side-channel leakage through static power · side-channel leakage through static power ......
TRANSCRIPT
Side-Channel Leakage through Static Power
Should We Care about in Practice?
22. April 2014
Amir Moradi
Ruhr University Bochum
2
Embedded Security Group
Dynamic vs. Static Power
Dynamic power consumption 𝑃𝑑 = 𝐶𝑝𝑑 × 𝑉2 × 𝑓 × 𝛼
𝐶𝑝𝑑 : dynamic power dissipation capacitance
𝑉 : supply voltage
𝑓 : frequency
𝛼 : switching activity
Static power consumption 𝐼𝑙 = 𝑖𝑠 𝑒 𝑞×𝑉 / 𝑘×𝑇 − 1
𝑖𝑠 : reverse saturation current
𝑞, 𝑘 : electronic charge, Boltzmann’s constant
𝑉 : diode voltage
𝑇 : temperature
NXP | Hamburg | 22. April 2014 Amir Moradi
3
Embedded Security Group
Dynamic vs. Static Power
Dynamic power consumption 𝑃𝑑 = 𝐶𝑝𝑑 × 𝑉2 × 𝑓 × 𝛼
𝐶𝑝𝑑 : dynamic power dissipation capacitance
𝑉 : supply voltage
𝑓 : frequency
𝛼 : switching activity
Static power consumption 𝐼𝑙 = 𝑖𝑠 𝑒 𝑞×𝑉 / 𝑘×𝑇 − 1
𝑖𝑠 : reverse saturation current
𝑞, 𝑘 : electronic charge, Boltzmann’s constant
𝑉 : diode voltage
𝑇 : temperature
NXP | Hamburg | 22. April 2014 Amir Moradi
4
Embedded Security Group
Dynamic vs. Static Power
Dynamic power consumption
– The main considered side channel (CMOS concept)
– Easy to measure
– Effective
– …
Static power consumption
– getting major concern for VLSI community
– introduced as a side channel by simulation results
– also called Leakage Power Analysis (LPA)
NXP | Hamburg | 22. April 2014 Amir Moradi
5
Embedded Security Group
What has been reported?
Simulation results (2-input AND gate)
L. Lin and W. Burleson. Leakage-based differential power analysis (LDPA) on sub-90nm
CMOS cryptosystems. ISCAS 2008.
NXP | Hamburg | 22. April 2014 Amir Moradi
6
Embedded Security Group
What has been reported?
Simulation results
standard gates (130nm)
J. Giorgetti, G. Scotti, A. Simonetti, and A. Trifiletti. Analysis of data dependence of leakage current in CMOS cryptographic hardware. Great Lakes Symp. on VLSI 2007.
NXP | Hamburg | 22. April 2014 Amir Moradi
7
Embedded Security Group
What has been reported?
Simulation results, Serpent Sbox
M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti. Leakage Power Analysis Attacks: A Novel Class of Attacks to Nanometer Cryptographic Circuits. IEEE Trans. on Circuits and
Systems, 2010.
NXP | Hamburg | 22. April 2014 Amir Moradi
8
Embedded Security Group
What has been reported?
Practical results (SCARD chip 130 nm)
8051 uC, 25 RAM cells
(estimated) distribution of
leakage current for all
256 values stored in RAM
J. Giorgetti, G. Scotti, A. Simonetti, and A. Trifiletti. Analysis of data dependence of leakage current in CMOS cryptographic hardware. Great Lakes Symp. on VLSI 2007.
NXP | Hamburg | 22. April 2014 Amir Moradi
9
Embedded Security Group
What has been reported?
Practical results (100 nm)
M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti. Leakage Power Analysis Attacks: A Novel Class of Attacks to Nanometer Cryptographic Circuits. IEEE Trans. on Circuits and
Systems, 2010.
NXP | Hamburg | 22. April 2014 Amir Moradi
16
Embedded Security Group
Measurement Setup (static)
NXP | Hamburg | 22. April 2014 Amir Moradi
LeCroy AP 033
x10 internal amplifier
17
Embedded Security Group
Targets
NXP | Hamburg | 22. April 2014 Amir Moradi
SASEBO-GII, Virtex-5, 65nm
18
Embedded Security Group
Targets
NXP | Hamburg | 22. April 2014 Amir Moradi
SASEBO-GII, Virtex-5, 65nm
SAKURA-G, Spartan-6, 45nm
19
Embedded Security Group
Targets
NXP | Hamburg | 22. April 2014 Amir Moradi
SASEBO-GII, Virtex-5, 65nm
SAKURA-G, Spartan-6, 45nm
SAKURA-X, Kintex-7, 28nm
21
Embedded Security Group
Difficulties
Highest vertical accuracy (200 μV/div)
Noise
– Sampling rate 1GS/s
– 20MHz bandwidth limit
– Long trace (10ms -> 10 M samples), average
• A singular value as static power (leakage current)
Super sensitive to temperature
– Thermobox
NXP | Hamburg | 22. April 2014 Amir Moradi
22
Embedded Security Group
Preliminary Tests
Contribution of Registers’ content
Contribution of Connections (Switch Box)
Contribution of Look-up tables (LUT)
An AES Sbox
A masked AES Sbox
NXP | Hamburg | 22. April 2014 Amir Moradi
23
Embedded Security Group
Preliminary Tests (Register)
14,400 registers
The same measurement methodology for all targets
NXP | Hamburg | 22. April 2014 Amir Moradi
24
Embedded Security Group
Preliminary Tests (Connection)
14,400 registers + Loop
NXP | Hamburg | 22. April 2014 Amir Moradi
25
Embedded Security Group
Preliminary Tests (LUT)
14,400 registers + Loop + LUT
NXP | Hamburg | 22. April 2014 Amir Moradi
26
Embedded Security Group
Preliminary Tests (summary)
NXP | Hamburg | 22. April 2014 Amir Moradi
Temperature of the tests/devices was not the same
– results vary by slight temperature change
27
Embedded Security Group
Preliminary Tests (Sbox)
Single Key XOR + AES Sbox
Canright’s design
SAKURA-X (Kintex-7)
Due to temperature change
– Two consecutive measurements of RESET and DATA
– LDATA-LRESET as the leakage corresponding to DATA
Measure right before saving the Sbox output in register
Two placements for Sbox and output registers distance
NXP | Hamburg | 22. April 2014 Amir Moradi
28
Embedded Security Group
Preliminary Tests (Sbox)
10,000 measurements for a single key and random input
CPA by Hamming weight model (Sbox output)
– not a necessarily perfect model
• depends on placement and routing
– better model by e.g., profiling (moments-correlating DPA)
NXP | Hamburg | 22. April 2014 Amir Moradi
29
Embedded Security Group
Preliminary Tests (Masked Sbox)
Boolean-masked input
Single Key XOR
Masked AES Sbox
– Canright’s design
SAKURA-X (Kintex-7)
The same methodology as before (on unmasked Sbox)
– no specific placement
NXP | Hamburg | 22. April 2014 Amir Moradi
30
Embedded Security Group
Preliminary Tests (Masked Sbox)
50,000 measurements for a single key, random input, random masks
CPA by Hamming weight model (Sbox output)
– 1st and 2nd order (by mean-free square)
NXP | Hamburg | 22. April 2014 Amir Moradi
31
Embedded Security Group
Preliminary Tests (Masked Sbox)
The known 1st-order leakage of the underlying masked Sbox
– 1st-order attack should work
better model by correlation collision attack
– Two sets of 50,000 measurements for two different keys
NXP | Hamburg | 22. April 2014 Amir Moradi
32
Embedded Security Group
More Realistic Scenario?
Masked and shuffled AES encryption
32-bit architecture
Boolean masking
Column shuffling and Sbox instance shuffling
Measure when the Sbox outputs (of a column) is ready to be saved in the state register
NXP | Hamburg | 22. April 2014 Amir Moradi
33
Embedded Security Group
Masked Shuffled AES
Test by PRNG off (all masks zero) 100,000 measurements
Real attack (PRNG on) 1,000,000 measurements
NXP | Hamburg | 22. April 2014 Amir Moradi
34
Embedded Security Group
Issues
Main energy-consuming component: connections in FPGAs
– not the same in case of ASICs
Dedicated measurement setup
– low-noise DC amplifier
– ability to control the CLOCK
• Many other attacks, e.g., fault attacks, are possible
Appropriate box to precisely control the temperature
– not a thermobox
Much information about the device under attack is required
– e.g., which clock cycle to stop the CLOCK and measure
Much longer measurement process vs. dynamic
Much lower SNR compared to dynamic
NXP | Hamburg | 22. April 2014 Amir Moradi
35
Embedded Security Group
Thanks!
Any questions?
Embedded Security Group, Ruhr University Bochum, Germany