Silicon-level Solutions against DPA & DFA

IntroductionCircuits in STM 130 nm technology

Attack on Power + EM LeakageNon-Intrusive Fault Attacks

General Conclusions and Open Problems

Silicon-level Solutions against DPA & DFA

Sylvain GUILLEY Laurent SAUVAGE Jean-Luc DANGERNidhal SELMANE Renaud PACALET

< [email protected]>

Institut TELECOM / TELECOM-ParisTechCNRS – LTCI (UMR 5141)

FDTC’08, Sunday, August 10th, 2008, 08:30 – 09:10,Mayflower Hotel, Colonial Room, Washington DC, USA.

S. Guilley, L. Sauvage, JL. Danger, N. Selmane & R. Pacalet Silicon-level Solutions against DPA & DFA 1

http://www.institut-telecom.fr/

http://www.telecom-paristech.fr/

http://www.cnrs.fr/

http://www.ltci.enst.fr/



http://www.cnrs.fr/

http://conferenze.dei.polimi.it/FDTC08/



http://www.cnrs.fr/




Presentation Outline

1 Introduction

2 Circuits in STM 130 nm technology

3 Attack on Power + EM LeakageDPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation

4 Non-Intrusive Fault AttacksTheoretical DFAPractical DFAConclusions & Perspectives

5 General Conclusions and Open Problems




http://www.cnrs.fr/

Objective 5-year collaboration with STM ( )

Rationale for non-invasive attacks

A thorough study of the vulnerabilities is required ...

... to come up with sound protections.

Methodology

Validation by the experience is absolutely mandatory

Hence: dedicated circuits, namely the following ASICs:

SecMat v1,3/2,2,3 academic smartcards.

Fair knowledge of the underlying physics:

How does the circuit leak?How do faults appear?

Attacks fine-tuning:DPA < CPA < enhanced-CPA < PPA < blind attacks .

What’s next? ⇒ http://www.dpacontest.org/.

http://www.ST.com/

http://www.dpacontest.org/





1 Introduction








http://www.cnrs.fr/

Circuits to Study DPA & DFA: SecMat v1, 3/2, 2, 3

RAM64(for AES)

4×

ROM2k

AES

CPU

DES2

(for DES)

DES1

RAM2563×

(for CPU)

SDES

RAM32k

(5)

(9)

(10)

(6)

(7)

(1)

(2)

(3)

(4)

(8)

(11)

(12)

(13)

DEScombi

DESref

AES

0.2 mm2

32 kbytes

RAM

0.8 mm2

DES

WDDL

SecLib

DES

DES

Regular

Features of the circuit

Smartcard with encryptionaccelerators and an e-FPGA

Programmation in ANSI C

Hardware driver: ACME Foxrunning GNU / Linux 2.4.31

4.4 mm2, 2.4 × 106 tr.

HCMOS9GP 130 nm techno

Manufacturing via CMP runS12C7 1 of 03/01/07

3 power domains

Vertical insulation of P−

and N− wells

SW controllable clock-gating+ scan-chain

http://www.ansi.org/

http://www.lextronic.fr/fox/fox.htm

http://www.gnu.org/

http://www.linux.org/

http://cmp.imag.fr

One Run-Time Reconfigurableembedded FPGA [4]

Slave of the CPU (6502)

8 × 8 LuT4

Three functionally identical DESmodules

From the same VHDLsource code:

1 Unprotected, andreference DES cipher

2 WDDL DES3 SecLib DES

Protected instances areDPA-resistant [5]

Template Attacks on DES [1]

Using 32 points of interestfor every SBOX

Template = couple (average,standard deviation)

Estimated for instance forevery 8×26 sub-keys of DES

Successful attack

Classification rate for onetrace: 100 %

Templates built from 20 000power traces on DES

100 selected pts of interest

Computation time: ∼ 1minute on genie.enst.fr

(Intel Xeon @ 3 GHz)

Attack of protected DES:SecLib and WDDL

So far: security gain > 350

Result: WDDL < SecLibsecurity-wise

Either under-powering orover-clocking the crypto module

Mimics a contact-lesssmartcard attack

Practical attack on AES =G. Piret & J.-J. Quisquater

Status

RTL simulation . . . . . . . . . 4

FPGA emulation . . . . . . . . 4

Real-world ASIC . . . . . . . . .4

Real-world FPGA . . . . . . . .4

Nidhal SELMANE’s Masterof Science + PhD work

SW Reverse-Engineering:

ρH,W.= correlation between

H: power modelW : experimental waves

Our State-of-the-Art

Reverse-engineering of:

Data . . . . . . . . . . . . . . . . . 6

Code . . . . . . . . . . . . . . . . . 4

Addresses . . . . . . . . . . . . .4




DPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation


1 Introduction








http://www.cnrs.fr/

DPAdiff, DPAcov and CPA Oracles

Amongst the many oracles that have been proposed, we focus onthree of them, noted:

1 DPAdiff: Differential Power Analysis (difference of means),

2 DPAcov: Differential Power Analysis (covariance) and

3 CPA: Correlation Power Analysis,

defined in equations (1), (2) and (3).

DPAdiff

The idea behind the DPAdiff is to exhibit an asymptotic differencebetween the behaviors.The “difference of means” criterion introduced by Paul Kocher is:

DPAdiff.=

1

m0

∑

i/Di=0

Ti −1

m1

∑

i/Di=1

Ti , (1)

where m0 and m1 denote the number of traces for each decision.More specifically,

m0.= #i ∈ [0, m[/Di = 0 and, symmetrically,

m1.=

∑m−1i=0 Di , with the following complementation property

m0 + m1 = m.

DPAcov

A seemingly different approach consists in computing a covariancebetween the m traces and their associated decision functions. TheDPA covariance estimator is:

DPAcov.=

1

m

∑

i

Ti × Di −1

m

∑

i

Ti ×1

m

∑

i

Di . (2)

It extracts the contribution of Di : only the net i is selected out ofthe whole netlist j [7].

DPAdiff versus DPAcov

The two definitions of the DPA actually coincide, as far as thedecision function is balanced:

Proof.

Assuming that m0 = m1 = m/2,

DPAcov =1

m

∑

i

Ti ×

(

Di −1

2

)

=1

2m

∑

i

Ti × (−1)Di

Covariance withthe characterfunction of D.

=1

4DPAdiff .

Mono-bit versus Multi-bit DPA

Vectorial Decision Function D

D ∈ 0, 1n

Dominant practice: assumebits are indiscernible

Hence partition tracesaccording to |D| ∈ [0, n]

Several philosophies:1 Thomas S.

MESSERGES [11]: pruneall but |D| = 0 or n, andcontinue a la mono-bit

2 Eric BRIER [3]: weightthe partitions with |D|

3 Thanh-Ha LE [9,8]:weight the partitions with(−1,−2, 0,+2,+1)

0

500

1000

1500

2000

2500

1 2 3 4 5 6 7 8

# tra

ces to b

reak the p

art

ial key

DES S-Box

Mono-bit: (-1, +1)4 bits: (-2, -1, 0, +1, +2)

CPA

By definition [3], CPA is a normalization of the DPA. It is definedas a correlation coefficient, estimated by:

CPA.=

DPAcov

σT · σD

∈ [−1, +1] , (3)

where σX is the standard deviation of the random variable X , forwhich an unbiased empirical estimator is√

1m−1

∑m−1i=0

(

Xi −1m

∑m−1j=0 Xj

)2.

DPAcov versus CPA (1/2)

DPAcov after 1k traces

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

3224168

Diffe

rence o

f p

ote

ntia

l [m

V]

Time [clock cycles]

Correctpeaks

Noisy peak(@ clock 38)

DPA differential trace

Averaging over 1k traces

CPA after 1k traces

-30

-20

-10

0

10

20

30

3224168C

orr

ela

tion f

acto

r [-

10

0%

:+1

00

%]

Time [clock cycles]

Correctpeaks

CPA differential traceEstimation over 1k traces

DPAcov versus CPA (2/2)

DPAcov after 10k traces

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

3224168

Diffe

rence o

f p

ote

ntia

l [m

V]

Time [clock cycles]

Correctpeaks

Noisy peak(@ clock 38)has vanished

DPA differential trace

Averaging over 10k traces

CPA after 10k traces

-30

-20

-10

0

10

20

30

3224168C

orr

ela

tion f

acto

r [-

10

0%

:+1

00

%]

Time [clock cycles]

Correctpeaks

CPA differential traceEstimation over 10k traces

Comparison between SecMat v1,3[ASIC] &SecMat v3[FPGA] in terms of power leakage

SecMat v1[ASIC]:

Dedicated power supply for the DES moduleNo clock tree (non-fatal bug)

SecMat v3[ASIC]:

Shared power supply between all modulesClock tree OK

SecMat v3[FPGA]:

SecMat v3[ASIC] VHDL code synthesized in an Altera StratixEPS1S25Global power supply10,157 logic elements and 286,720 RAM bits for the whole SoCDES alone is 1,125 logic elements (LuT4)

NEW! The power traces acquired from those three circuits areavailable for download from http://www.dpacontest.org/.

http://www.altera.com/

http://www.dpacontest.org/

SecMat v1[ASIC] – covariance with |LR[0] ⊕ LR[1]|

-20

0

20

40

60

80

-8 0 8 16

Vo

lta

ge

[m

V]

Time [clock periods]

Average power trace

-20

0

20

40

60

80

-8 0 8 16

Vo

lta

ge

[m

V]


Covariance result (same scale as the average power trace)

SecMat v1[ASIC]:

Typical trace: 92 mV

Typical DPA: 3.0 mV

⇒ Side-channel leakage:3.3 %

-0.5

0

0.5

1

1.5

2

2.5

3

-8 0 8 16

Voltage [

mV

]


Covariance result (zoomed)

SecMat v3[ASIC] – covariance with |LR[0] ⊕ LR[1]|

0

5

10

15

20

25

30

35

40

0 8 16 24

Vo

lta

ge

[m

V]


Average power trace

0

5

10

15

20

25

30

35

40

0 8 16 24

Vo

lta

ge

[m

V]



SecMat v3[ASIC]:


Typical DPA: 0.6 mV


0

0.1

0.2

0.3

0.4

0.5

0.6

0 8 16 24

Voltage [

mV

]



SecMat v3[FPGA] – covariance with |LR[0] ⊕ LR[1]|

-15

-10

-5

0

5

10

15

20

0 8 16 24 32

Vo

lta

ge

[m

V]


Average power trace

-15

-10

-5

0

5

10

15

20

0 8 16 24 32

Vo

lta

ge

[m

V]



SecMat v3[FPGA]:


Typical DPA: 0.19 mV


64/(2, 125 × 1 + (10, 157 −2, 125) × 0.5) ≈ 1 % ⇒ OK

0

0.05

0.1

0.15

0.2

0 8 16 24 32

Vo

ltage [

mV

]



Early Evaluation in WDDL Illustrated

WDDL example andvulnerability:

A1

B1

C1

D1

Y1

A0

B0

C0

D0

Y0

|1

|2‘True’ half

&1

&2‘False’ half

-50

0

50

100

150

3002001000

Insta

nt pow

er

[µW

]

Time [ps]

-50

0

50

100

150

3002001000

Insta

nt pow

er

[µW

]

Time [ps]

B1:

A1:

C1:

A0:

B0:

C0:

D1:

D0:

Y1:

Y0:

B1:

A1:

C1:

A0:

B0:

C0:

D1:

D0:

Y1:

Y0:

SDF Simulation on Altera [6]

⇒ DES sbox #3

0

20

40

60

80

100

0 2 4 6 8 10

Bin

co

un

t [%

]

Delay [ns]

wire_c3b6_truewire_3c49_false

The 64 evaluation dates.

SecMat v1[ASIC] –Simulation of WDDL with 1 ns early evaluation

-1.5

-1

-0.5

0

0.5

1

1.5

2

2.5

3

-8 0 8 16

Voltage [

mV

]


SecMat v1[ASIC] (@ 20 Gsample/s)

EarlyLate

Early-Late

-1.5

-1

-0.5

0

0.5

1

1.5

2

2.5

3

-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V

oltage [

mV

]

Time [nanoseconds]


EarlyLate

Early-Late

SecMat v3[ASIC] –Simulation of WDDL with 1 ns early evaluation

-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

0 8 16 24

Voltage [

mV

]



EarlyLate

Early-Late

-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V

oltage [

mV

]

Time [nanoseconds]


EarlyLate

Early-Late

SecMat v3[FPGA] –Simulation of WDDL with 1 ns early evaluation

-0.1

-0.05

0

0.05

0.1

0.15

0.2

0 8 16 24 32

Voltage [

mV

]


SecMat v3[FPGA] (@ 10 Gsample/s)

EarlyLate

Early-Late

-0.1

-0.05

0

0.05

0.1

0.15

0.2

-2 -1 0 1 2 3 4 5 6 7 8 9 10 11 12V

oltage [

mV

]

Time [nanoseconds]

SecMat v3[FPGA] (@ 10 Gsample/s)

EarlyLate

Early-Late

Summary about Power Leakage

1.0 % signal in 99 % algorithmic noise for a 32-bit register.

Hence a | log2(0.0132 )| = 11.6-bit ADC for an acquisition w/o

noise ...

... or at least 211.6−8 = 12 times averaging with an 8-bitADC.

For unprotected circuits,high Y-resolution is the key of success.

For protected circuits,high X-resolution is the key of success.

Hand-Made ElectroMagnetic SensorsStranded copper core PCB Loop

denuded coaxial cable (1) coil (2) coil (3)

Field: ~E Field: ~H Field: ~H

1cm

1cm

3 4

1cm




DPA OraclesStudy of the Power Leakage on ASICs & FPGAsDPL Logics (e.g. WDDL) Suffering from Early Evaluation

ElectroMagnetic Attacks (EMA)

# traces to break the key

Sensor Averaging Sbox #1 All sboxes

50 Ω resistor 1× 176 940

50 Ω resistor 64× 231 518

Antenna (1) 256× 1,695 1,883

Antenna (2) 256× 1,066 1,786

Antenna (3) 256× 707 1,008

Less noise in power than in EMA measurements

However, EMA measurements are definitely less intrusive




http://www.cnrs.fr/




Theoretical DFAPractical DFAConclusions & Perspectives


1 Introduction








http://www.cnrs.fr/





DFA on AES:Attack of Gilles Piret & Jean-Jacques Quisquater [12]

Fault Model

A “byte-flip” fault is expected: this is a relaxed constraintw.r.t. Eli Biham & Adi Shamir’s DFA.

The fault spatio-temporal location needs not be known.

Attack Scenario

The key is retrieved by columns.

For all the 1 020 = 255 × 4 hypotheses, find a collision.




http://www.cnrs.fr/





G. Piret & J.-J. Quisquater in 2003

SubBytes

ShiftRows

AddRoundKey

SubBytes

ShiftRows

MixColumns

AddRoundKey

Rou

nd

10R

ound

9

d9()[0]

differenceprecomputed




http://www.cnrs.fr/





G. Piret & J.-J. Quisquater in 2003

differencereturned state

=

=

=

SubBytes

ShiftRows

AddRoundKey

SubBytes

ShiftRows

MixColumns

AddRoundKey

SubBytes

ShiftRows

MixColumns

AddRoundKey

Rou

nd

10R

ound

9R

ound

8

d8()d9()[0]

differences change!

Kill 4 birds withone stone

A fault at round 8yields 4 faults atround 9! This isoptimal. . .




http://www.cnrs.fr/





Faults Injection: Setup-Time Violation Attack Sketch

RAM64(for AES)

4×

ROM2k

CPU

DES2

(for DES)

DES1

RAM2563×

(for CPU)

AES

SDES

RAM32k

V

Setup met Setup violated

Q’

QD

Q’

QD

clk clk

V ↓ ⇒ Tpropagation ↑




http://www.cnrs.fr/





Occurrence [based on 2 000 000 encryptions on SecMat v1]

0

10

20

30

40

50

60

70

80

90

100

760 770 780 790 800 810 820 830

Occurr

ence [%

]

Voltage [mV]

FaultsSingle errors

Multiple errors




http://www.cnrs.fr/





Round statistics

0

5

10

15

20

25

R10

R9

R8

R7

R6

R5

R4

R3

R2

R1

% o

f fa

ults

Round

Temporal localization




http://www.cnrs.fr/





Coverage About 20 % of Errors are Exploitable

0

10

20

30

40

50

60

70

80

90

100

760 770 780 790 800 810 820 830

Covera

ge [%

]

Voltage [mV]

Detected errorsExploitable errors in R7Exploitable errors in R8




http://www.cnrs.fr/





Sbox statistics

0

5

10

15

20

25

30

S15

S14

S13

S12

S11

S10

S9

S8

S7

S6

S5

S4

S3

S2

S1

S0

% o

f fa

ults

Sbox

Spatial localization




http://www.cnrs.fr/





Conclusion on DFA

Confer to EDCC’08 [13] for the complete vulnerability analysis

Non-intrusive DFA are possible

Realized on SecMat v1[ASIC] and on an FPGA (forthcomingpresentation @ NTMS’08).

Works also if the clock frequency is changed

Similar work done on DES successfully:randomness of errors is high enough for Biham & Shamir’sattack [2]


http://edcc.dependability.org/

http://www.ntms-conference.org/



http://www.cnrs.fr/





1 Introduction








http://www.cnrs.fr/




DPA & DFA Canonical Counter-Measures

DPA Counter-Measures

Combinatorial Logic:

2× for WDDL10× for SecLib

Routing:

4× for WDDL (2 × 2)9× for WDDL with shield(3 × 3)

DFA Counter-Measures

Captors: intensive, i.e. 6∝area,

Error detection codes: α ∝area, with α ≪ 1.




http://www.cnrs.fr/




Comparison between attacks

For an attack to be successful:

DPA: about 1k traces

DFA: 120 % × 2 = 10 interactions (only!).

Defense cost:

DPA: at least 2× overhead

DFA: a couple of sensors + “cheap” coding logic

In summary:

DPA: easy to protect; but expensive

DFA: difficult to protect; but inexpensive




http://www.cnrs.fr/




Open Problems

How to choose the most suitable correlation in CPA?

How to make DPA counter-measures acceptable?

How to efficiently merge DPA & DFA countermeasures?




http://www.cnrs.fr/




Acknowledgements

We sincerely acknowledge the compilation work done byhttp://www.sidechannelattacks.com/.

Advanced Systems Technologies (AST) division ofSTMicroelectronics (Rousset in France and Milano in Italy).

French Conseil Regional de la Region PACA.

The Secure-IC team for intellectual support.

DPA book [10], as a good introduction for students.


http://www.sidechannelattacks.com/

http://www.st.com/

http://www.trust-ic.com



http://www.cnrs.fr/




References[1] Moulay Abdelaziz El Aabid, Sylvain Guilley, and Philippe Hoogvorst.

Template Attacks with a Power Model.Cryptology ePrint Archive, Report 2007/443, December 2007.http://eprint.iacr.org/2007/443/.

[2] Eli Biham and Adi Shamir.Differential Fault Analysis of Secret Key Cryptosystems.In CRYPTO, volume 1294 of LNCS, pages 513–525. Springer, 1997.

[3] Eric Brier, Christophe Clavier, and Francis Olivier.Correlation Power Analysis with a Leakage Model.Proc. of CHES’04, 3156:16–29, August 11–13 2004.ISSN: 0302-9743; ISBN: 3-540-22666-4; DOI: 10.1007/b99451; Cambridge, MA, USA.

[4] Sumanta Chaudhuri, Sylvain Guilley, Florent Flament, Philippe Hoogvorst, and Jean-Luc Danger.An 8x8 Run-Time Reconfigurable FPGA Embedded in a SoC.In DAC, pages 120–125, Anaheim, CA, USA, jun 2008.

[5] S. Guilley, F. Flament, R. Pacalet, Ph. Hoogvorst, and Y. Mathieu.Security Evaluation of a Secured Quasi-Delay Insensitive Library.In DCIS, full text in HAL, http: // hal. archives-ouvertes. fr/ hal-00283405/ en/ , pages 1–7, November2008.DCIS’08, Grenoble, France.

[6] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst,Ving-Nga Vong, and Maxime Nassar.Shall we trust WDDL?In Future of Trust in Computing, volume 2, Berlin, Germany, jun 2008.

[7] Sylvain Guilley, Philippe Hoogvorst, Renaud Pacalet, and Johannes Schmidt.Improving Side-Channel Attacks by Exploiting Substitution Boxes Properties.


http://eprint.iacr.org/2007/443/

http://hal.archives-ouvertes.fr/hal-00283405/en/

http://www.dcis.org/



http://www.cnrs.fr/




In BFCA – http: // www. liafa. jussieu. fr/ bfca/ , pages 1–25, 2007.May 02–04, Paris, France.

[8] Thanh-Ha Le, Cecile Canovas, and Jessy Clediere.An overview of side channel analysis attacks.In ASIACCS, pages 33–43, 2008.

[9] Thanh-Ha Le, Jessy Clediere, Cecile Canovas, Bruno Robisson, Christine Serviere, and Jean-Louis Lacoume.A Proposition for Correlation Power Analysis Enhancement.In CHES, volume 4249 of LNCS, pages 174–186. Springer, 2006.Yokohama, Japan.

[10] Stefan Mangard, Elisabeth Oswald, and Thomas Popp.Power Analysis Attacks: Revealing the Secrets of Smart Cards.Springer, December 2006.ISBN 0-387-30857-1, http://www.dpabook.org/.

[11] Thomas S. Messerges, Ezzy A. Dabbish, and Robert H. Sloan.Investigations of Power Analysis Attacks on Smartcards.In USENIX — Smartcard’99, pages 151–162, May 10–11 1999.Chicago, Illinois, USA (Online PDF).

[12] Gilles Piret and Jean-Jacques Quisquater.A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad.In CHES, volume 2779 of LNCS, pages 77–88. Springer, 2003.(Online PDF version).

[13] Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger.Setup Time Violation Attacks on AES.In EDCC, The seventh European Dependable Computing Conference, pages 91–96, Kaunas, Lithuania, may2008.ISBN: 978-0-7695-3138-0, DOI: 10.1109/EDCC-7.2008.11.


http://www.liafa.jussieu.fr/bfca/

http://www.springer.com/

http://www.dpabook.org/

http://www.usenix.org/publications/library/proceedings/smartcard99/messerges.html

http://www.dice.ucl.ac.be/crypto/files/publications/pdf119.pdf



http://www.cnrs.fr/

Documents

Silicon-level Solutions against DPA & DFA