Similar literature (20 results found)
1.
The block cipher ARIA has been threatened by side-channel analysis, and much research on countermeasures against this attack has been produced. However, studies on countermeasures for ARIA have focused on software implementation, and there are no reports on hardware designs and their performance evaluation. Therefore, this article presents an advanced masking algorithm that is strong against second-order differential power analysis (SODPA) and implements a secure ARIA hardware design. As there is no comparable report, the proposed masking algorithm used in our hardware module is evaluated by comparison with software implementations. Furthermore, we implement the proposed algorithm in three types of hardware architecture and compare them. The smallest module is 10,740 gates in size and consumes an average of 47.47 μW. Finally, we fabricate ASIC chips with the proposed design and perform security verification. As a result, the proposed module is small, energy efficient, and secure against SODPA.

2.
Fault-based side-channel cryptanalysis is very effective against symmetric and asymmetric encryption algorithms. Although straightforward hardware- and time-redundancy-based concurrent error detection (CED) architectures can be used to thwart such attacks, they entail significant overhead (either area or performance). In this paper we investigate two systematic approaches to low-cost, low-latency CED for the symmetric encryption algorithm RC6. The proposed techniques have been validated on FPGA implementations of RC6, one of the Advanced Encryption Standard finalists.

3.
RSA signature algorithms using the Chinese remainder theorem (CRT-RSA) are approximately four times faster than straightforward implementations of an RSA cryptosystem. However, CRT-RSA is known to be vulnerable to fault attacks; even one execution of the algorithm is sufficient to reveal the secret keys. Over the past few years, several countermeasures against CRT-RSA fault attacks have tended to involve additional exponentiations or inversions, and in most cases they are also vulnerable to new variants of fault attacks. In this paper, we review how Shamir's countermeasure can be broken by fault attacks and improve the countermeasure to prevent future fault attacks, with the added benefit of low additional cost. In our experiment, we use the side-channel analysis resistance framework system, a fault injection testing and verification system, which enables us to inject a fault at the right position, even to within 1 μs. We also explain how to find the exact timing of the target operation using an Atmega128 software board.

4.
Research on an improved masking countermeasure for FPGA cryptographic chips (cited 1 time: 0 self-citations, 1 other)
Power analysis attacks pose a serious threat to the physical security of cryptographic chips, and research on such attacks and their countermeasures is a hot topic in side-channel analysis. This paper presents the design and implementation of a pseudo-random masking algorithm for DES and analyzes the algorithm's security against power analysis attacks. The results show that an ordinary pseudo-random DES masking algorithm can only resist first-order differential power analysis and cannot effectively defend against second-order differential power analysis. To resist second-order DPA attacks, the structure of the DES masking algorithm is improved using a masking method, which in theory is resistant to DPA attacks.

5.
This article examines vulnerabilities to power analysis attacks in software and hardware implementations of cryptographic algorithms. Representative platforms, an Atmel 89S8252 8-bit processor and a 0.25 μm, 1.8 V standard cell circuit, are used to implement the Advanced Encryption Standard (AES). A simulation-based experimental environment is built to acquire power data, and single-bit differential power analysis (DPA), multi-bit DPA and correlation power analysis (CPA) attacks are conducted on the two implementations. The experimental results show that the hardware implementation has less data-dependent power leakage with which to resist power attacks. Furthermore, an improved DPA approach is proposed. It adopts the Hamming distance of intermediate results as its power model and arranges plaintext inputs so as to differentiate power traces with maximal probability. Compared with the original power attacks, our improved DPA performs a successful attack on AES hardware implementations with an acceptable number of power measurements and fewer computations.

6.
Due to the nature of applications such as critical infrastructure and the Internet of Things, side-channel analysis (SCA) attacks are becoming a serious threat. Side-channel analysis attacks exploit the fact that the behaviour of crypto implementations can be observed and provides hints that simplify revealing keys. A new type of SCA is the so-called horizontal differential SCA. In this paper we investigate two different approaches to increase the inherent resistance of our hardware accelerator for the kP operation. The first approach aims at reducing the impact of the addressing in our design by realizing a regular schedule of the addressing. In the second approach, we investigated how the formula used to implement the multiplication of GF(2^n) elements influences the results of horizontal DPA attacks against a Montgomery kP implementation. We implemented 5 designs with different partial multipliers, i.e. based on different multiplication formulae. We used two different technologies, a 130 nm and a 250 nm technology, to simulate power traces for our analysis. We show that the implemented multiplication formula influences the success of horizontal attacks significantly. The combination of these two approaches leads to the most resistant design. For the 250 nm technology only 2 key candidates could be revealed with a correctness of about 70%, which is a huge improvement given that for the original design 7 key candidates achieved a correctness of more than 90%. For our 130 nm technology no key candidate was revealed with a correctness of more than 60%.

7.
In this paper, we propose an efficient and secure embedded processing architecture that addresses various challenges involved in using face-based biometrics for authenticating a user to an embedded system. Our paper considers the use of robust face verifiers (PCA-LDA, Bayesian), and analyzes the computational workload involved in running their software implementations on an embedded processor. We then present a suite of hardware and software enhancements to accelerate these algorithms: fixed-point arithmetic, various code optimizations, generic custom instructions and dedicated coprocessors, and exploitation of parallel processing capabilities in multiprocessor systems-on-chip (SoCs). We also identify attacks targeted against the authentication process, and develop security measures to ensure the integrity of biometric code/data. We evaluated the proposed architectures in the context of popular open-source software implementations of face authentication algorithms running on a commercial embedded processor (Xtensa from Tensilica). Our paper shows that fast, in-system verification is possible even in the context of many resource-constrained embedded systems. We also demonstrate that the security of the authentication process for the given attack model can be achieved with minimal hardware overhead.

8.
ARIA is a 128-bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential-linear cryptanalysis. We present five-round differential-linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 2^84.8 chosen plaintexts. Moreover, we develop differential-linear attacks on six rounds of ARIA-128 and seven rounds of ARIA-256. This is the first multidimensional differential-linear cryptanalysis of ARIA, and it has lower data complexity than all previous results. This is a preliminary study, and further research may obtain better results in the future.

9.
This letter describes an improved side-channel attack on DES with the first four rounds masked. Our improvement is based on truncated differentials and power traces which provide knowledge of Hamming weights for the intermediate data computed during the enciphering of plaintexts. Our results support the claim that masking several outer rounds rather than all rounds is not sufficient for the ciphers to be resistant to side-channel attacks.

10.
Recently, power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary-with-random-initial-point algorithm on elliptic curve cryptosystems. It is known to be secure against first-order differential power analysis (DPA); however, it is susceptible to second-order DPA. Although second-order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second-order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.

11.
While the elliptic curve cryptosystem (ECC) is becoming more popular for securing numerous systems, implementations without consideration for side-channel attacks are susceptible to critical information leakage. This paper proposes new power attack countermeasures for ECC over Koblitz curves. Based on some special properties of Koblitz curves, the proposed methods randomize the involved elliptic curve points in a highly regular manner, so the resulting scalar multiplication algorithms can defeat the simple power analysis attack and the differential power analysis attack simultaneously. Compared with the previous countermeasures, the new methods are also notable in terms of computational cost.

12.
Hardware implementations of cryptographic algorithms are vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. Many protection measures depart from an idealized hardware model that is very expensive to meet with real hardware. In particular, the presence of glitches causes many masking techniques to leak information during the computation of nonlinear functions. We discuss a recently introduced masking method which is based on secret sharing and multi-party computation methods. The approach results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware. We show how to use this method to derive secure implementations of some nonlinear building blocks for cryptographic algorithms. Finally, we provide a provably secure implementation of the block cipher Noekeon and verify the results by means of low-level simulations.

13.
A hardware realization of the L-estimate forms of robust time-frequency distributions is proposed. This hardware realization can be used for instantaneous frequency estimation for signals corrupted by a mixture of impulse and Gaussian noise. The most complex part of the hardware implementation is the block that performs the sorting operation. In addition to the continuous realization, a recursive realization of the bitonic sort network is proposed as well. The recursive approach also provides a fast sorting operation with a significantly reduced number of components. In order to verify the results, FPGA implementations of the proposed systems were designed.

14.
This article discusses hardware-oriented issues related to the compensation of channel distortions in packet-based mobile Orthogonal Frequency Division Multiplexing (OFDM) systems. The adopted evaluation approach relies upon Field-Programmable Gate Array (FPGA) prototyping. Depending on radio channel parameters and the modulation scheme, the computational effort required for the compensation of channel distortions can vary significantly. In order to perform a trade-off analysis between complexity and performance, different compensation methods for channel distortions have been simulated within an OFDM simulation chain. Based on these results, hardware models have been created and prototyped on an FPGA. The performance of the models with regard to hardware efficiency is evaluated by integrating the prototyped components into the OFDM simulation chain. The hardware designs and simulations have been done according to the high-speed wireless LAN standard HiperLAN/2.

15.
Channel estimation based on superimposed training (ST) has been an active research topic around the world in recent years, because it offers similar performance to methods based on pilot-assisted transmission (PAT), with the advantage of better bandwidth utilization. However, physical implementations of such estimators are still under research, and only a few approaches have been reported to date. This is due to the computational burden and complexity of the algorithms in conjunction with their relative novelty. In order to determine the suitability of ST-based channel estimation for commercial applications, a performance and complexity analysis of the ST approaches is mandatory. This work proposes two full-hardware channel estimator architectures for a data-dependent superimposed training (DDST) receiver with perfect synchronization and no DC offset. These architectures were described in Verilog HDL and targeted at a Xilinx Virtex-5 XC5VLX110T FPGA. The synthesis results of these estimators showed a consumption of 3% and 1% of the total slices available in the FPGA and operating frequencies above 160 MHz. They have also been implemented in a generic 90 nm CMOS process, achieving clock frequencies of 187 MHz and 247 MHz while consuming 3.7 mW and 2.74 mW, respectively. In addition, for the first time, a novel architecture that includes channel estimation, training/block synchronization and DC-offset estimation is also proposed. Its fixed-point analysis has been carried out, allowing the design to produce practically the same performance as the floating-point models. Finally, the high throughput and reduced hardware consumption of the implemented channel estimators lead to the conclusion that ST/DDST can be utilized in practical communication systems.

16.
ARIA is a Korean standard block cipher, which is flexible enough to provide security in both software and hardware implementations. Since its introduction, some research on fault analysis has been devoted to attacking the last two rounds of ARIA. It has been an open problem whether provoking faults in earlier rounds of ARIA allows recovery of the secret key. This problem is answered by presenting a novel integral differential fault analysis on ARIA that targets two rounds earlier. Mathematical analysis and simulation experiments show that the attack can successfully recover the secret key through fault injection. The results in this study show that integral fault analysis is a strong threat to the security of ARIA, and they are also beneficial to the analysis of other block ciphers of the same type.

17.
Designers and manufacturers of cryptographic devices are always concerned about the vulnerability of their implementations to power analysis attacks. This article can be divided into two parts. In the first part, two parameters are proposed to improve the accuracy of the latest hypothetical power consumption model, the so-called toggle-count model, which is used in power analysis attacks. Comparison between our proposed model and the toggle-count model demonstrates a great advance, i.e., 16%, in the similarity of hypothetical power values to the corresponding values obtained by an analog simulation. It is assumed that the attacker would be able to build such an accurate power model. Thus, in the second part of this article we aim at evaluating the vulnerability of implementations to power analysis attacks which make use of our proposed power model. Simple power analysis, various types of differential power analysis, and correlation power analysis are taken into account. Then, some techniques are proposed to examine the vulnerability of implementations to such kinds of power analysis attacks.

18.
This paper presents a new efficient and lightweight approach for enhancing the security of biometric models, namely fingerprint templates, against possible attacks. The proposed design is based on the Vernam stream cipher, in which the key generator is implemented in hardware. The designed cryptosystem uses a multi-scroll chaotic system that is characterized by a large key space, can generate N×N grid multi-scroll attractors, and exhibits good chaotic dynamics. The hardware approach is carried out by describing the Euler method in VHDL. Field-programmable gate array (FPGA) experimental results validate the developed architecture while still providing a good compromise between hardware resources and performance. Indeed, security analysis also shows that the designed encryption algorithm is robust against statistical, brute force, and entropy attacks. Therefore, it can be considered a lightweight security solution, which could be very useful in many embedded applications such as securing biometric authentication systems.

19.
With the steady advance of FPGA technology, using FPGAs in place of other technologies to implement high-speed signal processing has become feasible. To address the problem that high-order FIR filters consume a great deal of FPGA hardware resources, a distributed arithmetic method based on bit-level cascaded multiple look-up tables is proposed, and the method is verified on a 32nd-order, 8-bit low-pass FIR filter. Simulation results show that this method greatly reduces FPGA hardware resource consumption.

20.
Multiple-input multiple-output (MIMO) systems use multiple antennas at both the transmitter and receiver ends for higher spectrum efficiency. The hardware implementation of MIMO detection becomes a challenging task as the computational complexity increases. This paper presents the architectures and implementations of two typical sphere decoding algorithms, the Viterbo-Boutros (VB) algorithm and the Schnorr-Euchner (SE) algorithm. A hardware/software codesign technique is applied to partition the decoding algorithm on a single field-programmable gate array (FPGA) device. Three levels of parallelism are explored to improve the decoding rate: the concurrent execution of the channel matrix preprocessing on an embedded processor and the decoding functions on customized hardware modules, the parallel decoding of real/imaginary parts for complex constellations, and the concurrent execution of multiple steps during the closest lattice point search. The decoders for a 4×4 MIMO system with 16-QAM modulation are prototyped on a Xilinx XC2VP30 FPGA device with a MicroBlaze soft-core processor. The hardware prototypes of the SE and VB algorithms show that they support up to 81.5 and 36.1 Mb/s data rates at 20 dB signal-to-noise ratio, which are about 22 and 97 times faster than their respective implementations on a digital signal processor.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号