Secure Logic Styles
ECRYPT II summer school on Design and Security of Cryptographic Algorithms and Devices
1. June 2011
Amir Moradi
Embedded Security Group

Agenda
Power Consumption Characteristics of CMOS Circuits
  – Glitches
Solutions in Hardware
  – Logic Styles
  – Dual-Rail Pre-charge concept
  – Examples
  – Problems
  – Overheads
  – Gains
ECRYPT II summer school | Albena | 1. June 2011 | Secure Logic Styles Amir Moradi

Power Consumption Characteristics of CMOS Circuits
The majority of today’s hardware is built using CMOS technology
  – Complementary Metal Oxide Semiconductor
  – It is immune in the presence of noise
  – It has very low static power consumption
    • The main power consumption comes from the dynamic part
  – The point where we get the “information leakage”
  – Let’s see the details of a CMOS gate to understand its behavior when the inputs change

Power Consumption of CMOS Circuits (cont’d)
A CMOS gate is built using two networks
  – Pull-up and pull-down
  – Pull-up part is made by PMOS transistors
    • Which can nicely pass HIGH (logical “1”)
  – Pull-down part by the NMOS transistors
    • Which can nicely pass LOW (logical “0”)
  – The networks should be made in a way that at each time instance when the inputs are stable, only one network is active.
    • Then, the static power consumption will be very low
  – An example: a CMOS NAND gate

Power Consumption of CMOS Circuits (cont’d)
Static power consumption
  – The transistors (NMOS and PMOS) are not perfectly blocking, so a leakage current flows
  – This issue becomes more and more relevant the smaller the technology used
  – Pull-up and pull-down networks have different leakage currents
    • Data-dependent static power
Dynamic power consumption
  – Short circuit current: When an input of the gate switches, the pull-up and pull-down networks are both conductive for a short period of time
    • Data-dependent dynamic power if the output changes
  – Charging current: Whenever the output switches, the output capacitance needs to be charged or discharged;
  – charging leads to a high current
    • Data-dependent dynamic power if the output changes from LOW to HIGH
[Physical-Security.org]

Power Consumption of CMOS Circuits
A CMOS inverter:
There are many other parameters which affect the power of a CMOS gate, but we ignore them here
Generally for PA attacks, we take the most significant part into account
  – In short, the power consumption depends on the processed data

Glitches
How about a larger circuit?
The power consumption of combinational circuits depends strongly on some other points
  – One is glitches
  – “Glitches in CMOS circuits are data dependent and have a strong impact on the dynamic power consumption” [DPABook]

Solutions in Hardware
We need a scheme to prevent glitches
  – a couple of methods in VLSI design to make glitch-free circuits
  – not enough to prevent data-dependency
    • e.g., number of toggles still will be different for different input changes
We need a scheme to prevent glitches and make the number of toggles fixed independent of input changes
  – Dual-Rail Pre-charge (DRP) logic

Dual-Rail Pre-charge (DRP) Logic
Each value (0/1) is represented by two lines
There are two phases: pre-charge/evaluation
Both lines go LOW in pre-charge phase
Only one line goes HIGH in evaluation phase
There will be no glitch
The number of toggles will be fixed
[Timing diagram: lines a1 and a0 over alternating pre-charge and evaluation phases]
To have constant power consumption, the capacitance loads of complementary signals must be the same
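
The fixed toggle count can be checked on a small circuit. The following is an added example, not part of the original slides: the three-gate netlist is hypothetical, the dual-rail gates pair AND with OR on the complementary rail, and the model counts transitions only, so the capacitance-balancing requirement above is outside its scope.

```python
from itertools import product

# Hypothetical netlist: (output, op, in1, in2). A leading "~" is an inverted
# input; in dual-rail logic that is just a swap of the two rails.
NETLIST = [("t1", "and", "a", "b"), ("t2", "and", "~a", "c"), ("q", "or", "t1", "t2")]
INPUTS = ("a", "b", "c")

def single_rail(values):
    """Evaluate the netlist as ordinary CMOS; returns every wire value."""
    w = dict(values)
    def rd(n):
        return 1 - w[n[1:]] if n.startswith("~") else w[n]
    for out, op, x, y in NETLIST:
        w[out] = rd(x) & rd(y) if op == "and" else rd(x) | rd(y)
    return w

def dual_rail(values):
    """Evaluate with a (true, false) rail pair per wire.
    values=None models the pre-charge phase: every input rail is LOW."""
    w = {n: ((values[n], 1 - values[n]) if values else (0, 0)) for n in INPUTS}
    def rd(n):
        return w[n[1:]][::-1] if n.startswith("~") else w[n]
    for out, op, x, y in NETLIST:
        (xt, xf), (yt, yf) = rd(x), rd(y)
        # AND on the true rail is paired with OR on the false rail, and vice versa
        w[out] = (xt & yt, xf | yf) if op == "and" else (xt | yt, xf & yf)
    return w

def toggles_single(prev, cur):
    """Wires that change value when the inputs go from prev to cur."""
    p, c = single_rail(prev), single_rail(cur)
    return sum(p[n] != c[n] for n in c)

def toggles_dual(cur):
    """Rail transitions in one pre-charge -> evaluation -> pre-charge cycle."""
    p, e = dual_rail(None), dual_rail(cur)
    rising = sum(p[n][i] != e[n][i] for n in e for i in (0, 1))
    return 2 * rising  # each rail that rose falls again in the next pre-charge

def toggle_profiles():
    """Sets of toggle counts seen over all inputs: (single-rail, dual-rail)."""
    vecs = [dict(zip(INPUTS, bits)) for bits in product((0, 1), repeat=3)]
    single = {toggles_single(p, c) for p in vecs for c in vecs}
    return single, {toggles_dual(c) for c in vecs}
```

The single-rail set contains several different counts depending on the input transition, while the dual-rail set holds one value: two transitions per wire per cycle.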

DRP Logic (first example, SABL)
Sense Amplifier Based Logic (SABL) [TAV02]
Constant power consumption for each gate
Independent Time-Of-Evaluation (TOE)
  – A gate evaluates when all complementary signals are valid
All gates are connected to CLK and precharged all together
Full-custom design tools should be used
Overheads
  – ~double area
  – half speed
  – much more energy consumption

SABL (cont’d)
AND/NAND n-type SABL gate:
CLK=0, pre-charge phase
  – All signals go LOW
CLK -> 1, start of evaluation phase
q or qbar signal goes LOW when both complementary a and b signals are valid
Requirements
  – The same capacitance for every comp. internal signal
  – The same resistance for every comp. path
Hard to achieve…

DRP Logic (second example, WDDL)
Wave Dynamic Differential Logic [TV04]
The same idea as SABL but using standard CMOS library
AND/NAND WDDL gate:
  – much simpler than SABL
  – much smaller than SABL
  – less resistant against DPA attacks
WDDL flip-flop:

WDDL (cont’d)
Why less resistance than SABL?
  – Complementary capacitance loads cannot be balanced
  – Memory effect: charges stored in internal nodes of the gates are data-dependent
  – Time-Of-Evaluation is also data-dependent
  – Also known as early propagation effect
    • A gate evaluates the output before all complementary signals have arrived
  – For example, one AND gate may make the output 0 once seeing that one input is 0

Current Mode Logic
Instead of the voltage levels in CMOS, the current passing through the gate defines the logical value of the gate output
In theory sum of the currents in a complementary circuit is data-independent
Static energy consumption was a problem, solved in DyCML (Dynamic Current Mode Logic) [AE01]
Like SABL needs full-custom design flow
Capacitive loads also affect
Dedicated placement and routing for complementary signals/transistors should be used

Randomization in Gate Level
Each internal signal is masked by a mask bit
Some schemes used one mask bit per internal signal
  – Very high complexity
  – Very high area and power overhead
Others used a single mask bit for the whole circuit
  – Random Switching Logic
In combination with the DRP logic, they have made
  – Dual-rail Random Switching Logic
  – Masked Dual-rail Precharge Logic
  – …

RSL
Random Switching Logic [SSI04]
A NAND(NOR) RSL gate:
r is a random bit changing every CLK cycle
en signal commands the gate to evaluate
no duality is used
  – Number of toggles is data-dependent
    • Random bit is used to change this dependency
Glitches are prevented if the timing of en signal for each gate at each depth level is carefully observed

DRSL
Dual-rail Random Switching Logic [CZ06]
The dual-rail version of RSL
AND/NAND DRSL gate:
provides a dedicated circuit to handle en signal of each gate
prevents early propagation in evaluation phase
  – but leads to information leakage in precharge phase
can be implemented by semi-custom design tools

MDPL
Masked Dual-rail Precharge Logic [PM05]
can be seen as masked version of WDDL
can be implemented by standard CMOS library
Main block is a majority gate, the AND/NAND gate:
Mask signal m changes every clock cycle and is shared between all gates
suffers from early propagation effect
  – Practical investigation showed strong leakage
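
The early propagation effect named on the WDDL slide and again here can be modelled for both gate types. This is an added example, not part of the original slides: the input arrival times are constructed values, and the MDPL gate is modelled as q_m = MAJ(a_m, b_m, m) with a_m = a XOR m and b_m = b XOR m.

```python
from itertools import product

def maj(x, y, z):
    """3-input majority, the core cell of an MDPL AND gate."""
    return (x & y) | (x & z) | (y & z)

# gate name -> (function driving the true rail, function driving the false rail)
GATES = {
    "WDDL AND": (lambda a, b: a & b, lambda a, b: a | b),
    "MDPL AND": (maj, maj),  # inputs are (a_m, b_m, m); majority is self-dual
}

def eval_time(gate, bits, arrival):
    """Time at which an output rail first goes HIGH after pre-charge.

    bits[i] is the logical value on input i, arrival[i] the (constructed)
    time at which that input's active rail rises.
    """
    f_true, f_false = GATES[gate]
    true_rails = [0] * len(bits)
    false_rails = [0] * len(bits)
    for t, i in sorted(zip(arrival, range(len(bits)))):
        (true_rails if bits[i] else false_rails)[i] = 1
        if f_true(*true_rails) or f_false(*false_rails):
            return t  # gate fires, possibly before the remaining inputs arrive
    raise ValueError("no output rail rose")

def wddl_profile(arrival=(1, 3)):
    """Evaluation time of a WDDL AND gate for every input pair (a, b)."""
    return {ab: eval_time("WDDL AND", ab, arrival) for ab in product((0, 1), repeat=2)}

def mdpl_profile(arrival=(1, 3, 2)):
    """Evaluation time of an MDPL AND gate, keyed by unmasked (a, b) and mask m."""
    return {(a, b, m): eval_time("MDPL AND", (a ^ m, b ^ m, m), arrival)
            for a, b, m in product((0, 1), repeat=3)}

def mdpl_is_masked_and():
    """q_m = MAJ(a_m, b_m, m) must equal (a AND b) XOR m for every input."""
    return all(maj(a ^ m, b ^ m, m) == (a & b) ^ m
               for a, b, m in product((0, 1), repeat=3))

if __name__ == "__main__":
    print(wddl_profile())
    print(mdpl_profile())
```

With these arrival times the WDDL gate fires at time 1 whenever a = 0 and at time 3 otherwise, and the MDPL gate fires at time 2 when the unmasked a is 0 and at time 3 when it is 1, whatever the mask m is.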

iMDPL
Improved version of MDPL [PKZM07]
  – to avoid the early propagation effect
An Evaluation-Precharge Detection Unit (EPDU) added to each MDPL gate:
Very high area overhead
Practical investigations showed
  – decreased leakage
  – dependency of the resistance on the imbalanced complementary wires of the mask
  – still can be attacked

More Logic Styles
More DRL Logics [BGLT06], [SMBY05]
Asynchronous Logics [KSS+05], [KST06]
  – have the same problem of imbalanced capacitances
Charge Recovery Logics [TV042], [KM+08]
  – made indeed to make low-power circuits
  – later their DPA-resistance was observed
  – a full-custom design process is required
  – area overhead is quite high while energy consumption gets significantly decreased

Some Remarks
Some of the logic styles only make the circuit complex without adding sensible resistance against DPA attacks
  – since mostly evaluated in simulation domain
Some make the attacks harder
  – but the area/time/energy overheads are very high
    • which prevents designers from adopting them
The community somehow lost attention in this direction
  – since it is believed that the gain of using such a logic style is much less than the difficulties, complexities, and overheads
  – also the available simulation tools are not appropriate to be used in security evaluations of logic styles
Motivation (PhD candidates?)
  – More research in this area is required!

References
[DPABook] S. Mangard, E. Oswald, T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards, Springer 2007.
[TAV02] K. Tiri, M. Akmal, I. Verbauwhede. A Dynamic and Differential CMOS Logic with Signal Independent Power Consumption…, ESSCIRC 2002, pp. 403-406, 2002.
[TV04] K. Tiri, I. Verbauwhede. A Logic Level Design Methodology for a Secure DPA …, DATE 2004, pp. 246-251, 2004.
[AE01] M.W. Allam, M.I. Elmasry. Dynamic Current Mode Logic…, IEEE Journal of Solid-State Circuits, 36(3), pp. 550-558, 2001.
[SSI04] D. Suzuki, M. Saeki, T. Ichikawa. Random Switching Logic: A Countermeasure against DPA…, ePrint Archive, 2004/346.
[CZ06] Z. Chen, Y. Zhou. Dual-Rail Random Switching Logic: A Countermeasure to Reduce…, CHES 2006, pp. 242–254.
[PM05] T. Popp, S. Mangard. Masked Dual-Rail Pre-charge Logic: DPA-Resistance…, CHES 2005, pp. 172-186.
[PKZM07] T. Popp, M. Kirschbaum, T. Zefferer, S. Mangard. Evaluation of the Masked Logic Style MDPL on a Prototype Chip, CHES 2007, pp. 81–94.
[BGLT06] M. Bucci, L. Giancane, R. Luzzi, A. Trifiletti. Three-Phase Dual-Rail Pre-Charge Logic, CHES 2006, pp. 232-241.
[SMBY05] D. Sokolov, J. Murphy, A. Bystrov, A. Yakovlev. Design and Analysis of Dual-Rail Circuits for Security Applications. IEEE Tran. on Computers, 54(4), pp. 449-460, 2005.
[KSS+05] K.J. Kulikowski, M. Su, A.B. Smirnov, A. Taubin, M.G. Karpovsky, D. MacDonald. Delay Insensitive Encoding and Power Analysis…, ASYNC 2005, pp. 116-125.
[KST06] K.J. Kulikowski, A.B. Smirnov, A. Taubin. Automated Design of Cryptographic Devices Resistant to Multiple Side-Channel Attacks, CHES 2006, pp. 399-413.
[TV042] K. Tiri, I. Verbauwhede. Charge Recycling Sense Amplifier Based Logic: Securing Low Power…, ESSCIRC 2004, pp. 179-182.
[KM+08] M. Khatir, A. Moradi, A. Ejlali, M.T. Manzuri, M. Salmasizadeh. A Secure and Low-Energy Logic Style using Charge Recovery Approach, ISLPED 2008, pp. 259-264.