An EDA-Friendly Protection Scheme against Side-Channel Attacks. Ali Galip Bayrak¹, Nikola Velickovic¹, Francesco Regazzoni², David Novo¹, Philip Brisk³ and Paolo Ienne¹
Side-Channel Attacks [Figure: a physical device in which a cryptographic processing unit turns plaintext into ciphertext under a secret key while emitting a physical observable (e.g., power consumption). Plaintext: KNOWN; ciphertext: KNOWN; physical observable: KNOWN; secret key: RECOVER. f(plaintext, key) ~ power]
Protection Schemes Main Idea: f(plaintext, key) power How? Constant or random power consumption
Motivation • Area: 2X (SABL) – 20X (iMDPL) • Energy: 3.5X (WDDL) – 18X (MDPL) • Low cost • Non-CMOS (SABL, MCML) • Algorithm specific (GALS) • Technology dependent (WDDL, MDPL) • Fixed overhead (almost all) • Fully automated • Tradeoff: Security vs. Efficiency
Unprotected Circuit [Figure: a combinatorial circuit between Input and Output registers (D flip-flops), all clocked by the single clock CLK; combined register output Qall]
Protected Circuit [Figure: the same circuit with a Clock Randomization block that takes CLK and produces RCLK0, RCLK1, RCLK2 and RCLK3, each clocking its own register; combined register output Qall]
Protected Circuit [Timing diagram: RCLK0, RCLK1, RCLK2, RCLK3 and Qall; labels Torig, Δ and Tprotected]
Clock Randomization [Figure: delayed clocks CLK0, CLK1 (delay δ), CLK2 (delay 2δ), …, CLKN-1 (delay (N-1)δ = Δ) feed a MUX whose select input is RND and whose output is the random clock RCLKi; labels: Delayed Clocks, Random Clocks, Safe Clock Switching Zone]
Protected Circuit [Figure: the protected circuit generalized to M random clocks RCLK0, RCLK1, …, RCLKM-1 produced by the Clock Randomization block from CLK; combined register output Qall]
Automated Design Flow • Flow: High-Level Description (VHDL/Verilog) → Code Modification → Modified High-Level Description → Logic Synthesis → Synthesized Circuit → Place & Route → Protected IC Layout • Random clock generation code: RCLK(i) := MUX(CLK,RND,..) • Clock renaming: if (rising_edge(CLK)) becomes if (rising_edge(RCLK(2))) • Timing constraints: create_clock … RCLK[0]; set_clock_uncertainty … DELTA RCLK[0]
Experimental Setup • FPGA experiments: Platform: SASEBO (Side-channel Attack Standard Evaluation Board) G-II. Two Xilinx FPGAs: Virtex-5 and Spartan-3A. Toolchain: Xilinx ISE 14. • ASIC experiments: Technology: 65nm STM CMOS standard cell library. Toolchain: Synopsys Design Compiler for synthesis, Cadence Encounter for placement and routing, Mentor Graphics Modelsim for simulations and Synopsys Nanosim for power estimation.
Experimental Setup • AES-128 implementation • Design parameters: N: number of delayed clocks. M: number of random clocks. Δ: total amount of delay. • Performance parameters (normalized to the unprotected design): Security, Area, Speed and Energy
# Clocks vs. Security • M (number of random clocks) = 8 ✔ [AES-specific] • Bigger N (number of delayed clocks) ✔ • >300X security improvement
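Why a bigger N lowers leakage, as an added example that is not from the slides or the authors' evaluation: a simplified simulation in which a register update leaks the Hamming weight of an intermediate byte at one time sample, and clock randomization moves that sample to one of N delayed positions. The leakage model, noise level and the names `peak_leakage` and `trace_factor` are assumptions, and the numbers it prints are not the measured 70X or 300X results.

```python
import math
import random

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def peak_leakage(n_delays, n_traces=4000, noise_sd=1.0, seed=1):
    """Largest |correlation| between HW(intermediate) and any trace sample.

    Assumed model: the register update leaks HW(value) at one time sample.
    The protected register fires on a clock picked uniformly from n_delays
    delayed copies, so the leak lands in a random one of n_delays samples.
    n_delays=1 is the unprotected circuit.
    """
    rng = random.Random(seed)  # constructed data, fixed seed for repeatability
    hw, traces = [], []
    for _ in range(n_traces):
        h = bin(rng.randrange(256)).count("1")  # Hamming weight of a random byte
        slot = rng.randrange(n_delays)          # which delayed clock was selected
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_delays)]
        trace[slot] += h
        hw.append(h)
        traces.append(trace)
    return max(abs(pearson(hw, [t[i] for t in traces])) for i in range(n_delays))

def trace_factor(n_delays, **kw):
    """Rule-of-thumb growth in traces needed, which scales with 1/rho^2."""
    return (peak_leakage(1, **kw) / peak_leakage(n_delays, **kw)) ** 2

if __name__ == "__main__":
    for n in (1, 4, 16):
        print(f"N={n:2d}  peak |rho|={peak_leakage(n):.3f}  "
              f"trace factor ~{trace_factor(n):.0f}x")
```

The model spaces the delayed clocks one sample apart, so it ties Δ to N and says nothing about varying Δ at a fixed N.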
Total Delay vs. Security • Bigger Δ for a fixed N ✔ • Bigger N for a fixed Δ ✔? • 70X secure for N=Δ=16 • 300X secure for N=16, Δ=64
Total Delay vs. Area • 8% overhead for 70X security point (Δ=16) • 15% overhead for 300X security point (Δ=64)
Total Delay vs. Speed • 2.3X slowdown for 70X security point (Δ=16) • 7X slowdown for 300X security point (Δ=64)
Comparison • For embedded systems subject to power analysis attacks, area and energy are much more important than speed!
Conclusions • Fully automated design-flow. • Platform and technology agnostic. • Can be applied to any given implementation. • Does not need security expertise. • Less overhead than competing countermeasures. • Area and energy efficient. • Security increase is drastic. • More than 300X with modest overhead.