Cryptographic Hardware and Embedded Systems

The introduction of the Diffie-Hellman and RSA algorithms in the mid-1970s produced a wave of excitement in the academic community, which was fueled further by the deployment of RSA-based public-key certificates for e-commerce domains. Following the invention of Elliptic Curve Cryptography in the mid-1980s, the applications and use of public-key cryptography widened, owing to its smaller key sizes and lower power consumption. The most recent phase (since the 2000s) has included the introduction of side-channel attacks and countermeasures. Timing attacks and power attacks made us realize that a cryptographic algorithm implemented in software or hardware is quite a different thing from its abstract definition or mathematical properties. While it may be nearly impossible to break a public-key cryptographic algorithm theoretically, it may be quite easy to accomplish the same task in practice, simply by observing timing or power data from a device performing a signature or decryption operation. Our research along these lines falls within the topics of the Cryptographic Hardware and Embedded Systems Conference and the Journal of Cryptographic Engineering.

Topics of research include:
  • Architectures for public-key and secret-key cryptosystems
  • Reconfigurable hardware and FPGAs for cryptography
  • Cryptography for ubiquitous computing and wireless applications
  • Efficient arithmetic algorithms
  • Special-purpose hardware for cryptanalysis
  • Architectures for trusted computing
  • Device identification
  • Smart card architectures and attacks
  • True and pseudo random number generators
  • Security for embedded software and systems
  • Efficient software algorithms for embedded processors
  • Formal methods and tools for secure hardware design
  • Cryptographic processors and co-processors
  • Security in commercial consumer applications (pay-TV, automotive, etc.)
  • Hardware tamper resistance
  • Technologies and hardware for content protection
  • Side channel attacks and countermeasures
  • Nonclassical cryptographic technologies

Hardware Trojan Detection

Funding: A 3-year effort recently funded by the National Science Foundation
Research Team: Çetin Kaya Koç, Kwang-Ting Cheng, İsmail San, Nicole Lesperance

Economic factors dictate that the design, manufacturing, testing, and deployment of silicon chips are spread across many companies and countries with different and often conflicting goals and interests. Hardware Trojans are a major concern for both semiconductor design houses and the U.S. government.
In modern complex designs, the behavior of a good fraction of the observable output signals is unspecified for many operational cycles and is therefore vulnerable to malicious Trojan modifications. Since verification and testing have been a major bottleneck of the design process, verification effort is currently focused on increasing confidence in the correctness of specified functionality, meaning that Trojans modifying unspecified behavior will go undetected.

Our research will address prevention and detection of Hardware Trojans inserted in unspecified design functionality. In contrast with Trojans that hide from detection using rare triggering conditions, Trojans affecting only unspecified design space do not require a trigger to avoid detection since they affect ambiguous or don’t-care functionality.

We will first develop analysis methods and tools for RTL designs written in Verilog/VHDL, then extend the techniques to SystemC/SystemVerilog TLM and behavioral models. Additionally, we will develop metrics that gauge the effectiveness of our Trojan detection/prevention methods, giving design owners the ability to trade off security level against the costs of Trojan prevention/detection, which include area/power/timing overhead, manual effort, and analysis time.

Our recent publications:
N. Lesperance, S. Kulkarni, and K.-T. Cheng. Hardware Trojan detection using exhaustive testing of k-bit subspaces. 20th Asia and South Pacific Design Automation Conference (ASP-DAC), 2015.

P. Lisherness, N. Lesperance, and K.-T. Cheng. Mutation analysis with coverage discounting. Design, Automation & Test in Europe Conference & Exhibition (DATE), 2013.

Side-Channel Attacks and Countermeasures
“In theory, theory and practice are the same. In practice, they are not.”

Research Team: Çetin Kaya Koç, İsmail San, Tiawna Cayton, Sam Green

From credit cards to cell phones to internet servers, almost everyone is now constantly carrying or using several cryptographic devices. In addition to protecting privacy, cryptography is also used to protect intellectual property. For example, hardware manufacturers often encrypt their firmware updates; this gives the manufacturer some protection from reverse engineering, and it can protect the consumer from fraudulent updates.

Side-channel attacks (SCA) encompass the techniques for extracting secret keys (or other sensitive information) from devices through indirect—and often unanticipated—ways. SCA offers an adversary a means by which to obtain secrets that are otherwise mathematically secure. And SCA countermeasures provide methods to make the attacker's goal more difficult or impossible.

For an in-depth look at various aspects of SCA, please see our book Cryptographic Engineering. The Journal of Cryptographic Engineering also provides regular updates on trends in this field.

Cache Attacks

Attacks that use timing information exploit the fact that some computations take longer than others. All major ciphers, e.g. RSA, ECC, and AES, have been compromised with timing attacks. Timing attacks typically exploit time delays caused by differences in cycle counts between secret-dependent computations. Cache attacks are more subtle and exploit variable-time code execution caused by CPU cache misses. For example, it turns out that the time taken by a value lookup in S-box-based cryptography is correlated with the value being looked up; these correlations can be exploited over a network.
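As an added illustration (not code from the publications listed here), the C sketch below contrasts a direct S-box-style lookup, whose memory address depends on the secret index, with a lookup that reads every entry and selects the result with a mask. The table contents and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 256-entry table standing in for a cipher S-box (not the AES S-box). */
static uint8_t sbox[256];

static void sbox_init(void) {
    for (unsigned i = 0; i < 256; i++)
        sbox[i] = (uint8_t)(i * 167u + 13u);   /* odd multiplier: a permutation of 0..255 */
}

/* Leaky form: the address read depends on the secret index, so which cache
 * line is touched (hit or miss) depends on the secret. */
static uint8_t lookup_direct(uint8_t secret_idx) {
    return sbox[secret_idx];
}

/* Hardened form: read all 256 entries in the same order every time and keep
 * the wanted one with a branch-free mask. */
static uint8_t lookup_ct(uint8_t secret_idx) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ secret_idx;              /* 0 only when i == secret_idx */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);  /* 0xFF if diff == 0, else 0x00 */
        out |= (uint8_t)(sbox[i] & mask);
    }
    return out;
}

/* Returns 1 when both lookups agree for every index. */
static int lookups_agree(void) {
    sbox_init();
    for (unsigned i = 0; i < 256; i++)
        if (lookup_ct((uint8_t)i) != lookup_direct((uint8_t)i))
            return 0;
    return 1;
}

int main(void) {
    printf("lookups agree: %d\n", lookups_agree());
    return 0;
}
```

The full scan costs 256 reads per lookup, and an optimizing compiler may rewrite the masked loop, so the generated assembly should be inspected before relying on it.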

O. Acıiçmez, W. Schindler, and Ç. K. Koç. Cache based remote timing attack on the AES. Topics in Cryptology, The Cryptographers' Track at the RSA Conference, CT-RSA 2007, M. Abe, editor, pages 271-286, Springer, LNCS Nr. 4377, San Francisco, California, February 5-9, 2007.

O. Acıiçmez, J. P. Seifert, and Ç. K. Koç. Predicting secret keys via branch prediction. Topics in Cryptology, The Cryptographers' Track at the RSA Conference, CT-RSA 2007, M. Abe, editor, pages 225-242, Springer, LNCS Nr. 4377, San Francisco, California, February 5-9, 2007.

O. Acıiçmez, Ç. K. Koç, and J. P. Seifert. On the power of simple branch prediction analysis. ACM Symposium on Information, Computer and Communications Security, ASIACCS 2007, R. Deng and P. Samarati, editors, pages 312-320, Singapore, March 20-22, 2007.

Power consumption and related attacks

By monitoring microsecond-to-microsecond variations in power consumption of any electronic device (e.g. smart card, phone, web server, custom IC) it is possible to gain knowledge of the computations being performed and the data being processed. Likewise, whenever electricity flows through a wire, electromagnetic radiation is generated, so an antenna can also pick up sensitive details from a device. The concepts of power consumption and EM radiation enable many types of side-channel attacks.
We are currently investigating better ways to prevent and understand power leakage. Our efforts are focused on using hardware design power consumption simulations to predict side-channel leakage characteristics.


There are methods designed to prevent or reduce side-channel information. Unfortunately, many of these SCA countermeasures are difficult to implement correctly, and some countermeasures may decrease information from one side channel but increase information from another. Furthermore, the countermeasures that become popular are prominent targets to be attacked. But good countermeasures are both very valuable and important. Our current countermeasure efforts are related to RSA blinding and the Montgomery Powering Ladder.
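A toy illustration of the two countermeasures named above, added here and not taken from the group's own work: a Montgomery powering ladder that performs the same multiply and square for every exponent bit, wrapped in RSA base blinding. The key (p = 61, q = 53), the function names, and the use of r^(phi-1) to obtain the inverse are assumptions for the example; the word-sized `%` reduction is not guaranteed constant-time on real hardware.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy RSA key: n = 61 * 53, phi = 60 * 52, e * d = 1 (mod phi). */
enum { RSA_N = 3233, RSA_E = 17, RSA_D = 2753, RSA_PHI = 3120 };

/* Modular multiply; requires n < 2^32 so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return ((a % n) * (b % n)) % n;
}

/* Branch-free conditional swap: exchanges *a and *b when bit == 1. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - bit;      /* all ones or all zeros */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t; *b ^= t;
}

/* Montgomery powering ladder: always 64 iterations, each doing one multiply
 * and one square, with no branch on the exponent bit. Invariant: r1 = r0 * x. */
static uint64_t ladder_pow(uint64_t x, uint64_t e, uint64_t n) {
    uint64_t r0 = 1 % n, r1 = x % n;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (e >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, n);
        r0 = mulmod(r0, r0, n);
        cswap(&r0, &r1, bit);
    }
    return r0;
}

/* Base blinding: the private exponentiation sees c * r^e, not c itself. */
static uint64_t blind(uint64_t c, uint64_t r) {
    return mulmod(c, ladder_pow(r, RSA_E, RSA_N), RSA_N);
}

/* Blinded private operation: (c * r^e)^d = m * r, then multiply by r^-1.
 * r must be coprime to n; r^(phi-1) is its inverse in this toy setting. */
static uint64_t rsa_private_blinded(uint64_t c, uint64_t r) {
    uint64_t m_bl  = ladder_pow(blind(c, r), RSA_D, RSA_N);
    uint64_t r_inv = ladder_pow(r, RSA_PHI - 1, RSA_N);
    return mulmod(m_bl, r_inv, RSA_N);
}

int main(void) {
    uint64_t c = ladder_pow(65, RSA_E, RSA_N);   /* encrypt m = 65 */
    printf("c=%llu m=%llu\n", (unsigned long long)c,
           (unsigned long long)rsa_private_blinded(c, 7));
    return 0;
}
```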