Power Consumption Analysis and Hardware Security, Arnaud Tisserand

SLIDE 1

Power Consumption Analysis and Hardware Security

Arnaud Tisserand

CNRS, Lab-STICC laboratory

Cergy, December 2017

SLIDE 2

Applications with Security Needs

Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids...

Arnaud Tisserand. CNRS – Lab-STICC. Power Consumption Analysis and Hardware Security 2/26

SLIDE 3

Cryptographic Features

Objectives:

  • Confidentiality
  • Integrity
  • Authenticity
  • Non-repudiation
  • . . .

Cryptographic primitives:

  • Encryption
  • Digital signature
  • Hash function
  • Random number generation
  • . . .

Implementation issues in hardware:

  • Performance: speed, delay, throughput, latency
  • Cost: device (memory, size, weight), low power/energy consumption, design

  • Security: protection against physical attacks

SLIDE 4

Square and Multiply Algorithm for RSA

input: a, b, n where b = (b_{t−1} b_{t−2} . . . b_1 b_0)_2
output: a^b mod n

r = 1
for i from 0 to t − 1 do
    if b_i = 1 then
        r = r · a mod n
    endif
    a = a^2 mod n
endfor
return r

This is the right-to-left version (there exists a left-to-right one)

SLIDE 9

Attacks

attack

  • observation: timing analysis, power analysis, EMR analysis
  • perturbation: fault injection
  • invasive: probing, reverse engineering
  • theoretical: advanced algorithms, optimized programming

EMR = Electromagnetic radiation

SLIDE 11

Side Channel Attacks (SCAs) (1/2)

Attack: attempt to find, without any knowledge about the secret:

  • the message (or parts of the message)
  • information on the message
  • the secret (or parts of the secret)

“Old style” side channel attacks:

[Figure: “clic” / “clac”, good value / bad value]

SLIDE 13

Side Channel Attacks (SCAs) (2/2)

[Figure: A encrypts M with key k, E_k(M); B decrypts, D_k(E_k(M)) = M. Attack: measure the device running E to find k, M?]

General principle: measure external parameter(s) on a running device in order to deduce internal information

SLIDE 14

What Should be Measured?

Answer: everything that can “enter” and/or “get out” in/from the device

  • power consumption
  • electromagnetic radiation
  • temperature
  • sound
  • computation time
  • number of cache misses
  • number and type of error messages
  • ...

The measured parameters may provide information on:

  • global behavior (temperature, power, sound...)
  • local behavior (EMR, # cache misses...)

SLIDE 15

Power Consumption Analysis

General principle:

  1. measure the current i(t) in the cryptosystem
  2. use those measurements to “deduce” secret information

[Figure: VDD, current i(t), crypto. block, resistor R; traces; secret key = 962571...]

SLIDE 17

Simple Power Analysis (SPA)

Source: [4]

SLIDE 21

Limits of the SPA

Example of behavior difference (activity in a register):

[Figure: register contents at t and t + 1: 0000000000000000 0000000000000000 1111111111111111 0000000000000001]

Important: a small difference may be evaluated as noise during the measurement; traces cannot be distinguished

Question: what can be done when differences are too small?

Answer: use statistics over several traces

SLIDE 29

Differential Power Analysis (DPA)

  • cryptosystem, internal state
  • select bit b to attack: hypotheses b = 1 and b = 0
  • implementation, power model: power(H_{b=1}), power(H_{b=0})
  • measures
  • comparison: correct hypothesis
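
The flow on this slide, run as a leakage evaluation on simulated traces (an added example, not taken from the original slides). Assumptions: a 16-bit register loaded with data XOR key, a Hamming-weight power model with Gaussian noise, and a constructed key, trace count and noise level; the masked variant models the masking countermeasure the deck lists later.

```python
import random

KEY = 0xA5C3   # constructed 16-bit secret, used only by the simulation
BITS = 16

def hamming_weight(x):
    return bin(x).count("1")

def acquire(key, n_traces, sigma, masked=False, seed=2017):
    """Simulate (data, power) pairs for a register loaded with data XOR key.

    Power model (assumption): Hamming weight of the register plus Gaussian
    noise. With masked=True a fresh random mask is XORed in, so the register
    content is statistically independent of data and key.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        data = rng.getrandbits(BITS)
        state = data ^ key
        if masked:
            state ^= rng.getrandbits(BITS)
        traces.append((data, hamming_weight(state) + rng.gauss(0.0, sigma)))
    return traces

def difference_of_means(traces, bit):
    """Partition the measures on one known data bit and compare the averages."""
    ones = [p for d, p in traces if (d >> bit) & 1]
    zeros = [p for d, p in traces if not (d >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)

def correct_hypotheses(traces):
    """For each bit b, keep the key-bit hypothesis whose prediction fits.

    H(key bit = 0) predicts more power when the data bit is 1 (difference > 0);
    H(key bit = 1) predicts the opposite sign.
    """
    guess = 0
    for bit in range(BITS):
        if difference_of_means(traces, bit) < 0:
            guess |= 1 << bit
    return guess

def max_abs_difference(traces):
    """Largest first-order leak over all bits; near 0 means nothing to compare."""
    return max(abs(difference_of_means(traces, b)) for b in range(BITS))

if __name__ == "__main__":
    plain = acquire(KEY, 6000, sigma=3.0)
    masked = acquire(KEY, 6000, sigma=3.0, masked=True)
    # A single trace is dominated by noise (sigma = 3 against a 1-unit effect);
    # the averages over thousands of traces are not.
    print(hex(correct_hypotheses(plain)), round(max_abs_difference(plain), 2))
    print(round(max_abs_difference(masked), 2))
```
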

SLIDE 35

Side Channel Attack on ECC

  • protocol level: encryption, signature, etc.
  • curve level: [k]P, ADD(P, Q), DBL(P)
  • field level: x ± y, x × y, . . .

Scalar multiplication operation:

for i from 0 to t − 1 do
    if k_i = 1 then Q = ADD(P, Q)
    P = DBL(P)

[Figure: power trace annotated DBL DBL DBL DBL DBL DBL ADD ADD, with key bits 0 0 0 1 1]

  • simple power analysis (& variants)
  • differential power analysis (& variants)
  • horizontal/vertical/templates/. . . attacks
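
Why the loop above is exposed to simple power analysis, next to a variant with a key-independent operation sequence (an added example, not from the original slides). It uses the square-and-multiply loop from the RSA slide, which has the same structure as ADD/DBL; the function names, the constructed inputs and the multiply-always variant are assumptions of this example.

```python
def modexp_leaky(a, b, n, t):
    """Right-to-left square and multiply as on the RSA slide.

    Returns (result, ops). ops is the sequence of operations executed, which
    is what a single power trace shows: 'M' multiply, 'S' square.
    """
    r, ops = 1, []
    for i in range(t):
        if (b >> i) & 1:
            r = (r * a) % n
            ops.append("M")
        a = (a * a) % n
        ops.append("S")
    return r, ops

def bits_from_ops(ops):
    """Exponent bits, least significant first, read from an M/S sequence."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i] == "M":      # an M is always followed by the S of its round
            bits.append(1)
            i += 2
        else:                  # a lone S means the multiply was skipped
            bits.append(0)
            i += 1
    return bits

def modexp_uniform(a, b, n, t):
    """Multiply-always variant: every round executes M then S.

    The product is computed in every round and kept only when the bit is 1, so
    the operation sequence no longer depends on the exponent. This models the
    sequence only: Python integers are not constant-time, and a dummy
    multiplication is itself a target for safe-error fault injection.
    """
    r, ops = 1, []
    for i in range(t):
        bit = (b >> i) & 1
        product = (r * a) % n
        ops.append("M")
        r = bit * product + (1 - bit) * r   # select without branching on the bit
        a = (a * a) % n
        ops.append("S")
    return r, ops

if __name__ == "__main__":
    # Constructed inputs; the exponent bits, LSB first, are 0 0 0 1 1.
    a, b, n, t = 7, 0b11000, 1009, 5
    r, ops = modexp_leaky(a, b, n, t)
    print(r, "".join(ops), bits_from_ops(ops))
    r2, ops2 = modexp_uniform(a, b, n, t)
    print(r2, "".join(ops2))
```
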

SLIDE 37

Countermeasures

Principles for preventing attacks:

  • embed additional protection blocks
  • modify the original circuit into a secured version
  • application levels: circuit, architecture, algorithm, protocol. . .

Countermeasures:

  • electrical shielding
  • detectors, estimators, decoupling
  • use uniform computation durations and power consumption
  • use detection/correction codes (for fault injection attacks)
  • provide a random behavior (algorithms, representation, operations. . . )
  • add noise (e.g. masking, useless instructions/computations)
  • circuit reconfiguration (algorithms, block location, representation of values. . . )

SLIDE 42

Low-Level Coding and Circuit Activity

Assumptions:

  • b is a bit (i.e. b ∈ {0, 1}, logical or mathematical value)
  • electrical states for a wire: VDD (logical 1) or GND (logical 0)

Low-level codings of a bit:

              b = 0                              b = 1
  standard    GND                                VDD
  dual rail   r0 = VDD, r1 = GND: (1, 0)_DR      r0 = GND, r1 = VDD: (0, 1)_DR

[Figure: timing diagram over cycles of b, r0, r1]

SLIDE 45

Circuit Logic Styles

Countermeasure principles: uniformize circuit activity and exclusive coding

Solution based on precharge logic and dual-rail coding:

[Figure: timing diagram over cycles of pc, r0, r1: evaluation b = 0, precharge (invalid), evaluation b = 0, precharge (invalid), evaluation b = 1, precharge (invalid)]

Solution based on validity line and dual-rail coding:

[Figure: r1, r0, valid]

Important overhead: silicon area and local storage (registers)

SLIDE 46

Circuit-Level Protections for Arithmetic Operators

References: [2] and [3]

SLIDE 48

Protected Multipliers

[Figure: Unprotected: #transitions vs. cycles, Mastrovito 233]

[Figure: Protected]

Overhead: Area/time < 10 %

References: PhD D. Pamula [5]; Articles: [8], [7], [6]

SLIDE 49

Protected ECC Accelerator

[Figures: DBL operation, Mastrovito, Unprotected: activity trace (#transit. vs. cycles) and current measures (current [mA]); DBL operation, Mastrovito, Protected: activity trace and current measures; ADD operation, Mastrovito, Protected: activity trace]

SLIDE 54

Double-Base Number System

Standard radix-2 representation:

$k = \sum_{i=0}^{t-1} k_i 2^i = (k_{t-1}\ k_{t-2}\ \ldots\ k_2\ k_1\ k_0)$

t explicit digits, with implicit weights $2^{t-1}, 2^{t-2}, \ldots, 2^2, 2^1, 2^0$

Digits: $k_i \in \{0, 1\}$, typical size: $t \in \{160, \ldots, 600\}$

Double-Base Number System (DBNS):

$k = \sum_{j=0}^{n-1} k_j 2^{a_j} 3^{b_j} = (k_{n-1}, a_{n-1}, b_{n-1}), \ldots, (k_1, a_1, b_1), (k_0, a_0, b_0)$

n (2, 3)-terms: explicit “digits” $k_j$ and explicit ranks $a_j, b_j \in \mathbb{N}$; $k_j \in \{1\}$ or $k_j \in \{-1, 1\}$; size $n \approx \log t$

DBNS is a very redundant and sparse representation:

$1701 = (11010100101)_2$

$1701 = 243 + 1458 = 2^0 3^5 + 2^1 3^6 = (1, 0, 5), (1, 1, 6)$
$1701 = 1728 - 27 = 2^6 3^3 - 2^0 3^3 = (1, 6, 3), (-1, 0, 3)$
$1701 = 729 + 972 = 2^0 3^6 + 2^2 3^5 = (1, 0, 6), (1, 2, 5)$
. . .

SLIDE 57

Randomized DBNS Recoding of the Scalar k

  • protocol level: encryption, signature, etc.
  • curve level: [k]P, ADD(P, Q), DBL(P), TPL(P)
  • field level: x ± y, x × y, . . .

On-the-fly DBNS random recoding for the scalar k:

  • randomly recode windows of the scalar k on-the-fly: $1 + 2 ⇆ 3$, $1 + 3 ⇆ 2^2$, $1 + 2^3 ⇆ 3^2$, . . .
  • control number of reductions (←) and expansions (→)

Point tripling operation: Q = TPL(P) = P + P + P

[Figure: k, k_i block over time; recoding rules, possible rules; random choice; recoded k_i (, k_{i+1})]

DBNS is redundant ⇒ security ↗
DBNS is sparse ⇒ 20–30 % speed ↗

Ref: [1] Chabrier, Pamula & Tisserand. Asilomar 2009
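
A software sketch of randomized recoding with the three rules above, showing that the same scalar gets a different (2, 3)-term list on each run (an added example, not the hardware recoder of [1]). Assumptions of this example: unsigned digits only (k_j = 1), whole-scalar rewriting rather than windows, and the names `random_recode`, `moves` and `p_merge`.

```python
import random

# The slide's rules, scaled by 2^a * 3^b, on terms written as (a, b):
#   1 + 2   = 3    ->  (a, b) + (a+1, b) = (a, b+1)
#   1 + 3   = 2^2  ->  (a, b) + (a, b+1) = (a+2, b)
#   1 + 2^3 = 3^2  ->  (a, b) + (a+3, b) = (a, b+2)
# Each rule is stored as (offset of the second term, offset of the merged term).
RULES = [((1, 0), (0, 1)), ((0, 1), (2, 0)), ((3, 0), (0, 2))]

def value(terms):
    """Integer represented by a list of (a, b) terms, all with digit 1."""
    return sum(2 ** a * 3 ** b for a, b in terms)

def binary_terms(k):
    """Radix-2 representation as DBNS terms: one (i, 0) per set bit."""
    return {(i, 0) for i in range(k.bit_length()) if (k >> i) & 1}

def moves(terms):
    """Every rewrite that keeps all digits equal to 1 (no repeated term)."""
    out = []
    for a, b in sorted(terms):
        for (da, db), (ma, mb) in RULES:
            # merge: two terms present, their sum not yet present
            other, merged = (a + da, b + db), (a + ma, b + mb)
            if other in terms and merged not in terms:
                out.append(("merge", {(a, b), other}, {merged}))
            # split: (a, b) is the merged side, both parts absent
            base = (a - ma, b - mb)
            if min(base) < 0:
                continue
            part = (base[0] + da, base[1] + db)
            if base not in terms and part not in terms:
                out.append(("split", {(a, b)}, {base, part}))
    return out

def random_recode(k, steps, rng, p_merge=0.7):
    """Apply `steps` random value-preserving rewrites; p_merge biases the
    choice towards merging two terms rather than splitting one."""
    terms = binary_terms(k)
    for _ in range(steps):
        candidates = moves(terms)
        merges = [m for m in candidates if m[0] == "merge"]
        splits = [m for m in candidates if m[0] == "split"]
        if merges and (not splits or rng.random() < p_merge):
            pool = merges
        else:
            pool = splits
        if not pool:
            break
        _, removed, added = rng.choice(pool)
        terms = (terms - removed) | added
    return sorted(terms)

if __name__ == "__main__":
    for seed in range(4):
        rep = random_recode(1701, 8, random.Random(seed))
        print(seed, rep, value(rep))
```
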

SLIDE 58

ANR PAVOIS Integrated Circuit

ECC 256 bits, 65 nm CMOS, 1.5 mm²

SLIDE 60

Conclusion

  • Side channel and fault attacks are serious threats
  • Attacks are more and more efficient (many variants)
  • Security analysis is mandatory at all levels (specification, algorithm, operation, implementation)
  • Security = trade-off between performance, robustness and cost
  • Security = func( secret value, attacker capabilities )
  • Security = computer science + microelectronics + mathematics

Examples of current work:

  • Methods/tools for automating security analysis
  • Circuit reconfiguration (representations, algorithms)
  • Circuits with reduced activity variations
  • Representation of numbers with error detection/correction “codes”
  • Design space exploration
  • CAD tools with security improvement capabilities

SLIDE 61

References I

[1] T. Chabrier, D. Pamula, and A. Tisserand. Hardware implementation of DBNS recoding for ECC processor. In Proc. 44th Asilomar Conference on Signals, Systems and Computers, pages 1129–1133, Pacific Grove, California, U.S.A., November 2010. IEEE.

[2] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Robust sub-powered asynchronous logic. In J. Becker and M. R. Adrover, editors, Proc. 24th International Workshop on Power and Timing Modeling, Optimization and Simulation (PATMOS), pages 1–7, Palma de Mallorca, Spain, September 2014. IEEE.

[3] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Asynchronous charge sharing power consistent Montgomery multiplier. In J. Sparso and E. Yahya, editors, Proc. 21st IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC), pages 132–138, Mountain View, California, USA, May 2015.

[4] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proc. Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388–397. Springer, August 1999.

[5] D. Pamula. Arithmetic Operators on GF(2^m) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs. PhD thesis, University of Rennes 1 and Silesian University of Technology, December 2012.

SLIDE 62

References II

[6] D. Pamula, E. Hrynkiewicz, and A. Tisserand. Analysis of GF(2^233) multipliers regarding elliptic curve cryptosystem applications. In 11th IFAC/IEEE International Conference on Programmable Devices and Embedded Systems (PDeS), pages 271–276, Brno, Czech Republic, May 2012.

[7] D. Pamula and A. Tisserand. GF(2^m) finite-field multipliers with reduced activity variations. In 4th International Workshop on the Arithmetic of Finite Fields, volume 7369 of LNCS, pages 152–167, Bochum, Germany, July 2012. Springer.

[8] D. Pamula and A. Tisserand. Fast and secure finite field multipliers. In Proc. 18th Euromicro Conference on Digital System Design (DSD), pages 653–660, Madeira, Portugal, August 2015.

[9] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.

SLIDE 63

The end, questions?

Contact:

  • mailto:arnaud.tisserand@univ-ubs.fr
  • http://www-labsticc.univ-ubs.fr/~tisseran
  • CNRS, Lab-STICC Laboratory, University South Brittany (UBS), Centre de recherche C. Huygens, rue St Maudé, BP 92116, 56321 Lorient cedex, France

Thank you
