Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITU/TTC Workshop (2016.7.4) How Communications will Change Vehicle and Transport The Potential of Lightweight Cryptography to Secure Resource-Constrained.

Published byClement Gibbs Modified over 6 years ago

Similar presentations

Presentation on theme: "ITU/TTC Workshop (2016.7.4) How Communications will Change Vehicle and Transport The Potential of Lightweight Cryptography to Secure Resource-Constrained."— Presentation transcript:

1 ITU/TTC Workshop (2016.7.4) How Communications will Change Vehicle and Transport
The Potential of Lightweight Cryptography to Secure Resource-Constrained Systems On-Board Vehicles Shiho Moriai Director Security Fundamentals Laboratory Cybersecurity Research Institute NICT

2 Outline of my talk Emerging Automotive/ITS Services
Automotive sensors are key factors Lightweight Cryptography to protect automotive sensor data and address privacy concerns with “lightweight” cost Standards, Implementation aspects

3 Emerging Automotive/ITS Services
V2V communication services for road safety position, speed, car size… (privacy data) privacy concern

4 Emerging Automotive/ITS Services
Use of in-vehicle sensor data   to drive safe and save Insurance company upload “Automobile Driver Fingerprinting” by Enev et al., in Proceedings on Privacy Enhancing Technologies, 2016(1):34-51 - Miles driven - Acceleration - Braking - Right and left turns - Speeds of 80 mph or over - Time of day the car is driven privacy concern

5 Emerging Automotive/ITS Services
Autonomous Driving   for safety and more Correctness, integrity, authentication, and authenticity of sensory information is crucial to system reliability.

6 Automotive Sensors Critical to system reliability
Facing privacy issues Concerns Insufficient Security Countermeasures resource-constrained wireless communication Misuse of the Data Active Attacks

7 Protection of Automotive Sensor Data
TPMS (Tire Pressure Monitoring System) TPMS ID, Air Pressure turn upside down Vehicle Identification Number (VIN) could be sent. Tracing the vehicle is possible. peel off rubber TPMS chip Vehicle Identification Number 7

8 How far is Vehicle ID propagated?
Frequency band and Output power used for TPMS Frequency band Output power Japan 315MHz > 0.25mW US (mandated in 2007) > 5mW EU (mandated in 2014) 433MHz Eavesdropping attack over a distance of several meters (Japan) receiver If a receiver is set at the crossing, when and which car passed is identified. car Ray tracing method 8

9 V2X communication security
Enable the driver to sense threats and hazards. Vehicles broadcast vehicle position, speed, location, body info etc. location, speed, body info Frequency band and Output power used for V2X Frequency band Output power Japan MHz 0.01W US GHz 〜1W EU GHz 9

10 How far is it propagated?
Eavesdropping attack over a distance of > 100 meters (Japan) Radio propagation simulation using “Raplab” >100m

11 Lightweight Cryptography
Cryptographic primitives with advantages (lightweight properties) in specific implementation efficiency measures admitting tradeoffs between efficiency and security

12 History of Downsizing Cryptosystems
Hardware gate count 1925 Efficient Hardware Lightweight Cryptography Ultra Lightweight Cryptography 2000 2005 < 10Kgate 2010 < 3Kgate KASUMI, adopted by 3GPP standard HIGHT, CLEFIA, PRESENT 2020? < 1Kgate KATAN, Piccolo Portable!! ENIGMA 12

13 Standards ISO/IEC 29192 (Lightweight Cryptography) Part 1: General
editors: Riaal Domingues, Shiho Moriai Part 2: Block ciphers editors: Shiho Moriai, Axel Poschmann Part 3: Stream ciphers editor: Hirotaka Yoshida Part 4: Mechanisms using asymmetric techniques editors: Matt Robshaw, Jean-Francois Misarsky Part 5: Hash-functions  editors: Axel Poschmann, Shiho Moriai               

14 ISO/IEC 29192 Standardization Status
2008 2009 2010 2011 2012 ISO/IEC 29192 WD NP SP 2013 1stWD 1st CD 2nd CD IS FDIS FCD Part 3 Part 4 (Stream ciphers) (Mechanisms using asymmetric techniques ) DIS 1st WD 2nd WD Part 2 (Block ciphers) Part 1 (General) SP (Study Period) NP (New Project) WD (Working Draft) CD (Committee Draft) FCD (Final Committee Draft) FDIS (Final Draft International Standard) IS (International Standard) Standardization stages in ISO/IEC Subdivision Part 5 (Hash-functions) 2014

15 ISO/IEC 29192 Standardization Status
NSA designed lightweight block ciphers for IoT (SIMON & SPECK) and proposed them for ISO/IEC NIST hold a workshop and will publish a report on LWC. NIST Lightweight Cryptography Workshop 2015 (July 20-21, 2015)

16 Implementation Evaluation
Aim Evaluate some lightweight block ciphers using the same interface and platform for a fair comparison. Target algorithms AES, Camellia, TDEA, CLEFIA, PRESENT, LED, Piccolo, TWINE, PRINCE Implementation Platforms Hardware implementation ASIC (library:NANGATE Open Cell Library (45nm CMOS)) Embedded Software implementation Processor:Renesas Electronics RL78 (16bit microcontroller) 16

17 Hardware Implementation
Standard CMOS cell library:NANGATE Open Cell Library (45nm) 3 Architectures: Unrolled, Round, Serial implementations Measures:Max Frequency, Throughput, Gate counts, Latency, Power, Peak power, Leak power Low-Cost implementation Standard implementation High-Speed implementation

18 Serial Implementation (Low-cost)
Gate Count Crypto-core is small (1-3Kgates), but I/F (incl. registers for plaintext/ciphertext and key) can not be ignored. [Kgate] Crypto core optimization almost reaches the limit small lightweight crypto 18

19 Serial Implementation (Low-cost)
Throughput Small gate size does not sacrifice speed in some lightweight crypto [Mbps] keep high throughput Throughput lightweight crypto 19

20 Round Implementation Gate Count Many lightweight crypto can be implemented within ~4Kgates. [Kgate] Crypto core small lightweight crypto 20

21 Round Implementation Throughput Many lightweight crypto achieve 10 times higher throughput than AES with a similar gate size (~60Mbps with ~6Kgates). [Mbps] high throughput Throughput lightweight crypto 21

22 Unrolled Implementation (High-Speed)
Gate Count Low-latency cryptography can encrypt within one clock cycle with ~1/10 gate counts of AES. [Kgate] Crypto core Low-latency cryptography 22

23 Unrolled Implementation (High-Speed)
Path Delay Low-latency cryptography achieves real-time security (several ns) with less than 20 Kgate counts. [ns] Path Delay For real-time security applications Low-latency cryptography 23

24 Embedded Software Implementation
Processor Renesas Electronics RL78 (16bit microcontroller) General-purpose (G1x series): ROM 1KB〜, RAM 128B〜   Automotive (F1x series): ROM 8KB〜, RAM 512B〜 Measures Speed, RAM size, ROM size Optimized for speed within 4 combinations of limited memory size (ROM, RAM). Only limited memory is available for crypto. Small memory requirement increases selection options of microcontrollers. ROM 512 Byte 1024 Byte RAM 64 Byte 128 Byte 24

25 Implementation within (ROM 1024Byte, RAM 128Byte)
Speed Slow Fast

26 Implementation within (ROM 512Byte, RAM 128Byte)
Speed Slow Fast AES, Camellia, CLEFIA, TDES can not be implemented!

27 Least ROM Size with RAM 128 byte

28 Speed Slow Speck128/128 Fast 28

29 Key Takeaways In emerging automotive/ITS services, protection of automotive sensor data is critical to system reliability and privacy concerns. Lightweight cryptography has great potentials for this purpose on resource-constrained devices.

Download ppt "ITU/TTC Workshop (2016.7.4) How Communications will Change Vehicle and Transport The Potential of Lightweight Cryptography to Secure Resource-Constrained."

Similar presentations

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
128-bit Block Cipher Camellia

128-bit Block Cipher Camellia
The Lightweight Block Ciphers Zoo Nathan Keller Bar Ilan University Lightweight Crypto Day, Haifa University, 2.2.2014.

The Lightweight Block Ciphers Zoo Nathan Keller Bar Ilan University Lightweight Crypto Day, Haifa University,
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.

KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.
Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.

Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.
Department of Electrical and Computer Engineering Configurable computing for high-security/high-performance ambient systems 1 Guy Gogniat, Lilian Bossuet,

Department of Electrical and Computer Engineering Configurable computing for high-security/high-performance ambient systems 1 Guy Gogniat, Lilian Bossuet,
Geneva, Switzerland, 15-16 September 2014 Lightweight Cryptography for the Connected Car/ITS Security Shiho Moriai Director, Security Fundamentals Laboratory,

Geneva, Switzerland, September 2014 Lightweight Cryptography for the Connected Car/ITS Security Shiho Moriai Director, Security Fundamentals Laboratory,
A Compact and Efficient FPGA Implementation of DES Algorithm Saqib, N.A et al. In:International Conference on Reconfigurable Computing and FPGAs, Sept.

A Compact and Efficient FPGA Implementation of DES Algorithm Saqib, N.A et al. In:International Conference on Reconfigurable Computing and FPGAs, Sept.
Description of the monitoring system experimentation on the freight car pSHIELD Demonstrator Testbed Architecture pSHIELD Final Review Meeting, Bruxelles.

Description of the monitoring system experimentation on the freight car pSHIELD Demonstrator Testbed Architecture pSHIELD Final Review Meeting, Bruxelles.
F Networked Embedded Applications and Technologies Lab Department of Computer Science and Information Engineering National Cheng Kung University, TAIWAN.

F Networked Embedded Applications and Technologies Lab Department of Computer Science and Information Engineering National Cheng Kung University, TAIWAN.
LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.

LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.
SHA-3 Candidate Evaluation 1. FPGA Benchmarking - Phase 1 2 14 Round-2 SHA-3 Candidates implemented by 33 graduate students following the same design.

SHA-3 Candidate Evaluation 1. FPGA Benchmarking - Phase Round-2 SHA-3 Candidates implemented by 33 graduate students following the same design.
New Block Cipher for Ultra-Compact Hardware   BeeM みかか A. Satoh K. Aoki.

New Block Cipher for Ultra-Compact Hardware   BeeM みかか A. Satoh K. Aoki.
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.

KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.
The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats.

The C URUPIRA -2 Block Cipher for Constrained Platforms: Specification and Benchmarking Marcos Simplicio Paulo Barreto Tereza Carvalho Cintia Margi Mats.
R ECONFIGURABLE H ARDWARE FOR H IGH - SECURITY /H IGH -P ERFORMANCE E MBEDDED S YSTEMS : T HE SAFES P ERSPECTIVE Guy Gogniat, Tilman Wolf, Wayne Burleson,

R ECONFIGURABLE H ARDWARE FOR H IGH - SECURITY /H IGH -P ERFORMANCE E MBEDDED S YSTEMS : T HE SAFES P ERSPECTIVE Guy Gogniat, Tilman Wolf, Wayne Burleson,
Overview of the security weaknesses in Bluetooth Dave Singelée COSIC seminar 11/06/2003.

Overview of the security weaknesses in Bluetooth Dave Singelée COSIC seminar 11/06/2003.
Azam Supervisor : Prof. Raj Jain

Azam Supervisor : Prof. Raj Jain
Encryption / Decryption on FPGA Final Presentation Written by: Daniel Farcovich ID. 303710388 Saar Vigodskey ID. 039608153 Advisor: Mony Orbach Summer.

Encryption / Decryption on FPGA Final Presentation Written by: Daniel Farcovich ID Saar Vigodskey ID Advisor: Mony Orbach Summer.
1 Device Controller I/O units typically consist of A mechanical component: the device itself An electronic component: the device controller or adapter.

1 Device Controller I/O units typically consist of A mechanical component: the device itself An electronic component: the device controller or adapter.

Similar presentations

Ads by Google