Concealing Secrets in Embedded Processor Designs
Hannes Gross, Manuel Jelinek, Stefan Mangard, Thomas Unterluggauer, and Mario Werner
Institute for Applied Information Processing and Communications, Graz University of Technology
This work in one slide…
o V-scale processor (RISC-V)
o Domain-Oriented Masking
o SCA protected V-scale
  o arbitrary protection level
  o flexible and updateable
  o transparent to software designers
  o open source: https://github.com/hgrosz/vscale_dom
This work in numbers…
                   Unprotected   1st-order       2nd-order       order d
LUTs 1)            2.6 k         4.1 k (+57%)    5.6 k (+37%)
registers 1)       1.0 k         1.8 k (+80%)    2.5 k (+39%)
random bits        0             64              192             32 · d(d + 1)
pipeline stages    3             4               4
1) for Xilinx Kintex-7 FPGA
Motivation
Masking is…
o very effective SCA countermeasure
o cumbersome
o error prone
o requires expertise
o lots of evaluation work for specific implementations
o decomposition of complex functions
o slows down the implementation
Boolean Masking from Different Perspectives
[Figure: Boolean masking shown from the "Masking" and "Sharing" perspectives]
Domain-Oriented Masking
[Figure: CIRCUIT (insecure) in Domain A and CIRCUIT (insecure) in Domain B, …; d + 1 domains]
Linear Operations
[Figure: Domain A, Domain B, …]
Nonlinear Operations
[Figure: Domain A, Domain B, Z]
Protecting Arbitrary Circuits
[Figure: CIRCUIT (insecure), transform]
d-th-Order Secure AND Gate
[Figure: DOM-indep multiplier]
1. Calculation
2. Resharing
3. Integration
1. Calculation
[Figure: DOM-indep multiplier, calculation step]
2. Resharing
[Figure: DOM-indep multiplier, resharing step]
3. Integration
[Figure: DOM-indep multiplier, integration step]
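The three steps of the secure AND gate, as an added Python simulation on 32-bit words (not code from the slides or from the vscale_dom repository). The slide equations did not survive extraction, so the term structure below follows the DOM-indep multiplier as it is commonly described and is an assumption about what they showed; all function names are chosen here.

```python
import secrets
from itertools import combinations

def share(x, d):
    """Split a 32-bit word into d + 1 Boolean shares, one per domain."""
    shares = [secrets.randbits(32) for _ in range(d)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]

def unshare(shares):
    """Recombine shares (only done here to check the result)."""
    out = 0
    for s in shares:
        out ^= s
    return out

def dom_and(a, b):
    """Shared AND of two sharings; returns (output shares, fresh random bits)."""
    n = len(a)  # n = d + 1 domains
    # One fresh 32-bit Z word per unordered pair of domains.
    z = {pair: secrets.randbits(32) for pair in combinations(range(n), 2)}
    q = []
    for i in range(n):
        # 1. Calculation: the inner-domain term uses only domain i's shares.
        acc = a[i] & b[i]
        for j in range(n):
            if j == i:
                continue
            # 2. Resharing: a cross-domain term is masked with Z before it
            #    enters domain i (in hardware it is also registered here).
            reshared = (a[i] & b[j]) ^ z[(min(i, j), max(i, j))]
            # 3. Integration: reshared terms are XORed into domain i's output.
            acc ^= reshared
        q.append(acc)
    # Each Z is used in exactly two domains, so it cancels on recombination.
    return q, 32 * len(z)
```

One 32-bit gate consumes 32 fresh bits at d = 1 and 96 at d = 2; the slide totals of 64 and 192 are twice that, which fits two Z words per cycle (an observation from the numbers, not a statement on the slides).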
RISC-V ISA
o free and open RISC ISA
o register sizes 32, 64 or 128 bit
o only base integer instructions (I, E) mandatory
o lots of extensions
  o multiplication/division (M)
  o atomic operations (A)
  o single- (F) and double-precision (D) floating point ops
  o compressed instructions (C)
  o extensions (X)
o no flags
V-scale Processor
o RV32IM instruction set
o 32 x 32-bit registers
o single-issue in-order 3-stage pipeline
o combined decode & execute stage
o write back stage with bypass functionality
o AHB-Lite interface either Harvard or von Neumann
o open source https://github.com/ucb-bar/vscale/
DOM Protected V-scale Processor
o High-level overview of changes
o Protected (shared) parts
  o “I” instructions
  o data memory interface
  o register file
o Unprotected parts
  o “M” instructions
  o instruction memory
  o instruction decoder
  o program counter
Protected ALU
• Linear functions
  • Shifts
  • XOR
• Nonlinear functions
  • AND (OR)
  • Adder
• Two fresh random Z’s
Protected Adder
• Kogge-Stone Adder
• Calculation split into “generate” and “propagate”
• Logarithmic runtime (init. + 5 steps + postproc.)
• Two Z shares
Results
Required Randomness
[Figure: random bits (0 to 640) versus protection order d (0 to 4)]
Influence on the Maximum Clock
[Figure: f_clk in MHz (0 to 60) versus protection order d (0 to 4)]
T-test – 1. Collect Traces for Constant Input
[Figure: input 0x0001020304…, DOM V-Scale, R, trace set A]
T-test – 2. Collect Traces for Constant Input
[Figure: input 0x??????????…, DOM V-Scale, R, trace set B]
T-test – 3. Calculate “t” Value
Null hypothesis: both trace sets have equal mean
[Equation: definition of t]
Pass criterion: |t| < 4.5 for > 99.999% confidence, otherwise fail
T-test – Result
[Figure: T-test result]
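The pass/fail decision from step 3, as an added Python example on constructed traces (not the authors' measurement setup or data). It uses Welch's t statistic and assumes set B is recorded with random inputs, as the 0x?????… placeholder suggests; the Hamming-weight leakage model, the 32-bit constant and the function names are assumptions.

```python
import random
from statistics import fmean, variance

THRESHOLD = 4.5  # pass criterion from the slide: |t| < 4.5

def welch_t(xs, ys):
    """Welch's t statistic for two sample sets with unequal variances."""
    return (fmean(xs) - fmean(ys)) / (
        variance(xs) / len(xs) + variance(ys) / len(ys)) ** 0.5

def hw(x):
    """Hamming weight of a word."""
    return bin(x).count("1")

def trace(value, masked, rng):
    """Constructed leakage: Hamming weight of each processed word plus noise.
    Unprotected: one sample point leaking the value itself.
    Masked (first order): two sample points, one per share."""
    if masked:
        m = rng.getrandbits(32)
        words = [value ^ m, m]
    else:
        words = [value]
    return [hw(w) + rng.gauss(0, 1) for w in words]

def max_abs_t(masked, n=2000, seed=1):
    """Largest |t| over all sample points for set A (constant) vs set B."""
    rng = random.Random(seed)
    fixed = 0x00010203  # constructed constant input for set A
    set_a = [trace(fixed, masked, rng) for _ in range(n)]
    set_b = [trace(rng.getrandbits(32), masked, rng) for _ in range(n)]
    # t is computed independently at every sample point of the trace.
    return max(abs(welch_t(col_a, col_b))
               for col_a, col_b in zip(zip(*set_a), zip(*set_b)))

def passes(masked):
    """Apply the slide's criterion to the constructed device model."""
    return max_abs_t(masked) < THRESHOLD
```

The unprotected model fails with |t| far above 4.5 and the masked model passes. A test of this kind only looks at each sample point on its own, so it says nothing about leakage that appears when points are combined.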
Conclusions
• SCA resistant RISC-V processor
• DOM for arbitrary protection level
Advantages
• more flexible
• transparent for SW designers
• inherently a lot of noise
• faster development of secure systems
• faster than SW based masking
Conclusions
Drawbacks
• requires a lot of randomness
• slower than dedicated HW solutions
• does not seal all leakage sources
The HECTOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052.
This work was partially supported by the TU Graz LEAD project "Dependable Internet of Things in Adverse Environments".
This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402).