26 research outputs found
A Comprehensive Survey on the Implementations, Attacks, and Countermeasures of the Current NIST Lightweight Cryptography Standard
This survey is the first work on the current standard for lightweight
cryptography, standardized in 2023. Lightweight cryptography plays a vital role
in securing resource-constrained embedded systems such as deeply-embedded
systems (implantable and wearable medical devices, smart fabrics, smart homes,
and the like), radio frequency identification (RFID) tags, sensor networks, and
privacy-constrained usage models. National Institute of Standards and
Technology (NIST) initiated a standardization process for lightweight
cryptography and after a relatively-long multi-year effort, eventually, in Feb.
2023, the competition ended with ASCON as the winner. This lightweight
cryptographic standard will be used in deeply-embedded architectures to provide
security through confidentiality and integrity/authentication (the dual of the
legacy AES-GCM block cipher which is the NIST standard for symmetric key
cryptography). ASCON's lightweight design utilizes a 320-bit permutation which
is bit-sliced into five 64-bit register words, providing 128-bit level
security. This work summarizes the different implementations of ASCON on
field-programmable gate array (FPGA) and ASIC hardware platforms on the basis
of area, power, throughput, energy, and efficiency overheads. The presented
work also reviews various differential and side-channel analysis attacks (SCAs)
performed across variants of ASCON cipher suite in terms of algebraic,
cube/cube-like, forgery, fault injection, and power analysis attacks as well as
the countermeasures for these attacks. We also provide our insights and visions
throughout this survey to provide new future directions in different domains.
This survey is the first one in its kind and a step forward towards
scrutinizing the advantages and future directions of the NIST lightweight
cryptography standard introduced in 2023
Physical Time-Varying Transfer Functions as Generic Low-Overhead Power-SCA Countermeasure
Mathematically-secure cryptographic algorithms leak significant side channel
information through their power supplies when implemented on a physical
platform. These side channel leakages can be exploited by an attacker to
extract the secret key of an embedded device. The existing state-of-the-art
countermeasures mainly focus on the power balancing, gate-level masking, or
signal-to-noise (SNR) reduction using noise injection and signature
attenuation, all of which suffer either from the limitations of high power/area
overheads, performance degradation or are not synthesizable. In this article,
we propose a generic low-overhead digital-friendly power SCA countermeasure
utilizing physical Time-Varying Transfer Functions (TVTF) by randomly shuffling
distributed switched capacitors to significantly obfuscate the traces in the
time domain. System-level simulation results of the TVTF-AES implemented in
TSMC 65nm CMOS technology show > 4000x MTD improvement over the unprotected
implementation with nearly 1.25x power and 1.2x area overheads, and without any
performance degradation
Reconfigurable Architectures for Cryptographic Systems
Field Programmable Gate Arrays (FPGAs) are suitable platforms for implementing cryptographic
algorithms in hardware due to their flexibility, good performance and low power consumption.
Computer security is becoming increasingly important and security requirements
such as key sizes are quickly evolving. This creates the need for customisable hardware designs
for cryptographic operations capable of covering a large design space. In this thesis we explore
the four design dimensions relevant to cryptography - speed, area, power consumption and
security of the crypto-system - by developing parametric designs for public-key generation and
encryption as well as side-channel attack countermeasures. There are four contributions.
First, we present new architectures for Montgomery multiplication and exponentiation based
on variable pipelining and variable serial replication. Our implementations of these architectures
are compared to the best implementations in the literature and the design space is explored in
terms of speed and area trade-offs.
Second, we generalise our Montgomery multiplier design ideas by developing a parametric
model to allow rapid optimisation of a general class of algorithms containing loops with dependencies
carried from one iteration to the next. By predicting the throughput and the area of
the design, our model facilitates and speeds up design space exploration.
Third, we develop new architectures for primality testing including the first hardware architecture
for the NIST approved Lucas primality test. We explore the area, speed and power
consumption trade-offs by comparing our Lucas architectures on CPU, FPGA and ASIC.
Finally, we tackle the security issue by presenting two novel power attack countermeasures
based on on-chip power monitoring. Our constant power framework uses a closed-loop
control system to keep the power consumption of any FPGA implementation constant. Our
attack detection framework uses a network of ring-oscillators to detect the insertion of a shunt
resistor-based power measurement circuit on a device's power rail. This countermeasure is
lightweight and has a relatively low power overhead compared to existing masking and hiding
countermeasures
Enhancing System Security Using Dynamic Hardware
Within the ever-advancing field of computing, there is significant research into the many facets of cyber security. However, there is very little research to support the concept of using a Field Programmable Gate Array (FPGA) to increase the security of a system. While its most common use is to provide efficiency and speedup of processes, this research considers the use of an FPGA to mitigate vulnerabilities in both software and hardware. This paper proposes circuit variance within an FPGA as a method of Moving Target Defense (MTD) and investigates its effect on side-channels. We hypothesize that although the functionality of native and variant circuits is the same, their subsequent side-channel characterizations will differ thus creating unique electromagnetic signatures. The investigation and observations of the study include circuit variant construction, side channel attacks and analyses, and subsequent comparisons of electromagnetic signatures. We found that in the analysis of variant DES implementations, there are small but present differences in side channel depictions from native to variant
Side-Channel Attacks and Countermeasures for the MK-3 Authenticated Encryption Scheme
In the field of cryptography, the focus is often placed on security in a mathematical or information-theoretic sense; for example, cipher security is typically evaluated by the difficulty of deducing the plaintext from the ciphertext without knowledge of the key. However, once these cryptographic schemes are implemented in electronic devices, another class of attack presents itself. Side-channel attacks take advantage of the side effects of performing a computation, such as power consumption or electromagnetic emissions, to extract information outside of normal means. In particular, these side-channels can reveal parts of the internal state of a computation. This is important because intermediate values occurring during computation are typically considered implementation details, invisible to a potential attacker. If this information is revealed, then the assumptions of a non-side-channel-aware security analysis based only on inputs and outputs will no longer hold, potentially enabling an attack. This work tests the effectiveness of power-based side-channel attacks against MK-3, a customizable authenticated encryption scheme developed in a collaboration between RIT and L3Harris Technologies. Using an FPGA platform, Correlation Power Analysis (CPA) is performed on several different implementations of the algorithm to evaluate their resistance to power side-channel attacks. This method does not allow the key to be recovered directly; instead, an equivalent 512-bit intermediate state value is targeted. By applying two sequential stages of analysis, a total of between 216 and 322 bits are recovered, dependent on customization parameters. If a 128-bit key is used, then this technique has no benefit to an attacker over brute-forcing the key itself; however, in the case of a 256-bit key, CPA may provide up to a 66-bit advantage. In order to completely defend MK-3 against this type of attack, several potential countermeasures are discussed at the implementation, design, and overall system levels