side-channel leakage through static power · side-channel leakage through static power ......

Side-Channel Leakage through Static Power

Should We Care about in Practice?

22. April 2014

Amir Moradi

Ruhr University Bochum

2

Embedded Security Group

Dynamic vs. Static Power

Dynamic power consumption 𝑃𝑑 = 𝐶𝑝𝑑 × 𝑉2 × 𝑓 × 𝛼

𝐶𝑝𝑑 : dynamic power dissipation capacitance

𝑉 : supply voltage

𝑓 : frequency

𝛼 : switching activity

Static power consumption 𝐼𝑙 = 𝑖𝑠 𝑒 𝑞×𝑉 / 𝑘×𝑇 − 1

𝑖𝑠 : reverse saturation current

𝑞, 𝑘 : electronic charge, Boltzmann’s constant

𝑉 : diode voltage

𝑇 : temperature

NXP | Hamburg | 22. April 2014 Amir Moradi

3



Dynamic power consumption 𝑃𝑑 = 𝐶𝑝𝑑 × 𝑉2 × 𝑓 × 𝛼

𝐶𝑝𝑑 : dynamic power dissipation capacitance

𝑉 : supply voltage

𝑓 : frequency

𝛼 : switching activity

Static power consumption 𝐼𝑙 = 𝑖𝑠 𝑒 𝑞×𝑉 / 𝑘×𝑇 − 1

𝑖𝑠 : reverse saturation current

𝑞, 𝑘 : electronic charge, Boltzmann’s constant

𝑉 : diode voltage

𝑇 : temperature


4



Dynamic power consumption

– The main considered side channel (CMOS concept)

– Easy to measure

– Effective

– …

Static power consumption

– getting major concern for VLSI community

– introduced as a side channel by simulation results

– also called Leakage Power Analysis (LPA)


5


What has been reported?

Simulation results (2-input AND gate)

L. Lin and W. Burleson. Leakage-based differential power analysis (LDPA) on sub-90nm

CMOS cryptosystems. ISCAS 2008.


6



Simulation results

standard gates (130nm)

J. Giorgetti, G. Scotti, A. Simonetti, and A. Trifiletti. Analysis of data dependence of leakage current in CMOS cryptographic hardware. Great Lakes Symp. on VLSI 2007.


7



Simulation results, Serpent Sbox

M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti. Leakage Power Analysis Attacks: A Novel Class of Attacks to Nanometer Cryptographic Circuits. IEEE Trans. on Circuits and

Systems, 2010.


8



Practical results (SCARD chip 130 nm)

8051 uC, 25 RAM cells

(estimated) distribution of

leakage current for all

256 values stored in RAM

J. Giorgetti, G. Scotti, A. Simonetti, and A. Trifiletti. Analysis of data dependence of leakage current in CMOS cryptographic hardware. Great Lakes Symp. on VLSI 2007.


9



Practical results (100 nm)

M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti. Leakage Power Analysis Attacks: A Novel Class of Attacks to Nanometer Cryptographic Circuits. IEEE Trans. on Circuits and

Systems, 2010.


10


Measurement Setup (dynamic)


11




12




13




14




15




16


Measurement Setup (static)


LeCroy AP 033

x10 internal amplifier

17


Targets


SASEBO-GII, Virtex-5, 65nm

18


Targets



SAKURA-G, Spartan-6, 45nm

19


Targets



SAKURA-G, Spartan-6, 45nm

SAKURA-X, Kintex-7, 28nm

20


Measurement Methodology


21


Difficulties

Highest vertical accuracy (200 μV/div)

Noise

– Sampling rate 1GS/s

– 20MHz bandwidth limit

– Long trace (10ms -> 10 M samples), average

• A singular value as static power (leakage current)

Super sensitive to temperature

– Thermobox


22


Preliminary Tests

Contribution of Registers’ content

Contribution of Connections (Switch Box)

Contribution of Look-up tables (LUT)

An AES Sbox

A masked AES Sbox


23


Preliminary Tests (Register)

14,400 registers

The same measurement methodology for all targets


24


Preliminary Tests (Connection)

14,400 registers + Loop


25


Preliminary Tests (LUT)

14,400 registers + Loop + LUT


26


Preliminary Tests (summary)


Temperature of the tests/devices was not the same

– results vary by slight temperature change

27


Preliminary Tests (Sbox)

Single Key XOR + AES Sbox

Canright’s design

SAKURA-X (Kintex-7)

Due to temperature change

– Two consecutive measurements of RESET and DATA

– LDATA-LRESET as the leakage corresponding to DATA

Measure right before saving the Sbox output in register

Two placements for Sbox and output registers distance


28


Preliminary Tests (Sbox)

10,000 measurements for a single key and random input

CPA by Hamming weight model (Sbox output)

– not a necessarily perfect model

• depends on placement and routing

– better model by e.g., profiling (moments-correlating DPA)


29


Preliminary Tests (Masked Sbox)

Boolean-masked input

Single Key XOR

Masked AES Sbox

– Canright’s design

SAKURA-X (Kintex-7)

The same methodology as before (on unmasked Sbox)

– no specific placement


30



50,000 measurements for a single key, random input, random masks

CPA by Hamming weight model (Sbox output)

– 1st and 2nd order (by mean-free square)


31



The known 1st-order leakage of the underlying masked Sbox

– 1st-order attack should work

better model by correlation collision attack

– Two sets of 50,000 measurements for two different keys


32


More Realistic Scenario?

Masked and shuffled AES encryption

32-bit architecture

Boolean masking

Column shuffling and Sbox instance shuffling

Measure when the Sbox outputs (of a column) is ready to be saved in the state register


33


Masked Shuffled AES

Test by PRNG off (all masks zero) 100,000 measurements

Real attack (PRNG on) 1,000,000 measurements


34


Issues

Main energy-consuming component: connections in FPGAs

– not the same in case of ASICs

Dedicated measurement setup

– low-noise DC amplifier

– ability to control the CLOCK

• Many other attacks, e.g., fault attacks, are possible

Appropriate box to precisely control the temperature

– not a thermobox

Much information about the device under attack is required

– e.g., which clock cycle to stop the CLOCK and measure

Much longer measurement process vs. dynamic

Much lower SNR compared to dynamic


35


Thanks!

Any questions?

Embedded Security Group, Ruhr University Bochum, Germany

[email protected]

side-channel leakage through static power · side-channel leakage through static power ......

Documents