Side-channel attacks and countermeasures in the design of secure IC's devices for cryptographic applications

Abstract--- A lot of devices which are daily used have to guarantee the retention of sensible data. Sensible data are ciphered by a secure key by which only the key holder can get the data. For this reason, to protect the cipher key against possible attacks becomes a main issue. The research activities in hardware cryptography are involved in finding new countermeasures against various attack scenarios and, in the same time, in studying new attack methodologies. During the PhD, three different logic families to counteract Power Analysis were presented and a novel class of attacks was studied. Moreover, two different activities related to Random Numbers Generators have been addressed

Beware Your Standard Cells! On Their Role in Static Power Side-Channel Attacks

The increase in leakage power from advanced tech nodes elevates the risk of static power side-channel (S-PSC) attacks. While protective measures exist, they involve a security cost trade-off. Hardware Trojans, particularly PSC-based ones, represent another significant threat. Despite acknowledging the link between static power leakage, advanced tech nodes, and vulnerability to S-PSC attacks, the role of the components at the heart of this sensitive interplay – the standard cells – has not been extensively studied in commercial-grade IC design. We analyze this relationship for commercial 28nm and 65nm nodes using a regular AES design. Our CAD framework permits design optimization while assessing S-PSC vulnerability. Contrary to the belief that high-performance designs are more vulnerable, we find timing constraints and threshold-voltage cell ratios are pivotal factors. Also, we discover that an attacker can deploy highly effective, stealthy PSC-based Trojans without any gate overheads or compromising timing paths

A flip-flop implementation for the DPA-resistant Delay-based Dual-rail Pre-charge Logic family

Delay-based Dual-rail Pre-charge Logic (DDPL) is a logic style introduced with the aim of hiding power consumption in cryptographic circuits when a Power Analysis (PA) attack is mounted. Its particular data encoding allows to make the adsorbed current constant for each data input combination, irrespective of capacitive load conditions. The purpose is breaking the link between dynamic power and data statistics and preventing power analysis. In this work we present a novel implementation of a dynamic differential master-slave flip-flop which is compatible with the DDPL data encoding. Efforts were made in order to design a fully dynamic master-slave architecture which does not require a conversion of the signals from dynamic to static domain. Moreover it will be shown that the area occupied is also reduced due to a compact differential layout. Simulations performed using a 65nm-CMOS process showed that the proposed circuit exhibits good performances in terms of average power and NED (Normalized Energy Deviation) as required in transistor level countermeasures against power analysis, and it outperforms other previously published DPA-resistant flip-flops in the real case of unbalanced load conditions. © 2013 Department of Microelectronics and Computer Science, Technical University of Lodz

Simulated power analysis attacks on a DDPL crypto-core without routing constraints

Delay-based Dual-rail Pre-charge Logic (DDPL) is a logic style introduced with the aim of hiding power consumption in cryptographic circuits in order to prevent Power Analysis (PA) attacks. Its particular data encoding allows to make the adsorbed current constant for each data input combination, irrespective of capacitive load conditions, which allows to design a PA-resistant circuit without routing constraints. In this work we present a fair comparison between SABL, a well-known state of the art transistor level countermeasure which is sensitive to the capacitive mismatches on the complementary lines and requires a customized routing procedure, and DDPL. After having provided a power model for describing the leakage sources for the above mentioned logics, a simple cryptographic circuit has been designed for both SABL and DDPL, and a CPA attack has been mounted. Simulations results show that when capacitive load unbalances are considered, DDPL strongly outperforms SABL in terms of number of traces required for disclose the secret key. © 2013 IEEE

Security evaluation and optimization of the delay-based dual-rail pre-charge logic in presence of early evaluation of data

Delay-based Dual-rail Pre-charge Logic (DDPL) has been introduced for counteracting power analysis attacks. Basically DDPL allows to achieve a constant power consumption for each data transition even in presence of capacitive load mismatches, thanks to an asynchronous two-phases evaluation. Unlikely other secure logic styles, in DDPL the clock frequency does not fix the security level since it depends on the value of the delay Δ between the complementary signals, which can be designed to be lower than 1ns using current CMOS technologies. However no works exist in which the DPA-resistance of DDPL is tested in presence of early evaluation, due to the different arrival times of the signals. The aim of this work is to provide and validate through transistor level simulations a theoretical model of the variations of the delay Δ during the evaluation phase for each possible data configuration in order to assess the effect of the early evaluation in DDPL, and to design early evaluation free DDPL gates. Moreover a case study crypto-core implemented both with basic and optimized DDPL gates has been designed in which a Correlation Frequency Power Analysis (CFPA) attack is mounted so to detect any leakage on simulated current traces

A power-balanced sequential element for the delay-based dual-rail precharge logic style

Delay-based Dual-rail Pre-charge Logic (DDPL) is a logic style introduced with the aim of hiding power consumption in cryptographic circuits when a Power Analysis (PA) attack is mounted. Its particular data encoding allows to make the adsorbed current constant for each data input combination, irrespective of capacitive load conditions. The purpose is to break the link between dynamic power and data statistics and preventing power analysis. In this work we present a novel implementation of a dynamic differential master-slave flip-flop which is compatible with the DDPL data encoding. Efforts were made in order to design a completely dynamic master-slave architecture which does not require a conversion of the signals from dynamic to static domain. Moreover we show that the area occupied is also reduced due to a compact differential layout. Simulations performed using a 65nm-CMOS process showed that the proposed circuit exhibits good performance in terms of NED (Normalized Energy Deviation) and CV (Coefficient of Variation) of the current samples as required in transistor level countermeasures against power analysis, and it outperforms other previously published DPA-resistant flip-flops in the real case of unbalanced load conditions

SC-DDPL: A Novel Standard-Cell Based Approach for Counteracting Power Analysis Attacks in the Presence of Unbalanced Routing

n this paper we present the Standard Cell Delay-based Dual-rail Pre-charge Logic (SC-DDPL), a novel logic style which is able to counteract Power Analysis Attacks (PAAs) also in the presence of capacitive mismatch at the output of dual-rail gates. The SC-DDPL is based on a standard-cell design flow and it is suitable to be implemented on ASICs or FPGAs without any routing constraint on differential lines, supporting the Time Enclosed Logic protocol along with a DPL structure. The security provided by SC-DDPL has been firstly investigated in simulation on some basic logic gates, designed adopting a commercial 40nm CMOS technology. Simulated experiments have highlighted the capability of SC-DDPL gates to guarantee a high-level of security also in presence of extreme capacitive mismatch, exhibiting strongly reduced NED/NSD metrics, as well as a reduction of the FED, compared to a reference RTZ-based WDDL implementation. In order to compare the proposed logic against other state-of-the-art countermeasures we have implemented a 4bit PRESENT crypto-core adopting several logic styles, evaluating different security metrics on a 65nm Intel Cyclone-IV FPGA. Experimental results have confirmed that the SC-DDPL outperforms other gate-level countermeasures in terms of security metrics with a reasonable area and power consumption overhead

Design methodologies for cryptographic hardware with countermeasures against side channel attacks

Since the protection of sensible data is considered a major concern in modern devices, the importance of technological aspects have to be addressed properly. Although cryptographic algorithms are considered trustworthy in terms of cryptanalitic resilience, devices that implement such algorithms may not be physically secure. It has been proved that physical emissions in electronics devices can be related to devices' activity. Hence, hardware implementations of cryptographic algorithms have to deal with unavoidable physical emissions.The verification of robustness of an architecture with a given SCA has to deal with the evaluation of data-dependency of the target physical emission. Attacks Exploiting Static Power (AESP) are a sub-class of PAAs that benefit of the data-dependency of the static currents. In my research activity, I demonstrated how AESP can be very powerful in recovering secret key even from dynamic PAA-protected implementations in nanometer technologies. Moreover, the temperature dependency of this side-channel has been evaluated, since each static current related phenomenon is strongly dependent from the working temperature of the device under attack. Making use of this additional dependency, it is possible to simplify the extraction of information through static power consumption. A multivariate analysis of static power consumption using the working-temperature as additional domain has been investigated, and a brand new profiled attack, Template Attack Exploiting Static Power (TAESP) has been presented. In addition, a new measurement setup for mounting AESP and TAESP has been proposed during the PhD. The proposed measurement setup makes use of only low-cost off-the-shelf components and featuring a control-loop for the working temperature of the device under attack. In this work, a DC pico-ammeter is used in place of the classical Digital Storage Oscilloscope (DSO) to measure static power consumption at steady state. A novel logic style named Delay-based Dynamic Differential Logic (DDDL or D3L) has been proposed as a new logic-level countermeasure against PAAs. The new logic style has been conceived to be implemented using only standard-cells, usually provided with each digital design kit. The D3L makes use of the Time Enclosed Logic (TEL) signaling, which has been recently demonstrated to outperform the conventional Return-to-Zero (RTZ) protocol in terms of security if mismatch effects are properly taken into account. The new library is presented with a template for 2-input Boolean operands and also a sequential gate is described. Simulations on the novel logic style are provided using a 40nm CMOS design kit, provided by STMicroelectronics. Since it is possible to easily design the D3L library using VHDL (or Verilog), an synthesizable description for two FPGAs (Xilinx Spartan-6 and Altera Cyclone-IV) has been formalized. Dynamic and static power attacks and evaluations have been practically performed on the Altera Cyclone-IV, using a 4-bit PRESENT-based crypto-core as case study, making also a comparison between D3L with other popular FPGA-compatible dual-rail pre-charge logic styles used to counteract PAAs. During the research activity, also an analog approach in counteracting PAAs has been investigated. The analog-approach is not well explored in literature, but it offers several possibility and benefits in counteracting the steal of information through power consumption. Two countermeasure schemes based on a feedback-loop architecture and with a pure current-mode approach have been presented, named On-chip Current Equalizer (OCE) and improved On-chip Current Equalizer (iOCE). The purpose of OCE and iOCE is to maintain the current consumption constant neglecting the data-dependent activities that take place in the cryptographic circuit. OCE and iOCE aim to equalize the instantaneous current consumption as well as the energy per cycle. An intense experimental activity regarding the test and security evaluation of the 65nm SERPAES prototype chip has been carried out during the PhD. The SERPAES, designed at our laboratory, contains five implementations of AES-128 block cipher and two full-custom designed prototype implementations of 4-bit data-path of the SERPENT block cipher. AES implementations are designed with RTL-level countermeasures, aiming to randomize the power consumption of the data-path. Experimental analysis of PAA-resilience on AES-4 core have been performed, giving actual and information theoretic security metrics. The protection scheme implemented on AES-4 is based on the adoption of the Secure Double Rate Register (SDRR), aiming to randomize the power consumption of combinational network and registers. In addition, an evaluation of the security and robustness to PAAs has been performed on the full-custom section of the SERPAES chip, containing two implementations of 4-bit data-path based on round-0 of the SERPENT block cipher. SERPENT-based cores are implemented using the following full-custom logics: Sense Amplifier-Based Logic (SABL) and improved Delay-based Dual-rail Pre-charge Logic (iDDPL). PAA evaluations on both cores have been carried out giving a fair comparison of state-of-the-art full-custom PAA-countermeasures. The comparison has been performed for different cases of capacitive unbalance, in order to measure the performance of both logic styles in tolerating capacitive mismatches