hardware software co design for security ecc processor
play

Hardware-Software Co-Design for Security: ECC Processor Example - PowerPoint PPT Presentation

Oct 16, 2023 •24 likes •574 views

Hardware-Software Co-Design for Security: ECC Processor Example Arnaud Tisserand CNRS, Lab-STICC SILM Workshop, Nov. 2019 -- Introduction Public-key (or asymmetric) cryptography (PKC): RSA (hyper-)elliptic curve cryptography ((H)ECC)

  1. Hardware-Software Co-Design for Security: ECC Processor Example Arnaud Tisserand CNRS, Lab-STICC SILM Workshop, Nov. 2019 --

  2. Introduction Public-key (or asymmetric) cryptography (PKC): • RSA • (hyper-)elliptic curve cryptography ((H)ECC) • post-quantum crypto (PQC) Design, prototype and evaluate hardware/software (HW/SW) for PKC: • HW: computation units, accelerators, crypto-processors • SW: libraries, generators for HW, dedicated compiler for our processors Objectives: • high speed, reduced silicon area and energy consumption • protections against side-channel and fault-injection attacks (SCA/FIA) • HW: FPGA and ASIC implementations • SW: embedded processors implementations Arnaud Tisserand. CNRS – Lab-STICC 2/20

  3. Elliptic Curve Cryptography (ECC) Elliptic curve over GF( p ): y 2 = x 3 + ax + b E : Curve points representation: • P = ( x , y ) affine coordinates many field inversions • P = ( x , y , z , . . . ) redundant coordinates significantly faster (e.g., Jacobian) y 2 = x 3 + 4 x + 20 over GF (1009) Scalar multiplication: Q = [ k ] P = P + P + · · · + P The most time consuming � �� � operation in protocols k times where P ∈ E and k = ( k n − 1 k n − 2 . . . k 1 k 0 ) 2 k has 200–600 bits Good and complete presentation in [14] and [10] Arnaud Tisserand. CNRS – Lab-STICC 3/20

  4. Scalar Multiplication • P ∈ E Q = [ k ] P = P + P + · · · + P � �� � • k = ( k n − 1 k n − 2 . . . k 1 k 0 ) 2 k times Double-and-add scalar multiplication algorithm: 1: Q ← O 2: for i from n − 1 to 0 do 3: Q ← [2] Q ( DBL ) 4: if k i = 1 then Q ← Q + P ( ADD ) 5: return Q • scans each bit of k and performs corresponding curve-level operation • average cost: 0 . 5 n ADD + n DBL (security ≈ 0 . 5 n ones in k ) v4 PY PY v18 mul mul v25 v4 sub RY OUT v6 v17 v24 add QZ mul v23 v5 v22 add v24 v25 RZ v3 sub mul sqr v23 add OUT QY QY mul v16 v6 v11 v5 PY mul v6 sub PY PZ RX QZ PZ v6 mul OUT v14 v13 v7 PY PZ v9 v10 mul sqr v6 PZ mul v7 v8 v10 add v11 add v10 v8 add v9 add v12 QZ v7 mul mul PZ v8 v7 v12 sub sub PX QZ v13 PZ v10 v11 add v12 add PX v17 v5 v12 v11 mul RZ OUT sqr v17 add v18 v19 v20 PX v1 mul add PX mul v18 sub RY OUT PZ v10 v16 v1 v9 PX mul sqr v0 v15 sqr a v4 sub mul v2 v9 a add v19 add QX v0 mul v3 QX mul sub v10 v1 add v2 sqr v14 v2 v4 v1 v1 add mul RX OUT v2 Arnaud Tisserand. CNRS – Lab-STICC 4/20

  5. Side Channel Attacks protocol level key exchange signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 5/20

  6. Side Channel Attacks protocol level key exchange signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 5/20

  7. Side Channel Attacks protocol level DBL DBL DBL DBL DBL DBL key exchange signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 5/20

  8. Side Channel Attacks protocol level DBL DBL DBL ADD DBL ADD DBL DBL key exchange signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 5/20

  9. Side Channel Attacks protocol level DBL DBL DBL ADD DBL ADD DBL DBL key exchange signature etc 0 0 0 1 1 0 [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) • simple power analysis (& variants) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 5/20

  10. Side Channel Attacks protocol level DBL DBL DBL ADD DBL ADD DBL DBL key exchange signature etc 0 0 0 1 1 0 [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) • simple power analysis (& variants) field level . . . x ± y x × y • differential power analysis (& variants) • horizontal/vertical/templates/. . . attacks Arnaud Tisserand. CNRS – Lab-STICC 5/20

  11. Software vs Hardware Support I SW instructions management + control @ hierarchy memory @ D reg. FU 1 FU 2 FU 3 LSU file large large EXCELLENT slow moderate FLEXIBILITY SPEED AREA ENERGY DEVEL. COST limited fast small small HUGE CTRL reg. reg. reg. reg. op. op. op. op. HW memory

  12. Software vs Hardware Support I SW instructions management + control @ hierarchy memory @ SECURITY? D reg. FU 1 FU 2 FU 3 LSU file large large EXCELLENT slow moderate FLEXIBILITY SPEED AREA ENERGY DEVEL. COST limited fast small small HUGE CTRL reg. reg. reg. reg. op. op. op. op. HW memory Arnaud Tisserand. CNRS – Lab-STICC 6/20

  13. Activity in a Processor Operation to be executed: r ← x + a[i] data/op. x a[i] time + r • AS: ALU status • PIS: fetch, decode, pipeline management, bypasses, memory hierarchy, branch predictor, monitoring, etc. Arnaud Tisserand. CNRS – Lab-STICC 7/20

  14. Activity in a Processor Operation to be executed: r ← x + a[i] signals data/op. x a[i] time + r • AS: ALU status • PIS: fetch, decode, pipeline management, bypasses, memory hierarchy, branch predictor, monitoring, etc. Arnaud Tisserand. CNRS – Lab-STICC 7/20

  15. Activity in a Processor Operation to be executed: r ← x + a[i] signals data/op. instructions x LD R1,R2 a[i] time + ADD R3,R1,R4 r • AS: ALU status • PIS: fetch, decode, pipeline management, bypasses, memory hierarchy, branch predictor, monitoring, etc. Arnaud Tisserand. CNRS – Lab-STICC 7/20

  16. Activity in a Processor Operation to be executed: r ← x + a[i] signals data/op. instructions x LD R1,R2 a[i] time + ADD R3,R1,R4 AS r • AS: ALU status • PIS: fetch, decode, pipeline management, bypasses, memory hierarchy, branch predictor, monitoring, etc. Arnaud Tisserand. CNRS – Lab-STICC 7/20

  17. Activity in a Processor Operation to be executed: r ← x + a[i] signals data/op. state instructions x LD R1,R2 processor internal state (PIS) a[i] time processor internal state (PIS) + ADD R3,R1,R4 AS r processor internal state (PIS) • AS: ALU status • PIS: fetch, decode, pipeline management, bypasses, memory hierarchy, branch predictor, monitoring, etc. Arnaud Tisserand. CNRS – Lab-STICC 7/20

  18. Our Processor Specifications protocol level key exchange signature etc [ k ] P curve level P + P ADD ( P , Q ) DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 8/20

  19. Our Processor Specifications • Performances = ⇒ hardware ( HW ) protocol level key exchange ◮ dedicated functional units signature ◮ internal parallelism etc • Limited cost (embedded systems) ◮ reduced silicon area ◮ low energy (& power consumption) [ k ] P ◮ large area used at each clock cycle curve level P + P ADD ( P , Q ) DBL ( P ) HW field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 8/20

  20. Our Processor Specifications • Performances = ⇒ hardware ( HW ) protocol level key exchange ◮ dedicated functional units signature ◮ internal parallelism etc • Limited cost (embedded systems) ◮ reduced silicon area ◮ low energy (& power consumption) [ k ] P ◮ large area used at each clock cycle curve level • Flexibility = ⇒ software ( SW ) ◮ curves, algorithms, representations P + P (points/elements), k recoding, . . . ADD ( P , Q ) DBL ( P ) ◮ at design time / at run time SW HW field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC 8/20

  21. Our Processor Specifications • Performances = ⇒ hardware ( HW ) protocol level key exchange ◮ dedicated functional units signature ◮ internal parallelism etc • Limited cost (embedded systems) ◮ reduced silicon area ◮ low energy (& power consumption) [ k ] P HW ◮ large area used at each clock cycle curve level • Flexibility = ⇒ software ( SW ) ◮ curves, algorithms, representations P + P (points/elements), k recoding, . . . ADD ( P , Q ) DBL ( P ) ◮ at design time / at run time SW • Security against SCAs = ⇒ HW HW field level ◮ secure units ( F 2 m , F p ) . . . x ± y x × y ◮ secure key storage/management ◮ secure control Arnaud Tisserand. CNRS – Lab-STICC 8/20

  22. Processor Architecture processor Arnaud Tisserand. CNRS – Lab-STICC 9/20

  23. Processor Architecture processor FU 1 FU 2 FU 3 Arnaud Tisserand. CNRS – Lab-STICC 9/20

  24. Processor Architecture processor register file FU 1 FU 2 FU 3 Arnaud Tisserand. CNRS – Lab-STICC 9/20

  25. Processor Architecture processor key mng. register file FU 1 FU 2 FU 3 Arnaud Tisserand. CNRS – Lab-STICC 9/20

  26. Processor Architecture processor key mng. register CTRL file FU 1 FU 2 FU 3 Arnaud Tisserand. CNRS – Lab-STICC 9/20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
What Shall We Do? Let's design a simple processor to understand the entire flow from writing

What Shall We Do? Let's design a simple processor to understand the entire flow from writing

17.1 17.2 What Shall We Do? Let's design a simple processor to understand the entire flow from writing software to Unit 18 designing the hardware This may not be the most advanced processor but the goal is to give you a fully working

308 views • 6 slides
Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor

Processor Design Pipelined Processor Hung-Wei Tseng Drawbacks of a single-cycle processor The cycle time is determined by the longest instruction Could be very long, thinking about fetch data from DRAM Hardware is mostly idle 3

866 views • 47 slides
Design of Control Path Debdeep Mukhopadhyay IIT Madras Hardwired Hardware GCD Processor An

Design of Control Path Debdeep Mukhopadhyay IIT Madras Hardwired Hardware GCD Processor An

Design of Control Path Debdeep Mukhopadhyay IIT Madras Hardwired Hardware GCD Processor An Example Hardware for the GCD processor State Table for the Control Unit What kind of state machine is this? Classical method S 0 = 00, S 1 = 01, S 2

224 views • 21 slides
Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin

Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin

Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin Lukasiewycz TUM CREATE Singapore Outline Motivation (current E/E architectures) Trends (Integrated Architectures / Connected Car) Challenges Overview

496 views • 23 slides
Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
Computer Basics Class Rob Germeroth & Matt Harmon Hardware vs Software Hardware Any

Computer Basics Class Rob Germeroth & Matt Harmon Hardware vs Software Hardware Any

Computer Basics Class Rob Germeroth & Matt Harmon Hardware vs Software Hardware Any physical component that makes up part of the computer. (mouse, keyboard, processor, hard drive, etc.) Software - Programs and other operating

450 views • 17 slides
Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
Chapt hapter er 4 4 The Processor 4.1 Introduction Introduction CPU performance factors

Chapt hapter er 4 4 The Processor 4.1 Introduction Introduction CPU performance factors

COMPUTER ORGANIZATION AND DESIGN 5 th Edition The Hardware/Software Interface Chapt hapter er 4 4 The Processor 4.1 Introduction Introduction CPU performance factors Instruction count Determined by ISA and

1.39k views • 137 slides
Building Hardware Components for Memory Protection of Applications on a Tiny Processor Oct 14

Building Hardware Components for Memory Protection of Applications on a Tiny Processor Oct 14

Building Hardware Components for Memory Protection of Applications on a Tiny Processor Oct 14 2017 Hyunyoung Oh*, Yongje Lee, Junmo Park, Myonghoon Y ang and Yunheung Paek Seoul National University, Korea *Speaker 1 Security Optimization

630 views • 13 slides
Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software protections Binary and malware analysis Fuzzing Network security Hardware and OS security 2 Assuming secure software, what is

984 views • 72 slides
Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer

Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer

Hardware-oriented Specification Hardware Circuits Hardware Description in C Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer Engineering Virginia Tech Blacksburg, VA Design and Security of

1.01k views • 63 slides
Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking Hardware Security

896 views • 50 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical & Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of Abstraction Emil Axelsson Hardware Description and Verification May 2009 Why low-level? Why low-level? Related question: Why is some software

908 views • 51 slides
ECE232: Hardware Organization and Design Lecture 11: Introduction to MIPs Datapath Adapted from

ECE232: Hardware Organization and Design Lecture 11: Introduction to MIPs Datapath Adapted from

ECE232: Hardware Organization and Design Lecture 11: Introduction to MIPs Datapath Adapted from Computer Organization and Design , Patterson & Hennessy, UCB MIPS-lite processor Computer Processor IMemory (CPU) MIPS Want to build a

358 views • 21 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
A Random Walk Around The Block Johan Ugander Stanford University Joint work with: Isabel

A Random Walk Around The Block Johan Ugander Stanford University Joint work with: Isabel

A Random Walk Around The Block Johan Ugander Stanford University Joint work with: Isabel Kloumann (Facebook) & Jon Kleinberg (Cornell) Google Mountain View August 17, 2016 S e e d s e t e x p a n s i o n Given a

724 views • 44 slides
Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an

Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an

Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an Kov 1 Jerusalem College of Technology 2 The Private University College of Education of the Diocese of Linz CICM Hagenberg, Calculemus August 15,

728 views • 56 slides
Symmetry Breaking in Quantum Curves & Super Chern-Simons Matrix Models Sanefumi Moriyama

Symmetry Breaking in Quantum Curves & Super Chern-Simons Matrix Models Sanefumi Moriyama

YITP Workshop 19/08/20 Symmetry Breaking in Quantum Curves & Super Chern-Simons Matrix Models Sanefumi Moriyama (Osaka City Univ/NITEP) Main References: S.M., S.Nakayama, T.Nosaka, JHEP, 2017; S.M., T.Nosaka, T.Yano, JHEP, 2017; N.Kubo,

745 views • 36 slides
Introductory Chemical Engineering Thermodynamics By J.R. Elliott and C.T. Lira Chapter 6 -

Introductory Chemical Engineering Thermodynamics By J.R. Elliott and C.T. Lira Chapter 6 -

Introductory Chemical Engineering Thermodynamics By J.R. Elliott and C.T. Lira Chapter 6 - Engineering Equations of State II. Generalized Fluid Properties The principle of two-parameter corresponding states 50 50 40 40 30 30 T=705K 20

246 views • 13 slides
GAIMD Congestion Control Y. Richard Yang and Simon S. Lam, General AIMD Congestion Control

GAIMD Congestion Control Y. Richard Yang and Simon S. Lam, General AIMD Congestion Control

GAIMD Congestion Control Y. Richard Yang and Simon S. Lam, General AIMD Congestion Control Proceedings IEEE ICNP 2000 Congestion Control, Proceedings IEEE ICNP 2000 , November 2000. GAIMD (Simon S. Lam) 1 3/9/2017 1 Motivation for new

437 views • 32 slides
Toward Computing Towards an Optimal . . . An (Almost) Optimal . . . Minor Problem an Optimal

Toward Computing Towards an Optimal . . . An (Almost) Optimal . . . Minor Problem an Optimal

Need for Unmanned . . . Need for Easily . . . Technical Details of . . . Need for an Optimal . . . Toward Computing Towards an Optimal . . . An (Almost) Optimal . . . Minor Problem an Optimal Trajectory for Solution: How to . . . What If

429 views • 20 slides
Migrations, Brain Drain and Global Justice: What role for corporations? IX POLITEIA FORUM ON CSR

Migrations, Brain Drain and Global Justice: What role for corporations? IX POLITEIA FORUM ON CSR

GIULIA MEZZETTI Migrations, Brain Drain and Global Justice: What role for corporations? IX POLITEIA FORUM ON CSR Milan, 14 December 2012 In what way are CSR and international migrations related? NEGATIVE OBLIGATIONS Migrants' rights

265 views • 8 slides

More recommend