Academic year: 2020


International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 12, December 2013)


Self Timed S-Box implementation using NCL

J. Mercelin Lincy¹, S. Dhananjeyan²

¹Postgraduate Program in M.E. Embedded System Technologies, Vel tech Multi tech Dr.Rangarajan Dr.Sakunthala Engineering College, Anna University, India.

²Assistant Professor, M.E. Embedded System Technologies, Department of Electrical and Electronics Engineering, Vel tech Multi tech Dr.Rangarajan Dr.Sakunthala Engineering College, Anna University, India.

Abstract—This paper demonstrates the hardware implementation of an asynchronous AES S-Box that is resistant to side channel attacks (SCA). The asynchronous S-Box uses null convention logic (NCL), a self-timed logic with properties such as clock-free operation and dual-rail encoding. These properties make it difficult for an attacker to decipher secret keys embedded within the cryptographic hardware. By using NCL, the self-timed S-Box consumes much less power and operates faster than a synchronous S-Box, which consumes more power and is not very resistant to power attacks. Protection of the plaintext and key is a very important consideration.

Keywords—Advanced encryption standard (AES), correlation power analysis (CPA), differential power analysis (DPA), null convention logic (NCL), side channel attack (SCA), substitution box (S-box).

I. INTRODUCTION

With the growth of wireless communication and internet applications, more general purpose users and corporate users require security measures and devices to protect the data they transmit over communication channels. Since information transmitted over an open communication channel cannot be guaranteed safe transmission, it is necessary to encrypt the information before transmitting it through the channel.

The requirements of information security within an organization have undergone two major changes in the last several decades. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical mechanisms (e.g. rugged filing cabinets with locks) and administrative mechanisms (e.g. personnel screening procedures during the hiring process).

The three basic kinds of security are computer security, network security and internet security. Computer security is the generic name for the collection of tools designed to protect data and to thwart hackers. Network security is the set of measures to protect data during their transmission. Internet security is the set of measures to protect data during their transmission over a collection of interconnected networks.

Cryptography is the process used to encrypt ordinary information. The original information, referred to as plaintext, is combined with the cipher key to yield the encrypted output, which is called the ciphertext. Some examples of cryptographic applications are user account passwords, electronic transactions like internet banking, cellular phones etc.

Based on key usage, the encryption process is classified into two basic categories: asymmetric encryption and symmetric encryption. Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the 1970s. It remains by far the most widely used of the two types of encryption. All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption. Since both sender and receiver are equivalent, either can encrypt or decrypt messages using that common key. Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys.

Cryptographic systems can be characterized along three independent dimensions: the type of encryption operations used (substitution / transposition / product), the number of keys used (single-key or private / two-key or public), and the way in which plaintext is processed (block / stream). A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length, as opposed to the individual characters that form the input of a stream cipher.

Cryptanalysis is the process of recovering not only the plaintext but also the cipher key. There are two general approaches. Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs. Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.


There are three basic types of symmetric key encryption standards: the Data Encryption Standard (DES), the Triple Data Encryption Standard (Triple DES) and the Advanced Encryption Standard (AES). The most widely used private key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46. DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoys widespread use, but its security has also been the subject of much controversy, because it can be broken with little effort and has a small block size.

Triple DES uses a 64-bit data block and a 168-bit key for the cryptographic process. Even though it provides secure and reliable communication, it is still threatened by its small block size. An advanced encryption standard called AES [2] was then established by the National Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher whose structure is complex compared to public key. It uses a 128-bit block and a key of 128-bit / 192-bit / 256-bit. Its active life is 20-30 years. It is stronger than the other two encryption standards. AES is designed to be resistant against unauthorized user attacks.

A hardware implementation of the AES S-box is exposed to side channel attacks (SCA). Most research in cryptography examines the mathematics of cryptographic algorithms, ciphers, and protocols. Since the classical focus of cryptography has been communication security, more attention has been given to attacks on the information flowing over a channel than to attacks on the endpoint hardware.

However, the hardware which implements the cryptography is of course an important part of the overall system and deserves just as much scrutiny. These devices often store private keys or other sensitive data, so compromise of this private data or the hardware which guards it can have disastrous implications.

A side-channel refers to an avenue of information provided by the implementation of cryptographic hardware. Examples of side-channels are sound, infrared radiation, time delays, power consumption, and electromagnetic radiation. This “leaked information” may be statistically related to the underlying computations or keys, giving clues that are useful to an attacker. These side-channel attacks [1] can be carried out on unmodified hardware while it is performing normal computations.

SCAs include simple power analysis (SPA), differential power analysis (DPA), and correlation power analysis (CPA) [3], [4]. In Simple Power Analysis (SPA) attacks, the attacker observes the trace of current consumption over time and tries to directly apply it to the underlying cryptographic processing.

A more powerful kind of power analysis attack is Differential Power Analysis (DPA) which relies on statistical tests to isolate a signal of interest from noisy and complex power signals on a device. The power of DPA lies in its ability to discover useful information whenever there is a correlation between power traces and processed data, even if the relationship between power use and instruction execution is too complex to link directly.

A hardware implementation of the AES S-box has higher reliability than software, is less prone to reverse engineering and is also difficult for a hacker to modify. So, to find the power analysis attack, we make use of asynchronous circuits instead of synchronous circuits. Synchronous circuits are time dependent, so they require precise control of timing or suffer from timing-related issues such as glitches [5], [7], hazards and early propagation [6]-[8], which could leak side-channel information to attackers. Hence we make use of an asynchronous circuit style known as null convention logic (NCL). Asynchronous circuits are time independent, consume less power, generate less circuit noise, occupy less area and operate at high speed.

Most countermeasures designed for hardware implementation of AES are based on securing the logic cells to balance the power consumption of the system and to make it independent of the data being processed. This process of adjusting the basic units of the system makes the overall design less vulnerable to attacks.

II. NULL CONVENTION LOGIC

With computer chip density increasing and battery-powered mobile device market exploding, designers are facing two stringent constraints: energy dissipation and speed. Today’s semiconductor industry is dominated by synchronous design style. During the last few years, many major issues have emerged with technology node evolving to a crucial point, among which are power dissipation, clock distribution, electromagnetic interference, process variation, and heavy timing analysis. Quasi-delay-insensitive paradigms, such as the NULL Convention Logic (NCL) protocol, have been developed to surpass the limits drawn by synchronous designs.

A. Dual Rail Encoding

TABLE I

DUAL RAIL ENCODING

NCL uses dual-rail encoding [11] for each signal. A dual-rail signal S is composed of two wires, S0 and S1. S is in the DATA state if one of its rails is logic 1 and is in the NULL state if both are logic 0. Both rails cannot be asserted at the same time; this state is defined as an illegal state. DATA0 represents binary logic 0 and DATA1 represents binary logic 1. Dual-rail encoding [12] makes the power consumption more independent of the data, since the Hamming weights (HWs) of each data set are the same. Table I illustrates the different states.

B. Threshold Gates

NCL systems are built from 27 fundamental gates called threshold gates [11]. The reason for the name threshold is that the output is asserted if at least the threshold number of inputs is asserted. The general type of these gates is the THmn gate (Fig.1), where 1 ≤ m ≤ n. A THmn gate has n inputs and asserts its output if m of n inputs are asserted. For instance, TH23 outputs logic 1 if at least two out of its three inputs are logic 1. On the other hand, it deasserts its output only if all inputs are deasserted.

Fig.1 THmn threshold gate [11]

Fig.2 NCL systems architecture – register, computational logic and completion [11]

C. NCL Architecture

NCL systems are very similar to Register Transfer Level (RTL) design of synchronous circuits. The NCL combinational logic is located between a set of NCL registers as shown in Fig.2.

Two DATA cycles must always be separated by a NULL cycle. Consider a 3-stage pipeline circuit: the states of the stages would be either DATA-NULL-DATA or NULL-DATA-NULL. Ko and Ki signals are part of the handshaking protocol in which a register asserts the signal Ko to request DATA and deasserts it to request NULL. These handshaking signals ensure that all registers of a stage have received the DATA or NULL inputs. The completion detection element has the Ko signals of the registers of stage X as input and outputs a common Ki for the register of stage X-1. The completion element waits for all Ko to be logic 1 to output logic 1 and waits for all Ko to switch to logic 0 to output logic 0.
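The threshold-gate behaviour of Section II-B and the completion rule just described can be modelled in a few lines. This is an added behavioural example, not the authors' Verilog; the class and function names are hypothetical, and treating completion detection as a single THnn gate over the Ko signals is an assumption made for illustration.

```python
# Added illustration: behavioural model of NCL threshold gates (not from the paper).

class THmn:
    """THmn threshold gate: set at >= m asserted inputs, reset only at all-zero."""

    def __init__(self, m, n):
        if not 1 <= m <= n:
            raise ValueError("THmn requires 1 <= m <= n")
        self.m, self.n, self.out = m, n, 0

    def step(self, inputs):
        """Apply one vector of input levels and return the gate output."""
        if len(inputs) != self.n:
            raise ValueError(f"expected {self.n} inputs")
        asserted = sum(inputs)
        if asserted >= self.m:       # threshold reached: assert the output
            self.out = 1
        elif asserted == 0:          # every input deasserted: deassert
            self.out = 0
        # any other case holds the previous output (hysteresis)
        return self.out


def run(gate, sequence):
    """Feed a sequence of input vectors to a gate and collect its outputs."""
    return [gate.step(vector) for vector in sequence]


def th23_trace():
    """TH23: asserts at two of three inputs, then holds until all three are 0."""
    sequence = [(0, 0, 0), (1, 0, 0), (1, 1, 0), (1, 0, 0), (0, 0, 0)]
    return run(THmn(2, 3), sequence)


def completion_trace():
    """Ki for a stage of three registers, modelled as TH33 over their Ko signals.

    Ki rises only once every Ko is 1 and falls only once every Ko is 0, so a
    slow register holds back the request in both directions.
    """
    ko_sequence = [(0, 0, 0), (1, 0, 0), (1, 1, 0), (1, 1, 1),
                   (0, 1, 1), (0, 0, 1), (0, 0, 0)]
    return run(THmn(3, 3), ko_sequence)


if __name__ == "__main__":
    print("TH23 outputs:", th23_trace())
    print("Ki outputs:  ", completion_trace())
```

The held output between the set and reset conditions is what makes each DATA and NULL wavefront complete before the next one is requested.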

III. AES S-BOX USING NCL

The AES cryptographic algorithm has four transformations for both encryption and decryption. They are ADD ROUNDKEY, SUBBYTES, SHIFTROWS and MIXCOLUMNS. The AES algorithm consists of a number of rounds that depends on the key size. The SUBBYTES step is the first step of an AES round. Each byte in the array is updated by an 8-bit S-Box, which is derived from the multiplicative inverse over GF(2^8). The S-Box is one of the most critical components in the implementation of AES hardware. It consumes the majority of power and is also the component most vulnerable to SCAs. Hence a low-power S-Box is constructed using null convention logic, which is a self-timed logic. The S-Box consists of multiplicative inverse, affine transformation and inverse affine transformation; by combining the inverse function with an invertible affine transformation we can avoid attacks based on mathematics. A block diagram of the AES S-Box is shown in Fig. 3(a).

The affine transformation and inverse affine transformation components follow a series of Boolean equations given in Table II where i and q represents the 8-bit input and output, respectively. Both transformations require many XOR gates. The AES S-Box hardware implementation uses combinational logic circuit


Fig.3(a) Combinational S-Box Architecture [9]

Fig.3(b) Block diagram of Multiplicative inverse [9]

TABLE II

BOOLEAN EQUATIONS FOR AFFINE TRANSFORMATION AND INVERSE AFFINE TRANSFORMATION COMPONENTS

It should be noticed that multiplication in GF(2^4) is done by multiplying the polynomial ah(x) ah(x) followed by a modular reduction. Third, a series of multiplication and XOR operations were implemented to extend the field GF(2^4) to the field GF(2^8). To implement this conventional S-Box using NCL, the XOR, AND, and MUX operations in dual-rail NCL gates are required [10]. To achieve the input completeness and observability, it is important to choose appropriate threshold gates. For example, in the design of a 2:1 multiplexer, according to the Karnaugh map in Fig. 4(a), the sum-of-product (SOP) functions can be simplified as follows:

Z0 = A0S0 + S1B0 (1)

Z1 = A1S0 + S1B1 (2)

After modifying both functions for input completeness, new SOP functions are obtained as follows:

Z0 = A0S0(A0 + A1)(B0 + B1) + S1B0(A0 + A1)(B0 + B1) (3)

Z1 = A1S0(A0 + A1)(B0 + B1) + S1B1(A0 + A1)(B0 + B1) (4)

Both of them can be mapped to a NCL circuit with a TH24comp gate, a THand0 gate, and a TH22 gate. The finalized NCL MUX logic diagram is shown in Fig. 4(b). Likewise, two TH24comp gates can be used to implement an XOR logic function. THand0 and TH22 gates are used to implement an AND logic function. The logic diagrams are shown in Fig. 5.

Fig. 4 (a) K-map for the NCL multiplexer. (b) Optimized NCL multiplexer.
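The effect of the input-completeness terms in equations (3) and (4) can be checked exhaustively over every dual-rail input state. This is an added example, not code from the paper: it evaluates the SOP set functions combinationally without modelling gate hysteresis, the function names are hypothetical, and it assumes the usual NCL rail convention that rail 0 is asserted for DATA0, since Table I is not reproduced here.

```python
# Added illustration: input completeness of the dual-rail 2:1 MUX (not from the paper).
from itertools import product

# Dual-rail states written as (rail0, rail1); assumed convention: DATA0 = rail0 high.
NULL, DATA0, DATA1 = (0, 0), (1, 0), (0, 1)
STATES = {"NULL": NULL, "DATA0": DATA0, "DATA1": DATA1}


def mux_simplified(a, b, s):
    """Equations (1) and (2): Z0 = A0S0 + S1B0, Z1 = A1S0 + S1B1."""
    (a0, a1), (b0, b1), (s0, s1) = a, b, s
    return ((a0 & s0) | (s1 & b0), (a1 & s0) | (s1 & b1))


def mux_complete(a, b, s):
    """Equations (3) and (4): every product term gated by (A0+A1)(B0+B1)."""
    (a0, a1), (b0, b1) = a, b
    both_data = (a0 | a1) & (b0 | b1)      # A and B have both left NULL
    z0, z1 = mux_simplified(a, b, s)
    return (z0 & both_data, z1 & both_data)


def early_outputs(mux):
    """Input states where Z is already DATA while some input is still NULL."""
    found = []
    for (na, a), (nb, b), (ns, s) in product(STATES.items(), repeat=3):
        if NULL in (a, b, s) and mux(a, b, s) != NULL:
            found.append((na, nb, ns))
    return found


def functional_ok(mux):
    """With all inputs DATA, Z must equal A for S = DATA0 and B for S = DATA1."""
    data = (DATA0, DATA1)
    return all(mux(a, b, s) == (a if s == DATA0 else b)
               for a, b, s in product(data, repeat=3))


if __name__ == "__main__":
    for name, mux in (("eq. (1)-(2)", mux_simplified), ("eq. (3)-(4)", mux_complete)):
        print(name, "functional:", functional_ok(mux),
              "early outputs (A, B, S):", early_outputs(mux))
```

With equations (1) and (2) the output becomes DATA as soon as the selected input and S arrive, so the moment the output switches depends on the select value; equations (3) and (4) keep Z at NULL until A, B and S are all DATA.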


Power analysis done on the NCL AES S-Box shows that it is resistant to side channel attacks (SCA), consumes less power and occupies less area. By using NCL logic we will also be able to find out the difference between the power consumed during normal program flow execution, which will be less when compared to the power consumed when a hacked program executes.

IV. SIMULATION RESULTS

For example, for input 158, the binary form is 1 0 0 1 1 1 1 0 and the hex form is 9E. Converting the hex form 9E to the NCL input value gives 10 01 01 10 10 10 10 01. When this input is fed in, the NCL S-Box output is 01 01 01 01 10 01 10 10, and this dual-rail encoded data word is equivalent to 00001011 in binary, which is equal to the output of the conventional synchronous S-Box. Current power analysis attacks exploit the fact that the power consumption of a device executing an algorithm depends on the intermediate results handled. When current input is entered we obtain a constant power with the required output, but if the hacker tries to enter a wrong input, it will be indicated by dynamic variations in the power and hence produces a wrong output, and it will be difficult to decipher secret keys embedded within the cryptographic circuit of the FPGA board, as it follows the clock-free, dual-rail method.

The asynchronous S-Box is implemented in Verilog and simulated using ModelSim. After simulation it is implemented on an FPGA, which is a highly reconfigurable platform for prototyping integrated circuits.

Fig.6 ModelSim output of Multiplicative Inversion of S-box for inputs 9, 26, 158.

Fig.7 ModelSim output of Affine Transformation of S-box for inputs 9, 26, 158.

Fig.8 ModelSim output of NCL S-box for inputs 9, 26, 158.

TABLE III

SIMULATION RESULTS FOR THREE ARBITRARY SAMPLES FROM THE NCL S-BOX. NCL S-BOX OUTPUTS ARE DUAL RAIL ENCODED

| Mode | Input | S-Box output | NCL S-Box output |
|---|---|---|---|
| Encryption | 9 | 00000001 | 0101010101010110 |
| Encryption | 26 | 10100010 | 1001100101011001 |
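The sample values above and the constant Hamming weight claimed for dual-rail encoding in Section II-A can be reproduced with a software reference model. This is an added example, not the authors' Verilog: it computes the GF(2^8) inverse by direct exponentiation rather than the composite GF(2^4) decomposition of Fig. 3(b), uses the affine transformation as defined in FIPS 197 [2], and all function names are hypothetical.

```python
# Added illustration: software reference for the S-Box samples (not from the paper).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:            # reduce when the degree reaches 8
            a ^= 0x11B
        b >>= 1
    return product


def gf_inv(a):
    """Multiplicative inverse computed as a^254; 0 maps to 0 as AES requires."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def affine(b):
    """AES affine transformation: XOR of four left rotations plus constant 0x63."""
    def rotl(x, k):
        return ((x << k) | (x >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def sbox(x):
    """S-Box for encryption: multiplicative inverse followed by the affine step."""
    return affine(gf_inv(x))


def dual_rail(byte):
    """Dual-rail word, MSB first, bit 1 -> '10' and bit 0 -> '01' (as in the 9E example)."""
    return " ".join("10" if (byte >> i) & 1 else "01" for i in range(7, -1, -1))


def hamming_weights():
    """Sets of Hamming weights seen over all 256 outputs: single-rail vs dual-rail."""
    single = {bin(sbox(x)).count("1") for x in range(256)}
    dual = {dual_rail(sbox(x)).count("1") for x in range(256)}
    return single, dual


if __name__ == "__main__":
    for value in (9, 26, 158):       # the three inputs simulated in the paper
        out = sbox(value)
        print(value, format(out, "08b"), dual_rail(out))
    single, dual = hamming_weights()
    print("single-rail weights:", sorted(single), "dual-rail weights:", sorted(dual))
```

Every dual-rail output word has exactly eight asserted rails, while the single-rail outputs range over all weights from 0 to 8, which is the data dependence that power analysis relies on.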


V. CONCLUSION

Communication in today’s world must be properly secured against unauthorized users, and secured communication is established through the use of cryptography. The asynchronous AES S-Box design is based on self-timed logic referred to as NCL, which supports beneficial properties for resisting DPA: clock-free operation, dual-rail signals, and monotonic transitions. These beneficial properties make it difficult for an attacker to decipher secret keys embedded within the cryptographic circuit of the FPGA board. As a future enhancement, the null convention logic concept can be implemented in the advanced encryption standard cryptographic process so that highly secured communication can be established.

REFERENCES

[1] Jem Berkes, “Hardware Attacks on Cryptographic Devices”, University of Waterloo, Prepared for ECE 628, winter 2006.

[2] Advanced Encryption Standard AES, Fed. Inf. Process. Standard 197, 2001.

[3] J. Kocher, P. Jaffe, and B. Jun, “Introduction to differential power analysis and related attacks,” Cryptography Res. Inc., San Francisco, CA, 1998, Tech. Rep.

[4] P. Kocher, “Design and validation strategies for obtaining assurance in countermeasures to power analysis and related attacks,” in Proc. NIST Phys. Security Workshop, 2005, pp. 1–11.

[5] S. Mangard, “Masked dual-rail pre-charge logic: DPA-resistance without routing constraints,” in Proc. Workshop CHES, 2005, pp. 172–186.

[6] T. Popp, M. Kirschbaum, T. Zefferer, and S. Mangard, “Evaluation of the masked logic style MDPL on a prototype chip,” in Proc. Workshop CHES, 2007, pp. 81–94.

[7] T. Popp, M. Kirschbaum, and S. Mangard, “Practical attacks on masked hardware,” in Proc. Cryptographers’ Track RSA Conf. Topics Cryptol., 2009, pp. 211–225.

[8] M. Ahn and H. Lee, “Experiments and hardware countermeasures on power analysis attacks,” in Proc. ICCSA, 2006, vol. 3982, pp. 48–53.

[9] J. Wolkerstorfer, E. Oswald, and M. Lamberger, “An ASIC implementation of the AES sboxes,” in Proc. Cryptographer’s Track RSA Conf. Topics Cryptol., 2002, pp. 67–78.

[10] J. Wu, Y.-B. Kim, and M. Choi, “Low-power side-channel attack-resistant asynchronous s-box design for AES cryptosystems,” in Proc. 20th Symp. Great Lakes Symp. VLSI, 2010, pp. 459–464.

[11] David Roclin, “Optimum Transistor Sizing of MTNCL Threshold Gates for Various Design Constraints”, a thesis, University of Arkansas, December 2010.
