Jorge Guajardo

FPGA Intrinsic PUFs and Their Use for IP Protection

In recent years, IP protection of FPGA hardware designs has become a requirement for many IP vendors. In [34], Simpson and Schaumont proposed a fundamentally different approach to IP protection on FPGAs based on the use of Physical Unclonable Functions (PUFs). Their work only assumes the existence of a PUF on the FPGAs without actually proposing a PUF construction. In this paper, we propose new protocols for the IP protection problem on FPGAs and provide the first construction of a PUF intrinsic to current FPGAs based on SRAM memory randomness present on current FPGAs. We analyze SRAM-based PUF statistical properties and investigate the trade offs that can be made when implementing a fuzzy extractor.

Extended abstract: The butterfly PUF protecting IP on every FPGA

IP protection of hardware designs is the most important requirement for many FPGA IP vendors. To this end, various solutions have been proposed by FPGA manufacturers based on the idea of bitstream encryption. An alternative solution was advocated in (E. Simpson and P. Schaumont, 2006). Simpson and Schaumont proposed a new approach based on physical unclonable functions (PUFs) for IP protection on FPGAs. PUFs are a unique class of physical systems that extract secrets from complex physical characteristics of the integrated circuits which along with the properties of unclonability provide a highly secure means of generating volatile secret keys for cryptographic operations. However, the first practical PUF on an FPGA was proposed only later in (J. Guajardo et al., 2007) based on the startup values of embedded SRAM memories which are intrinsic in some of the current FPGAs. The disadvantage of these intrinsic SRAM PUFs is that not all FPGAs support uninitialized SRAM memory. In this paper, we propose a new PUF structure called the butterfly PUF that can be used on all types of FPGAs. We also present experimental results showing their identification and key generation capabilities.

Privacy-Preserving Face Recognition

Face recognition is increasingly deployed as a means to unobtrusively verify the identity of people. The widespread use of biometrics raises important privacy concerns, in particular if the biometric matching process is performed at a central or untrusted server, and calls for the implementation of Privacy-Enhancing Technologies. In this paper we propose for the first time a strongly privacy-enhanced face recognition system, which allows to efficiently hide both the biometrics and the result from the server that performs the matching operation, by using techniques from secure multiparty computation. We consider a scenario where one party provides a face image, while another party has access to a database of facial templates. Our protocol allows to jointly run the standard Eigenfaces recognition algorithm in such a way that the first party cannot learn from the execution of the protocol more than basic parameters of the database, while the second party does not learn the input image or the result of the recognition process. At the core of our protocol lies an efficient protocol for securely comparing two Pailler-encrypted numbers. We show through extensive experiments that the system can be run efficiently on conventional hardware.

Provably secure masking of AES

A general method to secure cryptographic algorithms against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some finite field. To our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.

Public-Key Cryptography for RFID-Tags

RFID-tags are a new generation of bar-codes with added functionality. An emerging application is the use of RFID-tags for anti-counterfeiting by embedding them into a product. Public-key cryptography (PKC) offers an attractive solution to the counterfeiting problem but whether a publickey cryptosystem can be implemented on an RFID tag or not remains unclear. In this paper, we investigate which PKC-based identification protocols are useful for these anti-counterfeiting applications. We also discuss the feasibility of identification protocols based on elliptic curve cryptography (ECC) and show that it is feasible on RFID tags. Finally, we compare different implementation options and explore the cost that side-channel attack countermeasures would have on such implementations

Efficient Algorithms for Elliptic Curve Cryptosystems

This contribution describes three algorithms for efficient implementations of elliptic curve cryptosystems. The first algorithm is an entirely new approach which accelerates the multiplications of points which is the core operation in elliptic curve public-key systems. The algorithm works in conjunction with the k-ary or sliding window method. The algorithm explores computational advantages by computing repeated point doublings directly through closed formulae rather than from individual point doublings. This approach reduces the number of inversions in the underlying finite field at the cost of extra multiplications. For many practical implementations, where field inversion is at least four times as costly as field multiplication, the new approach proofs to be faster than traditional point multiplication methods. The second algorithm deals with efficient inversion in composite Galois fields of the form GF((2n)n). Based on an idea of Itoh and Tsujii, we optimize the algorithm for software implementation of elliptic curves. The algorithm reduced inversion in the composite field to inversion in the subfield GF(2n). The third algorithm describes the application of the Karatsuba-Ofman Algorithm to multiplication in GF((2n)n). We provide a detailed complexity analysis of the algorithm for the case that subfield arithmetic is performed through table look-up. We apply all three algorithms to an implementation of an elliptic curve system over GF((216)11). We provide absolute performance measures for the field operations and for an entire point multiplication.

Physical Unclonable Functions and Public-Key Crypto for FPGA IP Protection

In recent years, IP protection of FPGA hardware designs has become a requirement for many IP vendors. To this end solutions have been proposed based on the idea of bitstream encryption, symmetric-key primitives, and the use of physical unclonable functions (PUFs). In this paper, we propose new protocols for the IP protection problem on FPGAs based on public-key (PK) cryptography, analyze the advantages and costs of such an approach, and describe a PUF intrinsic to current FPGAs based on SRAM properties. A major advantage of using PK-based protocols is that they do not require the private key stored in the FPGA to leave the device, thus increasing security. This added security comes at the cost of additional hardware resources but it does not cause significant performance degradation.

Efficient Helper Data Key Extractor on FPGAs

Physical Unclonable Functions (PUFs) have properties that make them very attractive for a variety of security-related applications. Due to their inherent dependency on the physical properties of the device that contains them, they can be used to uniquely bind an application to a particular device for the purpose of IP protection. This is crucial for the protection of FPGA applications against illegal copying and distribution. In order to exploit the physical nature of PUFs for reliable cryptography a so-called helper data algorithm or fuzzy extractor is used to generate cryptographic keys with appropriate entropy from noisy and non-uniform random PUF responses. In this paper we present for the first time efficient implementations of fuzzy extractors on FPGAs where the efficiency is measured in terms of required hardware resources. This fills the gap of the missing building block for a full FPGA IP protection solution. Moreover, in this context we propose new architectures for the decoders of Reed-Muller and Golay codes, and show that our solutions are very attractive from both the area and error correction capability points of view.

Security on FPGAs: State-of-the-art implementations and attacks

In the last decade, it has become apparent that embedded systems are integral parts of our every day lives. The wireless nature of many embedded applications as well as their omnipresence has made the need for security and privacy preserving mechanisms particularly important. Thus, as field programmable gate arrays (FPGAs) become integral parts of embedded systems, it is imperative to consider their security as a whole. This contribution provides a state-of-the-art description of security issues on FPGAs, both from the system and implementation perspectives. We discuss the advantages of reconfigurable hardware for cryptographic applications, show potential security problems of FPGAs, and provide a list of open research problems. Moreover, we summarize both public and symmetric-key algorithm implementations on FPGAs.

Itoh-Tsujii Inversion in Standard Basis and Its Application in Cryptography and Codes

AbstractThis contribution is concerned with a generalization of Itoh and Tsujiis algorithm for inversion in extension fields