A Low-Area Unified Hardware Architecture for the AES and the Cryptographic Hash Function Grøstl
This article describes the design of an 8-bit coprocessor for the AES (encryption, decryption, and key expansion) and the cryptographic hash function Grøstl on several Xilinx FPGAs. Our Arithmetic and Logic Unit performs a single instruction that allows for implementing AES encryption, AES decryption, AES key expansion, and Grøstl at all levels of security. Thanks to a careful organization of the AES and Grøstl internal states in the register file, we manage to generate all read and write addresses by means of a modulo-128 counter and a modulo-256 counter. A fully autonomous implementation of Grøstl and AES on a Virtex-6 FPGA requires 169 slices and a single 36k memory block, and achieves a competitive throughput. Assuming that the security guarantees of Grøstl are at least as good as those of the other SHA-3 finalists, our results show that Grøstl is the best candidate for low-area cryptographic coprocessors.
Hardware design of cryptographic accelerators
With the rapid growth of the Internet and digital communications, the volume of sensitive electronic transactions being transferred and stored over and on insecure media has increased dramatically in recent years. The growing demand for cryptographic systems to secure this data, across a multitude of platforms ranging from large servers to small mobile devices and smart cards, has necessitated research into low-cost, flexible and secure solutions. As constraints on architectures such as area, speed and power become key factors in choosing a cryptosystem, methods for speeding up the development and evaluation process are necessary. This thesis investigates flexible hardware architectures for the main components of a cryptographic system. Dedicated hardware accelerators can provide significant performance improvements when compared to implementations on general-purpose processors. Each of the proposed designs is analysed in terms of speed, area, power, energy and efficiency. Field Programmable Gate Arrays (FPGAs) are chosen as the development platform due to their fast development time and reconfigurable nature. Firstly, a reconfigurable architecture for performing elliptic curve point scalar multiplication on an FPGA is presented. Elliptic curve cryptography is one such method to secure data, offering similar security levels to traditional systems, such as RSA, but with smaller key sizes, translating into lower memory and bandwidth requirements. The architecture is implemented using different underlying algorithms and coordinates for dedicated Double-and-Add algorithms, twisted Edwards algorithms and SPA-secure algorithms, and its power consumption and energy on an FPGA are measured. Hardware implementation results for these new algorithms are compared against their software counterparts, and the best choices for minimum area-time and area-energy circuits are then identified and examined for larger key and field sizes.
Secondly, implementation methods for another component of a cryptographic system, namely hash functions developed in the recently concluded SHA-3 hash competition, are presented. Various designs from the three rounds of the NIST-run competition are implemented on FPGA along with an interface to allow fair comparison of the different hash functions when operating in a standardised and constrained environment. Different methods of implementation for the designs and their subsequent performance are examined in terms of throughput, area and energy costs using various constraint metrics. Comparing many different implementation methods and algorithms is nontrivial. Another aim of this thesis is the development of generic interfaces used both to reduce implementation and test time and also to enable fair baseline comparisons of different algorithms when operating in a standardised and constrained environment. Finally, a hardware-software co-design cryptographic architecture is presented. This architecture is capable of supporting multiple types of cryptographic algorithms and is described through an application for performing public key cryptography, namely the Elliptic Curve Digital Signature Algorithm (ECDSA). This architecture makes use of the elliptic curve architecture and the hash functions described previously. These components, along with a random number generator, provide hardware acceleration for a MicroBlaze-based cryptographic system. The trade-off of performance for flexibility is discussed using dedicated software and hardware-software co-design implementations of the elliptic curve point scalar multiplication block. Results are then presented in terms of the overall cryptographic system.
Compact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA
The cryptographic hash functions BLAKE and Skein are built from the ChaCha stream cipher and the tweakable Threefish block cipher, respectively. Interestingly enough, they are based on the same arithmetic operations, and the same design philosophy allows one to design lightweight coprocessors for hashing and encryption. The key element of our approach is to take advantage of the parallelism of the algorithms to deeply pipeline our Arithmetic and Logic Units, and to avoid data dependencies by interleaving independent tasks. We show for instance that a fully autonomous implementation of BLAKE and ChaCha on a Xilinx Virtex-6 device occupies 144 slices and three memory blocks, and achieves competitive throughputs. In order to offer the same features, a coprocessor implementing Skein and Threefish requires a substantially higher slice count.
Comparative Study of Keccak SHA-3 Implementations
This paper conducts an extensive comparative study of state-of-the-art solutions for implementing the SHA-3 hash function. SHA-3, a pivotal component in modern cryptography, has spawned numerous implementations across diverse platforms and technologies. This research aims to provide valuable insights into selecting and optimizing Keccak SHA-3 implementations. Our study encompasses an in-depth analysis of hardware, software, and software–hardware (hybrid) solutions. We assess the strengths, weaknesses, and performance metrics of each approach. Critical factors, including computational efficiency, scalability, and flexibility, are evaluated across different use cases. We investigate how each implementation performs in terms of speed and resource utilization. This research aims to improve the knowledge of cryptographic systems, aiding in the informed design and deployment of efficient cryptographic solutions. By providing a comprehensive overview of SHA-3 implementations, this study offers a clear understanding of the available options and equips professionals and researchers with the necessary insights to make informed decisions in their cryptographic endeavors.
Comprehensive Evaluation of High-Speed and Medium-Speed Implementations of Five SHA-3 Finalists Using Xilinx and Altera FPGAs
In this paper we present a comprehensive comparison of all Round 3 SHA-3 candidates and the current standard SHA-2 from the point of view of hardware performance in modern FPGAs. Each algorithm is implemented using multiple architectures based on the concepts of iteration, folding, unrolling, pipelining, and circuit replication. Trade-offs between speed and area are investigated, and the best architecture from the point of view of the throughput-to-area ratio is identified. Finally, all algorithms are ranked based on their overall performance in FPGAs. The characteristic features of each algorithm that are important from the point of view of its implementation in hardware are identified.
SPONGENT: The Design Space of Lightweight Cryptographic Hashing
The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography - optimizing the algorithms to fit the most constrained environments - has received a great deal of attention, with recent research focused mainly on building block ciphers. In contrast, the design of lightweight hash functions is still far from well investigated, with only a few proposals in the public domain.
In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations. The resulting family of hash functions is called SPONGENT. We propose 13 SPONGENT variants - for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations, ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of SPONGENT permutations, give a security analysis in terms of collision and preimage resistance, and study dedicated linear distinguishers in detail.
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of
symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks
on cryptographic circuits which belong to the field of active implementation
attacks and aim to retrieve secret keys stored on such chips. Our main focus
lies on the cryptanalytic aspects of those attacks. In particular, we target
block ciphers with a lightweight and (often) non-bijective key schedule where
the derived subkeys are (almost) independent from each other. An attacker who is
able to reconstruct one of the subkeys is thus not necessarily able to directly
retrieve other subkeys or even the secret master key by simply reversing the key
schedule. We introduce a framework based on differential fault analysis that
allows one to attack block ciphers with an arbitrary number of independent subkeys
and which rely on a substitution-permutation network. These methods are then
applied to the lightweight block ciphers LED and PRINCE and we show in both
cases how to recover the secret master key requiring only a small number of
fault injections. Moreover, we investigate approaches that utilize algebraic
instead of differential techniques for the fault analysis and discuss advantages
and drawbacks. At the end of the first part of the dissertation, we explore
fault-based attacks on the block cipher Bel-T which also has a lightweight key
schedule but is not based on a substitution-permutation network but instead on
the so-called Lai-Massey scheme. The framework mentioned above is thus not
usable against Bel-T. Nevertheless, we also present techniques for the case of
Bel-T that enable full recovery of the secret key in a very efficient way using
differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption
schemes. While regular ciphers only protect privacy of processed data,
authenticated encryption schemes also secure its authenticity and integrity.
Many of these ciphers are additionally able to protect authenticity and
integrity of so-called associated data. This type of data is transmitted
unencrypted but nevertheless must be protected from being tampered with during
transmission. Authenticated encryption is nowadays the standard technique to
protect in-transit data. However, most of the currently deployed schemes have
deficits and there are many leverage points for improvements. With NORX we
introduce a novel authenticated encryption scheme supporting associated data.
This algorithm was designed with high security, efficiency in both hardware and
software, simplicity, and robustness against side-channel attacks in mind. Alongside
its specification, we present special features, security goals,
implementation details, extensive performance measurements and discuss
advantages over currently deployed standards. Finally, we describe our
preliminary security analysis where we investigate differential and rotational
properties of NORX. Noteworthy are in particular the newly developed
techniques for differential cryptanalysis of NORX which exploit the power of
SAT- and SMT-solvers and have the potential to be easily adaptable to other
encryption schemes as well.