A Flexible Ultralight Hardware Security Module for EPC RFID Tags

Due to the rapid growth of using Internet of Things (IoT) devices in daily life, the need to achieve an acceptable level of security and privacy for these devices is rising. Security risks may include privacy threats like gaining sensitive information from a device, and authentication problems from counterfeit or cloned devices. It is more challenging to add security features to extremely constrained devices, such as passive Electronic Product Code (EPC) Radio Frequency Identification (RFID) tags, compared to devices that have more computational and storage capabilities. EPC RFID tags are simple and low-cost electronic circuits that are commonly used in supply chains, retail stores, and other applications to identify physical objects. Most tags today are simple "license plates" that just identify the object they are attached to and have minimal security. Due to the security risks of new applications, there is an important need to implement secure RFID tags. Examples of the security risks for these applications include unauthorized physical tracking and inventorying of tags. The current commercial RFID tag designs use specialised hardware circuits approach. This approach can achieve the lowest area and power consumption; however, it lacks flexibility. This thesis presents an optimized application-specific instruction set architecture (ISA) for an ultralight Hardware Security Module (HSM). HSMs are computing devices that protect cryptographic keys and operations for a device. The HSM combines all security-related functions for passive RFID tag. The goal of this research is to demonstrate that using an application-specific instruction set processor (ASIP) architecture for ultralight HSMs provides benefits in terms of trade-offs between flexibility, extensibility, and efficiency. Our novel application specific instruction-set architecture allows flexibility on many design levels and achieves acceptable security level for passive EPC RFID tag. Our solution moves a major design effort from hardware to software, which largely reduces the final unit cost. Our ASIP processor can be implemented with 4,662 gate equivalent units (GEs) for 65 nm CMOS technology excluding cryptographic units and memories. We integrated and analysed four cryptographic modules: AES and Simeck block ciphers, WG-5 stream cipher, and ACE authenticated encryption module. Our HSM achieves very good efficiencies for both block and stream ciphers. Specifically for the AES cipher, we improve over a previous programmable AES implementation result by 32x. We increase performance dramatically and increase/decrease area by 17.97/17.14% respectively. These results fulfill the requirements of extremely constrained devices and allow the inclusion of cryptographic units into the datapath of our ASIP processor

Symmetric block ciphers with a block length of 32 bit

Subject of the thesis at hand is the analysis of symmetric block ciphers with a block length of 32 bit. It is meant to give a comprising overview over the topic of 32 bit block ciphers. The topic is divided in the examination of three questions. It contains a list of state of the art block ciphers with a block length of 32 bit. The block ciphers are being described, focussing on the encryption function. An SPN-based cipher with 32 bit block length is being proposed by rescaling the AES cipher. The 32 bit block length results in certain security issues. These so called risk factors are analysed and mitigating measures are proposed. The result of the thesis is, that 32 bit block ciphers can be implemented in a secure manner. The use of 32 bit ciphers should be limited to specific use-cases and with a profound risk analysis, to determine the protection class of the data to be encrypted

Multi-Purpose Designs in Lightweight Cryptography

The purpose of this thesis is to explore a number of techniques used in lightweight cryptography design and their applications in the hardware designs of two lightweight permutations called sLiSCP and sLiSCP-light. Most of current methods in lightweight cryptography are optimized around one functionality and is only useful for applications that require their specific design. We aimed to provide a design that can provide multiple functionalities. In this thesis, we focus and show the hash function and authenticated encryption of our design. We implemented two lightweight permutations designs of sLiSCP and sLiSCP-light in VHDL. During the verification of sLiSCP cipher, we discovered additional area that could be saved if we tweaked the design slightly. This would lead us to consider the design of sLiSCP-light which helps dramatically reduce area. Results of our designs of sLiSCP and sLiSCP-light satisfied the lightweight requirements, including hardware area, power, and throughput, for applications such as passive RFID tags. Lastly, we did tests on the randomness of Simeck and Simon Feistel structures. We wanted to observe the pseudorandom nature of structures similar to Simeck and Simon so we performed exhaustive tests on small instances of these structures to trace any trends in their behavior. We confirmed that Simon and Simeck were very consistent and provided acceptable pseudorandom results. For larger sizes, we expect similar results from Simon and Simeck

Optimized Hardware Implementations of Lightweight Cryptography

Radio frequency identification (RFID) is a key technology for the Internet of Things era. One important advantage of RFID over barcodes is that line-of-sight is not required between readers and tags. Therefore, it is widely used to perform automatic and unique identification of objects in various applications, such as product tracking, supply chain management, and animal identification. Due to the vulnerabilities of wireless communication between RFID readers and tags, security and privacy issues are significant challenges. The most popular passive RFID protocol is the Electronic Product Code (EPC) standard. EPC tags have many constraints on power consumption, memory, and computing capability. The field of lightweight cryptography was created to provide secure, compact, and flexible algorithms and protocols suitable for applications where the traditional cryptographic primitives, such as AES, are impractical. In these lightweight algorithms, tradeoffs are made between security, area/power consumption, and throughput. In this thesis, we focus on the hardware implementations and optimizations of lightweight cryptography and present the Simeck block cipher family, the WG-8 stream cipher, the Warbler pseudorandom number generator (PRNG), and the WGLCE cryptographic engine. Simeck is a new family of lightweight block ciphers. Simeck takes advantage of the good components and design ideas of the Simon and Speck block ciphers and it has three instances with different block and key sizes. We provide an extensive exploration of different hardware architectures in ASICs and show that Simeck is smaller than Simon in terms of area and power consumption. For the WG-8 stream cipher, we explore four different approaches for the WG transformation module, where one takes advantage of constant arrays and the other three benefit from the tower field constructions of the finite field \F_{2^8} and also efficient basis conversion matrices. The results in FPGA and ASICs show that the constant arrays based method is the best option. We also propose a hybrid design to improve the throughput with a little additional hardware. For the Warbler PRNG, we present the first detailed and smallest hardware implementations and optimizations. The results in ASICs show that the area of Warbler with throughput of 1 bit per 5 clock cycles (1/5 bpc) is smaller than that of other PRNGs and is in fact smaller than that of most of the lightweight primitives. We also optimize and improve the throughput from 1/5 bpc to 1 bpc with a little additional area and power consumption. Finally, we propose a cryptographic engine WGLCE for passive RFID systems. We merge the Warbler PRNG and WG-5 stream cipher together by reusing the finite state machine for both of them. Therefore, WGLCE can provide data confidentiality and generate pseudorandom numbers. After investigating the design rationales and hardware architectures, our results in ASICs show that WGLCE meets the constraints of passive RFID systems

SMT-based Cube Attack on Simeck32/64

Satisfiability modulo theories or SMT can be stated as a generalization of Boolean satisfiability problem or SAT. The core idea behind the introduction of SMT solvers is to reduce the complexity through providing more information about the problem environment. In this paper, we take advantage of a similar idea and feed the SMT solver itself, by extra information provided through middle state Cube characteristics, to introduce a new method which we call SMT-based Cube Attack, and apply it to improve the success of the solver in attacking reduced-round versions of the Simeck32/64 lightweight block cipher. We first propose a new algorithm to find cubes with most number of middle state characteristics. Then, we apply these obtained cubes and their characteristics as extra information in the SMT definition of the cryptanalysis problem, to evaluate its effectiveness. Our cryptanalysis results in a full key recovery attack by 64 plaintext/ciphertext pairs on 12 rounds of the cipher in just 122.17 seconds. This is the first practical attack so far presented against the reduced-round versions of Simeck32/64. We also conduct the cube attack on the Simeck32/64 to compare with the SMT-based cube attack. The results indicate that the proposed attack is more powerful than the cube attack

SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations

We revisit designing AND-RX block ciphers, that is, the designs assembled with the most fundamental binary operations---AND, Rotation and XOR operations and do not rely on existing units. Likely, the most popular representative is the NSA cipher \texttt{SIMON}, which remains one of the most efficient designs, but suffers from difficulty in security evaluation. As our main contribution, we propose \texttt{SAND}, a new family of lightweight AND-RX block ciphers. To overcome the difficulty regarding security evaluation, \texttt{SAND} follows a novel design approach, the core idea of which is to restrain the AND-RX operations to be within nibbles. By this, \texttt{SAND} admits an equivalent representation based on a $4\times8$ \textit{synthetic S-box} ($SSb$). This enables the use of classical S-box-based security evaluation approaches. Consequently, for all versions of \texttt{SAND}, (a) we evaluated security bounds with respect to differential and linear attacks, and in both single-key and related-key scenarios; (b) we also evaluated security against impossible differential and zero-correlation linear attacks. This better understanding of the security enables the use of a relatively simple key schedule, which makes the ASIC round-based hardware implementation of \texttt{SAND} to be one of the state-of-art Feistel lightweight ciphers. As to software performance, due to the natural bitslice structure, \texttt{SAND} reaches the same level of performance as \texttt{SIMON} and is among the most software-efficient block ciphers

State of the Art in Lightweight Symmetric Cryptography

Lightweight cryptography has been one of the hot topics in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a lightweight algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers\u27 preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs

Implementation of Time Memory Trade-off attack using MPI on GPC

Time memory trade-off (TMTO) is a computationally intensive cryptographic attack originally introduced by Hellman in 1980. Since then many different improvements and implementations were researched and developed. In this thesis, we propose a frame work to implement TMTO with parallel computing using message passing interface (MPI) which is generic to serve a general cryptographic algorithm with flexibility. We have presented the framework development, design rationale, behavior testing, and proposal for collision handling. For the design rationale, we identified all the components, and features needed to build or expand the framework, and we identified the differences between it and original methodology proposed by Hellman. We explained the rationale behind choosing specific features for our implementation and for adding verification features like XOR cipher. We tested the behavior of the framework using mostly Simeck and partially Speck ciphers. We show that the main issue affecting the effectiveness of the generic implementation is collisions. We concluded that problem is almost completely parallel and coarse grained once we ignore the requirement for uniformly distributed random generation of the starting points. Throughout the program design and job result analysis, it became apparent that collision will be the main challenge so we proposed a fine grained collision detection and avoidance algorithm using parallel computing that should eliminate this problem and increase the coverage of the framework. The proposed algorithm relies on three layers of processes. The difference from the current approach is the middle layer that will be responsible for detecting and preventing collisions using doubly linked list structures. This will also be helpful in detecting cipher biases since it monitors the calculated block over the whole search space

A reliable trust-aware reinforcement learning based routing protocol for wireless medical sensor networks.

Interest in the Wireless Medical Sensor Network (WMSN) is rapidly gaining attention thanks to recent advances in semiconductors and wireless communication. However, by virtue of the sensitive medical applications and the stringent resource constraints, there is a need to develop a routing protocol to fulfill WMSN requirements in terms of delivery reliability, attack resiliency, computational overhead and energy efficiency. This doctoral research therefore aims to advance the state of the art in routing by proposing a lightweight, reliable routing protocol for WMSN. Ensuring a reliable path between the source and the destination requires making trustaware routing decisions to avoid untrustworthy paths. A lightweight and effective Trust Management System (TMS) has been developed to evaluate the trust relationship between the sensor nodes with a view to differentiating between trustworthy nodes and untrustworthy ones. Moreover, a resource-conservative Reinforcement Learning (RL) model has been proposed to reduce the computational overhead, along with two updating methods to speed up the algorithm convergence. The reward function is re-defined as a punishment, combining the proposed trust management system to defend against well-known dropping attacks. Furthermore, with a view to addressing the inborn overestimation problem in Q-learning-based routing protocols, we adopted double Q-learning to overcome the positive bias of using a single estimator. An energy model is integrated with the reward function to enhance the network lifetime and balance energy consumption across the network. The proposed energy model uses only local information to avoid the resource burdens and the security concerns of exchanging energy information. Finally, a realistic trust management testbed has been developed to overcome the limitations of using numerical analysis to evaluate proposed trust management schemes, particularly in the context of WMSN. The proposed testbed has been developed as an additional module to the NS-3 simulator to fulfill usability, generalisability, flexibility, scalability and high-performance requirements