Design and Implementation of Unified Hardware for 128‐Bit Block Ciphers ARIA and AES

ARIA and the Advanced Encryption Standard (AES) are next generation standard block cipher algorithms of Korea and the US, respectively. This letter presents an area‐efficient unified hardware architecture of ARIA and AES. Both algorithms have 128‐bit substitution permutation network (SPN) structures, and their substitution and permutation layers could be efficiently merged. Therefore, we propose a 128‐bit processor architecture with resource sharing, which is capable of processing ARIA and AES. This is the first architecture which supports both algorithms. Furthermore, it requires only 19,056 logic gates and encrypts data at 720 Mbps and 1,047 Mbps for ARIA and AES, respectively.     

Secure Hardware Implementation of ARIA Based on Adaptive Random Masking Technique

The block cipher ARIA has been threatened by side‐channel analysis, and much research on countermeasures of this attack has also been produced. However, studies on countermeasures of ARIA are focused on software implementation, and there are no reports about hardware designs and their performance evaluation. Therefore, this article presents an advanced masking algorithm which is strong against second‐order differential power analysis (SODPA) and implements a secure ARIA hardware. As there is no comparable report, the proposed masking algorithm used in our hardware module is evaluated using a comparison result of software implementations. Furthermore, we implement the proposed algorithm in three types of hardware architectures and compare them. The smallest module is 10,740 gates in size and consumes an average of 47.47 μW in power consumption. Finally, we make ASIC chips with the proposed design, and then perform security verification. As a result, the proposed module is small, energy efficient, and secure against SODPA.     

Differential Side Channel Analysis Attacks on FPGA Implementations of ARIA

In this paper, we first investigate the side channel analysis attack resistance of various FPGA hardware implementations of the ARIA block cipher. The analysis is performed on an FPGA test board dedicated to side channel attacks. Our results show that an unprotected implementation of ARIA allows one to recover the secret key with a low number of power or electromagnetic measurements. We also present a masking countermeasure and analyze its second‐order side channel resistance by using various suitable preprocessing functions. Our experimental results clearly confirm that second‐order differential side channel analysis attacks also remain a practical threat for masked hardware implementations of ARIA.     

抗差分功耗分析和差分故障分析的AES算法VLSI设计与实现

提出了一种抗差分功耗分析和差分故障分析的AES算法硬件设计与实现方案,该设计主要采用了数据屏蔽和二维奇偶校验方法相结合的防御措施.在保证硬件安全性的前提下,采用将128bit运算分成4次32bit运算、模块复用、优化运算次序等方法降低了硬件实现成本,同时使用3级流水线结构提高了硬件实现的速度和吞吐率.基于以上技术设计的AES IP核不仅具有抗双重旁道攻击的能力,而且拥有合理的硬件成本和运算性能.     

A pre-silicon logic level security verification flow for higher-order masking schemes against glitches on FPGAs

Higher-order masking schemes have been proven in theory to be secure countermeasures against side-channel attacks in the algorithm level. The ISW framework is one of the most acceptable secure models of the existing higher-order masking schemes. However, a gap may exist between scheme and implementation. Several analyses have exhibited the weakness of masking in hardware designs on FPGAs. Firstly, we give the definition of leakage point and introduce three implementation logical flaws: glitch, EDA optimization and intermediate variable of scheme flaw. Secondly, we propose a leakage verification flow for implementing and verifying circuits realized higher-order masking schemes to avoid these leakage points. The flow provides an efficient evaluation method to locate and identify leakage points in masking hardware implementations. With the knowledge of the weaknesses of implementation, the implementation should be modified by corresponding methods to fix flaws, especially for glitch, which has been regarded as the main challenge of masking in hardware designs, we provide a method to remove the leakage point using Dijkstra algorithm with no extra time and area overheads. Finally, the design flow is evaluated on the implementation of Rivain&Prouff masking. Our experiments demonstrate how it automatically locates and protects the implementation. In addition, the experiments are also performed on flawed implementations due to EDA optimization and intermediate variables.     

Integral fault analysis of the ARIA cipher

ARIA is a Korean standard block cipher,which is flexible to provide security for software and hardware implementation.Since its introduction,some research of fault analysis is devoted to attacking the last two rounds of ARIA.It is an open problem to know whether provoking faults at some former rounds of ARIA allowed recovering the secret key.An answer was given to solve this problem by showing a novel integral differential fault analysis on two rounds earlier of ARIA.The mathematical analysis and simulating experiments show that the attack can successfully recover its secret key by fault injections.The results in this study describe that the integral fault analysis is a strong threaten to the security of ARIA.The results are beneficial to the analysis of the same type of other block ciphers.     

Efficient Masked Implementation for SEED Based on Combined Masking

This paper proposes an efficient masking method for the block cipher SEED that is standardized in Korea. The nonlinear parts of SEED consist of two S‐boxes and modular additions. However, the masked version of these nonlinear parts requires excessive RAM usage and a large number of operations. Protecting SEED by the general masking method requires 512 bytes of RAM corresponding to masked S‐boxes and a large number of operations corresponding to the masked addition. This paper proposes a new‐style masked S‐box which can reduce the amount of operations of the masking addition process as well as the RAM usage. The proposed masked SEED, equipped with the new‐style masked S‐box, reduces the RAM requirements to 288 bytes, and it also reduces the processing time by 38% compared with the masked SEED using the general masked S‐box. The proposed method also applies to other block ciphers with the same nonlinear operations.     

High‐Speed Hardware Architectures for ARIA with Composite Field Arithmetic and Area‐Throughput Trade‐Offs

This paper presents two types of high‐speed hardware architectures for the block cipher ARIA. First, the loop architectures for feedback modes are presented. Area‐throughput trade‐offs are evaluated depending on the S‐box implementation by using look‐up tables or combinational logic which involves composite field arithmetic. The sub‐pipelined architectures for non‐feedback modes are also described. With loop unrolling, inner and outer round pipelining techniques, and S‐box implementation using composite field arithmetic over GF(2⁴)², throughputs of 16 Gbps to 43 Gbps are achievable in a 0.25 μm CMOS technology. This is the first sub‐pipelined architecture of ARIA for high throughput to date.     

Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box

Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, wherein hardware designs for FPGAs and standard cells received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examine implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by up to almost an order of magnitude. In terms of area and area-delay product, the best choice are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations do not only reduce power consumption by a large degree, but they also show good timing properties and offer the best power-delay and power-area product, respectively.     

Low‐Power Design of Hardware One‐Time Password Generators for Card‐Type OTPs

Since card‐type one‐time password (OTP) generators became available, power and area consumption has been one of the main issues of hardware OTPs. Because relatively smaller batteries and smaller chip areas are available for this type of OTP compared to existing token‐type OTPs, it is necessary to implement power‐efficient and compact dedicated OTP hardware modules. In this paper, we design and implement a low‐power small‐area hardware OTP generator based on the Advanced Encryption Standard (AES). First, we implement a prototype AES hardware module using a 350 nm process to verify the effectiveness of our optimization techniques for the SubBytes transform and data storage. Next, we apply the optimized AES to a real‐world OTP hardware module which is implemented using a 180 nm process. Our experimental results show the power consumption of our OTP module using the new AES implementation is only 49.4% and 15.0% of those of an HOTP and software‐based OTP, respectively.     

Multidimensional Differential‐Linear Cryptanalysis of ARIA Block Cipher

ARIA is a 128‐bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential‐linear cryptanalysis. We present five rounds of differential‐linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 284.8 chosen plaintexts. Moreover, we develop differential‐linear attacks based on six rounds of ARIA‐128 and seven rounds of ARIA‐256. This is the first multidimensional differential‐linear cryptanalysis of ARIA and it has lower data complexity than all previous results. This is a preliminary study and further research may obtain better results in the future.     

对7轮ARIA-192的不可能差分分析

ARIA密码是2003年由韩国学者提出的新的分组密码算法,该密码与AES的设计原理相类似,并在2004年被选为韩国的分组密码标准。该文根据ARIA密码的结构特征,提出ARIA密码的一种新的7轮不可能差分攻击路径,首次实现了对ARIA-192的不可能差分攻击,攻击的时间复杂度为2176.2。同时,利用扩散层的相关性质降低攻击ARIA-256的时间复杂度为2192.2。     

Dynamic inhomogeneous S-Boxes design for efficient AES masking mechanisms

It is an important challenge to implement a lowcost power analysis immune advanced encryption standard （AES） circuit. The previous study proves that substitution boxes （S-Boxes） in AES are prone to being attacked, and hard to mask for its non-linear characteristic. Besides, large amounts of circuit resources in chips and power consumption are spent in protecting S-Boxes against power analysis. Thus, a novel power analysis immune scheme is proposed, which divides the data-path of AES into two parts： inhomogeneous S-Boxes instead of fixed S-Boxes are selected randomly to disturb power and logic delay in the non-linear module; at the same time, the general masking strategy is applied in the linear part of AES. This improved AES circuit was synthesized with united microelectronics corporation （UMC） 0.25 μm 1.8 V complementary metal-oxide-semiconductor （CMOS） standard cell library, and correlation power analysis experiments were executed. The results demonstrate that this secure AES implementation has very low hardware cost and can enhance the AES security effectually against power analysis.     

Techniques for Random Masking in Hardware

A new technique for Boolean random masking of the logic and operation in terms of nand logic gates is proposed and applied for masking the integer addition. The new technique can be used for masking arbitrary cryptographic functions and is more efficient than previously known techniques, recently applied to the Advanced Encryption Standard (AES). New techniques for the conversions from Boolean to arithmetic random masking and vice versa are also developed. They are hardware oriented and do not require additional random bits. Unlike the previous, software-oriented techniques showing a substantial difference in the complexity of the two conversions, they have a comparable complexity being about the same as that of one integer addition only. All the techniques proposed are in theory secure against the first-order differential power analysis on the logic gate level. They can be applied in hardware implementations of various cryptographic functions, including AES, (keyed) SHA-1, IDEA, and RC6     

基于AHB总线的AES密码协处理器实现

AES加密算法是一种的常规加密算法,其被广泛应用在商业和政府部门。本文研究了AES(Advanced Encryption Standard)算法,包括AES的具体加密、解密过程以及基于AMBA(高级微控制器总线架构)总线的硬件实现方法。本文还介绍了一种用仿真与采用Xilinx公司的Virtex-4 LX100 FPGA器件来快速验证AES算法硬件IP核的方法。     

A high-throughput low-cost AES processor

We propose an efficient hardware implementation of the advanced encryption standard algorithm, with key expansion capability. Compared to the widely used table lookup technique, the proposed basis transformation technique reduces the hardware overhead of the S-box by 64 percent. Our pipelined design has a very high throughput rate. Using typical 0.35 /spl mu/m CMOS technology, a 200 MHz clock is easily achieved, and the throughput rate in the non-feedback cipher mode is 2.38 Gb/s for 128-bit keys, 2.008 Gb/s for 192-bit keys, and 1.74 Gb/s for 256-bit keys, respectively. Testability of the design is also considered. The hardware cost of the AES design is approximately 58 K gates using a standard synthesis flow.     

基于电路模块自相似性的硬件木马检测方法

由于硬件木马种类的多样性和SoC电路制造过程中不可预测的工艺变化,硬件木马检测变得极具挑战性。现有的旁路信号分析法存在两个缺点,一是需要黄金模型作为参考,二是工艺波动会掩盖部分硬件木马的活动效果。针对上述不足,提出一种利用电路模块结构自相似性的无黄金模型检测方法。通过对32位超前进位加法器的软件仿真实验和对128位AES加密电路的硬件仿真实验,验证了该方法的有效性。实验结果表明,在45 nm工艺尺寸下,对于面积占比较小的硬件木马,该方法的检测成功率可以达到90.0%以上。     

Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches

Hardware implementations of cryptographic algorithms are vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. Many protection measures depart from an idealized hardware model that is very expensive to meet with real hardware. In particular, the presence of glitches causes many masking techniques to leak information during the computation of nonlinear functions. We discuss a recently introduced masking method which is based on secret sharing and multi-party computation methods. The approach results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware. We show how to use this method to derive secure implementations of some nonlinear building blocks for cryptographic algorithms. Finally, we provide a provable secure implementation of the block cipher Noekeon and verify the results by means of low-level simulations.     

A new methodology to implement the AES algorithm using partial and dynamic reconfiguration

Wireless networks are very widespread nowadays, so secure and fast cryptographic algorithms are needed. The most widely used security technology in wireless computer networks is WPA2, which employs the AES algorithm, a powerful and robust cryptographic algorithm. In order not to degrade the Quality of Service (QoS) of these networks, the encryption speed is very important, for which reason we have implemented the AES algorithm in an FPGA, taking advantage of the hardware characteristics and the software-like flexibility of these devices. In this paper, we propose our own methodology for doing an FPGA-based AES implementation. This methodology combines the use of three hardware languages (Handel-C, VHDL and JBits) with partial and dynamic reconfiguration, and a pipelined and parallel implementation. The same design methodology could be extended to other cryptographic algorithms. Thanks to all these improvements our pipelined and parallel implementation reaches a very high throughput (24.922 Gb/s) and the best efficiency (throughput/area ratio) of all the related works found in the literature (6.97 Mb/s per slice).     

Banyan网输入输出排队的神经网络调度及其实现

Ｂａｎｙａｎ网是一种多级互联网络，它广泛地应用在ＡＴＭ交换结构中．Ｂａｎｙａｎ网输入排队的神经网络调度方法已有文章提出，但其硬件实现比较复杂．本文提出了一种Ｂａｎｙａｎ网输入输出排队的神经网络调度方法，它的硬件实现容易．计算机模拟结果表明，该调度方法是非常有效的．在此，还给出了该系统的硬件实现方法．