On Random Pattern Testability of Cryptographic VLSI Cores

Transcription

1 On Random Pattern Testability of Cryptographic VLSI Cores A. Schubert, W. Anheier Institut für Theoretische Elektrotechnik und Mikroelektronik (ITEM) University of Bremen P.O. Box , D Bremen Abstract In this paper we show, that the statistical qualities of cryptographic basic operations are the reason for the exent pseudorandom testability of cryptographic processor cores. For the examination typical basic operations of modern cryptographic algorithms are categorized in classes and analyzed regarding their pseudorandom properties. Exemplary, a global BIST for a cryptographic processor core based on the symmetric block encryption algorithm 3WAY is developed and analyzed. Finally, the quality of the proposed test architecture is determined by fault simulations. 1. Introduction Within the scope of the development of a cryptographic VHDL library VLSI processor cores are designed. The cryptographic cores are intended for corebased system design. They can be embedded in integrated systems as on-chip security modules. An important demand on security hardware is high testability. Security reasons indicate an implementation of the test measures in the form of a built-in self-test (BIST). Generally, BIST techniques represent the most suitable test method for newly developed VLSI cores. They meet requirements like low test costs, modularity and reusability (test-ready intellectual property) [1,2]. Cryptographic processor cores are characterized by a data path with wide inputs and outputs. For these kinds of circuits only a BIST based on pseudorandom patterns is suitable. It can be realized by means of LFSRs (linear feedback shift register) and MISRs (multiple input signature register). Usually BIST test structures are locally applied to s (e.g. PLAs, ROMs, RAMs, multipliers and adders), which are suitable for an autonomous self-test. The pseudorandom test of individual s of a processor core (local BIST) by means of shift registers with additional test functions, test multiplexers or built-in logic block observers (BILBO) is costly [3]. A more efficient approach combined with lower test cost is the global BIST. In this approach pseudorandom test patterns are only fed to the primary inputs of the data path. Conditions for the global test are: i. Propagation of pseudorandom test patterns through the data path of cryptographic VLSI cores, so that the data inputs of every are stimulated by pseudorandom patterns. ii. Generation of new pseudorandom test patterns by operations in the data path. iii. Propagation of fault effects (errors) through the data path. These conditions are met by symmetric block ciphers such as DES and IDEA and their VLSI implementations. In [1] the pseudorandom testability of the hardware realization of the IDEA algorithm is examined by means of specific data flow graphs (DFG) and so-called predecessor lists. In this and others works of the author the analysis is further extended to other modern symmetric block ciphers like SAFER K-128, RC5 or 3WAY [4]. The basic operations of these new algorithms are examined with regard to their property to propagate pseudorandom test patterns. In this paper it will be exemplarily shown for the VLSI implementation of the symmetric block encryption algorithm 3WAY, that the hardware realizations of cryptographic algorithms are especially suitable for the global BIST. The examination is verified by means of fault simulations. 2. Global BIST The so-called global BIST uses the inherently good pseudorandom testability of cryptographic circuits. Thus, the control and observation paths for testing different internal circuit modules can be realized without modification of the internal functional architecture. For controlling the test patterns one has to consider only the function of the involved control modules and not their internal structure [3]. A global pseudorandom BIST (cf. fig. 1) has the following advantages compared to a local BIST:

2 Besides the test of complex s (adders, multipliers, memories etc.), the test of random logic (registers, multiplexers etc.) and wires is also carried out. Only minimal additional test costs: functional and test architectures are to a large extent identical, i.e. considerably lower hardware overhead through central pseudorandom pattern generators (PRPG) and multiple input signature register (MISR) and fewer BIST control tasks. Test time is decreased by simultaneous testing of all subcircuits. P R P G PI datapath of the processor core P R P G PI random logic DUT Figure 1. Global pseudorandom BIST 3. Statistical properties of cryptographic operations 3.1. Pseudorandom test patterns The statistical properties of pseudorandom number sequences represent an appropriate basis for the following examination. The aim is the determination of the ability of cryptographic basic operations to propagate pseudorandom test patterns. Pseudorandom test patterns are similar to a truly random sequence except for their repeatability. In a first approximation the following three conditions for truly random sequences can be applied to the statistical qualities of pseudorandom test patterns [3]. Assumption: In a set of n-bit test patterns the probability is 0.5, that an arbitrary bit is 1 and 0 respectively: Condition 1 (serial statistical independence): In a serial bit string of any column the individual bits must be statistically independent of each other. Then the conditional probabilities between any two bits y and x are: PO M I S R { } P( y = a / x = b) = P( y = a) = 0. 5, where a, b 0, 1. Condition 2 (parallel statistical independence): In any test pattern row the individual bits must also be statistically independent and the same statements about the conditional probabilities as in condition 1 are valid. Condition 3 (binomial probability distribution of the number of signal transitions): The probability distribution of the number of signal transitions m (0 m n) between any two consecutive test patterns has a binomial form: n n P( m signal transitions ) = 2. m 3.2. Cryptographic Operations Group operations and operations with similar properties, bit permutations as well as pseudorandom S- boxes and similar functions are essential elements in modern symmetric block ciphers (cf. table 1) Group operations. Group operations Y = X*Z have the following statistical property: If the patterns at input X and Z are statistically independent, then an uniform 1 probability distribution P( group element) = # group elements (i.e. pseudorandom values) at input X or Z propagates to output Y. Like the pseudorandom input patterns the patterns at output Y also have the statistical property 1 P( group element) = # group elements. The three conditions for (pseudo)randomness of section 3.1 are maintained at the output. In addition to the propagation of pseudorandom test patterns group operations generate pseudorandomness, because they produce pseudorandom values even with a deterministic input on condition that the other input is pseudorandom [1]. Class II operations have similar properties. They provide pseudorandom outputs if input X is pseudorandom and statistically independent of the function f(z), f(u,z) or f(x,u,z) Pseudorandom S-boxes and similar functions. The example functions enumerated in table 1 / III resemble pseudorandom substitution(s)-boxes. The function of a quadratic n s n s S-box can be described through boolean equations in ANF (algebraic normal form) representation. Each of the n s output bits is a function of all n s input bits: ( ) f x, x,..., x = a a x a x... a x a, x x k 1 2 n s n s n s a1, 2, 3, 4, 5, 6, 7,..., x x x x x x x... x ns n. s In case of pseudorandom S-boxes the coefficients of the n s ANF equations are random and statistically independent from each other. The number of terms with non-linear order i ( 0 i n s ) are binomially distributed. Their number is on average 1 ns. 2 i The serial statistical independence (cf. section 3.1) remains for the output words since the pseudorandom S- boxes are memoryless transformations (ANF equations X t and are nonrecursive). Any two input patterns ( ) X( t + T) with X( t T) X( t) + cause two different ANF equations for the same output bit f k (1 k n s ). Their

3 Table 1. Typical basic operations of modern cryptographic algorithms I II III IV Operation classes Example operations Algorithms Operations in finite groups: ( X + Z)mod 256, ( X Z)mod 256 SAFER K-128, Y = X * Z ; X, Y, Z = variables or X Z 3WAY, RC5, IDEA Group operations with an input which is a function ( 2Z + X) mod 256, ( 2Z X) mod 256 SAFER K-128, of one or several variables: or X ( U + Z ) 3WAY Y = X * f ( Z), Y = X * f ( U, Z) or Y = X * f ( X, U, Z) Pseudorandom S-boxes and similar functions: Y = prsbox(x) Constant and data dependent bit permutations: Y = bper(x) X ( 45 )mod 257 or (log 45 X) mod 257 SAFER K-128 ROTL(X), ROTR(X), ROTL Z (X) or ROTR Z (X) SAFER K-128, 3WAY, IDEA, RC5 difference is a function of one or more random and statistically independent coefficients (single probability 0.5). The difference has the probability ( k ( ( )) k ( ( + )) = 1 ) = P fk ( X( t T) ) P f X t f X t T ( ) + = 1 =0.5, which implies statistical independence. Although each output bit depends on all input bits the parallel statistical independence is also valid for the output bits. Each input pattern determines a coefficient subset in the ANF equations. The number of combinations with an odd number of coefficients in these subsets is: w( X) w( X) w( X) w( X) = w( X) , where w( X) is the weight of the current input pattern X( t ). The assumption of random ANF coefficients and a single probability for a set ANF coefficient of 0.5 leads to the following probability, that an ANF equation has a 1 as result: ( k ( 1 2 n s ) ) 2 w ( X ) 2 w ( X ) P f x, x,..., x = 1 = 2 2 = On account of the statistical independence of the coefficients the output bits of different ANF equations are statistically independent from each other. The pattern of signal transitions between two arbitrary consecutive output patterns is derived from the ing of the two patterns. Due to the serial statistical independence the probability of every bit column of the operation is P( fk ( X( t) ) fk ( X( t + 1) ) = 1 ) = ( 1 2) = 0.5. Together with the already mentioned parallel statistical independence a binomial probability distribution of the number of signal transitions occurs at the output. Sufficient condition for a pseudorandom output is a constantly changing pattern sequence (without repetition) at the input of the pseudorandom S-box. Therefore, pseudorandom S-boxes and similar functions propagate, increase and generate pseudorandomness Constant and data dependent bit permutations. The serial statistical independence remains in the output 1 2 words, because the (data dependent) permutations bper(x) are memoryless transformations. The parallel statistical independence is preserved for the bits of the output words, because (data dependent) permutations change the order but not the values of the bits of the permutated input word X. The Hamming weight and binomial probability distribution of the non-zero elements in the individual test patterns are not changed. This results in a binomial probability distribution of the number of signal transitions between any two consecutive output patterns. All three conditions for (pseudo)randomness remain uninfluenced by the operation. Accordingly, a pseudorandom test pattern assumed at the permutation input X propagates to the output. 4. Pseudorandom properties of 3WAY The importance of the specific properties of cryptographic basic operations for the pseudorandom test of cryptographic hardware are explained in the following example. The symmetric block cipher algorithm 3WAY [5] is used as a paradigm. The algorithm is analyzed concerning the property to propagate pseudorandom test patterns. The 3WAY algorithm consists of two subalgorithms: encryption and subkey generation Encryption The encryption data flow graph (DFG) of 3WAY [5] is depicted in Fig. 2. In addition to the combination of data and subkeys (operation class I) and constant rotations of 32-bit data subblocks (operation class IV) the 3WAY DFG contains the so-called and γ function Linear substitution. The linear substitution B = (A) is a polynomial multiplication, which is defined as follows [5]: h h ( ) ( ) ( 1 ) 12 b( x) = e x a x mod + x with e( x) = 1+ x + x + x + x + x + x 10, h = n/12 and n =.

4 S 2 Linear Substitution ROL 1 ROR 10 Non-linear Substitution ROR 10 ROL 1 I 2, I 1, I 0 : Data Inputs S 2, S 1, S 0 : Subkeys I 2 I 1 I 0 γ S 1 S 0 O 2, O 1, O 0 : Data Ouputs Figure 2. Encryption DFG of 3WAY O 0 O 1 O 2 Table 2. Predecessor operation list of the encryption DFG 3WAY Encryption Op. no. Op. Operation types Relevant pr in Pred. Pr in Pr out 0 I 0, I 1,I 2, inputs*) X,U,Z or - X,U,Z - S 0,S 1,S 2 S 0,S 1,S 2 1 xor X =X*S 0,U =U*S 1, X,U,Z or 0 X,U,Z yes Z =Z*S 2 S 0,S 1,S 2 2 X =X*f(X,U,Z), X,U,Z 1 X,U,Z yes U =U*f(U,Z,X), Z =Z*f(Z,X,U) 3 π1 X =bper(x), X,U,Z 2 X,U,Z yes U =U, Z =bper(z) 4 γ X =X*f(U,Z), X,U,Z 3 X,U,Z yes U =U*f(Z,X), Z =Z*f(X,U) 5 π2 X =bper(x), X,U,Z 4 X,U,Z yes U =U, Z =bper(z) 6 xor X =X*S 0,U =U*S 1, X,U,Z or 5 X,U,Z yes Z =Z*S 2 S 0,S 1,S *) Assumption: data and key inputs are statistically independent X,U,Z and S 0,S 1,S 1 : 32-bit data subblocks and subkey variables The polynomial a(x) is the polynomial representation of n 1 i the binary vector A = (a 0, a 1,..., a n-1 ): a( x) = a x. i = 0 An alternative description of the operation consists of three partial equations. The equations have the form X = X*f(X,U,Z), U = U*f(U,Z,X) and Z = Z*f(Z,X,U), e.g. X = X (X>>16) (U<<16) (U>>16) (Z<<16) (U>>24) (Z<<8) (Z>>8) (X<<24) (Z>>16) (X<<16) (Z>>24) (X<<8). The equations are realized by s and bit shifts of the 32-bit subblocks X, U and Z and belong to the operation class II (cf. section 3.2). Note that due to the bitwise character of the operation the statistical independence is only required at bit level Non-linear substitution γ. The non-linear substitution B=γ (A) also belongs to the operation class II and is defined as follows [5]: b = a ( a a ), i i ( i + k ) mod ( i+ 2 k ) mod where k = n/3 = 32 for 0 i 95. The above equation can be converted to the following three partial equations: X' = X ( U + Z), U' = U ( Z + X) and Z' = Z ( X + U). Table 2 shows the predecessor operation list, which is derived from the DFG. In the list the data inputs of the DFG are assumed to be pseudorandom. If the data und subkey inputs of the DFG are statistically independent, i then the inputs of every group operation are statistically independent. The DFG and the predecessor operation list reveal, that the input of every operation, which is relevant for the propagation of pseudorandomness, is pseudorandom. Thus, pseudorandom test patterns will propagate through the whole encryption algorithm. Furthermore, the group operations of class I and II contained in the algorithm cause the generation of new pseudorandom values at the output of the DFG. They can be used as test patterns again. Similar properties can also be derived for the decryption DFG of 3WAY. The DFG of the 3WAY decryption differs from the encryption DFG only in the constant bit permutation µ. This permutation inverts the bit order of a binary vector and is applied in an additional input and output transformation Constant bit permutation µ. The bit permutation B=µ (A) inverts the order of the bits of a n-bit data vector: bi = an 1 i for 0 i 95. Referring to the three 32-bit variables X, U and Z the following three partial equations result from the above formula: x j = z 31-j, u j = u 31-j, z j = x 31-j for 0 j 31. Since the bit permutation µ belongs to the operation class IV (cf. section 3.2) it does not change the pseudorandom properties of the decryption DFG. Besides the propagation and generation of pseudorandom test patterns (controllability), the

5 propagation of errors (observability) is of decisive importance for the pseudorandom testability of circuits. Symmetric block ciphers like 3WAY are in particular characterized by the avalanche effect. This property means, that with the modification of only one input bit (key or data) every output bit changes its value with a probability near 0.5 [4]. In a reduced form this principle can be found again in the substructures and basic operations of a sym. block cipher. Therefore, errors propagate with very high probability to the primary outputs of a cryptographic core Subkey generation The subkey generation is kept simple and is partially based on the same basic operations as the encryption and decryption DFG. Thus, pseudorandom patterns at the key inputs propagate to the subkey outputs [5]. Figure 3 shows the DFG of the subkey generation for decryption. K 2 K 1 Linear Substitution K C D 8 LFSR µ Bit Permutation Expansion K 2, K 1 and K 0 : Session key C D : Start constant 8 S 2, S 1 and S 0 : Subkeys Figure 3. Subkey generation DFG of 3WAY (Decryption) 5. Functional and test architecture Figure 4 shows the functional architecture of the cryptographic processor core, which realizes the sym. block cipher 3WAY. The data path consists of the two parts subkey generation and encryption. In the cipher data path a common encryption and decryption round structure is implemented. For carrying out the effective 12 encryption rounds the output data of the round structure are fed back via multiplexer and register to the inputs. In figure 4 the global pseudorandom BIST architecture for the core is also depicted. By means of LFSRs pseudorandom test patterns are fed to the primary key and data inputs of the processor core. They propagate through the data path. In principle random logic like multiplexer and register does not prevent the propagation of pseudorandom test pattern. A MISR compresses the test responses at the primary outputs of the core to a signature. A BIST controller causes the processor core controller to S 0 S 1 S 2 B I S T C T R L Subkey Generation CE CD LFSR 8 Expansion CONTROL µ CRYPTOGRAPHIC PROCESSORCORE PRPG PI Key In REG µ REG REG π1 γ π2 PO Data Out MISR µ PRPG PI Data In Round Struct. Cipher Datapath Figure 4. Architecture for the sym. block cipher 3WAY carry out several encryptions and decryptions. This means, that the processor core carries out its normal function during the self-test. The cost for this kind of selftest is minimal. Notice that on account of the data feedback the implemented round structure is tested by 12 pseudorandom test patterns during one conversion. By contrast most of the remaining circuit is only occupied with one test pattern per conversion. This fact has effects on the test lengths for the different parts of the core. An advantage of the 3WAY algorithm in comparison to other corresponding algorithms is that no memory elements (e.g. subkey RAMs or S-box ROMs) are required for its implementation. Though a test of RAMs and ROMs with pseudorandom test patterns is in principle possible, memories in a circuit under test usually lead to an increase of the test length [6]. In case of embedding the 3WAY functional architecture in a realization of the modes of operation according to ISO standard [4] the presented test principle can be extended to this larger circuit. Then, the pseudorandom output values of the 3WAY architecture can also be used for the test of the modes of operation circuit. 6. Fault simulation To verify the theoretical analysis of sections 3 and 4 fault simulations are carried out for the data path of the cryptographic processor core. During the fault simulation 40 conversions (20 encryptions and 20 decryptions) with

6 40 pseudorandom test patterns at the data and key inputs take place. One conversion takes 12 clock cycles (further 3 cycles for a following (reset) break). The results of the fault simulation are summarized in table 3. One item is not considered so far: the pseudorandom testability of the basic operations themselves. The additional table 4 shows the results of individual fault simulations for essential basic operations. Besides the determination of the different fault coverages, the fault simulations contribute to the determination of the test length required for a fault coverage over 99%. The results of the fault simulation prove, that the global BIST is very efficient with regard to fault coverage and test length. Table 3. Fault coverages (40 test conversions) 3WAY Fault coverage # Total faults Processor core (SA faults) Total data path 99.6 % Subkey generation 99.1 % 7825 Encryption data path 100 % Round structure 100 % 6168 Table 4. Fault coverage and test length for basic operations of 3WAY Basic operations Test length (# pr test pattern) Fault coverage (SA faults) Linear % substitution Non-linear % substitution γ Bit permutations µ, π1, π2 - * - * * bit permutations contain no gates 7. Summary The statistical properties of typical basic operations of modern cryptographic algorithms are described. Based on these qualities symmetric block ciphers and their VLSI implementations can be analyzed with regard to propagating pseudorandom test patterns. In this paper the sym. block encryption algorithm 3WAY is used as a paradigm. The results of this and others works show, that cryptographic processor cores are ideal for an efficient global pseudorandom BIST because of their specific structures and operations. In principle the results can be used for other circuit architectures with similar properties like for example architectures based on RNS arithmetic. But generally, they can not be applied to VLSI realizations of typical DSP algorithms such as FFT or digital filter. In these algorithms logic and arithmetic operations play an important role, which do not propagate pseudorandom patterns. For example, shift operations, additions and multiplications with overflow as well as logic operations like OR and AND belong to these kinds of operations. In a continuation of this work the BIST concept is extended to larger cryptographic processor cores, which contain additional circuits to realize modes of operation according to ISO standard. 8. References [1] H. Bonnenberg, Secure Testing of VLSI Cryptographic Equipment, Dissertation No , ETH Zurich, [2] Federal Information Processing Standard Publication (FIPS PUB) 140, Telecommunications: General Security Requirements for Equipment using the Data Encryption Standard, April, [3] M. Gerner, B. Müller and G. Sandweg, Selbsttest digitaler Schaltungen, R. Oldenbourg Verlag, München, [4] B. Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, John Wiley & Sons, NY, [5] J. Daemen, R. Govaerts and J. Vandewalle, A New Approach to Block Cipher Design, Fast Software Encryption, Lectures Notes in Computer Science No. 809, Springer, NY, 1994, pp [6] P.H. Bardell, W.H. McAnney and J. Savir, Built-In Test for VLSI: Pseudorandom Techniques, John Wiley & Sons, NY, 1987.