Beating Real-Time Crypto: Solutions and Analysis

Designing cryptographic primitives with minimum execution time in hardware implementation (so-called latency) is a very young and emergent research discipline. In the last recent years, we have seen a very rapid deployment of secure microcontrollers in IoT, automotive and cloud infrastructures, various technology fields, including industrial automation, robotics, and the 5th generation mobile network. This deployment has urged the need for real-time operation and the requirement of low-latency execution while preserving the highest possible level of security.

A good example for this is memory encryption and integrity mechanisms. Likewise, and even more prominently, smart cards do local memory encryption in an ultra-constrained setting. Another example of applying ultra-low-latency ciphers is for secure caches in modern CPUs. This application received significant attention in the last few years as microarchitectural attacks revealed serious shortcomings in the security architectures of widely deployed high-end processors. Many hardware-based mitigations for such attacks call for a higher level of encrypted communication inside of CPUs as well as between CPUs and their surrounding hardware components. To implement new features of this kind in the next generations of mainstream processors, without causing a large performance penalty, high-speed encryption primitives are among the most important building blocks. Pointer authentication, dedicated hardware instructions, and similar hardware-assisted mechanisms against software exploitation are other examples for applying low-latency cryptographic primitives.

Moreover, in some applications of cryptographic primitives, there is a need for encrypting inputs of different and relatively small sizes. However, typical cryptographic primitives are often relatively large, e.g., more than 128 bits. Although smaller primitives, even up to a block size of 32 bits have been introduced, going beyond that size has always been an avoided challenge. Only last year, two ultra-small low-latency primitives, BipBip with 24-bit block size and SCARF with 10-bit block size and both using a 40-bit tweak, have been introduced. However, the design and use of these primitives come with their own problems. Most notably, these primitives require a delicate design of a good key schedule, and due to the birthday paradox, one requires special modes of operation that would see these primitives fit.

The incentive of the workshop is to improve and intensify the design and analysis of low-latency and variable-sized primitives. The presented solutions will be relevant, noting that they fill a gap currently exposed in the landscape of lightweight cryptography. The challenge is unique as it pushes lightweight cryptography to the edge of its capabilities, and it brings together different fields of expertise, including cryptanalysts, theoreticians, and side-channel specialists, to assure this quest happens with no sacrifice in security.