Embedding Crypto in SoCs: Threats and Protections
Arnaud Tisserand
CNRS, Lab-STICC laboratory
GDR SoC’17, Bordeaux

Summary
• Introduction & Cryptographic Background
• Side Channel Attacks
• Fault Injection Attacks
• Protections Examples
• Conclusion and References
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 2/62

Applications with Security Needs

Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids...
Cryptographic Features

Objectives:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation
• ...

Cryptographic primitives:
• Encryption
• Digital signature
• Hash function
• Random number generation
• ...

Implementation issues:
• Performance: speed, delay, throughput, latency
• Cost: device (memory, size, weight), low power/energy consumption, design
• Security: protection against attacks
Symmetric / Private-Key Cryptography

Diagram: A computes $E_k(M)$ and sends it over the channel to B, who computes $D_k(E_k(M)) = M$; the eavesdropper E observes the channel.

• A: Alice, B: Bob
• M: plain text/message
• E: encryption/ciphering algorithm, D: decryption/deciphering algorithm
• k: secret key to be shared by A and B
• $E_k(M)$: encrypted text
• $D_k(E_k(M))$: decrypted text
• E: eavesdropper/spy
Advanced Encryption Standard (AES)

Established by NIST in 2001
Symmetric encryption
Block size: 128 bits

  key length (bits)   #rounds
  128                 10
  192                 12
  256                 14

Based on a substitution-permutation network
Image source: http://fr.wikipedia.org/
NIST: National Institute of Standards and Technology

AES Round Operations

Images source: http://fr.wikipedia.org/
Asymmetric / Public-Key Cryptography

Diagram: A computes $E_k(M)$ with B's public key k and sends it over the channel to B, who computes $D_{k'}(E_k(M)) = M$ with his private key $k'$; the eavesdropper E observes the channel.

• k: B’s public key (known to everyone including E)
• $E_k(M)$: ciphered text
• $k'$: B’s private key (must be kept secret)
• $D_{k'}(E_k(M))$: deciphered text
RSA Asymmetric Cryptosystem (1/2)

Published in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman [17]

Key generation (Alice side)
• Choose two large prime integers p and q
• Compute the modulus n = pq
• Compute $\phi(n) = (p - 1)(q - 1)$
• Choose an integer e such that $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$
• Compute $d = e^{-1} \bmod \phi(n)$
• Private key (kept secret by Alice): d and also p, q, $\phi(n)$
• Public key (published): (n, e)
RSA Asymmetric Cryptosystem (2/2)

Private key (Alice): d
Public key (all): (n, e)

Encryption (Bob side):
• convert the message M to an integer m ($1 < m < n$ and $\gcd(m, n) = 1$)
• compute the cipher text $c = m^e \bmod n$

Decryption (Alice side):
• compute $m = c^d \bmod n$
• convert the integer m to the message M

Theoretical security: integer factorization, i.e. computing (p, q) knowing n, is not possible when n is large enough
Modular Exponentiation

Computation of operations such as: $a^b \bmod n$

$a^b = \underbrace{a \times a \times a \times \cdots \times a \times a \times a}_{a \text{ appears } b \text{ times}}$

Order of magnitude of the exponents: $2^{1024}$, $2^{2048}$, $2^{4096}$ (size of exponent: 1024, 2048, 4096 bits)

Fast exponentiation principle:

$a^b = (a^2)^{b/2}$ when b is even

$a^b = a \times (a^2)^{(b-1)/2}$ when b is odd

Least significant bit of the exponent: bit = 0 means b is even, bit = 1 means b is odd
Square and Multiply Algorithm

input: a, b, n where $b = (b_{t-1} b_{t-2} \ldots b_1 b_0)_2$
output: $a^b \bmod n$

    r = 1
    for i from 0 to t − 1 do
        if b_i = 1 then
            r = r · a mod n
        end if
        a = a^2 mod n
    end for
    return r

This is the right-to-left version (there also exists a left-to-right one)
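The RSA key generation, encryption and decryption steps of the previous slides carried out end to end, with the modular exponentiations done by the right-to-left square-and-multiply loop above. This is an added example, not code from the slides; the primes p = 61, q = 53 and the exponent e = 17 are constructed toy values, far too small for real use.

```python
# Constructed example (not from the slides): RSA key generation, encryption and
# decryption as listed on the slides, with a^b mod n computed by the right-to-left
# square-and-multiply algorithm. Toy-sized parameters, for illustration only.
from math import gcd


def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e, phi):
    # the 'Compute d = e^-1 mod phi(n)' step of key generation
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi


def square_and_multiply(a, b, n):
    """Right-to-left version, as on the slide: scan b = (b_{t-1} ... b_1 b_0)_2
    from the least significant bit; multiply r by the current square when
    b_i = 1, then square a."""
    r = 1
    a %= n
    while b > 0:            # 'for i from 0 to t-1' over the bits of b
        if b & 1:           # b_i = 1 (odd exponent): r = r * a mod n
            r = r * a % n
        a = a * a % n       # a <- a^2 mod n for the next bit
        b >>= 1
    return r


def rsa_keygen(p, q, e):
    # key generation (Alice side); p and q are supplied by the caller here
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = mod_inverse(e, phi)
    return (n, e), d        # public key (n, e), private key d


def rsa_encrypt(public_key, m):
    # encryption (Bob side): c = m^e mod n
    n, e = public_key
    if not (1 < m < n and gcd(m, n) == 1):
        raise ValueError("need 1 < m < n and gcd(m, n) = 1")
    return square_and_multiply(m, e, n)


def rsa_decrypt(n, d, c):
    # decryption (Alice side): m = c^d mod n
    return square_and_multiply(c, d, n)


def text_to_int(msg):
    # 'convert the message M to an integer m'
    return int.from_bytes(msg.encode(), "big")


def int_to_text(m):
    # 'convert the integer m to the message M'
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


if __name__ == "__main__":
    public, d = rsa_keygen(p=61, q=53, e=17)   # constructed toy key, n = 3233
    c = rsa_encrypt(public, text_to_int("A"))  # m = 65
    print(c, int_to_text(rsa_decrypt(public[0], d, c)))
```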
Hardware Accelerators for Elliptic Curve Crypto.

Example curve: $E : y^2 = x^3 + 4x + 20$ over GF(1009)
Points: P, Q = (x, y) or (x, y, z) or ...
Coordinates: x, y, z ∈ GF(·), with GF(p) or GF($2^m$) of size t: 200–600 bits
Scalar: $k = (k_{t-1} k_{t-2} \ldots k_1 k_0)_2 \in \mathbb{N}$

Three levels, from top to bottom:

• Protocol level: encryption, signature, etc.; requires the scalar multiplication [k]P from the curve level

• Curve level: scalar multiplication operation
      for i from 0 to t − 1 do
          if k_i = 1 then Q = ADD(P, Q)
          P = DBL(P)
  Point addition/doubling operations ADD(P, Q) and DBL(P) are sequences of finite field operations, e.g.
      DBL: $v_1 = z_1^2$, $v_2 = x_1 - v_1$, ...
      ADD: $w_1 = z_1^2$, $w_2 = z_1 \times w_1$, ...

• Field level: x ± y, x × y, ... in GF(p) or GF($2^m$), i.e. operations modulo a large prime (GF(p)) or an irreducible polynomial (GF($2^m$))
Attacks

• observation attacks: timing analysis, power analysis, EMR analysis
• perturbation attacks: fault injection
• theoretical attacks: advanced algorithms, optimized programming
• invasive attacks: probing, reverse engineering

EMR = Electromagnetic radiation
EMR = Electromagnetic radiation Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62 “Old style” side channel attacks:
+
clic good value clac bad value
Side Channel Attacks (SCAs) (1/2)
Attack: attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 15/62 Side Channel Attacks (SCAs) (1/2)
Attack: attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret)
“Old style” side channel attacks:
+
clic good value clac bad value
Side Channel Attacks (SCAs) (2/2)

Diagram: same setting as before (A computes $E_k(M)$, B computes $D_k(E_k(M)) = M$), but the attacker E now measures the running device in order to attack k and M (k, M???).

General principle: measure external parameter(s) on a running device in order to deduce internal information
What Should be Measured?

Answer: everything that can “enter” and/or “get out” in/from the device
• power consumption
• electromagnetic radiation
• temperature
• sound
• computation time
• number of cache misses
• number and type of error messages
• ...

The measured parameters may provide information on:
• global behavior (temperature, power, sound...)
• local behavior (EMR, # cache misses...)
Power Consumption Analysis

General principle:
1. measure the current i(t) in the cryptosystem
2. use those measurements to “deduce” secret information

Figure: the crypto circuit is supplied from VDD through a resistor R; the current i(t) is recorded as traces, from which the secret key (= 962571...) is deduced
Simple Power Analysis (SPA)

Source: [11]
Limits of the SPA

Example of behavior difference (activity into a register):

  t       0000000000000000    0000000000000000
  t + 1   1111111111111111    0000000000000001

Important: a small difference may be evaluated as noise during the measurement, so the traces cannot be distinguished

Question: what can be done when differences are too small?

Answer: use statistics over several traces
Differential Power Analysis (DPA)

Diagram: the cryptosystem (internal state, implementation) is described by a power model; a bit b of the internal state is selected to attack; for each hypothesis, b = 1 and b = 0, the power model predicts power($H_{b=1}$) and power($H_{b=0}$); the comparison of these predictions with the measures selects the correct hypothesis.
Template Attack

Diagram: the cryptosystem (internal state, implementation) is characterized in a training step: a variable v of the internal state is selected to attack and measures are taken for each value v = 0, 1, 2, ..., giving the templates power(v = 0), power(v = 1), power(v = 2), ...; the measures on the attacked device are then compared with the templates to select the correct hypothesis.

Electromagnetic Radiation Analysis

General principle: use a probe to measure the EMR

Figure: a probe placed over the circuit (supplied between VDD and GND)

EMR measurement:
• global EMR with a large probe
• local EMR with a micro-probe
Side Channel Attack on ECC

Levels (as in the hardware accelerator figure): protocol level (encryption, signature, etc.), curve level ([k]P, scalar multiplication with ADD(P, Q) and DBL(P)), field level (x ± y, x × y, ...)

Scalar multiplication operation:
    for i from 0 to t − 1 do
        if k_i = 1 then Q = ADD(P, Q)
        P = DBL(P)

Sequence of curve-level operations observed in a trace:
  DBL DBL DBL ADD DBL ADD DBL DBL
and the key bits read off it ($k_0$ first):
  0 0 0 1 1 0

Attacks at this level:
• simple power analysis (& variants)
• differential power analysis (& variants)
• horizontal/vertical/templates/... attacks
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62
Fault Injection Attacks
Objective: alter the correct functioning of a system “from outside”
Fault effects examples: • modify a value in a register • modify a value in the memory hierarchy • modify an address (data location or code location) • modify a control signal (e.g. status flag, branch direction) • skip/modify the instruction decoding • delay/advance propagation of internal control signals • etc.
Also called perturbation attacks
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 25/62
Fault Injection Techniques
Typical techniques: • perturbation in the power supply voltage • perturbation of the clock signal • temperature (over/under-heating the chip) • radiation or electromagnetic (EM) disturbances • exposing the chip to intense lights or beams • etc.
Accuracy: • time: part of clock cycle, clock cycle, code block (instruction sequence) • space: gate, block, unit, core, chip, package • value: set to a specific value, bit flip, stuck-at 0 or 1, random modification
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 26/62
Perturbation on the Power Supply
Principle (figure): a controlled power supply drives the VDD/GND pins of the device under attack, possibly through a power glitch generator; the supply voltage is plotted against time
• Nominal power supply (e.g. ≈ [0.7, 1.2] V for current technologies) • Non-nominal constant power supply (e.g. 0.7 V instead of 1.2 V) • Glitches (dips, spikes) in the power supply at some selected moments
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 27/62
Under Powering Example
Source: paper [19] presented at EDCC 2008 conference
Setup: 130 nm smart card (1.2 V nominal VDD) with AES crypto-processor
Measurement campaign: triples (msg, key, cypher) recorded for 100 VDD values in [775, 825] mV over 20,000 encryptions, with comparison to a (RTL) simulation of a one-byte corruption in the state matrix at various rounds
Observed behavior is compatible with a setup violation model on a critical path (bell shape due to only one or multiple paths)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 28/62
Power Glitching Example
Source: FDTC 2008 conference paper [18]
Setup: AVR microcontroller with RSA implementation
Attack result: a power glitch causes some instruction to be skipped
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 29/62
Perturbation on the External Clock
Principle (figure): voltage against time for the normal clock CLK, a clock MCLK with a modified duty cycle, and a glitched clock GCLK with glitches inserted into the waveform
• Normal clock (at a given frequency, duty cycle ≈ 50%) • Clock with a modified duty cycle • Glitched clock • Etc.
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 30/62
Glitchy Clock Generation Example
Source: paper [10] published in J. Crypto. Eng. 2011
Setup: Virtex-II Pro FPGA (on SASEBO card) used to generate a “glitchy” clock for several programmable time parameters
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 31/62
Clock Glitch Attack Example
Source: paper [1] presented at FDTC 2011 conference
Setup: AVR ATMega 163 microcontroller @ 1MHz
mode    glitch period   cycle   instruction     opcode (bin)
normal  -               i       NOP             0000 0000 0000 0000
normal  -               i + 1   EOR R15,R5      0010 0100 1111 0101
glitch  59 ns           i + 1   NOP             0000 0000 0000 0000

mode    glitch period   cycle   instruction     opcode (bin)
normal  -               i       NOP             0000 0000 0000 0000
normal  -               i + 1   SER R18         1110 1111 0010 1111
glitch  61 ns           i + 1   LDI R18,0xEF    1110 1110 0010 1111
glitch  60 ns           i + 1   SBC R12,R15     0000 1000 0010 1111
glitch  59 ns           i + 1   NOP             0000 0000 0000 0000
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 32/62
mode    glitch period   cycle   instruction     opcode (bin)
normal  -               i       TST R12         0010 0000 1100 1100
normal  -               i + 1   BREQ PC+0x02    1111 0000 0000 1001
normal  -               i + 2   SER R26         1110 1111 1010 1111
glitch  57 ns           i + 2   LDI R26,0xEF    1110 1110 1010 1111
glitch  56 ns           i + 2   LDI R26,0xCF    1110 1100 1010 1111
glitch  52 ns           i + 2   LDI R26,0x0F    1110 0000 1010 1111
glitch  45 ns           i + 2   LDI R16,0x09    1110 0000 0000 1001
glitch  32 ns           i + 2   LD R0,Y+0x01    1000 0000 0000 1001
glitch  28 ns           i + 2   LD R9,Y         1000 0000 0000 1000
glitch  27 ns           i + 2   LDI R16,0x09    1110 0000 0000 1001
glitch  15 ns           i + 2   BREQ PC+0x02    1111 0000 0000 1001
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 33/62
Electromagnetic Perturbations
Principle (figure): a pulse generator drives an antenna placed above the circuit, with a motorized (X, Y, Z) stage/table to position it
• large antenna • micro-antenna
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 34/62
Electromagnetic Attack Example
Source: article [12] presented at FDTC 2013 conference
Setup: 32-b Cortex-M3 ARM microprocessor (CMOS 130 nm SoC at 56 MHz), magnetic antenna with pulses in [-200, 200] V and [10, 200] ns
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 35/62
Loaded value: 12345678
Pulse voltage [V]   Loaded value   Occurrence rate [%]
170                 1234 5678      100
172                 1234 5678      100
174                 9234 5678       73
176                 FE34 5678       30
178                 FFF4 5678       53
180                 FFFD 5678       50
182                 FFFF 7F78       46
184                 FFFF FFFB       40
186                 FFFF FFFF      100
188                 FFFF FFFF      100
190                 FFFF FFFF      100
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 36/62
Lights / Lasers
Principle (figure): a light source illuminates the circuit, either as a whole or at chosen spots
• large illuminated area (flash light with microscope) • small “spot” (laser with variable locations)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 37/62
Differential Fault Analysis
Most of the time, exploiting only one fault does not provide enough information • Accurately injecting a fault is difficult • The fault causes a few perturbations
Then, use statistical correlation(s)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 38/62
Safe Error Attack
Principle: exploit the link (or the lack of link) between injected fault(s) during “useful” (or “useless”) operations and the final result
Figure (two time lines): in the sequence o1 o2 o3 o4 o5 end, a fault injected during o3 propagates through o3 o4 o5 into the final result; in the sequence o1 o2 o5 end, where o3 o4 are computed aside and never used, the same fault injection only affects o3 o4 and leaves the final result unchanged
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 39/62
Safe Error Attack Example in Asymmetric Crypto
WEAK against SPA:
for i from 0 to n − 1 do
    if si = 1 then
        v ← f (v,...)
    v ← g(v,...)
WEAK against SEA:
for i from 0 to n − 1 do
    if si = 1 then
        v ← f (v,...)
    else
        w ← f (v,...)
    v ← g(v,...)
Useless or dummy operations are a bad idea
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 40/62
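The two weaknesses shown on the ECC slide (the ADD/DBL sequence read by SPA) and on this slide (the dummy operation exposed by a safe-error attack) can be reproduced on a toy curve. The Python script below is an added example, not code from the slides: it records the curve-level operation sequence of three scalar multiplication variants and lists the operations a fault can hit without changing [k]G. The curve y² = x³ + 2x + 2 over GF(17), its generator G = (5, 1) of order 19, the fault model (the faulted result is shifted by G) and all function names are constructed for this example.

```python
from typing import Callable, List, Optional, Tuple

# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) has prime order 19.
P_MOD, A_COEF = 17, 2
G = (5, 1)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


def point_add(p: Point, q: Point) -> Point:
    """Affine group law, covering O + P, P + P and P + (-P)."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P) = O
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


class Tracer:
    """Records the ADD/DBL sequence; when fault_at is set, that operation's result is corrupted."""

    def __init__(self, fault_at: Optional[int] = None) -> None:
        self.trace: List[str] = []
        self.fault_at = fault_at

    def op(self, name: str, p: Point, q: Point = None) -> Point:
        r = point_add(p, p) if name == "DBL" else point_add(p, q)
        if self.fault_at == len(self.trace):
            r = point_add(r, G)  # constructed fault model: wrong intermediate value
        self.trace.append(name)
        return r


def double_and_add(k: int, tr: Tracer) -> Point:
    """Left-to-right binary method: ADD only when the bit is 1 (leaks to SPA)."""
    r: Point = None
    for bit in bin(k)[2:]:
        r = tr.op("DBL", r)
        if bit == "1":
            r = tr.op("ADD", r, G)
    return r


def double_and_add_always(k: int, tr: Tracer) -> Point:
    """Regular trace thanks to a dummy ADD into w when the bit is 0 (weak to SEA)."""
    r: Point = None
    for bit in bin(k)[2:]:
        r = tr.op("DBL", r)
        if bit == "1":
            r = tr.op("ADD", r, G)
        else:
            w = tr.op("ADD", r, G)  # w is never used again: a dummy operation
    return r


def montgomery_ladder(k: int, tr: Tracer) -> Point:
    """Regular trace without dummy operation: r0 and r1 both feed the result."""
    r0, r1 = None, G
    for bit in bin(k)[2:]:
        if bit == "1":
            r0 = tr.op("ADD", r0, r1)
            r1 = tr.op("DBL", r1)
        else:
            r1 = tr.op("ADD", r0, r1)
            r0 = tr.op("DBL", r0)
    return r0


def trace_depends_on_scalar(method: Callable[[int, Tracer], Point],
                            scalars: List[int]) -> bool:
    """True when scalars of equal bit length give different ADD/DBL sequences."""
    traces = set()
    for k in scalars:
        tr = Tracer()
        method(k, tr)
        traces.add(tuple(tr.trace))
    return len(traces) > 1


def absorbed_faults(method: Callable[[int, Tracer], Point], k: int) -> List[int]:
    """Indices of operations whose corruption leaves [k]G unchanged (safe-error leak)."""
    ref_tr = Tracer()
    ref = method(k, ref_tr)
    return [j for j in range(len(ref_tr.trace))
            if method(k, Tracer(fault_at=j)) == ref]


if __name__ == "__main__":
    for m in (double_and_add, double_and_add_always, montgomery_ladder):
        print(m.__name__, trace_depends_on_scalar(m, [13, 11]), absorbed_faults(m, 13))
```

For k = 13 the plain method leaks through its trace, the add-always method absorbs a fault in its dummy ADD (operation 5), and the ladder absorbs a fault in its very last DBL of r1 because r1 never reaches the output; this is why ladder implementations also check the invariant r1 − r0 = G before releasing r0.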
Fault Attack Example: Bit Flip on RSA Decryption
Figure: A encrypts with E under key k′, C = Ek(M); B decrypts with D under key k, Dk(C) = M; the fault flip(di) is injected into B’s decryption
• choose a plaintext message M
• encrypt M into C = Ek(M)
• inject a fault by flipping di for a random i (d is the secret key)
• compute the ratio $\hat{M}/M$ between the faulty decryption result $\hat{M} = C^{d \pm 2^i} \bmod N$ and M
• test: $\hat{M}/M \equiv 1/C^{2^i} \pmod N \Rightarrow d_i = 1$; $\hat{M}/M \equiv C^{2^i} \pmod N \Rightarrow d_i = 0$
• retry for several i (⇒ get small parts of d, then mathematical attacks)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 41/62
Many other fault attacks. . .
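An added example, not from the slides, of the bit-flip relation above together with the usual countermeasure: re-encrypt the decryption result with the public exponent and release it only if it reproduces C. The toy key (N = 3233, e = 17, d = 2753), the message 65 and all function names are constructed for this example; the fault is simulated by inverting bit i of d before the exponentiation, not by modelling where it physically lands.

```python
from typing import Optional

# Constructed toy RSA key (p = 61, q = 53): N = 3233, e = 17, d = 2753.
# Far too small for real use; sized so the arithmetic can be checked by hand.
N, E, D = 3233, 17, 2753


def encrypt(m: int) -> int:
    """Public operation C = E_k(M) = M^e mod N."""
    return pow(m, E, N)


def decrypt_faulty(c: int, flip_bit: Optional[int] = None) -> int:
    """Unprotected decryption D_k(C) = C^d mod N. With flip_bit = i, bit d_i of the
    private exponent is inverted first, which models the fault flip(d_i) injected
    into the key register; the faulty M_hat is returned without any check."""
    d = D ^ (1 << flip_bit) if flip_bit is not None else D
    return pow(c, d, N)


def infer_bit(m: int, m_hat: int, c: int, i: int) -> Optional[int]:
    """The test of the slide: M_hat/M = C^(2^i) mod N means d_i was 0 (the flip
    added 2^i to the exponent); M_hat/M = 1/C^(2^i) means d_i was 1 (it removed
    2^i). Needs gcd(M, N) = 1 so that M is invertible mod N."""
    ratio = m_hat * pow(m, -1, N) % N
    c_pow = pow(c, 1 << i, N)
    if ratio == c_pow:
        return 0
    if ratio == pow(c_pow, -1, N):
        return 1
    return None  # neither relation holds: not a single-bit flip of d


def decrypt_checked(c: int, flip_bit: Optional[int] = None) -> Optional[int]:
    """Countermeasure: re-encrypt the result with the public exponent and release it
    only if it reproduces C, so a faulty M_hat never leaves the device."""
    m_hat = decrypt_faulty(c, flip_bit)
    return m_hat if pow(m_hat, E, N) == c else None


if __name__ == "__main__":
    m = 65  # constructed message, coprime with N
    c = encrypt(m)
    for i in range(D.bit_length()):
        guess = infer_bit(m, decrypt_faulty(c, i), c, i)
        print(f"flip d_{i}: unprotected leaks d_{i} = {guess} (real {(D >> i) & 1}),"
              f" checked output = {decrypt_checked(c, i)}")
```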
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 42/62
Countermeasures
Principles for preventing attacks: • embed additional protection blocks • modify the original circuit into a secured version • application levels: circuit, architecture, algorithm, protocol. . .
Countermeasures: • electrical shielding • detectors, estimators, decoupling • use uniform computation durations and power consumption • use detection/correction codes (for fault injection attacks) • provide a random behavior (algorithms, representation, operations. . . ) • add noise (e.g. masking, useless instructions/computations) • circuit reconfiguration (algorithms, block location, representation of values. . . )
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 43/62
Low-Level Coding and Circuit Activity
Assumptions: • b is a bit (i.e. b ∈ {0, 1}, logical or mathematical value) • electrical states for a wire: VDD (logical 1) or GND (logical 0)
Low-level codings of a bit:
coding       b = 0                          b = 1
standard     GND                            VDD
dual rail    (1, 0)DR: r0 = VDD, r1 = GND   (0, 1)DR: r0 = GND, r1 = VDD
Figure: waveforms of b, r0 and r1 over successive cycles
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 44/62
Circuit Logic Styles
Countermeasure principles: uniformize circuit activity and exclusive coding
Solution based on precharge logic and dual-rail coding (figure): the signal pc alternates precharge and evaluation phases over the cycles; the pair (r1, r0) is invalid during each precharge and encodes b = 0, b = 0, b = 1 during the successive evaluations
Solution based on validity line and dual-rail coding (figure): r1, r0 and an additional valid signal
Important overhead: silicon area and local storage (registers)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 45/62
Circuit-Level Protections for Arithmetic Operators
References: [8] and [9]
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 46/62
Countermeasure: Architecture
Increase internal parallelism: • replace one fast but big operator • by several instances of a small but slow one
Figure: architecture A runs the ops one after the other on a single big operator; architecture B runs four small operators (1, 2, 3, 4) in parallel, each taking a share of the ops over time
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 47/62
Protected Multipliers
Figure: #transitions (0–250) against cycles (0–500, with a zoom on cycles 200–250) for the unprotected and the protected Mastrovito 233 multipliers
Overhead: Area/time < 10 %
References: PhD D. Pamula [13] Articles: [16], [15], [14]
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 48/62
Protected ECC Accelerator
Figure: activity traces (#transit., 0–300) and current measures (current [mA]) over cycles 0–350 for the protected Mastrovito accelerator (ADD and DBL operations) and for the unprotected Mastrovito accelerator (DBL operation)
Warning: old dedicated accelerator (similar behavior is expected for our new one)
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 49/62
Arithmetic Level Countermeasures
Redundant number system = • a way to improve the performance of some operations • a way to represent a value with different representations
Figure: k → R1(k), R2(k), R3(k), R4(k), R5(k), R6(k), R7(k), ... → [R1(k)]P, [R2(k)]P, [R3(k)]P, [R4(k)]P, [R5(k)]P, [R6(k)]P, [R7(k)]P, ...
Important property: ∀i [Ri (k)]P = [k]P
Proposed solution: use random redundant representations of k
Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 50/62
Double-Base Number System
Standard radix-2 representation: $k = \sum_{i=0}^{t-1} k_i 2^i = (k_{t-1}\, k_{t-2}\, \ldots\, k_2\, k_1\, k_0)_2$, t explicit digits with implicit weights $2^{t-1}, 2^{t-2}, \ldots, 2^2, 2^1, 2^0$
Digits: ki ∈ {0, 1}, typical size: t ∈ {160, ..., 600}
Double-Base Number System (DBNS): $k = \sum_{j=0}^{n-1} k_j 2^{a_j} 3^{b_j}$, n (2, 3)-terms with explicit “digits” $k_{n-1}, \ldots, k_1, k_0$ and explicit ranks $(a_{n-1}, b_{n-1}), \ldots, (a_1, b_1), (a_0, b_0)$
aj, bj ∈ N, kj ∈ {1} or kj ∈ {−1, 1}, size n ≈ log t
DBNS is a very redundant and sparse representation:
1701 = $(11010100101)_2$
1701 = 243 + 1458 = $2^0 3^5 + 2^1 3^6$ = (1, 0, 5), (1, 1, 6)
     = 1728 − 27 = $2^6 3^3 - 2^0 3^3$ = (1, 6, 3), (−1, 0, 3)
     = 729 + 972 = $2^0 3^6 + 2^2 3^5$ = (1, 0, 6), (1, 2, 5)
     = ...
Randomized DBNS Recoding of the Scalar k
On-the-fly DBNS random recoding for the scalar k: • randomly recode windows of the scalar k on-the-fly • control the number of reductions (←) and expansions (→) • etc.
[Figure: levels of the ECC implementation: protocol level (encryption, signature, ...) computes [k]P; curve level operations ADD(P, Q), DBL(P), TPL(P); field level operations x ± y, x × y, ... Point tripling operation: Q = TPL(P) = P + P + P. Recoding: for each block ki of k, a random choice among the possible recoding rules gives the recoded ki (and ki+1).]
DBNS is redundant ⇒ security. DBNS is sparse ⇒ 20–30 % speed.
Ref: [7] Chabrier, Pamula & Tisserand, Asilomar 2009
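As an added worked example (not code from the slides or from the DBNS recoding hardware of [7]), the Python below enumerates the two-term signed DBNS representations of a scalar, picks one at random in the spirit of the random choice among recoding rules described above, and computes [k]P with the resulting DBL/TPL/ADD sequence. The curve y² = x³ + 2x + 3 over GF(97) with base point (3, 6) is a constructed toy curve chosen only so the group law can be checked by hand; the two-term restriction and the search bound v ≤ 2t are simplifications of this example, whereas the slides recode windows of k on the fly.

```python
import secrets


# --- DBNS helpers ----------------------------------------------------------

def split_23(x):
    """Return (a, b) if x = 2^a * 3^b with a, b >= 0, otherwise None."""
    if x <= 0:
        return None
    a = b = 0
    while x % 2 == 0:
        x //= 2
        a += 1
    while x % 3 == 0:
        x //= 3
        b += 1
    return (a, b) if x == 1 else None


def dbns_value(terms):
    """Evaluate a list of (k, a, b) triples as sum k * 2^a * 3^b."""
    return sum(k * 2 ** a * 3 ** b for k, a, b in terms)


def two_term_reps(t):
    """All representations t = 2^a1 3^b1 + k2 * 2^a2 3^b2 with k2 in {-1, 1},
    larger term first. The search is bounded to {2,3}-integers v <= 2t
    (an assumption of this example: negative terms larger than t are skipped)."""
    reps = []
    a = 0
    while 2 ** a <= 2 * t:
        b = 0
        while 2 ** a * 3 ** b <= 2 * t:
            v = 2 ** a * 3 ** b
            if 2 * v >= t:                  # v is the larger of the two terms
                ab = split_23(abs(t - v))   # None if v == t or |t - v| is not 2^a 3^b
                if ab is not None:
                    reps.append([(1, a, b), (1 if v < t else -1, ab[0], ab[1])])
            b += 1
        a += 1
    return sorted(reps)


# --- constructed toy curve (NOT a real ECC curve): y^2 = x^3 + 2x + 3 over GF(97)
P_MOD, A_COEF = 97, 2
G = (3, 6)   # on the curve: 6^2 = 36 = 27 + 6 + 3 (mod 97)


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                          # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_dbl(P):
    return ec_add(P, P)


def ec_tpl(P):
    return ec_add(ec_dbl(P), P)              # TPL(P) = P + P + P


def ec_neg(P):
    return None if P is None else (P[0], (-P[1]) % P_MOD)


def ec_mul_binary(k, P):
    """Reference left-to-right double-and-add, used only to check the DBNS result."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_dbl(R)
        if bit == "1":
            R = ec_add(R, P)
    return R


def ec_mul_dbns(terms, P):
    """[k]P from a DBNS representation of k: each term 2^a 3^b P is built with
    a doublings and b triplings, then accumulated. Also returns the DBL/TPL/ADD
    counts, which differ between equivalent representations of the same k."""
    R, counts = None, {"DBL": 0, "TPL": 0, "ADD": 0}
    for k, a, b in terms:
        T = P
        for _ in range(a):
            T = ec_dbl(T)
            counts["DBL"] += 1
        for _ in range(b):
            T = ec_tpl(T)
            counts["TPL"] += 1
        if k < 0:
            T = ec_neg(T)
        R = ec_add(R, T)
        counts["ADD"] += 1
    return R, counts


def randomized_dbns_mul(k, P, rng=secrets.SystemRandom()):
    """Pick one two-term DBNS representation of k at random and use it for [k]P."""
    reps = two_term_reps(k)
    if not reps:
        raise ValueError("no two-term DBNS representation within the search bound")
    terms = rng.choice(reps)
    R, counts = ec_mul_dbns(terms, P)
    return terms, R, counts
```

Running `randomized_dbns_mul(1701, G)` returns the same point as double-and-add whichever representation is drawn, while the DBL/TPL/ADD counts (for instance 6/6/2 for 1728 − 27 against 1/11/2 for 1458 + 243) change from one run to the next, which is the property the randomized recoding relies on.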
Hardware Implementation of RNS for ECC (1/2)
RNS: Residue Number System
• Base B = (m1, m2, ..., mk) of k relatively prime moduli • Size of the base: k
A = {a1, a2, ..., ak}, ∀i ai = A mod mi
Operations:
A ± B = (|a1 ± b1|m1, ..., |ak ± bk|mk)
A × B = (|a1 × b1|m1, ..., |ak × bk|mk)
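Added example (not the slides' hardware nor the implementations of [2]–[6]): the channel-wise RNS operations above in Python, with conversion to and from residues by the Chinese Remainder Theorem over a constructed base of four moduli that fit in w = 8 bits. It also shows the caveat a designer must keep in mind: a product that exceeds the dynamic range M comes back reduced mod M with no overflow indication, which is why reduction modulo the field prime needs a base extension step (the subject of [4] and [5], not shown here).

```python
from itertools import combinations
from math import gcd, prod

# Constructed example base: four pairwise relatively prime 8-bit moduli
BASE = (251, 253, 255, 256)


def check_base(base):
    """The moduli must be pairwise relatively prime for the CRT to hold."""
    return all(gcd(m1, m2) == 1 for m1, m2 in combinations(base, 2))


def dynamic_range(base):
    """M = m1 * ... * mk: every integer in [0, M) has a unique residue vector."""
    return prod(base)


def to_rns(A, base=BASE):
    """A -> (a1, ..., ak) with ai = A mod mi."""
    return tuple(A % m for m in base)


def rns_add(a, b, base=BASE):
    """Channel-wise addition: no carry propagates between channels."""
    return tuple((x + y) % m for x, y, m in zip(a, b, base))


def rns_sub(a, b, base=BASE):
    return tuple((x - y) % m for x, y, m in zip(a, b, base))


def rns_mul(a, b, base=BASE):
    """Channel-wise multiplication: each channel needs only a w-bit multiplier mod mi."""
    return tuple((x * y) % m for x, y, m in zip(a, b, base))


def from_rns(a, base=BASE):
    """CRT reconstruction: A = sum_i |ai * Mi^-1|_{mi} * Mi (mod M), with Mi = M / mi."""
    M = prod(base)
    total = 0
    for ai, mi in zip(a, base):
        Mi = M // mi
        total += (ai * pow(Mi, -1, mi) % mi) * Mi
    return total % M


def demo(A=123456789, B=987654321, base=BASE):
    """Add and multiply two constructed operands in RNS and convert back.
    A + B stays below M and is exact; A * B exceeds M and wraps mod M,
    since the residues alone cannot signal the overflow."""
    M = dynamic_range(base)
    a, b = to_rns(A, base), to_rns(B, base)
    s = from_rns(rns_add(a, b, base), base)
    p = from_rns(rns_mul(a, b, base), base)
    return {
        "M": M,
        "sum": s, "sum_exact": s == A + B,
        "prod": p, "prod_exact": p == A * B, "prod_mod_M": p == (A * B) % M,
    }
```

A negative intermediate value such as 5 − 7 is likewise represented as M − 2: RNS arithmetic is inherently modulo M, so range checks or a base extension have to be applied by the surrounding datapath rather than by the channels themselves.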
Hardware Implementation of RNS for ECC (2/2)
[Figure: architecture of the RNS unit: I/O block and control FSM (30 states, control signals rst, mode, ...), n channels (Rower 1 ... Rower n, one per modulus, each with a w-bit arithmetic unit, 2 local registers, precomputation storage and 6 pipeline stages), one shared multiplier, a Cox unit, and a register file of about 2n × w bits.]
Optimized algorithms and implementations for GF(p) operations: • fast operations: inversion [3], modular multiplication [5], patterns [4] • PhD thesis of Karim Bigou [2] • hybrid position-residues (HPR) representation [6]
Comparison ECC 256 vs HECC 128 (1/2)
[Figure: computation time [ms] (0–30) versus area [slices] (600–2200) for ECC 256 and HECC 128 architectures, each point labelled with its architecture parameters (1,1 ... 12,2).]
On average HECC is 40 % faster than ECC for a similar silicon cost
Comparison ECC 256 vs HECC 128 (2/2)
[Figure: for the ECC and HECC configurations (1,1 ... 8,2): speedup (0–5), area ratio (×1–×3) and % usage (0–100).]
Conclusion
• Side channel and fault attacks are serious threats
• Attacks are more and more efficient (many variants)
• Security analysis is mandatory at all levels (specification, algorithm, operation, implementation)
• Security = trade-off between performances, robustness and cost
• Security = func( secret value, attacker capabilities )
• Security = computer science + microelectronics + mathematics
Current works examples:
• Methods/tools for automating security analysis
• Circuit reconfiguration (representations, algorithms)
• Circuits with reduced activity variations
• Representation of numbers with error detection/correction “codes”
• Design space exploration
• CAD tools with security improvement capabilities
Our Long Term Objectives
Study the links between: • cryptosystems • arithmetic algorithms • Fq and point representations • architectures & units • circuit optimisations
to ensure: • high security against theoretical attacks and physical attacks • low design cost • low silicon cost • low energy(/power) • high performances • high flexibility
[Figure: trade-off diagram with axes area (1 → 1 + a), delay (1 → 1 + t), energy (1 → 1 + e) and security (1 → ×10, ×100), with a, t, e ∈ {0 %, 5 %, 10 %, ..., 100 %}.]
References
[1] J. Balasch, B. Gierlichs, and I. Verbauwhede. An in-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In Proc. 8th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 105–114, Nara, Japan, September 2011. IEEE.
[2] K. Bigou. Étude théorique et implantation matérielle d'unités de calcul en représentation modulaire des nombres pour la cryptographie sur courbes elliptiques. PhD thesis, University Rennes 1, Lannion, France, November 2014.
[3] K. Bigou and A. Tisserand. Improving modular inversion in RNS using the plus-minus method. In G. Bertoni and J.-S. Coron, editors, Proc. 15th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume 8086 of LNCS, pages 233–249, Santa Barbara, CA, USA, August 2013. Springer.
[4] K. Bigou and A. Tisserand. RNS modular multiplication through reduced base extensions. In H. Fu and D. Thomas, editors, Proc. 25th IEEE International Conference on Application-specific Systems, Architectures and Processors (ASAP), pages 57–62, Zurich, Switzerland, June 2014. IEEE.
[5] K. Bigou and A. Tisserand. Single base modular multiplication for efficient hardware RNS implementations of ECC. In T. Güneysu and H. Handschuh, editors, Proc. 17th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume 9293 of LNCS, pages 123–140, Saint-Malo, France, September 2015. Springer.
[6] K. Bigou and A. Tisserand. Hybrid position-residues number system. In J. Hormigo, S. Oberman, and N. Revol, editors, Proc. 23rd Symposium on Computer Arithmetic (ARITH), pages 126–133, Santa Clara, CA, USA, July 2016. IEEE Computer Society.
[7] T. Chabrier, D. Pamula, and A. Tisserand. Hardware implementation of DBNS recoding for ECC processor. In Proc. 44th Asilomar Conference on Signals, Systems and Computers, pages 1129–1133, Pacific Grove, California, USA, November 2010. IEEE.
[8] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Robust sub-powered asynchronous logic. In J. Becker and M. R. Adrover, editors, Proc. 24th International Workshop on Power and Timing Modeling, Optimization and Simulation (PATMOS), pages 1–7, Palma de Mallorca, Spain, September 2014. IEEE.
[9] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Asynchronous charge sharing power consistent Montgomery multiplier. In J. Sparso and E. Yahya, editors, Proc. 21st IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC), pages 132–138, Mountain View, California, USA, May 2015.
[10] S. Endo, T. Sugawara, N. Homma, T. Aoki, and A. Satoh. An on-chip glitchy-clock generator for testing fault injection attacks. Journal of Cryptographic Engineering, 1(4):265–270, December 2011.
[11] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proc. Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388–397. Springer, August 1999.
[12] N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, and E. Encrenaz. Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller. In Proc. 10th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 77–88, Santa Barbara, CA, USA, August 2013. IEEE.
[13] D. Pamula. Arithmetic Operators on GF(2^m) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs. PhD thesis, University of Rennes 1 and Silesian University of Technology, December 2012.
[14] D. Pamula, E. Hrynkiewicz, and A. Tisserand. Analysis of GF(2^233) multipliers regarding elliptic curve cryptosystem applications. In 11th IFAC/IEEE International Conference on Programmable Devices and Embedded Systems (PDeS), pages 271–276, Brno, Czech Republic, May 2012.
[15] D. Pamula and A. Tisserand. GF(2^m) finite-field multipliers with reduced activity variations. In 4th International Workshop on the Arithmetic of Finite Fields, volume 7369 of LNCS, pages 152–167, Bochum, Germany, July 2012. Springer.
[16] D. Pamula and A. Tisserand. Fast and secure finite field multipliers. In Proc. 18th Euromicro Conference on Digital System Design (DSD), pages 653–660, Madeira, Portugal, August 2015.
[17] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
[18] J. Schmidt and C. Herbst. A practical fault attack on square and multiply. In Proc. 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 53–58, Washington, DC, USA, August 2008. IEEE.
[19] N. Selmane, S. Guilley, and J.-L. Danger. Practical setup time violation attacks on AES. In Proc. 7th European Dependable Computing Conference (EDCC), Kaunas, Lithuania, 2008.
The end, questions?
Contact: • mailto:[email protected] • http://www-labsticc.univ-ubs.fr/~tisseran • CNRS, Lab-STICC Laboratory, University South Brittany (UBS), Centre de recherche C. Huygens, rue St Maudé, BP 92116, 56321 Lorient cedex, France
Thank you