kth.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Securing CRYSTALS-Kyber in FPGA Using Duplication and Clock Randomization
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0002-0278-5986
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0002-4973-7412
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0003-2349-3920
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0001-7382-9408
Show others and affiliations
2024 (English)In: IEEE design & test, ISSN 2168-2356, E-ISSN 2168-2364, Vol. 41, no 5, p. 7-16Article in journal (Refereed) Published
Abstract [en]

CRYSTALS-Kyber has been selected by the NIST as a post-quantum public-key encryption and key establishment algorithm to be standardized. This makes it important to develop side-channel attack resistant implementations of CRYSTALS-Kyber. In this paper, we propose utilizing duplication combined with clock randomization as a means of protecting CRYSTALS-Kyber FPGA implementations from side-channel attacks. Such a countermeasure has been proven effective in ensuring side-channel resistance of AES FPGA implementations. It has the benefits of universal coverage, glitch immunity, and zero clock cycle overhead. We present a protected version of CRYSTALS-Kyber built on the top of the lightweight unprotected implementation by Xing el al. Our security evaluation shows that the protected implementation is resistant to deep learning-based side-channel attacks.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE) , 2024. Vol. 41, no 5, p. 7-16
Keywords [en]
CRYSTALS-Kyber, side-channel attack, countermeasure, clock randomization, duplication, deep learning
National Category
Engineering and Technology
Research subject
Electrical Engineering
Identifiers
URN: urn:nbn:se:kth:diva-344612DOI: 10.1109/mdat.2023.3298805ISI: 001302503000004Scopus ID: 2-s2.0-85165869219OAI: oai:DiVA.org:kth-344612DiVA, id: diva2:1846186
Funder
Swedish Civil Contingencies Agency, 2020-11632Vinnova, 2021-02426Swedish Research Council, 2018-04482
Note

QC 20240321

Available from: 2024-03-21 Created: 2024-03-21 Last updated: 2024-09-10Bibliographically approved
In thesis
1. Towards Securing the FPGA Bitstream: Exploiting Vulnerabilities and Implementing Countermeasures
Open this publication in new window or tab >>Towards Securing the FPGA Bitstream: Exploiting Vulnerabilities and Implementing Countermeasures
2024 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Field-programmable gate arrays (FPGAs) are used across various industries due to their high performance, energy efficiency, and reconfigurability. However, the major advantage of reconfigurability is also a source of security challenges.The present doctoral thesis investigates the security vulnerabilities of the FPGA configuration file, i.e. the bitstream, focusing on the exploration and mitigation of targeted bitstream modification attacks. The results outlined in the seven chapters of the thesis are based on the appended collection of twelve papers. Out of those papers, seven present novel research on the topic of bitstream modification attacks and countermeasures, with the majority of contributions being on attacks. Four present novel research on the topic of FPGA-based countermeasures against side-channel analysis. The final paper presents a survey on bitstream modification attacks and countermeasures. The motivation behind the papers on side-channel countermeasures is to enhance the FPGA encryption schemes, as strong encryption can thwart targeted bitstream modification attacks. 

The attack vector of targeted bitstream modification is explored through a series of attacks against cryptographic FPGA implementations. The targets are popular stream ciphers (SNOW 3G, ACORN, and Trivium) and cryptographic primitives (an arbiter-based physical unclonable function and multi-ring-oscillator-based true random number generator). In the attacks on stream ciphers, the bitstream is modified to introduce faults that weaken the keystream by linearizing its generation process. A subsequent analysis of that faulty keystream reveals the secret key of the implementations. In the attacks on cryptographic primitives, the goal of the bitstream modification attack is to lower the bar or enable a side-channel analysis. The aim of the side-channel analysis is to predict the random output values produced by the primitives. To facilitate that, the bitstream modification attack identifies components in the bitstream that produce exploitable information leakage and creates multiple copies of them. The copies have the same values as the targets, but their outputs are not connected, thus having no impact on the functionality of the design. The study on bitstream modification is complemented with the introduction of low-cost obfuscation countermeasures and a general-purpose methodology against obfuscation based on constants. The methodology is able to defeat all the countermeasures we have previously defined, and its application extends to the general field of hardware design obfuscation.

On the topic of side-channel analysis countermeasures, the popular methodology of clock randomization is evaluated. The assumed side-channel analysis aims to extract the secret key of the advanced encryption standard (AES) block cipher. The evaluation reveales that clock randomization cannot offer protection when the side-channel measurements are sampled at a frequency significantly higher than the operational frequency of the device. In response to that, the clock randomization technique is coupled with encryption core duplication to form, a novel countermeasure called CRCD (clock randomization with encryption core duplication). The countermeasure is shown to effectively protect implementations of block ciphers such as AES, and post-quantum key encapsulation mechanisms such as CRYSTALS-Kyber. Further analysis of the countermeasure reveals a weakness that is exploited and finally patched in an updated implementation of CRCD.
Abstract [sv]

Field-Programmable Gate Arrays (FPGAer) används inom olika branscher på grund av deras höga prestanda, energieffektivitet och omkonfigurerbarhet. Dock är den stora fördelen med omkonfigurerbarhet också en källa till säkerhetsutmaningar.Denna doktorsavhandling undersöker säkerhetsbristerna i FPGA-konfigurationsfilen, d.v.s. bitströmmen, med fokus på utforskning och mildring av riktade bitströmsmodifieringsattacker. Resultaten som redogörs i avhandlingens sju kapitel baseras på en bilagd samling av tolv artiklar. Av dessa artiklar presenterar sju ny forskning om ämnet bitströmsmodifieringsattacker och motåtgärder, med majoriteten av bidragen om attacker. Fyra presenterar ny forskning om ämnet FPGA-baserade motåtgärder mot sidokanalsanalys. Den sista rapporten presenterar en översikt över bitströmsmodifieringsattacker och motåtgärder. Motivationen för rapporterna om sidokanalmotåtgärder är att förbättra FPGA-krypteringsscheman, eftersom stark kryptering kan förhindra riktade bitströmsmodifieringsattacker.

Attackvektorn för riktade bitströmsmodifieringsattacker utforskas genom en serie attacker mot kryptografiska FPGA-implementationer. Målen är populära flödes-chiffer (SNOW 3G, ACORN och Trivium) och kryptografiska primitiv (en arbiter-baserad fysiskt oklonbar funktion och en multi-ring-oscillator-baserad sann slumpmässig nummergenerator). I attackerna på strömkrypteringar modifieras bitströmmen för att introducera fel som försvagar keystreamen genom att linjärisera dess genereringsprocess. En efterföljande analys av den felaktiga keystreamen avslöjar den hemliga nyckeln för implementationerna. I attackerna på kryptografiska primitiv är målet med bitströmsmodi-\\fieringsattacken att sänka ribban eller möjliggöra en sidokanalsanalys. Målet med sidokanalsanalysen är att förutsäga de slumpmässiga utvärdena som produceras av primitiverna. För att underlätta detta identifierar bitströmsmodifieringsattacken komponenter i bitströmmen som producerar utnyttjbar informationsläckage och skapar fler kopior av dem. Kopiorna har samma värden som målen, men deras utgångar är inte anslutna, vilket inte påverkar designens funktionalitet. Studien om bitströmsmodifiering kompletteras med införandet av lågkostnadsförvirringsmotåtgärder och en allmän metodik mot förvirring baserad på konstanter. Metodiken kan besegra alla de motåtgärder vi tidigare definierat, och dess tillämpning sträcker sig till det allmänna området för hårdvarudesignförvirring.

På ämnet motåtgärder mot sidokanalsanalys utvärderas den populära metoden för klockslumpning. Den antagna sidokanalsanalysen syftar till att extrahera den hemliga nyckeln för blockkryptoalgoritmen advanced encryption standard (AES). Utvärderingen visar att klockslumpning inte kan erbjuda skydd när sidokanalsmätningarna samplas med en frekvens som är avsevärt högre än enhetens driftfrekvens. Som svar på detta kombineras tekniken för klockslumpning med duplication av krypteringskärnan för att bilda en ny motåtgärd som kallas CRCD (clock randomization with encryption core duplication). Motåtgärden har visat sig effektivt skydda implementationer av blockkrypteringar som AES och postkvantum nyckelinkapslingsmekanismer som CRYSTALS-Kyber. Ytterligare analys av motåtgärden avslöjar en svaghet som utnyttjas och slutligen åtgärdas i en uppdaterad implementation av CRCD.
Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2024. p. xxx, 152
Series
TRITA-EECS-AVL ; 2024:50
Keywords
FPGA, Bitstream, Security, Attack, Cipher, TRNG, PUF, Side-Channel Analysis, Machine Learning, Clock Randomization, FPGA, Bitström, Säkerhet, Attack, Krypto, TRNG, PUF, Sidkanalsanalys, Maskininlärning, Klockslumpning
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Information and Communication Technology
Identifiers
urn:nbn:se:kth:diva-346665 (URN)978-91-8040-938-4 (ISBN)
Public defence
2024-06-12, Ka-Sal C (Sven-Olof Öhrvik), Kistagången 16, Kista, 09:00 (English)
Opponent
Supervisors
Note

QC 20240522

Available from: 2024-05-22 Created: 2024-05-22 Last updated: 2024-06-24Bibliographically approved

Open Access in DiVA

Extended version(1822 kB)826 downloads
File information
File name FULLTEXT01.pdfFile size 1822 kBChecksum SHA-512
74d686fc4be003431d2eae52b009b07db9ead55a9d347d40e2603ad1190c46a65262225da5188397b2be7ae36a79c70615eb509ace999f44bdc58bfcd850847f
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Moraitis, MichailJi, YanningBrisfors, MartinDubrova, Elena

Search in DiVA

By author/editor
Moraitis, MichailJi, YanningBrisfors, MartinDubrova, Elena
By organisation
Electronics and Embedded systems
In the same journal
IEEE design & test
Engineering and Technology

Search outside of DiVA

GoogleGoogle Scholar
Total: 827 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 703 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub