8 research outputs found
Protecting integrated circuits against side-channel and fault attacks with dynamic encoding
With the Internet of Things, an increasing amount of sensitive data have to be communicated and hence encrypted. Low-cost hardware attacks such as fault analysis or side-channel analysis threaten the implementation of cryptographic algorithms. Many countermeasures have been proposed against either of these attacks, however, only a few countermeasures protect efficiently an implementation against both attacks. These joint countermeasures usually have a prohibitive area and power overhead, and require up to thousands of bits of fresh randomness at each encryption. Therefore, they may not be suited to protect lightweight algorithms in resource-constrained devices. In this paper, we propose a new joint countermeasure against both attacks, called dynamic encoding. It has a smaller power and area overhead than existing joint countermeasures and requires at most 8 random bits at each encryption. It is particularly adapted to protect sequential logic and lightweight algorithms based on shift registers, and it can be extended to protect combinational logic as well. It consists in a power balancing at algorithmic level and provides an inherent fault detection. Simulations with several levels of noise indicate that dynamic encoding provides an efficient protection against side-channel analysis with up to 100,000 traces.
SWARD: A Secure WAke-up RaDio against Denial-of-Service on IoT devices
ISBN: 978-1-4503-5731-9. Wake-up radios are mechanisms that control the sleep and active modes of energy-constrained Internet of Things (IoT) nodes. These radios detect predetermined wake-up tokens and switch the devices to an active state. Such systems are vulnerable to a kind of Denial-of-Service attack called Denial-of-Sleep, where attackers continuously send wake-up tokens to deplete the battery of the nodes. We propose a protocol to mitigate these attacks that includes a novel solution to generate hard-to-guess wake-up tokens at every wake-up. Simulations show that under standard operating conditions, it has a negligible energy overhead (0.03%), while it increases the lifetime of an IoT node by more than 40 times under Denial-of-Sleep attack. Finally, we compare our protocol to related work against Denial-of-Sleep attacks, and explain why it is both more resilient and more energy-efficient than existing approaches.
Dynamic encoding, a lightweight combined countermeasure against hardware attacks
With the Internet of Things (IoT) an increasing amount of sensitive data have to be communicated and hence encrypted. Low-cost hardware attacks such as fault analysis (FA) or side-channel analysis (SCA) threaten the implementation of cryptographic algorithms. Many countermeasures have been proposed against either of these attacks, however, only a few countermeasures protect efficiently an implementation against both attacks. These combined countermeasures usually have a prohibitive area and power overhead, and require up to thousands of bits of fresh randomness at each encryption. Therefore, they may not be suited to protect lightweight algorithms in resource-constrained devices. In this paper, we propose a new combined countermeasure, which is particularly adapted to protect lightweight algorithms based on shift registers. It achieves an efficient power balancing at algorithmic level, and provides an inherent fault detection with a better coverage than most existing combined countermeasures. Furthermore, it has a smaller power and area overhead than existing combined countermeasures, and requires at most 8 random bits at each encryption.
AES datapath optimization strategies for low-power low-energy multisecurity-level internet-of-things applications
Connected devices are getting attention because of the lack of security mechanisms in current Internet-of-Things (IoT) products. The security can be enhanced by using standardized and proven-secure block ciphers such as the advanced encryption standard (AES) for data encryption and authentication. However, these security functions take a large amount of processing power and power/energy consumption. In this paper, we present our hardware optimization strategies for AES for high-speed ultralow-power ultralow-energy IoT applications with multiple levels of security. Our design supports multiple security levels through different key sizes, power and energy optimization for both datapath and key expansion. The estimated power results show that our implementation may achieve an energy per bit comparable with the lightweight standardized algorithm PRESENT of less than 1 pJ/b at 10 MHz at 0.6 V with throughput of 28 Mb/s in ST FDSOI 28-nm technology. In terms of security evaluation, our proposed datapath, 32-b key out of 128 b cannot be revealed by correlation power analysis attack using less than 20 000 traces.
Exposing Data Value On a Risc-V Based SoC
With the threat of side-channel attacks on embedded systems, hardware designers are increasingly relying on side-channel leakage assessment to strengthen their chips. Traditionally performed with the aim of protecting encryption algorithms, these leakage analyses are progressively carried out on the micro-architecture elements of various circuits. In most works, the authors supposed and exploited Hamming Distance and Hamming Weight leakage models for CPU instructions disassembly or attacking cryptographic algorithms. In this paper we first confirm and harness these leakage models on interconnect bus and registers of a RISC-V based ASIC SoC (28 nm bulk) through a template attack, thus, giving the expected success rate and the average number of traces needed and we introduce a data value recovery attack on the interconnect bus. Actually, we consider our recorded leakage to be the direct leakage of the value of the data as opposed to its Hamming weight or distance. We present a stochastic model approach to compute the leakage coefficients of each bit in the data and a template attack to recover a given byte of the data. We also describe and discuss a scenario that helps infer the full data value using the template attack in a divide and conquer approach.
A near-instantaneous and non-invasive erasure design technique to protect sensitive data stored in secure SRAMs
On-chip memories, and in particular SRAMs, are among the most critical components in terms of data security because they might contain sensitive data such as secret keys. Whenever a tampering event is detected, one should be able to erase efficiently and rapidly the full content of a memory holding such sensitive data, but current solutions based on simple power-off lead to very long erasure times. In this paper, we present a non-invasive design technique based on an innovative mechanism to remove electric charges from SRAM bitcells still powered on, before refreshing them with a new content not correlated with the previous one. The particularity of this novel hardware countermeasure is to be natively compatible with any SRAM circuit designed from pushed-rule foundry bitcells. We have designed and characterized an 8kB SRAM in 22nm FD-SOI process technology exploiting the proposed security strategy demonstrating an erase operation accomplished in the nanosecond time scale (versus 295s with the conventional power-off solution) at the cost of an additional area of less than 5%. We have also shown that our solution is more efficient than a solution without prior erasure consisting in writing identical data to all memory addresses in a single clock cycle (1 ns). The use of the latter drops the ratio of zeroized addresses at 92%, while increasing the operating energy consumption by 2.1x under nominal operating conditions.
SamurAI: A Versatile IoT Node With Event-Driven Wake-Up and Embedded ML Acceleration
Increased capabilities such as recognition and self-adaptability are now required from IoT applications. While IoT node power consumption is a major concern for these applications, cloud-based processing is becoming unsustainable due to continuous sensor or image data transmission over the wireless network. Thus optimized ML capabilities and data transfers should be integrated in the IoT node. Moreover, IoT applications are torn between sporadic data-logging and energy-hungry data processing (e.g. image classification). Thus, the versatility of the node is key in addressing this wide diversity of energy and processing needs. This paper presents SamurAI, a versatile IoT node bridging this gap in processing and in energy by leveraging two on-chip sub-systems: a low power, clock-less, event-driven Always-Responsive (AR) part and an energy-efficient On-Demand (OD) part. AR contains a 1.7MOPS event-driven, asynchronous Wake-up Controller (WuC) with a 207ns wake-up time optimized for sporadic computing, while OD combines a deep-sleep RISC-V CPU and 1.3TOPS/W Machine Learning (ML) for more complex tasks up to 36GOPS. This architecture partitioning achieves best in class versatility metrics such as peak performance to idle power ratio. On an applicative classification scenario, it demonstrates system power gains, up to 3.5x compared to cloud-based processing, and thus extended battery lifetime.
SamurAI: a 1.7MOPS-36GOPS Adaptive Versatile IoT Node with 15,000x Peak-to-Idle Power Reduction, 207ns Wake-up Time and 1.3TOPS/W ML Efficiency
IoT node application requirements are torn between sporadic data-logging and energy-hungry data processing (e.g. image classification). This paper presents a versatile IoT node covering this gap in processing and energy by leveraging two on-chip sub-systems: a low power, clock-less, event-driven Always-Responsive (AR) part and an energy-efficient On-Demand (OD) part. The AR contains a 1.7MOPS event-driven, asynchronous Wake-up Controller (WuC) with 207ns wake-up time optimized for short sporadic computing. OD combines a deep-sleep RISC-V CPU and 1.3TOPS/W Machine Learning (ML) and crypto accelerators for more complex tasks. The node can perform up to 36GOPS while achieving 15,000x reduction from peak-to-idle power consumption. The interest of this versatile architecture is demonstrated with 105μW daily average power on an applicative classification scenari