A Design Flow and Evaluation Framework for DPA-resistant Instruction - - PowerPoint PPT Presentation



slide-1
SLIDE 1

A Design Flow and Evaluation Framework for DPA-resistant Instruction Set Extensions

Francesco Regazzoni1,4, Alessandro Cevrero2,3, François-Xavier Standaert1, Stephane Badel3, Theo Kluter2, Philip Brisk2, Yusuf Leblebici3, and Paolo Ienne2

1 UCL Crypto Group, Université catholique de Louvain, Louvain-la-Neuve, Belgium.
2 School of Computer and Communication Sciences - EPFL, Lausanne, Switzerland.
3 School of Engineering - EPFL, Lausanne, Switzerland.
4 ALaRI - University of Lugano, Lugano, Switzerland.

Speaker: Francesco Regazzoni. Design Flow and Evaluation Framework for DPA-resistant ISE. P. 1
slide-2
SLIDE 2 A Motivating Example

[Figure: processor datapath diagram. Block labels: ALU, A, B, Memory, Register File, IMM., ISE.]

slide-8
SLIDE 8 A Motivating Example

Something easier?
slide-9
SLIDE 9 A Motivating Example

[Figure: processor datapath diagram. Block labels: ALU, A, B, Memory, Register File, IMM., ISE.]

slide-12
SLIDE 12 Contributions and Goals

Bring a security metric to the forefront of design variables to be optimized
Create an automated design flow for combining protected and non protected logic styles
Explore type and amount of protected circuit vs level of security trade offs

slide-21
SLIDE 21 Needed Bricks

Tool for extracting ISE...
Protected logic and its design flow...
Simulation environment...
Metric...

Main question

Can I really plug all the bricks together and obtain something meaningful?
slide-22
SLIDE 22 Outline

1 What we put together
2 Validation of our design flow
3 Results and comments
slide-23
SLIDE 23 The CMOS Design Flow

[Figure: design flow diagram. Block labels: crypto.c software, processor HDL code, ISE HDL code, CMOS Library, Protected Library, ISE Extractor, crypto_ISE.c, CMOS Synth and P&R, Protected Synth and P&R, SPICE level simulation, Security Evaluation.]

slide-24
SLIDE 24 The Processor Customization

[Figure: the same design flow diagram as on slide 23.]

slide-25
SLIDE 25 The Protected Design Flow

[Figure: the same design flow diagram as on slide 23.]

slide-26
SLIDE 26 The Hybrid Design Flow

[Figure: the same design flow diagram as on slide 23.]

slide-27
SLIDE 27 The Simulation Environment

[Figure: the same design flow diagram as on slide 23.]

slide-28
SLIDE 28 The Design Evaluation

[Figure: the same design flow diagram as on slide 23.]
slide-30
SLIDE 30 Features of OpenRISC

OpenRISC 1000 ISA
32 bit
5 stages pipeline
ISE support
100 MHz
Compiler: cross-compiler gcc 3.4.4
slide-31
SLIDE 31 Features of CMOS and MCML

CMOS target library: commercial 0.18µm
Protected logic: MOS Current Mode Logic (MCML)

◮ Standard cell Library (roughly 150 gates)
◮ High speed, fully differential, almost constant power consumption
◮ Differential routing (wire pairs along the same path)
◮ Fully automated design flow
slide-32
SLIDE 32 Features of Information Theory Metric

Measures asymptotic resistance against the strongest attacker
Independent from the DPA scenario
Overcomes limitations of specific leakage models
Main Steps:

◮ Inputs: power consumption trace, secret key
◮ Add white noise
◮ Reduce the dimension using PCA
◮ Compute the mutual information
slide-33
SLIDE 33 Features of PRESENT

Lightweight block cipher
4 bit S-box
addRoundKey, sBoxLayer

// PRESENT 4-bit S-box table (the slide uses S without showing it)
static const int S[16] = {0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                          0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2};

// Calculate S-box (plaintext XOR key)
int PRESENT(int plaintext, int key) {
    int result = 0;               // initialize the result
    plaintext = plaintext ^ key;  // perform the xor with the key
    result = S[plaintext];        // perform the S-box
    return result;                // return the result
}
slide-34
SLIDE 34 Partitioning of the PRESENT algorithm S-box

[Figure: five partitionings of the same computation (Plain Text, key, sbox, result), labelled full ISE, XOR + S-box ISE, S-box ISE, XOR ISE and Full CMOS. Legend: protected logic, non protected logic.]
slide-35
SLIDE 35 Example of ISE and its Source Code

// Calculate S-box (plaintext XOR key)
// S is the PRESENT 4-bit S-box table
int PRESENT(int plaintext, int key) {
    int result = 0;               // initialize the result
    plaintext = plaintext ^ key;  // perform the xor with the key
    result = S[plaintext];        // perform the S-box
    return result;                // return the result
}

[Figure: XOR+S-box ISE block diagram. Labels: CMOS-MCML converter, key-reg, SBOX (std-cell), MCML-CMOS converter; bus widths of 4.]

// Calculate S-box (plaintext XOR key)
int PRESENT_XOR_Sbox_ISE(int plaintext) {
    int result = 0;               // initialize the result
    // instantiate the new instruction s-box(pt ^ key);
    // Instr_1 is the custom instruction and is not defined on the slide
    Instr_1(plaintext, result);
    return result;                // return the result
}
slide-40
SLIDE 40 It is possible!

PC Features:

CPU: Intel(R) Core(TM)2 Quad CPU Q6700 GHz 2.6
Memory: 4 GB

Example program: 470 clock cycles (boot+cipher)

SPICE Level Simulation (Synopsys Nanosim resolution: 1ps):
Total simulated time 4700ns
Total simulation time more or less 20 minutes
2.8s per clock cycle (full processor simulation core+ISE)
Security Evaluation 4 hours per partitioning

Full case study

Worst case: 15 days on a single PC
Parallelizable!
Actual experiment: 2 days on 8 PCs
slide-42
SLIDE 42 Security Evaluation

[Figure: plot with axes "noise standard deviation" and "mutual information [bit]", one curve each for full CMOS, XOR ISE, S-box ISE, XOR + S-box ISE and full ISE, with a line marked "Threshold".]
slide-44
SLIDE 44 Comments on Area Occupation and Power Consumption

Area difference between largest and smallest ISE: 0.2%
Most protected core:

◮ power consumption increased by 47.9%
◮ area increased by 6.7%

Size of the PRESENT S-box
MCML library optimized for high-speed, not low-power
slide-45
SLIDE 45 Conclusions

It is possible to put everything together
Our results confirm the previous ones
ISEs in protected logic styles could be a reasonable countermeasure
Our design flow enables a deeper design space exploration
slide-48
SLIDE 48 Future Works and Open problems

One step in a direction, but...
Nice design flow... use it!
Great! Obtained promising chips... make them!
slide-49
SLIDE 49 Questions?

Acknowledgments
