Jen-Wei Lee

Efficient Power-Analysis-Resistant Dual-Field Elliptic Curve Cryptographic Processor Using Heterogeneous Dual-Processing-Element Architecture

Elliptic curve cryptography (ECC) for portable applications is in high demand to ensure secure information exchange over wireless channels. Because of the high computational complexity of ECC functions, dedicated hardware architecture is essential to provide sufficient ECC performance. Besides, crypto-ICs are vulnerable to side-channel information leakage because the private key can be revealed via power-analysis attacks. In this paper, a new heterogeneous dual-processing-element (dual-PE) architecture and a priority-oriented scheduling of right-to-left double-and-add-always EC scalar multiplication (ECSM) with randomized processing technique are proposed to achieve a power-analysis-resistant dual-field ECC (DF-ECC) processor. For this dual-PE design, a memory hierarchy with local memory synchronization scheme is also exploited to improve data bandwidth. Fabricated in a 90-nm CMOS technology, a 0.4- mm2 160-b DF-ECC chip can achieve 0.34/0.29 ms 11.7/9.3 μJ for one GF(p)/GF(2m) ECSM. Compared to other related works, our approach is advantageous not only in hardware efficiency but also in protection against power-analysis attacks.

A high-performance elliptic curve cryptographic processor over GF(p) with SPA resistance

In order to support high speed application such as cloud computing, we propose a new elliptic curve cryptographic (ECC) processor architecture. The proposed processor includes a 3 pipelined-stage full-word Montgomery multiplier which requires much fewer execution cycles than that of previous methods. To reach real-time requirement, the time-cost pre-computation steps of Montgomery modular multiplication are achieved by hardware as well. Moreover, our proposed processor is resistant to the simple power analysis (SPA) attack by using the Montgomery ladder-based elliptic curve scalar multiplication (ECSM). Even the Montgomery ladder method inherently has operation overhead compared with traditional binary ECSM, both of hardware sharing and parallelization techniques are exploited to improve the hardware performance. Synthesized in TSMC 90nm CMOS technology, our proposed ECC processor performs a 256-bit ECSM in 120µs over prime field with 540K gate counts. This result is at least 25% better than relative works in terms of area-time (AT) product.

A 521-bit dual-field elliptic curve cryptographic processor with power analysis resistance

Recently, several hardware implementations for elliptic curve cryptography have been proposed but few of them considered the dual-field functions, real-time requirement, hardware efficiency, and power analysis resistance as a whole. In this paper, a new unified division algorithm and a free pre-computation scheme are introduced to accelerate the GF(p)/GF(2n) elliptic curve arithmetic functions. The overall hardware is optimized by a very compact Galois field arithmetic unit with the fully pipelined technique. Moreover, a key-blinded technique with regular calculation is designed against the power analysis attacks without degrading clock speed. After fabricated in 90nm CMOS 1P9M process, our ECC processor occupied 0.55mm2 can perform the scalar multiplication in 19.2ms over GF(p521) and 8.2ms over GF(2409), respectively.

An Efficient DPA Countermeasure With Randomized Montgomery Operations for DF-ECC Processor

Nowadays, differential power-analysis (DPA) attacks are a serious threat for cryptographic systems due to the inherent existence of data-dependent power consumption. Hiding power consumption of encryption circuit or applying key-blinded techniques can increase the security against DPA attacks, but they result in a large overhead for hardware cost, execution time, and energy dissipation. In this brief, a new DPA countermeasure performing all field operations in a randomized Montgomery domain is proposed to eliminate the correlation between target and reference power traces. After implemented in 90-nm CMOS process, our protected 521-bit dual-field elliptic curve (EC) cryptographic processor can perform one EC scalar multiplication in 8.08 ms over and 4.65 ms over , respectively, with 4.3% area and 5.2% power overhead. Experiments from a field-programmable gate array evaluation board demonstrate that the private key of unprotected device will be revealed within power traces, whereas the same attacks on our proposal cannot successfully extract the key value even after measurements.

An efficient countermeasure against correlation power-analysis attacks with randomized montgomery operations for DF-ECC processor

Correlation power-analysis (CPA) attacks are a serious threat for cryptographic device because the key can be disclosed from data-dependent power consumption. Hiding power consumption of encryption circuit can increase the security against CPA attacks, but it results in a large overhead for cost, speed, and energy dissipation. Masking processed data such as randomized scalar or primary base point on elliptic curve is another approach to prevent CPA attacks. However, these methods requiring pre-computed data are not suitable for hardware implementation of real-time applications. In this paper, a new CPA countermeasure performing all field operations in a randomized Montgomery domain is proposed to eliminate the correlation between target and reference power traces. After implemented in 90-nm CMOS process, our protected 521-bit dual-field elliptic curve cryptographic (DF-ECC) processor can perform one elliptic curve scalar multiplication (ECSM) in 4.57ms over GF(p521) and 2.77ms over GF(2409) with 3.6% area and 3.8% power overhead. Experiments from an FPGA evaluation board demonstrate that the private key of unprotected device will be revealed within 103 power traces, whereas the same attacks on our proposal cannot successfully extract the key value even after 106 measurements.

A dual-field elliptic curve cryptographic processor with a radix-4 unified division unit

To enhance the data security in network communications, this paper presents a dual-field elliptic curve cryptographic processor (DECP) supporting all finite field operations and elliptic curve (EC) functions. Based on the fast radix-4 unified division algorithm, the execution time can be significantly reduced by a factor of three. By exploiting the hardware sharing and the ladder selection techniques, the proposed 160-bit and 256-bit DECP can have competitive execution cycle with only 0.29mm2 and 0.45mm2 silicon area in 90nm CMOS technology. In addition, the operating frequency in dual field can be increased by applying the data-path separation method and the degree checker. Our proposed DECP is over 2∼6 times better in area-time product than relative works.

A new MOSFET hot carrier model in SPICE feasible for VLSI reliability analysis

A newly-developed SPICE-compatible submicron LDD MOS transistor model for simulating the hot electron effect in VLSI circuit is proposed. It includes a consistent DC (I-V) and hot electron induced degradation model. Experiment measurement, parameter extraction and optimization were performed to obtain a new set of drain- and substrate-current under both DC- and AC-stress conditions. Incorporation of the above model equations in SPICE has been made. In addition, hot electron induced degradation effect and the reliability analysis in a circuit simulation environment are demonstrated with practical examples.<<ETX>>

Processor with side-channel attack resistance

Public-key cryptosystems (Fig. 3.3.1) have been widely developed for ensuring the security of information exchange in network communications, financial markets, private data storage, and personal identification devices. In contrast to the well-known RSA algorithm, elliptic curve cryptography (ECC) provides the same security level with a shorter key size. As specified in IEEE P1363 (Standard Specifications for Public Key Cryptography), ECC arithmetic is required to provide not only dual-field operations over GF(p) and GF(2m) but also arbitrary elliptic curves (EC) for different requirements, such as encryption, signature, and key exchange. In this paper, a solution supporting a 521b key size is proposed to accelerate the most time-critical elliptic curve scalar multiplication (ECSM). It computes multiple points KP = P + P + ... + P, where K is the private key and P is an EC point. In addition, side-channel attack resistance is implemented to prevent information leakage from simple power-analysis (SPA), differential power-analysis (DPA) [1], zero-value point (ZVP) [2], and doubling attacks [3].

Efficient Hardware Architecture of

To support emerging pairing-based protocols related to cloud computing, an efficient algorithm/hardware codesign methodology of ηT pairing over characteristic three is presented. By mathematical manipulation and hardware scheduling, a single Millers loop can be executed within 17 clock cycles. Furthermore, we employ torus representation and exploit the Frobenius map to lower the computation cost of final exponentiation. Pipelining and parallelization datapath are also exploited to shorten the critical path delay. Finally, by choosing suitable multiplier architecture and selecting an appropriate number of multipliers, Millers loop and final exponentiation can be computed in a fully pipelined manner. With these schemes, a test chip for the proposed pairing accelerator has been fabricated in 90-nm CMOS 1P9M technology with a core area of 1.52 × 0.97 mm2. It performs a bilinear pairing computation over F(397) in 4.76 μs under 1.0 V supply and achieves 178% improvement to relative works in terms of area-time (AT) product. To support higher level of security, a 126-bit secure pairing accelerator that can complete a bilinear pairing computation over F(3709) in 36.2 μs is implemented and this result is at least 31% better than relative works in terms of AT product.

\eta_{T}

A lightly doped drain (LDD) MOS device model for circuit simulation in SPICE is described. UNI-MOS includes a consistent set of DC (I-V), AC (C-V), and hot electron degradation effect models. For the I-V and C-V models, results for achieving accurate and computationally efficient models of both conventional and LDD MOSFETs with submicron channel length are described. Strategies for implementing the hot electron effect in the circuit simulator for predicting the lifetime of a device or circuit in a VLSI environment are demonstrated.<<ETX>>