ISSN (Online), Volume 1, Special Issue 2(ICITET 15), March 2015 International Journal of Innovative Trends and Emerging Technologies

Transcription

1 International Journal of Innovative Trend and Emerging Tehnologie ROBUST SCAN TECHNIQUE FOR SECURED AES AGAINST DIFFERENTIAL CRYPTANALYSIS BASED SIDE CHANNEL ATTACK A.TAMILARASAN 1, MR.A.ANBARASAN 2 1 PG holar, 2 At. Profeor, 1,2 ECE Dept, Surya Group of Intitution, Vikravandi, Villupuram, India Abtrat: The propoed i a an-protetion heme that provide teting failitie both at prodution time and over the oure of the iruit life. The underlying priniple i to an-in both input vetor and expeted repone and to ompare expeted and atual repone within the iruit. Thi heme avoid the ue of authentiation tet. The propoed an-protetion heme for the mot eured ryptographi algorithm (AES Algorithm) to implement on any hardware with BIST arhiteture. Thi propoed method ue a Robut San Flip-Flop (RSFF) that deliver different output tate for the ame an input. Thu the tehnique i unueptible to ide hannel attak that haker ue to eaily an the enryption/deryption key and algorithm implementation. I.INTRODUCTION In today digital world, enryption i enryption key i of high importane in ymmetri ipher uh a AES. Software implementation of emerging a a diintegrable part of all enryption algorithm doe not provide ultimate ommuniation network and information erey of the key ine the operating ytem, on proeing ytem, for proteting both tored data whih the enryption oftware run; it i alway and tranmitted data. Enryption i the vulnerable to attak. tranformation of meage input data (known a ENCRYPTION AND KEY BASED plaintext) into unintelligible data (known a ipher APPROACH text) through an algorithm referred to a ipher. There are numerou enryption algorithm are ommonly ued in omputation, but the U.S. government ha adopted the Advaned Enryption Standard (AES) to be ued by Federal department and agenie for proteting enitive information. Different verion of AES algorithm exiting today (AES128, AES196, and AES256) depending on the ize of the enryption key. In thi projet, a hardware model for implementing the AES128 algorithm wa developed uing the Verilog hardware deription language. A unique The National Intitute of Standard and feature of the deign propoed in thi projet i that Tehnology (NIST) have publihed the the round key, whih are onumed during peifiation of thi enryption tandard in the Federal Information Proeing Standard (FIPS) Publiation Any onventional ymmetri ipher, uh a AES, require a ingle key for both enryption and deryption, whih i independent of the plaintext and the ipher itelf. It i impratial to retrieve the plaintext olely baed on the ipher text and the enryption algorithm, without knowing the different iteration of enryption, are generated in parallel with the enryption proe. LANGUAGES The hardware model wa ompletely verified uing a tet benh, whih took an advantage of the Verilog programming feature, by ontruting random tet objet and providing them to the model. Then, the verified model wa yntheized uing the Synopi Deign-Compiler enryption key. Thu, the erey of the tool to get an etimated number of gate, area and

2 International Journal of Innovative Trend and Emerging Tehnologie timing of the hardware model. Finally, the performane of oftware and hardware implementation were ompared. Cryptographi ytem are generally laified on the following bai: 1.TYPE OF OPERATIONS USED TO FOR TRANSFORMING PLAINTEXT TO CIPHER TEXT: Mot enryption algorithm are baed on two general priniple, a.subtitution, in whih eah element in plain text i mapped to ome other element to form the ipher text b.tranpoition, in whih element in plaintext are rearranged to form ipher text. 2.NUMBER OF KEYS USED: If both the ender and the reeiver ue a ame key then uh a ytem i referred to a Symmetri, ingle-key, eret-key or onventional enryption. If the ender and reeiver ue different key, then uh a ytem i alled Aymmetri, Two-key, or private-key enryption. 3.PROCESSING OF PLAIN TEXT: A Blok ipher proe one blok input at a time, produing an output for eah input blok. A Stream ipher proee the input element ontinuouly produing output element on the fly. Mot of the ryptographi algorithm are either ymmetri or aymmetri key algorithm. 4.SECRET KEY CRYPTOGRAPHY: Thi type of ryptoytem ue the ame key for both enryption and deryption. Some of the advantage of uh a ytem are Very fat relative to publi key ryptography Conidered eure, a long a the key i trong Symmetri key ryptoytem have ome diadvantage too. Exhange and adminitration of the key beome ompliated. Non-repudiation i not poible. Some of the example of Symmetri key ryptoytem inlude DES, 3-DES, RC4, RC5 et. 5.PUBLIC KEY CRYPTOGRAPHY Thi type of ryptoytem ue different key for enryption and deryption. Eah uer ha a publi key, whih i known to all other, and a private key, whih remain a eret. The private key and publi key are mathematially linked. Enryption i performed with the publi key and the deryption i performed with the private key. Publi key ryptoytem are onidered to be very eure and upport Non-repudiation. No exhange of key i required thu reduing key adminitration to a minimum. But it i muh lower than Symmetri key algorithm and the ipher text tend to be muh larger than plaintext. Some of the example of publi key ryptoytem inlude Diffie-Hellman, RSA and Ellipti Curve Cryptography. Therefore, the implementation of thee two tranformation affet the implementation of the whole AES tremendouly. Later in thi hapter, the implementation variation of the S-box and invere S-box inluding the ompoite field implementation are explained in detail. SECURITY OF AES Three poible approahe to attaking the AES algorithm are a follow: Brute Fore: Thi involve trying out all the poible private key. Mathematial attak: There are everal approahe, all equivalent in effet to fatoring the produt of 2 prime. Timing attak: Thee depend on the running time of the deryption algorithm. EXISTING SYSTEM And the ompoite field S-box and Invere S-box are divided into many blok and LUT are ued for both S-box and Invere S-box and

3 International Journal of Innovative Trend and Emerging Tehnologie optimum olution were found. Wherea thi method i not opted for high peed implementation. And finally parameter are analyzed with help of EDA tool. PROPOSED SYSTEM In our propoed approah we introdue the new ombinational logi for S-box and Invere S- box in order to find the mot optimum olution and we alo analyzed all required parameter to prove that the propoed ytem i not only effetive in alulation and alo give proper effiieny in peed,power and area through hardware implementation. INPUTS, OUTPUTS AND THE STATE The plaintext input and ipher text output for the AES algorithm are blok of 128 bit. The ipher key input i a equene of 128, 192 or 256 bit. In other word the length of the ipher key, N k, i 4, 6 or 8 word whih repreent the number of olumn in the ipher key. The AES algorithm i ategorized into three verion baed on the ipher key length. The number of round of enryption for eah AES verion depend on the ipher key ize. In the AES algorithm, the number of round i repreented by N r, where N r = 10 when N k = 4, N r = 12 when N k = 6, and N r = 14 when N k = 8. The following table illutrated the variation of the AES algorithm. For the AES algorithm the blok ize (N b ), whih repreent the number of olumn ompriing the State i N b = 4. The bai proeing unit for the AES algorithm i a byte. A a reult, the plaintext, ipher text and the ipher key are arranged and proeed a array of byte. For an input, an output or a ipher key denoted by a, the byte in the reulting array are referened a a n, where n i in one of the following range: Blok length = 128 bit, 0 <= n < 16 Key length = 128 bit, 0 <= n < 16 Key length = 192 bit, 0 <= n < 24 Key length = 256 bit, 0 <= n < 24 All byte value in the AES algorithm are preented a the onatenation of their individual bit value between brae in the order {b7, b6, b5, b4, b3, b2, b1, b0}. All the AES algorithm operation are performed on a two dimenional 4x4 array of byte whih i alled the State, and any individual byte within the State i referred to a r,, where letter r repreent the row and letter denote the olumn. At the beginning of the enryption proe, the State i populated with the plaintext. Then the ipher perform a et of ubtitution and permutation on the State. After the ipher operation are onduted on the State, the final value of the tate i opied to the ipher text output. CIPHER TRANSFORMATIONS The AES ipher either operate on individual byte of the State or an entire row/olumn. At the tart of the ipher, the input i opied into the State and then, an initial Round Key addition i performed on the State. Round key are derived from the ipher key uing the Key Expanion routine. The key expanion routine generate a erie of round key for eah round of tranformation that are performed on the State. It onit of the following four tep. Both the LUT baed method and the non LUT baed method onit of all thee four tep. II.IMPLEMENTATION OF AES ALGORITHM USING LUT METHOD The AES algorithm implemented with LUT ue a look up table for generating ub byte and invere ub byte tranformation. S- Box implementation i onidered to an important operation beaue it peed deide the throughput. LUT approah of implementing the S-Box ha two diadvantage one the unbreakable delay of lookup table and the eond, it i diffiult to ue ub

4 International Journal of Innovative Trend and Emerging Tehnologie pipeline truture to peed up the arhiteture. The LUT table method ue the four tep for onverting the plain text into the ipher text. AES ha a fixed blok ize of 128 bit alled a tate. Blok length i limited to 128 bit The key ize an be independently peified to 128, 192 or 256 bit Number of round, Nr, depend on key ize Eah round i a repetition of funtion that perform a tranformation over State array Conit of 4 main funtion: one permutation and three ubtitution Subtitute byte, Shift row, Mix olumn, Add round key BLOCK DIAGRAM OF AES ADDROUNDKEY round key i added to the State uing XOR operation. MIXCOLUMNS take all the olumn of the State and mixe their data, independently of one another, making ue of arithmeti over GF(2^8). Thi tranformation operate on the olumn of the State, treating eah olumn a a four term polynomial the finite field GF(2 8 ). Eah olumn i multiplied modulo x 4 +1 with a fixed four-term polynomial a(x) = {03}x 3 + {}x 2 + {}x + {02} over the GF(2 8 ). The MixColumn tranformation an be expreed a a matrix multipliation a hown below: ' ' ' ' 1, 2, 3, The MixColumn tranformation replae the four byte of the proeed olumn with the following value: ' 0, ({ 02} ) ({03} 1, ) 2, 3, ' 1, ({ 02} 1, ) ({03} 2, ) 3, ({ 02} 2, ) ({03} 3, ) ' 0, 1, ({ 03} 1, ) 2, ({02} 3, ' 1, ) Figure - Step in AES algorithm The orrepond to the multipliation of polynomial in GF (2 8 ). The MixColumn tranformation i illutrated in Figure 4.5.Thi tranformation together with ShiftRow provide ubtantial diffuion in the ipher meaning that the reult of the ipher depend on the ipher input in a very omplex way. In other word, in a ipher with a good diffuion, a ingle bit hange in the plaintext will ompletely hange the iphertext in an unpreditable manner.

5 International Journal of Innovative Trend and Emerging Tehnologie SHIFTROWS - Proee the State by ylially hifting the lat three row of the State by different offet. 4.5 SUBBYTES Ue S-box to perform a byte-by-byte ubtitution of State For example, if 1,1 ={53}, then the ubtitution value would be determinedby the interetion of the row with index 5 and the olumn with index 3 in the below table Thi would reult in 1,1 having a value of {ed}. INVERSE CIPHER The Cipher tranformation an be inverted and the implemented in revere order to produe a traightforward Invere Cipher for the AES algorithm. The individual tranformation ued in the Invere Cipher -InvShiftRow, InvSubByte, InvMixColumn, and AddRoundKey proe the State and are deribed in the following ubetion. Invere ShiftRow Tranformation: Invere ShiftRow i the invere of the ShiftRow tranformation. The byte in the lat three row of the State are ylially hifted over different number of byte (offet). The firt row, r = 0, i not hifted. The bottom three row are ylially hifted by Nb-hift(r, Nb) byte, where the hift value hift(r,nb) depend on the row number.there i no hift for the firt olumn, eond olumn i left hifted one, eond row i left hifted for two time and the third row left i hifted for three time Invere ub byte Tranformation InvSubByte i the invere of the byte ubtitution tranformation, in whih the invere S-box i applied to eah byte of the State. Thi i obtained by applying the invere of the affine tranformation followed by taking the multipliative invere in GF (2 8 ). Invere Mix Column Tranformation Invere Mix Column i the invere of the Mix Column tranformation. InvMixColumn operate on the State olumn-by-olumn, treating eah olumn a a four-term polynomial. The olumn are onidered a polynomial over GF (2 8 ) and multiplied with a fixed polynomial a - 1 (x).themultipliation i done a hown below. Invere of the Add Round Key Tranformation AddRoundKey i it own invere, ine it only involve an appliation of the XOR operation. ROBUST SCAN TECHNIQUE For a long time, the Data Enryption Standard (DES) wa onidered a a tandard for the ymmetri key enryption. DES ha a key length of 56 bit. However, thi key length i urrently onidered mall and an eaily be broken. For thi reaon, the National Intitute of Standard and Tehnology (NIST) opened a formal all for algorithm in September A group of fifteen AES andidate algorithm were announed in Augut Next, all algorithm were ubjet to aement proe performed by variou group of ryptographi reearher all over the world. In Augut 2000, NIST eleted five algorithm: Mar, RC6, Rijndael, Serpent and Twofih a the final ompetitor. Thee algorithm were ubjet to further analyi prior to the eletion of the bet algorithm for the AES. Finally, on Otober 2, 2000, NIST announed that the Rijndael algorithm wa the winner. Rijndael an be peified with key and blok ize in any multiple of 32 bit, with a minimum of 128 bit and a maximum of 256 bit.

6 International Journal of Innovative Trend and Emerging Tehnologie Therefore, the problem of breaking the key beome more diffiult [1]. In ryptography, the AES i alo known a Rijndael [2]. AES ha a fixed blok ize of 128 bit and a key ize of 128, 192 or 256 bit. SIDE CHANNEL ATTACKS San tet ha been widely adopted a a default teting tehnique among mot VLSI deign, inluding rypto ore. Unfortunately, thee an hain might be ued a a ide hannel to reover the eret key from the hardware implementation of ryptographi algorithm, for example an-baed attak on Data Enryption Standard (DES), Advaned Enryption Standard (AES), and Ellipti Curve Cryptography (ECC) [1] [3], repetively. S D 0 FF SI 1 C Fig Normal San FF. In general, the exiting an-baed ide hannel attak (SSCA) ould be viewed a one kind of differential ryptanalyi by uing an hain of rypto ore. Unlike other known ide hannel attak, SSCA i muh eaier. It i beaue that in SSCA, in addition to the primary output of the rypto ore, a haker ould ue an hain to hift out the intermediate ontent during a ryptographi operation. It wa illutrated in [2] that on average overall only 544 plaintext are required to diover the AES key by uing SSCA, whih learly how the great potential threat of an-baed ide hannel attak PREVIOUS IMPLEMENTATIONS OF THE S- BOX D S One of the mot ommon and traight forward implementation of the S-Box for the SubByte operation whih wa done in previou work wa to have the pre-omputed value tored in a ROM baed lookup table. In thi implementation, all 256 value are tored in a ROM and the input byte would be wired to the ROM addre bu. However, thi method uffer from an unbreakable delay ine ROM have a fixed ae time for it read and write operation. [3] Furthermore, uh implementation i expenive in term of hardware. A more refined way of implementing the S-Box i to ue ombinational logi. Suh example of work that implement the S-Box uing thi method were [1], [3] and [5]. Thi S-Box ha the advantage of having mall area oupany, in addition to be apable of being pipelined for inreaed performane in lok frequeny. The S-Box arhiteture diued in thi paper i baed on the ombinational logi implementation. THE SUBBYTES AND INVSUBBYTE TRANSFORMATION The Sub Byte tranformation i omputed by taking the multipliative invere in GF (28) followed by an affine tranformation. For it revere, the InvSubBytetranformation,the invere affine tranformation i applied firt prior to omputing the multipliative invere.the tep involved for both tranformation i hown below. SubByte: Multipliative Inverion in GF (28), Affine Tranformation InvSubByte: Inv Affine Tranformation, Multipliative Inverion in GF (28). The AT and AT -1 are the Affine Tranformation and it invere while the vetor a i the multipliative invere of the input byte from the tate array. From here, it i oberved that both the SubByte and the InvSubByte tranformation

7 International Journal of Innovative Trend and Emerging Tehnologie involve a multipliative inverion operation. Thu, both tranformation may atually hare the ame multipliative inverion module in a ombined arhiteture. An example of uh hardware arhiteture i hown below. Swithing between SubByte and InvSubByte i jut a matter of hanging the value of INV. INV i et to 0 for SubByte while 1 i et when Invere Sub Byte operation i deired. S-BOX CONSTRUCTION METHODOLOGY Thi etion illutrate the tep involved in ontruting the multipliative invere module for the S-Box uing ompoite field arithmeti. Sine both the SubByte and InvSubByte tranformation are imilar other than their operation whih involve the Affine Tranformation and it invere, therefore only the implementation of the SubByte operation will be diued in thi paper. The multipliative invere omputation will firt be overed and the affine tranformation will then follow to omplete the methodology involved for ontruting the S-Box for the SubByte operation. For the InvSubByte operation, the reader an reue multipliative inverion module and ombine it with the Invere Affine Tranformation. Sub byte tranformation Firt multipliative inverion of the eight bit value i taken then affine tranformation i done by following matrix the affine tranformation matrix. Invere ub byte After taking invere affine tranform the eight bit ubbytevalue i tranformed into eight bit value by undergoing multipliative inverion. ROBUST SECURE SCAN Due to the eurity and tetability requirement a mentioned above, a novel robut eure an-baed tet approah i propoed a a ountermeaure againt an-baed differential ryptanalyi. Fig 5.6. Propoed RSFF. When in normal funtion mode (SE==0) SFF load data from the logi through DI, and the output to logi i DO. Beaue the additional inverter and the XOR gate are inerted along the an path, they do not affet the timing of the deign. Thu in funtion mode, RSSF work like a traditional an flip flop. When in an tet mode, we an oberve from Fig. 1 that (3) during an hift operation, the ontent of FF i XOR ed with SI to be hifted out to the next SFF and the inverted an-in data (SI) will be loaded into FF. Thu for haker, it beome extremely ompliated to identify the relationhip between the aptured repone and the an-out. RSS deign The bai idea of the propoed RSS deign i to enrypt the ontent in an hain during an operation, o a to redue the ontrollability and obervability of unintended uer. By doing thi, it beome more ompliated for haker to identify the bit differene between pair of related plaintext when they are enrypted under the ame key. One kind of the propoed RSS deign i hown in Fig. 1, in whih the ontent of two neighboring SFF are enoded during an operation from a eurity apet.

8 International Journal of Innovative Trend and Emerging Tehnologie When ompared with the traditional SFF, an extra inverter and an XOR gate are introdued in the RSS deign. Thi imple logi ould be ued for enryption during an operation. Oberve that the propoed robut an flip-flop (RSSF) ha idential pin out when ompared with the traditional an flip-flop a hown in Fig. 1, and i therefore fully ompatible with indutry tandard deign tool from a deign perpetive, when integrated into urrent deign flow it only require the RSSF added into the ell library. SECURITY AND IMPLEMENTATION ANALYSIS In thi etion, eurity analyi and implementation overhead are diued to how the advantage of the propoed eure tet tehnique over exiting method. Seurity analyi Due to the avalanhe effet of ryptographi algorithm, there exit two kind of an-baed differential ryptanalyi, alled a ontant baed (CBA) and fixed hamming-ditanebaed attak (FHDA). Here let u ue AES a an example ryptographi algorithm to explain thee two kind of attak. CBA take advantage of the fat that in enryption proe, the ontent of ome peial regiter are independent on the inputted plaintext. For example, the round regiter in AES, without peial protetion, for eah normal input, in the firt yle they would be 00, and then 00, 10. By uing everal different plaintext input and anning out the ontent at different time of the ryptographi operation, thee regiter ould be eaily identified. Then by etting the regiter a 10 (i.e., to indiate the round yle i 10, the lat round for 128-bit AES), whih i beaue in AES the mix-olumn operation i bypaed in the lat round, it beame muh eaier to diover the eret key. Suh a kind of attak i alled ontant-baed attak. FHDA i another kind of an-baed attak by ounting the number of bit hange on relevant plaintext o a to diover the eret key, and refer to [2] for more detail on FHDA. Reliable againt attak When uing the propoed RSS, it an be eaily onfigured that one the intermediate data of CFF paing the replaed RSSF, they would be enrypted and thi make it extremely diffiult to identify the poition of CFF in the an hain from external. In addition, beaue the propoed RSSF deal with the an-in and an-out a well, it i alo diffiult for haker to et the CFF to deired tate with no detailed knowledge of the an truture implementation. We imply group the regiter together in the an hain for eah blok, replae the lat SFF in the an hain with RSSF, and then ondut FHDA. Here we found that the two pair of plaintext do not belong to any of the original four pair, whih might milead the haker to wrong key. DESIGN HIERARCHY The propoed AES128 hardware model i a 3-level hierarhial deign a hown in Figure 8. The root module in the hierarhy i the AES128_ipher_top. Thi module implement the AES128 peudo ode diplayed in Figure 2. It ha two 128-bit input for reeiving the ipher key and the plaintext. There i alo a ingle bit input ignal, Ld, whih i ued to indiate the availability of a new et of plaintext or ipher key on the input port. The ompletion of the enryption proe i indiated by aerting the done ingle bit output.

9 International Journal of Innovative Trend and Emerging Tehnologie Fig -5.8 Deign Hierarhy A unique feature of the propoed deign i that the AES128_Key_Expand module i pipelined with the AES128_ipher_top module. While the AES128 ipher top module i performing an iteration of the enryption. Tranformation on the State uing the previouly generate round key, the AES128 Key Expand produe the next round et of key to be ued by the root module in the next enryption iteration. SIMULATION OUTPUT WITH MASKING CONCLUSION: In thi brief, we arried out implementation of AES ryptographi algorithm with an baed teting future. It ha been previouly demontrated that an hain introdued for hardware tetability open a bak door to potential attak. Here, we propoe a level baed making and RSFF baed flip flop making a a an-protetion heme that provide teting failitie both at prodution time and over the oure of the iruit life. Compared to regular an tet, thi tehnique ha no impat on the quality of the tet or the model-baed fault diagnoi. Here we proved that RSFF baed AES will give better hardware omplexity & power optimization with oniderable delay enhanement. An aurate SFF-baed analyi approah wa introdued for AES ore with ingle and multi FF haraterization. The propoed approah wa derived from the SFF method. The method avoid the ue of a large number of making parameter to minimize the required reoure for area- and power-effiient built-in teting appliation. Modelim baed pre imulation reult of an AES implementation howed the feaibility of the approah. For a QUARTUS II baed hardware ynthei report proved the effiieny of propoed method REFERENCES [1] M. Akkar and C. Giraud, An Implementation of DES and AES, Seure againt Some Attak, In Pro. of the Workhop on Cryptographi Hardware and Embedded Sytem (CHES20), Pari, Frane, pp , May 20. [2] t/quartu2/qt-index.html [3] R. Anderon, E. Biham, and L. Knuden, Serpent: A Propoal for the Advaned Enryption Standard, AES algorithm ubmiion, June [4] G. Bertoni, L. Breveglieri, I. Koren, P. Maitri, and V. Piuri, Error Analyi and Detetion Proedure for a Hardware Implementation of the Advaned Enryption Standard, IEEE Tran. on Computer, vol. 52, no. 4, pp , April [5] G. Bertoni, L. Breveglieri, I. Koren, and P. Maitri, An effiient hardwarebaed fault diagnoi heme for AES: performane and ot, In Pro. of the IEEE International Sympoium on Defet and Fault Tolerane in VLSI Sytem (DFT2004), Canne, Frane, pp , Ot [6] D. Boneh, R. A. DeMillo, and R. J. Lipton, On the Importane of Eliminating Error in

10 International Journal of Innovative Trend and Emerging Tehnologie Cryptographi Computation, Journal of Cryptology, vol. 14, no. 2, pp , 20.