From New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security

Size: px

Start display at page:

Download "From New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security"

Alyson Hardy
5 years ago
Views:

1 From New Technologies to New Solutions: Exploiting FRAM Memories to Enhance Physical Security Stéphanie Kerckhof, François-Xavier Standaert, Eric Peeters CARDIS 2013 November 2013 Microelectronics Laboratory Exploiting FRAM Memories - November

2 Context Ferroelectric RAM (FRAM): non-volatile RAM using special dielectric material Integrated in Texas Instruments microcontrollers Microelectronics Laboratory Exploiting FRAM Memories - November

3 Context Ferroelectric RAM (FRAM): non-volatile RAM using special dielectric material Integrated in Texas Instruments microcontrollers Flash FRAM Program memory only Unified memory 10 5 reprogramming reprogramming 1 page (256 bytes) at a time 1 byte at a time 4,5 ms per page write or erase a few clock cycles per byte Microelectronics Laboratory Exploiting FRAM Memories - November

4 Context non-volatile memory useful for countermeasures needing secure precomputations Microelectronics Laboratory Exploiting FRAM Memories - November

5 Context non-volatile memory useful for countermeasures needing secure precomputations Two questions: FRAM as a more secure technology against side channel attacks? FRAM as a more efficient way to implement existing countermeasures? Microelectronics Laboratory Exploiting FRAM Memories - November

6 Context non-volatile memory useful for countermeasures needing secure precomputations Two questions: FRAM as a more secure technology against side channel attacks? FRAM as a more efficient way to implement existing countermeasures? We follow the second approach: Improving past results Shuffling Making new results possible Masking with RLUT Microelectronics Laboratory Exploiting FRAM Memories - November

7 Outline 1 Improving Past Results: Shuffling What is Shuffling? Previous Implementation FRAM Implementation 2 Making New Results Possible: Masking with RLUT 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

8 What is Shuffling? Shuffling: Modifies the order in which independent operations are performed Example: time Normal execution S(x 0 ) S(x 1 ) S(x 2 ) Shuffled execution S(x 7 ) S(x 0 ) S(x 15 ) S(x 15 ) S(x 1 ) Microelectronics Laboratory Exploiting FRAM Memories - November

9 What is Shuffling? Goal: Spread points of interest over t cycles Amplify physical noise by forcing the adversary to combine multiple points Microelectronics Laboratory Exploiting FRAM Memories - November

10 What is Shuffling? Goal: Spread points of interest over t cycles Amplify physical noise by forcing the adversary to combine multiple points S(x 0 ) Microelectronics Laboratory Exploiting FRAM Memories - November

11 What is Shuffling? Goal: Spread points of interest over t cycles Amplify physical noise by forcing the adversary to combine multiple points S(x 0 ) S(x 7 ) Microelectronics Laboratory Exploiting FRAM Memories - November

12 What is Shuffling? Goal: Spread points of interest over t cycles Amplify physical noise by forcing the adversary to combine multiple points S(x 0 ) S(x 7 )... Microelectronics Laboratory Exploiting FRAM Memories - November

13 Outline 1 Improving Past Results: Shuffling What is Shuffling? Previous Implementation FRAM Implementation 2 Making New Results Possible: Masking with RLUT 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

14 Shuffling - Randomized Program Memory Program Memory 1. Shuffle program memory 2. Execute S(x 0 ) 3. Execute S(x 1 ) 4. Execute S(x 2 ) 5. Execute S(x 3 )... Data Memory Permutation Proposed by Veyrat-Charvillon et al. at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

15 Shuffling - Randomized Program Memory Program Memory 1. Shuffle program memory 2. Execute S(x 0 ) 3. Execute S(x 1 ) 4. Execute S(x 2 ) 5. Execute S(x 3 )... Data Memory Permutation Proposed by Veyrat-Charvillon et al. at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

16 Shuffling - Randomized Program Memory Program Memory 1. Shuffle program memory 2. Execute S(x 07 ) 3. Execute S(x 10 ) 4. Execute S(x 215 )) 5. Execute S(x 3 )... Data Memory Permutation Proposed by Veyrat-Charvillon et al. at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

17 Shuffling - Randomized Program Memory Program Memory 1. Shuffle program memory 2. Execute S(x 07 ) 3. Execute S(x 10 ) 4. Execute S(x 215 )) 5. Execute S(x 3 )... Data Memory Permutation Proposed by Veyrat-Charvillon et al. at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

18 Shuffling - Randomized Program Memory Program Memory 1. Shuffle program memory 2. Execute S(x 07 ) 3. Execute S(x 10 ) 4. Execute S(x 215 )) 5. Execute S(x 3 )... Data Memory Permutation Proposed by Veyrat-Charvillon et al. at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

19 Outline 1 Improving Past Results: Shuffling What is Shuffling? Previous Implementation FRAM Implementation 2 Making New Results Possible: Masking with RLUT 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

20 Shuffling with FRAM Setup: MSP430FR5739 Texas Instrument microcontroller 16-bit RISC CPU 16 kb of FRAM Implementation of the countermeasure: Definition of an AES having sets of 16 independent operations Addition of dummy key-schedule operations Access to FRAM memory between each operation Security evaluation: Similar to the one presented at Asiacrypt 2012 Microelectronics Laboratory Exploiting FRAM Memories - November

21 Shuffling with FRAM Code Size Data Size Unprotected AES Perm. Generation Shuffled AES Code Shuffling AES execution Total Unshuffled version of AES for reference Difference between unprotected and shuffled AES mainly due to dummy key schedule Microelectronics Laboratory Exploiting FRAM Memories - November

22 Shuffling with FRAM Cycle Count Unprotected AES 5800 Perm. Generation 2240 Shuffled AES Code Shuffling 2751 AES execution 8479 Total TI microcontrollers only have 12 available registers Intermediate state must be stored in memory TI implementation slower than AVR one (3546 cycles) Precomputation time divided by 100 compared to AVR: 0,19 ms (at 16 MHz) vs 18 ms Difference between unprotected and shuffled AES mainly due to dummy key schedule Microelectronics Laboratory Exploiting FRAM Memories - November

23 Outline 1 Improving Past Results: Shuffling 2 Making New Results Possible: Masking with RLUT Description of RLUT contermeasure Application to Reduced LED Results 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

24 Masking with Randomized Look Up Tables (RLUT) k x S S(x m k) L1 L3 S(x k) m C q a L2 b L2 L4 Typical boolean masking of order 1 Microelectronics Laboratory Exploiting FRAM Memories - November

25 Masking with Randomized Look Up Tables (RLUT) P k k x S S(x m k) L1 L3 S(x k) m C q a L2 b L2 L4 Key addition included in precomputed table P k Microelectronics Laboratory Exploiting FRAM Memories - November

26 Masking with Randomized Look Up Tables (RLUT) x x m Pk Pk(x m) L1 L3 Pk(x) m C q a L2 b L2 L4 Key addition included in precomputed table P k Microelectronics Laboratory Exploiting FRAM Memories - November

27 Masking with Randomized Look Up Tables (RLUT) G1 a1 x x m Pk G2 Pk(x m) L1 L3 a3 Pk(x) m C q a L2 b L2 L4 Replace of x m operations by Gi = x m a i ai = precomputed random mask Microelectronics Laboratory Exploiting FRAM Memories - November

28 Masking with Randomized Look Up Tables (RLUT) x G1 G1(x,m) Pk Pk(G1(x,m)) L1 L3 G2 Pk(x) m C q a L2 b L2 L4 Replace of x m operations by Gi = x m a i ai = precomputed random mask Microelectronics Laboratory Exploiting FRAM Memories - November

29 Masking with Randomized Look Up Tables (RLUT) R x G1 G1(x,m) Pk a2 Pk(G1(x,m)) L1 L3 G2 Pk(x) m C q a L2 b L2 RC L4 Randomization of P k (and C) using a random variable Microelectronics Laboratory Exploiting FRAM Memories - November

30 Masking with Randomized Look Up Tables (RLUT) x G1 G1(x,m) R R(G1(x,m)) L1 L3 ig2 Pk(x) m RC q a L2 b L2 L4 Microelectronics Laboratory Exploiting FRAM Memories - November

31 Masking with Randomized Look Up Tables (RLUT) x G1 G1(x,m) R R(G1(x,m)) L1 L3 ig2 Pk(x) m RC q a L2 b L2 L4 G1, G 2, R and RC are precomputed Microelectronics Laboratory Exploiting FRAM Memories - November

32 Masking with Randomized Look Up Tables (RLUT) x G1 G1(x,m) R R(G1(x,m)) L1 L3 ig2 Pk(x) m RC q a L2 b L2 L4 G1, G 2, R and RC are precomputed Unconditional security if secure precomputations Microelectronics Laboratory Exploiting FRAM Memories - November

33 Outline 1 Improving Past Results: Shuffling 2 Making New Results Possible: Masking with RLUT Description of RLUT contermeasure Application to Reduced LED Results 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

34 Application to Reduced LED Reduced version of LED: 16-bit state 1 to 4 rounds Microelectronics Laboratory Exploiting FRAM Memories - November

35 Application to Reduced LED Implementation details: 16 kb TI FRAM microcontroller LFSR with CRC-32 polynomial used to generate random variables a i Efficient arrangement of the 4-bit precomputed tables in memory MixColumn layer applied on each of the shares Microelectronics Laboratory Exploiting FRAM Memories - November

36 Outline 1 Improving Past Results: Shuffling 2 Making New Results Possible: Masking with RLUT Description of RLUT contermeasure Application to Reduced LED Results 3 Conclusion Microelectronics Laboratory Exploiting FRAM Memories - November

37 Results - Program Size Program size [bytes] Implementation Prediction [SPV 2012] Number of rounds Prediction in terms of number of rounds, number of S-Boxes and S-Box size Offset between curves = LED program size Microelectronics Laboratory Exploiting FRAM Memories - November

38 Results - Precomputation Time Cycle count Implementation Prediction [SPV 2012] Number of rounds Elementary operations Prediction in terms of elementary operations Here, 1 elementary operation 40 clock cycles Microelectronics Laboratory Exploiting FRAM Memories - November

39 Results - Observations Memory and time requirements can be predicted for the parameters of any cipher Full LED implementation requires: 70 kb of memory (128kB FRAM microcontroller soon available) A precomputation time of 35 ms at 16 MHz Possible performances vs security tradeoffs: Partial masking with RLUT Partial refreshing of the precomputed tables (e.g.: refreshing 10% of the table takes as much cycles as order 3 masking scheme) Microelectronics Laboratory Exploiting FRAM Memories - November

40 Conclusion FRAM enables efficient implementation of countermeasures needing precomputations Improvement for the shuffling countermeasure Makes the RLUT masking possible If secure precomputation is possible, RLUT provides unconditional security against side-channel attacks Future scope of research: Impact of partial recomputation in leaking environment Design of block ciphers suited to implementation with RLUT Microelectronics Laboratory Exploiting FRAM Memories - November

41 Thank you! Microelectronics Laboratory Exploiting FRAM Memories - November

Low Randomness Masking and Shulfifgn:

Low Randomness Masking and Shulfifgn: An Evaluation Using Mutual Information Kostas Papagiannopoulos kostaspap88@gmail.com kpcrypto.net Radboud University Nijmegen Digital Security Department The Netherlands