Side Channel Analysis & Countermeasures Begl Bilgin 27 Dec. - - PowerPoint PPT Presentation

Side Channel Analysis & Countermeasures

Begül Bilgin

27 Dec. 2014 - IAM Alumni Meeting

Adversary Models

2

Adversary Models

2

Adversary Models

Black-box Gray-box White-box

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

#Cryptanalysis

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

#Cryptanalysis

#Differential Cryp. #Linear Cryp. #Brute Force Att.

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

#Cryptanalysis

#Differential Cryp. #Linear Cryp. #Brute Force Att.

#Cube Att. #Related Key Att. #Meet-in-the-Middle Att. #Boomerang Att. #Impossible Diff. Att.

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

Crypto Algorithm

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

Crypto Algorithm

#Game Consoles #Set-top Boxes

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

Crypto Algorithm Crypto Algorithm

3

Adversary Models

Black-box Gray-box White-box

Crypto Algorithm

Key Ini Outi

Crypto Algorithm Crypto Algorithm

3

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

Active Passive

• Light attacks
• Laser cutters
• …
• Photonic inspection
• Probing
• …

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

Active Passive

• Light attacks
• Laser cutters
• …
• Photonic inspection
• Probing
• …

Active Passive

• Temperature
• r voltage change
• …
• Side channel

analysis

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

Active Passive

• Light attacks
• Laser cutters
• …
• Photonic inspection
• Probing
• …

Active Passive

• Temperature
• r voltage change
• …
• Side channel

analysis

Timing EM, Power Analysis

Simple Differential

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

Active Passive

• Light attacks
• Laser cutters
• …
• Photonic inspection
• Probing
• …

Active Passive

• Temperature
• r voltage change
• …
• Side channel

analysis

Timing EM, Power Analysis

Simple Differential Smart Card Protocol Testing Reverse Engineering Code Review

4

Adversary Models

Black-box Gray-box White-box Non-invasive (Semi)-invasive

Active Passive

• Light attacks
• Laser cutters
• …
• Photonic inspection
• Probing
• …

Active Passive

• Temperature
• r voltage change
• …
• Side channel

analysis

Timing EM, Power Analysis

Simple Differential Smart Card Protocol Testing Reverse Engineering Code Review

Passive EM, Power Analysis

Differential

4

Introduction to Power Analysis

5

6

Measurement Setup

Oscilloscope Clock Gen. & Power Supply Device Under Test

6

Measurement Setup

Oscilloscope Clock Gen. & Power Supply Device Under Test

• Instantaneous power over time

6

Measurement Setup

Oscilloscope Clock Gen. & Power Supply Device Under Test

• Instantaneous power over time
• Realistic ???

6

Measurement Setup

Oscilloscope Clock Gen. & Power Supply Device Under Test

• Instantaneous power over time
• Realistic ???
• Yes

6

Measurement Setup

Oscilloscope Clock Gen. & Power Supply Device Under Test

• Instantaneous power over time
• Realistic ???
• Yes
• Almost (Noise, trigger point, sampling rate etc.)

7

Power Analysis

7

Power Analysis

• Dominant technology: CMOS (Complementary metal oxide semiconductor)
• Low static power consumption
• High dynamic power consumption
• Power consumption depends on input

7

Power Analysis

• Dominant technology: CMOS (Complementary metal oxide semiconductor)
• Low static power consumption
• High dynamic power consumption
• Power consumption depends on input
• Signal switch consumes more power
• 0 → 0 : low
• 0 → 1 : high
• 1 → 0 : high
• 1 → 1 : low

7

Power Analysis

• Dominant technology: CMOS (Complementary metal oxide semiconductor)
• Low static power consumption
• High dynamic power consumption
• Power consumption depends on input
• Leakage of Enc(pt,key)

creates a fingerprint

[courtesy: P . Kocher]

• Signal switch consumes more power
• 0 → 0 : low
• 0 → 1 : high
• 1 → 0 : high
• 1 → 1 : low

8

Simple Power Analysis

8

Simple Power Analysis

• Analysis using one (pt, key) pair

8

Simple Power Analysis

• Analysis using one (pt, key) pair
• Pattern recognition

8

Simple Power Analysis

• Analysis using one (pt, key) pair
• Pattern recognition
• e.g. RSA exponentiation using sq-and-mult
• sig = ptskey
• Coprocessor optimized for squaring

8

Simple Power Analysis

• Analysis using one (pt, key) pair
• Pattern recognition
• e.g. RSA exponentiation using sq-and-mult
• sig = ptskey
• Coprocessor optimized for squaring

[courtesy: C.Clavier]

9

Simple Power Analysis

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection
• Understanding the implementation

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection
• Understanding the implementation
• Key extraction is NOT easy !

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection
• Understanding the implementation
• Key extraction is NOT easy !
• Detailed information on the device

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection
• Understanding the implementation
• Key extraction is NOT easy !
• Detailed information on the device
• Generate templates

AES

[courtesy: L.Batina]

9

Simple Power Analysis

Symmetric-key algorithm

• Algorithm detection
• Understanding the implementation
• Key extraction is NOT easy !
• Detailed information on the device
• Generate templates
• Use math solvers

AES

[courtesy: L.Batina]

10

Differential Power Analysis

10

Differential Power Analysis

• Encryptions of different pt using the same key

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small
• Detectable using statistics

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small
• Detectable using statistics
• Guess keyi

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small
• Detectable using statistics
• Guess keyi
• Group traces

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small
• Detectable using statistics
• Guess keyi
• Group traces
• Wrong key guess → random grouping, no difference

10

Differential Power Analysis

• Encryptions of different pt using the same key
• Divide and conquer principle
• Attack using intermediate results (e.g. Sbox output)
• Depend on a few key bits

Sbox pti keyi ⊕

• uti
• Power consumption variation is small
• Detectable using statistics
• Guess keyi
• Group traces
• Wrong key guess → random grouping, no difference
• Correct key guess → correct grouping, difference

11

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e...

[courtesy: B.Gierlichs]

11

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1 1

key1=00

[courtesy: B.Gierlichs]

11

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1 1

key1=00

[courtesy: B.Gierlichs]

11

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... Take means S(pt1 ⊕ key1)&1 1 1 1 1

key1=00

[courtesy: B.Gierlichs]

11

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... Take means Take difference S(pt1 ⊕ key1)&1 1 1 1 1

key1=00

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e...

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

Take means

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

Take means Take difference

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

Take means Take difference

[courtesy: B.Gierlichs]

12

Differential Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1)&1 1 1 1

key1=2b

Take means Take difference

D i f f e r e n c e

• f

M e a n s

[courtesy: B.Gierlichs]

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e...

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

Corr.

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

Corr.

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

Corr.

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) 82 62 7e 7b f6 e8 f3

key1=00

S(pt1 ⊕ key1) 12 cd 32 34 4a 11 fc

key1=2b

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) HW(82) HW(62) HW(7e) HW(7b) HW(f6) HW(e8) HW(f3)

key1=00

S(pt1 ⊕ key1) HW(12) HW(cd) HW(32) HW(34) HW(4a) HW(11) HW(fc)

key1=2b

13

Differential Power Analysis

Correlation Power Analysis

pt 1234… abcd… 8aef… 0354... 7791… c80d… 7e9e... S(pt1 ⊕ key1) HW(82) HW(62) HW(7e) HW(7b) HW(f6) HW(e8) HW(f3)

key1=00

S(pt1 ⊕ key1) HW(12) HW(cd) HW(32) HW(34) HW(4a) HW(11) HW(fc)

key1=2b

Better leakage model → better attack

14

Differential Power Analysis

(Notes & Assumptions)

14

Differential Power Analysis

(Notes & Assumptions)

• Knowledge about the algorithm

14

Differential Power Analysis

(Notes & Assumptions)

• Knowledge about the algorithm
• Timing of the intermediate value computation

14

Differential Power Analysis

(Notes & Assumptions)

• Knowledge about the algorithm
• Timing of the intermediate value computation
• Perfectly aligned traces

14

Differential Power Analysis

(Notes & Assumptions)

• Knowledge about the algorithm
• Timing of the intermediate value computation
• Perfectly aligned traces
• No countermeasures

14

Differential Power Analysis

(Notes & Assumptions)

• Knowledge about the algorithm
• Timing of the intermediate value computation
• Perfectly aligned traces
• No countermeasures
• # of traces increase with noise

15

Countermeasures Against DPA

16

Countermeasures

16

Countermeasures

• Limit number of encryptions per key

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop
• Decrease Signal-to-Noise Ratio (SNR)

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop
• Decrease Signal-to-Noise Ratio (SNR)
• Decreasing signal (~constant power imp., special cells)

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop
• Decrease Signal-to-Noise Ratio (SNR)
• Decreasing signal (~constant power imp., special cells)
• Increasing noise (dummy operations, shuffling)

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop
• Decrease Signal-to-Noise Ratio (SNR)
• Decreasing signal (~constant power imp., special cells)
• Increasing noise (dummy operations, shuffling)
• Breaking the correlation

16

Countermeasures

• Limit number of encryptions per key
• Distribution of key is difficult
• Leakage resilient algorithms
• Performance drop
• Decrease Signal-to-Noise Ratio (SNR)
• Decreasing signal (~constant power imp., special cells)
• Increasing noise (dummy operations, shuffling)
• Breaking the correlation
• Masking

17

S

(x ,y ,z , ...) (a ,b ,c , ...)

Boolean Masking

18

Boolean Masking

18

(x1,y1,z1, ...)

Boolean Masking

18

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...)

Boolean Masking

18

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

18

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

18

Random input/output shares ➡ Random intermediate values

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

18

Random input/output shares ➡ Random intermediate values

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

unshared shares mean var 0,0=0 1,5 1,5 1,1=3 1,5 1,5 1 0,1=1 1,5 0.5 1 1,0=2 1,5 0.5

18

Random input/output shares ➡ Random intermediate values

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

unshared shares mean var 0,0=0 1,5 1,5 1,1=3 1,5 1,5 1 0,1=1 1,5 0.5 1 1,0=2 1,5 0.5

18

Random input/output shares ➡ Random intermediate values

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

unshared shares mean var 0,0=0 1,5 1,5 1,1=3 1,5 1,5 1 0,1=1 1,5 0.5 1 1,0=2 1,5 0.5

✓ 1st-order DPA security x 2nd-order DPA security

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model #shares > d

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model # of traces increase exponentially with attack order #shares > d

19

(x1,y1,z1, ...) (x2,y2,z2, ...) ⊕ = (x, y, z, ...) = (a, b, c, ...)

S1

(a1,b1,c1, ...)

S2

(a2,b2,c2, ...) ⊕

Boolean Masking

dth-order DPA ⇄ d probing model # of traces increase exponentially with attack order glitches reduce the security #shares > d

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

Such as:

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

Such as:

• Threshold Implementations (ICICS’06, AsiaCrypt’14)

20

Masking Secure Against Glitches

S1 (x1,y1,z1, ...) (a1,b1,c1, ...) S2 (x2,y2,z2, ...) (a2,b2,c2, ...) Ss (xs,ys,zs, ...) (as,bs,cs, ...) … … … ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = (x, y, z, ...) (a, b, c, ...)

Such as:

• Threshold Implementations (ICICS’06, AsiaCrypt’14)
• Prouff & Roche (CHES’11) ~ BGW scheme

21

Thank You!

22

Announcements

• COSIC Course (Leuven, Belgium)
• 15-18 June 2015
• https://www.cosic.esat.kuleuven.be/course/index.shtml
• Summer School on Real-World Crypto and Privacy (Šibernik, Croatia)
• 31 May - 5 June 2015
• http://summerschool-croatia15.cs.ru.nl
• Summer School on Design and security of cryptographic algorithms (Italy)
• To be announced soon

(Courses)

23

Announcements

(Competitions)

• Cracking Telegram Encryption
• $300,000 award
• https://telegram.org/blog/cryptocontest
• NSUCRYPTO
• Siberian Student’s Olympiad in Cryptography with International

Participation

• http://www.nsucrypto.nsu.ru
• HACKMETU
• http://hackmetu.com