towards the automatic applications of side channel
play

Towards the Automatic Applications of Side Channel Countermeasures - PowerPoint PPT Presentation

Towards the Automatic Applications of Side Channel Countermeasures Francesco Regazzoni Francesco Regazzoni 23 October 2015, Chia, Italy P. 1 Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA


  1. Towards the Automatic Applications of Side Channel Countermeasures Francesco Regazzoni Francesco Regazzoni 23 October 2015, Chia, Italy P. 1

  2. Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA Resistant Instruction Set Extension 5 Quick Note on Software Francesco Regazzoni 23 October 2015, Chia, Italy P. 2

  3. Why Electronic Design Automation for security? Security is very often considered at later stages of design Cost and Time to Market Possible Security pitfalls Francesco Regazzoni 23 October 2015, Chia, Italy P. 3

  4. Why Electronic Design Automation for security? Security is very often considered at later stages of design Cost and Time to Market Possible Security pitfalls EXTRA CONSTRAINT Use as much as possible “standard” EDA commodities! Francesco Regazzoni 23 October 2015, Chia, Italy P. 3

  5. Motivating Example Francesco Regazzoni 23 October 2015, Chia, Italy P. 4

  6. Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA Resistant Instruction Set Extension 5 Quick Note on Software Francesco Regazzoni 23 October 2015, Chia, Italy P. 5

  7. Simplified Hardware Design Flow (ASIC) Algorithm Design C, Matlab, VHDL RTL (Architecture) Design Synthesizable HDL Gate x x XOR y y Layout Francesco Regazzoni 23 October 2015, Chia, Italy P. 6

  8. Let’s focus on Synthesis RTL (Architecture) Design Synthesizable HDL Logic Synthesis Gate Level x x XOR y y Francesco Regazzoni 23 October 2015, Chia, Italy P. 7

  9. Logic Synthesis Input and Output INPUT : HDL Description Technological Library (area, timing, power) Synthetic Library (multipliers...) Constraints OUTPUT : Gate Level Netlist Estimation of area, timing, power (!) Timing constraints Francesco Regazzoni 23 October 2015, Chia, Italy P. 8

  10. Is it sufficient for DPA? Paul Kocher, Joshua Jaffe, and Benjamin Jun, “ Differential Power Analysis ”, in Proceedings of Advances in Cryptology-CRYPTO’99 , Santa Barbara, California, USA, August 15-19, 1999. (Cited by 5177) Francesco Regazzoni 23 October 2015, Chia, Italy P. 9

  11. Countermeasures Power consumption independent from processed key dependent data Intermediate values of the cryptographic algorithm Intermediate values processed by the device Power consumption of the cryptographic device Francesco Regazzoni 23 October 2015, Chia, Italy P. 10

  12. Countermeasures Power consumption independent from processed key dependent data Intermediate values of the cryptographic algorithm Masking Countermeasures Intermediate values processed by the device Power consumption of the cryptographic device Francesco Regazzoni 23 October 2015, Chia, Italy P. 11

  13. Countermeasures Power consumption independent from processed key dependent data Intermediate values of the cryptographic algorithm Masking Countermeasures Intermediate values processed by the device Hiding Countermeasures Power consumption of the cryptographic device Francesco Regazzoni 23 October 2015, Chia, Italy P. 12

  14. Countermeasures Power consumption independent from processed key dependent data Intermediate values of the cryptographic algorithm Masking Countermeasures Intermediate values processed by the device Hiding Countermeasures Power consumption of the cryptographic device They can be implemented in Software or in Hardware Francesco Regazzoni 23 October 2015, Chia, Italy P. 12

  15. Approach One INPUT : HDL Description Technological Library (area, timing, power) Synthetic Library (multipliers...) Constraints OUTPUT : DPA resistant Gate Level Netlist Estimation of area, timing, power (!) Timing constraints Francesco Regazzoni 23 October 2015, Chia, Italy P. 13

  16. Approach Two INPUT : HDL Description Technological Library (area, timing, power) Synthetic Library (multipliers...) Constraints (limit the gates) OUTPUT : Gate Level Netlist “Cell Substitution” : Replace cells with Reload the design for correct area and timing K. Tiri and I. Verbauwhede, A digital design flow for secure integrated circuits , IEEE TCAD, 2006 Francesco Regazzoni 23 October 2015, Chia, Italy P. 14

  17. Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA Resistant Instruction Set Extension 5 Quick Note on Software Francesco Regazzoni 23 October 2015, Chia, Italy P. 15

  18. Place and Route Gate x x XOR y y Place and Route Layout Francesco Regazzoni 23 October 2015, Chia, Italy P. 16

  19. Place and Route Input and Output INPUT : Gate level description of the circuit Physical view of the library (pin placement, ...) Constraints from synthesis OUTPUT : Gate Level Netlist Position and interconnection of the gates Estimation of area, timing, power (!) Francesco Regazzoni 23 October 2015, Chia, Italy P. 17

  20. This is not yet the end! Security Evaluation Chip Finalization Tape Out Security Evaluation Francesco Regazzoni 23 October 2015, Chia, Italy P. 18

  21. Security Evaluation Toggle Count .... SPICE simulation Real measures on fabricated chip Francesco Regazzoni 23 October 2015, Chia, Italy P. 19

  22. Reconfigurable Devices Measure directly Less Freedom Tools more “closed” Francesco Regazzoni 23 October 2015, Chia, Italy P. 20

  23. Contents 1 Motivations 2 DPA Resistant Synthesis 3 DPA Resistant Place and Route 4 DPA Resistant Instruction Set Extension 5 Quick Note on Software Francesco Regazzoni 23 October 2015, Chia, Italy P. 21

  24. Protect PRESENT with secure hardware Lightweight block cipher 4 bit S-box addRoundKey , sBoxLayer // Calculate S-box (plaintext XOR key) int PRESENT(int plaintext, int key) { 1 int result = 0; // initialize the result 2 plaintext = plaintext ^key; // perform the xor with the key 3 result = S[plaintext]; // perform the S-box 4 return result; }; // return the result Francesco Regazzoni 23 October 2015, Chia, Italy P. 22

  25. What can I do? Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 23

  26. What can I do? Register File IMM. B A ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 24

  27. What can I do? Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 25

  28. What can I do? Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 26

  29. What can I do? Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 27

  30. What can I do? Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 28

  31. What can I do? Something easier? Francesco Regazzoni 23 October 2015, Chia, Italy P. 29

  32. Protected / Non Protected CO-Design! Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 30

  33. Protected / Non Protected CO-Design! Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 31

  34. Protected / Non Protected CO-Design! Register File IMM. A B ISE ISE ISE ALU Memory Francesco Regazzoni 23 October 2015, Chia, Italy P. 32

  35. Automatic design of DPA resistant ISE identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Francesco Regazzoni 23 October 2015, Chia, Italy P. 33

  36. Needed “Basic Blocks” identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Generate useful power traces? Francesco Regazzoni 23 October 2015, Chia, Italy P. 34

  37. Needed “Basic Blocks” identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Generate useful power traces? Measure the DPA resistance? Francesco Regazzoni 23 October 2015, Chia, Italy P. 35

  38. Needed “Basic Blocks” identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Generate useful power traces? Measure the DPA resistance? Countermeasure and its design flow? Francesco Regazzoni 23 October 2015, Chia, Italy P. 36

  39. Needed “Basic Blocks” identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Generate useful power traces? Measure the DPA resistance? Countermeasure and its design flow? Partition the algorithm? Francesco Regazzoni 23 October 2015, Chia, Italy P. 37

  40. Needed “Basic Blocks” identify Partition Protect Security sensitive parts Sensitive / Sensitive Evaluation Non Sensitive Generate useful power traces? Measure the DPA resistance? Countermeasure and its design flow? Partition the algorithm? Francesco Regazzoni 23 October 2015, Chia, Italy P. 38

  41. The CMOS Design Flow software processor HDL code crypto.c Protected ISE HDL code Library Protected ISE Extractor Synth and P&R CMOS Library CMOS Synth and P&R crypto_ISE.c 0101001. 0101001. 1100001. SPICE level 1100001. simulation Security Evaluaton Francesco Regazzoni 23 October 2015, Chia, Italy P. 39

Recommend


More recommend