Online Testing Schemes for the IDEA NXT Crypto-Algorithm
Andreea Bozeşan, Flavius Opriţoiu
Computer Science Department, University Politehnica Timisoara, Romania
ACTA ELECTROTEHNICA, Volume 56, Number 1-2, 2015
© 2015 – Mediamira Science Publisher. All rights reserved

Abstract—This paper presents a hardware architecture for online self-test in the context of the IDEA NXT crypto-algorithm. From the many techniques and solutions presented in the literature for increasing Built-In Self-Test (BIST) capabilities, after a careful analysis of these solutions, we decided to focus our attention on solutions based on parity prediction. In this sense we designed and implemented a parity-based error detection architecture for the Datapath and one for the Key Schedule mechanism of IDEA NXT. The solution we propose does not interfere in any way with the algorithm's structure, as there is a complete separation between the functional and testing channels. The proposed solution is the first of this kind for the IDEA NXT crypto-algorithm. We evaluated the performance of the proposed test strategy with different redundancy levels and formulated recommendations for the concurrent detection strategy based on the obtained experimental results. The error-detection rate of the architecture with regard to stuck-at faults was also calculated in this paper.

Keywords— cryptography, IDEA NXT, crypto-algorithm, LFSR, concurrent testing, parity-based testing

1. INTRODUCTION

The cryptographic domain is continuously trying to find ways of strengthening the means for obtaining the security of sensitive information. More and more attacks showing the weaknesses of existing algorithms were published in the past years; most of the attacks on block cipher algorithms operated with just simple key programmers and algebraic substitution boxes, so these crypto-algorithms' structure constituted merely an aid for algebraic attacks. The new trend in cryptographic algorithms is IDEA NXT, a family of symmetric encryption algorithms, flexible and scalable, which was theoretically proven to combine the speed of IDEA and the security of the AES crypto-algorithms [2].

The IDEA NXT family is mainly made of two block ciphers (NXT64, NXT128) which essentially have the same algebraic structure but differ in text sizes, key lengths and number of rounds. The NXT crypto-algorithms can be generalized by implementing a general version with variable parameters.

2. MATHEMATICAL STRUCTURE OF IDEA NXT

The IDEA NXT algorithm, which takes an input text of 64 or 128 bits and a key of 128, 192 or 256 bits, depending on the chosen algorithm version, is based on a Lai-Massey scheme combined with two orthomorphisms, and the round functions are of the Substitution-Permutation Network type based on the Feistel scheme [2]. The orthomorphism represents a single-round Feistel scheme which has the identity function as its round function. IDEA NXT consists of 'n-1' iterations of a round function called lmor64, followed by the application of a slightly modified function called lmid64. The decryption process is very similar to the encryption one; the only difference is that lmio64 is used instead of lmor64 [3]. In this paper we will only refer to the 64-bit version of IDEA NXT.

The function f32 lies at the base of lmor64 and also constitutes the foundation of the entire encryption algorithm. It is composed of three parts: substitution, diffusion and a round key addition part, as can be observed from Fig. 1. The substitution part uses a substitution box (sbox) which essentially is a look-up table filled with predefined values. The diffusive part mu32 is a linear multipermutation defined over the Galois Field GF(2^8) [2].

The key is processed by a Key Scheduler module which performs a four-layer encryption of its own before providing the obtained round key to the data encryption process itself. This algorithm is the very core of IDEA NXT, which gives the algorithm its security strength [2]. The Key Scheduler's constituent parts are: padding, mixing, diversification and the non-linear part called NL64.

Fig. 1 The f64 function, main part of lmor64

The non-linear step is itself made of multiple parts: substitution (which uses 4 parallel sigma4 processes that are each composed of 4 substitution boxes operating in parallel), diffusion, composed of four mu4 functions (a linear (4,4) multipermutation defined over GF(2^8)) plus mixing, and mixing. The result is obtained from various combinations of XOR operations between the 4 parts obtained by splitting the input vector. The diversification part takes the key computed in the mixing part, of length ek bits, the total number of rounds and the current round number, and modifies the key with the help of a 24-bit LFSR. The main part of diversification, the Linear Feedback Shift Register (LFSR), is used to generate pseudo-random numbers.

3. CONCURRENT ERROR DETECTION ARCHITECTURES

Once an encryption algorithm starts to be used in the field, integrated in a chip or used as such, it has to be checked periodically for correct functioning. There are a lot of things that can cause its malfunction, from system faults to intruder attacks on the algorithm. As has already been proved in various papers [3], [23], [24], there are many different types of attacks that can compromise the encryption process even in the case of a hardware implementation of a cryptographic algorithm. Attackers can inject faults into crypto-chips and cryptographic cores, which can lead to permanent faults by modifying the underlying semiconductor layer. We can mention particularly linear and differential cryptanalysis and fault attacks.

In order to check for errors and faults we can construct testing architectures which closely fit the algorithm's structure and verify correct functioning at every stage of the algorithm. There are two types of error detection principles: offline and concurrent testing. In the first case, the testing is done when the system is not running, whereas in the second case testing is done while the system is in operating mode. Concurrent checking schemes are designed to detect certain types of errors (e.g. single errors, double errors, unidirectional errors) or all or a high percentage of single stuck-at-0/1 faults, but in general a single fault can cause different types of errors to occur [17]. Therefore, one must design the architecture to be as general as possible and detect as many types of faults as possible.

So far, no verification mechanisms have been implemented for the IDEA NXT crypto-algorithm, neither offline nor concurrent, so we decided to increase the reliability of crypto-systems in which this powerful algorithm is used by creating a pair of concurrent, self-testing architectures, one for the Datapath and the other for the Key Scheduler. The fault detection principle we used is the non-intrusive concurrent error detection mechanism from [16], based on the output's parity prediction.

A parity check code is a code in which the parity of multiple circuit outputs, forming a parity group, is checked against a predicted parity bit for that group. The objective is to classify the outputs into a minimal number of groups, such that any single fault in the circuit will affect the parity of at most one output bit in every parity group. To ensure that the fault effect will be detected, no sharing is allowed between the cones of logic of output bits belonging to the same parity group. The two extreme cases for the number of parity groups are single-bit parity and duplication. In single-bit parity, all the output bits of the circuit form a single group and, consequently, no sharing between their cones of logic is allowed [18]. Duplication leaves the original circuit intact, yet incurs the cost of an additional copy of the circuit to predict the parity of each group, while the single-bit parity case is relatively inexpensive, as no redundancy is introduced. We chose the second case for our parity-checking architecture.

Output parity prediction means adding a number of parity bits and calculating at each stage whether the parity remains the same or not. Thus the architecture will correctly detect any odd number of errors affecting the result of the protected module, while remaining completely independent from the circuit under test (CUT). This type of error detection fits well with the notion of integrated circuits that are designed to be totally self-checking with respect to a set of faults, as we can verify each stage and component of a cryptographic algorithm in the proposed manner.

As mentioned before, we constructed two concurrent architectures, for the Datapath and the Key Scheduler of IDEA NXT, so that the whole algorithm is checked for possible errors, not just part of it. The two error detection mechanisms will be described in detail in the following chapter.

4. PROPOSED CONCURRENT TESTING ARCHITECTURES

4.1. Error detection mechanism for IDEA NXT's Datapath

The concurrent architecture for the Datapath is

bits of data, so calculating the parity of the operation reduces to calculating the parity of one substitution box and then summing up all the s-boxes' parity outputs. A simple solution is to sum all the s-boxes' input parity bits, obtaining a single parity bit which is preserved by the transformation. This result must be verified for correct execution against the Verifier used for the first XOR operations described above.
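The following bit-level model illustrates the output parity prediction described in Section 3 and Section 4.1 for a substitution plus round-key XOR stage of the kind f32 is built from. It is an added example, not code from the paper or from any IDEA NXT implementation: the 8-bit s-box is a constructed toy permutation (not the real IDEA NXT sbox), the testing channel predicts the s-box parity from a one-bit-per-entry table of output parities (a common way to realise parity prediction for a look-up table, assumed here rather than taken from the paper), and the XOR layer's parity is predicted as the XOR of the operands' parities. The fault-injection loop shows the property stated in the text: every single output error is caught, while an even number of errors in the same parity group is not.

```python
"""Parity-predicted substitution + round-key XOR stage (added example).

Not the paper's code. SBOX is a constructed, seeded toy permutation, and the
parity-table approach for the s-box is an assumption for illustration.
"""
import random


def parity(x: int) -> int:
    """XOR of all bits of x: 0 for even, 1 for odd Hamming weight."""
    return bin(x).count("1") & 1


# Constructed toy 8x8 s-box: a fixed pseudo-random permutation of 0..255,
# seeded so the example is reproducible. Not IDEA NXT's s-box.
_rng = random.Random(2015)
SBOX = list(range(256))
_rng.shuffle(SBOX)

# Testing channel storage: one parity bit per s-box entry instead of a full
# duplicate of the 8-bit table.
SBOX_PARITY = [parity(SBOX[v]) for v in range(256)]


def split_bytes(word: int) -> list:
    """Split a 32-bit word into four bytes, least significant first."""
    return [(word >> (8 * i)) & 0xFF for i in range(4)]


def join_bytes(bs) -> int:
    return sum(b << (8 * i) for i, b in enumerate(bs))


def stage(word: int, round_key: int) -> int:
    """Functional channel: 4 parallel s-boxes, then XOR with the round key."""
    substituted = join_bytes(SBOX[b] for b in split_bytes(word))
    return substituted ^ round_key


def predicted_parity(word: int, round_key: int) -> int:
    """Testing channel: predict parity(stage(word, round_key)) without ever
    forming the 32-bit result. The s-box layer's parity is the XOR of the four
    boxes' predicted parity bits; parity of an XOR is the XOR of parities."""
    p = 0
    for b in split_bytes(word):
        p ^= SBOX_PARITY[b]
    return p ^ parity(round_key)


def check(word: int, round_key: int, observed_output: int) -> bool:
    """Comparator: True when the observed stage output matches the predicted parity."""
    return parity(observed_output) == predicted_parity(word, round_key)


def inject(output: int, bit_positions) -> int:
    """Flip the given output bits, modelling faults whose effect reaches the output."""
    for b in bit_positions:
        output ^= 1 << b
    return output


def fault_coverage(n_trials: int = 1000, seed: int = 1):
    """Return (single-bit errors detected, double-bit errors detected) over
    n_trials constructed random inputs. Expect (n_trials, 0): every odd-weight
    error is caught, every even-weight error inside one parity group escapes."""
    rng = random.Random(seed)
    single_detected = double_detected = 0
    for _ in range(n_trials):
        w, k = rng.getrandbits(32), rng.getrandbits(32)
        good = stage(w, k)
        assert check(w, k, good), "fault-free output must pass the checker"
        b1, b2 = rng.sample(range(32), 2)
        if not check(w, k, inject(good, [b1])):
            single_detected += 1
        if not check(w, k, inject(good, [b1, b2])):
            double_detected += 1
    return single_detected, double_detected


if __name__ == "__main__":
    print(fault_coverage(1000))
```

The split into four independent bytes mirrors the observation in Section 4.1 that the parity of the whole substitution layer reduces to the parity of one s-box summed over all boxes; the round-key XOR then costs the testing channel only one extra parity computation on the key. The double-error result is the practical caveat of single-group parity: if both errors can land in the same group, either the outputs must be split into more parity groups or a stronger code must be used.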
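The Key Scheduler side is covered by the same principle; the diversification step of Section 2 drives a 24-bit LFSR, and the paper's Key Scheduler checker is parity-based. The model below, an added example and not the paper's design, shows how a parity prediction for one LFSR clock can be derived from the register's own structure instead of duplicating it: the next state drops bit 0 and gains the feedback bit, so its parity is the current parity XOR bit 0 XOR feedback. The paper does not give the LFSR's feedback polynomial, so the tap positions here are an assumption chosen only for illustration.

```python
"""Parity prediction for one clock of a 24-bit Fibonacci LFSR (added example).

Not the paper's code. TAPS is an assumed, illustrative choice; the paper does
not state IDEA NXT's feedback polynomial.
"""

WIDTH = 24
TAPS = (0, 1, 2, 7)  # ASSUMED tap bit indices, not taken from the paper


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def feedback(state: int) -> int:
    """XOR of the tapped bits of the current state."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> t) & 1
    return fb


def lfsr_step(state: int) -> int:
    """Functional channel: shift right by one, feedback enters at the top bit."""
    return (state >> 1) | (feedback(state) << (WIDTH - 1))


def predict_next_parity(state: int) -> int:
    """Testing channel: parity of the *next* state from the current one only.
    The shift discards bit 0 and inserts the feedback bit, so
    parity(next) = parity(state) ^ bit0(state) ^ feedback(state).
    This needs a handful of XOR gates, not a second register."""
    return parity(state) ^ (state & 1) ^ feedback(state)


def run_checked(state: int, steps: int, fault_bit=None, fault_at=None):
    """Clock the LFSR `steps` times with the checker active.
    Optionally flip `fault_bit` of the register output at clock `fault_at`
    (a constructed single-bit fault). Returns (final_state, index of the first
    clock at which the comparator flagged a mismatch, or None)."""
    for i in range(steps):
        predicted = predict_next_parity(state)
        nxt = lfsr_step(state)
        if fault_at == i and fault_bit is not None:
            nxt ^= 1 << fault_bit
        if parity(nxt) != predicted:
            return nxt, i
        state = nxt
    return state, None


if __name__ == "__main__":
    print(run_checked(0x123456, 100))
    print(run_checked(0x123456, 100, fault_bit=5, fault_at=37))
```

Because the prediction is derived from the register's update rule rather than from a copy of the register, it stays independent of the circuit under test, which is the separation of functional and testing channels the paper requires; as with any single parity group, a fault that flips two register bits in the same clock would go unnoticed.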