
Instruction Set Extensions for Support of Cryptography on Embedded Systems

by Stefan Tillich

A PhD Thesis Presented to the Faculty of Computer Science in Partial Fulfillment of the Requirements for the PhD Degree

Assessors:
Prof. Dr. Karl Christian Posch (TU Graz, Austria)
Prof. Dr. Bart Preneel (KU Leuven, Belgium)

November 2008
Institute for Applied Information Processing and Communications (IAIK)
Faculty of Informatics
Graz University of Technology, Austria

Abstract

Digital computing devices continue to be increasingly dispersed within our everyday environments. Computers are “embedded” into everyday appliances in order to serve predominantly one of two purposes: either take over the functionality of analog electronic components or enable new services in their own right. While such digital computing capabilities are arguably a key enabler for exciting new applications, the potential hazards should not be overlooked. Problems which exist in the much more familiar domain of desktop computing (e.g., the development of correct software) are now introduced into these new fields. At the same time, embedded computers also face new challenges, e.g., severe restrictions of resources like computing power, memory, and energy.

One of the more pressing problems of embedded computing is the provision of adequate security mechanisms. While there are some robust solutions available for the desktop domain, resource restrictions often prevent their direct application to embedded devices. The basic problem is that modern cryptographic algorithms still present a significant overhead for such constrained systems.

As most embedded processors will be charged with the execution of cryptographic algorithms, it is worthwhile to revisit these processors’ capabilities in this regard and to consider the benefits of “tweaking” their functionality towards these specific workloads. The main vehicle for such tweaking is the addition of custom instructions to the default instruction set architecture of the processor. Such instruction set extensions have been highly successful in areas like multimedia and digital signal processing. In this thesis we examine instruction set extensions for cryptography, with a special focus on secret-key algorithms.

Three main goals are pursued within this thesis. The first goal is the investigation of potential new instructions (design space exploration) and the proposal of worthwhile candidates. The second goal is concerned with the efficient implementation of the proposed instructions and the evaluation of their effectiveness in a realistic setup. This activity has led to the creation of the LEON2-CIS embedded processor, which is a variant of the SPARC V8-compatible LEON2 processor and which incorporates all of the instructions which we propose in this thesis. The LEON2-CIS is available under the GNU LGPL in order to document our efforts and to provide a basis for further research. The third goal of this thesis is concerned with strategies for securing embedded processors against the threat of implementation attacks (most importantly side-channel attacks).

This thesis collects our research work from the last years, most of which has already been disseminated through academic publication. The publications have been put into a coherent form and have been complemented with new material. In addition to documenting our work, we have strived to provide references to relevant publications by research groups dealing with related topics.

Acknowledgements

First of all I would like to thank Johann Großschädl for the very fruitful cooperation during the last years, which has manifested itself in the form of the LEON2-CIS processor. Johann’s work has provided both an excellent starting point as well as a valuable complement to my own. Furthermore, I consider myself very lucky that I have been able to learn from Johann a great deal about the academic world (and especially the publishing process).

Many thanks also go to my fellow colleagues and friends who have supported me during my studies and work. I would especially like to mention my coauthors (apart from Johann) of the publications which constitute the “flesh and bones” of this thesis: Martin Feldhofer, Christoph Herbst, Stefan Mangard, Thomas Popp, and Alexander Szekely. In this regard, I would also like to thank David Canright, Dan Page, and Johannes Wolkerstorfer for their support.

Stefan Mangard and Elisabeth Oswald deserve special credit for providing guidance and support and for their patience with their younger colleagues. Furthermore, I’d like to thank the academic staff at IAIK, but especially Manfred Aigner for granting me enough leeway to finish this work and Karl Christian Posch for serving both as my advisor and assessor for this thesis. Many thanks also go to Bart Preneel for serving as second assessor and for his willingness to make the trip to Graz.

Thanks also to all who took the time to read over the drafts of this thesis and made valuable comments and suggestions: Manfred Aigner, Christoph Herbst, Mario Kirschbaum, Marcel Medwed, Thomas Popp, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely.

Last but not least I would like to thank my family and friends, who have constantly supported me during the whole course of my studies, but especially my parents, without whom none of this work would have been possible.

Stefan Tillich
Graz, November 2008

Contents

Abstract ... i
Acknowledgements ... iii
List of Tables ... xi
List of Figures ... xiii
Acronyms ... xvii
Notation ... xix

1 Introduction ... 1
1.1 The Future of Computing ... 1
1.2 Challenges for Ubiquitous Computing ... 3
1.3 The Role of Cryptography ... 3
1.4 Implementing Cryptography on Constrained Devices ... 4
1.5 Instruction Set Extensions for Cryptography ... 5
1.5.1 Previous Work ... 7
1.5.2 Our Contribution ... 8
1.6 International Research Work Regarding Support for Public-Key Cryptography ... 10
1.6.1 Integer Modulo Arithmetic ... 10
1.6.2 Non-Integer Arithmetic ... 10
1.7 Work on Support for Secret-Key Cryptography by Other Research Groups ... 12
1.7.1 General Permutations ... 12
1.7.2 Broad Algorithm Support ... 12
1.7.3 Specific Algorithm Support for the Advanced Encryption Standard ... 14
1.8 Our Contributions and Results for Secret-Key Cryptography Support ... 14
1.8.1 Synergies Between Secret-Key Algorithms and Public-Key Algorithms ... 15
1.8.2 Dedicated Support for AES ... 15
1.8.3 Protection Against Side-Channel Attacks ... 17
1.9 Organization of This Thesis ... 18

2 Concepts and Methods of Modern Cryptography ... 21
2.1 Mathematical Preliminaries ... 21
2.2 Principles of Public-Key Cryptography ... 22
2.2.1 RSA ... 23
2.2.2 Digital Signature Algorithm (DSA) ... 23
2.2.3 Elliptic Curve Cryptography (ECC) ... 23
2.2.4 Other Public-Key Cryptosystems ... 23
2.3 Details on Elliptic Curve Cryptography ... 24
2.4 Modern Secret-Key Cryptography Algorithms ... 24
2.4.1 Block Ciphers ... 25
2.4.2 Hash Functions ... 25
2.4.3 Stream Ciphers ... 26
2.5 Description of the Advanced Encryption Standard ... 27
2.5.1 Principal Structure ... 27
2.5.2 Round Transformations ... 28

3 Cryptography and Instruction Set Extensions ... 35
3.1 Implementation Options for Cryptographic Algorithms ... 35
3.1.1 Application-Specific Integrated Circuit ... 38
3.1.2 Application-Specific Instruction Set Processors / Application Domain-Specific Processors ... 39
3.1.3 General-Purpose Processor with Coprocessor ... 39
3.1.4 General-Purpose Processor with Instruction Set Extensions ... 40
3.1.5 General-Purpose Processor ... 40
3.2 Design and Implementation Approach for Instruction Set Extensions ... 41

4 Instruction Set Extensions for Public-Key Cryptography ... 43
4.1 Related Work on Public-Key Extensions ... 44
4.2 Low-Cost Instruction Set Extensions for ECC over GF(2^m) ... 44
4.3 Arithmetic in Binary Extension Fields ... 46
4.4 Proposed Multiply-Step Instructions ... 48
4.4.1 Single-Bit Variant ... 49
4.4.2 Double-Bit Variant ... 51
4.5 Possible Implementation with Modified Ripple-Carry Adder ... 52
4.6 Experimental Results ... 55
4.6.1 Hardware Cost ... 56
4.6.2 Performance ... 57
4.6.3 Memory Requirements ... 58
4.7 Summary and Conclusions ... 59

5 Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography ... 61
5.1 Implementing AES on 32-bit Processors ... 62
5.2 Optimizing AES Using Instruction Set Extensions ... 64
5.2.1 Column-Oriented Implementation ... 65
5.2.2 Row-Oriented Implementation ... 68
5.3 Practical Results ... 70
5.3.1 Precomputed Key Schedule ... 71
5.3.2 On-the-fly Key Expansion ... 71
5.3.3 Code Size and Side-Channel Attacks ... 72
5.4 Summary and Conclusions ... 72

6 Analysis of the Impact of Instruction Set Extensions on Memory Efficiency ... 73
6.1 Memory Considerations for AES Implementations ... 73
6.2 Custom Instruction for S-box Lookup ... 74
6.3 Influence of Cache Size on Performance ... 77
6.4 Comparison of Calculated AES Implementations ... 78
6.4.1 Area Overhead Estimation