The Design and Evaluation Methodology of Dependable VLSI for … · 2013/12/25 · (WDDL,...
Transcript of The Design and Evaluation Methodology of Dependable VLSI for … · 2013/12/25 · (WDDL,...
Dependable VLSI Tamper Resistance
The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance
Takeshi Fujino @ Ritsumeikan Univ. Yohei Hori @ AIST(Advanced Industrial Science and Technology)
Masaya Yoshikawa @ Meijo University Daisuke Suzuki @ Mitsubishi Electric
2013.12.7 DLSI
International Symposium
1
Focusing on the security of hardware modules - Tamper resistant cryptographic circuit - Evaluation tools for tamper resistance - Physical Unclonable Function (PUF)
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Introduction to cryptographic modules and Side channel attacks
The aspect of Side channel attacks (SCAs)
The Effect of on-chip Capacitance
The Effect of on-chip Metal Shielding
The Effect of finer device fabrication process
The AES cryptographic circuit against SCAs
Countermeasure against Power Analysis
Countermeasure against EM Analysis
The evaluation platform SASEBO
Smartcard-type evaluation board new
Secure Key Storage using Physical Unclonable Functions
Contents 2
Dependable VLSI Tamper Resistance
1. INTRODUCTION TO CRYPTOGRAPHIC MODULES AND SIDE CHANNEL ATTACKS 3
IC card
SIM card
Automotive Security
Smart meter Embedded Systems Security
Cryptographic circuit
Dependable VLSI Tamper Resistance
The research target in tamper resistant security LSI 4
Regular Input/Output
Invasive Attack
EM Radiation
Current /Voltage
Processing Time
Reverse Engineering Probing electro signal
Side Channel Information
Malicious Input
Illegal Clock (e.g. Glitch) Power Supply fluctuation Input Noise
Open Package Laser or EM Injection
Side Channel Attack
Fault Attack
Cloning Attack
Security LSI module
The design methodology for tamper resistant LSI
The evaluation tools for tamper resistance
Secure system utilizing Physical Unclonable Function
Abnormal Output
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Cryptographic module and Side Channel Information 5
Cipher text C
Encryption
Key : KE Encryption
Security Functions (LSI)
Cryptography for Realizing Security Functions (exam.)
Storage (HDD)
Authentic
ation
Authorized User
Plaintext M
① Authentication: Read/write permissions to HDD are granted to authorized users
② Encryption: HDD data are encrypted in case of loss or theft
② Encryption
① Authentication Authentication
Key : KA
Request
Challenge
Response
Decryption
EM Radiation
Current /Voltage
Processing Time
Side Channel Information
Key : KA
Secret Information
Dependable VLSI Tamper Resistance Side Channel Attack
6
Plain Text Evaluation Board
SASEBO-RII
Oscilloscope
Control & Analysis software
for revealing secret key
Cipher Text
Cryptographic Module
Secret key is revealed by exploiting side channel information
from crypto module
Consumption Power or EM leakage are used as an information
EM Probe
AES Chip
Power
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Power consumption is correlated to the HD of resisters and HW of Sbox input
The attacking points on AES crypto circuit 7
Plain Text
16Byte RoundKey 0
16Byte
SEL
Data Registers
・・・
ShiftRows
MixColumns
SEL
16Byte
RoundKey 1-10
Cipher Text
Round 1-9 Round10
16Byte
SubBytes
16Byte
Sb
ox
16
Sb
ox
15
Sb
ox
02
Sb
ox
01
1Byte
Key
16Byte
SEL
Key Expansion
Temp Key
Registers
Hamming Distance(HD)
Data Register
Hamming Weight(HW)
Sbox input(output)
Dependable VLSI Tamper Resistance
2. THE ASPECT OF SIDE CHANNEL ATTACKS
8
Plain
Cipher
Safe Power
Consumption
Electromagnetic
wave
Power
Attack Cryptographic
Device
Threat
Side channel information
(Text)
EM
Attack
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
The Power leakage is considered to be reduced by the on-Chip or off-chip decoupling capacitor
On-chip Capacitor make vulnerable to EMA attack with HW correlation
The Effect of Capacitance 9
Capacitor’s Effect Capacitor’s Effect
PA attack EMA attack
SAMPLE: Non-countermeasured AES (Sbox:Composite Field)
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
The Metal Shielding reduce the EM leakage
The secret key can still be exploited by the increased number of traces
Metal Shielding is not a perfect solution against EM attack
The Effect of Metal Shielding 10
0
2
4
6
8
10
12
14
16
0 20000 40000 60000 80000 100000Nu
mb
er
of
reve
ale
d k
eys
[Byt
es]
Number of traces
Without metal-shield
With metal-shield
Metal 3
ROM Cell(PO, M1)
Metal 4Metal 5
VDDGND
VDDGND
SAMPLE: I/O masked dual rail ROM (The countermeasured AES circuit against Power Analysis)
Metal Shielding layers
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
The Power and EM attack are tested in 65 and 28nm FPGA
EM attack getting powerful in the finer process
Reason: Static Power leakage is dominant
The Effect of Finer fabrication process 11
[mW] dynamic
(28nm)
(65nm)
Solid line : EM Attack Dotted line : Power Attack
65nm
28nm
Dependable VLSI Tamper Resistance
3. THE AES CRYPTOGRAPHIC CIRCUIT AGAINST SCAS
12
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance (Our countermeasure)
I/O Masked Dual Rail ROM (MDR-ROM) 13
R m [127:0]
AES IN
128
SEL
128
Shift Rows
Mix Columns
Round1 - 9
Round10
SEL
Round key
Round key
DFF
128
AES OUT
R um [127:0]
Sub Bytes
IO- masked
rail ROM
R m [127:0]
AES IN
128
SEL
128
Shift Rows
Mix Columns
Round1 - 9
Round10
SEL
DFF
128
AES OUT
R um [127:0]
dual-
AES applied IO-masked
dual-rail ROM
Sense
Amp
Masked In Data Masked Out Data
Unmask Data
Mask Data
dual-rail complementary operation
one hot transition
IO-masked dual-rail
(MDR) ROM
non
-linea
r circuit
Advanced Encryption
Standard (AES)
①
② ③
④
AES IN
128
SEL
128
Shift Rows
Mix Columns
Round1 - 9
Round10
SEL
Round key
Round key
DFF
128
AES OUT
Sub Bytes
S-B
ox1
AES IN
128
SEL
128
Shift Rows
Mix Columns
Round1 - 9
Round10
SEL
DFF
128
AES OUT
Sub Bytes
S-B
ox2
S-B
ox1
6
MDR-ROM provides constant power consumption irrespective of input value
2K bit MDR-ROM is used in the SubByte transformation on the AES circuit
Other linear circuits are masked by the additive mask
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance (Our countermeasure)
I/O Masked Dual Rail ROM (MDR-ROM) 14
MDR-ROM provides constant power consumption irrespective of input value
2K bit MDR-ROM is used in the SubByte transformation on the AES circuit
Other linear circuits are masked by the additive mask
Sense
Amp
Masked In Data Masked Out Data
Unmask Data
Mask Data
dual-rail complementary operation
one hot transition
IO-masked dual-rail (MDR) ROM
①
② ③
④
SBox
Dependable VLSI Tamper Resistance
Evaluation results of MDR-ROM 15
Dual rail RSL memory is used for S-box and
other circuits are designed in Standard ASIC flow
Power overhead is 50 % of no countermeasure
Sufficient PA resistance is demonstrated
compared with other countermeasures
(WDDL, MDPL,MAO,TI)
MDR ROM
Information Leakage
Small area
Low Power No Leakage
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
MDR-ROM demonstrate high resistance against Power Attack
MDR-ROM has a EM leakage called “Geometric Leak”
This type of leakage is discovered for the 1st time in the world on our experiments (presented at CHES 2013, invited to submit on Journal of Cryptographic Engineering )
EM leakage on MDR-ROM 16
Sense
AmpUnMask
Data
Mask Data
Masked Data
Masked Data
Masked Data
EM Probe Position
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Multiplicative masking is also introduced in addition to additive mask
Inverse operation on Galois Field is tabled on the MDR-ROM
The addresses except for zero are randomly accessed regardless of the input data
Sbox is commonly used for encryption and decryption
(New countermeasure) Hybrid Masked Dual Rail ROM (HMDR-ROM)
17
The number of MDR-ROM is half
IO-
Mas
ked
D
ual
Rai
l R
OM
Memory Cell Array
Memory Cell Array
IO-
Mas
ked
D
ual
Rai
l R
OM
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Geometric leakage is diminished and high EMA resistance is obtained in HMDR-ROM
EMA resistance on HMDR-ROM 18
Additive mask:OFF Multiplicative mask:OFF
Additive mask:ON Multiplicative mask:OFF
Additive mask:ON Multiplicative mask:ON
Dependable VLSI Tamper Resistance
4. THE EVALUATION PLATFORM SASEBO 19
FPGA Board
SASEBO-GIII Compact Scanner
for EM Analysis
Analysis Software
Dependable VLSI Tamper Resistance
Development of SCA Test Environment
• SASEBO: Side-channel Attack Standard Evaluation Board
– Provides a uniform experimental environment to academic, industrial and governmental researchers
– Facilitates research of side-channel attacks
• Outcome
– Commercially available and globally used in >100 institutes
– >1100 academic papers use/cite SASEBO (1/Nov/2013, Google scholar)
– Included in world’s de-facto standard SCA evaluation tools
SASEBO-RII ASIC evaluation
SASEBO-GIII 28-nm Kintex-7
MiMICC 45-nm Spartan-6
Compact automatic EM scanner
Photo from the Riscure’s INSPECTOR brochure
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Smartcard-type evaluation board w/45-nm FPGA
H/W-implemented cipher algorithms (etc.) on a smartcard can be tested
Physical dimensions are almost ISO/IEC 7810 ID-1 compliant
ISO/IEC 7816 (T=0) data transfer protocol is supported
21 MiMICC: Minature Measurement IC Card
Card reader
(SASEBO-W)
Memory
mapped I/F
APDU
operator
ATR sender 0000
FFFF
User
application
circuit
UART I/F
User
application
circuit
Smartcard emulation circuit
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Secret key extraction from AES on the smartcard
Key length = 128 bits (16 bytes). Block length = 128 bits.
Without countermeasures
EM radiation from the chip is measured and analyzed
22 EMA Demonstration Using MiMICC
Power
source
SASEBO-W
MiMICC
Loop antenna
Oscilloscope
Analysis
tool
EM radiation
Loop antenna
Amplifier
Oscilloscope
Cipher text
Statistical analysis tool
MiMICC
Waveform
Extract secret key
AES is running on the smartcard board MiMICC.
EM radiation is measured with loop antenna.
Dependable VLSI Tamper Resistance
5. SECURE KEY STORAGE USING PHYSICAL UNCLONABLE FUNCTIONS 23
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
PUF extracts physical variation in each device
Unique and Unclonable ID(Identification code) can be produced
We proposed arbiter base DTM PUF with high uniqueness
Physical Unclonable Function 24
#1 [ 0 , 0 , 0 , … , 0 ]
#2 [ 1 , 0 , 0 , … , 0 ]#3 [ 0 , 1 , 0 , … , 0 ]
PUF#A
PUF#B
PUF#C
001
101
010
Challenges [ C0 , C1 , C2 , … , CN-1]
・・・
・・・
・・・
・・・
Responses
#1#2#3・・・
Challenges
2 x N multiplexors
1
0
1
0
1
0
1
0
1
0
1
0
・・・
1
0
1
0
1
0
1 1 1
0 0 0
N
Δt
Response
0
1 0 1 01 0 1 0
Ddt0
1 0
D dt
Conventional Arbiter DTM method (Delay time measurement)
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
RNG ENC
DECENC
Hash
Hash
初期鍵生成処理
再生成処理
レスポンス
レスポンス
ヘルパーデータ
再生成鍵
初期鍵W
C
C W
W’ C’ ^ C
^ W
PUF #A
Generate Initial Responses
PUF #A
Regenerate Responses
訂正符号例入力⇒出力
⇒
⇒
0 0001 111
Initial Key Generation
Reproduction
Reproduced Key
Helper Data
Error Correction
Code in out
IDs produced by PUF has the instability
Fuzzy Extractor is used for error correction
PUF based Key Generation 25
●Fuzzy Extractor (FE)
[1] “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data”
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Authentication key had to be stored in secure memory
PUF Encrypted authentication key (2) can be stored in the standard memory
Authentication key can be produced by (1) (2) (3)
Secure Key Storage using PUF 26
AES
RNG ENC
ENC DEC
Hash
Hash
Initial Key Generation
Reproduce Key
PUF
PUF Key
(1)Challenges
PUF
AES PUF Key
Authentication Key cannot be produced
without PUF
(1)Challenges
Authentication Key
Authentication Key
(3)PUF Encrypted Authentication Key
(2)Helper Data
(1) (2) (3)
Dependable VLSI Tamper Resistance Dependable VLSI Tamper Resistance
Side channel attacks (SCAs) is a serious threat for cryptographic modules which are used in IC card, smart meter or automobile
The countermeasures against SCAs is not easy On chip capacitor is effective against power analysis but vulnerable against
EM analysis
Metal Shielding is not perfect countermeasure against EM analysis
EM analysis is still powerful on finer device fabrication process
The AES cryptographic circuit against SCAs are designed I/O Masked Dual Rail ROM (MDR-ROM) is a good countermeasure against
power analysis, but EM leak called “geometric leak” was found
Hybrid Masked Dual Rail ROM (HMDR-ROM) is free from “geometric leak”
The FPGA on the smartcard is newly designed, and EM analysis is successfully demonstrated by using SASEBO-W board
Stable PUF Key generation by Fuzzy-Extractor, and authentication system using PUF-protected key are demonstrated
SUMMARY 27