An IoT Endpoint System-on-Chip for Secure and Energy-Efficient Near-Sensor Analytics
Near-sensor data analytics is a promising direction for IoT endpoints, as it
minimizes energy spent on communication and reduces network load - but it also
poses security concerns, as valuable data is stored or sent over the network at
various stages of the analytics pipeline. Using encryption to protect sensitive
data at the boundary of the on-chip analytics engine is a way to address data
security issues. To cope with the combined workload of analytics and encryption
in a tight power envelope, we propose Fulmine, a System-on-Chip based on a
tightly-coupled multi-core cluster augmented with specialized blocks for
compute-intensive data processing and encryption functions, supporting software
programmability for regular computing tasks. The Fulmine SoC, fabricated in
65nm technology, consumes less than 20mW on average at 0.8V, achieving an
efficiency of up to 70pJ/B in encryption, 50pJ/px in convolution, or up to
25MIPS/mW in software. As a strong argument for real-life flexible application
of our platform, we show experimental results for three secure analytics use
cases: secure autonomous aerial surveillance with a state-of-the-art deep CNN
consuming 3.16pJ per equivalent RISC op; local CNN-based face detection with
secured remote recognition in 5.74pJ/op; and seizure detection with encrypted
data collection from EEG within 12.7pJ/op.
Comment: 15 pages, 12 figures, accepted for publication to the IEEE Transactions on Circuits and Systems - I: Regular Papers
SIR10US: A tightly coupled elliptic-curve cryptography co-processor for the OpenRISC
Today's embedded systems require resource-aware acceleration engines, which support advanced cryptographic algorithms such as elliptic-curve cryptography (ECC). The authors present an application-specific co-processor for digital signature verification according to the Elliptic Curve Digital Signature Algorithm (ECDSA) based on the NIST B-233 standard. A novel OpenRISC-ISA (instruction-set architecture) core featuring a high IPC rate and balanced pipeline stages has been developed to act as the main controlling unit of the accelerator. The redesigned OpenRISC core processes 67% more instructions per second than the reference architecture and ties in with a micro-controllable ECC datapath through a highly optimized interface. An ECDSA signature is verified in 11 ms, which is equal to a speedup of 15× and 3.3× with respect to a portable C implementation on the OpenRISC and an assembler-optimized implementation on an ARM7, respectively. Moreover, thanks to a tightly coupled data memory, the proposed co-processor does not block the OpenRISC during its ECC-specific operations, thereby enabling it to also support concurrent execution of other workloads and/or software-based cryptographic extension functions.
Leakage bounds for Gaussian side channels
In recent years, many leakage-resilient schemes have been published. These schemes guarantee security against side-channel attacks given bounded leakage of the underlying primitive. However, it is a challenging task to reliably determine these leakage bounds from physical properties. In this work, we present a novel approach to find reliable leakage bounds for side channels of cryptographic implementations when the input data complexity is limited, as it is in leakage-resilient schemes. By mapping results from communication theory to the side-channel domain, we show that the channel capacity is the natural upper bound on the mutual information (MI) that can be learned from multivariate side channels with Gaussian noise. This shows that the upper bound is determined by the device-specific signal-to-noise ratio (SNR). We further investigate the case in which attackers are capable of measuring the same side-channel leakage multiple times and performing signal averaging. Our results here indicate that the gain in SNR obtained from averaging is exponential in the number of points of interest that are used from the leakage traces. Based on this, we illustrate how the side-channel capacity gives a tool to compute the minimum attack complexity needed to learn a certain amount of information from side-channel leakage. We then show that our MI bounds match reality by evaluating the MI in multivariate Gaussian templates built from practical measurements on an ASIC. We finally use our model to show the security of the Keccak-f[400]-based authenticated encryption scheme ISAP on this ASIC against power analysis attacks.
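The capacity argument in the abstract above, worked through for the simplest case as an added example (this is not code from the paper, which treats the multivariate channel and derives its own averaging result; the scalar textbook model and all function names here are our own assumptions): for a scalar additive-Gaussian-noise channel, the mutual information between a secret-dependent input and one leakage sample is at most 0.5·log2(1+SNR) bits per trace, so an adversary who needs K bits about the key must observe at least K divided by that capacity distinct inputs. Averaging n repeated measurements of the same input divides the noise variance by n, which is the standard scalar result used here, not the paper's multivariate exponential gain. The block also estimates SNR from constructed template-style traces the way a practitioner would before plugging the number into the bound.

```python
import math
import random
import statistics


def gaussian_capacity_bits(snr):
    """Shannon capacity of a scalar AWGN channel in bits per channel use.

    For Gaussian noise this is an upper bound on the mutual information
    between any secret-dependent signal of that variance and one trace sample.
    """
    return 0.5 * math.log2(1.0 + snr)


def averaged_snr(snr, n_repeats):
    """SNR after averaging n_repeats independent measurements of the same input.

    Assumption (textbook scalar model): noise variance shrinks by 1/n_repeats,
    so the SNR grows linearly in the number of averaged traces.
    """
    return snr * n_repeats


def min_queries_for_bits(bits, snr, n_repeats=1):
    """Lower bound on the number of distinct inputs (trace classes) an attacker
    must observe to extract `bits` bits of secret, given the per-class SNR and
    how many times each input can be measured and averaged."""
    capacity = gaussian_capacity_bits(averaged_snr(snr, n_repeats))
    return math.ceil(bits / capacity)


def estimate_snr(traces):
    """Template-style SNR estimate from {input_value: [sample, ...]}.

    Signal variance is the variance of the per-class means, corrected for the
    residual noise that survives averaging n_repeats samples per class;
    noise variance is the mean within-class variance.
    """
    per_class = list(traces.values())
    n_repeats = len(per_class[0])
    means = [statistics.fmean(samples) for samples in per_class]
    noise_var = statistics.fmean(statistics.pvariance(s) for s in per_class)
    signal_var = statistics.pvariance(means) - noise_var / n_repeats
    return max(signal_var, 0.0) / noise_var


def simulate_traces(n_inputs, n_repeats, signal_var, noise_var, seed=1):
    """Constructed sample data (not real measurements): each input value gets a
    fixed Gaussian leakage level plus fresh Gaussian noise on every repeat."""
    rng = random.Random(seed)
    traces = {}
    for x in range(n_inputs):
        level = rng.gauss(0.0, math.sqrt(signal_var))
        traces[x] = [level + rng.gauss(0.0, math.sqrt(noise_var))
                     for _ in range(n_repeats)]
    return traces


if __name__ == "__main__":
    # Estimate the device SNR from constructed traces, then turn it into an
    # attack-complexity floor for recovering a 128-bit key.
    traces = simulate_traces(n_inputs=200, n_repeats=50, signal_var=1.0, noise_var=1.0)
    snr = estimate_snr(traces)
    print(f"estimated SNR      : {snr:.3f}")
    print(f"capacity per trace : {gaussian_capacity_bits(snr):.3f} bits")
    print(f"distinct inputs for 128 bits, no averaging : {min_queries_for_bits(128, snr)}")
    print(f"distinct inputs for 128 bits, 10x averaging: {min_queries_for_bits(128, snr, 10)}")
```

Because the bound is on distinct inputs rather than raw trace count, it is the quantity a leakage-resilient mode limits by design; averaging only helps the attacker up to the SNR the rekeying interval allows them to accumulate per input.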