design automation for cryptography
play

Design Automation for Cryptography Anupam Chattopadhyay Assistant - PowerPoint PPT Presentation

Apr 20, 2023 •395 likes •669 views

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer Science and Engineering School of Physical and Mathematical Sciences, Nanyang Technological University June 7, 2017 Motivation Security not a

  1. Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer Science and Engineering School of Physical and Mathematical Sciences, Nanyang Technological University June 7, 2017

  2. Motivation • Security not a feature but a design metric • Crytography is highly dynamic Custom cryptanalysis ] Cryptanalysis Lightweight cryptography ▪ Timeline of cryptgraphic competitions 24 PHC 15 AES eSTREAM 35 42 NESSIE All proposals SHA-3 59 attacked ! CRYPTEC 58 CAESAR 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 Year Block ciphers Stream ciphers Hash functions AE

  3. Motivation • Design metrics • Security kerenels developer has a huge design space Variety of constraints Variety of target platforms Area footprint, power GPPs, DSP, GPUs, utilization, latency, operating ASICs, ASIPs, FPGAs, frequency, cost, ... CPLDs, Microcontrollers, ... Architectural customization Variety of requirements Wordsize, instruction set, Throughput, security, thermal Memory, microarchitectural limitations, distribution, scalability, flexibility, ... template, Interfaces, ...

  4. Contents  • Custom Optimization Examples • Domain-specific High Level Synthesis • Fault-resistant Design by Physical Synthesis

  5. HC-128: Parallelization by State Splitting • P and Q has 512 words of 32-bit • 5 reads, 1 write P 0 Q 0 Design1 Update P & Design2 : Even P 0 P 1 Q 0 Q 1 Key Gen. odd splitting P 0 P 1 P 2 P 3 Q 0 Q 1 Q 2 Q 3 Design3 : 4-way splitting A. Khalid, et al. One Word/Cycle HC-128 Accelerator via State-Splitting Optimization, in INDOCRYPT 2014

  6. HC-128: Parallelization by State Splitting Pipeline for Design3 Faraday 65m Standard Cell library, typical case

  7. AES: Technology Mapping • The AES MixColumns: matrix multiplication operation of the AES state byte matrix by a constant matrix given by • The smallest circuit in literature requires 108 XOR gates to implement this. • This function is four instances of the following equation over :  41 LUTs using the LUT6 FPGA technology. • Instead, we view the operation as a Boolean function rather than over and we optimize it towards an implementation of 36 LUTs . • Inverse MixColumns similarly can be reduced from 72 to 60 LUTs . Joint work with Mustafa Khairallah and Thomas Peyrin, unpublished

  8. FPGA-Aware Pipelining FPGA-aware Partitioning Logic-aware Partitioning Joint work with Mustafa Khairallah and Thomas Peyrin, unpublished

  9. High-Level Synthesis • Focuses on algorithm to RTL flow × Dependent on user proficiency, varies widely from tool to tool × Unaware of technology platforms × Hard to reuse design knowledge × Storage allocation optimizations missing Domain-specialization?

  10. Berkeley Dwarfs for Parallel Computing [1] How apps relate to 13 dwarfs (Red Hot  Blue Cool) • ed es C am b C E m B L P P Health Image Speech Music Brows G M D H E S 1Finite State Mach. 2Combinational 3Graph Traversal 4Structured Grid 5Dense Matrix 6Sparse Matrix 7Spectral (FFT) 8Dynamic Prog 9N-Body 10MapReduce 11Backtrack/ B&B 12Graphical Models 13Unstructured Grid [1] The Landscape of Parallel Computing Research: A View from Berkeley, by K. Asanovic et al , Technical Report, 2006

  11. SoC Processing Elements GPP DSP Log P O W E R D I S S I P A T I O N ASIP Log F L E X I B I L I T Y FPGA Programmable 10 5 . . . 10 6 Configurable Log P E R F O R M A N C E 10 3 . . . 10 4 Source: T. Noll, RWTH Aachen

  12. Domain-specific High Level Synthesis: Lessons from Wireless Communication IP

  13. Contents • Custom Optimization Examples •  Domain-specific High Level Synthesis • Fault-resistant Design by Physical Synthesis

  14. CRYKET: Overview • CRYKET (Cryptographic Kernels Toolkit): Domain specific HLS – Language independent GUI based design capture – Domain specific expertise, well understood kernels Algorithmic Architectural Test CRYKET CRYKET Specifications Specifications Vectors Library Synth Test Verilog ANSI C Verification Scripts Bench RTL Model Model Logic RTL System Software System Synthesis Simulation Simulation Integration Validation A. Khalid, et al. RAPID-FeinSPN: A Rapid Prototyping Framework for Feistel and SPN-Based Block Ciphers. ICISS 2013

  15. RunFein: Feistel and SPN Block Cipher ▪ Block/key/word sizes, rounds, mode of operation, test vectors ▪ Layers of operation: S/P-Box, Bitwise/ Arithmetic/Boolean/ Field operations, compound popular cipher operations Key Key Plaintext Plaintext L Data R Data Key Register Data Register Key Register K i layer 0 Rearrange layer 0 Key Update K i layer 1 Key Update layer 1 ... S 1 S 2 S n S 1 layer 2 S 2 ... S n layer 2 Rearrange layer 3 layer 3 GF Mul P-Box layer 4 Feistel Network cipher SPN Cipher A. Khalid, et al. RunFein: A Rapid Prototyping Framework for Feistel and SPN Based Block Ciphers, JCEN 2016

  16. RunFein: Fast Design Space Exploration Plaintext Plaintext Plaintext Plaintext Data Register Round 1a Data Register Data Register Data Register Round 1 Round 1 Data Register Round 1 Round 1b Data Register Round 2 Loop folded ... ... No Unrolling Data Register Round N Round N Round 1c Bit slicing N times unrolled N times unrolled Sub-pipelined round with pipelining A. Khalid, et al. RunFein: A Rapid Prototyping Framework for Feistel and SPN Based Block Ciphers, JCEN 2016

  17. RunFein: GUI

  18. RunFein Cipher Design Capture GUI PRESENT-80/ 128, AES-128, Algorithmic parameters KLEIN-64/ 80/ 96, Known Enter Y Known (basic, round layers and configuration LED-64/128, SEA. Cipher? configurations kround layers) N TEA, XTEA, XXTEA, .... Microarchitecture Testvectors (.xml) Validate? Load configuration Fail Pass Cipher Model creation after validation of layers d_state k_state update Layer 0 Layer 0 Layer 1 Layer 1 ... ... Kernel library, Controller state Validation checks Layer n Layer m Controller Datapath ANSI C Algorithmic Hardware Software Implementation, HDL for Controller Generate Verification environment, and Datapath, Profiling switches, Testbench, Nodes library Synthesis Scripts (.c, .h, scripts) (.v, .h, scripts) RTL/ gate level Simulation, Testvectors Verification, Synthesis, Throughput Profiling, Switching Power estimation NIST test Suite

  19. RunFein: PRESENT-80 Bitslicing Faraday 65m Standard Cell library, typical case, Operating frequency 100 KHz Faraday 65m Standard Cell library, typical case, Synopsys Design Compiler F-2011.09

  20. RunStream: Analysis and Results Better A. Khalid, et al. RunStream: A High-level Rapid Prototyping Framework for Stream Ciphers. In ACM TECS, 2016

  21. Contents • Custom Optimization Examples • Domain-specific High Level Synthesis •  Fault-resistant Design by Physical Synthesis

  22. Preventing Differential Fault Analysis Attack • Attacker assumptions – Ability to induce fault at a given time ( 𝑈 ) and space ( 𝑇 ) precision – Ability to infer/solve a system of equations based on the observed faulty ( 𝐷𝑈 ∗ ) and correct ( 𝐷𝑈 ) ciphertext • Prevention – Redundancy, Concurrent Error Detection – Attack-specific mounted sensor

  23. DFARPA: Differential Fault Attack Resistant Physical Design Automation • Exemplary Fault Attack on AES 1 – Multi-byte fault attack model D0 D1 D2 D3 – Fault is induced in at least one of the four D3 D0 D1 D2 diagonals in the AES state D2 D3 D0 D1 D1 D2 D3 D0 • Solution: Generate floorplan for the 16 blocks, so that the fault become un-exploitable in presence of the fault cluster of radius 𝑠 units – Place the blocks(elements) of each diagonal at least 𝑠 units distance – Formulated as a constrained placement problem 1. D. Saha, D. Mukhopadhyay, and D. RoyChowdhury. A diagonal fault attack on the advanced encryption standard. Cryptology ePrint Archive, Report 2009/581, 2009. http://eprint.iacr.org/2009/581. Joint work with Debdeep Mukhopadhyay and Shivam Bhasin, unpublished

  24. DFARPA: Reactive Countermeasure • The sensor is composed of two key components – a watchdog ring oscillator (WRO) and a phase detection (PD) circuit. • High energy injections impact signal propagation delay, which disturbs the phase of WRO. This phase change is detected by the PD circuit to raise an alarm and halt sensitive computation. • 2 Metal layers are reserved for WRO routing Joint work with Debdeep Mukhopadhyay and Shivam Bhasin, unpublished

  25. Contents • Custom Optimization Examples • Domain-specific High Level Synthesis • Fault-resistant Design by Physical Synthesis 

  26. Conclusion and Outlook • Conclusion – Domain-specific HLS can push the design efficiency and productivity – Different phases of EDA can integrate cryptographic/cryptanalyst knowhow to improve • Outlook – Integrating (more) custom optimizations – Diverse technology/platform-specific constraints – Diverse cipher families – Integrating automated SCA and DFA protection

  27. Thank you! Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti

Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti

Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti ti MECH/MECA 440 B Senior Project Spring 2010 Final Design Presentation Tuesday, May 11 th , 2010 y, y , Design Team Members Design Team

522 views • 29 slides
EDA - Electronic Design Automation or Electronic Design Assistance? NSF Workshop Electronic

EDA - Electronic Design Automation or Electronic Design Assistance? NSF Workshop Electronic

EDA - Electronic Design Automation or Electronic Design Assistance? NSF Workshop Electronic Design Automation Past, Present, and Future Andreas Kuehlmann NSF Workshop, July 8 9 2009 The Past The Vision of the Silicon Compiler

250 views • 11 slides
Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE

Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE

From Electronic Design Automation to Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE Department National Taiwan University April 2019 Connected and Autonomous Vehicles A good application may need

616 views • 32 slides
VLSI Design Styles Basic Concepts in VLSI Physical Design Automation VLSI Design Cycle

VLSI Design Styles Basic Concepts in VLSI Physical Design Automation VLSI Design Cycle

VLSI Design Styles Basic Concepts in VLSI Physical Design Automation VLSI Design Cycle Large number of devices System Optimization requirements Specifications for high performance Time-to-market competition Cost Manual

789 views • 57 slides
VLSI Design Styles Basic Concepts in VLSI Physical Design Automation 1 VLSI Design Cycle

VLSI Design Styles Basic Concepts in VLSI Physical Design Automation 1 VLSI Design Cycle

VLSI Design Styles Basic Concepts in VLSI Physical Design Automation 1 VLSI Design Cycle Large number of devices System Optimization requirements Specifications for high performance Time-to-market competition Cost

559 views • 29 slides
Cyber-Physical System Design Automation: A Tale of Platforms and Contracts Pierluigi Nuzzo Ming

Cyber-Physical System Design Automation: A Tale of Platforms and Contracts Pierluigi Nuzzo Ming

From Electronic Design Automation to Cyber-Physical System Design Automation: A Tale of Platforms and Contracts Pierluigi Nuzzo Ming Hsieh Department of Electrical and Computer Engineering University of Southern California, Los Angeles

549 views • 21 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Sowmyan Rajagopalan, Founder & CTO Thalia Design Automation Bluetooth IP Migration &

Sowmyan Rajagopalan, Founder & CTO Thalia Design Automation Bluetooth IP Migration &

Sowmyan Rajagopalan, Founder & CTO Thalia Design Automation Bluetooth IP Migration & Leveraging FDSOI Back Gate Biasing feature December, 2019 | Analog IP Design Decision fork Design new IPs Build a portfolio of analog IPs

418 views • 17 slides
HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? } k } n } n { , { , { , It is a function E of parameters k and n that maps

329 views • 17 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Interleaving Cryptography and Mechanism Design The Case of Online Auctions Edith Elkind and

Interleaving Cryptography and Mechanism Design The Case of Online Auctions Edith Elkind and

Interleaving Cryptography and Mechanism Design The Case of Online Auctions Edith Elkind and Helger Lipmaa Princeton University and Helsinki University of Technology FC 2004, 03.12.2003 Interleaving Cryptography and Mechanism Design,

366 views • 20 slides
The Design of SNAP2 National ASIC Design Engineering Center, Institute of Automation, Chinese

The Design of SNAP2 National ASIC Design Engineering Center, Institute of Automation, Chinese

The Design of SNAP2 National ASIC Design Engineering Center, Institute of Automation, Chinese Academy of Sciences Presenter: Qiuxiang Fan Email: qiuxiang.fan@ia.ac.cn 1 Outline Introduction Powerful FPGA High-Speed Interface

591 views • 23 slides
Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK Confidential & Proprietary 1 About CLKDA q Leaders in Variance Analysis market, technology, expertise q FX is the first transistor

428 views • 14 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Constraint-driven Design - The Next Step Towards Analog Design Automation Invited Talk Gran

Constraint-driven Design - The Next Step Towards Analog Design Automation Invited Talk Gran

Constraint-driven Design - The Next Step Towards Analog Design Automation Invited Talk Gran Jerke Jens Lienig Robert Bosch GmbH, AE/EIM Dresden University of Technology, IFTE Reutlingen, Germany Dresden, Germany Email:

661 views • 35 slides
Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System Microprocessor used as a component in a device and is designed for a specific control function within a device Used In: Cell Phones

560 views • 31 slides
SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

Motivations Design of SPAE Security of the scheme Performances SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 , Sbastien Riou 2 1 Univ. Grenoble Alpes / Institut Fourier,

519 views • 27 slides
How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron Velasco 1 , Solymar Ayala Cortez 1 Olga Kosheleva 2 , and Vladik Kreinovich 3 1 Department of Geological Sciences 2 Department of Teacher Education 3

562 views • 23 slides
Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft Research Overview . 1 Overview Question : Is it possible to conduct network trace analyses in a way that provides strict formal differential

496 views • 20 slides
On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer ajudmayer@sba-research.org ajudmayer@auto.tuwien.ac.at On the security of security extensions for IP-based KNX networks 1 SBA Research P1.1: Risk Management

1.06k views • 51 slides
Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM Forschungslaboratorium R uschlikon, Switzerland 19 June 2001 1 MAFTIA A European project whose aim is to develop: Malicious- and Accidental-

366 views • 13 slides
Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018 andreas.seltenreich@credativ.de PGConf.EU 2018 1 / 32 Outline Motivation Testing Methodology Analysis of Bugs Uncovered Design Future Work

1.6k views • 37 slides
MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and Estimation in Dynamical Systems (FDE), a.a. 2019/2020, Lecture 2 A brief review of analysis of continuous-time linear dynamical systems Prof. Mauro

591 views • 48 slides

More recommend