Secure and efficient coprocessor design for cryptographic applications on FPGAs

Dissertation presented in order to obtain the degree of Doctor in Engineering Sciences by Nele MENTENS

All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher.

Acknowledgments

After 4 years of Ph.D. research, I would like to thank the people who supported me along the way. First of all, great appreciation goes to my promoters, Prof. Bart Preneel and Prof. Ingrid Verbauwhede. They gave me the chance to be a Ph.D. researcher at COSIC and led my research in the right direction. Their complementary knowledge on cryptography and electronic system design was vital for this thesis to succeed. My gratitude also goes to Prof. Hugo De Man and Prof. Joos Vandewalle, who were on my advisory committee and who carefully evaluated my work during the past 4 years. Furthermore, I give thanks to Prof. Wim Dehaene, Prof. Christof Paar and Jan Genoe for agreeing to be on my examination committee and providing me with valuable suggestions and remarks to improve this manuscript. I also thank the chairman of the jury, Prof. Etienne Aernoudt. Many thanks go to my colleagues at COSIC for making our research group a big happy family. Special thanks go to Lejla Batina, who has been my travelling companion and good friend since the beginning of my research at COSIC. I am grateful to Kazuo Sakiyama for the insights and discussions, but also for the diversions and laughs. I would also like to thank Frederik Vercauteren for his useful comments on this manuscript and, together with Jasper Scholten, for his help on mathematical problems.
Without Péla Noë and Elvira Wouters, COSIC would be nothing but disorder, so many thanks to them as well for their administrative support. Besides my COSIC colleagues, I would also like to thank my ESAT colleague Marian Verhelst for her friendship and for the yoghurt breaks. Furthermore, I would like to thank my colleagues at the Katholieke Hogeschool Limburg, who motivated me by always being interested in the progress of my research and who made it possible to practically arrange the combination of teaching in Diepenbeek and doing research in Leuven. Special thanks go …
