good practices for designing cryptographic primitives in
play

Good Practices for Designing Cryptographic Primitives in Hardware - PowerPoint PPT Presentation

Jul 12, 2023 •216 likes •1.09k views

Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP Semiconductors miroslav.knezevic@nxp.com January 25, 2016 School on Design for a Secure IoT, Tenerife, 2016 THINGS Smart Plugs 3. January 28, 2016

  1. Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne ž evi ć NXP Semiconductors miroslav.knezevic@nxp.com January 25, 2016 School on Design for a Secure IoT, Tenerife, 2016

  2. THINGS

  3. Smart Plugs 3. January 28, 2016

  4. Smart Door Locks 4. January 28, 2016

  5. Smart Thermostats 5. January 28, 2016

  6. Smart Smoke Detectors 6. January 28, 2016

  7. Smart Light Bulbs 7. January 28, 2016

  8. Connected Cars 8. January 28, 2016

  9. WHY HARDWARE?

  10. …to run software, obviously! 10. January 28, 2016

  11. But software alone is… Slow Insecure Energy inefficient 11. January 28, 2016

  12. Super Powers of Embedded HW Performance Security* Power Area (Energy) * In the original slide deck Superman was held responsible for Security. During the coffee break, students suggested that Batman would be a better representative and I agree he is. So sorry, Mr. Kent! 13. January 28, 2016

  13. Area – Designing the Smallest Block Cipher 14. January 28, 2016

  14. MOSFET Channel Length V DD A A D G S 15. January 28, 2016

  15. NAND gate Smallest logical gate with two inputs. • GE (gate equivalence) = physical area • of a single NAND gate. (Ab)used for comparing HW designs • across different CMOS technologies. 16. January 28, 2016

  16. XOR gate 2-3 GE 17. January 28, 2016

  17. Modern Lightweight Ciphers < 1000 GE 18. January 28, 2016

  18. AES (128-bit key, ENC only) 2500 GE 19. January 28, 2016

  19. Advances in CMOS Technology 140 nm 40 nm 10 nm 20. January 28, 2016

  20. ARM Cortex M0 example (~20 kGE) CMOS CMOS 140 nm 40 nm 16.25 mm 21. January 28, 2016

  21. Block Cipher – HW Perspective Minimize! Key size ≥ 80 bits Round function + Memory Key schedule + Block size ≥ 32 bits Control logic 22. January 28, 2016

  22. KATAN – The Smallest Block Cipher 23. January 28, 2016

  23. KATAN – The Smallest Block Cipher Only 508 bits of expanded key! KATAN32 = 315 GE + 508 bits of ROM 24. January 28, 2016

  24. KATAN in numbers It’s (one of) the smallest known cipher(s): < 500 GE But it’s not very fast: 254 clock cycles Still scalable: 3 times faster for negligible area overhead 25. January 28, 2016

  25. KATAN vs Competition LED KATAN 180nm NXP140 Synopsys Cadence Piccolo ≥ 700 GE ≥ 460 GE 130nm PRESENT Synopsys UMC180 ≥ 700 GE IHP250 AMIS350 Synopsys ~1kGE KLEIN TSMC180 Synopsys ≥ 1.3 kGE SIMON SPECK IBM130 IBM130 Synopsys Synopsys ≥ 520 GE ≥ 580 GE 26. January 28, 2016

  26. Memory Elements in different CMOS Technologies AREA OF SCAN-FF [GE] 7.67 6.67 6.25 <5 NXP 90NM UMC 130NM UMC 180NM NANGATE 45NM 27. January 28, 2016

  27. SPONGENT in different CMOS Technologies up to 70% difference! AREA [GE] 2323 2071 2012 1950 1768 1728 1571 1367 1340 1329 1256 1192 1103 1060 918 868 759 738 737 521 VERSION 1 VERSION 2 VERSION 3 VERSION 4 VERSION 5 28. January 28, 2016

  28. How can we do a fair comparison? Difficult in practice. But why not using an open-core library at least? http://www.nangate.com/ 29. January 28, 2016

  29. Performance – Designing the Fastest Block Cipher 30. January 28, 2016

  30. Latency vs Throughput 12 Serial 9 3 processing 6 Latency = 15 s Throughput = 0.067 beer/s 31. January 28, 2016

  31. Latency vs Throughput 12 Parallel 9 3 processing! 6 Latency = 15 s Throughput = 0.2 beer/s 32. January 28, 2016

  32. Latency vs Throughput 12 9 3 Pipelining! 6 Latency = 15 s Throughput = 0.2 beer/s 33. January 28, 2016

  33. Latency vs Throughput 12 9 3 Unrolling! 6 bottom-up! Latency = 5 s Throughput = 0.2 beer/s 34. January 28, 2016

  34. Latency of Existing Ciphers – Is Lightweight = “Light + Wait”? BLOCK-SIZE KEY-SIZE S-BOX P-LAYER K-SCHEDULE AES 128 128 8 MDS LIGHT NOEKEON 128 128 4 BINARY NO MINI-AES 64 64 4 MDS LIGHT 64 64, 96, 128 4 BINARY LIGHT MCRYPTON BIT PRESENT 64 80, 128 4 LIGHT PERMUTATION KLEIN 64 64, 80, 96 4 MDS LIGHT LED 64 64, 128 4 MDS NO 35. January 28, 2016

  35. Unrolled HW Architectures 36. January 28, 2016

  36. Results – Latency (CMOS 90 nm) 37. January 28, 2016 17.8 20.2 15.3 16.4 20.3 21.4 25.3 26.4 31.2 32.8 46.6 LATENCY [NS] 48.2 1-cycle 9.8 10.8 2-cycle 9.8 10.8 9.8 11 9.9 12 14.8 17 15.5 17.4 14.8 16.4 14.7 16.6

  37. Number of Rounds vs Key Size 38. January 28, 2016

  38. Results – Area (CMOS 90 nm) 39. January 28, 2016 366.6 191.8 48.2 24.9 63.7 32.6 79.9 41.3 128.7 63.5 193.1 96 AREA [KGE] 1-cycle 41.3 20.9 2-cycle 40.4 21.1 41.4 21 40 22 102.5 49.6 49.5 27.1 72.3 37.6 73.8 37.1

  39. Low Latency Encryption S-box Use small S-boxes (e.g. 5-bit, 4-bit, 3-bit) • Almost everything follows the normal distribution. So does the S-box! • choose me! slide credit: Gregor Leander 40. January 28, 2016

  40. Low Latency Encryption Number of Rounds vs Round Complexity Not too low complexity. • Reduce the number of rounds at the cost of (slightly) heavier round. • 41. January 28, 2016

  41. Low Latency Encryption Key Schedule Number of rounds should be independent of the key schedule. • Use constant addition instead of a key schedule (if possible). • 42. January 28, 2016

  42. Low Latency Encryption Encryption vs Decryption Use involution where possible: 𝑔 𝑔 𝑦 = 𝑦. • Make Encryption and Decryption procedures similar. • BUT: think application oriented – sometimes it is beneficial to have • asymmetric constructions. 43. January 28, 2016

  43. Low Latency Encryption Meet PRINCE 𝛽 -reflection property: 44. January 28, 2016

  44. Low Latency Encryption Meet PRINCE LATENCY [NS] 46.6 31.2 25.3 20.3 17.8 15.3 15.5 14.8 14.8 14.7 9.8 9.8 9.8 9.9 8 45. January 28, 2016

  45. Low Latency Encryption Meet PRINCE AREA [KGE] 366.6 193.1 128.7 102.5 79.9 73.8 72.3 63.7 49.5 48.2 41.4 41.3 40.4 40 17 46. January 28, 2016

  46. Power/Energy – Future of Lightweight Crypto 47. January 28, 2016

  47. History of Lightweight Crypto (Area) Lightweight Block Ciphers 3500 3000 2500 AREA (GE) AES DES 2000 1500 1000 PRESENT 500 KATAN 0 1970 1980 1990 2000 2010 2020 YEAR 48. January 28, 2016

  48. History of Lightweight Crypto (Latency) Lightweight Block Ciphers 10000 LATENCY (# CLOCK CYCLES) 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 49. January 28, 2016

  49. History of Lightweight Crypto (Energy*) Lightweight Block Ciphers 100000000 10000000 1000000 100000 10000 AREA * LATENCY 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 50. January 28, 2016

  50. Future of Lightweight Crypto (Energy*) Lightweight Block Ciphers 100000000 10000000 1000000 100000 10000 AREA * LATENCY PRINCE Future of LWC 1000 100 10 1 1970 1980 1990 2000 2010 2020 YEAR 51. January 28, 2016

  51. = Energy 52. January 28, 2016

  52. = Power 53. January 28, 2016

  53. Passive RFID: Low Power Applications Reader RFID tag CONTROL NETWORK RF RF MEMORY INTERFACE CRYPTO 54. January 28, 2016

  54. Anything Battery Powered: Low Energy Applications 55. January 28, 2016

  55. Every mW matters! Total number of mobile devices in 2015 = 9.5 billion* Average (regular) power consumption of a smartphone = 160 mW** Total energy spent = € 2.8 billion*** a year! * Mobile Statistics Report 2015-2019, The Radicati Group Inc. ** An Analysis of Power Consumption in a Smartphone, A Carroll, G Heiser, USENIX 2010. *** average electricity price in 2014 in EU was € 0.208 per kWh. 56. January 28, 2016

  56. Cisco estimates… … 50 billion* connected devices by 2020 * http://www.cisco.com/web/solutions/trends/iot/portfolio.html 57. January 28, 2016

  57. Intel says… … 200 billion* smart devices by 2020 * http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html 58. January 28, 2016

  58. Moving Bits vs Moving People & Things * http://www.tech-pundit.com/wp-content/uploads/2013/07/Cloud_Begins_With_Coal.pdf 59. January 28, 2016

  59. World’s ICT Energy Consumption The ICT ecosystem uses about 1500 TWh of electricity annually and approaches 10% of world electricity generation! * http://www.tech-pundit.com/wp-content/uploads/2013/07/Cloud_Begins_With_Coal.pdf 60. January 28, 2016

  60. What can Crypto do about it? Become Lightweight Crypto! 61. January 28, 2016

  61. Power Consumption in (Crypto) HW 𝑄 𝑢𝑝𝑢 = 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜𝑕 + 𝑄 𝑚𝑓𝑏𝑙𝑏𝑕𝑓 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜𝑕 ≫ 𝑄 𝑚𝑓𝑏𝑙𝑏𝑕𝑓 2 ∙ 𝑔 𝑄 𝑡𝑥𝑗𝑢𝑑ℎ𝑗𝑜𝑕 ≈ 𝐷 𝑓𝑔𝑔 ∙ 𝑊 𝑑𝑚𝑙 ∙ 𝑡𝑥 𝐸𝐸 62. January 28, 2016

  62. Energy Consumption in (Crypto) HW 𝐹 = 𝑄 ∙ 𝑢 = 𝑄 ∙ 𝑂 𝑔 𝑑𝑚𝑙 2 ∙ 𝑂 ∙ 𝑡𝑥 𝐹 ≈ 𝐷 𝑓𝑔𝑔 ∙ 𝑊 𝐸𝐸 63. January 28, 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness Extractors Story So Far Basic primitives for secure communication: Shared-Key Public-Key SKE PKE Encryption MAC

498 views • 17 slides
Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL Research University, Paris, France ECRYPT-NET Summer School, Crete, Greece 12 th October 2017 R azvan Ros ie Key-Robustness for Cryptographic

949 views • 48 slides
Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

779 views • 47 slides
Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s Brand ao Joint work with: Apostol Vassilev, Nicky Mouha, Michael Davidson The red dancing devil is from clker.com/clipart-13643.html National

2.04k views • 175 slides
Toward Criteria for Standardization of Multi-Party Threshold Schemes for Cryptographic Primitives

Toward Criteria for Standardization of Multi-Party Threshold Schemes for Cryptographic Primitives

Toward Criteria for Standardization of Multi-Party Threshold Schemes for Cryptographic Primitives Lus T. A. N. Brando* Cryptographic Technology Group National Institute of Standards and Technology (Gaithersburg, USA) Presentation on August

828 views • 63 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Pascal Lafourcade November 6, 2012

624 views • 44 slides
On the Bit Security of Cryptographic Primitives M E T R A S 7 . 7 M Daniele Micciancio

On the Bit Security of Cryptographic Primitives M E T R A S 7 . 7 M Daniele Micciancio

On the Bit Security of Cryptographic Primitives M E T R A S 7 . 7 M Daniele Micciancio Michael Walter UCSD IST Austria eprint.iacr.org/2018/077 Security Security Adversary Game 1 Security Security Adversary Game

883 views • 40 slides
Fast Cryptographic Primitives &amp; Circular-Secure Encryption Based on Hard Learning Problems

Fast Cryptographic Primitives &amp; Circular-Secure Encryption Based on Hard Learning Problems

Fast Cryptographic Primitives &amp; Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA CRYPTO 2009 Learning Noisy Linear

352 views • 33 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive &amp; Secure Computing Systems Lab Department of Electrical &amp; Computer Engineering Boston

964 views • 48 slides
NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES ric Brier Houda Ferradi Marc Joye David

NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES ric Brier Houda Ferradi Marc Joye David

Innovation Centre NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES ric Brier Houda Ferradi Marc Joye David Naccache NutMiC 2019 Paris, June 2427, 2019 THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (1) The oldest and most known

592 views • 28 slides
Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception

YouthMetre - Training Materials Good Practices An Introduction Presentation Module 3 Good Practices and Youth perception Today, the sharing of practices is one of the first things to be carried out in a knowledge management initiative. The

213 views • 8 slides
Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of

Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of

Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of Mathematics at St. Petersburg 3.10.2009 1 / 12 Basic definitions Notation B n , m = { f : B n B m } , where B = { 0 , 1 } . 2 / 12 Basic

605 views • 39 slides
Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All Together The Bitcoin System The First Primitive Data Structure Reference Reference Header Header Header Transactions Transactions

1k views • 57 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Week 1- Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week 1- Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week 1- Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 14 Course overview 2 / 14 What are we interested in? 3 / 14 What are we interested in? Software Controllers Code that

219 views • 21 slides
Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal

Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal

Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal (bibhas.ghoshal@gmail.com), Subhadip Kundu (dip224@gmail.com) This tutorial guides you to set up your design libraries for both VLSI Design and

270 views • 4 slides
Dr. Hans-Georg Eer http://ohm.hgesser.de/ v1.0, 10/06/2013 Hans-Georg Eer, TH Nuremberg

Dr. Hans-Georg Eer http://ohm.hgesser.de/ v1.0, 10/06/2013 Hans-Georg Eer, TH Nuremberg

e t t r r i i e e b e m m - - Slide set 2: b s s s s y y s s t t e B. e B. Crash courses C / bash n t t w u n m i i t t w i i c c k k l l u n G E. E. n G m for self-study e r r a a t t e a m m m m i i n P r r O L. i i t t e

1.12k views • 75 slides
http://cs246.stanford.edu Would like to do prediction: estimate a function f(x) so that y = f(x)

http://cs246.stanford.edu Would like to do prediction: estimate a function f(x) so that y = f(x)

Note to other teachers and users of these slides: We would be delighted if you found our material useful for giving your own lectures. Feel free to use these slides verbatim, or to modify them to fit your own needs. If you make use of a

963 views • 52 slides
FMCAD 2009 EDA Vendors Panel Kevin Harer Principal Engineer and R&amp;D Manager Magellan

FMCAD 2009 EDA Vendors Panel Kevin Harer Principal Engineer and R&amp;D Manager Magellan

FMCAD 2009 EDA Vendors Panel Kevin Harer Principal Engineer and R&amp;D Manager Magellan R&amp;D, Synopsys 1 Topics Our customers most pressing problems Translation of problems into research agenda Uninspiring research topics

298 views • 5 slides
Speech Processing 15-492/18-492 Speech Synthesis Waveform generation 2 Speech Synthesis Text

Speech Processing 15-492/18-492 Speech Synthesis Waveform generation 2 Speech Synthesis Text

Speech Processing 15-492/18-492 Speech Synthesis Waveform generation 2 Speech Synthesis Text Analysis Text Analysis Chunking, tokenization, token expansion Chunking, tokenization, token expansion Linguistic Analysis

644 views • 29 slides
Frameworks for Data-Intensive Applications By Ahmad and Cheung Presented by: Ishank Jain

Frameworks for Data-Intensive Applications By Ahmad and Cheung Presented by: Ishank Jain

Automatically Leveraging MapReduce Frameworks for Data-Intensive Applications By Ahmad and Cheung Presented by: Ishank Jain Department of Computer Science 03/19/2019 CONTENT Background Research Question Method Results

497 views • 29 slides
Satellite Data Give Snapshot the LOS displacement field of InSAR around the northern Pakistan

Satellite Data Give Snapshot the LOS displacement field of InSAR around the northern Pakistan

Eos, Vol. 87, No. 7, 14 February 2006 VOLUME 87 NUMBER 7 14 FEBRUARY 2006 PAGES 7384 EOS, TranSacTiOnS, amErican GEOphySical UniOn The largest observed displacement of Satellite Data Give Snapshot the LOS displacement field of InSAR

308 views • 3 slides

More recommend