Realizing arbitrary-precision modular multiplication with a fixed-precision multiplier datapath

Within the context of cryptographic hardware, the term scalability refers to the ability to process operands of any size, regardless of the precision of the underlying data path or registers. In this paper we present a simple yet effective technique for increasing the scalability of a fixed-precision Montgomery multiplier. Our idea is to extend the datapath of a Montgomery multiplier in such a way that it can also perform an ordinary multiplication of two n-bit operands (without modular reduction), yielding a 2n-bit result. This conventional (nxn->2n)-bit multiplication is then used as a “sub-routine” to realize arbitrary-precision Montgomery multiplication according to standard software algorithms such as Coarsely Integrated Operand Scanning (CIOS). We show that performing a 2n-bit modular multiplication on an n-bit multiplier can be done in 5n clock cycles, whereby we assume that the n-bit modular multiplication takes n cycles. Extending a Montgomery multiplier for this extra functionality requires just some minor modifications of the datapath and entails a slight increase in silicon area

Cryptographic coprocessors for embedded systems

In the field of embedded systems design, coprocessors play an important role as a component to increase performance. Many embedded systems are built around a small General Purpose Processor (GPP). If the GPP cannot meet the performance requirements for a certain operation, a coprocessor can be included in the design. The GPP can then offload the computationally intensive operation to the coprocessor; thus increasing the performance of the overall system. A common application of coprocessors is the acceleration of cryptographic algorithms. The work presented in this thesis discusses coprocessor architectures for various cryptographic algorithms that are found in many cryptographic protocols. Their performance is then analysed on a Field Programmable Gate Array (FPGA) platform. Firstly, the acceleration of Elliptic Curve Cryptography (ECC) algorithms is investigated through the use of instruction set extension of a GPP. The performance of these algorithms in a full hardware implementation is then investigated, and an architecture for the acceleration the ECC based digital signature algorithm is developed. Hash functions are also an important component of a cryptographic system. The FPGA implementation of recent hash function designs from the SHA-3 competition are discussed and a fair comparison methodology for hash functions presented. Many cryptographic protocols involve the generation of random data, for keys or nonces. This requires a True Random Number Generator (TRNG) to be present in the system. Various TRNG designs are discussed and a secure implementation, including post-processing and failure detection, is introduced. Finally, a coprocessor for the acceleration of operations at the protocol level will be discussed, where, a novel aspect of the design is the secure method in which private-key data is handle

Implementing RLWE-based Schemes Using an RSA Co-Processor

We repurpose existing RSA/ECC co-processors for (ideal) lattice-based cryptography by exploiting the availability of fast long integer multiplication. Such co-processors are deployed in smart cards in passports and identity cards, secured microcontrollers and hardware security modules (HSM). In particular, we demonstrate an implementation of a variant of the Module-LWE-based Kyber Key Encapsulation Mechanism (KEM) that is tailored for high performance on a commercially available smart card chip (SLE 78). To benefit from the RSA/ECC co-processor we use Kronecker substitution in combination with schoolbook and Karatsuba polynomial multiplication. Moreover, we speed-up symmetric operations in our Kyber variant using the AES co-processor to implement a PRNG and a SHA-256 co-processor to realise hash functions. This allows us to execute CCA-secure Kyber768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms

Fast, compact and secure implementation of rsa on dedicated hardware

RSA is the most popular Public Key Cryptosystem (PKC) and is heavily used today. PKC comes into play, when two parties, who have previously never met, want to create a secure channel between them. The core operation in RSA is modular multiplication, which requires lots of computational power especially when the operands are longer than 1024-bits. Although today’s powerful PC’s can easily handle one RSA operation in a fraction of a second, small devices such as PDA’s, cell phones, smart cards, etc. have limited computational power, thus there is a need for dedicated hardware which is specially designed to meet the demand of this heavy calculation. Additionally, web servers, which thousands of users can access at the same time, need to perform many PKC operations in a very short time and this can create a performance bottleneck. Special algorithms implemented on dedicated hardware can take advantage of true massive parallelism and high utilization of the data path resulting in high efficiency in terms of both power and execution time while keeping the chip cost low. We will use the “Montgomery Modular Multiplication” algorithm in our implementation, which is considered one of the most efficient multiplication schemes, and has many applications in PKC. In the first part of the thesis, our “2048-bit Radix-4 based Modular Multiplier” design is introduced and compared with the conventional radix-2 modular multipliers of previous works. Our implementation for 2048-bit modular multiplication features up to 82% shorter execution time with 33% increase in the area over the conventional radix-2 designs and can achieve 132 MHz on a Xilinx xc2v6000 FPGA. The proposed multiplier has one of the fastest execution times in terms of latency and performs better than (37% better) our reference radix-2 design in terms of time-area product. The results are similar in the ASIC case where we implement our design for UMC 0.18 μm technology. In the second part, a fast, efficient, and parameterized modular multiplier and a secure exponentiation circuit intended for inexpensive FPGAs are presented. The design utilizes hardwired block multipliers as the main functional unit and Block-RAM as storage unit for the operands. The adopted design methodology allows adjusting the number of multipliers, the radix used in the multipliers, and number of words to meet the system requirements such as available resources, precision and timing constraints. The deployed method is based on the Montgomery modular multiplication algorithm and the architecture utilizes a pipelining technique that allows concurrent operation of hardwired multipliers. Our design completes 1020-bit and 2040-bit modular multiplications* in 7.62 μs and 27.0 μs respectively with approximately the same device usage on Xilinx Spartan-3E 500. The multiplier uses a moderate amount of system resources while achieving the best area-time product in literature. 2040-bit modular exponentiation engine easily fits into Xilinx Spartan-3E 500; moreover the exponentiation circuit withstands known side channel attacks with an insignificant overhead in area and execution time. The upper limit on the operand precision is dictated only by the available Block-RAM to accommodate the operands within the FPGA. This design is also compared to the first one, considering the relative advantages and disadvantages of each circuit

Efficient Modular Multiplication

This paper is concerned with one of the fundamental building blocks used in modern public-key cryptography: modular multiplication. Speed-ups applied to the modular multiplication algorithm or implementation directly translate in a faster modular exponentiation for RSA or a faster realization of the group law when using elliptic curve cryptography

Authentication Protocols and Privacy Protection

Tato dizertační práce se zabývá kryptografickými prostředky pro autentizaci. Hlavním tématem však nejsou klasické autentizační protokoly, které nabízejí pouze ověření identity, ale tzv. atributové autentizační systémy, pomocí kterých mohou uživatelé prokazovat svoje osobní atributy. Tyto atributy pak mohou představovat jakékoliv osobní informace, např. věk, národnost či místo narození. Atributy mohou být prokazovány anonymně a s podporou mnoha funkcí na ochranu digitální identity. Mezi takové funkce patří např. nespojitelnost autentizačních relací, nesledovatelnost, možnost výběru prokazovaných atributů či efektivní revokace. Atributové autentizační systémy jsou již nyní považovány za nástupce současných systémů v oficiálních strategických plánech USA (NSTIC) či EU (ENISA). Část požadovaných funkcí je již podporována existujícími kryptografickými koncepty jako jsou U-Prove či idemix. V současné době však není známý systém, který by poskytoval všechny potřebné funkce na ochranu digitální identity a zároveň byl prakticky implementovatelný na zařízeních, jako jsou čipové karty. Mezi klíčové slabiny současných systémů patří především chybějící nespojitelnost relací a absence revokace. Není tak možné efektivně zneplatnit zaniklé uživatele, ztracené či ukradené autentizační karty či karty škodlivých uživatelů. Z těchto důvodů je v této práci navrženo kryptografické schéma, které řeší slabiny nalezené při analýze existujících řešení. Výsledné schéma, jehož návrh je založen na ověřených primitivech, jako jsou $\Sigma$-protokoly pro důkazy znalostí, kryptografické závazky či ověřitelné šifrování, pak podporuje všechny požadované vlastnosti pro ochranu soukromí a digitální identity. Zároveň je však návrh snadno implementovatelný v prostředí smart-karet. Tato práce obsahuje plný kryptografický návrh systému, formální ověření klíčových vlastností, matematický model schématu v programu Mathematica pro ověření funkčnosti a výsledky experimentální implementace v prostředí .NET smart-karet. I přesto, že navrhovaný systém obsahuje podporu všech funkcí na ochranu soukromí, včetně těch, které chybí u existujících systémů, jeho výpočetní složitost zůstává stejná či nižší, doba ověření uživatele je tedy kratší než u existujících systémů. Výsledkem je schéma, které může velmi znatelně zvýšit ochranu soukromí uživatelů při jejich ověřování, především při využití v elektronických dokladech, přístupových systémech či Internetových službách.This dissertation thesis deals with the cryptographic constructions for user authentication. Rather than classical authentication protocols which allow only the identity verification, the attribute authentication systems are the main topic of this thesis. The attribute authentication systems allow users to give proofs about the possession of personal attributes. These attributes can represent any personal information, for example age, nationality or birthplace. The attribute ownership can be proven anonymously and with the support of many features for digital identity protection. These features include, e.g., the unlinkability of verification sessions, untraceability, selective disclosure of attributes or efficient revocation. Currently, the attribute authentication systems are considered to be the successors of existing authentication systems by the official strategies of USA (NSTIC) and EU (ENISA). The necessary features are partially provided by existing cryptographic concepts like U-Prove and idemix. But at this moment, there is no system providing all privacy-enhancing features which is implementable on computationally restricted devices like smart-cards. Among all weaknesses of existing systems, the missing unlinkability of verification sessions and the absence of practical revocation are the most critical ones. Without these features, it is currently impossible to invalidate expired users, lost or stolen authentication cards and cards of malicious users. Therefore, a new cryptographic scheme is proposed in this thesis to fix the weaknesses of existing schemes. The resulting scheme, which is based on established primitives like $\Sigma$-protocols for proofs of knowledge, cryptographic commitments and verifiable encryption, supports all privacy-enhancing features. At the same time, the scheme is easily implementable on smart-cards. This thesis includes the full cryptographic specification, the formal verification of key properties, the mathematical model for functional verification in Mathematica software and the experimental implementation on .NET smart-cards. Although the scheme supports all privacy-enhancing features which are missing in related work, the computational complexity is the same or lower, thus the time of verification is shorter than in existing systems. With all these features and properties, the resulting scheme can significantly improve the privacy of users during their verification, especially when used in electronic ID systems, access systems or Internet services.

Software and Critical Technology Protection Against Side Channel Analysis Through Dynamic Hardware Obfuscation

Side Channel Analysis (SCA) is a method by which an adversary can gather information about a processor by examining the activity being done on a microchip though the environment surrounding the chip. Side Channel Analysis attacks use SCA to attack a microcontroller when it is processing cryptographic code, and can allow an attacker to gain secret information, like a crypto-algorithm\u27s key. The purpose of this thesis is to test proposed dynamic hardware methods to increase the hardware security of a microprocessor such that the software code being run on the microprocessor can be made more secure without having to change the code. This thesis uses the Java Optimized Processor (JOP) to identify and _x SCA vulnerabilities to give a processor running RSA or AES code more protection against SCA attacks

New methods for finite field arithmetic

We describe novel methods for obtaining fast software implementations of the arithmetic operations in the finite field GF(p) and GF(p[superscript k]). In GF(p) we realize an extensive speedup in modular addition and subtraction routines and some small speedup in the modular multiplication routine with an arbitrary prime modulus p which is of arbitrary length. The most important feature of the method is that it avoids bit-level operations which are slow on microprocessors and performs word-level operations which are significantly faster. The proposed method has applications in public-key cryptographic algorithms defined over the finite field GF(p), most notably the elliptic curve digital signature algorithm. The new method provides up to 13% speedup in the execution of the ECDSA algorithm over the field GF(p) for the length of p in the range 161≤k≤256. In the finite extension field GF(p[superscript k]) we describe two new methods for obtaining fast software implementations of the modular multiplication operation with an arbitrary prime modulus p, which has less bit-length than the word-length of a microprocessor and an arbitrary generator polynomial. The second algorithm is a significant improvement over the first algorithm by using the same concepts introduced in GF(p) arithmetic

Proceedings of the 5th International Workshop on Reconfigurable Communication-centric Systems on Chip 2010 - ReCoSoC\u2710 - May 17-19, 2010 Karlsruhe, Germany. (KIT Scientific Reports ; 7551)

ReCoSoC is intended to be a periodic annual meeting to expose and discuss gathered expertise as well as state of the art research around SoC related topics through plenary invited papers and posters. The workshop aims to provide a prospective view of tomorrow\u27s challenges in the multibillion transistor era, taking into account the emerging techniques and architectures exploring the synergy between flexible on-chip communication and system reconfigurability