Efficiency and agility: in secure hardware and in life! Nele - - PowerPoint PPT Presentation

Efficiency and agility: in secure hardware and in life!

Nele Mentens

KU Leuven, ESAT, imec-COSIC and ES&S nele.mentens@kuleuven.be

High-Tech Women, TU Darmstadt, March 4, 2020

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Secure hardware: Why? What? How?

Security in electronic sytems

low power/energy low cost high performance security

• Security is crucial in electronic systems that store, process or communicate

data that are personal or company-critical.

• Security mechanisms should have a minimal impact on

‐ the power/energy consumption, ‐ the performance, ‐ the cost

• f the electronic system.

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Examples of applications

low energy – pacemaker low cost – disposable medical sensors high performance – video conferencing low power – RFID access control

Different applications have different requirements:

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• For some applications, software running on a general-purpose processor is

sufficient to meet the requirements.

• But many important applications require the most demanding

computations, like cryptographic operations, to be done in hardware. performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor ASIC

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• For some applications, software running on a general-purpose processor is

sufficient to meet the requirements.

• But many important applications require the most demanding

computations, like cryptographic operations, to be done in hardware. performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor ASIC

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency – Goal #2: agility

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency – Goal #2: agility

Motivation

High-Tech Women, TU Darmstadt, March 4, 2020

Goal #1: Efficiency

Efficiency: Why? What? How?

High-Tech Women, TU Darmstadt, March 4, 2020

• Traditional technology research

concentrates on shrinking

Hardware technology

Goal #1: Efficiency

• Traditional technology research

concentrates on shrinking

• It is difficult to keep up the pace of

Moore’s law

– due to physical challenges, – due to the high cost for silicon manufacturing plants to move to the next process node.

… …

Hardware technology

Goal #1: Efficiency

• Traditional technology research

concentrates on shrinking

• It is difficult to keep up the pace of

Moore’s law

– due to physical challenges, – due to the high cost for silicon manufacturing plants to move to the next process node.

• Emerging technologies are proposed to

improve efficiency

… …

Hardware technology

Goal #1: Efficiency

• We currently concentrate on three emerging technologies:

– Ultra low-cost circuits on flexible plastic substrates – Ultra low-power/low-energy circuits in deep submicron technology

• 28 nm fully depleted silicon on insulator (FD-SOI) technology

– Ultra high-performance network intrusion detection on FPGA

• 200 Gbps Xilinx Virtex UltraScale+ FPGA platforms using 16 nm FinFET technology

low energy low cost high performance low power

Research focus

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

• We currently concentrate on three emerging technologies:

– Ultra low-cost circuits on flexible plastic substrates – Ultra low-power/low-energy circuits in deep submicron technology

• 28 nm fully depleted silicon on insulator (FD-SOI) technology

– Ultra high-performance network intrusion detection on FPGA

• 200 Gbps Xilinx Virtex UltraScale+ FPGA platforms using 16 nm FinFET technology
• Research question: how do cryptographic circuits behave in

these emerging technologies?

– with respect to performance, power/energy consumption, and cost – with respect to security threats

Research focus

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

• We currently concentrate on three emerging technologies:

– Ultra low-cost circuits on flexible plastic substrates – Ultra low-power/low-energy circuits in deep submicron technology

• 28 nm fully depleted silicon on insulator (FD-SOI) technology

– Ultra high-performance network intrusion detection on FPGA

• 200 Gbps Xilinx Virtex UltraScale+ FPGA platforms using 16 nm FinFET technology
• Research question: how do cryptographic circuits behave in

these emerging technologies?

– with respect to performance, power/energy consumption, and cost – with respect to security threats

Research focus

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Displays

• Widespread commercial use in flexible displays
• Millions of thin-film transistors controlling the pixels

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Digital circuits

• Large potential for

flexible digital circuits in (passive) RFID/NFC chips, integrated in paper or plastics

• Examples:

– Flexible labels – Intelligent packages – Smart blisters – Electronic medical patches

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Digital circuits

• Circuits that have

already been fabricated:

– NFC transponder – 8-bit microprocessor with limited instruction set

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Transistor technology – comparison with silicon

silicon (10 nm) plastics (5 µm) Core supply voltage 0.7 V 5-10 V Charge carrier mobility 500-1500 cm2/Vs 2-20 cm2/Vs Transistor density ~ 45 mio per mm2 103-104 per cm2 Semiconductor type n-type and p-type

• nly n-type

Cost per 1000 transistors > 0.3 USD > 0.01 USD Flexible? no yes Higher power consumption Lower performance Larger area Unipolar logic Lower cost Bendable, stretchable

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Non-volatile memory technology

• We need non-volatile memory to store values, such

as cryptographic keys, after fabrication

• On plastic substrates, electrically readable/writable

memory (e.g. flash) does not exist

• Two one-time programmable storage mechanisms

are used:

– Additive method: connect wires with conductive ink – Modificative method: cut wires with a laser

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Security challenge

• To secure the

communication between the flexible tag and the reader, many hurdles need to be overcome

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Security challenge

• To secure the

communication between the flexible tag and the reader, many hurdles need to be overcome

• We concentrate on two challenges:

– First challenge: integrate working crypto cores in the flexible chip

• #transistors in crypto cores > #transistors in flexible chips reported up to now
• #transistors   reliability 

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Security challenge

• To secure the

communication between the flexible tag and the reader, many hurdles need to be overcome

• We concentrate on two challenges:

– First challenge: integrate working crypto cores in the flexible chip

• #transistors in crypto cores > #transistors in flexible chips reported up to now
• #transistors   reliability 

– Second challenge: prevent the key bits from being read out

• The chips are not packaged and the features are relatively large
• The available non-volatile memory technology allows the key bits to be read
• ut easily under a microscope

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

First challenge: crypto core on plastics

• 4044 TFTs
• 331.5 mm2

 48 pads for I/O, VDD, Vbias and GND

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

First challenge: crypto core on plastics

level shifters probe card FPGA chip

Goal #1: Efficiency

Flexible electronics on plastics

Security challenge

• To secure the

communication between the flexible tag and the reader, many hurdles need to be overcome

• We concentrate on two challenges:

– First challenge: integrate working crypto cores in the flexible chip

• #transistors in crypto cores > #transistors in flexible chips reported up to now
• #transistors   reliability 

– Second challenge: prevent the key bits from being read out

• The chips are not packaged and the features are relatively large
• The available non-volatile memory technology allows the key bits to be read
• ut easily under a microscope

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Unprotected key programming

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Unprotected key programming

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Unprotected key programming

PROBLEM: The key bits can easily be read out using a microscope

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Proposed new concept

• We need to add components that we can make conductive or non-conductive

in a visually indistinguishable way

• The conductive or non-conductive nature needs to be non-volatile

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Proposed new concept

• We need to add components that we can make conductive or non-conductive

in a visually indistinguishable way

• The conductive or non-conductive nature needs to be non-volatile
• We propose a novel concept that permanently changes the mode of a

transistor through lasering

transistors

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Proposed new concept

The temperature change caused by lasering, shifts the threshold voltage (VT) and thus the Id - Vg graph With a fixed input voltage (Vneg), the TFT switches from off to on

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Second challenge: key hiding

Experimental validation

Apply different settings of the laser to cause different VT shifts that cannot be visually distinguished:

• Setting 1 (top image):

attenuation of 45 dB in low energy mode; one pulse applied  TFT on

• Setting 2 (bottom image):

attenuation of 35 dB in low energy mode; two pulses applied  TFT off

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Flexible electronics on plastics

Security challenge

• To secure the

communication between the flexible tag and the reader, many hurdles need to be overcome

• We concentrate on two challenges:

– First challenge: integrate working crypto cores in the flexible chip

• #transistors in crypto cores > #transistors in flexible chips reported up to now
• #transistors   reliability 

– Second challenge: prevent the key bits from being read out

• The chips are not packaged and the features are relatively large
• The available non-volatile memory technology allows the key bits to be read
• ut easily under a microscope

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

• The first cryptographic core on

flex foil [1]

• A solution for the “invisible”

programming of the key bits [1]

[1] N. Mentens, J. Genoe, T. Vandenabeele, L. Verschueren, D. Smets, W. Dehaene, and K. Myny, Security on Plastics: Fake or Real?, CHES 2019.

Flexible electronics on plastics

Results

Goal #1: Efficiency

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency – Goal #2: agility

High-Tech Women, TU Darmstadt, March 4, 2020

Goal #2: Agility

Agility: Why? What? How?

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic agility = the ability of cryptographic hardware or software to be updated depending on

• newly detected vulnerabilities,
• new standards.

What is cryptographic agility?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

The need for cryptographic agility

Theoretical cryptanalysis

DES A5/1 MD5 SHA1 RC4

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

The need for cryptographic agility

Theoretical cryptanalysis

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020 A5/1 SHA1 MD5 RC4 DES

The need for cryptographic agility

New standards

A5/1 SHA1

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020 MD5 RC4 DES

Rijndael, 1998  AES, 2001 (NIST FIPS 197) PRESENT, 2007 CLEFIA, 2007 Keccak, 2009  SHA-3, 2015 (NIST FIPS 202) NIST Lightweight Cryptography Standardization:

• ngoing competition

NIST Post-quantum Cryptography Standardization:

• ngoing competition

Lightweight crypto, 2012 (ISO/IEC 29192-2)

The need for cryptographic agility

Physical cryptanalysis

Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 FA Boneh et al. EUROCRYPT‘97 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 Optical FA Skorobogatov et al. CHES‘02 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Exploiting algebra Coron CHES’99 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 Optical FA Skorobogatov et al. CHES‘02 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Random delays Coron et al. CHES’09 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Random delays Coron et al. CHES’09 Leakage-resilient crypto Pietrzak EUROCRYPT’09 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Horizontal CPA Clavier eprint‘10 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Random delays Coron et al. CHES’09 Leakage-resilient crypto Pietrzak EUROCRYPT’09 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Horizontal CPA Clavier eprint‘10 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Random delays Coron et al. CHES’09 Leakage-resilient crypto Pietrzak EUROCRYPT’09 ML-based SCA Hospodar et al. JCEN’11 Goal #2: Agility

The need for cryptographic agility

Physical cryptanalysis

TA Kocher CRYPTO‘96 DPA Kocher et al. CRYPTO‘99 HO-DPA Chari et al. – Messerges CRYPTO’99 – CHES’00 EMA Gandolfi et al. – Quisquater et al. CHES’01 – E-Smart’01 FA Boneh et al. EUROCRYPT‘97 DFA Biham et al. CRYPTO‘97 Template attacks Chari et al. CHES‘02 CPA Brier et al. CHES‘04 Optical FA Skorobogatov et al. CHES‘02 TI Nikova et al. ICICS‘06 Boolean masking Chari et al. – Goubin et al. CRYPTO’99 – CHES’99 Gate-level masking Ishai et al. CRYPTO’03 Exploiting algebra Coron CHES’99 DPA glitches Mangard et al. CT-RSA‘05 Horizontal CPA Clavier eprint‘10 Dynamic reconfiguration Mentens et al. CHES’08 SABL Tiri et al. ESSCIRC’02 Random delays Coron et al. CHES’09 Leakage-resilient crypto Pietrzak EUROCRYPT’09 ML-based SCA Hospodar et al. JCEN’11 Changing of the guards Daemen CHES’17 Goal #2: Agility

performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor

How to achieve crypto agility?

ASIC

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor

programmability/productivity

Low High

How to achieve crypto agility?

ASIC

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor

programmability/productivity

Low High

Research question: how can we achieve maximal performance, minimal power/energy consumption and minimal cost in combination with a high level of programmability/productivity?

How to achieve crypto agility?

ASIC configurable hardware (e.g. FPGA) ASIC

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Enabling cryptographic agility

Implementation platforms

performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor

programmability/productivity

Low High

Best option for cryptographic agility?

ASIC

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Enabling cryptographic agility

Implementation platforms

performance

High Low

cost (for large volumes)

Low High

power/energy consumption

Low High configurable hardware (e.g. FPGA) domain-specific processor (e.g. DSP) general- purpose processor

programmability/productivity

Low High ASIC

Best option for cryptographic agility? Are there better solutions?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Efficient cryptographic agility

What do we actually want?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

• 1. Be lazy, why work if we can

(re-)use the efforts of others

– No new design tools  rely on the decades of experience of EDA companies

Efficient cryptographic agility

What do we actually want?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

• 1. Be lazy, why work if we can

(re-)use the efforts of others

– No new design tools  rely on the decades of experience of EDA companies

• 2. Maximize productivity

– No new design languages/input  use VHDL, Verilog, HLS

Efficient cryptographic agility

What do we actually want?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

• 1. Be lazy, why work if we can

(re-)use the efforts of others

– No new design tools  rely on the decades of experience of EDA companies

• 2. Maximize productivity

– No new design languages/input  use VHDL, Verilog, HLS

• 3. Optimize efficiency

– Performance  – Power/energy consumption  – Cost 

Efficient cryptographic agility

What do we actually want?

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

synthesis mapping + place & route design entry schematic, HDL, HLS,… netlist physical layout bitstream generation bitstream FPGA configuration

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Efficient cryptographic agility

Traditional FPGA

Efficient cryptographic agility

Our approach

synthesis mapping + place & route design entry schematic, HDL, HLS,… netlist physical layout bitstream generation bitstream FPGA configuration RE-USE

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

• Fine-grained reconfigurable architecture
• Matrix of configurable Full Adder (cFA) cells

Efficient cryptographic agility

Our approach

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Results after synthesis and mapping

• TI = threshold implementation
• SLICEL / SLICEM / cFA: number of Xilinx slices / cFa slices
• area (µm2) and critical path (ns): based on re-implemented Xilinx slices / cFA slices in NanGate 45nm technology
• conf: number of configuration bits

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Results after synthesis and mapping

• TI = threshold implementation
• SLICEL / SLICEM / cFA: number of Xilinx slices / cFa slices
• area (µm2) and critical path (ns): based on re-implemented Xilinx slices / cFA slices in NanGate 45nm technology
• conf: number of configuration bits

3x – 9x area decrease

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Results after synthesis and mapping

• TI = threshold implementation
• SLICEL / SLICEM / cFA: number of Xilinx slices / cFa slices
• area (µm2) and critical path (ns): based on re-implemented Xilinx slices / cFA slices in NanGate 45nm technology
• conf: number of configuration bits

similar speed

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Results after synthesis and mapping

• TI = threshold implementation
• SLICEL / SLICEM / cFA: number of Xilinx slices / cFa slices
• area (µm2) and critical path (ns): based on re-implemented Xilinx slices / cFA slices in NanGate 45nm technology
• conf: number of configuration bits

3x – 9x configuration memory decrease

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

Target application platforms

• Embedded FPGAs (eFPGAs)

– Configurable logic integrated in ASICs – Growing market (QuickLogic, Achronix, Flex Logix, Menta)

• Dedicated configurable crypto tiles in

existing FPGAs

– Following the trend of adding dedicated features such as BRAM, DSP slices, microprocessors, fast carry chains,…

Goal #2: Agility

High-Tech Women, TU Darmstadt, March 4, 2020

synthesis mapping + place & route design entry schematic, HDL, HLS,… netlist physical layout RE-USE

Fine-grained configurable architecture + tool flow [2,3]

LIACS, October 9, 2019

[2]

• N. Mentens, E. Charbon, and F. Regazzoni,

Rethinking Secure FPGAs: Towards a Cryptography-friendly Configurable Cell Architecture and its Automated Design Flow, FCCM 2018. [3]

• N. Mentens, E. Charbon, and F. Regazzoni,

Reconfigurable Logic Circuit, Patent Application No. PCT/EP2018/081673. Goal #2: Agility

Efficient cryptographic agility

Results

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency – Goal #2: agility

High-Tech Women, TU Darmstadt, March 4, 2020

Cryptographic hardware

• In this presentation, two important goals in

cryptographic hardware design are addressed.

– Goal #1: efficiency – Goal #2: agility

life

High-Tech Women, TU Darmstadt, March 4, 2020

What is important to me in life?

In alphabetical order:

• Family
• Friends
• Sleep
• Sports
• Time for myself
• Work

High-Tech Women, TU Darmstadt, March 4, 2020

Finding the balance

Finding the (continuously moving) balance:

• Setting priorities = making choices

– External help (cleaning, taking care of kids) – Combination with partner’s job

• Letting go of perfectionism

– Impossible to be the perfect mom and the perfect wife in perfect shape in a perfectly clean house with perfectly raised kids and an outstanding career

High-Tech Women, TU Darmstadt, March 4, 2020

Finding the balance

Finding the (continuously moving) balance:

• Keeping a good energy level

– Sports, sleep

• Finding good combinations

– Sports + friends – Sports + family – Travel (work) + time for myself + sleep – Work + friends – Bad combination: work + kids

High-Tech Women, TU Darmstadt, March 4, 2020

Work-life balance = juggling glass and rubber balls

[Bryan Dyson, former CEO of Coca-Cola]

If you drop the rubber ball, it will bounce back. If you drop one of the glass balls, it will be damaged, or even shattered, and will never be the same as it was before.

High-Tech Women, TU Darmstadt, March 4, 2020