
1861-5252/ © 2010-2011 TSSD Transactions on Systems, Signals & Devices

Vol. 5, No. 4, pp.1-22

Implementation of DPA Attacks on Flash-based FPGA Hardware AES Cipher and Proposal of a Novel Correlated Power Noise Generator Countermeasure

N. Kamoun (1), L. Bossuet (2) and A. Ghazel (1)

(1) CIRTA'COM Lab, SUP'COM, Cité technologique des Communications, El Ghazala, Ariana, Tunisia.

(2) Laboratory Hubert Curien, University of Lyon, Saint-Etienne, France.

Abstract. In this paper, the authors conducted a successful DPA attack on an AES hardware implementation on Flash-based FPGA technology. The correlation analysis method is used to reduce the DPA attack data processing time. An experimental set-up is defined to implement critical AES modules and the DPA attack on an FPGA board. As its main contribution, this work proved the success of the DPA attack on Flash-based FPGA. Experimental results showed that for different secret key values a maximum of correlation with the correct key is obtained within 20 min of data processing time. To secure the hardware AES cipher against this DPA attack with reduced area and power consumption overhead, a novel countermeasure based on a correlated power noise generator is proposed to remove the correlation of the design's power consumption with the secret key. The robustness of the proposed countermeasure is proved against the DPA attack implementation on the Actel Fusion Flash FPGA. The implementation on Xilinx Virtex 4 of the full 128-bit AES with the CPNG countermeasure leads to a smaller area overhead (12.78 times less) than the conventional masking scheme countermeasure.

Keywords: DPA, AES, S-Box, Flash-based FPGA, countermeasures.

1. Introduction

Security in embedded communication systems is of crucial importance because in a large number of applications vital system data may be captured by attackers. Therefore, the various cryptographic services required for these applications involve robust solutions for data protection. Embedded equipment is fitted with hardware processors which are used to implement security protocols. Physical implementations of cryptographic algorithms may leak some side-channel information, like electromagnetic emanations, temperature, computing time, and power consumption [1, 2]. With this information, an attacker can retrieve the data that is being computed, like cryptographic keys. Among these side-channel attacks, differential power analysis (DPA) poses a serious threat to the security of different cryptographic implementations because it is practical, non-invasive, and easy to repeat [3].

Power analysis attacks exploit the correlation between the data and the instantaneous power consumption of cryptographic devices. As this correlation is usually very small, statistical methods should be used to exploit it efficiently. This kind of attack depends on the cryptographic device technology, since the DPA design is based on a hypothetical power model of the target device [4].

Previous research works presented interesting results relative to DPA implementations for different VLSI technologies. Great interest was given to DPA FPGA implementation, but published works were limited to SRAM-based FPGA technologies [3–7].

The first contribution of this paper consists in proposing an experimental implementation on Flash-based FPGA of a DPA attack on the Advanced Encryption Standard (AES) [8]. The objective is to demonstrate the success of the DPA attack on this very attractive FPGA technology, characterized by its great performance in terms of low power consumption [9]. The Actel Fusion FPGA, considered in this work, offers several sleep and standby modes of operation to further extend battery life in embedded applications.

To overcome DPA attacks, countermeasures can be implemented to secure AES implementations. They can be at the gate [10, 11], system [12], or algorithmic level [13–15]. The first ones are based on logic styles that aim to achieve independence between the secret key and the power consumption. The second ones focus on deteriorating the side-channel signal quality. The third ones mask the manipulated data to remove this dependence. Gate-level countermeasures are the most costly in area and power consumption. In the embedded design case, all these countermeasures are too area and power consuming.

To solve this issue, the authors propose in this work a novel low-area-cost, high-operating-frequency architectural-level countermeasure technique robust against DPA attack. The proposed countermeasure is based on a new Correlated Power Noise Generator (CPNG). Its basic idea is to add an interfering power signal which depends on the manipulated data and on an interfering key. This key value has to be different from the secret key value.

The paper is organized as follows. In the second section we present the AES cipher design and a brief survey of DPA attack techniques. Design considerations of the DPA attack implementation on Flash-based FPGA technology are detailed in Section 3. In Section 4 the design principle of the novel proposed Correlated Power Noise Generator (CPNG) countermeasure is presented. Section 5 gives experimental results relative to the validation of the DPA attack implementation on Flash FPGA and to the robustness and performance evaluation of the secure AES implementation with the CPNG countermeasure. Finally, some conclusions and future work are outlined in Section 6.

2. AES cipher design and DPA attack techniques

2.1 AES principle

The Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. It has been analyzed extensively and is now used worldwide. AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. Since in computing 1 byte equals 8 bits, the fixed block size of 128 bits is normally 128/8 = 16 bytes. AES operates on a 4 × 4 array of bytes, termed the state. Most AES calculations are done in a special finite field [8].

The cipher is specified, as indicated in Fig. 1, in terms of repetitions of processing steps that are applied to make up rounds of keyed transformations between the input plaintext and the final output ciphertext. A set of reverse rounds is applied to transform the ciphertext back into the original plaintext using the same encryption key.

- AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.

- SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.

- ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.


- MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.

[Fig. 1 block diagram; blocks: Key expansion, AddRoundKey, SubBytes, ShiftRows, MixColumns; signals: In, Key, Out]

Fig. 1. Processing steps of AES encryption.

2.2 Data processing techniques for DPA attacks

The DPA attack, as indicated in Fig. 2, targets the secret key K by processing the available data: the power consumption P(t), the plaintexts Pltxt and the ciphertext Chtxt.

[Fig. 2 diagram: device under attack with input Pltxt and outputs Chtxt and P(t), all fed to the DPA block, which outputs the key guess K?]

Fig. 2. DPA attack processing parameters.

Three techniques are mainly used for DPA attack data processing. The first one is correlation analysis [16]. The second one is the distance of mean method introduced by Kocher [3]. The third one is the maximum likelihood method [2].

2.2.1 Correlation analysis technique

The attacker proceeds as follows. First, he targets the most significant byte of the key K. Then, for N different plaintexts Pltxt, he predicts the power consumption by choosing the Hamming weight model at the S-Box output, for every possible value of K. The result is an N × 256 selected prediction matrix MP of the power consumption with an exhaustive list of the key. In the second part of the attack, the adversary lets the circuit encrypt the same N plaintexts Pltxt with a fixed key and measures the power consumption of the device while the chip is performing the targeted operation. This results in an N × 1 measurement vector VM of the instantaneous power P(t).

Finally, the attacker computes the correlation between the measurement vector and all the columns of the selected prediction matrix MP. If the attack is successful, it is expected that only one value, corresponding to the correct key bits, leads to a high correlation. An efficient way to compute the correlation is to use the Pearson coefficient, which can be expressed as indicated in equation (1).

$$C(VM, M_p(c_i)) = \frac{E(VM \cdot M_p(c_i)) - E(VM)\,E(M_p(c_i))}{\sqrt{\mathrm{var}(VM)\,\mathrm{var}(M_p(c_i))}} \quad (1)$$

In this expression, E(VM) denotes the mean of the measurement set VM and var(VM) its variance, and M_p(c_i) is column number i of the matrix M_p. More explanations of the power analysis attack principles can be found in previous publications [4].

2.2.2 Distance of mean test

The difference between the correlation analysis and the distance of mean test techniques lies essentially in the processing of the measured device power consumption. It begins by running the cryptographic algorithm for N random inputs Pltxt. For each of the N inputs, Pltxt,i, the power consumption VM(i, j) is measured for the corresponding output Chtxt,i. The power consumption signal VM(i, j) is a sampled version of the power consumption of the device during the execution of the algorithm that is being attacked. The index i corresponds to the input Pltxt,i that produces the signal and the index j corresponds to the time of the sample. The VM(i, j) are split into two sets using a partitioning function, Pf(.):

Set_0 = {VM(i, j) | Pf(.) = 0}, Set_1 = {VM(i, j) | Pf(.) = 1}

The next step is to compute the average side-channel signal ASC_l for each set, for l = 0, 1, as indicated in expression (2):

$$ASC_l(j) = \frac{1}{|Set_l|} \sum_{M_i(j) \in Set_l} M_i(j) \quad (2)$$

where |Set_0| + |Set_1| = N.

By subtracting the two averages, a discrete-time differential side-channel bias signal DSC[j] is obtained, as indicated in expression (3):

DSC[j] = ASC_0[j] − ASC_1[j] (3)

Selecting an appropriate Pf function results in a differential side-channel bias signal that can be used to verify the guessed part of the secret key.
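The two data-processing methods of Sections 2.2.1 and 2.2.2, run on constructed simulated traces of the attacked S-Box module (Fig. 4) rather than on scope captures, as an added example that is not the paper's code. It assumes a Hamming-weight-plus-Gaussian-noise leakage at one time sample and builds the AES S-Box from the field inverse (plain polynomial basis, not Canright's normal-basis circuit); it also replays the uncorrelated-noise-generator case of Section 5.2 to show that averaging removes independent noise.

```python
import random

# Added example (not the paper's code): DPA data processing of Sections 2.2.1
# and 2.2.2 on constructed traces. The "measurement" is the Hamming weight of
# the S-Box output plus Gaussian noise; no hardware is involved.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r

def aes_sbox():
    """AES S-Box = field inverse followed by the affine map (0 maps to 0x63)."""
    inv = [0] * 256
    for a in range(1, 256):
        for x in range(1, 256):
            if gf_mul(a, x) == 1:
                inv[a] = x
                break
    box = []
    for a in range(256):
        s = inv[a]
        b = s
        for k in range(1, 5):                      # s ^ rotl(s,1) ^ ... ^ rotl(s,4)
            b ^= ((s << k) | (s >> (8 - k))) & 0xFF
        box.append(b ^ 0x63)
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight model

def simulate_traces(n, key, samples=5, leak_at=2, sigma=1.0, upng_key=None, seed=1):
    """Constructed traces VM(i, j): HW(S-Box(Din xor K)) leaks at sample leak_at.
    With upng_key set, a second S-Box fed with its own random input and key adds
    its power at the same instant (the uncorrelated noise generator of Fig. 7)."""
    rng = random.Random(seed)
    pltxt, traces = [], []
    for _ in range(n):
        d = rng.randrange(256)
        trace = [rng.gauss(0.0, sigma) for _ in range(samples)]
        trace[leak_at] += HW[SBOX[d ^ key]]
        if upng_key is not None:
            trace[leak_at] += HW[SBOX[rng.randrange(256) ^ upng_key]]
        pltxt.append(d)
        traces.append(trace)
    return pltxt, traces

def pearson(x, y):
    """Pearson coefficient of equation (1)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def correlation_attack(pltxt, traces):
    """Section 2.2.1: each column of the N x 256 prediction matrix MP (Hamming
    weight of the S-Box output for one key guess) is correlated with every time
    sample of VM. Returns (key guess with the highest |correlation|, that value)."""
    best_key, best_c = None, -1.0
    for k in range(256):
        mp_col = [HW[SBOX[d ^ k]] for d in pltxt]
        for j in range(len(traces[0])):
            c = abs(pearson(mp_col, [t[j] for t in traces]))
            if c > best_c:
                best_key, best_c = k, c
    return best_key, best_c

def distance_of_mean_attack(pltxt, traces, bit=0):
    """Section 2.2.2: Pf(.) = one bit of the predicted S-Box output splits the
    traces into Set0/Set1; DSC[j] = ASC0[j] - ASC1[j] (equations 2 and 3).
    Returns (key guess with the largest |DSC| peak, that peak)."""
    best_key, best_d = None, -1.0
    for k in range(256):
        set0 = [t for d, t in zip(pltxt, traces) if not (SBOX[d ^ k] >> bit) & 1]
        set1 = [t for d, t in zip(pltxt, traces) if (SBOX[d ^ k] >> bit) & 1]
        if not set0 or not set1:
            continue
        for j in range(len(traces[0])):
            asc0 = sum(t[j] for t in set0) / len(set0)
            asc1 = sum(t[j] for t in set1) / len(set1)
            if abs(asc0 - asc1) > best_d:
                best_key, best_d = k, abs(asc0 - asc1)
    return best_key, best_d

if __name__ == "__main__":
    # 1000 traces and K = 43 as in Section 5.1; K2 = 145 as in Section 5.2.
    pt, tr = simulate_traces(1000, 43)
    print("correlation analysis:", correlation_attack(pt, tr))
    print("distance of mean:", distance_of_mean_attack(pt, tr))
    pt, tr = simulate_traces(1000, 43, upng_key=145)
    print("correlation analysis, uncorrelated noise added:", correlation_attack(pt, tr))
```

With the uncorrelated generator the correct-key correlation drops but stays well above the wrong-key values, which is the filtering effect Section 5.2 reports.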

2.2.3 Maximum likelihood test

If VM_l, l = 1, ..., L, denotes L independent sets of measured signals and H_j, j = 1, ..., J, represents J equally likely hypotheses on some properties of these signals, then the maximum likelihood hypothesis test decides in favor of H_j if

$$K = \arg\left[\max_{1 \le j \le J} \prod_{l=1}^{L} P(VM_l / H_j)\right]$$

If there are two hypotheses, the hypothesis H_1 is chosen if

$$\prod_{l=1}^{L} P(VM_l / H_1) \ge \prod_{l=1}^{L} P(VM_l / H_0)$$

Assume that VM_l is a vector of length N and that for all hypotheses the signal has a multivariate Gaussian distribution; under these conditions, and taking the natural logarithm of the previous formula, we get that we choose the hypothesis H_1 when

$$\sum_{i=1}^{L} \left( Mean^{H_0}_i - Mean^{H_1}_i \right) \ge L \left( \ln|H_1| - \ln|H_0| \right)$$

Here Mean^{H_i}_i, written μ_{H_i}, i = 0, 1, is the mean value under H_i. When this theory is used in the traditional distance of mean test, and by going over it differentially with the use of a void hypothesis H_v, which means using a random division into the 0-bin and the 1-bin, the decision is in favor of the hypothesis H_1 if M_{H_1} ≤ M_{H_0} at the correct point in time, with

$$M_{H_i} = \frac{(\mu_{H_i} - E[\mu_{H_v}])^2}{V[\mu_{H_v}]} - \frac{(\mu_{H_i} - E[\mu_{H_i}])^2}{V[\mu_{H_i}]} - \ln\left( \frac{V[\mu_{H_i}]}{V[\mu_{H_v}]} \right)$$


The following maximum likelihood estimators are used for the expected values of the mean and the variance:

$$E[\mu_H] = \mu_H, \qquad V = \frac{\sigma^2_{H_0}}{N_0} + \frac{\sigma^2_{H_1}}{N_1}$$

with μ_H = μ_0 − μ_1 the difference of the means of the 0-bin and the 1-bin, σ²_{H_i} the variance of the i-bin and N_i the number of elements in the i-bin. Agrawal et al. use this method in [2].

3. Design considerations of DPA attack implementation on Flash-based FPGA technology

3.1 Experimental setup for DPA attacks on Flash-based FPGA

Figure 3 presents the experimental set-up for the DPA and its implementation for the AES algorithm on a Flash-based FPGA board.

Fig. 3. Experimental set-up for DPA implementation on FPGA board.

An Agilent 54622D digital storage oscilloscope is used. It has a bandwidth of 100 MHz with a maximum sampling rate of 200 MS/s. The communication between the scope and the PC is done via the General Purpose Interface Bus, GPIB IEEE-488. A 0.2 Ω resistor, rated 1 W, is inserted between the power supply and the FPGA board. The voltage difference between CH1 and CH2 is measured with a 20 MHz low-pass probe to reject noise. Table 1 indicates the main experimental set-up requirements for the DPA attack that we used to generate the instantaneous measured power consumption.


Table 1. Experimental set-up requirements for DPA attack

Equipment      Specifications
FPGA           100 MHz Flash Fusion Actel AFS-600
Oscilloscope   BW: 0-20 MHz, 200 MS/s, Agilent 54622D
GPIB           IEEE-488, 9600 baud/s
Computer       1.7 GHz, 1G RAM, Siemens

3.2 Implemented design under attack in Flash FPGA

Generally, DPA attacks are performed at the beginning of the first round of the AES algorithm or in the last round. We chose the first case. The necessary blocks to implement are the AddRoundKey and the SubBytes. As indicated in Fig. 4, the AddRoundKey combines the input data Din with a secret key byte K by exclusive-or. The output of this first block is named DK, in 8-bit format. This data DK is the input to the next block, SubBytes. This block is constituted by a basic function, the Substitution Box (S-Box). SubBytes requires 16 instances of the S-Box to process the whole 128 bits of data manipulated in AES. Then, the S-Box module is applied to retrieve the output samples Dout. The compact S-Box design proposed by Canright [17] was used for this implementation. His S-Box is the most compact one. He uses a normal basis to minimize the cost of the multiplication operator. The AES S-Box module was implemented on the Actel Fusion AFS600-FG256 Flash FPGA.

[Fig. 4 diagram: inside the FPGA, the 8-bit input DIn goes to AddRoundKey (with the 8-bit key K), then to SubBytes, giving the 8-bit output S]

Fig. 4. Data flow chart of the AES S-Box module.


3.3 Justification of the choice of the correlation analysis based DPA technique

Standaert et al. in [6] note that different statistical tools could be considered to mount power analysis attacks and that the use of the correlation coefficient is not optimal in this respect. For example, maximum likelihood techniques [2] may yield better results. However, with simple power consumption models, correlation attacks provide good results, are extremely easy to manipulate and do not require any estimation of the noise in the target devices. Moreover, in [5] De Mulder et al. compare the three methods and conclude that the maximum likelihood test on the power measurements needs more or less the same number of measurements as the correlation analysis, but half as many as the distance of mean test. Thus we decided to choose the correlation analysis in our work.

4. Proposed correlated power noise generator countermeasure

DPA countermeasure techniques are designed to make the power consumption of the cryptographic circuit independent of the intermediate values of the processed cryptographic algorithm. Several countermeasure techniques acting at the algorithmic or the logic level have been proposed in recent research works. The main algorithmic countermeasures use masking schemes, which consist in randomizing the intermediate results produced during the cryptographic algorithm processing [15]. Masking solutions need some design modification and a True Random Number Generator (TRNG) to generate the random mask [18]. The masking scheme is a strong countermeasure against first-order DPA, but as the authors have shown in [13], the area overhead of this countermeasure can be significant and its implementation is sensitive to the glitch issue. Masking becomes inefficient if the attacker obtains some post-layout information, as demonstrated in [14].

In [19], Standaert et al. introduced an architectural-level countermeasure based on generating an additive power noise signal from a part of the AES blocks by using an unrolled architecture. As the AES round inputs are uncorrelated, each round is a power noise generator from the other rounds' point of view. Adding power noise to the instantaneous power consumption seems an interesting way to protect the cipher against DPA. Nevertheless, such a countermeasure is inefficient. Actually, the averaging in DPA filters out uncorrelated noise from the differential power trace. With such a countermeasure the DPA is only harder to perform, but still possible. The main advantage of an architectural countermeasure is the very low area cost and low power consumption without frequency decrease. This motivated the authors to look for a novel architectural-level countermeasure solution with a high level of security, based on the use of a correlated power noise generator.

The proposed countermeasure to eliminate the side channel used by DPA attacks is based, as shown in Fig. 5, on the idea of interfering the AES cipher power signal with a power signal correlated with the cipher input data Din and with an interfering random key Kinterf. The input data Din is fed simultaneously to two encryption cores: a classical AES core and an interference core used as a Correlated Power Noise Generator. The AES core performs the first AddRoundKey step with the cipher data input Din and the secret key K. At the same time, in the interference core, the cipher input data Din is provided to a similar AddRoundKey module but with the interfering key Kinterf. The outputs of the two AddRoundKey modules are applied synchronously to two similar SubBytes modules. The SubBytes module outputs are two signals, S and Sinterf.

Like the switching of signal S, the switching of signal Sinterf is correlated to Din. As the global power consumption is due to the switching of both S and Sinterf, it is not only correlated to the secret K and the data Din. Actually, the global cipher power consumption is correlated to the data Din and to the couple of secret keys (K, Kinterf). Thereby, it is not possible to extract the secret key K by classical DPA attacks, as we will experimentally prove in the next section.

Nevertheless, for the countermeasure to be efficient against DPA, the only condition needed is to have different values for the secret key K and the interference secret key Kinterf, as defined in formula (4).

$$K_{interf} \ne K, \quad K_{interf} \in [0, 255] \quad (4)$$

To formally prove the benefit of the proposed countermeasure we use the work of Guilley et al. [20]. In this work the authors give equation (5), which provides the formal justification of DPA attacks with correlation analysis:

$$E\left[ P_{th} \times \left( -2 \cdot \sum_{j \in J} (-1)^{j(t+1)} \right) \right] = \sum_{j \in J} \frac{\xi^{\uparrow}_j - \xi^{\downarrow}_j}{2} \quad (5)$$

where P_th is the chip power consumption, (−1)^{j(t+1)} is the balanced Hamming weight, J is the set of nets in the netlist, and ξ↑ and ξ↓ the fall and


rise transition power of a single net. The main assumption of this equation is that the manipulated data in the design are independent. In our case, we assume that the manipulated data are dependent. In conclusion, with our interfering countermeasure equation (5) is not valid. So it is impossible to recover the secret key K with classical first-order DPA without using the ciphertext. In the following section, we will experimentally prove the validity of this conclusion.

[Fig. 5 diagram: Din feeds both the classical AES core (AddRoundKey with K, SubBytes, ShiftRows, MixColumns, output Dout) and the Correlated Power Noise Generator (AddRoundKey with Kinterf, SubBytes, output Sinterf)]

Fig. 5. Flow chart of the proposed Correlated Power Noise Generator countermeasure.

5. Experimental results and validation

5.1 DPA attack of unsecured AES S-Box

A successful attack is achieved with the AES S-Box design described in Fig. 4. The experimental results of Fig. 6 show that we can retrieve the key K from the Flash FPGA implementation with 1000 measurements of the power consumption. For the particular test example given here, the used key K is equal to 43.

The developed attacks are extended to other values of the key. In all cases we get a maximum of correlation for the correct key. The time of the DPA attack for one key is about 140 min in the best case. It is divided in two parts. The first period, for data acquisition, is about 2 hours. The second, for processing this data, is about 20 min for an optimized code.


Fig. 6. Successful attack on the first AES round for the correct key K=43 with 1000 measurements.

[Fig. 7 diagram: inside the FPGA, DIn1 goes to AddRoundKey (key K1) then SubBytes, output S1; DIn2 goes to AddRoundKey (key K2) then SubBytes, output S2, this second path being labelled uncorrelated power noise generator; all paths are 8 bits wide]

Fig. 7. Attacked sample design with uncorrelated power noise generator.

5.2 DPA attack on secure AES with Uncorrelated Power Noise Generator (UPNG) countermeasure

In this second test we first apply simultaneously two independent input data Din1 and Din2 to two AddRoundKey modules. These modules use two distinct 8-bit secret keys K1 and K2. Figure 7 shows the attacked design, where one part (driven by Din2) of this dual architecture can be considered as an uncorrelated power noise generator for the other part (driven by Din1).


The same experimental DPA attack set-up, defined in Section 3, is used. The experimental results of Fig. 8 show the success of the implemented DPA attack in extracting the secret keys K1 and K2. These results confirm the filtering of uncorrelated power noise by the DPA attack, as stated by Standaert in [19].

Fig. 8. Successful DPA attack with uncorrelated power noise generator (12000 measurements): (a) K1=43, (b) K2=145


5.3 DPA attack on secure AES with correlated power noise generator (CPNG) countermeasure

This test consists in generating a correlated power noise. As illustrated in Fig. 9, the same input data Din is used for the two modules (AddRoundKey and SubBytes). Hence, one part (which uses the interference key Kinterf) of this dual architecture can be considered as a correlated power noise generator for the other part (which uses the secret key K).

[Fig. 9 diagram: inside the FPGA, DIn goes to AddRoundKey (key K) then SubBytes, output S1, and the same DIn goes to AddRoundKey (key Kinterf) then SubBytes, this second path being labelled correlated power noise generator; all paths are 8 bits wide]

Fig. 9. Attacked sample design with the correlated power noise generator proposed as DPA countermeasure.

5.3.1 First case tests: DPA attack without considering the CPNG countermeasure structure

In this case the countermeasure structure is not considered in the DPA power consumption model PM, as defined in equation (6):

PM = f(H(S)) (6)

where H is the Hamming weight function and S is the SubBytes output signal represented in Fig. 5.

Validation tests are carried out using 12 000 and 20 480 power trace measurements. The experimental results obtained in Fig. 10 show that the applied DPA attack did not succeed in detecting the secret key K.

The number of measurements was also increased up to 100 000 power traces without allowing the success of the DPA attack. By testing with all possible 8-bit secret key K values (255 values, corresponding to the 2^8 possible values), the DPA attack result is still unsuccessful.


[Fig. 10 panels (a) and (b)]

Fig. 10. Unsuccessful attack on K with correlated power noise generator: (a) K = 43, 12000 measurements, (b) KInterf = 145, 20480 measurements.


5.3.2 Second case tests: DPA attack considering the CPNG countermeasure structure

In this second case the countermeasure structure is taken into account in the DPA attack implementation by changing the power consumption model PM, as defined in equation (7):

PM = f[H(S) + H(SInterf)] (7)

where SInterf is the second SubBytes output signal represented in Fig. 5.

The objective of this modified DPA attack implementation is to detect the secret and the interference keys (K and Kinterf). The experimental results of Fig. 11, considering 20480 power traces, show an unsuccessful DPA attack on the proposed secure AES design.

Fig. 11. Unsuccessful DPA attack based on power prediction model on secure design with the CPNG countermeasure (K=43 and KInterf=145), 20480 measurements.

5.4 Performance evaluation of the proposed CPNG countermeasure

The performance of the proposed Correlated Power Noise Generator (CPNG) countermeasure is evaluated in terms of implementation area and operating frequency. A benchmarking study of countermeasure performance is carried out between the unsecured small S-Box proposed by


[17], the secure small S-Box with the masking scheme proposed by [15] and the secure small S-Box with the proposed CPNG countermeasure. Table 2 gives the implementation results on a Xilinx Virtex 4 SRAM FPGA. All results are obtained using the Xilinx ISE CAD tool, version 8.2, with default synthesis and place-and-route options.

The obtained results show that the proposed CPNG countermeasure requires the smallest implementation area, around 4 times smaller than the masking solution (without considering the implementation area of the TRNG).

Unlike the masking solution, the critical path of the proposed CPNG countermeasure is not lengthened. Consequently, the maximum operating frequency for the unsecured design and for the secure design with the proposed CPNG countermeasure is the same, whereas the maximum operating frequency is reduced with the masking countermeasure.

Table 2. Performance comparison between AES S-Box implementations in Virtex 4 XC4VLX25-FF676

AES S-Box performance    Unsecured [17]    Secure with masking [15]    Secure with proposed CPNG countermeasure
Area (slices)            36                100                         52
Area overhead            0%                +170%                       +44%
Frequency (MHz)          184               122                         184
Frequency decrease       0%                −33%                        0%

Table 3. Performance comparison between implementations of the full AES in the Xilinx Virtex 4 XC4VLX25-FF676 device

AES performance          Unsecured [17]    Secure with masking [15]    Secure with proposed CPNG countermeasure
Area (slices)            1424              2281                        1491
Area overhead            0%                +60.1%                      +4.7%
Frequency (MHz)          143               97                          143
Frequency decrease       0%                −11%                        0%

We implemented the whole AES on the same FPGA by using 16 S-Box instances for the complete design. Table 3 summarizes the performance of the different implementations. We note that the implementation of the secure AES with masking does not take into consideration the implementation of the random generator producing the mask (the same masks are used in all rounds). The area overhead of the proposed CPNG-based secured implementation compared to the unsecured version is less than 5%. The masking solution gives an area overhead of about 60%.

6. Conclusion

In this paper, an experimental implementation of a first-order Differential Power Analysis (DPA) attack against the Advanced Encryption Standard (AES) encryption algorithm on a Flash-based FPGA is presented. After analyzing the processing requirements of three different DPA techniques, the choice of the correlation analysis method is justified. An experimental set-up is defined to implement critical AES modules and the DPA attack on an FPGA board. The main contribution of this work is to prove, for the first time to our knowledge, the success of a DPA attack on Flash-based FPGA technology. Experimental results showed that, for different secret key values, a maximum of correlation with the correct key is obtained after 140 mn of data acquisition and processing time. Hence this paper shows that this new and low-power technology also suffers from side-channel attacks. It becomes necessary to define suitable countermeasures against DPA attacks to protect the key. To define a DPA countermeasure technique for the Flash-based FPGA hardware AES cipher, the authors proposed a novel architectural-level countermeasure. This new low-cost implementation solution uses an efficient correlated power noise generator. As the power noise is correlated with the input data, it cannot be filtered out during DPA processing. So this solution is DPA resistant, as shown by the experimental tests carried out. Although we have not tested it against higher-order DPA, we assume that the proposed solution offers a very attractive lower-cost first-order DPA countermeasure. Indeed, FPGA implementation results with a Xilinx Virtex4 device have shown that, compared to the existing masking scheme and secure logic countermeasures, the proposed CPNG countermeasure consumes less area and power. Moreover, with an appropriate design, the proposed solution does not cost any frequency decrease. With the targeted FPGA, the secure AES cipher consumes only 5% more slices than the unsecure cipher.
In ongoing future work we have to improve the proposed solution to secure the cipher against DPA on the last AES round. Such an attack uses the encrypted texts as input to the power consumption prediction model. Actually, the proposed countermeasure architecture (Fig. 5) can only prevent DPA against the AES first round. Nevertheless, the proposed CPNG countermeasure is sufficient for some practical cases where AES block outputs are never accessible from chip pins.


Acknowledgment

The authors would like to acknowledge the University of 7th of November at Carthage for financing this work and the IMS Lab at the University of Bordeaux I for giving access to their security lab facilities.

References

[1] L. Batina, N. Mentens and I. Verbauwhede, Side-channel Issues for Designing Secure Hardware Implementations. IEEE International On-Line Testing Symposium (IOLTS), special session on side-channel and fault attacks, 36(4):68–74, 2003.

[2] D. Agrawal, J. R. Rao and P. Rohatgi, Multi-channel Attacks. Proceedings of the Fifth International Workshop on Cryptographic Hardware and Embedded Systems (CHES), Lecture Notes in Computer Science, Vol. 2779, 2006.

[3] P. Kocher, J. Jaffe and B. Jun, Differential Power Analysis. Lecture Notes in Computer Science, Springer-Verlag, Santa Barbara, USA, 1666:398–412, 1999.

[4] S. B. Ors, E. Oswald and B. Preneel, Power-Analysis Attacks on an FPGA – First Experimental Results. Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2003, 5th International Workshop, Cologne, Germany, pp. 35–50, 2003.

[5] E. De Mulder, S. B. Ors, B. Preneel and I. Verbauwhede, Differential Power and Electromagnetic Attacks on a FPGA Implementation of Elliptic Curve Cryptosystems. Elsevier Computers and Electrical Engineering, 33(5):367–382, 2007.

[6] F.-X. Standaert, E. Peeters, F. Mace and J.-J. Quisquater, Updates on the Security of FPGAs Against Power Analysis Attacks. Lecture Notes in Computer Science, Delft, The Netherlands, Springer-Verlag, 3985:335–346, 2006.

[7] N. Kamoun, L. Bossuet and A. Ghazel, SRAM-FPGA Implementation of Masked S-Box Based DPA Countermeasure for AES. IEEE International Design and Test Workshop (IDT'2008), Monastir, Tunisia, 2008.

[8] National Institute of Standards and Technology (NIST), FIPS-197: Advanced Encryption Standard. Available online at http://www.itl.nist.gov/fipspubs/, 2001.

[9] http://www.actel.com/products/fusion/default.aspx

[10] K. Tiri, M. Akmal and I. Verbauwhede, A Dynamic and Differential CMOS Logic with Signal Independent Power Consumption to Withstand Differential Power Analysis on Smart Cards. Proceedings of the IEEE 28th European Solid-State Circuits Conference (ESSCIRC 02), pp. 403–406, 2002.

[11] T. Popp and S. Mangard, Masked Dual-Rail Pre-Charge Logic: DPA-Resistance without Routing Constraints. Proceedings of the 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), Springer-Verlag, pp. 172–186, 2005.

[12] G. B. Ratanpal, R. D. Williams and T. N. Blalock, An On-Chip Signal Suppression Countermeasure to Power Analysis Attacks. IEEE Trans. Dependable Sec. Comput., 1(3):179–189, 2004.

[13] N. Kamoun, L. Bossuet and A. Ghazel, SRAM-FPGA Implementation of Masked S-Box Based DPA Countermeasure for AES. Proceedings of the IEEE International Design and Test Workshop, IDT 2008, Monastir, Tunisia, 2008.

[14] S. Mangard, N. Pramstaller and E. Oswald, Successfully Attacking Masked AES Hardware Implementations. Proceedings of the 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), Springer-Verlag, pp. 157–171, 2005.

[15] D. Canright and L. Batina, A Very Compact "Perfectly Masked" S-Box for AES. Applied Cryptography and Network Security, ACNS, New York, 2008.

[16] E. Brier, C. Clavier and F. Olivier, Correlation Power Analysis with a Leakage Model. Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems, CHES 2004, Lecture Notes in Computer Science, Springer, 3156:135–152, 2004.

[17] D. Canright, A Very Compact S-Box for AES. Proceedings of the 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), Springer-Verlag, pp. 441–445, 2005.

[18] V. Fischer and M. Drutarovsky, True Random Number Generator Embedded in a Reconfigurable Device. Proceedings of the 4th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002), Springer-Verlag, pp. 415–430, 2002.

[19] F.-X. Standaert, S. B. Ors and B. Preneel, Power Analysis of an FPGA Implementation of Rijndael: Is Pipelining a DPA Countermeasure? Proceedings of CHES 2004, Lecture Notes in Computer Science, Springer-Verlag, 3156:30–44, Cambridge, MA, USA, 2004.

[20] S. Guilley, Ph. Hoogvorst, R. Pacalet and J. Schmidt, Improving Side-Channel Attacks by Exploiting Substitution Boxes Properties. International Conference on Boolean Functions: Cryptography and Applications (BFCA), 2007.


Biographies

Najeh Kamoun is a PhD student in communication and information technologies at the Ecole Superieure de Communication a Tunis (SUPCOM), Tunis, Tunisia. She received the M.S. degree in wireless communication systems from SUPCOM in 2002 and the E.E. degree in telecommunication system architectures from SUPCOM in 2001. She is an assistant at the Institut National des Sciences Technologiques (INSAT), University of Carthage, Tunisia. She is a member of the CIRTA'COM Research Lab. at Sup'Com, Tunisia.

Lilian Bossuet was a student of the prestigious Ecole Normale Superieure de Cachan, France. He received the M.S. degree (2001) in electrical engineering from the Institut National des Sciences Appliquees, Rennes, France, and the Ph.D. degree (2004) in electrical engineering and computer sciences from the University of South Brittany, Lorient, France. From 2005 to 2010, he was an Associate Professor and the head of the Embedded System Department at the Bordeaux Institute of Technologies. Since 2010, he has been an Associate Professor at the University of Lyon/Saint-Etienne and a member of the Hubert Curien Laboratory. He holds the special CNRS (Centre National de la Recherche Scientifique) Chair of Applied Cryptography and Embedded System Security. His main research activities focus on embedded systems hardware security, IC security, side-channel attacks on cryptographic circuits, crypto-processor design, and reconfigurable architectures for security. Lilian is a member of the IEEE and a senior member of the CryptArchi Club.

Adel Ghazel, Senior Member IEEE since 1997, received the E.E. and M.S. degrees in systems analysis and digital processing from the Ecole Nationale d'Ingenieurs de Tunis (ENIT), Tunis, Tunisia, both in 1990, the Ph.D. degree in electrical engineering from ENIT and the Habilitation degree in communication and information technologies from the Ecole Superieure des Communications (Sup'Com), Tunisia, in 1996 and 2002, respectively. He is currently a Professor in Telecommunications and the Director of the CIRTA'COM Research Lab. at Sup'Com, University of Carthage, Tunisia. He is a regular visiting professor at several engineering schools in France. Since 2001 he has been working in collaboration with Analog Devices Inc., Boston, MA, as a Senior R&D Program Manager for innovative projects related to power line communication, IP communication and multimedia. He started his professional experience in 1990 as a Specialist Engineer for the design and field supervision of industrial communication systems. In 1993, he joined the Ecole Superieure des Postes et des Telecommunications de Tunis, then Sup'Com in 1998, where he occupied the position of Head of the Department of Electronics and Propagation from 1999 to 2004 and Dean of Planning from 2005 to 2010. His current research interests include software and cognitive radio systems, reconfigurable digital architectures and embedded systems design for energy-efficient heterogeneous communication networks. His research has led to over 200 publications.