| Foreword |
|
xvii | |
| Preface |
|
xix | |
| List of Figures |
|
xxiii | |
| List of Tables |
|
xxxi | |
| I Background |
|
1 | (82) |
|
1 Mathematical Background |
|
|
3 | (26) |
|
|
|
3 | (1) |
|
|
|
4 | (2) |
|
1.3 Groups, Rings, and Fields |
|
|
6 | (2) |
|
1.4 Greatest Common Divisors and Multiplicative Inverse |
|
|
8 | (5) |
|
1.4.1 Euclidean Algorithm |
|
|
9 | (1) |
|
1.4.2 Extended Euclidean Algorithm |
|
|
10 | (1) |
|
1.4.3 Chinese Remainder Theorem |
|
|
11 | (2) |
|
1.5 Subgroups, Subrings, and Extensions |
|
|
13 | (1) |
|
1.6 Groups, Rings, and Field Isomorphisms |
|
|
14 | (2) |
|
1.7 Polynomials and Fields |
|
|
16 | (1) |
|
1.8 Construction of Galois Field |
|
|
17 | (1) |
|
|
|
18 | (1) |
|
1.10 Cyclic Groups of Group Elements |
|
|
19 | (2) |
|
1.11 Efficient Galois Fields |
|
|
21 | (3) |
|
1.11.1 Binary Finite Fields |
|
|
21 | (3) |
|
1.12 Mapping between Binary and Composite Fields |
|
|
24 | (4) |
|
1.12.1 Constructing Isomorphisms between Composite Fields |
|
|
25 | (11) |
|
1.12.1.1 Mapping from GF(2k) to GF(2n)m, where k = nm |
|
|
25 | (1) |
|
1.12.1.2 An Efficient Conversion Algorithm |
|
|
26 | (2) |
|
|
|
28 | (1) |
|
2 Overview of Modern Cryptography |
|
|
29 | (36) |
|
|
|
30 | (1) |
|
2.2 Cryptography: Some Technical Details |
|
|
31 | (5) |
|
|
|
36 | (8) |
|
2.3.1 Inner Structures of a Block Cipher |
|
|
38 | (1) |
|
2.3.2 The Advanced Encryption Standard |
|
|
39 | (1) |
|
2.3.3 The AES Round Transformations |
|
|
40 | (3) |
|
|
|
41 | (1) |
|
|
|
42 | (1) |
|
|
|
42 | (1) |
|
|
|
43 | (1) |
|
2.3.4 Key-Scheduling in AES |
|
|
43 | (1) |
|
2.4 Rijndael in Composite Field |
|
|
44 | (4) |
|
2.4.1 Expressing an Element of GF(28) in Subfield |
|
|
44 | (1) |
|
2.4.2 Inversion of an Element in Composite Field |
|
|
45 | (1) |
|
2.4.3 The Round of AES in Composite Fields |
|
|
46 | (2) |
|
|
|
48 | (10) |
|
2.5.1 Simplification of the WeierstraI3 Equation |
|
|
50 | (1) |
|
2.5.2 Singularity of Curves |
|
|
51 | (1) |
|
2.5.3 The Abelian Group and the Group Laws |
|
|
51 | (1) |
|
2.5.4 Elliptic Curves with Characteristic 2 |
|
|
52 | (5) |
|
2.5.5 Projective Coordinate Representation |
|
|
57 | (1) |
|
2.6 Scalar Multiplications: LSB First and MSB First Approaches |
|
|
58 | (1) |
|
2.7 Montgomery's Algorithm for Scalar Multiplication |
|
|
59 | (3) |
|
2.7.1 Montgomery's Ladder |
|
|
60 | (1) |
|
2.7.2 Faster Multiplication on EC without Pre-computations |
|
|
60 | (2) |
|
2.7.3 Using Projective co-ordinates to Reduce the Number of Inversions |
|
|
62 | (1) |
|
|
|
62 | (3) |
|
3 Modern Hardware Design Practices |
|
|
65 | (18) |
|
|
|
65 | (7) |
|
|
|
66 | (2) |
|
3.1.2 The FPGA Design Flow |
|
|
68 | (4) |
|
3.2 Mapping an Algorithm to Hardware: Components of a Hardware Architecture |
|
|
72 | (1) |
|
3.3 Case study: Binary gcd Processor |
|
|
73 | (2) |
|
3.4 Enhancing the Performance of a Hardware Design |
|
|
75 | (3) |
|
3.5 Modelling of the Computational Elements of the gcd Processor |
|
|
78 | (2) |
|
3.5.1 Modeling of an Adder |
|
|
78 | (1) |
|
3.5.2 Modeling of a Multiplexer |
|
|
79 | (1) |
|
3.5.3 Total LUT Estimate of the gcd Processor |
|
|
80 | (1) |
|
3.5.4 Delay Estimate of the gcd Processor |
|
|
80 | (1) |
|
|
|
80 | (1) |
|
3.6.1 LUT utilization of the gcd processor |
|
|
81 | (1) |
|
3.6.2 Delay Estimates for the gcd Processor |
|
|
81 | (1) |
|
|
|
81 | (2) |
| II Hardware Design of Cryptographic Algorithms |
|
83 | (94) |
|
4 Hardware Design of the Advanced Encryption Standard (AES) |
|
|
85 | (30) |
|
|
|
85 | (1) |
|
4.2 Algorithmic and Architectural Optimizations for AES Design |
|
|
86 | (1) |
|
4.3 Circuit for the AES S-Box |
|
|
86 | (12) |
|
|
|
87 | (1) |
|
4.3.2 Circuit Optimizations in the Polynomial Basis |
|
|
87 | (4) |
|
4.3.3 Circuit Optimizations in the Normal Basis |
|
|
91 | (3) |
|
4.3.4 Most Compact Realization: Polynomial vs. Normal basis |
|
|
94 | (2) |
|
4.3.5 Common Subexpressions |
|
|
96 | (1) |
|
4.3.6 Merging of Basis Change Matrix and Affine Mapping |
|
|
97 | (1) |
|
4.3.7 Merged S-Box and Inverse S-Box |
|
|
97 | (1) |
|
4.4 Implementation of the MixColumns Transformation |
|
|
98 | (3) |
|
4.4.1 The AES S-Box and MixColumns |
|
|
99 | (1) |
|
4.4.2 Implementing the Inverse MixColumns |
|
|
100 | (1) |
|
4.5 An Example Reconfigurable Design for the Rijndael Cryptosystem |
|
|
101 | (8) |
|
4.5.1 Overview of the Design |
|
|
101 | (5) |
|
|
|
102 | (1) |
|
4.5.1.2 Pipelining and Serializing in FPGAs |
|
|
102 | (1) |
|
4.5.1.3 Back to the Design |
|
|
103 | (3) |
|
4.5.2 Key-Schedule Optimization |
|
|
106 | (1) |
|
|
|
107 | (2) |
|
|
|
109 | (1) |
|
4.7 Single Chip Encryptor/Decryptor |
|
|
110 | (1) |
|
|
|
111 | (4) |
|
5 Efficient Design of Finite Field Arithmetic on FPGAs |
|
|
115 | (38) |
|
|
|
116 | (1) |
|
5.2 Finite Field Multiplier |
|
|
116 | (1) |
|
5.3 Finite Field Multipliers for High Performance Applications |
|
|
117 | (1) |
|
5.4 Karatsuba Multiplication |
|
|
118 | (1) |
|
5.5 Karatsuba Multipliers for Elliptic Curves |
|
|
118 | (1) |
|
5.6 Designing for the FPGA Architecture |
|
|
119 | (1) |
|
5.7 Analyzing Karatsuba Multipliers on FPGA Platforms |
|
|
120 | (6) |
|
5.7.1 The Hybrid Karatsuba Multiplier |
|
|
123 | (3) |
|
5.8 Performance Evaluation |
|
|
126 | (1) |
|
5.9 High-Performance Finite Field Inversion Architecture for FPGAs |
|
|
126 | (1) |
|
5.10 Itoh-Tsujii Inversion Algorithm |
|
|
127 | (1) |
|
5.11 The Quad ITA Algorithm |
|
|
128 | (9) |
|
5.11.1 Clock Cycles for the ITA |
|
|
129 | (1) |
|
5.11.2 The Quad ITA Generalization |
|
|
130 | (3) |
|
5.11.3 Hardware Architecture of Quad ITA |
|
|
133 | (8) |
|
5.11.3.1 Addition Chain Selection Criteria |
|
|
136 | (1) |
|
5.11.3.2 Design of the Quadblock |
|
|
136 | (1) |
|
5.12 Experimental Results |
|
|
137 | (1) |
|
5.13 Generalization of the ITA for 2n Circuit |
|
|
138 | (2) |
|
5.14 Hardware Architecture for 2n Circuit Based ITA |
|
|
140 | (1) |
|
5.15 Area and Delay Estimations for the 2n ITA |
|
|
141 | (7) |
|
5.15.1 Area and Delay of a x Variable Boolean Function |
|
|
141 | (1) |
|
5.15.2 Area and LUT Delay Estimates for the Field Multiplier |
|
|
142 | (3) |
|
5.15.3 Area and LUT Delay Estimates for the Reduction Circuit |
|
|
145 | (1) |
|
5.15.4 Area and LUT Delay Estimates of a 2n Circuit |
|
|
146 | (1) |
|
5.15.5 Area and LUT Delay Estimates of a Multiplexer |
|
|
146 | (1) |
|
5.15.6 Area and LUT Delay Estimates for the Powerblock |
|
|
146 | (1) |
|
5.15.7 Area Estimate for the Entire ITA Architecture |
|
|
147 | (1) |
|
5.15.8 LUT Delay Estimate for the Entire ITA Architecture |
|
|
147 | (1) |
|
5.16 Obtaining the Optimal Performing ITA Architecture |
|
|
148 | (1) |
|
5.17 Validation of Theoretical Estimations |
|
|
149 | (2) |
|
|
|
151 | (2) |
|
6 High-Speed Implementation of Elliptic Curve Scalar Multiplication on FPGAs |
|
|
153 | (24) |
|
|
|
153 | (2) |
|
6.2 The Elliptic Curve Cryptoprocessor |
|
|
155 | (2) |
|
|
|
155 | (1) |
|
6.2.2 Finite Field Arithmetic Unit |
|
|
156 | (1) |
|
|
|
156 | (1) |
|
6.3 Point Arithmetic on the ECCP |
|
|
157 | (3) |
|
|
|
157 | (2) |
|
|
|
159 | (1) |
|
6.4 The Finite State Machine (FSM) |
|
|
160 | (3) |
|
6.5 Performance Evaluation |
|
|
163 | (1) |
|
6.6 Further Acceleration Techniques of the ECC Processor |
|
|
163 | (1) |
|
6.7 Pipelining Strategies for the Scalar Multiplier |
|
|
164 | (4) |
|
6.8 Scheduling of the Montgomery Algorithm |
|
|
168 | (3) |
|
6.8.1 Scheduling for Two Consecutive Bits of the Scalar |
|
|
169 | (2) |
|
6.8.2 Data Forwarding to Reduce Clock Cycles |
|
|
171 | (1) |
|
6.9 Finding the Right Pipeline |
|
|
171 | (1) |
|
6.9.1 Number of Clock Cycles |
|
|
171 | (1) |
|
6.9.2 Analyzing Computation Time |
|
|
172 | (1) |
|
6.10 Detailed Architecture of the ECM |
|
|
172 | (2) |
|
6.11 Implementation Results |
|
|
174 | (1) |
|
|
|
175 | (2) |
| III Side Channel Analysis |
|
177 | (170) |
|
7 Introduction to Side Channel Analysis |
|
|
179 | (22) |
|
|
|
179 | (1) |
|
7.2 What Are Side Channels? |
|
|
180 | (2) |
|
7.2.1 Difference of Side Channel Analysis and Conventional Cryptanalysis |
|
|
181 | (1) |
|
7.2.2 Types of Side Channel Attacks |
|
|
182 | (1) |
|
7.3 Kocher's Seminal Works |
|
|
182 | (2) |
|
7.3.1 Timing Attack on Modular Exponentiation |
|
|
182 | (2) |
|
7.3.1.1 Timing Measurement |
|
|
183 | (1) |
|
7.3.1.2 The Attack Methodology |
|
|
183 | (1) |
|
|
|
184 | (7) |
|
7.4.1 Simple Power Analysis |
|
|
185 | (1) |
|
7.4.2 An Example SPA of the ECCP Designed |
|
|
186 | (2) |
|
7.4.3 Differential Power Attacks |
|
|
188 | (3) |
|
|
|
191 | (2) |
|
7.5.1 Fault Analysis of the RSA Cipher |
|
|
193 | (1) |
|
|
|
193 | (3) |
|
7.6.1 Working Principle of Cache-Timing Attacks |
|
|
194 | (2) |
|
7.7 Scan Chain Based Attacks |
|
|
196 | (3) |
|
7.7.1 Working Principle of Scan-Chain-Attacks on Block Ciphers |
|
|
196 | (3) |
|
|
|
199 | (2) |
|
8 Differential Fault Analysis of Ciphers |
|
|
201 | (64) |
|
8.1 Introduction to Differential Fault Analysis |
|
|
202 | (4) |
|
8.1.1 General Principle of DFA of Block Ciphers |
|
|
203 | (3) |
|
|
|
204 | (1) |
|
8.1.1.2 The Effect of Faults on a Block Cipher |
|
|
204 | (2) |
|
8.2 DFA and Associated Fault Models |
|
|
206 | (5) |
|
8.2.1 Fault Models for DFA of AES |
|
|
206 | (3) |
|
8.2.1.1 Faults Are Injected in Any Location and Any Round |
|
|
207 | (1) |
|
8.2.1.2 Faults Are Injected in AddRoundKey in Round 0 |
|
|
207 | (1) |
|
8.2.1.3 Faults Are Injected between the Output of 7th and the Input of 8th MixColumns |
|
|
207 | (1) |
|
8.2.1.4 Faults Are Injected between the Output of 8th and the Input of 9th MixColumns |
|
|
208 | (1) |
|
8.2.2 Relationships between the Discussed Fault Models |
|
|
209 | (2) |
|
8.2.2.1 Faults Are Injected in Any Location and Any Round |
|
|
209 | (1) |
|
8.2.2.2 Faults Are Injected in AddRoundKey in Round 0 |
|
|
209 | (1) |
|
8.2.2.3 Faults Are Injected between the Output of 7th and the Input of 8th MixColumns |
|
|
209 | (1) |
|
8.2.2.4 Faults Are Injected between the Output of 8th and the Input of 9th MixColumns |
|
|
210 | (1) |
|
8.3 Principle of Differential Fault Attacks on AES |
|
|
211 | (3) |
|
8.3.1 Differential Properties of AES S-Box |
|
|
211 | (1) |
|
8.3.2 DFA of AES Using Bit Faults |
|
|
212 | (1) |
|
8.3.3 Bit-Level DFA of Last Round of AES |
|
|
212 | (1) |
|
8.3.4 Bit-Level DFA of First Round of AES |
|
|
213 | (1) |
|
8.4 State-of-the-art DFAs on AES |
|
|
214 | (8) |
|
8.4.1 Byte-Level DFA of Penultimate Round of AES |
|
|
214 | (8) |
|
8.4.1.1 DFA Using Two Faults |
|
|
216 | (1) |
|
8.4.1.2 DFA Using Only One Fault |
|
|
216 | (4) |
|
8.4.1.3 DFA with Reduced Time Complexity |
|
|
220 | (2) |
|
8.5 Multiple-Byte DFA of AES-128 |
|
|
222 | (3) |
|
8.5.1 DFA According to Fault Model DM0 |
|
|
222 | (2) |
|
8.5.1.1 Equivalence of Faults in the Same Diagonal |
|
|
222 | (2) |
|
8.5.2 DFA According to Fault Model DM1 |
|
|
224 | (1) |
|
8.5.3 DFA According to Fault Model DM2 |
|
|
224 | (1) |
|
8.6 Extension of the DFA to Other Variants of AES |
|
|
225 | (5) |
|
8.6.1 DFA on AES-192 States |
|
|
226 | (1) |
|
8.6.2 DFA on AES-256 States |
|
|
226 | (4) |
|
8.6.2.1 First Phase of the Attack on AES-256 States |
|
|
226 | (2) |
|
8.6.2.2 Second Phase of the Attack on AES-256 States |
|
|
228 | (2) |
|
8.7 DFA of AES Targeting the Key Schedule |
|
|
230 | (14) |
|
8.7.1 Attack on AES-128 Key Schedule |
|
|
231 | (5) |
|
8.7.1.1 First Phase of the Attack on AES-128 Key Schedule |
|
|
231 | (3) |
|
8.7.1.2 Second Phase of the Attack on AES-128 Key Schedule |
|
|
234 | (1) |
|
8.7.1.3 Time Complexity Reduction |
|
|
234 | (2) |
|
8.7.2 Proposed Attack on AES-192 Key Schedule |
|
|
236 | (4) |
|
8.7.2.1 First Phase of the Attack on AES-192 Key Schedule |
|
|
236 | (3) |
|
8.7.2.2 Second Phase of the Attack on AES-192 Key Schedule |
|
|
239 | (1) |
|
8.7.3 Proposed Attack on AES-256 Key Schedule |
|
|
240 | (4) |
|
8.7.3.1 First Phase of the Attack of AES-256 Key Schedule |
|
|
241 | (2) |
|
8.7.3.2 Second Phase of th Attack of AES-256 Key Schedule |
|
|
243 | (1) |
|
|
|
244 | (10) |
|
8.8.1 Hardware Redundancy |
|
|
246 | (1) |
|
|
|
247 | (1) |
|
8.8.3 Information Redundancy |
|
|
248 | (3) |
|
|
|
248 | (1) |
|
|
|
249 | (1) |
|
|
|
250 | (1) |
|
|
|
250 | (1) |
|
|
|
251 | (3) |
|
|
|
254 | (1) |
|
8.9 Invariance based DFA Countermeasures |
|
|
254 | (8) |
|
8.9.1 An Infective Countermeasure Scheme |
|
|
254 | (1) |
|
8.9.2 Infection Countermeasure |
|
|
255 | (1) |
|
8.9.3 Attacks on the Infection Countermeasure |
|
|
256 | (1) |
|
8.9.3.1 Further Loop Holes in the Countermeasure: Attacking the Infection Technique |
|
|
257 | (1) |
|
8.9.4 Infection Caused by Compulsory Dummy Round |
|
|
257 | (2) |
|
8.9.4.1 Attacking the Top Row |
|
|
258 | (1) |
|
8.9.5 Piret & Quisquater's Attack on the Countermeasure |
|
|
259 | (3) |
|
8.10 Improved Countermeasure |
|
|
262 | (2) |
|
|
|
264 | (1) |
|
9 Cache Attacks on Ciphers |
|
|
265 | (28) |
|
9.1 Memory Hierarchy and Cache Memory |
|
|
266 | (3) |
|
9.1.1 Organization of Cache Memory |
|
|
267 | (2) |
|
9.1.2 Improving Cache Performance for Superscalar Processors |
|
|
269 | (1) |
|
9.2 Timing Attacks Due to CPU Architecture |
|
|
269 | (3) |
|
9.2.1 Attacks on Block Ciphers using Data Cache Memories |
|
|
269 | (3) |
|
9.2.1.1 Table-based Implementation of the AES |
|
|
269 | (2) |
|
9.2.1.2 Software Implementations of AES |
|
|
271 | (1) |
|
9.3 Trace-Driven Cache Attacks |
|
|
272 | (3) |
|
9.3.1 A Theoretical Cache Trace Attack on DES |
|
|
273 | (1) |
|
9.3.2 Trace-Driven Attacks on AES |
|
|
273 | (1) |
|
9.3.3 Trace-Driven Attacks on the Last Round of AES |
|
|
274 | (1) |
|
9.3.4 Trace-Driven Attack Based on Induced Cache Miss |
|
|
275 | (1) |
|
9.4 Access-Driven Cache Attacks |
|
|
275 | (5) |
|
9.4.1 Access-Driven Attacks on Block Ciphers |
|
|
276 | (1) |
|
9.4.2 Second Round Access-Driven Attack on AES |
|
|
277 | (1) |
|
9.4.3 A Last Round Access Driven Attack on AES |
|
|
278 | (1) |
|
9.4.4 Asynchronous Access-Driven Attacks |
|
|
278 | (1) |
|
9.4.5 Fine-Grained Access-Driven Attacks on AES |
|
|
279 | (1) |
|
9.5 Time-Driven Cache Attacks |
|
|
280 | (6) |
|
9.5.1 Remote Timing Attacks |
|
|
280 | (1) |
|
9.5.2 Distinguishing between a Hit and Miss with Time |
|
|
281 | (1) |
|
9.5.3 Second Round Time-Driven Attack on AES |
|
|
282 | (1) |
|
9.5.4 Theoretical Analysis of Time-Driven Attacks |
|
|
283 | (1) |
|
9.5.5 Profiled Time-Driven Attack on AES |
|
|
283 | (3) |
|
9.6 Countermeasures for Timing Attacks |
|
|
286 | (5) |
|
9.6.1 Application-Layer Countermeasures |
|
|
287 | (1) |
|
9.6.2 Countermeasures Applied in the Hardware |
|
|
288 | (3) |
|
|
|
291 | (2) |
|
10 Power Analysis of Cipher Implementations |
|
|
293 | (40) |
|
10.1 Power Attack Setup and Power Traces |
|
|
294 | (4) |
|
10.1.1 Power Traces of an AES hardware |
|
|
295 | (2) |
|
10.1.2 Quality of Power Measurements |
|
|
297 | (1) |
|
|
|
298 | (3) |
|
10.2.1 Hamming Weight Power Model |
|
|
298 | (1) |
|
10.2.2 Hamming Distance Power Model |
|
|
298 | (2) |
|
10.2.3 Why Do Gates Leak? |
|
|
300 | (1) |
|
10.3 Differential Power Analysis Using Difference of Mean |
|
|
301 | (3) |
|
10.3.1 Computing DoM for Simulated Power Traces on AES |
|
|
302 | (1) |
|
10.3.2 Simulation of the Power Traces and Computing the DoM |
|
|
302 | (1) |
|
10.3.3 DOM and the Hamming Distance vs. Hamming Weight Model |
|
|
303 | (1) |
|
10.4 PKDPA: An Improvement of the DoM technique |
|
|
304 | (5) |
|
10.4.1 Application of PKDPA to AES |
|
|
304 | (2) |
|
10.4.2 Choosing the Window-Size |
|
|
306 | (3) |
|
10.5 Correlation Power Attack |
|
|
309 | (3) |
|
10.5.1 Computing Correlation Coefficient for Simulated Power Traces for AES |
|
|
310 | (1) |
|
10.5.2 Computation of the Correlation Matrix |
|
|
311 | (1) |
|
10.5.3 Experimental Results on Simulated Traces |
|
|
312 | (1) |
|
10.6 Metrics to Evaluate a Side Channel Analysis |
|
|
312 | (3) |
|
10.6.1 Success Rate of a Side Channel Adversary |
|
|
312 | (1) |
|
10.6.2 Guessing Entropy of an Adversary |
|
|
313 | (2) |
|
10.7 CPA on Real Power Traces of AES-128 |
|
|
315 | (6) |
|
10.7.1 SNR of a Power Trace |
|
|
315 | (2) |
|
10.7.2 DPA of an Iterative Architecture |
|
|
317 | (1) |
|
10.7.3 DPA on a Serialized Architecture of AES |
|
|
318 | (1) |
|
10.7.4 Shuffling Architecture |
|
|
318 | (3) |
|
10.8 Popular Countermeasures against Power Analysis: Masking |
|
|
321 | (9) |
|
10.8.1 Masking at the Algorithmic Level |
|
|
322 | (5) |
|
10.8.1.1 Masking the AES S-Box |
|
|
322 | (2) |
|
10.8.1.2 Security of the Masking Scheme |
|
|
324 | (1) |
|
10.8.1.3 Circuit Complexity and Reuse of Masks |
|
|
325 | (2) |
|
10.8.2 Masking at the Gate Level |
|
|
327 | (1) |
|
10.8.3 The Masked AND Gate and Vulnerabilities due to Glitches |
|
|
328 | (2) |
|
|
|
330 | (3) |
|
11 Testability of Cryptographic Hardware |
|
|
333 | (14) |
|
|
|
333 | (1) |
|
11.2 Scan Chain Based Attacks on Cryptographic Implementations |
|
|
334 | (2) |
|
11.2.1 Scan Chain Based Attack on Stream Ciphers |
|
|
335 | (1) |
|
11.3 Scan Attack on Trivium |
|
|
336 | (5) |
|
11.3.1 Brief Description of Trivium |
|
|
336 | (1) |
|
11.3.1.1 Key and IV Setup |
|
|
336 | (1) |
|
11.3.2 KeyStream Generation |
|
|
337 | (1) |
|
|
|
337 | (2) |
|
11.3.3.1 Objective of the Attacker |
|
|
337 | (1) |
|
11.3.3.2 Attack on Trivium |
|
|
337 | (1) |
|
11.3.3.3 Ascertaining Bit Correspondence |
|
|
338 | (1) |
|
11.3.4 Deciphering the Cryptogram |
|
|
339 | (2) |
|
11.4 Testability of Cryptographic Designs |
|
|
341 | (4) |
|
11.4.0.1 Reset Attack on Flipped-Scan Mechanism |
|
|
342 | (3) |
|
|
|
345 | (2) |
| IV Hardware Intellectual Property Protection |
|
347 | (32) |
|
12 Hardware Intellectual Property Protection through Obfuscation |
|
|
349 | (30) |
|
|
|
350 | (2) |
|
|
|
352 | (1) |
|
12.3 Functional Obfuscation through State Transition Graph Modification |
|
|
353 | (9) |
|
12.3.1 Goals of the Obfuscation Technique |
|
|
353 | (1) |
|
12.3.2 Hardware IP Piracy: Adversary's Perspective |
|
|
353 | (2) |
|
12.3.2.1 Modification Scheme Employing Input Logic-cone Expansion |
|
|
354 | (1) |
|
12.3.3 Obfuscation Metric |
|
|
355 | (1) |
|
12.3.4 System-level Obfuscation |
|
|
356 | (1) |
|
12.3.4.1 State Transition Function Modification |
|
|
356 | (1) |
|
12.3.5 Embedding Authentication Features |
|
|
357 | (1) |
|
12.3.6 Choice of Optimal Set of Nodes for Modification |
|
|
358 | (1) |
|
12.3.7 The HARPOON Design Methodology |
|
|
359 | (3) |
|
12.4 Extension of STG Modification for RTL Designs |
|
|
362 | (2) |
|
12.5 Obfuscation through Control and Dataflow Graph (CDFG) Modification |
|
|
364 | (4) |
|
12.5.1 CDFG Obfuscation Methodology |
|
|
364 | (3) |
|
12.5.1.1 Embedding Authentication Features |
|
|
367 | (1) |
|
12.5.2 Comparison between the Two Approaches |
|
|
367 | (1) |
|
12.5.3 Obfuscation-based Secure SoC Design Flow |
|
|
368 | (1) |
|
12.6 Measure of Obfuscation Level |
|
|
368 | (4) |
|
12.6.1 Manual Attacks by Visual Inspection |
|
|
368 | (1) |
|
12.6.2 Simulation-based Attacks |
|
|
369 | (1) |
|
12.6.3 Structural Analysis-based Attack |
|
|
369 | (2) |
|
12.6.3.1 Structural Analysis against STG Modification |
|
|
369 | (2) |
|
12.6.3.2 Structural Analysis against CDFG Modification-based Approach |
|
|
371 | (1) |
|
12.6.4 Quantitative Comparison |
|
|
371 | (1) |
|
|
|
372 | (5) |
|
12.7.1 Design Flow Automation |
|
|
372 | (2) |
|
12.7.2 Implementation Results |
|
|
374 | (1) |
|
12.7.2.1 Implementation Setup |
|
|
374 | (1) |
|
12.7.2.2 Obfuscation Efficiency and Overheads |
|
|
374 | (1) |
|
12.7.3 Effect of Key Length |
|
|
375 | (2) |
|
12.7.3.1 Support for Multiple-length Keys |
|
|
375 | (1) |
|
12.7.3.2 Effect of Increasing Key Length |
|
|
376 | (1) |
|
|
|
377 | (1) |
|
12.8.1 Using Unreachable States during Initialization |
|
|
377 | (1) |
|
|
|
378 | (1) |
| V Hardware Trojans |
|
379 | (94) |
|
13 Overview of Hardware Trojans |
|
|
381 | (28) |
|
|
|
382 | (1) |
|
13.2 Trojan Taxonomy and Examples |
|
|
383 | (3) |
|
|
|
386 | (6) |
|
13.3.1 Difficulty of Recovering Encryption Key from Modified Faulty Cipher-text |
|
|
389 | (1) |
|
13.3.2 Effectiveness of Multi-level Attacks |
|
|
389 | (1) |
|
13.3.3 Results: Multi-level Attacks |
|
|
390 | (1) |
|
13.3.4 Extension of the Multi-level Attack Model |
|
|
391 | (1) |
|
13.3.5 Prevention Techniques against Multi-level Attacks |
|
|
391 | (1) |
|
13.4 Effect of Hardware Trojan on Circuit Reliability |
|
|
392 | (6) |
|
13.4.1 Hardware Trojan and Reliability: Analysis and Results |
|
|
394 | (1) |
|
13.4.1.1 Combinational Trojans |
|
|
394 | (1) |
|
13.4.2 Synchronous Counter-based Sequential Trojan |
|
|
395 | (2) |
|
13.4.3 Asynchronous Counter-based Sequential Trojan |
|
|
397 | (1) |
|
13.5 Hardware Trojan Insertion by Direct Modification of FPGA Configuration Bitstream |
|
|
398 | (9) |
|
13.5.1 Xilinx Configuration Bitstream Structure |
|
|
400 | (1) |
|
13.5.2 Xilinx Virtex-II FPGA Builiding Blocks |
|
|
400 | (1) |
|
13.5.3 Xilinx Configuration Bitstream File Organisation |
|
|
400 | (1) |
|
13.5.3.1 Configuration Memory Addressing |
|
|
400 | (1) |
|
13.5.4 Configuration Process |
|
|
401 | (1) |
|
13.5.5 Cyclic Redundancy Check (CRC) |
|
|
401 | (1) |
|
13.5.6 Disabling CRC Check |
|
|
401 | (1) |
|
13.5.7 Bitstream Modification Technique |
|
|
401 | (3) |
|
13.5.8 Demonstration of the Bitstream Modification-based Attack |
|
|
404 | (2) |
|
13.5.9 Prevention/Detection Techniques against the Proposed Attack |
|
|
406 | (1) |
|
13.5.9.1 Grounding Unused Pins in a FPGA |
|
|
406 | (1) |
|
13.5.9.2 Online Temperature Monitoring |
|
|
406 | (1) |
|
13.5.9.3 Filling-up Unused Resources of the FPGA |
|
|
406 | (1) |
|
13.5.10 Logic Distribution to Balance Power Consumption from the I/O Power Pins |
|
|
406 | (4) |
|
13.5.10.1 Dedicated Hardware Logic to Check CRC Status |
|
|
406 | (1) |
|
13.5.10.2 Scrambling and De-scrambling the Bitstream File |
|
|
406 | (1) |
|
|
|
407 | (2) |
|
14 Logic Testing based Hardware Trojan Detection |
|
|
409 | (12) |
|
|
|
409 | (1) |
|
14.2 Statistical Approach for Trojan Detection |
|
|
410 | (5) |
|
14.2.1 Mathematical Analysis |
|
|
411 | (1) |
|
|
|
412 | (1) |
|
14.2.3 Coverage Estimation |
|
|
413 | (1) |
|
14.2.4 Choice of Trojan Sample Size |
|
|
413 | (1) |
|
|
|
413 | (1) |
|
14.2.6 Improving Trojan Detection Coverage |
|
|
413 | (2) |
|
|
|
415 | (5) |
|
|
|
415 | (1) |
|
14.3.2 Comparison with Random and ATPG Patterns |
|
|
416 | (1) |
|
14.3.3 Effect of Number of Trigger Points (q) |
|
|
417 | (1) |
|
14.3.4 Effect of Trigger Threshold (θ) |
|
|
418 | (1) |
|
14.3.5 Sequential Trojan Detection |
|
|
418 | (2) |
|
14.3.6 Application to Side-channel Analysis |
|
|
420 | (1) |
|
|
|
420 | (1) |
|
15 Side-channel Analysis Techniques for Hardware Trojans Detection |
|
|
421 | (32) |
|
|
|
422 | (1) |
|
15.2 Motivation for the Proposed Approaches |
|
|
423 | (1) |
|
15.3 Multiple-parameter Analysis based Trojan Detection |
|
|
424 | (9) |
|
15.3.1 Theoretical Analysis |
|
|
425 | (3) |
|
15.3.2 Improving Detection Sensitivity |
|
|
428 | (5) |
|
15.3.2.1 Test Vector Selection |
|
|
428 | (2) |
|
15.3.2.2 Power Gating and Operand Isolation |
|
|
430 | (1) |
|
15.3.2.3 Use of Other Side-channel Parameters |
|
|
431 | (1) |
|
|
|
432 | (1) |
|
|
|
433 | (6) |
|
15.4.1 Simulation Verification |
|
|
433 | (3) |
|
|
|
433 | (1) |
|
|
|
434 | (2) |
|
15.4.2 Hardware Validation |
|
|
436 | (3) |
|
|
|
436 | (2) |
|
|
|
438 | (1) |
|
15.5 Integration with Logic-testing Approach |
|
|
439 | (14) |
|
15.5.1 Motivation of Self-Referencing Approach |
|
|
441 | (2) |
|
15.5.2 Analysis of Process Variations on Self-Referencing |
|
|
443 | (1) |
|
15.5.3 Self-Referencing Methodology |
|
|
444 | (5) |
|
15.5.3.1 Functional Decomposition |
|
|
445 | (1) |
|
15.5.3.2 Statistical Test Vector Generation |
|
|
446 | (1) |
|
15.5.3.3 Side-channel Analysis Using Self-Referencing |
|
|
447 | (1) |
|
15.5.3.4 Decision Making Process |
|
|
448 | (1) |
|
15.5.4 Self-referencing Simulation Results |
|
|
449 | (1) |
|
15.5.5 Experimental Results |
|
|
450 | (1) |
|
|
|
451 | (2) |
|
16 Design Techniques for Hardware Trojan Threat Mitigation |
|
|
453 | (20) |
|
|
|
453 | (1) |
|
16.2 Obfuscation-based Trojan Detection/Protection |
|
|
454 | (8) |
|
16.2.1 Methodology of Circuit Obfuscation-based Trojan Detection Protection |
|
|
454 | (2) |
|
16.2.2 Effect of Obfuscation on Trojan Insertion |
|
|
456 | (1) |
|
16.2.3 Effect of Obfuscation on Trojan Potency |
|
|
457 | (1) |
|
16.2.4 Effect of Obfuscation on Trojan Detectability |
|
|
458 | (1) |
|
16.2.5 Effect of Obfuscation on Circuit Structure |
|
|
459 | (1) |
|
16.2.6 Determination of Unreachable States |
|
|
460 | (1) |
|
16.2.7 Test Generation for Trojan Detection |
|
|
460 | (1) |
|
16.2.8 Determination of Effectiveness |
|
|
461 | (1) |
|
16.3 Integrated Framework for Obfuscation |
|
|
462 | (2) |
|
|
|
464 | (6) |
|
|
|
466 | (1) |
|
16.4.2 Application to Third-party IP Modules and SoCs |
|
|
466 | (1) |
|
16.4.3 Protection against Malicious CAD Tools |
|
|
466 | (3) |
|
16.4.4 Improving Level of Protection and Design Overhead |
|
|
469 | (1) |
|
16.4.5 Protection against Information Leakage Trojans |
|
|
469 | (1) |
|
16.5 A FPGA-based Design Technique for Trojan Isolation |
|
|
470 | (1) |
|
16.6 A Design Infrastructure Approach to Prevent Circuit Malfunction |
|
|
471 | (2) |
| VI Physically Unclonable Functions |
|
473 | (32) |
|
17 Physically Unclonable Functions: a Root-of-Trust for Hardware Security |
|
|
475 | (20) |
|
|
|
476 | (1) |
|
17.2 Physically Unclonable Function |
|
|
476 | (2) |
|
17.3 Classification of PUFs |
|
|
478 | (3) |
|
17.3.1 Classification based on Technology |
|
|
478 | (1) |
|
17.3.2 Classification based on Response Collection Mechanism |
|
|
479 | (1) |
|
17.3.3 Classification based on Difficulty of Modeling |
|
|
480 | (1) |
|
17.3.4 Classification based on Reconfiguration Technique |
|
|
480 | (1) |
|
17.4 Realization of Silicon PUFs |
|
|
481 | (5) |
|
|
|
481 | (3) |
|
17.4.1.1 Ring Oscillator PUF |
|
|
481 | (1) |
|
|
|
482 | (1) |
|
17.4.1.3 Bistable Ring PUF |
|
|
483 | (1) |
|
|
|
483 | (1) |
|
|
|
484 | (2) |
|
|
|
484 | (1) |
|
|
|
485 | (1) |
|
|
|
485 | (1) |
|
|
|
485 | (1) |
|
17.5 PUF Performance Metrics for Quality Evaluation |
|
|
486 | (2) |
|
|
|
486 | (1) |
|
|
|
487 | (1) |
|
|
|
488 | (1) |
|
|
|
488 | (1) |
|
|
|
488 | (1) |
|
17.6 Secure PUF: What Makes a PUF Secure? |
|
|
488 | (1) |
|
17.7 Applications of PUF as a Root-of-Trust |
|
|
489 | (2) |
|
17.7.1 Low-cost Authentication |
|
|
489 | (1) |
|
17.7.2 Cryptographic Key Generation |
|
|
489 | (2) |
|
17.7.3 IP protection of FPGA Hardware Designs |
|
|
491 | (1) |
|
|
|
491 | (1) |
|
17.8 Attacks Model: How PUF Security Could Be Compromised? |
|
|
491 | (2) |
|
17.8.1 Fault Attacks on PUFs and Fuzzy Extractors |
|
|
492 | (1) |
|
17.8.2 Side-channel Attacks on PUFs |
|
|
492 | (1) |
|
17.8.3 Modeling Attacks on Delay-based PUFs |
|
|
492 | (1) |
|
17.9 Looking Forward: What Lies Ahead for PUFs? |
|
|
493 | (2) |
|
18 Genetic Programming-based Model-building Attack on PUFs |
|
|
495 | (10) |
|
|
|
495 | (2) |
|
18.2 Background: Genetic Programming and RO-PUFs |
|
|
497 | (2) |
|
18.2.1 Genetic Programming |
|
|
497 | (1) |
|
18.2.2 Ring Oscillator PUF (RO-PUF) |
|
|
498 | (1) |
|
|
|
499 | (1) |
|
18.3.1 Reproduction Schemes |
|
|
500 | (1) |
|
|
|
500 | (1) |
|
18.3.1.2 Tournament Selection Model |
|
|
500 | (1) |
|
|
|
500 | (5) |
|
18.4.1 Experimental Setup |
|
|
500 | (2) |
|
|
|
502 | (3) |
| Bibliography |
|
505 | (30) |
| Index |
|
535 | |
Lisainfo e-raamatute kohta