Secure and Efficient Implementations of Cryptographic Primitives Xu Guo Dissertation submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Engineering Patrick Schaumont, Chair Ezra Brown Cameron Patterson Sandeep Shukla Joe Tront May 1, 2012 Blacksburg, Virginia Keywords: System-on-Chip, Cryptographic Coprocessor, Elliptic Curve Cryptography, Hash Function, Block Cipher, SHA-3, Side-Channel Attacks, Fault Attacks Copyright 2012, Xu Guo Secure and Efficient Implementations of Cryptographic Primitives Xu Guo Abstract Nowadays pervasive computing opens up many new challenges. Personal and sensitive data and computations are distributed over a wide range of computing devices. This presents great challenges in cryptographic system designs: how to protect privacy, authentication, and integrity in this distributed and connected computing world, and how to satisfy the requirements of different platforms, ranging from resource constrained embedded devices to high-end servers. Moreover, once mathematically strong cryptographic algorithms are implemented in either software or hardware, they are known to be vulnerable to various implementation attacks. Although many countermeasures have been proposed, selecting and integrating a set of countermeasures thwarting multiple attacks into a single design is far from trivial. Security, performance and cost need to be considered together. The research presented in this dissertation deals with the secure and efficient implemen- tation of cryptographic primitives. We focus on how to integrate cryptographic coprocessors in an efficient and secure way. The outcome of this research leads to four contributions to hardware security research. First, we propose a programmable and parallel Elliptic Curve Cryptography (ECC) coprocessor architecture. We use a systematic way of analyzing the impact of System-on-Chip (SoC) integration to the cryptographic coprocessor performance and optimize the hardware/software codesign of cryptographic coprocessors. Second, we provide a hardware evaluation methodology to the NIST SHA-3 standardization process. Our research efforts cover both of the SHA-3 fourteen Second Round candidates and five Third Round finalists. We design the first SHA-3 benchmark chip and discuss the technol- ogy impact to the SHA-3 hardware evaluation process. Third, we discuss two technology dependent issues in the fair comparison of cryptographic hardware. We provide a systematic approach to do a cross-platform comparison between SHA-3 FPGA and ASIC benchmark- ing results and propose a methodology for lightweight hash designs. Finally, we provide guidelines to select implementation attack countermeasures in ECC cryptosystem designs. We discuss how to integrate a set of countermeasures to resist a collection of side-channel analysis (SCA) attacks and fault attacks. The first part of the dissertation discusses how system integration can affect the efficiency of the cryptographic primitives. We focus on the SoC integration of cryptographic coproces- sors and analyze the system profile in a co-simulation environment and then on an actual FPGA-based SoC platform. We use this system-level design flow to analyze the SoC inte- gration issues of two block ciphers: the existing Advanced Encryption Standard (AES) and a newly proposed lightweight cipher PRESENT. Next, we use hardware/software codesign techniques to design a programmable ECC coprocessor architecture which is highly flexible and scalable for system integration into a SoC architecture. The second part of the dissertation describes our efforts in designing a hardware evaluation methodology applied to the NIST SHA-3 standardization process. Our Application Specific Integrated Circuit (ASIC) implementation results of five SHA-3 finalists are the first ASIC real measurement results reported in the literature. As a contribution to the NIST SHA-3 competition, we provide timely ASIC implementation cost and performance results of the five SHA-3 finalists in the SHA-3 standard final round evaluation process. We define a consistent and comprehensive hardware evaluation methodology to the NIST SHA-3 standardization process from Field Programmable Gate Array (FPGA) prototyping to ASIC implementation. The third part of the dissertation extends the discussion on hardware benchmarking of NIST SHA-3 candidates by analyzing the impact of technology to the fair comparison of cryptographic hardware. First, a cross-platform comparison between the FPGA and ASIC results of SHA-3 designs demonstrates the gap between two sets of benchmarking results. We describe a systematic approach to analyze a SHA-3 hardware benchmark process for both FPGAs and ASICs. Next, by observing the interaction of hash algorithm design, architecture design, and technology mapping, we propose a methodology for lightweight hash implementation and apply it to CubeHash optimizations. Our ultra-lightweight design of the CubeHash algorithm represents the smallest ASIC implementation of this algorithm reported in the literature. Then, we introduced a cost model for analyzing the hardware cost of lightweight hash implementations. The fourth part of the dissertation discusses SCA attacks and fault attacks resistant cryptosystem designs. We complete a comprehensive survey of state-of-the-art of secure ECC implementations and propose a methodology on selecting countermeasures to thwart multiple side-channel attacks and fault attacks. We focus on a systematic way of organizing and understanding known attacks and countermeasures. iii Acknowledgments Writing this personal letter of gratitude makes me recall so many nice people and all the wonderful moments. I was very fortunate to work with many worldwide excellent researchers and make a lot of good friends during the last five years. Several individuals deserve my greatest gratitude for their guidance and support in my PhD research and life. First of all, I want to express my greatest appreciation to my PhD advisor, Prof. Patrick Schaumont, who provides me with persistent guidance and so many opportunities to expand myself not only academically but personally as well. He sets an excellent model for me as one of the hardest working and dedicated researchers with great passion. I am honored to have Prof. Sandeep Shukla, Prof. Ezra Brown, Prof. Cameron Patterson and Prof. Joe Tront as my PhD advisory committee. Thank you for many valuable sugges- tions and helpful discussions in making my research plan and finalizing the dissertation. I would like to extend my greatest appreciation to many worldwide research collaborators. I learned a lot from Dr. Junfeng Fan, Dr. Elke De Mulder, Dr. Miroslav Kneˇzevi´cand Prof. Ingrid Verbauwhede from COSIC at K.U.Leuven, and had a great time to work together to make some good progress. I also learned how to play an active role in some large internationally collaborated project, and hence I would like to acknowledge those co-authors and people who have inspired my research: Prof. Daniel Bernstein, Prof. Jens-Peter Kaps, Prof. Kris Gaj, Prof. Kazuo Sakiyama, Dr. Akashi Satoh, Dr. Shinichiro Matsuo, Dr. Toshihiro Katashita, and Kazuyuki Kobayashi. I am also very grateful to several CESCA iv faculties and students who helped me a lot through inter-group research collaborations: Prof. Leyla Nazhandali, Prof. Michael Hsiao, Dr. Michael B. Henry, Meeta Srivistav, Sinan Huang, Dinesh Ganta, and Yongbo Zuo. A special thanks goes to all my colleagues in the SES group, including Dr. Zhimin Chen, Dr. Abhranil Maiti, Michael Gora, Sergey Morozov, Anand Reddy, Raghunandan Nagesh, Ambuj Sinha, Srikrishna Iyer, Christian Tergino, Francisco Borelli, Suvarna Mane, Lyndon Judge, Michael Cantrell, and Mostafa Taha, who made my working environment and life in Blacksburg very pleasant. I am very grateful to all of my friends in Blacksburg who made my oversea life feel like staying at home. Rather than trying to be exhaustive and end up with a lengthy enumeration of names, I would like to remember everyone of you by heart and simply say: my life is so great with all of you. Finally, I would like to thank my parents, my wife, and my big family. Without their encouragement and love, it would have been impossible for me to complete the dissertation. I hope that I can continue to make them as proud of me as I am of them. v Contents 1 Introduction 1 1.1 Challenges with Cryptographic Primitive Implementations . 2 1.2 Dissertation Organization and Contributions . 3 2 Background 6 2.1 Overview of Cryptology . 6 2.2 Private-Key Cryptography . 7 2.2.1 PRESENT Block Cipher . 8 2.3 Public-Key Cryptography . 8 2.3.1 Elliptic Curve Cryptography . 10 2.4 Hash Functions . 13 2.4.1 NIST SHA-3 Competition . 14 2.5 Summary . 15 3 Hardware/Software Codesign for Cryptographic Coprocessors 16 3.1 System-Level Design Flow Using GEZEL . 16 vi 3.1.1 Overview . 17 3.1.2 Hardware/Software Interfaces . 20 3.1.3 Cosimulation-based on StrongARM . 21 3.2 SoC Integration of PRESENT and AES Block Ciphers . 22 3.2.1 Introduction . 22 3.2.2 Cosimulation-based Codesign Analysis . 24 3.2.3 FPGA-based Codesign Implementation . 27 3.2.4 Summary . 31 3.3 SoC Integration of an Elliptic Curve Cryptography Coprocessor . 32 3.3.1 Introduction . 32 3.3.2 Basic Configurations and Design Space . 34 3.3.3 Considerations for ECC HW/SW Partitioning . 37 3.3.4 Proposed Optimizations . 39 3.3.5 Impact of Local Storage . 39 3.3.6 Impact of Control Hierarchy . 41 3.3.7 Programmability and Scalability . 47 3.3.8 Discussion of Experimental Results . 52 3.3.9 Summary . 53 3.4 Conclusion . 54 4 Hardware Evaluation of SHA-3 Candidates 55 4.1 SHA-3 ASIC Evaluation Methodology . 56 vii 4.1.1 Overview . 57 4.1.2 Standard Hash Interface . 58 4.1.3 Design Strategy . 60 4.1.4 Platform for Integrated FPGA Prototyping and ASIC Performance Evaluation . 62 4.1.5 Optimization Target . 63 4.1.6 Evaluation Metrics . 64 4.2 VLSI Implementation of SHA-3 Hash Functions . 65 4.2.1 BLAKE . 65 4.2.2 Grøstl .