Luca Henzen

Long-term performance of the SwissQuantum quantum key distribution network in a field environment

In this paper, we report on the performance of the SwissQuantum quantum key distribution (QKD) network. The network was installed in the Geneva metropolitan area and ran for more than one-and-a-half years, from the end of March 2009 to the beginning of January 2011. The main goal of this experiment was to test the reliability of the quantum layer over a long period of time in a production environment. A key management layer has been developed to manage the key between the three nodes of the network. This QKD-secure network was utilized by end-users through an application layer.

FPGA parallel-pipelined AES-GCM core for 100G Ethernet applications

The forthcoming IEEE 802.3ba Ethernet standard will provide data transmission at a bandwidth of 100 Gbit/s. Currently, the fastest cryptographic primitive approved by the U.S. National Institute for Standard and Technology, that combines data encryption and authentication, is the Galois/Counter Mode (GCM) of operation. If the feasibility to increase the speed of the GCM up to 100 Gbit/s on ASIC technologies has already been demonstrated, the FPGA implementation of the GCM in secure 100G Ethernet network systems arises some important structural issues. In this paper, we report on an efficient FPGA architecture of the GCM combined with the AES block cipher. With the parallelization of four pipelined AES-GCM cores we were able to reach the speed required by the new Ethernet standard. Furthermore, the time-critical binary field multiplication of the authentication process relies on four pipelined 2-step Karatsuba-Ofman multipliers.

Developing a hardware evaluation method for SHA-3 candidates

The U.S. National Institute of Standards and Technology encouraged the publication of works that investigate and evaluate the performances of the second round SHA-3 candidates. Besides the hardware characterization of the 14 candidate algorithms, the main goal of this paper is the description of a reliable methodology to efficiently characterize and compare VLSI circuits of cryptographic primitives. We took the opportunity to apply it on the ongoing SHA-3 competition. To this end, we implemented several architectures in a 90 nm CMOS technology, targeting high- and moderate-speed constraints separately. Thanks to this analysis, we were able to present a complete benchmark of the achieved post-layout results of the circuits.

VLSI Characterization of the Cryptographic Hash Function BLAKE

Cryptographic hash functions are used to protect information integrity and authenticity in a wide range of applications. After the discovery of weaknesses in the current deployed standards, the U.S. Institute of Standards and Technology started a public competition to develop the future standard SHA-3, which will be implemented in a multitude of environments, after its selection in 2012. In this paper, we investigate high-speed and low-area hardware architectures of one of the 14 “second-round” candidates in this competition: BLAKE. VLSI performance results of the proposed high-speed designs indicate a throughput improvement between 16% and 36% compared to the current standard SHA-2. Additionally, we propose a compact implementation of BLAKE with memory optimization that fits in 0.127 mm2 of a 0.18 μ m CMOS. Measurements reveal a minimal power dissipation of 9.59 μW/MHz at 0.65 V, which suggests that BLAKE is suitable for resource-limited systems.

VLSI hardware evaluation of the stream ciphers Salsa20 and ChaCha, and the compression function Rumba

Salsa20 is a stream cipher candidate in the software-oriented profile of the eSTREAM project. ChaCha is a successor stream cipher with improved per round diffusion and, conjecturally, increased resistance to cryptanalysis. Based on the combination of four Salsa20 instances, Rumba is a compression function for hashing schemes. This paper presents the evaluation of five VLSI circuits for Salsa20. Synthesis results for a 0.18 mum CMOS technology point out that the fastest implementation achieves a throughput of 6.4Gbps, while the smallest design requires only an area of 10 k gate equivalents (GE) at 16 Mbps. This work also presents the first hardware implementations of ChaCha and Rumba. The fastest ChaCha design achieves 6.8 Gbps and the smallest design requires an area of 9.1 kGE at 16 Mbps. Furthermore, two Rumba implementations are able to achieve 17.9 Gbps or a compact area of 16.8 kGE at 12 Mbps.

A Security-Enhanced UHF RFID Tag Chip

The integration of strong security functionality to radio-frequency identification (RFID) tags operating in the ultra-high frequency (UHF) range is challenging. Main limiting factors are chip size and power consumption. In this work we present the design of the digital part of a security-enhanced UHF RFID tag that uses the Electronic Product Code (EPC) Generation-2 (Gen-2) standard for communication. The tag provides mutual-authentication functionality based on a challenge-response protocol and the Advanced Encryption Standard (AES). The stream cipher Grain is used for generating cryptographically secure random numbers during the authentication procedure. Moreover, the AES module on the tag has countermeasures integrated (shuffling of bytes and insertion of dummy rounds) to make so-called power analysis attacks less efficient. The digital part of the security-enhanced tag including AES and Grain modules can be implemented with 12000 GE (without non-volatile memory). The average power consumption during a full authentication round is 5 uW for a 130 nm low-leakage technology. The results clearly point out that both values chip size and power consumption fulfill the requirements of low-cost UHF RFID tags.

Hardware implementations of the SHA-3 candidates Shabal and CubeHash

At the current stage of the SHA-3 competition organized by the U.S. National Institute of Standards and Technology (NIST), the 51 accepted candidates for the next-generation cryptographic hash standard SHA-3 are being evaluated in terms of security properties, computational efficiency, and memory requirements. While detailed information about the software performance on various platforms is provided for all candidates, a thorough analysis of the algorithm performance on dedicated hardware is often missing. Nevertheless, hardware efficiency is of substantial importance, as SHA-3 is expected to be implemented in many resource-constrained applications. This work intends to complement the specifications of the candidates Shabal and CubeHash by investigating their suitability for both high-speed and low-area VLSI implementations. Shabals high speed core reaches a fairly large throughput of 6.351 Gbps at a complexity of 41.32 k gate equivalents (GE), whereas CubeHash makes do with a complexity of only 7.63kGE and is thus particularly appealing for lightweight implementations.

The Hash Function BLAKE

This is a comprehensive description of the cryptographic hash function BLAKE, one of the five final contenders in the NIST SHA3 competition, and of BLAKE2, an improved version popular among developers. It describes how BLAKE was designed and why BLAKE2 was developed, and it offers guidelines on implementing and using BLAKE, with a focus on software implementation. In the first two chapters, the authors offer a short introduction to cryptographic hashing, the SHA3 competition, and BLAKE. They review applications of cryptographic hashing, they describe some basic notions such as security definitions and state-of-the-art collision search methods, and they present SHA1, SHA2, and the SHA3 finalists. In the chapters that follow, the authors give a complete description of the four instances BLAKE-256, BLAKE-512, BLAKE-224, and BLAKE-384; they describe applications of BLAKE, including simple hashing with or without a salt, and HMAC and PBKDF2 constructions; they review implementation techniques, from portable C and Python to AVR assembly and vectorized code using SIMD CPU instructions; they describe BLAKEs properties with respect to hardware design for implementation in ASICs or FPGAs; they explain BLAKEs design rationale in detail, from NISTs requirements to the choice of internal parameters; they summarize the known security properties of BLAKE and describe the best attacks on reduced or modified variants; and they present BLAKE2, the successor of BLAKE, starting with motivations and also covering its performance and security aspects. The book concludes with detailed test vectors, a reference portable C implementation of BLAKE, and a list of third-party software implementations of BLAKE and BLAKE2. The book is oriented towards practice engineering and craftsmanship rather than theory. It is suitable for developers, engineers, and security professionals engaged with BLAKE and cryptographic hashing in general, and for applied cryptography researchers and students who need a consolidated reference and a detailed description of the design process, or guidelines on how to design a cryptographic algorithm.

FPGA implementation of a 2G fibre channel link encryptor with authenticated encryption mode GCM

The Galois/counter mode (GCM) algorithm enables fast encryption combined with per-packet message authentication. This paper presents an FPGA implementation of a complete bidirectional 2 Gbps fibre channel link encryptor hosting two area-optimized GCM cores for concurrent authenticated encryption and decryption. The proposed architecture fits into one Xilinx Virtex-4 device. Measurements in a working network link point out that per-packet authentication results in a speed decrease up to 20% of the channel capacity for a reference frame length of 256 bits. Two methods of frame encryption are investigated to reduce the required GCM overhead and to exploit different network configurations.

VLSI implementations of the cryptographic hash functions MD6 and ïrRUPT

A public competition organized by the NIST recently started, with the aim of identifying a new standard for cryptographic hashing (SHA-3). Besides a high security level, candidate algorithms should show good performance on various platforms. While an average performance on high-end processors is generally not critical, implementability and flexibility in hardware is crucial, because the new standard will be implemented in a variety of lightweight devices. This paper investigates VLSI architectures of the SHA-3 candidates MD6 and ïrRUPT. The fastest circuit is the 16×parallel MD6 core, reaching 16.3 Gbps at a complexity of 69.8 k gate equivalents (GE) on ASIC and 8.4 Gbps using 4465 Slices on FPGA. However, large memory requirements preclude the application of MD6 to resource-constrained systems. The most flexible and efficient circuit turns out to be our 2-ïrRUPT64x2-256/8 core, which achieves a throughput of 5.0 Gbps at 12.7 kGE on ASIC and 1.7 Gbps using 613 Slices on FPGA.