Publication


Featured research published by Rei Ueno.


cryptographic hardware and embedded systems | 2015

Highly Efficient GF(2^8) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design

Rei Ueno; Naofumi Homma; Yukihiro Sugawara; Yasuyuki Nogami; Takafumi Aoki

This paper proposes a compact and efficient \(GF(2^8)\) inversion circuit design based on a combination of non-redundant and redundant Galois Field (GF) arithmetic. The proposed design utilizes redundant GF representations, called Polynomial Ring Representation (PRR) and Redundantly Represented Basis (RRB), to implement \(GF(2^8)\) inversion using a tower field \(GF((2^4)^2)\). In addition to the redundant representations, we introduce a specific normal basis that makes it possible to map the former components for the 16th and 17th powers of input onto logic gates in an efficient manner. The latter components for \(GF(2^4)\) inversion and \(GF(2^4)\) multiplication are then implemented by PRR and RRB, respectively. The flexibility of the redundant representations provides efficient mappings from/to the \(GF(2^8)\). This paper also evaluates the efficacy of the proposed circuit by means of gate counts and logic synthesis with a 65 nm CMOS standard cell library and comparisons with conventional circuits, including those with tower fields \(GF(((2^2)^2)^2)\). Consequently, we show that the proposed circuit achieves approximately 40 % higher efficiency in terms of area-time product than the conventional best \(GF(((2^2)^2)^2)\) circuit excluding isomorphic mappings. We also demonstrate that the proposed circuit achieves the best efficiency (i.e., area-time product) for an AES encryption S-Box circuit including isomorphic mappings.


international workshop constructive side-channel analysis and secure design | 2017

Toward More Efficient DPA-Resistant AES Hardware Architecture Based on Threshold Implementation

Rei Ueno; Naofumi Homma; Takafumi Aoki

This paper presents a highly efficient AES hardware architecture resistant to differential power analyses (DPAs) on the basis of threshold implementation (TI). In contrast to other conventional masking schemes, the major feature of TI is to guarantee DPA-resistance under d-probing condition at the register-transfer level (RTL). On the other hand, TI utilizes pipelining techniques between the non-linear functions to avoid propagating glitches, which would lead to non-negligible overheads of circuit area and latency. In this paper, we first propose a compact first-order TI-based AES S-box which has a major effect on the performance and DPA-resistance of AES hardware. The proposed S-box exploits a state-of-the-art TI construction with \(d+1\) shares in addition to the algebraic characteristics of AES S-box. We then propose an efficient AES hardware architecture suitable for the above TI-based S-box. The architectural advantage is given by register-retiming and tower-field arithmetic techniques. The performance of the proposed AES hardware was evaluated in comparison with that of conventional best ones. The logic synthesis result suggests that the proposed AES hardware architecture is more compact and has 11–21% lower latency than the conventional ones, which indicates that the proposed architecture can perform encryption based on TI with the lowest energy. We also confirm the DPA-resistance of the proposed AES hardware by the Test Vector Leakage Assessment (TVLA) methodology with its FPGA implementation.


cryptographic hardware and embedded systems | 2016

A High Throughput/Gate AES Hardware Architecture by Compressing Encryption and Decryption Datapaths

Rei Ueno; Sumio Morioka; Naofumi Homma; Takafumi Aoki

This paper proposes a highly efficient AES hardware architecture that supports both encryption and decryption for the CBC mode. Some conventional AES architectures employ pipelining techniques to enhance the throughput and efficiency. However, such pipelined architectures are frequently unfit because many practical cryptographic applications work in the CBC mode, where block-wise parallelism is not available for encryption. In this paper, we present an efficient AES encryption/decryption hardware design suitable for such block-chaining modes. In particular, new operation-reordering and register-retiming techniques allow us to unify the inversion circuits for encryption and decryption (i.e., SubBytes and InvSubBytes) without any delay overhead. A new unification technique for linear mappings further reduces both the area and critical delay in total. Our design employs a common loop architecture and can therefore efficiently perform even in the CBC mode. We also present a shared key scheduling datapath that can work on-the-fly in the proposed architecture. To the best of our knowledge, the proposed architecture has the shortest critical path delay and is the most efficient in terms of throughput per area among conventional AES encryption/decryption architectures with tower-field S-boxes. We evaluate the performance of the proposed and some conventional datapaths by logic synthesis results with the TSMC 65-nm standard-cell library and NanGate 45- and 15-nm open-cell libraries. As a result, we confirm that our proposed architecture achieves approximately 53–72 % higher efficiency (i.e., a higher bps/GE) than any other conventional counterpart.


international symposium on multiple-valued logic | 2015

System for Automatic Generation of Parallel Multipliers over Galois Fields

Yukihiro Sugawara; Rei Ueno; Naofumi Homma; Takafumi Aoki

This paper presents a system for the automatic generation of Galois-field (GF) arithmetic circuits, named the GF Arithmetic Module Generator (GF-AMG). The proposed system employs a graph-based circuit description called the GF Arithmetic Circuit Graph (GF-ACG). First, we present an extension of the GF-ACG to handle \(GF(p^m)\) (\(p \ge 3\)) arithmetic circuits, which can be efficiently implemented by multiple-valued logic circuits in addition to the conventional binary circuits. We then show the validity of the generation system through the experimental design of \(GF(3^m)\) multipliers for a ternary logic circuit. In addition, we evaluate the performance of typical \(GF(2^m)\) multipliers empirically generated by our system. We confirm from the results that the proposed system can generate a variety of GF parallel multipliers, including practical multipliers over \(GF(2^m)\) and \(GF(3^m)\) having degrees greater than 128.


international symposium on multiple-valued logic | 2015

Formal Design of Galois-Field Arithmetic Circuits Based on Polynomial Ring Representation

Rei Ueno; Naofumi Homma; Yukihiro Sugawara; Takafumi Aoki

This paper presents a graph-based approach to designing arithmetic circuits over Galois fields (GFs) based on a polynomial ring (PR) representation, which is a redundant representation for GF arithmetic. The proposed method extends a graph-based circuit description, called a Galois-field arithmetic circuit graph (GF-ACG), which was originally proposed for non-redundant GF arithmetic. First, the extension of a GF-ACG is applied to the design and verification of the PR-based GF arithmetic circuits. Then the efficiency of the proposed method is demonstrated using the design and verification of PR-based GF multipliers. In addition, \(GF(2^8)\) inversion circuits with different GF representations are designed and evaluated in order to confirm the significance of the PR representation.


international symposium on multiple valued logic | 2014

An Efficient Approach to Verifying Galois-Field Arithmetic Circuits of Higher Degrees and Its Application to ECC Decoders

Rei Ueno; Kotaro Okamoto; Naofumi Homma; Takafumi Aoki

This paper presents an efficient approach to verifying higher-degree Galois-field (GF) arithmetic circuits. The proposed method describes GF arithmetic circuits by a graph-based representation, and verifies them by a combination of an algebraic method with a new verification method based on natural deduction for first-order predicate logic with equality. The natural deduction method can verify a class of higher-degree GF arithmetic circuits efficiently, while the conventional methods require enormous time to verify them or sometimes cannot verify them. In this paper, we apply the proposed method to the design and verification of various Reed-Solomon (RS) code decoders. We confirm that the proposed method can verify RS code decoders with higher-degree functions while the conventional method fails. In particular, we show that the proposed method can be applied to practical decoders with 8-bit symbols.


international workshop constructive side-channel analysis and secure design | 2017

Multiple-Valued Debiasing for Physically Unclonable Functions and Its Application to Fuzzy Extractors

Manami Suzuki; Rei Ueno; Naofumi Homma; Takafumi Aoki

This paper proposes a new debiasing method for a stable and efficient extraction of uniform random binary responses from physically unclonable functions (PUFs). The proposed method handles multiple-valued (i.e., ternary) responses from PUF responses, including unstable response bits, and stably extracts uniform random-bit responses from them. In this paper, we evaluate the stability and effectiveness of the proposed method with two experiments with simulated and actual responses of latch PUFs implemented on an FPGA. We demonstrate that the proposed method can obtain longer debiased random-bit responses than the conventional method. In addition, we apply the proposed method to the construction of a fuzzy extractor (FE), and show the advantages of the proposed FE in terms of response length and authentication success rate in an experimental evaluation.


international symposium on multiple valued logic | 2017

A Systematic Design of Tamper-Resistant Galois-Field Arithmetic Circuits Based on Threshold Implementation with (d + 1) Input Shares

Rei Ueno; Naofumi Homma; Takafumi Aoki

This paper presents a systematic design of tamper-resistant Galois-Field (GF) arithmetic circuits based on Threshold Implementation (TI) where a secret variable is represented with multiple variables, called shares, given by random numbers. TI is one of the countermeasures against Differential Power Analysis (DPA) on cryptographic hardware. The security order of TI depends on the number of shares. The minimum number of shares to be resistant to dth-order DPA is said to be (d + 1). While the construction of GF arithmetic circuits of quadratic function based on TI with (d + 1) shares is known, it is not known how to construct other types of circuits based on it. In this paper, we present a generalization and systematic method of constructing the TI with (d + 1) input shares for any kind of GF arithmetic circuit in order to design a larger variety of tamper-resistant GF arithmetic circuits. We then apply the proposed method to a cryptographic hardware design in order to demonstrate its efficiency.


international symposium on multiple valued logic | 2016

Formal Design of Pipelined GF Arithmetic Circuits and Its Application to Cryptographic Processors

Rei Ueno; Yukihiro Sugawara; Naofumi Homma; Takafumi Aoki

This study presents a formal approach to designing pipelined arithmetic circuits over Galois fields (GFs). The proposed method extends a graph-based circuit description known as a Galois-field arithmetic circuit graph (GF-ACG) to Linear-time Temporal Logic (LTL) in order to represent the timing property of pipelined circuits. We first present the extension of GF-ACG and its formal verification using computer algebra. We then demonstrate the efficiency of the proposed method through an experimental design of a lightweight cryptographic processor. In particular, we design a tamper-resistant datapath with threshold implementation (TI) based on pipelining and multi-party computation. The proposed method can verify the processor within 1 h, whereas conventional methods would fail.


international workshop constructive side-channel analysis and secure design | 2018

On Masked Galois-Field Multiplication for Authenticated Encryption Resistant to Side Channel Analysis

Hirokazu Oshida; Rei Ueno; Naofumi Homma; Takafumi Aoki

This paper presents a side-channel attack on masked Galois-field (GF) multiplication used in authenticated encryptions including AES-GCM and a new countermeasure against the proposed attack. While the previous side-channel attack is likely to recover the full key of GHASH in AES-GCM, no countermeasure has been discussed and evaluated until now. In this paper, we first apply a straightforward masking countermeasure to GF multiplication for GHASH and show that the masked GF multiplication is resistant to the previous attack. We then show the straightforward masked GHASH can be defeated by a new attack utilizing the variance of power trace. The feasibility of the new attack is demonstrated by an experiment with power traces measured from a smart card operating the masked GHASH. Finally, we propose a new masking countermeasure against the proposed attack.
