Browse ORBi

- What it is and what it isn't
- Green Road / Gold Road?
- Ready to Publish. Now What?
- How can I support the OA movement?
- Where can I learn more?

ORBi

MoTE-ECC: Energy-Scalable Elliptic Curve Cryptography for Wireless Sensor Networks Liu, Zhe ; ; Groszschädl, Johann in Boureanu, Ioana; Owezarski, Philippe; Vaudenay, Serge (Eds.) Applied Cryptography and Network Security - 12th International Conference, ACNS 2014, Lausanne, Switzerland, June 10-13, 2014. Proceedings (2014, June) Wireless Sensor Networks (WSNs) are susceptible to a wide range of malicious attacks, which has stimulated a body of research on "light-weight" security protocols and cryptographic primitives that are ... [more ▼] Wireless Sensor Networks (WSNs) are susceptible to a wide range of malicious attacks, which has stimulated a body of research on "light-weight" security protocols and cryptographic primitives that are suitable for resource-restricted sensor nodes. In this paper we introduce MoTE-ECC, a highly optimized yet scalable ECC library for Memsic's MICAz motes and other sensor nodes equipped with an 8-bit AVR processor. MoTE-ECC supports scalar multiplication on Montgomery and twisted Edwards curves over Optimal Prime Fields (OPFs) of variable size, e.g. 160, 192, 224, and 256 bits, which allows for various trade-offs between security and execution time (resp. energy consumption). OPFs are a special family of "low-weight" prime fields that, in contrast to the NIST-specified fields, facilitate a parameterized implementation of the modular arithmetic so that one and the same software function can be used for operands of different length. To demonstrate the performance of MoTE-ECC, we take (ephemeral) ECDH key exchange between two nodes as example, which requires each node to execute two scalar multiplications. The first scalar multiplication is performed on a fixed base point (to generate a key pair), whereas the second scalar multiplication gets an arbitrary point as input. Our implementation uses a fixed-base comb method on a twisted Edwards curve for the former and a simple ladder approach on a birationally-equivalent Montgomery curve for the latter. Both scalar multiplications require about 9*10^6 clock cycles in total and occupy only 380 bytes in RAM when the underlying OPF has a length of 160 bits. We also describe our efforts to harden MoTE-ECC against side-channel attacks (e.g. simple power analysis) and introduce a highly regular implementation of the comb method. [less ▲] Detailed reference viewed: 407 (70 UL)New Speed Records for Montgomery Modular Multiplication on 8-Bit AVR Microcontrollers Liu, Zhe ; Groszschädl, Johann in Pointcheval, David; Vergnaud, Damien (Eds.) Progress in Cryptology - AFRICACRYPT 2014, 7th International Conference on Cryptology in Africa, Marrakesh, Morocco, May 28-30, 2014. Proceedings (2014, May) Detailed reference viewed: 195 (12 UL)High-Speed Elliptic Curve Cryptography on the NVIDIA GT200 Graphics Processing Unit ; Liu, Zhe ; Groszschädl, Johann et al in Huang, Xinyi; Zhou, Jianying (Eds.) Information Security Practice and Experience, 10th International Conference, ISPEC 2014, Fuzhou, China, May 5-8, 2014. Proceedings (2014, May) Detailed reference viewed: 209 (12 UL)Low-Weight Primes for Lightweight Elliptic Curve Cryptography on 8-bit AVR Processors Liu, Zhe ; Groszschädl, Johann ; in Lin, Dongdai; Xu, Shouhuai; Yung, Moti (Eds.) Information Security and Cryptology - 9th International Conference, INSCRYPT 2013, Guangzhou, China, November 27-30, 2013 (2013, November) Small 8-bit RISC processors and micro-controllers based on the AVR instruction set architecture are widely used in the embedded domain with applications ranging from smartcards over control systems to ... [more ▼] Small 8-bit RISC processors and micro-controllers based on the AVR instruction set architecture are widely used in the embedded domain with applications ranging from smartcards over control systems to wireless sensor nodes. Many of these applications require asymmetric encryption or authentication, which has spurred a body of research into implementation aspects of Elliptic Curve Cryptography (ECC) on the AVR platform. In this paper, we study the suitability of a special class of finite fields, the so-called Optimal Prime Fields (OPFs), for a "lightweight" implementation of ECC with a view towards high performance and security. An OPF is a finite field Fp defined by a prime of the form p = u*2^k + v, whereby both u and v are "small" (in relation to 2^k) so that they fit into one or two registers of an AVR processor. OPFs have a low Hamming weight, which allows for a very efficient implementation of the modular reduction since only the non-zero words of p need to be processed. We describe a special variant of Montgomery multiplication for OPFs that does not execute any input-dependent conditional statements (e.g. branch instructions) and is, hence, resistant against certain side-channel attacks. When executed on an Atmel ATmega processor, a multiplication in a 160-bit OPF takes just 3237 cycles, which compares favorably with other implementations of 160-bit modular multiplication on an 8-bit processor. We also describe a performance-optimized and a security-optimized implementation of elliptic curve scalar multiplication over OPFs. The former uses a GLV curve and executes in 4.19M cycles (over a 160-bit OPF), while the latter is based on a Montgomery curve and has an execution time of approximately 5.93M cycles. Both results improve the state-of-the-art in lightweight ECC on 8-bit processors. [less ▲] Detailed reference viewed: 584 (156 UL)Efficient Implementation of NIST-Compliant Elliptic Curve Cryptography for Sensor Nodes Liu, Zhe ; ; Groszschädl, Johann et al in Qing, Sihan; Zhou, Jianying; Liu, Dongmei (Eds.) Information and Communications Security - 15th International Conference, ICICS 2013, Beijing, China, November 20-22, 2013. Proceedings (2013, November) In this paper, we present a highly-optimized implementation of standards-compliant Elliptic Curve Cryptography (ECC) for wireless sensor nodes and similar devices featuring an 8-bit AVR processor. The ... [more ▼] In this paper, we present a highly-optimized implementation of standards-compliant Elliptic Curve Cryptography (ECC) for wireless sensor nodes and similar devices featuring an 8-bit AVR processor. The field arithmetic is written in Assembly language and optimized for the 192-bit NIST-specified prime p = 2^192 - 2^64 - 1, while the group arithmetic (i.e. point addition and doubling) is programmed in ANSI C. One of our contributions is a novel lazy doubling method for multi-precision squaring which provides better performance than any of the previously-proposed squaring techniques. Based on our highly optimized arithmetic library for the 192-bit NIST prime, we achieve record-setting execution times for scalar multiplication (with both fixed and arbitrary points) as well as multiple scalar multiplication. Experimental results, obtained on an AVR ATmega128 processor, show that the two scalar multiplications of ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange can be executed in 1.75 s altogether (at a clock frequency of 7.37 MHz) and consume an energy of some 42 mJ. The generation and verification of an ECDSA signature requires roughly 1.91 s and costs 46 mJ at the same clock frequency. Our results significantly improve the state-of-the-art in ECDH and ECDSA computation on the P-192 curve, outperforming the previous best implementations in the literature by a factor of 1.35 and 2.33, respectively. We also protected the field arithmetic and algorithms for scalar multiplication against side-channel attacks, especially Simple Power Analysis (SPA). [less ▲] Detailed reference viewed: 408 (56 UL)Algorithms for Switching between Boolean and Arithmetic Masking of Second Order Vadnala, Praveen Kumar ; Groszschädl, Johann in Gierlichs, Benedikt; Guilley, Sylvain; Mukhopadhyay, Debdeep (Eds.) Security, Privacy, and Applied Cryptography Engineering - Third International Conference, SPACE 2013, Kharagpur, India, October 19-23, 2013. Proceedings (2013, October) Masking is a widely-used countermeasure to thwart Differential Power Analysis (DPA) attacks, which, depending on the involved operations, can be either Boolean, arithmetic, or multiplicative. When used to ... [more ▼] Masking is a widely-used countermeasure to thwart Differential Power Analysis (DPA) attacks, which, depending on the involved operations, can be either Boolean, arithmetic, or multiplicative. When used to protect a cryptographic algorithm that performs both Boolean and arithmetic operations, it is necessary to change the masks from one form to the other in order to be able to unmask the secret value at the end of the algorithm. To date, known techniques for conversion between Boolean and arithmetic masking can only resist first-order DPA. This paper presents the first solution to the problem of converting between Boolean and arithmetic masking of second order. To set the context, we show that a straightforward extension of first-order conversion schemes to second order is not possible. Then, we introduce two algorithms to convert from Boolean to arithmetic masking based on the second-order provably secure S-box output computation method proposed by Rivain et al (FSE 2008). The same can be used to obtain second-order secure arithmetic to Boolean masking. We prove the security of our conversion algorithms using similar arguments as Rivain et al. Finally, we provide implementation results of the algorithms on three different platforms. [less ▲] Detailed reference viewed: 205 (11 UL)Twisted Edwards-Form Elliptic Curve Cryptography for 8-bit AVR-based Sensor Nodes ; Groszschädl, Johann ; Liu, Zhe et al in Chen, Kefei; Xie, Qi; Qiu, Weidong (Eds.) et al Proceedings of the first ACM Workshop on Asia Public-Key Cryptography (ASIAPKC 2013) (2013, May) Wireless Sensor Networks (WSNs) pose a number of unique security challenges that demand innovation in several areas including the design of cryptographic primitives and protocols. Despite recent progress ... [more ▼] Wireless Sensor Networks (WSNs) pose a number of unique security challenges that demand innovation in several areas including the design of cryptographic primitives and protocols. Despite recent progress, the efficient implementation of Elliptic Curve Cryptography (ECC) for WSNs is still a very active research topic and techniques to further reduce the time and energy cost of ECC are eagerly sought. This paper presents an optimized ECC implementation that we developed from scratch to comply with the severe resource constraints of 8-bit sensor nodes such as the MICAz and IRIS motes. Our ECC software uses Optimal Prime Fields (OPFs) as underlying algebraic structure and supports two different families of elliptic curves, namely Weierstraß-form and twisted Edwards-form curves. Due to the combination of efficient field arithmetic and fast group operations, we achieve an execution time of 5.8*10^6 clock cycles for a full 158-bit scalar multiplication on an 8-bit ATmega128 microcontroller, which is 2.78 times faster than the widely-used TinyECC library. Our implementation also shows that the energy cost of scalar multiplication on a MICAz (or IRIS) mote amounts to just 19 mJ when using a twisted Edwards curve over a 160-bit OPF. This result compares fairly well with the energy figures of two recently-presented hardware designs of ECC based on twisted Edwards curves. [less ▲] Detailed reference viewed: 357 (44 UL)Cryptanalysis of the Full AES Using GPU-Like Special-Purpose Hardware Biryukov, Alex ; Groszschädl, Johann in Fundamenta Informaticae (2012), 114(3-4), 221-237 The block cipher Rijndael has undergone more than ten years of extensive cryptanalysis since its submission as a candidate for the Advanced Encryption Standard (AES) in April 1998. To date, most of the ... [more ▼] The block cipher Rijndael has undergone more than ten years of extensive cryptanalysis since its submission as a candidate for the Advanced Encryption Standard (AES) in April 1998. To date, most of the publicly-known cryptanalytic results are based on reduced-round variants of the AES (respectively Rijndael) algorithm. Among the few exceptions that target the full AES are the Related-Key Cryptanalysis (RKC) introduced at ASIACRYPT 2009 and attacks exploiting Time-Memory-Key (TMK) trade-offs such as demonstrated at SAC 2005. However, all these attacks are generally considered infeasible in practice due to their high complexity (i.e. 2^99.5 AES operations for RKC, 2^80 for TMK). In this paper, we evaluate the cost of cryptanalytic attacks on the full AES when using special-purpose hardware in the form of multi-core AES processors that are designed in a similar way as modern Graphics Processing Units (GPUs) such as the NVIDIA GT200b. Using today's VLSI technology would allow for the implementation of a GPU-like processor reaching a throughput of up to 10^12 AES operations per second. An organization able to spend one trillion US$ for designing and building a supercomputer based on such processors could theoretically break the full AES in a time frame of as little as one year when using RKC, or in merely one month when performing a TMK attack. We also analyze different time-cost trade-offs and assess the implications of progress in VLSI technology under the assumption that Moore's law will continue to hold for the next ten years. These assessments raise some concerns about the long-term security of the AES. [less ▲] Detailed reference viewed: 189 (6 UL) |
||