Nicola Tuveri

Arttu Paju, Alejandro Cabrera Aldaya, Nicola Tuveri et al.

Entropy--a measure of randomness--is compulsory for the generation of secure cryptographic keys; however, Internet of Things (IoT) devices that are small or constrained often struggle to collect suf ficient entropy. In this article, we solve the entropy provisioning problem for a fleet of IoT devices that can generate a limited amount of entropy. We employ a Trusted Execution Environment (TEE) based on RISC-V to create an external entropy service for a fleet of IoT devices. A small measure of true entropy or pre-installed keys can establish initial secure communication. Once connected, devices can request cryptographically strong entropy from a TEE-backed server. RISC-V offers True Random Number Generators (TRNGs) and a TEE for devices to attest that they are receiving reliable entropy. In addition, this solution can be expanded by adding IoT devices with sensors that produce high-quality entropy as additional entropy sources for the RISC-V entropy provider. Our open-source implementation shows that building trusted entropy infrastructure for IoT is both feasible and effective on open RISC-V platforms.

Daniel J. Bernstein, Billy Bob Brumley, Ming-Shing Chen et al.

Google's CECPQ1 experiment in 2016 integrated a post-quantum key-exchange algorithm, newhope1024, into TLS 1.2. The Google-Cloudflare CECPQ2 experiment in 2019 integrated a more efficient key-exchange algorithm, ntruhrss701, into TLS 1.3. This paper revisits the choices made in CECPQ2, and shows how to achieve higher performance for post-quantum key exchange in TLS 1.3 using a higher-security algorithm, sntrup761. Previous work had indicated that ntruhrss701 key generation was much faster than sntrup761 key generation, but this paper makes sntrup761 key generation much faster by generating a batch of keys at once. Batch key generation is invisible at the TLS protocol layer, but raises software-engineering questions regarding the difficulty of integrating batch key exchange into existing TLS libraries and applications. This paper shows that careful choices of software layers make it easy to integrate fast post-quantum software, including batch key exchange, into TLS with minor changes to TLS libraries and no changes to applications. As a demonstration of feasibility, this paper reports successful integration of its fast sntrup761 library, via a lightly patched OpenSSL, into an unmodified web browser and an unmodified TLS terminator. This paper also reports TLS 1.3 handshake benchmarks, achieving more TLS 1.3 handshakes per second than any software included in OpenSSL.

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri et al.

We demonstrate that the format in which private keys are persisted impacts Side Channel Analysis (SCA) security. Surveying several widely deployed software libraries, we investigate the formats they support, how they parse these keys, and what runtime decisions they make. We uncover a combination of weaknesses and vulnerabilities, in extreme cases inducing completely disjoint multi-precision arithmetic stacks deep within the cryptosystem level for keys that otherwise seem logically equivalent. Exploiting these vulnerabilities, we design and implement key recovery attacks utilizing signals ranging from electromagnetic (EM) emanations, to granular microarchitecture cache timings, to coarse traditional wall clock timings.