基於串流加密和身分為基礎的物聯網密碼系統

Abstract

隨著物聯網的普及，資訊安全成為一個重要的議題。然而過去普遍使用的加解密技術像是用 RC4 或 AES 演算法來做訊息加解密，用 RSA 或 Diffie-Hellman 演算法來做金鑰交換通常都無法達到物聯網的規格限制。在眾多新演算法中，輕量級加解密演算法搭配以身分為基礎的密碼系統是一個很有潛力的方案。另一方面，旁通道攻擊中的能量分析攻擊法在此情境下變成很大的威脅。主要原因是因為他們可以用低成本的工具來量測與金鑰相關的晶片能量軌跡進而破解金鑰。然而，在過去資訊安全文獻中並沒有一個完整考量此兩點並實做到物聯網中的設計指南。

在本論文中，我們將會討論如何建構出一個物聯網的安全系統。首先，我們會研究如何設計和實作出適合物聯網的密碼學模組，包含演算法和硬體電路架構的探討。接下來我們會用創新的能量分析攻擊法來攻擊電路並將結果呈現在我們提出的評估平台上。對於能量分析攻擊法，我們也提出相對應的解決方案。最後我們會針對物聯網應用的安全性給予一個系統性的設計方法和設計指南。

我們主要的學術貢獻可分為三部分。第一部分是我們設計並實作eSTREAM 計畫中的三個輕量級硬體導向的串流加密器，且針對硬體串流加密器提出更有效的能量分析攻擊法。為了避免相關能量分析攻擊法，我們提出了 Uniform Distribution RandomPower Generator (UDRPG) 來解決此一問題。根據我們的實驗結果，此方法可有效的提 升三個數量級的旁通道攻擊安全性。且相對於傳統方法省下 40% 以上的面積使用量。

第二部分為提出了一個高效能特徵值為 3 的 etaT 配對加速器來供伺服端使用。在此設計中我們藉由數學推導和硬體排程使得一個米勒迴圈可以在 17 個 clock 周期內做完。我們也用 torus 表示法和 Frobenius map 來降低最終算算指數運算的運算量。管線化和平行運算技巧也用來減少 critical 路徑的延遲。最後我們選擇了適宜的乘法器數目和架構來讓上述兩個運算達成完全管線化。根據上述技巧，我們實現了一個基於 90奈 CMOS 製程的測試晶片。此晶片核心所佔的面積為 1.52 x 0.97mm^2 ，且可以在 1 伏特的操作電壓下於 4.76us 完成一個 F(3^97) 的雙線性配對運算，此一數據相較於過去文獻至少有 178% 的進步。為了支援終端結點的實作，我們也提出了一個基於冗餘數對表示法的雙線性配對運算器。我們分析並採用 Mixed Radix Conversion (MRC) 來做基底轉換。另外也針對米勒迴圈和最終指數運算做優化。在 128 位元的安全度下我們可以在 480ms 下完成一個在 F(256) 的雙線性配對運算。最後，我們也用 Full-Word Montgomery Multiplier(FWMM) 來優化橢圓曲線點乘法的運算。本部份的密碼模組可用來建構以身分為基礎的密碼系統。

第三部分，我們提出了一個創新的平台來公平的比較旁通道攻擊的攻擊法和防禦方法。我們的平台有幾項特色：我們採用學界和業界廣泛使用的 SAKURA-G FPGA 板來當作我們硬體實現的平台。並採用低成本且開源的 OpenADC 來做波型擷取。我們的量測和分析軟體則是基於開源的 Chipwhisperer 專案。這個架構不只能提升比較的公平性，且能讓旁通道攻擊法重現性提高。

綜合以上三部分我們提出了一個設計指南。根據我們的設計方法，我們實際討論了一個影音串流系統的安全系統設計。並說明此系統的安全性可以得到實現及驗證。

As the applications of Internet-of-Things (IoT) grow, information security becomes an important issue. Nevertheless, common popular privacy protection schemes like encryption using data RC4 or AES and key distribution via RSA or Diffie-Hellman algorithms are often failed to meet the stringent low-cost requirements. One of the most promising alternatives is lightweight cryptography incorporate ID-based protocols. On the other hand, Side-Channel Analysis (SCA) attacks, particularly power analysis attacks, are becoming the biggest threat for IoT end nodes. This is because they can break the security modules by simply analyzing the key-dependent power leakage using low-cost toolkits. Unfortunately, there lacks efficient and effective design methodology that cope with these two design challenges at the same time in the literature.

In this dissertation, we aim to fulfill this gap. Firstly, we investigate the design of crypto modules that suit IoT applications, including the algorithm selection and optimization, hardware architecture exploration, and circuit-level design. Moreover, several novel power analysis methods as well as countermeasures are discussed and conducted on our proposed side-channel evaluation platform. Finally, a systematic design methodology is proposed to provide a solution delivering secure modules in IoT context.

Our contributions can be mainly divided into threefolds: first, the lightweight eSTREAM ciphers are analyzed and implemented with small footprint, and the register-based power analysis attacks are exploited to show the practical dangers of unprotected design. To patch this flaws, an effective countermeasure scheme called Uniform Distribution Random Power Generator (UDRPG) is proposed which can provide at least three orders of magnitude in terms of SCA-resistance. Moreover, experiment results show that the area overhead is improved for at least 40% with relative works.

Second, to support submerging ID-based cryptosystem in the server side, an efficient etaT pairing over characteristic three is presented. By mathematical manipulation and hardware scheduling, a single Miller’s loop can be executed within 17 clock cycles. Furthermore, we employ torus representation and exploit the Frobenius map to lower the computation cost of final exponentiation. Pipelining and parallelization datapath are also exploited to shorten the critical path delay. Finally, by choosing suitable multiplier architecture and selecting appropriate number of multipliers, Miller’s loop and final exponentiation can be computed in a fully pipelined manner. With these schemes, a test chip for the proposed pairing accelerator has been fabricated in 90-nm CMOS 1P9M technology with core area of 1.52 x 0.97mm^2 . It performs a bilinear pairing computation over F(3^97) in 4.76us under 1.0V supply and achieves 178% improvement to relative works in terms of area-time (AT) product. To further provide solutions for constraint client side in IoT end node, a cost-effective pairing accelerator using Residue Number System (RNS) which intrinsically suitable for parallel computation is proposed. Mixed Radix Conversion (MRC) based extension technique is analyzed and utilized to enhance hardware efficiency. Moreover, novel optimizations are applied for both Miller’s loop and final exponentiation. With these schemes, a 128-bit secure pairing accelerator which can complete a bilinear pairing computation over F(256) in 480ms is implemented and this result is at least 70% better than relative works in terms of AT product. Finally, the underlying Elliptic Curve Scalar Multiplication is also optimized using Full-Word Montgomery Multiplier(FWMM). The modules in this part can be used to constrict ID-based ryptosystems.

Third, we proposed a novel framework for side-channel evaluations which aims to unify the comparisons among different SCA attacks and countermeasures. There are several characteristics of this framework. First, SAKURA-G FPGA board is selected as our target for test circuit implementations due to its popularity among both academic and industry. Second, low cost and open source OpenADC are selected as our oscilloscope to capture the power traces. The measurement and analysis software stack are built upon Chipwhisperer which is an excellent open source toolkit that provides several useful modules for side-channel attacks. The framework lowers the cost of side-channel evaluations and makes the comparisons of SCA fair and reproducible.

Finally, based on the above mentioned three techniques, a design guideline is proposed. An example is also presented using our design methodology which is applied to video streaming systems. By using our methodology, the requirements of IoT security can be satisfied.