CHES Tutorial
Cryptographic hardware: how to make it cool, fast and secure
Junfeng Fan
KULeuven, ESAT/SCD-COSIC
CHES 2012

9/9/2012 CHES Tutorial: Crypto hardware design

Crypto hardware
Smart card SoC (NXP P60C080)

Smart phone SoC (Texas Instruments OMAP4470)
Design target
- Efficient, lightweight implementation
  - Within power, area, timing budgets
  - Public key: 1024 bits RSA on 8 bit µC
  - Public key on a passive RFID tag
- Trustworthy implementation
  - Resistant to attacks
  - Active attacks: probing, power glitches, JTAG scan chain
  - Passive attacks: side channel attacks, including power, timing and electromagnetic leaks

Outline
I. Introduction: ASIC, FPGA, Design flow
II. Building Blocks: AES, RSA/ECC
III. Optimization: Area, Speed, Power
IV. Physical Security: Passive, Active
V. Summary
Part I: Introduction to hardware design
- ASIC
- FPGA
- Design Flow

ASIC Design Flow
1. System Specification
2. Architectural Design
3. RTL Design (Verilog, VHDL)
4. Synthesis
5. Physical Design
6. Physical Verification (DRC, LVS, ERC)
7. Fabrication
8. Packaging and Testing
9. Chip
[Source: Andrew B. Kahng et al.]
Standard Cells
Common Logic Gates

INV
IN  OUT
0   1
1   0

NAND
IN1  IN2  OUT
0    0    1
0    1    1
1    0    1
1    1    0

NOR
IN1  IN2  OUT
0    0    1
0    1    0
1    0    0
1    1    0

NAND
[Figure: NAND standard cell, transistor schematic and layout. Labels: IN1, IN2, OUT, Vdd, GND, p-type transistor, n-type transistor, contact, metal layer, poly layer, diffusion layer, power (Vdd) rail, ground (GND) rail. Source: Andrew B. Kahng et al.]
SRAM
[Figure: SRAM array. Labels: bitline conditioning, wordlines, bitlines, row decoder (n-k address bits), memory cells: 2^(n-k) rows x 2^(m+k) columns, column circuitry, column decoder (k address bits), n address bits in, 2^m bits out. Inset: 6T cell with word, bit and bit_b. Source: Adnan Aziz]

Critical Path Delay
[Figure: D_in -> DFF -> Combinational Logic 1 (Delay_1) -> DFF -> Combinational Logic 2 (Delay_2) -> DFF -> D_out, all DFFs clocked by CLK; timing diagram of CLK showing the clock period]
Register balancing
[Figure: D_in -> DFF -> Combinational Logic 1 (Delay_1) -> DFF -> Combinational Logic 2 (Delay_2 = Delay_1) -> DFF -> D_out, all DFFs clocked by CLK; timing diagram of CLK showing the clock period]

Latency vs. Throughput
[Figure, top: D_in -> DFF -> Round 1 -> DFF -> Round 2 -> ... -> Round 10 -> DFF -> D_out, clocked by CLK]
- Latency: 10
- Throughput: 1 Block/Cycle
[Figure, bottom: D_in -> DFF -> Round -> DFF -> D_out, clocked by CLK]
- Latency: 10
- Throughput: 1/10 Block/Cycle
Power and energy
- Why is it important?
  - Limited energy
  - Limited power
- Extremely important for crypto devices.
  - Source of information leakage

CMOS dynamic power
[Figure: CMOS gate with IN and OUT]

0-1 transition:
0 -> 0   0
0 -> 1   discharge
1 -> 0   charge
1 -> 1   0
HW/SW codesign
- Support multiple algorithms and protocols
[Figure: MCU connected over a BUS to a block containing Decoder, Register File and Crypto Datapath. Operations shown: ECC, Exp, AES, ... Algorithms and parameter sets shown: RSA1024, RSA2048, DH2048, ECC160p, ECC256p, AES128, Optimal Pairing]

FPGA
[Figure: a 4-LUT with inputs A, B, C, D and output Z, built as a 16x1 SRAM addressed by ABCD; the same LUT configured as AND and as XOR]

AND
ABCD  Z
0000  0
0001  0
...   .
1101  0
1110  0
1111  1

XOR
ABCD  Z
0000  0
0001  1
...   .
1101  1
1110  1
1111  0
FPGA
[Figure: Virtex-5 SliceL]

Virtex-II architecture
- I/O Blocks (IOBs)
- Block SelectRAM™ resource
- Programmable interconnect
- Dedicated multipliers
- Configurable Logic Blocks (CLBs)
- Clock Management (DCMs, BUFGMUXes)
Part II: Building blocks
- AES Core
- ECC/RSA Core

A simplified bank system
[Figure: a simplified bank system]
Server-side specification
- Platform: Xilinx Virtex-5 FPGA
- Function
  - AES 128-bit (CTR)
  - RSA 1024-, 2048-, 4096-bit
  - ECC 160-, 192-, 256-bit, prime field
- Performance
  - Frequency: 200 MHz
  - AES128: 20 Gbits/s
  - RSA1024: 2000 signatures per second
  - ECC160: 4000 signatures per second

Card-side specification
- Platform: 130nm ASIC
- Area: < 60k GE
- Power: < 1mW
- Function
  - AES 128-bit (CTR)
  - RSA 1024-bit
  - ECC 160-bit
- Performance
  - Frequency: 5 MHz
  - AES128: 1 Mbits/s
  - RSA1024: 5 signatures per second
  - ECC160: 10 signatures per second
Well…

AES - Algorithm
- International Standard
- 128/192/256-bit
  - Nr = 10, 12, 14
- Separate key expansion
- Different Enc / Dec

[Flow chart]
1. AddRoundKey with RoundKey[0]
2. i := 1
3. Repeated Nr-1 times: SubBytes, ShiftRows, MixColumns, AddRoundKey with RoundKey[i]; loop test "i < Nr-1 ?", then i++
4. SubBytes, ShiftRows, AddRoundKey with RoundKey[Nr]
AES - SubBytes
- Byte substitution: each byte individual
- 16 identical Sboxes

[Figure: each byte a_i of the input state goes through the sbox to give byte b_i of the output state]

a0  a4  a8   a12          b0  b4  b8   b12
a1  a5  a9   a13   sbox   b1  b5  b9   b13
a2  a6  a10  a14   ---->  b2  b6  b10  b14
a3  a7  a11  a15          b3  b7  b11  b15

AES - ShiftRow
- ShiftRow: circularly rotate each row of state array

a0  a4  a8   a12             b0  b4  b8   b12
a1  a5  a9   a13   ShiftRow  b1  b5  b9   b13
a2  a6  a10  a14   ------->  b2  b6  b10  b14
a3  a7  a11  a15             b3  b7  b11  b15
AES - MixColumn
- matrix multiplication of state array columns
  - multiply with constant entries

[Figure: column (a_i, a_{i+1}, a_{i+2}, a_{i+3}) of the input state a0..a15 is mapped to column (b_i, b_{i+1}, b_{i+2}, b_{i+3}) of the output state b0..b15]

\[
\begin{pmatrix} b_i \\ b_{i+1} \\ b_{i+2} \\ b_{i+3} \end{pmatrix}
=
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
\begin{pmatrix} a_i \\ a_{i+1} \\ a_{i+2} \\ a_{i+3} \end{pmatrix}
\]

Bit-level multiplication of a byte a7..a0 by the constants (rows are added bitwise, i.e. XORed):

2 x:
    a6  a5  a4  a3  a2  a1  a0  0
 +  0   0   0   a7  a7  0   a7  a7
 =  b7  b6  b5  b4  b3  b2  b1  b0

3 x:
    a7  a6  a5  a4  a3  a2  a1  a0
 +  a6  a5  a4  a3  a2  a1  a0  0
 +  0   0   0   a7  a7  0   a7  a7
 =  b7  b6  b5  b4  b3  b2  b1  b0

AES - AddRoundKey
- Add round key

a0  a4  a8   a12       k0  k4  k8   k12        a0  a4  a8   a12
a1  a5  a9   a13   +   k1  k5  k9   k13   =>   a1  a5  a9   a13
a2  a6  a10  a14       k2  k6  k10  k14        a2  a6  a10  a14
a3  a7  a11  a15       k3  k7  k11  k15        a3  a7  a11  a15
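The flow chart on the AES algorithm slide and the four round operations above, written out as a byte-level reference model for AES-128 (Nr = 10) of the kind a hardware datapath is checked against. This is an added example, not code from the tutorial; all function names are assumptions, and the S-box is computed from its definition rather than tabulated.

```python
# Added reference model (not from the slides). State: 16 bytes, a0..a15 order.
def xtime(a):
    # 2*a in GF(2^8): shift left, XOR 0x1B gated by the dropped bit a7.
    return ((a << 1) & 0xFF) ^ (0x1B & -(a >> 7))

def gmul(a, b):
    # General GF(2^8) product by shift-and-add; used only to build the S-box.
    r = 0
    while b:
        r ^= a & -(b & 1)
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(a):
    # Multiplicative inverse (0 maps to 0) followed by the affine transform.
    inv = next((x for x in range(1, 256) if gmul(a, x) == 1), 0)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
SBOX = [sbox_entry(a) for a in range(256)]

def shift_rows(s):
    # Row r holds bytes r, r+4, r+8, r+12 and rotates left by r positions.
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def mix_columns(s):
    # b_i = 2*a_i + 3*a_(i+1) + a_(i+2) + a_(i+3); 3*a is xtime(a) ^ a.
    cols = [s[c:c + 4] * 2 for c in range(0, 16, 4)]
    return [xtime(a[i] ^ a[i + 1]) ^ a[i + 1] ^ a[i + 2] ^ a[i + 3]
            for a in cols for i in range(4)]

def expand_key(key):
    # AES-128 key schedule: 44 four-byte words, grouped into 11 round keys.
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(pt, key):
    # Flow chart from the AES algorithm slide, with Nr = 10.
    rk = expand_key(key)
    xor = lambda s, k: [x ^ y for x, y in zip(s, k)]       # AddRoundKey
    s = xor(pt, rk[0])
    for i in range(1, 10):
        s = xor(mix_columns(shift_rows([SBOX[b] for b in s])), rk[i])
    return bytes(xor(shift_rows([SBOX[b] for b in s]), rk[10]))
```

`xtime` mirrors the 2x wiring on the MixColumn slide: the correction term is selected by a mask derived from a7 rather than by a branch, so the operation sequence does not depend on the data.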