Javad Bahrami, V. Dang, Abubakr Abdulgadir, Khaled N. Khasawneh, J. Kaps, K. Gaj
LowMC is a parameterizable block cipher developed for use in Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE). In these applications, linear operations are much less expensive in terms of resource utilization compared to the non-linear operations due to their low multiplicative complexity. In this work, we implemented two versions of LowMC -- unrolled and lightweight. Both implementations are realized using RTL VHDL. To the best of our knowledge, we report the first lightweight implementation of LowMC and the first implementation protected against side-channel analysis (SCA). For the SCA protection, we used a hybrid 2/3 shares Threshold Implementation (TI) approach, and for the evaluation, the Test Vector Leakage Assessment (TVLA) method, also known as the T-test. Our unprotected implementations show information leakage at 10K traces, and after protection, they could successfully pass the T-test for 1 million traces. The Xilinx Vivado is used for the synthesis, implementation, functional verification, timing analysis, and programming of the FPGA. The target FPGA family is Artix-7, selected due to its widespread use in multiple applications. Based on our results, the numbers of LUTs are 867 and 3,328 for the lightweight and the unrolled architecture with unrolling factor U = 16, respectively. It takes 14.21 μs for the lightweight architecture and 1.29 μs for the unrolled design with U = 16 to generate one 128-bit block of the ciphertext. The fully unrolled architecture beats the best previous implementation by Kales et al. in terms of the number of LUTs by a factor of 4.5. However, this advantage comes at the cost of having 2.9 higher latency.
LowMC是为多方计算(MPC)和完全同态加密(FHE)而开发的可参数分组密码。在这些应用程序中,由于线性操作的乘法复杂度较低,因此与非线性操作相比,线性操作在资源利用率方面要便宜得多。在这项工作中,我们实现了两个版本的LowMC——展开版和轻量级版。这两种实现都是使用RTL VHDL实现的。据我们所知,我们报告了LowMC的第一个轻量级实现和第一个防止侧信道分析(SCA)的实现。对于SCA保护,我们使用了混合2/3份额阈值实现(TI)方法,对于评估,使用了测试向量泄漏评估(TVLA)方法,也称为t检验。我们未受保护的实现在10K走线处显示信息泄漏,并且在保护之后,它们可以成功通过100万走线的t测试。Xilinx Vivado用于FPGA的合成、实现、功能验证、时序分析和编程。目标FPGA系列是Artix-7,选择它是因为它在多种应用中广泛使用。根据我们的结果,轻量级和展开因子U = 16的展开架构的lut数量分别为867和3328。轻量级架构需要14.21 μs, U = 16的展开设计需要1.29 μs来生成一个128位的密文块。就lut的数量而言,完全展开的体系结构比Kales等人之前最好的实现高出4.5倍。然而,这种优势是以2.9更高的延迟为代价的。
{"title":"Lightweight Implementation of the LowMC Block Cipher Protected Against Side-Channel Attacks","authors":"Javad Bahrami, V. Dang, Abubakr Abdulgadir, Khaled N. Khasawneh, J. Kaps, K. Gaj","doi":"10.1145/3411504.3421219","DOIUrl":"https://doi.org/10.1145/3411504.3421219","url":null,"abstract":"LowMC is a parameterizable block cipher developed for use in Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE). In these applications, linear operations are much less expensive in terms of resource utilization compared to the non-linear operations due to their low multiplicative complexity. In this work, we implemented two versions of LowMC -- unrolled and lightweight. Both implementations are realized using RTL VHDL. To the best of our knowledge, we report the first lightweight implementation of LowMC and the first implementation protected against side-channel analysis (SCA). For the SCA protection, we used a hybrid 2/3 shares Threshold Implementation (TI) approach, and for the evaluation, the Test Vector Leakage Assessment (TVLA) method, also known as the T-test. Our unprotected implementations show information leakage at 10K traces, and after protection, they could successfully pass the T-test for 1 million traces. The Xilinx Vivado is used for the synthesis, implementation, functional verification, timing analysis, and programming of the FPGA. The target FPGA family is Artix-7, selected due to its widespread use in multiple applications. Based on our results, the numbers of LUTs are 867 and 3,328 for the lightweight and the unrolled architecture with unrolling factor U = 16, respectively. It takes 14.21 μs for the lightweight architecture and 1.29 μs for the unrolled design with U = 16 to generate one 128-bit block of the ciphertext. The fully unrolled architecture beats the best previous implementation by Kales et al. in terms of the number of LUTs by a factor of 4.5. However, this advantage comes at the cost of having 2.9 higher latency.","PeriodicalId":136554,"journal":{"name":"Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126946515","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper, we promote the idea that recent woes in hardware security are not because of a lack of technical solutions but rather because market forces and incentives prevent those with the ability to fix problems from doing so. At the root of the problem is the fact that hardware security comes at a cost; present issues in hardware security can be seen as the result of the players in the game of hardware security finding ways of avoiding paying this cost. We formulate this idea into a doctrine of security, namely the Doctrine of Shared Burdens. Three cases studies-Rowhammer, Spectre, and Meltdown-are interpreted though the lens of this doctrine. Our doctrine illuminates why these problems exist and what can be done about them.
{"title":"WaC: A New Doctrine for Hardware Security","authors":"A. Hastings, S. Sethumadhavan","doi":"10.1145/3411504.3421217","DOIUrl":"https://doi.org/10.1145/3411504.3421217","url":null,"abstract":"In this paper, we promote the idea that recent woes in hardware security are not because of a lack of technical solutions but rather because market forces and incentives prevent those with the ability to fix problems from doing so. At the root of the problem is the fact that hardware security comes at a cost; present issues in hardware security can be seen as the result of the players in the game of hardware security finding ways of avoiding paying this cost. We formulate this idea into a doctrine of security, namely the Doctrine of Shared Burdens. Three cases studies-Rowhammer, Spectre, and Meltdown-are interpreted though the lens of this doctrine. Our doctrine illuminates why these problems exist and what can be done about them.","PeriodicalId":136554,"journal":{"name":"Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security","volume":"152 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123268460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Transient execution attacks use microarchitectural covert channels to leak secrets that should not have been accessible during logical program execution. Commonly used micro-architectural covert channels are those that leave lasting footprints in the micro-architectural state, for example, a cache state change, from which the secret is recovered after the transient execution is completed. In this paper, we present SpectreRewind, a new approach to create and exploit contention-based covert channels for transient execution attacks. In our approach, a covert channel is established by issuing the necessary instructions logically before the transiently executed victim code. Unlike prior contention based covert channels, which require simultaneous multi-threading (SMT), SpectreRewind supports covert channels based on a single hardware thread, making it viable on systems where the attacker cannot utilize SMT. We show that contention on the floating point division unit on commodity processors can be used to create a high-performance (~100 KB/s), low-noise covert channel for transient execution attacks instead of commonly used flush+reload based cache covert channels. We also show that the proposed covert channel works in the JavaScript sandbox environment of a Chrome browser.
{"title":"SpectreRewind: Leaking Secrets to Past Instructions","authors":"Jacob Fustos, M. Bechtel, H. Yun","doi":"10.1145/3411504.3421216","DOIUrl":"https://doi.org/10.1145/3411504.3421216","url":null,"abstract":"Transient execution attacks use microarchitectural covert channels to leak secrets that should not have been accessible during logical program execution. Commonly used micro-architectural covert channels are those that leave lasting footprints in the micro-architectural state, for example, a cache state change, from which the secret is recovered after the transient execution is completed. In this paper, we present SpectreRewind, a new approach to create and exploit contention-based covert channels for transient execution attacks. In our approach, a covert channel is established by issuing the necessary instructions logically before the transiently executed victim code. Unlike prior contention based covert channels, which require simultaneous multi-threading (SMT), SpectreRewind supports covert channels based on a single hardware thread, making it viable on systems where the attacker cannot utilize SMT. We show that contention on the floating point division unit on commodity processors can be used to create a high-performance (~100 KB/s), low-noise covert channel for transient execution attacks instead of commonly used flush+reload based cache covert channels. We also show that the proposed covert channel works in the JavaScript sandbox environment of a Chrome browser.","PeriodicalId":136554,"journal":{"name":"Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security","volume":"81 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"113985201","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security","authors":"","doi":"10.1145/3411504","DOIUrl":"https://doi.org/10.1145/3411504","url":null,"abstract":"","PeriodicalId":136554,"journal":{"name":"Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132322447","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: