Power Side Channels in Security ICs: Hardware Countermeasures

Power side-channel attacks are a very effective cryptanalysis technique that can infer secret keys of security ICs by monitoring the power consumption. Since the emergence of practical attacks in the late 90s, they have been a major threat to many cryptographic-equipped devices including smart cards, encrypted FPGA designs, and mobile phones. Designers and manufacturers of cryptographic devices have in response developed various countermeasures for protection. Attacking methods have also evolved to counteract resistant implementations. This paper reviews foundational power analysis attack techniques and examines a variety of hardware design mitigations. The aim is to highlight exposed vulnerabilities in hardware-based countermeasures for future more secure implementations

Sophisticated security verification on routing repaired balanced cell-based dual-rail logic against side channel analysis

Conventional dual-rail precharge logic suffers from difficult implementations of dual-rail structure for obtaining strict compensation between the counterpart rails. As a light-weight and high-speed dual-rail style, balanced cell-based dual-rail logic (BCDL) uses synchronised compound gates with global precharge signal to provide high resistance against differential power or electromagnetic analyses. BCDL can be realised from generic field programmable gate array (FPGA) design flows with constraints. However, routings still exist as concerns because of the deficient flexibility on routing control, which unfavourably results in bias between complementary nets in security-sensitive parts. In this article, based on a routing repair technique, novel verifications towards routing effect are presented. An 8 bit simplified advanced encryption processing (AES)-co-processor is executed that is constructed on block random access memory (RAM)-based BCDL in Xilinx Virtex-5 FPGAs. Since imbalanced routing are major defects in BCDL, the authors can rule out other influences and fairly quantify the security variants. A series of asymptotic correlation electromagnetic (EM) analyses are launched towards a group of circuits with consecutive routing schemes to be able to verify routing impact on side channel analyses. After repairing the non-identical routings, Mutual information analyses are executed to further validate the concrete security increase obtained from identical routing pairs in BCDL

Secure and Energy-Efficient Processors

Security has become an essential part of digital information storage and processing. Both high-end and low-end applications, such as data centers and Internet of Things (IoT), rely on robust security to ensure proper operation. Encryption of information is the primary means for enabling security. Among all encryption standards, Advanced Encryption Standard (AES) is a widely adopted cryptographic algorithm, due to its simplicity and high security. Although encryption standards in general are extremely difficult to break mathematically, they are vulnerable to so-called side channel attacks, which exploit electrical signatures of operating chips, such as power trace or magnetic field radiation, to crack the encryption. Differential Power Analysis (DPA) attack is a representative and powerful side-channel attack method, which has demonstrated high effectiveness in cracking secure chips. This dissertation explores circuits and architectures that offer protection against DPA attacks in high-performance security applications and in low-end IoT applications. The effectiveness of the proposed technologies is evaluated. First, a 128-bit Advanced Encryption Standard (AES) core for high-performance security applications is designed, fabricated and evaluated in a 65nm CMOS technology. A novel charge-recovery logic family, called Bridge Boost Logic (BBL), is introduced in this design to achieve switching-independent energy dissipation and provide intrinsic high resistance against DPA attacks. Based on measurements, the AES core achieves a throughput of 16.90Gbps and power consumption of 98mW, exhibiting 720x higher DPA resistance and 30% lower power than a conventional CMOS counterpart implemented on the same die and operated at the same clock frequency. Second, an AES core designed for low-cost and energy-efficient IoT security applications is designed and fabricated in a 65nm CMOS technology. A novel Dual-Rail Flush Logic (DRFL) with switching-independent power profile is used to yield intrinsic resistance against DPA attacks with minimum area and energy consumption. Measurement results show that this 0.048mm2 core achieves energy consumption as low as 1.25pJ/bit, while providing at least 2604x higher DPA resistance over its conventional CMOS counterpart on the same die, marking the smallest, most energy-efficient and most secure full-datapath AES core published to date.PHDElectrical EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/138791/1/luss_1.pd

Side-channel attacks and countermeasures in the design of secure IC's devices for cryptographic applications

Abstract--- A lot of devices which are daily used have to guarantee the retention of sensible data. Sensible data are ciphered by a secure key by which only the key holder can get the data. For this reason, to protect the cipher key against possible attacks becomes a main issue. The research activities in hardware cryptography are involved in finding new countermeasures against various attack scenarios and, in the same time, in studying new attack methodologies. During the PhD, three different logic families to counteract Power Analysis were presented and a novel class of attacks was studied. Moreover, two different activities related to Random Numbers Generators have been addressed

Explointing FPGA block memories for protected cryptographic implementations

Modern Field Programmable Gate Arrays (FPGAs) are power packed with features to facilitate designers. Availability of features like huge block memory (BRAM), Digital Signal Processing (DSP) cores, embedded CPU makes the design strategy of FPGAs quite different from ASICs. FPGA are also widely used in security-critical application where protection against known attacks is of prime importance. We focus ourselves on physical attacks which target physical implementations. To design countermeasures against such attacks, the strategy for FPGA designers should also be different from that in ASIC. The available features should be exploited to design compact and strong countermeasures. In this paper, we propose methods to exploit the BRAMs in FPGAs for designing compact countermeasures. BRAM can be used to optimize intrinsic countermeasures like masking and dual-rail logic, which otherwise have significant overhead (at least 2X). The optimizations are applied on a real AES-128 co-processor and tested for area overhead and resistance on Xilinx Virtex-5 chips. The presented masking countermeasure has an overhead of only 16% when applied on AES. Moreover Dual-rail Precharge Logic (DPL) countermeasure has been optimized to pack the whole sequential part in the BRAM, hence enhancing the security. Proper robustness evaluations are conducted to analyze the optimization for area and security

EVALUATION OF RESISTANCE TO SCA FOR DIFFERENT ARCHITECTURES OF ENCRYPTED CELL

This paper deals with a top down design of an example multiplexer cell that exhibits high immunity to Side Channel Attack (SCA). Four different solutions of the encrypted multiplexer cell are revised, and the best design adopted. The post-layout simulations prove resistance of the multiplexer logic cell to the SCA. Since the physical layout structure and the functionality of this kind of design is based on symmetry, concerns were expressed as to what will be the effectiveness of the method under real production conditions. To get a proper answer to that, the adequacy of the chosen design for the multiplexer cell, which uses the "No Short-circuit Current Dynamic Differential Logic" (NSDDL) method, is confirmed by observing a Normalized Standard Deviation (NSD)

IDPAL – A Partially-Adiabatic Energy-Efficient Logic Family: Theory and Applications to Secure Computing

Low-power circuits and issues associated with them have gained a significant amount of attention in recent years due to the boom in portable electronic devices. Historically, low-power operation relied heavily on technology scaling and reduced operating voltage, however this trend has been slowing down recently due to the increased power density on chips. This dissertation introduces a new very-low power partially-adiabatic logic family called Input-Decoupled Partially-Adiabatic Logic (IDPAL) with applications in low-power circuits. Experimental results show that IDPAL reduces energy usage by 79% compared to equivalent CMOS implementations and by 25% when compared to the best adiabatic implementation. Experiments ranging from a simple buffer/inverter up to a 32-bit multiplier are explored and result in consistent energy savings, showing that IDPAL could be a viable candidate for a low-power circuit implementation. This work also shows an application of IDPAL to secure low-power circuits against power analysis attacks. It is often assumed that encryption algorithms are perfectly secure against attacks, however, most times attacks using side channels on the hardware implementation of an encryption operation are not investigated. Power analysis attacks are a subset of side channel attacks and can be implemented by measuring the power used by a circuit during an encryption operation in order to obtain secret information from the circuit under attack. Most of the previously proposed solutions for power analysis attacks use a large amount of power and are unsuitable for a low-power application. The almost-equal energy consumption for any given input in an IDPAL circuit suggests that this logic family is a good candidate for securing low-power circuits again power analysis attacks. Experimental results ranging from small circuits to large multipliers are performed and the power-analysis attack resistance of IDPAL is investigated. Results show that IDPAL circuits are not only low-power but also the most secure against power analysis attacks when compared to other adiabatic low-power circuits. Finally, a hybrid adiabatic-CMOS microprocessor design is presented. The proposed microprocessor uses IDPAL for the implementation of circuits with high switching activity (e.g. ALU) and CMOS logic for other circuits (e.g. memory, controller). An adiabatic-CMOS interface for transforming adiabatic signals to square-wave signals is presented and issues associated with a hybrid implementation and their solutions are also discussed

Side-Channel Attacks and Countermeasures for the MK-3 Authenticated Encryption Scheme

In the field of cryptography, the focus is often placed on security in a mathematical or information-theoretic sense; for example, cipher security is typically evaluated by the difficulty of deducing the plaintext from the ciphertext without knowledge of the key. However, once these cryptographic schemes are implemented in electronic devices, another class of attack presents itself. Side-channel attacks take advantage of the side effects of performing a computation, such as power consumption or electromagnetic emissions, to extract information outside of normal means. In particular, these side-channels can reveal parts of the internal state of a computation. This is important because intermediate values occurring during computation are typically considered implementation details, invisible to a potential attacker. If this information is revealed, then the assumptions of a non-side-channel-aware security analysis based only on inputs and outputs will no longer hold, potentially enabling an attack. This work tests the effectiveness of power-based side-channel attacks against MK-3, a customizable authenticated encryption scheme developed in a collaboration between RIT and L3Harris Technologies. Using an FPGA platform, Correlation Power Analysis (CPA) is performed on several different implementations of the algorithm to evaluate their resistance to power side-channel attacks. This method does not allow the key to be recovered directly; instead, an equivalent 512-bit intermediate state value is targeted. By applying two sequential stages of analysis, a total of between 216 and 322 bits are recovered, dependent on customization parameters. If a 128-bit key is used, then this technique has no benefit to an attacker over brute-forcing the key itself; however, in the case of a 256-bit key, CPA may provide up to a 66-bit advantage. In order to completely defend MK-3 against this type of attack, several potential countermeasures are discussed at the implementation, design, and overall system levels

STUDY OF SINGLE-EVENT EFFECTS ON DIGITAL SYSTEMS

Microelectronic devices and systems have been extensively utilized in a variety of radiation environments, ranging from the low-earth orbit to the ground level. A high-energy particle from such an environment may cause voltage/current transients, thereby inducing Single Event Effect (SEE) errors in an Integrated Circuit (IC). Ever since the first SEE error was reported in 1975, this community has made tremendous progress in investigating the mechanisms of SEE and exploring radiation tolerant techniques. However, as the IC technology advances, the existing hardening techniques have been rendered less effective because of the reduced spacing and charge sharing between devices. The Semiconductor Industry Association (SIA) roadmap has identified radiation-induced soft errors as the major threat to the reliable operation of electronic systems in the future. In digital systems, hardening techniques of their core components, such as latches, logic, and clock network, need to be addressed. Two single event tolerant latch designs taking advantage of feedback transistors are presented and evaluated in both single event resilience and overhead. These feedback transistors are turned OFF in the hold mode, thereby yielding a very large resistance. This, in turn, results in a larger feedback delay and higher single event tolerance. On the other hand, these extra transistors are turned ON when the cell is in the write mode. As a result, no significant write delay is introduced. Both designs demonstrate higher upset threshold and lower cross-section when compared to the reference cells. Dynamic logic circuits have intrinsic single event issues in each stage of the operations. The worst case occurs when the output is evaluated logic high, where the pull-up networks are turned OFF. In this case, the circuit fails to recover the output by pulling the output up to the supply rail. A capacitor added to the feedback path increases the node capacitance of the output and the feedback delay, thereby increasing the single event critical charge. Another differential structure that has two differential inputs and outputs eliminates single event upset issues at the expense of an increased number of transistors. Clock networks in advanced technology nodes may cause significant errors in an IC as the devices are more sensitive to single event strikes. Clock mesh is a widely used clocking scheme in a digital system. It was fabricated in a 28nm technology and evaluated through the use of heavy ions and laser irradiation experiments. Superior resistance to radiation strikes was demonstrated during these tests. In addition to mitigating single event issues by using hardened designs, built-in current sensors can be used to detect single event induced currents in the n-well and, if implemented, subsequently execute fault correction actions. These sensors were simulated and fabricated in a 28nm CMOS process. Simulation, as well as, experimental results, substantiates the validity of this sensor design. This manifests itself as an alternative to existing hardening techniques. In conclusion, this work investigates single event effects in digital systems, especially those in deep-submicron or advanced technology nodes. New hardened latch, dynamic logic, clock, and current sensor designs have been presented and evaluated. Through the use of these designs, the single event tolerance of a digital system can be achieved at the expense of varying overhead in terms of area, power, and delay