Post on 27-Mar-2018
GIGASCALE RELIABLE ENERGY EFFICIENT NANOSYSTEMS LAB
What do ultra low power requirements mean for secure hardware?
Saibal Mukhopadhyay School of ECE, Georgia Institute of Technology
Gigascale Reliable Energy Efficient Nanosystem (GREEN) Lab School of Electrical and Computer Engineering, Georgia Tech
Exploring reliable, energy efficient computing solutions at nanometer nodes — from devices to circuits to systems
Intel Corporation IBM Qualcomm
Emerging Computing Applications
[Figure: growth rate by device class (Servers, Desktop, Laptop, Smart Phone, IoTs, Wearables), grouped as "High performance", "Mobile, low power" and "Compute small, everywhere". Source: International Data Corporation (IDC)]
Emerging Computing Applications
IoT Predictions
[Chart: connected objects vs. world population, in billions]

| Year | 2003 | 2008 | 2010 | 2015 | 2020 |
|---|---|---|---|---|---|
| Connected objects | 1 | 6.7 | 13 | 25 | 50 |
| World population | 6.3 | 6.7 | 6.9 | 7.4 | 7.9 |

Chart annotations: Tablets, Laptops, Phones; Sensors, Smart Objects, Wearables, Healthcare; Inflection Point: one connected thing per person; 25 Billion; 50 Billion Objects
Side Channel Attack, Information Leakage
Secure, Private, Trustworthy
Power performance Spectrum
[Figure: power vs. performance spectrum. Systems plotted: GPU; multi-core processors; servers; cell-phone processors; wearable medical sensors; Internet-of-things; environment sensors; energy autonomous systems]
Growing space for ultra-low power computing
A critical challenge moving forward
How do we secure embedded systems and SoCs operating under tight power budgets?
Low-power and Security
Low-power requirements of secure hardware – Challenge? Or Opportunities?
Hardware Security Vulnerabilities
• Hardware Trojan
• Power Attack
• EM attack
• Cryptanalysis
• Reverse engineering
• Counterfeit
• Tampering
Low-power techniques
• Voltage scaling
• Voltage regulators
• Power gating
• Logic design
• Architecture
• Activity control
• Clock gating
• Adaptive circuits
Focus of this Talk
Low-power requirements in encryption engines and protection against side channel attack
• Side Channels Leaking Encryption Specific Information:
• Power Trace Measurements – Most commonly used side channel
• Electromagnetic Emissions
[Images: Smart Cards, FPGA, Processors]
An Example Application: Distributed Video Surveillance with Self-power Sensors
[Diagram: image sensing node, wireless link, receiver]
• Data-rate reduction (pre-processing and compression)
• Limited bandwidth and dynamic channel condition
• Noise tolerance (adaptive modulation)
• Desirable quality of important information
S. Mukhopadhyay, PI, Supported by Office of Naval Research, US
Self-powered Image Sensors
[Block diagram: CMOS sensor, pre-processor, MJPEG, SRAM (edge map), transmitter, power management, clock generator, battery, other energy transducers; energy harvesting from sensor]
2mm x 2mm design, 130nm CMOS
[Plot: energy per frame (uJ) vs. SSIM of ROI for MJPEG, H.264/AVC intra, and MJPEG + pre-processing; data labels 138.7, 80.0, 61.5]
J. Ko, IEEE TMSCS
Area and Power Cost of Securing the Transmitted Image
[Plot: computation energy per frame (uJ) vs. area (um2) for the following configurations]
• Baseline MJPEG
• Baseline MJPEG + pre-processor (fixed QF/threshold)
• Variable QF MJPEG + pre-processor + system controller
• + Encryption module (AES)
• + Encryption module (Simon)
Plot annotations: +0.6% area, +1.6% energy; +0.8% area, +1.8% energy; +4.6% area, +17% energy; +6.2% area, +19% energy
We need security at very low area and energy cost
Low-power requirement is a challenge to design power-attack secure crypto engines
Low Area/Power Cryptography
| Technique | Area* | Power* |
|---|---|---|
| Adiabatic Logic Circuits | 1.56X | 0.24X |
| Serialization (8-bit datapath) | 0.5X | 0.11X |
| Using Composite Field Arithmetic | 1.1X | 0.08X |
| Register reduction, clock gating, bus specific clock | 0.9X | 0.56X |
| Sequence Switch Coding | No data | 0.9X |

*The factors are obtained from corresponding references

• RTL-level low-power techniques: clock gating, register reduction.
• The SBOX function can be optimized with different mathematical realizations of composite field arithmetic.
• Serialization and hardware reuse is one of the popular ways to minimize the hardware cost.
Significant past effort exists on low-power crypto.
Little quantitative analysis exists on how these techniques impact resistance against power attack.
Encryption Schemes
• Parallel AES, 128-bit datapath: Key 128-bit, PlainText 128-bit; SBox (128-bit), AddRoundKey (128-bit), MixColumn (128-bit), ShiftRow (128-bit). Algorithmic noise for targeted byte.
• Serial AES, 8-bit datapath: Key 128-bit, PlainText 128-bit; SBox (8-bit), AddRoundKey (8-bit), MixColumn (8-bit), ShiftRow (8-bit). No algorithmic noise for targeted byte.
• SIMON, 1-bit datapath: Key 128-bit, PlainText 128-bit; SIMON Round. No algorithmic noise for targeted bit.
Serial encryption designs are more susceptible to power attacks – valid for both serial AES and SIMON
Correlation Power Attack Characteristics
$$\rho(t_i, k_j) = \frac{E\big((P - \bar{P})(HD - \overline{HD})\big)}{\sigma(P)\,\sigma(HD)}$$
[Plots: CPA results for Parallel AES, Serialized AES and SIMON]
Serial designs are observed to be more prone to side-channel attack.
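The effect of algorithmic noise on the CPA correlation ρ, as an added example that is not part of the original slides: a simulation comparing a datapath that updates one byte per cycle with one that updates 16 bytes per cycle. It assumes the power sample equals the total Hamming distance switched in the cycle plus Gaussian noise, with uniformly random data; the function names, noise level, trace count and the textbook trace-count rule of thumb are assumptions of the example.

```python
import math
import random

def hamming_weight(x):
    return bin(x).count("1")

def pearson(xs, ys):
    """Sample Pearson correlation, the rho of the CPA formula."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

def leakage_correlation(datapath_bytes, n_traces=5000, noise_sigma=0.5, seed=1):
    """Correlate the Hamming-distance model of one targeted byte with the
    simulated power of a datapath updating `datapath_bytes` bytes per cycle.
    Constructed data: uniformly random register transitions, Gaussian noise."""
    rng = random.Random(seed)
    model, power = [], []
    for _ in range(n_traces):
        # Hamming distance of each byte register: HW(old XOR new)
        hd = [hamming_weight(rng.getrandbits(8) ^ rng.getrandbits(8))
              for _ in range(datapath_bytes)]
        model.append(hd[0])  # byte 0 is the targeted byte
        # Bytes 1..n-1 switch in the same cycle: algorithmic noise
        power.append(sum(hd) + rng.gauss(0.0, noise_sigma))
    return pearson(model, power)

def traces_to_detect(rho, z=3.719):
    """Textbook rule of thumb for the number of traces needed to tell a
    correlation rho apart from zero (z = 3.719 is about 0.9999 confidence)."""
    return 3 + 8 * (z / math.log((1 + rho) / (1 - rho))) ** 2

if __name__ == "__main__":
    for name, width in (("serial, 8-bit datapath", 1),
                        ("parallel, 128-bit datapath", 16)):
        rho = leakage_correlation(width)
        print(f"{name}: rho = {rho:.3f}, traces ~ {traces_to_detect(rho):.0f}")
```

In this model the 15 non-targeted bytes of the parallel datapath cut ρ to roughly a quarter of the serial value, which is why a designer who serializes to save area and power should re-evaluate leakage afterwards.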
Design Tradeoffs
[Bar chart: normalized area and power for Parallel AES, Serial AES and SIMON]

| Design | Area | Power | Latency (#cycles) | MTD |
|---|---|---|---|---|
| High performance parallel AES | 1 | 1 | 1 | 1 |
| Compact serial AES | 0.1 | 0.4 | 125 | 0.05 |
| SIMON | 0.02 | 0.08 | 1150 | 0.05 |

MTD: minimum-traces-to-disclosure
Low-power achieved by serialization and hardware re-use can degrade the resistance to side-channel attack.
Counter-Measures Against Power Attacks
[Diagram labels: Key, Plain Text, Encryption Algorithm Design, Switching Activity, Current Pattern, Measurement, Recorded Trace]
• Insert NOPs, Masking, Randomizing
• Logic styles, Current Equalizer, Package PDN, Noise Injection
• Device Noise, Thermal Noise, Measurement Noise
Overhead of Countermeasures
| Countermeasure | Type | Area* | Perf.* |
|---|---|---|---|
| Random Order Execution | Arch. | 15k | NA |
| Multiprocessor Arch | Arch. | 2X | 0.4% |
| Random Isomorphism | Arch. | 2.5-3X | 50% |
| PDDL/WDDL | Logic | 2.3X | NA |
| MDPL | Logic | 4-5X | 50% |
| iMDPL | Logic | 18-19X | 70% |
| Current Equalizer | Physical | 1.25X | 50% |
| Clock Randomization | Physical | 1.1X | NA |

*The factors are obtained from corresponding references

• Most of the commercially used countermeasures (DDL, MDPL, iMDPL, etc.) have appreciable cost to area, power, and/or performance
Design Challenge
[Diagram: Counter-Measure Design Domain, with Area Overhead, Power Overhead and Performance Overhead]
Low-power requirement is a new challenge to design power-attack secure crypto engines
Low-power techniques provide new avenues to improve power-attack resistance of crypto engines
Low-power Techniques for Power Attack Protection
Illustrative examples
• Low-voltage and adaptive circuits for power attack protection
• Integrated voltage regulators for power attack protection
Clock Randomization for Power Attack Security
[Circuit diagrams: Random Clock and Random Phase Shift. Labels: CLKIN, DELAY0 … DELAYn-1, CLK0 … CLKn-1, PRNG, clock MUX, D flip-flops, XOR, CLKOUT]
o With randomization of clock edges, the processing time/instant of critical instructions can be randomized
o Techniques: Random Clock; Random Phase Shift; Globally Async Locally Sync Clocking (GALS)

| Design | Power (mW) | MTD (# of traces) |
|---|---|---|
| AES unprotected | 87.8 | 10k |
| Random Clock | 105.1 (+20%) | >300k (>30x) |
| Random Phase Shift | 105.4 (+20%) | >300k (>30x) |

[Plot annotation: No Attack]
Ref: Renato Menicocci et al., "Experiments on Two Clock Countermeasures against Power Analysis Attacks", MIXDES'14
Ref: Rafael L. Soares et al., "A Robust Architectural Approach for Cryptographic Algorithms using GALS Pipelines", DATC'11
Exploiting DVFS for Power Attack Protection
• DVFS techniques, widely used for power management, can be exploited against SCA
• V/F registers store random combinations of VDD and frequency
• Design parameters are the number of V/F pairs and the time interval between transitions
• Resistance to power attack demonstrated with increased trace entropy

| Configuration | Energy Overhead | Time Overhead | Power Trace Entropy (bits) | Time Trace Entropy (bits) |
|---|---|---|---|---|
| Without DVFS | 0 | 0 | 4.96 | 0 |
| With DVFS | -27% | 16% | 5.42 | 6.02 |

Ref: Shengui Yang et al., "Power Attack Resistant Crypto System Design: A Dynamic Voltage and Frequency Switching Approach", DATE'05
[Block diagram: DVFS Scheduler, DVFS Feedback Loop, Desired V/F Register, Timing Information from OS, Encryption Engine/CPU]
Adaptive Circuits for Low-power Operation under Noise
AC: Adaptive Clocking
TCKP (= nTCKIN) tracks the instantaneous noise
[Timing diagram: CKIN, TCKIN, noise, TCKP (with noise), TCKP (w/o noise)]
[Block diagram: pipeline with programmable time-borrowing. Labels: PTDN, n, CG mode control, clock buffers, CLKi, CK, EN, Mode control, VCO, Clock Modulator, Vcontrol, CKp, power gate, VDD, CKIN]
Time-borrowing and Clock gating/stretching
K. Chae and S. Mukhopadhyay, TCAS 2014, TCAS-II 2012, TCAS-II 2014
Can Adaptive Circuits help in Power Attack Protection?
[Bar chart: voltage (V) for Conv., PTB, and PTB + AC; series: Tolerable Voltage Droop, Min. Op. Voltage]
Low-power Techniques for Power Attack Protection
Illustrative examples
• Low-voltage and adaptive circuits for power attack protection
• Integrated voltage regulators for power attack protection
Power Delivery and Low-power Operation
[Plot: current or voltage vs. time, showing a current step and a voltage droop]
Advantages of Integrated Voltage Regulators
§ IVRs eliminate R/L/C parasitics of power traces in package and PCB
§ DC-DC conversion on the processor chip (buck converter)
§ Less current through package traces => less power loss in PCB
§ Faster transient response reduces power supply noise
§ Need less voltage margin => better power efficiency
§ Faster output voltage transition
§ Allow more frequent power-state transitions
[Diagram: 3.3V or higher → IVR, Buck (Down-Conversion) → 1.2V → Encryption Engine, inside the Integrated Circuit]
Existing Systems with Off-chip Voltage Regulators
[Diagram: 3.3V → Off-chip Voltage Regulation Module (VRM) → 1.2V → Encryption Engine in the Integrated Circuit]
Mount power attack at Vdd/GND pins
Power Attack Protection using Integrated Voltage Regulators
Inductive IVR
• Buck (Down-Conversion): 3.3V or higher → IVR → 1.2V → Encryption Engine (Integrated Circuit)
• Boost (Up-Conversion): Energy Harvester, 20mV - 100mV → IVR → 1.2V → Encryption Engine (Integrated Circuit)
• Mount power attack at IVR inputs
Integrated Low-Dropout-Regulator (Analog/Digital)
• VRM → 1.3V → LDO → 1.2V → Encryption Engine (Integrated Circuit)
• Mount power attack at LDO inputs
IVR for Power Attack Protection
[Diagram labels: Plain Text, Key, Encryption Algorithm, Physical Design, Package, Measurement]
Leveraging IVR for Power Attack Protection
[Diagram labels: Plain Text, Key, Encryption Algorithm, Physical Design, Raw Current, Voltage Regulator, Transformed Current, Package, Measurement]
Integrated Voltage Regulator: Low-Drop-Out Regulators, Inductive VR
An Example of Fully Integrated Inductive Voltage Regulator
• Frequency dependent transfer function of the loop changes small signal load current
• Addition of pulsating current at the switching frequency
M. Kar et al., CICC 2014, GOMACTECH 2014, TCAD (under prep)
Why IVR-based Countermeasure?
Case study of a 128-bit AES engine
[Plots: load current (A) for one AES encryption, with the relevant information (1st SBOX operation) marked; measured IVR input current (A, with package), showing pulsating current at the switching frequency (FSW)]
Correlation with load current: µ: 0.048, σ: 0.02
• IVR introduces a non-linear transformation in the load current before the trace is measured at the inputs.
• The input current is weakly correlated with the AES load current.
• However, low correlation ≠> no attack
M. Kar et al., CICC 2014, GOMACTECH 2014, IEEE TCAD (under prep)
Correlation Power Attack (CPA)
[Plots: CPA on Raw AES Current (MTD ~ 500) and on Transformed AES Current through PDN (MTD ~ 500)]
CPA attack was successful without IVR
CPA with IVR
• Design 1, BW 62MHz: MTD ~ 500
• Design 2, BW 55MHz: No attack was possible with 20000 traces
IVR design can be tuned to enhance power attack resistance
Inductive IVR Design Space Exploration
| BW (MHz) | L (nH) | C (uF) |
|---|---|---|
| 48 | 5 | 10 |
| 55 | 5 | 7.5 |
| 62 | 4 | 7.5 |
| 88 | 3 | 5 |

[Diagram: IVR Design Space, with Power Efficiency, Transient Performance, Cost of Integration (increasing difficulty of integration) and Information Leakage]
[Plots: normalized settling time vs. bandwidth (MHz); normalized power loss (PL) vs. bandwidth (MHz). Annotations: Improved Power Efficiency, Improved Transient Response, Improved Power Attack Resistance]
Settling time: Time the IVR output takes to settle after a sharp load transient (10mA to 500mA)
Power Loss: Summation of conduction, ripple and switching losses in IVR
Countermeasure using Analog Low-Drop-Out Regulator
[Plots: CPA on AES Input Current: MTD ~25; CPA on LDO Input Current: No Attack for 20k traces]
Overhead Analysis of Analog LDO-based Protection

| Area | Power | Performance |
|---|---|---|
| 1.4% | 5% (active), 500nW (stby) | 0.4% |

A. Singh et al., ISLPED 2015
Conclusion
§ Securing power constrained devices is a major challenge for current and future embedded systems.
§ Low power constraints can be a bottleneck to enabling strong encryption schemes and/or countermeasures.
§ Low-power techniques provide new avenues to enhance countermeasures to attacks.
What do low power requirements mean for secure hardware?
New opportunities for embedded systems security
Acknowledgement
PhD Students
§ Monodeep Kar, GREEN Lab, ECE, Gatech
§ Arvind Singh, GREEN Lab, ECE, Gatech
Industrial Collaborators
§ Vivek De, Intel Labs, Hillsboro, OR
§ Anand Rajan, Intel Labs, Hillsboro, OR
Academic Collaborators
§ Marilyn Wolf, ECE, Gatech
§ Swarup Bhunia, ECE, UFL