electromagnetic transient faults injectiondutertre/doc_recherche/c_2012_2_cryptarchi_… · • may...
Electromagnetic Transient Faults Injection
• François Poucheret
• Philippe Maurine
• Amine Dehbaoui
• Bruno Robisson
• Assia Tria
• Jean-Max Dutertre
Embedded Secure System Evolution
[Figure: frequency F versus power P, from nowadays secure devices (10 MHz, 10 mW) to next secure devices? (3 GHz, 100 W): F ∼ ×10², P ∼ ×10⁴]
Is it possible to inject faults in such systems?
• ∼100 kgates, ∼30 MHz, ∼5 mm², ∼90 nm / 4 metal layers: easy access to frontside and backside!
• ∼1 Mgates, ∼1 GHz, ∼25 mm², ∼45 nm / 7-10 metal layers: access to backside is difficult! BGA packages!!!
Motivations for EMP Injection
Access to backside is difficult! BGA packages!!!
• Does not require depackaging the target
• Does target the upper metal layer (Vdd, Gnd, Clk)
• May bypass some countermeasures (light sensors, global power filtering …)
Seems adequate to inject faults in Secure SoC designed with advanced technologies!
Agenda
• What is an EMP platform? Is it low cost?
• Does it always work?
• What are the effects of an EMP platform on an IC?
• What is the resolution of an EMP?
EMP platforms
• A pulse generator
• A control PC
• A magnetic probe
Low Amplitude Pulses (CEA-EMSE)
• Amplitude: 1 V – 100 V
• Pulse width: 9 ns – 1 ms
• Rising / falling times: 5 ns
• Very low jitter: < 45 ps
• Rohde & Schwarz magnetic antenna (500 µm diameter)
High Amplitude Pulses (LIRMM)
• Amplitude: 100 V – 1.2 kV
• Not available on the market
• Must be home made
According to both the amplitude and repetition rate
[Figure: platform diagram; labels: Pulse gen., Motorized stage, Target, Trigger signal, GPIB, I/O; cost labels: 50 $, 500 $, 1 $]
EMP Injection : Observation
[Figure: Ignd waveform; scale labels: 200 mA, 100 ns; 300 mV voltage drop]
High Amplitude Pulses:
• DeltaV = 900 V
• Width = 250 ns
• 300 mV Voltage Drop
Low Amplitude Pulses:
• DeltaV = 50 V
• Width = 20 ns
• 150 mV Voltage Drop (Vdd noise)
[Figure: waveform; scale labels: 50 ns, 150 mV]
EMP Injection : Design considerations
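$$Delay \approx a \cdot \tau \cdot \frac{C_L}{C_{IN}}, \qquad \tau = \frac{2 \cdot L^2 \cdot V_{DD}}{\mu \cdot (V_{DD} - V_t)^2}$$

[Figure: flip-flop (D, CK, Q), LOGIC, flip-flop (D, CK, Q) on a common clock CK; delays labelled CK2Q, Q2D and δ]

$$D_{CK2Q} + D_{Q2D} < T_{CK} - T_{SETUP} - \delta$$

$$Timing\_Slack = T_{CK} - T_{SETUP} - \delta - [D_{CK2Q} + D_{Q2D}]$$

IC are designed to tolerate: Vdrops < 0.1 · Vdd !!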
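The timing-slack relation on this slide can be turned into a supply-margin check; the following is an added example, not code from the presentation. It assumes the whole data-path delay D_CK2Q + D_Q2D scales as V_DD / (V_DD − V_t)², and the values of V_T, T_SETUP and DELTA are assumptions; the clock periods, nominal slacks and 1.2 V supply are the ones given for the AES experiments.

```python
# Added example: timing slack of a register-to-register path under a supply drop.
# V_T, T_SETUP and DELTA are assumed values, not taken from the slides.
V_DD = 1.2      # nominal core supply in volts (from the slides)
V_T = 0.4       # assumed threshold voltage in volts
T_SETUP = 0.5   # assumed flip-flop setup time in ns
DELTA = 0.1     # assumed clock skew in ns

def delay_scale(v, v_nom=V_DD, v_t=V_T):
    """Factor by which gate delay grows when the supply moves from v_nom to v."""
    if v <= v_t:
        raise ValueError("supply must stay above the threshold voltage")
    return (v / (v - v_t) ** 2) / (v_nom / (v_nom - v_t) ** 2)

def nominal_path_delay(t_ck, slack):
    """D_CK2Q + D_Q2D recovered from the clock period and the nominal slack."""
    return t_ck - T_SETUP - DELTA - slack

def slack_under_drop(t_ck, nominal_slack, drop):
    """Timing slack in ns when the supply is V_DD - drop during the cycle."""
    path = nominal_path_delay(t_ck, nominal_slack) * delay_scale(V_DD - drop)
    return t_ck - T_SETUP - DELTA - path

def critical_drop(t_ck, nominal_slack, tol=1e-6):
    """Smallest supply drop (V) that makes the slack negative, by bisection."""
    lo, hi = 0.0, V_DD - V_T - 1e-3
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if slack_under_drop(t_ck, nominal_slack, mid) < 0:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    for name, t_ck, slack in [("AES 50 MHz", 20.0, 10.0), ("AES 100 MHz", 10.0, 2.0)]:
        print(name,
              "slack at 10%% drop: %.2f ns" % slack_under_drop(t_ck, slack, 0.1 * V_DD),
              "critical drop: %.0f mV" % (1000 * critical_drop(t_ck, slack)))
```

Under these assumptions both designs keep a positive slack at the 0.1 · Vdd design tolerance, and the design with the smaller slack loses its margin at a much smaller drop.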
EMP Injection: Effect
[Figure labels: Vdd, clock-related timing constraint, 65 nm, nominal voltage, minimum voltage, EM pulse]
Designs are designed to operate correctly with such timings!
Validations & Experimental Results
Experiments
1. Hardware AES 50 MHz
• Xilinx Spartan 3
• Core supply: 1.2 Volts
• Clock speed: 50 MHz
• Tslack = 10 ns
2. Hardware AES 100 MHz
• Xilinx Spartan 3
• Core supply: 1.2 Volts
• Clock speed: 100 MHz
• Tslack = 2 ns
3. Hardware AES 100 MHz + CM
• Xilinx Spartan 3
• Core supply: 1.2 Volts
• Clock speed: 100 MHz
• Tslack = 2 ns
• Embedded countermeasure
• Detection of timing violations
[Figure: floorplan; labels: Round Exe, Key Exp, FSM]
Validation & Experimental Results
Hardware AES 50 MHz
• Xilinx Spartan 3
• Core supply: 1.2 Volts
• Clock speed: 50 MHz
• Tslack = 10 ns
2500 injections @ 600 V: 98% of faulted texts, 350 mono-bit faults
[Figure: histogram of the # of faulted bits; regions: multi-bit faults with less than 16 bits faulted, multi-bit faults with more than 16 bits faulted]
EMP Injection Cartography
Tslack = 2 ns
• At each position, an EMP is injected during the last round of the AES
• The corresponding faulted ciphertext (if any) is retrieved
• This process is done for 1,000 encryptions of the same plaintext
• This process is done for 30x30 different locations of the injection probe on top of the FPGA
[Figure: faults cartography, 30 × 30 positions, colour scale: faulted bytes (0 to 8); floorplan labels: Round Exe, Key Exp, FSM]
• Localized effect of the EMP
• Good correlation between the floorplan and the cartography
[Figure: fault occurrence versus EMP amplitude; regions: no faults, metastable region]
Localized Effect of the Voltage Drops
[Figure: faults cartography, 30 × 30 positions, colour scale: faulted bytes (0 to 8)]
[Figure: three bar charts, one bar per byte (byte 0 to byte 15), axis from 0 to 0.6; series: mono-bit faults, multi-bit faults]
Voltage Drops Detection
• FPGA Spartan 3 XC3S1000 FT256
• Techno 130 nm
• Operating voltage: 1.2 volts
• Operating frequency: 100 MHz
• Hardware AES implementation
• Countermeasure (detection of timing violations)
Voltage Drops Detection
• At each position, an EMP is injected during the last round of the AES
• The corresponding faulted ciphertext (if any) is retrieved
• The value of the alarm flag is stored
• This process is done for 1,000 encryptions of the same plaintext
• This process is done for 30x30 different locations of the injection probe on top of the FPGA
[Figure: faults cartography, 30 × 30 positions, colour scale: 0 to 8]
[Figure: alarms cartography, 30 × 30 positions; legend: alarm, no alarm]
• Localized effect of the EMP
• The EMP is detected only in some positions
• Possibility to induce faults without triggering the alarm
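The two cartographies above can be compared numerically to measure how much of the faulty output the timing-violation detector actually flags; the following is an added example, not code from the presentation. The record layout (x, y, ciphertext, alarm flag), the helper names and all sample values are constructed for illustration.

```python
# Added example: post-processing of a fault / alarm cartography.
# The record layout and all sample values are constructed for illustration.
from collections import Counter

def classify(reference: bytes, observed: bytes):
    """Return (indexes of faulted bytes, number of flipped bits)."""
    diff = bytes(a ^ b for a, b in zip(reference, observed))
    return [i for i, d in enumerate(diff) if d], sum(bin(d).count("1") for d in diff)

def summarize(reference, records):
    """records: (x, y, ciphertext, alarm_flag) tuples -> {(x, y): Counter}."""
    grid = {}
    for x, y, ciphertext, alarm in records:
        cell = grid.setdefault((x, y), Counter())
        cell["runs"] += 1
        faulted, bits = classify(reference, ciphertext)
        if not bits:
            cell["false_alarm"] += int(alarm)   # alarm raised, ciphertext correct
            continue
        cell["faulty"] += 1
        cell["mono_bit" if bits == 1 else "multi_bit"] += 1
        cell["max_faulted_bytes"] = max(cell["max_faulted_bytes"], len(faulted))
        cell["detected" if alarm else "undetected"] += 1
    return grid

def detection_coverage(grid):
    """Share of faulty encryptions for which the alarm flag was raised."""
    faulty = sum(c["faulty"] for c in grid.values())
    return sum(c["detected"] for c in grid.values()) / faulty if faulty else 1.0

def undetected_positions(grid):
    """Probe positions where at least one fault was not flagged."""
    return sorted(pos for pos, c in grid.items() if c["undetected"])

def flip(reference, masks):
    """Constructed test data: XOR the given {byte index: mask} into reference."""
    return bytes(b ^ masks.get(i, 0) for i, b in enumerate(reference))

REFERENCE = bytes(range(16))                      # constructed "correct" ciphertext
RECORDS = [                                       # constructed campaign records
    (0, 0, REFERENCE, False),                     # no fault, no alarm
    (3, 4, flip(REFERENCE, {5: 0x01}), True),     # mono-bit fault, detected
    (3, 4, flip(REFERENCE, {5: 0x81, 9: 0xFF}), True),   # multi-bit, 2 bytes
    (7, 2, flip(REFERENCE, {0: 0x10}), False),    # mono-bit fault, not detected
    (7, 2, REFERENCE, True),                      # alarm without fault
]
GRID = summarize(REFERENCE, RECORDS)
```

A coverage below 1.0 together with a non-empty list of undetected positions is the numerical counterpart of the last bullet above, and the positions listed are where the detector needs additional sensing.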
Spatial Resolution?
[Figure: CST simulations of the H field, 1 turn / ∅ 100 µm, 200 µm below the probe; D = 0.7 mm; 50 % of energy]
Resolution of EMP injection depends on the IC!
Conclusion & Further works
• Ability to inject single-bit and multi-bit faults into AES calculations
• Induced faults are timing faults due to voltage drops
• EMP amplitude depends on timing slack (IC frequency and technology)
• Localized effect: the coupling depends on the IC layout
• May bypass power supply low-pass filtering
• May fault any paths (even non-critical paths)