Gate-level Leakage Assessment and Mitigation

Kathuria, Tarun

22 July 2019

Side-channel leakage, caused by imperfect implementation of cryptographic algorithms in hardware, has become a serious security threat for connected devices that generate and process sensitive data. This side-channel leakage can divulge secret information in the form of power consumption or electromagnetic emissions. The side-channel leakage of a crytographic device is commonly assessed after tape-out on a physical prototype. This thesis presents a methodology called Gate-level Leakage Assessment (GLA), which evaluates the power-based side-channel leakage of an integrated circuit at design time. By combining side-channel leakage assessment with power simulations on the gate-level netlist, GLA is able to pinpoint the leakiest cells in the netlist in addition to assessing the overall side-channel vulnerability to side-channel leakage. As the power traces obtained from power simulations are noiseless, GLA is able to precisely locate the sources of side-channel leakage with fewer measurements than on a physical prototype. The thesis applies the methodology on the design of a encryption co-processor to analyze sources of side-channel leakage. Once the gate-level leakage sources are identified, this thesis presents a logic level replacement strategy for the leakage sources that can thwart side-channel leakage. The countermeasures presented selectively replaces gate-level cells with a secure logic style effectively removing the side-channel leakage with minimal impact in area. The assessment methodology along with the countermeasures demonstrated is a turnkey solution for IP module designers and is also applicable to larger system level designs. / Master of Science / Consider how a lie detector machine works. It looks for subtle changes in a person’s pulse to tell if the person is telling the truth. This unintentional divulgence of secret information is called a side-channel leakage. Integrated circuits reveal secret information in a similar way through their power consumption. This is caused by the transistors, used to build these integrated circuits, switching in concert with the secret data being processed by the integrated circuit. Typically, integrated circuits are evaluated for side-channel leakage only after they have been manufactured into a physical prototype. If the integrated circuit is found vulnerable it is too expensive to manufacture the prototype again with an updated design. This thesis presents a methodology, Gate-level Leakage Assessment (GLA) to evaluate integrated circuits for side-channel leakage during their design process even before they are manufactured. This methodology uses simulations to identify the specific transistors in the design that cause side-channel leakage. Moreover, this thesis presents a technique to selectively replace these problematic transistors in the design with an implementation that thwarts side channel leakage.

Side-channel leakage

Countermeasures

Power analysis attacks

Power Analysis of Sub-threshold Logics for Security Applications

Haghighizadeh, Farhad

January 2012

Requirements of ultra-low power for many portable devices have drawn increased attention to digital sub-threshold logic design. Major reductions in power consumption and frequency of operation degradation due to the exponential decrease of the drain current in the sub-threshold region has made this logic an excellent choice, particularly for ultra-low power applications where performance is not the primary concern. Examples include RFID, wireless sensor networks and biomedical implantable devices. Along with energy consumption, security is another compelling requirement for these applications. Power analysis attacks, such as Correlation Power Analysis (CPA), are a powerful type of side channel attacks that are capable of performing a non-invasive attack with minimum equipment. As such, they present a serious threat to devices with secret information inside. This research analyzes sub-threshold logics from a previously unexplored perspective, side channel information leakage. Various transistor level and RTL circuits are implemented in the sub-threshold region as well as in the strong inversion region (normally the standard region of operation) using a 65 nm process. Measures, such as Difference of Mean Energies (DME), Normalized Energy Deviation (NED) and Normalized Standard Deviation (NSD) are employed to evaluate the implemented architectures. A CPA attack is also performed on more complex designs and the obtained correlation coefficients are used to compare sub-threshold and strong inversion logics. This research demonstrates that sub-threshold does not only increase the security against side channel attacks, but can also decrease the amount of leaked information. This research also shows that a circuit operating at sub-threshold consumes considerably less energy than the same circuit operating in strong inversion and the level of its instantaneous power consumption is significantly lower. Therefore, the noise power required to cover the secret information decreases and the attack may be dramatically more difficult due to major increase in the number of required power traces and run time. Thus, this research is important for identifying sub-threshold as a future viable technology for secure embedded applications.

Sub-threshold Circuits

Power Analysis Attacks

Electrical and Computer Engineering

Power Analysis of Sub-threshold Logics for Security Applications

Haghighizadeh, Farhad

January 2012

Requirements of ultra-low power for many portable devices have drawn increased attention to digital sub-threshold logic design. Major reductions in power consumption and frequency of operation degradation due to the exponential decrease of the drain current in the sub-threshold region has made this logic an excellent choice, particularly for ultra-low power applications where performance is not the primary concern. Examples include RFID, wireless sensor networks and biomedical implantable devices. Along with energy consumption, security is another compelling requirement for these applications. Power analysis attacks, such as Correlation Power Analysis (CPA), are a powerful type of side channel attacks that are capable of performing a non-invasive attack with minimum equipment. As such, they present a serious threat to devices with secret information inside. This research analyzes sub-threshold logics from a previously unexplored perspective, side channel information leakage. Various transistor level and RTL circuits are implemented in the sub-threshold region as well as in the strong inversion region (normally the standard region of operation) using a 65 nm process. Measures, such as Difference of Mean Energies (DME), Normalized Energy Deviation (NED) and Normalized Standard Deviation (NSD) are employed to evaluate the implemented architectures. A CPA attack is also performed on more complex designs and the obtained correlation coefficients are used to compare sub-threshold and strong inversion logics. This research demonstrates that sub-threshold does not only increase the security against side channel attacks, but can also decrease the amount of leaked information. This research also shows that a circuit operating at sub-threshold consumes considerably less energy than the same circuit operating in strong inversion and the level of its instantaneous power consumption is significantly lower. Therefore, the noise power required to cover the secret information decreases and the attack may be dramatically more difficult due to major increase in the number of required power traces and run time. Thus, this research is important for identifying sub-threshold as a future viable technology for secure embedded applications.

Sub-threshold Circuits

Power Analysis Attacks

Electrical and Computer Engineering

Exploiting On-Chip Voltage Regulators as a Countermeasure Against Power Analysis Attacks

Yu, Weize

24 May 2017

Non-invasive side-channel attacks (SCA) are powerful attacks which can be used to obtain the secret key in a cryptographic circuit in feasible time without the need for expensive measurement equipment. Power analysis attacks (PAA) are a type of SCA that exploit the correlation between the leaked power consumption information and processed/stored data. Differential power analysis (DPA) and leakage power analysis (LPA) attacks are two types of PAA that exploit different characteristics of the side-channel leakage profile. DPA attacks exploit the correlation between the input data and dynamic power consumption of cryptographic circuits. Alternatively, LPA attacks utilize the correlation between the input data and leakage power dissipation of cryptographic circuits. There is a growing trend to integrate voltage regulators fully on-chip in modern integrated circuits (ICs) to reduce the power noise, improve transient response time, and increase power efficiency. Therefore, when on-chip voltage regulation is utilized as a countermeasure against power analysis attacks, the overhead is low. However, a one-to-one relationship exists between the input power and load power when a conventional on-chip voltage regulator is utilized. In order to break the one-to-one relationship between the input power and load power, two methodologies can be considered: (a) selecting multi-phase on-chip voltage regulator and using pseudo-random number generator (PRNG) to scramble the activation or deactivation pattern of the multi-phase voltage regulator in the input power profile, (b) enabling random voltage/scaling on conventional on-chip voltage regulators to insert uncertainties to the load power profile. In this dissertation, on-chip voltage regulators are utilized as lightweight countermeasures against power analysis attacks. Converter-reshuffling (CoRe) technique is proposed as a countermeasure against DPA attacks by using a PRNG to scramble the input power profile. The time-delayed CoRe technique is designed to eliminate machine learning-based DPA attacks through inserting a certain time delay. The charge-withheld CoRe technique is proposed to enhance the entropy of the input power profile against DPA attacks with two PRNGs. The security-adaptive (SA) voltage converter is designed to sense LPA attacks and activate countermeasure with low overhead. Additionally, three conventional on-chip voltage regulators: low-dropout (LDO) regulator, buck converter, and switched-capacitor converter are combined with three different kinds of voltage/frequency scaling techniques: random dynamic voltage and frequency scaling (RDVFS), random dynamic voltage scaling (RDVS), and aggressive voltage and frequency scaling (AVFS), respectively, against both DPA and LPA attacks.

Hardware security

Side-channel attacks

Differential power analysis attacks

Leakage power analysis attacks

On-chip voltage regulation

Computer Engineering

Electrical and Computer Engineering

On studying Whitenoise stream-cipher against Power Analysis Attacks

Zakeri, Babak

17 December 2012

This report describes the works done since May 2010 to December 2012 on breaking Whitenoise encryption algorithm. It is mainly divided into two sections: Studying the stream-cipher developed by Whitenoise lab and its implementation on a FPGA against certain group of indirect attacks called Power Analysis Attacks, and reviewing the process of development and results of experiments applied on a power sampling board which was developed during this project. For the first part the algorithm and the implementation would be reverse engineered and reviewed. Various blocks of the implementation would be studied one by one against some indirect attacks. It would be shown that those attacks are useless or at least very weak against Whitenoise. A new scenario would then be proposed to attack the implementation. An improvement to the new scenario would also be presented to completely hack the implementation. However it would also be shown that the complete hack requires very accurate equipment, large number of computations and applying a lot of tests and thus Whitenoise seems fairly strong against this specific group of attacks. In the next section the requirements of a power consumption measurement setup would be discussed. Then the motivations and goals of building such a board would be mentioned. Some important concepts and consideration in building the board, such as schematic of the amplifier, multilayer designing, embedding a BGA component, star grounding, inductance reduction, and other concepts would be presented. Then the results of applied tests on the produced board would be discussed. The precision of the measurements, some pattern recognition along with some other results would be illustrated. Also some important characteristics such as linearity of measurements would be investigated and proved to exist. In the end some topics as possible future works, such as more pattern recognition, or observing the effect of masks on the power consumption would be suggested. / Graduate

Whitenoise

Power Analysis Attacks

Stream Cipher

Power Sampling Board

FPGA

Cryptography

Secured-by-design FPGA against side-channel attacks based on power consumption

Almohaimeed, Ziyad Mohammed

31 August 2017

Power Analysis Attacks pose serious threats to hardware implementations of cryptographic systems. To retrieve the secret key, the attackers can exploit the mutual information between power consumption and processed data / operations through monitoring the power consumption of the cryptosystems. Field Programmable Gate Arrays (FPGA) have emerged as attractive implementation platforms for providing hardware-like performance and software-like flexibility for cryptosystem developers. These features come at the expense of larger power consumption, which makes FPGAs more vulnerable to power attacks. Different countermeasures have been introduced in the literature, but as they have originally been developed for Application-Specific Integrated Circuits (ASIC), mapping them onto FPGAs degrades their effectiveness. In this work, we propose a logic family based on pass transistors, which essentially consists of hardware replication, that can be used to build FPGAs with constant power consumption. Since the power consumption is no longer related to processed data and operations, a quadruple robustness to attacks based on dynamic power consumption, static power consumption, glitches, and early evaluation effect is achieved. Such a secured-by-design FPGA will relieve the cryptosystems developers from doing advanced analog design to secure the cryptosystem implementation. Our pass-transistor logic family can also be used in implementing ASICs. The silicon area overhead costs are shown to be less than prior art, which makes our FPGA attractive to cryptosystems developers. / Graduate / 2018-07-26

Side-Channel Attacks

Power analysis attacks

Secured-by-Design FPGA

Differential Power Attacks

DPA

Correlation Power Attacks

CPA

Elliptic curve cryptography algorithms resistant against power analysis attacks on resource constrained devices / Algorithmes cryptographiques à base de courbes elliptiques résistant aux attaques par analyse de consommation

Houssain, Hilal

21 December 2012

Les systèmes de cryptographie à base de courbe elliptique (ECC) ont été adoptés comme des systèmes standardisés de cryptographie à clé publique (PKC) par l'IEEE, ANSI, NIST, SEC et WTLS. En comparaison avec la PKC traditionnelle, comme RSA et ElGamal, l'ECC offre le même niveau de sécurité avec des clés de plus petites tailles. Cela signifie des calculs plus rapides et une consommation d'énergie plus faible ainsi que des économies de mémoire et de bande passante. Par conséquent, ECC est devenue une technologie indispensable, plus populaire et considérée comme particulièrement adaptée à l’implémentation sur les dispositifs à ressources restreintes tels que les réseaux de capteurs sans fil (WSN). Le problème majeur avec les noeuds de capteurs chez les WSN, dès qu'il s'agit d’opérations cryptographiques, est les limitations de leurs ressources en termes de puissance, d'espace et de temps de réponse, ce qui limite la capacité du capteur à gérer les calculs supplémentaires nécessaires aux opérations cryptographiques. En outre, les mises en oeuvre actuelles de l’ECC sur WSN sont particulièrement vulnérables aux attaques par canaux auxiliaires (SCA), en particulier aux attaques par analyse de consommation (PAA), en raison de l'absence de la sécurité physique par blindage, leur déploiement dans les régions éloignées et le fait qu’elles soient laissées sans surveillance. Ainsi, les concepteurs de crypto-processeurs ECC sur WSN s'efforcent d'introduire des algorithmes et des architectures qui ne sont pas seulement résistants PAA, mais également efficaces sans aucun supplément en termes de temps, puissance et espace. Cette thèse présente plusieurs contributions dans le domaine des cryptoprocesseurs ECC conscientisés aux PAA, pour les dispositifs à ressources limitées comme le WSN. Premièrement, nous proposons deux architectures robustes et efficaces pour les ECC conscientisées au PAA. Ces architectures sont basées sur des algorithmes innovants qui assurent le fonctionnement de base des ECC et qui prévoient une sécurisation de l’ECC contre les PAA simples (SPA) sur les dispositifs à ressources limitées tels que les WSN. Deuxièmement, nous proposons deux architectures additionnelles qui prévoient une sécurisation des ECC contre les PAA différentiels (DPA). Troisièmement, un total de huit architectures qui incluent, en plus des quatre architectures citées ci-dessus pour SPA et DPA, deux autres architectures dérivées de l’architecture DPA conscientisée, ainsi que deux architectures PAA conscientisées. Les huit architectures proposées sont synthétisées en utilisant la technologie des réseaux de portes programmables in situ (FPGA). Quatrièmement, les huit architectures sont analysées et évaluées, et leurs performances comparées. En plus, une comparaison plus avancée effectuée sur le niveau de la complexité du coût (temps, puissance, et espace), fournit un cadre pour les concepteurs d'architecture pour sélectionner la conception la plus appropriée. Nos résultats montrent un avantage significatif de nos architectures proposées par rapport à la complexité du coût, en comparaison à d'autres solutions proposées récemment dans le domaine de la recherche. / Elliptic Curve Cryptosystems (ECC) have been adopted as a standardized Public Key Cryptosystems (PKC) by IEEE, ANSI, NIST, SEC and WTLS. In comparison to traditional PKC like RSA and ElGamal, ECC offer equivalent security with smaller key sizes, in less computation time, with lower power consumption, as well as memory and bandwidth savings. Therefore, ECC have become a vital technology, more popular and considered to be particularly suitable for implementation on resource constrained devices such as the Wireless Sensor Networks (WSN). Major problem with the sensor nodes in WSN as soon as it comes to cryptographic operations is their extreme constrained resources in terms of power, space, and time delay, which limit the sensor capability to handle the additional computations required by cryptographic operations. Moreover, the current ECC implementations in WSN are particularly vulnerable to Side Channel Analysis (SCA) attacks; in particularly to the Power Analysis Attacks (PAA), due to the lack of secure physical shielding, their deployment in remote regions and it is left unattended. Thus designers of ECC cryptoprocessors on WSN strive to introduce algorithms and architectures that are not only PAA resistant, but also efficient with no any extra cost in terms of power, time delay, and area. The contributions of this thesis to the domain of PAA aware elliptic curve cryptoprocessor for resource constrained devices are numerous. Firstly, we propose two robust and high efficient PAA aware elliptic curve cryptoprocessors architectures based on innovative algorithms for ECC core operation and envisioned at securing the elliptic curve cryptoprocessors against Simple Power Analysis (SPA) attacks on resource constrained devices such as the WSN. Secondly, we propose two additional architectures that are envisioned at securing the elliptic curve cryptoprocessors against Differential Power Analysis (DPA) attacks. Thirdly, a total of eight architectures which includes, in addition to the two SPA aware with the other two DPA awareproposed architectures, two more architectures derived from our DPA aware proposed once, along with two other similar PAA aware architectures. The eight proposed architectures are synthesized using Field Programmable Gate Array (FPGA) technology. Fourthly, the eight proposed architectures are analyzed and evaluated by comparing their performance results. In addition, a more advanced comparison, which is done on the cost complexity level (Area, Delay, and Power), provides a framework for the architecture designers to select the appropriate design. Our results show a significant advantage of our proposed architectures for cost complexity in comparison to the other latest proposed in the research field.

Attaques par canaux auxiliaires

Attaques par analyse de consommation

Multiplication scalaire

Wireless Sensor Networks

Elliptic Curve Cryptography

Side Channel Attacks

Power Analysis Attacks

Simple Power Analysis Attacks

Differential Power Analysis Attacks

Scalar Multiplication