Ben Marshall's research while affiliated with University of Bristol and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
Publications (11)
The NIST LightWeight Cryptography (LWC) selection process aims to standardise cryptographic functionality which is suitable for resource-constrained devices. Since the outcome is likely to have significant, long-lived impact, careful evaluation of each submission with respect to metrics explicitly outlined in the call is imperative. Beyond the robu...
The RISC-V true random number generator (TRNG) architecture breaks with previous ISA TRNG practice by splitting the entropy source (ES) component away from cryptographic DRBGs into a separate privileged interface, and in its use of polling. The modular approach is suitable for the RISC-V hardware IP ecosystem, allows a significantly smaller impleme...
In this paper, we describe an extensible experimental infrastructure for evaluating the micro-architectural leakage, based on power consumption, that stems from a physical device. Building on existing literature, we use it to systematically study 14 different devices, which span 4 different instruction set architectures and 4 different vendors. The...
In both hardware and software, masking can represent an effective means of hardening an implementation against side-channel attack vectors such as Differential Power Analysis (DPA). Focusing on software, however, the use of masking can present various challenges: specifically, it often 1) requires significant effort to translate any theoretical sec...
Secure, efficient execution of AES is an essential requirement on most computing platforms. Dedicated Instruction Set Extensions (ISEs) are often included for this purpose. RISC-V is a (relatively) new ISA that lacks such a standardized ISE. We survey the state-of-the-art industrial and academic ISEs for AES, implement and evaluate five different I...
![Figure 6: Target kernel for experiment 2: 2-share ISW [ISW03]...](publication/346707024/figure/fig4/AS:11431281114090533@1674239213844/Target-kernel-for-experiment-2-2-share-ISW-ISW03-multiplication-Note-that-the-kernel_Q320.jpg)
Ge et al. [GYH18] propose the augmented ISA (or aISA), a central tenet of which is the selective exposure of micro-architectural resources via a less opaque abstraction than normal. The aISA proposal is motivated by the need for control over such resources, for example to implement robust countermeasures against microarchitectural attacks. In this...
Masking is a well loved and widely deployed countermeasure against side channel attacks, in particular in software. Under certain assumptions (w.r.t. independence and noise level), masking provably prevents attacks up to a certain security order and leads to a predictable increase in the number of required leakages for successful attacks beyond thi...
Citations
... Alternatively, dedicated hardware, such as the AES functional unit [63], can be added to the datapath of the main core. The work presented in [73] analyzes the building blocks of the Lightweight Cryptography (LWC) finalists to find the most suitable acceleration granularity, e.g., their smallest hardware addition is for the Xoodyak parity plane manipulation (xorrol) with only a 1.155× increase in the area of the main core. ...
![[object Object]](https://i1.rgstatic.net/ii/profile.image/369829585408000-1465185652227_Q64/Thinh-Pham-18.jpg)
... Linear correctors are recognized by the RISC-V consortium [16], [17] as a form of admissible non-cryptographic postprocessing and are recommended to be used in several recent TRNG designs [15], [18]- [22]. They represent an attractive post-processing method due to a significantly smaller hardware footprint compared to cryptographic post-processing [23], the ability to deal with not identically distributed raw random bits and higher extraction efficiency than simple XOR function [11], [12]. ...
... To Register File interaction with the RAM to model the multiplexers between r 17 and the registers, as shown in [MPW22]. ...
... The secure pipeline executes a set of instructions protected by Domain-Oriented Masking (DOM) with multi-cycle nonlinear operations, e.g., 4-cycle 1-bit ADD instruction with two fresh random numbers per share. The idea of custom ISA instructions to mitigate SCA has been extended in [78] to include DOM and other masking approaches. The authors have presented 22 custom instructions such as conversion of operands (Boolean to/from Arithmetic masking), Boolean masking operations, arithmetic masking operations, and masked finite field arithmetic for GF(2 8 ). ...
... In addition to utilizing the C programing language for pure software implementations [18], it seemed that the preferred implementation approach also involved using an ISE. The work [19] introduced a lightweight ISE designed to support the ChaCha stream cipher in RISC-V architectures, which achieved a speedup gain of at least 5.4 times compared to the OpenSSL baseline and 3.4 times compared to an ISA optimized implementation. The study [20] focused on achieving secure and efficient execution of AES by separating different ISEs for 32-bit and 64-bit, which demonstrated significant performance improvements for AES-128 block encryption. ...
... Nevertheless, in an actual implementation, it should be randomly generated at the beginning of the execution. This random generation should be done at a hardware level, using a non-deterministic method such as TRNG, details on this implementation are out of scope for this work, for reference, the work of Saarinen et al. [70] shows how such a TRNG could be implemented. ...
... For example, attaching a cryprographic co-processor, such as the DTLS Cryptographic Engine [59], is a common solution. Alternatively, dedicated hardware, such as the AES functional unit [63], can be added to the datapath of the main core. The work presented in [73] analyzes the building blocks of the Lightweight Cryptography (LWC) finalists to find the most suitable acceleration granularity, e.g., their smallest hardware addition is for the Xoodyak parity plane manipulation (xorrol) with only a 1.155× increase in the area of the main core. ...
... Some studies have implemented local masking (initialization phase and finalization phase) countermeasures to special algorithms based on software to reduce the overhead of masking countermeasures while ensuring security [32]. The hardware-based masking scheme is mainly implemented based on TI (Threshold Implementation) [33,34], and there are studies using the second operand feature of the ARM instruction set to reduce the computational complexity of Boolean masking [35]. Inserting pseudo-instructions into an algorithm to hide side-channel information is a means of resisting high-order physical attacks, but this method often causes concerns in security evaluation and scalability [36]. ...
... Then, Goudarzi et al. [6] and Journault et al. [7] evaluated the efficiency of its software implementation by explicitly packing shares into a single general-purpose register. Finally, Gao et al. called this type of implementation "share slicing" and studied its security [8]. The incompatibility between bit-wise masking and word-wise processing in CPUs is one reason of its inefficiency, and share slicing addresses this issue by concatenating the shares into a word, e.g., x 0 ||x 1 || . . . ...
