15-2: Power and Electromagnetic Side-Channel Attack

Meizhi Wang, Shanshan Xie, Ping Na Li, Aseem Sayal, Ge Li, Vishnuvardhan V. Iyer, Aditya Thimmaiah, Michael Orshansky, Ali E. Yilmaz, and Jaydeep P. KulkarniECE Department, University of Texas at AustinE-mail: [email protected], [email protected]

15-2: Power and Electromagnetic Side-Channel Attack Resilient Secure AES Core utilizing Galvanic Isolation approach with Integrated Charge Pump based Power Management

28 April 2021 Circuit Research Labhttps://sites.utexas.edu/CRL/

https://sites.utexas.edu/CRL/

• Side Channel Analysis (SCA)

• Prior Work: Power SCA resilient approaches

• Motivation: Susceptibility to the ground bounce

• Proposed Work

- Principle of Galvanic Isolation (GI)

- Proposed GI-AES architecture

• Test-chip measurement

- Die photo, Measurement summary

- Power SCA

- EM SCA

• Comparison & Conclusion

Outline

2

Outline

3




• Proposed Work





- Power SCA

- EM SCA


4

https://www.keirex.com/e/Kti072_SecurityMeasure_e.html

Side Channel Analysis

• Easy physical access

• Inexpensive

• High successful rate

https://www.keirex.com/e/Kti072_SecurityMeasure_e.html

Outline

5




• Proposed Work





- Power SCA

- EM SCA


Prior Work: Power SCA resilient approaches

• Constant Current Signature

• Randomized Current Signature

6



- (a) Switch Capacitor Current Equalizer


7

(a)

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL




- (b) Shunt Regulator


8

(a) (b)

VTARGET

IOUT

VOUT

CL

IIN

VIN

IBLEED

Control

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL






- (c) Low Drop Out Regulator

9

(a) (b)

(c)

VTARGET

IOUT

VOUT

CL

IIN

VIN

IBLEED

Control

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL

VREF

VIN

IIN

IOUT

VOUT

CL







- (d) Buck Converter

10

(a) (b)

(c) (d)

VTARGET

IOUT

VOUT

CL

IIN

VIN

IBLEED

Control

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL

VREF

VIN

IIN

IOUT

VOUT

CL

IOUT

CL

VOUT

C

L

VIN

Φ1

Φ2








- (e) Switched-Capacitor Voltage Regulator

11

(a) (b)

(c) (d) (e)

VTARGET

IOUT

VOUT

CL

IIN

VIN

IBLEED

Control

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL

VIN

CFLY

Φ1

Φ2

VOUT

Φ2

CL

Φ1

IOUT

IIN

VREF

VIN

IIN

IOUT

VOUT

CL

IOUT

CL

VOUT

C

L

VIN

Φ1

Φ2








- (e) Switched-Capacitor Voltage Regulator

12

(a) (b)

(c) (d) (e)

No VSS pins are isolated in these

approaches

VTARGET

IOUT

VOUT

CL

IIN

VIN

IBLEED

Control

C

Φ1

Φ2

Φ3

VIN

VREF

IIN

IOUT

VOUT

CL

VIN

CFLY

Φ1

Φ2

VOUT

Φ2

CL

Φ1

IOUT

IIN

VREF

VIN

IIN

IOUT

VOUT

CL

IOUT

CL

VOUT

C

L

VIN

Φ1

Φ2

Outline

13




• Proposed Work





- Power SCA

- EM SCA


Motivation: Susceptibility to the ground bounce

14

• Ball grid array (BGA) pins near to crypto core may reveal circuit VSS bounce that can be used for side-channel analysis

time(ns)

V(m

V)

CLK 100MHz

Correct key

Incorrect key

MTD=6000

50 Vss bounce traces of the final encryption round

co

rre

lati

on

traces

(a) (b)

Crypto

Core

Simulation flow

15

𝑁e = No. of encryptions𝑁n = No. of VSS nodes

Simulation results on a 128-bit AES computing core

16

• Correlation attack shows key byte 1 is revealed using 6000 traces

time(ns)

V(m

V)

CLK 100MHz

Correct key

Incorrect key

MTD=6000


co

rre

lati

on

traces

(a) (b)

time(ns)

V(m

V)

CLK 100MHz

Correct key

Incorrect key

MTD=6000


co

rre

lati

on

traces

(a) (b)

• Implement a 128b Advanced Encryption standard (AES) core

• Simulated VSS bounce waveforms for correlation attack

Outline

17




• Proposed Work





- Power SCA

- EM SCA


Principle of Galvanic Isolation (GI)

• Isolates two electrical systems, preventing direct current flow and breaking ground loops between two circuits.

18

• Transformer:

- Primary (input) side potentially lethal transient

voltages and currents

- Secondary side is completely isolated for safety

N:1

SecondaryPrimary

Transformer: Isolated

energy transfer

Principle of Galvanic Isolation (GI)

• Isolates two electrical systems, preventing direct current flow and breaking ground loops between two circuits.

19

• Transformer:

- Primary (input) side potentially lethal transient

voltages and currents

- Secondary side is completely isolated for safety

- Flyback converter:

- Inductor based Galvanic Isolation topology

- Protecting low voltage devices from high

voltages transients

N:1

SecondaryPrimary

Transformer: Isolated

energy transfer

N:1VOUT

CL

VIN

C

D

Flyback converter

Outline

20




• Proposed Work





- Power SCA

- EM SCA


• Apply capacitor based Galvanic Isolation topology to minimize ground bounce susceptibility

• Primary side: external power domain

• Secondary side: crypto core power domain

Proposed GI AES

21

Galvanic Isolation

Crypto Logic

Compute Domain

External

Power Domain

L1 L2

GND1 GND2


• Primary side: external power domain• Scan chain Interface

• Power management unit


Proposed GI AES

22

Galvanic Isolation

Crypto Logic

Compute Domain

External

Power Domain

L1 L2

GND1 GND2

VTOP

VBOTVSS

VCC

Capacitor

Bank

128 bit

AES

Core

Scan Chain Interface

Power Management Unit Control

Data


• Primary side: external power domain• Scan chain Interface

• Power management unit


• Capacitor bank

• A 128-bit AES core

Proposed GI AES

23

Galvanic isolation decouples AES engine compute domain and external power domain completely

Galvanic Isolation

Crypto Logic

Compute Domain

External

Power Domain

L1 L2

GND1 GND2

VTOP

VBOTVSS

VCC

Capacitor

Bank

128 bit

AES

Core

Scan Chain Interface

Power Management Unit Control

Data

• 3D illustration:

- AES in deep N-well, isolated P-substrate, powered by 𝑉𝑇𝑂𝑃 𝑉𝐵𝑂𝑇

- Capacitor bank (*2 layers drawn for illustration purpose)

- PMU and scan chain interface

Proposed GI AES

24

*MoM capacitors (only two metal layers are shown for illustration purpose)

3D illustration of AES in deep N-well and capacitor bank,

PMU and scan chain interface

GI-AES Architecture: System overview

25

• Scan chain interface for data exchanging

GI-AES Architecture: Main blocks

26

Scan chain

• A 128b AES Engine for data encryption

• Operating in 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 power domain


27

AES Engine

• Capacitance based galvanic isolation

• Power AES in 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 domain during encryption


28

Capacitor Bank

• Control capacitor bank to maintain functional 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 voltage range


29

PMU

GI-AES Architecture: Design techniques

• Header and footer transistors: decouple 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 rail from VCC/VSS rail

• Isolate the external and the internal power domain (AES).

30

1

1

1

• Deep N well: covering the AES engine, isolating the local substrate

AES ground is completely isolated


31

2

2


• Capacitor banks: charge pump based voltage doubler circuit

32

3

3

• 𝐶0 as the main capacitor and multiple smaller capacitor pairs

• Multi-stage voltage doubler circuit


33

3

3

S1A1

S1B1

S1A2

S1B2

S1AB

S2B2

S2AB

S2A1

S2A2

S3A1

S3A2

S3B2

S3AB

S3B1S2B1

C0

• Three operation phases: Precharge, Compute, Charge sharing


34

3

Precharge phase:• Header and footer are connected• All capacitors are fully charged to VCC/VSS

Compute CLK

Boost-1

Boost-2

CS

VCC

Vtop

Vbot

VSS

Vdelta < Vcrit

Precharge Compute Charge share



35

3


Compute phase:• Header and footer are disconnected• Capacitor bank powers AES Core• Voltage boostings are triggered sequentially

Compute CLK

Boost-1

Boost-2

CS

VCC

Vtop

Vbot

VSS

Vdelta < Vcrit




36

3


Compute phase:• Header and footer are disconnected• Capacitor bank powers AES Core• Voltage boostings are triggered sequentially

Charge sharing• Discharge capacitors to mask real charge

consumption

Compute CLK

Boost-1

Boost-2

CS

VCC

Vtop

Vbot

VSS

Vdelta < Vcrit



37

4

4• Dual rail sense amp: trigger the next boosting stage if 𝑉𝑇𝑂𝑃 and 𝑉𝐵𝑂𝑇 are below 𝑉𝑟𝑒𝑓

• Current signature remain the same in each cycle, not prone to SCA


• Charge share transistor: discharges all the capacitors to certain predefined voltage.

• Uniform on 𝑉𝑇𝑂𝑃 and 𝑉𝐵𝑂𝑇 before each precharge cycle

38

5

5


Dual rail sense amp (uniform current signature) as a level shifter to transfer signal from voltage level VTOP/VBOT to voltage level VCC/VSS .

39

6

6

Outline

40




• Proposed Work





- Power SCA

- EM SCA


Die photo, Measurement Summary

• Technology: 40 𝑛𝑚 CMOS

• [email protected]𝑉: 23 𝑚𝑊

• Area(𝑚𝑚2):• AES Core 0.032

• Level Shifter 0.00795

• PMU 0.00136

• Capacitor Switches 0.00429

• Capacitor Bank 0.178

• Total Area 0.2236

41

Outline

42




• Proposed Work





- VSS bounce SCA

- EM SCA


VSS Bounce SCA Measurement: Setup

• VSS bounce waveforms and cipher text collected by the oscilloscope are used for SCA

43

Oscilloscope

Function

GeneratorTest-chip and

Microcontroller

Power supply

• Oscilloscope measurement show successful multiple voltage boosting

VSS Bounce SCA: Stand alone charge pump circuit

44

1.2V

0V

8μs

S1A1

S1B1

S1A2

S1B2

S1AB

S2B2

S2AB

S2A1

S2A2

S3A1

S3A2

S3B2

S3AB

S3B1S2B1

C0

Charge pump design architecture

• 6 major steps in one GI AES operation and successful 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 boostings are demonstrated in the oscilloscope measurements

VSS Bounce SCA: Flow chart & Timing diagram

45

BOOST2

BOOST1 AES Core

CLK

CLKKey Ready

Data Ready

AES Busy

Idle

CS

VBOT

VTOP

Compute

5

2

3

41

46

1V

0.51V

GI AES timing diagram & Vtop Vbot waveformsGI AES flow chart

VCC VSS

VSS Bounce SCA Measurement

46

AES Core CLK

AES Busy

VSS1

VSS2

VSS3

VSS4

VSS2

VSS1

VSS4

VSS3

20ns

Baseline AES

AES Core CLK

AES Busy

25ns

100mV

VSS1

VSS2

VSS3

VSS4

GI AES

• Four randomly located VSS nodes for ground bounce monitoring

VSS Bounce SCA: Correlation attack

47

• Target on the last encryption round

• Baseline AES Key Byte 1 is revealed with 5000 traces.

• The correct key has a distinct high correlation value.

traces key guesses

traces

co

rre

lati

on

co

rre

lati

on

co

rre

lati

on

Correct key Incorrect key

MTD = 50001.47X

(a) Baseline AES

(b) GI AES

The correct key is not yet found

after 3 millions traces by CPA

Correlation attack results

VSS Bounce SCA: Correlation attack

48

traces key guesses

traces

co

rre

lati

on

co

rre

lati

on

co

rre

lati

on

Correct key Incorrect key

MTD = 50001.47X

(a) Baseline AES

(b) GI AES

The correct key is not yet found

after 3 millions traces by CPA

Correlation attack results• Target on the last encryption round

• Baseline AES Key Byte 1 is revealed with 5000 traces.

• The correct key has a distinct high correlation value.

• GI AES :

• The secret key is not revealed within 3 million traces

• Improving power SCA resilience by >600X

VSS Bounce SCA: Test vector leakage assessment (TVLA)

49

• Run encryption on two data sets, each containing 20,000 fixed plaintexts and 20,000 random plaintexts.

time (ns)

frequency (MHz)

|t-v

alu

e|

|t-v

alu

e|

Time domain

• GI AES reduces max |t-value| under 4.5 threshold value

• Improving TVLA results by 6.5X in time domain

time (ns)

frequency (MHz)

|t-v

alu

e|

|t-v

alu

e|

time (ns)

frequency (MHz)|t

-va

lue

||t

-va

lue

|

VSS Bounce SCA: Test vector leakage assessment (TVLA)

50

• Run encryption on two data sets, each containing 20,000 fixed plaintexts and 20,000 random plaintexts.

time (ns)

frequency (MHz)

|t-v

alu

e|

|t-v

alu

e|

Time domain

tim

e (

ns

)

fre

qu

en

cy (

MH

z)

|t-value| |t-value|


• Improving TVLA results by 6.5X in time domain

Frequency domaintime (ns)

frequency (MHz)

|t-v

alu

e|

|t-v

alu

e|


• Improving TVLA results by 25X in requencydomain

tim

e (

ns

)

fre

qu

en

cy (

MH

z)

|t-value| |t-value|

Outline

51




• Proposed Work





- Power SCA

- EM SCA


EM SCA Measurement Setup

• The EM SCA attack uses a 10-mm H-field probe 1-mm above the package.

52

Oscilloscope

MATLAB

Test-chip andMicrocontroller

EM Probe with holder

EM SCA Measurement & Correlation EM Attack (CEMA)

• EM waveforms at the last encryption cycle- CLK: 15 𝑀𝐻𝑧

- Correlation EM Attack window size 100 𝑛𝑠

53

tracestracestime (ns)

co

rre

lati

on

Vo

lta

ge

(V)

co

rre

lati

on

(a.3) Baseline AES EM SCA

MTD = 10000

(a.4) GI AES EM SCA(a.2) Baseline AES EM field

Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz


co

rre

lati

on

Vo

lta

ge

(V)

co

rre

lati

on


MTD = 10000


Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz

EM waveforms

EM SCA Measurement & Correlation EM Attack (CEMA)

• EM waveforms at the last encryption cycle- CLK: 15 𝑀𝐻𝑧

- Correlation EM Attack window size 100 𝑛𝑠

54


co

rre

lati

on

Vo

lta

ge

(V)

co

rre

lati

on


MTD = 10000


Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz


co

rre

lati

on

Vo

lta

ge

(V)

co

rre

lati

on


MTD = 10000


Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz

• Baseline AES: Key Byte 1 is revealed with ~9000 traces.

• GI-AES secret key not revealed even within 2 million traces, improving resilience by >220X.

EM waveforms

CEMA results: Baseline & GI AES


co

rre

lati

on

Vo

lta

ge

(V)

co

rre

lati

on


MTD = 10000


Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz

tracestracestime (ns)c

orr

ela

tio

n

Vo

lta

ge

(V)

co

rre

lati

on


MTD = 10000


Correct key

Incorrect key

Correct key

Incorrect key

EM SCA window

size: 100 ns

CLK 15MHz

9

Outline

55




• Proposed Work





- Power SCA

- EM SCA


ParametersISSCC’17

[3]

ISSCC'19

[4]

ISSCC'20

[5]VLSI'20 [6]

This Work

Baseline Proposed Improvement

Technology 130nm 130nm 65nm 14nm 40nm -

AES Power (mW) 10.5 10.9 1.2 8%+ 10 23 -2.3X

AES Frequency 40MHz 80MHz 50MHz 100MHz 50MHz 40MHz -20%

Area (mm2) 10.002135 1.75 0.205 10%+ 0.032 20.0456 -1.425X

Countermeasure

Type

Integrated

Voltage

Regulator

Digital

LDO

Regulator

Current

Attenuation

Digital LDO,

Arithmetic-

Galvanic

Isolation

Improved

Vcc, Vss, and

substrate

isolation

CPA MTD

(1 Byte)>100,000 8.4M 1B 1B 5,000 > 3M > 600X+

Time Domain

Max |t-value|2.5 11.9

5.2

(1M traces)

4.5

(250M)24 3.7 6.5X

Frequency

Domain

Max |t-value|

4 - -4.5

(250M)97 3.9 25X

EM SCA MTD

(1 Byte)- 6M 1B 1B 9,000 > 2M > 220X+

1Area overheads only 2Area includes level shifters, PMU and capacitor switches

Comparison

56

Conclusion

• VSS ground bounce can reveal the secret keys if tapped by the attacker.

• Proposed galvanic isolation technique for VCC, VSS and substrate isolation improves both power and EM resilience.

• Measured results from a 128-bit AES core show

- >600X improvement against correlation power attack (CPA)

- >220X improvement against coarse-grained EM SCA attack

- 20% lower frequency,

- 2.3X more power

- 0.0136 𝑚𝑚2larger area.

57

Acknowledgements

This research is supported in parts by Intel, Silicon

Labs, and NSF. Authors would like to thank TSMC for

chip fabrication, Dr. Sanu Mathew, Dr. Raghavan Kumar,

and Dr. Vivek De for helpful technical discussions.

58

59

What will happen if you use the AES within a SoC, will be possible to isolate the full SoC?

It’s not applicable to isolate the full SoC. Because capacitor based GlavanicIsolation design will require a huge capacitor bank to supply the full SoC, which is not area nor power efficient.

Isolating the AES core alone is sufficient to increase its resilience and because of the dual rial sense amp as level shifters, the AES core can exchange data with the SoC with no concerns.

60

ParametersISSCC’09

[1]

ISSCC’11

[2]

ISSCC’17

[3]

ISSCC'19

[4]

ISSCC'20

[5]VLSI'20 [6]

This Work

Baseline Proposed Improvement

Technology 130nm 130nm 130nm 130nm 65nm 14nm 40nm -

AES Power (mW) 33.32 - 10.5 10.9 1.2 8%+ 10 23 -2.3X

AES Frequency 100MHz 50MHz 40MHz 80MHz 50MHz 100MHz 50MHz 40MHz -20%

Area (mm2) 1.37 1.886 10.002135 1.75 0.205 10%+ 0.032 20.0456 -1.425X

Countermeasure

Type

SC Current

Equalizer

Duplicated

Data Paths

Integrated

Voltage

Regulator

Digital

LDO

Regulator

Current

Attenuation

Digital LDO,

Arithmetic-

Galvanic

Isolation

Improved

Vcc, Vss, and

substrate

isolation

CPA MTD

(1 Byte)10M 1M >100,000 8.4M 1B 1B 5,000 > 3M > 600X+

Time Domain

Max |t-value|- - 2.5 11.9

5.2

(1M traces)

4.5

(250M)24 3.7 6.5X

Frequency

Domain

Max |t-value|

- - 4 - -4.5

(250M)97 3.9 25X

EM SCA MTD

(1 Byte)- 800,000 - 6M 1B 1B 9,000 > 2M > 220X+

1Area overheads only 2Area includes level shifters, PMU and capacitor switches

Comparison

61

Comparison table reference

[1] C. Tokunaga, et al., ISSCC, 2009

[2] M. Doulcier-Verdier, et al., ISSCC, 2011

[3] M. Kar, et al., ISSCC, 2017

[4] A. Singh, et al., ISSCC, 2019

[5] D. Das, et al., ISSCC, 2020

[6] R. Kumar, et al., VLSI, 2020

62

Prior Work: Power SCA resilient approaches reference

C. Tokunaga, and D. Blaauw “Securing Encryption Systems with a Switched Capacitor Current Equalizer” IEEE Journal of Solid State Circuits (JSSC), pp. 23-31, Vol. 45, No. 1, January 2010

A. Singh, M. Kar, J. Ko, and S. Mukhopadhyay, “Exploring power attack protection of resource constrained encryption engines using integrated low-drop-out regulators,” in International Symposium on Low Power Electronics

Design, 2015, pp. 134–139.

M. Kar, A. Singh, S. Mathew, A. Rajan, V. De, S. Mukhopadhyay, “Improved Power-Side-Channel-Attack Resistance of an AES-128 Core via a Security-Aware Integrated Buck Voltage Regulator” Proceedings of International Solid State Circuits Conference (ISSCC), 2017, pp. 142-143

D4. D. Das, S. Maity, S. B. Nasir, S. Ghosh, A. Raychowdhury, and S. Sen, “High Efficiency Power Side-Channel Attack Immunity using Noise Injection in Attenuated Signature Domain”, CoRR, abs/1703.10328, 2017

63

Documents

15-2: Power and Electromagnetic Side-Channel Attack