Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Silicon-level Solutions against DPA & DFA
Sylvain GUILLEY Laurent SAUVAGE Jean-Luc DANGERNidhal SELMANE Renaud PACALET
Institut TELECOM / TELECOM-ParisTechCNRS – LTCI (UMR 5141)
FDTC’08, Sunday, August 10th, 2008, 08:30 – 09:10,Mayflower Hotel, Colonial Room, Washington DC, USA.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 1
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Presentation Outline
1 Introduction
2 Circuits in STM 130 nm technology
3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives
5 General Conclusions and Open Problems
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 2
Objective 5-year collaboration with STM ( )
Rationale for non-invasive attacks
A thorough study of the vulnerabilities is required ...
... to come up with sound protections.
Methodology
Validation by the experience is absolutely mandatory
Hence: dedicated circuits, namely the following ASICs:
SecMat v1,3/2,2,3 academic smartcards.
Fair knowledge of the underlying physics:
How does the circuit leak?How do faults appear?
Attacks fine-tuning:DPA < CPA < enhanced-CPA < PPA < blind attacks .
What’s next? ⇒ http://www.dpacontest.org/.
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Presentation Outline
1 Introduction
2 Circuits in STM 130 nm technology
3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives
5 General Conclusions and Open Problems
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 4
Circuits to Study DPA & DFA: SecMat v1, 3/2, 2, 3
RAM64(for AES)
4×
ROM2k
AES
CPU
DES2
(for DES)
DES1
RAM2563×
(for CPU)
SDES
RAM32k
(5)
(9)
(10)
(6)
(7)
(1)
(2)
(3)
(4)
(8)
(11)
(12)
(13)
DEScombi
DESref
AES
0.2 mm2
32 kbytes
RAM
0.8 mm2
DES
WDDL
SecLib
DES
DES
Regular
Features of the circuit
Smartcard with encryptionaccelerators and an e-FPGA
Programmation in ANSI C
Hardware driver: ACME Foxrunning GNU / Linux 2.4.31
4.4 mm2, 2.4 × 106 tr.
HCMOS9GP 130 nm techno
Manufacturing via CMP runS12C7 1 of 03/01/07
3 power domains
Vertical insulation of P−
and N− wells
SW controllable clock-gating+ scan-chain
One Run-Time Reconfigurableembedded FPGA [4]
Slave of the CPU (6502)
8 × 8 LuT4
Three functionally identical DESmodules
From the same VHDLsource code:
1 Unprotected, andreference DES cipher
2 WDDL DES3 SecLib DES
Protected instances areDPA-resistant [5]
Template Attacks on DES [1]
Using 32 points of interestfor every SBOX
Template = couple (average,standard deviation)
Estimated for instance forevery 8×26 sub-keys of DES
Successful attack
Classification rate for onetrace: 100 %
Templates built from 20 000power traces on DES
100 selected pts of interest
Computation time: ∼ 1minute on genie.enst.fr
(Intel Xeon @ 3 GHz)
Attack of protected DES:SecLib and WDDL
So far: security gain > 350
Result: WDDL < SecLibsecurity-wise
Either under-powering orover-clocking the crypto module
Mimics a contact-lesssmartcard attack
Practical attack on AES =G. Piret & J.-J. Quisquater
Status
RTL simulation . . . . . . . . . 4
FPGA emulation . . . . . . . . 4
Real-world ASIC . . . . . . . . .4
Real-world FPGA . . . . . . . .4
Nidhal SELMANE’s Masterof Science + PhD work
SW Reverse-Engineering:
ρH,W.= correlation between
H: power modelW : experimental waves
Our State-of-the-Art
Reverse-engineering of:
Data . . . . . . . . . . . . . . . . . 6
Code . . . . . . . . . . . . . . . . . 4
Addresses . . . . . . . . . . . . .4
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
DPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
Presentation Outline
1 Introduction
2 Circuits in STM 130 nm technology
3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives
5 General Conclusions and Open Problems
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 12
DPAdiff, DPAcov and CPA Oracles
Amongst the many oracles that have been proposed, we focus onthree of them, noted:
1 DPAdiff: Differential Power Analysis (difference of means),
2 DPAcov: Differential Power Analysis (covariance) and
3 CPA: Correlation Power Analysis,
defined in equations (1), (2) and (3).
DPAdiff
The idea behind the DPAdiff is to exhibit an asymptotic differencebetween the behaviors.The “difference of means” criterion introduced by Paul Kocher is:
DPAdiff.=
1
m0
∑
i/Di=0
Ti −1
m1
∑
i/Di=1
Ti , (1)
where m0 and m1 denote the number of traces for each decision.More specifically,
m0.= #i ∈ [0, m[/Di = 0 and, symmetrically,
m1.=
∑m−1i=0 Di , with the following complementation property
m0 + m1 = m.
DPAcov
A seemingly different approach consists in computing a covariancebetween the m traces and their associated decision functions. TheDPA covariance estimator is:
DPAcov.=
1
m
∑
i
Ti × Di −1
m
∑
i
Ti ×1
m
∑
i
Di . (2)
It extracts the contribution of Di : only the net i is selected out ofthe whole netlist j [7].
DPAdiff versus DPAcov
The two definitions of the DPA actually coincide, as far as thedecision function is balanced:
Proof.
Assuming that m0 = m1 = m/2,
DPAcov =1
m
∑
i
Ti ×
(
Di −1
2
)
=1
2m
∑
i
Ti × (−1)Di
Covariance withthe characterfunction of D.
=1
4DPAdiff .
Mono-bit versus Multi-bit DPA
Vectorial Decision Function D
D ∈ 0, 1n
Dominant practice: assumebits are indiscernible
Hence partition tracesaccording to |D| ∈ [0, n]
Several philosophies:1 Thomas S.
MESSERGES [11]: pruneall but |D| = 0 or n, andcontinue a la mono-bit
2 Eric BRIER [3]: weightthe partitions with |D|
3 Thanh-Ha LE [9,8]:weight the partitions with(−1,−2, 0,+2,+1)
0
500
1000
1500
2000
2500
1 2 3 4 5 6 7 8
# tra
ces to b
reak the p
art
ial key
DES S-Box
Mono-bit: (-1, +1)4 bits: (-2, -1, 0, +1, +2)
CPA
By definition [3], CPA is a normalization of the DPA. It is definedas a correlation coefficient, estimated by:
CPA.=
DPAcov
σT · σD
∈ [−1, +1] , (3)
where σX is the standard deviation of the random variable X , forwhich an unbiased empirical estimator is√
1m−1
∑m−1i=0
(
Xi −1m
∑m−1j=0 Xj
)2.
DPAcov versus CPA (1/2)
DPAcov after 1k traces
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
3224168
Diffe
rence o
f p
ote
ntia
l [m
V]
Time [clock cycles]
Correctpeaks
Noisy peak(@ clock 38)
DPA differential trace
Averaging over 1k traces
CPA after 1k traces
-30
-20
-10
0
10
20
30
3224168C
orr
ela
tion f
acto
r [-
10
0%
:+1
00
%]
Time [clock cycles]
Correctpeaks
CPA differential traceEstimation over 1k traces
DPAcov versus CPA (2/2)
DPAcov after 10k traces
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
3224168
Diffe
rence o
f p
ote
ntia
l [m
V]
Time [clock cycles]
Correctpeaks
Noisy peak(@ clock 38)has vanished
DPA differential trace
Averaging over 10k traces
CPA after 10k traces
-30
-20
-10
0
10
20
30
3224168C
orr
ela
tion f
acto
r [-
10
0%
:+1
00
%]
Time [clock cycles]
Correctpeaks
CPA differential traceEstimation over 10k traces
Comparison between SecMat v1,3[ASIC] &SecMat v3[FPGA] in terms of power leakage
SecMat v1[ASIC]:
Dedicated power supply for the DES moduleNo clock tree (non-fatal bug)
SecMat v3[ASIC]:
Shared power supply between all modulesClock tree OK
SecMat v3[FPGA]:
SecMat v3[ASIC] VHDL code synthesized in an Altera StratixEPS1S25Global power supply10,157 logic elements and 286,720 RAM bits for the whole SoCDES alone is 1,125 logic elements (LuT4)
NEW! The power traces acquired from those three circuits areavailable for download from http://www.dpacontest.org/.
SecMat v1[ASIC] – covariance with |LR[0] ⊕ LR[1]|
-20
0
20
40
60
80
-8 0 8 16
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
-20
0
20
40
60
80
-8 0 8 16
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v1[ASIC]:
Typical trace: 92 mV
Typical DPA: 3.0 mV
⇒ Side-channel leakage:3.3 %
-0.5
0
0.5
1
1.5
2
2.5
3
-8 0 8 16
Voltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
SecMat v3[ASIC] – covariance with |LR[0] ⊕ LR[1]|
0
5
10
15
20
25
30
35
40
0 8 16 24
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
0
5
10
15
20
25
30
35
40
0 8 16 24
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v3[ASIC]:
Typical trace: 38 mV
Typical DPA: 0.6 mV
⇒ Side-channel leakage:1.5 %
0
0.1
0.2
0.3
0.4
0.5
0.6
0 8 16 24
Voltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
SecMat v3[FPGA] – covariance with |LR[0] ⊕ LR[1]|
-15
-10
-5
0
5
10
15
20
0 8 16 24 32
Vo
lta
ge
[m
V]
Time [clock periods]
Average power trace
-15
-10
-5
0
5
10
15
20
0 8 16 24 32
Vo
lta
ge
[m
V]
Time [clock periods]
Covariance result (same scale as the average power trace)
SecMat v3[FPGA]:
Typical trace: 19 mV
Typical DPA: 0.19 mV
⇒ Side-channel leakage:1.0 %
64/(2, 125 × 1 + (10, 157 −2, 125) × 0.5) ≈ 1 % ⇒ OK
0
0.05
0.1
0.15
0.2
0 8 16 24 32
Vo
ltage [
mV
]
Time [clock periods]
Covariance result (zoomed)
Early Evaluation in WDDL Illustrated
WDDL example andvulnerability:
A1
B1
C1
D1
Y1
A0
B0
C0
D0
Y0
|1
|2‘True’ half
&1
&2‘False’ half
-50
0
50
100
150
3002001000
Insta
nt pow
er
[µW
]
Time [ps]
-50
0
50
100
150
3002001000
Insta
nt pow
er
[µW
]
Time [ps]
B1:
A1:
C1:
A0:
B0:
C0:
D1:
D0:
Y1:
Y0:
B1:
A1:
C1:
A0:
B0:
C0:
D1:
D0:
Y1:
Y0:
SDF Simulation on Altera [6]
⇒ DES sbox #3
0
20
40
60
80
100
0 2 4 6 8 10
Bin
co
un
t [%
]
Delay [ns]
wire_c3b6_truewire_3c49_false
The 64 evaluation dates.
SecMat v1[ASIC] –Simulation of WDDL with 1 ns early evaluation
-1.5
-1
-0.5
0
0.5
1
1.5
2
2.5
3
-8 0 8 16
Voltage [
mV
]
Time [clock periods]
SecMat v1[ASIC] (@ 20 Gsample/s)
EarlyLate
Early-Late
-1.5
-1
-0.5
0
0.5
1
1.5
2
2.5
3
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
oltage [
mV
]
Time [nanoseconds]
SecMat v1[ASIC] (@ 20 Gsample/s)
EarlyLate
Early-Late
SecMat v3[ASIC] –Simulation of WDDL with 1 ns early evaluation
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
0 8 16 24
Voltage [
mV
]
Time [clock periods]
SecMat v3[ASIC] (@ 5 Gsample/s)
EarlyLate
Early-Late
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
0.6
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
oltage [
mV
]
Time [nanoseconds]
SecMat v3[ASIC] (@ 5 Gsample/s)
EarlyLate
Early-Late
SecMat v3[FPGA] –Simulation of WDDL with 1 ns early evaluation
-0.1
-0.05
0
0.05
0.1
0.15
0.2
0 8 16 24 32
Voltage [
mV
]
Time [clock periods]
SecMat v3[FPGA] (@ 10 Gsample/s)
EarlyLate
Early-Late
-0.1
-0.05
0
0.05
0.1
0.15
0.2
-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V
oltage [
mV
]
Time [nanoseconds]
SecMat v3[FPGA] (@ 10 Gsample/s)
EarlyLate
Early-Late
Summary about Power Leakage
1.0 % signal in 99 % algorithmic noise for a 32-bit register.
Hence a | log2(0.0132 )| = 11.6-bit ADC for an acquisition w/o
noise ...
... or at least 211.6−8 = 12 times averaging with an 8-bitADC.
For unprotected circuits,high Y-resolution is the key of success.
For protected circuits,high X-resolution is the key of success.
Hand-Made ElectroMagnetic SensorsStranded copper core PCB Loop
denuded coaxial cable (1) coil (2) coil (3)
Field: ~E Field: ~H Field: ~H
1cm
1cm
3 4
1cm
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
DPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
ElectroMagnetic Attacks (EMA)
# traces to break the key
Sensor Averaging Sbox #1 All sboxes
50 Ω resistor 1× 176 940
50 Ω resistor 64× 231 518
Antenna (1) 256× 1,695 1,883
Antenna (2) 256× 1,066 1,786
Antenna (3) 256× 707 1,008
Less noise in power than in EMA measurements
However, EMA measurements are definitely less intrusive
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 31
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Presentation Outline
1 Introduction
2 Circuits in STM 130 nm technology
3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives
5 General Conclusions and Open Problems
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 32
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
DFA on AES:Attack of Gilles Piret & Jean-Jacques Quisquater [12]
Fault Model
A “byte-flip” fault is expected: this is a relaxed constraintw.r.t. Eli Biham & Adi Shamir’s DFA.
The fault spatio-temporal location needs not be known.
Attack Scenario
The key is retrieved by columns.
For all the 1 020 = 255 × 4 hypotheses, find a collision.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 33
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
G. Piret & J.-J. Quisquater in 2003
SubBytes
ShiftRows
AddRoundKey
SubBytes
ShiftRows
MixColumns
AddRoundKey
Rou
nd
10R
ound
9
d9()[0]
differenceprecomputed
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 34
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
G. Piret & J.-J. Quisquater in 2003
differencereturned state
=
=
=
SubBytes
ShiftRows
AddRoundKey
SubBytes
ShiftRows
MixColumns
AddRoundKey
SubBytes
ShiftRows
MixColumns
AddRoundKey
Rou
nd
10R
ound
9R
ound
8
d8()d9()[0]
differences change!
Kill 4 birds withone stone
A fault at round 8yields 4 faults atround 9! This isoptimal. . .
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 35
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Faults Injection: Setup-Time Violation Attack Sketch
RAM64(for AES)
4×
ROM2k
CPU
DES2
(for DES)
DES1
RAM2563×
(for CPU)
AES
SDES
RAM32k
V
Setup met Setup violated
Q’
QD
Q’
QD
clk clk
V ↓ ⇒ Tpropagation ↑
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 36
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Occurrence [based on 2 000 000 encryptions on SecMat v1]
0
10
20
30
40
50
60
70
80
90
100
760 770 780 790 800 810 820 830
Occurr
ence [%
]
Voltage [mV]
FaultsSingle errors
Multiple errors
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 37
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Round statistics
0
5
10
15
20
25
R10
R9
R8
R7
R6
R5
R4
R3
R2
R1
% o
f fa
ults
Round
Temporal localization
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 38
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Coverage About 20 % of Errors are Exploitable
0
10
20
30
40
50
60
70
80
90
100
760 770 780 790 800 810 820 830
Covera
ge [%
]
Voltage [mV]
Detected errorsExploitable errors in R7Exploitable errors in R8
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 39
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Sbox statistics
0
5
10
15
20
25
30
S15
S14
S13
S12
S11
S10
S9
S8
S7
S6
S5
S4
S3
S2
S1
S0
% o
f fa
ults
Sbox
Spatial localization
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 40
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Theoretical DFAPractical DFAConclusions & Perspectives
Conclusion on DFA
Confer to EDCC’08 [13] for the complete vulnerability analysis
Non-intrusive DFA are possible
Realized on SecMat v1[ASIC] and on an FPGA (forthcomingpresentation @ NTMS’08).
Works also if the clock frequency is changed
Similar work done on DES successfully:randomness of errors is high enough for Biham & Shamir’sattack [2]
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 41
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Presentation Outline
1 Introduction
2 Circuits in STM 130 nm technology
3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation
4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives
5 General Conclusions and Open Problems
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 42
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
DPA & DFA Canonical Counter-Measures
DPA Counter-Measures
Combinatorial Logic:
2× for WDDL10× for SecLib
Routing:
4× for WDDL (2 × 2)9× for WDDL with shield(3 × 3)
DFA Counter-Measures
Captors: intensive, i.e. 6∝area,
Error detection codes: α ∝area, with α ≪ 1.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 43
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Comparison between attacks
For an attack to be successful:
DPA: about 1k traces
DFA: 120 % × 2 = 10 interactions (only!).
Defense cost:
DPA: at least 2× overhead
DFA: a couple of sensors + “cheap” coding logic
In summary:
DPA: easy to protect; but expensive
DFA: difficult to protect; but inexpensive
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 44
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Open Problems
How to choose the most suitable correlation in CPA?
How to make DPA counter-measures acceptable?
How to efficiently merge DPA & DFA countermeasures?
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 45
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
Acknowledgements
We sincerely acknowledge the compilation work done byhttp://www.sidechannelattacks.com/.
Advanced Systems Technologies (AST) division ofSTMicroelectronics (Rousset in France and Milano in Italy).
French Conseil Regional de la Region PACA.
The Secure-IC team for intellectual support.
DPA book [10], as a good introduction for students.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 46
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
References[1] Moulay Abdelaziz El Aabid, Sylvain Guilley, and Philippe Hoogvorst.
Template Attacks with a Power Model.Cryptology ePrint Archive, Report 2007/443, December 2007.http://eprint.iacr.org/2007/443/.
[2] Eli Biham and Adi Shamir.Differential Fault Analysis of Secret Key Cryptosystems.In CRYPTO, volume 1294 of LNCS, pages 513–525. Springer, 1997.
[3] Eric Brier, Christophe Clavier, and Francis Olivier.Correlation Power Analysis with a Leakage Model.Proc. of CHES’04, 3156:16–29, August 11–13 2004.ISSN: 0302-9743; ISBN: 3-540-22666-4; DOI: 10.1007/b99451; Cambridge, MA, USA.
[4] Sumanta Chaudhuri, Sylvain Guilley, Florent Flament, Philippe Hoogvorst, and Jean-Luc Danger.An 8x8 Run-Time Reconfigurable FPGA Embedded in a SoC.In DAC, pages 120–125, Anaheim, CA, USA, jun 2008.
[5] S. Guilley, F. Flament, R. Pacalet, Ph. Hoogvorst, and Y. Mathieu.Security Evaluation of a Secured Quasi-Delay Insensitive Library.In DCIS, full text in HAL, http: // hal. archives-ouvertes. fr/ hal-00283405/ en/ , pages 1–7, November2008.DCIS’08, Grenoble, France.
[6] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst,Ving-Nga Vong, and Maxime Nassar.Shall we trust WDDL?In Future of Trust in Computing, volume 2, Berlin, Germany, jun 2008.
[7] Sylvain Guilley, Philippe Hoogvorst, Renaud Pacalet, and Johannes Schmidt.Improving Side-Channel Attacks by Exploiting Substitution Boxes Properties.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 47
IntroductionCircuits in STM 130 nm technology
Attack on Power + EM LeakageNon-Intrusive Fault Attacks
General Conclusions and Open Problems
In BFCA – http: // www. liafa. jussieu. fr/ bfca/ , pages 1–25, 2007.May 02–04, Paris, France.
[8] Thanh-Ha Le, Cecile Canovas, and Jessy Clediere.An overview of side channel analysis attacks.In ASIACCS, pages 33–43, 2008.
[9] Thanh-Ha Le, Jessy Clediere, Cecile Canovas, Bruno Robisson, Christine Serviere, and Jean-Louis Lacoume.A Proposition for Correlation Power Analysis Enhancement.In CHES, volume 4249 of LNCS, pages 174–186. Springer, 2006.Yokohama, Japan.
[10] Stefan Mangard, Elisabeth Oswald, and Thomas Popp.Power Analysis Attacks: Revealing the Secrets of Smart Cards.Springer, December 2006.ISBN 0-387-30857-1, http://www.dpabook.org/.
[11] Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan.Investigations of Power Analysis Attacks on Smartcards.In USENIX — Smartcard’99, pages 151–162, May 10–11 1999.Chicago, Illinois, USA (Online PDF).
[12] Gilles Piret and Jean-Jacques Quisquater.A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad.In CHES, volume 2779 of LNCS, pages 77–88. Springer, 2003.(Online PDF version).
[13] Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger.Setup Time Violation Attacks on AES.In EDCC, The seventh European Dependable Computing Conference, pages 91–96, Kaunas, Lithuania, may2008.ISBN: 978-0-7695-3138-0, DOI: 10.1109/EDCC-7.2008.11.
S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 48