Security oriented codes: What we know and what we dont Osnat Keren - - PowerPoint PPT Presentation

ENICS -Emerging Nanoscaled Integrated Circuits and Systems Labs

Security oriented codes:

What we know and what we don’t

Osnat Keren Bar-Ilan University

On security oriented codes

Outline

Fault injection attacks & HW countermeasures Security oriented error detecting codes Codes in practice

* Open problems/design challenges are written in red

Bottom line: codes are worth using/paying for

Fault injection attacks

The attacker injects faults

Variations in supply voltage, variations in the external clock, temperature, white light, laser, .. The faults induce errors that modify the behavior of the device The attacker’s goal: Use the information

• btained from the incorrectly-functioning

hardware to retrieve classified information,

• r, substitute correct information by a wrong
• ne

Hardware Countermeasures

Algorithm/SW level Hardware level

Architecture level - hiding and masking (e.g., dummy cycles) Chip level - shielding, sensors and filters (e.g., temperature sensors) Logic block level - hardware redundancy

• Parallel computation
• Security oriented codes

Codes as a countermeasure

Example: A state machine with six states States @ after-office hours A-1000 B-1001 C-1010 States @ working hours D-1100 E-1101 F-1110 1) What is the worst way for an attacker to manipulate the FSM? 2) What is the best way for an attacker to manipulate the FSM? 3) Is there a better code?

Reliability versus security

Our goal: provide reliable and secure communication over a noisy channel with minimal cost Encoder – maps an information word into a codeword Channel – distorts the codeword Decoder – recover the information from the distorted word

Reliability versus security

• A code is a subset of legal words (codewords)
• In reliability-oriented codes the error correcting capability depends on the

minimum distance between the codewords (d) The error is detected & corrected The error is masked The error is detected Challenge: capacity achieving codes (solved)

Reliability versus security

Reliability Security Type of channel communication/ memory computation/memory Source of error mother nature (p<0.5) fault injection Error model additive errors (bit-flips) additive errors Error multiplicity small arbitrary Errors correlated with data no sometimes

• the channel

Question: is it the worst case scenario? Challenge: find a realistic error model

c e  

Reliability versus security

Reliability Security Data compression allowed not allowed Entropy high (k) all range (e.g, in FSM) Why to use codes? correct errors detect errors (correct?) Separability not mandatory mandatory

• the information

Challenge: codes with robust correction capability

Reliability versus security

Reliability Security Linear codes (parity,BCH,etc.) preferable “disaster” Random encoding? no-need better without What is random? error codeword What is fixed? codeword error Analyze average case worst case Performance criterion decoding error error masking probability Bounds

• the codes

1 d r  

r

Q q 

Challenge: random encoding MUST have a local, small, secured, TRNG Challenge: for a given r design codes with minimal Q

The attack model

An adversary can induce any error he chooses at any part of the circuit An adversary can jam the content of memory or replace it The attacker knows the codewords and their probability distribution Challenge: find a realistic model for the error Challenge: what to do after an attack is detected

For the ease of drawing…..

Detailed sketch codewords Group all codewords Red=codewords and their neighbors and their neighbors Blue= non codewords

Security oriented codes

Efficiency criterion - Maximal error masking probability

Robust code : Linear codes cannot provide security

max ( ) | |

e

e C C Q C



  

  

1 Q  Challenge: construct high rate, low HW overhead codes

Types of security oriented codes

• Deterministic encoding - partially robust codes for uniform distribution

Generalized Vasil’ev code(1962), Generalized Phelps code(1983), One Switching code (Etzion-Vardy 1994), Cubic code (Karpovsky-Taubin 2004)

• Deterministic encoding - robust codes for uniform distribution

Quadratic systematic code (Karpovsky et al 2007) Generalized punctured quadratic/cubic (Adamaty et al 2012, Neumeier-Keren 2013) Challenge: there are only two deterministic encoding high rate robust codes Challenge: design q-ary codes for multi-level memories

Types of security oriented codes

Deterministic encoding - robust t-error correcting codes

• An attacker can use the decoder to conceal the attack

Challenge: concatenation is not good enough, it results in low rate codes

Types of security oriented codes (cont.)

• Randomized encoding

AMD code (Cramer-Dodis 2008) Generalized Reed-Muller (Karpovsky-Wang 2014), Non-malleable codes (Dziembowski et al 2010) Hardening FSMs (Kahraman et al (2010)

Strong attack detecting codes Non-malleable codes

Challenge: non perfect RNG

Codes in practice

Non-Uniform Distribution –

some errors will be detected with a low probability or in the worst case, will never be detected .

 

Challenge: deterministic encoding for non-uniformly distributed codewords

Summary

Security oriented codes differ from reliability oriented codes Reliability oriented codes have a long history (since 1949) Security oriented codes are newborns – there are more problems than solutions:

Error model Not many deterministic-encoding high rate robust codes Error correction may conceal the attack (no good solutions) The code’s efficiency degrades when codewords are not equally likely to occur …….

Thank you

How to measure non-linearity?

• Linear logic function
• First order polynomial
• Non-linear function
• Correlation attack – entropy loss
• Algebraic attack - distance from linear func.
• Fault attack – autocorrelation

2 1 2 2 1 1

( ,... , )

n n n

l x x x a x a x a x    

1 1 2

2 | ( ) |

n f

Max W





 

 ( ) , ( )

f

W HW m      

1 2

( ( ))

f

Max W W





 