Lesamanta-LW, Enocoro, Trivium, PRESENT, CLEFIA. I. INTRODUCTION. While AES and SHA work well together within computer systems, they struggle in an ...
Since most IoT devices are. Prof William J. Buchanan (1), Dr Shancang Li (2), Dr Rameez Asif (1). (1) The Cyber Academy, Edinburgh Napier University, UK.
Nov 28, 2011 ... When analyzing this tree traversal in Section 3.4 we made the strong hy- ...... n
devices based on the ARM Cortex such as the EFM32 Gecko, STM32 and ......
block ciphers, designs have already closely approached the mini-.
and software solutions for Wireless Sensor Networks (WSNs). In [49] .... is designed for lightweight software and achieves the best overall status in this domain.
Feb 21, 2015 - message authentication code (MAC) to provides data confidentiality, ... TinySec uses the CBC encryption mode (Cipher Block Chaining) ...
Powerball [8], Mitsubishi LWAPA10 [9], Yaskawa-Motoman SIA5F [10], Denso. VS-6577G-B [12], Barett robotic arm [13] etc. Exception in this case gives new.
For this purpose we have prepared sample codes to almost all primitives described ... 2.11 Rijndael128-CTR example . ..... 13.7 ECCP based digital signature .
the ARM C and C++ compilers, and for information on standards conformance ....
Koenig, A, C Traps and Pitfalls, Addison-Wesley (1989), Reading, Mass. ISBN.
through the network and provide new experience to us. In order ... describe two reasons that support our proposal. 1. ..
a concrete use, the ECDSA (Elliptic Curve Digital Signature Algorithm) [10] .... shown, there is a steep price to be paid in the 128-bit level of security pairing.
the Elliptic Curve Digital Signature Algorithm (ECDSA),. Elliptic Curve Schnorr Signature ... Add one cycle for each in-memory source (read) and two cycles for a ...
Keywords: System-on-Chip, Learning Classifier System, XCS. 1 Introduction .... The original action selection strategy for the LCT is roulette-wheel, which se-.
ARM instruction set extension for Elliptic Curve Cryptography over binary finite ... Gamal [1]), digital signature schemes (like Digital Signature Algorithm, DSA [2]), ...
in several cryptographic operations such as digital signatures over binary elliptic curves and encryption. ... the best known algorithm. We also illustrate the ... timing results of our software implementation on the ARM Cortex-A8,. A9 and A15 ...
q t. q q. â¡. â¤. = â£. ⦠, where r q is the vector of rigid modes (generalized joint coordinates) and f q is the vector of flexible modes, respectively defined as: 1. 11. 1.
Sep 2, 2015 - with increased energy efficiency, shortened development cycles and other ... level generic OS (e.g. Linux, Android) on a single unified platform.
ware/software co-design is often the only answer to implement the com- ... Almost all existing HECC implementations consider binary fields and curves of genus ...
timing results of our software implementation on the ARM Cortex-A8, ...... Cortex. A53 and A57) may provide great speed up to binary ECC, since the architecture.
Abstract. Software analysis techniques, and in particular software âde- sign recoveryâ, have been highly successful at both technical and business-.
software, data protection, file security, e-mail security, web security. 1. ... cryptographic protection on file and block data levels;. ⢠digital signature;. ⢠access ...
Developer, Inspector, SPL Developer, SPL Tester and Scrum. Team. Table I describes ..... 4Savi on Apple Store - https://itunes.apple.com/us/app/savi/id590385285. 5RiSE Labs .... phone address book, import contact from twitter account, and.
Evaluation Theory & Engineering Design Principles ... Bottom-up Evaluation Method ... lightweight SPA methods, referred to as the top-down approach. 2.
Lightweight Cryptography on ARM - Software ... - SPEED-B
We target low-end and NEON-capable ARM processors, typical of embedded .... GCC 6.1.1 with flags -O3 -fno-schedule-insns -mcpu=cortex-a53. -mthumb ...
Lightweight Cryptography on ARM Software implementation of block ciphers and ECC
Rafael Cruz, Tiago Reis, Diego F. Aranha, Julio López, Harsh Kupwade Patil University of Campinas, LG Electronics Inc.
Introduction
Context
1
Context Cryptography can mitigate critical security issues in embedded devices. Security property Protecting data at rest Protecting data in transit Secure software updates Secure booting Secure debugging Device id/auth Key distribution
Several algorithms required to implement primitives: • • • •
Block and stream ciphers Hash functions AEAD and Message Authentication Codes (MACs) Elliptic Curve Cryptography
2
Context
Problem: Why “lightweight cryptography”? Shouldn’t all cryptography be ideally lightweight? From Mouha in [Mou15] “Although the question seems simple, this appears to be a quite controversial subject. (...) It is important to note that lightweight cryptography should not be equated with weak cryptography”. Solution: Alternative name for application-specific cryptography or application-driven cryptographic design?
3
Summary
We discuss techniques for efficient and secure implementations of lightweight encryption in software: 1. Fantomas, an LS-Design proposed in [GLSV14]. 2. PRESENT, a Substitution-Permutation Network (SPN) [BKL+ 07]. 3. Curve25519 for Elliptic Curve Cryptography. . We target low-end and NEON-capable ARM processors, typical of embedded systems. Results are part of a project sponsored by LG involving 7 students and more than 30 symmetric (C) and asymmetric (ASM) algorithms.
4
Fantomas
Construction LS-Designs Paradigm to construct block ciphers providing: • Lightweight designs from simple substitution and linear layers. • Friendliness to side-channel countermeasures (bitslicing and masking). • Tweakable variant for authenticated encryption (SCREAMv3).
l bits State Matrix s bits
5
Construction
Algorithm 1 LS-Design encrypting block B into ciphertext C with key K. 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11:
C←B⊕K for 0 ≤ r < Nr do for 0 ≤ i < l do C[i, ⋆] = S[C[i, ⋆]] end for for 0 ≤ j < s do C[⋆, j] = L[C[⋆, j]] end for C ← C ⊕ K ⊕ C(r) end for return C
▷ C represents an s × l-bit matrix ▷ S-box layer
▷ L-box layer
▷ Key and round constant addition
6
Algorithm The LS-Design paper introduced an involutive instance (Robin), and a non-involutive cipher (Fantomas). Fantomas • 128-bit key length and block size. • No key scheduling. • 8-bit (3/5-bit 3-round) S-boxes from MISTY. • L-box from vector-matrix product in F2 .
Lbox Sbox
8-bits
16-bits
Count Parity X
?
7
Implementation in 32/64 bits
Internal state can be represented with union to respect strict aliasing rules for 16/32/64-bit operations: t y p e d e f union { u i n t 3 2 _ t u32 ; // u i n t 6 4 _ t u64 ; u i n t 1 6 _ t u16 [ 2 ] ; // u i n t 1 6 _ t u16 [ 4 ] ; } U32_t ;
Bitsliced S-boxes operate over 16-bit chunks in the u16 portion. Key addition works using the u32/u64 internal state: f o r ( j =0; j < 4 ; j ++) // f o r ( j =0; j < 2 ; j ++) s t [ j ] . u32 ^= key_32 [ j ] ; // s t [ j ] . u64 ^= key_64 [ j ] ;
8
Implementation in 32/64 bits
L-box can be evaluated using two precomputed tables: /* U n p r o t e c t e d L−box v e r s i o n */ s t [ j ] . u16 [ 0 ] = LBoxH [ s t [ j ] . u16 [0] > >8] ^ LBoxL [ s t [ j ] . u16 [ 0 ] & 0 x f f ] ; s t [ j ] . u16 [ 1 ] = LBoxH [ s t [ j ] . u16 [1] > >8] ^ LBoxL [ s t [ j ] . u16 [ 1 ] & 0 x f f ] ;
Problem: Beware of cache-timing attacks!
9
Implementation in 32/64 bits
L-box can be evaluated using two precomputed tables: /* U n p r o t e c t e d L−box v e r s i o n */ s t [ j ] . u16 [ 0 ] = LBoxH [ s t [ j ] . u16 [0] > >8] ^ LBoxL [ s t [ j ] . u16 [ 0 ] & 0 x f f ] ; s t [ j ] . u16 [ 1 ] = LBoxH [ s t [ j ] . u16 [1] > >8] ^ LBoxL [ s t [ j ] . u16 [ 1 ] & 0 x f f ] ;
Problem: Beware of cache-timing attacks! Attacker who monitors L-box positions in cache can recover internal state. Internal state trivially reveals keys and plaintext if recovered right before/after last/first key addition.
9
Construction
Algorithm 2 LS-Design encrypting block B into ciphertext C with key K. 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11:
C←B⊕K for 0 ≤ r < Nr do for 0 ≤ i < l do C[i, ⋆] = S[C[i, ⋆]] end for for 0 ≤ j < s do C[⋆, j] = L[C[⋆, j]] end for C ← C ⊕ K ⊕ C(r) end for return C
▷ C represents an s × l-bit matrix ▷ S-box layer
▷ L-box layer
▷ Key and round constant addition
10
Implementation in 32/64 bits
Solution: We can replace memory access with online computation: s t a t i c i n l i n e t y p e _ t LBox ( t y p e _ t x , t y p e _ t y , u i n t 8 _ t s ) { x &= y ; x ^= x >> 8 ; x ^= x >> 4 ; x ^= x >> 2 ; x ^= x >> 1 ; r e t u r n ( x & 0 x00010001 )
