Lightweight Permutation-Based Cryptography for the Ultra-Low-Power Internet of Things

in Bella, Giampaolo; Doinea, Mihai; Janicke, Helge (Eds.) Innovative Security Solutions for Information Technology and Communications, 15th International Conference, SECITC 2022, Virtual Event, December 8-9, 2022, Revised Selected Papers (2022, December)

The U.S. National Institute of Standards and Technology is currently undertaking a process to evaluate and eventually standardize one or more "lightweight" algorithms for authenticated encryption and ... [more ▼]

The U.S. National Institute of Standards and Technology is currently undertaking a process to evaluate and eventually standardize one or more "lightweight" algorithms for authenticated encryption and hashing that are suitable for resource-restricted devices. In addition to security, this process takes into account the efficiency of the candidate algorithms in various hardware environments (e.g. FPGAs, ASICs) and software platforms (e.g. 8, 16, 32-bit microcontrollers). However, while there exist numerous detailed benchmarking results for 8-bit AVR and 32-bit ARM/RISC-V/ESP32 microcontrollers, relatively little is known about the candidates' efficiency on 16-bit platforms. In order to fill this gap, we present a performance evaluation of the final-round candidates Ascon, Schwaemm, TinyJambu, and Xoodyak on the MSP430 series of ultra-low-power 16-bit microcontrollers from Texas Instruments. All four algorithms were explicitly designed to achieve high performance in software and have further in common that the underlying primitive is a permutation. We discuss how these permutations can be implemented efficiently in Assembly language and analyze how basic design decisions impact their execution time on the MSP430 architecture. Our results show that, overall, Schwaemm is the fastest algorithm across various lengths of data and associated data, respectively. Xoodyak has benefits when a large amount of associated data is to be authenticated, whereas TinyJambu is very efficient for the authentication of short messages. [less ▲]

Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things

in Deng, Robert; Bao, Feng; Wang, Guilin (Eds.) et al Information Security Practice and Experience, 16th International Conference, ISPEC 2021, Nanjing, China, December 17–19, 2021, Proceedings (2021, December)

EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest incarnation of the TLS protocol (i.e. TLS version 1.3). The straightforward way of verifying an ... [more ▼]

EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest incarnation of the TLS protocol (i.e. TLS version 1.3). The straightforward way of verifying an EdDSA signature involves a costly double-scalar multiplication of the form kP - lQ where P is a "fixed" point (namely the generator of the underlying elliptic-curve group) and Q is only known at run time. This computation makes a verification not only much slower than a signature generation, but also more memory demanding. In the present paper we compare two implementations of EdDSA verification using Ed25519 as case study; the first is speed-optimized, while the other aims to achieve low RAM footprint. The speed-optimized variant performs the double-scalar multiplication in a simultaneous fashion and uses a Joint-Sparse Form (JSF) representation for the two scalars. On the other hand, the memory-optimized variant splits the computation of kP - lQ into two separate parts, namely a fixed-base scalar multiplication that is carried out using a standard comb method with eight pre-computed points, and a variable-base scalar multiplication, which is executed by means of the conventional Montgomery ladder on the birationally-equivalent Montgomery curve. Our experiments with a 16-bit ultra-low-power MSP430 microcontroller show that the separated method is 24% slower than the simultaneous technique, but reduces the RAM footprint by 40%. This makes the separated method attractive for "lightweight" cryptographic libraries, in particular if both Ed25519 signature generation/verification and X25519 key exchange need to be supported. [less ▲]

Fast and Flexible Elliptic Curve Cryptography for Dining Cryptographers Networks

in Bouzefrane, Samia; Laurent, Maryline; Boumerdassi, Selma (Eds.) et al Mobile, Secure, and Programmable Networking, 6th International Conference, MSPN 2020, Paris, France, October 28–29, 2020, Revised Selected Papers (2020, October)

A Dining Cryptographers network (DCnet for short) allows anonymous communication with sender and receiver untraceability even if an adversary has unlimited access to the connection metadata of the network ... [more ▼]

A Dining Cryptographers network (DCnet for short) allows anonymous communication with sender and receiver untraceability even if an adversary has unlimited access to the connection metadata of the network. Originally introduced by David Chaum in the 1980s, DCnets were for a long time considered not practical for real-world applications because of the tremendous communication and computation overhead they introduce. However, technological innovations such as 5G networks and extremely powerful 64-bit processors make a good case to reassess the practicality of DCnets. In addition, recent advances in elliptic-curve based commitment schemes and Zero-Knowledge Proofs (ZKPs) provide a great opportunity to reduce the computational cost of modern DCnets that are able to detect malicious behavior of communicating parties. In this paper we introduce X64ECC, a self-contained library for Elliptic Curve Cryptography (ECC) developed from scratch to support all the public-key operations needed by modern DCnets: key exchange, digital signatures, Pedersen commitments, and ZKPs. X64ECC is written in C and uses compiler intrinsics to speed up performance-critical arithmetic operations. It is highly scalable and works with Montgomery curves and twisted Edwards curves of different cryptographic strength. Despite its high scalability and portability, X64ECC is able to compute a fixed-base scalar multiplication on a twisted Edwards curve over a 255-bit prime field in about 145,000 clock cycles on a modern Intel X64 processor. All cryptosystems can be adapted on-the-fly (i.e. without recompilation) to implement DCnets with arbitrary message sizes, and tradeoffs between the cryptographic strength and throughput of a DCnet are possible. [less ▲]

Energy-Scalable Montgomery-Curve ECDH Key Exchange for ARM Cortex-M3 Microcontrollers

in Awan, Irfan; Younas, Muhammad; Portela, Filipe (Eds.) Proceedings of the 6th International Conference on Future Internet of Things and Cloud Workshops (W-FICLOUD 2018) (2018, August)

The number of smart devices connected to the Internet is growing at an enormous pace and will reach 30 billion within the next five years. A large fraction of these devices have limited processing ... [more ▼]

The number of smart devices connected to the Internet is growing at an enormous pace and will reach 30 billion within the next five years. A large fraction of these devices have limited processing capabilities and energy supply, which makes the execution of computation-intensive cryptographic algorithms very costly. This problem is exacerbated by the fact that basic optimization techniques like loop unrolling can not (always) be applied since cryptographic software for the IoT often needs to meet strict constraints on code size to not exceed the program storage capacity of the target device. In this paper we introduce SECCCM3, a "lightweight" software library for scalable elliptic curve cryptography on ARM Cortex-M3 microcontrollers. The current version of SECCCM3 is able to carry out variable-base scalar multiplication on Montgomery-form curves over pseudo-Mersenne prime fields, such as Curve25519, and can be used to implement static ECDH key exchange. SECCCM3 is scalable in the sense that it supports curves of different order (as long as certain conditions are met), thereby enabling trade-offs between security and execution time (resp. energy dissipation). We made an effort to protect the field arithmetic against Timing Attacks (TAs) and Simple Power Analysis (SPA), taking into account the so-called early-termination effect of the Cortex-M3 integer multiplier, which makes the latency of "long" multiply instructions operand-dependent. Our experiments show that the integration of countermeasures against information leakage caused by this effect increases the execution time by 34%, while the code size grows by 13%. A TA and SPA-resistant scalar multiplication on Curve25519 has an execution time of 4.565 million clock cycles and consumes approximately 5.1 mJ of energy when executed on a STM32L152RE Cortex-M3 microcontroller. SECCCM3 has a binary code size of 4.0 kB, which includes domain parameters for curves over 159, 191, 223, and 255-bit prime fields. [less ▲]

Mapping Combinational Circuits to Homogenous Trellis-Constrained Codes

Poster (2017, July)

A Decoder for a Symbol-Constrained Code (preliminary version)

E-print/Working paper (2017)

Untraceable VoIP Communication based on DC-nets

E-print/Working paper (2016)

Untraceable communication is about hiding the identity of the sender or the recipient of a message. Currently most systems used in practice (e.g., TOR) rely on the principle that a message is routed via ... [more ▼]

Untraceable communication is about hiding the identity of the sender or the recipient of a message. Currently most systems used in practice (e.g., TOR) rely on the principle that a message is routed via several relays to obfuscate its path through the network. However, as this increases the end-to-end latency it is not ideal for applications like Voice-over-IP (VoIP) communication, where participants will notice annoying delays if the data does not arrive fast enough. We propose an approach based on the paradigm of Dining Cryptographer networks (DC-nets) that can be used to realize untraceable communication within small groups. The main features of our approach are low latency and resilience to packet-loss and fault packets sent by malicious players. We consider the special case of VoIP communication and propose techniques for a P2P implementation. We expose existing problems and sketch possible future large-scale systems composed of multiple groups. [less ▲]

Method and device for information-theoretically secure anonymous communication

Patent (2015)

Method and Device for Anonymous Communication

Patent (2015)

Dining Cryptographers with 0.924 Verifiable Collision Resolution

in Annales Universitatis Mariae Curie-Skłodowska. Sectio AI, Informatica (2014), 14(1), 49-59

The dining cryptographers protocol implements a multiple access channel in which senders and recipients are anonymous. A problem is that a malicious participant can disrupt communication by deliberately ... [more ▼]

The dining cryptographers protocol implements a multiple access channel in which senders and recipients are anonymous. A problem is that a malicious participant can disrupt communication by deliberately creating collisions. We propose a computationally secure dining cryptographers protocol with collision resolution that achieves a maximum stable throughput of 0.924 messages per round and which allows to easily detect disruptors. [less ▲]