How to Protect RISC-V Against Side-channel Attacks?
Elke De Mulder, Samatha Gummalla, Michael Hutter

Introduction
Side Channel Analysis == use of measurable, physical properties of a chip during the execution of an operation to extract secret information used within the chip
Intuitively:
• ≠ power consumption: open/closed transistor, bit flip in a register yes/no, ≠ values
• Intermediate values = f(secret)
[Figure: Input → Cryptographic Implementation → Output]

Countermeasures
• State-of-the-art: Boolean masking
• E.g. value 𝑥 represented as a tuple (𝑥0, 𝑥1), 𝑥 = 𝑥0 ⨁ 𝑥1 with 𝑥0 random
• Algorithms are adjusted to work with this representation such that each intermediate is statistically independent of 𝑥 and 𝑦
[Figure: f maps 𝑥 to 𝑦; masked f ’ maps shares (𝑥0, 𝑥1) to (𝑦0, 𝑦1)]

Side-channel Related Software Leaks
Where are these secret related values used in a SW implementation on a processor?
• ALU
• Register bank
• Memory and memory interface
• ALU input/output registers
• Forwarding
• Cache
• Branch Prediction Unit
• Fetch and Decode Unit
• JTAG/Debug interface
• ……
[Figure: processor block diagram with Memory, Memory Interface, Register Bank, ALU (ALU InA, ALU InB, ALU Out), Forwarding, Cache, Branch Prediction Unit, Fetch/Decode Unit, JTAG/Debug Interface, All Interconnects/Paths Between Blocks]

Side-channel Related Software Leaks
How does power-related information manifest itself inside these components?
• Direct values
  Register writing, values going through the ALU, values stored in micro-architecture registers (e.g. forwarding register, register at the entrance or exit of an ALU, …)
• Data-overwrite values
  Overwriting a value with a different value exhibits power consumption related to the bit difference between the two values
• At the circuit-level through glitches, wire interconnects, etc.

Countermeasure Example: AND Operation
1. Generate a random value 𝑑
2. 𝑦0 = 𝑦1 = 𝑑
3. 𝑡 = 𝑎0 ⋀ 𝑏0
4. 𝑦1 = 𝑦1 ⨁ 𝑡
5. 𝑡 = 𝑎1 ⋀ 𝑏0
6. 𝑦1 = 𝑦1 ⨁ 𝑡
7. 𝑡 = 𝑎0 ⋀ 𝑏1
8. 𝑦1 = 𝑦1 ⨁ 𝑡
9. 𝑡 = 𝑎1 ⋀ 𝑏1
10. 𝑦1 = 𝑦1 ⨁ 𝑡
Not statistically independent
[Figure: AND takes 𝑎, 𝑏 and outputs 𝑦; masked AND’ takes shares (𝑎1, 𝑎2), (𝑏1, 𝑏2) and outputs (𝑦1, 𝑦2)]
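Added example (not from the slides): the ten steps above, enumerated over all 1-bit share values, to test which register writes are statistically independent of 𝑎 and 𝑏 under the two leak types named earlier, direct values and data-overwrite values. Assumptions: 1-bit shares, registers t, y0 and y1 initially 0, and noise-free leakage equal to the written value or to old XOR new.

```python
from collections import Counter
from itertools import product

def masked_and_writes(a0, a1, b0, b1, d):
    """Run the ten steps; return one (step, old, new) tuple per register write.
    Assumption: registers t, y0 and y1 hold 0 before step 1."""
    reg = {"t": 0, "y0": 0, "y1": 0}
    writes = []

    def write(step, name, value):
        writes.append((step, reg[name], value))
        reg[name] = value

    write(2, "y0", d)
    write(2, "y1", d)
    pairs = [(a0, b0), (a1, b0), (a0, b1), (a1, b1)]
    for k, (x, y) in enumerate(pairs):
        write(3 + 2 * k, "t", x & y)                  # steps 3, 5, 7, 9
        write(4 + 2 * k, "y1", reg["y1"] ^ reg["t"])  # steps 4, 6, 8, 10
    # The output shares must recombine to a AND b.
    assert reg["y0"] ^ reg["y1"] == (a0 ^ a1) & (b0 ^ b1)
    return writes

def value_model(old, new):
    """Direct values: the leak is the value being written."""
    return new

def overwrite_model(old, new):
    """Data-overwrite values: the leak is the bits that flip (old XOR new)."""
    return old ^ new

def leaking_steps(model):
    """Steps whose leak distribution over the randomness depends on (a, b)."""
    dist = {}  # (write index, step) -> {(a, b): Counter of leak values}
    for a, b, a0, b0, d in product((0, 1), repeat=5):
        writes = masked_and_writes(a0, a ^ a0, b0, b ^ b0, d)
        for i, (step, old, new) in enumerate(writes):
            per_secret = dist.setdefault((i, step), {})
            per_secret.setdefault((a, b), Counter())[model(old, new)] += 1
    return sorted({step for (_, step), per_secret in dist.items()
                   if len({frozenset(c.items()) for c in per_secret.values()}) > 1})

if __name__ == "__main__":
    print("direct-value leaks at steps:", leaking_steps(value_model))
    print("data-overwrite leaks at steps:", leaking_steps(overwrite_model))
```

Under these assumptions no written value depends on 𝑎 or 𝑏, but the overwrites of 𝑡 in steps 5, 7 and 9 do: reusing one register for consecutive partial products exposes their bit difference.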

Take-away
• Creating SCA secure SW implementations on unknown HW == Not EASY!
• Lots of testing and lots of theoretical and practical knowledge required from a SW developer

An SCA-protected RISC-V Architecture
• Idea: “transparent hardware-protection layer”
  • Software does not need to take care of DPA or side-channel leakage
  • Software can be written in a classical “unprotected” way
• Custom RISC-V design with 5 pipeline stages
• Added features to counteract side-channel analysis
  • Random number generator (RNG) integration
  • Masking countermeasure to protect data path + register bank
  • Memory-access leakage protection

Architecture Overview
• Data from/to memory gets masked/unmasked inside the CPU boundary
• Register bank is doubled to store both mask shares
• Data path is processing 2 shares
• ALU uses state-of-the-art provably secure masking techniques to avoid leakage
[Figure: RISC-V protected block diagram with Pipeline Unit (IF, ID, OF, EX, WB), Branch Predictor, Debug, CSR Block, PRNG, Register File, Masking, AXI Master, iMem, dMem, External Bus (AXI)]

SCA-protected Memory Access
• Storing both shares would require too much overhead…
• Idea: memory encryption with on-the-fly session-key calculation
• Session keys are a function of a random seed and the memory address
• Software can choose from at least 2 available session keys
• Session keys can be updated via dedicated Control Status Registers (CSR)

Side-channel Leakage Assessment
How to assess side-channel security?
• Any data-dependent power consumption has the potential to reveal secrets
• Intuitively: Can I distinguish between power measurements of a fixed input to the algorithm and a random input? Any statistically significant difference = problematic
• Statistical significance measured by Welch’s t-test, threshold level set at 4.5σ
$$t(i) = \frac{\mu_A(i) - \mu_B(i)}{\sqrt{\frac{\sigma_A^2(i)}{N_A} + \frac{\sigma_B^2(i)}{N_B}}}$$
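Added example (not from the slides): the per-sample Welch t statistic and the 4.5 threshold applied to a fixed-input set and a random-input set of traces. The traces are constructed here from an assumed toy model (Hamming weight of an 8-bit value plus Gaussian noise, fixed input 0x00); simulate_trace and fixed_vs_random are hypothetical helper names.

```python
import random
from math import sqrt
from statistics import fmean, variance

THRESHOLD = 4.5  # pass/fail level stated on the slide

def welch_t(set_a, set_b):
    """Welch t statistic t(i) at every sample index i of two trace sets."""
    t = []
    for col_a, col_b in zip(zip(*set_a), zip(*set_b)):
        num = fmean(col_a) - fmean(col_b)
        den = sqrt(variance(col_a) / len(col_a) + variance(col_b) / len(col_b))
        t.append(num / den)
    return t

def leaky_samples(set_a, set_b, threshold=THRESHOLD):
    """Sample indices where |t(i)| exceeds the threshold."""
    return [i for i, t in enumerate(welch_t(set_a, set_b)) if abs(t) > threshold]

def simulate_trace(x, rng):
    """Constructed 3-sample trace for an 8-bit input x (assumed leakage model)."""
    def hw(v):
        return bin(v).count("1")
    mask = rng.randrange(256)            # fresh Boolean mask per execution
    return [
        rng.gauss(0, 1),                 # sample 0: no data-dependent activity
        hw(x) + rng.gauss(0, 1),         # sample 1: unmasked value in a register
        hw(x ^ mask) + rng.gauss(0, 1),  # sample 2: only the masked share
    ]

def fixed_vs_random(n=1000, seed=1):
    """Return (fixed-input traces, random-input traces), n traces each."""
    rng = random.Random(seed)
    fixed = [simulate_trace(0x00, rng) for _ in range(n)]
    rand = [simulate_trace(rng.randrange(256), rng) for _ in range(n)]
    return fixed, rand

if __name__ == "__main__":
    fixed, rand = fixed_vs_random()
    print("t(i):", [round(t, 1) for t in welch_t(fixed, rand)])
    print("samples over threshold:", leaky_samples(fixed, rand))
```

Only the sample that carries the unmasked value crosses the threshold; the masked sample has the same mean in both sets, so a first-order test on it stays below 4.5.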

Implementation and Testing
[Figure: test setup block diagram with labels Zynq ZC702, Programmable Logic, ARM Cortex A9, RISC-V, Shared Memory, PC, Scope, UART]

Examples of Cryptographic Implementations: AES
[Two figure slides: plots of power consumption value and t-test values over time, labelled Average Power Consumption, T-Test Thresholds, Input Leak and Output Leak]

Examples of Cryptographic Implementations: SHA-2
[Figure: plot of power consumption value and t-test values over time, labelled Average Power Consumption, T-Test Thresholds, Input Leak and Output Leak]

Summary
• Implemented a DPA-hardened RISC-V core
• Idea: software implementors can write unprotected code and still achieve 1st-order DPA security

Thank You
Q&A