Differential and Higher Order Attacks.- A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter.- Gaussian Mixture Models for Higher-Order Side Channel Analysis.- Side Channel Cryptanalysis of a Higher Order Masking Scheme.- Random Number Generation and Device Identification.- High-Speed True Random Number Generation with Logic Gates Only.- FPGA Intrinsic PUFs and Their Use for IP Protection.- Logic Styles: Masking and Routing.- Evaluation of the Masked Logic Style MDPL on a Prototype Chip.- Masking and Dual-Rail Logic Don't Add Up.- DPA-Resistance Without Routing Constraints?.- Efficient Algorithms for Embedded Processors.- On the Power of Bitslice Implementation on Intel Core2 Processor.- Highly Regular Right-to-Left Algorithms for Scalar Multiplication.- MAME: A Compression Function with Reduced Hardware Requirements.- Collision Attacks and Fault Analysis.- Collision Attacks on AES-Based MAC: Alpha-MAC.- Secret External Encodings Do Not Prevent Transient Fault Analysis.- Two New Techniques of Side-Channel Cryptanalysis.- High Speed AES Implementations.- AES Encryption Implementation and Analysis on Commodity Graphics Processing Units.- Multi-gigabit GCM-AES Architecture Optimized for FPGAs.- Public-Key Cryptography.- Arithmetic Operators for Pairing-Based Cryptography.- FPGA Design of Self-certified Signature Verification on Koblitz Curves.- How to Maximize the Potential of FPGA Resources for Modular Exponentiation.- Implementation Cost of Countermeasures.- TEC-Tree: A Low-Cost, Parallelizable Tree for Efficient Defense Against Memory Replay Attacks.- Power Analysis Resistant AES Implementation with Instruction Set Extensions.- Security Issues for RF and RFID.- Power and EM Attacks on Passive RFID Devices.- RFID Noisy Reader How to Prevent from Eavesdropping on the Communication?.- RF-DNA: Radio-Frequency Certificates of Authenticity.- Special Purpose Hardware for Cryptanalysis.- CAIRN 2: An FPGA Implementation of the Sieving Step in the Number Field Sieve Method.- Collision Search for Elliptic Curve Discrete Logarithm over GF(2 m ) with FPGA.- A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations.- Side Channel Analysis.- Differential Behavioral Analysis.- Information Theoretic Evaluation of Side-Channel Resistant Logic Styles.- Problems and Solutions for Lightweight Devices.- On the Implementation of a Fast Prime Generation Algorithm.- PRESENT: An Ultra-Lightweight Block Cipher.- Cryptographic Hardware and Embedded Systems - CHES 2007.

Cryptographic hardware and embedded systems : CHES 2007 : 9th International Workshop, Vienna, Austria, September 10-13, 2007 : proceedings

Embedded systems are deployed in various domains, including industrial installations, critical and nomadic environments, private spaces and public infrastructures. Their operation typically involves access, storage and communication of sensitive and/or critical information that requires protection, making the security of their resources and services an imperative design concern. The demand for applicable cryptographic components is therefore strong and growing. However, the limited resources of these devices, in conjunction with the ever-present need for smaller size and lower production costs, hinder the deployment of secure algorithms typically found in other environments and necessitate the adoption of lightweight alternatives. This paper provides a survey of lightweight cryptographic algorithms, presenting recent advances in the field and identifying opportunities for future research. More specifically, we examine lightweight implementations of symmetric-key block ciphers in hardware and software architectures. We evaluate 52 block ciphers and 360 implementations based on their security, performance and cost, classifying them with regard to their applicability to different types of embedded devices and referring to the most important cryptanalysis pertaining to these ciphers.

A review of lightweight block ciphers

The linear layer is a core component in any substitution-permutation network block cipher. Its design significantly influences both the security and the efficiency of the resulting block cipher. Surprisingly, not many general constructions are known that allow to choose trade-offs between security and efficiency. Especially, when compared to Sboxes, it seems that the linear layer is crucially understudied. In this paper, we propose a general methodology to construct good, sometimes optimal, linear layers allowing for a large variety of trade-offs. We give several instances of our construction and on top underline its value by presenting a new block cipher. PRIDE is optimized for 8-bit micro-controllers and significantly outperforms all academic solutions both in terms of code size and cycle count.

/pdf/block-ciphers-focus-on-the-linear-layer-feat-pride-3zbm6b4eue.pdf

Block Ciphers – Focus on the Linear Layer (feat. PRIDE)

Piccolo: An Ultra-Lightweight Blockcipher

The underlying fundaments of blockchain are cryptography and cryptographic concepts that provide reliable and secure decentralized solutions. Although many recent papers study the use-cases of blockchain in different industrial areas, such as finance, health care, legal relations, IoT, information security, and consensus building systems, only few studies scrutinize the cryptographic concepts used in blockchain. To the best of our knowledge, there is no Systematization of Knowledge (SoK) that gives a complete picture of the existing cryptographic concepts which have been deployed or have the potential to be deployed in blockchain. In this paper, we thoroughly review and systematize all cryptographic concepts which are already used in blockchain. Additionally, we give a list of cryptographic concepts which have not yet been applied but have big potentials to improve the current blockchain solutions. We also include possible instantiations of these cryptographic concepts in the blockchain domain. Last but not least, we explicitly postulate 21 challenging problems that cryptographers interested in blockchain can work on.

SoK of Used Cryptography in Blockchain

We present a new method for constructing cryptographically strong 4×4-bit S-boxes with the help of quasigroups of order 4. So far, cryptographers were constructing 4×4-bit Sboxes used in cryptographic primitives suitable for lightweight cryptography, only by exhaustive search of permutations of order 16. Our construction of 4×4-bit Quasigroup-S-boxes (QS-boxes) uses quasigroup string transformations. This methodology enables someone to work basically with several different strong S-boxes iteratively reusing only one hardware circuit and just changing a few parameters (called leaders in our method). Keywords-lightweight cryptography; quasigroups; quasigroup string transformations; S-boxes.

/pdf/construction-of-optimal-4-bit-s-boxes-by-quasigroups-of-2zqltq1ovx.pdf

Construction of Optimal 4-bit S-boxes by Quasigroups of Order 4

In today’s world of big data and rapidly increasing telecommunications, using secure cryptographic primitives that are parallelizable and incremental is becoming ever more important design goal. π-Cipher is parallel, incremental, nonce based authenticated encryption cipher with associated data. It is designed with the special purpose of providing confidentiality and integrity for big data in transit or at rest. It has, as an option, a secret part of the nonce which provides noncemisuse resistance. The design involves operations of several solid cryptographic concepts such as the Encrypt-then-MAC principle, the XOR MAC scheme and the two-pass sponge construction. It contains parameters that can provide the functionality of tweakable block ciphers for authenticated encryption of data at rest. The security of the cipher relies on the core permutation function based on ARX (Addition, Rotation and XOR) operations. π-Cipher offers several security levels ranging from 96 to 256 bits.

π-Cipher: Authenticated Encryption for Big Data

Modern cryptography today is substantially involved with securing lightweight (and pervasive) devices. For this purpose, several lightweight cryptographic algorithms have already been proposed. Up to now, the literature has focused on hardware-efficiency while lightweight with respect to software has barely been addressed. However, a large percentage of lightweight ciphers will be implemented on embedded CPUs- without support for cryptographic operations. In parallel, many lightweight ciphers are based on operations which are hardware-friendly but quite costly in software. For instance, bit permutations that accrue essentially no costs in hardware require a non-trivial number of CPU cycles and/or lookup tables in software. Similarly, S-Boxes often require relatively large lookup tables in software. In this work, we try to address the open question of efficient cipher implementations on small CPUs by introducing a non-linear/linear instruction set extension, to which we refer to as NLU, capable of implementing on-linear operations expressed in their algebraic normal form(ANF) and linear operations expressed in binary "matrix multiply-and-add" form. The proposed NLU is targeted for embedded micro controllers and it is therefore 8-bit wide. However, its modular architecture allows it to be used in16, 32, 64 and even 4-bit CPUs. We furthermore present examples of the use of NLU in the implementation of standard cryptographic algorithms in order to demonstrate its coding advantage.

A Non-Linear/Linear Instruction Set Extension for Lightweight Ciphers

Authenticated encryption (AE) has been a vital operation in cryptography due to its ability to provide confidentiality, integrity, and authenticity at the same time. Its use has soared in parallel with widespread use of the internet and has led to several new schemes. There have been studies investigating software performance of various schemes. However, the same is yet to be done for hardware. We present a comprehensive survey of hardware (specifically ASIC) performance of the most commonly used AE schemes in the literature. These schemes include encrypt-then-MAC combination, block-cipher-based AE modes, and the recently introduced permutation-based AE scheme. For completeness, we implemented each scheme with various standardized block ciphers and/or hash algorithms, and their lightweight versions. Our evaluation targets minimizing the time-area product while maximizing the throughput on an ASIC platform. We used 45nm NANGATE Open Cell Library for syntheses. We present area, speed, time-area product, throughput, and power figures for both standard and lightweight versions of each scheme. We also provide an unbiased discussion on the impact of the structure and complexity of each scheme on hardware implementation. Our results reveal 13%--30% performance boost in permutation-based AE compared to conventional schemes, and they can be used as a benchmark in the ongoing AE competition CAESAR.

A Survey on Authenticated Encryption--ASIC Designer’s Perspective

According to several recent studies, the global IP communication and digital storage have already surpassed the zettabyte threshold (\(10^{21}\) bytes). The Internet entered the zettabyte era in which fast and secure computations are important more than ever. One solution for certain types of computations, that may offer a speedup up to several orders of magnitude, is the incremental cryptography. While the idea of incremental crypto primitives is not new, so far its potential has not been fully exploited. In this paper, we define two incremental hash functions iSHAKE128 and iSHAKE256 based on the recent NIST proposal for SHA-3 Extendable-Output Functions SHAKE128 and SHAKE256. We describe two practical implementation scenarios of the newly introduced hash functions and compare them with the already known tree-based hash scheme. We show the trends of efficiency gains as the amount of data increases in comparison to the standard tree-based incremental schemes. Our proposals iSHAKE128 and iSHAKE256 provide security against collision attacks of 128 and 256 bits, respectively.

/pdf/reviving-the-idea-of-incremental-cryptography-for-the-sve50dkpnc.pdf

Hristina Mihajloska

Papers

Construction of Optimal 4-bit S-boxes by Quasigroups of Order 4

π-Cipher: Authenticated Encryption for Big Data

A Non-Linear/Linear Instruction Set Extension for Lightweight Ciphers

A Survey on Authenticated Encryption--ASIC Designer’s Perspective

Reviving the Idea of Incremental Cryptography for the Zettabyte Era Use Case: Incremental Hash Functions Based on SHA-3