CryptoBlaze: 8-Bit Security
Microcontroller
Quick Start Training
Agenda
• What is CryptoBlaze?
• KryptoKit
• GF(2^m) Multiplier
• Customize CryptoBlaze
• Attacks
• CryptoBlaze Support
What is CryptoBlaze?
• A fully customizable soft microcontroller
– PicoBlaze
– 49 baseline 16-bit instructions
– 8 general-purpose 8-bit registers
• Set of cryptographic processor architecture extensions (“KryptoKit”)
– Field operations
– S-Boxes
– LFSR extensions
PicoBlaze
PicoBlaze Baseline Instruction Set

| Control | Arith./Logical | Shift/Rotate | Interrupt; I/O |
|---|---|---|---|
| JUMP aa | ADD sX, KK | SR0 sX | INTERRUPT |
| JUMP Z, aa | ADDCY sX, KK | SRX sX | RETURNI |
| JUMP NZ, aa | SUB sX, KK | SRA sX | INTP DISABLE |
| JUMP NC, aa | SUBCY sX, KK | RR sX | INTP ENABLE |
| CALL aa | ADD sX, sY | SL0 sX | ENABLE INTP |
| CALL Z, aa | ADDCY sX, sY | SL1 sX | DISABLE INTP |
| CALL NZ, aa | SUB sX, sY | SLX sX | INPUT sX, PP |
| CALL C, aa | SUBCY sX, sY | SLA sX | INPUT sX, sY |
| CALL NC, aa | LOAD sX, KK | RL sX | OUTPUT sX, PP |
| RETURN | AND sX, KK | | OUTPUT sX, sY |
| RETURN Z | OR sX, KK | | |
| RETURN NZ | XOR sX, KK | | |
| RETURN C | LOAD sX, sY | | |
| RETURN NC | OR sX, sY | | |
| | AND sX, sY | | |
| | XOR sX, sY | | |
KryptoKit

| Function | Size | Resource Usage | Comments |
|---|---|---|---|
| GF(2^4) multiplier | 4 bit | 12 macrocells | Gates+flops |
| GF(2^8) multiplier | 8 bit | 24 macrocells | Gates+flops |
| GF(2^16) multiplier | 16 bit | 48 macrocells | Gates+flops |
| GF(2^32) multiplier | 32 bit | 96 macrocells | Gates+flops |
| GF(2^163) multiplier | 163 bit | 340 macrocells | Serial input |
| AES S-box | 8 bit | 384 ANDs, 8 ORs | Flops unused |
| LFSRs | variable | One / stage | ANDs unused |
| Irreduc. Polynom. | variable | 3-5 ANDs * | Flops unused |
| Log (2^8) | 8 bit | 383 ANDs, 8 ORs | Flops unused |
| Exp (2^8) | 8 bit | 370 ANDs, 8 ORs | Flops unused |
| GF(2^8) Inverter | 8 bit | 397 ANDs, 8 ORs | Flops unused |

* irreducible polynomial in trinomial or pentanomial form
What is a Galois Field?
• Finite Field with binary operands
• Has all the math properties for closure on addition, multiplication, commutativity, etc.
• An extension field permits polynomial notation and algebraic manipulation
• Commonly used to describe Linear Feedback Shift Registers
• Very interesting properties appropriate to CPLDs
Finite Field Arithmetic
• Field Arithmetic is cool
– All operands ultimately the same number of bits
– Suitable for fixed word size applications
• Cryptography
• Channel coding (Reed Solomon, BCH, Viterbi, etc.)
• Digital signal processing
• Addition for Galois Fields is just EX-OR
• Multiplication can be done with Add/Shift
– Needs polynomial “modulo” correction
Example: GF(2^3) Multiply
Example of 8 Bit Multiplication

57 * 83 = C1 (reduction polynomial = x^8 + x^4 + x^3 + x + 1 = 100011011)

               0101 0111  (57)
            x  1000 0011  (83)
     -----------------------
                 01010111       57 shifted for bit 0 of 83
                010101110       57 shifted for bit 1 of 83
                                (bits 2 to 6 of 83 are 0: no partial products)
          010101110000000       57 shifted for bit 7 of 83
     -----------------------
           10101101111001       (answer, must be reduced)
           100011011            EX-OR the polynomial, aligned under the msb
     -----------------------
           00100000011001       (must be reduced again!)
             100011011          EX-OR the polynomial, aligned under the new msb
     -----------------------
           00000011000001 = C1  (done! stop once no bit at x^8 or above remains set)
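The schoolbook multiply above, as an added example that is not part of the Xilinx deck: it builds the shifted partial products, combines them with EX-OR, and then applies the polynomial "modulo" correction step by step, so each intermediate of the 57 x 83 = C1 walk-through can be checked. Function names and the is_field() check are mine.

```python
# Added example (not from the Xilinx deck): the schoolbook GF(2^m) multiply
# shown on the slide, with the shifted partial products combined by EX-OR and
# then the "modulo" correction against the irreducible polynomial, keeping
# every intermediate so the 57 x 83 = C1 walk-through can be checked.

def gf_mul_steps(a, b, poly, m):
    """Return (unreduced product, list of results after each reduction step).
    poly is the reduction polynomial with its x^m bit included (0x11B for AES)."""
    if poly >> m != 1:
        raise ValueError("poly must have degree exactly m")
    # Partial products: a shifted left by i for every set bit i of b.
    # Addition in GF(2^m) is EX-OR, so the rows are combined with ^.
    product = 0
    for i in range(m):
        if (b >> i) & 1:
            product ^= a << i
    # Reduction, top down: whenever a bit at x^m or above is set, EX-OR the
    # polynomial aligned under that bit (the slide's "EX-OR 100011011" rows).
    steps, cur = [], product
    for bit in range(2 * m - 2, m - 1, -1):
        if (cur >> bit) & 1:
            cur ^= poly << (bit - m)
            steps.append(cur)
    return product, steps


def gf_mul(a, b, poly, m):
    """Reduced product (A x B) mod P, as the multiplier slide labels it."""
    product, steps = gf_mul_steps(a, b, poly, m)
    return steps[-1] if steps else product


def is_field(poly, m):
    """Sanity check for a candidate reduction polynomial: the deck's closure
    property only holds if every nonzero element has a multiplicative inverse,
    which fails for a reducible polynomial."""
    n = 1 << m
    return all(any(gf_mul(x, y, poly, m) == 1 for y in range(1, n))
               for x in range(1, n))


if __name__ == "__main__":
    AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 = 1 0001 1011
    product, steps = gf_mul_steps(0x57, 0x83, AES_POLY, 8)
    print(f"unreduced: {product:014b}")            # 10101101111001
    for s in steps:
        print(f"after EX-OR: {s:014b}")            # ..., 00000011000001
    print(f"57 x 83 = {gf_mul(0x57, 0x83, AES_POLY, 8):X}")  # C1
```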
GF(2^m) Multiplier/Adder
• Natural extension of Berlekamp-Massey structure
• Based on work of Johannes Großschädl
• Compiled & simulated
• Works in serial or parallel modes
• Can use DualEdge clocking for performance
• Operates up to: 250+ MHz
• Built up to 163 bits long in CoolRunner-II
• App Note on GF(2^m) Multiplier (Xapp 371)
GF(2^4) Multiplier
(schematic, not reproduced in text: four register chains of D flip-flops labelled R(3) R(2) R(1) R(0) = RESULT, P(3) P(2) P(1) P(0) = IRREDUCIBLE POLYNOMIAL, A(3) A(2) A(1) A(0) = MULTIPLICAND and B(3) B(2) B(1) B(0) = MULTIPLIER, each marked MSB at the top, with an MPY/ADD control input)
RESULT = (A x B) mod P
NOTE: CLOCKS & EXTERNAL DATA INPUT CONNECTIONS ARE NOT SHOWN
The Flow
(flowchart, reproduced as steps)
1. Result = 0, Loop = 3
2. Left shift Result (fill with 0)
3. Res. MS bit = 1? Yes: Subtract Polynomial. No: continue
4. Result = Result EX-OR (A_i AND B)
5. Loop = Loop - 1
6. Loop = 0? Yes: Done. No: back to step 2
CryptoBlaze = PicoBlaze with Field Operations
(block diagram: the PicoBlaze core with a GF(2^3) MPY unit attached)
Applications
• ECC - Error Channel Coding
– Reed-Solomon
– BCH operations
• ECC - elliptic curve cryptography
• RSA
• Advanced Encryption Standard
CoolRunner-II Enhanced Security
• Multiple security bits
• Nonvolatile
• Reconfigurable
• Multiple metal layers
• Difficult to reverse engineer
• Double Data Rate Operation
• DataGate
Design Your Own
• Start with baseline instrs. - delete unused ones
• Add choice of elements from KryptoKit
• Evaluate tradeoffs of S/W vs. H/W solutions
– First identify bottlenecks
– Second evaluate replacement H/W
• Invent new instructions
• Tune the processor to suit your requirements
• Easy to add to VHDL and the assembler
Attacks
• Anything that can get a cryptographic module to reveal its “secret” is an attack
– Brute force attack (lots of trials)
– Chosen text attacks
– Side channel
  • Timing attacks
  • Power analysis
  • Tempest attack
• Usually targets the protocol
Power Analysis: Kerckhoffs meets Kirchhoff
• Looks at the current flow into a chip over time
• Distinguishes “different” power behavior to reveal the inner behavior of the algorithm
• Usually focuses on microprocessors, with knowledge of the algorithm and instruction set
• Easily identifies loop/branching behavior
– loop behavior correlates to keystream bits
• CryptoBlaze method permits tuning of the processor to increase the difficulty of Power Analysis
Basic Idea
(diagram: the chip under test with its input and output, and the +/- supply connections where the current is measured)
Power Attack Strategies
• Loop behavior is identified with Power Analysis
• Loop unrolling helps
• Breaking up loops helps
• Modifying instructions helps
• Modifying hardware helps
– bogus randomizing hardware
• Homogenizing execution time helps
• Main idea: changing the hardware helps!
• Power tuning is possible
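An added example, not from the Xilinx deck, tying the "loop behavior correlates to keystream bits" point to the "homogenize execution time" advice above: the bit-serial multiply of the Flow slide is written once with its data-dependent branches (and an operation trace that changes with the operands) and once with masks so every iteration runs the same operations. Function names are mine; values are the deck's 57 x 83 = C1 in GF(2^8) with polynomial 0x11B.

```python
# Added example, not from the Xilinx deck: the bit-serial multiply of the
# "Flow" slide, written twice.  trace_serial() records which operations run,
# so the data-dependent "subtract polynomial" and "add A" steps that the deck
# says power analysis picks out show up as a different trace per input.
# gf_mul_uniform() does the same arithmetic with masks instead of branches,
# the software form of the "homogenize execution time" advice.

def trace_serial(a, b, poly, m):
    """MSB-first loop of the Flow slide. Returns (result, list of op names)."""
    result, ops = 0, []
    for i in range(m - 1, -1, -1):
        result <<= 1                     # Left shift Result (fill with 0)
        ops.append("shift")
        if (result >> m) & 1:            # Res. MS bit = 1?  Subtract polynomial
            result ^= poly
            ops.append("xor_poly")
        if (b >> i) & 1:                 # Result = Result EX-OR A when B_i = 1
            result ^= a
            ops.append("xor_a")
    return result, ops


def gf_mul_uniform(a, b, poly, m):
    """Same loop with each conditional XOR replaced by an XOR with a masked
    operand (mask is all ones or all zeros), so every iteration executes the
    same instruction sequence regardless of A, B or the running result."""
    result = 0
    for i in range(m - 1, -1, -1):
        result <<= 1
        result ^= poly & -((result >> m) & 1)     # mask from the overflow bit
        result ^= a & -((b >> i) & 1)             # mask from bit i of B
    return result


def distinct_traces(pairs, poly, m):
    """Number of different op sequences trace_serial() produces over the
    given (a, b) pairs: more than 1 means the control flow leaks operand bits."""
    return len({tuple(trace_serial(a, b, poly, m)[1]) for a, b in pairs})


if __name__ == "__main__":
    AES_POLY = 0x11B
    result, ops = trace_serial(0x57, 0x83, AES_POLY, 8)
    print(f"{result:X}", ops)                                 # C1 [...]
    print(f"{gf_mul_uniform(0x57, 0x83, AES_POLY, 8):X}")     # C1
    print(distinct_traces([(0x57, 0x83), (0x57, 0x80), (0x57, 0x01)],
                          AES_POLY, 8))                       # 3
```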
CryptoBlaze Conclusion
• Building specialized processors can improve:
– Performance
– Power consumption
– Security
• Development support available free from Xilinx
– Basic reference design
– Cross Assembler
– Krypto Kit
• Fully supported by Xilinx Design Software