1 / 21

Safety verification against DPA for AES Engine

Safety verification against DPA for AES Engine. Jeff Hao, Bo Zhai, Kushal Shah. Outline. Motivation Background Our Technique Symbolic Simulation Approach SAT Solver Approach Results Conclusion. Motivation. Advanced Encryption Standard (AES)

saxton
Download Presentation

Safety verification against DPA for AES Engine

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Safety verification against DPA for AES Engine Jeff Hao, Bo Zhai, Kushal Shah

  2. Outline • Motivation • Background • Our Technique • Symbolic Simulation Approach • SAT Solver Approach • Results • Conclusion

  3. Motivation • Advanced Encryption Standard (AES) • Can be cracked by monitoring power consumption during encryption • Differential Power Analysis (DPA) • How can we know a design is safe? • Use techniques from class to analyze design robustness to DPA

  4. Background • Advanced Encryption Standard (AES) • Encryption used extensively worldwide • Only successful attacks have been side channel attacks that take advantage of • Timing information • Power consumption • Electromagnetic leaks • Sound • DPA takes advantage of varying power consumption in the circuit

  5. Background • AES algorithm

  6. Background • Dynamic Power Analysis (DPA) • Analyzes multiple runs of encryption with different key guesses • Looks for observable events in power trace • Only sure way to guard against DPA • No correlation between power consumption and processed data

  7. A Z B Symbolic Simulation Approach • Create variables that represent if a particular node transitions • Gates become a function of current state and whether nodes transition • Intractable Sz = A’B’SASB + A’BSASB’ + AB’SA’SB + AB(SA+SB)

  8. SAT Solver Approach • Turn the circuit into a SAT instance • Create an extra copy of the original circuit • Current State • Next State • For each node, XOR the current state and next state • 1  node transitions • 0  node does not transition

  9. SAT Solver Approach (cont) • Use SAT solver to find a satisfying assignment • Search for more satisfying assignments • Want range of possible number of transitions • Smaller range  less dependence of power consumption on circuit inputs

  10. SAT Solver • Max_ones • Modified version of MiniSat by Mark Liffiton • Adds an objective function • atLeast(lower_bound) • atMost(upper_bound) • Iteratively finds better solutions

  11. SAT Solver Approach

  12. SAT Solver Approach Current State Next State Copy the circuit

  13. SAT Solver Approach Current State Next State Remove registers, and connect current and next states

  14. SAT Solver Approach Current State Next State XOR each node

  15. SAT Solver Approach Current State Next State Run through a SAT solver and get a satisfying assignment Total transitions = 0

  16. SAT Solver Approach Current State Next State Try again with a new bound: atLeast(1) Total Transitions = 2

  17. Simplifications • Glitch-free Logic • Switches can be modeled statically • Balanced Logic • 0->1 and 1->0 consume the same power • Power sensitivity • Sampling speed • Only measure average power over one clock cycle

  18. Results • AES core • 34027 variables, 129306 clauses • Min: 0 / 11171 = 0% • Max: 2300 / 11171 = 20.6% (best it could find) • DES core from opencores.org • 5104 variables, 20578 clauses • Min: 0 / 1618 = 0% • Max: 575 / 1618 = 35.5% • DES has a wider range of transitions

  19. Conclusion • Large variation in switching activity indicates greater vulnerability to DPA • AES is better than DES • Needs to be tested on more designs • Lessons learned • Symbolic simulation is hard • SAT solver has limitations • Runs out of memory on a 16-GB machine! • Can run for hours with no solution

  20. Future Work • Make improvements to SAT • Simplify SAT instance before using solver • Create a more intelligent SAT solver • Use more realistic library to synthesize designs • Capture power variations within a clock cycle • Factor in propagation delay of signals • Model glitches • Account for differences in power between 0  1 and 1  0 transitions

  21. Thank you!

More Related