# Cryptographic Engineering

Çetin Kaya Koç

Oregon State University & Istanbul Commerce University

SBSEG'06 Santos, Brasil

#### Current Affiliations

- Oregon State University: on leave, since Sept 2005
- Istanbul Commerce University: Professor, since Sept 2005; Founder & Director of the Information Security Research Center
- International research & consulting activities

#### **Research Interests**

- Research and development in hardware and software realizations of information security and cryptographic systems
- Research emphasis on scalable and unified cryptographic processor design, cryptographic design in embedded software, and True Random Number Generators (TRNGs)

#### **Research Applications**

- High-throughput crypto accelerators for VPNs, SSL servers, and IPSec routers
- Mobile and resource-constrained devices, smartcards, and cell phones: small PKI, mobile VPN, power-efficient cryptographic modules for encryption and authentication

## Cryptographic Engineering

- Cryptographic engineering deals with software and hardware realizations
- Public-key cryptographic algorithms are based on computationally intensive arithmetic and finite-field operations
- Interdisciplinary research area
  - Electrical engineering
  - Computer science
  - Mathematics

#### Security Pyramid

| Layer | Examples |
|-------|----------|
| Security Protocol Architecture | Encryption, integrity and authentication functions, digital signatures |
| Cryptographic Algorithms | SHA, RSA, ECC, DES, AES |
| Number Theory, Finite Fields | Galois fields, large primes, special primes |
| Cycle-accurate & instruction-accurate models | Verilog register transfer level, StrongARM assembly |
| Implementation | FPGA, Flash, Core, ASIC |

#### **Recent Research Activities**

- Cryptographic infrastructure work
  - True random number generators
  - Embedded software cryptography
  - Cryptographic coprocessors
- New security products
  - Cryptographic modules
  - Security systems and modules
  - Innovative watermarking

#### Random Numbers in Cryptography

- Random session keys
- RSA prime factors
- Random numbers for DSA
- Zero-knowledge protocols
- Challenge-response protocols
- IVs (initialization vectors)

#### Random Number Generators

- True (physical) random number generators (TRNGs)
- Deterministic random number generators (DRNGs) – output is completely determined by the seed
- Hybrid generators refresh their seed regularly, e.g., by exploiting user's interaction, mouse movements, key strokes, or register values

#### Requirements

- Requirements depend essentially on the application
- R1: The random numbers should have good statistical properties
- R2: Knowledge of subsequences of the random numbers should not make it possible to compute predecessors or successors, or to guess them with non-negligible probability

#### **TRNG References**

- V. Bagini, M. Bucci, "A design of a reliable true random number generator for cryptographic applications", Proc. CHES 99, Lecture Notes in Computer Science 1717, Springer-Verlag, Heidelberg, Germany, pp. 204-218, 1999.
- M. Bucci, L. Germani, R. Luzzi, A. Trifiletti, M. Varanonuovo, "A high speed oscillator-based truly random number source for cryptographic applications on a smart card IC", IEEE Trans. Computers, Special Issue on Cryptographic Hardware and Embedded Systems, pp. 403-409, April 2003.
- W.T. Wolman, J.A. Connelly, A.B. Dowlatabadi, "An integrated analog/digital random noise source", IEEE Trans. Circuits and Systems I, vol. 44, no. 6, pp. 521-528, June 1997.
- B. Jun, P. Kocher, "The Intel random number generator", Cryptography Research Inc., white paper prepared for Intel Corp., April 1999, at <u>http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf</u>
- T. Stojanovski, L. Kocarev, "Chaos-based random number generators Part I: Analysis", IEEE Trans. Circuits and Systems I, vol. 48, no. 3, pp. 281-288, March 2001.
- E. Trichina, M. Bucci, D. De Seta, R. Luzzi, "Supplemental cryptographic hardware for smart cards", IEEE Micro, vol. 21, no. 6, 2001.

Figure source: W.T. Wolman, J.A. Connelly, A.B. Dowlatabadi, "An integrated analog/digital random noise source", IEEE Trans. Circuits and Systems I, vol. 44, no. 6, pp. 521-528, June 1997.

#### Oscillator Sampling

Figure source: B. Jun, P. Kocher, "The Intel random number generator", Cryptography Research Inc., white paper prepared for Intel Corp., April 1999, at http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf

#### TRNG Test Chips

- Process: TSMC 0.18µm
- Chip area: 0.025mm<sup>2</sup> (220µm × 116µm)
- Power supply: 3.3V/1.8V
- Power consumption: ≈ 3.6mW



#### **TRNG Test Chip Detail**



#### Randomness Tests

- Maurer's Test: U. M. Maurer, "A Universal Statistical Test for Random Bit Generators", *Journal of Cryptology*, vol. 5, no. 2, 1992, pp. 89-105.
- Diehard: G. Marsaglia, "A current view of random number generators", *Proc. Computer Science and Statistics: 16th Symposium on the Interface*, Keynote Address, 1984.
- NIST Tests: NIST Special Publication 800-22, "A statistical test suite for random and pseudorandom number generators for cryptographic applications", September 2000.
- FIPS Tests: "FIPS 140-1, Security requirements for cryptographic modules", Federal Information Processing Standards Publication 140-1, U.S. Department of Commerce/NIST, National Technical Information Service, Springfield, VA, 1994.





#### **A TRNG Architecture**







#### **TRNGs in Operation: Problems**

- Total breakdown of the noise source
- Aging effects
- Tolerances of components

#### Tests

| Test | Aim |
|------|-----|
| Tot-test | Shall detect a total breakdown of the noise source very quickly |
| Startup test | Shall ensure the functionality of the TRNG at the start |
| Online test | Shall detect non-tolerable weakness or deterioration of the quality of random numbers |
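The tot-test and online test above are commonly built from the FIPS 140-1 statistical tests listed earlier. As an added example (not from the slides), here are the four FIPS 140-1 tests with their 20,000-bit acceptance intervals in Python, run over a constructed "healthy" stream (a seeded PRNG standing in for a noise source) and a constructed stuck-at-zero stream modelling a total breakdown of the noise source.

```python
import random

# FIPS 140-1 (1994) acceptance intervals for a single 20,000-bit sample.
MONOBIT = (9654, 10346)          # number of ones
POKER = (1.03, 57.4)             # chi-square-like statistic over 4-bit nibbles
RUNS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
        4: (223, 402), 5: (90, 223), 6: (90, 223)}   # key 6 means "6 or more"
LONG_RUN = 34                    # any run this long (or longer) fails

def run_lengths(bits):
    """Yield (bit value, run length) for each maximal run in a '0'/'1' string."""
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        yield bits[i], j - i
        i = j

def fips140_1_tests(bits):
    """Apply the four FIPS 140-1 tests to exactly 20,000 bits.
    Returns {test name: True if passed}."""
    assert len(bits) == 20000, "FIPS 140-1 tests are defined on 20,000-bit samples"
    ones = bits.count("1")
    monobit = MONOBIT[0] < ones < MONOBIT[1]
    counts = [0] * 16                              # poker test: 5000 nibbles
    for k in range(0, 20000, 4):
        counts[int(bits[k:k + 4], 2)] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    poker = POKER[0] < x < POKER[1]
    runs = {b: {n: 0 for n in RUNS} for b in "01"}  # runs counted per bit value
    longest = 0
    for b, n in run_lengths(bits):
        runs[b][min(n, 6)] += 1
        longest = max(longest, n)
    runs_ok = all(lo <= runs[b][n] <= hi
                  for b in "01" for n, (lo, hi) in RUNS.items())
    return {"monobit": monobit, "poker": poker,
            "runs": runs_ok, "long_run": longest < LONG_RUN}

def sample_stream(seed=None, stuck=None):
    """Constructed 20,000-bit inputs: a seeded PRNG stands in for a healthy
    noise source; a stuck-at stream models a total breakdown (tot-test case)."""
    if stuck is not None:
        return str(stuck) * 20000
    return format(random.Random(seed).getrandbits(20000), "020000b")
```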

#### **Evaluation of TRNGs**

- ITSEC (Information Technology Security Evaluation Criteria) and CC (Common Criteria) do not specify any uniform evaluation criteria for random number generators
- NIST does not offer any standard method for evaluating TRNGs (no FIPS for such purpose)
- The only TRNG evaluation standard in the world: AIS 31 (German standard)

#### AIS 31

Published by BSI (Bundesamt fuer Sicherheit in der Informationstechnik) in Sep 2001

http://www.bsi.bund.de/zertifiz/zert/interpr/ais_cc.htm

- Provides clear evaluation criteria for TRNGs
- Distinguishes between two functionality classes
  - P1: less sensitive (challenge-response)
  - P2: sensitive (key generation)

#### 3 Prototypes

- RNG1: High-speed amplification-based
- RNG2: High-quality oscillator-based
- RNG3: Fully digital (standard cells)
- RNG4: ....

Work on several TRNGs at the same time and select the best one in terms of cost, chip area requirements, quality of randomness, robustness, and reliability

#### **TRNG Provable Quality**

- The overall design to be approved by international bodies
- Extensive analytical and statistical tests to be performed internally
- Tests under various attack scenarios
- Create robust, trusted TRNGs for across-the-board systems

#### TRNG Project Plan

- Design of noise source generators
- Implementation
- Design of post-processors
- Randomness testing
- Validation
- Decision

## Cryptographic Coprocessor

- Design of several cryptographic hardware modules
- A unified design for a coprocessor family to be used in several different products
- Provides scalability for future upgrades
- Area-time tradeoffs for environments with different constraints and requirements

#### ECC/RSA Hardware Design

- Two types of finite fields are commonly used in real-world applications
  - Prime fields: GF(p)
  - Binary extension fields: GF(2^k)
- These fields have dissimilar properties
- Different design possibilities
- Different implementations on specialized hardware

## Unified (Dual-Field) Arithmetic

- A unified hardware design methodology is possible for both fields since
  - The elements of either field are represented using almost the same data structures
  - The algorithms for basic arithmetic operations in both fields have structural similarities, i.e., the steps of the algorithms are nearly identical

#### Benefits of Unified Arithmetic

- Low manufacturing cost
- Compatibility

However, the design needs to be

- Scalable
- Fast and parallel
- Impartial (does not favor one prime over another or one irreducible polynomial over another)

## Montgomery Arithmetic

Montgomery multiplication is the right choice since

- Suitable for unified design and works for both field types
- Scalable
- Parallelizable
- Suitable for pipelining
- Impartial

#### Scalability

An architecture is scalable if it can be reused or replicated in order to generate long-precision results independently of the data path precision for which it was originally designed.

Application-specific architectures are generally limited by the data path for which they were designed.
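The unified, scalable Montgomery multiplier the slides describe, as an added worked example in Python (not the author's design or code): a word-level radix-2 Montgomery multiplication whose only field-dependent piece is the dual-field adder (carry chain for GF(p), plain XOR for GF(2^k)), processing m-bit operands on a w-bit data path so the same unit serves any precision. The operand size m, word size w, the moduli and the test values are constructed for illustration.

```python
from math import ceil

def words(x, w, e):
    """Split x into e little-endian words of w bits (x is an integer for GF(p)
    or a GF(2^k) polynomial stored as a bit string)."""
    return [(x >> (w * j)) & ((1 << w) - 1) for j in range(e)]

def dual_field_add(x, y, z, carry, w, binary):
    """Dual-field adder for three w-bit words: carry-propagating for GF(p);
    for GF(2^k) the carry chain is switched off and the words are XORed."""
    if binary:
        return 0, x ^ y ^ z
    total = x + y + z + carry
    return total >> w, total & ((1 << w) - 1)      # carry out is at most 2

def montgomery_mul(a, b, mod, m, w, binary=False):
    """Word-level radix-2 Montgomery product: a*b*2^-m mod p in GF(p), or
    a(x)b(x)x^-m mod p(x) in GF(2^k), for m-bit operands on a w-bit datapath.
    Each bit of a costs e = ceil((m+1)/w) word operations, so the same unit
    handles any precision m (scalability)."""
    e = ceil((m + 1) / w)
    B, M = words(b, w, e), words(mod, w, e)
    S = [0] * e                                   # partial product, e words
    for i in range(m):
        a_i = (a >> i) & 1
        q = (S[0] ^ (a_i & B[0])) & 1             # low bit of S + a_i*b (both fields)
        c, prev = 0, 0
        for j in range(e):                        # one word per cycle, carry chained
            c, s_j = dual_field_add(S[j], a_i * B[j], q * M[j], c, w, binary)
            if j:                                 # right-shift (s_j, prev) by one bit
                S[j - 1] = ((s_j & 1) << (w - 1)) | (prev >> 1)
            prev = s_j
        S[e - 1] = (c << (w - 1)) | (prev >> 1)   # top carry is at most 1 here
    result = sum(s << (w * j) for j, s in enumerate(S))
    if not binary and result >= mod:              # GF(p): at most one subtraction
        result -= mod
    return result

def gf2k_mulmod(a, b, p, m):
    """Plain shift-and-add a(x)b(x) mod p(x); used only to check the results."""
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a
        a <<= 1
        if (a >> m) & 1:
            a ^= p
    return r
```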



#### Dependency Graph of Montgomery



#### **Pipelined Computation**



An example of pipelined computation for 7-bit operands with a word length of 1 bit

#### **Pipeline Stalls**



Pipeline stalls occur when fewer processing units are available; here m=7, w=1, k=3

## Pipeline Organization with 2 Units



#### 3-bit Processing Unit



#### Dual-field Adder



#### Synthesis Results

- PU is synthesized with Mentor tools using 1.2 micron CMOS technology
- A 2-input NAND gate takes 0.94 units of chip area
- Unified-field area (w) = 48.5w
- GF(p)-only area (w) = 47.2w
- Latch area = 8.32w
- Total area for a k-stage pipeline = 56.82kw + 8.32w
- Propagation time is 11ns
- Clock frequency 90MHz

## Security Products Objectives

#### Creation of a Road Map

- Design several security architectures (architectural scenarios) with different kinds of security objectives/levels
- Create documents for detailed security requirements for different terminals (cell phone, PDA, smartcard, etc.)
- Create security solutions with generic properties satisfying a wide-range of requirements

## Security Classification

| No security | Minimal security (no crypto) | Basic security (simple security features) | Advanced security (security features, crypto functions, certificates) | High-end security (advanced security features, full crypto, certificates) |
|-------------|------------------------------|-------------------------------------------|-----------------------------------------------------------------------|---------------------------------------------------------------------------|
| First US analog cell phones | Simple PC security, software against viruses, etc. | Loyalty, metering, basic GSM, identification | Banking (debit, credit), access, m/e-commerce, healthcare | Banking, e-purse, PKI, pay-TV, multifunction cards, DRM, trustworthy computing |

### Security Needs

- Tamperproofness (which level)
- Security placement (which level)
- Cryptographic performance
- What type of application
- Overall system security
- IMEI, SIM lock, etc. protection
- Immunization and counter-measures against side-channel attacks

#### Attacks and Countermeasures



#### Trusted Phone Applications

- The use of the cell phone as a storage and/or applicator of smartcards
  - Concept: VSC (virtual smartcard)
  - A software approach to create multifunction smartcards
  - A methodology for SSO (single sign-on)
  - Needs to conform to ISO standards
  - Interface through a USB or similar port

#### Trusted Phone Applications (continued)

- The use of the cell phone as a rolling key generator (similar to RSA SecurID)
  - Currently exists as a separate device
  - Integrated with the phone using a complete silicon solution
  - Visual interface with the user
  - Needs to work with enterprise desktop authentication software

## What the Future Will Bring

- Which crypto algorithms are needed in the future?
  - Design of flexible, patent-free crypto modules
  - Allow doubling of key and block sizes (scalability)
- New side-channel attacks
  - Can we win against the new attacks?
  - Use of proven security mechanisms
- Can we make provably secure chips?
  - Formal methods for attack characterization
  - Secure functionality by formal verification of 16-bit and 32-bit CPUs
  - Side-channel attack resistance and tamper resistance

## What the Future Will Bring (continued)

- Innovative watermarking techniques
  - Use of physical one-way functions and physical signatures
  - Support from the device technologies
  - Creation of other physical one-way functions supported by RFIDs
- Innovative use of error-detecting and error-correcting codes
- Ubiquitous and pervasive computing
  - Solutions should be offered in silicon
  - Low-cost, cheap solutions for basic security functionalities
  - Leadership and innovation are the most important traits at this juncture