September 10-14, 2023

Prague, Czech Republic

The tutorials and the CHES Forum take place on:

Sunday, September 10, 2023.

Tutorials

Low-Latency Encryption on Hardware: Trade-offs and Recommendations

Time:

9:00 — 12:00 (Sunday, September 10, 2023)

Speaker:

Elif Bilge Kavun, University of Passau, Germany

Abstract:

In recent years, the demand for cost-effective, low-latency encryption has significantly increased, particularly for applications such as memory encryption. The processing time required by a cryptographic primitive implemented in hardware is a crucial performance metric in these scenarios.

However, achieving low latency involves intricate trade-offs with other metrics, including circuit area, time-area product, power consumption, and energy efficiency. Therefore, it becomes essential to thoroughly investigate these trade-offs to optimize the performance of hardware implementations. This tutorial aims to present a comprehensive overview of low-latency encryption techniques on hardware, specifically focusing on block cipher design and hardware implementation. We will delve into the extensive body of research and cipher proposals for low-latency cryptography published in the past decade, providing a qualitative analysis of their merits and drawbacks. Through this tutorial, we intend to equip aspiring low-latency block cipher designers and hardware designers with the necessary knowledge and insights to make informed decisions and develop efficient solutions.

The tutorial will commence with the fundamental concepts and challenges of low-latency encryption on hardware. We will explore the impact of factors such as the number of rounds, their complexity, and the similarity of encryption and decryption procedures on the resulting latency. By understanding the core principles, participants will gain the basis to comprehend the subsequent discussions. Following this, we will review a diverse range of previous works and cipher proposals for low-latency cryptography, focusing on the advancements made within the past decade. Based on this literature, we will provide a qualitative description of various methodologies employed to achieve low latency. This analysis will highlight the strengths and weaknesses of different approaches, enabling participants to evaluate their suitability for specific hardware implementation scenarios. We will also discuss the impact of physical attack countermeasures on low latency, together with other metrics.

To enrich the learning experience, the tutorial will include a hands-on session following the theoretical part. Participants will have the opportunity to engage in Verilog-HDL-based simulations and ASIC/FPGA-based implementations, gaining practical insights into the challenges and intricacies of low-latency encryption on hardware. By providing an in-depth examination of low-latency encryption techniques on hardware, this tutorial aims to foster a deeper understanding of the subject and enable participants to design and implement efficient solutions. The combination of theoretical knowledge, practical demonstrations, and recommendations for aspiring low-latency block cipher designers and hardware designers will equip attendees with valuable insights and skills in this rapidly evolving field.

Please find the tutorial slides and material here.

Hands-On Introduction to Power Analysis Attacks on ECC in Hardware and Software

Time:

9:00 — 12:00 (Sunday, September 10, 2023)

Speaker:

Jean-Pierre Thibault, NewAE Technology Inc., Canada

Abstract:

Side-channel attacks are a threat for ECC implementations, which is especially relevant with the use of ECDSA-based schemes for identification and authentication of embedded devices. This tutorial (briefly) introduces ECC along with implementations in both hardware and software, and common trade-offs.

The tutorial then walks through power analysis attacks on both hardware (implemented in an FPGA) and software (implemented in a microcontroller) ECC implementations. Pre-recorded power traces are provided for simplicity, but live demonstrations of the capture process will also be done. This also allows comparisons of power traces when turning on and off certain features or countermeasures. A common hurdle when attacking asymmetric cryptography is the difficulty of locating (in time) the potential leakage in a power trace recorded over millions of clock cycles. We will show multiple ways to do this, including target code modifications, triggering logic, and the use of Arm Coresight trace—an under-used technology with much potential for facilitating side-channel attacks—and discuss their pros and cons.

All implementations used in the tutorial are open-source, based on CrypTech Alpha [1] for the FPGA, and micro-ecc [2] for the microcontroller. The attacks are implemented in a series of open-source Jupyter notebooks using Python [3]. Students can bring a laptop to interactively work through the attacks during the tutorial, or download the traces and notebooks to work through them at a later time.

As part of the tutorial, the synthesis of the hardware ECC core will be demonstrated. This will lead to a discussion of countermeasures, and a demonstration of how the attendees could add their own countermeasures to this design. The provided notebooks and framework will allow the attendees to evaluate their countermeasures compared to the reference design.

[1] CrypTech, https://cryptech.is/

[2] micro-ecc, https://github.com/kmackay/micro-ecc

[3] Thibault, J.P., O’Flynn, C., Dewar, A.: Ark of the ECC: An open-source ECDSA power analysis attack on a FPGA based Curve P-256 implementation. Cryptology ePrint Archive, Paper 2021/1520 (2021).

Implementing Kyber and Dilithium on Microcontrollers

Time:

14:00 — 17:00 (Sunday, September 10, 2023)

Speaker:

Matthias J. Kannwischer, Academia Sinica, Taipei, Taiwan

Abstract:

In July 2022, the US National Institute of Standards and Technology (NIST) announced the first set of post-quantum schemes to be standardized: Kyber, Dilithium, Falcon, and SPHINCS+. It is expected that NIST will publish its first post-quantum cryptography standard including those schemes soon. This talk will cover the implementation of the lattice-based key-encapsulation mechanism Kyber and the digital signature scheme Dilithium. I will introduce the core construction of the schemes and essential implementation techniques. This will cover number-theoretic transforms, Montgomery multiplication, Barrett multiplication, and Plantard multiplication. I will present how these techniques can be used to obtain fast implementations on both low-end Arm microcontrollers and high-end Arm processors supporting the Neon vector instructions.

Participants will then implement their own number-theoretic transforms for Kyber and Dilithium using Arm Cortex-M4 assembly. Instructions will be provided to functionally test the implementations on an Arm Cortex-M4 emulated using QEMU (version 5.2 or newer). For measuring the performance, a small number of STM32F407 development boards will be available during the tutorial.

Participants should follow the pre-tutorial instructions available at https://github.com/mkannwischer/ches-tutorial-2023. In particular, please install arm-none-eabi-gcc, qemu, and st-link. The 'helloworld' program should successfully run on QEMU before the tutorial.

CHES Forum

TASER (Topics in hArdware SEcurity and RISC-V)

Time:

14:00 — 17:00 (Sunday, September 10, 2023)

The TASER (Topics in hArdware SEcurity and RISC-V) workshop broadly aims to establish hardware security using RISC-V as a topic of interest for the CHES community.

TASER Program

Abstract:

The open nature of RISC-V and the associated community and eco-system have arguably led to a "golden era" of research and innovation within the field of computer architecture. This, in turn, has positively impacted the associated area of hardware security, where significant existing challenges remain and new challenges continue to emerge. RISC-V offers opportunities for academic and industrial research and development that stem from the ISA's extensible, configurable nature and the transparency afforded by access to high-quality HDL implementations. Established in 2021 as a CHES forum, TASER aims to 1) establish and solidify RISC-V as a topic of interest for CHES, and 2) act as an interface between the RISC-V and CHES communities.