Abstract
\(\mathtt{PHOTON} \) is a lightweight hash function proposed by Guo et al. at CRYPTO 2011. It is intended for low-resource ubiquitous computing devices such as RFID tags, wireless sensor nodes, smart cards and mobile devices. \(\mathtt{PHOTON} \) is built on the sponge construction, and it gives rise to a new \(\mathtt{MAC} \) function called \(\mathtt{MAC}-\mathtt{PHOTON} \). This paper deals with FPGA implementations of \(\mathtt{MAC}-\mathtt{PHOTON} \) and their side-channel attack (SCA) resistance. First, we describe three architectures of \(\mathtt{MAC}-\mathtt{PHOTON} \) based on the concepts of iterative, folding and unrolling, and we report their performance results on Xilinx Virtex-5 FPGAs. Second, we analyse the security of \(\mathtt{MAC}-\mathtt{PHOTON} \) against side-channel attack using a SASEBO-GII development board. Finally, we present an analysis of its Threshold Implementation (TI) and discuss its resistance against first-order power analysis attacks.
References
FT2232D DUAL USB TO SERIAL UART/FIFO IC Datasheet, 2nd edn. Future Technology Devices International Ltd. (2010)
National Institute of Advanced Industrial Science and Technology (AIST): Side-channel Attack Standard Evaluation Board SASEBO-GII specification (2009). http://www.rcis.aist.go.jp/special/SASEBO/SASEBO-GII-ja.html
Anandakumar, N.N., Peyrin, T., Poschmann, A.: A very compact FPGA implementation of LED and PHOTON. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 304–321. Springer, Cham (2014). http://dx.doi.org/10.1007/978-3-319-13039-2_18
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Leander, G., Thomsen, S.S. (eds.) SKEW (2011)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions (2011). http://sponge.noekeon.org/CSF-0.1.pdf
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak sponge function family (2011). http://keccak.noekeon.org/
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
Boura, C., Lévêque, S., Vigilant, D.: Side-channel analysis of Grøstl and Skein. In: IEEE Symposium on Security and Privacy Workshops, pp. 16–26. IEEE Computer Society (2012)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Eiroa, S., Baturone, I.: FPGA implementation and DPA resistance analysis of a lightweight HMAC construction based on photon hash family. In: FPL, pp. 1–4. IEEE (2013)
Engel, A., Liebig, B., Koch, A.: Feasibility analysis of reconfigurable computing in low-power wireless sensor applications. In: Koch, A., Krishnamurthy, R., McAllister, J., Woods, R., El-Ghazawi, T. (eds.) ARC 2011. LNCS, vol. 6578, pp. 261–268. Springer, Heidelberg (2011)
Feldhofer, M., Aigner, M.J., Baier, T., Hutter, M., Plos, T., Wenger, E.: Semi-passive RFID development platform for implementing and attacking security tags. In: ICITST, pp. 1–6. IEEE (2010)
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)
Homsirikamol, E., Rogawski, M., Gaj, K.: Throughput vs. area trade-offs in high-speed architectures of five round 3 SHA-3 candidates implemented using Xilinx and Altera FPGAs. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 491–506. Springer, Heidelberg (2011)
Järvinen, K.: Design and implementation of a SHA-1 hash module on FPGAs. Helsinki University of Technology Signal Processing Laboratory (2004)
Järvinen, K.U., Tommiska, M., Skyttä, J.: Hardware implementation analysis of the MD5 hash algorithm. In: 38th Hawaii International Conference on System Sciences (HICSS-38 2005), CD-ROM/Abstracts Proceedings, 3–6 January 2005, Big Island, HI, USA. IEEE Computer Society (2005). http://dx.doi.org/10.1109/HICSS.2005.291
Kobayashi, K., Ikegami, J., Sakiyama, K., Ohta, K., Knezevic, M., Kocabas, Ü., Fan, J., Verbauwhede, I., Guo, E.X., Matsuo, S., Huang, S., Nazhandali, L., Satoh, A.: Prototyping platform for performance evaluation of SHA-3 candidates. In: Plusquellic, J., Mai, K. (eds.) HOST, pp. 60–63. IEEE Computer Society (2010)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 388. Springer, Heidelberg (1999)
Future Technology Devices International Ltd.: Code Examples (C#). http://www.ftdichip.com/Support/SoftwareExamples/CodeExamples/CSharp.htm
Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006)
Poschmann, A., Moradi, A., Khoo, K., Lim, C.W., Wang, H., Ling, S.: Side-channel resistant crypto for less than 2,300 GE. J. Crypt. 24(2), 322–345 (2011)
Taha, M.M.I., Schaumont, P.: Side-channel analysis of MAC-Keccak. In: HOST, pp. 125–130. IEEE (2013)
Tuan, T., Rahman, A., Das, S., Trimberger, S., Kao, S.: A 90-nm low-power FPGA for battery-powered applications. IEEE Trans. CAD Integr. Circ. Syst. 26(2), 296–300 (2007)
Yalçın, T., Kavun, E.B.: On the implementation aspects of sponge-based authenticated encryption for pervasive devices. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 141–157. Springer, Heidelberg (2013)
Zohner, M., Kasper, M., Stöttinger, M., Huss, S.A.: Side channel analysis of the SHA-3 finalists. In: Rosenstiel, W., Thiele, L. (eds.) DATE, pp. 1012–1017. IEEE (2012)
Acknowledgments
This research work has been funded by the Department of Atomic Energy (DAE), Govt. of India under grant number 12-R&D-IMS-5.01.0204. The author would like to thank Suganya Annadurai, M. Prem Laxman Das, Lakshmi Kuppusamy and Ravikumar Selvam for helpful discussions, and also the anonymous reviewers for their critical suggestions that greatly improved the quality of this paper.
A Our Communication Interface for SASEBO-GII
Our communication interface for SASEBO-GII [2] is derived from the one proposed in [19], with slight modifications that make it suitable for, and customisable to, cryptographic primitives. The entire interface control logic is implemented as a finite-state machine, and we provide MATLAB routines instead of SASEBO-Checker [19] to work with the FTDI chip; this choice was made for accessibility and ease of maintenance. Figure 9 shows an overview of the SASEBO-GII communication interface. The interface connects the PC with the two FPGAs of the SASEBO-GII board: the cryptographic FPGA (Virtex-5), which implements the cryptographic algorithm, and the control FPGA (Spartan-3A), which transfers data between the PC and the cryptographic FPGA. In our case, the MAC-PHOTON-80/20/16 module was ported to the cryptographic FPGA, while the control FPGA acted as a bridge between the PC and the MAC-PHOTON-80/20/16 module.
A.1 The Interface Between the Control and Cryptographic FPGAs
The control FPGA module consists of the following five states: initial, receiveusb, ControlFPGAsend, ControlFPGAreceive and sendusb. In the initial state, the USB module in the control FPGA is initialised through the FT2232D USB chip [1]. In the receiveusb state, the input data is received 8 bits at a time from the PC (MATLAB) through the USB chip and stored in the input data registers. In the ControlFPGAsend state, the MAC-PHOTON-80/20/16 module in the cryptographic FPGA is first initialised via the init signal; the control FPGA then sends the input data, 16 bits at a time, from the input data registers to the cryptographic FPGA via the datain signal. Once the data has been processed, the ControlFPGAreceive state receives the output data, 16 bits at a time, from the cryptographic FPGA via the dataout signal and stores it in the output data registers. In the sendusb state, the output data (the MAC) is sent back, 8 bits at a time, from the output data registers to the PC (MATLAB) through the FT2232D USB chip. In total, the interface between the control and cryptographic FPGAs requires 30 clock cycles.
The cryptographic FPGA module consists of the following three states: process, CryptoFPGAreceive and CryptoFPGAsend. In the CryptoFPGAreceive state, the cryptographic FPGA starts receiving the input data from the control FPGA when the init signal arrives, and stores the values in its data registers. The process state executes the MAC-PHOTON-80/20/16 module. In the CryptoFPGAsend state, once the MAC-PHOTON-80/20/16 module has finished, the output data (the MAC) is sent, 16 bits at a time, to the control FPGA via the dataout signal.
A.2 The Interface Between the PC and Control FPGA
The FT2232D USB chip is permanently mounted together with the control FPGA on the SASEBO-GII board and acts as the communication interface between the MATLAB software and the control FPGA. The MATLAB software runs on the host PC and is the control centre of the whole system. In this work, MATLAB is used for two purposes: to record the traces from the oscilloscope, and to send data to and receive data from the control FPGA via the FT2232D USB chip from FTDI. Although MATLAB supports calling shared-library functions, there is no readily available MATLAB solution [21] for working with the FTDI chip. In this work, we therefore translated the working .NET wrapper [21] into MATLAB code that calls the shared-library functions.
The translation program is divided into four parts: initialisation, transfer, receive and closing. During initialisation, the data length is defined, the library functions are loaded, and a handle is created that opens the device (USB port). Once initialisation is complete, the program tells the user that it is ready to receive data and asks the user to trigger the FPGA. During the transfer stage, the program writes the input data to the control FPGA continuously until the expected data length has been sent. During the receive stage, the program reads the output data from the control FPGA. Once the receive stage is complete, the device handle (USB port) is closed. In total, the interface between the PC and the control FPGA requires 216 clock cycles.
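The two halves of Appendix A describe one data path: the host program (A.2) pushes 8-bit USB transfers to the control FPGA, the control FPGA's state machine (A.1) repacks them into 16-bit datain words for the cryptographic FPGA, and the MAC comes back the same way. The following Python model is an added example, not the paper's HDL or MATLAB code. It models both state machines, the width conversion at each boundary, and the four host-side stages, and it counts one clock per transfer per state. That cycle model is an assumption, as are the 80-bit tag length (taken from the PHOTON-80/20/16 naming) and the big-endian packing; the cryptographic core is a labelled placeholder, not MAC-PHOTON.

```python
# Added example: cycle-level model of the SASEBO-GII bridge in Appendix A.
# Not the paper's HDL/MATLAB. The core is a placeholder, NOT MAC-PHOTON.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

USB_WIDTH = 8     # bits per transfer on the FT2232D (PC) side
BUS_WIDTH = 16    # bits per transfer on the datain/dataout bus between FPGAs
MAC_BYTES = 10    # assumption: 80-bit tag for MAC-PHOTON-80/20/16


def pack_words(data: bytes) -> List[int]:
    """Assemble 8-bit USB bytes into 16-bit bus words (big-endian, zero-padded tail)."""
    if len(data) % 2:
        data += b"\x00"
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


def unpack_words(words: List[int], nbytes: int) -> bytes:
    """Split 16-bit bus words back into the 8-bit bytes sent over USB."""
    return b"".join(w.to_bytes(2, "big") for w in words)[:nbytes]


def placeholder_core(msg: bytes) -> bytes:
    """Stand-in for the MAC-PHOTON-80/20/16 module: a constructed byte-mixing
    function with NO cryptographic meaning, present only so the bridge can
    round-trip a fixed-size tag."""
    tag = bytearray(MAC_BYTES)
    for i, b in enumerate(msg + len(msg).to_bytes(2, "big")):
        tag[i % MAC_BYTES] ^= (b + i) & 0xFF
    return bytes(tag)


@dataclass
class CryptoFPGA:
    """States of A.1: process, CryptoFPGAreceive, CryptoFPGAsend."""
    core: Callable[[bytes], bytes] = placeholder_core
    regs: List[int] = field(default_factory=list)
    out: List[int] = field(default_factory=list)
    state: str = "CryptoFPGAreceive"

    def init(self) -> None:           # init signal raised by the control FPGA
        self.regs, self.out, self.state = [], [], "CryptoFPGAreceive"

    def datain(self, word: int) -> None:
        assert self.state == "CryptoFPGAreceive" and 0 <= word < (1 << BUS_WIDTH)
        self.regs.append(word)

    def process(self, msg_len: int) -> None:
        self.state = "process"
        self.out = pack_words(self.core(unpack_words(self.regs, msg_len)))
        self.state = "CryptoFPGAsend"

    def dataout(self) -> int:
        assert self.state == "CryptoFPGAsend"
        return self.out.pop(0)


@dataclass
class ControlFPGA:
    """States of A.1: initial, receiveusb, ControlFPGAsend, ControlFPGAreceive,
    sendusb. Cycle accounting (assumption): one transfer per clock per state;
    the core's own latency in the process state is not counted."""
    crypto: CryptoFPGA
    cycles: Dict[str, int] = field(default_factory=dict)

    def _tick(self, state: str, n: int = 1) -> None:
        self.cycles[state] = self.cycles.get(state, 0) + n

    def run(self, usb_in: bytes) -> bytes:
        self._tick("initial")                         # bring up the USB module
        in_regs = bytearray()
        for byte in usb_in:                           # receiveusb: 8 bits per cycle
            in_regs.append(byte)
            self._tick("receiveusb")
        self.crypto.init()                            # ControlFPGAsend: raise init,
        self._tick("ControlFPGAsend")
        for word in pack_words(bytes(in_regs)):       # then one 16-bit word per cycle
            self.crypto.datain(word)
            self._tick("ControlFPGAsend")
        self.crypto.process(len(in_regs))
        out_regs = []
        for _ in range((MAC_BYTES + 1) // 2):         # ControlFPGAreceive: dataout words
            out_regs.append(self.crypto.dataout())
            self._tick("ControlFPGAreceive")
        mac = unpack_words(out_regs, MAC_BYTES)
        self._tick("sendusb", len(mac))               # sendusb: 8 bits per cycle
        return mac

    @property
    def total_cycles(self) -> int:
        return sum(self.cycles.values())


def host_program(msg: bytes, data_len: int, core=placeholder_core):
    """Host-side stages of A.2: initialisation, transfer, receive, closing.
    In the paper these wrap the FTDI shared library from MATLAB; here the
    "device" is the in-process ControlFPGA model. Returns (mac, cycles)."""
    if len(msg) != data_len:                          # initialisation fixed the length
        raise ValueError("message length must equal the configured data length")
    handle = ControlFPGA(CryptoFPGA(core))            # initialisation: open the device
    try:
        mac = handle.run(msg)                         # transfer + receive
        cycles = dict(handle.cycles)
    finally:
        handle = None                                 # closing: release the handle
    return mac, cycles


if __name__ == "__main__":
    tag, cyc = host_program(b"abcd", 4)               # constructed 4-byte input
    print(tag.hex(), cyc, sum(cyc.values()))
```

The useful check is the round trip: the tag the host reads back must equal what the core computed on the bytes it was given, which only holds if the 8-to-16-bit packing on the way in and the 16-to-8-bit unpacking on the way out agree on byte order and padding. The per-state cycle counts make the cost of each boundary visible; the paper's own figures (30 and 216 cycles) depend on its specific FSM timing and data length, which this model does not reproduce.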
© 2015 Springer International Publishing Switzerland
Nalla Anandakumar, N. (2015). SCA Resistance Analysis on FPGA Implementations of Sponge Based \(\mathtt{MAC}-\mathtt{PHOTON} \) . In: Bica, I., Naccache, D., Simion, E. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2015. Lecture Notes in Computer Science(), vol 9522. Springer, Cham. https://doi.org/10.1007/978-3-319-27179-8_6
DOI: https://doi.org/10.1007/978-3-319-27179-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27178-1
Online ISBN: 978-3-319-27179-8