FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware


Begül Bilgin, Andrey Bogdanov, Miroslav Knežević, Florian Mendel, and Qingju Wang
DIAC 2013, Chicago

Side Channel Resistance - The Game...
- Mathematically secure crypto algorithms: AES, RSA, Keccak, OCB, ...
- Weak implementation: dependency between power consumption and an intermediate value that depends on the key

Side Channel Resistance
x Change the key frequently
x Equalize power consumption
Randomize power consumption ("x" marks the options the slide rules out)
- Boolean masking
  Linear layer L: the masked input inp^m0 goes through L and comes out as out^m1, while the mask m0 goes through L on its own and comes out as m1 (L(m0) = m1, so the mask is never removed)
  S-box S: inp^m0 goes through S and comes out as out^m1, with m0 mapped to m1; because S is nonlinear, m1 is not simply S(m0), so the masked S-box has to be computed from both inp^m0 and m0
- Multiplicative masking
- Secret sharing, e.g. Threshold Implementations [Nikova 11]
  The input is split into the shares inp^m0^m1, m0 and m1; each share goes through its own share of S, giving the output shares out^m2^m3, m2 and m3
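The two diagrams above (mask through a linear layer versus through an S-box) and the three-share threshold implementation can be checked exhaustively on a toy scale. The following is an added example and is not code from the FIDES slides or from the FIDES authors; the 4-bit S-box (the PRESENT S-box, chosen only as a familiar nonlinear bijection) and the 4-bit linear map are stand-ins, not FIDES components, and the TI AND gate is the standard three-share construction rather than anything FIDES-specific.

```python
"""Added example, not from the FIDES slides: why Boolean masking is free for a
linear layer but not for an S-box, and a 3-share first-order threshold
implementation (TI) of AND.  The 4-bit S-box and the linear map are
constructed stand-ins for illustration, NOT FIDES components."""
import itertools

# Constructed toy 4-bit bijective S-box (the PRESENT S-box, used only as a
# familiar nonlinear permutation; it is not a FIDES S-box).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def linear_map(x):
    """Toy GF(2)-linear map on 4 bits: x xor (x rotated left by 1)."""
    return x ^ (((x << 1) | (x >> 3)) & 0xF)

def linear_layer_passes_mask():
    """L(x ^ m) == L(x) ^ L(m) for every x, m: the masked value goes through L
    unchanged and the new mask is just L(m) computed on the side (the slide's
    'inp^m0 -> L -> out^m1, m0 -> L -> m1' picture).  Nothing is ever unmasked."""
    return all(linear_map(x ^ m) == linear_map(x) ^ linear_map(m)
               for x in range(16) for m in range(16))

def sbox_passes_mask():
    """The same identity fails for a nonlinear S, so a masked S-box cannot be
    built by running S on the mask in parallel.  Returns the fraction of
    (x, m) pairs for which S(x ^ m) == S(x) ^ S(m) (1.0 would mean 'always')."""
    hits = sum(SBOX[x ^ m] == SBOX[x] ^ SBOX[m] for x in range(16) for m in range(16))
    return hits / 256

# --- Threshold implementation of z = x & y with three shares --------------
def ti_and(xs, ys):
    """x = x1^x2^x3, y = y1^y2^y3.  Output share i never reads input share i
    (non-completeness), so no single share's logic sees the unmasked secret."""
    x1, x2, x3 = xs
    y1, y2, y3 = ys
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)   # independent of x1, y1
    z2 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3)   # independent of x2, y2
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)   # independent of x3, y3
    return (z1, z2, z3)

def sharings(x):
    """All 3-share Boolean sharings of a bit x (x1 is fixed by the other two)."""
    return [(x ^ a ^ b, a, b) for a in (0, 1) for b in (0, 1)]

def ti_and_correct():
    """Recombined output equals x & y for every sharing of every (x, y)."""
    return all(sum(ti_and(xs, ys)) % 2 == (x & y)
               for x in (0, 1) for y in (0, 1)
               for xs in sharings(x) for ys in sharings(y))

def ti_and_non_complete():
    """Flipping input share i must never change output share i."""
    for bits in itertools.product((0, 1), repeat=6):
        xs, ys = list(bits[:3]), list(bits[3:])
        base = ti_and(xs, ys)
        for i in range(3):
            fx = xs[:]
            fx[i] ^= 1
            fy = ys[:]
            fy[i] ^= 1
            if ti_and(fx, ys)[i] != base[i] or ti_and(xs, fy)[i] != base[i]:
                return False
    return True

def ti_and_first_order_probs():
    """Pr[z_i = 1 | x, y] over uniformly random input sharings, one set per
    output share.  For first-order security the distribution of each share on
    its own must not depend on the secret, i.e. every set has a single element."""
    result = []
    for i in range(3):
        probs = set()
        for x in (0, 1):
            for y in (0, 1):
                ones = sum(ti_and(xs, ys)[i]
                           for xs in sharings(x) for ys in sharings(y))
                probs.add(ones / 16)
        result.append(probs)
    return result
```

The first-order check above only looks at each output share separately; it does not check uniformity of the output sharing, which the TI approach additionally requires before the shares are fed into the next nonlinear layer (the plain three-share AND above is not uniform on its own).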

Side Channel Resistance
Have the design -> Need efficient impl. -> Need secure impl.
Still efficient? The slide asks this for each protection on each platform:
            1st order: Boolean mask | Multipl. mask | TI    |  2nd order
SW          ?              ?               ?       ?
HW          ?              ?               ?       ?

Design - Structure
Figure (slides 6-9): the key K and nonce N fill the initial state, followed by 16 rounds (16R); the associated-data blocks A_1 ... A_v are then absorbed, the message blocks M_1 ... M_u are encrypted to C_1 ... C_u, and a final 16 rounds produce the tag T (K appears again at the tag end of the figure).
- Similar to duplex sponge
- Rounds are not keyed
- Online
- Single pass

            b     k/n/t   r
FIDES-80   160     80    10
FIDES-96   192     96    12
(b: state size; k/n/t: key, nonce and tag size; r: rate; all in bits)

Design - Structure (round function)
State -> SubBytes -> ShiftRows -> MixColumns -> ConstantAddition
- ShiftRows: row offsets 0, 1, 2, 7
- MixColumns: almost MDS, branch number is 4
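The duplex structure on the structure slide (K, N in, 16 rounds, absorb A_1 ... A_v, encrypt M_i to C_i in one pass, 16 rounds, tag T out) can be written down generically. The following is an added example, not code from the FIDES slides or authors: its permutation is a throwaway ARX placeholder with no security analysis, the byte-sized rate, the 10*1 padding, the domain-separation constants, the number of rounds between data blocks and the point where K re-enters are all this example's own assumptions, and only the state, key, nonce and tag sizes of FIDES-80 and the two 16-round blocks come from the slide.

```python
"""Added example, not from the FIDES slides: a toy duplex-sponge AE laid out
like the structure slide (K, N -> 16 rounds -> absorb A_1..A_v -> encrypt
M_1..M_u -> 16 rounds -> tag T).  The permutation, the byte-sized rate, the
padding, the domain-separation constants and where K re-enters are this
example's own assumptions, NOT the FIDES permutation or mode."""
import hmac

STATE_BYTES = 20                           # b = 160 bits (FIDES-80)
KEY_BYTES = NONCE_BYTES = TAG_BYTES = 10   # k = n = t = 80 bits (FIDES-80)
RATE_BYTES = 2                             # assumption; FIDES-80 itself uses r = 10 bits
INIT_ROUNDS = FINAL_ROUNDS = 16            # the two "16R" boxes on the slide
DATA_ROUNDS = 4                            # assumption: rounds between data blocks
MASK32 = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32

def permute(state, rounds):
    """Toy unkeyed ARX permutation on 5 x 32-bit words.  Every step is
    invertible, so it is a bijection; it is a placeholder with no analysis."""
    w = [int.from_bytes(state[4 * i:4 * i + 4], 'little') for i in range(5)]
    for rnd in range(rounds):
        w[0] ^= rnd + 1                                  # round constant
        for i in range(5):
            j, k = (i + 1) % 5, (i + 2) % 5
            w[i] = (w[i] + w[j]) & MASK32
            w[k] ^= _rotl(w[i], 7)
            w[j] = _rotl(w[j], 13)
    return b''.join(x.to_bytes(4, 'little') for x in w)

def _pad_blocks(data):
    """10*1-style padding, then split into rate-sized blocks."""
    padded = data + b'\x80'
    padded += b'\x00' * (-len(padded) % RATE_BYTES)
    return [padded[i:i + RATE_BYTES] for i in range(0, len(padded), RATE_BYTES)]

def _unpad(data):
    body = data.rstrip(b'\x00')
    if not body.endswith(b'\x80'):
        raise ValueError('bad padding')
    return body[:-1]

def _duplex(state, rate_in, domain, rounds):
    """Overwrite the rate with rate_in, xor a domain byte into the capacity, permute."""
    s = bytearray(state)
    s[:RATE_BYTES] = rate_in
    s[-1] ^= domain                                      # domain separation (assumption)
    return permute(bytes(s), rounds)

def _run(key, nonce, ad, data, decrypt):
    if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError('bad key/nonce length')
    state = permute((key + nonce).ljust(STATE_BYTES, b'\x00'), INIT_ROUNDS)
    for blk in _pad_blocks(ad):                          # absorb associated data
        xored = bytes(a ^ b for a, b in zip(blk, state))
        state = _duplex(state, xored, 0x01, DATA_ROUNDS)
    if decrypt:
        blocks = [data[i:i + RATE_BYTES] for i in range(0, len(data), RATE_BYTES)]
    else:
        blocks = _pad_blocks(data)
    out = bytearray()
    for blk in blocks:                                   # single pass over the message
        other = bytes(a ^ b for a, b in zip(blk, state))  # rate part acts as keystream
        out += other
        cblk = blk if decrypt else other                 # ciphertext block feeds the state
        state = _duplex(state, cblk, 0x02, DATA_ROUNDS)
    # K re-enters before the final rounds (this example's choice)
    state = bytes(a ^ b for a, b in zip(state, key.ljust(STATE_BYTES, b'\x00')))
    tag = permute(state, FINAL_ROUNDS)[:TAG_BYTES]
    return bytes(out), tag

def seal(key, nonce, ad, msg):
    """Returns (ciphertext, tag); the ciphertext is padded to whole rate blocks."""
    return _run(key, nonce, ad, msg, decrypt=False)

def unseal(key, nonce, ad, ct, tag):
    """Returns the plaintext, or None if the tag does not verify.  Plaintext is
    computed during the single pass but only released after the tag check."""
    if len(ct) % RATE_BYTES:
        return None
    pt, tag2 = _run(key, nonce, ad, ct, decrypt=True)
    if not hmac.compare_digest(tag, tag2):
        return None
    try:
        return _unpad(pt)
    except ValueError:
        return None
```

Two properties of the mode are visible in the code: the rounds between data blocks are unkeyed, as on the slide, and decryption never hands out plaintext on a failed tag even though the plaintext is already computed when the check runs.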

Design - S-boxes
FIDES-80: 5-bit Almost Bent (AB) permutation
- optimal resistance against differential & linear cryptanalysis
- degree 2 (two), 3 (one), 4 (one)
FIDES-96: 6-bit Almost Perfect Nonlinear (APN) permutation
- optimal resistance against differential cryptanalysis
- degree 4
++ Low latency ++

Design - S-boxes
Affine equivalent to an AB permutation with degree 2
Figure (slides 17-18): histograms of the number of S-boxes (0 to 25000) against area in GE (UMC 180nm); unshared S-box on the left (45 to 105 GE), shared S-box on the right (135 to 255 GE). Similar for APN.

Security Analysis
Minimum number of active S-boxes:
rounds   any diff.   zero diff.
  1         0           -
  2         4           -
  3         7           -
  4        16           -
  5        22           -
  6        32          52
  7        42          49
  8        48          48
Differential & Linear Cryptanalysis: 16 rounds: 2^(-4 x 48 x 2) = 2^-384 (the S-box's best differential probability and squared linear correlation are 2^-4, and each 8-round half has at least 48 active S-boxes)
Collision Trails: 16 rounds: 2^(-4 x (48 + 48)) = 2^-384
Impossible Differential: 9 rounds
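The S-box slide names the properties (AB, APN, low degree) and the security slide turns an active-S-box count into a trail bound; both can be reproduced on a stand-in S-box. The following is an added example, not code from the FIDES slides or authors: the S-box it tests is the Gold power map x -> x^3 over GF(2^5) (a textbook AB permutation for odd n, built here with the irreducible polynomial x^5 + x^2 + 1), not the FIDES-80 S-box, whose table is not on the slides; only the active-S-box table is taken from the slide.

```python
"""Added example, not from the FIDES slides: checking the S-box properties the
S-box slide names and turning the active-S-box table into the trail bound on
the security slide.  The S-box tested is x -> x^3 over GF(2^5), a textbook AB
permutation for odd n; it is NOT the FIDES-80 S-box."""
import math

N = 5
POLY = 0b100101          # x^5 + x^2 + 1, irreducible over GF(2)

def gf_mul(a, b, n=N, poly=POLY):
    """Multiply in GF(2^n) with the given reduction polynomial (shift-and-add)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def cube_sbox():
    """S(x) = x^3 on GF(2^N); a bijection because N is odd."""
    return [gf_mul(x, gf_mul(x, x)) for x in range(1 << N)]

def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))

def differential_uniformity(sbox):
    """max over a != 0, b of #{x : S(x) ^ S(x ^ a) = b}; APN means this is 2."""
    size = len(sbox)
    worst = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def linearity(sbox):
    """max over a, b != 0 of |sum_x (-1)^(b.S(x) ^ a.x)|; AB means 2^((n+1)/2)."""
    size = len(sbox)
    worst = 0
    for b in range(1, size):
        for a in range(size):
            w = sum(-1 if bin((b & sbox[x]) ^ (a & x)).count('1') & 1 else 1
                    for x in range(size))
            worst = max(worst, abs(w))
    return worst

def algebraic_degrees(sbox):
    """Algebraic degree of each coordinate function, via the Moebius transform."""
    n = len(sbox).bit_length() - 1
    degrees = []
    for i in range(n):
        anf = [(s >> i) & 1 for s in sbox]     # truth table -> ANF in place
        step = 1
        while step < len(anf):
            for u in range(len(anf)):
                if u & step:
                    anf[u] ^= anf[u ^ step]
            step <<= 1
        degrees.append(max(bin(u).count('1') for u in range(len(anf)) if anf[u]))
    return degrees

def is_apn(sbox):
    return differential_uniformity(sbox) == 2

def is_ab(sbox):
    n = len(sbox).bit_length() - 1
    return n % 2 == 1 and is_apn(sbox) and linearity(sbox) == 1 << ((n + 1) // 2)

def max_dp_log2(sbox):
    """log2 of the largest single-S-box differential probability."""
    return math.log2(differential_uniformity(sbox) / len(sbox))

# Minimum number of active S-boxes per round count ("any diff." column, slide 19).
MIN_ACTIVE = {1: 0, 2: 4, 3: 7, 4: 16, 5: 22, 6: 32, 7: 42, 8: 48}

def trail_bound_log2(rounds, dp_log2):
    """log2 upper bound on any differential trail over `rounds` rounds: whole
    8-round chunks of at least MIN_ACTIVE[8] active S-boxes plus the remainder."""
    chunks, rest = divmod(rounds, 8)
    active = chunks * MIN_ACTIVE[8] + (MIN_ACTIVE[rest] if rest else 0)
    return dp_log2 * active
```

For a 6-bit APN S-box the same functions give differential uniformity 2 out of 64, i.e. a best differential probability of 2^-5, so the FIDES-96 bound per active S-box is tighter than the 2^-4 used on the slide for FIDES-80.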

Implementation (slides 20-24)
Four architectures:
- FIDES-S
- FIDES-4S
- FIDES-R
- FIDES-T

Performance
Figure (slide 25), "FIDES on Different Technologies": area in GE (0 to 15000) of FIDES-80-S, FIDES-80-4S, FIDES-80-R, FIDES-80-T, FIDES-96-S, FIDES-96-4S, FIDES-96-R and FIDES-96-T on NXP 90nm, NANGATE 45nm and UMC 130nm.
Figure (slide 26): throughput (kb/s, 0 to 600) against area (GE, 0 to 8000) for FIDES-80 and FIDES-96 compared with ALE, AES-CCM, ASC-1 A, ASC-1 B, c-quark, KECCAK-200-MD and Hummingbird2.

Conclusion
FIDES: lightweight AE
- less than 1500 GE
- online, single-pass
with side channel resistance
- TI in less than 5000 GE
and 80-bit or 96-bit security (FIDES-80 / FIDES-96)
- AB and APN permutations
- almost MDS

THANK YOU!