Crypto Blaze : 8-Bit Security Microcontroller

CryptoBlaze: 8-Bit Security

Microcontroller

Quick Start Training

Agenda

• What is CryptoBlaze?• KryptoKit• GF(2m) Multiplier• Customize CryptoBlaze• Attacks• CryptoBlaze Support


What is CryptoBlaze?

• A fully customizable soft microcontroller – PicoBlaze– 49 baseline16-bit instructions– 8 general-purpose 8-bit registers

• Set of Cryptographic processor architecture extensions (“KryptoKit”)– Field operations– S-Boxes– LFSR extensions


PicoBlaze


PicoBlaze Baseline Instruction Set

Control Arith./Logical Shift/Rotate Interrupt;I/OJUMP aa ADD sX, KK SR0 sX INTERRUPTJUMP Z, aa ADDCY sX, KK SRX sX RETURNIJUMP NZ, aa SUB sX, KK SRA sX INTP DISABLEJUMP NC, aa SUBCY sX, KK RR sX INTP ENABLECall aa ADD sX, sY SL0 sX ENABLE INTPCall Z, aa ADDCY sX, xY SL1 sX DISABLE INTPCall NZ, aa SUB sX, sY SLX sX INPUT sX, PPCall C, aa SUBCY sX, sY SLA sX INPUT sX, sYCall NC, aa LOAD sX, KK RL sX OUTPUT sX, PPRETURN AND sX, KK OUTPUT sX, sYRETURN Z OR sX, KKRETURN NZ XORsX, KKRETURN C LOAD sX, sYRETURN NC Or sX, sY

AND sX, sYXOR sX, sY


KryptoKitFunction Size Resource Usage CommentsGF(24) multiplier 4 bit 12 macrocells Gates+flopsGF(28) multiplier 8 bit 24 macrocells Gates+flopsGF(216) multiplier 16 bit 48 macrocells Gates+flopsGF(232) multiplier 32 bit 96 macrocells Gates+flopsGF(2163) multiplier 163 bit 340 macrocells Serial inputAES S-box 8 bit 384 ANDs,8 ORs Flops unusedLFSRs variable One / stage ANDs unusedIrreduc.Polynom. variable 3-5 ANDs * Flops unusedLog (28) 8 bit 383 ANDs,8 ORs Flops unusedExp (28) 8 bit 370 ANDs,8 ORs Flops unusedGF(28 ) Inverter 8 bit 397 ANDs,8 ORs Flops unused

* irreducible polynomial in trinomial or pentanomial form


What is a Galois Field?

• Finite Field with binary operands• Has all the math properties for closure on

addition, multiplication, commutivity, etc.• An extension field permits polynomial notation

and algebraic manipulation• Commonly used to describe Linear Feedback

Shift Registers• Very interesting properties appropriate to CPLDs


Finite Field Arithmetic

• Field Arithmetic is cool– All operands ultimately the same number of bits– Suitable for fixed word size applications

• Cryptography• Channel coding (Reed Solomon, BCH, Viterbi, etc.)• Digital signal processing

• Addition for Galois Fields is just EX-OR• Multiplication can be done with Add/Shift

– Needs polynomial “modulo” correction


Example: GF(23) MultiplyExample of 8 Bit Multiplication

57 * 83 = C1 (reduction polynomial = X 8 + X 4 + X 3 + X + 1 = 100011011)

0101 0111 (57) x 1000 0011 (83) 01010111 01010111 00000000 00000000 00000000 00000000 00000000 01010111_______ 10101101111001 (answer, must be reduced) EX-OR 100011011_____ 00100000011001 (must be reduced again!) EX-OR 100011011___ 000011000001 = C1 (done! ie, stop when msb=1)


GF(2m) Multiplier/Adder

• Natural extension of Berlekamp-Massey structure• Based on work of Johannes Großschädl• Compiled & simulated • Works in serial or parallel modes• Can use DualEdge clocking for performance• Operates up to: 250+ MHz• Built up to 163 bits long in CoolRunner-II• App Note on GF(2m) Multiplier (Xapp 371)


GF(24) Multiplier

DQ

DQ

DQ

1

0D

Q

DQ

DQ

1

0D

Q

DQ

DQ

1

0D

Q

DQ

DQ

0

1

DQ

DQ

DQ

DQ

MPY/ADD

MULTIPLIER

MSB

MULTIPLICAND

MSB

IRREDUCIBLE POLYNOMIAL

RESULTMSB

NOTE: CLOCKS & EXTERNAL DATA INPUT CONNECTIONS ARE NOT SHOWN

R(3) R(2) R(1) R(0)

P(3) P(2) P(1) P(0)

A(3) A(2) A(1) A(0)

B(3) B(2) B(1) B(0)

RESULT = (A x B)mod P


Res. MS bit =1?

Subtract Polynomial

Left shift Result (fill with 0)Result = Result (A i AND B)

Result = 0 Loop = 3

Loop = Loop -1

Loop = 0? DoneYes

No

Yes

No

The Flow


CryptoBlaze =PicoBlaze with Field Operations

GF(23) MPY


Applications

• ECC-Error Channel Coding– Reed-Solomon – BCH operations

• ECC-elliptic curve cryptography• RSA • Advanced Encryption Standard


CoolRunner-II Enhanced Security

• Multiple security bits• Nonvolatile• Reconfigurable• Multiple metal layers• Difficult to reverse engineer• Double Data Rate Operation• DataGate


Design Your Own• Start with baseline instrs. - delete unused ones• Add choice of elements from KryptoKit• Evaluate tradeoffs of S/W vs. H/W solutions

– First identify bottlenecks– Second evaluate replacement H/W

• Invent new instructions• Tune the processor to suit your requirements• Easy to add to VHDL and the assembler


Attacks• Anything that can get a cryptographic module to

reveal its “secret” is an attack– Brute force attack (lots of trials)– Chosen text attacks– Side channel

• Timing attacks• Power analysis• Tempest attack

• Usually targets the protocol


Power Analysis: Kerckhoffs meets Kirchoff

• Looks at the current flow into a chip over time• Distinguishes “different” power behavior to reveal

inner behavior of algorithm• Usually focuses on microprocessors, with knowledge

of algorithm and instruction set• Easily identifies loop/branching behavior

– loop behavior correlates to keystream bits

• CryptoBlaze method permits tuning of the processor to increase difficulty of Power Analysis


Basic Idea

input output

-+


Power Attack Strategies• Loop behavior is identified with Power Analysis• Loop unrolling helps• Breaking up loops helps• Modifying instructions helps• Modifying hardware helps

– bogus randomizing hardware

• Homogenizing execution time helps• Main idea: changing the hardware helps!• Power tuning is possible


CryptoBlaze Conclusion• Building specialized processors can improve:

– Performance– Power consumption– Security

• Development support available free from Xilinx– Basic reference design– Cross Assembler– Krypto Kit

• Fully supported by Xilinx Design Software

Crypto Blaze : 8-Bit Security Microcontroller

Documents

Transcript of Crypto Blaze : 8-Bit Security Microcontroller