Error detecting AES using polynomial residue number systems
Introduction
In 2000, the Rijndael cipher algorithm, introduced by Vincent Rijmen and Joan Daemen, was selected as the Advanced Encryption Standard (AES) by the National Institute of Standards and Technology (NIST). In the following year, this algorithm became the Federal Information Processing Standard FIPS-197 [1]. As the AES has been widely adopted for different applications, higher reliability of the AES design is required. In recent years, numerous attack schemes have been introduced to break cryptographic systems and extract secret information via side-channel analysis, by analyzing or manipulating observations of the physical characteristics of the electronic cryptographic system. Typical examples are timing attacks [2], power attacks [3], electromagnetic radiation attacks [4] and fault attacks [5], [6]. Prior work has shown that even a single transient error occurring during the AES round operations will very likely result in a large number of errors in the final data [7]. In addition, a few attack scenarios have shown that the AES is quite vulnerable to fault attacks [7], [8], [9], [10], [11]. Hence it is necessary to provide error detection mechanisms in the AES design to achieve a higher level of reliability and security.
There are several approaches to achieving error detection for cryptographic systems. Generic solutions are duplication and repeated computation; however, these solutions either double the hardware overhead or the latency, and they do not protect against permanent faults. Error detecting codes are widely used by engineers to implement error-proof designs. In [12], an overview of the error-detecting-code based protection mechanisms for AES implementations can be found. There are mainly two solutions: parity code based schemes [7], [13], [14] and residue code based schemes [15], [16]. The parity-based methods show low hardware overhead but are weak at detecting multiple faults; the residue code based error detection schemes have good multiple-fault coverage but are weak in single-fault detection, and become complicated and hardware consuming when predicting the residue codes for non-linear operations such as the SubByte operation in the AES.
The PRNS based error detecting approach proposed in this paper detects 100% of single-bit errors and of errors of up to 4 bits that occur in a single GF(2^4) AES core, for each byte based operation. The error detection mechanism is constructed using a simple XOR-AND network, which is quite low in hardware cost. In addition, the original AES operations are distributed across three GF(2^4) AES cores, each of which has its own data path, which gives the AES design built-in resistance against probing attacks. Furthermore, a unique SBox look-up table (LUT), to which redundant information is added, is constructed for each GF(2^4) AES core; hence it boosts the confusion level of the system. Detailed design information is given in Section 3. Two different architectures that apply PRNS to the AES are demonstrated in Section 4: one is based on a 32-bit data path AES, the other uses an 8-bit data path round-looping architecture to implement the AES. Hardware overhead is compared and analyzed for the different architectures in Section 5. Error coverage analysis and comparisons are given in Section 6.
The AES algorithm
The AES is a symmetric block cipher, which uses the same key for both encryption and decryption. It has been broadly used for different applications, including smart cards and cellular phones, web servers and automated teller machines, etc. Similar to other symmetric ciphers, the AES applies round operations iteratively to the plaintext to generate the ciphertext. There are four transformations in a round operation: SubBytes, ShiftRow, MixColumn and AddRoundKey. Derived from the cipher key,
Proposed architecture
To implement the PRNS architecture, three GF(2^4) AES cores are constructed individually. They perform the AES transformations on the residue representation of the original data. According to PRNS theory, an arbitrary GF(2^8) element can be uniquely represented by its two GF(2^4) residues. A redundant GF(2^4) AES core is introduced to construct the illegitimate range for error detection. The error detection mechanism converts the residue representation back to normal representation and performs
32-Bit data path AES using PRNS
The first attempt at constructing an AES encryption core using the PRNS architecture adopts a 32-bit data path and a column-transformation based approach to trade off hardware consumption against throughput. Due to the use of the PRNS representation, each GF(2^4) AES core uses a 16-bit data path. The architecture introduced in [26] is adopted.
The encryption core consists mainly of a StateRAM, an Sbox, a Mixcolumn and several XORs for AddRoundKey (Fig. 3). The StateRAM is constructed using four 8 × 4 bits dual-port
Hardware implementation and results
Table 4 shows the synthesis results of the proposed PRNS error detection AES. To the authors' knowledge, this is the first attempt at an AES design using such a PRNS error detection scheme. To enable a fair comparison, a normal 32-bit AES and a normal 8-bit AES, which adopt the same architecture as the PRNS core design, are implemented on the same platform (Xilinx Spartan 3-3s1500fg320-4 FPGA). Comparisons are listed below:
It can be seen from the above table, as expected, due to the use of
Error coverage analysis and comparison
For the AES byte operation, the proposed error-detecting scheme is capable of detecting 100% of single-bit errors and 100% of single-core errors (where the error occurs only in one core, including multiple errors of up to 4 bits). If multiple faults occur across different cores, the probability of detecting the error by this scheme is (only those errors that do not cause an overflow will be missed)
Comparisons with other error detection schemes are shown in the following table. As it can be seen, though
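The following reference model is an added example and is not the paper's hardware: it implements a polynomial residue number system over GF(2) in which a byte (a GF(2^8) element, degree below 8) is represented by its residues modulo two degree-4 moduli, a third modulus is added as the redundant core, and the checker reconstructs the polynomial by the Chinese remainder theorem and flags any result in the illegitimate range (degree 8 or above). The paper's snippets do not name its moduli or its XOR-AND checker, so the three moduli below are an assumption (the three distinct, hence pairwise coprime, irreducible quartics over GF(2)) and the generic CRT reconstruction stands in for the hardware network. The model covers both the representation described in the proposed architecture section and the coverage claims above: it verifies exhaustively that every error confined to one core is caught, and counts the cross-core error patterns that escape because they do not overflow.

```python
# Added reference model of a PRNS over GF(2) with one redundant modulus
# and the overflow (illegitimate range) check. Not the paper's own code.
# Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i.

# ASSUMPTION: the page does not name the moduli; these are the three
# irreducible quartics over GF(2), so they are pairwise coprime.
MODULI = (0x13, 0x19, 0x1F)   # x^4+x+1, x^4+x^3+1, x^4+x^3+x^2+x+1
LEGIT_DEGREE = 8              # a GF(2^8) element has degree < 8


def deg(p):
    """Degree of a GF(2)[x] polynomial (deg 0 is taken as -1)."""
    return p.bit_length() - 1


def pmul(a, b):
    """Carry-less multiplication in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, m):
    """Quotient and remainder of a divided by m in GF(2)[x]."""
    q, dm = 0, deg(m)
    while a and deg(a) >= dm:
        sh = deg(a) - dm
        q ^= 1 << sh
        a ^= m << sh
    return q, a


def pinv(a, m):
    """Inverse of a modulo m in GF(2)[x] by extended Euclid (gcd must be 1)."""
    r0, r1, s0, s1 = m, a, 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ pmul(q, s1)
    assert r0 == 1, "moduli must be pairwise coprime"
    return pdivmod(s0, m)[1]


# CRT weights: W[i] is 1 modulo m_i and 0 modulo every other modulus.
M_ALL = pmul(pmul(MODULI[0], MODULI[1]), MODULI[2])   # degree 12
CRT_WEIGHTS = []
for m in MODULI:
    m_other = pdivmod(M_ALL, m)[0]                      # product of the other two
    CRT_WEIGHTS.append(pmul(m_other, pinv(pdivmod(m_other, m)[1], m)))


def to_prns(x):
    """Byte -> residues handled by the three GF(2^4) cores (x mod m_i)."""
    return tuple(pdivmod(x, m)[1] for m in MODULI)


def from_prns(residues):
    """Residues -> (byte, error_flag). A reconstruction of degree >= 8 lies
    in the illegitimate range that the redundant core creates."""
    x = 0
    for r, w in zip(residues, CRT_WEIGHTS):
        x ^= pdivmod(pmul(r, w), M_ALL)[1]
    return x, deg(x) >= LEGIT_DEGREE


def single_bit_patterns():
    """One flipped bit in one core (12 patterns)."""
    return [tuple(1 << b if i == c else 0 for i in range(3))
            for c in range(3) for b in range(4)]


def single_core_patterns():
    """Every nonzero 1- to 4-bit error confined to one core (45 patterns)."""
    return [tuple(e if i == c else 0 for i in range(3))
            for c in range(3) for e in range(1, 16)]


def all_nonzero_patterns():
    """Every nonzero error across the three cores (4095 patterns)."""
    return [(a, b, c) for a in range(16) for b in range(16) for c in range(16)
            if a or b or c]


def detection_rate(patterns, inputs=range(256)):
    """Fraction of (input byte, error pattern) pairs that the check flags."""
    detected = total = 0
    for x in inputs:
        r = to_prns(x)
        for e in patterns:
            _, flagged = from_prns(tuple(ri ^ ei for ri, ei in zip(r, e)))
            total += 1
            detected += flagged
    return detected / total


if __name__ == "__main__":
    print("single-bit  :", detection_rate(single_bit_patterns()))            # 1.0
    print("single-core :", detection_rate(single_core_patterns()))           # 1.0
    print("multi-core  :", detection_rate(all_nonzero_patterns(), [0x53]))   # 3840/4095
```

Why single-core errors can never escape in this model: the CRT image of an error confined to core i is a nonzero multiple of the product of the other two moduli, so it has degree at least 8, and adding it to a legitimate byte (degree below 8) always overflows into the illegitimate range. Errors spread over several cores escape exactly when their CRT image is itself a legitimate byte, which is the "no overflow" case the text describes; with these moduli that is 255 of the 4095 nonzero patterns, and the count is independent of the input byte because the reconstruction is linear over GF(2). The page does not give the paper's own probability expression, so the 3840/4095 figure is a property of this model, not a number taken from the paper.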
Conclusion
In this paper, two PRNS implementations of the AES have been advocated for error detection and for protection against side-channel and fault attacks. The proposed error-detecting scheme yields very good error coverage, and the distributed, parallel character of a PRNS architecture itself yields intrinsic resistance to some side-channel attacks. The proposed PRNS based Sbox implementation is believed to offer a higher level of confusion too.
The PRNS architecture brings a new design
Junfeng Chu received the BSc degree in electronic engineering and information study from Qingdao University, Qingdao, China, in 2005 and MSc degree in electronic engineering from the University of Sheffield, Sheffield, UK, in 2007. He is currently pursuing the Ph.D. degree in electronic engineering from the University of Sheffield, Sheffield, UK. His research interests focus on residue number system and hardware architectures for cryptography.
References (27)
- National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), Federal Information...
- P.C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, in: Advances in...
- P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Advances in Cryptology, CRYPTO '99, LNCS 1666....
- K. Gandolfi, C. Mourtel, F. Olivier, Electromagnetic analysis: concrete results, in: Proc. Cryptographic Hardware and...
- ... et al., Differential fault analysis of secret key cryptosystems.
- ... et al., On the importance of checking cryptographic protocols for faults (extended abstract).
- ... et al., Error analysis and detection procedures for a hardware implementation of the Advanced Encryption Standard, IEEE Trans. Comput. (2003).
- ... et al., Differential fault analysis on AES key schedule and some countermeasures.
- P. Dusart, G. Letourneux, O. Vivolo, Differential fault analysis on AES, Cryptology ePrint Archive, Report 2003/010,...
- Ch. Giraud, DFA on AES, in: Proceedings of AES 2004, LNCS, vol. 3373, 2005, pp....
Mohammed Benaissa (S'86–M'90–SM'06) received the Ph.D. degree in VLSI signal processing from the University of Newcastle upon Tyne, UK, in 1990. He has been with the Department of Electronic and Electrical Engineering, University of Sheffield, Sheffield, UK, since 1999. His research interests include hardware cryptography, hardware implementation of error control coding, reconfigurable hardware design, Galois field arithmetic, and residue number systems. He has published over 80 papers on contributions to algorithmic, architectural, and circuit issues in these areas.