
    A Fast and Compact RISC-V Accelerator for Ascon and Friends

    Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. ISAP, another Ascon-p-based AEAD scheme, is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, ISAP focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode level. Consequently, Ascon-p can be used to realize a wide range of cryptographic computations such as authenticated encryption, hashing, and pseudorandom number generation, with or without the need for implementation security, which makes it the perfect choice for lightweight cryptography on embedded devices. In this paper, we implement Ascon-p as an instruction extension for RISC-V that is tightly coupled to the processor's register file and thus does not require any dedicated registers. This single instruction allows us to realize all cryptographic computations that typically occur on embedded devices with high performance. More concretely, with ISAP and Ascon's family of modes for AEAD and hashing, we can perform cryptographic computations with a performance of about 2 cycles/byte, or about 4 cycles/byte if protection against fault attacks and power analysis is desired. As we show, our instruction extension requires only 4.7 kGE, or about half the area of dedicated Ascon co-processor designs, and is easy to integrate into low-end embedded devices like 32-bit ARM Cortex-M or RISC-V microprocessors. Finally, we analyze the provided implementation security of ISAP when implemented using our instruction extension.
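    The permutation the paper folds into a single RISC-V instruction is Ascon-p: a constant addition, a bit-sliced 5-bit S-box layer and a rotation-based linear layer over a 320-bit state. The C below is a plain software implementation added here as an example; it is neither the paper's instruction extension nor the Ascon team's reference code, and it follows the published Ascon-p round description (round constants, S-box, rotation amounts). The `ascon_sbox5`/`ascon_sbox_selftest` helpers and the `main` driver are this example's own additions; the table `ASCON_SBOX` is the 5-bit S-box from the Ascon specification, included only to cross-check the bit-sliced layer.

```c
#include <stdint.h>
#include <stdio.h>

/* Ascon-p state: five 64-bit words x0..x4 (320 bits). */
typedef struct { uint64_t x[5]; } ascon_state_t;

static inline uint64_t ror64(uint64_t v, unsigned n) {
    return (v >> n) | (v << (64 - n));
}

/* Round constants, XORed into x2. P12 uses all twelve; P8/P6 use the last 8/6. */
static const uint8_t ASCON_RC[12] = {
    0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b
};

/* Substitution layer: 64 parallel 5-bit S-boxes, bit-sliced across the words
   (bit i of x0..x4 forms one S-box input, x0 being the MSB). There are no
   table lookups, so control flow and memory addresses do not depend on data. */
void ascon_sbox_layer(ascon_state_t *s) {
    uint64_t x0 = s->x[0], x1 = s->x[1], x2 = s->x[2], x3 = s->x[3], x4 = s->x[4];
    uint64_t t0, t1, t2, t3, t4;
    x0 ^= x4; x4 ^= x3; x2 ^= x1;
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0;
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
    s->x[0] = x0; s->x[1] = x1; s->x[2] = x2; s->x[3] = x3; s->x[4] = x4;
}

/* Linear diffusion layer: each word is XORed with two rotated copies of itself. */
void ascon_linear_layer(ascon_state_t *s) {
    s->x[0] ^= ror64(s->x[0], 19) ^ ror64(s->x[0], 28);
    s->x[1] ^= ror64(s->x[1], 61) ^ ror64(s->x[1], 39);
    s->x[2] ^= ror64(s->x[2],  1) ^ ror64(s->x[2],  6);
    s->x[3] ^= ror64(s->x[3], 10) ^ ror64(s->x[3], 17);
    s->x[4] ^= ror64(s->x[4],  7) ^ ror64(s->x[4], 41);
}

/* One round: constant addition, substitution, diffusion. */
void ascon_round(ascon_state_t *s, uint8_t c) {
    s->x[2] ^= c;
    ascon_sbox_layer(s);
    ascon_linear_layer(s);
}

/* Ascon-p^rounds for rounds in {6, 8, 12}: the last `rounds` constants are used. */
void ascon_p(ascon_state_t *s, int rounds) {
    for (int i = 12 - rounds; i < 12; i++) ascon_round(s, ASCON_RC[i]);
}

/* Ascon's 5-bit S-box as a table (from the specification); used here only to
   cross-check the bit-sliced layer above, never in the permutation itself. */
static const uint8_t ASCON_SBOX[32] = {
    0x04, 0x0b, 0x1f, 0x14, 0x1a, 0x15, 0x09, 0x02, 0x1b, 0x05, 0x08, 0x12,
    0x1d, 0x03, 0x06, 0x1c, 0x1e, 0x13, 0x07, 0x0e, 0x00, 0x0d, 0x11, 0x18,
    0x10, 0x0c, 0x01, 0x19, 0x16, 0x0a, 0x0f, 0x17
};

/* Apply the bit-sliced substitution layer to one 5-bit value by placing its
   bits in bit 0 of x0..x4 (x0 = MSB) and reading the result back. */
uint8_t ascon_sbox5(uint8_t in) {
    ascon_state_t s;
    for (int i = 0; i < 5; i++) s.x[i] = (in >> (4 - i)) & 1;
    ascon_sbox_layer(&s);
    uint8_t out = 0;
    for (int i = 0; i < 5; i++) out |= (uint8_t)((s.x[i] & 1) << (4 - i));
    return out;
}

/* Returns 1 if the bit-sliced layer matches the table for all 32 inputs and
   the table is a bijection on 5 bits, 0 otherwise. */
int ascon_sbox_selftest(void) {
    uint32_t seen = 0;
    for (unsigned v = 0; v < 32; v++) {
        if (ascon_sbox5((uint8_t)v) != ASCON_SBOX[v]) return 0;
        seen |= 1u << ASCON_SBOX[v];
    }
    return seen == 0xffffffffu;
}

int main(void) {
    /* Ascon-Hash initialisation: the IV 0x00400c0000000100 in x0, zeros
       elsewhere, then P12. Printed for inspection; compare against the spec. */
    ascon_state_t s = {{0x00400c0000000100ULL, 0, 0, 0, 0}};
    ascon_p(&s, 12);
    printf("S-box self-test: %s\n", ascon_sbox_selftest() ? "ok" : "FAIL");
    for (int i = 0; i < 5; i++)
        printf("x%d = %016llx\n", i, (unsigned long long)s.x[i]);
    return 0;
}
```

    On a scalar 32-bit core each 64-bit word costs two registers and every rotation is a multi-instruction sequence, which is where the dozens of cycles per round of a software implementation come from; an instruction that reads the five state words from the register file and writes back one round is what brings the paper's 2 cycles/byte within reach. Note that the code is constant-time by construction (no data-dependent branches or table indices), but constant-time is not DPA resistance: the power consumed by `ascon_sbox_layer` still depends on the data, which is exactly why ISAP moves the protection up to the mode level instead.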

    Shuffling against Side-Channel Attacks: A comprehensive Study with Cautionary Note

    Together with masking, shuffling is one of the most frequently considered solutions to improve the security of small embedded devices against side-channel attacks. In this paper, we provide a comprehensive study of this countermeasure, including improved implementations and a careful information-theoretic and security analysis of its different variants. Our analyses lead to important conclusions, as they moderate the strong security improvements claimed in previous works. They suggest that simplified versions of shuffling (e.g. using random start indexes) can be significantly weaker than their counterpart using full permutations. We further show with an experimental case study that such simplified versions can be as easy to attack as unprotected implementations. We finally exhibit the existence of "indirect leakages" in shuffled implementations that can be exploited due to the different leakage models of the different resources used in cryptographic implementations. This suggests the design of fully shuffled (and efficient) implementations, where both the execution order of the instructions and the physical resources used are randomized, as an interesting scope for further research.
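    The gap between the two shuffling variants the abstract contrasts is easiest to see in the size of the order space. The C below is an added example (not code from the paper): it generates an execution order for 16 operations, say the 16 S-box lookups of one AES round, with a random start index (RSI) and with a full Fisher-Yates permutation, then counts how many orders remain consistent with a single leaked fact of the form "slot t processed byte b". The xorshift PRNG, the seed and the `N_OPS` constant are this example's own constructions standing in for the device's RNG; the "indirect leakages" the paper reports are not modelled here.

```c
#include <stdint.h>
#include <stdio.h>

#define N_OPS 16   /* e.g. the 16 S-box lookups of one AES round */

/* xorshift64: stand-in for the device RNG, constructed for this example. */
typedef struct { uint64_t s; } rng_t;
static uint32_t rng_next(rng_t *r) {
    r->s ^= r->s << 13; r->s ^= r->s >> 7; r->s ^= r->s << 17;
    return (uint32_t)(r->s >> 32);
}

/* Random start index (RSI): draw one value, then walk the operations in
   fixed cyclic order from there. Only N_OPS distinct orders are possible. */
void shuffle_random_start(uint8_t order[N_OPS], rng_t *r) {
    uint8_t start = (uint8_t)(rng_next(r) % N_OPS);
    for (int i = 0; i < N_OPS; i++) order[i] = (uint8_t)((start + i) % N_OPS);
}

/* Full permutation via Fisher-Yates: N_OPS! distinct orders are possible. */
void shuffle_full_permutation(uint8_t order[N_OPS], rng_t *r) {
    for (int i = 0; i < N_OPS; i++) order[i] = (uint8_t)i;
    for (int i = N_OPS - 1; i > 0; i--) {
        int j = (int)(rng_next(r) % (uint32_t)(i + 1));
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* Orders consistent with one observation "slot processed byte" under RSI:
   enumerate all start indexes and keep those that place byte at slot. */
uint64_t rsi_orders_consistent(int slot, int byte) {
    uint64_t n = 0;
    for (int start = 0; start < N_OPS; start++)
        if ((start + slot) % N_OPS == byte) n++;
    return n;
}

/* Same question for a full permutation: fixing one slot leaves the other
   N_OPS-1 positions free, i.e. (N_OPS-1)! orders, whatever was observed. */
uint64_t perm_orders_consistent(int slot, int byte) {
    (void)slot; (void)byte;
    uint64_t f = 1;
    for (int i = 2; i <= N_OPS - 1; i++) f *= (uint64_t)i;
    return f;
}

/* Under RSI a single observation fixes the start index and hence the whole
   order, so an attacker can realign every later slot of the trace. */
void rsi_recover_order(int slot, int byte, uint8_t order[N_OPS]) {
    int start = ((byte - slot) % N_OPS + N_OPS) % N_OPS;
    for (int i = 0; i < N_OPS; i++) order[i] = (uint8_t)((start + i) % N_OPS);
}

static int is_permutation(const uint8_t order[N_OPS]) {
    uint32_t seen = 0;
    for (int i = 0; i < N_OPS; i++) seen |= 1u << order[i];
    return seen == ((1u << N_OPS) - 1u);
}

/* Returns 1 if, for the given seed, the RSI order is reproduced exactly from
   one leaked (slot, byte) pair while the full permutation is a valid
   permutation; 0 otherwise. */
int shuffle_selftest(uint64_t seed) {
    rng_t r = { seed ? seed : 1 };
    uint8_t rsi[N_OPS], perm[N_OPS], rec[N_OPS];
    shuffle_random_start(rsi, &r);
    shuffle_full_permutation(perm, &r);
    if (!is_permutation(rsi) || !is_permutation(perm)) return 0;
    rsi_recover_order(5, rsi[5], rec);           /* leak slot 5 only */
    for (int i = 0; i < N_OPS; i++) if (rec[i] != rsi[i]) return 0;
    return 1;
}

int main(void) {
    printf("RSI  orders consistent with one leak: %llu\n",
           (unsigned long long)rsi_orders_consistent(5, 9));
    printf("Perm orders consistent with one leak: %llu\n",
           (unsigned long long)perm_orders_consistent(5, 9));
    printf("selftest: %s\n", shuffle_selftest(0x9e3779b97f4a7c15ULL) ? "ok" : "FAIL");
    return 0;
}
```

    Per slot, both variants give every byte the same 1/16 chance of being processed there, so a naive first-order attack on one slot looks equally diluted for both; the difference is in the joint distribution. One recovered position collapses RSI to a single order (log2(16) = 4 bits of randomness in total), whereas a full permutation still leaves 15! candidates. That is the quantitative core of the abstract's warning that simplified shuffling can end up as easy to attack as an unprotected implementation.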

    Stealthy Compromise of Wireless Sensor Nodes with Power Analysis Attacks

    Node capture is considered one of the most critical issues in the security of wireless sensor networks. A popular approach to thwart the problem relies on the detection of events that arise during the attack, such as the removal of a node. However, certain attacks, such as side-channel attacks, might be furtive and defeat this type of defense. This work clarifies this question by performing a case study on power analysis attacks of AES and ECC implementations on two common types of nodes: the MICAz and the TelosB. From our experiments, the attacks can be carried out in a stealthy manner. As a result, stealthy node compromises should be considered when securing wireless sensor networks. Also, the moderate complexity of our attacks underlines the importance of low-cost side-channel countermeasures for sensor nodes.

    From False Confession to Wrongful Conviction: Seven Psychological Processes

    A steadily increasing tide of literature has documented the existence and causes of false confession as well as the link between false confession and wrongful conviction of the innocent. This literature has primarily addressed three issues: the manner in which false confessions are generated by police interrogation, individual differences in susceptibility to interrogative influence, and the role false confessions have played in documented wrongful convictions of the innocent. Although the specific mechanisms through which interrogation tactics can induce false confessions, and through which they can exert enhanced influence on vulnerable individuals, have been widely addressed in this literature, the processes through which false confessions, once obtained by police, may lead to wrongful conviction have remained largely unaddressed. This article addresses this gap in the literature, examining seven psychological processes linking false confession to wrongful conviction and failures of post-conviction relief: (1) powerful biasing effects of the confession itself, including incorporated misleading specialized knowledge (inside crime-relevant knowledge displayed by the suspect in the false confession, but acquired through outside sources (such as the interrogator) rather than in the course of the commission of the crime); (2) tunnel-vision and confirmation biases; (3) motivational biases; (4) emotional influences on thinking and behavior; (5) institutional influences on evidence production and decision-making; and inadequate context for evaluation of claims of innocence, including (6) inadequate or incorrect relevant knowledge, and (7) progressively constricting relevant evidence. We discuss reciprocal influences of these mechanisms and their biasing impact on the perceptions and behaviors of suspects, investigators, prosecution and defense attorneys, juries, and trial and appellate judges.