edps2019 #2 1 nagata - ieee-edps.com
TRANSCRIPT
Side Channel Attacks
Makoto NagataGraduate School of Science, Technology and Innovation
Kobe University1-1 Rokkodai, Nada, Kobe, Japan
IEEE EDPS 2019, Milpitas
Copyright Makoto Nagata, Kobe University -2-
Outline
Physical attacksOn-chip security sensor circuitsSimulation technique of side-channel leakageConclusions
Copyright Makoto Nagata, Kobe University -3-
Advent of Adversary among IC Chips
H/W Trojans
Crypto attacks
Copyright Makoto Nagata, Kobe University -4-
Physical Attacks in Dimensions
Safety zone at IC chip
5mm**Magnified
Leakage observed on PCB〜100mm
Leakage through far EM emanation
1m〜
Objective: Securing crypto-engines in the areas of ICs
Copyright Makoto Nagata, Kobe University -5-
Physical Attack Isolation Walls at Chip Level
Plain text, Cipher text, Secret key
Passive attack
Core VSSCore clock
Data I/F
Cryptographic processor
PMC PLLCore VDD
Active attackCryptographic device
Copyright Makoto Nagata, Kobe University -6-
Passive Attack -- Power Noise AnalysisAnalysis models (Attacker)- Simple power analysis (SPA)- Differential power analysis (DPA)- Correlation power analysis (CPA)- Local EM analysis (LEMA)
EM probe(Attacker)
IC chip with crypto engine
Package and PCB
EM emanation
Copyright Makoto Nagata, Kobe University -7-
Active Attack -- Laser Fault Injection
PlaintextFaulty
Ciphertext
CorrectCiphertext
Cryptographic Core
DifferentialFault Analysis
Estimated Key
PreciseLFIKey
CandidateKey
Candidate2128 Key Space 28 Key Space
Secret KeyExposure
FF
Laser Fault Injection(LFI)
High resolution fault injection both in time and space, 1-bit fault potentially leads to leakage of 121-bit key (@AES-128)
Copyright Makoto Nagata, Kobe University -8-
Attack Measures and Packaging Structures
IC chipPackage substrate
EM wave, Laser
Passive attacks
Side channel attack (SCA)
EM, Photon, Volt., Current
Active attacks
Fault attack (FA)
EM, Laser, ESD,Glitch
ASIC Wire bonding,Flip chip
Plastic mold, CoB, etc.
FPGA 3D stacking, Fan out
Si interposer, MCM, etc.
Assembly structure
Physical media
Copyright Makoto Nagata, Kobe University -9-
Outline
Physical attacksOn-chip security sensor circuitsSimulation technique of side-channel leakageConclusions
Copyright Makoto Nagata, Kobe University -10-
Crypto Core
Micro EM probe
EMemanation
LEMA Attack Sensor
Freq
uenc
y
Sensor-to-Probe Distance
fLC1
fLC2
AttackDetection
Crypto Core
fLC1fLC2
Dual SensorCoils
EM observation impossible w/o disturbance to fields -- “invasive attack” is not true
Copyright Makoto Nagata, Kobe University -11-
LEMA Sensor Circuit DetailsSensor Coil L1
LCen1
LCclk1
Control
AttackDetection
Detection
f LC1-
f LC2
LCclk2
LCen2
Sens
or C
ore
for
L 2
L2
Ccode2
ROclk2
ROen2
n
ROclk1
ROen1
Ccode1
Calib
ratio
nx2n
C Bank Calib
ratio
n
Sens
or C
ore
for
L 1
Copyright Makoto Nagata, Kobe University -12-
LEMA Sensor Features
No frequency reference needed Robust and yet low-cost countermeasure Different coil shapes further enhance robustness Dual EM-probe attack almost impossible
Fully-digital oscillator-based sensor circuit Detection: 2 Racing Digital Counters (2RDC) Calibration: Ring Oscillator (RO) + 2RDC
N. Homma et al., “Design Methodology and Validity Verification for a Reactive Countermeasure Against EM Attacks," IACR Journal of Cryptology, Dec. 2015.
Copyright Makoto Nagata, Kobe University -13-
Design Example
Crypto Core (e.g. AES)
M6
M5
S-BOX[0:7] S-BOX[8:15]
L1 L2Sensor Core Circuit
4-Turn Coil L1
Dual Sensor Coils
3-Turn Coil L2
Supply-Current Equalizer
128bit Composite-TypeAES Cryptographic Core 48
0m
4-Turn Coil L1
Dual sensor coils
Copyright Makoto Nagata, Kobe University -14-
Detection Range Measurements
Probe-to-Chip Distance Z [mm]
0
1.0
2.0
3.0
4.0
5.0
6.0
0 0.05 0.1 0.15 0.2
f LC
Shift
[%
]
fLC1
fLC2
Crypto Chip
Z
Micro EMProbe
128bit AES Chip
Micro EM Probe
Copyright Makoto Nagata, Kobe University -15-
Demonstration of EM Probe Detection
1/4 Divided Clock Frequency Spectrum
Frequency [MHz]440 500Frequency [MHz]440 500
3-Turn Coil L2
4-Turn Coil L1
L2
L1
Probe Approach to L1No Probe Approach
5.2% Shift
Copyright Makoto Nagata, Kobe University -16-
LFI Attack Sensor
p+ n+n+
P-Substrate
G D
Electron-HolePairs
HoleCapture
*E. Neto et al., “Using Bulk Built-in Current Sensors to Detect Soft Errors,“ IEEE Micro, 2006.
10
Photocurrent
LFI to Cross-CoupledInverter in FF
01
MN
Bulk-Current Sensor*
Copyright Makoto Nagata, Kobe University -17-
Distributed Bulk-Current Sensor
Crypto Core w/ Distributed Sensor
VDDVSS
SensorArray
VDD
VSS
MP1 MP2
MN1MN2
Sensor Frontend [286F2/Cell]
RST
RSTAlarm
BodyP
MP2
MN1
MN2
BodyN
Wired ORBodyP
MP2
MN1
MN2
BodyN
BulkP
MP1 MP2
MN1MN2
BulkN
Sensor Back-End
Copyright Makoto Nagata, Kobe University -18-
LFI Detection Measurements
*K. Matsuda et al., “A 286 F2/Cell Distributed Bulk-Current Sensor and Secure Flush Code Eraser Against Laser Fault Injection Attack on Cryptographic Processor,“ IEEE J. Solid-State Circuits, 2019.
Copyright Makoto Nagata, Kobe University -19-
LFI Detection Sensor Demonstration
Copyright Makoto Nagata, Kobe University -20-
Outline
Physical attacksOn-chip security sensor circuitsSimulation technique of side-channel leakageConclusions
Copyright Makoto Nagata, Kobe University -21-
Side-Channel Analysis
► Analysis (or attacks in a malicious case) to extract a secret key from power-noise waveforms
► Simulation technique to evaluate security risks in design against diversified leakage models
Correlation Power Analysis (CPA)
...I(t)
Cypher text #1 #2 #10000
Power noise voltage drops at the clock cycle of interest
Time(ns)
Powe
r cur
rent
(a.u.
)Vo
ltage
dro
p (a
.u.)
Hamming distance
Voltage range to correlate with internal activity with Hamming distance between before and after the crypto computation
Voltage dropSimple Power Analysis (SPA)
I(t)
CLKCrypto computation on scalar multiplication algorithm (e.g. point doubling, point addition)
110....
Power noise during encryption
0010203_0405067....Guessed key
Copyright Makoto Nagata, Kobe University -22-
CPS* Model for Diagnosis and Analysis*Chip-Package-System board
Full-system level simulation of power-noise SC leakage
RLGC
LWire RDie_effective
CDecap CDie_effective
ZDD
Packagemodel
PCBmodel
Chip model
VDD
VSS
Powerconverter
Digital circuit of interest
Copyright Makoto Nagata, Kobe University -23-
Challenges► Challenge1: Chip Package System(CPS) board-level power-noise
SC leakage modeling and simulation
“CPA” with one CLK cycle wave for thousands of plain text
power noiseCLK
2000~
power noiseCLK
“SPA” with thousands of CLK cycles of public-key encrypt
1
Public-key cryptography –Simple Power Analysis (“SPA”), a single power-noise waveform over thousands of CLK cycles, very long time power noise simulation is required.
Private-key cryptography –Correlation Power Analysis (“CPA”), power-noise waveforms for thousands of different plain texts, very large set of power noise simulation is required.
► Challenge2: Analysis (attacks) by simulation to derive a secret key from IC chip level power noise waveforms
Side-channel leakage is assessed on countermeasure crypto ICs in a design phase.
Copyright Makoto Nagata, Kobe University -24-
► Noise paths and noise sources(1) Full chip PDN modeling include silicon substrate w/o dynamic power simulation
► Power-noise SC leakage simulation
Case1: Private-key (e.g. AES) – power-noise waveforms for thousands of plain texts (#1~#10000)(different test vectors for short CLK cycles)
Chip Power Model of Crypto Engines
(2) Core level power modeling w/o full chip Si sub. and PDN
extraction
Case2: Public-key (e.g. RSA, DSA, ECDSA) -- a single power-noise waveform of several thousand CLK cycles
Copyright Makoto Nagata, Kobe University -25-
Silicon Experiments
► 128bit AES crypto IC chip 3 mm x 4 mm 130 nm CMOS process Private key cryptographic (AES) Single power domain (1.5V)
► Evaluation board and system 7.3 cm x 10.0 cm 4 layers of interconnect Chip on Board (CoB) assembly Daughter board to micro controller
Au wire
CoB assembly
AES Core
Copyright Makoto Nagata, Kobe University -26-
Power-Noise SC Leakage Simulation Results►Case study: private-key cryptographic IC chip AES encryption engine Operation frequency: 34 MHz
Test Chip Layout
voltage probingnode(METAL6)
VDD
VSS
for a singlewaveform
Last round of encryption Simulated Power Noise Waveform
1.0 3.0 5.0 7.0 9.0 11.0 (ns)
1.5001.4981.4961.4941.4921.490
1.502(V)
V for Hammingdistance
1500 data set is captured
#of cells # of wires # of viasFull IC chip 231036 13674 41265
Memory Threads CPU timePDN modeling 2726MB 8 3.0 hourpower noise modeling 2348MB 8 8.5 minpower noise simulation 229MB 1 2.8 sec
►Power noise on VDD during crypto operation of last round (12 ns) in C-P-S simulation# of plain texts: 1500
►Simulation cost evaluation server: Intel Xeon CPU ES-2699 v4 (2.2GHz)
Active gate count=34K
Copyright Makoto Nagata, Kobe University -27-
Acceleration of Simulation
► Traditional full-chip level simulation takes longer computation time due to impedance extracted from physical layout of an IC chip in long sim. time.
► Proposed flow iteratively updates the active part of CPM while keeping passive networks (e.g. PDN) and focuses on dynamic power noise data.
Passive part of CPM
Active part of CPM
Full chip CPM modeling
AES core CPM modeling
Cost of CPM Extraction
Required resource and time
CPU
time (
hour
)
Advancedflow(proposed)
Traditionalflow
x21.2 faster
Cost of SimulationCPU : 2.2GHz (2core), Memory usage : 2.3GB
Copyright Makoto Nagata, Kobe University -28-
Summary
Exploration of on-chip protection circuits against a varietyof physical attacks in passive and active manner.Chip-package system board simulation technique towardthe design of crypto circuits for resiliency, and also todesign of attack sensors.Research spaces of on-chip protection against H/W Trojans.
Acknowledgments: The authors would like to deeply thank Dr. Norman Chang forcollaborative research works on SC leakage analysis, and Profs. Noriyuki Miura, NaofumiHomma, Yuichi Hayashi and Kazuo Sakiyama for scientific discussions.