Another method, and the earliest form of practical privacy-preserving computation, is developing custom hardware processors, also mentioned by Rivest et al. [4] in 1978. An example is the state-of-the-art secure processor AEGIS [21]; designed to reveal data only inside the processor, any data entering or leaving the processor, for example to external memory, is encrypted. This protects against a range of software and physical attacks. However, AEGIS still has security vulnerabilities in the form of side-channel attacks [102][103]. This attack vector analyses information “leaked” from the physical execution of a program, for example power consumption [104] or electromagnetic radiation [105]. Another limitation of secure processors is the practicality of deployment in the cloud, because they are a physical entity.
By creating services reliant on custom hardware, we lose the core essence of what the cloud should be, which is abstract and dynamic [36]. However, users can now deploy Field-Programmable Gate Array (FPGA) designs in the cloud for custom hardware accelerators [106]. An FPGA bridges the gap between hardware and software by providing performance closer to that of an application-specific integrated circuit, while having the reconfigurability of a microprocessor. FPGAs contain a finite amount of programmable logic, also known as reconfigurable logic, that can be used to implement digital circuits by applying a bitstream file to the device. This bitstream file is analogous to a compiled program in software, but where programs contain machine instructions, a bitstream file contains a sequence of bits which configure circuits and logical functions. Processing data in parallel can give better performance; however, it is usually achieved by computing the same function over chunks of data at the same time. FPGAs offer a slightly different form of parallel processing by pipelining a design. This allows different stages of a function to be processed in parallel such that the data flows through the function, giving the performance that is currently lacking with secure processing. The design can either be application specific or based on an instruction set processor [107].
[Figure 2.3: SFaaS data flow for secure processing. Components: Storage, Virtual Machine, FPGA. Encrypted data passes from storage through the virtual machine to the FPGA, which decrypts, processes and re-encrypts it; the data is encrypted on every link back to storage.]
Using an FPGA in the cloud could allow a data flow process similar to Figure 2.3 [36], where the virtual machine acts as the controller. The bitstream file is encrypted with the FPGA's public key and includes the decryption key for the data. This allows symmetric keys to be used for data processing, giving greater performance and using less logic than a public key cryptosystem. Providing the decryption key for the data inside the encrypted bitstream stops malicious users of the FPGA from writing their own bitstream file to decrypt other users' data.
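The data flow of Figure 2.3 as an added example (not code from the original text or from any FPGA vendor): Go with standard-library cryptography models the controller and the FPGA, with RSA-OAEP standing in for the FPGA's public-key operation and AES-GCM for the symmetric data path. The function names, the reduced "bitstream" (only the wrapped data key) and the byte-wise increment used as "processing" are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Constructed model of the Figure 2.3 flow (not a real bitstream format): the
// bitstream is reduced to its one secret, the AES data key wrapped for the FPGA.
func NewFPGAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealData is used by the data owner before upload and by the FPGA for results;
// AES-GCM output is the plaintext size plus a 12-byte nonce and a 16-byte tag.
func SealData(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// OpenData rejects input that was not sealed under key (the "incorrect input"
// case of Section 2.3.3) because the GCM authentication tag will not verify.
func OpenData(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(ct) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
// WrapDataKey runs on the controller (virtual machine) side: RSA-OAEP under the
// FPGA's public key, so only the device holding the private key recovers dataKey.
func WrapDataKey(fpgaPub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, fpgaPub, dataKey, nil)
}
// FPGAProcess models the device: unwrap the key, decrypt, process (a byte-wise
// increment stands in for the real circuit) and re-encrypt before the result leaves.
func FPGAProcess(fpgaPriv *rsa.PrivateKey, wrappedKey, encIn []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, fpgaPriv, wrappedKey, nil)
	if err != nil { return nil, err }
	pt, err := OpenData(dataKey, encIn)
	if err != nil { return nil, err }
	for i := range pt { pt[i]++ }
	return SealData(dataKey, pt)
}
```

Data sealed under another user's key, or a bitstream wrapped for a different FPGA, is rejected by the authentication tag or the OAEP check rather than being processed.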
2.3.1 Physical Unclonable Function
A Physical Unclonable Function (PUF) allows secrets to be derived from complex physical characteristics of the silicon (a physical one-way function) rather than storing the secrets in memory [108][109][110]. Guajardo et al. proposed the feasibility of using PUFs for intellectual property protection by encrypting the bitstream file using elliptic curve cryptography [111]. PUFs are naturally noisy, which, combined with varying temperatures and ageing, could affect their reliability [112]. However, the key only needs to be generated or regenerated once per power cycle. Therefore, after the FPGA is powered on and the private key has passed a test against the known public key, any PUF issues will not be encountered until the device is reset. Even though the feasibility of PUFs is still to be established, the idea of having a decryption key visible only to the FPGA could be realised soon.
The alternative to using a PUF is an FPGA hardcoded with a private key which is generated automatically during manufacturing, with the public key printed on the chip or included in the box. The keys should never be saved, and should be visible only for a brief moment during manufacturing. The manufacturer could also sign all public keys, allowing customers to verify that a key was generated by the manufacturer and not by a malicious entity. However, the private key is visible at some point in time, so this is not the ideal solution.
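The two key checks described in this section and the previous one, as an added example (not code from the original text): the power-on test of a regenerated private key against the known public key, and the customer's verification of a manufacturer signature over the device public key. Go's standard-library ECDSA on P-256 is assumed; the function names, the challenge string and the use of a freshly generated key in place of a PUF-derived or factory-burned one are constructed assumptions, since the derivation itself is hardware specific.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Constructed model (not FPGA firmware) of the key checks in Sections 2.3.1
// and 2.3.2: a device key pair, its power-on self-test, and the manufacturer's
// signature over the device public key that customers verify.

// NewKey stands in for the PUF-derived or factory-burned device key.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SelfTest is the power-on check: a regenerated private key is accepted only if
// a signature it produces verifies under the public key recorded for the device.
// A noisy PUF that reconstructs the wrong key fails here, before any data is decrypted.
func SelfTest(regen *ecdsa.PrivateKey, known *ecdsa.PublicKey) error {
	challenge := sha256.Sum256([]byte("power-on self-test")) // constructed challenge
	sig, err := ecdsa.SignASN1(rand.Reader, regen, challenge[:])
	if err != nil { return err }
	if !ecdsa.VerifyASN1(known, challenge[:], sig) {
		return errors.New("regenerated key does not match the known public key")
	}
	return nil
}

// CertifyDevice: the manufacturer signs the DER encoding of the device public key.
func CertifyDevice(mfr *ecdsa.PrivateKey, dev *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(dev)
	if err != nil { return nil, err }
	h := sha256.Sum256(der)
	return ecdsa.SignASN1(rand.Reader, mfr, h[:])
}

// VerifyDevice is the customer's check: the printed or boxed public key is trusted
// only if the manufacturer's signature over it verifies.
func VerifyDevice(mfrPub *ecdsa.PublicKey, dev *ecdsa.PublicKey, sig []byte) bool {
	der, err := x509.MarshalPKIXPublicKey(dev)
	if err != nil { return false }
	h := sha256.Sum256(der)
	return ecdsa.VerifyASN1(mfrPub, h[:], sig)
}
```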
2.3.2 Programmed Decryption Key
With a protected bitstream file, the decryption key for data processing can remain protected, as it will only be exposed within the FPGA. Three cryptography schemes will be analysed for usage in an FPGA in terms of logic size and performance. Note that logic size depends on the FPGA used, and is given as an approximation.
Advanced Encryption Standard
Rijndael, or as it is commonly known, AES, is a method of data encryption with symmetric keys [113]. The advantage over other cryptography schemes for layered encryption is that the cipher text is the same size as the plain text. For example, with a 2048-bit RSA encryption key, a 32-bit plain text value increases by a factor of 64. Adding another layer of encryption grows the size again, as a 2048-bit value needs to be split into smaller chunks to be encrypted with another 2048-bit key. Therefore, for layered encryption, the property of fixed-size cipher text is important. With inputs larger than the key size, they are split into blocks and chained together. The core operations of AES are XOR and bit rotating, giving it good performance as well as small cipher text sizes. The two components required for encryption and decryption are the key (256-bit for example) and the initialisation vector.
formance (>20Gbps) [114][115][116]. Designs can also be tailored to use less logic, from thousands of slices down to a few hundred while still achieving megabits per second [115][116]. The advantage of AES over other cryptography schemes in terms of implementation on an FPGA is the simplicity of the algorithm: the flexible performance versus logic required. The only main limitation of AES is that it uses a symmetric key. Even with the key protected in the bitstream file, data sharing and multiple data sources remain an issue. However, AES could be used for data storage and processing, while all uploaded or outgoing data could be encrypted with a public key cryptosystem.
Rivest-Shamir-Adleman Cryptosystem
Recall that the Rivest-Shamir-Adleman cryptosystem (RSA) is a public key encryption scheme based on the factoring problem, computing the plain text or cipher base value to an exponent within a modulus [34], and can use Montgomery modular multiplication [117][118]. RSA is more expensive in terms of area and performance compared to AES for FPGAs. For example, a slower implementation still requires thousands of slices, where faster implementations can require tens of thousands [119]. Performance can vary from megabits per second down to kilobits per second [118].
Elliptic Curve Cryptography
A public key cryptosystem, Elliptic Curve Cryptography (ECC), was proposed independently by Neal Koblitz and Victor Miller in 1985, and its cryptographic strength comes from the elliptic curve discrete logarithm problem being hard [120]. The advantages of ECC are smaller key sizes, smaller cipher text sizes (less data transferred) and faster computation times [121][122] when compared with non-ECC schemes such as RSA. For example, the secp256r1/nistp256 curve (256-bit) is comparable in cryptographic strength to an RSA 3072-bit key [123]. An early FPGA implementation by Leung et al. showed a 30× speedup over software implementations, using only a few thousand slices [124]. A survey in 2007 showed the varying differences between state-of-the-art implementations [125], and in 2008, a 33.05µs solution on a 163-bit binary field was proposed [126].
2.3.3 Attack Vectors
Apart from black box attacks, all other attack vectors require physical access, including readback attacks, side-channel attacks and reverse engineering an FPGA bitstream file [127]. This is an improvement over current software solutions for data processing, which can be accessed and broken remotely.
Black Box Attacks
These are a common attack for systems where all possible input combinations are tried, with the output revealing the inner design [127]. This attack is not feasible given that the input and output data must be encrypted, where the public key may not even be known. The design should handle incorrect input, for example a value not encrypted with the correct public key.
Readback Attacks
For debugging, FPGAs often have a readback feature to allow values to be read from the FPGA, for example the decryption keys through a special interface. Methods of disabling this functionality exist [127]; however, for a production FPGA deployed in a cloud service, this functionality should not exist or be physically disabled in the chip once the chip has passed production tests.
Side-Channel Attacks
These attack vectors are viable and involve analysing physical properties of the FPGA while in operation, for example power consumption [104] or electromagnetic radiation [105]. These are difficult and can require a laboratory environment to be successful.
Reverse Engineering the Bitstream File
With enough time and effort, the design of a bitstream file (once decrypted) can be reverse engineered [127]. However, an attacker need only focus on finding the decryption key for the input data, which could be easier depending on the level of obfuscation.