| Grabher P, Großschädl J, Hoerder S, Järvinen K, Page D, Tillich S and Wójcik M (2012), "An Exploration of Mechanisms for Dynamic Cryptographic Instruction Set Extension", Journal of Cryptographic Engineering. Vol. 2, pp. 1-18. |
| Abstract: Instruction set extensions (ISEs) supplement a host processor with special-purpose, typically fixed-function hardware components and instructions to utilise them. For cryptographic use-cases, this can be very effective due to the demand for non-standard or niche operations that are not supported by general-purpose architectures. However, one disadvantage of fixed-function ISEs is inflexibility, contradicting a need for ``algorithm agility''. This paper explores a new approach, namely the provision of reconfigurable mechanisms to support dynamic (run-time changeable) ISEs. Our results, obtained using an FPGA-based LEON3 prototype, show that this approach provides a flexible general-purpose platform for cryptographic ISEs with all known advantages of previous work, but relies on careful analysis of the associated security issues. |
BibTeX:
@article{Grabher2012AnExplorationOf,
author = {Philipp Grabher and Johann Großschädl and Simon Hoerder and Kimmo Järvinen and Dan Page and Stefan Tillich and Marcin Wójcik},
title = {An Exploration of Mechanisms for Dynamic Cryptographic Instruction Set Extension},
journal = {Journal of Cryptographic Engineering},
year = {2012},
volume = {2},
pages = {1--18},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/7746048n2124q494/},
doi = {10.1007/s13389-011-0025-8}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Großschädl J, Page D and Tillich S (2012), "Efficient Java Implementation of Elliptic Curve Cryptography for J2ME-Enabled Mobile Devices", In Information Security Theory and Practice, Security and Privacy of Mobile Devices in Wireless Communication, 6th IFIP WG 11.2 International Workshop, WISTP 2012, Egham, United Kingdom, June 2012, Proceedings. Vol. 7322, pp. 189-207. Springer. |
| Abstract: The Micro Edition of the Java 2 platform (J2ME) provides an application environment specifically designed to address the demands of embedded devices like cell phones, PDAs or set-top boxes. Since the J2ME platform does not include a crypto package, developers are forced to use third-party classes or to implement all cryptographic primitives from scratch. However, most existing implementations of elliptic curve (EC) cryptography for J2ME do not perform well on resource-restricted devices, in most cases due to poor efficiency of the underlying arithmetic operations. In this paper we present an optimized Java implementation of EC scalar multiplication that combines efficient finite-field arithmetic with efficient group arithmetic. More precisely, our implementation uses a pseudo-Mersenne (PM) prime field for fast modular reduction and a Gallant-Lambert-Vanstone (GLV) curve with an efficiently computable endomorphism to speed up the scalar multiplication with random base points. Our experimental results show that a conventional mobile phone without Java acceleration, such as the Nokia 6610, is capable of executing a 174-bit scalar multiplication in roughly 400 msec, which is more than 45 times faster than the widely-used Bouncy Castle Lightweight Crypto API for J2ME. |
BibTeX:
@inproceedings{Groszschaedl2012EfficientJavaImplementation,
author = {Johann Großschädl and Dan Page and Stefan Tillich},
editor = {Ioannis G. Askoxylakis and Joachim Posegga},
title = {Efficient Java Implementation of Elliptic Curve Cryptography for J2ME-Enabled Mobile Devices},
booktitle = {Information Security Theory and Practice, Security and Privacy of Mobile Devices in Wireless Communication, 6th IFIP WG 11.2 International Workshop, WISTP 2012, Egham, United Kingdom, June 2012, Proceedings},
publisher = {Springer},
year = {2012},
volume = {7322},
pages = {189--207},
note = {(c) IFIP, 2012. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2012, www.springerlink.com.},
url = {http://www.springerlink.com/content/g25r403025262727/},
doi = {10.1007/978-3-642-30955-7_17}
}
|
| Copyright note: (c) IFIP, 2012. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2012, www.springerlink.com. |
| Tillich S and Wójcik M (2012), "Security Analysis of an Open Car Immobilizer Protocol Stack", Presented at the industry track of the 10th International Conference on Applied Cryptography and Network Security (ACNS'12). June, 2012. |
| Abstract: Openness is a key criterion of security algorithms and protocols which enables them to be subjected to scrutiny by independent security experts. The alternative ``methodology'' of secret proprietary algorithms and protocols has often ended in practical breaks, e.g. of the MIFARE Oyster cards for public transport or the KeeLoq remote control systems. Open evaluation is common for general applications of security, e.g. the NIST competitions for selection of the Advanced Encryption Standard (AES) and the Secure Hash Algorithm 3 (SHA-3). Nowadays an increasing number of embedded security applications apply the principle of open evaluation as well. A recent example is the specification of an open security protocol stack for car immobilizer applications by Atmel, which has been presented at ESCAR 2010. This stack is primarily intended to be used in conjunction with automotive transponder chips of this manufacturer, but could in principle be deployed on any suitable type of transponder chip. In this paper we analyze the security of this protocol stack. We were able to uncover a number of potential security vulnerabilities, for which we suggest fixes. |
BibTeX:
@misc{Tillich2012SecurityAnalysisOf,
author = {Stefan Tillich and Marcin Wójcik},
title = {Security Analysis of an Open Car Immobilizer Protocol Stack},
howpublished = {Presented at the industry track of the 10th International Conference on Applied Cryptography and Network Security (ACNS'12)},
year = {2012},
note = {(c) Authors.},
url = {http://icsd.i2r.a-star.edu.sg/acns2012/index.php}
}
|
| Copyright note: (c) Authors. |
| Grabher P, Großschädl J, Hoerder S, Järvinen K, Page D, Tillich S and Wójcik M (2011), "An Exploration of Mechanisms for Dynamic Cryptographic Instruction Set Extension", In Cryptographic Hardware and Embedded Systems - CHES 2011, 13th International Workshop, Nara, Japan, September/October 2011, Proceedings. Vol. 6917, pp. 1-16. Springer. |
| Abstract: Instruction Set Extensions (ISEs) supplement a host processor with special-purpose, typically fixed-function hardware components and instructions to utilize them. For cryptographic use-cases, this can be very effective due to the demand for non-standard or niche operations that are not supported by general-purpose architectures. However, one disadvantage of fixed-function ISEs is inflexibility, contradicting a need for “algorithm agility.” This paper explores a new approach, namely the provision of re-configurable mechanisms to support dynamic (run-time changeable) ISEs. Our results, obtained using an FPGA-based LEON3 prototype, show that this approach provides a flexible general-purpose platform for cryptographic ISEs with all known advantages of previous work, but relies on careful analysis of the associated security issues. |
BibTeX:
@inproceedings{Grabher2011AnExplorationOf,
author = {Philipp Grabher and Johann Großschädl and Simon Hoerder and Kimmo Järvinen and Dan Page and Stefan Tillich and Marcin Wójcik},
editor = {Bart Preneel and Tsuyoshi Takagi},
title = {An Exploration of Mechanisms for Dynamic Cryptographic Instruction Set Extension},
booktitle = {Cryptographic Hardware and Embedded Systems - CHES 2011, 13th International Workshop, Nara, Japan, September/October 2011, Proceedings},
publisher = {Springer},
year = {2011},
volume = {6917},
pages = {1--16},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/b583241036114150/},
doi = {10.1007/978-3-642-23951-9_1}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
| Hoerder S, Wójcik M, Tillich S and Page D (2011), "An Evaluation of Hash Functions on a Power Analysis Resistant Processor Architecture", In Information Security Theory and Practice, Security and Privacy of Mobile Devices in Wireless Communication, 5th IFIP WG 11.2 International Workshop, WISTP 2011, Heraklion, Crete, Greece, June 2011, Proceedings. Vol. 6633, pp. 160-174. Springer. |
| Abstract: Cryptographic hash functions are an omnipresent component in security-critical software and devices; they support digital signature and data authenticity schemes, mechanisms for key derivation, pseudo-random number generation and so on. A criterion for candidate hash functions in the SHA3 contest is resistance against side-channel analysis which is a major concern especially for mobile devices. This paper explores the implementation of said candidates on a variant of the Power-Trust platform; our results highlight a flexible solution to power analysis attacks, implying only a modest performance overhead. |
BibTeX:
@inproceedings{Hoerder2011AnEvaluationOf,
author = {Simon Hoerder and Marcin Wójcik and Stefan Tillich and Dan Page},
editor = {Claudio A. Ardagna and Jianying Zhou},
title = {An Evaluation of Hash Functions on a Power Analysis Resistant Processor Architecture},
booktitle = {Information Security Theory and Practice, Security and Privacy of Mobile Devices in Wireless Communication, 5th IFIP WG 11.2 International Workshop, WISTP 2011, Heraklion, Crete, Greece, June 2011, Proceedings},
publisher = {Springer},
year = {2011},
volume = {6633},
pages = {160--174},
note = {(c) IFIP, 2011. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2011, www.springerlink.com.},
url = {http://www.springerlink.com/content/x37324j653681446/},
doi = {10.1007/978-3-642-21040-2_11}
}
|
| Copyright note: (c) IFIP, 2011. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2011, www.springerlink.com. |
| Tillich S, Kirschbaum M and Szekely A (2011), "Implementation and Evaluation of an SCA-Resistant Embedded Processor", In Smart Card Research and Advanced Applications 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14-16, 2011, Revised Selected Papers. Vol. 7079, pp. 151-165. Springer. |
| Abstract: Side-channel analysis (SCA) attacks are a threat for many embedded applications which have a need for security. With embedded processors being at the very heart of such applications, it is desirable to address SCA attacks with countermeasures which “naturally” fit deployment in those processors. This paper describes our work in implementing one such protection concept in an ASIC prototype and our results from a practical evaluation of its security. We are able to demonstrate that the basic principle of limiting the “leaking” portion of the processor works rather well to reduce the side-channel leakage. From this result we can draw valuable conclusions for future embedded processor design. In order to minimize the remaining leakage, the security concept calls for the application of a secure logic style. We used two concrete secure logic styles (iMDPL and DWDDL) in order to demonstrate this increase in security. Unfortunately, neither of these logic styles seems to do a particularly good job as we were still able to attribute SCA leakage to the secure-logic part of the processor. If a better suited logic style can be employed we believe that the overall leakage of the processor can be further reduced. Thus we deem the evaluated security concept as a viable method for protecting embedded processors. |
BibTeX:
@inproceedings{Tillich2011ImplementationAndEvaluation,
author = {Stefan Tillich and Mario Kirschbaum and Alexander Szekely},
editor = {Emmanuel Prouff},
title = {Implementation and Evaluation of an SCA-Resistant Embedded Processor},
booktitle = {Smart Card Research and Advanced Applications 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14-16, 2011, Revised Selected Papers},
publisher = {Springer},
year = {2011},
volume = {7079},
pages = {151--165},
note = {(c) IFIP, 2011. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in CARDIS 2011, www.springerlink.com.},
url = {http://www.springerlink.com/content/8218424122k27428/},
doi = {10.1007/978-3-642-27257-8_10}
}
|
| Copyright note: (c) IFIP, 2011. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in CARDIS 2011, www.springerlink.com. |
| Gallais J-F, Großschädl J, Hanley N, Kasper M, Medwed M, Regazzoni F, Schmidt Jö-M, Tillich S and Wójcik M (2010), "Hardware Trojans for Inducing or Amplifying Side-Channel Leakage of Cryptographic Software", In Trusted Systems. Second International Conference, INTRUST 2010, Beijing, China, December 13th-15th, 2010. Proceedings. Vol. 6802, pp. 253-270. Springer. |
| Abstract: Malicious alterations of integrated circuits (ICs), introduced during either the design or fabrication process, are increasingly perceived as a serious concern by the global semiconductor industry. Such rogue alterations often take the form of a “hardware Trojan,” which may be activated remotely after the compromised chip or system has been deployed in the field. The devious actions of hardware Trojans can range from the disabling of all or part of the chip (i.e. “kill switch”), over the activation of a backdoor that allows an adversary to gain access to the system, to the covert transmission of sensitive information (e.g. cryptographic keys) off-chip. In the recent past, hardware Trojans which induce side-channel leakage to convey secret keys have received considerable attention. With the present paper we aim to broaden the scope of Trojan side-channels from dedicated cryptographic hardware to general-purpose processors on which cryptographic software is executed. In particular, we describe a number of simple micro-architectural modifications to induce or amplify information leakage via faulty computations or variations in the latency and power consumption of certain instructions. We also propose software-based mechanisms for Trojan activation and present two case studies to exemplify the induced side-channel leakage for software implementations of RSA and AES. Finally, we discuss a constructive use of micro-architectural Trojans for digital watermarking so as to facilitate the detection of illegally manufactured copies of processors. |
BibTeX:
@inproceedings{Gallais2010HardwareTrojansInducing,
author = {Jean-François Gallais and Johann Großschädl and Neil Hanley and Markus Kasper and Marcel Medwed and Francesco Regazzoni and Jörn-Marc Schmidt and Stefan Tillich and Marcin Wójcik},
editor = {Liqun Chen and Moti Yung},
title = {Hardware Trojans for Inducing or Amplifying Side-Channel Leakage of Cryptographic Software},
booktitle = {Trusted Systems. Second International Conference, INTRUST 2010, Beijing, China, December 13th-15th, 2010. Proceedings},
publisher = {Springer},
year = {2010},
volume = {6802},
pages = {253--270},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/t61w731151207j37/?MUD=MP/},
doi = {10.1007/978-3-642-25283-9_17}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S, Feldhofer M, Kirschbaum M, Plos T, Schmidt Jö-M and Szekely A (2010), "Hardware Implementations of the Round-Two SHA-3 Candidates: Comparison on a Common Ground", In Proceedings of Austrochip 2010, Villach, Austria, October 6, 2010, pp. 43-48. Carinthia University of Applied Sciences. |
| Abstract: Hash functions are a core part of many protocols that are in daily use. Following recent results that raised concerns regarding the security of the current hash standards, the National Institute of Standards and Technology (NIST) pronounced a competition to find a new Secure Hash Algorithm (SHA), the SHA-3. An important criterion for the new standard is not only its security, but also the performance and the costs of its implementations. This paper evaluates all 14 candidates that are currently in the second round of the SHA-3 competition. We provide a common framework that allows a fair comparison of the hardware implementations of all SHA-3 candidates. We optimized the hardware modules towards maximum throughput and give concrete numbers of our implementations for a 0.18 µm standard-cell technology. |
BibTeX:
@inproceedings{Tillich2010HardwareImplementationsOf,
author = {Stefan Tillich and Martin Feldhofer and Mario Kirschbaum and Thomas Plos and Jörn-Marc Schmidt and Alexander Szekely},
editor = {Michael Köberle and Manfred Ley and Erwin Ofner and Johannes Sturm and Chi Zhang},
title = {Hardware Implementations of the Round-Two SHA-3 Candidates: Comparison on a Common Ground},
booktitle = {Proceedings of Austrochip 2010, Villach, Austria, October 6, 2010},
publisher = {Carinthia University of Applied Sciences},
year = {2010},
pages = {43--48},
note = {(c) Authors.},
url = {http://austrochip.fh-kaernten.at/en/home.html}
}
|
| Copyright note: (c) Authors. |
| Tillich S, Kirschbaum M and Szekely A (2010), "SCA-Resistant Embedded Processors: The Next Generation", In Proceedings of the 26th Annual Computer Security Applications Conference, pp. 211-220. ACM Press. |
| Abstract: Resistance against side-channel analysis (SCA) attacks is an important requirement for many secure embedded systems. Microprocessors and microcontrollers which include suitable countermeasures can be a vital building block for such systems. In this paper, we present a detailed concept for building embedded processors with SCA countermeasures. Our concept is based on ideas for the secure implementation of cryptographic instruction set extensions. On the one hand, it draws from known SCA countermeasures like DPA-resistant logic styles. On the other hand, our protection scheme is geared towards use in modern embedded applications like PDAs and smart phones. It supports multitasking and a separation of secure system software and (potentially insecure) user applications. Furthermore, our concept affords support for a wide range of cryptographic algorithms. Based on this concept, embedded processor cores with support for a selected set of cryptographic algorithms can be built using a fully automated design flow. |
BibTeX:
@inproceedings{Tillich2010SCAResistantEmbedded,
author = {Stefan Tillich and Mario Kirschbaum and Alexander Szekely},
editor = {Michael Franz and John McDermott},
title = {SCA-Resistant Embedded Processors: The Next Generation},
booktitle = {Proceedings of the 26th Annual Computer Security Applications Conference},
publisher = {ACM Press},
year = {2010},
pages = {211--220},
note = {(c) ACM, 2010. This is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACSAC '10, Dec. 6-10, 2010. http://doi.acm.org/10.1145/1920261.1920293.},
url = {http://dl.acm.org/citation.cfm?id=1920293},
doi = {10.1145/1920261.1920293}
}
|
| Copyright note: (c) ACM, 2010. This is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACSAC '10, Dec. 6-10, 2010. http://doi.acm.org/10.1145/1920261.1920293. |
| Tillich S, Feldhofer M, Kirschbaum M, Plos T, Schmidt Jö-M and Szekely A (2010), "Uniform Evaluation of Hardware Implementations of the Round-Two SHA-3 Candidates", The Second SHA-3 Candidate Conference, August 23-24, 2010, Santa Barbara, California, USA. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/index.html. August, 2010. |
| Abstract: We describe our high-speed hardware modules for the 14 candidates of the second evaluation round of the SHA-3 hash function competition. Emphasis has been put on bringing as many aspects of design and implementation as possible into agreement in order to receive consistent and comparable evaluation results. For most candidates we have tested a range of different design and implementation options. The evaluation involved a large number of synthesis runs in a uniform setup and under the use of a simple optimization heuristic. In addition to identifying good hardware-design options, this approach has yielded data on numerous possible area-performance tradeoffs for the different hardware modules. The best configurations then underwent place & route in order to reach the highest degree of accuracy of performance metrics short of actual implementation in silicon. |
BibTeX:
@misc{Tillich2010UniformEvaluationOf,
author = {Stefan Tillich and Martin Feldhofer and Mario Kirschbaum and Thomas Plos and Jörn-Marc Schmidt and Alexander Szekely},
title = {Uniform Evaluation of Hardware Implementations of the Round-Two SHA-3 Candidates},
howpublished = {The Second SHA-3 Candidate Conference, August 23-24, 2010, Santa Barbara, California, USA. Available online at \url{http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/index.html}},
year = {2010},
note = {(c) Authors.},
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/index.html}
}
|
| Copyright note: (c) Authors. |
| Bauer GR, Potisk P and Tillich S (2009), "Comparing Block Cipher Modes of Operation on MICAz Sensor Nodes", In Proceedings of the 17th Euromicro Conference on Parallel, Distributed and Network-based Processing, pp. 371-378. IEEE Computer Society. |
| Abstract: Wireless sensor networks are a key technology for ``ubiquitous computing'' applications. The challenges of securing such networks are tremendous. On the one side, sensor nodes are commonly deployed in potentially hostile environments, which requires additional protection in comparison to traditional computing systems. On the other side, the capabilities of sensor nodes in terms of computing power, memory, and available energy are severely limited, which makes it hard to adapt existing security solutions. In this paper, we examine different options for providing confidentiality and message authentication to sensor network communication. More specifically, we examine four modern block cipher modes of operation regarding their applicability in sensor networks. These are the Offset Codebook mode (OCB), the Counter Cipher Feedback with Header mode (CCFB+H), the EAX mode, and the Galois/Counter mode (GCM). Our practical evaluation targets the MICAz sensor node and accounts for the typically small packet size of sensor network traffic. Our results indicate that the CCFB+H mode is the best choice for a large range of applications. |
BibTeX:
@inproceedings{Bauer2009ComparingBlockCipher,
author = {Gernot R. Bauer and Philipp Potisk and Stefan Tillich},
editor = {Didier El Baz and François Spies and Tom Gross},
title = {Comparing Block Cipher Modes of Operation on MICAz Sensor Nodes},
booktitle = {Proceedings of the 17th Euromicro Conference on Parallel, Distributed and Network-based Processing},
publisher = {IEEE Computer Society},
year = {2009},
pages = {371--378},
note = {(c) 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's version of the work. The definitive version was published in PDP 2009, February 18-20, 2009 http://dx.doi.org/10.1109/PDP.2009.16.}
}
|
| Copyright note: (c) 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's version of the work. The definitive version was published in PDP 2009, February 18-20, 2009 http://dx.doi.org/10.1109/PDP.2009.16. |
| Lederer C, Mader R, Koschuch M, Großschädl J, Szekely A and Tillich S (2009), "Energy-Efficient Implementation of ECDH Key Exchange for Wireless Sensor Networks", In 3rd International Workshop in Information Security Theory and Practices -- WISTP 2009, Brussels, Belgium, September 1-4, 2009, Proceedings. Vol. 5746, pp. 112-127. Springer. |
| Abstract: Wireless Sensor Networks (WSNs) are playing a vital role in an ever-growing number of applications ranging from environmental surveillance over medical monitoring to home automation. Since WSNs are often deployed in unattended or even hostile environments, they can be subject to various malicious attacks, including the manipulation and capture of nodes. The establishment of a shared secret key between two or more individual nodes is one of the most important security services needed to guarantee the proper functioning of a sensor network. Despite some recent advances in this field, the efficient implementation of cryptographic key establishment for WSNs remains a challenge due to the resource constraints of small sensor nodes such as the MICAz mote. In this paper we present a lightweight implementation of the elliptic curve Diffie-Hellman (ECDH) key exchange for ZigBee-compliant sensor nodes equipped with an ATmega128 processor running the TinyOS operating system. Our implementation uses a 192-bit prime field specified by the NIST as underlying algebraic structure and requires only $5.20 \cdot 10^6$ clock cycles to compute a scalar multiplication if the base point is fixed and known a priori. A scalar multiplication using a random base point takes about $12.33 \cdot 10^6$ cycles. Our results show that a full ECDH key exchange between two MICAz motes consumes an energy of 57.33 mJ (including radio communication), which is significantly better than most previously reported ECDH implementations on comparable platforms. |
BibTeX:
@inproceedings{Lederer2009Energy-EfficientImplementation,
author = {Christian Lederer and Roland Mader and Manuel Koschuch and Johann Großschädl and Alexander Szekely and Stefan Tillich},
title = {Energy-Efficient Implementation of ECDH Key Exchange for Wireless Sensor Networks},
booktitle = {3rd International Workshop in Information Security Theory and Practices -- WISTP 2009, Brussels, Belgium, September 1-4, 2009, Proceedings},
publisher = {Springer},
year = {2009},
volume = {5746},
pages = {112--127},
note = {(c) IFIP, 2009. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2009, www.springerlink.com.}
}
|
| Copyright note: (c) IFIP, 2009. This is the author's version of the work. It is posted here by permission of IFIP for your personal use. Not for redistribution. The definitive version was published in WISTP 2009, www.springerlink.com. |
| Schmidt Jö-M and Tillich S (2009), "On the Security of Untrusted Memory", In Availability, Reliability and Security, 2009. ARES '09. International Conference on, March 2009, pp. 329-334. IEEE Computer Society. |
| Abstract: Embedded systems can be used in versatile applications. At the same time, more and more functionality is demanded from these systems, which necessitates an increase in the size of program and data memory. Thus, an external chip providing additional memory can be added to the microcontroller, which is the system's core component. However, the connection between microcontroller chip and external memory is an easy target for an attacker. A small alteration in an external program memory can already lead to a radical change in the overall behavior of the embedded system. In security-related applications, such a change in behavior can result in potentially catastrophic consequences. Although there have been proposals for schemes to protect certain aspects of the use of external memories, none provides a comprehensive analysis of potential threats and respective countermeasures. Therefore, we propose a new scheme to detect all manipulations of data in the external memory as well as to prevent an adversary from learning potentially compromising information about the program running inside the microcontroller. Although our scheme entails a non-negligible overhead in terms of processing effort and memory, it is, to the best of our knowledge, the first to provide a practical, uniform and coherent protection for external memory. |
BibTeX:
@inproceedings{Schmidt2009SecurityofUntrusted,
author = {Jörn-Marc Schmidt and Stefan Tillich},
title = {On the Security of Untrusted Memory},
booktitle = {Availability, Reliability and Security, 2009. ARES '09. International Conference on},
publisher = {IEEE Computer Society},
year = {2009},
pages = {329--334},
note = {(c) 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/ARES.2009.7.}
}
|
| Copyright note: (c) 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/ARES.2009.7. |
| Tillich S, Feldhofer M, Issovits W, Kern T, Kureck H, Mühlberghuber M, Neubauer G, Reiter A, Köfler A and Mayrhofer M (2009), "Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein", In Proceedings of Austrochip 2009, October 7, 2009, Graz, Austria, pp. 69-74. |
| Abstract: The weakening of the widely used SHA-1 hash function has also cast doubts on the strength of the related algorithms of the SHA-2 family. The US NIST has therefore initiated the SHA-3 competition in order to select a modern hash function algorithm as a ``backup'' for SHA-2. This algorithm should be efficiently implementable both in software and hardware under different constraints. In this paper, we present hardware implementations of the four SHA-3 candidates ARIRANG, BLAKE, Grøstl, and Skein with the primary constraint of minimizing chip area. |
BibTeX:
@inproceedings{Tillich2009CompactHardwareImplementations,
author = {Stefan Tillich and Martin Feldhofer and Wolfgang Issovits and Thomas Kern and Hermann Kureck and Michael Mühlberghuber and Georg Neubauer and Andreas Reiter and Armin Köfler and Mathias Mayrhofer},
editor = {Mario Auer and Wolfgang Pribyl and Peter Söser},
title = {Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein},
booktitle = {Proceedings of Austrochip 2009, October 7, 2009, Graz, Austria},
year = {2009},
pages = {69--74},
note = {(c) Authors.},
url = {http://www.ife.tugraz.at/events/austrochip2009/index_de.html}
}
|
| Copyright note: (c) Authors. |
| Tillich S (2009), "Hardware Implementation of the SHA-3 Candidate Skein", Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2009/159, April 2009. |
| Abstract: Skein is a submission to the NIST SHA-3 hash function competition which has been optimized towards implementation in modern 64-bit processor architectures. This paper investigates the performance characteristics of a high-speed hardware implementation of Skein with a 0.18 µm standard-cell library and on different modern FPGAs. The results allow a first comparison of the hardware performance figures of full Skein with other SHA-3 candidates. |
BibTeX:
@misc{Tillich2009HardwareImplementationOf,
author = {Stefan Tillich},
title = {Hardware Implementation of the SHA-3 Candidate Skein},
howpublished = {Cryptology ePrint Archive (\url{http://eprint.iacr.org/}), Report 2009/159},
year = {2009},
note = {(c) Author.},
url = {http://eprint.iacr.org/2009/159}
}
|
| Copyright note: (c) Author. |
| Aigner M, Feldhofer M and Tillich S (2008), "Symmetric Primitives", Vol. 1, pp. 44-76. IOS Press. |
| Abstract: This chapter highlights the importance of symmetric cryptographic primitives for providing security in wireless sensor networks. We outline the basic goals and primitives and give a comprehensive overview in regard to modes of operation. We also provide an extensive survey of the implementation options of the Advanced Encryption Standard (AES): In software on processors of different word size, in hardware with different optimization goals, as well as in a hardware/software co-design approach with cryptographic instruction set extensions. An overview of state-of-the-art cryptographic support in today’s WSN products concludes this chapter. |
BibTeX:
@inbook{Aigner2008SymmetricPrimitives,
author = {Manfred Aigner and Martin Feldhofer and Stefan Tillich},
editor = {Javier Lopez and Jianying Zhou},
title = {Symmetric Primitives},
publisher = {IOS Press},
year = {2008},
volume = {1},
pages = {44--76},
note = {(c) IOS Press. This is an author's version of the work. The final publication is available at www.iospress.nl.},
url = {http://www.iospress.nl/loadtop/load.php?isbn=9781586038137}
}
|
| Copyright note: (c) IOS Press. This is an author's version of the work. The final publication is available at www.iospress.nl. |
| Tillich S, Feldhofer M, Popp T and Großschädl J (2008), "Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box", Journal of Signal Processing Systems, January 2008. Vol. 50(2), pp. 251-261. |
| Abstract: Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, wherein hardware designs for FPGAs and standard cells received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examine implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by up to almost an order of magnitude. In terms of area and area-delay product, the best choice are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations do not only reduce power consumption by a large degree, but they also show good timing properties and offer the best power-delay and power-area product, respectively. |
BibTeX:
@article{Tillich2008AreaDelayand,
author = {Stefan Tillich and Martin Feldhofer and Thomas Popp and Johann Großschädl},
title = {Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box},
journal = {Journal of Signal Processing Systems},
year = {2008},
volume = {50},
number = {2},
pages = {251--261},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/h436qq122rx63tp2/},
doi = {10.1007/s11265-007-0158-2}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S and Herbst C (2008), "Attacking State-of-the-Art Software Countermeasures---A Case Study for AES", In Cryptographic Hardware and Embedded Systems -- CHES 2008, 10th International Workshop, Washington DC, USA, August 10-13, 2008, Proceedings, August 2008. Vol. 5154, pp. 228-243. Springer. |
| Abstract: In order to protect software implementations of secret-key cryptographic primitives against side channel attacks, a software developer has only a limited choice of countermeasures. A combination of masking and randomization of operations in time promises good protection and can be realized without too much overhead. Recently, new advanced DPA methods have been proposed to attack software implementations with such kind of protection. In this work, we have applied these methods successfully to break a protected AES software implementation on a programmable smart card. Thus, we were able to verify the practicality of the new attacks and to estimate their effectiveness in comparison to traditional DPA attacks on unprotected implementations. In the course of our work, we have also refined and improved the original attacks, so that they can be mounted more efficiently. Our practical results indicate that the effort required for attacking the protected implementation with the examined methods is more than two orders of magnitude higher compared to an attack on an unprotected implementation. |
BibTeX:
@inproceedings{Tillich2008AttackingStateOf,
author = {Stefan Tillich and Christoph Herbst},
editor = {Elisabeth Oswald and Pankaj Rohatgi},
title = {Attacking State-of-the-Art Software Countermeasures---A Case Study for AES},
booktitle = {Cryptographic Hardware and Embedded Systems -- CHES 2008, 10th International Workshop, Washington DC, USA, August 10-13, 2008, Proceedings},
publisher = {Springer},
year = {2008},
volume = {5154},
pages = {228--243},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/gw38j27416108h25/},
doi = {10.1007/978-3-540-85053-3_15}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S and Herbst C (2008), "Boosting AES Performance on a Tiny Processor Core", In Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008, Proceedings, April 2008. Vol. 4964, pp. 170-186. Springer. |
| Abstract: Notwithstanding the tremendous increase in performance of desktop computers, more and more computational work is performed on small embedded microprocessors. Particularly, tiny 8-bit microcontrollers are being employed in many different application settings ranging from cars over everyday appliances like doorlock systems or room climate controls to complex distributed setups like wireless sensor networks. In order to provide security for these applications, cryptographic algorithms need to be implemented on these microcontrollers. While efficient implementation is a general optimization goal, tiny embedded systems normally have further demands for low energy consumption, small code size, low RAM usage and possibly also short latency. In this work we propose a small enhancement for 8-bit Advanced Virtual RISC (AVR) cores, which improves the situation for all of these demands for implementations of the Advanced Encryption Standard. Particularly, a single 128-bit block can be encrypted or decrypted in under 1,300 clock cycles. Compared to a fast software implementation, this constitutes an increase of performance by a factor of up to 3.6. The hardware cost for the proposed extensions is limited to about 1.1 kGates. |
BibTeX:
@inproceedings{Tillich2008BoostingAESPerformance,
author = {Stefan Tillich and Christoph Herbst},
editor = {Tal Malkin},
title = {Boosting AES Performance on a Tiny Processor Core},
booktitle = {Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008, Proceedings},
publisher = {Springer},
year = {2008},
volume = {4964},
pages = {170--186},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/t4pl16w651423677/},
doi = {10.1007/978-3-540-79263-5_11}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S (2008), "Instruction Set Extensions for Support of Cryptography on Embedded Systems". Thesis at: Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria, November 2008. |
| Abstract: Digital computing devices continue to be increasingly dispersed within our everyday environments. Computers are "embedded" into everyday appliances in order to serve predominantly one of two purposes: Either take over the functionality of analog electronic components or enable new services in their own right. While such digital computing capabilities are arguably a key enabler for exciting new applications, the potential hazards should not be overlooked. Problems which exist in the much more familiar domain of desktop computing (e.g., development of correct software) are now introduced into these new fields. At the same time, embedded computers also face new challenges, e.g., severe restrictions of resources like computing power, memory, and energy. One of the more pressing problems of embedded computing is the provision of adequate security mechanisms. While there are some robust solutions available for the desktop domain, resource restrictions often prevent their direct application for embedded devices. The basic problem is constituted by the fact that modern cryptographic algorithms still present a significant overhead for such constrained systems. As most embedded processors will be charged with the execution of cryptographic algorithms, it is worthwhile to revisit these processors' capabilities in this regard and to consider the benefits of "tweaking" their functionality towards these specific workloads. The main vehicle for such a tweaking is the addition of custom instructions into the default instruction set architecture of the processor. Such instruction set extensions have been highly successful in areas like multimedia and digital signal processing. In this thesis we examine instruction set extensions for cryptography, with a special focus on secret-key algorithms. Three main goals are pursued within this thesis. 
The first goal is the investigation of potential new instructions (design space exploration) and the proposal of worthwhile candidates. The second goal is concerned with the efficient implementation of the proposed instructions and the evaluation of their effectiveness in a realistic setup. This activity has led to the creation of the LEON2-CIS embedded processor, which is a variant of the SPARC V8-compatible LEON2 processor and which incorporates all of the instructions which we propose in this thesis. The LEON2-CIS is available under the GNU LGPL in order to document our efforts and to provide a basis for further research. The third goal of this thesis is concerned with strategies for securing embedded processors against the threat of implementation attacks (most importantly side channel attacks). This thesis collects our research work from the last years, most of which has already been disseminated through academic publication. The publications have been put into a coherent form and have been complemented with new material. In addition to documenting our work, we have striven to provide references to relevant publications by research groups dealing with related topics. |
BibTeX:
@phdthesis{Tillich2008InstructionSetExtensions,
author = {Stefan Tillich},
title = {Instruction Set Extensions for Support of Cryptography on Embedded Systems},
school = {Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology},
year = {2008},
note = {(c) Author.},
url = {https://online.tugraz.at/tug_online/wbabs.showThesis?pThesisNr=26461&pOrgNr=37}
}
|
| Copyright note: (c) Author. |
| Großschädl J, Tillich S, Rechberger C, Hofmann M and Medwed M (2007), "Energy Evaluation of Software Implementations of Block Ciphers under Memory Constraints", In 2007 Design, Automation and Test in Europe Conference and Exposition (DATE 2007), April 16-20, 2007, Nice, France, April 2007, pp. 1110-1115. ACM Press. |
| Abstract: Software implementations of modern block ciphers often require large lookup tables along with code size increasing optimizations like loop unrolling to reach peak performance on general-purpose processors. Therefore, block ciphers are difficult to implement efficiently on embedded devices like smart cards or sensor nodes where run-time memory and program ROM are scarce resources. In this paper we analyze and compare the performance, energy consumption, runtime memory requirements, and code size of the five block ciphers RC6, Rijndael, Serpent, Twofish, and XTEA on the StrongARM SA-1100 processor. Most previous evaluations of block ciphers considered performance as the sole metric of interest and did not care about memory requirements or code size. In contrast to previous work, our study of the performance and energy characteristics of block ciphers has been conducted with ``lightweight'' implementations which restrict the size of lookup tables to 1 kB and also impose constraints on the code size. We found that Rijndael and RC6 can be well optimized for high performance and energy efficiency, while at the same time meeting the demand for low memory (RAM and ROM) footprint. In addition, we discuss the impact of key expansion and modes of operation on the overall performance and energy consumption of each block cipher. Our simulation results show that RC6 is the most energy-efficient block cipher under memory constraints and thus the best choice for resource-restricted devices. |
BibTeX:
@inproceedings{Groszschaedl2007EnergyEvaluationOf,
author = {Johann Großschädl and Stefan Tillich and Christian Rechberger and Michael Hofmann and Marcel Medwed},
editor = {Rudy Lauwereins and Jan Madsen},
title = {Energy Evaluation of Software Implementations of Block Ciphers under Memory Constraints},
booktitle = {2007 Design, Automation and Test in Europe Conference and Exposition (DATE 2007), April 16-20, 2007, Nice, France},
publisher = {ACM Press},
year = {2007},
pages = {1110--1115},
note = {(c) European Design and Automation Association (EDAA), 2007. This is an author's version of the work. The definitive version was published in DATE 2007. dl.acm.org.},
url = {http://dl.acm.org/citation.cfm?id=1266607}
}
|
| Copyright note: (c) European Design and Automation Association (EDAA), 2007. This is an author's version of the work. The definitive version was published in DATE 2007. dl.acm.org. |
| Großschädl J, Tillich S and Szekely A (2007), "Performance Evaluation of Instruction Set Extensions for Long Integer Modular Arithmetic on a SPARC V8 Processor", In Proceedings of the 10th Euromicro Conference on Digital System Design Architectures, Methods and Tools (DSD 2007), August 2007, pp. 680-689. IEEE Computer Society. |
| Abstract: Many important algorithms for public-key cryptography rely on computation-intensive arithmetic operations like modular exponentiation on very long integers, typically in the range of 512 and 2048 bits. Modular exponentiation is generally realized through a sequence of modular multiplications and spends the majority of execution time in simple inner loops. Speeding up these performance-critical inner loop operations with custom instructions has, therefore, a significant impact on the total execution time of public-key cryptosystems. In this paper we analyze the performance of instruction set extensions for long integer arithmetic on a SPARC V8 processor. We discuss various implementation options and optimization opportunities for both modular multiplication and exponentiation. In particular, we introduce a partial loop unrolling (PLU) technique for modular multiplication which allows to achieve large performance gains at the cost of a moderate increase in code size, while maintaining the full flexibility of a rolled-loop implementation. In addition, we study window methods for modular exponentiation and analyze their impact on performance and memory requirements. Our experimental results, obtained with an FPGA prototype of the LEON-2 SPARC V8 core, show that a full 1024-bit modular exponentiation can be performed in about $12.5 \times 10^6$ clock cycles, which is a reasonable value for embedded devices like smart cards or sensor nodes. |
BibTeX:
@inproceedings{Groszschaedl2007PerformanceEvaluationOf,
author = {Johann Großschädl and Stefan Tillich and Alexander Szekely},
title = {Performance Evaluation of Instruction Set Extensions for Long Integer Modular Arithmetic on a SPARC V8 Processor},
booktitle = {Proceedings of the 10th Euromicro Conference on Digital System Design Architectures, Methods and Tools (DSD 2007)},
publisher = {IEEE Computer Society},
year = {2007},
pages = {680--689},
note = {(c) 2007 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/DSD.2007.4341542.},
doi = {10.1109/DSD.2007.4341542}
}
|
| Copyright note: (c) 2007 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/DSD.2007.4341542. |
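The DSD 2007 entry above turns on two ideas: the inner loop of long-integer modular multiplication is a word-level multiply-accumulate that a custom instruction can speed up, and window methods trade table memory for fewer multiplications in the exponentiation built on top of it. The Python below is an added example, not code from the paper or from the LEON2-CIS project: it models a 32x32-bit multiply-accumulate word operation in software, builds CIOS Montgomery multiplication out of that single operation, and runs a fixed 2^k-ary window exponentiation on it. The word width W, the class name MontCtx and the moduli in the usage line are assumptions of this example.

```python
"""Word-level modular arithmetic in the style of the DSD 2007 entry: a 32-bit
multiply-accumulate (MAC) step, CIOS Montgomery multiplication built from it,
and 2^k-ary (fixed window) exponentiation on top.  Added example, not the
paper's code; the MAC instruction is modelled in pure Python (assumption)."""

W = 32                      # word width of the modelled processor (assumption)
MASK = (1 << W) - 1


def to_words(x, n):
    """Split a non-negative integer into n little-endian W-bit words."""
    return [(x >> (W * i)) & MASK for i in range(n)]


def from_words(words):
    return sum(w << (W * i) for i, w in enumerate(words))


def mac(a, b, c, carry):
    """a*b + c + carry on W-bit operands, returned as (low, high) words.
    This is the inner-loop step an ISE would provide; the sum is at most
    2^(2W) - 1, so the high word can never overflow."""
    t = a * b + c + carry
    return t & MASK, t >> W


class MontCtx:
    """Constants for an odd modulus: word count n, words of m, R = 2^(W*n)
    and the Montgomery constant -m^-1 mod 2^W."""

    def __init__(self, mod):
        assert mod & 1, "Montgomery arithmetic needs an odd modulus"
        self.mod = mod
        self.n = (mod.bit_length() + W - 1) // W
        self.m = to_words(mod, self.n)
        self.R = 1 << (W * self.n)
        self.m_inv = (-pow(self.m[0], -1, 1 << W)) & MASK

    def mul(self, a, b):
        """CIOS Montgomery product a*b*R^-1 mod m on n-word operands."""
        n, m = self.n, self.m
        t = [0] * (n + 2)
        for i in range(n):
            c = 0
            for j in range(n):                  # multiply-accumulate row
                t[j], c = mac(a[j], b[i], t[j], c)
            s = t[n] + c
            t[n], t[n + 1] = s & MASK, s >> W
            u = (t[0] * self.m_inv) & MASK      # t[0] + u*m[0] == 0 mod 2^W
            _, c = mac(m[0], u, t[0], 0)
            for j in range(1, n):               # reduction row, shifted down one word
                t[j - 1], c = mac(m[j], u, t[j], c)
            s = t[n] + c
            t[n - 1], t[n] = s & MASK, t[n + 1] + (s >> W)
            t[n + 1] = 0
        r = from_words(t[: n + 1])              # result is below 2m
        if r >= self.mod:                       # one conditional subtraction
            r -= self.mod
        return to_words(r, n)

    def to_mont(self, x):
        # Plain integer conversion for brevity; a constrained implementation
        # would instead call mul(x, R^2 mod m).
        return to_words((x * self.R) % self.mod, self.n)

    def from_mont(self, a):
        return from_words(self.mul(a, to_words(1, self.n)))


def mod_exp_window(base, exp, mod, k=4):
    """base^exp mod mod with a fixed 2^k-ary window: per k exponent bits,
    k squarings and exactly one table multiply; the table has 2^k entries."""
    ctx = MontCtx(mod)
    x = ctx.to_mont(base % mod)
    table = [ctx.to_mont(1)]                    # table[i] = x^i in Montgomery form
    for _ in range(1, 1 << k):
        table.append(ctx.mul(table[-1], x))
    acc = table[0]
    top = ((exp.bit_length() + k - 1) // k) * k # pad the exponent to whole windows
    for i in range(top - k, -1, -k):
        for _ in range(k):
            acc = ctx.mul(acc, acc)
        window = (exp >> i) & ((1 << k) - 1)
        acc = ctx.mul(acc, table[window])       # table[0] is 1, so no data-dependent skip
    return ctx.from_mont(acc)


if __name__ == "__main__":
    p = (1 << 127) - 1                          # constructed odd modulus
    print(hex(mod_exp_window(0x12345678, 0xDEADBEEFCAFE, p)))
```

The window loop multiplies on every window, using the Montgomery form of 1 for a zero window, so the operation sequence does not depend on exponent bits; skipping the multiply for zero windows would save work but would give the data-dependent operation count that the side-channel papers on this page exploit. Increasing k cuts multiplications at the cost of a 2^k-entry table of n-word values, which is the memory trade-off the abstract refers to.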
| Großschädl J, Szekely A and Tillich S (2007), "The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks", In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS 2007). , pp. 380-382. ACM Press. |
| Abstract: Wireless sensor nodes generally face serious limitations in terms of computational power, energy supply, and network bandwidth. Therefore, the implementation of effective and secure techniques for setting up a shared secret key between sensor nodes is a challenging task. In this paper we analyze and compare the energy cost of two different protocols for authenticated key establishment. The first protocol employs a lightweight variant of the Kerberos key transport mechanism with 128-bit AES encryption. The second protocol is based on ECMQV, an authenticated version of the elliptic curve Diffie-Hellman key exchange, and uses a 256-bit prime field GF(p) as underlying algebraic structure. We evaluate the energy cost of both protocols on a Rockwell WINS node equipped with a 133 MHz StrongARM processor and a 100 kbit/s radio module. The evaluation considers both the processor's energy consumption for calculating cryptographic primitives and the energy cost of radio communication for different transmit power levels. Our simulation results show that the ECMQV key exchange consumes up to twice as much energy as Kerberos-like key transport. |
BibTeX:
@inproceedings{Groszschaedl2007TheEnergyCost,
author = {Johann Großschädl and Alexander Szekely and Stefan Tillich},
editor = {Robert H. Deng and Pierangela Samarati},
title = {The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks},
booktitle = {Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS 2007)},
publisher = {ACM Press},
year = {2007},
pages = {380--382},
note = {(c) ACM, 2007. This is an author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2007, March 20-22, 2007. http://doi.acm.org/10.1145/1229285.1229334.},
url = {http://dl.acm.org/citation.cfm?id=1229285.1229334},
doi = {10.1145/1229285.1229334}
}
|
| Copyright note: (c) ACM, 2007. This is an author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2007, March 20-22, 2007. http://doi.acm.org/10.1145/1229285.1229334. |
| Großschädl J, Szekely A and Tillich S (2007), "The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks", Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2007/003, January 2007. |
| Abstract: Wireless sensor nodes generally face serious limitations in terms of computational power, energy supply, and network bandwidth. Therefore, the implementation of effective and secure techniques for setting up a shared secret key between sensor nodes is a challenging task. In this paper we analyze and compare the energy cost of two different protocols for authenticated key establishment. The first protocol employs a ``light-weight'' variant of the Kerberos key distribution scheme with 128-bit AES encryption. The second protocol is based on ECMQV, an authenticated version of the elliptic curve Diffie-Hellman key exchange, and uses a 256-bit prime field GF($p$) as underlying algebraic structure. We evaluate the energy cost of both protocols on a Rockwell WINS node equipped with a 133 MHz StrongARM processor and a 100 kbit/s radio module. The evaluation considers both the processor's energy consumption for calculating cryptographic primitives and the energy cost of radio communication for different transmit power levels. Our simulation results show that the ECMQV key exchange consumes up to twice as much energy as the Kerberos key distribution. However, in large-scale networks, ECMQV is more energy-efficient than Kerberos. |
BibTeX:
@misc{Groszschaedl2007TheEnergyCost-extended,
author = {Johann Großschädl and Alexander Szekely and Stefan Tillich},
title = {The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks},
howpublished = {Cryptology ePrint Archive (\url{http://eprint.iacr.org/}), Report 2007/003},
year = {2007},
note = {(c) Authors. This work is based on an earlier work: The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks, in ASIACCS 2007, March 20-22, 2007, (c) ACM, 2007. http://doi.acm.org/10.1145/1229285.1229334.},
url = {http://eprint.iacr.org/2007/003}
}
|
| Copyright note: (c) Authors. This work is based on an earlier work: The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks, in ASIACCS 2007, March 20-22, 2007, (c) ACM, 2007. http://doi.acm.org/10.1145/1229285.1229334. |
| Tillich S and Großschädl J (2007), "Power-Analysis Resistant AES Implementation with Instruction Set Extensions", In Cryptographic Hardware and Embedded Systems -- CHES 2007, 9th International Workshop, Vienna, Austria, September 10-13, 2007, Proceedings, September 2007. Vol. 4727, pp. 303-319. Springer. |
| Abstract: In recent years, different instruction set extensions for cryptography have been proposed for integration into general-purpose RISC processors. Both public-key and secret-key algorithms can profit tremendously from a small set of custom instructions specifically designed to accelerate performance-critical code sections. While the impact of instruction set extensions on performance and silicon area has been widely investigated in the recent past, the resulting security aspects (i.e. resistivity to side-channel attacks) of this particular design approach remain an open research topic. In this paper we discuss and analyze different techniques for increasing the side-channel resistance of AES software implementations using instruction set extensions. Furthermore, we propose a combination of hardware and software-related countermeasures and investigate the resulting effects on performance, cost, and security. Our experimental results show that a moderate degree of protection can be achieved with a simple software countermeasure. Hardware countermeasures, such as the implementation of security-critical functional units using a DPA-resistant logic style, lead to much higher resistance against side-channel attacks at the cost of a moderate increase in silicon area and power consumption. |
BibTeX:
@inproceedings{Tillich2007Power-AnalysisResistant,
author = {Stefan Tillich and Johann Großschädl},
editor = {Pascal Paillier and Ingrid Verbauwhede},
title = {Power-Analysis Resistant AES Implementation with Instruction Set Extensions},
booktitle = {Cryptographic Hardware and Embedded Systems -- CHES 2007, 9th International Workshop, Vienna, Austria, September 10-13, 2007, Proceedings},
publisher = {Springer},
year = {2007},
volume = {4727},
pages = {303--319},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/635721606163x187/},
doi = {10.1007/978-3-540-74735-2_21}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S, Herbst C and Mangard S (2007), "Protecting AES Software Implementations on 32-bit Processors against Power Analysis", In Proceedings of the 5th International Conference on Applied Cryptography and Network Security (ACNS 2007), June 2007. Vol. 4521, pp. 141-157. Springer. |
| Abstract: The Advanced Encryption Standard is used in many embedded devices to provide security. In the last years, several researchers have proposed to enhance general-purpose processors with custom instructions to increase the efficiency of cryptographic algorithms. In this work we have evaluated the impact of such instruction set extensions on the implementation security of AES. We have compared several AES implementation options which incorporate state-of-the-art countermeasures against power-analysis attacks---with and without the use of instruction set extensions. For both scenarios we provide a thorough analysis for different countermeasures with regard to security, performance, and memory. We have found that even a moderate level of protection would require a tremendous overhead both in terms of speed and memory. The instruction set extensions, which have been solely designed to increase performance, help to reduce this overhead, but it still remains very high. An implementation with proper protection is only feasible in a setting where the need for resistance against power analysis far outweighs the need for performance. |
BibTeX:
@inproceedings{Tillich2007ProtectingAESSoftware,
author = {Stefan Tillich and Christoph Herbst and Stefan Mangard},
editor = {Jonathan Katz and Moti Yung},
title = {Protecting AES Software Implementations on 32-bit Processors against Power Analysis},
booktitle = {Proceedings of the 5th International Conference on Applied Cryptography and Network Security (ACNS 2007)},
publisher = {Springer},
year = {2007},
volume = {4521},
pages = {141--157},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/t27755862v527r4n/},
doi = {10.1007/978-3-540-72738-5_10}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S and Großschädl J (2007), "VLSI Implementation of a Functional Unit to Accelerate ECC and AES on 32-bit Processors", In Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 2007, Proceedings, June 2007. Vol. 4547, pp. 40-54. Springer. |
| Abstract: Embedded systems require efficient yet flexible implementations of cryptographic primitives with a minimal impact on the overall cost of a device. In this paper we present the design of a functional unit (FU) for accelerating the execution of cryptographic software on 32-bit processors. The FU is basically a multiply-accumulate (MAC) unit able to perform multiplications and MAC operations on integers and binary polynomials. Polynomial arithmetic is a performance-critical building block of numerous cryptosystems using binary extension fields, including public-key primitives based on elliptic curves (e.g. ECDSA), symmetric ciphers (e.g. AES or Twofish), and hash functions (e.g. Whirlpool). We integrated the FU into the Leon2 SPARC V8 core and prototyped the extended processor in an FPGA. All operations provided by the FU are accessible to the programmer through custom instructions. Our results show that the FU allows to accelerate the execution of 128-bit AES by up to 78% compared to a conventional software implementation using only native SPARC V8 instructions. Moreover, the custom instructions reduce the code size by up to 87.4%. The FU increases the silicon area of the Leon2 core by just 8,352 gates and has almost no impact on its cycle time. |
BibTeX:
@inproceedings{Tillich2007VLSIImplementationOf,
author = {Stefan Tillich and Johann Großschädl},
editor = {Claude Carlet and Berk Sunar},
title = {VLSI Implementation of a Functional Unit to Accelerate ECC and AES on 32-bit Processors},
booktitle = {Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 2007, Proceedings},
publisher = {Springer},
year = {2007},
volume = {4547},
pages = {40--54},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/816n52509u57q989/},
doi = {10.1007/978-3-540-73074-3_5}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
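The Journal of Signal Processing Systems entry above contrasts S-box implementations that compute the output from its algebraic definition with look-up tables, and the WAIFI 2007 entry above builds AES and ECC support on binary polynomial multiplication; the masking countermeasures discussed in the CHES 2007, CHES 2008 and ACNS 2007 abstracts protect that same S-box. All of these rest on arithmetic in GF(2^8). The Python below is an added example and not code from any of these papers: a carry-less multiply, reduction modulo the AES polynomial, inversion by exponentiation, the affine map, the resulting S-box table, and the table-recomputation form of masking in which the table is only ever indexed with masked bytes. The function names and the state and mask bytes in the usage line are assumptions of this example.

```python
"""AES S-box from its algebraic definition (inversion in GF(2^8) followed by
the affine map) built on a carry-less multiply, plus table-recomputation
masking of the S-box.  Added example; not code from any paper on this page."""

AES_POLY = 0x11B        # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def clmul(a, b):
    """Carry-less product of two binary polynomials held in integers: the
    operation a polynomial MAC unit provides in hardware."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf256_reduce(x):
    """Reduce a polynomial of degree below 16 modulo AES_POLY."""
    for i in range(15, 7, -1):
        if (x >> i) & 1:
            x ^= AES_POLY << (i - 8)
    return x


def gf256_mul(a, b):
    return gf256_reduce(clmul(a, b))


def gf256_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0,
    which is exactly what the AES S-box requires."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
        e >>= 1
    return r


def affine(b):
    """The AES affine transformation: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63."""
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


def sbox_compute(x):
    """S-box output computed on the fly, the 'calculating' implementation."""
    return affine(gf256_inv(x))


SBOX = [sbox_compute(x) for x in range(256)]    # the look-up-table alternative


def masked_sbox_table(m_in, m_out):
    """Recompute the table so that T[x ^ m_in] == SBOX[x] ^ m_out: the table
    is indexed with the masked byte, so the unmasked x is never formed."""
    return [SBOX[i ^ m_in] ^ m_out for i in range(256)]


def masked_subbytes(masked_state, m_in, m_out):
    """SubBytes on a state whose bytes all carry input mask m_in; the result
    carries output mask m_out.  Unmasked intermediate values never appear."""
    table = masked_sbox_table(m_in, m_out)
    return [table[b] for b in masked_state]


if __name__ == "__main__":
    state, m_in, m_out = [0x00, 0x53, 0xFF, 0x10], 0xA7, 0x3C   # constructed
    out = masked_subbytes([b ^ m_in for b in state], m_in, m_out)
    print([hex(o ^ m_out) for o in out], [hex(SBOX[b]) for b in state])
```

masked_sbox_table is the table-recomputation countermeasure whose cost the ACNS 2007 abstract calls tremendous: each fresh mask pair costs 256 look-ups and 256 bytes of RAM, and the masks have to be changed often enough that an attacker cannot average them out. Computing the S-box output directly, as in the S-box paper's calculating implementations, removes the table but leaves the GF(2^8) inversion to be protected, which is the harder problem the hardware countermeasures in the CHES 2007 abstract address.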
| Großschädl J, Ienne P, Pozzi L, Tillich S and Verma AK (2006), "Combining Algorithm Exploration with Instruction Set Design: A Case Study in Elliptic Curve Cryptography", In Proceedings of the 9th Conference on Design, Automation and Test in Europe (DATE 2006), Munich, Germany, March 6-10, 2006, pp. 218-223. European Design and Automation Association. |
| Abstract: In recent years, processor customization has matured to become a trusted way of achieving high performance with limited cost/energy in embedded applications. In particular, Instruction Set Extensions (ISEs) have been proven very effective in many cases. A large body of work exists today on creating tools that can select efficient ISEs given an application source code: ISE automation is crucial for increasing the productivity of design teams. In this paper we show that an additional motivation for automating the ISE process is to facilitate algorithm exploration: the availability of ISE can have a dramatic impact on the performance of different algorithmic choices to implement identical or equivalent functionality. System designers need fast feedbacks on the ISE-ability of various algorithmic flavors. We use a case study in elliptic curve (EC) cryptography to exemplify the following contributions: (1) ISE can reverse the relative performance of different algorithms for one and the same operation, and (2) automatic ISE, even without predicting speed-ups as precisely as detailed simulation can, is able to show exactly the trends that the designer should follow. |
BibTeX:
@inproceedings{Groszschaedl2006CombiningAlgorithmExploration,
author = {Johann Großschädl and Paolo Ienne and Laura Pozzi and Stefan Tillich and Ajay K. Verma},
title = {Combining Algorithm Exploration with Instruction Set Design: A Case Study in Elliptic Curve Cryptography},
booktitle = {Proceedings of the 9th Conference on Design, Automation and Test in Europe (DATE 2006), Munich, Germany, March 6 - 10, 2006},
publisher = {European Design and Automation Association},
year = {2006},
pages = {218--223},
note = {(c) European Design and Automation Association (EDAA), 2006. This is an author's version of the work. The definitive version was published in DATE 2006. dl.acm.org.},
url = {http://dl.acm.org/citation.cfm?id=1131543}
}
|
| Copyright note: (c) European Design and Automation Association (EDAA), 2006. This is an author's version of the work. The definitive version was published in DATE 2006. dl.acm.org. |
| Koschuch M, Lechner J, Weitzer A, Großschädl J, Szekely A, Tillich S and Wolkerstorfer J (2006), "Hardware/Software Co-design of Elliptic Curve Cryptography on an 8051 Microcontroller", In Cryptographic Hardware and Embedded Systems -- CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings. Vol. 4249, pp. 430-444. Springer. |
| Abstract: 8-bit microcontrollers like the 8051 still hold a considerable share of the embedded systems market and dominate in the smart card industry. The performance of 8-bit microcontrollers is often too poor for the implementation of public-key cryptography in software. In this paper we present a minimalist hardware accelerator for enabling elliptic curve cryptography (ECC) on an 8051 microcontroller. We demonstrate the importance of removing system-level performance bottlenecks caused by the transfer of operands between hardware accelerator and external RAM. The integration of a small direct memory access (DMA) unit proves vital to exploit the full potential of the hardware accelerator. Our design allows a scalar multiplication over the binary extension field GF($2^{191}$) to be performed in 118 msec at a clock frequency of 12 MHz. Considering performance and hardware cost, our system compares favorably with previous work on similar 8-bit platforms. |
BibTeX:
@inproceedings{Koschuch2006HardwareSoftwareCo-design,
author = {Manuel Koschuch and Joachim Lechner and Andreas Weitzer and Johann Großschädl and Alexander Szekely and Stefan Tillich and Johannes Wolkerstorfer},
editor = {Louis Goubin and Mitsuru Matsui},
title = {Hardware/Software Co-design of Elliptic Curve Cryptography on an 8051 Microcontroller},
booktitle = {Cryptographic Hardware and Embedded Systems -- CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings},
publisher = {Springer},
year = {2006},
volume = {4249},
pages = {430--444},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/rt8m3k51408u4k32/},
doi = {10.1007/11894063}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
| Oswald E, Mangard S, Herbst C and Tillich S (2006), "Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers", In Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings. Vol. 3860, pp. 192-207. Springer. |
| Abstract: In this article we describe an improved concept for second-order differential power analysis (DPA) attacks on masked smart card implementations of block ciphers. Our concept allows second-order DPA attacks to be mounted in a rather simple way: a second-order DPA attack consists of a pre-processing step and a DPA step. Therefore, our way of performing second-order DPA attacks makes it easy to assess the number of traces that are needed for a successful attack. We give evidence on the effectiveness of our methodology by showing practical attacks on a masked AES smart card implementation. In these attacks we target inputs and outputs of the SubBytes operation in the first encryption round. |
BibTeX:
@inproceedings{Oswald2006PracticalSecond-OrderDPA,
author = {Elisabeth Oswald and Stefan Mangard and Christoph Herbst and Stefan Tillich},
editor = {David Pointcheval},
title = {Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers},
booktitle = {Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings},
publisher = {Springer},
year = {2006},
volume = {3860},
pages = {192--207},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/707110g815477426/},
doi = {10.1007/11605805_13}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
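The two-step attack structure in the abstract above (a pre-processing step, then an ordinary DPA step), worked through in Python against a simulated Boolean-masked S-box look-up. This is an added example, not code from the paper: the device model, its Hamming-weight-plus-Gaussian-noise leakage, the absolute-difference combining function and every constant (key byte 0x2B, 4000 traces, noise sigma 0.5, the seed) are constructed assumptions chosen so that the example runs offline.

```python
"""Simulated second-order DPA on a Boolean-masked AES S-box look-up.

Added example with a constructed leakage model standing in for real smart-card
traces. It follows the two-step structure of the abstract: a pre-processing
step that combines two leaking samples, then an ordinary first-order
correlation DPA on the combined value.
"""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _sbox_entry(x):
    """AES S-box: multiplicative inverse (x^254) followed by the affine layer."""
    inv = 1 if x else 0
    for _ in range(254 if x else 0):
        inv = _gf_mul(inv, x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
HW = [bin(x).count("1") for x in range(256)]


def simulate_traces(key_byte, n_traces, sigma, rng):
    """Constructed leakage: per encryption, the plaintext byte and two noisy
    samples, HW(m) and HW(S(p ^ k) ^ m), where m is a fresh random mask.
    Neither sample alone depends on the key, so a first-order DPA fails."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p, m = rng.randrange(256), rng.randrange(256)
        masked_out = SBOX[p ^ key_byte] ^ m
        plaintexts.append(p)
        traces.append((HW[m] + rng.gauss(0, sigma),
                       HW[masked_out] + rng.gauss(0, sigma)))
    return plaintexts, traces


def preprocess(traces):
    """Second-order pre-processing: |L(m) - L(S(x) ^ m)|. Its mean grows with
    HW(S(x)), so the combined value is a first-order leak of the unmasked
    S-box output."""
    return [abs(a - b) for a, b in traces]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def dpa(samples, plaintexts):
    """Plain correlation DPA: rank the 256 key hypotheses by |corr| between
    the samples and the predicted HW(S(p ^ k)). Returns [(score, key), ...]."""
    scores = [(abs(pearson(samples, [HW[SBOX[p ^ k]] for p in plaintexts])), k)
              for k in range(256)]
    return sorted(scores, reverse=True)


def second_order_attack(plaintexts, traces):
    return dpa(preprocess(traces), plaintexts)


def run_demo(key=0x2B, n_traces=4000, sigma=0.5, seed=2006):
    """Attack a simulated device; report second- and first-order results."""
    rng = random.Random(seed)
    pts, trs = simulate_traces(key, n_traces, sigma, rng)
    ranked = second_order_attack(pts, trs)
    # First-order view: the masked output sample alone against the true key.
    first_order = abs(pearson([t[1] for t in trs],
                              [HW[SBOX[p ^ key]] for p in pts]))
    return {"true_key": key,
            "recovered_key": ranked[0][1],
            "second_order_corr": ranked[0][0],
            "runner_up_corr": ranked[1][0],
            "first_order_corr_true_key": first_order}


if __name__ == "__main__":
    r = run_demo()
    print("true key 0x%02x, recovered 0x%02x" % (r["true_key"], r["recovered_key"]))
    print("2nd-order |corr| %.3f (runner-up %.3f), 1st-order |corr| on true key %.3f"
          % (r["second_order_corr"], r["runner_up_corr"],
             r["first_order_corr_true_key"]))
```

Running the file prints the recovered key next to the true one. The first-order correlation on the masked sample alone stays at noise level, which is what the mask is for, while the pre-processed value correlates at roughly 0.2 with HW(S(p ⊕ k)) and singles out the key. Because the second step is an ordinary correlation DPA, the number of traces needed follows from that correlation coefficient alone (roughly inversely proportional to its square), which is the assessment the abstract refers to.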
| Schgaguler K, Tillich S and Bock H (2006), "A Dual-FPGA Approach for Evaluation of Countermeasures against Power Analysis", In Proceedings of Austrochip 2006, October 11, 2006, Vienna, Austria., October, 2006. , pp. 163-168. Fachhochschule Technikum Wien. |
| Abstract: In the last decade a number of publications have shown the vulnerability of implementations of cryptographic algorithms to so-called side-channel attacks. These attacks exploit the influence of secret data on physical values during cryptographic operations of the device. Power analysis, which exploits the power consumption of cryptographic devices, is an important type of side-channel attack. Power simulation and attacks on fabricated ASICs have been two approaches to evaluate the effectiveness of countermeasures against power analysis. Another approach for countermeasure evaluation is the use of programmable logic which has been the subject of several publications. In this article we present improvements of previous works by using two Field Programmable Gate Arrays (FPGAs) in separate power domains. With this new approach we can improve power measurements on FPGAs significantly and therefore enhance the effectiveness of programmable logic as a tool for evaluating power-analysis countermeasures. |
BibTeX:
@inproceedings{Schgaguler2006ADualFPGAApproach,
author = {Klaus Schgaguler and Stefan Tillich and Holger Bock},
editor = {Peter Balog and Martin Horauer},
title = {A Dual-FPGA Approach for Evaluation of Countermeasures against Power Analysis},
booktitle = {Proceedings of Austrochip 2006, October 11, 2006, Vienna, Austria},
publisher = {Fachhochschule Technikum Wien},
year = {2006},
pages = {163--168},
note = {(c) Authors.},
url = {http://embsys.technikum-wien.at/austrochip2006/}
}
|
| Copyright note: (c) Authors. |
| Tillich S, Feldhofer M and Großschädl J (2006), "Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box", In 6th International Workshop on Embedded Computer Systems: Architectures, Modeling, and Simulation, SAMOS 2006, Samos, Greece, July 17-20, 2006, Proceedings., July, 2006. Vol. 4017, pp. 457-466. Springer. |
| Abstract: Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, whereby hardware designs for FPGAs and standard cells received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examined implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by more than an order of magnitude. In terms of area and area-delay product, the best choices are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations not only reduce power consumption by a large degree, but also show good timing properties and offer the best power-delay and power-area product, respectively. |
BibTeX:
@inproceedings{Tillich2006AreaDelayAnd,
author = {Stefan Tillich and Martin Feldhofer and Johann Großschädl},
editor = {Stamatis Vassiliadis and Stephan Wong and Timo Hämäläinen},
title = {Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box},
booktitle = {6th International Workshop on Embedded Computer Systems: Architectures, Modeling, and Simulation, SAMOS 2006, Samos, Greece, July 17-20, 2006, Proceedings},
publisher = {Springer},
year = {2006},
volume = {4017},
pages = {457--466},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/vr8767x14uu40744/},
doi = {10.1007/11796435_46}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S and Großschädl J (2006), "Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors", In Cryptographic Hardware and Embedded Systems -- CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings. Vol. 4249, pp. 270-284. Springer. |
| Abstract: Secure communication over public networks like the Internet requires the use of cryptographic algorithms as basic building blocks. Most cryptographic workloads pose a considerable burden on devices like PDAs, cell phones, and sensor nodes, which are limited in processing power, memory and energy. In this paper we present an approach to increase the efficiency of 32-bit processors for handling symmetric cryptographic algorithms with the help of instruction set extensions. We propose a number of custom instructions to support the Advanced Encryption Standard (AES). Using the SPARC V8-compatible Leon2 embedded processor, we evaluate the effects of the extensions on performance and code size of AES, as well as on silicon area. With a moderate increase in silicon area, AES performance can be improved by a factor of nearly 10, while code size is reduced significantly and implementation flexibility is retained. We also show that our approach is very beneficial for implementation in superscalar processors and that it can compete with the performance of previously proposed cryptographic processors and instruction set extensions. |
BibTeX:
@inproceedings{Tillich2006InstructionSetExtensions,
author = {Stefan Tillich and Johann Großschädl},
editor = {Louis Goubin and Mitsuru Matsui},
title = {Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors},
booktitle = {Cryptographic Hardware and Embedded Systems -- CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings},
publisher = {Springer},
year = {2006},
volume = {4249},
pages = {270--284},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/n0u6744453273161/},
doi = {10.1007/11894063_22}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
| Großschädl J, Szekely A and Tillich S (2005), "Algorithm Exploration for Long Integer Modular Arithmetic on a SPARC V8 Processor with Cryptography Extensions", In Proceedings of the 2nd International Conference on Embedded Software and Systems (ICESS 2005). , pp. 187-194. IEEE Computer Society. |
| Abstract: In recent years, public-key cryptography has emerged to become an important workload for embedded processors, driven by a number of factors such as the need for securing wireless communication. The computational requirements of public-key cryptosystems are often beyond the modest capabilities of embedded processors, which motivated the development of architectural enhancements and instruction set extensions to accelerate cryptographic operations like long integer modular multiplication. Such instruction set extensions make it necessary to explore different algorithms for modular multiplication in order to determine the most suitable one for the given custom instructions. In this paper we analyze and compare the performance of two modular multiplication algorithms on a SPARC V8 processor with cryptography extensions. These algorithms are the Montgomery multiplication according to the product scanning (FIPS) technique and the Karatsuba-Comba-Montgomery (KCM) multiplication. Our experimental results show that the FIPS technique outperforms the KCM multiplication for typical operand lengths used in cryptography. We also compare our results with the performance figures of the GNU Multiple Precision Arithmetic Library (GMP). |
BibTeX:
@inproceedings{Groszschaedl2005AlgorithmExplorationFor,
author = {Johann Großschädl and Alexander Szekely and Stefan Tillich},
title = {Algorithm Exploration for Long Integer Modular Arithmetic on a SPARC V8 Processor with Cryptography Extensions},
booktitle = {Proceedings of the 2nd International Conference on Embedded Software and Systems (ICESS 2005)},
publisher = {IEEE Computer Society},
year = {2005},
pages = {187--194},
note = {(c) 2005 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/ICESS.2005.98.},
doi = {10.1109/ICESS.2005.98}
}
|
| Copyright note: (c) 2005 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This is an author's copy. The final publication is available at http://dx.doi.org/10.1109/ICESS.2005.98. |
| Großschädl J and Tillich S (2005), "Design of Instruction Set Extensions and Functional Units for Energy-Efficient Public-Key Cryptography", ECRYPT Workshop on RFID and Lightweight Crypto. July, 2005. |
BibTeX:
@misc{Groszschaedl2005DesignOfInstruction,
author = {Johann Großschädl and Stefan Tillich},
title = {Design of Instruction Set Extensions and Functional Units for Energy-Efficient Public-Key Cryptography},
howpublished = {ECRYPT Workshop on RFID and Lightweight Crypto},
year = {2005},
note = {(c) Authors.},
url = {http://events.iaik.tugraz.at/RFIDandLightweightCrypto05/index.php}
}
|
| Copyright note: (c) Authors. |
| Großschädl J, Avanzi RM, Savaş E and Tillich S (2005), "Energy-Efficient Software Implementation of Long Integer Modular Arithmetic", In Cryptographic Hardware and Embedded Systems -- CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings. Vol. 3659, pp. 75-90. Springer. |
| Abstract: This paper investigates performance and energy characteristics of software algorithms for long integer arithmetic. We analyze and compare the number of RISC-like processor instructions (e.g. single-precision multiplication, addition, load, and store instructions) required for the execution of different algorithms such as Schoolbook multiplication, Karatsuba and Comba multiplication, as well as Montgomery reduction. Our analysis shows that a combination of Karatsuba-Comba multiplication and Montgomery reduction (the so-called KCM method) allows to achieve better performance than other algorithms for modular multiplication. Furthermore, we present a simple model to compare the energy-efficiency of arithmetic algorithms. This model considers the clock cycles and average current consumption of the base instructions to estimate the overall amount of energy consumed during the execution of an algorithm. Our experiments, conducted on a StrongARM SA-1100 processor, indicate that a 1024-bit KCM multiplication consumes about 22% less energy than other modular multiplication techniques. |
BibTeX:
@inproceedings{Groszschaedl2005Energy-EfficientSoftware,
author = {Johann Großschädl and Roberto M. Avanzi and Erkay Savaş and Stefan Tillich},
editor = {Josyula R. Rao and Berk Sunar},
title = {Energy-Efficient Software Implementation of Long Integer Modular Arithmetic},
booktitle = {Cryptographic Hardware and Embedded Systems -- CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings},
publisher = {Springer},
year = {2005},
volume = {3659},
pages = {75--90},
note = {(c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/aqn75d0rk3967gk2/},
doi = {10.1007/11545262}
}
|
| Copyright note: (c) International Association for Cryptologic Research (IACR). This is an author's version. The final publication is available at www.springerlink.com. |
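The algorithms compared in the two abstracts above, the FIPS Montgomery multiplication of the ICESS 2005 paper and the KCM method of the CHES 2005 paper, are easy to confuse from their names alone. The Python below, added here and not the authors' code, spells out the word-level structure of each with a 32-bit word (the SPARC V8 word size) and checks both against a big-integer reference. The modulus and operands that demo() draws from a seeded generator are hypothetical; the instruction counts and energy figures the papers measure are not modelled.

```python
"""Word-level long-integer Montgomery multiplication, two ways.

Added example (not the authors' code): FIPS interleaves Comba product
scanning with Montgomery reduction column by column; KCM runs one Karatsuba
level over Comba multiplication and then a separate Montgomery reduction.
Both return a*b*R^-1 mod n for R = 2^(W*s) and n odd.
"""
import random

W = 32                       # word size of the modelled processor
MASK = (1 << W) - 1


def to_words(x, s):
    return [(x >> (W * i)) & MASK for i in range(s)]


def from_words(words):
    return sum(w << (W * i) for i, w in enumerate(words))


def num_words(n):
    return (n.bit_length() + W - 1) // W


def n0_inverse(n):
    """n'[0] = -n^-1 mod 2^W, the only precomputation Montgomery needs."""
    return (-pow(n & MASK, -1, 1 << W)) & MASK


def mont_mul_fips(a, b, n):
    """Finely Integrated Product Scanning. Column i collects a[j]*b[i-j] and
    m[j]*n[i-j]; in the first s columns the low word of the finished column
    fixes the quotient digit m[i], in the last s it is an output word.
    t stands for the three-word accumulator a hardware MAC unit would keep."""
    s = num_words(n)
    A, B, N = to_words(a, s), to_words(b, s), to_words(n, s)
    n0inv, M, u, t = n0_inverse(n), [0] * s, [0] * (s + 1), 0
    for i in range(s):
        for j in range(i):
            t += A[j] * B[i - j] + M[j] * N[i - j]
        t += A[i] * B[0]
        M[i] = ((t & MASK) * n0inv) & MASK
        t += M[i] * N[0]            # low word of the column is now zero
        t >>= W
    for i in range(s, 2 * s):
        for j in range(i - s + 1, s):
            t += A[j] * B[i - j] + M[j] * N[i - j]
        u[i - s] = t & MASK
        t >>= W
    u[s] = t
    r = from_words(u)
    return r - n if r >= n else r   # result < 2n: one subtraction suffices


def comba_mul(a, b, s):
    """Product scanning (Comba) multiplication of two s-word operands."""
    A, B = to_words(a, s), to_words(b, s)
    out, t = [0] * (2 * s), 0
    for i in range(2 * s - 1):
        for j in range(max(0, i - s + 1), min(i, s - 1) + 1):
            t += A[j] * B[i - j]
        out[i] = t & MASK
        t >>= W
    out[2 * s - 1] = t
    return from_words(out)


def karatsuba_comba_mul(a, b, s):
    """One Karatsuba level over Comba: three half-size products, not four."""
    if s < 2:
        return comba_mul(a, b, s)
    h, top = s // 2, s - s // 2
    lo = (1 << (W * h)) - 1
    a0, a1, b0, b1 = a & lo, a >> (W * h), b & lo, b >> (W * h)
    z0 = comba_mul(a0, b0, h)
    z2 = comba_mul(a1, b1, top)
    z1 = comba_mul(a0 + a1, b0 + b1, top + 1) - z0 - z2   # sums may carry
    return z0 + (z1 << (W * h)) + (z2 << (2 * W * h))


def mont_reduce(x, n):
    """Separate word-serial Montgomery reduction of x < n*R to x*R^-1 mod n."""
    s, n0inv = num_words(n), n0_inverse(n)
    for i in range(s):
        m = (((x >> (W * i)) & MASK) * n0inv) & MASK
        x += (m * n) << (W * i)     # clears word i of x
    x >>= W * s
    return x - n if x >= n else x


def mont_mul_kcm(a, b, n):
    """KCM: Karatsuba-Comba product first, Montgomery reduction afterwards."""
    return mont_reduce(karatsuba_comba_mul(a, b, num_words(n)), n)


def demo(bits=1024, seed=2005):
    """Hypothetical odd modulus of the given size; compare both algorithms
    against Python's big-integer arithmetic."""
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    a, b = rng.randrange(n), rng.randrange(n)
    ref = (a * b * pow(1 << (W * num_words(n)), -1, n)) % n
    fips, kcm = mont_mul_fips(a, b, n), mont_mul_kcm(a, b, n)
    return {"fips": fips, "kcm": kcm, "reference": ref,
            "ok": fips == kcm == ref}


if __name__ == "__main__":
    print(demo())
```

The difference is visible in the loop shapes: FIPS keeps a single three-word accumulator live and folds the quotient-digit computation into the first s columns, so operands stream through the multiply-accumulate unit once; KCM first forms the full 2s-word product (Karatsuba trading one half-size multiplication for extra additions) and reduces it afterwards. Which wins on a given core depends on the multiply-accumulate and carry-handling details the papers measure, which is why the two abstracts reach different conclusions for different processors.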
| Großschädl J, Tillich S, Ienne P, Pozzi L and Verma AK (2005), "When Instruction Set Extensions Change Algorithm Design: A Study in Elliptic Curve Cryptography", In WASP '05: 4th Workshop on Application Specific Processors, New York, 22nd September 2005., September, 2005. , pp. 2-9. |
| Abstract: In recent years, processor customization has matured to become a trusted way of achieving aggressive performance with limited cost/energy in embedded applications. In particular, instruction set extensions (ISEs) have been proven very effective in many cases. A large body of work exists today on creating algorithms that can select efficient ISEs given an application source code: ISE automation is paramount for increasing the efficiency of design teams. In this paper we show that an additional motivation to automate the ISE process is to help algorithmic design: the availability of ISE can have a dramatic impact on the effectiveness of different algorithmic choices to implement identical or equivalent functionality. Algorithm designers need fast feedbacks on the ISE-ability of various algorithmic flavors. We use a case study in elliptic curve (EC) cryptography to prove the following contributions: (1) ISE can reverse the relative interest of different algorithm versions and (2) automatic ISE, even without predicting speedups as precisely as detailed simulation can, is able to show exactly the trends that the algorithm designer should follow. |
BibTeX:
@inproceedings{Groszschaedl2005WhenInstructionSet,
author = {Johann Großschädl and Stefan Tillich and Paolo Ienne and Laura Pozzi and Ajay K. Verma},
title = {When Instruction Set Extensions Change Algorithm Design: A Study in Elliptic Curve Cryptography},
booktitle = {WASP '05: 4th Workshop on Application Specific Processors, New York, 22nd September 2005},
year = {2005},
pages = {2--9},
note = {(c) Authors.},
url = {http://lap.epfl.ch/webdav/site/lap/shared/publications/GrossschaedlSep05_WhenInstructionSetExtensionsChangeAlgorithmDesignAStudyInEllipticCurveCryptography_WASP05.pdf}
}
|
| Copyright note: (c) Authors. |
| Pühringer C, Tillich S and Großschädl J (2005), "A Java Processor with Hardware Acceleration for the Elliptic Curve Digital Signature Algorithm", In Proceedings of Austrochip 2005, October 6, 2005, Vienna, Austria., October, 2005. , pp. 49-56. Vienna University of Technology. |
| Abstract: While languages like Java promise more fail-safe applications and faster development in the embedded system field, languages like C or assembler still dominate, mainly due to the worse performance of Java. By using special hardware for Java, this problem can be solved. Here the pure Java Processor JOP [1] is extended with elliptic-curve-optimized hardware and it is shown that the Elliptic Curve Digital Signature Algorithm (ECDSA), programmed purely in Java, runs reasonably fast on this system and so allows signing and verification of documents on this small embedded system, which fits easily on an Altera Spartan FPGA. |
BibTeX:
@inproceedings{Puehringer2005AJavaProcessor,
author = {Christian Pühringer and Stefan Tillich and Johann Großschädl},
editor = {Nikolaus Kerö and Peter Rössler},
title = {A Java Processor with Hardware Acceleration for the Elliptic Curve Digital Signature Algorithm},
booktitle = {Proceedings of Austrochip 2005, October 6, 2005, Vienna, Austria},
publisher = {Vienna University of Technology},
year = {2005},
pages = {49--56},
note = {(c) Authors.},
url = {http://achip2005.fiss-oeaw.at/}
}
|
| Copyright note: (c) Authors. |
| Tillich S and Großschädl J (2005), "Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography", In Computational Science and Its Applications - ICCSA 2005., May, 2005. Vol. 3481, pp. 665-675. Springer. |
| Abstract: The Advanced Encryption Standard (AES) specifies an algorithm for a symmetric-key cryptosystem that has already found wide adoption in security applications. A substantial part of the AES algorithm are the MixColumns and InvMixColumns operations, which involve multiplications in the binary extension field GF($2^8$). Recently proposed instruction set extensions for elliptic curve cryptography (ECC) include custom instructions for the multiplication of binary polynomials. In the present paper we analyze how well these custom instructions are suited to accelerate a software implementation of the AES. We used the SPARC V8-compatible LEON-2 processor with ECC extensions for verification and to obtain realistic timing results. Taking the fastest implementation for 32-bit processors as reference, we were able to achieve speedups of up to 25% for encryption and nearly 20% for decryption. |
BibTeX:
@inproceedings{Tillich2005AcceleratingAESUsing,
author = {Stefan Tillich and Johann Großschädl},
editor = {Marina Gavrilova and Youngsong Mun and David Taniar and Osvaldo Gervasi and Kenneth Tan and Vipin Kumar},
title = {Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography},
booktitle = {Computational Science and Its Applications - ICCSA 2005},
publisher = {Springer},
year = {2005},
volume = {3481},
pages = {665--675},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/uwqduy8b505lxkef/},
doi = {10.1007/11424826_70}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Tillich S, Großschädl J and Szekely A (2005), "An Instruction Set Extension for Fast and Memory-Efficient AES Implementation", In Communications and Multimedia Security --- 9th IFIP TC-6 TC-11 International Conference, CMS 2005, Salzburg, Austria, September 2005, Proceedings., September, 2005. Vol. 3677, pp. 11-21. Springer. |
| Abstract: As more and more security-critical computation is done in embedded systems it is also becoming increasingly important to facilitate cryptography in such systems. The Advanced Encryption Standard (AES) specifies one of the most important cryptographic algorithms today and has received a lot of attention from researchers. Most prior work has focused on efficient implementations with throughput as main criterion. However, AES implementations in small and constrained environments require additional factors to be accounted for, such as limited memory and energy supply. In this paper we present an inexpensive extension to a 32-bit general-purpose processor which allows compact and fast AES implementations. We have integrated this extension into the SPARC V8-compatible LEON-2 processor and measured a speedup by a factor of up to 1.43 for encryption and 1.3 for decryption. At the same time the code size has been reduced by 30-40%. |
BibTeX:
@inproceedings{Tillich2005AnInstructionSet,
author = {Stefan Tillich and Johann Großschädl and Alexander Szekely},
editor = {Jana Dittmann and Stefan Katzenbeisser and Andreas Uhl},
title = {An Instruction Set Extension for Fast and Memory-Efficient AES Implementation},
booktitle = {Communications and Multimedia Security --- 9th IFIP TC-6 TC-11 International Conference, CMS~2005, Salzburg, Austria, September 2005, Proceedings},
publisher = {Springer},
year = {2005},
volume = {3677},
pages = {11--21},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/4gd3gcbuqjhbqx1r/},
doi = {10.1007/11552055_2}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Großschädl J, Posch KC and Tillich S (2004), "Architectural Enhancements to Support Digital Signal Processing and Public-Key Cryptography", In Proceedings of the 2nd Workshop on Intelligent Solutions in Embedded Systems (WISES 2004)., June, 2004. , pp. 129-143. Graz University of Technology. |
| Abstract: In recent years, every major micro-processor architecture was extended by a number of special instructions to accelerate the processing of DSP or multimedia workloads. Even simple processors developed for the embedded systems field are nowadays equipped with fast multiply/accumulate (MAC) units to provide greater performance in processing DSP/multimedia kernels. In the present paper, we investigate the suitability of these architectural enhancements to speed up arithmetic operations used in public-key cryptography, most notably multiple-precision modular multiplication. We analyze different algorithms for modular arithmetic and discuss how these algorithms can take advantage of the fast MAC units that are present in various RISC cores based on the MIPS32 and ARMv5TE architecture, respectively. Furthermore, we compare architectural enhancements and instruction set extensions specifically designed to accelerate long integer arithmetic. Our analysis shows that the MIPS32 architecture can be easily extended for efficient cryptography processing and offers some advantages compared to the ARMv5TE architecture. |
BibTeX:
@inproceedings{Groszschaedl2004ArchitecturalEnhancementsTo,
author = {Johann Großschädl and Karl C. Posch and Stefan Tillich},
editor = {Bernhard Rinner and Wilfried Elmenreich},
title = {Architectural Enhancements to Support Digital Signal Processing and Public-Key Cryptography},
booktitle = {Proceedings of the 2nd Workshop on Intelligent Solutions in Embedded Systems (WISES 2004)},
publisher = {Graz University of Technology},
year = {2004},
pages = {129--143},
note = {(c) Authors.},
url = {http://fitipc017.tu-graz.ac.at/WISES04/proc/wises04_grozsschaedl.pdf}
}
|
| Copyright note: (c) Authors. |
| Tillich S and Großschädl J (2004), "A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF($2^m$)", In Advances in Computer Systems Architecture, 9th Asia-Pacific Conference, ACSAC 2004, Beijing, China, September 2004, Proceedings., September, 2004. Vol. 3189, pp. 282-295. Springer. |
| Abstract: Mobile and wireless devices like cell phones and network-enhanced PDAs have become increasingly popular in recent years. The security of data transmitted via these devices is a topic of growing importance and methods of public-key cryptography are able to satisfy this need. Elliptic curve cryptography (ECC) is especially attractive for devices which have restrictions in terms of computing power and energy supply. The efficiency of ECC implementations is highly dependent on the performance of arithmetic operations in the underlying finite field. This work presents a simple architectural enhancement to a general-purpose processor core which facilitates arithmetic operations in binary finite fields GF($2^m$). A custom instruction for a multiply step for binary polynomials has been integrated into a SPARC V8 core, which subsequently served to compare the merits of the enhancement for two different ECC implementations. One was tailored to the use of GF($2^{191}$) with a fixed reduction polynomial. The tailored implementation was sped up by 47% and its code size was reduced. The second implementation worked for arbitrary binary fields with a range of reduction polynomials. The flexible implementation was accelerated by a factor of nearly 10. |
BibTeX:
@inproceedings{Tillich2004ASimpleArchitectural,
author = {Stefan Tillich and Johann Großschädl},
editor = {Pen-Chung Yew and Jingling Xue},
title = {A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF($2^m$)},
booktitle = {Advances in Computer Systems Architecture, 9th Asia-Pacific Conference, ACSAC 2004, Beijing, China, September 2004, Proceedings},
publisher = {Springer},
year = {2004},
volume = {3189},
pages = {282--295},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/pe4m047lnx3020f2/},
doi = {10.1007/b100354}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
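Both the ICCSA 2005 paper above (AES MixColumns through the ECC binary-polynomial instructions) and the ACSAC 2004 paper just above (a multiply step for GF($2^m$), fixed versus arbitrary reduction polynomial) rest on one primitive: a carry-less word multiply. The Python below is an added example, not the authors' code. clmul() emulates such an instruction with assumed semantics (full 2W-bit product of two W-bit words; the papers' actual instruction encodings are not reproduced), and $x^{191} + x^9 + 1$ is used as an illustrative reduction trinomial for the GF($2^{191}$) case.

```python
"""Carry-less multiplication as a processor primitive, applied to AES
MixColumns/InvMixColumns in GF(2^8) and to multi-precision multiplication in
GF(2^191). Added example, not the authors' code; clmul() models the custom
binary-polynomial multiply with assumed semantics (2W-bit product)."""
W = 32
MASK = (1 << W) - 1


def clmul(a, b):
    """W x W -> 2W-bit carry-less multiply: XOR of shifted copies of a."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2m_reduce(x, f, m):
    """Generic reduction modulo an arbitrary degree-m polynomial f (the
    'flexible' path: any reduction polynomial, one step per high bit)."""
    for d in range(x.bit_length() - 1, m - 1, -1):
        if (x >> d) & 1:
            x ^= f << (d - m)
    return x


def gf2m_reduce_trinomial(x, m, k):
    """Reduction for a fixed trinomial x^m + x^k + 1 (the 'tailored' path):
    x^m = x^k + 1, so the high part folds back with two shifts and two XORs."""
    lo = (1 << m) - 1
    while x >> m:
        h = x >> m
        x = (x & lo) ^ h ^ (h << k)
    return x


# --- GF(2^8): AES MixColumns -------------------------------------------
AES_POLY = 0x11B                       # x^8 + x^4 + x^3 + x + 1


def gf256_mul(a, b):
    return gf2m_reduce(clmul(a, b), AES_POLY, 8)


def mix_column(col):
    """MixColumns on one column: the {02},{03},{01},{01} circulant."""
    m, (a0, a1, a2, a3) = gf256_mul, col
    return [m(2, a0) ^ m(3, a1) ^ a2 ^ a3,
            a0 ^ m(2, a1) ^ m(3, a2) ^ a3,
            a0 ^ a1 ^ m(2, a2) ^ m(3, a3),
            m(3, a0) ^ a1 ^ a2 ^ m(2, a3)]


def inv_mix_column(col):
    """InvMixColumns: the inverse circulant {0e},{0b},{0d},{09}."""
    m, (a0, a1, a2, a3) = gf256_mul, col
    return [m(14, a0) ^ m(11, a1) ^ m(13, a2) ^ m(9, a3),
            m(9, a0) ^ m(14, a1) ^ m(11, a2) ^ m(13, a3),
            m(13, a0) ^ m(9, a1) ^ m(14, a2) ^ m(11, a3),
            m(11, a0) ^ m(13, a1) ^ m(9, a2) ^ m(14, a3)]


# --- GF(2^191): multi-precision product scanning with clmul ------------
M191, K191 = 191, 9                    # illustrative trinomial x^191 + x^9 + 1
F191 = (1 << M191) | (1 << K191) | 1
S191 = (M191 + W - 1) // W             # 6 words


def polymul_words(a, b, s):
    """Product-scanning polynomial multiplication: one clmul per word pair,
    XOR accumulation. Unlike the integer Comba loop there are no carries."""
    A = [(a >> (W * i)) & MASK for i in range(s)]
    B = [(b >> (W * i)) & MASK for i in range(s)]
    out = 0
    for i in range(2 * s - 1):
        col = 0
        for j in range(max(0, i - s + 1), min(i, s - 1) + 1):
            col ^= clmul(A[j], B[i - j])
        out ^= col << (W * i)
    return out


def gf2_191_mul(a, b):
    return gf2m_reduce_trinomial(polymul_words(a, b, S191), M191, K191)


def gf2m_mul_bitserial(a, b, f, m):
    """Reference without clmul: shift-and-add, reducing after every step."""
    r = 0
    for i in range(m - 1, -1, -1):
        r <<= 1
        if (r >> m) & 1:
            r ^= f
        if (b >> i) & 1:
            r ^= a
    return r


def gf2m_pow(a, e, mul):
    """Square-and-multiply; a^(2^m - 1) == 1 for nonzero a in a field."""
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a = mul(a, a)
        e >>= 1
    return r
```

The two reduction routines are the ACSAC paper's trade-off in miniature: gf2m_reduce_trinomial() needs only shifts and XORs but is welded to one polynomial, while gf2m_reduce() accepts any reduction polynomial at the cost of a loop over the high bits. mix_column([0xd4, 0xbf, 0x5d, 0x30]) returns [0x04, 0x66, 0x81, 0xe5], the first column of round 1 in the FIPS-197 Appendix B trace, and inv_mix_column() undoes it.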
| Tillich S and Großschädl J (2004), "A Survey of Public-Key Cryptography on J2ME-Enabled Mobile Devices", In Computer and Information Sciences - ISCIS 2004, 19th International Symposium, Kemer-Antalya, Turkey, October 2004, Proceedings., October, 2004. Vol. 3280, pp. 935-944. Springer. |
| Abstract: The advent of hand-held devices which incorporate a Java Virtual Machine (JVM) has greatly facilitated the development of mobile and wireless applications. Many of the possible applications, e.g. for e-commerce or e-government, have an inherent need for security which can be satisfied by methods of public-key cryptography. This paper investigates the feasibility of public-key implementations on modern midrange to high-end devices, with the focus set on Elliptic Curve Cryptography (ECC). We have implemented the Elliptic Curve Digital Signature Algorithm (ECDSA) for both signature generation and verification and we show that both can be done on a J2ME-enabled cell phone -- depending on the device -- in times of a few seconds or even under a second. We also compare the performance of ECDSA with RSA signatures and provide some key issues for selecting one protocol type for implementation in a constrained device. |
BibTeX:
@inproceedings{Tillich2004ASurveyOf,
author = {Stefan Tillich and Johann Großschädl},
editor = {Cevdet Aykanat and Tugrul Dayar and Ibrahim Körpeoglu},
title = {A Survey of Public-Key Cryptography on J2ME-Enabled Mobile Devices},
booktitle = {Computer and Information Sciences - ISCIS 2004, 19th International Symposium, Kemer-Antalya, Turkey, October 2004, Proceedings},
publisher = {Springer},
year = {2004},
volume = {3280},
pages = {935--944},
note = {(c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com.},
url = {http://www.springerlink.com/content/18btc0qu99kla1xw/},
doi = {10.1007/b101749}
}
|
| Copyright note: (c) Springer-Verlag. This is an author's version. The final publication is available at www.springerlink.com. |
| Feldhofer M, Groß M, Großschädl J, Popp T, Pramstaller N, Pühringer C, Scheibelhofer K, Szekely A, Tillich S and Posch K-C (2003), "Rapid Prototyping of a SPARC-V8-based Firewall-on-Chip", In Proceedings of Austrochip 2003, October 10, 2003, Linz, Austria, October 2003, pp. 41-45. |
| Abstract: This paper describes the design and prototype implementation of an embedded firewall realized as a system on a chip. Major components of the system include a SPARC V8-compatible processor, a 10/100 Mbps Ethernet MAC unit connected via the AMBA bus to the processor, a real-time operating system including a TCP/IP stack and the device driver for the MAC unit, as well as the application software running on top of all these. The firewall-on-chip is an example for teaching and research activities in system-on-chip (SoC) design at the Graz University of Technology. |
BibTeX:
@inproceedings{Feldhofer2003RapidPrototypingof,
author = {Martin Feldhofer and Michael Groß and Johann Großschädl and Thomas Popp and Norbert Pramstaller and Christian Pühringer and Karl Scheibelhofer and Alexander Szekely and Stefan Tillich and Karl-Christian Posch},
editor = {Timm Ostermann and Christoph Lackner},
title = {Rapid Prototyping of a SPARC-V8-based Firewall-on-Chip},
booktitle = {Proceedings of Austrochip 2003, October 10, 2003, Linz, Austria},
year = {2003},
pages = {41--45},
note = {(c) Authors.}
}
|
| Copyright note: (c) Authors. |
| Tillich S (2003), "Evaluation of Side-Channel Attack Resistivity with Rapid Prototyping". Thesis at: Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology. Inffeldgasse 16a, 8010 Graz, Austria, October 2003. |
| Abstract: Side-channel attacks pose a serious threat for the security of cryptographic devices. Information about the secret data processed by a device can leak through various physical values. Such side-channels can be timing characteristics, power consumption, electromagnetic emanation, and fault behavior. Cryptographic implementations have to be evaluated for their resistivity against side-channel attacks and the incorporation of different countermeasures has to be considered. This thesis presents a new approach to facilitate this kind of evaluation through use of rapid prototyping. With the help of a custom printed-circuit board, featuring a Field Programmable Gate Array (FPGA), the feasibility and applicability of such an evaluation system is demonstrated. In particular, the results of an attack on an unprotected hardware implementation of the Advanced Encryption Standard (AES) are presented. |
BibTeX:
@mastersthesis{Tillich2003EvaluationOfSideChannel,
author = {Stefan Tillich},
title = {Evaluation of Side-Channel Attack Resistivity with Rapid Prototyping},
school = {Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology},
year = {2003},
note = {(c) Author.},
url = {https://online.tugraz.at/tug_online/wbabs.showThesis?pThesisNr=14820&pOrgNr=37}
}
|
| Copyright note: (c) Author. |
| Rechberger C, Popp T and Tillich S (2002), "Low-cost AES", In Proceedings of Austrochip 2002, October 4, 2002, Graz, Austria, pp. 131-136. Graz University of Technology. |
| Abstract: With the selection of the Rijndael algorithm for NIST's Advanced Encryption Standard (AES) [1], hardware implementations of the AES algorithm became the subject of a number of publications. Almost all of them focus on optimising data throughput. Though most of the solutions offer a trade-off between silicon area and speed, extreme restrictions on the area cannot be satisfied. This paper presents a low-cost implementation of AES, with minimal area requirements of 0.819 mm² using a 0.8 µm process, employing a mixed software-hardware approach. In addition, the needs for storage space in the ROM for the microprogram code and for RAM are kept extremely low compared to a full-software implementation. With this approach, a data throughput 4 times higher compared to that of a pure software implementation is reached. At the same time, required ROM storage space for the microprogram is reduced to approximately a fourth, and required RAM storage space is also reduced. |
BibTeX:
@inproceedings{Rechberger2002LowCostAES,
author = {Christian Rechberger and Thomas Popp and Stefan Tillich},
editor = {Peter Söser},
title = {Low-cost AES},
booktitle = {Proceedings of Austrochip 2002, October 4, 2002, Graz, Austria},
publisher = {Graz University of Technology},
year = {2002},
pages = {131--136},
note = {(c) Authors.},
url = {http://www.ife.tugraz.at/events/austrochip2002/}
}
|
| Copyright note: (c) Authors. |