Mike Rosulek,Lawrence Roy

DOI: https://doi.org/10.1007/978-3-030-84242-0_5

2021-01-01

Abstract:We describe a garbling scheme for boolean circuits, in which XOR gates are free and AND gates require communication of 1.5κ+5documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$1.5kappa + 5$$end{document} bits. This improves over the state-of-the-art “half-gates” scheme of Zahur, Rosulek, and Evans (Eurocrypt 2015), in which XOR gates are free and AND gates cost 2κdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2kappa $$end{document} bits. The half-gates paper proved a lower bound of 2κdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2kappa $$end{document} bits per AND gate, in a model that captured all known garbling techniques at the time. We bypass this lower bound with a novel technique that we call slicing and dicing, which involves slicing wire labels in half and operating separately on those halves. Ours is the first to bypass the lower bound while being fully compatible with free-XOR, making it a drop-in replacement for half-gates. Our construction is proven secure from a similar assumption to prior free-XOR garbling (circular correlation-robust hash), and uses only slightly more computation than half-gates.

Erik Pohle,Aysajan Abidin,Bart Preneel

DOI: https://doi.org/10.1109/tifs.2024.3402145

IF: 7.231

2024-05-29

IEEE Transactions on Information Forensics and Security

Abstract:Garbling schemes are vital primitives for privacy-preserving protocols and secure two-party computation. This paper presents a projective garbling scheme that assigns values to wires in a circuit comprising XOR and unary projection gates. A generalization of FreeXOR allows the XOR of wires with values to be very efficient. We then analyze the performance of our scheme by evaluating substitution-permutation ciphers. Using our proposal, we measure high-speed evaluation of the ciphers with a moderately increased cost in garbling and bandwidth. Theoretical analysis suggests that for evaluating the nine examined ciphers, one can expect a 4- to 70-fold improvement in evaluation performance with, at most, a 4-fold increase in garbling cost and, at most, an 8-fold increase in communication cost compared to the Half-Gates (Zahur, Rosulek and Evans; Eurocrypt'15) and ThreeHalves (Rosulek and Roy; Crypto'21) garbling schemes. In an offline/online setting, such as secure function evaluation as a service, the circuit garbling and communication to the evaluator can proceed in the offline phase. Thus, our scheme offers a fast online phase. Furthermore, we present efficient Boolean circuits for the S-boxes of TWINE and Midori64 ciphers. To our knowledge, our formulas give the smallest number of AND gates for the S-boxes of these two ciphers.

computer science, theory & methods,engineering, electrical & electronic

Xu Yan,Bin Lian,Yunhao Yang,Xiaotie Wang,Jialin Cui,Xianghong Zhao,Fuqun Wang,Kefei Chen

DOI: https://doi.org/10.3390/sym16060664

2024-05-28

Symmetry

Abstract:The secure computation of symmetric encryption schemes using Yao's garbled circuits, such as AES, allows two parties, where one holds a plaintext block m and the other holds a key k, to compute Enc(k,m) without leaking m and k to one another. Due to its wide application prospects, secure AES computation has received much attention. However, the evaluation of AES circuits using Yao's garbled circuits incurs substantial communication overhead. To further improve its efficiency, this paper, upon observing the special structures of AES circuits and the symmetries of an S-box, proposes a novel ciphertext reduction scheme for garbling an S-box in the last SubBytes step. Unlike the idea of traditional Yao's garbled circuits, where the circuit generator uses the input wire labels to encrypt the corresponding output wire labels, our garbling scheme uses the input wire labels of an S-box to encrypt the corresponding "flip bit strings". This approach leads to a significant performance improvement in our garbling scheme, which necessitates only 28 ciphertexts to garble an S-box and a single invocation of a cryptographic primitive for decryption compared to the best result in previous work that requires 8×28 ciphertexts to garble an S-box and multiple invocations of a cryptographic primitive for decryption. Crucially, the proposed scheme provides a new idea to improve the performance of Yao's garbled circuits. We analyze the security of the proposed scheme in the semi-honest model and experimentally verify its efficiency.

multidisciplinary sciences

Ke Lin

2023-12-05

Abstract:In classic settings of garbled circuits, each gate type is leaked to improve both space and speed optimization. Zahur et al. have shown in EUROCRYPT 2015 that a typical linear garbling scheme requires at least two $\lambda$-bit elements per gate with a security parameter of $\lambda$, which limits their efficiency. In contrast to typical garbled circuits, gate-hiding garbled circuits have the potential to drastically reduce time costs, although they have been underappreciated. We propose the first skipping scheme for gate-hiding garbled circuits to enhance the efficiency of evaluation by observing prime implicants. Our scheme introduces skip gates to eliminate the need to calculate the entire circuit, enabling unnecessary execution paths to be avoided. We also introduce two variants of our scheme that balance security with parallelism. A proof of hybrid security that combines simulation-based and symmetry-based security in semi-honest scenarios is presented to demonstrate its security under gate-hiding conditions. Our scheme will inspire new directions to improve the general garbling scheme and lead to more practical ones.

Cryptography and Security

Jianqiao Mo,Jayanth Gopinath,Brandon Reagen

DOI: https://doi.org/10.1145/3579371.3589045

2023-04-25

Abstract:Privacy and security have rapidly emerged as priorities in system design. One powerful solution for providing both is privacy-preserving computation, where functions are computed directly on encrypted data and control can be provided over how data is used. Garbled circuits (GCs) are a PPC technology that provide both confidential computing and control over how data is used. The challenge is that they incur significant performance overheads compared to plaintext. This paper proposes a novel garbled circuits accelerator and compiler, named HAAC, to mitigate performance overheads and make privacy-preserving computation more practical. HAAC is a hardware-software co-design. GCs are exemplars of co-design as programs are completely known at compile time, i.e., all dependence, memory accesses, and control flow are fixed. The design philosophy of HAAC is to keep hardware simple and efficient, maximizing area devoted to our proposed custom execution units and other circuits essential for high performance (e.g., on-chip storage). The compiler can leverage its program understanding to realize hardware's performance potential by generating effective instruction schedules, data layouts, and orchestrating off-chip events. In taking this approach we can achieve ASIC performance/efficiency without sacrificing generality. Insights of our approach include how co-design enables expressing arbitrary GCs programs as streams, which simplifies hardware and enables complete memory-compute decoupling, and the development of a scratchpad that captures data reuse by tracking program execution, eliminating the need for costly hardware managed caches and tagging logic. We evaluate HAAC with VIP-Bench and achieve an average speedup of 589$\times$ with DDR4 (2,627$\times$ with HBM2) in 4.3mm$^2$ of area.

Hardware Architecture,Cryptography and Security

Jonas Sander,Sebastian Berndt,Ida Bruhns,Thomas Eisenbarth

2024-10-16

Abstract:The adoption of machine learning solutions is rapidly increasing across all parts of society. As the models grow larger, both training and inference of machine learning models is increasingly outsourced, e.g. to cloud service providers. This means that potentially sensitive data is processed on untrusted platforms, which bears inherent data security and privacy risks. In this work, we investigate how to protect distributed machine learning systems, focusing on deep convolutional neural networks. The most common and best-performing mixed MPC approaches are based on HE, secret sharing, and garbled circuits. They commonly suffer from large performance overheads, big accuracy losses, and communication overheads that grow linearly in the depth of the neural network. To improve on these problems, we present Dash, a fast and distributed private convolutional neural network inference scheme secure against malicious attackers. Building on arithmetic garbling gadgets [BMR16] and fancy-garbling [BCM+19], Dash is based purely on arithmetic garbled circuits. We introduce LabelTensors that allow us to leverage the massive parallelity of modern GPUs. Combined with state-of-the-art garbling optimizations, Dash outperforms previous garbling approaches up to a factor of about 100. Furthermore, we introduce an efficient scaling operation over the residues of the Chinese remainder theorem representation to arithmetic garbled circuits, which allows us to garble larger networks and achieve much higher accuracy than previous approaches. Finally, Dash requires only a single communication round per inference step, regardless of the depth of the neural network, and a very small constant online communication volume.

Cryptography and Security,Machine Learning

Ignacio Cascudo,Ronald Cramer,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-319-96878-0_14

2018-01-01

Abstract:A fundamental and widely-applied paradigm due to Franklin and Yung (STOC 1992) on Shamir-secret -sharing based general n-player MPC shows how one may trade the adversary threshold t against amortized communication complexity, by using a so-called packed version of Shamir's scheme. For e.g. the BGW-protocol (with active security), this trade-off means that if t 2k 2 < n/3, then k parallel evaluations of the same arithmetic circuit on different inputs can be performed at the overall cost corresponding to a single BGW-execution. In this paper we propose a novel paradigm for amortized MPC that offers a different trade-off, namely with the size of the field of the circuit which is securely computed, instead of the adversary threshold. Thus, unlike the Franklin-Yung paradigm, this leaves the adversary threshold unchanged. Therefore, for instance, this paradigm may yield constructions enjoying the maximal adversary threshold L(n 1)/3] in the BGWmodel (secure channels, perfect security, active adversary, synchronous communication). Our idea is to compile an MPC for a circuit over an extension field to a parallel MPC of the same circuit but with inputs defined over its base field and with the same adversary threshold. Key technical handles are our notion of reverse multiplication-friendly embeddings (RMFE) and our proof, by algebraic -geometric means, that these are constant-rate, as well as efficient auxiliary protocols for creating "subspace-randomness" with good amortized complexity. In the BGW-model, we show that the latter can be constructed by combining our tensored-up linear secret sharing with protocols based on hyper-invertible matrices a la BeerliovaHirt (or variations thereof). Along the way, we suggest alternatives for hyper-invertible matrices with the same functionality but which can be defined over a large enough constant size field, which we believe is of independent interest. As a demonstration of the merits of the novel paradigm, we show that, in the BGW-model and with an optimal adversary threshold L(n 1)/3], it is possible to securely compute a binary circuit with amortized complexity 0(n) of bits per gate per instance. Known results would given log n bits instead. By combining our result with the Franklin-Yung paradigm, and assuming a sub-optimal adversary (i.e., an arbitrarily small > 0 fraction below 1/3), this is improved to 0(1) bits instead of 0(n).

K. Tjell,N. Schlüter,P. Binfet,M. Schulze Darup

DOI: https://doi.org/10.48550/arXiv.2112.03654

2021-12-07

Abstract:Encrypted control seeks confidential controller evaluation in cloud-based or networked systems. Many existing approaches build on homomorphic encryption (HE) that allow simple mathematical operations to be carried out on encrypted data. Unfortunately, HE is computationally demanding and many control laws (in particular non-polynomial ones) cannot be efficiently implemented with this technology. We show in this paper that secure two-party computation using garbled circuits provides a powerful alternative to HE for encrypted control. More precisely, we present a novel scheme that allows to efficiently implement (non-polynomial) max-out neural networks with one hidden layer in a secure fashion. These networks are of special interest for control since they allow, in principle, to exactly describe piecewise affine control laws resulting from, e.g., linear model predictive control (MPC). However, exact fits require high-dimensional preactivations of the neurons. Fortunately, we illustrate that even low-dimensional learning-based approximations are sufficiently accurate for linear MPC. In addition, these approximations can be securely evaluated using garbled circuit in less than 100~ms for our numerical example. Hence, our approach opens new opportunities for applying encrypted control.

Systems and Control

Mohammad Hashemi,Steffi Roy,Domenic Forte,Fatemeh Ganji

DOI: https://doi.org/10.48550/arXiv.2208.03806

2022-08-08

Abstract:Recent work has highlighted the risks of intellectual property (IP) piracy of deep learning (DL) models from the side-channel leakage of DL hardware accelerators. In response, to provide side-channel leakage resiliency to DL hardware accelerators, several approaches have been proposed, mainly borrowed from the methodologies devised for cryptographic implementations. Therefore, as expected, the same challenges posed by the complex design of such countermeasures should be dealt with. This is despite the fact that fundamental cryptographic approaches, specifically secure and private function evaluation, could potentially improve the robustness against side-channel leakage. To examine this and weigh the costs and benefits, we introduce hardware garbled NN (HWGN2), a DL hardware accelerator implemented on FPGA. HWGN2 also provides NN designers with the flexibility to protect their IP in real-time applications, where hardware resources are heavily constrained, through a hardware-communication cost trade-off. Concretely, we apply garbled circuits, implemented using a MIPS architecture that achieves up to 62.5x fewer logical and 66x less memory utilization than the state-of-the-art approaches at the price of communication overhead. Further, the side-channel resiliency of HWGN2 is demonstrated by employing the test vector leakage assessment (TVLA) test against both power and electromagnetic side-channels. This is in addition to the inherent feature of HWGN2: it ensures the privacy of users' input, including the architecture of NNs. We also demonstrate a natural extension to the malicious security modeljust as a by-product of our implementation.

Cryptography and Security

Subrata Das,Swaroop Ghosh

2023-06-29

Abstract:The success of quantum circuits in providing reliable outcomes for a given problem depends on the gate count and depth in near-term noisy quantum computers. Quantum circuit compilers that decompose high-level gates to native gates of the hardware and optimize the circuit play a key role in quantum computing. However, the quality and time complexity of the optimization process can vary significantly especially for practically relevant large-scale quantum circuits. As a result, third-party (often less-trusted/untrusted) compilers have emerged, claiming to provide better and faster optimization of complex quantum circuits than so-called trusted compilers. However, untrusted compilers can pose severe security risks, such as the theft of sensitive intellectual property (IP) embedded within the quantum circuit. We propose an obfuscation technique for quantum circuits using randomized reversible gates to protect them from such attacks during compilation. The idea is to insert a small random circuit into the original circuit and send it to the untrusted compiler. Since the circuit function is corrupted, the adversary may get incorrect IP. However, the user may also get incorrect output post-compilation. To circumvent this issue, we concatenate the inverse of the random circuit in the compiled circuit to recover the original functionality. We demonstrate the practicality of our method by conducting exhaustive experiments on a set of benchmark circuits and measuring the quality of obfuscation by calculating the Total Variation Distance (TVD) metric. Our method achieves TVD of up to 1.92 and performs at least 2X better than a previously reported obfuscation method. We also propose a novel adversarial reverse engineering (RE) approach and show that the proposed obfuscation is resilient against RE attacks. The proposed technique introduces minimal degradation in fidelity (~1% to ~3% on average).

Quantum Physics,Cryptography and Security

Tairong Shi,Wenling Wu,Bin Hu,Jie Guan,Han Sui,Senpeng Wang,Mengyuan Zhang

DOI: https://doi.org/10.1109/tifs.2024.3402970

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:A lot of work in the field of quantum cryptanalysis is currently devoted to finding applications of Grover-meets-Simon algorithm and its complexity is given in the form of , but research on how to implement the attack efficiently is still insufficient. After all, it is crucial to study quantum attacks in resource-limited situations, according to NIST's guidance on circuit depth. This work first evaluates the parallelization of Grover-meets-Simon by drawing on the Grover's parallel approach and shows that as the width increases by , the depth decreases by a factor of . Further, the first dedicated quantum attack on a class of functions that appear in cryptographic scheme applications (so-called XOR-type function) is proposed. The depth, width, and the number of gates required for the attack are greatly reduced compared to the general parallelization. Then we apply the attack to various Beyond-Birthday-Bound (BBB) MACs, where the XOR function can be constructed, including SUM-ECBC and its variants (2K-SUM-ECBC, 2K-ECBC_Plus), and GCM-SIV2. In the typical case where SUM-ECBC is based on AES-128, our attack saves at least 62.3% in depth, 19.5% in width and 22.2% in gate count simultaneously. The impact on some lightweight ciphers is further explored, and it is interesting to note that the lighter the quantum circuit implementation of the cipher is, the greater the possible impact of an attack will be. This observation may provide new insights into quantum cryptanalysis.

computer science, theory & methods,engineering, electrical & electronic

Surajit Mandal,Ravi Anand,Mostafizar Rahman,Santanu Sarkar,Takanori Isobe

DOI: https://doi.org/10.1038/s41598-024-69188-8

IF: 4.6

2024-09-11

Scientific Reports

Abstract:Extensive research is currently underway to determine the security of existing ciphers in light of the advancements in quantum computing. Against symmetric key cryptography, Grover's search algorithm is a prominent attack, capable of reducing search costs to the square root. For using Grover's algorithm, it is imperative to embed the target cipher into a quantum circuit. Even so, this area of research is relatively new; it has garnered significant attention from the research community. In this study, we provide the first estimation of the cost of Grover's key search attack against the AES-based AEAD schemes Rocca-S , AEGIS-128 , and Tiaoxin-346 . Our analysis considers circuit depth restrictions specified in NIST's PQC standardization process. Considering NIST's maximum depth constraints, We present the overall cost of these attacks using gate count and depth-times-width metrics. We observed that for , Rocca-S , AEGIS-128 , and Tiaoxin-346 can be retrieved using Grover's search algorithm with gate count of 1.09 × 2 253 , 1.14 × 2 124 , and 1.22 × 2 124 respectively. Concerning the current updated values by NIST, these ciphers are secure in terms of the cost of implementing Grover's attack for key recovery. The quantum circuits of these ciphers are implemented using QISKIT, an open-source software development kit (SDK) designed for working with quantum computers running on the IBM Quantum Experience platform.

multidisciplinary sciences

Yibiao Lu,Bingsheng Zhang,Hong-Sheng Zhou,Weiran Liu,Lei Zhang,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-88428-4_34

2021-01-01

Abstract:With the advancement of the trusted execution environment (TEE) technologies, hardware-supported secure computing becomes increasingly popular due to its efficiency. During the protocol execution, typically, the players need to contact a third-party server for remote attestation, ensuring the validity of the involved trusted hardware component, such as Intel SGX, as well as the integrity of the computation result. When the hardware manufacturer is not fully trusted, sensitive information may be leaked to the third-party server through backdoors, steganography, and kleptography, etc. In this work, we introduce a new security notion called semi-trusted hardware model, where the adversary is allowed to passively or maliciously corrupt the hardware. Therefore, she can learn the input of the hardware component and might also tamper its output. We then show how to utilize such semi-trusted hardwares for correlated randomness teleportation. When the semi-trusted hardware is instantiated by Intel SGX, to generate 10k random OT's, our protocol is 24X and 450X faster than the EMP-IKNP-ROT in the LAN and WAN setting, respectively. When SGX is used to teleport Garbled circuits, the resulting two-party computation protocol is 5.3-5.7X and 43-47X faster than the EMP-SH2PC in the LAN and WAN setting, respectively, for the AES-128, SHA-256, and SHA-512 evaluation. We also show how to achieve malicious security with little overhead.

Jianqiang Ni,Jianhui Zhang,Gaoli Wang,Rui Li,Yanzhao Shen

DOI: https://doi.org/10.3390/sym15081563

2023-01-01

Symmetry

Abstract:The rise of modern cryptographic protocols such as Zero-Knowledge proofs and secure Multi-party Computation has led to an increased demand for a new class of symmetric primitives. Unlike traditional platforms such as servers, microcontrollers, and desktop computers, these primitives are designed to be implemented in arithmetical circuits. In terms of security evaluation, arithmetization-oriented primitives are more complex compared to traditional symmetric cryptographic primitives. The arithmetization-oriented permutation Grendel employs the Legendre Symbol to increase the growth of algebraic degrees in its nonlinear layer. To analyze the security of Grendel thoroughly, it is crucial to investigate its resilience against algebraic attacks. This paper presents a preimage attack on the sponge hash function instantiated with the complete rounds of the Grendel permutation, employing algebraic methods. A technique is introduced that enables the elimination of two complete rounds of substitution permutation networks (SPN) in the sponge hash function without significant additional cost. This method can be combined with univariate root-finding techniques and Gröbner basis attacks to break the number of rounds claimed by the designers. By employing this strategy, our attack achieves a gain of two additional rounds compared to the previous state-of-the-art attack. With no compromise to its security margin, this approach deepens our understanding of the design and analysis of such cryptographic primitives.

Alexey Moiseevskiy

2023-04-12

Abstract:Advanced Encryption Standard is one of the most widely used and important symmetric ciphers for today. It well known, that it can be subjected to the quantum Grover's attack that twice reduces its key strength. But full AES attack requires hundreds of qubits and circuit depth of thousands, that makes impossible not only experimental research but also numerical simulations of this algorithm. Here we present an algorithm for optimized Grover's attack on downscaled Simplifed-AES cipher. Besides full attack we present several approaches that allows to reduce number of required qubits if some nibbles of the key are known as a result of side-channel attack. For 16-bit S-AES the proposed attack requires 23 qubits in general case and 19, 15 or 11 if 4, 8 or 12 bits were leaked in specifc confguration. Comparing to previously known 32-qubits algorithm this approach potentially allows to run the attack on today's NISQ-devices and perform numerical simulations with GPU, that may be useful for further research of problem-specifc error mitigation and error correction techniques.

Quantum Physics

Dejun Xu,Kai Wang,Jing Tian

2024-07-03

Abstract:CRYSTALS-Kyber (a.k.a. Kyber) has been drafted to be standardized as the only key encapsulation mechanism (KEM) scheme by the national institute of standards and technology (NIST) to withstand attacks by large-scale quantum computers. However, the side-channel attack (SCA) on its implementation is still needed to be well considered for the upcoming migration. In this brief, we propose a secure and efficient hardware implementation for Kyber by incorporating a novel compact shuffling architecture. First of all, we modify the Fisher-Yates shuffle to make it more hardware-friendly. We then design an optimized shuffling architecture for the well-known open-source Kyber hardware implementation to enhance the security of all the potential side-channel leakage points. Finally, we implement the modified Kyber design on FPGA and evaluate its security and performance. The security is verified by conducting the correlation power analysis (CPA) attacks on the hardware. Meanwhile, FPGA place-and-route results show that the proposed design reports only 8.7% degradation on the hardware efficiency compared with the original unprotected version, much better than existing hiding schemes.

Cryptography and Security

Yun Li,Yufei Duan,Zhicong Huang,Cheng Hong,Chao Zhang,Yifan Song

2023-01-01

Abstract:In this work, we focus on maliciously secure 3PC for binary circuits with honest majority. While the state-of-the-art (Boyle et al. CCS 2019) has already achieved the same amortized communication as the best-known semi-honest protocol (Araki et al. CCS 2016), they suffer from a large computation overhead: when comparing with the best-known implementation result (Furukawa et al. Eurocrypt 2017) which requires 9x communication cost of Araki et al., the protocol by Boyle et al. is around 4.5x slower than that of Furukawa et al. In this paper, we design a maliciously secure 3PC protocol that matches the same communication as Araki et al. with comparable concrete efficiency as Furukawa et al. To obtain our result, we manage to apply the distributed zero-knowledge proofs (Boneh et al. Crypto 2019) for verifying computations over F-2 by using prime fields and explore the algebraic structure of prime fields to make the computation of our protocol friendly for native CPU computation. Experiment results show that our protocol is around 3.5x faster for AES circuits than Boyle et al. We also applied our protocol to the binary part (e.g. comparison and truncation) of secure deep neural network inference, and results show that we could reduce the time cost of achieving malicious security in the binary part by more than 67%. Besides our main contribution, we also find a hidden security issue in many of the current probabilistic truncation protocols, which may be of independent interest.

Mengyuan Zhang,Tairong Shi,Wenling Wu,Han Sui

DOI: https://doi.org/10.1109/tc.2024.3449094

IF: 3.183

2024-10-12

IEEE Transactions on Computers

Abstract:In the post-quantum era, the security level of encryption algorithms is often evaluated based on the quantum resources required to attack AES. In this work, we make thoroughly estimations on various performance metrics of the quantum circuit of AES-128/192/256. Firstly, we introduce a generic round structure for in-place implementation of the AES algorithm, maximizing the parallelism between nonlinear components. Specifically, when employed as an encryption oracle, our structure reduces the T-depth from 2rd to (r+1)d. Furthermore, by leveraging the properties of block-cyclic matrices, we present an in-place implementation circuit for MixColumn with depth 10, utilizing 105 CNOT gates. In relation to the S-box, we have assessed its minimum circuit width at different T-depths and provide multiple versions of circuit implementations for a depth-width trade-off. Finally, based on our optimized S-box circuit, we conduct a comprehensive analysis of the implementation complexity of different round structures, where our structure exhibits significant advantages in terms of low T-depth.

engineering, electrical & electronic,computer science, hardware & architecture

HU Wei,MU De-jun,HUANG Xing-li,TAI Yu

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.03.019

2015-01-01

Abstract:Components such as caches and branch predictors in modern processor architectures tend to include hard-to-detect covert channels, which provide a foot-holder for attackers to perform malicious activities. However, existing methods are inefficient in detecting hardware-specific covert channels. As a consequence, these security holes expose only after significant damages are inflicted. In this paper, a secure architecture based on the execution lease mechanism is built in order to tightly bound the effects of untrusted execution contexts and enforce the strict isolation of execution contexts. Further, the information flow model of the hardware architecture is constructed by using the gate level information flow analysis method, which allows the precise measurement of all digital flows in the underlying hardware and the detection of security vulnerabilities by capturing harmful flows of information. In addition, hardware/software security co-verification can be achieved with the aid of information flow measurement capability provided by the information flow model of the instruction set architecture.