ARMADILLO: a Multi-Purpose Cryptographic Primitive Dedicated to Hardware

Size: px

Start display at page:

Download "ARMADILLO: a Multi-Purpose Cryptographic Primitive Dedicated to Hardware"

Kerrie Lucas
5 years ago
Views:

1 : a Multi-Purpose Cryptographic Primitive Dedicated to Stéphane Badel 1, Nilay Dağtekin 1, Jorge Nakahara Jr 1, Khaled Ouafi 1, Nicolas Reffé 2, Pouyan Sepehrdad 1, Petr Sušil 1, Serge Vaudenay 1 1 EPFL, Lausanne, Switzerland 2 Oridao, Montpellier, France EPFL, Switzerland and Oridao, France 1/ 30

2 EPFL, Switzerland and Oridao, France 2/ 30

3 EPFL, Switzerland and Oridao, France 3/ 30

4 small placental mammal, known for having a leathery armor shell. armadillo is Spanish for little armored one. Habitant: United States, from Texas to Illinois, Indiana and southern Ontario. used in the study of Leprosy: the few known non-human animal species that can contract the disease systemically. EPFL, Switzerland and Oridao, France 4/ 30

5 a general-purpose cryptographic function I FIL-MAC: for challenge-response protocols II Hashing and Digital Signatures III PRNG and PRF hardware oriented target environments: RFID tags and sensor networks based on data-dependent permutations patent pending by Oridao ( EPFL, Switzerland and Oridao, France 5/ 30

6 Overall Design: 2 Input: initial value C, message block U i Output: (V c,v t ) = 2(C,U i ) X = Q(U i,c U i ) X undergoes a sequence of bit permutations, σ 0 and σ 1 and XOR with a constant, denoted by Q: maps a bitstring of k bits and a vector X of k bits into a vector of k bits, then (V c,v t ) = 2(C,U i ) = Q(X,C U i ) X permutation Q defined recursively as Q(s b,x) = Q(s,X σb γ) for b {0,1} and bitstrings s and X and a constant bitstring γ = (10) k/2. EPFL, Switzerland and Oridao, France 6/ 30

7 Vc S m Vt Q(X, C U) X = Q(U, C U) C U i c m.. k. Figure: function of 2 EPFL, Switzerland and Oridao, France 7/ 30

8 Applications I FIL-MAC: for challenge-response protocols V t = AMAC C (U) II Hashing and Digital Signatures V c = AHASH IV (message padding) III PRNG and PRF APRF seed (x) = head t (AHASH seed (x cste)) EPFL, Switzerland and Oridao, France 8/ 30

9 Old Design: Input: initial value C, message block U i Output: (V c,v t ) = (C,U i ) Xinter = C U i x = Xinter Xinter x undergoes a sequence of bit permutations, σ 0 and σ 1, denoted by P: maps a bitstring of k bits and a vector x of 2k bits into a vector of 2k bits, then S = P(Xinter,x) = tail k ((Xinter Xinter) σxinter ) where P is defined recursively as P(s b,x) = P(s,X σb ) for b {0,1} and bitstrings s and X and P(,X) = tail k (X). (V c,v t ) S Xinter EPFL, Switzerland and Oridao, France 9/ 30

10 Schematic Diagram Outline Vc S m Vt (Xinter Xinter)σ Xinter Xinter Xinter C U i c m.. 3 k. 2 1 Figure: The function EPFL, Switzerland and Oridao, France 10/ 30

11 EPFL, Switzerland and Oridao, France 11/ 30

12 Table: Parameter vectors Vector k c m r t A B C D E EPFL, Switzerland and Oridao, France 12/ 30

13 2 no complementation of the k-bit input Xinter = (C U i ). σ i permutations (and so Q) operate on k-bit data (C U i ). no truncation anymore at the output of Q. EPFL, Switzerland and Oridao, France 13/ 30

14 2 no complementation of the k-bit input Xinter = (C U i ). σ i permutations (and so Q) operate on k-bit data (C U i ). no truncation anymore at the output of Q. more compact design and so performance advantage EPFL, Switzerland and Oridao, France 13/ 30

15 EPFL, Switzerland and Oridao, France 14/ 30

16 Defense Mechanism Greek Ouroboros Figure: Armadillo Lizard EPFL, Switzerland and Oridao, France 15/ 30

17 Bounds characterized by two parameters S offline and S online. the best offline attack has complexity 2 S offline. the best online attack, with practical complexity, has success probability 2 S online. aim at S offline 80 and S online 40, but we can only upper bound S offline and S online. EPFL, Switzerland and Oridao, France 16/ 30

18 Concern attack against, but not 2. extra pre-processing in 2, i.e X = Q(U i,c U i ) prevents the attack on. EPFL, Switzerland and Oridao, France 17/ 30

19 EPFL, Switzerland and Oridao, France 18/ 30

20 Armored Armadillo EPFL, Switzerland and Oridao, France 19/ 30

21 implementation of the function b d in [0] d in [1] d out [0] d out [1] key in load X inter X inter 2k J J-N J S-1 0 2k J-N 2k key out out d in [2k-1] d out [2k-1] clk en 0 N stages (a) (b) Figure: (a) one permutation stage, (b) P function building block EPFL, Switzerland and Oridao, France 20/ 30

22 Is FOM = throughput / GE enough? EPFL, Switzerland and Oridao, France 21/ 30

23 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. EPFL, Switzerland and Oridao, France 21/ 30

24 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? EPFL, Switzerland and Oridao, France 21/ 30

25 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? according to this metric, two designs A and B are as efficient: A s throughput and area is twice B s throughput and area. B s power dissipation is half that of A. EPFL, Switzerland and Oridao, France 21/ 30

26 Is FOM = throughput / GE enough? at first sight: provides a more general measure of quality. BUT, it is flawed: how about trading off throughput for power? according to this metric, two designs A and B are as efficient: A s throughput and area is twice B s throughput and area. B s power dissipation is half that of A. by doubling B s operating frequency, its throughput can be made equal to that of A while consuming the same power and still occupying a smaller area. B should be recognized as superior to A. EPFL, Switzerland and Oridao, France 21/ 30

27 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. EPFL, Switzerland and Oridao, France 22/ 30

28 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: EPFL, Switzerland and Oridao, France 22/ 30

29 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. EPFL, Switzerland and Oridao, France 22/ 30

30 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. EPFL, Switzerland and Oridao, France 22/ 30

31 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. EPFL, Switzerland and Oridao, France 22/ 30

32 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. EPFL, Switzerland and Oridao, France 22/ 30

33 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. EPFL, Switzerland and Oridao, France 22/ 30

34 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. generally not available. EPFL, Switzerland and Oridao, France 22/ 30

35 How about FOM = throughput / GE 2? Solution: dividing the metric by the power dissipation. But it has its own problems: power dissipation: an extremely volatile quantity. subject to the same error factors as the area. depends heavily on the process technology, the supply voltage, and the parasitic capacitances. vary largely depending on the method used to measure it. different standard-cell libraries exhibit various power/area/speed trade-offs. generally not available. A fairer FOM: include the influence of power dissipation. we can assume that the power is proportional to the gate count. EPFL, Switzerland and Oridao, France 22/ 30

36 T-stage pipeline: R = k/(n.t) of permutations at each stage. throughput: 1/R items per cycle and the latency: k/n cycles. more pipeline stages: more hardware replication, area, power. a fully serial implementation: ideal for RFID applications. In practice, to maximize FOM with T = 1, we obtain N = 4 for 2. obtain an area of 4030 GE, 77 µw, and a latency of 44 cycles (1.09 Mbps for hashing or 2.9 Mbps for encryption). EPFL, Switzerland and Oridao, France 23/ 30

37 Synthesis Results synthesis in a 0.18µm CMOS process using a commercial standard-cell library. Synopsys Design Compiler in topographical mode. power consumption: Synopsys Primetime-PX using gate-level vector-based analysis. EPFL, Switzerland and Oridao, France 24/ 30

38 Synthesis results at 1 MHz N=1 N=4 Algorithm Vect. Area Power Thr. Latency Area Power Thr. Latency (GE) (µw) (kbps) (cycles) (GE) (µw) (kbps) (cycles) A B C D E Table: the throughput values correspond to hash mode. EPFL, Switzerland and Oridao, France 25/ 30

39 Comparing hash functions performance at 100 khz Algorithm Digest Block Area Time Throughput Logic FOM (bits) (bits) (GE) (cycles/block) (kb/s) (µm) (nanobit/cycle.ge 2 ) 2-A A H-PRESENT B MD B MD C C SHA D C-PRESENT D MAME E SHA E EPFL, Switzerland and Oridao, France 26/ 30

40 Comparing performance of ciphers at 100 khz Algorithm Key Block Area Time Throughput Logic FOM (bits) (bits) (GE) (cycles/block) (kb/s) (µm) (nanobit/cycle.ge 2 ) DES PRESENT Grain KTANTAN KATAN A Trivium PRESENT A mcrypton PRESENT HIGHT TEA B B AES C C DESXL D D E E EPFL, Switzerland and Oridao, France 27/ 30

41 EPFL, Switzerland and Oridao, France 28/ 30

42 a new hardware dedicated cryptographic function design. two instances: and 2 2: fully serial architecture, 2923 GE could perform one compression within 176 clock cycles, consuming 44 µw at 1 MHz. another tradeoff leads us to 4030 GE, 44 cycles, 77 µw, 11 Mbps of hashing, and 2.9 Mbps of encryption. EPFL, Switzerland and Oridao, France 29/ 30

43 Questions? EPFL, Switzerland and Oridao, France 30/ 30

Lightweight Cryptography for RFID Systems

Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)