Jo Vliegen

A compact FPGA-based architecture for elliptic curve cryptography over prime fields

This paper proposes an FPGA-based application-specific elliptic curve processor over a prime field. This research targets applications for which compactness is more important than speed. To obtain a small datapath, the FPGAs dedicated multipliers and carry-chain logic are used and no parallellism is introduced. A small control unit is obtained by following a microcode approach, in which the instructions are stored in the FPGAs Block RAM. The use of algorithms that prevent Simple Power Analysis (SPA) attacks creates an extra cost in latency. Nevertheless, the created processor is flexible in the sense that it can handle all finite field operations over 256-bit prime fields and all elliptic curves of a specified form. The comparison with other implementations on the same generation of FPGAs learns that our design occupies the smallest area.

Secure remote reconfiguration of an FPGA-based embedded system

This paper describes the protocol, architecture, and implementation details of an FPGA-based embedded system that is able to remotely reconfigure the FPGA, using a TCP/IP connection, in a secure way. When considering the security aspects, we imply data confidentiality, explicit key authentication and data origin authentication. Since these aspects are overhead for the main application, the system is to be as small as possible. Therefore we have focused on compactness rather than on speed for the implementation. The implemented solution exists out of 2 components: a communication part and a cryptographic part. The system can be easily integrated at any point in the design of an FPGA-based embedded system, due to the simple and modular architecture.

Side-channel evaluation of FPGA implementations of binary Edwards curves

Bernstein and Lange recently proposed to use Edwards coordinates for ECC (Elliptic Curve Cryptography). They claimed them to be more efficient, not only in terms of operation count but also in terms of side-channel security. The latter is thanks to unified point addition and doubling. This work takes on this claim about improved side-channel security of Edwards curves using unified formulas. Our analysis targets an implementation of Edwards curves with a random order execution countermeasure on a Virtex-II Pro FPGA. We find that the random order execution countermeasure increases the resistance against common DPA attacks, but not against PCA (Principal Component Analysis).

Secure, Remote, Dynamic Reconfiguration of FPGAs

With the widespread availability of broadband Internet, Field-Programmable Gate Arrays (FPGAs) can get remote updates in the field. This provides hardware and software updates, and enables issue solving and upgrade ability without device modification. In order to prevent an attacker from eavesdropping or manipulating the configuration data, security is a necessity. This work describes an architecture that allows the secure, remote reconfiguration of an FPGA. The architecture is partially dynamically reconfigurable and it consists of a static partition that handles the secure communication protocol and a single reconfigurable partition that holds the main application. Our solution distinguishes itself from existing work in two ways: it provides entity authentication and it avoids the use of a trusted third party. The former provides protection against active attackers on the communication channel, while the latter reduces the number of reliable entities. Additionally, this work provides basic countermeasures against simple power-oriented side-channel analysis attacks. The result is an implementation that is optimized toward minimal resource occupation. Because configuration updates occur infrequently, configuration speed is of minor importance with respect to area. A prototype of the proposed design is implemented, using 5,702 slices and having minimal downtime.

A single-chip solution for the secure remote configuration of FPGAs using bitstream compression

This paper presents a system that allows the secure remote configuration of an FPGA, which is assumed to be the only device in the secure zone. This means that no security critical information passes over the borders of the FPGA chip, reducing the opportunities for an attacker to break the system. In particular, bitstream compression in combination with partial reconfiguration is used to avoid the use of an external memory for the storage of the bitstream. Additionally there is no need for an external processor for the transfer of the bitstream. Nevertheless, our solution contains a mechanism that verifies the integrity of the complete bitstream before starting the configuration. This prevents attempts to load unqualified bitstreams and reduces the downtime. The integrity check, the decryption, the authentication of the origin and the freshness check of the bitstream are performed inside the FPGA while its current configuration is still active. The contribution of this work is that it presents the first complete working system for the secure remote configuration of FPGAs, consisting of a single FPGA chip and an initiating server, given that the integrity of the complete bitstream is verified before configuration. This paper gives details on the overall system and the FPGA architecture, which have been implemented and tested.

Hardware Strengthening a Distributed Logging Scheme

In the online world, service providers allow users to upload data to be stored or processed. In some cases, privacy will become an essential feature. Sensitive content can be the data provided to or the services used at the service provider. Logging of the actions of the service providers can therefore also generate privacy-sensitive content. However, to enhance transparency towards users, logging can be a very useful tool. In this paper, we build upon the concept of distributed privacy-preserving log trails. The trust in such a system lies in the storage of a vector in a certain register stored in software. With a piece of malicious software, a hacker or curious user could misuse this register to learn about a certain process or to learn for whom a service is performed, although the scheme ensures forward-unlinkability and forward-integrity. In this paper, we strengthen the conventional software approach by implementing the vector in external hardware. This hardens the scheme further, and reduces the level to which the log server has to be trusted, at the cost of additional but solvable security threats.

Practical feasibility evaluation and improvement of a pay-per-use licensing scheme for hardware IP cores in Xilinx FPGAs

In earlier published work, Maes et al. present a pay-per-use licensing scheme for hardware Intellectual Property (IP) cores. This scheme focuses on the use of IP cores on static random access memory-based field programmable gate arrays (FPGAs) and is mainly based on the partial reconfigurability property of this type of FPGA. Our work evaluates the practical feasibility of the scheme and the accompanying architecture. As already (partly) indicated by Maes et al., their solution introduces some security and usability issues. Therefore, we present improvements to the scheme and the architecture together with an additional method for decreasing the area overhead. The overall result is the first practical implementation of the pay-per-use licensing scheme occupying 841 slices on a Xilinx XC6S-LX45 FPGA. The small area overhead is mainly achieved by moving the storage of keys from slice flip-flops to configuration memory. Moreover, the implementation would not have been feasible with commercially available tools. We use an academic tool that allows nested partial reconfiguration and flexible IP core placement.

Secure FPGA technologies and techniques

This survey paper proposes an overview of contemporary FPGA-related technologies and techniques that can be used for data and system security. As such we will give an overview of the currently available features in commonly used FPGAs and link these features to established security techniques. The main goal is to evaluate the pros and contras of the different techniques and technologies in order to give directions on the security strategy.

Maximizing the throughput of threshold-protected AES-GCM implementations on FPGA

In this paper, we push the limits in maximizing the throughput of side-channel-protected AES-GCM implementations on an FPGA. We present a fully unrolled and pipelined architecture that uses a Boolean masking countermeasure (specifically, threshold implementation) for first-order DPA resistance. Using a high-end Virtex-7 device, we obtain a throughput of 15.24 Gbit/s. Since masked implementations require a stream of random bits for each execution, a high-throughput masked implementation requires a high-throughput pseudorandom number generator as well. This work determines how fast random numbers should be generated in order for ultra-high throughput, threshold-protected AES-GCM implementations to be feasible on FPGAs.

DynamIA: Dynamic Hardware Reconfiguration in Industrial Applications

This paper presents the work that will be done in the research project “DynamIA: Dynamic Hardware Reconfiguration in Industrial Applications”. The project focuses on transferring knowledge on partial and dynamic reconfiguration of FPGAs from the academic partners to small and medium enterprises (SMEs), because the success stories on partial and dynamic reconfiguration were mainly only realized in large companies with a substantial amount of R&D activities. The reason is that the technology is still perceived as being difficult to adopt and expensive in terms of NRE costs. Therefore, the goal of the DynamIA project is two-fold. (1) It develops a number of use cases and guidelines in different application domains, tailored to the activities of the SMEs in the user group and in the broader target group. These use cases demonstrate a number of benefits of partial and dynamic FPGA reconfiguration, namely a faster startup, a faster design cycle and a lower occupation of resources leading to a lower static power consumption. (2) It develops a low-cost, vendor-independent emulation environment for dynamic and partial reconfiguration, which is non-existing in commercial and academic EDA tools. Another benefit of this emulation environment is that it can also be used for static designs. This allows SMEs to have a low-cost emulation environment for their applications instead of developing their own emulation environment manually (which is very time-consuming) or buying big cost-intensive commercial emulators.