Fault Detection Scheme for AES Using Composite Field

BY

AJAL.A.J EPGPM – IIM K

•SYSTEM ARCHITECTURE•SYSTEM ARCHITECTURE

•SIMULATION RESULTS•SIMULATION RESULTS

•RIJNDAEL ALGORITHM•RIJNDAEL ALGORITHM

FUTURE DEVELOPMENTFUTURE DEVELOPMENT

PRESENTATION OVERVIEW

INTRODUCTION

• The cipher Rijndael is one of the five finalists of the Advanced Encryption Standard (AES)

• The algorithm has been designed by Joan Daemen and Vincent Rijmen

• It is a Block cipher. • The hardware implementation with 128-bit blocks

and 128-bit keys is presented. • VLSI optimizations of the Rijndael algorithm are

discussed and several hardware design modifications and techniques are used, such as memory sharing and parallelism.

Critical communications private

(confidentiality)

Know who we are dealing with (identity)

Guarantee messages unaltered (integrity)

Assert rights over content use (authorization)

All critical systems up-and-running

(availability)

Critical N/W Security Elements

The Rijndael Chip

6

1. Rijndael2. Serpent3. Two fish4. RC 65. MARS

AES 128bit implementation

Selected by AES (Advanced Encryption Standard, part of NIST) as the new private-key encryption standard.

Add Round KeySub BytesShift RowsMix ColumnsAdd Round Key

Sub BytesShift RowsMix ColumnsAdd Round KeySub BytesShift RowsAdd Round Key

Add Round KeyInv Sub BytesInv Shift RowsInv Mix ColumnsAdd Round Key

Inv Sub BytesInv Shift RowsInv Mix ColumnsAdd Round KeyInv Sub BytesInv Shift RowsAdd Round Key

1

9

101

2

10

9

Encryption Decryption

Partition of the rounds not suited for intraround pipelining

Rijndael Algorithm – Round

Rijndael Architecture - Overview

ParallelRound 1

Round KeyRegister

ParallelRound 2

KeyGenerator

Add

Key

Dat

a R

egK

ey R

eg

Con

trol

ler

128

12832

32

32128

128 128

128 128

Dat

a R

eg

Largest potential for optimizations in rounds

It all starts with a key• What is a key? • Encryption algorithm is like a recipe for

spaghetti. Key is like the choice of sauce that changes the end result.

Encrypt – Garble so it’s unreadable

Decrypt – Ungarble so it can be read again

Plain text

I am going to the market

encrypt algorithm – add x letters

key - 2 hard to read, UNLESS you

know the key

Cipher text

K co iqkpi vq vjg octmgv

Encrypting Text

Plain text

I am going to the market

CipherText

K co iqkpi vq vjg octmgv

decryption algorithm – subtract x

letters

key - 2

Decrypting Text

That’s encryption!

BLOCK DIAGRAM - DECRYPTION CORES

EncryptionPath

DecryptionPath

SubBytes

Inv SubBytes

Inv

Aff

Tra

ns

Mul

t Inv

erse

Aff

Tra

ns

Rijndael S-box consists of two operations

Parallel impletation of S-Boxes

Multiplicative inverse can be shared

Mul

t Inv

erse

Encryption Simulation Result

Decryption Simulation Result

Synthesis Report And Result Of AES Fault Detection Schemes

Comparison of s- box

Design Area Delay Power

LUT-Based 262144 31.824ns 35mw

Composite Field Based

28514 8.129ns 34mw

Output Waveform for composite field s-box without error

Output wave form of encryption algorithm for composite field s-box

without error

Output wave form decryption algorithm for composite field s-box

without error

Output wave form decryption algorithm for composite field s-box

with error

Map report--------------

• Number of errors: 0

• Number of warnings: 0

HDL SYNTHESIS REPORT

Macro Statistics# ROMs : 5616x128-bit ROM : 56# Multiplexers : 668-bit 10-to-1 MUX : 108-bit 16-to-1 MUX : 56# XORs : 171128-bit xor2 : 118-bit xor2 : 1508-bit xor3 : 10

Implementation Encryption Speed

Software implementation (ANSI C)

27Mb/s

Visual C++ 70.5Mb/s

Hardware Implementation (Altra)

268Mb/s

Proposed VHDL (Virtex II)

2.18Gb/s

Performance Comparison

FUTURE DEVELOPMENT

• For future development, estimation on the real time required for key initialization and time for a whole encryption should be done on the real chip.

• Research is still going on the encryptor core for higher bit lengths.

• FPGA based solutions have shown significant speedups compared with software based approaches

• The widespread adoption of distributed, wireless, and mobile computing makes the inclusion of privacy, authentication and security

• Power consumption will remain a critical factor ,especially when cryptographic applications will move into embedded context

CONCLUSION• In this paper, a VLSI implementation for the Rijndael

encryption algorithm is presented • The combination of security, and high speed implementation,

makes it a very good choice for wireless systems.• The whole design was captured entirely in VHDL language

using a bottom-up design and verification methodology • The proposed VLSI implementation of the algorithm reduces the

covered area and achieves a data throughput up to 2.18Gbit/sec.• An optimized coding for the implementation of Rijndael

algorithm for 128 bits has been developed • Architectural innovations like on the fly round key generation,

which facilitates simultaneous execution of sub bytes, shift rows and mix columns and round key generation has been incorporated in our coding.

FUTURE WORK

• We have presented a high performance parity based low complexity fault detection scheme for the AES using the S-box and the inverse S-box in composite fields.

• In our implementations, we used parity method in case of s box and ensured that error detection at s box takes two times which improves the fault coverage to a great extent. According to our simulation results, with acceptable error coverage, the structure-independent schemes proposed in this paper have the highest efficiencies, showing reasonable area and time complexity overheads. Based on the AES structure chosen, the performance goals to achieve, and the resources available, one can use combinations of the presented schemes in order to have much more reliable AES encryption and decryption structure.

FUTURE WORK

 [1] National Institute of Standards and Technologies, Announcing the Advanced Encryption Standard (AES) FIPS 197, Nov. 2001.[2] R. Karri, K. Wu, P. Mishra, and K. Yongkook, “Fault-based side-channel cryptanalysis tolerant Rijndael symmetric block cipher architecture,” in Proc. DFT, Oct. 2001, pp. 418–426.[3] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Concurrent error detection schemes for fault-based side-channel cryptanalysis of symmetric block ciphers,” IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 21, no. 12, pp. 1509–1517, Dec. 2002.[4] A. Satoh, T. Sugawara, N. Homma, and T. Aoki, “High-performance concurrent error detection scheme for AES hardware,” in Proc. CHES, Aug. 2008, pp. 100–112.

[5] L. Breveglieri, I. Koren, and P. Maistri, “Incorporating error detection and online reconfiguration into a regular architecture for the advanced encryption standard,” in Proc. DFT, Oct. 2005, pp. 72–80.[6] M. Karpovsky, K. J. Kulikowski, and A. Taubin, “Differential fault analysis attack resistant architectures for the advanced encryption standard,” in Proc. CARDIS, Aug. 2004, vol. 153, pp. 177–192.[7] P. Maistri and R. Leveugle, “Double-data-rate computation as a countermeasure against fault analysis,” IEEE Trans. Computers, vol. 57, no. 11, pp. 1528–1539, Nov. 2008.[8] C. H. Yen and B. F.Wu, “Simple error detection methods for hardwareimplementation of advanced encryption standard,” IEEE Trans. Computers, vol. 55, no. 6, pp. 720–731, Jun. 2006.[9] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, and V. Piuri, “A parity code based fault detection for an implementation of the advanced encryption standard,” in Proc. DFT, Nov. 2002, pp. 51–59.[10] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, and V. Piuri, “Error analysis and detection procedures for a hardware implementation of the advanced encryption standard,” IEEE Trans. Computers, vol. 52, no. 4, pp. 492–505, Apr. 2003.[11] C. Moratelli, F. Ghellar, E. Cota, and M. Lubaszewski, “A fault-tolerant DFA-resistant AES core,” in Proc. ISCAS, 2008, pp. 244–247.[12] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “Parity-based fault detection architecture of S-box for advanced encryption standard,” in Proc. DFT, Verbauwhede, “A systematic evaluation of compact hardware implementations for the Rijndael S-box,” in Proc. CT-RSA, Feb. 2005, pp. 323–333. Oct. 2006, pp. 572 580.

[13] S.-Y. Wu and H.-T. Yen, “On the S-box architectures with concurrent error detection for the advanced encryption standard,” IEICE Trans. Fundam. Electron., Commun. Comput. Sci., vol. E89-A, no. 10, pp. 2583–2588, Oct. 2006.

[14] A. E. Cohen, “Architectures for Cryptography Accelerators,” Ph.D. dissertation, Univ. Minnesota, Twin Cities, Sep. 2007.

[15] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A lightweight concurrent fault detection scheme for the AES S-boxes using normal basis,” in Proc. CHES, Aug. 2008, pp. 113–129.

[16] D. Canright, “A very compact S-box for AES,” in Proc. CHES, Aug. 2005, pp. 441–455.

[17] A. Satoh, S. Morioka, K. Takano, and S. Munetoh, “A compact Rijndael hardware architecture with S-box optimization,” in Proc. ASIACRYPT, Dec. 2001, pp. 239–254.

[18] J.Wolkerstorfer, E. Oswald, and M. Lamberger, “An ASIC implementation of the AES SBoxes,” in Proc. CT-RSA, 2002, pp. 67–78.

[19] V. Rijmen, Dept. ESAT, Katholieke Universiteit Leuven, Leuven, Belgium, Efficient Implementation of the Rijndael S-Box, 2000.

[20] X. Zhang and K. K. Parhi, “High-speed VLSI architectures for the AES algorithm,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. VLSI-12, no. 9, pp. 957–967, Sep. 2004.

[21] X. Zhang and K. K. Parhi, “On the optimum constructions of composite field for the AES algorithm,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 53, no. 10, pp. 1153–1157, Oct. 2006.

[22] N. Mentens, L. Batina, B. Preneel, and I. Verbauwhede, “A systematic evaluation of compact hardware implementations for the Rijndael S-box,” in Proc. CT-RSA, Feb. 2005, pp. 323–333.

QUERRIES ? ? ?

AJAL.A.J

MOB: 0-8907305642