ECE 5520 - Secure Hardware Design

	ECE 5520: Secure Hardware Design Spring 2010 Instructor: Patrick Schaumont Prerequisites: ECE 4514 (or equivalent). Students need an understanding of contemporary digital design using a hardware description language. Syllabus (from Spring 2009 offering) Summary: Design and implementation of secure hardware at multiple levels of abstraction, covering cryptographic hardware primitives, cryptographic modules, and trusted platforms. Reverse engineering of cryptographic modules using passive attacks, active attacks, and cryptanalytic techniques. Countermeasures against reverse engineering. The course uses case studies and literature surveys to reflect on the state-of-the-art in secure hardware implementation. Cryptography theory is covered on an as-needed basis. Useful background material: This course is based in part on the following references. Cryptographic Algorithms on Reconfigurable Hardware by F. Rodriguez-Henriquez, N. A. Saqib, A. Diaz-Perez, and C. K. Koc (Springer 2007) Cryptographic Engineering by Cetin Kaya Koc, Ed. (Springer 2009) Secure Telecommunication Systems, Course notes and slides by Kris Gaj, George Mason University Cryptography and Computer Network Security, Course notes and slides by Kris Gaj, George Mason University Synthesis of Arithmetic Circuits: FPGAs, ASICs, and Embedded Systems by Jean-Pierre Deschamps, Gery Bioul, Gustavo Sutter (Wiley 2006). Handbook of Applied Cryptography, by A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, CRC Press, 1996. Power Analysis Attacks: Revealing the secrets of smartcards, by Stefan Mangard, Elisabeth Oswald, Thomas Popp (Springer 2007). ECRYPT Summer School on Cryptographic Hardware, Side-Channel and Fault Attacks, Louvain-La-Neuve, June 2006. Online References: A Classical Introduction to Cryptography by S. Vaudenay (Springer 2006) Guide to Elliptic Curve Cryptogrpahy by Darrel Hankerson, Scott Vanstone and Alfred Menezes (Springer 2004) Power Analysis Attacks: Revealing the secrets of smartcards, by Stefan Mangard, Elisabeth Oswald, Thomas Popp (Springer 2007). Cryptographic Algorithms on Reconfigurable Hardware by F. Rodriguez-Henriquez, N. A. Saqib, A. Diaz-Perez, and C. K. Koc (Springer 2007) Cryptographic Engineering by Cetin Kaya Koc, Ed. (Springer 2009) Elementary Number Theory, Cryptography and Codes by M. W. Baldoni, C. Ciliberto and G. M. P. Cattaneo (Springer 2009) Encyclopedia of Cryptography and Security by H. van Tilborg, Ed. (Springer 2005) Cryptography in C and C++ by M. Welschenbach (Springer 2005) Questions? Contact the instructor at schaum@vt.edu
Lecture 1	Introduction [Slides] Course Desription Course Requirements The Clipper Chip Modular Arithmetic
Lecture 2	A Brief Overview of Cryptography [Slides] Security Services Symmetric-Key Algorithms: Stream and Block Ciphers Asymmetric-Key Algorithms: Factorization, Discrete-Log, Elliptic-Curve Hash Algorithms Key Length Requirements
Lecture 3	Random Number Generators (Principles of Design) [Slides] Standard requirements for RNG Classification of RNG: Deterministic and Non-deterministic Design of Deterministic RNG Design of Non-deterministic RNG: Entropy, Compression Function, Sources of Entropy
Lecture 4	Random Number Generators (Testing and Examples) [Slides] Tests on Random Number Generator Probability density function Hypothesis test = statistic + significance Example statistic: Freq test, Runs test Test Suites: DIEHARD, NIST Random Number generator Design DRNG: LCG, RSA Hybrid DRNG: Tkacik TRNG: Epstein, Tokunaga, Ring Oscillator
Lecture 5	Prime Field Arithmetic: Part 1: Add, Subtract, Multiply [Slides] Prime Field Goal: modular exp: RSA, Diffie Helman Modulo m addition Normal, base B Modulo m subtraction Normal, base B Modular multiplication Digit expansion, OSF, PSF Squaring Modular Reduction w restoring/non-restoring division Interleaved mult/reduction
Lecture 6	Prime Field Arithmetic Part 2: Montgomery Multiplication & Exponentiation [Slides] Montgomery Multiplication Montgomery Reduction Montgomery Product Hardware Implementation Bit-serial montgomery multitplier in hardware Finding the Modular Inverse in hardware Exponentiation MSB-First LSB-First Montgomery NIST Primes
Lecture 7	Binary Field Arithmetic [Slides] Binary Fields, Polynomial Basis Primitive Polynomial Addition Reduction Multiplication Bit-serial design, MSB first Bit-serial design, LSB first Digit-serial design Optimizations Montgomery
Lecture 8	Hash Functions [Slides] Hash Functions Security Properties Classification Compression Function Applications Hash Application Block Cipher based Hash and HMAC Implementation Aspects Padding MD5 Whirlpool
Lecture 9	Block Ciphers - Overview [Slides] Block Cipher Principle True Block Cipher Attack Complexity Block Cipher Structure SP Network, Feistel Network Key Schedule Hardware Implementations Low-footprint - Example High-throughput - Pipelining Comparing Block Cipher Implementations
Lecture 10	Block Ciphers - AES [Slides] The Advanced Encryption Standard History AES Algorithm AES Round Definition Subbytes, ShiftRows, MixColumn Key Schedule AES Implementation SBox, MixColumn Modules 1 cycle/round Encryption/Decryption Design Compact Implementations
Lecture 11	Block Ciphers - Modes of Operation [Slides] Mode of Operation (MOO) Why MOO ? History Modes for Confidentiality Cipher Block Chaining (CBC) Cipher Feedback (CFB) Output Feedback (OFB) Counter (CTR) Modes for Authentication CBC-MAC Modes for Authenticated Encryption CBC-MAC with Counter (CCM) Concluding Remarks
Lecture 12	Elliptic Curve Cryptography Part 1: The Point Multiplication [Slides] Background Elliptic Curves EC Group Structure Addition and Doubling of Points Point Coordinate Systems Affine and Projective The Point Multiplication Right-to-left, left-to-right, NAF Double-add-always, Montgomery
Lecture 13	Elliptic Curve Cryptography Part 2: Implementation Strategy [Slides] Montgomery Scalar Multiplication using Lopez-Dahab Coordinates Standard Micro-coded Datapaths: Allocation Scheduling Binding ECC Speed Records in FPGA
Lecture 14	Basics of Side-channel Analysis [Slides] Logical vs Physical Attacks Classification Timing Power Consumption Sources Models (HW & HD) Taking and Using measurements Single-point models Multi-variate models
Lecture 15	Advanced Side-channel Analysis [Slides] Review: Simple Power Analysis Averaging Confidence Interval Differential Power Analysis Correlation DPA on AES Power Models: Hamming Weight, Hamming Distance
Lecture 16	Fault Attacks [Slides] Types of Faults Fault Models Fault Attacks on Symmetric-Key Algorithms CDES: DFA CAES: Bit/Byte Forcing, Bit Flipping, Random-byte Attack Fault Attacks on Public-Key Algorithms CRSA: Safe-error Attack ECC Fault Countermeasures
Lecture 17	Side Channel Countermeasures: Hiding [Slides] SPA, DPA Signal to Noise Ratio (SNR) Countermeasures: Hiding and Masking Hiding Types of hiding Constant-power-dissipation logic: WDDL Building Complementary Circuits Implementation Issues ASIC FPGA
Lecture 18	Side Channel Countermeasures: Masking [Slides] SCA Countermeasures: Hiding and Masking Masking Concepts Masking Operation Masked Functions Secret Sharing Perfect masking Masked Logic Styles Random Switching Logic Masked Dual Rail Precharge Logic
Lecture 19	Secure Processors [Slides] Secure Processors IBM 4758 AEGIS Trustzone The Future Qu'ils mangent de la brioche!

ECE 5520: Secure Hardware DesignSpring 2010

ECE 5520: Secure Hardware Design
Spring 2010