
An Overview of Cryptographic Algorithms

2.3 Specifications for Applications

2.3.1 IEEE P1363

The standard IEEE P1363 [7] and its extension [8] specify several primitives based on ECC for realizing the cryptographic schemes. For the key agreement schemes, the primitives include the elliptic curve secret value derivation primitive Diffie-Hellman (ECSVDP-DH) [5, 6, 65] and the elliptic curve secret value derivation primitive Menezes-Qu-Vanstone (ECSVDP-MQV) [66]. For the signature schemes with appendix, the primitives include the elliptic curve signature primitive Nyberg-Rueppel (ECSP-NR) [5, 6, 67] and the elliptic curve signature primitive digital signature algorithm (ECSP-DSA) [5, 6, 68].

In addition, the elliptic curve integrated encryption scheme (ECIES) [69] is adopted to implement encryption and decryption.

2.3.2 IEEE 802.15.4/6

As specified in IEEE 802.15.4 [9], the symmetric-key cryptographic algorithm is the block cipher AES [3] used in three modes of operation: counter (CTR), cipher block chaining message authentication code (CBC-MAC), and CTR with CBC-MAC (CCM) [70]. These modes implement the security schemes of encryption, authentication, and message integrity, respectively. IEEE 802.15.6 [10] uses two AES modes, cipher-based message authentication code (CMAC) [71] and CCM, and in addition adopts an asymmetric-key cryptographic algorithm based on ECC [7] to achieve message exchange with Diffie-Hellman key (DHK) agreement [65] over an open channel.

AES algorithm

As described in [3], the AES cipher processes a 128-bit plaintext block with a 128-, 192-, or 256-bit secret key to generate a 128-bit ciphertext block. A larger key size provides a higher security level but costs more processing cycles. The round is the basic transformation function of the AES algorithm, and the number of rounds for one AES encryption depends on the key size: key sizes of 128, 192, and 256 bits correspond to 10, 12, and 14 rounds, respectively, for a single 128-bit input block. The round function consists of four basic transformations: SubByte, ShiftRow, MixColumn, and AddRoundKey, except for the last round, which omits MixColumn. The KeySchedule algorithm expands the secret key in a word-oriented fashion and generates a 128-bit round key for every round, which is combined with the state by a simple bit-wise exclusive-OR in AddRoundKey; the state is the 16-byte (16 × 8-bit) temporary data of the AES round calculation.
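The round structure just described, written out as an added example (this is not code from the dissertation or from any standard's reference implementation). The S-box is derived from its GF(2^8) definition rather than typed in as a table, so SubByte, ShiftRow, MixColumn, AddRoundKey and the KeySchedule are all visible; the results are checked against the FIPS-197 test vectors.

```python
# Added example: table-free AES block encryption following the round structure above.

def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduction step
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0 as AES requires."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        e >>= 1
    return r


def _affine(b: int) -> int:
    """Affine part of SubByte: b XOR its four left rotations XOR 0x63."""
    x = b
    for i in range(1, 5):
        x ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return x ^ 0x63


SBOX = [_affine(_gf_inv(i)) for i in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> list:
    """KeySchedule: expand a 16/24/32-byte key into Nr+1 round keys of 16 bytes each."""
    nk = len(key) // 4
    nr = {4: 10, 6: 12, 8: 14}[nk]          # 10/12/14 rounds for 128/192/256-bit keys
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                       # RotWord, SubWord, Rcon once every Nk words
            t = [SBOX[x] for x in t[1:] + t[:1]]
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:          # extra SubWord for 256-bit keys
            t = [SBOX[x] for x in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(nr + 1)]


# The 16-byte state is kept in column-major order: byte index = row + 4 * column.
def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            _gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
            _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2),
        ]
    return out


def _add_round_key(s, rk: bytes):
    return [x ^ y for x, y in zip(s, rk)]


def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Initial AddRoundKey, Nr-1 full rounds, then a final round without MixColumn."""
    rks = expand_key(key)
    nr = len(rks) - 1
    s = _add_round_key(list(block), rks[0])
    for rnd in range(1, nr):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rks[rnd])
    s = _add_round_key(_shift_rows(_sub_bytes(s)), rks[nr])
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes_encrypt_block(k, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Reference code like this is for understanding the transformations only; the byte-indexed S-box lookup has a data-dependent memory access pattern, and a production implementation needs constant-time or hardware-assisted AES.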

Encryption, authentication, and message integrity

Figure 2.2(a) and Figure 2.2(b) show the AES schemes for encryption (or decryption), authentication, and message integrity using the CTR, CBC-MAC/CMAC, and CCM modes, respectively. In CTR mode, the plaintext is encrypted by a bit-wise exclusive-OR with a keystream block, which is produced as the AES output when an input block consisting of a nonce and a counter is fed in. Note that the data flow of decryption in CTR mode is the same as that of encryption.

In the CBC-MAC and CMAC modes, a message integrity code (MIC) is produced by a chain of AES encryptions so that any tampering with the plaintext can be detected. To achieve the message integrity scheme (i.e., authenticated encryption), the CCM mode is implemented efficiently as a combined operation of the CTR and CBC-MAC modes.
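The three IEEE 802.15.4 modes from Section 2.3.2 and the data flow of Figure 2.2, as an added example that is not part of the dissertation: CTR, CBC-MAC, and their CCM-style combination built over a 128-bit block function. Assumptions: the block function is a stand-in keyed PRF made from SHA-256 (so the example runs with the standard library alone; a deployment would substitute AES block encryption), the nonce is 12 bytes with a 4-byte counter, and the CCM combination here is a simplified form, not the exact block formatting of the CCM specification [70].

```python
# Added example: CTR, CBC-MAC and a CCM-style combination over a generic block function.
import hashlib
import hmac

BLOCK = 16


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block) (assumption): SHA-256(key || block) truncated to 128 bits."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, start_counter: int = 1) -> bytes:
    """CTR mode: XOR data with the keystream E_k(nonce || counter). The same call decrypts."""
    assert len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (start_counter + i // BLOCK).to_bytes(4, "big")
        keystream = block_fn(key, counter_block)
        chunk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))   # zip trims the last partial block
    return bytes(out)


def cbc_mac(key: bytes, msg: bytes, tlen: int = 8) -> bytes:
    """CBC-MAC: chain E_k over zero-padded blocks; MIC = MSB_Tlen of the final output."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    x = bytes(BLOCK)
    for i in range(0, len(padded), BLOCK):
        x = block_fn(key, bytes(a ^ b for a, b in zip(x, padded[i:i + BLOCK])))
    return x[:tlen]


def ccm_encrypt(key: bytes, nonce: bytes, plaintext: bytes, tlen: int = 8) -> bytes:
    """CCM-style: MIC over (nonce, length, plaintext), masked with counter block 0; CTR from counter 1."""
    # The length prefix matters: a raw CBC-MAC is only safe for fixed-length messages.
    header = nonce + len(plaintext).to_bytes(4, "big")
    mic = cbc_mac(key, header + plaintext, tlen)
    mic_mask = block_fn(key, nonce + (0).to_bytes(4, "big"))[:tlen]
    enc_mic = bytes(a ^ b for a, b in zip(mic, mic_mask))
    return ctr_crypt(key, nonce, plaintext) + enc_mic


def ccm_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tlen: int = 8):
    """Returns the plaintext, or None when the MIC does not verify (nothing is released on failure)."""
    if len(ciphertext) < tlen:
        return None
    body, enc_mic = ciphertext[:-tlen], ciphertext[-tlen:]
    plaintext = ctr_crypt(key, nonce, body)          # decryption reuses the CTR encryption path
    header = nonce + len(plaintext).to_bytes(4, "big")
    mic_mask = block_fn(key, nonce + (0).to_bytes(4, "big"))[:tlen]
    expected = bytes(a ^ b for a, b in zip(cbc_mac(key, header + plaintext, tlen), mic_mask))
    if not hmac.compare_digest(expected, enc_mic):   # constant-time comparison of the MIC
        return None
    return plaintext


if __name__ == "__main__":
    key = b"k" * 16                                   # constructed sample key
    nonce = b"n" * 12                                 # constructed sample nonce
    frame = b"constructed 802.15.4 frame payload"
    ct = ccm_encrypt(key, nonce, frame)
    print(len(ct) - len(frame), ccm_decrypt(key, nonce, ct) == frame)   # 8 True
```

Two points the code makes concrete: the nonce must never repeat under one key, since CTR keystream reuse cancels out and exposes the XOR of two plaintexts; and the receiver must verify the MIC before acting on the plaintext, which is why `ccm_decrypt` returns nothing on a mismatch.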

Message exchange with DHK agreement

Figure 2.3 shows the procedure that precedes message exchange between two parties communicating over an insecure channel, based on the well-known DHK agreement [65]. Address A and Address B represent the media access control addresses of Alice and Bob, respectively, and the security suite indicates the security level of the cipher function. Note that both public-key generation and DHK agreement are achieved by performing the ECSM with a selected private key. When communicating over an open channel, the delivered message is encrypted and decrypted using the AES CCM mode with a master key (MK), which is refreshed and activated whenever a new party joins the network.


Figure 2.2: The data flow of each AES mode, where the nonce and initial vector (IV) are an arbitrary number and a secret value, respectively. The functional notation MSBTlen/LSBTlen denotes the most/least significant Tlen bits of the data, and Tlen/Clen is the bit length of the MIC/ciphertext.

Figure 2.3 (the figure's step labels, recovered from the extracted text; steps suffixed "a" are Alice's and steps suffixed "b" are Bob's):

1a. Alice chooses private key KA and calculates public key QA = ECSM(KA, P).
1b. Bob chooses private key KB and calculates public key QB = ECSM(KB, P).
2a. Alice selects 128-bit Nonce A.
2b. Bob selects 128-bit Nonce B.
3a. Alice sends Nonce A, QA, Address A, Address B, and Security Suite.
4b. Bob replies with an Ack frame.
6a. Alice replies with an Ack frame.
7a. Alice computes DHK = x-coordinate(ECSM(KA, QB)), KMAC_3A = MSB64(CMAC(MSB128(DHK), Address A || Address B || Nonce A || Nonce B || Security Suite)), and KMAC_4A = MSB64(CMAC(MSB128(DHK), Address B || Address A || Nonce B || Nonce A || Security Suite)).
7b. Bob computes DHK = x-coordinate(ECSM(KB, QA)), KMAC_3B = MSB64(CMAC(MSB128(DHK), Address A || Address B || Nonce A || Nonce B || Security Suite)), and KMAC_4B = MSB64(CMAC(MSB128(DHK), Address B || Address A || Nonce B || Nonce A || Security Suite)).
8b. Bob sends Nonce B, QB, KMAC_3B, Address A, Address B, and Security Suite.
9a. Alice replies with an Ack frame.
10a. Alice checks KMAC_3A =? KMAC_3B and does not proceed if the check fails.
11a. Alice sends Nonce A, QA, KMAC_4A, Address A, Address B, and Security Suite.
12b. Bob replies with an Ack frame.
13b. Bob checks KMAC_4A =? KMAC_4B and does not proceed if the check fails.
14. Both parties compute and activate their new MK = CMAC(LSB128(DHK), Nonce A || Nonce B).

Figure 2.3: Messages can be securely sent to a specific party based on MK by using both asymmetric- and symmetric-key algorithms, without prior knowledge of encryption and decryption keys.
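The DHK agreement and key confirmation of Figure 2.3, carried through as an added example that is not the dissertation's or the standard's code. Assumptions: the curve is secp256k1, chosen only so that ECSM runs on a real, standard curve (IEEE 802.15.6 specifies its own curve, which this example does not claim to match); CMAC is replaced by HMAC-SHA256 truncated to 128 bits because the standard library has no AES-CMAC; the addresses, nonces, and security suite value used in `run_agreement` are constructed sample data.

```python
# Added example: Figure 2.3 walk-through with ECSM, DHK, KMAC_3/KMAC_4 confirmation and MK derivation.
import hashlib
import hmac
import secrets

# secp256k1 parameters (assumption: curve chosen for the example, not taken from the dissertation)
P_MOD = 2**256 - 2**32 - 977
A_COEF, B_COEF = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _ec_add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + ax + b; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ecsm(k: int, point):
    """Elliptic curve scalar multiplication k*P, plain double-and-add (reference only, not SCA-hardened)."""
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, point)
        point = _ec_add(point, point)
        k >>= 1
    return result


def _cmac_stand_in(key: bytes, msg: bytes) -> bytes:
    """Assumption: HMAC-SHA256 truncated to 128 bits stands in for AES-CMAC."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def msb(data: bytes, bits: int) -> bytes:
    return data[:bits // 8]


def lsb(data: bytes, bits: int) -> bytes:
    return data[len(data) - bits // 8:]


def derive_dhk(priv: int, peer_pub) -> bytes:
    """Step 7: DHK = x-coordinate(ECSM(K, Q_peer)) as a 32-byte string."""
    return ecsm(priv, peer_pub)[0].to_bytes(32, "big")


def kmac3(dhk, addr_a, addr_b, nonce_a, nonce_b, suite) -> bytes:
    return msb(_cmac_stand_in(msb(dhk, 128), addr_a + addr_b + nonce_a + nonce_b + suite), 64)


def kmac4(dhk, addr_a, addr_b, nonce_a, nonce_b, suite) -> bytes:
    return msb(_cmac_stand_in(msb(dhk, 128), addr_b + addr_a + nonce_b + nonce_a + suite), 64)


def master_key(dhk, nonce_a, nonce_b) -> bytes:
    """Step 14: MK = CMAC(LSB128(DHK), Nonce A || Nonce B)."""
    return _cmac_stand_in(lsb(dhk, 128), nonce_a + nonce_b)


def run_agreement(addr_a, addr_b, suite, ka=None, kb=None, nonce_a=None, nonce_b=None):
    """Simulate both parties; returns (MK at Alice, MK at Bob, check 10a passed, check 13b passed)."""
    ka = ka or 1 + secrets.randbelow(N_ORDER - 1)          # 1a
    kb = kb or 1 + secrets.randbelow(N_ORDER - 1)          # 1b
    nonce_a = nonce_a or secrets.token_bytes(16)           # 2a
    nonce_b = nonce_b or secrets.token_bytes(16)           # 2b
    qa, qb = ecsm(ka, G), ecsm(kb, G)                      # public keys sent in 3a / 8b
    dhk_b = derive_dhk(kb, qa)                             # 7b
    kmac3_b = kmac3(dhk_b, addr_a, addr_b, nonce_a, nonce_b, suite)
    dhk_a = derive_dhk(ka, qb)                             # 7a
    kmac3_a = kmac3(dhk_a, addr_a, addr_b, nonce_a, nonce_b, suite)
    if not hmac.compare_digest(kmac3_a, kmac3_b):          # 10a: do not proceed on failure
        return None, None, False, False
    kmac4_a = kmac4(dhk_a, addr_a, addr_b, nonce_a, nonce_b, suite)   # sent in 11a
    kmac4_b = kmac4(dhk_b, addr_a, addr_b, nonce_a, nonce_b, suite)
    if not hmac.compare_digest(kmac4_a, kmac4_b):          # 13b: do not proceed on failure
        return None, None, True, False
    return (master_key(dhk_a, nonce_a, nonce_b),           # 14
            master_key(dhk_b, nonce_a, nonce_b), True, True)


if __name__ == "__main__":
    mk_a, mk_b, ok3, ok4 = run_agreement(bytes.fromhex("0011223344556677"),   # constructed Address A
                                         bytes.fromhex("8899aabbccddeeff"),   # constructed Address B
                                         b"\x01")                             # constructed Security Suite
    print(ok3, ok4, mk_a == mk_b)   # True True True
```

Binding the addresses, both nonces, and the security suite into KMAC_3 and KMAC_4 is what lets each side detect a peer that holds a different DHK or a modified suite field; the KMAC comparisons are done with `hmac.compare_digest` so the check itself does not leak through timing.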

Chapter 3

Side-Channel Attacks (SCAs)

Modern security systems apply cryptographic algorithms to provide confidentiality, integrity, and authenticity of data. The cryptographic algorithms are mathematical functions that usually take two input parameters, a message (also called plaintext) and a cryptographic key, and map them to an output called the ciphertext; this process is the encryption. In current cryptography, the cryptographic algorithms are assumed to be known, which means that all details of the algorithms are publicly available and only the cryptographic key is kept secret. This notion can be traced back to Auguste Kerckhoffs [72], a Dutch cryptographer of the 19th century, and the concept is famous as “Kerckhoffs’ principle”.

Breaking a cryptographic algorithm typically means finding the secret key from some public information, such as pairs of plaintexts and ciphertexts.

A cryptographic algorithm is considered secure in practice if no attacks are known that can break it within a reasonable amount of time and with a reasonable amount of computing power. Many algorithms are designed such that the effort of breaking them grows significantly, or even exponentially, with the number of bits of the key. Consequently, the length of the key is an important factor in the security of a cryptographic algorithm.

Crypto engines are the electronic devices, such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a microprocessor, that implement cryptographic algorithms using the keys stored on them. Crypto engines are used to accelerate the cryptographic algorithms, but this leads to a new issue for the practical security of the algorithms. In practice, not only the security of the cryptographic algorithm should be taken into account; the security of the whole system, i.e., the crypto engine that implements the cryptographic algorithms, needs to be considered. Breaking a crypto engine means extracting the key of the device. A person who tries to extract the key of a crypto engine in an unauthorized way is the attacker, and any attempt to extract the key in an unauthorized way is viewed as an attack.

In order to evaluate the security of a crypto engine, it is necessary to make assumptions about the knowledge that an attacker has about it. The strongest assumption is that the attacker knows the details of the crypto engine.

In recent years, several kinds of attacks on crypto engines have become public. Side-channel attacks (SCAs) are attacks based on information leakage obtained from the physical implementation of cryptosystems, rather than on brute force or theoretical weaknesses in the algorithms. As Figure 3.1 shows, for example, timing information, power consumption, electromagnetic leaks, or even sound can provide an extra source of information that can be exploited to break the system. Among them, the power-analysis attacks, initially presented by Kocher [51], have received a large amount of attention because they are very powerful and can be conducted relatively easily. The basic idea of this kind of attack is to reveal the key of a crypto engine by analyzing its power consumption. The variation of the power consumption directly reflects differences in the key-dependent processed data, where the total power consumption Ptotal of a cell is the sum of the static power Pstat and the dynamic power Pdyn, as shown in Figure 3.2.

Consequently, the power-analysis attacks pose a serious threat to the security of crypto engines in practice.

In this dissertation, we have tried our best to investigate the state-of-the-art approaches of power-analysis attacks. They include simple power-analysis (SPA) attacks [51], differential power-analysis (DPA) attacks [73], zero-value power-analysis (ZPA) attacks [74], and collision power-analysis (CPA) attacks [75]. Their concepts are described in the following sub-sections, and we also show successful attacks based on power measurements conducted on the devices. Figure 3.3(a) and Figure 3.3(b) show our power-analysis verification environment for the chip, an ECC crypto engine fabricated in UMC 90-nm CMOS technology.

Figure 3.1: Scenario of side-channel attacks on a hardware device. (The figure shows the leakage channels around the device: processing time, electromagnetic emission, current and voltage, and the data I/O carrying plaintext, ciphertext, key, and password.)

Figure 3.2: Power consumption of CMOS circuits with supply voltage Vdd and leakage current Ileak. (Of the figure's equations only fragments survived extraction: Ptotal = Pdyn + Pstat, with the dynamic term proportional to Vdd² and the static term to Ileak·Vdd.)


Figure 3.3: (a) Environment of power measurement. (b) Current running through the chip is recorded by measuring the voltage drop via a resistor in series with the core power

For a quick preview, the ECC processor is targeted at accelerating the elliptic curve scalar multiplication (ECSM) KP, where K is the private key and P is a point on the elliptic curve. Thus the objective of power-analysis attacks on the ECC processor is to extract the private key K from the measured power traces of the ECSM calculation. Since P is usually public, it is reasonable to assume that the attacker has information about P, and that the attacker can control or inject any input value of P.
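The property that makes ECSM a target for the simple power analysis introduced above is that a naive double-and-add schedule performs an addition only for key bits equal to 1, so the sequence of operations in a trace mirrors K. The added example below (not from the dissertation) is a designer's self-check for that property: it records the operation schedule of double-and-add and of a Montgomery ladder, and tests whether the schedule depends on the key. The group arithmetic is abstracted to integer addition, an assumption made because only the schedule, not the curve, is under study; `double_and_add`, `montgomery_ladder`, `bits_from_schedule`, and `schedule_is_key_dependent` are names introduced here.

```python
# Added example: does the scalar multiplication schedule depend on the key bits?
import secrets


def double_and_add(k: int, p: int, trace: list) -> int:
    """Left-to-right binary method; an 'A' is appended only for key bits equal to 1."""
    r = 0
    for bit in bin(k)[2:]:
        r = r + r
        trace.append("D")
        if bit == "1":
            r = r + p
            trace.append("A")
    return r


def montgomery_ladder(k: int, p: int, trace: list) -> int:
    """Montgomery ladder: every bit costs exactly one add and one double, whatever its value."""
    r0, r1 = 0, p
    for bit in bin(k)[2:]:
        if bit == "1":
            r0 = r0 + r1
            trace.append("A")
            r1 = r1 + r1
            trace.append("D")
        else:
            r1 = r0 + r1
            trace.append("A")
            r0 = r0 + r0
            trace.append("D")
    return r0


def bits_from_schedule(trace: list):
    """Read the naive schedule as an SPA observer would: 'D' then 'A' is a 1-bit, a lone 'D' a 0-bit.
    Returns None when the schedule does not have that shape (e.g. the ladder's uniform A/D pattern)."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "D":
            return None
        if i + 1 < len(trace) and trace[i + 1] == "A":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def schedule_is_key_dependent(method, bit_length: int = 16, trials: int = 32) -> bool:
    """Countermeasure check: do random keys of equal bit length produce different operation schedules?"""
    seen = set()
    for _ in range(trials):
        k = secrets.randbits(bit_length) | (1 << (bit_length - 1))   # fix the top bit so lengths match
        trace = []
        method(k, 5, trace)
        seen.add("".join(trace))
    return len(seen) > 1


if __name__ == "__main__":
    t = []
    double_and_add(0b101101, 7, t)
    print("".join(t), bits_from_schedule(t))      # DADDADADDA 101101
    print(schedule_is_key_dependent(double_and_add), schedule_is_key_dependent(montgomery_ladder))   # True False
```

Equalizing the operation schedule removes the leakage that SPA reads off directly, but it is only the first layer: the ladder above still selects its operands with a key-dependent branch, and operand values still drive the data-dependent dynamic power that DPA-style attacks target, so a hardened ECSM combines a regular schedule with constant-time operand selection and the masking or randomization countermeasures discussed later in this dissertation.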