Lightweight AEAD and Hashing using the Sparkle Permutation Family

We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer

RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography

The NIST LightWeight Cryptography (LWC) selection process aims to standardise cryptographic functionality which is suitable for resource-constrained devices. Since the outcome is likely to have significant, long-lived impact, careful evaluation of each submission with respect to metrics explicitly outlined in the call is imperative. Beyond the robustness of submissions against cryptanalytic attack, metrics related to their implementation (e.g., execution latency and memory footprint) form an important example. Aiming to provide evidence allowing richer evaluation with respect to such metrics, this paper presents the design, implementation, and evaluation of one separate Instruction Set Extension (ISE) for each of the 10 LWC final round submissions, namely Ascon, Elephant, GIFT-COFB, Grain-128AEADv2, ISAP, PHOTON-Beetle, Romulus, Sparkle, TinyJAMBU, and Xoodyak; although we base the work on use of RISC-V, we argue that it provides more general insight

Efficient Software Implementation of the SIKE Protocol Using a New Data Representation

Thanks to relatively small public and secret keys, the Supersingular Isogeny Key Encapsulation (SIKE) protocol made it into the third evaluation round of the post-quantum standardization project of the National Institute of Standards and Technology (NIST). Even though a large body of research has been devoted to the efficient implementation of SIKE, its latency is still undesirably long for many real-world applications. Most existing implementations of the SIKE protocol use the Montgomery representation for the underlying field arithmetic since the corresponding reduction algorithm is considered the fastest method for performing multiple-precision modular reduction. In this paper, we propose a new data representation for supersingular isogeny-based Elliptic-Curve Cryptography (ECC), of which SIKE is a sub-class. This new representation enables significantly faster implementations of modular reduction than the Montgomery reduction, and also other finite-field arithmetic operations used in ECC can benefit from our data representation. We implemented all arithmetic operations in C using the proposed representation such that they have constant execution time and integrated them to the latest version of the SIKE software library. Using four different parameters sets, we benchmarked our design and the optimized generic implementation on a 2.6 GHz Intel Xeon E5-2690 processor. Our results show that, for the prime of SIKEp751, the proposed reduction algorithm is approximately 2.61 times faster than the currently best implementation of Montgomery reduction, and our representation also enables significantly better timings for other finite-field operations. Due to these improvements, we were able to achieve a speed-up by a factor of about 1.65, 2.03, 1.61, and 1.48 for SIKEp751, SIKEp610, SIKEp503, and SIKEp434, respectively, compared to state-of-the-art generic implementations.IKEp751, SIKEp610, SIKEp503, and SIKEp434, respectively, compared to state-of-the-art generic implementations

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography

The Advanced Encryption Standard (AES) specifies an algorithm for a symmetric-key cryptosystem that has already found wide adoption in security applications. A substantial part of the AES algorithm are the MixColumns and InvMixColumns operations, which involve multiplications in the binary extension field GF(2 8). Recently proposed instruction set extensions for elliptic curve cryptography (ECC) include custom instructions for the multiplication of binary polynomials. In the present paper we analyze how well these custom instructions are suited to accelerate a software implementation of the AES. We used the SPARC V8-compatible LEON-2 processor with ECC extensions for verification and to obtain realistic timing results. Taking the fastest implementation for 32-bit processors as reference, we were able to achieve speedups of up to 25 % for encryption and nearly 20 % for decryption

TinySA: A Security Architecture for Wireless Sensor Networks

This paper presents the design and rationale of TinySA, a lightweight security architecture for wireless sensor networks and so-called "smart dust" running the TinyOS operating system. TinySA consists of a suite of security protocols and cryptographic primitives to ensure confidentiality, integrity and authenticity of communication in a sensor network. An integral part of TinySA is a highly optimized elliptic curve cryptosystem, which has been developed from scratch to comply with the extremely limited computational resources available in sensor nodes like the MicaZ mote. This elliptic curve system combines efficient finite field arithmetic with fast curve arithmetic and requires only 5.5·10^6 clock cycles to compute a 160-bit point multiplication on the Atmega128 processor. Even though our results show that strong elliptic curve cryptography is feasible on sensor nodes, its energy requirements are still orders of magnitude higher compared to that of symmetric cryptosystems. Therefore, TinySA uses elliptic curve cryptography only for infrequent but security-critical operations like key establishment during the initial configuration of the sensor network or the authentication of routing information

Power Analysis Resistant AES Implementation with Instruction Set Extensions

In recent years, different instruction set extensions for cryptography have been proposed for integration into general-purpose RISC processors. Both public-key and secret-key algorithms can profit tremendously from a small set of custom instructions specifically designed to accelerate performance-critical code sections. While the impact of instruction set extensions on performance and silicon area has been widely investigated in the recent past, the resulting security aspects (i.e. resistivity to side-channel attacks) of this particular design approach remain an open research topic. In this paper we discuss and analyze different techniques for increasing the side-channel resistance of AES software implementations using instruction set extensions. Furthermore, we propose a combination of hardware and software-related countermeasures and investigate the resulting effects on performance, cost, and security. Our experimental results show that a moderate degree of protection can be achieved with a simple software countermeasure. Hardware countermeasures, such as the implementation of security-critical functional units using a DPA-resistant logic style, lead to much higher resistance against side-channel attacks at the cost of a moderate increase in silicon area and power consumption