Institute of Physics Publishing doi:10.1088/1742-6596/10/1/084

Journal of Physics: Conference Series 10 (2005) 343–347 Second Conference on Microelectronics, Microsystems and Nanotechnology

Low power cryptography (invited) P Kitsos, O Koufopavlou, G Selimis and N Sklavos VLSI Design Lab, Electrical and Computer Engineering Department, University of Patras, Rio 26500, Patras, Greece E-mail: [email protected] Abstract. Today more and more sensitive data is stored digitally. Bank accounts, medical records and personal emails are some categories that data must keep secure. The science of cryptography tries to encounter the lack of security. Data confidentiality, authentication, non-reputation and data integrity are some of the main parts of cryptography. The evolution of cryptography drove in very complex cryptographic models which they could not be implemented before some years. The use of systems with increasing complexity, which usually are more secure, has as result low throughput rate and more energy consumption. However the evolution of cipher has no practical impact, if it has only theoretical background. Every encryption algorithm should exploit as much as possible the conditions of the specific system without omitting the physical, area and timing limitations. This fact requires new ways in design architectures for secure and reliable Crypto Systems. A main issue in the design of Crypto systems is the reduction of power consumption, especially for portable systems as smart cards.

1. Introduction The energy consumption on a CMOS chip can be classified as static and dynamic power dissipation. The main difference between them is that dynamic power is frequency dependent, while static is not. The static power in CMOS circuits is mainly due to leakage currents. As the size of transistor decreases the factor of leakage current increases. To solve this problem techniques in physical design have been proposed [1]. Dynamic power can be classified into power consumed internally by the cell and power consumed due to driving the load. A first order approximation of the dynamic energy consumption of CMOS circuitry is given by the formula: (1) Pd = Ceff V 2 f where Pd is the power in Watts, Ceff is the switch capacitance in Farads, V is the supply voltage in Volts and f is the frequency of operations in Hertz. C eff combines two factors C , the capacitance being charged/discharged and the switching activity a , which the probability that a transition occurs. (2) Ceff = aC Due to (1) and (2) equations the power could be reduced by the reduction of the above power factors.

© 2005 IOP Publishing Ltd

343

344

2. Cryptographic Implementations in Power Inefficient Crypto Systems Last years many cryptographic implementations have been proposed. They are implemented in software or in hardware [2], [3], [4]. The choice of the implementation depends on the application and on the algorithm that is to implement. Hardware implementations are more expensive but they perform better in terms of throughput and power. 2.1. Secret key Algorithms DES, Triple DES and last years AES are commonly found in many cryptographic systems. The software implementations are 10-100 times slower that the hardware. 2.2. Public-key encryption algorithms They are based on modular multiplication-for example, RSA, Diffie-Helman (DH), or the Digital Signature Standard (DSS). RSA signatures and verifications are supported with a choice of 512, 768, or 1024 bit key lengths. The algorithms typically use the Chinese Remainder Theorem (CRT) in order to speed up the processing. The use of public-key algorithms based o elliptic curves is quite novel and not yet extensively used. Two main types of commonly used curves will determine the need for computing power: curves over GF(p) (a Galois Field over the prime p) requiring resources similar to those for standard public-key cryptography; and curves over GF(2^n) (a GF over polynomials of size n), computations don’t require carries (addition/subtraction is an XOR, and multiplication is done without internal carries). 2.3. Hashing algorithms They commonly found include SHA-1 and MD-5. The main role of a cryptographic hash function is in the provision of digital signatures. Since hash functions are generally faster than digital signature algorithms, it is typical to compute the digital signature to some entity by computing the signature on the entity’s hash value, which is small compared to the document itself. 2.4. Random numbers They always required for cryptographic procedures. Smart cards require random numbers for: 1. Key generation to authenticate the card and terminal 2. Creating padding bytes and blinding values for encryption, as initial values for transmission sequence counters; and 3. Implementation of algorithmic counter-measures against side-channel attacks. 3. ASIC, FPGAs and Software Approaches Cryptographic algorithms are commonly implemented as software running on a CPU, microcontroller, or DSP, as a fixed function ASIC, or within a programmable logic device (FPGA). The pros and cons of these various methods are briefly discussed below. 3.1. ASIC Approach Low-power ASIC design appears to be more heavily researched than high performance ASIC design – perhaps due to low-power techniques being used in many other areas besides cryptographic algorithm design. Typical methodologies include: Clock gating: The clock tree in a synchronously designed device can consume a large fraction of a chip’s overall energy usage; isolating unused logic sections of the chip on a clock-by-clock basis can significantly reduce this problem. Asynchronous logic design: Asynchronous design techniques (based on ‘request’/’acknowledge’ handshaking signals rather than clock edges) tend to produce lower power designs, and occasionally provide

345

additional throughput as well. Variable voltage logic supplies: While dropping an IC’s power supply by a half will tend to make it twice as slow, the power consumption will typically be quartered. In systems that have variable encryption rate needs, this fact can be exploited to very significantly reduce overall power requirements. Glitch reduction: Since digital gates only dissipate (significant) power when switching, ‘stage to stage’ coupling (e.g., pipeline stage interconnects) should be designed to produce as few spurious glitches as possible; this can often be accomplished with some redundant gates. This solution is somewhat similar to ‘clock gating,’ but on a smaller scale. Parallelism and pipelining: Some algorithms are amenable to having their various constituents operations computed in parallel or in a fully-pipelined order. This is often a ‘win’ in that throughput is increased and – at least initially, until control circuitry complexity becomes large – overall power consumption drops. Unfortunately, pipelining doesn’t work with ‘chaining’ variants of encryption algorithms (e.g., for DES, only the electronic codebook – ECB – methodology works with pipelining). Functional Optimizations: It is tried to optimise system architectures in terms of power. 3.2. FPGA Aproach Only a very small subset of FPGAs is suitable for use in, e.g., battery powered devices. Nevertheless, low-power design for FPGAs would encompass the same criteria as with ASICs so long as it is ‘allowed’ in the chip. I.e., no commercial FPGA yet allows supports large circuit asynchronous design techniques; clock gating cannot be performed with a granularity of one clock cycle, etc. 3.3. Software Aproach There is an attempt to improve the software implementations and in this road the processor have to include instructions as rotating the content of register, include cryptographic functions as bit permutation, expansions and substitutions, enabled by a configuration register that determines how to place the bits of one register and fast memory accesses require. Low power techniques are applied in all these instructions 4. Known Low Power Schemes in Cryptography 4.1 Asyncronous VLSI implementations Asynchronous VLSI implementations of cryptographic algorithms IDEA and DES are presented in the papers [5] and [6].In the paper [5] an asynchronous VLSI implementation of the International Data Encryption Algorithm (IDEA) is presented. In order to evaluate the asynchronous design a synchronous version of the algorithm was also designed. VHDL hardware description language was used in order to describe the algorithm. By using Synopsys commercial available tools the VHDL code was synthesized. After placing and routing both designs were fabricated with 0.6 um CMOS technology. With a system clock of up to 8 MHz and a power supply of 5 Volt the two chips were tested and evaluated comparing with the software implementation of the IDEA algorithm. This new approach proves efficiently the lowest power consumption of the asynchronous implementation compared to the existing synchronous. Therefore the asynchronous chip performs efficiently in WEP (Wireless Encryption Protocols) and high speed networks. In the paper [6] the authors have designed an asynchronous Data Encryption Standard (DES) data encryption chip. There are many Cryptographic Applications that demand both high speed and low power. In order to meet these requirements the asynchronous hardware design adopted. 4.2. Variable voltage logic supplies In the paper [7] the overall architecture of the scalable encryption processor is presented as it is shown in figure 1.

346

Figure 1. The Scalable Encryption Processor. The processor consists of two main functional blocks: a variable security encryption engine, and a variable output DC/DC converter. The encryption engine utilizes an algorithm known as the Quadratic Residue Generator to generate a cryptographically- secure pseudorandom keystream sequence that is then XORed with a serial data stream to form the encrypted data stream. The variable output DC/DC converter allows us to utilize variable supply techniques which dynamically adjust the supply voltage as the amount of computation varies in order to minimize the energy dissipation. The two blocks are coupled through the use of an external look up table (LUT) that translates the current throughput and security requirements (as specified by the Width input) into a digital word representing the desired supply voltage. The embedded DC/DC converter then translates this digital word into a pulse-width modulated (PWM) signal that is filtered through an external LC filter to create the QRG’s supply voltage. The voltage is also sampled by the converter in order to perform closed loop voltage regulation. 4.3. Optimized Architectures In Terms of Power In the paper [8] the authors have developed a low-power S-Box architecture: a multi-stage PPRM (Positive Polarity Reed-Muller form) architecture for compact S-Boxes. It is an improvement of the composite field S-Box, and in this S-Box, the gates are arranged so that: (i) the signal arrival times at the gates are as close as possible if the depths of the gates from the primary inputs are the same, to avoid generating dynamic hazards, and (ii) the hazard-transparent XOR gates are located after the other gates that may block the hazards, to avoid the propagation of dynamic hazards. The multi-stage PPRM S-Box archives the lowest power consumption of 29 µW at 10 MHz using 0.13 µm 1.5 V CMOS technology, and its circuit size is still much smaller than conventional S-Box implementations whose power consumptions are around 140 µW. 5. References [1] Chandrakasan A, Bowhill W J Fox F 2001 Design of High –Performance Microprocessor Circuits (IEEE Press) [2] Dhem J F and Feyt N 2001 Hardware and Software Symbiosis Helps Smart Card Evolution published in IEEE Micro 21(6): 14-25 [3] Ho-Won Kim, Yonge Choi and Moo-Seopkim, Design and Implementation of a Crypto Processor and its Applications to SecuritySystem in proc. of the 2002 International Technical Conference on Circuits/Systems, Computers and Communications [4] Naccache D and Raohi D 1996 Cryptographic Smart Cards in proc. of IEEE Micro Vol. 16, Issue 3 Pages: 14 – 24 [5] Sklavos N and Koufopavlou O Asynchronous Low Power VLSI Implementation of the International Data Encryption Algorithm, proc. of 8th IEEE International Conference on Electronics, Circuits

347

[6] [7]

[8]

and Systems (ICECS'01) (Malta 2-5 September 2001) Vol. III pp 1425-1428 Pui-Lam Siu, Chiou-Sing Choy, Butas J, Chan C F A Low Power Asynchronous DES in proc. of 2001 Circuits and Systems Symposium (ISCAS 2001) 538-541 vol. 4 Goodman J, Chandrakasan A., Dancy A. P Design and implementation of a scalable encryption processor with embedded variable DC/DC converter in proc. of the 36th ACM/IEEE conference on Design automation June 1999 Morioka S, Satoh A. An Optimized S-Box Circuit Architecture for Low Power AES Design in proc. of CHES 2002 pp172-186

Low power cryptography (invited)

Bank accounts, medical records and personal ... Creating padding bytes and blinding values for encryption, as initial values for transmission sequence counters ...
Download PDF
103KB Sizes 1 Downloads 222 Views
Report

Recommend Documents

Invited RED: Invited RED - Biotechnology Industry Organization
Track 2. Track 3. Track 4. Track 5. Advanced Biofuels and Biorefinery ... Renewable Oil Feedstocks for the Pacific. Rim .... Roger Sedjo, Resources for the Future.
Low-power design - IEEE Xplore
tors, combine microcontroller architectures with some high- performance analog circuits, and are routinely produced in tens of millions per year with a power ...
Invited RED: Invited RED - Biotechnology Industry Organization
Tim Hsiau, University of California -Berkeley. William Kenealy ... James Carothers, University of Washington -. Seattle ... Wim Vermaas, Arizona State University.
Low Power Radio
locations, such as the office or home base, by telephone. Digital technology also ... A number of LPR manufacturers exist in the United States (see Appendix B).
Competition: Towards Low-Latency, Low-Power Wireless ... - EWSN
Beshr Al Nahas, Olaf Landsiedel. Department of Computer Science and Engineering. Chalmers University of Technology, Sweden beshr, olafl @chalmers.se.
low power and low complex implementation of turbo ...
It consists of two recursive systematic encoders which are ... second encoder the interleaved version of the ... highly undesirable in the high data rate coding.
you're invited! -
Page 1 ... The Larimer County Workforce Center invites youth, young adults & parents to: * Get the inside scoop from local employers. * Apply to the Larimer County Conservation Corps (14-24). * Learn about summer jobs, internships & MORE. Loveland Pu
Invited Speakers
... ideas through both specific oral/poster presentations and free discussions. ... Mandatory online registration: from March 1st, 2014 on the workshop website.
WQ LOW RISK POWER WASHING.pdf
Page 1 of 2. Page 1. LOW RISK DISCHARGE GUIDANCE: DISCHARGES FROM SURFACE COSMETIC POWER WASHING. OPERATIONS TO LAND. JULY 2010. This discharge guidance has been developed in accordance with the WQP-27, Low Risk Discharges and addresses. the discharg
Low Power Radio - Oregon State University
In New York State, Sea Grant collaborated with a park commission to test low power radio in a variety of coastal settings. An LPR broadcast at a coastal campground informed listeners of marine safety; and LPR at a barrier beach aided tens of thousand
Low-power multi-bay parking meter
Apr 8, 1999 - '097 patent further simplify accounting procedures. An auditor is .... a speci?ed timeout period programmed in the softWare. ..... needs service.
WQ LOW RISK POWER WASHING.pdf
available online at www.cdphe.state.co.us/wq/WhatsNew/SpillGuidanceDocument.pdf ... during future storm events. ... The Report of the Board Audit Committee .
Narrow Bus Encoding for Low Power Systems
Abstract. High integration in integrated circuits often leads to the prob- lem of running out of pins. Narrow data buses can be used to alleviate this problem at the cost of performance degradation due to wait cycles. In this paper, we address bus co
ICLR Invited Talk
Key Idea from Alex. 19. • Use model parallelism when we have a small parameters / activation ratio. (hint: convolutions!) • Use data parallelism when we have a ...
Consequential Conditionals: Invited and Suppressed ...
Although pervasive in everyday reasoning, consequential con- ditionals have not yet been a topic of psychological research.2 We provide a characterization of those statements, a detailed experi- mental account of the inferences they invite, and a dis
Low-Power Cmos Design through V/sub th/ Control and Low-Swing ...
Low-Power CMOS :Design through V, Control and Low-Swing Circuits. Takayasu Sakurai *, Hiroshi Kawaguchi * and Tadahiro Kuroda**. *) Institute of Industrial ...
In this paper, a new low-voltage low power CMOS 1-bit ...
ISSN: 2221-7258(Print) ISSN: 2221-7266 (Online) www.ijeecs.org. 4-BIT & 8-BIT ... R. N. Mandavgane. Bapurao Deshmukh College Of Engineering,. Bapurao ...
Abstracts of invited talks
teaching mathematics, which will help make the learning of mathematics interesting ..... The National Curriculum Framework (NCF, 2005) suggests the need of more ...... http://www.eurekalert.org/pub_releases/2002-02/aiop-ohs021202.php.
DN175 - Off-Line Low Noise Power Supply Does ... - Linear Technology
USE CAUTION IN CONSTRUCTION AND TESTING! 1 In depth coverage of this device, its use and performance verification appears in LTC Application Note 70, “A Monolithic Switching Regulator with 100μV Output. Noise,” by Jim Williams.
Using the LTC6900 Low Power SOT-23 Oscillator ... - Linear Technology
The LTC6900 master oscillator is controlled by the ratio of the voltage between V+ and the SET pin and the current,. IRES, entering the SET pin. As long as IRES ...