10 research outputs found

    Authenticated Encryption for Very Short Inputs

    We study authenticated encryption (AE) modes dedicated to very short messages, which are crucial for Internet-of-Things applications. Since the existing general-purpose AE modes need at least three block cipher calls for non-empty messages, we explore the design space for AE modes that use at most two calls. We propose a family of AE modes, dubbed Manx, that work when the total input length is less than 2n bits, using an n-bit block cipher. Notably, the second construction of Manx can encrypt an almost n-bit plaintext and saves one or two block cipher calls compared to standard modes such as GCM or OCB, while keeping comparable provable security. We also present benchmarks on popular 8/32-bit microprocessors using AES. Our results show the clear advantage of Manx over previous modes for such short messages.
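    The abstract's starting point, that a standard mode already spends at least three block cipher calls on a message that fits in one block, is easy to check by instrumenting a mode. The code below is an added example written for this page, not code from the Manx paper or its authors: a minimal GCM (96-bit nonce, 128-bit tag, as in NIST SP 800-38D) run over a wrapper that counts block cipher invocations. The block cipher inside is an assumed stand-in (a SHA-256-keyed Feistel permutation, not secure) so that the example runs offline; the key, nonce and messages are constructed. The reported count includes the hash-subkey call E_K(0); if H is precomputed once per key, two calls per message remain, which is exactly the budget the abstract says Manx targets.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128-bit block, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CountingCipher:
    """A 128-bit block cipher that counts its own invocations.

    The primitive is a stand-in chosen for this example (an assumption, not
    anything from the Manx paper): a 4-round Feistel network keyed through
    SHA-256. It is a permutation on 16-byte blocks but is NOT a secure cipher;
    only the call count matters here. Real code would use AES.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.calls = 0

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        self.calls += 1
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, _xor(left, self._f(rnd, right))
        return left + right


# GHASH: multiplication in GF(2^128) with GCM's bit ordering
# (Algorithm 1 of NIST SP 800-38D).
_R = 0xE1 << 120


def gf_mul(x: int, y: int) -> int:
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z


def ghash(h: int, aad: bytes, ct: bytes) -> bytes:
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % BLOCK)

    data = (pad(aad) + pad(ct)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf_mul(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h)
    return y.to_bytes(BLOCK, "big")


def gcm_encrypt(cipher: CountingCipher, nonce: bytes, aad: bytes, pt: bytes):
    assert len(nonce) == 12  # 96-bit IV: J0 = nonce || 0x00000001
    h = int.from_bytes(cipher.encrypt_block(bytes(BLOCK)), "big")  # call: hash subkey H
    ct = b""
    for i in range(0, len(pt), BLOCK):  # one call per (partial) plaintext block
        ctr = nonce + (2 + i // BLOCK).to_bytes(4, "big")
        ct += _xor(pt[i:i + BLOCK], cipher.encrypt_block(ctr))
    j0 = nonce + (1).to_bytes(4, "big")
    tag = _xor(ghash(h, aad, ct), cipher.encrypt_block(j0))  # call: tag mask E(J0)
    return ct, tag


def gcm_decrypt(cipher: CountingCipher, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the tag does not verify (checked first)."""
    h = int.from_bytes(cipher.encrypt_block(bytes(BLOCK)), "big")
    j0 = nonce + (1).to_bytes(4, "big")
    expected = _xor(ghash(h, aad, ct), cipher.encrypt_block(j0))
    if not hmac.compare_digest(expected, tag):
        return None
    pt = b""
    for i in range(0, len(ct), BLOCK):
        ctr = nonce + (2 + i // BLOCK).to_bytes(4, "big")
        pt += _xor(ct[i:i + BLOCK], cipher.encrypt_block(ctr))
    return pt


def block_cipher_calls(pt_len: int, aad_len: int = 0) -> int:
    """Number of block cipher invocations GCM needs to seal one message."""
    cipher = CountingCipher(b"\x01" * 16)  # constructed key, nonce and data
    gcm_encrypt(cipher, b"\x02" * 12, b"\x03" * aad_len, b"\x04" * pt_len)
    return cipher.calls


if __name__ == "__main__":
    for n in (0, 1, 16, 17):
        print(f"{n:2d}-byte plaintext: {block_cipher_calls(n)} block cipher calls")
```

    Associated data costs no block cipher calls at all (it is absorbed by GHASH), so for a 1- to 16-byte message the count is three whatever the header size; the third call is E_K(0), and a per-key cache of H brings a one-block message down to two calls.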

    Fast Skinny-128 SIMD Implementations for Sequential Modes of Operation

    This paper reports new software implementation results for the Skinny-128 tweakable block ciphers on various SIMD architectures. More precisely, we introduce a decomposition of the 8-bit S-box into four 4-bit S-boxes in order to take advantage of vector permute instructions, leading to significant performance improvements over previous constant-time implementations. Since our approach is of particular interest when Skinny-128 is used in sequential modes of operation, we also report how it benefits the Romulus authenticated encryption scheme, a finalist of the NIST LWC standardization process.

    Fixslicing: A New GIFT Representation

    The GIFT family of lightweight block ciphers, published at CHES 2017, offers excellent hardware performance figures and has been used, in full or in part, in several candidates of the ongoing NIST lightweight cryptography competition. However, implementing GIFT in software appears complex and inefficient because of the bit permutation that makes up its linear layer (a feature shared with the PRESENT cipher). In this article, we exhibit a new non-trivial representation of the GIFT family of block ciphers over several rounds. This new representation, which we call fixslicing, allows extremely efficient bitsliced software implementations of GIFT using only a few rotations, surprisingly placing GIFT as a very efficient candidate on microcontrollers. Our constant-time implementations show that, on ARM Cortex-M3, 128 bits of data can be ciphered in only about 800 cycles for GIFT-64 and about 1300 cycles for GIFT-128 (assuming pre-computed round keys). In particular, this is much faster than the impressive PRESENT implementation published at CHES 2017, which requires 2116 cycles in the same setting, or the current best reported constant-time AES implementation, which requires 1617 cycles. This work impacts GIFT, but also improves software implementations of all other cryptographic primitives directly based on it or strongly related to it.

    Bricklayer Attack: A Side-Channel Analysis on the ChaCha Quarter Round

    ChaCha is a family of stream ciphers that are very efficient on constrained platforms. In this paper, we present electromagnetic side-channel analyses of two different software implementations of ChaCha20 on a 32-bit architecture: one compiled from C and another written directly in assembly. On the device under test, practical experiments show that they have different levels of resistance to side-channel attacks. For the most leakage-resilient implementation, an analysis of the whole quarter round is required. To overcome this complication, we introduce an optimized attack based on a divide-and-conquer strategy, named the bricklayer attack.

    Secure implementation and integration of lightweight cryptography for the internet of things

    No full text
    While the internet of things (IoT) promises many advances for businesses, administrations and citizens, its deployment is a real challenge in terms of privacy and security. In order to ensure the confidentiality and authenticity of information transmitted by these objects, numerous IoT protocols incorporate cryptographic algorithms within their specification. To date, these algorithms are the same as the ones used in traditional internet security protocols and thus have not been designed with constrained platforms in mind. This thesis focuses on lightweight cryptography, which aims to reduce the cost of implementation as much as possible. Apart from the main goal of lightweight cryptography, which is to consume fewer resources than traditional algorithms, it is also valuable to take the integration of countermeasures against physical attacks into account during the design phase in order to limit their impact. Although this kind of attack requires physical access to the target, this is a realistic scenario, as connected objects might be deployed everywhere and thus be accessible to malicious people. Our work focuses on the study of three lightweight cryptographic algorithms, ChaCha, ACORN and Ascon, each having potential for industrial applications. In particular, we highlight the need for secure implementations by introducing two new side-channel attacks: one against ChaCha20, standardized by the IETF and now used in TLS 1.3, and another against ACORN, an algorithm that is part of the CAESAR portfolio.

    Cryptographie légère pour l'internet des objets : implémentations et intégrations sécurisées.

    No full text
    While the internet of things opens up new prospects, for businesses as well as for administrations and citizens, its deployment is a major challenge in terms of security and privacy. To ensure the confidentiality of the data generated by these connected objects, most IoT protocols integrate cryptographic primitives directly into their specification. Although the cryptographic algorithms used to date benefit from proven security, they are taken directly from traditional security protocols and consequently were not designed to be particularly efficient on resource-constrained platforms such as those dedicated to connected objects. This thesis focuses on so-called "lightweight" cryptographic primitives designed specifically for the internet of things. Beyond the main goals of lightweight cryptographic algorithms, which are to be more efficient and more compact than traditional algorithms, their ability to be easily protected against physical attacks, which target the implementation of a cryptographic algorithm rather than its mathematical structure, is also a criterion with high added value. Although most of these attacks require physical access to the component executing the cryptographic primitive, they constitute a real threat in the internet-of-things model, where connected objects are potentially deployed within physical reach of any kind of attacker. Our work focuses on the study of the ChaCha, ACORN and Ascon algorithms.

    Fixslicing AES-like Ciphers: New bitsliced AES speed records on ARM-Cortex M and RISC-V

    The fixslicing implementation strategy was originally introduced as a new representation for the hardware-oriented GIFT block cipher to achieve very efficient constant-time software implementations. In this article, we show that the fundamental idea underlying the fixslicing technique is not of interest only for GIFT, but can be applied to other ciphers as well. In particular, we study the benefits of fixslicing in the case of AES and show that it reduces by 52% the number of operations required by the linear layer compared to the current fastest bitsliced implementation on 32-bit platforms. Overall, we report that fixsliced AES-128 reaches 80 and 91 cycles per byte on ARM Cortex-M and E31 RISC-V processors respectively (assuming pre-computed round keys), improving the previous records on those platforms by 21% and 26%. To highlight that our work also directly improves masked implementations that rely on bitslicing, we report implementation results with first-order masking that outperform by 12% the fastest results reported in the literature on ARM Cortex-M4. Finally, we demonstrate the genericity of the fixslicing technique for AES-like designs by applying it to the Skinny-128 tweakable block ciphers.

    Fixslicing: A New GIFT Representation: Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M

    No full text
    Same abstract as the "Fixslicing: A New GIFT Representation" entry above.

    On the importance of considering physical attacks when implementing lightweight cryptography

    No full text
    Pervasive devices are usually deployed in hostile environments where they are physically accessible to attackers. As lightweight cryptography is designed for such devices, it has to be particularly resistant to physical attacks. In this paper, we illustrate how active and passive physical attacks against the lightweight block cipher PRIDE can be carried out. A side-channel attack and a fault attack have been successfully implemented against the same software implementation of the algorithm. In both cases, we were able to recover the entire encryption key. First, we present our attacks; then we analyze them in terms of complexity and feasibility; finally, we discuss possible countermeasures.