Dimming Down LED: An Open-source Threshold Implementation on Light Encryption Device (LED) Block Cipher

08/27/2021 ∙ by Yuan Yao, et al. ∙ Virginia Polytechnic Institute and State University Worcester Polytechnic Institute 0

Lightweight block ciphers have been widely used in applications such as RFID tags, IoTs, and network sensors. Among them, with comparable parameters, the Light Encryption Device (LED) block cipher achieves the smallest area. However, implementation of encryption algorithms manifest side-channel leakage, therefore, it is crucial to protect their design against side-channel analyses. In this paper, we present a threshold implementation of the LED cipher which has 64-bit data input and 128-bit key. The presented design splits secret information among multiple shares to achieve a higher security level. We demonstrate that our implementation can protect against first-order power side-channel attacks. As a cost, the design area is almost doubled and the maximum operating frequency is degraded by 30 we have also open-sourced our design online.



There are no comments yet.


page 3

page 4

Code Repositories


Threshold Implementation of Lightweight Encryption Device (LED) Block Cipher

view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Over the past few years, lightweight cryptography has been largely in demand. Many lightweight block ciphers have been proposed for the highly constrained devices such as RFID tags, sensors in wireless network, small internet-enabled applications with low computing power and implementation area. Improving the encryption efficiency while at the same time protecting the system has become a major challenge in this area and sparked research efforts. Recently, many encryption ciphers have been developed targeting this problem. SIMON [shahverdi2015silent], PRINCE [borghoff2012prince], TWINE [suzaki2011twine] are only a few of the light-weight block ciphers.

LED [Guo2011] is a lightweight block cipher proposed by Guo et al. at CHES 2011 which, among block ciphers with comparable parameters [mendel2012differential], achieves the smallest area footprint through its compact hardware implementation.

Although modern block cipher algorithms such as LED are secure against cryptanalysis, the implementation of an algorithm can still leak information about sensitive parameters, making them susceptible to Side Channel Attacks (SCA). SCAs break cryptosystems by obtaining information leaked from power consumption, electromagnetic radiation, or execution delay. One of the popular SCA schemes is Differential Power Analysis (DPA) [kocher1999differential] which combines information across many power measurements with different known inputs. A widely implemented countermeasure to SCA is masking [blomer2004provably, oswald2005side, ishai2003private, trichina2004small]. However, it has been proven [mangard2005side, moradi2010correlation] that hardware implementations with masking can still be vulnerable to DPA because of glitches and require fresh random values after every nonlinear operation.

To deal with this issue, Nikova et al. proposed a new masking scheme, Threshold Implementation (TI) [nikova2006threshold]. TI is a secret sharing-based countermeasure and is provably secure against first-order SCA attack even in the presence of glitches. Moreover, TI is immune to mean power consumption comparison based higher-order attacks.

In this work, we present application of threshold implementation to the lightweight cipher LED. With the advantages of LED and threshold implementation, threshold implementation on LED should be a promising prospect especially in improving the security against SCA in the area of lightweight block cipher application.Our experimental results show that the proposed implementation can potentially achieve a security level which can efficiently protect against side-channel analysis. On the other hand, with inherent redundancy in threshold implementation, our design almost doubles the area and the maximum operating frequency is degraded by about 30%.

The rest of the paper is organized as follows. Section II presents the basic concepts of the LED cipher and threshold implementation. Section III reviews the state of the art SCA countermeasures and threshold implementation applications. Section IV explains the proposed threshold implementation of LED in detail. The experiment setup and result analysis are given in Section V. The conclusion is discussed in Section VI.

Fig. 1: Encryption procedure of LED [Guo2011].
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
S[x] C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
TABLE I: Sbox of LED cipher

Ii Background

Ii-a Led

Light Encryption Device (LED) is a light-weight block cipher that achieves comparable security level to conventional cryptography but at a lower cost. The basic design of LED follows the AES-like design principle. It has many similarities with AES in Sbox, ShiftRows, and MixColumns operations.

Unlike AES, LED does not have real key scheduling procedure, instead, it initializes round key at the very beginning, and uses that key repeatedly in each round. LED can use three key lengths: 64-bit key, 80-bit key, and 128-bit case. The initial key is generated by specific matrix element setting function. Specifically, for 128-bit key case, the sub-key is divided into two parts and is used alternatively in each round. Therefore, LED has a relatively simple key “schedule” compared to AES.

As shown in Fig. 1, LED has 8-12 steps depending on its key length and each step has 4 rounds of encryption procedure modifying its cipher states. The procedures are, listed in sequence, the operations: AddConstant, SubCells, ShiftRows and MixColumnSerial. Specifically, the number of steps is decided by the encryption key size: for 64-bit key, step number is 8 and for key size 128 bits, step number is 12.

LED uses the Sbox from PRESENT [bogdanov2007present]. This sbox has been widely used in many other lightweight cryptographic ciphers. The look up table of Sbox is shown in Table. I.

Ii-B Serial Implementation of LED

The nibble-serial implementation of LED which was introduced by Guo et al. [Guo2011] and Farhady et al. [ghalaty2015differential] is shown in Fig.  2. The data state matrix is composed of 16 nibbles. It can compute ShiftRows and MixColumnSerial by serially rotating the matrix row-wise and column-wise. AddRoundKey, AddConstant, and SubBytes are performed by rotating the entire matrix in a serpentine way. Our threshold implementation is developed based on this design.

Fig. 2: Serial Implementation of LED.

Ii-C Threshold Implementation

Threshold Implementation [nikova2006threshold] is based on secret sharing, threshold cryptography, and multi-party computation protocols. Threshold Implementation splits the secret data and operations into multiple shares. For each share implementation, three properties should be satisfied:

Ii-C1 Correctness

The sum of output shares gives the original desired output value.

Ii-C2 Non-completeness

The function for each output share should be independent of at least one share of each input variable.

Ii-C3 Uniformity

Both the input shares and output shares should be uniformly distributed.

If the implementation of an algorithm satisfies these three properties, all the intermediate values will be independent of the input and output values, thus the correlation is eliminated between output shares and input variables. Moreover, the power consumption or any other characteristics of function will also be independent of input and output. In this way, at any time instant, no information about all shares of secret value is present in the system, even in the presence of glitches.

Iii Related Work

Iii-a Countermeasures Against SCA

To provide side-channel attack resistance different masking countermeasures have been introduced at both the algorithm level [blomer2004provably, oswald2005side] and the gate level [ishai2003private, trichina2004small]. Generally, they prevent side-channel leakage by randomizing the sensitive computed intermediates at the algorithm level so that the randomized power consumption does not correlate with the original intermediate values. However, these masking methods do not consider the presence of glitches and need multiple fresh random values along operations.

Iii-B Threshold Implementation Application

Threshold Implementation has been applied to several block ciphers and Sbox algorithms. and Sboxes with 3 and 4 shares are proposed in [bilgin2012threshold]. Moradi et al. [moradi2011pushing] proposed a Threshold Implementation of tower field approach-based AES Sbox that only requires three shares. PRESENT [poschmann2011side], AES [moradi2011pushing], Keccak [bertoni2010building, bilgin2013efficient], Fides [bilgin2013fides], and SIMON [shahverdi2015silent] with TI protection are also introduced recently. Diel et al. described an threshold implementation on LED in 2018 [diehl2018comparing]. However, there is no open-source Threshold Implementation of LED available for researcher to further evaluate-yet.

Iv Implementation Details of LED Threshold Implementation

Fig. 3: Threshold implementation on (a) linear and (b) non-linear operation.

Iv-a Linear and non-linear operations

The threshold implementation of linear and non-linear operation are different. The threshold implementation of linear operations such as AddRoundKey, AddConstant, ShiftRows and MixColumns are very straightforward. After splitting the input into multiple shares (at least two shares), each share will go through one of the duplicated circuits of the original operation, as shown in Fig. 3. In fact, the requirements of extra copies of hardware contribute to the area and power overhead of threshold implementation.

It has been proven [nikova2006threshold] that we need at least three shares to implement a non-linear function . In addition, the new operation in threshold implementation is not simply duplicating the original operation, as shown in Fig. 3(b). The only non-linear operation in LED is the Sbox operation. Fig. 4 shows the Sbox implementation in LED, it follows the design guideline by Poschmann et al. [poschmann2011side]. The detail of G1, G2, G3, F1, F2 and F3 operations are chosen to satisfy the correctness, non-completeness and uniformity properties required by threshold implementation. The detailed derivation process can be found in their original manuscript [poschmann2011side].

Fig. 4: Threshold implementation of Sbox used in LED [poschmann2011side].
Fig. 5: Threshold implementation of LED.
Fig. 6: Finite state machine of proposed LED threshold implementation.

Iv-B General data flow and state transition

The architecture and finite state machine of proposed LED threshold implementation is shown in Fig. 5 and Fig. 6, respectively. The operations of each state are explained as follows.

STATE_ADDSHARE: Each data and key nibble is split into two nibble shares while loading into the data state matrix in a byte-serial manner. Therefore, each position of data state matrix stores a data byte. As shown in Fig.  5, the add share operation is achieved using a 4 bit random number m0. The AddShare operation takes 16 cycles to load in all the data and key nibbles.

STATE_INIT: In this state, the initial AddRoundKey operation (AK in Fig. 5) () is performed. The enAK is set to high to enable the round key addition. The two data shares in position 00 are XORed with the two key shares in position 00.

STATE_ADDCONSTANT: As shown in the AC part of Fig. 5, the data shares are XORed with the round constant RC with enAC being set to high. Note that the 4 bit round constant also needs to be split into two shares. Then, state jumps to .

STATE_SBOX_CAL: The SubBytes operation (SB in Fig. 5) is performed in this state. As mentioned before, due to the non-linearity of the Sbox, three data shares are needed. As shown in Fig. 5, the data shares are increased to three using the operation before entering the Sbox and reduced to two using the operation when exiting the Sbox for later linear operations. This state takes three cycles. Then, state jumps to .

STATE_SBOX_SHIFT: In this state, the two data shares are fed back into the data state matrix in position 33 in a byte serial manner. Each data byte in the matrix shifts forward in a serpentine way. Then, the state jumps to until all 16 data bytes finish the AddConstant and SubBytes operation (BCOUNT=16). Therefore, in total cycles are required to finish. Then, the state jumps to .

STATE_SHIFTROW: The ShiftRow operation (SR in Fig. 5) will be performed in this state as well as the update of round constant. Then, the state jumps to .

STATE_MIXCOL: The MixColumn operation (MCS in Fig. 5) is applied on the column 0 and rotates row-wise after it finishes. For the leftmost column, the MixColumn operation is performed on the byte 0 and then rotates column-wise. Therefore, in total cycles are needed to finish. Since MixColumn is a linear operation, we can simply duplicate the operation. Then, the state jumps to .

STATE_NEXTROUND: In this state, if we have already completed all four rounds (RCOUNT=4), state jumps to the start of next step which is , otherwise, state jumps to .

STATE_ADDKEY: The AddRoundKey will be performed in this state. If this is the end of last step (SCOUNT=12), the encryption finishes and we jump to . Otherwise, we continue to the start of next step, which is .

STATE_BACK: In this state, for each data byte or two data nibble shares, the operation will be performed to get the encrypted data nibble. The operation is done in byte serial manner and takes 16 cycles to finish. Afterwards, it will jump to .

Fig. 7: SAKURA-G board with Spartan™-6 FPGA and TELEDYNE LECROY WaveRunner 6 Zi HRO Oscilloscope.
Fig. 8: Area comparison of (threshold implementation) and (unprotected).
Fig. 9: Maximum operating frequency comparison of (threshold implementation) and (unprotected).

V Experiment and Expected Results

V-a Experimental setup

In order to evaluate our Threshold Implementation of LED, we add it to Skiva222https://github.com/Secure-Embedded-Systems/Skiva[kiaei2020custom] as a coprocessor. Skiva is an extension of the 32bit SPARC V8 ISA. The connection between the Skiva processor and the LED coprocessor is through an Advanced Peripheral Bus (APB). We communicate with the LED accelerator by sending data to its memory-mapped registers. We assign memory addresses for control register, key registers, and plaintext registers within the LED coprocessor. The SoC implements a 32bit bus with a word-addressed memory. Therefore, in our LED-128 implementation, we assign two memory addresses for the plaintext registers (64 bits) and four memory addresses for the key registers (128 bits). The control register contains two bits; One for resetting the LED core and one for starting the encryption. Furthermore, to make our experimental evaluation as precise as possible, we add a trigger signal to the LED core indicating when the encryption is taking place. Triggering from the LED core helps in precise alignment of our power measurements.

We implement our design on Xilinx Spartan-6 FPGA on the SAKURA-G board. While running LED encryption on the main FPGA, we collect power traces for the encryption procedure and use it for power analysis. The basic setup is shown in Fig. 7. TELEDYNE LECROY WaveRunner 6 Zi HRO Oscilloscope is used for power trace collection. Power trace sets collected from the oscilloscope will be sent to PC for further analysis.

Fig. 10: T-value comparison of and .

The area and maximum operating frequency are obtained after synthesizing our design using Spartan-6 FPGA, as shown in Fig. 8 and Fig. 9. denotes our proposed LED threshold implementation, while is the original unprotected design. It can be seen that almost doubles the area because of the extra copies of hardware for other shares. The maximum frequency is reduced by about . This is due to the more complicated computations operated on multiple shares.

To further evaluate the security of the proposed Threshold implementation design on increasing side-channel resistance, we applied TVLA [gilbert2011testing] on 50k collected traces for both and ; As shown in Fig. 10, a dramatic decrease of t-value can be observed for compared to unprotected LED. This indicates that our Threshold Implementation design can significantly reduce the side-channel leakage of LED.

Vi Conclusion

In this paper, we designed a byte-serial threshold implementation of LED block cipher to mitigate first order power side-channel analysis attacks. In our understanding, this is the first open-source threshold implementation of LED cipher. In the aspect of cost, our design almost doubles the area and reduces the speed by in comparison with a reference unprotected nibble-serial LED design. We collected power consumption traces for both the reference (unprotected) and threshold implementation (protected) and we demonstrate that our proposed implementation of Threshold Implementation can effectively protect LED from side-channel leakage.