Concealing Secrets in Embedded Processor Designs


Hannes Gross, Manuel Jelinek, Stefan Mangard, Thomas Unterluggauer, and Mario Werner Institute for Applied Information Processing and Communications Graz University of Technology


This work in one slide…

  • V-scale processor (RISC-V)

+

  • Domain-Oriented Masking

=

  • SCA protected V-scale
  • arbitrary protection level
  • flexible and updateable
  • transparent to software designers
  • open source: https://github.com/hgrosz/vscale_dom


This work in numbers…

               LUTs (1)   registers (1)   random bits   pipeline stages
Unprotected    2.6 k      1.0 k           -             3
1st-order      4.1 k      1.8 k           64            4
2nd-order      5.6 k      2.5 k           192           4

Unprotected to 1st-order: + 57% LUTs, + 80% registers
1st-order to 2nd-order: + 37% LUTs, + 39% registers

1) for Xilinx Kintex-7 FPGA


Motivation

Masking is…

  • very effective SCA countermeasure
  • cumbersome
  • error prone
  • requires expertise
  • lots of evaluation work
  • for specific implementations
  • decomposition of complex functions
  • slows down the implementation


Boolean Masking from Different Perspectives

[Figure: Boolean masking; labels: Masking, Sharing]


Domain-Oriented Masking

[Figure: CIRCUIT (insecure)]


Domain-Oriented Masking

  • ← 2
  • ← 2


Domain-Oriented Masking

[Figure: CIRCUIT (insecure), Domain A, Domain B]

1 domains


Linear Operations

[Figure: Domain A, Domain B]


Nonlinear Operations

[Figure: Domain A, Domain B, Z]

Protecting Arbitrary Circuits

[Figure: CIRCUIT (insecure), transform]


  • Order Secure AND Gate
  • DOM-indep Multiplier
      • 1. Calculation
      • 2. Resharing
      • 3. Integration

RISC-V ISA

  • free and open RISC ISA
  • register sizes 32, 64 or 128 bit
  • only base integer instructions (I, E) mandatory
  • lots of extensions
      • multiplication/division (M)
      • atomic operations (A)
      • single- (F) and double-precision (D) floating point ops
      • compressed instructions (C)
      • extensions (X)
  • no flags

V-scale Processor

  • RV32IM instruction set
  • 32 x 32-bit registers
  • single-issue in-order 3-stage pipeline
  • combined decode & execute stage
  • write back stage with bypass functionality
  • AHB-Lite interface, either Harvard or von Neumann
  • open source: https://github.com/ucb-bar/vscale/


DOM Protected V-scale Processor

  • High-level overview of changes
  • Protected (shared) parts
      • “I” instructions
      • data memory interface
      • register file
  • Unprotected parts
      • “M” instructions
      • instruction memory
      • instruction decoder
      • program counter

Protected ALU

  • Linear functions
      • Shifts
      • XOR
  • Nonlinear functions
      • AND (OR)
      • Adder
      • Two fresh random Z’s

Protected Adder

  • Kogge-Stone Adder
  • Calculation split into “generate” and “propagate”
  • Logarithmic runtime (init. + 5 steps + postproc.)
  • Two Z shares
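
The DOM-indep multiplier steps (calculation, resharing, integration) and the protected Kogge-Stone adder, as an added functional model in Python; it is not code from the vscale_dom repository. Function names and the Z indexing are this example's own assumptions, and the model checks the arithmetic on shares only, not glitch or leakage behaviour.

```python
import secrets
from functools import reduce
from operator import xor

WIDTH = 32                        # V-scale register width
MASK = (1 << WIDTH) - 1

def share(value, d):
    """Split a word into d+1 Boolean shares, one per domain."""
    s = [secrets.randbits(WIDTH) for _ in range(d)]
    return s + [reduce(xor, s, value & MASK)]

def unshare(shares):
    return reduce(xor, shares, 0)

def dom_and(x, y):
    """Word-wide DOM-indep multiplier: shares of x & y from shares of x and y."""
    n = len(x)
    # One fresh Z word per unordered pair of domains: d(d+1)/2 words in total.
    z = [secrets.randbits(WIDTH) for _ in range(n * (n - 1) // 2)]
    out = []
    for i in range(n):
        acc = x[i] & y[i]                            # 1. calculation, inner-domain term
        for j in range(n):
            if j != i:
                lo, hi = min(i, j), max(i, j)
                cross = x[i] & y[j]                  # 1. calculation, cross-domain term
                cross ^= z[lo + hi * (hi - 1) // 2]  # 2. resharing (a register stage in hardware)
                acc ^= cross                         # 3. integration into domain i
        out.append(acc)
    return out

def sh_xor(a, b):                 # linear: each domain processed on its own
    return [ai ^ bi for ai, bi in zip(a, b)]

def sh_shl(a, s):                 # linear: each domain processed on its own
    return [(ai << s) & MASK for ai in a]

def masked_add(x, y):
    """Kogge-Stone addition on shares: init, 5 steps, post-processing."""
    p0 = sh_xor(x, y)                                # init: propagate
    g, p = dom_and(x, y), p0                         # init: generate
    for s in (1, 2, 4, 8, 16):                       # 5 steps for 32 bits
        g = sh_xor(g, dom_and(p, sh_shl(g, s)))      # XOR stands in for OR: terms are exclusive
        p = dom_and(p, sh_shl(p, s))
    return sh_xor(p0, sh_shl(g, 1))                  # post-processing: sum bits
```

Each of the five steps calls `dom_and` twice, so each step consumes two sets of fresh Z words.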

Results


Required Randomness

[Plot: random bits versus protection order]


Influence on the Maximum Clock

[Plot: fclk [MHz] versus protection order]


T-test – 1. Collect Traces for Constant Input

[Figure: DOM V-Scale with input 0x0001020304… and R; traces A]


T-test – 2. Collect Traces for Constant Input

[Figure: DOM V-Scale with input 0x??????????… and R; traces B]


T-test – 3. Calculate “t” Value

Null hypothesis: both trace sets have equal mean

Pass criterion: |t| < 4.5 for > 99.999% confidence, otherwise fail
  • ||
  • ||
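
The three t-test steps above as an added example (not from the presentation): a pointwise t statistic over trace sets A and B, checked against the |t| < 4.5 criterion. Welch's form of the statistic is an assumption (the slides only say “t” value), the traces are constructed Gaussian noise, and `simulate`, `t_trace` and `passes` are names chosen for this sketch.

```python
import math
import random
from statistics import fmean, variance

THRESHOLD = 4.5   # pass criterion from the slide: |t| < 4.5

def welch_t(a, b):
    """Welch's t statistic for two samples (unequal variances allowed)."""
    return (fmean(a) - fmean(b)) / math.sqrt(
        variance(a) / len(a) + variance(b) / len(b))

def t_trace(set_a, set_b):
    """One t value per sample point; each set is a list of equal-length traces."""
    columns_a = zip(*set_a)       # transpose: all traces' values at one point
    columns_b = zip(*set_b)
    return [welch_t(ca, cb) for ca, cb in zip(columns_a, columns_b)]

def passes(set_a, set_b):
    """True if no sample point rejects the equal-mean null hypothesis."""
    return all(abs(t) < THRESHOLD for t in t_trace(set_a, set_b))

def simulate(n_traces, n_points, leak_at=None, leak=0.0, seed=0):
    """Constructed traces: unit Gaussian noise, optional mean shift at one point."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) + (leak if p == leak_at else 0.0)
             for p in range(n_points)]
            for _ in range(n_traces)]

if __name__ == "__main__":
    set_a = simulate(2000, 20, seed=1)
    set_b = simulate(2000, 20, leak_at=7, leak=0.5, seed=3)  # constructed leak
    t = t_trace(set_a, set_b)
    worst = max(range(len(t)), key=lambda i: abs(t[i]))
    print("pass" if passes(set_a, set_b) else "fail",
          f"(max |t| = {abs(t[worst]):.1f} at sample {worst})")
```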

T-test – Result


Conclusions

  • SCA resistant RISC-V processor
  • DOM for arbitrary protection level

Advantages

  • more flexible
  • transparent for SW designers
  • inherently a lot of noise
  • faster development of secure systems
  • faster than SW based masking

Drawbacks

  • requires a lot of randomness
  • slower than dedicated HW solutions
  • does not seal all leakage sources

The HECTOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052. This work was partially supported by the TU Graz LEAD project "Dependable Internet of Things in Adverse Environments". This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402).