design of side-channel-attack resistive criptographic asics

Download Report

Transcript design of side-channel-attack resistive criptographic asics

LABORATORY FOR ELECTRONIC DESIGN AUTOMATION
Faculty of Electronic Engineering University of Nis
Authors:
MILENA STANOJLOVIĆ
PREDRAG PETKOVIĆ
1
 Introduction
 Strategies
against SCA
 Hardware protection of DPA
 Resistance to SCA WDDL and NSDDL
cells
 Conclusion
2
Data protection is very important in everyday life and for
that reason cryptography received a significant position.
Important information and secret keys can be obtained
by analyzing consumption encrypted hardware.
Some of the methods that allow easier breaking of codes
known as SPA (Simple Power Analysis), DPA (Differential
Power Analysis) and EMA (Electromagnetic Analysis).
Common to all these methods is analysis of information
that leaks from physically implemented hardware.
3
Attacks which make use of such inherent physical leakage are called side-channel attacks (SCA). SCA pose a
major threat because the physical implementations of
the cryptographic devices are difficult to control and
often result in unplanned leakage of information.
Typically, side-channel attacks do not require the device
to be opened or access to internal parts of the system.
4
The countermeasures proposed against DPA can be
grouped into three categories: randomizing, masking,
and blinding.
We are use a blinding method. One class of this method
is known as Dual-rail with Pre-charge Logic (DPL).
All signals are duplicated and have true and false
representations.
Good representatives of DPL are WDDL (Wave Dynamic
Differential Logic) and NSDDL (No Short-circuit current
Dynamic Differential Logic).
5

Using De-Morgan's laws it can be
shown that OR cell is
complementary to AND cell. This
concept of complementary cells is
used in WDDL method. The first
picture shows an encrypted AND
cell.
During pre-charge phase all
signals are set to low level.
During evaluating phase only
exactly one of outputs goes to
the high level.
Therefore only one load
capacitance will charge from
VDD.
6
The main difference between NSDDL and
WDDL is in the control logic. In addition
to pre-charge phase and evaluating
phase, phase of capacitor discharge (discharge phase) is introduced to.
During pre-charge phase signals
PRE and DIS are set to low logic
level.
Evaluating phase occurs when the
PRE signal reaches a high logic level.
Dis-charge phase lasts as long as
both PRE and DIS signals are at
high logic level.
7
Resistance to SCA WDDL and NSDDL cells
AND/NAND pri VDD=3.3V, T=300K, Tr=Tf=1ns, Ct/Cf=1
Metod
1.
2.
3.
4.
Average energy
consumption E*
Maximum relative
deviation of energy
Standard deviation
Normalized standard
deviation
SC WDDL
oWDDL
NSDDL
1.02pJ
0.96pJ
2.28pJ
10.14%
3.29%
2.92%
35.53fJ
10.98fJ
20.73fJ
3.47%
1.14%
0.91%
Three types of cells are simulated. First two cells are designed
using WDDL method. The first cell is designed based on standard
cells. This cell gave worse results compared to second cell in
which the dimensions of transistors are optimized. Therefore the
first cell will be excluded from further consideration.
The third cell is designed using NSDDL metod. In this case
similar results are obtained as with the second cell. Also power
consumption increased as it was expected.
8
Resistance to SCA WDDL and NSDDL cells
Resistance to SCA is tested for following conditions:
 mismatched loads,
 extremly increased temperature,
 different duration of falling and rising edges of inputs signals
 extreme changes of power supply voltage (Vdd)
9
optimizovana WDDL AND ćelija
Vdd=3.3V Ct/Cf=1
optimizovana WDDL AND ćelija
Vdd=3.3V, T=300K, Tr=Tf=1ns
0.06
Ct/Cf=1
0.02
Ct/Cf=0.85
0.00
Ct/Cf=1.15
1
-0.02
2
3
4
5
6
7
8
9
10
Ct/Cf=0.95
Ct/Cf=1.05
-0.04
Relativna promena
energije
Relativna promena
energije
0.03
0.04
0.02
0.01
T=300K, Tr=Tf=1ns
0.00
T=425K, Tr=Tf=1ns
1
-0.01
2
3
4
5
7
8
9
10
T=300K, Tr=Tf=4ns
-0.02
-0.03
-0.06
Kombinacija ulaznih signala
Kombinacija ulaznih signala
NSDDL AND ćelija
Vdd=3.3V, T=300K, Tr=Tf=1ns
NSDDL AND ćelija
Vdd=3.3V, Ct/Cf=1
0.015
0.015
0.01
Ct/Cf=1
0.005
Ct/Cf=0.85
0
-0.005
1
2
3
4
5
6
7
8
9
10
Ct/Cf=1.15
-0.01
Ct/Cf=0.95
-0.015
Ct/Cf=1.05
-0.02
-0.025
Relativna promena
energije
Relativna promena
energije
6
0.01
0.005
T=300K, TR=1ns
0
-0.005
1
2
3
4
5
6
7
8
-0.01
9
10
T=425K, TR=1ns
T=300K, TR=4ns
-0.015
-0.02
-0.025
Kombinacija ulaznih signala
Influence of mismatched loads to
relative change in energy for
a) oWDDL i b) NSDDL AND cells
Kombinacija ulaznih signala
Influence of extreme temperature and
signal dinamics to relative change in
energy for
a) oWDDL i b) NSDDL AND cells
10
optimizovana WDDL AND ćelija
T=300K, Ct/Cf=1, Tr=Tf=1ns
Relativna promena
energije
0.04
0.03
0.02
Vdd=3.3V
0.01
0
-0.01
Vdd=4.2V
1
2
3
4
5
6
7
8
9
10
Vdd=2.4V
-0.02
-0.03
-0.04
Kombinacija ulaznih signala
NSDDL AND ćelija
T=300K, Ct/Cf=1, Tr=Tf=1ns
Relativna promena
energije
0.015
0.01
0.005
Vdd=3.3V
0
-0.005
1
2
3
4
5
6
7
-0.01
8
9
10
All results indicate that the
NSDDL cell is more resistant to
SCA than optimized WDDL
cell.
Vdd=4.2V
Vdd=2.4V
-0.015
-0.02
-0.025
Kombinacija ulaznih signala
Influence of extreme values of Vdd to
relative change in energy for a)
oWDDL i b) NSDDL AND cells
11
Cryptography hardware methods for DPA protection are
based on designing structures with power consumption
independent of input signals dynamic.
Physical implementation of WDDL method is very hard to
achieve because it requires perfectly matched loads.
This problem is resolved in NSDDL method by introducing
Dnor circuitry.
12
Thank you for your attention
13