Final Publishable Summary:
Summary of the context and overall objectives of the project
Security has become a critical requirement for most applications. Robust security typically requires strong hardware foundations. HECTOR’s objective was to bridge the gap between the mathematical heaven of theoretically secure cryptographic algorithms and the challenges when it comes to implementing them securely and efficiently into hardware. The project focused on how to improve the hardware efficiency and robustness of 3 elementary security building blocks, namely crypto algorithms, random numbers generators, and physically unclonable functions (PUFs), as well as opportunities to optimize their interactions.
For true random number generators (TRNGs), the requirement is to fulfil demanding security requirements such as specified by the AIS20/31 standard in order to guarantee the generation of enough entropy, and/or detect and report when this is no longer the case. Besides designing hardware-efficient TRNG cell(s), the main ambition was to propose a process allowing to meet the requirements while minimizing the necessary expertise, design-iterations, and efforts.
Compared to TRNGs, so far there is no AIS20/31-like framework for PUFs. The objective was therefore to research if such an approach could be proposed.
Cryptography relies on good random numbers for keys, protocols and side-channels protection. On one hand, the project was assuming the availability of good random numbers, and researching more hardware-efficient crypto approaches. Efficiency has been addressed both from the design-process point of view, researching how to minimize the path towards a validated, protected crypto implementation, as well as from a crypto building block and system efficiency point of view, with research on authenticated encryption and hardware-friendlier crypto algorithms. The project has also been investigating if there are efficiency gains to be made by relaxing TRNG quality requirements and through more random-tolerant crypto designs.
Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so farThe project was structured around 6 work packages.
WP1 captured, studied and specified requirements for the work that needed to be performed within the technical work packages:
1) The demonstration scenarios have been refined. This allowed defining the hardware platforms to be developed for the demonstrators as well as the required building blocks from WP2 and WP3.
2) Opportunities, requirements and constraints from the consortium’s commercial partners have been studied in order to try to align developments with exploitation opportunities.
3) A common evaluation platform has been defined and distributed to partners, together with sample firmware and FPGA-designs. It consists in an FPGA-based motherboard with features to ease security characterization, and a set of low-cost daughter modules allowing to evaluate HECTOR primitives implemented in different FPGA families or ASICs.
WP2 focused on TRNG and PUFs. Several candidate principles have been proposed. A set of comparison and evaluation criteria have been defined. Preliminary implementations helped compare and rank the candidates. Selected TRNG and PUF principles together with dedicated embedded tests and post-processing have been designed for both FPGAs and ASICs. Several hick-ups and manufacturing delays (external factors) repeatedly pushed-out silicon availability and forced to limit physical evaluations to FPGA implementations. HECTOR ASIC test chips will still be used and characterized but after the official completion of the project.
WP3 focused on cryptographic algorithms and countermeasures. Since these rely heavily on random numbers (cryptographic keys, random IVs, masking), a first line of research has been to study the effect of non-ideal randomness on cryptography and on the effectiveness of countermeasures. Known-key and related-key attacks have been studied. Matlab scripts to generate standardized sets of degraded random numbers have been developed to test the effect of weak random numbers on commonly used side-channel countermeasures. The second line of research has been focusing on efficient cryptography and countermeasures. The consortium has been very active in the CAESAR authentication encryption competition. Five of the fifteen candidates of the third round of the competition were proposals from consortium members and 3 proposals remain among the 7 finalists. An important improvement in the usage of the sponge construction for Authenticated Encryption has been introduced, easing the interface between a TRNG/PUF, its crypto post-processing and the cryptographic algorithm itself. HECTOR also worked on design-process efficiency with bottom-up and top-down methodologies for design-time evaluation of side-channel protection.
WP4 focused on the development of demonstrators to illustrate how the technical developments from WP2 and WP3 can be combined for relevant applicative use cases. Three demonstrators have been developed: A dedicated, high-throughput random numbers generators, a secure USB storage, as well as a secure messaging system.
WP5 focused on dissemination, communication, exploitation, standardization and training. The project generated 59 articles and publications, participated to 48 conferences and workshops, as well as 12 other dissemination activities (web site, newsletters, etc.). HECTOR also participated to key cryptography and TRNG related standardization efforts and events, most notably the CAESAR authenticated encryption competition and the NIST TRNG workshop.
WP6 has been the project management work package providing the necessary processes and tools and to ensure proper execution.
Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)
HECTOR enabled stronger European knowledge integration through collaboration among key security actors. In particular:
- We proposed TRNGs designs with provable entropy guarantees and robustness to physical attacks, paving the way for more robust products and lower cost security certification. We discussed about the AIS20/31 with the BSI and participated to the second NIST RBG workshop, providing feedback on the draft and influencing the content of the final NIST SP800-90B TRNG specification.
- By researching and proposing an approach similar to AIS31 for PUFs we hope to have shown the way forward for tackling the challenges related to PUF-security specification and assessment.
- Through our contributions on sponges, Authenticated-Encryption schemes and to the CAESAR competition we hope to have contributed to what could become tomorrow’s hardware-friendlier, easier-to-secure (side-channels) and more-hardware-efficient cryptography standards.
Adoptions (over time) of HECTOR technologies into partner products should provide a first way to propagate the benefits to a wide range of applications and actors of the partner’s respective value chains. For example HECTOR’s pre-evaluated, AIS31-compliant TRNGs are already being adopted by two commercial members of the consortium, for the benefit and improved protection of their respective customers and end-users.
Dissemination of HECTOR results through teaching, publications and other dissemination events and through inputs to standardization will broaden the propagation of those benefits beyond the project’s commercial partners’ respective value chains.
DOWNLOAD: TRNG and PUF examples
HECTOR project consortium uses a HECTOR evaluation platform for evaluation of TRNG and PUF functions. There are several versions of software for the platform. Following archive contains two template projects for evaluation of TRNG and PUF (firmware for motherboard, daughter board, and TCL scripts). [ZIP] 27 MB
VIDEO: TRNG video of KU Leuven
VIDEO: Demonstrator 3: secure messaging device
VIDEO: Demonstrator 2: secure portable USB storage
VIDEO: Demonstrator 1: High Performance Secure TRNG
DOWNLOAD: Advanced Encryption Standard: AES-128
According to the requirements in AIS 20/31 PTG.2 it is not allowed to use the same cryptographic primitive for RNG post-processing and data encryption/decryption. Therefore, the HECTOR consortium will not reuse Ascon/Ketje in demonstrator D2: Secure USB Stick and D3: Secure Messaging Device for the post processing of the RNG output. Therefore, the AES-128 has been implemented. It is now available for download. [ZIP] 200 KB
DOWNLOAD: Authenticated Encryption Algorithms: KETJE
Ketje is a family of algorithms for authenticated encryption, which share the same permutation-based structure. All instantiations of Ketje are aimed at memory-constrained devices and strongly rely on nonce uniqueness for security. Ketje was designed and submitted by Guido Bertoni, Joan Daemen, Michael Peeters, Gilles Van Assche, Ronny Van Keer and is now available for download. [ZIP] 14 MB
DOWNLOAD: Authenticated Encryption Algorithms: ASCON
Ascon is a family of authenticated encryption algorithms, currently participating in round 3 of the CAESAR competition. The Ascon family was designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks. Ascon was designed by a team of cryptographers from Graz University of Technology (Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Martin Schläffer) and is now available for download. [ZIP] 19 MB
DOWNLOAD: Workshop on the HECTOR Evaluation Platform
From 23 to 24 May, 2016 there was a project internal workshop held in Leuven, Belgium related to the HECTOR evaluation platform. Objectivies of this tutorial was to share knowlegde about the evaluation platform and to simplify the developments by providing reference designs of the mother- and daughterboards. Helpful user guides and supporting material are now available for download via [ZIP] 81 MB