220 likes | 326 Views
DPA Proof Architecture Evaluation. N. Valette 1 2 , L. Torres 2 , G. Sassatelli 2 , F. Bancel 1 and N. Bérard 1 1 STMicroelectronics, Smartcard Division 2 LIRMM, Microelectronics Department nicolas.valette@st.com / nicolas.valette@lirmm.fr. Outline. Attacks: State of the Art
E N D
DPA Proof Architecture Evaluation N. Valette1 2, L. Torres2, G. Sassatelli2, F. Bancel1 and N. Bérard1 1 STMicroelectronics, Smartcard Division 2 LIRMM, Microelectronics Department nicolas.valette@st.com / nicolas.valette@lirmm.fr
Outline • Attacks: State of the Art • Real DPA description • DPA by simulation • Conclusion and future work
Attacks : State of the Art Electro-magnetic emanations Power consumption Smartcard processing data Smartcard processing data Noise Temperature • Different kinds of attacks • Side channels attacks which use leaking information : • Simple Power Analysis (SPA), Differential Power Analysis (DPA), Timing Analysis, Electromagnetic Analysis, Noise Analysis, Temperature Analysis … • Fault Injection which is a non-invasive attack : • Glitches injection, Light Injection, Irradiation … • Reverse engineering which is an invasive attack • To obtain a complete view of the chip layout (different layers)
Differential Power Analysis • The DPA is the most common attack against Smartcards. • It allows to guess the unknown secret key of a cryptographic coprocessor. • It is based on a statistical repartition of power consumption : • Acquisition of power traces • Statistical analysis of power traces • It can be realized on most cryptographics algorithms
Review of DES Li Ki Ri F function Ri+1 Li+1 K SBOX P SBOX E In Out CTL = L16 f (K16,R16) CTR = R16
Real DPA Attack on DES (1) Solve for D CTL = L16 f (K16,R16) CTR = R16 DPA attack on 6-bits of K16 corresponding to SBOX0 : 1. Make an hypothesis on 6-bits of K16 2. Create 2 groups : S0 and S1 3. Get a CTO and its power trace 4. Reverse-calculate the D – bit (from CTO and K16) 5. If (D = 1) then add power trace to S1 else add power trace to S0 D = CTL f (K16,CTR)
Real DPA Attack on DES (2) D = 0 D = 1
Practical results Complete trace: 16 rounds are visible Reference trace Differential Traces : Right hypothesis Wrong hypothesis Wrong hypothesis
DPA : From real attack to simulation 1) REAL ACQUISITION 1) ACQUISITION BY SIMULATION Vdd Cryptographic process CTi Random Plain Texts Cipher Texts CT1 P&R netlist corresponding to a cryptographic function CT0 Pi Power Traces PTi P1 PT1 Unknown Key PT0 P0 Gnd 2) STATISTICAL REPARTITION CTi Cipher Texts Key Hypothesis CT1 CT0 Repartition Function Pi Power Traces P1 P0 Right Key Hypothesis
DPA on DES by simulation Li Ki Ri F function Ri+1 Li+1 Data entering Sboxes K SBOX P SBOX E K In Output of Sboxes Out 6 In Out SBOX0 4 6 6
DPA Flow Set of Power Traces without RC Set of Power Traces with RC Analysis P&R DSPF File Simulations with Eldo Simulations with Eldo RTL Description of SBOX0 Synthesis Opus Analysis Gated Netlist Eldo Netlist
Results Without RC With RC
Example of architecture evaluation on a DES L K R P SBOX E RTL model synthesized in different ways (with the same library) CTr CTl
Runs description • Run 3 : Automatic synthesis, optimised for area and timing (initial netlist) • Run 5 : Initial netlist with RC load • Run 9 : Idem run5 with different key • Run 10 : Initial netlist plus buffers near outputs • Run 11 : idem run3 • Run 12 : Synthesis only with OR2, NOR2, AND2, NAND2 and INV. • Run 13 : Synthesis with OR2, NOR2, AND2, NAND2 and INV with low bufferization (netlist_LP) • Run 14 : run13 with RC load • Run 15 : Initial netlist plus some distributed buffers • Run 16 : Initial netlist plus few distributed buffers • Run 17 : Automatic synthesis optimised for power consumption (netlist_LP2)
Improvements of the DPA benchmak • Compare simulation results with a real attack • Use the gated netlist of a DES product and its RC load. • Attack this product by simulation to know how many samples are needed to differentiate the right key • Make a real attack on the chip to obtain the number of needed samples • Correlate these numbers of samples
Conclusion and future works • Correlate DPA simulation results with real DPA attack • Evaluate counter measures (at RTL, Gate or P&R level): • Area cost • Security level • Development cost • Evaluate partial or full reconfigurable architectures: use of LUT-based elements to: • be DPA-proof • provide flexibility
Any questions ? nicolas.valette@st.com / nicolas.valette@lirmm.fr