Thomas J. Wollinger

Security on FPGAs: State-of-the-art implementations and attacks

In the last decade, it has become apparent that embedded systems are integral parts of our every day lives. The wireless nature of many embedded applications as well as their omnipresence has made the need for security and privacy preserving mechanisms particularly important. Thus, as field programmable gate arrays (FPGAs) become integral parts of embedded systems, it is imperative to consider their security as a whole. This contribution provides a state-of-the-art description of security issues on FPGAs, both from the system and implementation perspectives. We discuss the advantages of reconfigurable hardware for cryptographic applications, show potential security problems of FPGAs, and provide a list of open research problems. Moreover, we summarize both public and symmetric-key algorithm implementations on FPGAs.

A New Class of Collision Attacks and Its Application to DES

Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which originates from Hans Dobbertin and is based on the fact that side channel analysis can be used to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We exploit the fact that internal collisions can be caused in three adjacent S-Boxes of DES [DDQ84] in order to gain information about the secret key-bits. As result, we were able to exploit an internal collision with a minimum of 140 encryptions yielding 10.2 key-bits. Moreover, we successfully applied the attack to a smart card processor.

Optimum Digit Serial GF(2^m) Multipliers for Curve-Based Cryptography

Digit serial multipliers are used extensively in hardware implementations of elliptic and hyperelliptic curve cryptography. This contribution shows different architectural enhancements in least significant digit (LSD) multiplier for binary fields GF(2m). We propose two different architectures, the double accumulator multiplier (DAM) and N-accumulator multiplier (NAM), which are both faster compared to traditional LSD multipliers. Our evaluation of the multipliers for different digit sizes gives optimum choices and shows that currently used digit sizes are the worst possible choices. Hence, one of the most important results of this contribution is that digit sizes of the form 2l - 1, where l is an integer, are preferable for the digit multipliers. Furthermore, one should always use the NAM architecture to get the best timings. Considering the time area product DAM or NAM gives the best performance depending on the digit size

Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves

For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements have been made, mainly restricted to curves of genus 2. The work at hand advances the state-of-the-art considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allow performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.

Low cost security: Explicit formulae for genus-4 hyperelliptic curves

It is widely believed that genus four hyperelliptic curve cryptosystems (HECC) are not attractive for practical applications because of their complexity compared to systems based on lower genera, especially elliptic curves. Our contribution shows that for low cost security applications genus-4 hyperelliptic curves (HEC) can outperform genus-2 HEC and that we can achieve a performance similar to genus-3 HEC. Furthermore our implementation results show that a genus-4 HECC is an alternative cryptosystem to systems based on elliptic curves.

Cantor versus Harley: optimization and analysis of explicit formulae for hyperelliptic curve cryptosystems

Hyperelliptic curves (HEC) look promising for cryptographic applications, because of their short operand size compared to other public-key schemes. The operand sizes seem well suited for small processor architectures, where memory and speed are constrained. However, the group operation has been believed to be too complex and, thus, HEC have not been used in this context so far. In recent years, a lot of effort has been made to speed up group operation of genus-2 HEC. In this paper, we increase the efficiency of the genus-2 and genus-3 hyperelliptic curve cryptosystems (HECC). For certain genus-3 curves, we can gain almost 80 percent performance for a group doubling. This work not only improves Gaudry and Harleys algorithm, but also improves the original algorithm introduced by Cantor [1987]. Contrary to common belief, we show that it is also practical for certain curves to use Cantors algorithm to obtain the highest efficiency for the group operation. In addition, we introduce a general reduction method for polynomials according to Karatsuba. We implemented our most efficient group operations on Pentium and ARM microprocessors.

Elliptic and hyperelliptic curves on embedded μP

It is widely recognized that data security will play a central role in future IT systems. Providing public-key cryptographic primitives, which are the core tools for security, is often difficult on embedded processor due to computational, memory, and power constraints. This contribution appears to be the first thorough comparison of two public-key families, namely elliptic curve (ECC) and hyperelliptic curve cryptosystems on a wide range of embedded processor types (ARM, ColdFire, PowerPC). We investigated the influence of the processor type, resources, and architecture regarding throughput. Further, we improved previously known HECC algorithms resulting in a more efficient arithmetic.

Hyperelliptic curve coprocessors on a FPGA

Cryptographic algorithms are used in a large variety of different applications to ensure security services. It is, thus, very interesting to investigate various implementation platforms. Hyperelliptic curve schemes are cryptographic primitives to which a lot of attention was recently given due to the short operand size compared to other algorithms. They are specifically interesting for special-purpose hardware. This paper provides a comprehensive investigation of high-efficient HEC architectures. We propose a genus-2 hyperelliptic curve cryptographic coprocessor using affine coordinates. We implemented a special class of hyperelliptic curves, namely using the parameter h(x)=x and f=x5+f1x+f0 and the base field GF(289). In addition, we only consider the most frequent case in our implementation and assume that the other cases are handled, e.g. by the protocol. We provide three different implementations ranging from high speed to moderate area. Hence, we provide a solution for a variety of applications. Our high performance HECC coprocessor is 78.5% faster than the best previous implementation and our low area implementation utilizes only 22.7% of the area that the smallest published design uses. Taking into account both area and latency, our coprocessor is an order of magnitude more efficient than previous implementations. We hope that the work at hand provides a step towards introducing HEC systems in practical applications.

Security Aspects of FPGAs in Cryptographic Applications

This contribution provides a state-of-the-art description of security issues on FPGAs from a system perspective.We consider the potential security problems of FPGAs and propose some countermeasure for the existing drawbacks of FPGAs. Even though there have been many contributions dealing with the algorithmic aspects of cryptographic schemes implemented on FPGAs, this contribution is one of the few investigations of system and security aspects.

Finding optimum parallel coprocessor design for genus 2 hyperelliptic curve cryptosystems

Hardware accelerators are often used in cryptographic applications for speeding up the highly arithmetic-intensive public-key primitives, e.g. in high-end smart cards. One of these emerging and very promising public-key schemes is based on hyperelliptic curve cryptosystems (HECC). In the open literature only a few considerations deal with hardware implementation issues of HECC. Our contribution appears to be the first one to propose architectures for the latest findings in efficient group arithmetic on HEC. The group operation of HECC allows parallelization at different levels: bit-level parallelization (via different digit-sizes in multipliers) and arithmetic operation-level parallelization (via replicated multipliers). We investigate the trade-offs between both parallelization options and identify speed and time-area optimized configurations. We found that a coprocessor using a single multiplier (D=8) instead of two or more is best suited. This coprocessor is able to compute group addition and doubling in 479 and 334 clock cycles, respectively. Providing more resources it is possible to achieve 288 and 248 clock cycles, respectively.