
Showing papers by "Ingrid Verbauwhede published in 2011"


Book ChapterDOI
28 Sep 2011
TL;DR: Spongent is a family of lightweight hash functions with hash sizes of 88, 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy.
Abstract: This paper proposes spongent - a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To the best of our knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs. We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.

345 citations


Journal ArticleDOI
TL;DR: This work comprehensively investigates the application of a machine learning technique in SCA, a powerful kernel-based learning algorithm: the Least Squares Support Vector Machine (LS-SVM) and the target is a software implementation of the Advanced Encryption Standard.
Abstract: Electronic devices may undergo attacks going beyond traditional cryptanalysis. Side-channel analysis (SCA) is an alternative attack that exploits information leaking from physical implementations of e.g. cryptographic devices to discover cryptographic keys or other secrets. This work comprehensively investigates the application of a machine learning technique in SCA. The considered technique is a powerful kernel-based learning algorithm: the Least Squares Support Vector Machine (LS-SVM). The chosen side-channel is the power consumption and the target is a software implementation of the Advanced Encryption Standard. In this study, the LS-SVM technique is compared to Template Attacks. The results show that the choice of parameters of the machine learning technique strongly impacts the performance of the classification. In contrast, the number of power traces and time instants does not influence the results in the same proportion. This effect can be attributed to the usage of data sets with straightforward Hamming weight leakages in this first study.

279 citations


01 Jan 2011
TL;DR: This paper investigates the problems associated with implementing a backward compatible message authentication protocol on the CAN bus, and presents a message authentication protocol, CANAuth, that meets all of the requirements set forth and does not violate any constraint of the CAN bus.
Abstract: The Controller-Area Network (CAN) bus protocol [1] is a bus protocol invented in 1986 by Robert Bosch GmbH, originally intended for automotive use. By now, the bus can be found in devices ranging from cars and trucks, over lighting setups to industrial looms. Due to its nature, it is a system very much focused on safety, i.e., reliability. Unfortunately, there is no built-in way to enforce security, such as encryption or authentication. In this paper, we investigate the problems associated with implementing a backward compatible message authentication protocol on the CAN bus. We show which constraints such a protocol has to meet and why this eliminates, to the best of our knowledge, all the authentication protocols published so far. Furthermore, we present a message authentication protocol, CANAuth, that meets all of the requirements set forth and does not violate any constraint of the CAN bus. Keywords: CAN bus, embedded networks, broadcast authentication, symmetric cryptography

246 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This work thoroughly analyse how clock glitches affect a commercial low-cost processor by performing a large number of experiments on five devices, and explains how typical fault attacks can be mounted on this device, and describes a new attack for which the fault injection is easy and the cryptanalysis trivial.
Abstract: The literature about fault analysis typically describes fault injection mechanisms, e.g. glitches and lasers, and cryptanalytic techniques to exploit faults based on some assumed fault model. Our work narrows the gap between both topics. We thoroughly analyse how clock glitches affect a commercial low-cost processor by performing a large number of experiments on five devices. We observe that the effects of fault injection on two-stage pipeline devices are more complex than commonly reported in the literature. While injecting a fault is relatively easy, injecting an exploitable fault is hard. We further observe that the easiest to inject and reliable fault is to replace instructions, and that random faults do not occur. Finally we explain how typical fault attacks can be mounted on this device, and describe a new attack for which the fault injection is easy and the cryptanalysis trivial.

161 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper classifies the existing fault attacks on implementations of cryptographic algorithms on embedded devices according to different criteria, exposes the possible security threats caused by fault attacks, and proposes different classes of countermeasures capable of preventing them.
Abstract: For a secure hardware designer, the vast array of fault attacks and countermeasures looks like a jungle. This paper aims at providing a guide through this jungle and at helping a designer of secure embedded devices to protect a design in the most efficient way. We classify the existing fault attacks on implementations of cryptographic algorithms on embedded devices according to different criteria. By doing so, we expose possible security threats caused by fault attacks and propose different classes of countermeasures capable of preventing them.

77 citations


Journal Article
TL;DR: This paper presents two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction, and shows that by combining RNS, which is naturally suitable for parallel architectures, and lazy Reduction, the speed of pairing computation in hardware can be largely increased.
Abstract: Recently, a lot of progress has been made in the implementation of pairings in both hardware and software. In this paper, we present two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction. We show that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, which performs one reduction for multiple multiplications, the speed of pairing computation in hardware can be largely increased. The results show that both designs achieve higher speed than previous designs. The fastest version computes an optimal ate pairing at 126-bit security level in 0.573 ms, which is 2 times faster than all previous hardware implementations at the same security level.

75 citations


Book ChapterDOI
28 Sep 2011
TL;DR: In this article, the authors present two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction, which is naturally suitable for parallel architectures and performs one reduction for multiple multiplications.
Abstract: Recently, a lot of progress has been made in the implementation of pairings in both hardware and software. In this paper, we present two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction. We show that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, which performs one reduction for multiple multiplications, the speed of pairing computation in hardware can be largely increased. The results show that both designs achieve higher speed than previous designs. The fastest version computes an optimal ate pairing at 126-bit security level in 0.573 ms, which is 2 times faster than all previous hardware implementations at the same security level.

68 citations


Journal ArticleDOI
TL;DR: It is shown that a modular multiplier using the proposed algorithm achieves a higher speed compared to the modular multipliers based on the previously proposed algorithms.

38 citations


Proceedings ArticleDOI
02 May 2011
TL;DR: This work summarizes and compares the different proposed constructions and is able to identify some generalizing properties for PUFs on silicon devices.
Abstract: CMOS process variations are considered a burden to IC developers since they introduce undesirable random variability between equally designed ICs. However, it was demonstrated that measuring this variability can also be profitable as a physically unclonable method of silicon device identification. This can moreover be applied to generate strong cryptographic keys which are intrinsically bound to the embedding IC instance. This holds a number of very interesting advantages in comparison to traditional forms of secure identification and key storage. In this work, we summarize and compare the different proposed constructions and are able to identify some generalizing properties for PUFs on silicon devices.

38 citations


Book ChapterDOI
26 Jun 2011
TL;DR: The concept of RFID groups is introduced and a hierarchical RFID authentication protocol is proposed, which offers impersonation resistance and is narrow-strong privacy-preserving.
Abstract: RFID (Radio Frequency Identification) technology enables readers to scan remote RFID tags, and label the objects and people to which they are attached. Current cryptographic authentication protocols deployed in heterogeneous environments are often not compatible, or reveal too much information to the RFID readers. To tackle this problem, we introduce the concept of RFID groups and propose a hierarchical RFID authentication protocol. By using this protocol, an RFID tag can tune its identification process to the type of reader it is communicating with. Only a subset of readers can learn the identity of a particular tag, while others can only acquire information on the group to which the tag belongs. Our protocol offers impersonation resistance and is narrow-strong privacy-preserving. Furthermore, we extend the concept to multiple levels of subgroups, and demonstrate the feasibility of our proposed protocols for RFID tags.

24 citations


Proceedings ArticleDOI
14 Jun 2011
Abstract: 4th ACM Conference on Wireless Network Security, WiSec'11; Hamburg; 15 June 2011 through 17 June 2011

Proceedings ArticleDOI
14 Mar 2011
TL;DR: This paper proposes a low-cost fault detection mechanism for Elliptic Curve Scalar Multiplication (ECSM) using the López-Dahab algorithm, and significantly reduces both performance losses and area overhead compared to other methods in this scenario.
Abstract: When using Elliptic Curve Cryptography (ECC) in constrained embedded devices such as RFID tags, Lopez-Dahab's method along with the Montgomery powering ladder is considered as the most suitable method. It uses x-coordinate only for point representation, and meanwhile offers intrinsic protection against simple power analysis. This paper proposes a low-cost fault detection mechanism for Elliptic Curve Scalar Multiplication (ECSM) using the Lopez-Dahab algorithm. Introducing minimal changes to the last round of the algorithm, we make it capable of detecting faults with a very high probability. In addition, by reusing the existing resources, we significantly reduce both performance losses and area overhead compared to other methods in this scenario. This method is suitable especially for constrained devices.

Proceedings ArticleDOI
20 Jun 2011
TL;DR: This paper describes the protocol, architecture, and implementation details of an FPGA-based embedded system that is able to remotely reconfigure the FPGA, using a TCP/IP connection, in a secure way; security here means data confidentiality, explicit key authentication and data origin authentication.
Abstract: This paper describes the protocol, architecture, and implementation details of an FPGA-based embedded system that is able to remotely reconfigure the FPGA, using a TCP/IP connection, in a secure way. When considering the security aspects, we imply data confidentiality, explicit key authentication and data origin authentication. Since these aspects are overhead for the main application, the system is to be as small as possible. Therefore we have focused on compactness rather than on speed for the implementation. The implemented solution consists of two components: a communication part and a cryptographic part. The system can be easily integrated at any point in the design of an FPGA-based embedded system, due to the simple and modular architecture.

Posted Content
TL;DR: It is shown that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, which performs one reduction for more than one multiplication, the computational complexity of pairings can be largely reduced.
Abstract: In this paper, we present a high speed pairing coprocessor using the Residue Number System (RNS) and lazy reduction. We show that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, which performs one reduction for more than one multiplication, the computational complexity of pairings can be largely reduced. The design is prototyped on a Xilinx Virtex-6 FPGA, which utilizes 7023 slices and 32 DSPs, and finishes one 254-bit optimal ate pairing computation in 0.664 ms.

Journal ArticleDOI
TL;DR: This paper describes two novel architectures for a unified multiplier and inverter (UMI) in GF(2^m): the UMI merges the multiplier and the inverter into one unified data-path, and the area of the data-path is reduced.

Book ChapterDOI
01 Jan 2011
TL;DR: This paper presents a step-by-step methodology to construct a memory hierarchy on an FPGA to reuse data in on-chip buffer memories and minimize the number of accesses to off-chip memory.
Abstract: The high performance potential of an FPGA is not fully exploited if a design suffers a memory bottleneck. Therefore, a memory hierarchy is needed to reuse data in on-chip buffer memories and minimize the number of accesses to off-chip memory. Buffer memories not only hide the external memory latency, but can also be used to remap data and augment the on-chip bandwidth through parallel access of multiple buffers. This paper discusses the differences and similarities of memory hierarchies on processor- and on FPGA-based systems and presents a step-by-step methodology to construct a memory hierarchy on an FPGA.

Posted Content
TL;DR: This paper explores the design space of lightweight hash functions based on the sponge construction instantiated with present-type permutations, and proposes 13 spongent variants for different levels of collision and preimage resistance as well as for various implementation constraints.
Abstract: The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography – optimizing the algorithms to fit the most constrained environments – has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well-investigated with only few proposals in the public domain. In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with present-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants – for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, as well as study in detail dedicated linear distinguishers.

Journal Article
TL;DR: This roundtable is based on the topic of hardware security and trust, which was the focus of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST 2011) held with the 2011 Design Automation Conference.
Abstract: This roundtable is based on the topic of hardware security and trust, which was the focus of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST 2011) held with the 2011 Design Automation Conference.

Patent
17 Mar 2011
TL;DR: In this paper, the authors present a method for differential pair conductor routing in a logic circuit, by routing conductors of a first line width to obtain a first routing for a first logic library, wherein connections between the vertical and horizontal paths are provided by vias.
Abstract: Methods for differential pair conductor routing in a logic circuit. One embodiment includes a method for differential pair conductor routing in a logic circuit, by routing conductors of a first line width to obtain a first routing for a first logic library, wherein vertical and horizontal paths are separated such that vertical and horizontal conductors do not short, wherein connections between the vertical and horizontal paths are provided by vias, separating conductor paths in the first routing into differential paths by splitting the conductors of a first line width into spaced parallel conductors of a second line width, where the second line width is smaller than the first line width, separating the vias into pairs of vias, and replacing the first logic library with a differential logic library.

Proceedings ArticleDOI
05 Jun 2011
TL;DR: Using the graph representation of a design, this paper provides a simple and efficient method to detect possible C safe-errors and applies the method to two well-known exponentiation algorithms: square-and-multiply-always and the Montgomery ladder.
Abstract: This paper proposes a systematic security evaluation of cryptographic hardware against C safe-error attacks. Using the graph representation of a design, we provide a simple and efficient method to detect possible C safe-errors. Exposing possible vulnerabilities at an early stage of a design process, this method avoids costly design re-spins and reduces time-to-market. As a proof of concept, we apply the method to two well-known exponentiation algorithms: square-and-multiply-always and the Montgomery ladder.