To provide for secure communications and protection of financial, military, medical or other data requiring a high degree of protection, computer and microprocessor-based systems now implement various security measures. These measures are generally intended to preclude an adversary's illicit access to data transmitted on communication channels, stored in nonvolatile storage, such as disk drives or optical media, or stored in a memory being accessed by the microprocessor, for example, because the memory and microprocessor are on the same circuit board and/or coupled by a bus.
An exemplary application area is protecting the data stored in the memory of a secure computing system, but other types of applications are equally common and important. Common types of attacks on such processors can be categorized as active or passive attacks. In passive attacks an adversary reads the contents of the memory in the hope of discovering secrets, like passwords, copyrighted material, etc. A passive attacker can also monitor the data traffic between the processor and the memory (or some peripherals) for secrets.
Active attacks attempt to modify the contents of the memory, or the data traffic between the memory and the processor. Active attacks include attempts to copy-and-paste memory blocks between different locations, or to replay earlier content of the same or another location. Such attacks can cause harm, for example by creating an infinite loop, or otherwise impact the program running on the secure microprocessor that uses data from the protected memory. In a known-data recognition attack, an adversary may attempt to learn an encryption key by watching writes of known data to the same address.
The secrecy and integrity of stored, processed or transmitted sensitive data can be assured by cryptographic means. The most important cryptographic tools are block ciphers. They use secret keys, which determine their behavior for a given encryption algorithm. The most often used ciphers perform many iterations of transformation steps, called rounds. These transformation steps are influenced by secret round keys, derived from the cipher key. The security and speed of the cipher depend on how these round keys are generated. Many currently used ciphers are slow and consume a lot of power and energy, partly because of the complexity of generating highly uncorrelated round keys. Their key generation also leaks exploitable information through side channels. Other currently used ciphers employ round-key generators which produce low-quality (correlated, biased) keys.
The round keys for block ciphers have to be highly uncorrelated, even though they are derived from the same cipher key. The algorithm generating the round keys is also called the key schedule. Many ciphers use simple key schedules, like LFSRs (Linear Feedback Shift Registers). These are easily computed and fast, but the resulting round keys are highly correlated. For example, in the LFSR case, half of the time a round key is just a 1-bit rotated version of the previous round key, and the other half of the time only a handful of bits are changed in the rotated previous round key.
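The correlation described above can be measured directly. The following script (an added illustration, not code from the patent) steps a 16-bit Galois LFSR with the commonly cited tap mask 0xB400 as a toy key schedule and compares each round key with the 1-bit rotation of its predecessor; a seeded random sequence stands in for an ideal, uncorrelated schedule for comparison. The 16-bit width, tap mask and starting key 0xACE1 are assumptions chosen for the demonstration.

```python
# Toy LFSR key schedule: shows why its round keys are correlated.
# Each Galois step is a 1-bit right rotation of the previous state, plus an
# XOR with the tap mask whenever the bit shifted out is 1.  So every round
# key is either exactly the rotated previous key or differs from it in only
# the tap positions (3 bits here), which is the weakness the text describes.
import random

WIDTH = 16
MASK = (1 << WIDTH) - 1
TAPS = 0xB400  # assumed maximal-length taps for a 16-bit Galois LFSR


def rotr(x, k=1):
    """Rotate a WIDTH-bit word right by k bits."""
    k %= WIDTH
    return ((x >> k) | (x << (WIDTH - k))) & MASK


def lfsr_round_keys(cipher_key, rounds):
    """Derive `rounds` round keys by stepping the Galois LFSR from cipher_key."""
    keys = []
    state = cipher_key & MASK
    for _ in range(rounds):
        out_bit = state & 1
        state >>= 1
        if out_bit:
            state ^= TAPS
        keys.append(state)
    return keys


def rotation_distances(keys):
    """Hamming distance between each key and the 1-bit rotation of its predecessor."""
    return [bin(rotr(prev) ^ cur).count("1") for prev, cur in zip(keys, keys[1:])]


def correlation_report(keys):
    """Summarise how close consecutive round keys are to a plain rotation."""
    d = rotation_distances(keys)
    return {
        "exact_rotation_fraction": d.count(0) / len(d),
        "mean_bits_changed": sum(d) / len(d),
        "max_bits_changed": max(d),
    }


def random_round_keys(rounds, seed=1):
    """Seeded stand-in for an ideal uncorrelated schedule (comparison only)."""
    rng = random.Random(seed)
    return [rng.getrandbits(WIDTH) for _ in range(rounds)]


if __name__ == "__main__":
    print("LFSR  :", correlation_report(lfsr_round_keys(0xACE1, 64)))
    print("random:", correlation_report(random_round_keys(64)))
```

For the LFSR schedule the report shows at most 3 changed bits after rotation (and 0 roughly half the time), whereas independent 16-bit keys differ from the rotated predecessor in about 8 bits on average.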
If the key schedule is not complex enough to produce uncorrelated round keys, the cipher needs many rounds to achieve high security. Commonly used ciphers accomplish their key schedules by repeating simple steps, including rotate, XOR, and bit rearrangements. They face a difficult tradeoff: few such steps produce correlated round keys, and thus the cipher needs many rounds; while performing many key-schedule steps consumes much time at each round. Either way, the cipher needs a considerable amount of time.
Currently used key schedule algorithms generate round keys from earlier round keys, therefore they have to generate all the round keys to get the last one, with which decryption can begin. For single cipher operations on general-purpose microprocessors the overall number of operations could be the same with any order of round-key generation, so this iterative key schedule does not slow down ciphers implemented in software. On the other hand, in systems implemented in electronic hardware the sequential round-key generation causes an initial delay at decryption. An exception is when many decryption operations are performed with the same key, and the corresponding round keys can be cached. However, large cache memories are targets of physical attacks, and using the same key over and over again exposes the security system to side channel attacks. Key rolling improves the security of most applications, but it prevents caching the round keys, and can result in a slowdown in decryption. (Key rolling means changing the encryption key after every one, or after every few, uses.)
Thus, a heretofore unaddressed need exists in the industry to address the aforementioned deficiencies and inadequacies.