1 / 18

An EDA-Friendly Protection Scheme against Side -Channel Attacks

An EDA-Friendly Protection Scheme against Side -Channel Attacks . Ali Galip Bayrak 1 Nikola Velickovic 1 , Francesco Regazzoni 2 , David Novo 1 , Philip Brisk 3 and Paolo Ienne 1. Side-Channel Attacks. Plaintext. Ciphertext. Cryptographic Processing Unit. Secret Key. Physical

zubin
Download Presentation

An EDA-Friendly Protection Scheme against Side -Channel Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. An EDA-Friendly Protection Scheme against Side-Channel Attacks Ali Galip Bayrak1 Nikola Velickovic1, Francesco Regazzoni2, David Novo1, Philip Brisk3 and Paolo Ienne1

  2. Side-Channel Attacks Plaintext Ciphertext Cryptographic Processing Unit Secret Key Physical Observable (e.g., power consumption) Physical Device f(plaintext, key) ~ power KNOWN KNOWN RECOVER KNOWN

  3. Protection Schemes Main Idea: f(plaintext, key) power How? Constant or random power consumption

  4. Motivation Area: 2X (SABL) – 20X (iMDPL) Energy: 3.5X (WDDL) – 18X (MDPL) Low cost Non-CMOS (SABL, MCML) Algorithm specific (GALS) Technology dependent (WDDL, MDPL) Fixed overhead (almost all) Fully automated Tradeoff Security vs. Efficiency

  5. Unprotected Circuit CLK Input Qall Q D CLK Output Q D Combinatorial Circuit Q D Q D

  6. Protected Circuit RCLK0 Input RCLK1 RCLK2 RCLK3 Q D RCLK0 CLK Qall Output Q D RCLK1 Combinatorial Circuit Clock Randomization Q D RCLK2 Q D RCLK3

  7. Protected Circuit Tprotected Δ Torig RCLK0 RCLK1 RCLK2 RCLK3 Qall

  8. Clock Randomization CLK0 δ CLK1 MUX RCLKi 2δ CLK2 … … … RND (N-1)δ =Δ CLKN-1 Safe Clock Switching Zone Random Clocks Delayed Clocks

  9. Protected Circuit RCLK0 Input RCLK1 RCLK2 RCLK3 Q D RCLK0 CLK Qall Output Q D RCLK1 Combinatorial Circuit Clock Randomization … … Q D RCLKM-1

  10. Automated Design Flow Code Modification Logic Synthesis Place & Route Synthesized Circuit High-Level Description (VHDL/Verilog) Protected IC Layout Modified High-Level Description random clock generation code timing constraints clock renaming create_clock … RCLK[0] set_clock_uncertainty … DELTA RCLK[0] RCLK(i) := MUX(CLK,RND,..) if (rising_edge(CLK)) if (rising_edge(RCLK(2)))

  11. Experimental Setup FPGA experiments: Platform: SASEBO (Side-channel Attack Standard Evaluation Board) G-II. Two Xilinx FPGAs: Virtex-5andSpartan- 3A. Toolchain: Xilinx ISE 14. ASIC experiments: Technology: 65nm STM CMOS standard cell library. Toolchain: Synopsys Design Compiler for synthesis, Cadence Encounter for placement and routing, Mentor Graphics Modelsimfor simulations and Synopsys Nanosimfor power estimation.

  12. Experimental Setup AES-128 implementation Design parameters: N: number of delayed clocks. M: number of random clocks. Δ: total amount of delay. Performance parameters (normalized for unprotected): Security, Area, Speed and Energy

  13. # Clocks vs. Security • M (number of random clocks) = 8 ✔ [AES-specific] • Bigger N (number of delayed clocks) ✔ • >300X security improvement

  14. Total Delay vs. Security • Bigger Δ for a fixed N ✔ • Bigger N for a fixed Δ✔? • 70X secure for N=Δ=16 • 300X secure for N=16, Δ=64

  15. Total Delay vs. Area • 8% overhead for 70X security point (Δ=16) • 15% overhead for 300X security point (Δ=64)

  16. Total Delay vs. Speed • 2.3X slowdown for 70X security point (Δ=16) • 7X slowdown for 300X security point (Δ=64)

  17. Comparison • For the embedded systems subject to power analysis attacks, area and energyare much more important than speed!

  18. Conclusions • Fully automated design-flow. • Platform and technology agnostic. • Can be applied to any given implementation. • Does not need security expertise. • Less overhead than competing countermeasures. • Area and energy efficient. • Security increase is drastic. • More than 300X with modest overhead.

More Related