
    A Flexible Ultralight Hardware Security Module for EPC RFID Tags

    Due to the rapid growth in the use of Internet of Things (IoT) devices in daily life, the need to achieve an acceptable level of security and privacy for these devices is rising. Security risks include privacy threats such as extracting sensitive information from a device, and authentication problems caused by counterfeit or cloned devices. Adding security features to extremely constrained devices, such as passive Electronic Product Code (EPC) Radio Frequency Identification (RFID) tags, is more challenging than for devices with more computational and storage capability. EPC RFID tags are simple, low-cost electronic circuits commonly used in supply chains, retail stores, and other applications to identify physical objects. Most tags today are simple "license plates" that merely identify the object they are attached to and have minimal security. Because of the security risks of new applications, there is a pressing need for secure RFID tags; examples of those risks include unauthorized physical tracking and inventorying of tags. Current commercial RFID tag designs use a specialised-hardware-circuit approach, which achieves the lowest area and power consumption but lacks flexibility. This thesis presents an optimized application-specific instruction set architecture (ISA) for an ultralight Hardware Security Module (HSM). HSMs are computing devices that protect a device's cryptographic keys and operations; here the HSM combines all security-related functions of a passive RFID tag. The goal of this research is to demonstrate that an application-specific instruction set processor (ASIP) architecture for ultralight HSMs offers a good trade-off between flexibility, extensibility, and efficiency. Our novel application-specific instruction-set architecture allows flexibility at many design levels and achieves an acceptable security level for passive EPC RFID tags.
Our solution moves a major part of the design effort from hardware to software, which substantially reduces the final unit cost. Our ASIP can be implemented in 4,662 gate equivalents (GEs) in 65 nm CMOS technology, excluding cryptographic units and memories. We integrated and analysed four cryptographic modules: the AES and Simeck block ciphers, the WG-5 stream cipher, and the ACE authenticated encryption module. Our HSM achieves very good efficiency for both block and stream ciphers. Specifically for AES, we improve on a previous programmable AES implementation by 32x: performance increases dramatically while area increases/decreases by 17.97%/17.14% respectively. These results meet the requirements of extremely constrained devices and allow cryptographic units to be included in the datapath of our ASIP.

    Optimized hardware implementations of cryptography algorithms for resource-constraint IoT devices and high-speed applications

    The advent of technologies such as the Internet and smartphones has made people's lives easier. Nowadays, people routinely use digital applications for e-business, for communicating with others, and for sending or receiving sensitive messages. Sending data securely across a private network or the Internet is a concern for everyone, and cryptography plays an important role in privacy, security, and confidentiality against adversaries. Public-key cryptography (PKC) is one of the cryptographic techniques that provides security over a large network such as the Internet of Things (IoT). Classical PKC schemes such as Elliptic Curve Cryptography (ECC) and Rivest-Shamir-Adleman (RSA) rely on the hardness of certain number-theoretic problems. Shor's algorithm solves those problems efficiently on a quantum computer, so these schemes will become insecure once sufficiently large quantum computers are available. NIST has identified lattice-based cryptography (LBC) as one of the accepted families of quantum-resistant public-key cryptography. Variants of LBC include Learning With Errors (LWE), Ring Learning With Errors (Ring-LWE), Binary Ring Learning With Errors (Binary Ring-LWE), and others. AES is also a secure cryptographic algorithm that is widely used across applications and platforms, and AES-256 is regarded as secure against quantum attack. A cryptosystem must be designed for its intended application. In general, a network has three layers: cloud, edge, and end-node. The cloud and edge layers require a high-speed cryptosystem, since they encrypt and decrypt data in high-traffic applications. Unfortunately, most end-node devices are resource-constrained and do not have enough silicon area for security functions. Providing end-to-end security is vital for every network, so designing and implementing a lightweight cryptosystem for resource-constrained devices is necessary.
In this thesis, a high-throughput FPGA implementation of AES for high-traffic edge applications is introduced. To achieve this goal, parts of the algorithm have been modified to balance latency, and inner and outer pipelining together with loop unrolling have been employed. The proposed high-speed AES implementation achieves a throughput of 79.7 Gbps, an FPGA efficiency of 13.3 Mbps/slice, and a frequency of 622.4 MHz. Compared to the state of the art, the proposed design improves throughput by 8.02% and FPGA efficiency by 22.63%. Moreover, a lightweight AES architecture for resource-constrained devices is designed and implemented on FPGA and ASIC. Each module of the architecture is designed to occupy less area, and some units are shared among different phases; clock gating is applied to reduce power consumption. Application-specific integrated circuit (ASIC) implementation results show area improvements over previous similar works ranging from 2.4% to 35%. Based on these results and the NIST report, the proposed design is a suitable cryptosystem for tiny, low-power devices. Furthermore, two lightweight cryptosystems based on Binary Ring-LWE are presented for IoT end-node devices. For one of them, a novel column-based multiplication is introduced, in which only one register is used to store intermediate results. The multiplication unit of the other Binary Ring-LWE design is optimized so that the multiplication executes in fewer clock cycles. Moreover, to increase security for end-node devices, a fault-resiliency architecture has been designed and applied to the Binary Ring-LWE architecture. Based on the implementation results and the NIST report, the proposed Binary Ring-LWE designs are suitable cryptosystems for resource-constrained devices.
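The column-based negacyclic multiplication and the Binary Ring-LWE encryption it serves, written out as an added Python example; this is not code from the thesis. The parameters n = 256 and q = 256, the key-generation and encryption equations (p = r1 - a*r2, c1 = a*e1 + e2, c2 = p*e1 + e3 + encode(m)), and the per-coefficient bias correction in the decoder are this example's own assumptions, chosen so that the round trip works; the thesis abstract does not give its equations or its decoder.

```python
import random

N, Q = 256, 256   # assumed example parameters, not taken from the thesis


def binary_poly(rng):
    """Polynomial with uniformly random coefficients in {0, 1}."""
    return [rng.randrange(2) for _ in range(N)]


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul_column(a, b):
    """Negacyclic product a*b in Z_q[x]/(x^N + 1), one output column at a time.
    Each coefficient is fully accumulated in the single register 'acc' before
    the next column starts, so only one intermediate value is ever live."""
    out = [0] * N
    for k in range(N):
        acc = 0
        for i in range(N):
            j = k - i
            if j >= 0:
                acc += a[i] * b[j]        # x^i * x^j = x^k
            else:
                acc -= a[i] * b[j + N]    # x^(k+N) = -x^k since x^N = -1
        out[k] = acc % Q
    return out


def poly_mul_schoolbook(a, b):
    """Reference: full 2N-1 coefficient product, then fold with x^N = -1."""
    prod = [0] * (2 * N)
    for i in range(N):
        for j in range(N):
            prod[i + j] += a[i] * b[j]
    return [(prod[k] - prod[k + N]) % Q for k in range(N)]


def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]          # public uniform polynomial
    r1, r2 = binary_poly(rng), binary_poly(rng)       # binary secrets
    p = poly_sub(r1, poly_mul_column(a, r2))
    return (a, p), r2


def encrypt(pk, bits, rng):
    a, p = pk
    e1, e2, e3 = binary_poly(rng), binary_poly(rng), binary_poly(rng)
    c1 = poly_add(poly_mul_column(a, e1), e2)
    encoded = [(Q // 2) * m for m in bits]            # bit -> 0 or q/2
    c2 = poly_add(poly_add(poly_mul_column(p, e1), e3), encoded)
    return c1, c2


def decrypt(sk, ct):
    c1, c2 = ct
    v = poly_add(poly_mul_column(c1, sk), c2)   # = r1*e1 + r2*e2 + e3 + encode(m)
    bits = []
    for k in range(N):
        # A product of two uniform binary polynomials is not zero-mean: column k
        # has k+1 positive and N-1-k negative terms, each equal to 1 with
        # probability 1/4, so the expected noise in v[k] is about k + 1 - N/2.
        # Subtracting it (a design choice of this example) re-centres the noise
        # before threshold decoding.
        centered = (v[k] - (k + 1 - N // 2)) % Q
        bits.append(1 if Q // 4 <= centered < 3 * Q // 4 else 0)
    return bits


if __name__ == "__main__":
    rng = random.Random(7)
    pk, sk = keygen(rng)
    msg = [rng.randrange(2) for _ in range(N)]
    print("round trip ok:", decrypt(sk, encrypt(pk, msg, rng)) == msg)
```

The column loop is the "one register" idea: the hardware equivalent never needs the 2N-1 partial-product array that the schoolbook reference allocates. The re-centring step is worth noting for anyone building a Binary Ring-LWE decoder: with binary (not centred) secrets and errors the decryption noise has an index-dependent mean, and a naive q/4 threshold fails on the outer coefficients.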

    Generación de falsas claves criptográficas como medida de protección frente a ataques por canal lateral (Generation of false cryptographic keys as a protective measure against side-channel attacks)

    In the late 1990s, Paul C. Kocher introduced the concept of differential attacks on the power consumption of a cryptographic device. In this type of analysis the plaintext sent to the device is known, and all possible hypotheses for a subset of the key, related to a specific point of the cryptographic algorithm, are tested. If the intermediate value at that point depends on only one byte of the key, it is possible to predict the supply current from a theoretical model of power consumption. Using statistical procedures, it is then easy to compare the consumption measured while processing each plaintext against the intermediate values predicted for every key hypothesis; the hypothesis with the highest similarity corresponds to the actual key. The countermeasures proposed so far to defeat this attack fall into two groups: masking and hiding. Masking tries to decouple the processed data from the power consumption by adding a random mask unknown to the attacker, so that no hypothesis can relate the theoretical and the real power consumption of the device. Although this is a valid method, the key can still be revealed by a second-order attack that analyses several points of the current trace. Hiding aims to make the consumption of the device constant in every clock cycle and independent of the processed data. To achieve this, the data is processed in two lines, the datum together with its complement, so that the same number of transitions occurs in every clock cycle. The weakness of this method lies in the practical impossibility of building identical CMOS cells, which causes a small consumption difference between the two lines that can be exploited to discover the key. This thesis proposes a countermeasure based on a protection strategy that differs from the proposals made in the specific literature.
The idea is to modify the algorithm so as to force a very high correlation with a hypothesis other than the true key (Faking). The actual key is thus hidden behind the strong correlation, is impossible to distinguish from the remaining false hypotheses, and remains protected. To verify its performance, a test bench was built to launch power-analysis attacks. AES was implemented because of its simplicity and strength. Two types of attacks were carried out: in the first, the analysis used both correlation and difference-of-means analysis without any countermeasure; in the second, the proposed countermeasure was added and the attacks were repeated to check its effectiveness. Three situations were evaluated. First, both the algorithm and the countermeasure run in software on a 32-bit processor. Second, the algorithm runs in software and the countermeasure is implemented in a dedicated hardware coprocessor. Finally, a full hardware implementation of both the algorithm and the countermeasure was chosen. All of them were implemented on a Xilinx Virtex-5 FPGA. Several conclusions are drawn from comparing each unprotected AES implementation with its counterpart including the countermeasure. The results are also compared with others that use masking and hiding techniques, and they demonstrate that the proposal is valid: in all three cases the protected system behaves like the unprotected one but returns the false key under attack.
It should be noted that Faking requires fewer resources than masking or hiding, and the time needed to process the plaintext is not significantly affected.
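The correlation and difference-of-means attacks described above, and the effect of a Faking-style countermeasure on them, as an added Python example; this is not the thesis's code or test bench. Traces are constructed single-sample leakages of the first-round AES S-box output under a Hamming-weight plus Gaussian-noise model. The countermeasure is modelled as an assumed decoy computation S(p ^ k_fake) whose leakage is four times stronger than the real one; that is this example's simplification of "forcing a high correlation with a different hypothesis", not the mechanism the thesis implements.

```python
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)*
                inv = _gf_mul(inv, x)
        b = inv ^ 0x63
        for s in (1, 2, 3, 4):            # XOR of four rotated copies of inv
            b ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(b)
    return sbox


SBOX = _build_sbox()


def hw(v):
    return bin(v).count("1")


def simulate_traces(n, true_key, fake_key=None, noise=1.0, seed=1):
    """Constructed traces: one sample per encryption at the S-box output point.
    With fake_key set, the device additionally leaks the decoy value S(p ^ fake_key)
    with weight 4 (assumed Faking model)."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        leak = hw(SBOX[p ^ true_key]) + rng.gauss(0.0, noise)
        if fake_key is not None:
            leak += 4.0 * hw(SBOX[p ^ fake_key])
        pts.append(p)
        traces.append(leak)
    return pts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def cpa(pts, traces):
    """Correlation power analysis on one key byte: returns (best_key, scores),
    scores[k] being |corr| between the traces and the HW model for hypothesis k."""
    scores = [abs(pearson([hw(SBOX[p ^ k]) for p in pts], traces)) for k in range(256)]
    return max(range(256), key=scores.__getitem__), scores


def dom(pts, traces):
    """Kocher-style difference of means, partitioning on bit 0 of the S-box output."""
    scores = []
    for k in range(256):
        ones = [t for p, t in zip(pts, traces) if SBOX[p ^ k] & 1]
        zeros = [t for p, t in zip(pts, traces) if not SBOX[p ^ k] & 1]
        scores.append(abs(sum(ones) / len(ones) - sum(zeros) / len(zeros)))
    return max(range(256), key=scores.__getitem__), scores


if __name__ == "__main__":
    pts, tr = simulate_traces(2000, 0x2B)
    print("unprotected: CPA 0x%02x, DoM 0x%02x" % (cpa(pts, tr)[0], dom(pts, tr)[0]))
    pts, tr = simulate_traces(2000, 0x2B, fake_key=0x7E)
    print("faked:       CPA 0x%02x (true key 0x2b, decoy 0x7e)" % cpa(pts, tr)[0])
```

The scores list is the useful part when evaluating a countermeasure: on the unprotected traces the true key has a correlation near 0.8 and every wrong hypothesis stays far below it, while on the faked traces the decoy dominates and the true key's correlation is pushed down into the crowd of wrong hypotheses. An attacker who knows a Faking scheme is in use would look for that second, smaller peak, which is the caveat to keep in mind when comparing this family of countermeasures with masking.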

    Efficient and Side-Channel Resistant Implementations of Next-Generation Cryptography

    The rapid development of emerging information technologies, such as quantum computing and the Internet of Things (IoT), will have or has already had a huge impact on the world. These technologies can not only improve industrial productivity but also bring more convenience to people's daily lives. However, they have "side effects" in the world of cryptography: they pose new difficulties and challenges from theory to practice. Specifically, once quantum computing capability (i.e., the number of logical qubits) reaches a certain level, Shor's algorithm will be able to break almost all public-key cryptosystems currently in use. On the other hand, a great many devices deployed in IoT environments have very constrained computing and storage resources, so the cryptographic algorithms in wide use today may not run efficiently on them. A new generation of cryptography has thus emerged, including Post-Quantum Cryptography (PQC), which remains secure under both classical and quantum attacks, and LightWeight Cryptography (LWC), which is tailored to resource-constrained devices. Research on next-generation cryptography is important and urgent, and the US National Institute of Standards and Technology in particular initiated standardization processes for PQC and LWC in 2016 and 2018 respectively. Since next-generation cryptography is still at an early stage and has developed rapidly in recent years, its theoretical security and practical deployment are not well explored and are in significant need of evaluation. This thesis looks into the engineering aspects of next-generation cryptography, i.e., the problems of implementation efficiency (e.g., execution time and memory consumption) and security (e.g., countermeasures against timing attacks and power side-channel attacks). In more detail, we first explore efficient software implementation approaches for lattice-based PQC on constrained devices.
Then, we study how to speed up isogeny-based PQC on modern high-performance processors, especially by using their powerful vector units. Moreover, we research how to design sophisticated yet low-area instruction set extensions to further accelerate software implementations of LWC and long-integer-arithmetic-based PQC. Finally, to address the threat of power side-channel attacks, we present the concept of special leakage-aware instructions that eliminate overwriting leakage in masked software implementations of next-generation cryptography.
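What "overwriting leakage" means for a masked implementation, and why an instruction-level fix matters, as an added Python simulation; this is not the thesis's code and the thesis's actual instruction design is not described here. The register model leaks the Hamming distance between old and new contents on every write, and "clear the register between the two shares" stands in, as an assumed illustration, for what a leakage-aware move could do on the programmer's behalf.

```python
import random


def hw(v):
    return bin(v).count("1")


class HDRegister:
    """Register whose every write leaks the Hamming distance between the old and
    the new content (a common CMOS leakage model). trace holds one value per write."""

    def __init__(self):
        self.value = 0
        self.trace = []

    def write(self, new):
        self.trace.append(hw(self.value ^ new))
        self.value = new


def mask_byte(x, r):
    """First-order Boolean masking: x is represented by the shares (x ^ r, r)."""
    return x ^ r, r


def store_shares_naive(x, r):
    """Share 2 overwrites share 1 in the same register. That write leaks
    HW(s1 ^ s2) = HW(x): the unmasked secret, despite the masking."""
    s1, s2 = mask_byte(x, r)
    reg = HDRegister()
    reg.write(s1)
    reg.write(s2)
    return reg.trace


def store_shares_cleared(x, r):
    """Same sequence with the register cleared between the shares (the step a
    leakage-aware instruction could perform). Each write now leaks only the
    weight of one share, which is uniformly random and independent of x."""
    s1, s2 = mask_byte(x, r)
    reg = HDRegister()
    reg.write(s1)
    reg.write(0)
    reg.write(s2)
    return reg.trace


def first_order_bias(store, samples=2000, seed=3):
    """Difference of mean leakage between x = 0xFF and x = 0x00 over random masks,
    computed per trace sample. A value far from 0 means a first-order
    distinguisher separates the two secrets at that sample."""
    rng = random.Random(seed)

    def mean_trace(x):
        acc = None
        for _ in range(samples):
            t = store(x, rng.randrange(256))
            acc = t if acc is None else [a + b for a, b in zip(acc, t)]
        return [a / samples for a in acc]

    hi, lo = mean_trace(0xFF), mean_trace(0x00)
    return [h - l for h, l in zip(hi, lo)]


if __name__ == "__main__":
    print("naive  :", [round(b, 2) for b in first_order_bias(store_shares_naive)])
    print("cleared:", [round(b, 2) for b in first_order_bias(store_shares_cleared)])
```

In the naive sequence the second sample of the trace separates the two secrets by exactly 8 (the full Hamming weight difference), i.e. the masking bought nothing at that point; after the clear, every sample's bias is within sampling noise of zero. The same effect arises whenever a compiler or register allocator reuses a register or stack slot for two shares, which is why the thesis pushes the fix below the software level.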

    Hardware processors for pairing-based cryptography

    Bilinear pairings can be used to construct cryptographic systems with very desirable properties. A pairing maps members of groups on elliptic and genus 2 hyperelliptic curves to an extension of the finite field over which the curves are defined. The finite fields must, however, be large to ensure adequate security. The complicated group structure of the curves and the expensive field operations result in time-consuming computations that are an impediment to the practicality of pairing-based systems. The Tate pairing can be computed efficiently using the ηT method. Hardware architectures can accelerate the required operations by exploiting the parallelism inherent in the algorithmic and finite field calculations. The Tate pairing can be performed on elliptic curves of characteristic 2 and 3 and on genus 2 hyperelliptic curves of characteristic 2. Curve selection depends on several factors, including the desired computational speed, the area constraints of the target device and the required security level. In this thesis, custom hardware processors for accelerating the Tate pairing are presented and implemented on an FPGA. The underlying hardware architectures are designed with care to exploit available parallelism while ensuring resource efficiency. The characteristic 2 elliptic curve processor contains novel units that return a pairing result in a very low number of clock cycles. Despite the more complicated computational algorithm, the speed of the genus 2 processor is comparable. Pairing computation on each of these curves can be appealing in applications with different requirements. A flexible processor that can perform pairing computation on elliptic curves of characteristic 2 and 3 has also been designed, and an integrated hardware/software design and verification environment has been developed.
This system automates the procedures required for robust processor creation and enables the rapid provision of solutions for a wide range of cryptographic applications.

    Sustainable Environmental Solutions

    This book collects research activities focused on the development of new processes to replace obsolete practices that are often highly invasive, unsustainable, and socially unacceptable. Taking inspiration from real problems and the need to face real cases of contamination or prevent potentially harmful situations, the development and optimization of "smart" solutions, i.e., solutions that are sustainable not only from an environmental point of view but also economically, are discussed in order to encourage their actual implementation as much as possible.

    Embedded System Design

    A unique feature of this open access textbook is that it provides a comprehensive introduction to the fundamental knowledge in embedded systems, with applications in cyber-physical systems and the Internet of Things. It starts with an introduction to the field and a survey of specification models and languages for embedded and cyber-physical systems. It provides a brief overview of hardware devices used for such systems and presents the essentials of system software for embedded systems, including real-time operating systems. The author also discusses evaluation and validation techniques for embedded systems and provides an overview of techniques for mapping applications to execution platforms, including multi-core platforms. Embedded systems have to operate under tight constraints and, hence, the book also contains a selected set of optimization techniques, including software optimization techniques. The book closes with a brief survey on testing. This fourth edition has been updated and revised to reflect new trends and technologies, such as the importance of cyber-physical systems (CPS) and the Internet of Things (IoT), the evolution from single-core to multi-core processors, and the increased importance of energy efficiency and thermal issues.

    Evaluation of the ingestive behaviour of the dairy cow under two systems of rotation with slope

    The ingestive behaviour of grazing animals is modulated by vegetation characteristics, topography and the stocking method. This research was carried out in 2019 at the Rumipamba CADER-UCE. It aimed to evaluate the impact of two contrasting stocking methods on dairy cows grazing a pasture with an average slope >8.5%. Four dairy cows grazed a 0.4 ha paddock for 5 days under continuous stocking, while under the electric-fence method the cows were restricted to 0.2 ha and the fence was moved uphill every 3 hours, four times a day. Cows were equipped with activity sensors for 12 h per day. The whole procedure was repeated twice after equalization cuts on both paddocks, a rest period of 30 days and a random reassignment of paddocks to the treatments. The cows differed in the percentage of time spent grazing (P=0.0072), which was higher with the electric fence (55% of the measurement time). From rising-plate-meter estimates of available biomass over the grazing periods, we calculated that, despite similar forage allowances (electric fence = 48.06 kg DM/cow/d and continuous = 48.21 kg DM/cow/d), a higher forage intake was obtained in the electric-fence treatment (17.5 kg DM/cow/d) than under continuous stocking (15.7 kg DM/cow/d) (P=0.006). In terms of milk production, animals grazing under the electric-fence method tended (P=0.0985) to produce more milk (17.39 kg/d) than those in the continuous system (15.16 kg/d), with an influence of the slope (P=0.05), while for milk quality the protein content was higher for the electric fence (33.7 g/l) than for the continuous method (30.5 g/l) (P=0.039). None of the other milk properties differed between methods (P>0.05).