Michel Bardouillet

A parallelized way to provide data encryption and integrity checking on a processor-memory bus

This paper describes a novel engine, called PE-ICE (parallelized encryption and integrity checking engine), enabling to guarantee confidentiality and integrity of data exchanged between a SoC (system on chip) and its external memory. The PE-ICE approach is based on an existing block-encryption algorithm to which the integrity checking capability is added. Simulation results show that the performance overhead of PE-ICE remains low (below 4%) compared to block-encryption-only systems (which provide data confidentiality only)

Hardware Engines for Bus Encryption: A Survey of Existing Techniques

The widening spectrum of applications and services provided by portable and embedded devices brings a new dimension of concerns in security. Most of those embedded systems (pay-TV, PDAs, mobile phones, etc.) make use of external memory. As a result, the main problem is that data and instructions are constantly exchanged between memory (RAM) and CPU in clear form on the bus. This memory may contain confidential data like commercial software or private contents, which either the end-user or the content provider is willing to protect. The paper describes the problem of processor-memory bus communications in this regard and the existing techniques applied to secure the communication channel through encryption. Performance overheads implied by those solutions are discussed extensively.

Block-level added redundancy explicit authentication for parallelized encryption and integrity checking of processor-memory transactions

The bus between the System on Chip (SoC) and the external memory is one of the weakest points of computer systems: an adversary can easily probe this bus in order to read private data (data confidentiality concern) or to inject data (data integrity concern). The conventional way to protect data against such attacks and to ensure data confidentiality and integrity is to implement two dedicated engines: one performing data encryption and another data authentication. This approach, while secure, prevents parallelizability of the underlying computations. In this paper, we introduce the concept of Block-Level Added Redundancy Explicit Authentication (BL-AREA) and we describe a Parallelized Encryption and Integrity Checking Engine (PE-ICE) based on this concept. BL-AREA and PE-ICE have been designed to provide an effective solution to ensure both security services while allowing for full parallelization on processor read and write operations and optimizing the hardware resources. Compared to standard encryption which ensures only confidentiality, we show that PE-ICE additionally guarantees code and data integrity for less than 4% of run-time performance overhead.

PE-ICE: Parallelized Encryption and Integrity Checking Engine

This paper describes a novel engine, called PE-ICE (parallelized encryption and integrity checking engine), enabling to guarantee the confidentiality and the integrity of data exchanged between a SoC (system on chip) and its external memory by adding the integrity checking capability to a block encryption algorithm