End of the “Info Security” seminar

December 5th, 2007 by lang

Today, we finished the last seminar. Thomas’s talk is inspiring, especially his man-made girl “Alice” :-)

Besides, I am happy to get the book “Energy scavenging for wireless sensor network” from the two professors. Hopefully I can come up with a promising project on vibration scavenging.

Paper 8

November 27th, 2007 by lang

Title: Security and Privacy for Implantable Medical Devices

Summary: This paper addresses the security of current implantable medical devices (IMDs) and patient privacy under adversarial conditions. A general framework for evaluating and enhancing the security and privacy of next-generation wireless IMDs is proposed.

Reviews: The goal of this paper is to propose research directions for IMD security and privacy, and to call for multidisciplinary collaboration between computer scientists, electrical engineers and medical practitioners.

In Chapter 3, the criteria for IMDs with security and privacy considerations are clearly stated. Such criteria should be application-specific, because this paper is specifically dealing with medical devices.

In Chapter 4, two tradeoffs for implementing secure IMDs are evaluated: security versus device resources and security versus usability.

Finally, several solutions to next-generation IMDs are proposed. The research directions of longer battery lives and safer methods for device replacement are the most interesting to me. Such directions address the physical layer design issues of IMD devices.

Questions: Based on this proposal, it is very promising to pick a wireless medical device to demonstrate a possible attack and the corresponding defense scheme. Then, how does one initiate such engineering research in collaboration with hospitals and medical device manufacturers? Which medical device should be worked on first, the implantable cardiac defibrillator? What types of expertise does a hardware engineer need in order to solve the security and privacy hazards of a specific medical device?

Paper 7

November 27th, 2007 by lang

Title: Fast True Random Generator in FPGAs

Note: The second author of this paper, Sylvain Guilley, is a researcher on embedded security at ENST. I have read his PhD thesis “Geometries of countermeasures against side-channel attacks”.

Summary: In this paper, a novel FPGA-based true random number generator (TRNG) is designed and its randomness is tested with the NIST tools. This TRNG design differs from previous work in that it simply employs an open-loop structure without dedicated PLL or ring oscillator circuits. Furthermore, this design can achieve a high output rate of several Mbit/s.

Advantages:

1. Basically speaking, a TRNG makes use of the metastable state of a D flip-flop (DFF). The DFF is a commonly used digital circuit component for register implementations. Controlled by a clock signal, it can take the states logic 0, logic 1, and a metastable state. This work achieves a DFF design in FPGA for a TRNG. No extra circuit is needed, which reduces the design complexity.

2. How to overcome the stability offered by commercial FPGAs in order to generate random outputs is the most challenging part of this work. Also, converting the LUT-based circuits of an FPGA into single-DFF circuits and delay lines is challenging, because FPGAs are optimized for look-up tables and programmable interconnects. The second version of the FPGA-based TRNG design in this work realizes the proposed circuit structure.

Questions:

1. 100 LUTs are used to generate one random bit. Isn’t that resource-consuming?

2. I still do not understand how to implement a delay wire in an FPGA. I know that the synthesis tool in the FPGA tool package will automatically generate the register-transfer-level structure of a design. However, achieving the structure of the delay chain version 2 in the paper is non-trivial. I am not sure whether the FPGA routing tool can help achieve this task.

3. How to attack this TRNG? The author says that “The chain must be long enough so that for any variation of temperature and voltage caused by a malicious attacker, at least one DFF is unstable”. How should the chain length be decided so as to resist different kinds of attack, such as power attacks and fault attacks?
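The summary above notes that the generator's output was checked with the NIST tools. As an added example, not part of the paper or of this post, here are two of those tests in Python: the frequency (monobit) test and the runs test from NIST SP 800-22. The bit strings fed to them are constructed for illustration, not output of the paper's TRNG.

```python
"""Added example: NIST SP 800-22 frequency (monobit) and runs tests on a list of bits."""
import math
import random


def monobit_p_value(bits):
    """Frequency test: p-value that the balance of ones and zeros is consistent with a fair source.
    S = sum of (+1 for a 1, -1 for a 0); s_obs = |S| / sqrt(n); p = erfc(s_obs / sqrt(2))."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p_value(bits):
    """Runs test: p-value that the number of runs (maximal blocks of equal bits) is as expected.
    Returns 0.0 when the proportion of ones is too far from 1/2 for the test to apply
    (the frequency prerequisite NIST specifies), which counts as a failure."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def passes(bits, alpha=0.01):
    """Both tests pass when each p-value is at least alpha (NIST's default significance level)."""
    return monobit_p_value(bits) >= alpha and runs_p_value(bits) >= alpha


if __name__ == "__main__":
    # Constructed sample: a seeded software PRNG stands in for the hardware source.
    rng = random.Random(2007)
    sample = [rng.getrandbits(1) for _ in range(20000)]
    print("monobit p =", monobit_p_value(sample), "runs p =", runs_p_value(sample))
    print("stuck-at-1 passes?", passes([1] * 1000))          # False
    print("alternating 0101... passes?", passes([0, 1] * 500))  # False: far too many runs
```

A delay chain that is too short for the operating conditions, which is the concern behind question 3, would show up here as a biased or over-regular stream failing one of the two tests; NIST recommends running the whole suite over many sequences rather than judging a source on one.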

Paper 6

November 27th, 2007 by lang

Title: A Secure and Optimally Efficient Multi-Authority Election Scheme

Summary: The author proposes a robust threshold ElGamal cryptosystem to implement a multi-authority secret-ballot election scheme. This scheme surpasses previous ones in that the time and communication complexity for the voter is independent of the number of authorities. Based on the necessary mathematical assumptions and theoretical derivations, the efficiency of this election scheme is demonstrated.

The criteria for a “good” election protocol include the following properties.

1. Eligibility: Voters must prove their identity to cast a vote. No voter can cast more than one vote. No fake ballot is permitted.
2. Universal verifiability: All parties, including the voters, the authorities and passive observers, can verify that the election is fair. Furthermore, any party can check that ballots are correctly cast, and that only invalid ballots are discarded.
3. Privacy: Different ballots are indistinguishable, independent of any cryptographic assumption.
4. Robustness: Misbehaviour by a coalition of participants can be resisted. Any cheating voter can be detected and discarded.
5. No vote duplication: It is impossible to copy another voter’s vote, even without knowing what the copied vote is.
6. No interaction between voters: Voters should not need to interact with each other as part of the voting protocol, especially in large-scale elections.
7. Receipt-freeness: No voter can carry away from the protocol a receipt that proves the way he voted, so vote buying and coercion are prevented.
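As an added example (not the paper's code and not part of this post), the Python sketch below shows the mechanism behind the voter-side efficiency claim in the summary and behind the threshold decryption: each voter publishes one ElGamal ballot with the vote in the exponent, the ballots are multiplied together so that the product encrypts the sum, and any t of the n authorities combine Shamir shares of the key to open only that total. The group parameters are constructed and toy-sized, and the zero-knowledge proofs of ballot validity and of correct partial decryption that a real scheme needs for the robustness property are left out, so this is the arithmetic only.

```python
"""Added example: toy multi-authority tally with threshold exponential ElGamal (constructed parameters)."""
import random

# Toy safe-prime group p = 2q + 1; G = 4 generates the order-q subgroup. Real use needs >= 2048-bit p.
P, Q, G = 2039, 1019, 4
N_AUTH, T = 5, 3   # five authorities, any three can decrypt


def share_secret(secret, n, t, rng):
    """Shamir split of the tally key over Z_q: f(0) = secret, authority i holds f(i)."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}


def lagrange_at_zero(i, ids):
    """Coefficient lambda_i such that sum_i lambda_i * f(i) = f(0) over Z_q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def keygen(rng):
    """Public key h = g^x; the secret x is never held by any single authority."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), share_secret(x, N_AUTH, T, rng)


def encrypt_vote(h, v, rng):
    """Ballot for v in {0, 1}: (g^r, g^v * h^r). One ciphertext per voter, whatever N_AUTH is."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, v, P) * pow(h, r, P) % P


def aggregate(ballots):
    """Componentwise product of all ballots encrypts the sum of the votes (homomorphic property)."""
    c1 = c2 = 1
    for a, b in ballots:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def decryption_share(c1, share):
    """Authority i publishes c1^{s_i}. (The real scheme attaches a proof that this was done correctly.)"""
    return pow(c1, share, P)


def combine(c2, shares, max_votes):
    """prod_i d_i^{lambda_i} = c1^x; then g^T = c2 / c1^x and T is found by a small search."""
    ids = list(shares)
    c1x = 1
    for i, d in shares.items():
        c1x = c1x * pow(d, lagrange_at_zero(i, ids), P) % P
    g_t = c2 * pow(c1x, -1, P) % P
    for tally in range(max_votes + 1):
        if pow(G, tally, P) == g_t:
            return tally
    raise ValueError("tally outside the expected range")


def run_election(votes, seed=1):
    rng = random.Random(seed)
    h, shares = keygen(rng)
    ballots = [encrypt_vote(h, v, rng) for v in votes]
    c1, c2 = aggregate(ballots)
    participating = list(shares)[:T]     # the other authorities may be offline
    d = {i: decryption_share(c1, shares[i]) for i in participating}
    return combine(c2, d, len(votes))


if __name__ == "__main__":
    print("yes votes:", run_election([1, 0, 1, 1, 0]))   # 3
```

Decryption never reveals an individual ballot, only g^T for the aggregate, and fewer than T authorities hold no information about x; the search for T is cheap because T is bounded by the number of voters.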

Cool “mixed faces” website

October 30th, 2007 by lang

http://www.morphthing.com/

Here, based on image processing techniques, you can merge two faces into one. You can upload your own face picture and merge your face with a movie star! And… it is free!
Enjoy!

Paper 4

October 30th, 2007 by lang

Title: A digital design flow for secure integrated circuits

Review: The authors of this paper are Kris Tiri and Ingrid Verbauwhede, who have published many secure IC design papers in the crypto world. I first got to know his work when I was doing a project on “differential power analysis”. I appreciate Kris’ work because he built a bridge between the crypto field and the CMOS design field.

The DPA-resistant logic styles SABL and WDDL were first proposed by the author. In this journal paper, the author introduces an entire design flow to implement WDDL logic gates in cryptosystems. This design flow uses the standard cell design flow with only small changes. It includes specific logic synthesis, place & route and layout stages for the WDDL logic style. An AES prototype is generated by the design flow and tested with a DPA attack. The results demonstrate the effectiveness of DPA-resistant logic at the IC fabrication stage.

Some points of interests:

1. Why does differential power analysis work?

The power consumption of standard CMOS gates depends on the signal activity. When the output of a logic gate makes a 0 to 1 transition, a current flows from the power supply and charges the output capacitance. On the other hand, when the output sees a 1 to 0, a 0 to 0, or a 1 to 1 transition, no or only a limited amount of energy is drawn from the power supply.

2. The requirements for a DPA-resistant logic style:

1) a logic gate must have exactly one switching event per signal transition; 2) the logic gate must charge a constant capacitance in that switching event.

3. Some facts about the design methodology:

Two new design processes: “cell substitution” and “interconnect decomposition”

Prototype technology: TSMC 6M 0.18um process with 1.8V supply voltage

Design tools: HSPICE for low-level circuit simulation, DesignAnalyzer for netlist generation, Silicon Ensemble for place & route

Weaknesses:

1. To balance the dynamic power of WDDL logic gates, the interconnect capacitances have to be matched. This is the most difficult task in designing WDDL gates, but the most important feature for resisting differential power analysis. The author discusses this big issue in section III, where matched interconnect capacitances are obtained by routing the dual-rail outputs as parallel routes on the same layers with the same length. Figure 4 depicts this routing method. However, I wonder whether the load effect can influence this routing method. Does each WDDL gate have the same fanout? Is the load capacitance comparable with the interconnect capacitance? Anyway, due to the uncertainty of parasitic capacitance, the DPA resistance of different WDDL-based chips will vary.

2. It is always essential to seek an ideal trade-off between the power consumption and the security level of a DPA-resistant IC. As the author mentions at the end of the paper, the protected AES core consumes 4 times the power of the unprotected one. This is an unavoidable cost. However, when we design power-constrained electrical systems or battery-assisted systems, we may not be able to tolerate this cost. This is a great challenge in designing secure RFIDs, smartcards and wireless sensor systems. It is still unclear which DPA-resistant logic style is suitable for a real pervasive computing system or a portable device.
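To make points 1 and 2 above concrete, here is an added Python model, constructed for this review and not taken from the paper, of the charge drawn per clock by an 8-bit register in standard single-rail CMOS, where only 0 to 1 output transitions draw charge, and in a WDDL-style dual-rail precharge logic, where every bit raises exactly one of its two wires in each cycle. It partitions the samples by one data bit, the kind of selection function DPA relies on, and shows that the single-rail trace is data dependent while the dual-rail trace is constant. All capacitances are modelled as equal unit loads.

```python
"""Added example: charge per clock for an 8-bit register, single-rail CMOS vs WDDL dual-rail.
Constructed model for this review, not the paper's simulation; every capacitance is one unit."""
import random
from statistics import mean, pvariance

WIDTH = 8
MASK = (1 << WIDTH) - 1


def popcount(x):
    return bin(x).count("1")


def cmos_charge(prev, cur):
    """Units of capacitance charged when a single-rail register goes prev -> cur.
    Only 0->1 output transitions draw charge from the supply; 1->0, 0->0 and 1->1 draw none."""
    rising = (~prev) & cur & MASK
    return popcount(rising)


def dual_rail(value):
    """WDDL encodes bit b as the wire pair (true, false) = (b, not b)."""
    return [((value >> i) & 1, 1 - ((value >> i) & 1)) for i in range(WIDTH)]


def wddl_charge(prev, cur):
    """Charge drawn by a WDDL register over one precharge/evaluate cycle.
    Precharge pulls both wires of every pair to 0 (only 1->0 transitions, no charge);
    evaluation then raises exactly one wire per pair, i.e. one 0->1 transition per bit."""
    charge = 0
    for _prev_pair, (t_cur, f_cur) in zip(dual_rail(prev), dual_rail(cur)):
        precharged = (0, 0)   # state after precharge, whatever the previous value was
        charge += (t_cur - precharged[0]) + (f_cur - precharged[1])
    return charge


def trace(charge_fn, values):
    """One charge sample per clock for a sequence of register values."""
    return [charge_fn(a, b) for a, b in zip(values, values[1:])]


def leakage_stats(charge_fn, n=4000, seed=2007):
    """Variance of the trace and a DPA-style difference of means, partitioning the cycles
    by bit 0 of the value being written (the selection function)."""
    rng = random.Random(seed)
    values = [rng.randrange(256) for _ in range(n + 1)]    # constructed random register contents
    samples = trace(charge_fn, values)
    hi = [s for s, v in zip(samples, values[1:]) if v & 1]
    lo = [s for s, v in zip(samples, values[1:]) if not v & 1]
    return {"variance": pvariance(samples), "difference_of_means": mean(hi) - mean(lo)}


if __name__ == "__main__":
    for name, fn in (("single-rail CMOS", cmos_charge), ("WDDL dual-rail", wddl_charge)):
        print(name, leakage_stats(fn))
```

For the single-rail model the difference of means is about 0.5 units (bit 0 draws charge in half of the cycles in which it is written as 1 and never when written as 0), which is exactly the dependence DPA averages out of noise; for the dual-rail model both the variance and the difference are zero. The equal-capacitance assumption is what weakness 1 questions: if the true and false rails see different interconnect or load capacitance, the dual-rail charge is no longer constant and some data dependence returns.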

Untitled UMass Post

October 30th, 2007 by lang

Week 3

October 19th, 2007 by lang

On October 24th, I am going to give a presentation on an interesting paper from Berkeley. The title is: Vibration Powered Battery-Assisted Passive RFID Tag. I am currently doing a project with Professor Fu and Professor Burleson on “vibration scavenger design”. Thus, I am very happy to introduce this paper to everyone in the seminar, and get comments back.

Week 2

September 25th, 2007 by lang

Title: Making P2P Accountable without Losing Privacy

Summary: In this paper, a novel protocol, “e-cash” for peer-to-peer systems, is designed and evaluated. This protocol provides a currency-based scheme of buying and bartering for each involved node, which can guarantee the anonymity, unforgeability and fair exchange of P2P users. The security and privacy of P2P users are strengthened by this protocol at a fairly low cost in computational overhead and distributed communication load.

Strengths:

1. The buying and bartering protocols introduce a symmetric encryption algorithm, which helps guarantee the security and privacy of the two communicating parties. P2P systems are cool because increased participation of users increases the capacity of the system. However, an exponential increase in joined users may lead to free-riding and forgeable currency. As far as I know, most current P2P systems do not support encryption. Therefore, it is significant to explore security-aware P2P systems.

2. This currency-based protocol is similar to that of the economic and banking world. Analogous to the cash-back scheme of a Citi credit card, the protocol for P2P systems provides some incentives to the seeders, who contribute more resources than other users to the P2P system. This is very important to a P2P system, because a user without fair data exchange will always prefer to provide less rather than waste resources for diminishing gains. The protocol defines the concept of “fungibility”, which means that a user is paid for his contribution to the whole system and can spend this payment on later services. Also, such a scheme is similar to a BBS forum, where a user can earn e-points by posting new threads and must have enough e-points to read others’ threads or download others’ shared files.

Weaknesses:

1. The author provides an evaluation of the privacy cost of the proposed protocol. Such an evaluation does not seem well justified. The author only implements the proposed protocol and shows the cost in terms of data size and data exchange time. However, at the least, the author should compare this evaluation with other protocols such as BitTorrent. We cannot tell the advantage of the proposed protocol over traditional P2P systems.

2. I am still not sure of the scalability of the encryption algorithm in the e-cash based P2P system. The author indicates that economic issues exist in the proposed P2P system, for example, vulnerability to Sybil attacks and the creation of e-cash. Another problem is whether the security of users can be maintained as the P2P system expands. From the network-level perspective, there must be a key management scheme and an authentication scheme to support a large number of P2P users.

Week 1

September 5th, 2007 by lang

Paper title:

Initial SRAM State as an Identifying Fingerprint and Source of True Random Numbers.

Summary:

In this paper, the author introduces an economical way to generate both a chip fingerprint ID and true random numbers (TRN) for integrated systems with SRAM. The basic assumption is that the initialization state of a 6-transistor SRAM cell is affected by circuit mismatch and random noise. The chip ID generation makes use of process variation in the SRAM cells, while the TRN generation makes use of on-chip noise.

Strengths:

1. Cost-efficient: Given the recent demand for security and privacy in RFIDs and wireless sensor networks, both an ID fingerprint and a true random number generator are necessary in hardware design. However, low-power goals prevent engineers from using dedicated hardware to implement such functions. This paper gives a novel idea of SRAM-based ID and TRN generation without extra circuits. This idea is fairly intriguing for power-driven devices.

2. Statistical model: This paper gives good explanations of several statistical terms that support the FERNS principle, for example the concept of “skew”, the comparison of a “latent fingerprint” with a “known fingerprint”, and the concept of “entropy extraction”. These concepts help readers understand the theoretical bases of device fingerprint ID generation and true random number generation.

Weaknesses:

1. Possible overestimation of SRAM: A fingerprint ID is supposed to be a fixed bit value that is unique to each device. Manufacturers can intentionally introduce a process mismatch into SRAM cells to allocate a unique ID. It is possible that the initialization state of a cell can be used for ID generation. However, such a process mismatch may have negative effects on the reliability of the SRAM in normal operation. If the normal function of the SRAM is influenced by repeated initialization for generating numbers, the feasibility of FERNS is seriously impaired. On the other hand, it seems that fingerprint ID generation and true random number generation are paradoxical, because an ID is predictable and a random number is random. Temperature variation can affect the state of the SRAM, but the author has not proven that randomness can be obtained from SRAM independently of its initialization state.

2. Limitation of the experiment: The author claims that the FERNS principle works properly on SRAMs and WISPs. However, the SRAMs and WISPs are merely general-purpose chips. It seems that most current SRAM cells have the potential to generate both an ID and true random numbers, though they are not designed to do so. I think that a prototype SRAM with specially induced process variation would be a better hardware platform to demonstrate the FERNS principle.
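Added example, not from the paper or from this post: a constructed Python model of the FERNS idea in which each SRAM cell has a fixed power-up skew (process mismatch) plus per-read noise. Enrollment builds the known fingerprint by majority vote over several power-ups and records which cells never flipped; a single later power-up is the latent fingerprint and is matched by Hamming distance against a constructed threshold of a quarter of the cells; the cells that were not stable feed a von Neumann extractor, standing in for the entropy extraction step. It also illustrates one resolution of the paradox raised in weakness 1: the ID is read from the strongly skewed cells and the random bits from the weakly skewed ones, so the two uses draw on different cells of the same array.

```python
"""Added example: constructed model of SRAM power-up state as fingerprint and random source."""
import random

N_CELLS = 256


def make_chip(seed, n=N_CELLS, skewed_fraction=0.85):
    """A chip is a list of per-cell probabilities of powering up as 1.
    Most cells are strongly skewed by process mismatch; the rest sit near 1/2 and are noise-dominated."""
    rng = random.Random(seed)
    cells = []
    for _ in range(n):
        if rng.random() < skewed_fraction:
            cells.append(rng.choice([0.02, 0.98]))
        else:
            cells.append(rng.uniform(0.3, 0.7))
    return cells


def power_up(chip, rng):
    """One power-up read: each cell settles to 1 with its own probability (skew plus noise)."""
    return [1 if rng.random() < p else 0 for p in chip]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def enroll(chip, rng, trials=9):
    """Known fingerprint: majority vote over several power-ups, plus a mask of cells that never flipped."""
    reads = [power_up(chip, rng) for _ in range(trials)]
    columns = list(zip(*reads))
    fingerprint = [1 if sum(col) * 2 > trials else 0 for col in columns]
    stable = [len(set(col)) == 1 for col in columns]
    return fingerprint, stable


def identify(latent, known, threshold):
    """Match a latent (single power-up) fingerprint to the closest enrolled one; None if none is close."""
    distances = {name: hamming(latent, fp) for name, fp in known.items()}
    best = min(distances, key=distances.get)
    return best if distances[best] <= threshold else None


def von_neumann(bits):
    """Entropy extraction: read bits in pairs, emit 0 for 01 and 1 for 10, drop 00 and 11.
    This removes each cell's bias as long as successive reads are independent."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def random_bits(chip, stable, rng, power_ups=20):
    """True random bits: harvest only the cells that were unstable at enrollment, then extract."""
    raw = []
    for _ in range(power_ups):
        read = power_up(chip, rng)
        raw.extend(bit for bit, is_stable in zip(read, stable) if not is_stable)
    return von_neumann(raw)


def demo():
    """Two enrolled chips, one latent read of chip A, and one read of a chip that was never enrolled."""
    chips = {"A": make_chip(1), "B": make_chip(2)}
    rng = random.Random(10)
    known, masks = {}, {}
    for name, chip in chips.items():
        known[name], masks[name] = enroll(chip, rng)
    latent_a = power_up(chips["A"], random.Random(11))
    latent_c = power_up(make_chip(3), random.Random(12))
    return {
        "latent_A_matches": identify(latent_a, known, threshold=N_CELLS // 4),
        "unknown_chip_matches": identify(latent_c, known, threshold=N_CELLS // 4),
        "stable_cells_A": sum(masks["A"]),
        "random_bits_from_A": len(random_bits(chips["A"], masks["A"], random.Random(13))),
    }


if __name__ == "__main__":
    print(demo())
```

The random-bit path yields far fewer bits than raw cells are read, because the extractor discards every equal pair; that, and the need to confirm the extracted stream with statistical tests rather than assume it, is the practical cost of getting both functions from one array.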