CONTEXT - hardware that must keep data (usu. encryption keys


Techniques to Prevent Power Analysis on
Encryption Hardware
CS252 Final Project
By Shengliang Song & Nikita Borisov
Professor: Jan Rabaey & Kurt Keutzer
• Smart Card
• Differential Power Analysis
• Divide-and-conquer approach
Smart Card
• Processing Power (Intel 8051, Motorola 6805)
• Data Storage (EEPROM, FLASH, ROM, RAM)
• IO & Power Source (Contact, Contactless)
Smart Cards
• Power: A) Smart Card Reader, B) Inductive Coupling
• Synchronous: powered, clocked and addressed under control of the outside world
• Asynchronous: RF/ID and RF/DC
• ISO 7816-3 (similar to RS232 operating at 9600 baud with even parity)
Differential Power Analysis
• Semiconductor logic gates
– consuming power
– producing electromagnetic radiation
• DPA: plaintext or ciphertext => encryption or decryption keys
– Observes m encryption operations
– Captures power traces T[1..m][1..k] (k samples each)
– Records the ciphertexts C[1..m]
– Delta D[1..k]: the difference between the average of the traces for which D(c,b,ks) is one and the average of the traces for which D(c,b,ks) is zero
Measure a circuit's power consumption
• a small (50 ohm) resistor is inserted in series with the power or ground input
(Figure: Vcc supply, series resistor R = 50 ohm, Vout measured across it, I = Vout/R)
DPA Traces
DEFENSES
• Still being studied
• Balancing computation with complements
• Splitting bits into randomized shares
• Special circuit design techniques
• Randomize order
• Complicated, costly
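As an added example (not from the original slides), the delta computation from the DPA slide run on constructed traces of a toy 8-bit S-box stage, once unprotected and once with the "splitting bits into randomized shares" defense from the list above. The S-box (a seeded random permutation), the key byte, the Hamming-weight power model, the three-sample trace layout and the noise level are all assumptions.

```python
import random

# Constructed toy cipher stage: one 8-bit S-box lookup S[c ^ key] on a known input c.
# The S-box is a seeded random permutation, not any real cipher's table.
SBOX = list(range(256))
random.Random(7).shuffle(SBOX)
NOISE = 1.0   # assumed Gaussian measurement noise (std dev) per sample
KEY = 0xA5    # constructed secret key byte

def hw(x):
    """Hamming weight: the assumed power model (consumption tracks bits set)."""
    return bin(x).count("1")

def trace_unprotected(c, key, rng):
    """k = 3 samples: input load, S-box output, an unrelated bus value."""
    v = SBOX[c ^ key]
    return [hw(c) + rng.gauss(0, NOISE), hw(v) + rng.gauss(0, NOISE),
            hw(rng.randrange(256)) + rng.gauss(0, NOISE)]

def trace_masked(c, key, rng):
    """Splitting bits into randomized shares: the device only handles v ^ m and m,
    so the mean of each sample no longer depends on v (first-order DPA fails)."""
    v, m = SBOX[c ^ key], rng.randrange(256)
    return [hw(c) + rng.gauss(0, NOISE), hw(v ^ m) + rng.gauss(0, NOISE),
            hw(m) + rng.gauss(0, NOISE)]

def selection(c, b, ks):
    """D(c,b,ks) from the slide: bit b of the S-box output under key guess ks."""
    return (SBOX[c ^ ks] >> b) & 1

def dpa_delta(traces, cts, b, ks):
    """Delta D[1..k]: average of traces with D(c,b,ks)=1 minus average with D(c,b,ks)=0."""
    ones = [t for t, c in zip(traces, cts) if selection(c, b, ks)]
    zeros = [t for t, c in zip(traces, cts) if not selection(c, b, ks)]
    if not ones or not zeros:   # a guess that never splits the traces carries no information
        return [0.0] * len(traces[0])
    return [sum(t[j] for t in ones) / len(ones) - sum(t[j] for t in zeros) / len(zeros)
            for j in range(len(traces[0]))]

def collect(trace_fn, m, key, seed=1):
    """Observe m operations: returns T[1..m][1..k] and the known inputs C[1..m]."""
    rng = random.Random(seed)
    cts = [rng.randrange(256) for _ in range(m)]
    return [trace_fn(c, key, rng) for c in cts], cts

def recover_key(traces, cts, b=0):
    """Key guess whose delta trace shows the largest spike at any sample."""
    return max(range(256), key=lambda ks: max(abs(d) for d in dpa_delta(traces, cts, b, ks)))
```

With collect(trace_unprotected, 2000, KEY) the delta for KEY rises to about 1.0 at the S-box sample (bit b contributes one full unit of Hamming weight) while wrong guesses stay well below it; with trace_masked the same delta sits near zero because each share is uniformly distributed whatever the S-box output is.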
Divide-and-conquer approach
• Build a simple ALU which implements the sensitive operations (ROT, ADD, XOR, S[key])
• Make it power analysis resistant (continuing research: IC layer, glue logic, computer architecture)
• Design the control logic normally (8-bit CPU or ROM based machine)
Control: CPU or ROM Based Machine
(Diagram: sequencer (fetch, dispatch, sequential) with micro-PC and Code ROM producing a microinstruction; opcode feeds the dispatch ROM; decoders turn the microinstruction into datapath control signals)
• Decoders implement our code language, for instance: rt-ALU, rd-ALU, mem-ALU
ALU & SBox
(Diagram: ALU with ROT (10ns), XOR and + (8ns each) on 8-bit operands, WE and EN control inputs; SBox lookup AKey[7:0] -> S[Akey])
• Basic Units: ROT, ADD, XOR, SBox
• Shielding will be less complex
• Communication: (ALU, Sbox, Ctrl)
ADVANTAGES
(Diagram: IO, CPU, ALU and SBOX (S[key]) blocks)
• Smaller than an entire cipher
• Reduce cost of expensive techniques
• Easier to apply complex design principles
• Model interactions
• Reused
PROBLEMS:
• Communication between the controller and the ALU can be slow
• Asynchronous (Req, Ack; the ALU takes more than one clock cycle)
• Synchronous (the ALU needs to run at a fast clock rate)
• Some cipher-specific techniques (e.g. randomized Sbox lookups) are harder to apply
References
• Smart Cards: http://www.sjug.org/jcsig/others/smart_card.htm
• Differential Power Analysis: http://www.cryptography.com/dpa/Dpa.pdf