1

Prototype IC with WDDL and Differential Routing – DPA Resistance Assessment

K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, I. Verbauwhede

tiri@ee.ucla.edu

This work was supported in part by

National Science Foundation (CCR-0098361), UC-Micro 02-079 and 03-088, Panasonic Foundation,

SUN Microsystems, Atmel corporation and the Fannie and John Hertz Foundation

Kris Tiri CHES 2005, 09/01/05 2

Outline

� Side-channel attacks

� IC system architecture

� Resisting DPA attacks

� Secure digital design flow

� Prototype IC

� Insecure coprocessor as benchmark

� DPA resistance experimental results

� Conclusions

2

Kris Tiri CHES 2005, 09/01/05 3

Side-channel attacks

Current Probe

� 128-bit AES encryption cracked under 3 min.

start encryption

11 clock cycles

supply current

start signal

Kris Tiri CHES 2005, 09/01/05 4

Fingerprint

sensor

2MB SRAM

LEON Processor

Secure ASIC

LEON Processor

Boot PROM I/F

AMBA Peripheral

Bus

32bits Memory Bus

Comparator

LEON Processor

AES

coprocessor

comparator

Template

storage

Regular processor

Boot ROM

RS232

LEON processor

UART1

UART2

cache

AHB

controller

Memory

controller

Boot

PROM I/F

AHB/APB

bridge

AMB A

Peripheral

Bus

32bits Memory Bus

Integer unitAHB I /F D cache

2KBI cache

2KB

Fingerprint

sensor

2MB SRAM

LEON Processor

Secure ASIC

LEON Processor

Boot PROM I/F

AMBA Peripheral

Bus

32bits Memory Bus

Comparator

LEON Processor

AES

coprocessor

comparator

Template

storage

Regular processor

Boot ROM

RS232

LEON processor

UART1

UART2

cache

AHB

controller

Memory

controller

Boot

PROM I/F

AHB/APB

bridge

AMB A

Peripheral

Bus

32bits Memory Bus

Integer unitAHB I /F D cache

2KBI cache

2KB

ThumbPod device

� Biometrically-driven

electronic key

� Strong, secure bond between owner and key

� Components:

� Microprocessor

� Fingerprint sensor

� Wireless transceiver

� Secure coprocessor

� Security partitioning

3

Kris Tiri CHES 2005, 09/01/05 5

AES encryption core

� Advanced Encryption Standard optimized for speed: 128-bit key, 128-data

� Sbox table lookup, on the fly key scheduling

� 11 cycles per encryption

� OFB, CBC, and ECB modes without loss in throughput

KEY

SCHEDULE

XORSUBSHIFT

ROW

MIX

COLUMN

KEY

DIN

DOUT

RA

RB RC

Kris Tiri CHES 2005, 09/01/05 6

Resisting DPA attacks

� Protection against class of power analyses

� Independent of algorithm/arithmetic

� Correct by construction

� Distributed solution

basic building blocksame power for every transition

� Asymmetric power consumption

4

Kris Tiri CHES 2005, 09/01/05 7

Secure digital design flow

script lib.v

logic synthesis

logic design

behavior.v design specs

rtl.v

cell substitution

fat_lib.lef diff_lib.lef

place &

route

fat.v fat.def

interconnect decomposition

diff.def layout

stream out

Few key modifications with minimal influence in backend of regular synchronous

static CMOS standard cell design flow

Kris Tiri CHES 2005, 09/01/05 8

Wave Dynamic Differential Logic

single switching event per cycle

Secure digital design flow (cnt’d)

� Static CMOS standard cell

� Dual rail with precharge

� Interconnect: dominant

� Balancing interconnect: crucial

Differential Routing

constant load capacitance

AOI221X2 gate

C0

OAI221X1

AOI22 1X1A0

A1

B0

B1

Y

Y

INVX2

INVX2A0

A1

B0

B1

C0

AOI221X2 gate

C0

OAI221X1

AOI22 1X1A0

A1

B0

B1

Y

Y

INVX2

INVX2A0

A1

B0

B1

C0

5

Kris Tiri CHES 2005, 09/01/05 9

Prototype IC in 0.18µm CMOS

� WDDL, differential route � Single-ended, regular route

AES

AES

AES

AES

Kris Tiri CHES 2005, 09/01/05 10

DPA attack setup

leon sparc coprocessor IC

synchr. signal

current probe

6

Kris Tiri CHES 2005, 09/01/05 11

� Unprotected AES � Protected AES

Supply current traces

encryption

supply current

Kris Tiri CHES 2005, 09/01/05 12

� Unprotected AES � Protected AES

Supply current traces (cnt’d)

encryption

supply current

7

Kris Tiri CHES 2005, 09/01/05 13

DPA resistance assessment

� Estimate power consumption in round 11 + 1

� Compare Hamming distances & measurements

� 16*28 key guesses vs. 2128 key guesses

R11

max fcost(K11) = corr(Pmeasurement,Pestimation) K11

where Pmeasurement = max(Isupply,11+1)

Pestimation = HamDist(D11,C11)

D11 = sub-1(shiftrow-1(K11 ⊗ C11))

D11XORSUB

SHIFT

ROW

MIX

COLUMN

DIN

DOUT

RB RC

KEY

C11

K11

C11C11R11+1

Kris Tiri CHES 2005, 09/01/05 14

DPA attack

� Unprotected key byte (15K meas.)

Measurements

to Disclosure

8

Kris Tiri CHES 2005, 09/01/05 15

DPA attack (cnt’d)

� Protected key byte (1,500K meas.)

Kris Tiri CHES 2005, 09/01/05 16

Results

Parameter Unprotected AES Protected AES

Gate Count (eq. gates) [K] 79 245

Area [mm2] 0.79 2.45

Maximum Frequency (@1.8V) [MHz] 330.0 85.5*

Maximum Throughput (@1.8V) [Gb/s] 3.84 0.99

Power Consumption (@1.8V, 50 MHz) [mW] 54 200†

Measurements to Disclosure‡

min 320 21,185

mean 2,133 255,391

max 8,168 1,276,186

Key bytes not found (@1.5M Meas.) n/a 5 *Duty factor of clock > 50% to guarantee precharge of all gates

†Estimation based on area ratio AES vs. Entire System

‡Based on correctly guessed key bytes

9

Kris Tiri CHES 2005, 09/01/05 17

Security tradeoff - figure of merit

� Three times area, and four times power consumption and minimum clock period

� Security partitioning minimizes cost for complex systems

� Secure coprocessor orders of magnitude faster and expends less energy than software on main processor

� Figure of merit: (throughput /power consumption)� Secure coprocessor: 2.9Gb/s/W.

� C code on embedded Sparc: 0.0011Gb/s/W

Kris Tiri CHES 2005, 09/01/05 18

Conclusions

� Power supply current

� Major & easy side-channel leakage source

� Design approach

� Secure digital design flow

� Prototype IC in 0.18µm CMOS

� Demonstrated DPA countermeasure implemented and tested in actual silicon