William Diehl

A universal hardware API for authenticated ciphers

In this paper, we propose a universal hardware Application Programming Interface (API) for authenticated ciphers. In particular, our API is intended to meet the requirements of all algorithms submitted to the CAESAR competition. Two major parts of the API, the interface and the communication protocol, were developed with the goal of reducing any potential biases in benchmarking of authenticated ciphers in hardware. Our high-speed implementation of the proposed hardware API includes universal, open-source pre-processing and post-processing units, common for all CAESAR candidates and the current standards, such as AES-GCM and AES-CCM. Apart from the full documentation, examples, and the source code of the pre-processing and post-processing units, we have made available in public domain a) a universal testbench to verify the functionality of any CAESAR candidate implemented using our hardware API, b) a Python script used to automatically generate test vectors for this testbench, c) VHDL wrappers used to determine the maximum clock frequency and the resource utilization of all implementations, and d) RTL VHDL source codes of highspeed implementations of AES and the Keccak Permutation F, which may be used as building blocks in implementations of related ciphers. We hope that the existence of these resources will substantially reduce the time necessary to develop hardware implementations of all CAESAR candidates for the purpose of evaluation, comparison, and future deployment in real products.

Comparison of cost of protection against differential power analysis of selected authenticated ciphers

Authenticated ciphers are vulnerable to side-channel attacks, including differential power analysis (DPA). Test Vector Leakage Assessment (TVLA) using Welchs t-test has been used to verify improved resistance of block ciphers to DPA after application of countermeasures. However, extension of this methodology to authenticated ciphers is non-trivial, since this requires additional input and output conditions, complex interfaces, and long test vectors interlaced with protocol necessary to describe authenticated cipher operations. In this research we augment an existing side-channel analysis architecture (FOBOS) with TVLA for authenticated ciphers. We use this capability to show that implementations in the Spartan-6 FPGA of the CAESAR Round 3 candidates ACORN, ASCON, CLOC (AES and TWINE), SILC (AES, PRESENT, and LED), JAMBU (AES and SIMON), and Ketje Jr., as well as AES-GCM, are potentially vulnerable to 1st order DPA. We then implement versions of the above ciphers, protected against 1st order DPA, using threshold implementations. TVLA is used to verify improved resistance to 1st order DPA of the protected cipher implementations. Finally, we benchmark unprotected and protected cipher implementations in the Spartan-6 FPGA, and compare the costs of 1st order DPA protection in terms of area, frequency, throughput, throughput-to-area (TP/A) ratio, power, and energy per bit. Our results show that ACORN is the most energy efficient, has the lowest area (in LUTs), and has the highest TP/A ratio of DPA-resistant implementations. However, Ketje Jr. has the highest throughput.

Comparing the Cost of Protecting Selected Lightweight Block Ciphers against Differential Power Analysis in Low-Cost FPGAs

Lightweight block ciphers are an important topic in the Internet of Things (IoT) since they provide moderate security while requiring fewer resources than the Advanced Encryption Standard (AES). Ongoing cryptographic contests and standardization efforts evaluate lightweight block ciphers on their resistance to power analysis side channel attack (SCA), and the ability to apply countermeasures. While some ciphers have been individually evaluated, a large-scale comparison of resistance to side channel attack and the formulation of absolute and relative costs of implementing countermeasures is difficult, since researchers typically use varied architectures, optimization strategies, technologies, and evaluation techniques. In this research, we leverage the Test Vector Leakage Assessment (TVLA) methodology and the FOBOS SCA framework to compare FPGA implementations of AES, SIMON, SPECK, PRESENT, LED, and TWINE, using a choice of architecture targeted to optimize throughput-to-area (TP/A) ratio and suitable for introducing countermeasures to Differential Power Analysis (DPA). We then apply an equivalent level of protection to the above ciphers using 3-share threshold implementations (TI) and verify the improved resistance to DPA. We find that SIMON has the highest absolute TP/A ratio of protected versions, as well as the lowest relative cost of protection in terms of TP/A ratio. Additionally, PRESENT uses the least energy per bit (E/bit) of all protected implementations, while AES has the lowest relative cost of protection in terms of increased E/bit.

RTL implementations and FPGA benchmarking of selected CAESAR Round Two authenticated ciphers

Authenticated ciphers are cryptographic transformations which combine the functionality of confidentiality, integrity, and authentication. This research uses register transfer-level (RTL) design to describe selected authenticated ciphers using a hardware description language (HDL), verifies their proper operation through functional simulation, and implements them on target FPGAs. The authenticated ciphers chosen for this research are the CAESAR Round Two variants of SCREAM, POET, Minalpher, and OMD. Ciphers are discussed from an engineering standpoint, and are compared and contrasted in terms of design features. To ensure conformity and standardization in evaluation, all four candidates are implemented with an identical version of the CAESAR Hardware API for authenticated ciphers. Functionally correct implementations of all four ciphers are realized, and results are compared against each other and previous results in terms of throughput, area, and throughput-to-area (TP/A) ratio. SCREAM is found to have the highest TP/A ratio of these four ciphers in the Virtex-6 FPGA, while Minalpher has the highest TP/A ratio in the Virtex-7 FPGA.

Implementation of a Boolean Masking Scheme for the SCREAM Cipher

Masking is a proven countermeasure to protect physical cryptographic implementations against power analysis side-channel attacks, such as differential power analysis (DPA). Boolean masking is one of several types of masking schemes that can be added to a cipher to increase its security. However, implementing a secure and efficient Boolean masking scheme across all components of a cipher, including non-linear transformations, can be challenging. In this research, a 1st order Boolean masking scheme is applied to the SCREAM authenticated cipher, a CAESAR Round Two candidate. The non-masked and masked versions of the full authenticated cipher are implemented in the Virtex-6 FPGA and compared in terms of throughput, area, and throughput-to-area (T/A) ratio. The SCREAM block cipher is then compared to a masked version of AES to determine the relative costs of masking among the two ciphers. The results show that the T/A ratio of the masked SCREAM full authenticated cipher is only 50% of the T/A ratio of the non-masked version, and that the masking cost of the SCREAM block cipher is roughly equal to that of an equivalently-masked version of the AES block cipher.

RTL Implementations and FPGA Benchmarking of Three Authenticated Ciphers Competing in CAESAR Round Two

Authenticated ciphers are cryptographic transformations which combine the functionality of confidentiality, integrity, and authentication. This research uses register transfer-level (RTL) design to describe selected authenticated ciphers using a hardware description language (HDL), verifies their proper operation through functional simulation, and implements them on target FPGAs. The authenticated ciphers chosen for this research are the CAESAR Round Two variants of SCREAM, POET, and Minalpher. Ciphers are discussed from an engineering standpoint, and are compared and contrasted in terms of design features. To ensure conformity and standardization in evaluation, all three candidates are implemented with an identical version of the CAESAR Hardware API for authenticated ciphers. Functionally correct implementations of all three ciphers are realized, and results are compared against each other and previous results in terms of throughput, area, and throughput-to-area (T/A) ratio. SCREAM is found to have the highest T/A ratio of these three ciphers in the Virtex-6 FPGA, while Minalpher has the highest T/A ratio in the Virtex-7 FPGA.

Comparison of hardware and software implementations of selected lightweight block ciphers

Lightweight block ciphers are an important topic of research in the context of the Internet of Things (IoT). Current cryptographic contests and standardization efforts seek to benchmark lightweight ciphers in both hardware and software. Although there have been several benchmarking studies of both hardware and software implementations of lightweight ciphers, direct comparison of hardware and software implementations is difficult due to differences in metrics, measures of effectiveness, and implementation platforms. In this research, we facilitate this comparison by use of a custom lightweight reconfigurable processor. We implement six ciphers, AES, SIMON, SPECK, PRESENT, LED and TWINE, in hardware using register transfer level (RTL) design, and in software using the custom reconfigurable processor. Both hardware and software implementations are instantiated in identical Xilinx Kintex-7 FPGAs, which enables direct comparison of throughput, area, throughput-to-area (TP/A) ratio, power, and energy. Results show that TWINE and AES have the highest TP/A ratios for hardware and software implementations, respectively, assuming an area target of 300–450 LUTs. In terms of direct comparison, software implementations on tailored reconfigurable processers generally use less power — especially where reconfigurable instruction set extensions are permitted. However, custom hardware implementations have higher throughput and energy-efficiency than software implementations on the same platform.

High-Speed RTL Implementations and FPGA Benchmarking of Three Authenticated Ciphers Competing in CAESAR Round Two

Authenticated ciphers are cryptographic transformations which combine the functionality of confidentiality, integrity, and authentication. This research uses register transfer-level (RTL) design to describe selected authenticated ciphers using a hardware description language (HDL), verifies their proper operation through functional simulation, and implements them on target FPGAs. The authenticated ciphers chosen for this research are the CAESAR Round Two variants of SCREAM, POET, and Minalpher. Ciphers are discussed from an engineering standpoint, and are compared and contrasted in terms of design features. To ensure conformity and standardization in evaluation, all three candidates are implemented with an identical version of the CAESAR Hardware API for authenticated ciphers. Functionally correct implementations of all three ciphers are realized, and results are compared against each other and previous results in terms of throughput, area, and throughput-to-area (T/A) ratio. SCREAM is found to have the highest T/A ratio of these three ciphers in the Virtex-6 FPGA, while Minalpher has the highest T/A ratio in the Virtex-7 FPGA.