Post on 08-Nov-2021
1
Prototype IC with WDDL and Differential Routing – DPA Resistance Assessment
K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, I. Verbauwhede
tiri@ee.ucla.edu
This work was supported in part by
National Science Foundation (CCR-0098361), UC-Micro 02-079 and 03-088, Panasonic Foundation,
SUN Microsystems, Atmel corporation and the Fannie and John Hertz Foundation
Kris Tiri CHES 2005, 09/01/05 2
Outline
� Side-channel attacks
� IC system architecture
� Resisting DPA attacks
� Secure digital design flow
� Prototype IC
� Insecure coprocessor as benchmark
� DPA resistance experimental results
� Conclusions
2
Kris Tiri CHES 2005, 09/01/05 3
Side-channel attacks
Current Probe
� 128-bit AES encryption cracked under 3 min.
start encryption
11 clock cycles
supply current
start signal
Kris Tiri CHES 2005, 09/01/05 4
Fingerprint
sensor
2MB SRAM
LEON Processor
Secure ASIC
LEON Processor
Boot PROM I/F
AMBA Peripheral
Bus
32bits Memory Bus
Comparator
LEON Processor
AES
coprocessor
comparator
Template
storage
Regular processor
Boot ROM
RS232
LEON processor
UART1
UART2
cache
AHB
controller
Memory
controller
Boot
PROM I/F
AHB/APB
bridge
AMB A
Peripheral
Bus
32bits Memory Bus
Integer unitAHB I /F D cache
2KBI cache
2KB
Fingerprint
sensor
2MB SRAM
LEON Processor
Secure ASIC
LEON Processor
Boot PROM I/F
AMBA Peripheral
Bus
32bits Memory Bus
Comparator
LEON Processor
AES
coprocessor
comparator
Template
storage
Regular processor
Boot ROM
RS232
LEON processor
UART1
UART2
cache
AHB
controller
Memory
controller
Boot
PROM I/F
AHB/APB
bridge
AMB A
Peripheral
Bus
32bits Memory Bus
Integer unitAHB I /F D cache
2KBI cache
2KB
ThumbPod device
� Biometrically-driven
electronic key
� Strong, secure bond between owner and key
� Components:
� Microprocessor
� Fingerprint sensor
� Wireless transceiver
� Secure coprocessor
� Security partitioning
3
Kris Tiri CHES 2005, 09/01/05 5
AES encryption core
� Advanced Encryption Standard optimized for speed: 128-bit key, 128-data
� Sbox table lookup, on the fly key scheduling
� 11 cycles per encryption
� OFB, CBC, and ECB modes without loss in throughput
KEY
SCHEDULE
XORSUBSHIFT
ROW
MIX
COLUMN
KEY
DIN
DOUT
RA
RB RC
Kris Tiri CHES 2005, 09/01/05 6
Resisting DPA attacks
� Protection against class of power analyses
� Independent of algorithm/arithmetic
� Correct by construction
� Distributed solution
basic building blocksame power for every transition
� Asymmetric power consumption
4
Kris Tiri CHES 2005, 09/01/05 7
Secure digital design flow
script lib.v
logic synthesis
logic design
behavior.v design specs
rtl.v
cell substitution
fat_lib.lef diff_lib.lef
place &
route
fat.v fat.def
interconnect decomposition
diff.def layout
stream out
Few key modifications with minimal influence in backend of regular synchronous
static CMOS standard cell design flow
Kris Tiri CHES 2005, 09/01/05 8
Wave Dynamic Differential Logic
single switching event per cycle
Secure digital design flow (cnt’d)
� Static CMOS standard cell
� Dual rail with precharge
� Interconnect: dominant
� Balancing interconnect: crucial
Differential Routing
constant load capacitance
AOI221X2 gate
C0
OAI221X1
AOI22 1X1A0
A1
B0
B1
Y
Y
INVX2
INVX2A0
A1
B0
B1
C0
AOI221X2 gate
C0
OAI221X1
AOI22 1X1A0
A1
B0
B1
Y
Y
INVX2
INVX2A0
A1
B0
B1
C0
5
Kris Tiri CHES 2005, 09/01/05 9
Prototype IC in 0.18µm CMOS
� WDDL, differential route � Single-ended, regular route
AES
AES
AES
AES
Kris Tiri CHES 2005, 09/01/05 10
DPA attack setup
leon sparc coprocessor IC
synchr. signal
current probe
6
Kris Tiri CHES 2005, 09/01/05 11
� Unprotected AES � Protected AES
Supply current traces
encryption
supply current
Kris Tiri CHES 2005, 09/01/05 12
� Unprotected AES � Protected AES
Supply current traces (cnt’d)
encryption
supply current
7
Kris Tiri CHES 2005, 09/01/05 13
DPA resistance assessment
� Estimate power consumption in round 11 + 1
� Compare Hamming distances & measurements
� 16*28 key guesses vs. 2128 key guesses
R11
max fcost(K11) = corr(Pmeasurement,Pestimation) K11
where Pmeasurement = max(Isupply,11+1)
Pestimation = HamDist(D11,C11)
D11 = sub-1(shiftrow-1(K11 ⊗ C11))
D11XORSUB
SHIFT
ROW
MIX
COLUMN
DIN
DOUT
RB RC
KEY
C11
K11
C11C11R11+1
Kris Tiri CHES 2005, 09/01/05 14
DPA attack
� Unprotected key byte (15K meas.)
Measurements
to Disclosure
8
Kris Tiri CHES 2005, 09/01/05 15
DPA attack (cnt’d)
� Protected key byte (1,500K meas.)
Kris Tiri CHES 2005, 09/01/05 16
Results
Parameter Unprotected AES Protected AES
Gate Count (eq. gates) [K] 79 245
Area [mm2] 0.79 2.45
Maximum Frequency (@1.8V) [MHz] 330.0 85.5*
Maximum Throughput (@1.8V) [Gb/s] 3.84 0.99
Power Consumption (@1.8V, 50 MHz) [mW] 54 200†
Measurements to Disclosure‡
min 320 21,185
mean 2,133 255,391
max 8,168 1,276,186
Key bytes not found (@1.5M Meas.) n/a 5 *Duty factor of clock > 50% to guarantee precharge of all gates
†Estimation based on area ratio AES vs. Entire System
‡Based on correctly guessed key bytes
9
Kris Tiri CHES 2005, 09/01/05 17
Security tradeoff - figure of merit
� Three times area, and four times power consumption and minimum clock period
� Security partitioning minimizes cost for complex systems
� Secure coprocessor orders of magnitude faster and expends less energy than software on main processor
� Figure of merit: (throughput /power consumption)� Secure coprocessor: 2.9Gb/s/W.
� C code on embedded Sparc: 0.0011Gb/s/W
Kris Tiri CHES 2005, 09/01/05 18
Conclusions
� Power supply current
� Major & easy side-channel leakage source
� Design approach
� Secure digital design flow
� Prototype IC in 0.18µm CMOS
� Demonstrated DPA countermeasure implemented and tested in actual silicon