Cryptography Reference
In-Depth Information
Table 11.3 Hardware implementation results

                Gate count   Time delay (ns)
Non-red FSM             80              0.64
(10, 5, 5)           8,305             29.99

Table 11.4 Gate counts and hardware overhead caused by our protection scheme for different Montgomery multipliers

                 Non-red FSM   Robust FSM   Robust data path   FSM overhead (%)
MM(256,2,64)           3,843      269,010            436,625              37.58
MM(256,1,128)          3,812      266,882            705,560              27.05
MM(512,1,128)          3,841      268,870            760,090              25.76
MM(512,1,256)          7,307      511,532          2,500,949              16.74

We implemented these techniques using VHDL and synthesized them using the
tcb013lvhptc and DW (Design Ware) libraries of the Synopsys design tool. We report
the gate count and time delay results in Table 11.3.
Even though the area overhead and time delay caused by our scheme seem
relatively high initially, we argue that this is the price that needs to be paid to secure
FSMs against strong adversaries. Remember that FSM security is a difficult problem,
especially against an advanced attacker. Also note that even though our protection
technique is not appropriate for low-power cryptographic hardware, it can be applied
to circuits that include large and parallel arithmetic units in the data path. Low-power
cryptographic units have relatively large FSMs due to their serial nature. In this case,
the large area overhead of our FSM protection scheme might affect the circuit area and
performance in an unacceptable way. However, we argue that the overhead of our
technique will be reasonable for cryptographic hardware with parallel arithmetic
units (e.g. adders, multipliers, etc.) in the data path. These kinds of circuits have
relatively small FSMs and hence the overhead of our protection scheme becomes
minimal.
In order to clarify this idea, we investigated the effect of our FSM protection
scheme on the overall circuit area. First of all, we analyzed four different Montgomery
multipliers (MMs) with different parameters. MM(x, y, z) indicates a Montgomery
multiplier where x is the size of the operands, y is the
number of pipeline stages, and z is the word size. The results are shown in Table 11.4.
Note that the overhead caused by our scheme gets smaller for circuits with large and
parallel data paths. For example, our FSM protection scheme causes an area overhead
of approximately 16% for the MM(512,1,256) case.
Furthermore, we argue that the time delay caused by our scheme will not have a big
impact on the circuit performance because FSMs are usually not in the critical path
of a circuit; the critical path usually goes through the data path, which includes various
arithmetic operations (e.g. multiplications, divisions, etc.). As a result, the time delay
caused by our technique will be masked and the throughput of the circuit will not be
affected by this protection technique.
 