Error detecting AES using polynomial residue number systems

https://doi.org/10.1016/j.micpro.2012.05.010

Abstract

A new method using polynomial residue number systems (PRNS) is introduced in this paper to protect the Advanced Encryption Standard (AES) against fault attacks. Using PRNS, the byte-based AES operations over GF(2^8) are decomposed into several parallel operations on the residues of each byte over smaller fields. Three GF(2^4) irreducible polynomials are selected as the moduli set for the chosen PRNS, including a redundant modulus to achieve error detection. Three GF(2^4) AES cores are constructed individually according to the chosen moduli. This PRNS architecture brings several advantageous features to the AES design from the point of view of side-channel resistance. Firstly, for each 8-bit GF(2^8) element, the implementation is capable of detecting up to 4-bit errors that occur in a single GF(2^4) AES core. Secondly, thanks to the data independence between PRNS operations, the distributed PRNS AES cores have an intrinsic resistance against probing attacks. In addition, due to the introduction of redundant information and the replacement of the original representation by the residue representation, more confusion is added to the system, which may also enhance the design's security. To the authors' knowledge, this is the world's first PRNS AES implementation. Two different architectures for implementing the proposed error detecting AES are demonstrated and supported by actual hardware implementation results on FPGA.

Introduction

In 2000, the Rijndael cipher, designed by Vincent Rijmen and Joan Daemen, was selected as the Advanced Encryption Standard (AES) by the National Institute of Standards and Technology (NIST). In the following year the algorithm became Federal Information Processing Standard FIPS-197 [1]. As the AES has been widely adopted for different applications, higher reliability of AES designs is required. In recent years, numerous attack schemes have been introduced to break cryptographic systems and extract secret information via side-channel analysis, that is, by analyzing or manipulating observations of the physical characteristics of the electronic cryptographic system. Typical examples are timing attacks [2], power attacks [3], electromagnetic radiation attacks [4] and fault attacks [5], [6]. Prior work has shown that even a single transient error occurring during the AES round operations will very likely result in a large number of errors in the final data [7]. In addition, several attack scenarios have shown that the AES is quite vulnerable to fault attacks [7], [8], [9], [10], [11]. Hence it is necessary to provide error detection mechanisms in the AES design to achieve a higher level of reliability and security.

There are several approaches to achieving error detection for cryptographic systems. Generic solutions are duplication and repeated computation; however, these either double the hardware overhead or the latency, and they are not protective against permanent faults. Error detecting codes are widely used by engineers to implement error-proof designs. An overview of the error-detecting-code based protection mechanisms for AES implementations can be found in [12]. There are mainly two solutions: parity code based schemes [7], [13], [14] and residue code based schemes [15], [16]. The parity-based methods show low hardware overhead but are weak at detecting multiple faults; the residue code based schemes have good multiple-fault coverage but are weak in single-fault detection, and they become complicated and hardware consuming when predicting the residue codes for non-linear operations such as the SubBytes operation of the AES.

The PRNS based error detecting approach proposed in this paper can detect 100% of single-bit errors and up to 4-bit errors that occur in a single GF(2^4) AES core for each byte-based operation. The error detection mechanism is constructed from a simple XOR-AND network, which is quite low in hardware cost. In addition, the original AES operations are distributed across three GF(2^4) AES cores, each with its own data path, which gives the AES design a built-in resistance against probing attacks. Furthermore, a unique SBox look-up table (LUT) is constructed for each GF(2^4) AES core, into which redundant information is added; hence it boosts the confusion level of the system. Detailed design information is given in Section 3. Two different architectures that apply PRNS to the AES are demonstrated in Section 4: one is based on a 32-bit data path AES, the other uses an 8-bit data path round-looping architecture. Hardware overhead is compared and analyzed for the different architectures in Section 5. Error coverage analysis and comparisons are given in Section 6.

Section snippets

The AES algorithm

The AES is a symmetric block cipher, which uses the same key for both encryption and decryption. It has been broadly used in different applications, including smart cards and cellular phones, web servers and automated teller machines. Like other symmetric ciphers, the AES applies round operations iteratively to the plaintext to generate the ciphertext. There are four transformations in a round operation: SubBytes, ShiftRows, MixColumns and AddRoundKey. Derived from the cipher key,

Proposed architecture

To implement the PRNS architecture, three GF(2^4) AES cores are individually constructed. They perform the AES transformations on the residue representation of the original data. According to PRNS theory, an arbitrary GF(2^8) element can be uniquely represented by its two GF(2^4) residues. A redundant GF(2^4) AES core is introduced to construct the illegitimate range for error detection. The error detection mechanism converts the residue representation back to the normal representation and performs

32-Bit data path AES using PRNS

The first attempt at constructing an AES encryption core using the PRNS architecture adopts a 32-bit data path and a column-transformation based approach to trade off hardware consumption against throughput. Due to the use of a PRNS representation, each GF(2^4) AES core uses a 16-bit data path. The architecture introduced in [26] is adopted.

The encryption core consists mainly of a StateRAM, an SBox, a MixColumns unit and several XORs for AddRoundKey (Fig. 3). The StateRAM is constructed using four 8 × 4-bit dual-port

Hardware implementation and results

Table 4 shows the synthesis results of the proposed PRNS error detecting AES. To the authors' knowledge, this is the first AES design to use such a PRNS error detection scheme. To enable a fair comparison, a normal 32-bit AES and a normal 8-bit AES, adopting the same architectures as the PRNS core designs, are implemented on the same platform (Xilinx Spartan-3 3s1500fg320-4 FPGA). Comparisons are listed below:

It can be seen from the above table, as expected, due to the use of

Error coverage analysis and comparison

For the AES byte operation, the proposed error-detecting scheme is capable of detecting 100% of single-bit errors and 100% of single-core errors (where the error occurs in only one core, up to 4-bit multiple errors). If multiple faults occur across different cores, the probability of detecting the error with this scheme is (only those erroneous results that do not overflow into the illegitimate range, i.e. that still decode to a valid 8-bit value, will be missed)

$$\frac{2^{12} - 2^{8}}{2^{12}} = 93.75\%$$

Comparisons with other error detection schemes are shown in the following table. As can be seen, though
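The following Python example is added here to make the residue representation and the illegitimate-range check from the Proposed architecture section concrete, and to reproduce the 2^12 and 2^8 that appear in the coverage figure above; it is not the paper's own code. It assumes that the three moduli are the three irreducible degree-4 polynomials over GF(2) (x^4+x+1, x^4+x^3+1, x^4+x^3+x^2+x+1; which of them plays the "redundant" role does not matter for the check) and that the check is performed by a polynomial CRT reconstruction over all three moduli followed by a degree test. The paper's XOR-AND checking network is not reproduced, and all function names (to_prns, from_prns, check_and_decode, and so on) are this example's own.

```python
"""PRNS representation of AES bytes with a redundant GF(2^4) modulus for error detection.

Added example, not the paper's code. Polynomials over GF(2) are Python ints with
bit i holding the coefficient of x^i, so the AES byte 0x57 is x^6+x^4+x^2+x+1.
"""
from functools import lru_cache
from itertools import product

# Assumed moduli set: the only three irreducible degree-4 polynomials over GF(2).
MODULI = (0x13, 0x19, 0x1F)   # x^4+x+1, x^4+x^3+1, x^4+x^3+x^2+x+1
LEGIT_DEGREE = 8              # a genuine AES byte has degree < 8
CORE_BITS = 4                 # each GF(2^4) core holds one 4-bit residue


def deg(p):
    """Degree of a GF(2) polynomial; deg(0) = -1."""
    return p.bit_length() - 1


def pmul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a, m):
    """Remainder of a divided by m in GF(2)[x]."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a


def is_irreducible(m):
    """Trial division by every polynomial of degree 1..deg(m)//2."""
    return all(pmod(m, d) != 0 for d in range(2, 1 << (deg(m) // 2 + 1)))


def pinv(a, m):
    """Inverse of a modulo the irreducible m; m is tiny, so search all residues."""
    for y in range(1, 1 << deg(m)):
        if pmod(pmul(a, y), m) == 1:
            return y
    raise ValueError("no inverse: a is 0 mod m")


@lru_cache(maxsize=None)
def crt_basis(moduli):
    """CRT idempotents: e_i is 1 mod m_i and 0 mod every other modulus."""
    big_m = 1
    for m in moduli:
        big_m = pmul(big_m, m)
    basis = []
    for m in moduli:
        m_i = 1
        for other in moduli:
            if other != m:
                m_i = pmul(m_i, other)
        basis.append(pmul(m_i, pinv(pmod(m_i, m), m)))
    return big_m, tuple(basis)


def to_prns(byte, moduli=MODULI):
    """Forward conversion: one 4-bit residue per core."""
    return tuple(pmod(byte, m) for m in moduli)


def from_prns(residues, moduli=MODULI):
    """Reverse conversion: the unique polynomial of degree < 12 with these residues."""
    big_m, basis = crt_basis(moduli)
    x = 0
    for r, e_i in zip(residues, basis):
        x ^= pmul(r, e_i)
    return pmod(x, big_m)


def check_and_decode(residues):
    """Error check: the three residues span a 12-bit dynamic range, but a correct
    AES byte decodes to degree < 8. Anything else is in the illegitimate range."""
    x = from_prns(residues)
    return None if deg(x) >= LEGIT_DEGREE else x


def single_core_errors_missed():
    """Inject every nonzero error into one core at a time; returns how many slip through."""
    missed = 0
    for byte in range(256):
        good = to_prns(byte)
        for core in range(len(MODULI)):
            for err in range(1, 1 << CORE_BITS):
                bad = list(good)
                bad[core] ^= err
                if check_and_decode(bad) is not None:
                    missed += 1
    return missed


def multi_core_coverage():
    """Count the residue triples that decode as legitimate, and the detection
    probability for an arbitrary (multi-core) corruption, i.e. (2^12 - 2^8) / 2^12."""
    legit = sum(1 for t in product(range(1 << CORE_BITS), repeat=len(MODULI))
                if check_and_decode(t) is not None)
    return legit, 1 - legit / (1 << (CORE_BITS * len(MODULI)))


def add_round_key_prns(state_residues, key_residues):
    """AddRoundKey needs no reconstruction: reduction mod m_i is GF(2)-linear, so
    (a xor k) mod m_i == (a mod m_i) xor (k mod m_i) in each core independently."""
    return tuple(a ^ k for a, k in zip(state_residues, key_residues))


if __name__ == "__main__":
    assert all(is_irreducible(m) for m in MODULI)
    print("0x57 ->", [hex(r) for r in to_prns(0x57)], "->", hex(check_and_decode(to_prns(0x57))))
    print("single-core errors missed:", single_core_errors_missed())
    print("legitimate triples, coverage:", multi_core_coverage())
```

The single-core result is not luck: if corrupting only residue i produced another legitimate byte y, then x+y would be divisible by the other two moduli, a degree-8 polynomial, while having degree below 8, so x = y and residue i could not have changed. Errors spread over two or three cores, by contrast, can land on any of the 4096 triples, and exactly 256 of those decode as valid bytes, which is the 2^8/2^12 miss rate in the formula above.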

Conclusion

In this paper, two PRNS implementations of the AES have been presented for error detection and protection against side-channel and fault attacks. The proposed error-detecting scheme yields very good error coverage, and the distributed, parallel nature of a PRNS architecture itself yields intrinsic resistance to some side-channel attacks. The proposed PRNS based SBox implementation is believed to offer a higher level of confusion too.

The PRNS architecture brings a new design

Junfeng Chu received the BSc degree in electronic engineering and information study from Qingdao University, Qingdao, China, in 2005 and MSc degree in electronic engineering from the University of Sheffield, Sheffield, UK, in 2007. He is currently pursuing the Ph.D. degree in electronic engineering from the University of Sheffield, Sheffield, UK. His research interests focus on residue number system and hardware architectures for cryptography.

References (27)

  • National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), Federal Information...
  • P.C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, in: Advances in...
  • P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Advances in Cryptology, CRYPTO '99, LNCS 1666...
  • K. Gandolfi, C. Mourtel, F. Olivier, Electromagnetic analysis: concrete results, in: Proc. Cryptographic Hardware and...
  • E. Biham et al., Differential fault analysis of secret key cryptosystems.
  • D. Boneh et al., On the importance of checking cryptographic protocols for faults (extended abstract).
  • G. Bertoni et al., Error analysis and detection procedures for a hardware implementation of the Advanced Encryption Standard, IEEE Trans. Comput. (2003).
  • Ch.-N. Chen et al., Differential fault analysis on AES key schedule and some countermeasures.
  • P. Dusart, G. Letourneux, O. Vivolo, Differential Fault Analysis on AES, Cryptology ePrint Archive: Report 2003/010...
  • Ch. Giraud, DFA on AES, in: Proceedings of AES 2004, LNCS, vol. 3373, 2005, pp....
  • D. Peacham, B. Thomas, A DFA Attack Against the AES Key Schedule, SiVenture...
  • T. Malkin, F.-X. Standaert, M. Yung, A comparative cost/security analysis of fault attack countermeasures, in: Fault...
  • R. Karri, G. Kuznetsov, M. Goessel, Parity-based concurrent error detection of substitution-permutation network block...
Mohammed Benaissa (S'86, M'90, SM'06) received the Ph.D. degree in VLSI signal processing from the University of Newcastle upon Tyne, UK, in 1990. He has been with the Department of Electronic and Electrical Engineering, University of Sheffield, Sheffield, UK, since 1999. His research interests include hardware cryptography, error control coding hardware implementation, reconfigurable hardware design, Galois field arithmetic, and residue number systems. He has published over 80 papers on contributions to algorithmic, architectural, and circuit issues in these areas.