Source: arith23.gforge.inria.fr › slides › ... (posted 27-Jun-2020)
TRANSCRIPT
Amir Ali Kouzeh Geran and Arash Reyhani-Masoleh
Presented by: Arash Reyhani-Masoleh
Department of Electrical and Computer Engineering
Western University, London, Ontario, Canada
23rd IEEE Symposium on Computer Arithmetic (ARITH 23)
June 11, 2016
Outline
Motivation
Preliminaries
Single-bit Fault Detection Scheme
CRC-based Fault Detection Scheme
Fault Simulation Results
FPGA Implementations and Overheads
Conclusion
Motivations: GCM
Galois/Counter Mode (GCM) is a recently adopted mode of operation for symmetric-key block ciphers (such as AES).
Proposed by McGrew and Viega in 2005 and standardized by NIST in SP 800-38D (2007).
AES-GCM is included in NSA Suite B Cryptography.
It is used in a number of protocols and standards:
IEEE 802.1AE (MACsec), IEEE 802.11ad
ANSI (INCITS) Fibre Channel Security Protocols (FC-SP)
IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2
It provides authentication assurance for additional data that is not encrypted.
It detects accidental modifications and unauthorized alterations of data, and protects confidentiality.
Motivations: Reliable GCM
Sources of faults in cryptographic systems:
Natural faults.
Fault attacks: inject faults and look for leakage of information.
The need for a fault detection method:
Protect the integrity and authenticity of data.
Interrupt the attack sequence in case of a fault attack.
In this paper, we propose a reliable GCM scheme to detect both permanent and transient faults, with:
Low overhead in terms of area and delay.
Acceptable fault coverage.
Preliminaries
GCM has two operations: authenticated encryption and authenticated decryption.
There are four inputs to authenticated encryption:
1. A secret key (K) whose length is determined by the block cipher.
2. An initialization vector (IV) of between 1 and $2^{64}$ bits.
3. A plaintext (P) of any number of bits between 0 and $2^{39} - 256$.
4. Additional authenticated data (A), which is authenticated but not encrypted, of any number of bits between 0 and $2^{64}$.
There are two outputs of authenticated encryption:
1. A ciphertext (C) whose length is exactly that of the plaintext.
2. An authentication tag (T), whose length can be any value between 0 and 128 bits. (In practice NIST SP 800-38D restricts the tag length to 128, 120, 112, 104 or 96 bits, with 64 and 32 bits permitted only for specific applications; a shorter tag raises the forgery probability accordingly.)
AES-GCM Block Diagram
• The hash key H is generated by encrypting the 128-bit all-zero block under the symmetric key K: $H = E(K, 0^{128}) = E_K(0)$.
• The plaintext P is divided into n blocks of 128 bits: $P_1, P_2, \ldots, P_n$.
• An up-counter with output $U_i$ is used to generate the blocks of ciphertext: $C_i = P_i \oplus E_K(U_i)$ for $i = 1, 2, \ldots, n$.
• The additional authenticated data A is represented as m blocks of 128 bits: $A_1, A_2, \ldots, A_m$.
AES-GCM Block Diagram (cont.)
• Using the inputs H, A and C, the output of the GCM loop is defined by $X_{m+n+1} = \mathrm{GHASH}(H, A, C)$, where each iteration adds the current input block to the 128-bit register Y and multiplies the sum by H in $GF(2^{128})$ (the m blocks of A, then the n blocks of C, then one final block encoding the bit lengths of A and C).
• The 128-bit register Y is cleared initially.
• After the $(m+n+1)$-th clock cycle, it contains $X_{m+n+1} = \mathrm{GHASH}(H, A, C)$.
• In this paper, we consider the GCM loop (the GHASH multiply-and-accumulate), not the block cipher.
Single-bit Fault Detection Scheme
The parity of the multiplier output $X_i$ is computed using two different functions:
1. The actual parity $p_{X_i}$ is obtained by XORing the coordinates of $X_i$.
2. The predicted parity $\hat{p}_{X_i} = f(H, C_i, Y)$ is a complex function of H, $C_i$ and Y that does not use $X_i$ itself.
Then they are compared to find an error: if $p_{X_i} \neq \hat{p}_{X_i}$ ⇒ $e_{out} = 1$.
Single-bit Parity Prediction Formulations
We write the multiplier output as follows:
$X_i = H \times D_i \bmod F(\alpha)$, where $\alpha$ is a root of the irreducible polynomial $F(x) = x^{128} + x^7 + x^2 + x + 1$ and $0 \le i \le m+n+1$.
The hash key $H \in GF(2^{128})$ is fixed for every iteration $i$.
The field element $D_i = \sum_{j=0}^{127} d_j \alpha^j$ (the index $i$ is dropped for simplicity).
$X_i = \sum_{j=0}^{127} d_j Z^{(j)}$, where $Z^{(j)} = (H \alpha^j) \bmod F(\alpha)$ and $Z^{(0)} = H$.
Then the parity prediction of the multiplier output is
$\hat{p}_{X_i} = \sum_{j=0}^{127} d_j\, \hat{p}_{Z^{(j)}}$.
Single-bit Parity Prediction Formulations (Cont.)
Since $D = Y + C$ ⇒ $d_j = y_j + c_j$, and therefore
$\hat{p}_{X_i} = \sum_{j=0}^{127} y_j\, \hat{p}_{Z^{(j)}} + \sum_{j=0}^{127} c_j\, \hat{p}_{Z^{(j)}}$.
• $\hat{p}_{Z^{(j)}}$, $0 \le j \le 127$, is a binary function that depends only on the coordinates of $H \in GF(2^{128})$:
• $Z^{(0)} = H$ ⇒ $\hat{p}_{Z^{(0)}} = p_H$.
• $Z^{(1)} = Z^{(0)} \alpha \bmod F(\alpha)$ ⇒ $\hat{p}_{Z^{(1)}} = \hat{p}_{Z^{(0)}} + h_{127}$ (multiplying by $\alpha$ shifts out $h_{127}$, and the reduction term $x^7 + x^2 + x + 1$ has even weight, so it leaves the parity unchanged).
• In general: $\hat{p}_{Z^{(j)}} = \hat{p}_{Z^{(j-1)}} + z^{(j-1)}_{127}$ for $1 \le j \le 127$.
• These 128 values are stored in a register (PH) at the initialization phase.
• They remain constant for the entire $m+n+1$ cycles of the GCM computation.
Single Parity Fault Detection Architecture
$\hat{p}_{X_i} = \sum_{j=0}^{127} y_j\, \hat{p}_{Z^{(j)}} + \sum_{j=0}^{127} c_j\, \hat{p}_{Z^{(j)}}$
• The actual and predicted parities are computed and compared in each clock cycle to generate the output error signal.
CRC-Based Fault Detection Scheme
• We extend the idea from a single bit to multiple bits.
• A cyclic redundancy check (CRC) code is adopted to detect errors in the GCM loop.
• For $k$ parity bits, the CRC generator polynomial must be of degree $k$: $g_k(x) = x^k + \cdots + g_1 x + 1$.
• Let us denote the output of the multiplier in the GCM loop as the message: $m(x) = X_i(x)$.
1. Compute the actual k-bit parity: $p(x) = m(x) \bmod g_k(x)$.
2. Compute the k-bit predicted parity: $\hat{p}(x) = f(C, H, Y)$.
3. Compare them to detect an error: if $p(x) \neq \hat{p}(x)$ ⇒ $e_{out} = 1$.
Matrix-Based CRC Formulations
1. The k parity bits of the multiplier output are computed as
$\mathbf{p}_{CRC\text{-}k} = [p_0\, p_1 \ldots p_{k-1}] = [m_0\, m_1 \ldots m_{127}]\, \mathbf{G}_{CRC\text{-}k}$.
• $m_j \in \{0, 1\}$ is the j-th coordinate of the multiplier output $X_i$.
• $\mathbf{G}_{CRC\text{-}k}$ is the $128 \times k$ CRC generator matrix.
• The j-th row, $0 \le j \le 127$, of $\mathbf{G}_{CRC\text{-}k}$ contains the coefficients of $x^j \bmod g_k(x)$.
• For $k = 1$ (single-bit parity), $g_1(x) = x + 1$ and then $\mathbf{G}_{CRC\text{-}1} = [1\, 1 \ldots 1]^T$ ⇒ $p = m_0 + m_1 + \cdots + m_{127}$.
• For $2 \le k \le 4$ ⇒ (the generator polynomials and matrices shown on this slide are not reproduced in the transcript)
Matrix-Based CRC Formulations (cont.)
2. To calculate the k predicted parity bits, we use the Mastrovito formulation of the multiplier output:
$\mathbf{m} = [m_0\, m_1 \ldots m_{127}]^T = \mathbf{E}\,\mathbf{d}$
• The entries of $\mathbf{E}$ contain coordinates of $H$ only (its j-th column holds the coordinates of $Z^{(j)}$).
• $\mathbf{d} = \mathbf{y} + \mathbf{c}$ is the vector with the coordinates of $D_i = Y_i + C_i$.
• Substituting $\mathbf{m}^T = \mathbf{d}^T \mathbf{E}^T$ into $\mathbf{p}_{CRC\text{-}k} = \mathbf{m}^T \mathbf{G}_{CRC\text{-}k}$, we obtain
$\hat{\mathbf{p}}_{CRC\text{-}k} = [\hat{p}_0\, \hat{p}_1 \ldots \hat{p}_{k-1}] = \mathbf{d}^T \mathbf{E}^T \mathbf{G}_{CRC\text{-}k} = \mathbf{y}^T \mathbf{O}_{CRC\text{-}k} + \mathbf{c}^T \mathbf{O}_{CRC\text{-}k}$
• The entries of $\mathbf{O}_{CRC\text{-}k} = \mathbf{E}^T \mathbf{G}_{CRC\text{-}k}$ are functions of $H$ only (its j-th row is the k-bit CRC of $Z^{(j)}$).
• They are stored in k 128-bit registers at the initialization phase (for $k = 1$ this is the PH register of the single-bit scheme).
Matrix-Based CRC Formulations (cont.)
3. After calculating $[p_0\, p_1 \ldots p_{k-1}]$ and $[\hat{p}_0\, \hat{p}_1 \ldots \hat{p}_{k-1}]$, we compare all $k$ actual parities with the corresponding predicted parities to generate the output error signal:
$e_{out} = (p_0 + \hat{p}_0) \lor (p_1 + \hat{p}_1) \lor \cdots \lor (p_{k-1} + \hat{p}_{k-1})$
• This requires $k$ 2-input XOR gates and a $k$-input OR gate.
CRC-Based Fault Detection Architecture
$\hat{\mathbf{p}}_{CRC\text{-}k} = [\hat{p}_0\, \hat{p}_1 \ldots \hat{p}_{k-1}] = \mathbf{y}^T \mathbf{O}_{CRC\text{-}k} + \mathbf{c}^T \mathbf{O}_{CRC\text{-}k}$
$\mathbf{p}_{CRC\text{-}k} = [p_0\, p_1 \ldots p_{k-1}] = [m_0\, m_1 \ldots m_{127}]\, \mathbf{G}_{CRC\text{-}k}$
$e_{out} = (p_0 + \hat{p}_0) \lor (p_1 + \hat{p}_1) \lor \cdots \lor (p_{k-1} + \hat{p}_{k-1})$
• The actual and predicted parities are computed and compared in each clock cycle to generate the output error signal.
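The single-bit scheme (slides 8 to 11) and the CRC-k scheme (slides 12 to 16) can be exercised together with the following Python model. It is an added example, not code from the paper or its authors: it builds the $Z^{(j)}$ table, fills the PH register with the slide's recurrence and checks it against the matrix form, derives the rows of $\mathbf{G}_{CRC\text{-}k}$ and the k registers of $\mathbf{O}_{CRC\text{-}k}$, and then runs the GCM loop with the checker active in every cycle while injecting faults into the multiplier output. The hash key, the data blocks and the degree-3 generator polynomial $x^3 + x + 1$ are assumptions of this example (the paper's polynomials for $k \ge 2$ are not in this transcript).

```python
"""GCM-loop fault detection with k-bit CRC parity prediction (added example, not the paper's code)."""
from typing import Dict, List

# GF(2^128) with the slides' polynomial F(x) = x^128 + x^7 + x^2 + x + 1.
# An element is an int whose bit j is the coefficient of alpha^j.
F_LOW = 0b10000111              # x^7 + x^2 + x + 1, i.e. x^128 mod F(x)
MASK128 = (1 << 128) - 1
G1 = 0b11                       # g_1(x) = x + 1 (single-bit parity, as on the slides)
G3 = 0b1011                     # g_3(x) = x^3 + x + 1 (assumed choice for k = 3)


def mul_alpha(z: int) -> int:
    """Z * alpha mod F(alpha): shift left, then add x^7+x^2+x+1 if z_127 was shifted out."""
    top = (z >> 127) & 1
    return ((z << 1) & MASK128) ^ (F_LOW if top else 0)


def z_table(h: int) -> List[int]:
    """Z^(j) = H alpha^j mod F(alpha), j = 0..127: the columns of the Mastrovito matrix E."""
    zs = [h]
    for _ in range(127):
        zs.append(mul_alpha(zs[-1]))
    return zs


def gf_mul(h: int, d: int) -> int:
    """Multiplier output X = H x D mod F(alpha) = sum_j d_j Z^(j)."""
    x = 0
    for j, z in enumerate(z_table(h)):
        if (d >> j) & 1:
            x ^= z
    return x


def parity(v: int) -> int:
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def crc_k(m: int, g: int, k: int) -> int:
    """Actual parity p(x) = m(x) mod g_k(x); g encodes g_k(x) with bit k and bit 0 set."""
    for bit in range(127, k - 1, -1):        # polynomial long division over GF(2)
        if (m >> bit) & 1:
            m ^= g << (bit - k)
    return m                                 # remainder, degree < k


def generator_rows(g: int, k: int) -> List[int]:
    """Row j of G_CRC-k: the coefficients of x^j mod g_k(x)."""
    return [crc_k(1 << j, g, k) for j in range(128)]


def predictor_registers(h: int, g: int, k: int) -> List[int]:
    """The k 128-bit registers holding O_CRC-k = E^T G_CRC-k, filled once at initialisation.
    Row j of O is the CRC of Z^(j); register t holds column t (bit j = O[j][t])."""
    rows = [crc_k(z, g, k) for z in z_table(h)]
    return [sum(((row >> t) & 1) << j for j, row in enumerate(rows)) for t in range(k)]


def predicted_parity(d: int, regs: List[int]) -> int:
    """p^_t = sum_j d_j O[j][t]: 128 ANDs plus an XOR tree per parity bit, never reading X."""
    return sum(parity(d & reg) << t for t, reg in enumerate(regs))


def ph_register_by_recurrence(h: int) -> int:
    """PH for k = 1 via the slides' recurrence p^_{Z^(j)} = p^_{Z^(j-1)} + z^(j-1)_127."""
    ph, z, p = 0, h, parity(h)
    for j in range(128):
        ph |= p << j
        p ^= (z >> 127) & 1
        z = mul_alpha(z)
    return ph


def gcm_loop_with_checker(h: int, blocks: List[int], g: int, k: int,
                          faults: Dict[int, int]) -> List[int]:
    """Run the GCM loop Y <- (Y + C_i) x H with the checker active in every cycle.
    faults maps a cycle index to an error pattern XORed into that cycle's multiplier output.
    Returns e_out per cycle (1 = actual and predicted parity disagree)."""
    regs = predictor_registers(h, g, k)
    y, e_out = 0, []
    for i, c in enumerate(blocks):
        d = y ^ c
        x = gf_mul(h, d) ^ faults.get(i, 0)
        e_out.append(int(crc_k(x, g, k) != predicted_parity(d, regs)))
        y = x
    return e_out


# Constructed inputs (not from the paper): a hash key with its top bit set so that the
# reduction step is exercised, and three arbitrary 128-bit data blocks.
H_TEST = 0xFEDCBA9876543210_0123456789ABCDEF
BLOCKS = [0x1, 0x2 << 64, MASK128]

if __name__ == "__main__":
    print("single-bit fault, k=1:     ", gcm_loop_with_checker(H_TEST, BLOCKS, G1, 1, {1: 1 << 50}))
    print("adjacent 2-bit fault, k=1: ", gcm_loop_with_checker(H_TEST, BLOCKS, G1, 1, {1: 0b11 << 50}))
    print("adjacent 2-bit fault, k=3: ", gcm_loop_with_checker(H_TEST, BLOCKS, G3, 3, {1: 0b11 << 50}))
    print("2 bits 7 apart, k=3:       ", gcm_loop_with_checker(H_TEST, BLOCKS, G3, 3, {1: (1 << 50) | (1 << 57)}))
```

The fault injected in cycle 1 only raises $e_{out}$ in that cycle: the next cycle's prediction is computed from the corrupted Y, so actual and predicted parity agree again, which is why the checker must be sampled every clock as the architecture slides state. Single parity misses every even-weight fault, and $x^3 + x + 1$ misses a two-bit fault whose bits are 7 apart because $x^7 \equiv 1 \pmod{g_3(x)}$; coverage below 100% for small $k$ and the dependence on the choice of $g_k(x)$ are exactly the trade-off the fault simulation section reports.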
Fault Simulation Results
• We have written VHDL code to simulate the entire fault detection scheme for the GCM using ModelSim.
• We have considered CRC generator polynomials of up to degree six.
• Different cases of single- and multiple-bit faults (300,000 in total) are injected into the different modules of the proposed fault detection architecture.
• As the number of parity bits increases, the fault coverage increases and can reach 100% with an acceptable false-alarm rate.
FPGA Implementations and Overheads
• We have implemented the original GCM and six fault detection architectures on Altera's 28 nm FPGA.
• Their areas, in terms of the number of ALMs (Adaptive Logic Modules), and their longest path delays are recorded.
• The area and time overheads of the fault detection schemes are reported relative to the original, unprotected design.
• For a fault coverage of 98% (k = 6), the area overhead is 10.9% and the delay overhead is 23%.
Conclusion
We proposed a reliable GCM scheme capable of detecting permanent and transient faults.
The proposed fault detection scheme checks the validity of the GCM computation in every clock cycle.
Based on the available overhead budget and/or the required fault coverage, the number of parity bits (and hence the CRC generator polynomial) can be selected.
We performed fault simulation and FPGA implementations.
We considered single and multiple faults in all locations of the GCM, the parity generation and the parity prediction modules.
The proposed fault detection scheme has high fault coverage with low overheads and a negligible false-alarm rate.
Thank You & Questions?