The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance

Transcription

1 DLSI International Symposium The Design and Evaluation Methodology of Dependable VLSI for Focusing on the security of hardware modules - Tamper resistant cryptographic circuit - Evaluation tools for tamper resistance - Physical Unclonable Function (PUF) Takeshi Ritsumeikan Univ. Yohei AIST(Advanced Industrial Science and Technology) Masaya Meijo University Daisuke Mitsubishi Electric 1

2 Contents 2 Introduction to cryptographic modules and Side channel attacks The aspect of Side channel attacks (SCAs) The Effect of on-chip Capacitance The Effect of on-chip Metal Shielding The Effect of finer device fabrication process The AES cryptographic circuit against SCAs Countermeasure against Power Analysis Countermeasure against EM Analysis The evaluation platform SASEBO Smartcard-type evaluation board new Secure Key Storage using Physical Unclonable Functions

3 IC card Automotive Security SIM card Cryptographic circuit Embedded Systems Security Smart meter 1. INTRODUCTION TO CRYPTOGRAPHIC MODULES AND SIDE CHANNEL ATTACKS 3

4 The research target in tamper resistant security LSI 4 The design methodology for tamper resistant LSI The evaluation tools for tamper resistance Secure system utilizing Physical Unclonable Function Fault Attack Illegal Clock (e.g. Glitch) Power Supply fluctuation Input Noise Security LSI module Invasive Attack Open Package Laser or EM Injection Malicious Input Abnormal Output Regular Input/Output Side Channel Information Reverse Engineering Probing electro signal Processing Time Current /Voltage EM Radiation Cloning Attack Side Channel Attack

5 Cryptographic module and Side Channel Information Cryptography for Realizing Security Functions (exam.) 1 Authentication: Read/write permissions to HDD are granted to authorized users 2 Encryption: HDD data are encrypted in case of loss or theft 5 Authorized User Security Functions (LSI) Storage (HDD) 1 Authentication Request Challenge Response Authentic ation Authentication Key : KA Secret Information Key : KA 2 Encryption Plaintext M Encryption Key : KE Encryption Cipher text C Decryption Side Channel Information Processing Time Current /Voltage EM Radiation

6 Side Channel Attack 6 Secret key is revealed by exploiting side channel information from crypto module Consumption Power or EM leakage are used as an information Evaluation Board SASEBO-RII Plain Text Control & Analysis software for revealing secret key Power Cryptographic Module EM Probe Cipher Text Oscilloscope AES Chip

7 The attacking points on AES crypto circuit Plain Text 16Byte RoundKey 0 Key 16Byte 7 Hamming Distance(HD) Data Register SubBytes SEL Data Registers 16Byte SEL Temp Key Registers Hamming Weight(HW) Sbox input(output) Power consumption is correlated to the HD of resisters and HW of Sbox input Round10 Sbox01 Sbox02 ShiftRows Round 1-9 MixColumns SEL Sbox15 16Byte Sbox16 1Byte 16Byte Cipher Text RoundKey Byte Key Expansion

8 (Text) Plain Cipher Safe Cryptographic Device Side channel information Threat Power Attack Power Consumption EM Attack Electromagnetic wave 2. THE ASPECT OF SIDE CHANNEL ATTACKS 8

9 The Effect of Capacitance 9 The Power leakage is considered to be reduced by the on-chip or off-chip decoupling capacitor On-chip Capacitor make vulnerable to EMA attack with HW correlation PA attack EMA attack Capacitor s Effect Capacitor s Effect SAMPLE: Non-countermeasured AES (Sbox:Composite Field)

10 Number of revealed keys [Bytes] The Effect of Metal Shielding 10 The Metal Shielding reduce the EM leakage The secret key can still be exploited by the increased number of traces Metal Shielding is not a perfect solution against EM attack SAMPLE: I/O masked dual rail ROM (The countermeasured AES circuit against Power Analysis) M etal 5 M etal 4 M etal 3 Metal Shielding layers VDD GND VDD GND ROM Cell (PO, M 1) Without metal-shield With metal-shield Number of traces

11 The Effect of Finer fabrication process 11 The Power and EM attack are tested in 65 and 28nm FPGA EM attack getting powerful in the finer process Reason: Static Power leakage is dominant 65nm 28nm Solid line : EM Attack Dotted line : Power Attack (28nm) (65nm) [mw] dynamic

12 3. THE AES CRYPTOGRAPHIC CIRCUIT AGAINST SCAS 12

13 S-Box1 S-Box2 S-Box16 Dependable VLSI (Our countermeasure) I/O Masked Dual Rail ROM (MDR-ROM) AES IN MDR-ROM provides constant power consumption irrespective of input value 2K bit MDR-ROM is used in the SubByte transformation on the AES circuit Other linear circuits are masked by the additive mask AES IN 13 dual-rail complementary operation Round key R m [127:0] 128 Round key Masked In Data one hot transition Unmask Data Mask Data IO-masked dual-rail (MDR) ROM Sense Amp 3 4 Masked Out Data Sub Bytes SEL 128 Shift Rows Round10 Round1-9 Mix Columns Round key DFF IO- masked dual- rail ROM SEL R um [127:0] 128 non-linear circuit AES OUT AES applied IO-masked dual-rail ROM Sub Bytes SEL 128 Shift Rows Round10 Round1-9 Mix Columns Round key DFF SEL 128 AES OUT Advanced Encryption Standard (AES)

14 (Our countermeasure) I/O Masked Dual Rail ROM (MDR-ROM) MDR-ROM provides constant power consumption irrespective of input value 2K bit MDR-ROM is used in the SubByte transformation on the AES circuit Other linear circuits are masked by the additive mask dual-rail complementary operation one hot transition Unmask Data Mask Data Sense Amp 4 Masked In Data Masked Out Data IO-masked dual-rail (MDR) ROM SBox

15 Evaluation results of MDR-ROM 15 Dual rail RSL memory is used for S-box and other circuits are designed in Standard ASIC flow Power overhead is 50 % of no countermeasure Sufficient PA resistance is demonstrated compared with other countermeasures (WDDL, MDPL,MAO,TI) MDR ROM Information Leakage No Leakage Small area Low Power

16 EM leakage on MDR-ROM MDR-ROM demonstrate high resistance against Power Attack MDR-ROM has a EM leakage called Geometric Leak This type of leakage is discovered for the 1st time in the world on our experiments (presented at CHES 2013, invited to submit on Journal of Cryptographic Engineering ) 16 EM Probe Position UnMask Data Sense Amp Masked Data Masked Data Mask Data Masked Data

17 IO- Masked Dual Rail ROM IO- Masked Dual Rail ROM Dependable VLSI Multiplicative masking is also introduced in addition to additive mask Inverse operation on Galois Field is tabled on the MDR-ROM The addresses except for zero are randomly accessed regardless of the input data Sbox is commonly used for encryption and decryption (New countermeasure) Hybrid Masked Dual Rail ROM (HMDR-ROM) The number of MDR-ROM is half 17 Memory Cell Array Memory Cell Array

18 EMA resistance on HMDR-ROM 18 Geometric leakage is diminished and high EMA resistance is obtained in HMDR-ROM Additive mask:off Multiplicative mask:off Additive mask:on Multiplicative mask:off Additive mask:on Multiplicative mask:on

19 FPGA Board SASEBO-GIII Analysis Software Compact Scanner for EM Analysis 4. THE EVALUATION PLATFORM SASEBO 19

20 Development of SCA Test Environment SASEBO: Side-channel Attack Standard Evaluation Board Provides a uniform experimental environment to academic, industrial and governmental researchers Facilitates research of side-channel attacks Outcome Commercially available and globally used in >100 institutes >1100 academic papers use/cite SASEBO (1/Nov/2013, Google scholar) Included in world s de-facto standard SCA evaluation tools SASEBO-RII ASIC evaluation SASEBO-GIII 28-nm Kintex-7 MiMICC 45-nm Spartan-6 Compact automatic EM scanner Photo from the Riscure s INSPECTOR brochure

21 Smartcard-type evaluation board w/45-nm FPGA MiMICC: Minature Measurement IC Card H/W-implemented cipher algorithms (etc.) on a smartcard can be tested Physical dimensions are almost ISO/IEC 7810 ID-1 compliant ISO/IEC 7816 (T=0) data transfer protocol is supported 21 Smartcard emulation circuit ATR sender APDU operator UART I/F Memory mapped I/F 0000 FFFF User application circuit User application circuit Card reader (SASEBO-W)

22 EMA Demonstration Using MiMICC 22 Secret key extraction from AES on the smartcard Key length = 128 bits (16 bytes). Block length = 128 bits. Without countermeasures EM radiation from the chip is measured and analyzed Analysis tool MiMICC EM radiation Loop antenna Oscilloscope Amplifier Power source SASEBO-W Oscilloscope Loop antenna MiMICC AES is running on the smartcard board MiMICC. EM radiation is measured with loop antenna. Cipher text Extract secret key Waveform Statistical analysis tool

23 5. SECURE KEY STORAGE USING PHYSICAL UNCLONABLE FUNCTIONS 23

24 PUF extracts physical variation in each device Physical Unclonable Function 24 Unique and Unclonable ID(Identification code) can be produced We proposed arbiter base DTM PUF with high uniqueness Challenges [ C0, C1, C2,, CN-1] #1 #2 #3 #1 [ 0, 0, 0,, 0 ] #2 [ 1, 0, 0,, 0 ] #3 [ 0, 1, 0,, 0 ] PUF #A PUF #B Responses PUF #C N Conventional Arbiter Challenges x N multiplexors D dt Δt Response Ddt DTM method (Delay time measurement)

25 PUF based Key Generation 25 IDs produced by PUF has the instability Fuzzy Extractor is used for error correction Fuzzy Extractor (FE) 訂正符号例 Correction 入力 出力 in Error Code out Generation 初期鍵生成処理 RNG ENC Generate PUF Initial Responses レスポンス #A 初期鍵 Initial Key W Hash C W C ヘルパー Helper データ Data Reproduced 再生成鍵 Key ^ W Hash ^ C Reproduction 再生成処理 ENC DEC C W [1] Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data Regenerate Responses レスポンス PUF #A

26 Secure Key Storage using PUF 26 Authentication key had to be stored in secure memory PUF Encrypted authentication key (2) can be stored in the standard memory Authentication key can be produced by (1) (2) (3) Initial Key Generation RNG (1)Challenges ENC PUF Hash (1)Challenges PUF Key (2)Helper Data (1) (2) (3) Authentication Key AES (3)PUF Encrypted Authentication Key PUF Reproduce Key DEC ENC Hash PUF Key Authentication Key cannot be produced without PUF AES Authentication Key

27 SUMMARY 27 Side channel attacks (SCAs) is a serious threat for cryptographic modules which are used in IC card, smart meter or automobile The countermeasures against SCAs is not easy On chip capacitor is effective against power analysis but vulnerable against EM analysis Metal Shielding is not perfect countermeasure against EM analysis EM analysis is still powerful on finer device fabrication process The AES cryptographic circuit against SCAs are designed I/O Masked Dual Rail ROM (MDR-ROM) is a good countermeasure against power analysis, but EM leak called geometric leak was found Hybrid Masked Dual Rail ROM (HMDR-ROM) is free from geometric leak The FPGA on the smartcard is newly designed, and EM analysis is successfully demonstrated by using SASEBO-W board Stable PUF Key generation by Fuzzy-Extractor, and authentication system using PUF-protected key are demonstrated