871 research outputs found

    A versatile Montgomery multiplier architecture with characteristic three support

    We present a novel unified core design which is extended to realize Montgomery multiplication in the fields GF(2^n), GF(3^m), and GF(p). Our unified design supports RSA and elliptic curve schemes, as well as the identity-based encryption which requires a pairing computation on an elliptic curve. The architecture is pipelined and is highly scalable. The unified core utilizes the redundant signed digit representation to reduce the critical path delay. While the carry-save representation used in classical unified architectures is only good for addition and multiplication operations, the redundant signed digit representation also facilitates efficient computation of comparison and subtraction operations besides addition and multiplication. Thus, there is no need for a transformation between the redundant and the non-redundant representations of field elements, which would be required in the classical unified architectures to realize the subtraction and comparison operations. We also quantify the benefits of the unified architectures in terms of area and critical path delay. We provide detailed implementation results. The metric shows that the new unified architecture provides an improvement over a hypothetical non-unified architecture of at least 24.88%, while the improvement over a classical unified architecture is at least 32.07%

    Compromising emissions from a high speed cryptographic embedded system

    Specific hardware implementations of cryptographic algorithms have been subject to a number of “side channel” attacks of late. A side channel is any information bearing emission that results from the physical implementation of a cryptographic algorithm. Smartcard realisations have been shown to be particularly vulnerable to these attacks. Other more complex embedded cryptographic systems may also be vulnerable, and each new design needs to be tested. The vulnerability of a recently developed high speed cryptographic accelerator is examined. The purpose of this examination is not only to verify the integrity of the device, but also to allow its designers to make a determination of its level of conformance with any standard that they may wish to comply with. A number of attacks were reviewed initially and two were chosen for examination and implementation - Power Analysis and Electromagnetic Analysis. These particular attacks appeared to offer the greatest threat to this particular system. Experimental techniques were devised to implement these attacks and a simulation and microcontroller emulation were set up to ensure these techniques were sound. Each experimental setup was successful in attacking the simulated data and the microcontroller circuit. The significance of this was twofold in that it verified the integrity of the setup and proved that a real threat existed. However, the attacks on the cryptographic accelerator failed in all cases to reveal any significant information. Although this is considered a positive result, it does not prove the integrity of the device as it may be possible for an adversary with more resources to successfully attack the board. It does however increase the level of confidence in this particular product and acts as a stepping stone towards conformance of cryptographic standards. The experimental procedures developed can also be used by designers wishing to test the vulnerability of their own products to these attacks

    Highly secure cryptographic computations against side-channel attacks

    Side channel attacks (SCAs) have been considered as great threats to modern cryptosystems, including RSA and elliptic curve public key cryptosystems. This is because the main computations involved in these systems, as the Modular Exponentiation (ME) in RSA and scalar multiplication (SM) in elliptic curve system, are potentially vulnerable to SCAs. Montgomery Powering Ladder (MPL) has been shown to be a good choice for ME and SM with counter-measures against certain side-channel attacks. However, recent research shows that MPL is still vulnerable to some advanced attacks [21, 30 and 34]. In this thesis, an improved sequence masking technique is proposed to enhance the MPL's resistance towards Differential Power Analysis (DPA). Based on the new technique, a modified MPL with countermeasure in both data and computation sequence is developed and presented. Two efficient hardware architectures for original MPL algorithm are also presented by using binary and radix-4 representations, respectively

    FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD

    Elliptic curve cryptography plays a crucial role in network and communication security. However, implementation of elliptic curve cryptography, especially the implementation of scalar multiplication on an elliptic curve, faces multiple challenges. One of the main challenges is side channel attacks (SCAs). SCAs pose a real threat to the conventional implementations of scalar multiplication such as binary methods (also called doubling-and-add methods). Several scalar multiplication algorithms with countermeasures against side channel attacks have been proposed. Among them, Montgomery Powering Ladder (MPL) has been shown to be an effective countermeasure against simple power analysis. However, MPL is still vulnerable to certain more sophisticated side channel attacks. A recently proposed modified MPL utilizes a combination of sequence masking (SM), exponent splitting (ES) and point randomization (PR). It has been shown to be one of the best countermeasure algorithms that are immune to many sophisticated side channel attacks [11]. In this thesis, an efficient hardware architecture for this algorithm is proposed and its FPGA implementation is also presented. To our best knowledge, this is the first time that this modified MPL with SM, ES, and PR has been implemented in hardware

    Fault attacks on RSA and elliptic curve cryptosystems

    This thesis answered how a fault attack targeting software used to program EEPROM can threaten hardware devices, for instance IoT devices. The successful fault attacks proposed in this thesis will certainly warn designers of hardware devices of the security risks their devices may face on the programming leve

    A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components

    The semiconductor industry is fully globalized and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, storing and computing on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have been either quickly circumvented, or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture, that uses commercial off-the-shelf (COTS) hardware, and provides strong security guarantees, even in the presence of multiple malicious or faulty components. The key idea is to combine protective-redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both Decryption and Signing) and an exponential increase in backdoor-tolerance as more ICs are added

    A Meaningful MD5 Hash Collision Attack

    It is now proved by Wang et al., that MD5 hash is no more secure, after they proposed an attack that would generate two different messages that give the same MD5 sum. Many conditions need to be satisfied to attain this collision. Vlastimil Klima then proposed a more efficient and faster technique to implement this attack. We use these techniques to first create a collision attack and then use these collisions to implement meaningful collisions by creating two different packages that give identical MD5 hash, but when extracted, each gives out different files with contents specified by the attacker

    Side-Channel Analysis: Countermeasures and Application to Embedded Systems Debugging

    Side-Channel Analysis plays an important role in cryptology, as it represents an important class of attacks against cryptographic implementations, especially in the context of embedded systems such as hand-held mobile devices, smart cards, RFID tags, etc. These types of attacks bypass any intrinsic mathematical security of the cryptographic algorithm or protocol by exploiting observable side-effects of the execution of the cryptographic operation that may exhibit some relationship with the internal (secret) parameters in the device. Two of the main types of side-channel attacks are timing attacks or timing analysis, where the relationship between the execution time and secret parameters is exploited; and power analysis, which exploits the relationship between power consumption and the operations being executed by a processor as well as the data that these operations work with. For power analysis, two main types have been proposed: simple power analysis (SPA) which relies on direct observation on a single measurement, and differential power analysis (DPA), which uses multiple measurements combined with statistical processing to extract information from the small variations in power consumption correlated to the data. In this thesis, we propose several countermeasures to these types of attacks, with the main themes being timing analysis and SPA. In addition to these themes, one of our contributions expands upon the ideas behind SPA to present a constructive use of these techniques in the context of embedded systems debugging. In our first contribution, we present a countermeasure against timing attacks where an optimized form of idle-wait is proposed with the goal of making the observable decryption time constant for most operations while maintaining the overhead to a minimum. 
We show that not only we reduce the overhead in terms of execution speed, but also the computational cost of the countermeasure, which represents a considerable advantage in the context of devices relying on battery power, where reduced computations translates into lower power consumption and thus increased battery life. This is indeed one of the important themes for all of the contributions related to countermeasures to side-channel attacks. Our second and third contributions focus on power analysis; specifically, SPA. We address the issue of straightforward implementations of binary exponentiation algorithms (or scalar multiplication, in the context of elliptic curve cryptography) making a cryptographic system vulnerable to SPA. Solutions previously proposed introduce a considerable performance penalty. We propose a new method, namely Square-and-Buffered-Multiplications (SABM), that implements an SPA-resistant binary exponentiation exhibiting optimal execution time at the cost of a small amount of storage --- O(\sqrt{\ell}), where \ell is the bit length of the exponent. The technique is optimal in the sense that it adds SPA-resistance to an underlying binary exponentiation algorithm while introducing zero computational overhead. We then present several new SPA-resistant algorithms that result from a novel way of combining the SABM method with an alternative binary exponentiation algorithm where the exponent is split in two halves for simultaneous processing, showing that by combining the two techniques, we can make use of signed-digit representations of the exponent to further improve performance while maintaining SPA-resistance. We also discuss the possibility of our method being implemented in a way that a certain level of resistance against DPA may be obtained. 
In a related contribution, we extend these ideas used in SPA and propose a technique to non-intrusively monitor a device and trace program execution, with the intended application of assisting in the difficult task of debugging embedded systems at deployment or production stage, when standard debugging tools or auxiliary components to facilitate debugging are no longer enabled in the device. One of the important highlights of this contribution is the fact that the system works on a standard PC, capturing the power traces through the recording input of the sound card