HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel Power Resistance for Encryption Algo- rithms using Dynamic Partial Reconfiguration or SPREAD As a countermeasure to DPA, CPA and other types of side-channel attacks tech- niques referred to as SCA SPREAD changes the underlying hardware as a mechanism to reduce data correla- tions that are leveraged by SCA techiques Replicated primitives within AES, in particular, the SBOX, are synthesized to multi- ple implementations using a set of implementation diversity techniques During encryption/decryption, SBOX components are randomly selected and replaced dynamically on-the-fly with one of these diverse implementations Dynamic replacement on FPGAs is done via dynamic partial reconfiguration ( DPR ) A state machine reconfigures regions of the FPGA while the FPGA continues to execute encryption operations at full speed ECE UNM 1 (3/20/18)
HOST SCA Countermeasures II ECE 525 Introduction DPA depends on the underlying circuit implementation remaining invariant By changing the implementation characteristics (while preserving the functional behavior), the signal delays change Power trace behavior is directly related to the delay characteristics of the under- lying hardware Implementation diversity can be introduced by: • Circuit Level : A fine-grained approach adds capacitive loads to the existing wires of the encryption engine Circuit level technique change path delays in subtle ways, adding only 10’s of picoseconds to delays • Synthesis Directed : A course-grained approach changes components in the standard cell library and/or makes small inconsequential changes to the RTL or netlist CAD synthesis tools are then used to introduce diversity in the implementations Synthesis directed techniques create large, nanosecond level, changes in delay ECE UNM 2 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Architecture We propose a moving target architecture as a countermeasure to SCA SPREAD can be applied to any type of encryption algorithm that incorporates repli- cated primitives, e.g., the SBOX within the AES algorithm We use AES in our examples here AES has 16 SBOXs in its datapath which operate in parallel in custom ASIC and FPGA implementations SPREAD adds a 17th SBOX, and a set of shifters and MUXs shifters 8 8 8 8 17 DPR control SBOX 3 SBOX 17 SBOX 1 SBOX 2 signals 17 8 8 8 8 MUXs ECE UNM 3 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Architecture The 17th SBOX represents a hole in the datapath of AES that is dynamically recon- figured shifters 8 8 8 8 17 DPR control SBOX 3 SBOX 17 SBOX 1 SBOX 2 signals 17 8 8 8 8 MUXs A state machine controls the shifters and MUXs to move the hole to different loca- tions, e.g., the figure shows SBOX 2 is configured as the hole DPR is then used to replace SBOX 2 with, e.g., any one of 10 diverse implementations Note that the MIXCOLs component of AES is connected combinationally to the SBOX outputs, which deals with downstream data correlations AES runs at full speed during DPR -- hole configuration adds only one stall cycle ECE UNM 4 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Implementation Diversity Techniques Circuit Level : Adds capacitive loads to the P&R design (using FPGA implemented design view ) 1st-test-path differences .4 (a) (b) (c) Delay difference (ns) 3rd scenario .3 original 2nd scenario fanouts fanout test path added here .2 load fanout 1st scenario routing added here .1 fanout 0 added here 2nd-test-path differences 0 10 20 30 40 50 60 Capacitive loads are introduced by adding wire stubs to existing routes in the design The clock strobing technique described in the PUF screencasts is used to measure changes in path delays as wire stubs are added Each wire stub adds only approx. 3.3 ps to an existing route, so to be effective, many copies of wire stubs need to be added ECE UNM 5 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Implementation Diversity Techniques Synthesis Directed : Uses CAD synthesis tools to add diversity as the design is syn- thesized to a netlist (via changes to the standard cell library) and/or implementation Synthesis Directed diversity methods include: • Adding/removing logic gates from the standard cell library • Changing the timing constraints • Making small, inconsequential changes to the RTL The implementations are functionally equivalent but differ dramatically in terms of their netlist, P&R and corresponding delay characteristics ECE UNM 6 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Implementation Diversity Techniques The RTL for SBOX implementations V1 and V2 add two dummy input wires to the port list, which are connected directly in V1 and through an inverter in V2 Same path is sensitized V1 V2 for these plaintext tests 16 15 14 delay (ns) 13 12 V1 V2 11 10 1 20 40 60 Plaintext Test Number Xilinx Vivado creates different implementations, which produce different delays, as shown for a subset of the paths tested using the same plaintexts Note that paths with the same delay represent frequently tested paths and are likely to contribute significantly to correlations that DPA leverages Synthesis directed diversity is likely to significantly reduce these correlations ECE UNM 7 (3/20/18)
HOST SCA Countermeasures II ECE 525 Preliminary Results DPA experiments using a Xilinx Spartan 3E FPGA, with 1,000,000 plaintexts to a 64-bit version of DES The top three bar graphs are constructed from the DPA results of the 3 individual placements The correct key guess (decimal 53) is highlighted and is clearly the largest among the set of 64 possible key guesses in each of these graphs Bottom bar graph mixes 1/3 of the power traces from the individual experiments Peak associated with correct key significantly reduced and ghost peaks appear ECE UNM 8 (3/20/18)
HOST SCA Countermeasures II ECE 525 DPR Leakage Note that it is important that the adversary is not able to ’track’ which SBOX imple- mentation is being removed/installed mV Trigger pulse 20 SBOX 0 config SBOX 1 config 0 DPR time interval 0 µ sec. 950 The traces shown above are produced by the DPR operation using two different SBOX implementations Note that the number of possible configurations is exponential For example, if any of 5 different implementations can be placed into any of the 16 positions of SBOX with AES than 1 million configurations are possible ECE UNM 9 (3/20/18)
HOST SCA Countermeasures II ECE 525 SPREAD Controller FPGA PS-side Trusted Execution Env. Rich Execution Env. (Trust Zone) (Applications) GPIO Secure GPIO PL-side ICAP BRAM SBOX pblock SPB 1 reconfiguration regions ctrl SPB 2 AES DPR Controller SPB n timer nonces bitstream selector Nonce gen. engine Operations • PS-side loads SBOX partial bitstreams labeled SPB x into BRAM • DPR Controller starts nonce generation engine • DPR Controller uses the nonces to randomize the selection of the SPB x , the recon- figuration region and the time interval between DPR operations. • DPR Controller synchronizes with AES, asserts the appropriate control signals for reconfiguration of the randomly selected SBOXs and executes the transfer protocol with the ICAP controller ECE UNM 10 (3/20/18)
Recommend
More recommend
