The Design and Evaluation Methodology of Dependable VLSI for … · 2013/12/25 · (WDDL,...

Dependable VLSI Tamper Resistance

The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance

Takeshi Fujino @ Ritsumeikan Univ. Yohei Hori @ AIST(Advanced Industrial Science and Technology)

Masaya Yoshikawa @ Meijo University Daisuke Suzuki @ Mitsubishi Electric

2013.12.7 DLSI

International Symposium

1

Focusing on the security of hardware modules - Tamper resistant cryptographic circuit - Evaluation tools for tamper resistance - Physical Unclonable Function (PUF)

Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance

Introduction to cryptographic modules and Side channel attacks

The aspect of Side channel attacks (SCAs)

The Effect of on-chip Capacitance

The Effect of on-chip Metal Shielding

The Effect of finer device fabrication process

The AES cryptographic circuit against SCAs

Countermeasure against Power Analysis

Countermeasure against EM Analysis

The evaluation platform SASEBO

Smartcard-type evaluation board new

Secure Key Storage using Physical Unclonable Functions

Contents 2


1. INTRODUCTION TO CRYPTOGRAPHIC MODULES AND SIDE CHANNEL ATTACKS 3

IC card

SIM card

Automotive Security

Smart meter Embedded Systems Security

Cryptographic circuit


The research target in tamper resistant security LSI 4

Regular Input/Output

Invasive Attack

EM Radiation

Current /Voltage

Processing Time

Reverse Engineering Probing electro signal

Side Channel Information

Malicious Input

Illegal Clock (e.g. Glitch) Power Supply fluctuation Input Noise

Open Package Laser or EM Injection

Side Channel Attack

Fault Attack

Cloning Attack

Security LSI module

The design methodology for tamper resistant LSI

The evaluation tools for tamper resistance

Secure system utilizing Physical Unclonable Function

Abnormal Output


Cryptographic module and Side Channel Information 5

Cipher text C

Encryption

Key : KE Encryption

Security Functions (LSI)

Cryptography for Realizing Security Functions (exam.)

Storage (HDD)

Authentic

ation

Authorized User

Plaintext M

① Authentication: Read/write permissions to HDD are granted to authorized users

② Encryption: HDD data are encrypted in case of loss or theft

② Encryption

① Authentication Authentication

Key : KA

Request

Challenge

Response

Decryption

EM Radiation

Current /Voltage

Processing Time

Side Channel Information

Key : KA

Secret Information

Dependable VLSI Tamper Resistance Side Channel Attack

6

Plain Text Evaluation Board

SASEBO-RII

Oscilloscope

Control & Analysis software

for revealing secret key

Cipher Text

Cryptographic Module

Secret key is revealed by exploiting side channel information

from crypto module

Consumption Power or EM leakage are used as an information

EM Probe

AES Chip

Power


Power consumption is correlated to the HD of resisters and HW of Sbox input

The attacking points on AES crypto circuit 7

Plain Text

16Byte RoundKey 0

16Byte

SEL

Data Registers

・・・

ShiftRows

MixColumns

SEL

16Byte

RoundKey 1-10

Cipher Text

Round 1-9 Round10

16Byte

SubBytes

16Byte

Sb

ox

16

Sb

ox

15

Sb

ox

02

Sb

ox

01

1Byte

Key

16Byte

SEL

Key Expansion

Temp Key

Registers

Hamming Distance(HD)

Data Register

Hamming Weight(HW)

Sbox input(output)


2. THE ASPECT OF SIDE CHANNEL ATTACKS

8

Plain

Cipher

Safe Power

Consumption

Electromagnetic

wave

Power

Attack Cryptographic

Device

Threat

Side channel information

(Text)

EM

Attack


The Power leakage is considered to be reduced by the on-Chip or off-chip decoupling capacitor

On-chip Capacitor make vulnerable to EMA attack with HW correlation

The Effect of Capacitance 9

Capacitor’s Effect Capacitor’s Effect

PA attack EMA attack

SAMPLE: Non-countermeasured AES (Sbox:Composite Field)


The Metal Shielding reduce the EM leakage

The secret key can still be exploited by the increased number of traces

Metal Shielding is not a perfect solution against EM attack

The Effect of Metal Shielding 10

0

2

4

6

8

10

12

14

16

0 20000 40000 60000 80000 100000Nu

mb

er

of

reve

ale

d k

eys

[Byt

es]

Number of traces

Without metal-shield

With metal-shield

Metal 3

ROM Cell(PO, M1)

Metal 4Metal 5

VDDGND

VDDGND

SAMPLE: I/O masked dual rail ROM (The countermeasured AES circuit against Power Analysis)

Metal Shielding layers


The Power and EM attack are tested in 65 and 28nm FPGA

EM attack getting powerful in the finer process

Reason: Static Power leakage is dominant

The Effect of Finer fabrication process 11

[mW] dynamic

(28nm)

(65nm)

Solid line : EM Attack Dotted line : Power Attack

65nm

28nm


3. THE AES CRYPTOGRAPHIC CIRCUIT AGAINST SCAS

12

Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance (Our countermeasure)

I/O Masked Dual Rail ROM (MDR-ROM) 13

R m [127:0]

AES IN

128

SEL

128

Shift Rows

Mix Columns

Round1 - 9

Round10

SEL

Round key

Round key

DFF

128

AES OUT

R um [127:0]

Sub Bytes

IO- masked

rail ROM

R m [127:0]

AES IN

128

SEL

128

Shift Rows

Mix Columns

Round1 - 9

Round10

SEL

DFF

128

AES OUT

R um [127:0]

dual-

AES applied IO-masked

dual-rail ROM

Sense

Amp

Masked In Data Masked Out Data

Unmask Data

Mask Data

dual-rail complementary operation

one hot transition

IO-masked dual-rail

(MDR) ROM

non

-linea

r circuit

Advanced Encryption

Standard (AES)

①

② ③

④

AES IN

128

SEL

128

Shift Rows

Mix Columns

Round1 - 9

Round10

SEL

Round key

Round key

DFF

128

AES OUT

Sub Bytes

S-B

ox1

AES IN

128

SEL

128

Shift Rows

Mix Columns

Round1 - 9

Round10

SEL

DFF

128

AES OUT

Sub Bytes

S-B

ox2

S-B

ox1

6

MDR-ROM provides constant power consumption irrespective of input value

2K bit MDR-ROM is used in the SubByte transformation on the AES circuit

Other linear circuits are masked by the additive mask

Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance (Our countermeasure)

I/O Masked Dual Rail ROM (MDR-ROM) 14

MDR-ROM provides constant power consumption irrespective of input value

2K bit MDR-ROM is used in the SubByte transformation on the AES circuit

Other linear circuits are masked by the additive mask

Sense

Amp

Masked In Data Masked Out Data

Unmask Data

Mask Data

dual-rail complementary operation

one hot transition

IO-masked dual-rail (MDR) ROM

①

② ③

④

SBox


Evaluation results of MDR-ROM 15

Dual rail RSL memory is used for S-box and

other circuits are designed in Standard ASIC flow

Power overhead is 50 % of no countermeasure

Sufficient PA resistance is demonstrated

compared with other countermeasures

(WDDL, MDPL,MAO,TI)

MDR ROM

Information Leakage

Small area

Low Power No Leakage


MDR-ROM demonstrate high resistance against Power Attack

MDR-ROM has a EM leakage called “Geometric Leak”

This type of leakage is discovered for the 1st time in the world on our experiments (presented at CHES 2013, invited to submit on Journal of Cryptographic Engineering )

EM leakage on MDR-ROM 16

Sense

AmpUnMask

Data

Mask Data

Masked Data

Masked Data

Masked Data

EM Probe Position


Multiplicative masking is also introduced in addition to additive mask

Inverse operation on Galois Field is tabled on the MDR-ROM

The addresses except for zero are randomly accessed regardless of the input data

Sbox is commonly used for encryption and decryption

(New countermeasure) Hybrid Masked Dual Rail ROM (HMDR-ROM)

17

The number of MDR-ROM is half

IO-

Mas

ked

D

ual

Rai

l R

OM

Memory Cell Array

Memory Cell Array

IO-

Mas

ked

D

ual

Rai

l R

OM


Geometric leakage is diminished and high EMA resistance is obtained in HMDR-ROM

EMA resistance on HMDR-ROM 18

Additive mask：OFF Multiplicative mask：OFF

Additive mask：ON Multiplicative mask：OFF

Additive mask：ON Multiplicative mask：ON


4. THE EVALUATION PLATFORM SASEBO 19

FPGA Board

SASEBO-GIII Compact Scanner

for EM Analysis

Analysis Software


Development of SCA Test Environment

• SASEBO: Side-channel Attack Standard Evaluation Board

– Provides a uniform experimental environment to academic, industrial and governmental researchers

– Facilitates research of side-channel attacks

• Outcome

– Commercially available and globally used in >100 institutes

– >1100 academic papers use/cite SASEBO (1/Nov/2013, Google scholar)

– Included in world’s de-facto standard SCA evaluation tools

SASEBO-RII ASIC evaluation

SASEBO-GIII 28-nm Kintex-7

MiMICC 45-nm Spartan-6

Compact automatic EM scanner

Photo from the Riscure’s INSPECTOR brochure

http://www.riscure.com/index.php


Smartcard-type evaluation board w/45-nm FPGA

H/W-implemented cipher algorithms (etc.) on a smartcard can be tested

Physical dimensions are almost ISO/IEC 7810 ID-1 compliant

ISO/IEC 7816 (T=0) data transfer protocol is supported

21 MiMICC: Minature Measurement IC Card

Card reader

(SASEBO-W)

Memory

mapped I/F

APDU

operator

ATR sender 0000

FFFF

User

application

circuit

UART I/F

User

application

circuit

Smartcard emulation circuit


Secret key extraction from AES on the smartcard

Key length = 128 bits (16 bytes). Block length = 128 bits.

Without countermeasures

EM radiation from the chip is measured and analyzed

22 EMA Demonstration Using MiMICC

Power

source

SASEBO-W

MiMICC

Loop antenna

Oscilloscope

Analysis

tool

EM radiation

Loop antenna

Amplifier

Oscilloscope

Cipher text

Statistical analysis tool

MiMICC

Waveform

Extract secret key

AES is running on the smartcard board MiMICC.

EM radiation is measured with loop antenna.


5. SECURE KEY STORAGE USING PHYSICAL UNCLONABLE FUNCTIONS 23


PUF extracts physical variation in each device

Unique and Unclonable ID(Identification code) can be produced

We proposed arbiter base DTM PUF with high uniqueness

Physical Unclonable Function 24

#1 [ 0 , 0 , 0 , … , 0 ]

#2 [ 1 , 0 , 0 , … , 0 ]#3 [ 0 , 1 , 0 , … , 0 ]

PUF#A

PUF#B

PUF#C

001

101

010

Challenges [ C0 , C1 , C2 , … , CN-1]

・・・

・・・

・・・

・・・

Responses

#1#2#3・・・

Challenges

2 x N multiplexors

1

0

1

0

1

0

1

0

1

0

1

0

・・・

1

0

1

0

1

0

1 1 1

0 0 0

N

Δt

Response

0

1 0 1 01 0 1 0

Ddt0

1 0

D dt

Conventional Arbiter DTM method (Delay time measurement)


RNG ENC

DECENC

Hash

Hash

初期鍵生成処理

再生成処理

レスポンス

レスポンス

ヘルパーデータ

再生成鍵

初期鍵W

C

C W

W’ C’ ^ C

^ W

PUF #A

Generate Initial Responses

PUF #A

Regenerate Responses

訂正符号例入力⇒出力

⇒

⇒

0 0001 111

Initial Key Generation

Reproduction

Reproduced Key

Helper Data

Error Correction

Code in out

IDs produced by PUF has the instability

Fuzzy Extractor is used for error correction

PUF based Key Generation 25

●Fuzzy Extractor (FE)

[1] “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data”


Authentication key had to be stored in secure memory

PUF Encrypted authentication key (2) can be stored in the standard memory

Authentication key can be produced by (1) (2) (3)

Secure Key Storage using PUF 26

AES

RNG ENC

ENC DEC

Hash

Hash

Initial Key Generation

Reproduce Key

PUF

PUF Key

(1)Challenges

PUF

AES PUF Key

Authentication Key cannot be produced

without PUF

(1)Challenges

Authentication Key

Authentication Key

(3)PUF Encrypted Authentication Key

(2)Helper Data

(1) (2) (3)


Side channel attacks (SCAs) is a serious threat for cryptographic modules which are used in IC card, smart meter or automobile

The countermeasures against SCAs is not easy On chip capacitor is effective against power analysis but vulnerable against

EM analysis

Metal Shielding is not perfect countermeasure against EM analysis

EM analysis is still powerful on finer device fabrication process

The AES cryptographic circuit against SCAs are designed I/O Masked Dual Rail ROM (MDR-ROM) is a good countermeasure against

power analysis, but EM leak called “geometric leak” was found

Hybrid Masked Dual Rail ROM (HMDR-ROM) is free from “geometric leak”

The FPGA on the smartcard is newly designed, and EM analysis is successfully demonstrated by using SASEBO-W board

Stable PUF Key generation by Fuzzy-Extractor, and authentication system using PUF-protected key are demonstrated

SUMMARY 27

The Design and Evaluation Methodology of Dependable VLSI for … · 2013/12/25 · (WDDL,...

Documents

Transcript of The Design and Evaluation Methodology of Dependable VLSI for … · 2013/12/25 · (WDDL,...