DPA Leakage Models for CMOS Logic Circuits

Similar documents
Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Evaluation of the Masked Logic Style MDPL on a Prototype Chip

Secure Adiabatic Logic: a Low-Energy DPA-Resistant Logic Style

Power Analysis Attacks on SASEBO January 6, 2010

Recommendations for Secure IC s and ASIC s

Evaluation of On-chip Decoupling Capacitor s Effect on AES Cryptographic Circuit

SIDE-CHANNEL attacks exploit the leaked physical information

Threshold Implementations. Svetla Nikova

DETECTING POWER ATTACKS ON RECONFIGURABLE HARDWARE. Adrien Le Masle, Wayne Luk

1. Short answer questions. (30) a. What impact does increasing the length of a transistor have on power and delay? Why? (6)

Investigating the DPA-Resistance Property of Charge Recovery Logics

Topic 6. CMOS Static & Dynamic Logic Gates. Static CMOS Circuit. NMOS Transistors in Series/Parallel Connection

Test Apparatus for Side-Channel Resistance Compliance Testing

Dynamic Logic. Domino logic P-E logic NORA logic 2-phase logic Multiple O/P domino logic Cascode logic 11/28/2012 1

Three Phase Dynamic Current Mode Logic: AMoreSecureDyCML to Achieve a More Balanced Power Consumption

Module 4 : Propagation Delays in MOS Lecture 19 : Analyzing Delay for various Logic Circuits

When Failure Analysis Meets Side-Channel Attacks

arxiv: v1 [cs.cr] 2 May 2016

Power Analysis Based Side Channel Attack

Chapter 2 Combinational Circuits

Information Theoretic and Security Analysis of a 65-nanometer DDSLL AES S-box

Side-Channel Leakage through Static Power

Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala

Lecture 16. Complementary metal oxide semiconductor (CMOS) CMOS 1-1

! Review: Sequential MOS Logic. " SR Latch. " D-Latch. ! Timing Hazards. ! Dynamic Logic. " Domino Logic. ! Charge Sharing Setup.

Differential Power Analysis Attack on FPGA Implementation of AES

Transient-Steady Effect Attack on Block Ciphers

paioli Power Analysis Immunity by Offsetting Leakage Intensity Sylvain Guilley perso.enst.fr/ guilley Telecom ParisTech

Hardware Based Strategies Against Side-Channel-Attack Implemented in WDDL

EEC 118 Lecture #12: Dynamic Logic

CMOS VLSI Design (A3425)

! Is it feasible? ! How do we decompose the problem? ! Vdd. ! Topology. " Gate choice, logical optimization. " Fanin, fanout, Serial vs.

Investigations of Power Analysis Attacks on Smartcards

Chapter 6 Combinational CMOS Circuit and Logic Design. Jin-Fu Li Department of Electrical Engineering National Central University Jungli, Taiwan

Constant Power Reconfigurable Computing

EM Attack Is Non-Invasive? - Design Methodology and Validity Verification of EM Attack Sensor

Analysis and Mitigation of Process Variation Impacts on Power-Attack Tolerance

Constructing TI-Friendly Substitution Boxes using Shift-Invariant Permutations. Si Gao, Arnab Roy, and Elisabeth Oswald

Glitch-Free Implementation of Masking in Modern FPGAs

Combinational Circuit Obfuscation through Power Signature Manipulation

Design Of Synchronous Up-Down Counter Using CMOS 90nm Technology

Investigation on Performance of high speed CMOS Full adder Circuits

Power Analysis an overview. Agenda. Measuring power consumption. Measuring power consumption (2) Benedikt Gierlichs, KU Leuven - COSIC.

Design of New Full Swing Low-Power and High- Performance Full Adder for Low-Voltage Designs

Electronic Circuits EE359A

Finding the key in the haystack

A Simulation-Based Methodology for Evaluating the DPA-Resistance of Cryptographic Functional Units with Application to CMOS and MCML Technologies

UNIT-III GATE LEVEL DESIGN

EE 330 Lecture 43. Digital Circuits. Other Logic Styles Dynamic Logic Circuits

CHAPTER 5 DESIGN AND ANALYSIS OF COMPLEMENTARY PASS- TRANSISTOR WITH ASYNCHRONOUS ADIABATIC LOGIC CIRCUITS

Transform. Jeongchoon Ryoo. Dong-Guk Han. Seoul, Korea Rep.

Information Leakage from Cryptographic Hardware via Common-Mode Current

EE434 ASIC & Digital Systems

Review and Analysis of Glitch Reduction for Low Power VLSI Circuits

Lecture 4&5 CMOS Circuits

Is Your Mobile Device Radiating Keys?

EE 330 Lecture 43. Digital Circuits. Other Logic Styles Dynamic Logic Circuits

INF3430 Clock and Synchronization

A Hardware-based Countermeasure to Reduce Side-Channel Leakage

When Electromagnetic Side Channels Meet Radio Transceivers

Chapter 3 DESIGN OF ADIABATIC CIRCUIT. 3.1 Introduction

Correlation Power Analysis of Lightweight Block Ciphers

IJMIE Volume 2, Issue 3 ISSN:

Assoc. Prof. Dr. Burak Kelleci

NOVEMBER 29, 2017 COURSE PROJECT: CMOS TRANSIMPEDANCE AMPLIFIER ECG 720 ADVANCED ANALOG IC DESIGN ERIC MONAHAN

Security Evaluation Against Electromagnetic Analysis at Design Time

ENEE307 Lab 7 MOS Transistors 2: Small Signal Amplifiers and Digital Circuits

Low-Power Digital CMOS Design: A Survey

Hardware Bit-Mixers. Laszlo Hars January, 2016

The EM Side Channel(s)

Design of Low Power Vlsi Circuits Using Cascode Logic Style

A Static Power Model for Architects

Exploiting On-Chip Voltage Regulators as a Countermeasure Against Power Analysis Attacks

An on-chip glitchy-clock generator and its application to safe-error attack

Announcements. Advanced Digital Integrated Circuits. Quiz #3 today Homework #4 posted This lecture until 4pm

Electromagnetic-based Side Channel Attacks

SUBTHRESHOLD DESIGN SPACE EXPLORATION FOR GAUSSIAN NORMAL BASIS MULTIPLIER

Logic Restructuring Revisited. Glitching in an RCA. Glitching in Static CMOS Networks

DIFFERENTIAL power analysis (DPA) attacks can obtain

Lecture Summary Module 1 Switching Algebra and CMOS Logic Gates

CPE/EE 427, CPE 527 VLSI Design I: Homeworks 3 & 4

8. Combinational MOS Logic Circuits

! Sequential Logic. ! Timing Hazards. ! Dynamic Logic. ! Add state elements (registers, latches) ! Compute. " From state elements

Design and Implementation of Digital CMOS VLSI Circuits Using Dual Sub-Threshold Supply Voltages

The backend duplication method

EE 330 Lecture 44. Digital Circuits. Other Logic Styles Dynamic Logic Circuits

Leakage Current Analysis

Estimation of keys stored in CMOS cryptographic device after baking by using the charge shift

Low-Power Multipliers with Data Wordlength Reduction

All-digital ramp waveform generator for two-step single-slope ADC

Lecture Outline. ESE 570: Digital Integrated Circuits and VLSI Fundamentals. Previously: Two XOR Gates. Pass Transistor Logic. Cascaded Pass Gates

A NEW APPROACH FOR DELAY AND LEAKAGE POWER REDUCTION IN CMOS VLSI CIRCUITS

Design of Robust and power Efficient 8-Bit Ripple Carry Adder using Different Logic Styles

ELEC Digital Logic Circuits Fall 2015 Delay and Power

Design of the oscillating circuit in DC/DC switching power supply

Collision-based Power Analysis of Modular Exponentiation Using Chosen-message Pairs

Combinational Logic Gates in CMOS

White Paper Stratix III Programmable Power

ECE 334: Electronic Circuits Lecture 10: Digital CMOS Circuits

Lecture 10. Circuit Pitfalls

Transcription:

CHES 25 in Edinburgh DPA Leakage Models for CMOS Logic Circuits Daisuke Suzuki Minoru Saeki Mitsubishi Electric Corporation, Information Technology R&D Center Tetsuya Ichikawa Mitsubishi Electric Engineering Company Limited 1

CHES 25 in Edinburgh Summary - Motivation and result Outline Our New Leakage Models for CMOS Circuit - Static model and dynamic model against standard DPA Leakage Models against Enhanced DPAs - We adapt our leakage models to enhanced DPAs - And we discuss effectiveness of these analysis from the view point of our models Evaluation and Experimental Results - We demonstrate the weakness of previously know hardware countermeasures by using our models - These results fully agree with our implementation results on FPGA Conclusion 2

CHES 25 in Edinburgh Summary (1/3) Why does DPA leakage occur? It is important for constructing the countermeasure against DPA to grasp the reason accurately Modeling the DPA leakage is an effective solution to this problem Our leakage models based on the transition probability for each gate (this presentation) We can evaluate DPA leakage in upstream design processes We can directly analyze DPA leakage from logic information in CMOS circuits 3

CHES 25 in Edinburgh Summary (2/3) We adapt our models to Second-Order DPAs for CMOS logic circuits and evaluate the effectiveness of these techniques Messerges's Second-Order DPA (M-2DPA)[12] Our secure condition against each analysis shows that M-2DPA is essentially equivalent to the standard (Kocher s) DPA Waddle's Second-order DPA (W-2DPA)[13] W-2DPA can detect the bias of the distribution of the transition probability All known masked CMOS logics are ineffectual against W-2DPA 4

CHES 25 in Edinburgh We evaluate previously known countermeasures by using our leakage models. WDDL[6] Masked-AND[7] MAND[18] Summary (3/3) These results fully agree with our implementation results on FPGA Standard DPA (M-2DPA) W-2DPA : leaks on the static model : leaks on the dynamic model 5

CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (1/6) Related works Analog model S. Chari, C.S. Jutla, J.R. Rao and P. Rohatgi, ``Towards Sound Approaches to Counteract Power Analysis Attacks, Crypto'99 R. Bevan and E. Knudsen, ``Ways to Enhance Differential Power Analysis," ICISC 22 Based on the Hamming weight difficult to evaluate in upstream design prosses insufficient C. Clavier, J.-S. Coron and N. Dabbous, ``Differential Power Analysis in the Presence of Hardware Countermeasures," CHES 2 6

CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (2/6) Power consumption in CMOS circuits[16] P total p t = p t C L V 2 dd f clk charge/discharge + p t I sc V dd f direct-path short circuit current clk + I leakage V dd leakage current C L V dd f clk I sc I leakage : transition probability of signals : loading capacitance : supply voltage : clock frequency : direct-path short circuit current : leakage current( of course this leakage is not DPA leakage ) 7

CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (3/6) Power consumption in CMOS circuits[16] P total = p t C L V dd f clk + p t I sc V dd f clk + I leakage V dd are determined when the circuit is constructed (don't depend on the intermediate value) is dependent on the intermediate value (including key data) The source of the DPA leakage is a bias of the transition probability for each gate 8

CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (4/6) Our models to compute transition probability Static Model An ideal circuit without signal propagation delay We evaluate a Boolean function at the output of each gate Dynamic Model A real circuit wherein a transient hazard is generated due to the delay We evaluate a Boolean function under a single input change assumption 9

CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (5/6) Our leakge models based on the transition probability against standard DPA Definition 1. (Static Leakage) : p stc α,( i ) stc stc stc stc N diff Ndiff = Nα= 1 Nα= = ( pα= 1,( i ) pα=,( i )) k i = 1 stc α : signal for DPA grouping (selection bit ) N stc : expected transition counts in one clock cycle : transition probability of the i th gate in the static model Secure condition : stc N diff = 1

N = CHES 25 in Edinburgh Our New Leakage Models for CMOS Circuit (6/6) Our leakge models based on the transition probability against standard DPA Definition 2. (Dynamic Leakage) : diff N α= 1 N α= = k N diff ( p ( e) i= 1 e E ( i) α= 1,( i ) p α=,( i ) (e)) E α,( ) : set of the events that single input change occurs p i ( e) : transition probability of the i th gate in the dynamic model corresponding to the event e Secure condition : N diff = 11

CHES 25 in Edinburgh Leakage Models against Enhanced DPAs (1/5) We consider the effectiveness of second-order DPAs from the viewpoint of our models Messerges's Second-Order DPA (M-2DPA)[12] The attacker analyzes two time points in power trances Waddle's second-order DPA (W-2DPA)[13] The attacker uses squaring power traces What is a secure condition against each analysis on CMOS logic circuit? 12

CHES 25 in Edinburgh Leakage Models against Enhanced DPAs (2/5) Leakage in M-2DPA on CMOS logic circuits We analyze the correlation of the signal transition of two points t,t Definition 3.(Leakage in M-2DPA): 2nd N diff ( Nα 1( t ) Nα 1( t)) ( Nα ( t ) Nα 2nd N diff = = = = = ( t)) Secure condition : 2nd N diff = 13

CHES 25 in Edinburgh Leakage Models against Enhanced DPAs (3/5) Secure condition : Standard DPA vs M-2DPA N diff = α 1 α= N (in any point ) 2nd N diff = = = N N diff α 1 α= N (in some point ) = N The circuit wherein equal leakage occurs at any point of time is not realistic 2nd N diff N 2nd diff = Ndiff = Secure condition of M-2DPA is equivalent to that of standard DPA in real circuit 14

CHES 25 in Edinburgh Leakage Models against Enhanced DPAs (4/5) Leakage in W-2DPA on CMOS logic circuits We use squaring power traces Definition 4. (Leakage in W-2DPA): V ( t) = ( s S( t ) s 2 p s ( t)) V diff = Vα= 1 = ( t) Vα ( t) Vdiff S (t) (t) p s : set of possible transition counts : probability that the transition occurs at s gates Secure condition : V diff = 15

CHES 25 in Edinburgh Leakage Models against Enhanced DPAs (5/5) Secure condition : Standard DPA vs W-2DPA Secure condition in W-2DPA is NOT equivalent to that of standard DPA We can detect the bias of the distribution of the transition probability In particular, if we assume the static model, masked CMOS logics are secure against standard DPA but not secure against W-2DPA stc stc ( N but V diff ) diff = 16

CHES 25 in Edinburgh Evaluation Results of Previously Known Countermeasures (1/5) We analyze previously known hardware countermeasures by using our models Our leakage models Standard DPA W-2DPA We evaluate AND-operation of each countermeasures WDDL-AND gate[6] (Complementary logics) Maked-AND[7] (Masked CMOS logics) MAND[11] (Masked CMOS logics) 17

CHES 25 in Edinburgh Evaluation Results of Previously Known Countermeasures (2/5) Result of WDDL in our models WDDL is secure against standard DPA in the static stc model ( N diff = ) If all input signals reach each complementary gate simultaneously, N and V diff = diff = else, N and because of the diff V diff difference of response speed on AND/OR-gate 18

selection bit α a = a = b = b = CHES 25 in Edinburgh Evaluation Results of Previously Known Countermeasures (3/5) Result of WDDL in our models Note the sign of the leakage! diff < N = 1 N = + 1 1 1 transition probability of the WDDL-AND gate CMOS gate AND OR AND OR AND OR AND OR prch = 1 prch = e ( Δa) e ( Δb) e ( Δa) e( Δb) 1 1/2 1/2 diff > 1/2 1/2 1/2 1/2 1/2 1/2 1/2 1/2 1/2 1/2 1 prch : precharge signal in WDDL 19

CHES 25 in Edinburgh Evaluation Results of Previously Known Countermeasures (4/5) Results of Masked-AND and MAND Both are secure against standard DPA in the static stc model ( ) N diff = The delay conditions to be N diff exist N diff > V diff Note the sign of the leakage!, because the distribution of the transition probability is biased even in the static model 2

CHES 25 in Edinburgh Evaluation Results of Previously Known Countermeasures (5/5) Results of Masked-AND and MAND V = 5 / 8 V = 1/ 4 diff < diff < transition distribution of Masked-AND selection bit α a = a = 1 transition counts s 1 23 4 1 23 4 event probability p s 5/32 3/8 5/16 1/8 1/32 19/64 3/16 11/32 1/16 7/64 transition distribution of the MAND selection bit α a = a = 1 transition counts s event probability p s 1/4 1 1/2 2 1/4 3/8 1 1/4 2 3/8 Note the sign of the leakage! 21

CHES 25 in Edinburgh Experimental Results on FPGA (1/6) 22

CHES 25 in Edinburgh Experimental Results on FPGA (2/6) To verify the validity of our models, we also implement these countermeasures on FPGA and evaluate actual power traces Implementations on FPGA XCV1-6-BG56C FPGA of Xilinx Inc (Virtex 1) We implement a circuit of consisting AND-operation applying each countermeasure using automatic place-and-route tools 23

CHES 25 in Edinburgh Experimental Results on FPGA (3/6) Standard DPA trace on FPGA 2, samples N diff > 24

CHES 25 in Edinburgh Experimental Results on FPGA (4/6) Standard DPA trace on FPGA prch = 1 prch = N diff > prch = 1 N diff < prch = Magnified view of the WDDL 25

CHES 25 in Edinburgh Experimental Results on FPGA (5/6) W-2DPA trace on FPGA 2, samples stc V diff < 26

CHES 25 in Edinburgh Experimental Results on FPGA (6/6) W-2DPA trace on FPGA prch = 1 prch = V diff > prch = 1 V diff < prch = Magnified view of the WDDL 27

CHES 25 in Edinburgh Evaluation and Experimental Results Summary of our results Our experimental results on FPGA fully agree with considerations based on our leakage models The approach by complementary logics (WDDL) is very effective although the problem of the signal delay still remains It is difficult to resist various power analysis by the approach of data masking in general CMOS gates In [11], we proposed a construction of a special CMOS gate (RSL:Random Switching Logic), which is improved at the transistor level and satisfies secure condition. [11] Suzuki, M.Saeki and T.Ichikawa, ``Random Switching Logic: A Countermeasure against DPA based on Transition Probability," Cryptology eprint Archive, Report 24/346, 24. 28

CHES 25 in Edinburgh Standard DPA trace on FPGA 2, samples RSL 29

CHES 25 in Edinburgh W-2DPA trace on FPGA 2, samples RSL 3

CHES 25 in Edinburgh Evaluation system by logic simulation (DES-circuit)[14] Simulation result using our model Experimental result on FPGA [14] M. Saeki, D. Suzuki and T. Ichikawa, ``Construction of DPA Leakage Model and Evaluation by Logic Simulation, ISEC24-57, IEICE, July 24 (in Japanese) 31

CHES 25 in Edinburgh Standard DPA trances of AES circuit without countermeasure[11][2] 2, samples [2] T.Ichikawa, D. Suzuki and M. Saeki, ``An Attack on Cryptographic Hardware Design with Masking Method,"ISEC24-58, IEICE, July 24 (in Japanese) 32

CHES 25 in Edinburgh Standard DPA trances of AES circuit with masked-and operation[11][2] 2, samples 33

CHES 25 in Edinburgh Conclusions We proposed new DPA leakage models These models are based on the transition probability for each gate We also evaluated the effectiveness of Messerges's second-order DPA and Waddle's second-order DPA from the viewpoint of our models M-2DPA is essentially equivalent to the standard DPA W-2DPA can detect the bias of the distribution of the transition probability in CMOS logic circuits We analyzed previously known countermeasures by usign our models These results fully agree with our implementation results on FPGA We point out the weakness of previously known countermeasures 34

CHES 25 in Edinburgh Thanks for Listening 35

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback