    Differential Scan-Based Side-Channel Attacks and Countermeasures (Differentiële scan-gebaseerde nevenkanaalaanvallen en tegenmaatregelen)

    Cryptographic circuits are vulnerable to various side-channel attacks that target their hardware implementations to extract the secret information stored inside them. One such side channel is the scan-chain-based Design-for-Test (DfT) infrastructure employed for thorough and faster testing of VLSI circuits. Removing the connectivity of the scan chains after manufacturing test prevents such attacks, but also makes in-field test and updates of the circuits impossible. In some applications, such as set-top box decoders, firmware updates happen through the JTAG port, which is internally connected to the scan chains. Hence, scan chains must be left intact and at the same time protected from these attacks. Moreover, the cost in terms of area and test-time overhead must be kept to a minimum for it to be feasible to incorporate the security mechanism in a reasonably priced commercial product.

    This work first investigates the scan attack vulnerability of symmetric-key and public-key hardware implementations, and then presents suitable countermeasures to address the aforementioned trade-off between testability, security and test cost. The thesis first presents scan attacks on hardware implementations of the symmetric-key block cipher AES and the public-key ciphers RSA and ECC in the presence of advanced DfT structures such as test compression and X-handling schemes. In addition, state-of-the-art power-analysis side-channel and fault-attack countermeasures are analyzed to evaluate whether they are suitable for warding off scan attacks. The thesis also investigates the practical security provided by various scan attack countermeasures (such as partial scan and scan chain scrambling) that are proposed in the literature.
    At the algorithmic level, blinding- and randomization-based schemes that protect against Differential Power Analysis (DPA) attacks are shown to be secure against scan attacks, whereas countermeasures against Simple Power Analysis (SPA) and fault attacks are found to be ineffective against scan attacks. At the RTL level, Multiple Input Signature Register (MISR)-based time compaction schemes are found to be inherently secure against scan attacks, provided only the final MISR signature is observable and not the intermediate states. New countermeasures are also proposed at the system level, in the form of a secure JTAG architecture based on an ECC-based Schnorr protocol, and at the gate level, in the form of a noise injector integrated with the test compression schemes.

    Another major contribution of the thesis is secure cryptographic SoC testing. As part of our research work, scan attack resistant Secure Test Wrappers (STWs) have been designed that integrate a challenge-response based secure entity authentication protocol with the IEEE 1500 standard test wrapper. Two variants of STWs are proposed: one based on the lightweight block cipher KATAN and the other using Physically Unclonable Functions (PUFs). Another work performed in this direction is integrating efficient multiplier-based pseudo-random Logic Built-In Self-Test (LBIST) solutions with STWs. This helps in providing a flexible self-testing option for the cryptographic SoC and in maintaining a high level of testability and security, while simultaneously reducing the test overhead.

    Contents of the thesis:

    Preface
    Abstract
    Samenvatting
    Contents
    List of Figures
    List of Tables
    List of Abbreviations
    1 Introduction and Background
      1.1 Introduction to Testing and Structural Testing
        1.1.1 Structural vs. Functional Testing
        1.1.2 Fault Models
        1.1.3 Scan-Based Structural Design-for-Test (DfT)
        1.1.4 Logic Built-In Self-Test (LBIST)
        1.1.5 Time Compaction
        1.1.6 Multiple Input Signature Register (MISR)
      1.2 Test Compression
        1.2.1 Space Compaction
        1.2.2 X-State Handling
          1.2.2.1 X-Tolerant Schemes
          1.2.2.2 X-Masking Schemes
      1.3 Introduction to Scan Attacks
        1.3.1 Attack Principle
        1.3.2 Attack Target
        1.3.3 Attacker Scenario and Assumptions
        1.3.4 Classical Differential Scan Attacks
        1.3.5 Advanced Encryption Standard (AES)
        1.3.6 Modified Differential Scan Attacks
        1.3.7 Recent Differential Scan Attack
        1.3.8 Test Compression and Security
      1.4 Scan Attack Countermeasures
      1.5 Summary of Contributions
    2 Differential Scan Attacks on Advanced DfT Schemes
      2.1 Introduction
      2.2 Differential Scan Attacks on Symmetric-Key Implementations
        2.2.1 Attack Strategy
        2.2.2 Distributions Considered
        2.2.3 Scan Attack on AES Hardware in the Presence of XOR Compaction with X-Tolerance
        2.2.4 Scan Attack on AES Hardware in the Presence of XOR Compaction with Static X-Masking
          2.2.4.1 Description of the Attack
          2.2.4.2 DSA on XOR Compaction with Static X-Masking
          2.2.4.3 DSA on XOR Compaction, Static X-Masking and OPMISR
        2.2.5 Scan Attack on AES Hardware in the Presence of XOR Compaction with Dynamic X-Masking
      2.3 Differential Scan Attacks on Public-Key Implementations
        2.3.1 Differential Scan Attacks on RSA
          2.3.1.1 RSA
          2.3.1.2 Target RSA Hardware Implementation
          2.3.1.3 Differential Scan Attack Mode
          2.3.1.4 Description of the Scan Attack on RSA
          2.3.1.5 Practical Aspects of the Attack
            2.3.1.5.1 Leakage Analysis
            2.3.1.5.2 Timing Aspects
          2.3.1.6 Attack Tool
          2.3.1.7 Experimental Results
          2.3.1.8 Previous Work
        2.3.2 Differential Scan Attacks on ECC
          2.3.2.1 Elliptic Curve Cryptosystems
          2.3.2.2 Attacker Scenario
          2.3.2.3 Target ECC Implementation
          2.3.2.4 Differential Scan Attack on ECC
          2.3.2.5 Proposed Distinguishing Scan Attack
          2.3.2.6 Leakage Analysis
          2.3.2.7 Inherent Countermeasure
          2.3.2.8 Timing Estimate
          2.3.2.9 Scan Attack Experimental Setup
          2.3.2.10 Experimental Results and Discussion
            2.3.2.10.1 Scan Attack Timing and Number of Points
            2.3.2.10.2 Scan Attack on ECC in Presence of Advanced DfT Methods
          2.3.2.11 Previous Work
      2.4 Conclusion
    3 Scan Attack Countermeasures
      Part I: Countermeasures from Other Side-Channel Attacks
      3.1 Introduction
      3.2 Side-Channel Attacks and Countermeasures
      3.3 Mathematical Modeling and Attack Scenarios
        3.3.1 Mathematical Analysis of DSA on PKC
        3.3.2 DfT Configuration and Leaking Slices
        3.3.3 Handling the Mask Decoder
      3.4 Scan Attacks with SPA Countermeasures in Place
      3.5 Scan Attacks with DPA Countermeasures in Place
      3.6 Scan Attacks with Fault Attack Countermeasures in Place
        3.6.1 Safe-Error Analysis
        3.6.2 Small Subgroup Attack and Curve Integrity Check
      3.7 Summary of Vulnerabilities and Countermeasures
      Part II: Countermeasures Specific for Scan Attacks
      3.8 Explicit Scan Attack Countermeasures
        3.8.1 Insertion of Inverters in the Scan Structure
        3.8.2 State-Dependent Scan Flip-Flops
        3.8.3 Scan Chain Scrambling
        3.8.4 Removing All Traces of Secret Information in Test Mode
        3.8.5 Modified Partial Scan
        3.8.6 Lock and Key Technique
        3.8.7 Design for Secure Test
        3.8.8 Masking Schemes
        3.8.9 On-Chip Comparison
        3.8.10 Self-Test of Cryptographic Hardware
      3.9 Differential Scan Attack on Scan Attack Countermeasures
        3.9.1 Combined Scan Attack on AES with Test Compression and Scan Attack Countermeasures in Place
        3.9.2 Scan Attack on RSA in the Presence of Proposed Countermeasures
        3.9.3 Scan Attack on ECC in the Presence of Proposed Countermeasures
      3.10 Noise Injector Countermeasure
        3.10.1 Design of the Noise Injector
        3.10.2 Security Analysis of the Noise Injector
        3.10.3 Impact on Test Coverage and Overheads
      3.11 Conclusion
    4 Secure Test Infrastructure
      4.1 Introduction
      4.2 Secure JTAG
        4.2.1 Introduction and Motivation
        4.2.2 Existing Secure JTAG Approaches
        4.2.3 Attacker Model
        4.2.4 Schnorr Protocol
        4.2.5 Proposed ECC-Based Schnorr Authentication Protocol
        4.2.6 Public Key Verification
        4.2.7 Hardware Integration of JTAG with Schnorr Controller
        4.2.8 Implementation of the ECC Processor
        4.2.9 Point Addition and Point Doubling in Affine Coordinates
        4.2.10 Formulae Used for ECC Point Addition and Doubling in Projective Coordinates
        4.2.11 Hardware Implementation of Space-Time Optimized ECC Modules
          4.2.11.1 Design I: ECC over Projective Coordinates
          4.2.11.2 Design II: ECC over Affine Coordinates
        4.2.12 Area and Timing Costs
          4.2.12.1 Area Overhead
          4.2.12.2 Timing Overhead
      4.3 Secure Test Wrapper
        4.3.1 Cryptographic SoC
        4.3.2 Secure Testing and SoC Integration Testing Environment
        4.3.3 Standard IEEE 1500 Test Wrapper
        4.3.4 Previous Work
        4.3.5 KATAN-Based Secure Test Wrapper (STW)
          4.3.5.1 Challenge-Response Protocol
          4.3.5.2 KATAN Lightweight Block Cipher
          4.3.5.3 True Random Number Generators (TRNGs) Using Ring Oscillators
          4.3.5.4 Security Analysis of the Test Protocol
          4.3.5.5 Key Distribution Problem and Possible Solutions
          4.3.5.6 Hardware Implementation
          4.3.5.7 Area Results
        4.3.6 PUF-Based Secure Test Wrapper
          4.3.6.1 Physically Unclonable Functions (PUFs)
          4.3.6.2 PUF-Based STW
          4.3.6.3 Trust Model and Assumptions
          4.3.6.4 Secure Test Wrapper Activation Mechanism
          4.3.6.5 Security of the Mechanism
          4.3.6.6 Hardware Implementation
          4.3.6.7 Area Results
      4.4 Secure Built-In Self-Test
        4.4.1 Overall Strategy
        4.4.2 Testing of Public-Key Modules
        4.4.3 Testing of Symmetric-Key Modules
        4.4.4 Testing of Other Non-Cryptographic Modules
        4.4.5 Test Fail-Safe Scenario
        4.4.6 Time Overhead of the Security Mechanism
        4.4.7 Area Overhead of the Security Mechanism
      4.5 Conclusion
    5 Conclusions and Future Work
    A OCSP-like Public-Key Authentication Protocol
    B ECC-Based Schnorr Protocol
    Bibliography
    Curriculum Vitae
    List of Publications

    Number of pages: 186
    Status: published