Figure 3 - uploaded by Kris Gaj
Block Diagram of EAX Mode of Operation 

Source publication
Conference Paper
In order to provide a capability for secure remote reconfiguration of FPGAs, the FPGA bitstream needs to be encrypted and authenticated during its transmission through any public network. Bitstream encryption is already implemented in a few modern FPGA families, such as Xilinx Virtex II. An important feature lacking in the current generation of FPGAs i...

Similar publications

Conference Paper
Using a random number generator for the control of the input clock in FPGA-based cryptographic systems causes misalignments in the power traces, which can be exploited as a countermeasure against Correlation Power Analysis (CPA). In this paper we propose a method to process such misaligned traces in order to identify power peaks dynamically and to...
Article
There is generally a high demand for lightweight cryptography because low-cost sensing devices used on Internet-of-Things (IoT) platforms are required to be secured. This paper implements a lightweight crypto core that unifies a variety of algorithms while meeting the hardware area requirement of constrained devices. The cryptographic...
Article
AES, the Advanced Encryption Standard algorithm, consists of different operations required in the steps of encryption and decryption. The proposed architecture is based on optimizing area in terms of reducing the number of slices required for the design of the AES algorithm in VHDL. This paper produces 3 step designs. AES (TOP), AES (1-9ROUNDS), AES(LAS...
Article
The cryptographic hash functions BLAKE and Skein are built from the ChaCha stream cipher and the tweakable Threefish block cipher, respectively. Interestingly enough, they are based on the same arithmetic operations, and the same design philosophy allows one to design lightweight coprocessors for hashing and encryption. The key element of our appro...
Article
The advancements in IoT and manufacturing techniques have given rise to the use of small embedded devices such as RFIDs, sensor nodes and smart cards. Due to hardware and software constraints, standard encryption algorithms like AES cannot be used for encryption on such devices. Thus lightweight block ciphers like PRESENT, LED, MIDORI, and RECTAN...

Citations

... The fixed-length output of a cryptographic hash function, called a message digest or simply a hash, can be thought of as the fingerprint of the input bitstream, offering strong collision resistance. Cryptographic hashing primitives have been employed in [27], [30], [31]. A message digest, however, does not authenticate the source. ...
Preprint
The mobile application market is rapidly growing and changing, offering always brand new software to install in increasingly powerful devices. Mobile devices become pervasive and more heterogeneous, embedding latest technologies such as multicore architectures, special-purpose circuits and reconfigurable logic. In a future mobile market scenario reconfigurable systems are employed to provide high-speed functionalities to assist execution of applications. However, new security concerns are introduced. In particular, protecting the Intellectual Property of the exchanged soft IP cores is a serious concern. The available techniques for preserving integrity, confidentiality and authenticity suffer from the limitation of heavily relying onto the system designer. In this paper we propose two different protocols suitable for the secure deployment of soft IP cores in FPGA-based mobile heterogeneous systems where multiple independent actors are involved: a simple scenario requiring trust relationship between entities, and a more complex scenario where no trust relationship exists through adoption of the Direct Anonymous Attestation protocol. Finally, we provide a prototype implementation of the proposed architectures.
... The authors of [13] implemented a lightweight ASIC version of AES-OCB2 that requires 5.9kGE with 226 clock cycles per one block of message. Furthermore, [38] provides hardware (ASIC) performance results for AES-EAX. ...
Article
Authenticated encryption (AE) has been a vital operation in cryptography due to its ability to provide confidentiality, integrity, and authenticity at the same time. Its use has soared in parallel with widespread use of the internet and has led to several new schemes. There have been studies investigating software performance of various schemes. However, the same is yet to be done for hardware. We present a comprehensive survey of hardware (specifically ASIC) performance of the most commonly used AE schemes in the literature. These schemes include encrypt-then-MAC combination, block-cipher-based AE modes, and the recently introduced permutation-based AE scheme. For completeness, we implemented each scheme with various standardized block ciphers and/or hash algorithms, and their lightweight versions. Our evaluation targets minimizing the time-area product while maximizing the throughput on an ASIC platform. We used 45nm NANGATE Open Cell Library for syntheses. We present area, speed, time-area product, throughput, and power figures for both standard and lightweight versions of each scheme. We also provide an unbiased discussion on the impact of the structure and complexity of each scheme on hardware implementation. Our results reveal 13%--30% performance boost in permutation-based AE compared to conventional schemes, and they can be used as a benchmark in the ongoing AE competition CAESAR.
... This concept allows for protection of the system designer's IP against tampering attacks. Parelkar [5] noted that generic composition of authentication and encryption (AES+MAC) required more circuit area than authenticated encryption (AE) algorithms. The advantages of using one algorithm for both encryption and authentication are: smaller area, less power, and one key is used for encryption and authentication. ...
... The advantages of using one algorithm for both encryption and authentication are: smaller area, less power, and one key is used for encryption and authentication. Therefore, Parelkar [5] recommended counter with cipher block chaining-message (CCM) mode for achieving both authentication and encryption. ...
... It is clear from [5] that AES-CCM needs smaller area than (AES+MAC). The presented architecture of CCM in [5] used iterative design for AES where 16 s-boxes and 4 MixColumns were used. ...
Conference Paper
Reconfiguration of FPGAs is becoming increasingly popular, particularly in networking applications. In order to protect FPGA designs against attacks, secure reconfiguration must be performed. This paper introduces low cost solutions for protecting FPGA designs. This is achieved by implementing low cost hardware architectures of authenticated encryption (AES-CCM, AES-GCM, and PRESENT-GCM) in the static part of the FPGA to perform the decryption and the authentication of bitstreams. The presented architectures were evaluated using 90 and 130 nm technologies.
... For security reasons, the partial bitstream must be enciphered and authenticated. This concept was proposed by Bossuet et al. [Bossuet et al. 2004], Parelkar et al. [Parelkar and Gaj 2005] and Drimer [Drimer 2007]. Improved bitstream authentication using a physically unclonable function (PUF) was proposed by Simpson et al. [Simpson and Schaumont 2006]. ...
Article
In data security systems, general purpose processors (GPPs) are often extended by a cryptographic accelerator. The article presents three ways of extending GPPs for symmetric key cryptography applications. Proposed extensions guarantee secure key storage and management even if the system is facing protocol, software and cache memory attacks. The system is partitioned into processor, cipher, and key memory zones. The three security zones are separated at protocol, system, architecture and physical levels. The proposed principle was validated on Altera NIOS II, Xilinx MicroBlaze and Microsemi Cortex M1 soft-core processor extensions. We show that stringent separation of the cipher zone is helpful for partial reconfiguration of the security module, if the enciphering algorithm needs to be dynamically changed. However, the key zone including reconfiguration controller must remain static in order to maintain the high level of security required. We demonstrate that the principle is feasible in partially reconfigurable field programmable gate arrays (FPGAs) such as Altera Stratix V or Xilinx Virtex 6 and also to some extent in FPGAs featuring hardwired general purpose processors such as Cortex M3 in Microsemi SmartFusion FPGA. Although the three GPPs feature different data interfaces, we show that the processors with their extensions reach the required high security level while maintaining partial reconfiguration capability.
... Some FPGAs can decrypt bitstreams in their configuration logic, using embedded (or battery-backed) keys, while others lack this capability. Parelkar and Gaj [1] and Drimer [2] have also proposed adding bitstream authentication. Algorithm 1 can be used with FPGAs that support any combination of these functions (three are shown in Figure 2), provided that the user logic compensates for those that are missing. ...
Conference Paper
We present a security protocol for the remote update of volatile FPGA configurations stored in non-volatile memory. Our approach can be implemented on existing FPGAs, as it sits entirely in user logic. Our protocol provides for remote attestation of the running configuration and the status of the upload process. It authenticates the uploading party both before initiating the upload and before completing it, to both limit a denial-of-service attack and protect the integrity of the bitstream. Encryption protects bitstream confidentiality in transit; we either decrypt it before non-volatile storage, or pass on ciphertext if the configuration logic can decrypt it. We discuss how tamper-proofing the connection between the FPGA and the non-volatile memory, as well as space for multiple bitstreams in the latter, can improve resilience against downgrading and denial-of-service attacks.
... Therefore, the SD wants to ensure that the running system configuration is genuine. Research efforts [4,5] have proposed solutions to provide bitstream authentication at power-up or upon update of the FPGA configuration. However, these schemes neither detect nor prevent the replay of an old version of the FPGA configuration. ...
... CRC codes are not collision-resistant; therefore, even with encryption, the probability of having a collision for two different bitstreams is non-negligible. This is why [4] and [5] suggest using respectively an authenticated encryption mode or a Message Authentication Code (MAC) function to ensure the integrity of the bitstream. Some Actel FPGAs [8] include an AES-based Message Authentication Code engine that allows the SD to append a keyed hash to the configuration stream. ...
... Existing bitstream integrity solutions prevent spoofing of the bitstream but are powerless against a replay attack and thus system downgrade threats. In [4,5,8], the keyed hash is computed only over the received bitstream. Therefore, the FPGA configuration logic is not able to distinguish between different (keyed hash, configuration) pairs legitimately generated by the SD in the past. ...
Conference Paper
In the context of FPGAs, system downgrade consists in preventing the update of the hardware configuration or in replaying an old bitstream. The objective can be to preclude a system designer from fixing security vulnerabilities in a design. Such an attack can be performed over a network when the FPGA-based system is remotely updated or on the bus between the configuration memory and the FPGA chip at power-up. Several security schemes providing encryption and integrity checking of the bitstream have been proposed in the literature. However, as we show in this paper, they do not detect the replay of old FPGA configurations; hence they provide adversaries with the opportunity to downgrade the system. We thus propose a new architecture that, in addition to ensuring bitstream confidentiality and integrity, precludes replay of old bitstreams. We show that the hardware cost of this architecture is negligible.
... It is important to maintain the confiden- Parelkar and Gaj [36]. They propose utilizing the EAX functionality of the AES encryption algorithm to verify that the data received by the FPGA is valid and credible. ...
Article
As Field Programmable Gate Arrays (FPGAs) become more widely used, security concerns have been raised regarding FPGA use for cryptographic, sensitive, or proprietary data. Storing or implementing proprietary code and designs on FPGAs could result in compromise of sensitive information if the FPGA device was physically relinquished or remotely accessible to adversaries seeking to obtain the information. Although multiple defensive measures have been implemented (and overcome), the possibility exists to create a secure design through the implementation of polymorphic Dynamically Reconfigurable FPGA (DRFPGA) circuits. Using polymorphic DRFPGAs removes the static attributes from their design; thus, substantially increasing the difficulty of successful adversarial reverse-engineering attacks. A variety of dynamically reconfigurable methodologies exist for implementations that challenge designers in the reconfigurable technology field. A Hardware Description Language (HDL) DRFPGA model is presented for use in security applications. The Very High Speed Integrated Circuit HDL(VHSIC)language was chosen to take advantage of its capabilities, which are well suited to the current research. Additionally, algorithms that explicitly support granular autonomous reconfiguration have been developed and implemented on the DRFPGA as a means of protecting its designs. Documented testing validated the reconfiguration results, compared original FPGA and DRFPGA, security, power usage, and area estimates.
... Parelkar was the first to suggest the use of AE for FPGA bitstreams and concluded in [18,12] that the dual-pass Counter with CBC-MAC (CCM) would be best suited for bitstream authentication with the added benefit of it being a NIST recommended mode of operation [19]. Parelkar and Gaj also suggested EAX for bitstream processing in [20]. Dual-pass AE are not well suited for bitstream processing as they would require significant changes, circuit additions, and increased time to the configuration process. ...
Conference Paper
Encryption of volatile FPGA bitstreams provides confidentiality to the design but does not ensure its authenticity. This paper motivates the need for adding authentication to the configuration process by providing application examples where this functionality would be useful. An examination of possible solutions is followed by suggesting a practical one in consideration of the FPGA's configuration environment constraints. The solution proposed here involves two symmetric-key encryption cores running in parallel to provide both authentication and confidentiality while sharing resources for efficient implementation.
Article
The dynamic partial reconfiguration functionality of FPGAs can be attacked, particularly when the FPGA is remotely located or the configuration bitstreams are sent through insecure networks. The existing FPGA technologies provide some built-in security mechanisms; however, these are often inadequate. The existing solutions still impose a significant impact on the reconfiguration process and on the available resources. This article proposes a solution to improve the security of dynamic partial reconfiguration of FPGAs, without significantly affecting the reconfiguration performance. The proposed solution replaces the encryption key of the remotely received bitstream with a randomly generated key, unique for each configuration, when storing it in the external unsecured memory. The native frame-wise error detection mechanism, combined with an additional CBC-MAC authentication mechanism, allows for an improved countermeasure against replay attacks and wrongful bitstream usage. The proposed solution introduces an overhead of 1% of the available resources on the target FPGA and provides the lowest impact on the reconfiguration process when compared to the state of the art, achieving a reconfiguration throughput of 2.5 Gbps. Compared with the built-in security mechanism provided by the Xilinx FPGAs, the solution proposed herein provides better security and improves the reconfiguration performance by more than 3 times.