Bohan Yang
Katholieke Universiteit Leuven
Publication
Featured research published by Bohan Yang.
Science in China Series F: Information Sciences | 2015
Wentao Zhang; Zhenzhen Bao; Dongdai Lin; Vincent Rijmen; Bohan Yang; Ingrid Verbauwhede
In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bit-slice techniques. RECTANGLE uses an SP-network. The substitution layer consists of 16 4×4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environments, which provides enough flexibility for different application scenarios. The following are the 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1600 gates for a throughput of 246 Kbits/s at a 100 kHz clock and an energy efficiency of 3.0 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 3.9 cycles/byte for messages around 3000 bytes. Last but not least, we propose new design criteria for the RECTANGLE S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis shows that the highest number of rounds that we can attack is 18 (out of 25).
Abstract (key contributions): This paper proposes a new lightweight block cipher, RECTANGLE. RECTANGLE has the following 4 features: (1) a good security margin against mathematical attacks; (2) it is easy to protect against side-channel attacks; (3) its design is based on bit-slice techniques and admits good hardware and software implementations; (4) we publish the design criteria of RECTANGLE. For the selection of the RECTANGLE S-box, we propose new design criteria; the design of the RECTANGLE P permutation is also critical: it consists of only 3 rotations and suits both hardware and software implementation; the combination of the S-box and the P permutation gives the overall cipher very weak clustering of differential/linear trails, so that RECTANGLE achieves a very good tradeoff between security and implementation efficiency.
Conference on Data and Application Security and Privacy | 2016
Eduard Marin; Dave Singelée; Bohan Yang; Ingrid Verbauwhede; Bart Preneel
This paper analyses the security and privacy properties of a widely used insulin pump and its peripherals. We eavesdrop on the wireless channel using Commercial Off-The-Shelf (COTS) software-based radios to intercept the messages sent between these devices; fully reverse-engineer the wireless communication protocol using a black-box approach; and document the message format and the protocol state machine in use. The upshot is that no standard cryptographic mechanisms are applied, and hence the system is shown to be completely vulnerable to replay and message injection attacks. Furthermore, sensitive patient health-related information is sent unencrypted over the wireless channel. Motivated by the results of our attacks, we study the feasibility of applying cryptography to protect the data transmitted over the air and prevent unauthorized access to the insulin pump. We present a solution based on AES in combination with an updated message format optimized for energy consumption. We implement our solution on a 16-bit microcontroller and evaluate its security properties and energy requirements. Finally, we discuss potential strategies for further reducing the energy consumption.
Design, Automation and Test in Europe | 2016
Ruan de Clercq; Ronald De Keulenaer; Bart Coppens; Bohan Yang; Pieter Maene; Koen De Bosschere; Bart Preneel; Bjorn De Sutter; Ingrid Verbauwhede
Microprocessors used in safety-critical systems are extremely sensitive to software vulnerabilities, as their failure can lead to injury, damage to equipment, or environmental catastrophe. This paper proposes a hardware-based security architecture for microprocessors used in safety-critical systems. The proposed architecture provides protection against code injection and code reuse attacks. It has mechanisms to protect software integrity, perform control flow integrity, prevent execution of tampered code, and enforce copyright protection. We are the first to propose a mechanism to enforce control flow integrity at the finest possible granularity. The proposed architectural features were added to the LEON3 open source soft microprocessor, and were evaluated on an FPGA running a software benchmark. The results show that the hardware area is 28.2% larger and the clock is 84.6% slower, while the software benchmark has a cycle overhead of 13.7% and a total execution time overhead of 110% when compared to an unmodified processor.
Design, Automation and Test in Europe | 2016
Bohan Yang; Vladimir Rozic; Nele Mentens; Wim Dehaene; Ingrid Verbauwhede
We present a design methodology for embedded tests of entropy sources. These tests are necessary to detect attacks and failures of true random number generators. The central idea of this work is to use an empirical design methodology consisting of two phases: collecting the data under attack and finding a useful statistical feature. In this work we focus on statistical features that are implementable in lightweight hardware. This is the first paper to address the design of on-the-fly tests based on the attack effects. The presented design methodology is illustrated with 2 examples: an elementary ring-oscillator based TRNG and a carry-chain based TRNG. The effectiveness of the tests was confirmed on FPGA prototypes.
International Symposium on Circuits and Systems | 2015
Bohan Yang; Vladimir Rozic; Nele Mentens; Ingrid Verbauwhede
Hardware implementations of statistical tests are needed to detect failures and statistical weaknesses of entropy sources in True Random Number Generators on the fly. Current implementations of these tests work under the assumption that the entropy source produces independent, identically distributed (IID) numbers. However, some entropy sources produce non-IID data and rely on compression to provide the full entropy. Currently there are no embedded test implementations suitable for this type of entropy source. We provide the first FPGA implementation of embedded tests that estimate the generated min-Entropy and verify if it is within the expected boundaries.
Design Automation Conference | 2015
Vladimir Rozic; Bohan Yang; Wim Dehaene; Ingrid Verbauwhede
True random number generators are essential components in cryptographic hardware. In this work, a novel entropy extraction method is used to improve the throughput of jitter-based true random number generators on FPGA. By utilizing the ultra-fast carry-logic primitives available on most commercial FPGAs, we have improved the efficiency of the entropy extraction, thereby increasing the throughput while maintaining a compact implementation. Design steps and techniques are illustrated on an example of a ring-oscillator based true random number generator on a Spartan-6 FPGA. In this design, the required accumulation time is reduced by 3 orders of magnitude compared to the most efficient oscillator-based TRNG on the same FPGA. The presented implementation occupies only 67 slices, achieves a throughput of 14.3 Mbps, and comes with a formal evaluation of its security.
Parallel Problem Solving from Nature | 2016
Stjepan Picek; Dominik Sisejkovic; Vladimir Rozic; Bohan Yang; Domagoj Jakobovic; Nele Mentens
Random number generators (RNGs) play an important role in many real-world applications. Besides true hardware RNGs, one important class is deterministic random number generators. Such generators do not possess the unpredictability of true RNGs, but are still widely used. For a deterministic RNG to be used in cryptography, it needs to fulfill a number of conditions related to speed, security, and ease of implementation. In this paper, we investigate how to evolve deterministic RNGs with Cartesian Genetic Programming. Our results show that such evolved generators easily pass all randomness tests and are extremely fast and small in hardware.
Design, Automation and Test in Europe | 2015
Bohan Yang; Vladimir Rozic; Nele Mentens; Wim Dehaene; Ingrid Verbauwhede
We present a HW/SW platform for on-the-fly detection of failures and weaknesses in entropy sources. By splitting the operations between hardware and software, we achieve sufficient flexibility to control the level of significance of the tests. This approach also enables sharing resources between different tests, thereby reducing the area and power. Statistical tests were selected from the NIST test suite. We propose several versions of hardware co-processors for monitoring random bit sequences, ranging from 52 slices (5 tests) to 552 slices (9 tests) on a Spartan-6 FPGA. We are the first to provide implementations of the Serial test and the Approximate Entropy test for on-the-fly monitoring.
Computing Frontiers | 2017
Stjepan Picek; Luca Mariot; Bohan Yang; Domagoj Jakobovic; Nele Mentens
The aim of this paper is to find cellular automata (CA) rules that can be used to describe S-boxes with good cryptographic properties and low implementation cost. Up to now, CA rules have been used in several ciphers to define an S-box, but in all those ciphers the same CA rule is used. This CA rule is best known as the one defining the Keccak χ transformation. Since there exists no straightforward method for constructing CA rules that define S-boxes with good cryptographic/implementation properties, we use a special kind of heuristic for that: Genetic Programming (GP). Although it is not possible to theoretically prove the efficiency of such a method, our experimental results show that GP is able to find a large number of CA rules that define good S-boxes in a relatively easy way. We focus on the 4×4 and 5×5 sizes, and we implement the S-boxes in hardware to examine implementation properties like latency, area, and power. Particularly interesting is the internal encoding of the solutions in the considered heuristics using combinatorial circuits; this makes it easy to approximate S-box implementation properties like latency and area a priori.
Smart Card Research and Advanced Application Conference | 2016
Stjepan Picek; Bohan Yang; Vladimir Rozic; Jo Vliegen; Jori Winderickx; Thomas De Cnudde; Nele Mentens
This paper proposes the use of evolutionary computation for the design and optimization of lightweight Pseudo Random Number Generators (PRNGs). In this work, we focus on PRNGs that are suitable for generating masks and secret shares. Such generators should be lightweight and have a high throughput with good statistical properties. As a proof of concept, we present three novel hardware architectures that have an increasing level of prediction resistance and an increasing level of reconfigurability at run-time. We evaluate the three architectures on Zynq, Virtex-6, and ASIC platforms and compare the occupied resources and the throughput of the obtained designs. Finally, we use the Spartan-6 platform for the evaluation of a masked implementation where the masks are obtained via our PRNG.