Fault-tolerant methods for a new lightweight cipher SIMON


Jaya Dofe1, Connor Reed2, Ning Zhang3, Qiaoyan Yu1

1 Electrical and Computer Engineering Department, University of New Hampshire, USA
2 Nashua North High School, New Hampshire, USA
3 State Key Laboratory of ISN, Xidian University, Xi’an, China
1 E-mail: [email protected]

978-1-4799-7581-5/15/$31.00 ©2015 IEEE

Abstract

We propose three fault-tolerant methods for a new lightweight block cipher SIMON, which has the potential to be a hardware-efficient security primitive for embedded systems. As a single fault in the encryption (decryption) process can completely change the ciphertext (received plaintext), it is critical to ensure the reliability of encryption and decryption modules. We explore double-modular redundancy (DMR), reverse function, and a parity check code combined with a non-linear compensation function (EPC) to detect faults in SIMON. The proposed fault-tolerant methods were implemented in iterative and pipelined SIMON architectures. The corresponding hardware cost, power consumption, and fault detection failure rate were assessed. Simulation results show that EPC-SIMON consumes less area and power than DMR-SIMON and Reversed-SIMON but yields a higher fault detection failure rate as the number of concurrent faults increases. Moreover, our experiments show that the impact of fault location on the fault-detection failure rates for different methods is not consistent.

Keywords

SIMON; fault tolerance; block cipher; reliability.

1. Introduction

Advanced Encryption Standard (AES) has been accepted as the standard for both government and industry applications, but AES is not suitable for resource-constrained platforms because of its high-complexity. The emerging consensus suggests that the desirable area cost of a cipher should be no more than 2000 gates [7]. To fulfill the security concerns for sensitive and hardware-constrained applications, NSA published SIMON cipher in June 2013 [5]. SIMON is a balanced Feistel cipher, which consumes 70% smaller area than the standardized low-cost AES alternative PRESENT [6].

Traditional fault-tolerant methods have been widely investigated for the implementation of cipher, such as AES [2, 8, 10, 13]. Reverse functions are used to recover the original input for the encryption/decryption process; the recovered input is compared to the original one to detect faults in AES [1]. The hardware-redundant-based concurrent error detection schemes [9, 11] can be applied to the internal function, round, or entire encryption process levels. Another category of fault detection methods for AES is based on parity codes [2, 4, 10-13]. The parity check codes can be applied to each byte of the state matrix, each transformation, after each round, or at the end of encryption process. Because of the wide input and key width (typical value is 64, 128, or 256), simple parity check codes are not sufficient to detect multiple faults. To increase fault detection capability, multiple groups of simple parity check codes or complicated parity codes are needed, at the cost of dramatic increase on hardware overhead. Low-density parity-check (LDPC) is incorporated in sequential circuits to mitigate the fault attacks [3]. The common challenge in the application of coding for error correction is the non-linear transformation in cipher.

As SIMON is a newly released cipher, to the best of our knowledge, this is the first work to investigate fault-tolerant methods for SIMON. Since SIMON uses less complicated non-linear functions than AES does, basic fault detection approaches, such as modular redundancy, reverse function and simple linear codes are worth being explored for SIMON.

In this work, we first explore three low-cost fault-tolerant methods for SIMON in Section 2, and then assess the hardware cost and fault detection efficiency of different methods in Section 3. The impact of fault injection timing and location on SIMON function failure is studied in Section 3, as well. This work is concluded in Section 4.

2. Proposed Fault-Tolerant Methods for SIMON

2.1 Preliminaries for Basic SIMON

SIMON is composed of round function and key schedule function, and it can be implemented with shifting functions (SHIFT-L and SHIFT-R), ANDs and exclusively ORs, as shown in Figs. 1 and 2. The round function for SIMON is described in equations (1)-(3). $RW^{i}$ and $LW^{i}$ stand for the right and left halves of the plaintext, respectively. The superscript i is the round number.

$$RW^{i} = LW^{i-1} \tag{1}$$

$$LW^{i} = RW^{i-1} \oplus F\left(LW^{i-1}\right) \oplus K^{i-1} \tag{2}$$

Where F(·) is defined in (3). F ( X ) = (( X
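
The round in equations (1)-(2) and the reverse-function check described in the abstract can be modelled in software as follows. This is an added example, not code from the paper: the 16-bit word size, the constructed round keys, the `fault` XOR mask and the body of `F` (taken from the public SIMON specification, because equation (3) is cut off on this page) are assumptions.

```python
N = 16                      # assumed word size in bits (half of a 32-bit block)
MASK = (1 << N) - 1

def rotl(x, r):
    """Rotate an N-bit word left by r bits (the SHIFT-L building block)."""
    return ((x << r) | (x >> (N - r))) & MASK

def F(x):
    """Assumed non-linear function, per the public SIMON spec: (S1(x) & S8(x)) ^ S2(x)."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)

def round_fwd(lw, rw, k, fault=0):
    """Equations (1)-(2). `fault` is XORed into the new left word to model a datapath bit flip."""
    new_rw = lw
    new_lw = (rw ^ F(lw) ^ k ^ fault) & MASK
    return new_lw, new_rw

def round_inv(lw, rw, k):
    """Reverse function: recover (LW^{i-1}, RW^{i-1}) from (LW^i, RW^i)."""
    prev_lw = rw
    prev_rw = lw ^ F(prev_lw) ^ k
    return prev_lw, prev_rw

def checked_round(lw, rw, k, fault=0):
    """Run one round, invert the result, compare with the saved input."""
    out = round_fwd(lw, rw, k, fault)
    detected = round_inv(*out, k) != (lw, rw)
    return out, detected

def encrypt_checked(lw, rw, keys, fault_round=None, fault=0):
    """Iterate the rounds; return (state, index of the first flagged round or None)."""
    for i, k in enumerate(keys):
        f = fault if i == fault_round else 0
        (lw, rw), bad = checked_round(lw, rw, k, f)
        if bad:
            return (lw, rw), i      # stop before a faulty state propagates further
    return (lw, rw), None

if __name__ == "__main__":
    keys = [0x1918, 0x1110, 0x0908, 0x0100]   # constructed round keys, not a real key schedule
    print(encrypt_checked(0x6565, 0x6877, keys))                              # clean run
    print(encrypt_checked(0x6565, 0x6877, keys, fault_round=2, fault=0x10))   # flagged at round 2
    # A flipped key bit seen by both directions cancels out in this model:
    print(checked_round(0x6565, 0x6877, keys[0] ^ 0x4)[1])
```

In this model a bit flip in the round datapath is always caught, while a fault in a round-key value that feeds both the forward and the reverse computation is not, which is one concrete way fault location can change the detection outcome.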