27 research outputs found

    Efficient Masking of ARX-Based Block Ciphers Using Carry-Save Addition on Boolean Shares

    Masking is a widely-used technique to protect block ciphers and other symmetric cryptosystems against Differential Power Analysis (DPA) attacks. Applying masking to a cipher that involves both arithmetic and Boolean operations requires a conversion between arithmetic and Boolean masks. An alternative approach is to perform the required arithmetic operations (e.g. modular addition or subtraction) directly on Boolean shares. At FSE 2015, Coron et al. proposed a logarithmic-time algorithm for modular addition on Boolean shares based on the Kogge-Stone carry-lookahead adder. We revisit their addition algorithm in this paper and present a fast implementation for ARM processors. Then, we introduce a new technique for direct modular addition/subtraction on Boolean shares using a simple Carry-Save Adder (CSA) in an iterative fashion. We show that the average complexity of CSA-based addition on Boolean shares grows logarithmically with the operand size, similar to the Kogge-Stone carry-lookahead addition, but consists of only a single AND, an XOR, and a left-shift per iteration. A 32-bit CSA addition on Boolean shares has an average execution time of 162 clock cycles on an ARM Cortex-M3 processor, which is approximately 43% faster than the Kogge-Stone adder. The performance gain increases to over 55% when comparing the average subtraction times. We integrated both addition techniques into a masked implementation of the block cipher Speck and found that the CSA-based variant clearly outperforms its Kogge-Stone counterpart by a factor of 1.70 for encryption and 2.30 for decryption.

    Side-Channel Attacks meet Secure Network Protocols

    Side-channel attacks are powerful tools for breaking systems that implement cryptographic algorithms. The Advanced Encryption Standard (AES) is widely used to secure data, including the communication within various network protocols. Major cryptographic libraries such as OpenSSL or ARM mbed TLS include at least one implementation of the AES. In this paper, we show that most implementations of the AES present in popular open-source cryptographic libraries are vulnerable to side-channel attacks, even in a network protocol scenario where the attacker has limited control of the input. We present an algorithm for symbolic processing of the AES state for any input configuration where several input bytes are variable and known, while the rest are fixed and unknown, as is the case in most secure network protocols. Then, we classify all possible inputs into 25 independent evaluation cases depending on the number of bytes controlled by the attacker and the number of rounds that must be attacked to recover the master key. Finally, we describe an optimal algorithm that can be used to recover the master key using Correlation Power Analysis (CPA) attacks. Our experimental results raise awareness of the insecurity of unprotected implementations of the AES used in network protocol stacks.

    Energy-Scalable Montgomery-Curve ECDH Key Exchange for ARM Cortex-M3 Microcontrollers

    The number of smart devices connected to the Internet is growing at an enormous pace and will reach 30 billion within the next five years. A large fraction of these devices have limited processing capabilities and energy supply, which makes the execution of computation-intensive cryptographic algorithms very costly. This problem is exacerbated by the fact that basic optimization techniques like loop unrolling cannot (always) be applied, since cryptographic software for the IoT often needs to meet strict constraints on code size so as not to exceed the program storage capacity of the target device. In this paper we introduce SECCCM3, a "lightweight" software library for scalable elliptic curve cryptography on ARM Cortex-M3 microcontrollers. The current version of SECCCM3 is able to carry out variable-base scalar multiplication on Montgomery-form curves over pseudo-Mersenne prime fields, such as Curve25519, and can be used to implement static ECDH key exchange. SECCCM3 is scalable in the sense that it supports curves of different order (as long as certain conditions are met), thereby enabling trade-offs between security and execution time (resp. energy dissipation). We made an effort to protect the field arithmetic against Timing Attacks (TAs) and Simple Power Analysis (SPA), taking into account the so-called early-termination effect of the Cortex-M3 integer multiplier, which makes the latency of "long" multiply instructions operand-dependent. Our experiments show that the integration of countermeasures against information leakage caused by this effect increases the execution time by 34%, while the code size grows by 13%. A TA- and SPA-resistant scalar multiplication on Curve25519 has an execution time of 4.565 million clock cycles and consumes approximately 5.1 mJ of energy when executed on an STM32L152RE Cortex-M3 microcontroller. SECCCM3 has a binary code size of 4.0 kB, which includes domain parameters for curves over 159, 191, 223, and 255-bit prime fields.

    Optimal First-Order Boolean Masking for Embedded IoT Devices

    Boolean masking is an effective side-channel countermeasure that consists in splitting each sensitive variable into two or more shares which are carefully manipulated to avoid leakage of the sensitive variable. The best known expressions for Boolean masking of bitwise operations are relatively compact, but even a small improvement of these expressions can significantly reduce the performance penalty of more complex masked operations such as modular addition on Boolean shares or of masked ciphers. In this paper, we present and evaluate new secure expressions for performing bitwise operations on Boolean shares. To this end, we describe an algorithm for efficient search of expressions that have an optimal cost in number of elementary operations. We show that bitwise AND and OR on Boolean shares can be performed using fewer instructions than the best known expressions. More importantly, our expressions do not require additional random values, as the best known expressions do. We apply our new expressions to the masked addition/subtraction on Boolean shares based on the Kogge-Stone adder and we report an improvement of the execution time between 14% and 19%. Then, we compare the efficiency of first-order masked implementations of three lightweight block ciphers on an ARM Cortex-M3 to determine which design strategies are most suitable for efficient masking. All our masked implementations passed the t-test evaluation and thus are deemed secure against first-order side-channel attacks.

    Triathlon of Lightweight Block Ciphers for the Internet of Things

    In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom "figure of merit" according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of Things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates.

    Global assessment of marine plastic exposure risk for oceanic birds

    Plastic pollution is distributed patchily around the world's oceans. Likewise, marine organisms that are vulnerable to plastic ingestion or entanglement have uneven distributions. Understanding where wildlife encounters plastic is crucial for targeting research and mitigation. Oceanic seabirds, particularly petrels, frequently ingest plastic, are highly threatened, and cover vast distances during foraging and migration. However, the spatial overlap between petrels and plastics is poorly understood. Here we combine marine plastic density estimates with individual movement data for 7137 birds of 77 petrel species to estimate relative exposure risk. We identify high exposure risk areas in the Mediterranean and Black seas, and the northeast Pacific, northwest Pacific, South Atlantic and southwest Indian oceans. Plastic exposure risk varies greatly among species and populations, and between breeding and non-breeding seasons. Exposure risk is disproportionately high for Threatened species. Outside the Mediterranean and Black seas, exposure risk is highest in the high seas and Exclusive Economic Zones (EEZs) of the USA, Japan, and the UK. Birds generally had higher plastic exposure risk outside the EEZ of the country where they breed. We identify conservation and research priorities, and highlight that international collaboration is key to addressing the impacts of marine plastic on wide-ranging species.

    50ft cruiser-racer catamaran.

    Up to the 80's, the world of catamarans evolved in parallel to that of monohulls. During that period, racing and tropical chartering were mainly their domains, and the corresponding design approach almost automatically led either to unaesthetic heavy craft or to pure racing machines. Their entrance and full acceptance as pure owner's boats in the European public field is only recent. This change of mind is probably due to the evolution of their design, nowadays more inspired by the free-spirited expression of large racing multihulls (The Race around-the-world event), along with the willingness of rather fortunate owners to afford comfortable craft that are nonetheless capable of achieving more than respectable average speeds. In this respect, a few races were born (mainly organised in the tropical areas of the globe), gathering more and more owners each year, mainly interested in combining the pleasure of fast sailing with friendly ports of call. As new exotic materials really started to appear on the commercial market (90's), as a consequence of racing yacht development and of their application process being correctly controlled by a few boatyards, commercial catamarans could start to benefit from (relatively) lightweight quality construction and so become better performing without losing their ability to offer comfort on board. As this evolution of the building processes is still going on, and the demand for this type of craft is still increasing, it appears interesting to investigate this path of naval architecture and to apply the theoretical skills learnt during these three years to a real, complete personal design.