Fault Diagnosis Schemes for Low-Energy Block Cipher Midori Benchmarked on FPGA

BULK IEEE VLSI PROJECTS

**Abstract:**

Achieving secure high-performance implementations for constrained applications such as implantable and wearable medical devices are a priority in efficient block ciphers. However, security of these algorithms is not guaranteed in the presence of malicious and natural faults. Recently, a new lightweight block cipher, Midori, has been proposed that optimizes the energy consumption besides having low latency and hardware complexity. In this paper, fault diagnosis schemes for variants of Midori are proposed. To the best of the authors’ knowledge, there has been no fault diagnosis scheme presented in the literature for Midori to date. The fault diagnosis schemes are provided for the nonlinear S-box layer and for the round structures with both 64-bit and 128-bit Midori symmetric key ciphers. The proposed schemes are benchmarked on a field programmable gate array and their error coverage is assessed with fault-injection simulations. These proposed error detection architectures make the implementations of this new low-energy lightweight block cipher more reliable. The proposed architecture of this paper analysis the logic size, area and power consumption using Xilinx 14.2.

**Existing System:**

Midori provides acceptable security level with optimal energy consumption. The S-boxes of Midori are different from those of the AES and other lightweight block ciphers. Furthermore, Midori has two types of bijective 4-bit S-boxes that are more energy efficient than the 8-bit ones. It is noted that Midori, like other lightweight block ciphers, accepts optimal cell permutation matrices and uses the most efficient maximum distance separable (MDS) matrices due to low implementation overheads and increasing immunity against several attacks.

Error detection in crypto-architectures has been the center of attention. The prior work has focused on various time and hardware redundancy approaches (including the approaches that are dependent or oblivious of the implementation platform and the algorithm architecture). However, in the case of Midori, to the best of the authors’ knowledge, there is no prior work. The merit of the proposed approaches in this paper compared with that of the approaches presented before for lightweight block ciphers is twofold. First, we present both logic-gate-based and lookup table (LUT)-based error detection schemes for the two types of the S-boxes in Midori, which gives freedom to the designers to choose the implementation strategy based on the implementation and performance metric requirements and the platform to implement. Second, for the MixColumn operation, we have examined to achieve to have low-overhead detection approaches, by performing design space explorations before math not as an afterthought. Such careful investigations to have a combined original implementation and error detection architecture has not been performed in previous state-of-the-art approaches.

The performed simulation results show high error coverage (the percent of ratio of the number of detected errors to the number of injected faults) for the presented schemes. Using the proposed approaches, the error detection structures are capable of detecting the injected faults with high coverage (transient and permanent as well as single, multiple, and adjacent faults). We note that permanent faults, e.g., stuck-at faults, are caused by VLSI manufacturing defects (and of course if the intention is to break the entire device, such faults can be injected at runtime). There are well-established automatic test pattern generation based testing techniques to identify these faults. On the other hand, “long transient faults” can lead to information leakage. Simple time redundancy cannot detect long transient faults that last for the normal computation and recomputation, and attackers have successfully injected long transient faults to break this countermeasure.

**Disadvantages**:

- Area coverage is high

**Proposed System:**

Proposed Approaches for the S-Box Variants:

In the hardware implementations of Midori, two approaches can be used for realizing the S-boxes, i.e., LUT-based and logic-gate-based implementations. The LUT-based S-boxes have advantages such as good performance and disadvantages such as having high area and power consumption. On the other hand, the latter approach typically has less area and power consumption. Our proposed signature-based error detection approach is not confined to a special signature. However, for the sake of clarity, we present two examples, i.e., parity-based and interleaved parity-based approaches. We can store predicted parities (or interleaved parities) of elements from the S array in LUTs. The scheme for the S-boxesSb0andSb1is based on deriving the predicted parities of the S-boxes using LUTs, as shown in Table I. For each element of S-boxes, we modulo-2 add all bits. Then, we store the result as a parity bit in an extended LUT with 5-bit elements (note that one extra bit is added to each 4-bit entry). Thus, the new protected state would consist of 16 5-bit elements that can be stored in FPGA block memories or pipelined distributed LUTs. An example would be to derive the parity of the first element ofSb0,whichis{c}16={1100}2, which is zero.

The other signature-based error detection scheme is based on interleaved parity bits that are proposed in order to protect the nonlinear S-boxes. Interleaved-parity-based schemes are able to detect burst faults, i.e., adjacent multiple faults. Such faults happen in both natural defects and malicious fault attacks. In this scheme, we compute the interleaved parity bits

of the 4-bit bijective S-boxes Sb0 and Sb1 in hexadecimal form, as shown in Table I. We have derived such parities by the modulo-2 addition of odd bits and even bits with each other separately. Similarly, these 2-bit interleaved parities along with 4-bit elements of each state are stored as 6-bit elements in memories. An example would be to derive the interleaved parity of the first element of Sb0,whichis{c}16= {1100}2, which is 11 (modulo-2 adding the odd and even bits separately).

Figure 1: Derivation of the error indication flags for the S-boxes in Midori128

Different S-boxes are applied in the variants of Midori, for instance, Midori128 applies four different 8-bit S-boxes SSbi, 0≤i ≤3. To keep the involution property of S-boxes, each output bit permutation is derived as the inverse of the corresponding input bit permutation. The structure of Midori and the proposed fault diagnosis schemes are presented in Fig. 1. Fig. 1 shows that four 8-bit outputs of these S-boxes are taken of specific permutation order (two of the S-boxes are omitted for the sake of brevity). Through the comparison of actual and predicted parities, we have error indication flags for eachSb1 in S-boxes of SSbi, as shown in Fig. 1 (e0−e7). Moreover, both aforementioned parity bits such as single parity and interleaved parity bit have been utilized to create error indication flags. Eventually, one canORthe flags to have a final error indication flag that alters of any faults detected in SSbi.

1) Recomputing With Swapped Inputs: We use the method of recomputing with swapped inputs (RESI), as shown in Fig. 2, for Midori128 (part of the S-box block is shown for the sake of brevity). This method is a subset to the approaches presented. In this approach, we have swapped the inputs to the S-boxes Sb1 in each of the four 8-bit S-boxes SSbi, i.e., the first four inputs are asserted to the second S-box Sb1 and the next 4-bit inputs go to the first one, as shown in Fig. 2. Then, if the output of each Sb1is swapped, it gives the correct results. Finally, we compare the swapped outputs with actual outputs to detect not only transient faults but also permanent faults.

Figure 2: Proposed RESI scheme for Midori128.

- Fault Diagnosis of Shuffle Cell and KeyAdd:

The signature derivation for fault detection in Shuffle Cell, such as parity, would be straightforward and can be realized free in hardware due to just rewiring of the elements of 4×4 array state (for instance, parity of inputs is equal to parity of outputs because rewiring does not affect the computation of parities). We need error detection mechanisms for ShuffleCell (an attacker may try to inject fault by violating setup time for these paths); yet, through using signatures, e.g., parity or interleaved parities, the predicted signatures are equal to the actual signatures of the prior transformation, and that reduces the cost for error detection.

Proposed Design for Fault Detection in MixColumn:

A these matrices, involutive almost MDS (MC) has been applied more in various lightweight ciphers such as PRINCE due to its efficiency. Furthermore, MC has low diffusion speed and a small number of active S-boxes in each round and has led to increase in the immunity against linear and nonlinear attacks. In the proposed fault detection schemes, the objective is to evaluate these three matrices to possibly add a new aspect on how efficient these are when fault diagnosis approaches are used. For this operation, we present three error detection schemes as detailed in the following.

1) Scheme 1 (Column Signatures): In the first scheme, we propose modulo-2 addition of the state elements of each column of the output matrix (S’). The theorem is that the result is equal to modulo-2 addition of the state elements of each column of the input matrix (S). Since the modulo-2 addition of each column of matrixMin all of three types of matrices is equal to “1,” fault diagnosis through this approach is efficiently performed for the three matrices.

2) Scheme 2 (Low-Overhead Union Signature):The second scheme is through modulo-2 addition of all the elements of the output state (union signature), i.e., s’0 + s’1 +···+ s’14+ s’15 =(m0 + m1 + m2 + m3) s0 + (m4+ m5+ m6+ m7) s1 + (m8 + m9+ m10+ m11) s2 + (m12+ m13+ m14+ m15) s3 + (m0+ m1+ m2+ m3) s4+···+ (m12+ m13+ m14+ m15) s15. It is derived that each of these coefficients, e.g., m0+m1+m2+m3, is equal to “1” for the aforementioned matrices.

3) Scheme 3 (Interleaved Signatures): The third scheme is through predicting interleaved signatures. We prove that for each of the two random rows ofMC, this is a viable approach, whereas it is not a suitable scheme for the other two matrices presented before. Let us, through an example, detail on this scheme.

Proposed Approach for Key Schedule:

As mentioned before, for both variants of Midori, a 128-bit secret key(K) is applied; however, in the case of Midori64,the key is denoted as two 64-bit subkeys K0 and K1 and the WK is derived through modulo-2 addition of these 64-bit subkeys.

Overall Presented Architecture:

This section is finalized by presenting the overall structures of the presented error detection schemes. The mentioned error detection structures of encryption of Midori128, which consists of 20 rounds with a cell size of 8 bits, are depicted in Fig. 3. The encryption function of this variant consists of the round function and key generation in which the last round has just the SubCell operation and the WK is modulo-2 added just in the first and last steps. As seen in Fig. 3, we have shown the respective subsections in which we have proposed the error detection schemes for different operations.

Figure 3: Proposed error detection architecture for Midori128.

**Advantages:**

- Area coverage is low

**Software implementation:**

- Modelsim
- Xilinx ISE