5/18/2016 1 Cncurrent Errr Detectin fr Reliable SHA-3 Design Pei LUO 1 Cheng LI 2 Yunsi FEI 1 1. Nrtheastern Universit Energ-Efficient and Secure Sstems Lab http://nueess.ce.neu.edu Electrical & Cmputer Engineering Department Nrtheastern Universit 2. Intel Labs
5/18/2016 2 Outline Mtivatin Preliminar f SHA-3 Prtectin f peratins in SHA-3 Fault injectin attacks simulatin results Cnclusin
5/18/2016 3 Mtivatin Widel use f Keccak SHA-3 has been standardied b NIST [1] Keccak based candidates enter the 2 nd rund f CAESAR cmpetitin cmpetitin fr authenticated encrptin Fault injectin attacks n SHA-3 Single-bit faults injected at the penultimate rund input can be used t cnquer SHA-3 [2] Our wrk shws that attackers need nl 17 single-bte faults t cnquer SHA-3 Technlg scales dwn transient faults increase - reliabilit [1] Dwrkin Mrris J. "SHA-3 Standard: Permutatin-Based Hash and Etendable-Output Functins." Federal Inf. Prcess. Stds. NIST FIPS-202 August 2015. [2] Bagheri Nasur Navid Ghaedi and Smitra Kumar Sanadha. "Differential Fault Analsis f SHA-3." Prgress in Crptlg INDOCRYPT 2015. Springer Internatinal Publishing 2015. 253-269.
5/18/2016 4 Mtivatin Hw t prtect SHA-3 against randm errrs and fault injectin attacks? Intrduce redundanc int the sstem Imprve reliabilit but nt against fault injectins Make use f rund rtatin invariance prpert [1] [2] Intrduce high redundanc f either area r time cnsumptin f ROT 1 f ROT Intrduce errr detectin cdes Parit checking cde is efficient and widel used Ke pint: hw t make use f the features f Keccak [1] Baat-Sarmadi et al. "Efficient and cncurrent reliable realiatin f the secure crptgraphic SHA-3 algrithm." Cmputer-Aided Design f Integrated Circuits and Sstems IEEE Transactins n 33.7 2014: 1105-1109. [2] Lu Pei et al. "An Imprvement f Bth Securit and Reliabilit fr Keccak Implementatins n Smart Card."
5/18/2016 5 Outline Mtivatin Preliminar f SHA-3 Prtectin f each peratin in SHA-3 Fault injectin attacks simulatin results Cnclusin
5/18/2016 6 Preliminar f SHA-3
5/18/2016 7 Preliminar f SHA-3 24 runds 5 peratins in each rund
Preliminar f SHA-3 1 1 1 i 4 0 i 4 0 i + θ θ θ θ 5/18/2016 8
5/18/2016 9 Preliminar f SHA-3 ρ changes the psitins f bits alng each lane
5/18/2016 10 Preliminar f SHA-3 changes π the psitins f bits inside each slice
Preliminar f SHA-3 2 1 invlves nnlinear peratins : i i i + + χ χ χ χ χ 5/18/2016 11
5/18/2016 12 Outline Mtivatin Preliminar f SHA-3 Prtectin f peratins in SHA-3 Fault injectin attacks simulatin results Cnclusin
5/18/2016 13 Prtectin structure θ θ Prtectr ρ' ρ' Prtectr χ ι χ' Prtectr
θ Prtectin f 1 i 4 0 4 0 4 0 4 0 θ θ Which can be simplified as: 5/18/2016 14
θ Prtectin f ] [ ] [ 4 0 4 0 i 4 0 4 0 i P P θ θ θ θ [0...63] 1 ] [ ] [ i + P P θ θ 5/18/2016 15 Parit checking f peratin θ is ver efficient
5/18/2016 16 Prtectin f ρ and π Bth ρ and π are bit rtatin peratins withut changing the value Bth ρ and π are implemented using wire in hardware n registers intrduced Faults in ρ will prpagate directl int π Prtectin f ρ and π: Can be mitted fr higher efficienc Can be cmbined tgether
pitfall a - f Prtectin χ b a e e a e d d e d c c d c b b c b a a a e e d d c c b b a e d c b a peratin as the input f ne rw f Dente e d c b a χ 5/18/2016 17 If a flips with a 50% prbabilit the errr ma nt change the parit
χ Prtectin f 2 1 in which ] [ 2 ] [ ] [ ] [ i i and and i i P P P P + + + χ χ χ χ χ χ χ 5/18/2016 18 Avid t cmpress bits in each rw Invlves nl AND and XOR peratins
5/18/2016 19 Outline Mtivatin Preliminar f SHA-3 Prtectin f each peratin in SHA-3 Fault injectin attacks simulatin results Cnclusin
5/18/2016 20 Fault injectin attacks simulatin Mdeled in VHDL [1] 45 nm Opencell librar Snthesied in Cadence Encunter RTL Cmpiler Placed and ruted using Cadence Encunter Overhead estimated using Cncurrent Surces 1.1 V 25 Celsius degree Faults injected at gate level Randml inject stuck-at-0 and stuck-at-1 faults int up t ten gates [1] http://keccak.neken.rg/keccakvhdl-3.1.ip
5/18/2016 21 Simulatin results Prpsed: cmbine prtectin f χ and ι ρ and π unprtected Design 2: prtect χ and ι separatel ρ and π unprtected Design 3: cmbine prtectin f χ and ι prtect ρ and π tgether um 2 Area Timing Pwer Nrmalied % ns Nrmalied % mw Nrmalied % Errr Cverage Original 41611.7 100.00 3.892 100.00 17.95 100.00 0% Prpsed 52867.2 127.05 4.500 115.62 26.69 148.69 83.60% Design 2 62429.4 150.01 5.476 140.70 41.78 232.76 83.34% Design 3 66621.0 160.10 4.381 112.56 44.07 245.52 89.89%
5/18/2016 22 Simulatin results Prpsed: cmbine prtectin f χ and ι leave ρ and π unprtected Design 2: prtect χ and ι separatel leave ρ and π unprtected Design 3: cmbine prtectin f χ and ι prtect ρ and π tgether um 2 Area Timing Pwer Nrmalied % ns Nrmalied % mw Nrmalied % Errr Cverage Original 41611.7 100.00 3.892 100.00 17.95 100.00 0% Prpsed 52867.2 127.05 4.500 115.62 26.69 148.69 83.60% Design 2 62429.4 150.01 5.476 140.70 41.78 232.76 83.34% Design 3 66621.0 160.10 4.381 112.56 44.07 245.52 89.89%
5/18/2016 23 Simulatin results Prpsed: cmbine prtectin f χ and ι leave ρ and π unprtected Design 2: prtect χ and ι separatel leave ρ and π unprtected Design 3: cmbine prtectin f χ and ι prtect ρ and π tgether um 2 Area Timing Pwer Nrmalied % ns Nrmalied % mw Nrmalied % Errr Cverage Original 41611.7 100.00 3.892 100.00 17.95 100.00 0% Prpsed 52867.2 127.05 4.500 115.62 26.69 148.69 83.60% Design 2 62429.4 150.01 5.476 140.70 41.78 232.76 83.34% Design 3 66621.0 160.10 4.381 112.56 44.07 245.52 89.89%
5/18/2016 24 Simulatin results The prpsed scheme has lw verhead and high errr cverage Prtectin f χ and ι can be cmbined fr lwer verhead Prtectin f ρ and π can be saved fr hardware implementatins Prtectin f ρ and π shuld be implemented fr pipelined design
5/18/2016 25 Outline Mtivatin Preliminar f SHA-3 Prtectin f each peratin in SHA-3 Fault injectin attacks simulatin results Cnclusin
5/18/2016 26 Cnclusin SHA-3 shuld be prtected against randm errrs r fault injectin attacks Our wrk Eplit the features f SHA-3 fr efficient errr detectin design Overhead is small while the errr detectin rate is high Future wrk is t eplre mre efficient errr detectin methds fr SHA-3
5/18/2016 27 Acknwledgment The authrs wuld like t thank Dr. Re Xiafei Gu at Intel fr his help This wrk was supprted in part b Natinal Science Fundatin under grants SaTC-1314655 and MRI- 1337854
5/18/2016 28 Thanks!