1 Introduction

With the widespread use of personal computers and the Internet, protecting personal data in storage has become an increasingly important issue. Storage security is the specialty area of security concerned with securing data storage devices and the data that resides on them. According to the Storage Networking Industry Association (SNIA), storage security is the convergence of storage technologies, networking, and security methodologies for the purpose of protecting personal data. Historically, the focus has been both on the vendor side, making storage devices more secure, and on the consumer side, using storage devices in secure ways.

Prominent secure storage devices rely on RSA, ECC and related public key algorithms. However, a sufficiently large quantum computer running Shor's algorithm would break RSA, ECC and the other number-theoretic signature algorithms adopted by many storage devices, so storage security faces a severe long-term threat. Fortunately, there are post-quantum candidates suitable for storage devices, among them Multivariate Public Key Cryptography (MPKC) [1]. An MPKC scheme hides an easily invertible central quadratic map between two secret affine transformations; solving a random system of multivariate quadratic equations is believed to be hard on average for both classical and quantum computers [2].

Many multivariate schemes have been proposed over the past thirty years [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]. Hardware and software implementations of multivariate schemes have been a research focus in cryptography and engineering [20,21,22,23,24,25,26,27,28]. However, most of these implementations target Application Specific Integrated Circuits (ASICs) and Field-Programmable Gate Arrays (FPGAs) as stand-alone cryptographic cores; few of them have been integrated into storage devices.

We propose an efficient hardware architecture for storage devices built around a multivariate cryptographic scheme. First, the architecture comprises a processor module, cryptographic module, storage module, display module, power module, keyboard module, export module and an off-chip terminal module. Second, the multivariate scheme is chosen so that the device's signatures remain secure against attacks by quantum computers. Third, the scheme is implemented over the finite field GF(2^8), whose arithmetic reduces to byte-wide table look-ups and XORs; this is why multivariate signing and verification are claimed to be faster than RSA and ECC, and it significantly increases the speed of cryptographic operations on the storage device.

The hardware architecture is implemented in the Verilog hardware description language and synthesized with Design Compiler (DC), the Synopsys logic synthesis tool, using a TSMC 0.18 μm standard-cell CMOS Application Specific Integrated Circuit (ASIC) process. The implementation results show that our multivariate-based design is efficient and well suited to storage devices.

The rest of this paper is organized as follows. In Sect. 2, we introduce the cryptographic schemes of MPKC. In Sect. 3, we propose an efficient hardware architecture based on a multivariate cryptographic scheme for storage devices. In Sect. 4, we describe the implementation and present the experimental results. In Sect. 5, we summarize our conclusions.

2 Preliminary

A multivariate cryptographic scheme is built on a system of m quadratic polynomials in n variables over a small finite field K, as shown in Table 1 (Eq. (1)).

$$\begin{array}{l} p^{(0)}(x_0, x_1, \ldots, x_{n-1}) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} p_{ij}^{(0)} x_i x_j + \sum\limits_{i=0}^{n-1} p_i^{(0)} x_i + p_0^{(0)} \\ p^{(1)}(x_0, x_1, \ldots, x_{n-1}) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} p_{ij}^{(1)} x_i x_j + \sum\limits_{i=0}^{n-1} p_i^{(1)} x_i + p_0^{(1)} \\ \ldots \\ p^{(m-1)}(x_0, x_1, \ldots, x_{n-1}) = \sum\limits_{i=0}^{n-1} \sum\limits_{j=i}^{n-1} p_{ij}^{(m-1)} x_i x_j + \sum\limits_{i=0}^{n-1} p_i^{(m-1)} x_i + p_0^{(m-1)} \end{array}$$
(1)
Table 1 Basic construction of multivariate public cryptographic schemes

Multivariate cryptographic schemes are based on the multivariate quadratic (MQ) problem: given m quadratic polynomials \( p^{(0)}(x_0, x_1, \ldots, x_{n-1}), p^{(1)}(x_0, x_1, \ldots, x_{n-1}), \ldots, p^{(m-1)}(x_0, x_1, \ldots, x_{n-1}) \) in the n variables \( x_0, x_1, \ldots, x_{n-1} \), find a vector \( x = (x_0, x_1, \ldots, x_{n-1}) \) that satisfies the system of equations (2). The security of multivariate schemes relies on the difficulty of solving such a system for random-looking instances.

$$\begin{array}{l} {p^{(0)}}({x_0},{x_1}, \ldots ,{x_{n - 1}}) = 0\\ {p^{(1)}}({x_0},{x_1}, \ldots ,{x_{n - 1}}) = 0\\ \cdots \\ {p^{(m - 1)}}({x_0},{x_1}, \ldots ,{x_{n - 1}}) = 0 \end{array}$$
(2)

A multivariate cryptographic scheme is built from a quadratic central map \( F: K^n \to K^m \), which is easy to invert for whoever knows its structure, and two invertible affine maps \( S: K^m \to K^m \) and \( T: K^n \to K^n \). The public key is the composed map \( P = S \circ F \circ T: K^n \to K^m \), published as m explicit quadratic polynomials in n variables from which the factorization into S, F and T is hidden. The private key consists of \( F: K^n \to K^m \), \( S: K^m \to K^m \) and \( T: K^n \to K^n \).

Multivariate cryptographic schemes can be used for encryption and decryption as well as for signature generation and verification.

To encrypt a plaintext \( z \in K^n \), one evaluates the public key to obtain the ciphertext \( w = P(z) \in K^m \). To decrypt a ciphertext \( w \in K^m \), the owner of the private key computes \( x = S^{-1}(w) \in K^m \), \( y = F^{-1}(x) \in K^n \) and \( z = T^{-1}(y) \in K^n \). Encryption requires F to be injective, so that the plaintext is recovered uniquely. The encryption and decryption process of multivariate cryptographic schemes is depicted in Fig. 1.

Fig. 1 Multivariate Public Key Encryption and Decryption

To sign a message (in practice, its hash value) \( w \in K^m \), the signer computes \( x = S^{-1}(w) \in K^m \), \( y = F^{-1}(x) \in K^n \) and \( z = T^{-1}(y) \in K^n \); the signature is z. To verify a signature \( z \in K^n \), anyone can use the public key to compute \( P(z) \in K^m \) and compare it with the message w. For signatures F only needs some preimage for every x, not a unique one, which is why signature schemes such as enTTS use more variables than equations (n > m). The signature generation and verification process of multivariate cryptographic schemes is depicted in Fig. 2.

Fig. 2 Multivariate Public Key Signature Generation and Verification

3 An efficient hardware architecture based on multivariate cryptographic scheme for storage devices

3.1 An efficient hardware architecture

We propose an efficient hardware cryptographic architecture for storage devices based on a multivariate scheme. It comprises a processor module, cryptographic module, storage module, display module, power module, keyboard module, export module and an off-chip terminal module. The architecture is depicted in Fig. 3.

Fig. 3 An Efficient Cryptographic Architecture for Storage Devices

It can be observed from Fig. 3 that the architecture is composed of the following modules.

  1. Processor module is the kernel module, which includes the compute and control functions;

  2. Cryptographic module is the security module, which includes the RAM and enTTS functions;

  3. Storage module is the disk module, which includes the disk and disk Input/Output (I/O) functions;

  4. Display module is the output module, which includes the screen and screen controller functions;

  5. Power module is the supply module, which includes the battery and power controller functions;

  6. Keyboard module is the input module, which includes the keyboard and input controller functions;

  7. Export module is the peripheral module, which includes the USB and export controller functions;

  8. Terminal module is the application module, which includes the APP and USB functions.

3.2 Processor module

The processor module is the kernel of the storage device; it connects to all other modules.

The processor module consists of compute and control functions. The control function controls the other modules. The compute function performs integer addition and subtraction. The processor module adopts the Streaming SIMD Extensions (SSE) instruction set, an Intel instruction set extension introduced with the Pentium III.

The I/Os of the processor module are an output port c, which delivers the cipher text (the signature), the input ports a and b, through which the secret keys and plain texts (messages) enter, a clock port clk and a reset port res. The inputs and outputs are summarized in Table 2.

Table 2 Inputs and outputs of the architecture
  1. Message: the message is 20 bytes (the hash value of the data to be signed);

  2. Signature: the signature is 28 bytes;

  3. Private key F: F is the central map transformation, a system of 20 multivariate quadratic polynomial equations in 28 variables; together with L1 and L2 it forms the private key;

  4. Private key L1: an affine transformation of the form y = Ax + B, where A is an invertible 20 × 20 matrix and B is a vector of size 20;

  5. Private key L2: an affine transformation of the form y = Ax + B, where A is an invertible 28 × 28 matrix and B is a vector of size 28;

  6. Public key \( \bar{F} \): the composition of F, L1 and L2, \( \bar{F} = L_{1} \circ F \circ L_{2} \) (L1 and L2 play the roles of S and T in Sect. 2);

  7. Clock signal: 50 MHz, i.e. a clock period of 20 ns;

  8. Reset signal: when res is 1, all modules are reset and their state is cleared to 0.

3.3 Power module and display module

The display module shows the output information of the storage device and acts as the bridge between the user and the device. It includes the screen and the screen controller functions. We adopt a 3 × 2 cm Liquid-Crystal Display (LCD) in the display module; the output information of the storage device is shown on this screen.

The power module supplies electric power to the storage device; it includes the power source and the power controller.

3.4 Storage module

The storage module includes the disk and disk I/O functions. We adopt a 512 MB Solid-State Drive (SSD) in the storage module. The disk stores the user's secret keys and personal data. Personal data includes account information, financial information, health information, certificates, etc.; the secret keys are used in the enTTS cryptographic operations. Because the private key shares the disk with the data it protects, the disk I/O path to the key region should be reachable only from the cryptographic module. The disk I/O component has the ports ra0, ra1, rd0, rd1, ro0, ro1, re0 and re1, which are listed in Table 3.

Table 3 Inputs and outputs of storage module
  1. ra0 and ra1: 8-bit address input ports;

  2. rd0 and rd1: 2-byte (16-bit) data input ports;

  3. ro0 and ro1: 8-bit data output ports;

  4. re0 and re1: 1-bit enable input ports.

3.5 Cryptographic module

The cryptographic module consists of RAM and the enTTS engine. The user's data and secret keys reside in the storage module; the cryptographic module reads them from the storage module into its RAM and uses the enTTS algorithm to generate and verify signatures. The enTTS scheme is summarized in Table 4 and described as follows.

Table 4 Parameters of cryptographic module

Let the hash value of the message be \( y = (y_0, y_1, \ldots, y_{19}) \), a vector of 20 field elements of K = GF(2^8), and let the enTTS signature be \( x = (x_0, x_1, \ldots, x_{27}) \), a vector of 28 field elements.

To sign a hash value \( y = (y_0, y_1, \ldots, y_{19}) \), we need to solve the following equation for \( x = (x_0, x_1, \ldots, x_{27}) \).

$$ F^\circ L_{2} (x_{0} ,x_{1} , \ldots ,x_{27} ) = L_{1}^{ - 1} (y_{0} ,y_{1} , \ldots ,y_{19} ). $$
(3)

To do this, we first solve

$$ \bar{y} = L_{1}^{ - 1} (y_{0} ,y_{1} , \ldots ,y_{19} ). $$
(4)

\( L_{1}^{-1} \) is an affine transformation of the following form.

$$ \bar{y} = Ay + B. $$
(5)

Second, it is required to solve the following equation.

$$ \bar{x} = F^{ - 1} (\bar{y}_{0} ,\bar{y}_{1} , \ldots ,\bar{y}_{19} ). $$
(6)

The central map transformation F takes the 28 variables \( \bar{x}_0, \ldots, \bar{x}_{27} \) to 20 polynomial values \( f_0, \ldots, f_{19} \) and has the following form.

$$ F(\bar{x}_{0} ,\bar{x}_{1} , \ldots ,\bar{x}_{27} ) = (f_{0} ,f_{1} , \ldots ,f_{19} ). $$
(7)

The MQ polynomials \( f_i \) are defined by

$$ \begin{aligned} f_{i - 8} = \bar{x}_{i} + \sum\nolimits_{j = 1}^{7} {p_{ij} \bar{x}_{j} } \bar{x}_{8 + ((i + j)\;\bmod \;9)} ,\;\;\;\;i \, = \, 8,9, \ldots ,16, \hfill \\ f_{9} = \bar{x}_{17} + p_{17,1} \bar{x}_{1} \bar{x}_{6} + p_{17,2} \bar{x}_{2} \bar{x}_{5} + p_{17,3} \bar{x}_{3} \bar{x}_{4} + p_{17,4} \bar{x}_{9} \bar{x}_{16} + p_{17,5} \bar{x}_{10} \bar{x}_{15} + p_{17,6} \bar{x}_{11} \bar{x}_{14} + p_{17,7} \bar{x}_{12} \bar{x}_{13} , \hfill \\ f_{10} = \bar{x}_{18} + p_{18,1} \bar{x}_{2} \bar{x}_{7} + p_{18,2} \bar{x}_{3} \bar{x}_{6} + p_{18,3} \bar{x}_{4} \bar{x}_{5} + p_{18,4} \bar{x}_{10} \bar{x}_{17} + p_{18,5} \bar{x}_{11} \bar{x}_{16} + p_{18,6} \bar{x}_{12} \bar{x}_{15} + p_{18,7} \bar{x}_{13} \bar{x}_{14} , \hfill \\ f_{i - 8} = \bar{x}_{i} + p_{i,0} \bar{x}_{i - 11} \bar{x}_{i - 9} + \sum\nolimits_{j = 19}^{i} {p_{i,j - 18} \bar{x}_{2(i - j)} \bar{x}_{j} } \, \; + \sum\nolimits_{j = i + 1}^{27} {p_{i,j - 18} \bar{x}_{i - j + 19} \bar{x}_{j} } ,i = 19,20, \ldots ,27, \hfill \\ \end{aligned} $$
(8)

In these equations the coefficients \( p_{ij} \) are part of the private key. The polynomials \( f_0, f_1, \ldots, f_{19} \) in

$$ \bar{y} = (\bar{y}_{0} ,\bar{y}_{1} , \ldots ,\bar{y}_{19} ) = (f_{0} ,f_{1} , \ldots ,f_{19} ) $$
(9)

can be divided into three groups:

$$ \begin{aligned} &f_{i} |i = 0,1, \ldots ,8 \hfill \\ &f_{i} |i = 9,10 \hfill \\ &f_{i} |i = 11,12, \ldots ,19. \hfill \\ \end{aligned} $$
(10)

Similarly, the variables \( \bar{x} = (\bar{x}_{0} ,\bar{x}_{1} , \ldots ,\bar{x}_{27} ) \) are divided into four groups:

$$ \begin{aligned} &\bar{x}_{i} |i = 0,1, \ldots ,7 \hfill \\ &\bar{x}_{i} |i = 8,9, \ldots ,16 \hfill \\ &\bar{x}_{i} |i = 17,18 \hfill \\ &\bar{x}_{i} |i = 19,20, \ldots ,27. \hfill \\ \end{aligned} $$
(11)

Inverting F means finding \( \bar{x} \) with \( f_k(\bar{x}) = \bar{y}_k \) for k = 0, 1, …, 19, and the grouping makes this possible one layer at a time. First, we choose \( \bar{x}_{0} ,\bar{x}_{1} , \ldots ,\bar{x}_{7} \) at random. With these fixed, every product in \( f_0, f_1, \ldots, f_8 \) contains exactly one of \( \bar{x}_{8} , \ldots ,\bar{x}_{16} \), so \( f_0 = \bar{y}_0, \ldots, f_8 = \bar{y}_8 \) is a system of 9 linear equations in the 9 unknowns \( \bar{x}_{8} ,\bar{x}_{9} , \ldots ,\bar{x}_{16} \), which we solve.

Next, \( \bar{x}_{17} \) and then \( \bar{x}_{18} \) follow directly from \( f_9 = \bar{y}_9 \) and \( f_{10} = \bar{y}_{10} \): every product in \( f_9 \) involves only variables already fixed, and \( f_{10} \) additionally involves \( \bar{x}_{17} \).

Then, with \( \bar{x}_{0} , \ldots ,\bar{x}_{18} \) known, \( f_{11} = \bar{y}_{11}, \ldots, f_{19} = \bar{y}_{19} \) form a second 9 × 9 system of linear equations in \( \bar{x}_{19} ,\bar{x}_{20} , \ldots ,\bar{x}_{27} \), which we solve in the same way. If either linear system turns out to be singular, new random values \( \bar{x}_{0} , \ldots ,\bar{x}_{7} \) are chosen and the procedure is repeated.

Last, we solve

$$ x = L_{2}^{ - 1} (\bar{x}_{0} ,\bar{x}_{1} , \ldots ,\bar{x}_{27} ). $$
(12)

\( L_{2}^{-1} \) is an affine transformation

$$ x = C\bar{x} + D. $$
(13)

Finally, \( x = (x_0, x_1, \ldots, x_{27}) \) is the enTTS signature of the hash value y. Verification evaluates the public key: the signature is accepted if \( \bar{F}(x) = y \).

3.6 Other modules

The keyboard module includes the keyboard and the input controller functions. We adopt a small keyboard; it is the main input device of the storage device.

The export module is composed of the USB interface and the export controller. USB (Universal Serial Bus) serves as the bridge between the storage device and personal computers, and the export module standardizes that connection. We adopt USB 3.1 in the export module; USB 3.1 Gen 2 provides 10 Gbit/s.

The terminal module includes the USB interface and the APP, and runs on a personal computer. The storage device is connected to the personal computer via USB 3.1. We implement an APP on the personal computer that authenticates to the storage device with a username and password.

4 Implementation

We adopt the enTTS(20,28) scheme in our design. The flowchart for generating an enTTS signature is shown in Fig. 4.

Fig. 4 Implementation of Cryptographic System

The main computations in the enTTS implementation are multiplication and inversion in GF(2^8).

To compute multiplications in GF(2^8), we implement a table look-up method, described in the following.

GF(2^8) has 256 elements. Let α be a primitive element, so that every non-zero element can be represented as a power of α, and let p(x) be the irreducible polynomial of degree 8 that defines GF(2^8). We compute and store \( k_i(x) \) at address i of the look-up table according to the following equation. Because Example 1 below takes α = (00000010)_2 = x, p(x) must be a primitive polynomial; the AES polynomial x^8 + x^4 + x^3 + x + 1, for instance, does not qualify, since x has order 51 rather than 255 modulo it.

$$ k_{i} (x) = \alpha^{i} \;\bmod \;p(x) $$
(14)

Table 5 shows the look-up table for multiplications in GF(2^8). Elements of GF(2^8) are written as bit strings (b_7 b_6 … b_0)_2 with b_i ∈ GF(2), i.e. b_i = 0 or 1, the coefficients of a polynomial of degree at most 7. To multiply two non-zero elements α^i and α^j, the exponents i and j are obtained by the reverse look-up (the logarithm table), added modulo 255, and the product α^{(i+j) mod 255} is read from address (i + j) mod 255. The element 0 has no logarithm and is handled separately: any product with 0 is 0. The following is an example of multiplication by table look-up.

Table 5 Table Look-up for Multiplications in GF(28)

Example 1

Compute (00000010)_2 × (00000100)_2. Since (00000010)_2 = α^1 and (00000100)_2 = α^2, the product is α^1 × α^2 = α^3. Looking up address 3 in Table 5 gives α^3 = (00001000)_2. Therefore (00000010)_2 × (00000100)_2 = (00001000)_2.

To compute inversions in GF(2^8), we likewise implement a table look-up method, described in the following.

GF(2^8) has 256 elements. For each non-zero address i, interpreted as the field element with bit pattern i, we compute and store \( k_i(x) = i^{-1} \) at address i of the look-up table according to the following equation; address 0 has no inverse.

$$ i \times k_{i} (x)\;\bmod \;p(x) = (00000001)_{2} $$
(15)

The table entries are precomputed once with another inversion method, e.g. Fermat's little theorem, which gives \( a^{-1} = a^{254} \) in GF(2^8) because \( a^{255} = 1 \) for every non-zero a. Table 6 shows the look-up table for inversions in GF(2^8). The following is an example of inversion.

Table 6 Table look-up for inversions in GF(28)

Example 2

Compute (00000001)_2^{−1}. Looking up Table 6 gives k_1(x) = (00000001)_2, so the inverse of (00000001)_2 is (00000001)_2.

We use the multipliers and the inverter to solve systems of linear equations in GF(2^8). Each of the two systems in the signing procedure has a 9 × 9 coefficient matrix. The method used in the architecture is Gaussian elimination, also known as row reduction, which proceeds in two steps. The first step transforms Ax = b into an equivalent system A′x = b′ by forward elimination, where A′ is a 9 × 9 upper-triangular matrix and b′ is a vector of size 9. This takes 9 iterations for a 9 × 9 matrix, each consisting of pivoting (finding a non-zero entry in the current column and swapping its row into place), normalization (scaling the pivot row by the inverse of the pivot, which uses the inverter) and elimination (subtracting multiples of the pivot row from the other rows, which in GF(2^8) is an XOR of multiplier outputs). The second step solves A′x = b′ by backward substitution, giving the equivalent system A″x = b″ in which A″ is the 9 × 9 identity matrix and b″, a vector of size 9, is the solution of Ax = b. If a column contains no non-zero pivot, the matrix is singular and the signer restarts with new random values \( \bar{x}_{0} , \ldots ,\bar{x}_{7} \). Note also that the pivot search and the table look-ups are data dependent, which is a timing and power side-channel consideration for a hardware signer.

We adopt 28 multipliers and one inverter in our architecture. The hardware architecture is implemented in Verilog and synthesized with Design Compiler using the TSMC 0.18 μm standard-cell CMOS ASIC process. The execution time of the multivariate scheme is 240 μs and its area is small, which shows that our multivariate-based design is efficient.
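The program below is an added example written for this edition; it is neither the paper's Verilog design nor the enTTS(20,28) core it reports on. It ties together the S ∘ F ∘ T structure of Sect. 2, the layered inversion of the central map used for signing in Sect. 3.5 (steps (4) and (12) with the random, linear-solve, direct, linear-solve stages in between) and the GF(2^8) look-up tables and Gaussian elimination of this section. Two things are assumed that the paper does not state: the field is built on p(x) = x^8 + x^4 + x^3 + x^2 + 1 (0x11D), a primitive polynomial for which α = x is a primitive element as Example 1 requires; and the central map is a scaled-down TTS-style map with 8 variables and 6 polynomials that has the same vinegar / layer 1 / middle / layer 2 shape as enTTS(20,28) but is not the map of Eq. (8). All function and constant names (gf_mul, gf_inv, gauss_solve, LAYERS, keygen, sign, verify, DIGEST) are the example's own, and DIGEST is a constructed 6-byte stand-in for a hash value.

```python
import secrets
from functools import reduce

# GF(2^8) look-up tables (Sect. 4, Tables 5 and 6). The paper does not name p(x); ASSUMED
# here: p(x) = x^8 + x^4 + x^3 + x^2 + 1 (0x11D), for which alpha = x is primitive.
POLY = 0x11D
EXP, LOG, _a = [0] * 510, [0] * 256, 1       # EXP[i] = alpha^i (stored twice), LOG[alpha^i] = i
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _a
    LOG[_a] = _i
    _a = (_a << 1) ^ (POLY if _a & 0x80 else 0)   # multiply by alpha = x, reduce by p(x)
def gf_mul(a, b):                            # alpha^i * alpha^j = alpha^(i+j): two look-ups
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]
def gf_inv(a):                               # (alpha^i)^-1 = alpha^(255-i); zero has no inverse
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return EXP[255 - LOG[a]]
def xsum(values):                            # addition in GF(2^8) is XOR
    return reduce(lambda p, q: p ^ q, values, 0)

def gauss_solve(A, b):                       # A x = b: pivot, normalise, eliminate per column
    n = len(A)                               # (Sect. 4); None when A is singular
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = gf_inv(M[c][c])
        M[c] = [gf_mul(inv, v) for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [v ^ gf_mul(f, w) for v, w in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

# Scaled-down TTS-style central map (8 variables, 6 polynomials), inverted in the stage
# order of Sect. 3.5: xbar0, xbar1 random; layer 1; the middle variable; layer 2.
N, M = 8, 6
LAYERS = [([0, 1, 2], [2, 3, 4]), ([3], [5]), ([4, 5], [6, 7])]  # (polynomials, variables solved)

def rand_affine(n):                          # y = A x + B with A invertible
    while True:
        A = [[secrets.randbelow(256) for _ in range(n)] for _ in range(n)]
        if gauss_solve(A, [0] * n) is not None:
            return A, [secrets.randbelow(256) for _ in range(n)]
def affine(L, v):
    A, B = L
    return [bi ^ xsum(gf_mul(aij, vj) for aij, vj in zip(row, v)) for row, bi in zip(A, B)]
def affine_inv(L, w):                        # solve A xbar = w - B instead of storing A^-1
    A, B = L
    return gauss_solve(A, [wi ^ bi for wi, bi in zip(w, B)])

def keygen():                                # private key (F, L1, L2)
    F = []                                   # f_k = xbar[t] + sum c * xbar[a] * xbar[w], with at
    for _, oil in LAYERS:                    # most one of the layer's own variables per product
        known = list(range(oil[0]))
        for t in oil:
            F.append((t, [(secrets.randbelow(256), a, w)
                          for a in known for w in known + oil if a <= w]))
    return F, rand_affine(M), rand_affine(N)

def eval_F(F, xbar):
    return [xbar[t] ^ xsum(gf_mul(c, gf_mul(xbar[a], xbar[w])) for c, a, w in terms)
            for t, terms in F]

def public_map(key, x):                      # Fbar = L1 o F o L2, evaluated by composition here;
    F, L1, L2 = key                          # a deployed verifier holds the expanded polynomials
    return affine(L1, eval_F(F, affine(L2, x)))

def sign(key, y):
    F, L1, L2 = key
    ybar = affine_inv(L1, y)                                   # eq. (4)
    while True:                                                # retry if a layer is singular
        xbar = [secrets.randbelow(256) for _ in range(N)]      # vinegar values stay random
        for eqs, oil in LAYERS:
            A, b = [[0] * len(oil) for _ in eqs], []
            for r, k in enumerate(eqs):
                t, terms = F[k]
                A[r][oil.index(t)] ^= 1
                rhs = ybar[k]
                for c, a, w in terms:
                    if w in oil:                               # linear in a layer variable
                        A[r][oil.index(w)] ^= gf_mul(c, xbar[a])
                    else:                                      # both factors already fixed
                        rhs ^= gf_mul(c, gf_mul(xbar[a], xbar[w]))
                b.append(rhs)
            sol = gauss_solve(A, b)
            if sol is None:
                break
            xbar[oil[0]:oil[-1] + 1] = sol                     # layer variables are contiguous
        else:
            return affine_inv(L2, xbar)                        # eq. (12)

def verify(key, x, y):
    return public_map(key, x) == y

DIGEST = [0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC]  # constructed 6-byte stand-in for the hash value
```

Calling sign(key, DIGEST) with key = keygen() returns an 8-element signature that verify(key, sig, DIGEST) accepts, while any altered byte is rejected. public_map evaluates \( \bar{F} = L_{1} \circ F \circ L_{2} \) by composition because that is enough to check correctness; a deployed verifier holds only the expanded quadratic polynomials and never sees L1, F or L2. The retry loop in sign covers the case the paper's procedure leaves implicit: when a layer's linear system is singular for the chosen vinegar values, fresh random values are drawn and the inversion is repeated.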

5 Conclusion

In this paper we have proposed an efficient hardware architecture for storage devices built around a multivariate cryptographic scheme. First, the architecture comprises a processor module, cryptographic module, storage module, display module, power module, keyboard module, export module and an off-chip terminal module. Second, the multivariate scheme is chosen so that the device's signatures remain secure against attacks by quantum computers. Third, the scheme is implemented over the finite field GF(2^8), whose arithmetic reduces to byte-wide table look-ups and XORs, which significantly increases the speed of cryptographic operations on the storage device and is why multivariate schemes are claimed to be faster than RSA and ECC. We have implemented the architecture as an ASIC. The implementation results show that our multivariate-based design is efficient and well suited to storage devices.