Usuba: high-throughput and constant-time ciphers, by construction

Mercadier, Darius; Dagand, Pierre-Évariste

doi:10.1145/3314221.3314636

Cited by 11 publications

(11 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As part of future work, we intend to further enrich our compiler backend with optimizations specific to embedded architectures (Cortex M and/or Risc-V), systematizing various primitivespecific optimizations documented in the literature [35,28,33]. Previous results on Intel architecture [29] has demonstrated that Usuba can produce code whose performance is on par with hand-optimized, assembly implementations.…”

Section: Resultsmentioning

confidence: 99%

“…However, bitslicing can be generalized to n-slicing [29] (with n > 1). Whereas bitslicing splits an m-word quantity into m individual bits, we can also treat it at a coarser granularity 5 , splitting it into k variables of n bits each (preserving the invariant that m = k × n).…”

Section: Usubamentioning

confidence: 99%

“…For example, it features a custom instruction scheduling algorithm, aimed at minimizing the register pressure of bitsliced code. On high-end Intel architectures featuring Single Instruction Multiple Data (SIMD) extensions, Usuba has demonstrated performance on par with hand-optimized reference implementations [29].…”

Section: Vectorization Transpilationmentioning

confidence: 99%

“…Besides, operating each loop (increment, comparison, branching) impedes an overhead that the C compiler is something heuristically willing to optimize out at small orders, leading to confusing threshold effects when benchmarking. To address both issues, we systematically perform loop fusion, thus obtaining for (int i=0; i<=MASKING_ORDER; i++) { A(i); B(i); C(i); } on the above example, followed by instruction scheduling, which will strive to reduce the live range [29] (and thus the number of temporaries) of, for example, the variables set in A and used in B.…”

Section: Optimizationsmentioning

confidence: 99%

“…In practice one could hope for an integrated tool that takes an input circuit in a simple syntax, determine where to place the refresh gadgets and compile the augmented circuit into a masked implementation, for a given masking order on a given computing platform. Usuba, introduced by Mercadier and Dagand in [29], is a highlevel programming language for specifying symmetric block ciphers. It provides an optimizing compiler that produces efficient bitsliced implementations.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

Belaïd

Dagand

Mercadier

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

Self Cite

View full text Add to dashboard Cite

Cryptographic implementations deployed in real world devices often aim at (provable) security against the powerful class of side-channel attacks while keeping reasonable performances. Last year at Asiacrypt, a new formal verification tool named tightPROVE was put forward to exactly determine whether a masked implementation is secure in the well-deployed probing security model for any given security order t. Also recently, a compiler named Usuba was proposed to automatically generate bitsliced implementations of cryptographic primitives. This paper goes one step further in the security and performances achievements with a new automatic tool named Tornado. In a nutshell, from the high-level description of a cryptographic primitive, Tornado produces a functionally equivalent bitsliced masked implementation at any desired order proven secure in the probing model, but additionally in the so-called register probing model which much better fits the reality of software implementations. This framework is obtained by the integration of Usuba with tightPROVE + , which extends tightPROVE with the ability to verify the security of implementations in the register probing model and to fix them with inserting refresh gadgets at carefully chosen locations accordingly. We demonstrate Tornado on the lightweight cryptographic primitives selected to the second round of the NIST competition and which somehow claimed to be masking friendly. It advantageously displays performances of the resulting masked implementations for several masking orders and proves their security in the register probing model.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Usubamentioning

confidence: 99%

Section: Vectorization Transpilationmentioning

confidence: 99%

Section: Optimizationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

Belaïd

Dagand

Mercadier

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

Self Cite

View full text Add to dashboard Cite

show abstract

RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation

Mantel

Scheidel

Schneider

et al. 2020

Cryptology and Network Security

View full text Add to dashboard Cite

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Kiaei

Mercadier

Dagand

et al. 2021

Constructive Side-Channel Analysis and Secure Design

Self Cite

View full text Add to dashboard Cite

The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.

show abstract

Usuba: high-throughput and constant-time ciphers, by construction

Cited by 11 publications

References 53 publications

Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Contact Info

Product

Resources

About