[Cryptography] How to lock registers with GCC?

tpb-crypto at laposte.net tpb-crypto at laposte.net
Tue May 20 13:47:58 EDT 2014


> Message du 20/05/14 19:38
> De : "Natanael" 
> 
> How much do you trust NSA? They published the lightweight ciphers Simon
> (intended for hardware implementation) and Speck (for software, including
> on microcontrollers). They're meant to perform well. There's a real chance
> they're backdoored, though, but they might be useful for experimenting. But
> they have versions of Speck with block size/key size of 48/96 and 64/96
> bits, up to 128/128 (still faster than AES).
> 
> Note that 80-bit keys are considered the current upper limit of what's
> practically brute-forceable by large organizations, and that's assuming a
> strong cipher. I would not trust 96 bits for very long considering the risk
> of a small fast cipher having half its effective key strength undone by
> cryptanalysis and the continuous advancements in hardware; I want a better
> security margin. It is ok if it only needs to protect temporary secrets,
> though.
> 
> Then you also need some secure cipher mode on top of that, ideally an
> authenticated one (don't ever do ECB). Don't know any that's fast even on
> microcontrollers.
> 

Thank you for the suggestions.

I found this link: https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

And this comment below the post: {"The aim of SIMON and SPECK is to fill the need for secure, flexible, and analyzable lightweight block ciphers." - the interesting thing in that is "analyzable"...}

It is worth keeping the quotes in it just for fun.

Now, answering your question, I really trust the NSA. My trust in them is the trust that you give to a thief: he will rob you sooner or later, that's for sure, and that is something you can trust, right? Trust in the negative sense is also a form of trust in our world of smoke, mirrors and doublespeak.


Meanwhile, as we keep scratching our heads, I found this interesting table:

https://www.cryptolux.org/index.php/Lightweight_Block_Ciphers

While Schneier and a few others put their work immediately into the public domain, the good thing about the DES-improved paper that I posted earlier and some of these alternatives is that we would be free to choose which license the code could be placed under, if we make it ourselves.

Does anybody know if at least one of those cipher proposals can be trusted, outside AES?


Now more details of our situation:

Most ARM processors starting with version 6 - with the exception of the M family - have the possibility to allocate registers for other functions outside of the running raw code. They all have 16 registers. Allocating 6 of them, as in one of their operating modes, seems doable, albeit at some obvious performance penalty, because we know by experience that 10 registers is kind of too little even for RISC machines.

So that allocation mode guarantees us that other programs won't poke into the registers even if they can override the compiler limitations; this could even be applied to a monocore processor, then. There are ARM processors with more registers, but they are more the exception than the rule, so we will stick to the rule.

MIPS 3000 is already a pretty old standard; I don't know how many older MIPS exist out there. But if we consider only the 3000 and up, then we have 32 registers or more and, according to the link I posted regarding processing performance, we could use up to 16 registers without hurting the processing power too much by means of GCC reservation of registers.

MIPS would thus allow us better encryption, with even the possibility of storing 128-bit public/private keys inside the processor. If I remember correctly there are a few public key systems that could use such small keys, like NTRU. A very interesting possibility, but NTRU is locked in the GPL landscape and sometimes it eats your data.

Pentium IV has 128 registers and that number grows in newer models, so we don't really need to use the debug registers for storing keys if the compiler guarantees us the privacy of the reserved registers. However, I have no idea how this will impact performance because we are talking about a CISC machine here.
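
A small added example, not code from this thread or from any of the projects mentioned, of what "GCC reservation of registers" looks like in practice. It uses GCC's global register variable extension (the per-build equivalent is the -ffixed-REG flag) to keep a 64-bit key in a named register; the register name r12, the callee-saved choice on x86-64, and the key value are assumptions made for the illustration. On a compiler or target without the extension the key falls back to an ordinary variable so the rest still runs, and the key_is_register_resident() helper reports which case you got.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread. GCC's "global register variable"
 * extension binds a file-scope variable to a named register, and the compiler
 * then never allocates that register for anything else in this translation
 * unit. The build-wide equivalent is `gcc -ffixed-r12`. The register name
 * (r12, callee-saved on x86-64) and the key value below are assumptions made
 * for the example. Other compilers or targets fall back to a plain variable
 * so the code still runs; only the pinned build keeps the key out of memory. */
#if defined(__GNUC__) && !defined(__clang__) && defined(__x86_64__)
register uint64_t key_reg __asm__("r12");
#define KEY_REGISTER_RESIDENT 1
#else
static uint64_t key_reg;
#define KEY_REGISTER_RESIDENT 0
#endif

/* 1 when the key really lives in r12, 0 in the fallback build. */
int key_is_register_resident(void) { return KEY_REGISTER_RESIDENT; }

void load_key(uint64_t k) { key_reg = k; }
uint64_t current_key(void) { return key_reg; }
/* Zeroing the register is the only "erase": there is no memory cell to scrub. */
void clear_key(void) { key_reg = 0; }

/* Toy keyed mixing step, NOT a cipher: byte i of the buffer is XORed with
 * byte (i mod 8) of the key, little-endian. It exists only to show the key
 * being consumed straight from the register by ordinary C code. */
void xor_with_key(uint8_t *buf, size_t n) {
  for (size_t i = 0; i < n; i++)
    buf[i] ^= (uint8_t)(key_reg >> (8 * (i % 8)));
}

/* Constructed sample input: 8 zero bytes. One pass leaves the key bytes in
 * the buffer, a second pass restores the zeros, and clear_key() leaves the
 * register empty. Returns 1 when all three hold. */
int roundtrip_demo(void) {
  uint8_t buf[8] = {0};
  load_key(0x0102030405060708ULL);   /* constructed key, not a real secret */
  xor_with_key(buf, sizeof buf);
  int first_pass_ok = (buf[0] == 0x08 && buf[7] == 0x01);
  xor_with_key(buf, sizeof buf);
  int restored = 1;
  for (size_t i = 0; i < sizeof buf; i++)
    restored = restored && (buf[i] == 0);
  clear_key();
  return first_pass_ok && restored && current_key() == 0;
}

int main(void) {
  printf("key register-resident: %d\n", key_is_register_resident());
  printf("roundtrip ok: %d\n", roundtrip_demo());
  return 0;
}
```

Two things worth checking before relying on this. First, the reservation is a convention among code compiled with it: a library, interrupt handler or hand-written assembly not built with -ffixed-r12 may still use r12 (callee-saved code saves it to the stack, so the key does touch memory), and the kernel saves every register on a context switch and exposes them through ptrace and core dumps; pinning reduces how often the key is written to memory, it does not make the register private. Second, the compiler only sees the architectural registers (16 general-purpose ones on x86-64); the larger physical register files in newer x86 parts are rename registers that no instruction or compiler can address. A quick sanity check that the pinned build really has no memory copy is that `&key_reg` is a compile error in GCC, because a register has no address.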

