CoFHEE: A Co-processor for Fully Homomorphic Encryption Execution

The migration of computation to the cloud has raised privacy concerns as sensitive data becomes vulnerable to attacks since they need to be decrypted for processing. Fully Homomorphic Encryption (FHE) mitigates this issue as it enables meaningful computations to be performed directly on encrypted data. Nevertheless, FHE is orders of magnitude slower than unencrypted computation, which hinders its practicality and adoption. Therefore, improving FHE performance is essential for its real world deployment. In this paper, we present a year-long effort to design, implement, fabricate, and post-silicon validate a hardware accelerator for Fully Homomorphic Encryption dubbed CoFHEE. With a design area of $12mm^2$, CoFHEE aims to improve performance of ciphertext multiplications, the most demanding arithmetic FHE operation, by accelerating several primitive operations on polynomials, such as polynomial additions and subtractions, Hadamard product, and Number Theoretic Transform. CoFHEE supports polynomial degrees of up to $n = 2^{14}$ with a maximum coefficient sizes of 128 bits, while it is capable of performing ciphertext multiplications entirely on chip for $n \leq 2^{13}$. CoFHEE is fabricated in 55nm CMOS technology and achieves 250 MHz with our custom-built low-power digital PLL design. In addition, our chip includes two communication interfaces to the host machine: UART and SPI. This manuscript presents all steps and design techniques in the ASIC development process, ranging from RTL design to fabrication and validation. We evaluate our chip with performance and power experiments and compare it against state-of-the-art software implementations and other ASIC designs. Developed RTL files are available in an open-source repository

Analysis of DPA and DEMA Attacks

Side channel attacks (SCA) are attacks on the implementations of cryptographic algorithms or cryptography devices that do not employ full brute force attack or exploit the weaknesses of the algorithms themselves. There are mant types of side channel attacks, and they include timing, sound, power consumptions, electromag- netic (EM) radiations, and more. A statistical side channel attack technique that uses power consumption and EM readings was developed, and they are called Differential Power Analysis (DPA) and Differential Electromagnetic Analysis respectively. DPA takes the overall power consumption readings from the system of interest, and DEMA takes a localized EM readings from the system of interest. In this project, we will examine the effectiveness of both techniques and compare the results. We will compare the techniques based on the amount of resource and time they needed to perform a successful SCA on the same system. In addition, we will attempt to use a radio receiver to down mix the power consumption readings and the EM readings to reduce the amount of computing resources it takes to perform SCA. We will provide our test results of performing SCA with DPA and DEMA, and we will also compare the results to determine the effectiveness of the two techniques

Elastic Block Ciphers: Method, Security and Instantiations

We introduce the concept of an elastic block cipher which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. Our method uses the round function of an existing block cipher as a black box and inserts it into a substitution- permutation network. Our method is designed to enable us to form a reduction between the elastic and the original versions of the cipher. Using this reduction, we prove that the elastic version of a cipher is secure against key-recovery attacks if the original cipher is secure against such attacks. We note that while reduction-based proofs of security are a cornerstone of cryptographic analysis, they are typical when complete components are used as sub-components in a larger design. We are not aware of the use of such techniques in the case of concrete block cipher designs. We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1, and RC6. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers

Terakey - An Encryption Method Whose Security Can Be Analyzed from First Principles

Terakey is an encryption system whose confidentiality can be demonstrated from first principles, without making assumptions about the computational difficulty of certain mathematical problems. It employs a key that is much larger than the anticipated volume of message traffic. It is based on the one-time pad, but addresses the risk of key reuse stochastically. Conventional cryptographic techniques can be used to ameliorate infrequent byte collisions. The large size of the key reduces the risk of key exfiltration and facilitates physical security measures to maintain a secure chain of control for the key. Terakey also serves as a potential alternative for comparison with quantum key distribution technology, arguably providing equivalent security with fewer complications

A holistic approach examining RFID design for security and privacy

This paper adopts a holistic approach to Radio Frequency Identification (RFID) security that considers security and privacy under resource constraints concurrently. In this context, a practical realisation of a secure passive (battery-less) RFID tag is presented. The tag consists of an off the shelf front end combined with a bespoke 0.18 μm Application Specific Integrated Circuit (ASIC) assembled as a -sized prototype. The ASIC integrates the authors’ ultra low power novel Advanced Encryption Standard (AES) design together with a novel random number generator and a novel protocol, which provides both security and privacy. The analysis presented shows a security of 64-bits against many attack methods. Both modelled and measured power results are presented. The measured average core power consumed during continuous normal operation is 1.36 μW

Dynamic block encryption with self-authenticating key exchange

One of the greatest challenges facing cryptographers is the mechanism used for key exchange. When secret data is transmitted, the chances are that there may be an attacker who will try to intercept and decrypt the message. Having done so, he/she might just gain advantage over the information obtained, or attempt to tamper with the message, and thus, misguiding the recipient. Both cases are equally fatal and may cause great harm as a consequence. In cryptography, there are two commonly used methods of exchanging secret keys between parties. In the first method, symmetric cryptography, the key is sent in advance, over some secure channel, which only the intended recipient can read. The second method of key sharing is by using a public key exchange method, where each party has a private and public key, a public key is shared and a private key is kept locally. In both cases, keys are exchanged between two parties. In this thesis, we propose a method whereby the risk of exchanging keys is minimised. The key is embedded in the encrypted text using a process that we call `chirp coding', and recovered by the recipient using a process that is based on correlation. The `chirp coding parameters' are exchanged between users by employing a USB flash memory retained by each user. If the keys are compromised they are still not usable because an attacker can only have access to part of the key. Alternatively, the software can be configured to operate in a one time parameter mode, in this mode, the parameters are agreed upon in advance. There is no parameter exchange during file transmission, except, of course, the key embedded in ciphertext. The thesis also introduces a method of encryption which utilises dynamic blocks, where the block size is different for each block. Prime numbers are used to drive two random number generators: a Linear Congruential Generator (LCG) which takes in the seed and initialises the system and a Blum-Blum Shum (BBS) generator which is used to generate random streams to encrypt messages, images or video clips for example. In each case, the key created is text dependent and therefore will change as each message is sent. The scheme presented in this research is composed of five basic modules. The first module is the key generation module, where the key to be generated is message dependent. The second module, encryption module, performs data encryption. The third module, key exchange module, embeds the key into the encrypted text. Once this is done, the message is transmitted and the recipient uses the key extraction module to retrieve the key and finally the decryption module is executed to decrypt the message and authenticate it. In addition, the message may be compressed before encryption and decompressed by the recipient after decryption using standard compression tools

Exploiting the Physical Disparity: Side-Channel Attacks on Memory Encryption

Memory and disk encryption is a common measure to protect sensitive information in memory from adversaries with physical access. However, physical access also comes with the risk of physical attacks. As these may pose a threat to memory confidentiality, this paper investigates contemporary memory and disk encryption schemes and their implementations with respect to Differential Power Analysis (DPA) and Differential Fault Analysis (DFA). It shows that DPA and DFA recover the keys of all the investigated schemes, including the tweakable block ciphers XEX and XTS. This paper also verifies the feasibility of such attacks in practice. Using the EM side channel, a DPA on the disk encryption employed within the ext4 file system is shown to reveal the used master key on a Zynq Z-7010 system on chip. The results suggest that memory and disk encryption secure against physical attackers is at least four times more expensive