Unrolled Cryptography on Silicon A Physical Security Analysis



SLIDE 1

RUHR-UNIVERSITÄT BOCHUM

Unrolled Cryptography on Silicon A Physical Security Analysis

Thorben Moos Ruhr University Bochum, Horst Görtz Institute for IT Security, Germany September 15th, 2020

SLIDE 2

Section 1 Introduction

Thorben Moos | Unrolled Cryptography on Silicon | September 15th, 2020 1

SLIDE 3

Target

Introduction

SLIDE 4

Background

Introduction

  • Cryptographic primitives with high-speed (low-latency) performance in hardware have received growing attention in the last decade
  • This design goal requires a short critical path as a fully-unrolled combinatorial circuit without memory elements
  • PRINCE has been developed for high-speed single-cycle encryption and decryption at moderate hardware cost
  • Tempting for many different applications, e.g., memory encryption

SLIDE 5

PRINCE

Introduction

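[Figure: PRINCE structure. Labels: keys k0 and k′ around PRINCEcore; rounds R0 to R5 with round constants RC0 to RC5; middle layer SR⁻¹, M′, SR; inverse rounds R⁻¹6 to R⁻¹11 with round constants RC6 to RC11; round detail k1, RCi, S, M; inverse round detail k1, RCi, S⁻¹, M⁻¹]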

Source: TikZ for Cryptographers, https://www.iacr.org/authors/tikz, Author Jérémy Jean

SLIDE 6

Motivation 1

Introduction

  • Unrolled circuits are hard to protect against SCA attacks
  • Glitch-resistant masking is arguably the most relevant class of SCA countermeasures for hardware circuits
  • It cannot easily be applied to unrolled circuits as it requires registers as synchronization stages
  • Generic low-latency masking [1] causes an exponential increase in the circuit size when trying to avoid register stages
  • However, it has been reported that the high parallelism, asynchronicity and speed of execution of unrolled circuits create an inherent resistance to side-channel attacks

Source: [1] Gross et al., Generic Low-Latency Masking in Hardware, TCHES Volume 2018 Issue 2

SLIDE 7

Motivation 2

Introduction

  • Previous works on the physical security of unrolled PRINCE are all FPGA-based
  • According to [2] an FPGA implementation occupies about 35× as much area, consumes about 14× as much dynamic power and is more than 4× slower than an equivalent standard-cell-based ASIC design
  • Hard to transfer conclusions from one platform to the other
  • Static leakage of unrolled circuits has not been considered as a threat to such implementations yet

Source: [2] Kuon et al., Measuring the Gap Between FPGAs and ASICs, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 2007

SLIDE 8

Gate-Level Simulations

Introduction

  • 9 169 logic gates corresponding to 10 036 (GE), synthesized for 200 MHz
  • 114 803 gate transitions (avg) for random plaintext and key transition, 96% glitches
  • 56 920 gate transitions (avg) for random plaintext transition, 92% glitches

SLIDE 9

Section 2 Experimental Results

SLIDE 10

No Reset

Dynamic Power Analysis

[Figure: power consumption over time samples; correlation over time samples; correlation over number of measurements (×10^5)]

SLIDE 11

Plaintext Reset to Zero

Dynamic Power Analysis

[Figure: power consumption over time samples; t-statistics over time samples; histogram of power consumption (frequency of occurrence, fixed vs. random); t-statistics over number of measurements]

SLIDE 12

Plaintext and Key Reset to Zero

Dynamic Power Analysis

[Figure: power consumption over time samples; t-statistics over time samples; histogram of power consumption (frequency of occurrence, fixed vs. random); t-statistics over number of measurements]

SLIDE 13

Plaintext Reset to Random Value

Dynamic Power Analysis

[Figure: power consumption over time samples; t-statistics over time samples; histogram of power consumption (frequency of occurrence, fixed vs. random); t-statistics over number of measurements]

SLIDE 14

Plaintext and Key Reset to Random Value

Dynamic Power Analysis

[Figure: power consumption over time samples; t-statistics over time samples; histogram of power consumption (frequency of occurrence, fixed vs. random); t-statistics over number of measurements]

SLIDE 15

Plaintext and Key Reset to Random Value

Dynamic Power Analysis

Reset Type           | Attack | Best Power Model Found                       | Rec. Nib.
no reset             | CPA    | HD(S(p_{i-1,j} ⊕ k̂_j), S(p_{i,j} ⊕ k̂_j))    | 16/16
plain zero           | CPA    | HD(S(0 ⊕ k̂_j), S(p_{i,j} ⊕ k̂_j))            | 7/16
plain and key zero   | CPA    | HD(S(0 ⊕ 0), S(p_{i,j} ⊕ k̂_j))              | 5/16
plain random         | CPA    | HW(S(p_{i,j} ⊕ k̂_j))                        | 2/16
plain and key random | CPA    | HW(S(p_{i,j} ⊕ k̂_j))                        | 3/16
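Added example, not from the original slides: a Python simulation of how the "no reset" and "plain random" rows of the table differ for an evaluator. It assumes an idealized leakage for one first-round nibble (Hamming distance between the S-box outputs before and after the plaintext is applied, plus Gaussian noise); the function names, noise level and trace count are assumptions, and the traces are constructed, not chip measurements.

```python
import random

# PRINCE 4-bit S-box, from the cipher specification.
SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1,
        0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]

def hw(x):
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def simulate(reset, key, n=4000, sigma=1.0, seed=2020):
    """Constructed traces for one nibble (assumed leakage model, not chip data).
    reset="none": the input holds the previous plaintext before each encryption.
    reset="random": the input is reset to a fresh value the evaluator never sees.
    Returns rows of (plaintext, known previous input or None, leakage sample)."""
    rng = random.Random(seed)
    prev, rows = rng.randrange(16), []
    for _ in range(n):
        p = rng.randrange(16)
        before = prev if reset == "none" else rng.randrange(16)
        leak = hw(SBOX[before ^ key] ^ SBOX[p ^ key]) + rng.gauss(0, sigma)
        rows.append((p, before if reset == "none" else None, leak))
        prev = p
    return rows

def cpa(rows):
    """Best key guess and its |correlation|: HD model when the previous input
    is known, HW(S(p ^ k)) otherwise, matching the models in the table."""
    leak = [r[2] for r in rows]
    best = (None, 0.0)
    for g in range(16):
        model = [hw(SBOX[p ^ g]) if b is None else hw(SBOX[b ^ g] ^ SBOX[p ^ g])
                 for p, b, _ in rows]
        rho = abs(pearson(model, leak))
        if rho > best[1]:
            best = (g, rho)
    return best

if __name__ == "__main__":
    for mode in ("none", "random"):
        print(mode, cpa(simulate(mode, key=0x7)))
```

In this idealized model the random reset removes the first-order dependence on the plaintext entirely; the table above shows that on the measured chip 2/16 nibbles were still recovered.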

SLIDE 16

Signal-to-Noise-Ratio (SNR)

Dynamic Power Analysis

[Figure: four panels of SNR over round]

SLIDE 17

Static Power Results

Static Power Analysis

[Figure: histogram of power consumption (frequency of occurrence, fixed vs. random); t-statistics over number of measurements; two panels of correlation over number of measurements (×10^5)]

SLIDE 18

Static Power Results

Static Power Analysis

Round | Attack | Best Power Model Found      | Rec. Nib.
first | CPA    | LSB(S(p_{i,j} ⊕ k̂_j))      | 15/16
last  | CPA    | LSB(S(c_{i,j} ⊕ k̂′_j))     | 16/16

SLIDE 19

Signal-to-Noise-Ratio (SNR)

Static Power Analysis

[Figure: SNR over round, static vs. dynamic]

SLIDE 20

Conclusion

  • Protecting unrolled circuits without causing severe area or latency penalties is hard
  • Some simple usage principles deliver promising results
  • Resetting the plaintext input of an unrolled cipher to a random value between encryptions is effective against information leakage through the dynamic power
  • Static power adversaries can remain dangerous in such a scenario if clock control is an option or if other mistakes are made
  • Due to its nature, the static power consumption is often the easiest way to extract the full 128-bit key of unrolled PRINCE because each round can be targeted with the same effort

SLIDE 21

Thank you for your attention. Any questions?
