CoProcessor Design for Crypto- Applications using Hyperelliptic Curve Cryptography



Similar documents
Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

Getting Started with Embedded System Development using MicroBlaze processor & Spartan-3A FPGAs. MicroBlaze

Architectures and Platforms

Lesson 7: SYSTEM-ON. SoC) AND USE OF VLSI CIRCUIT DESIGN TECHNOLOGY. Chapter-1L07: "Embedded Systems - ", Raj Kamal, Publs.: McGraw-Hill Education

Kirchhoff Institute for Physics Heidelberg

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Horst Görtz Institute for IT-Security

FPGAs for Trusted Cloud Computing

Hardware-Software Codesign in Embedded Asymmetric Cryptography Application a Case Study

MicroBlaze Tutorial Creating a Simple Embedded System and Adding Custom Peripherals Using Xilinx EDK Software Tools

The WIMP51: A Simple Processor and Visualization Tool to Introduce Undergraduates to Computer Organization

Offline HW/SW Authentication for Reconfigurable Platforms

ELECTENG702 Advanced Embedded Systems. Improving AES128 software for Altera Nios II processor using custom instructions

Cryptography and Network Security Chapter 10

Reconfig'09 Cancun, Mexico

CMS Level 1 Track Trigger

A NOVEL STRATEGY TO PROVIDE SECURE CHANNEL OVER WIRELESS TO WIRE COMMUNICATION

AND8336. Design Examples of On Board Dual Supply Voltage Logic Translators. Prepared by: Jim Lepkowski ON Semiconductor.

MATLAB/Simulink Based Hardware/Software Co-Simulation for Designing Using FPGA Configured Soft Processors

Best Practises for LabVIEW FPGA Design Flow. uk.ni.com ireland.ni.com

7a. System-on-chip design and prototyping platforms

Eli Levi Eli Levi holds B.Sc.EE from the Technion.Working as field application engineer for Systematics, Specializing in HDL design with MATLAB and

LogiCORE IP AXI Performance Monitor v2.00.a

Contents. System Development Models and Methods. Design Abstraction and Views. Synthesis. Control/Data-Flow Models. System Synthesis Models

Hardware and Software

Wireless Microcontrollers for Environment Management, Asset Tracking and Consumer. October 2009

Architekturen und Einsatz von FPGAs mit integrierten Prozessor Kernen. Hans-Joachim Gelke Institute of Embedded Systems Professur für Mikroelektronik

Reconfigurable System-on-Chip Design

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

Introducción. Diseño de sistemas digitales.1

Hardware Security Modules for Protecting Embedded Systems

Secure Embedded Systems eine Voraussetzung für Cyber Physical Systems und das Internet der Dinge

Side Channel Analysis and Embedded Systems Impact and Countermeasures

CFD Implementation with In-Socket FPGA Accelerators

Hardware Implementations of RSA Using Fast Montgomery Multiplications. ECE 645 Prof. Gaj Mike Koontz and Ryon Sumner

Cryptography & Network-Security: Implementations in Hardware

An Instruction Set Extension for Fast and Memory-Efficient AES Implementation

Microsemi Security Center of Excellence

Modeling a GPS Receiver Using SystemC

Technical Note. Micron NAND Flash Controller via Xilinx Spartan -3 FPGA. Overview. TN-29-06: NAND Flash Controller on Spartan-3 Overview

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

Multi-Layered Cryptographic Processor for Network Security

White Paper. Enhancing Website Security with Algorithm Agility

CSCE 465 Computer & Network Security

An Efficient Hardware Architecture for Factoring Integers with the Elliptic Curve Method

What is LOG Storm and what is it useful for?

Cryptography and Network Security

IJESRT. [Padama, 2(5): May, 2013] ISSN:

Building Blocks for PRU Development

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

Pre-tested System-on-Chip Design. Accelerates PLD Development

ECC is Ready for RFID A Proof in Silicon

International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research)

Polymorphic AES Encryption Implementation

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Cryptanalysis with a cost-optimized FPGA cluster

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

SHE Secure Hardware Extension

Vehicular Security Hardware The Security for Vehicular Security Mechanisms

CSCE 465 Computer & Network Security

Arquitectura Virtex. Delay-Locked Loop (DLL)

Codesign: The World Of Practice

Model-based system-on-chip design on Altera and Xilinx platforms

Notes on Network Security Prof. Hemant K. Soni

Performance Evaluation of AES using Hardware and Software Codesign

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Software Implementations of Elliptic Curve Cryptography

Secure Hardware PV018 Masaryk University Faculty of Informatics

Reconfigurable Architecture Requirements for Co-Designed Virtual Machines

CRYPTOGRAPHY IN NETWORK SECURITY

Open Flow Controller and Switch Datasheet

LMS is a simple but powerful algorithm and can be implemented to take advantage of the Lattice FPGA architecture.

40G MACsec Encryption in an FPGA

Table of Contents. Bibliografische Informationen digitalisiert durch

Design and Verification of Area-Optimized AES Based on FPGA Using Verilog HDL

Applying Cryptography as a Service to Mobile Applications

Implementation of Full -Parallelism AES Encryption and Decryption

System Considerations

Seeking Opportunities for Hardware Acceleration in Big Data Analytics

Design and Implementation of an On-Chip timing based Permutation Network for Multiprocessor system on Chip

All Programmable Logic. Hans-Joachim Gelke Institute of Embedded Systems. Zürcher Fachhochschule

NIOS II Based Embedded Web Server Development for Networking Applications

The implementation and performance/cost/power analysis of the network security accelerator on SoC applications

Reconfigurable Computing. Reconfigurable Architectures. Chapter 3.2

Automatized Fault Attack Emulation for Penetration Testing

Pervasive Computing und. Informationssicherheit

KEEP IT SYNPLE STUPID

IMPROVISED SECURITY PROTOCOL USING NEAR FIELD COMMUNICATION IN SMART CARDS

HMI EMBEDDED SYSTEM DESIGN AS A FUNCTION OF TECU

Development. Igor Sheviakov Manfred Zimmer Peter Göttlicher Qingqing Xia. AGIPD Meeting April, 2014

CPSC 467b: Cryptography and Computer Security

Transcription:

CoProcessor Design for Crypto- Applications using Hyperelliptic Curve Cryptography 28. Februar 2008 Alexander Klimm, Oliver Sander, Jürgen Becker Institut für Technik der Informationsverarbeitung Sylvain Subileau, Daimler AG Institut für Technik der Informationsverarbeitung

Overview Motivation Public Key Cryptography Hyperelliptic Curve Cryptography (HECC) Hardware/Software Codesign for HECC on a Xilinx FPGA Measurements and Evaluation Outlook & future Work ITIV 2008, Alexander Klimm 2

Motivation Increased need for security of embedded systems Increasing number of embedded devices cell phones, PDAs, ECUs, etc. Networks of embedded devices ECUs, ubiquitous computing, etc. Applications need secure systems chip tuning, c2x, toll systems, etc. Communication and data transfers need to be secured. Industry very cost driven Small Platforms low computation power small memory space short time-to-market ITIV 2008, Alexander Klimm 3

Motivation Public Key Cryptography (PKC) in Embedded Systems Advantages: Less storage memory for keys needed Secrets stay inside an entity If one entity is compromised the others remain still secure Easier logistics RSA standard for PKC: Long keys (1024 bit) Probably not secure enough in the future ECC & HECC: Smaller keys (163 bit) and same level of security as RSA computational intensive algorithms Goal: HECC based protocol (few patents) Acceleration of used algorithms Small hardware platform (FPGA) ITIV 2008, Alexander Klimm 4

Public-Key Cryptography Eve? Basic Crypto: Alice encrypts a message with a key. Alice m c m Bob Bob decrypts the received cyphertext with his key that matches the encryption key. E(m)=c D(c)=m Disadvantage: Alice needs a key for every possible communication partner. Alice Bob Public-Key Crypto: m c m All encryption-keys are public. E e (m)=c D d (c)=m? Only Bob can decrypt a message that is meant for him with his secret private key. Eve ITIV 2008, Alexander Klimm 5

Elliptic Curves - PointAdd - P+Q = R P+(-P) = O O: defined as Point of Infinity Quelle: Certicom Corp. ITIV 2008, Alexander Klimm 6

HECC Hyperelliptic Curve Cryptography - PointAdd - 2 5 C2 : v = u 5u + 4u + 3 3 ITIV 2008, Alexander Klimm 7

HW/SW Codesign - Design Approach - HECC Implementations so far only in SW Addition Inversion Software Protocol Scalar Mult. HECC Arithmetic PointAdd PointDouble GF2N Arithmetic Multiplication Multiplication MAC MAC Hardware SW Implementions are too slow: Duration of one Scalar Multiplication: Freescale Star12 (16 Bit, 16 MHz): > 5000 ms PowerPC (32 Bit, 80 MHz): > 500 ms Optimized Code ca. 100 ms Goal: 50 ms Implementation on MicroBlaze (32 Bit, 33 MHz) and outsourcing of time-consuming calculations to HW Evaluation of performance and adaptation of HW/SW ITIV 2008, Alexander Klimm 8

System Components FPGA Gatewayplatform Spartan3-5000 (33 MHz) Microcontroller MicroBlaze (32 bit) OPB Bus Microcontroller opb_uartlite Output of Data to PC (i.e. Testlogs) Counter_verylight Co-Processor opb_gpio: LED Debug outputs Counter-verylight a precise Counter to count the system s clock-cycles opb_gpio LED opb_uartlite RS232 ITIV 2008, Alexander Klimm 9

CoProzessordesign - Hardware Modules - Hardware Units used: GF(2 n ) Multiplier - MALUd1 Operand A 83 GF-Add (XOR-Logic of two 83 Bit input signals) MAC (Multiply-Accumulate) Operand B MULTIPLY MALUd1 MAC Unit 83 Operand C 83 ADD 83 Result ITIV 2008, Alexander Klimm 10

MALUd1 - Setup - GF2n Multiplication - Shift&Add Algorithm with simultaneous reduction of result Setup of module Cell Reduction by adding a reduction polynom (hardcoded, XOR) a_i b(4) b(3) b(2) b(1) b(0) t_next(4) t_next(3) t_next(2) t_next(1) t_next(0) t(5) t(4) p(4) t(3) p(3) t(2) p(2) t(1) p(1) t(0) p(0) ITIV 2008, Alexander Klimm 11

Connection of Peripherals to the MicroBlaze Vergleich der Varianten bzgl. Implementierung MicroBlaze ALU (FIFO), zeit, strom Entschlüsselte Daten Instructions Register 32x32 Data-side bus interface OPB CoProzessor (Option A) Interface options a) On-Chip Peripheral Bus (OPB) b) Fast Simplex Link (FSL) FSL1 FSL2 CoProzessor (Option B) ITIV 2008, Alexander Klimm 12

Tradeoff: Performance vs. Secure System Vergleich der Varianten bzgl. Implementierung MicroBlaze ALU (FIFO), zeit, strom Entschlüsselte Daten Instructions FSL1 Register 32x32 FSL2 Data-side bus interface OPB CoProzessor Processor Software Algorithms Peripheral System Busses Memory Implementation CoProzessor SIDECHANNEL AWARENESS! ITIV 2008, Alexander Klimm 13

Interface MAC/MicroBlaze via OPB -Overview- MicroBlaze ALU Reg Option B Option A MicroBlaze (OPB Master) OPB_Mult2 (OPB Slave) IPIF interface USER_LOGIC_I (user_logic.vhd) FSM: Data Control MAC (MALUd1.vhd + XOR Logic) Registers are accessible (read/write) by Software. Busprotocol is implemented by IPIF. Function of Slave is implemented in user_logic.vhd. OPB Register for Operand A Register for Operand B Register for Operand C Register for Result ITIV 2008, Alexander Klimm 14

Interface Multiplier/MicroBlaze via FSL -Overview- MicroBlaze ALU Reg Option A MicroBlaze fsl_hwa fsl_interface (user_logic.vhd) Option B FSL0 FSM: Data Control MULTIPLY FIFO Register for Operand A Data transfer over two FIFO, embedded into the MicroBlaze. Dataflow Control in User Logic FSL1 Register for Operand B Register for Result ITIV 2008, Alexander Klimm 15

Comparision of Basic GF Operations 300 Very high benefit for GF- Multiplication 250 Almost no gain for GF-Addition # clk 200 150 MAC Unit beneficial for PointAdd/-Double operations 100 50 0 Software OPB FSL FSL-MAC gf-add (u1+u2) 93 85 not implemented not implemented gf-mult (u1*u2) 12391 168 131 131 ITIV 2008, Alexander Klimm 16

Communication-Overhead GF-Multiplication: 180 160 140 120 100 80 60 40 20 0 OPB- Interface FSL- Interface Communication MicroBlaze-HW internal Datatransfer Multiplication OPB : 50% of processing time needed for communication between MicroBlaze and HW. FSL : over 30% of processing time needed for communication between MicroBlaze and HW. ITIV 2008, Alexander Klimm 17

Speed Measurement - Comparison Point Add/Point Double & Scalar Multiplication - 100 90 80 70 ms 60 50 40 max. time 30 20 10 0 Software OPB-Mul OPB-MAC FSL-MUL FSL-MAC hecc-pointadd 30,276 14,014 13,981 13,959 13,925 hecc-pointdouble 25,343 13,591 13,571 13,55 13,529 hecc-scalarmult ITIV 2008, Alexander Klimm 2789 62,39 57,479 53,981 48,858 18

Resources Used on FPGA Platform - Spartan 500 E - Spartan5000 Spartan1000 Spartan500E MicroBlaze UART-RS232 Other Peripherals CoProcessor Counter_verylight GF_MUL (OPB) Available Resources Spartan3E S500 ft 256-4: 4656 Slices, 9312 FF, 9312 LUTs, Used Resources MicroBlaze: 1020 Slices, 811 FF, 1597 4 input LUTs CoProzessor: 517 Slices, 509 FF, 920 4 input LUTs UART - RS232 (OPB): 258 Slices, 277 FF, 438 4 input LUTs Counter_verylight: 188 Slices, 211 FF, 298 4 input LUTs ITIV 2008, Alexander Klimm 19

Summary Goals reached: Time Constraints are met if FSL interfacing is employed. Minimal resources are used. System can be implemented on a fairly small FPGA (Spartan 500E). Evaluation: FSL Interface fast, but FIFOs tend to be very power consuming. OPB Interface too slow to meet timing requirements. Next Steps: Evaluation of the systems security (Side-Channels). Optimization of SW, and CoProzessor. ITIV 2008, Alexander Klimm 20

Future Work Architectures CoProcessor PicoBlaze NiosII FPGA Security Storage of secrets, secure memory on FPGAs avoidance of unauthorized access to FPGA and/or its bitstream How are known side-channel attacks a danger to FPGA implementation? Countermeasures against security threats ITIV 2008, Alexander Klimm 21

Thank you for your attention. Any Questions? Alexander Klimm Universität Karlsruhe (TH) ITIV (Institut für Technik der Informationsverarbeitung ) email: klimm@itiv.uni-karlsruhe.de ITIV 2008, Alexander Klimm 22