that difficulty. The secret key coefficients are elements of a cyclotomic ring which has convenient multiplication properties. Within the trace we should always find the trace of a coefficient and its opposite. Thanks to this property a simple algorithm to retrieve the coefficient has been designed and the keys retrieved. With knowledge of this attack, it is possible to describe some countermeasures that would harden the sparse multiplication and make the attack impossible.