parallel synchronous code generation forsecond round ......parallel synchronous code generation for...
TRANSCRIPT
![Page 1: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/1.jpg)
Parallel Synchronous Code Generation forSecond Round Light Weight Candidates
Pantea Kiaei , Archanaa S. Kr ishnan, Patr ick SchaumontWo r c e s t e r P o l y t e c h n i c I n s t i t u t e
V i r g i n i a Te c h
![Page 2: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/2.jpg)
Outline 1. Background
2. Timing side-channel
3. Timing aspects of AEAD ciphers
4. Predictable-time solutions
5. Parallel synchronous programming
6. Results
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 2
![Page 3: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/3.jpg)
• AEAD algorithm• Confidentiality• Integrity• Authenticity
• Implementation• Side-channel analysis• Fault attacks
Background
M A T H E M A T I C A L A L G O R I T H M
P H Y S I C A L I M P L E M E N T A T I O N
• Cryptanalysis on the algorithm
• Timing analysis• Power analysis• Fault injection• …
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 3
![Page 4: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/4.jpg)
Timing attacks• Sources of non-constant run-time:
• Algorithm• Data-dependent run-time
• Memory hierarchy• Cache-hit vs. cache-miss
• Shared resources
• Timing side-channel• Algorithm
• Table lookups
• Memory hierarchy• Last Level Cache (LLC): Flush+Reload [1], Prime+Probe [2]
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 4
[1] Yuval Yarom, Katrina Falkner. “FLUSH+ RELOAD: a high resolution, low noise, L3 cache side-channel attack”. USENIX Security 2014[2] Dag Arne Osvik, Adi Shamir, Eran Tromer. “Cache attacks and countermeasures: the case of AES”. Cryptographers' track at the RSA conference 2006
![Page 5: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/5.jpg)
AEAD ciphers
• Timing side-channel • Recognize different phases
• Facilitate power SCA and fault injection
• Gain information about the internal state
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES
Initialization AD Processing
Message Processing Finalization
5
![Page 6: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/6.jpg)
Predictable-time solutions• Bitslicing
• Every thing computed no table lookups
• Data scattered over many locations no memory hierarchy timing leakage
• Normal control logic
• Parallel Synchronous Programming [3]• Implements FSMD in software• Adds the control logic into the bitslicing no algorithm-related unpredictability
Reg0
Reg1
RegR-1
bit0bitB-1
R…
Reg0
Reg1
RegB-1
Reg2
BR
B…
bit0
bitB-1
bitslice
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 6
Reg0
Reg1
RegB-1
Reg2
R
B…
bit0
bitB-1
+
[3] P. Kiaei and P. Schaumont. “Synthesis of Parallel Synchronous Software”. IEEE Embedded Systems Letters 2020
![Page 7: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/7.jpg)
Parallel Synchronous Programming (PSP)• PSP kernel
• Generated by automated tool (PSPCG)• Equivalent to one clock cycle of FSMD
• PSP wrapper• Calls the PSP kernel
7
void kernel(..., MDTYPE* done) {...NOT1(rst, n01_);XOR2(fsmd_reg[0], CNT[0], n02_);XOR2(CNT[1], fsmd_reg[1], n03_);OR2(n02_, n03_, n04_);...DFF(clk, n00_[0], fsmd_reg[0]);DFF(clk, n00_[1], fsmd_reg[1]);DFF(clk, n00_[2], fsmd_reg[2]);DFF(clk, n00_[3], fsmd_reg[3]);}
int main() {// prepare inputs in bitsliced format...// reset:...// keep calling the kernel until all // calculations complete:while (done != 0xffffffff) {
kernel(..., &done);}return 0;}
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES
![Page 8: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/8.jpg)
PSP implementation of LWC candidates
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 8
• Predictable run-time • The longest calculation among the parallel runs
• Indistinguishable AEAD phases
![Page 9: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/9.jpg)
Implementations• Implemented PSP version of a few second round LWC candidates
• Not a comparison among the candidates
• Compared the PSP version and normal implementation provided by submissions
• Compared the PSP version and bitsliced implementation generated by the Usuba compiler
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 9
![Page 10: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/10.jpg)
Results: PSP vs. reference implementation
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 10
![Page 11: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/11.jpg)
Results: PSP vs. bitsliced – code size
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 11
![Page 12: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/12.jpg)
Results: PSP vs. bitsliced – logic
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 12
![Page 13: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/13.jpg)
Results: PSP vs. bitsliced – memory spill
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 13
![Page 14: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/14.jpg)
Conclusion• Naïve implementations of AEAD ciphers can result in exploitable timing side-channel
• Parallel synchronous programming can prevent timing side-channel of AEAD ciphers
• Parallel synchronous programs in contrast to bitslicing include the control logic therefore are more secure while also being more compact
PARALLEL SYNCHRONOUS CODE GENERATION FOR LWC CANDIDATES 14
![Page 15: Parallel Synchronous Code Generation forSecond Round ......Parallel Synchronous Code Generation for Second Round Light Weight Candidates Pantea Kiaei, Archanaa S. Krishnan, Patrick](https://reader035.vdocuments.us/reader035/viewer/2022071515/613769810ad5d20676489a1b/html5/thumbnails/15.jpg)
Thank youhttps://github.com/Secure-Embedded-Systems/psp-nistlwc20