Cuauhtemoc Mancillas-López
CINVESTAV
Publications
Featured research published by Cuauhtemoc Mancillas-López.
IEEE Transactions on Computers | 2010
Cuauhtemoc Mancillas-López; Debrup Chakraborty; Francisco Rodríguez Henríquez
Tweakable enciphering schemes are length-preserving block cipher modes of operation that provide a strong pseudorandom permutation. It has been suggested that these schemes can be used as the main building blocks for achieving in-place disk encryption. In the past few years, there has been intense research activity toward constructing secure and efficient tweakable enciphering schemes. But actual experimental performance data of these newly proposed schemes are yet to be reported. In this paper, we present optimized FPGA implementations of six tweakable enciphering schemes, namely, HCH, HCTR, XCB, EME, HEH, and TET, using a 128-bit AES core as the underlying block cipher. We report the performance timings of these modes when using both pipelined and sequential AES structures. The universal polynomial hash function included in the specification of HCH, HCHfp (a variant of HCH), HCTR, XCB, TET, and HEH was implemented using a Karatsuba multiplier as the main building block. We provide a detailed algorithmic analysis of each of the schemes, trying to exploit their inherent parallelism as much as possible. Our experiments show that a sequential AES core is not an attractive option for the design of these modes, as it leads to rather poor throughput. In contrast, according to our place-and-route results on a Xilinx Virtex 4 FPGA, our designs achieve a throughput of 3.95 Gbps for HEH when using an encryption/decryption pipelined AES core, and a throughput of 5.71 Gbps for EME when using an encryption-only pipelined AES core. The performance results reported in this paper provide experimental evidence that hardware implementations of tweakable enciphering schemes can actually match and even outperform the data rates achieved by state-of-the-art disk controllers, thus showing that they might be used for achieving provably secure in-place hard disk encryption.
IEEE Transactions on Computers | 2013
Debrup Chakraborty; Cuauhtemoc Mancillas-López; Francisco Rodríguez-Henríquez; Palash Sarkar
A new class of polynomials was introduced by Bernstein (Bernstein 2007), which were later named by Sarkar as Bernstein-Rabin-Winograd (BRW) polynomials (Sarkar 2009). For the purpose of authentication, BRW polynomials offer a considerable computational advantage over usual polynomials: (m - 1) multiplications for usual polynomial hashing versus ⌊m/2⌋ multiplications and ⌈log2 m⌉ squarings for BRW hashing, where m is the number of message blocks to be authenticated. In this paper, we develop an efficient pipelined hardware architecture for computing BRW polynomials. The BRW polynomials have a nice recursive structure which is amenable to parallelization. While exploring efficient ways to exploit the inherent parallelism in BRW polynomials, we discover some interesting combinatorial structural properties of such polynomials. These are used to design an algorithm that decides the order of the multiplications so as to minimize pipeline delays. Using the nice structural properties of the BRW polynomials, we present a hardware architecture for efficient computation of BRW polynomials. Finally, we provide implementations of the tweakable enciphering schemes proposed in Sarkar 2009 which use BRW polynomials. This leads to the fastest known implementation of disk encryption systems.
International Conference on Progress in Cryptology | 2007
Cuauhtemoc Mancillas-López; Debrup Chakraborty; Francisco Rodríguez-Henríquez
We present optimized FPGA implementations of three tweakable enciphering schemes, namely, HCH, HCTR and EME, using AES-128 as the underlying block cipher. We report performance timings and hardware resources occupied by these three modes when using a fully pipelined AES core and a sequential AES design. Our experimental results suggest that, in terms of area, HCTR, HCH and HCHfp (a variant of HCH) require more area than EME. However, HCTR performs the best in terms of speed, followed by HCHfp, EME and HCH.
IEEE Transactions on Computers | 2016
Lilian Bossuet; Nilanjan Datta; Cuauhtemoc Mancillas-López; Mridul Nandi
Authenticated encryption schemes which resist misuse of the nonce at some desired level of privacy are either two-pass or MAC-then-Encrypt constructions (inherently inefficient, but providing full privacy) or online constructions like McOE, sponge-type authenticated encryptions (such as duplex) and COPA. Only the last one is almost parallelizable, except that for associated data processing the final block-cipher call is sequential (it needs to wait for the encryption of all the previous ones). In this paper, we design a new online secure authenticated encryption, called ELmD or Encrypt-Linear mix-Decrypt, which is completely (two-stage) parallel (even in associated data) and fully pipeline implementable. It also provides full privacy when associated data is not repeated. Like COPA, our construction is based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). But unlike EME, we have used an online computable, efficient linear mixing instead of a non-linear mixing. We have also provided the hardware implementation of the construction and compared its performance with similar constructions like COPA and EME2.
IEEE Transactions on Computers | 2015
Debrup Chakraborty; Cuauhtemoc Mancillas-López; Palash Sarkar
The problem of securing data present on USB memories and SD cards has not been adequately addressed in the cryptography literature. While the formal notion of a tweakable enciphering scheme (TES) is well accepted as the proper primitive for secure data storage, the real challenge is to design a low-cost TES which can perform at the data rates of the targeted memory devices. In this work, we provide the first answer to this problem. Our solution, called STES, combines a stream cipher with an XOR universal hash function. The security of STES is rigorously analyzed in the usual manner of the provable security approach. By carefully defining appropriate variants of the multi-linear hash function and the pseudo-dot product based hash function, we obtain controllable trade-offs between area and throughput. We combine the hash function with the recent hardware-oriented stream ciphers Mickey, Grain and Trivium. Our implementations are targeted towards two low-cost FPGAs, the Xilinx Spartan 3 and the Lattice ICE40. Simulation results demonstrate that the speeds of encryption/decryption match the data rates of different USB and SD memories. We believe that our work opens up the possibility of actually putting FPGAs within the controllers of such memories to perform low-level in-place encryption.
Microprocessors and Microsystems | 2016
Alberto F. Martínez-Herrera; Cuauhtemoc Mancillas-López; J. Carlos Mex-Perera
In some scenarios, the cryptographic primitives should support more than one functionality. Authenticated Encryption/Verified Decryption (AEVD) combines encryption and authentication at the same time, which is useful in communication protocols (DNS, IPSEC, etc.). Nevertheless, authenticated encryption needs some optimizations to ensure fast performance. One solution could be the use of the Galois Counter Mode (GCM) scheme. To reach fast performance, this work broadens some GCM models described in the work of Chakraborty et al. (D. Chakraborty, C. Mancillas-López, F. Rodríguez-Henríquez, P. Sarkar, Efficient hardware implementations of BRW polynomials and tweakable enciphering schemes, IEEE Trans. Comput. 62 (2) (2013) 279-294, doi:10.1109/TC.2011.227) with two changes. The first one is focused on speeding up the polynomial multiplier necessary to perform the authentication process. That polynomial multiplier is extended to support four stages, based on the well-known Karatsuba-Ofman algorithm. The second one is the modification of two known block ciphers, Camellia-128 and SMS4, to work with the GCM scheme. The constructed GCM is able to support variable-length messages greater than 512 bits. The throughput of the polynomial multiplier is greater than 28 Gbps for all the tested platforms. The independent block ciphers in encryption-only mode reach a throughput greater than 28 Gbps, and for all the GCM cases reported in this manuscript the throughput is greater than 9.5 Gbps.
International Conference on Information Systems Security | 2009
Cuauhtemoc Mancillas-López; Debrup Chakraborty; Francisco Rodríguez-Henríquez
Tweakable enciphering schemes are a certain type of block-cipher mode of operation which provide security in the sense of a strong pseudo-random permutation. It has been proposed that these types of modes are suitable for in-place disk encryption. Currently there are many proposals available for these schemes. EME is one of the efficient candidates in this category. EME2 is a derivative of EME which is currently one of the candidates of a draft standard for wide block modes by the IEEE working group on storage security. We show some weaknesses of these two modes assuming that some side channel information is available.
International Conference on Electrical and Electronics Engineering | 2006
Saúl Zapotecas-Martínez; Cuauhtemoc Mancillas-López; Francisco Rodríguez-Henríquez; Nareli Cruz-Cortés
In this paper we describe the main arithmetic building blocks needed for implementing the Lenstra factorization algorithm on a reconfigurable hardware platform. Lenstra's method is utilized here for factorizing 32-bit composite numbers of the form n = p·q, with p, q prime numbers. Our design was implemented on a Xilinx Virtex 2 FPGA device. It can operate at a maximum clock frequency of 87 MHz, occupying a total of 6868 slices.
Nonlinear Dynamics | 2017
Luis Gerardo de la Fraga; Esteban Torres-Pérez; Esteban Tlelo-Cuautle; Cuauhtemoc Mancillas-López
IACR Cryptology ePrint Archive | 2007
Cuauhtemoc Mancillas-López; Debrup Chakraborty; Francisco Rodríguez-Henríquez