An EDA-Friendly Protection Scheme against Side-Channel Attacks

Ali Galip Bayrak1, Nikola Velickovic1, Francesco Regazzoni2, David Novo1, Philip Brisk3 and Paolo Ienne1


Side-Channel Attacks

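[Figure: a physical device containing a cryptographic processing unit and a secret key; plaintext goes in, ciphertext comes out, and a physical observable (e.g., power consumption) can be measured.]

f(plaintext, key) ~ power, with f, plaintext and power labelled KNOWN and key labelled RECOVER.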

Protection Schemes

Main Idea: f(plaintext, key) power

How? Constant or random power consumption

Examples:

• Constant, software: -
• Constant, hardware: SABL (Tiri et al. 2002), MCML (Toprak et al. 2005)
• Random, software: Dummy operation insertion, Masking (Coron et al. 2000)
• Random, hardware: MDPL (Popp et al. 2005), iMDPL (Popp et al. 2007), GALS (Gurkaynak et al. 2005), RCDD (Boey et al. 2010), SIRO (Zafar et al. 2010)

Motivation

• Area: 2X (SABL) – 20X (iMDPL)
• Energy: 3.5X (WDDL) – 18X (MDPL)
• Non-CMOS (SABL, MCML)
• Algorithm specific (GALS)
• Technology dependent (WDDL, MDPL)
• Fixed overhead (almost all)

• Low cost
• Fully automated
• Tradeoff Security vs. Efficiency

Unprotected Circuit

[Figure: block diagram of a combinatorial circuit between Input and Output with four D/Q registers clocked by CLK; timing diagram of CLK and Qall.]

Protected Circuit

[Figure: the same block diagram with a Clock Randomization block between CLK and the four D/Q registers, producing RCLK0, RCLK1, RCLK2 and RCLK3; timing diagram of RCLK0 to RCLK3 and Qall.]

Protected Circuit

[Figure: timing diagram of RCLK0 to RCLK3 and Qall, annotated with Torig, Δ and Tprotected.]

Clock Randomization

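[Figure: delayed clocks CLK0, CLK1, CLK2, …, CLKN-1, each shifted by δ from the previous one, so that (N-1)δ = Δ; a MUX controlled by RND selects one of the delayed clocks to produce the random clock RCLKi; a "Safe Clock Switching Zone" is marked on the waveforms.]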

Protected Circuit

[Figure: the protected block diagram in its general form, with the Clock Randomization block producing RCLK0, RCLK1, …, RCLKM-1 for the D/Q registers; timing diagram of the random clocks and Qall.]

Automated Design Flow

Flow: High-Level Description (VHDL/Verilog) → Code Modification → Modified High-Level Description → Logic Synthesis → Synthesized Circuit → Place & Route → Protected IC Layout

• Code Modification adds random clock generation code:

RCLK(i) := MUX(CLK,RND,..)

• Code Modification also performs clock renaming, for example from

if (rising_edge(CLK))

to

if (rising_edge(RCLK(2)))

• Logic Synthesis receives timing constraints:

create_clock … RCLK[0]
set_clock_uncertainty … DELTA RCLK[0]

Experimental Setup

FPGA experiments:

• Platform: SASEBO (Side-channel Attack Standard Evaluation Board) G-II, with two Xilinx FPGAs: Virtex-5 and Spartan-3A.
• Toolchain: Xilinx ISE 14.

ASIC experiments:

• Technology: 65nm STM CMOS standard cell library.
• Toolchain: Synopsys Design Compiler for synthesis, Cadence Encounter for placement and routing, Mentor Graphics Modelsim for simulations and Synopsys Nanosim for power estimation.

Experimental Setup

AES-128 implementation

Design parameters:

• N: number of delayed clocks.
• M: number of random clocks.
• Δ: total amount of delay.

Performance parameters (normalized for unprotected): Security, Area, Speed and Energy

# Clocks vs. Security

• M (number of random clocks) = 8 ✔ [AES-specific]
• Bigger N (number of delayed clocks) ✔
• >300X security improvement
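An added simulation (not from the slides or the authors' tool flow) of why a bigger N lowers what an evaluator can observe: when RND selects one of N delayed clocks, the data-dependent power lands on a different trace sample each time, so the correlation with the leakage model is spread thin. Assumptions: a single random clock (M = 1), Hamming-weight leakage of one byte, one trace sample per delay step δ, Gaussian noise; all function names are hypothetical, and the 1/ρ² trace estimate is a common rule of thumb, not the slides' security metric.

```python
import random
from math import sqrt

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / sqrt(vx * vy)

def peak_correlation(n_delayed, n_traces=4000, noise_sd=1.0, seed=2013):
    """Largest |correlation| between the leakage model and any trace sample
    when the register update lands on a randomly chosen delayed clock."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable data
    model, traces = [], []
    for _ in range(n_traces):
        hw = bin(rng.getrandbits(8)).count("1")  # constructed leakage value
        slot = rng.randrange(n_delayed)          # RND picks CLK0..CLK(N-1)
        # One noisy sample per delay step delta, N samples spanning Delta.
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_delayed)]
        trace[slot] += hw  # data-dependent power appears only at that edge
        model.append(hw)
        traces.append(trace)
    return max(abs(pearson(model, [t[j] for t in traces]))
               for j in range(n_delayed))

def relative_traces(n_delayed, **kw):
    """Rule-of-thumb growth in traces needed (~ 1/rho^2) versus N = 1."""
    return (peak_correlation(1, **kw) / peak_correlation(n_delayed, **kw)) ** 2

if __name__ == "__main__":
    for n in (1, 2, 4, 8, 16):
        print(f"N={n:2d}  peak |rho|={peak_correlation(n):.3f}  "
              f"traces x{relative_traces(n):.1f}")
```
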


Total Delay vs. Security

• Bigger Δ for a fixed N ✔
• Bigger N for a fixed Δ ✔?
• 70X secure for N=Δ=16
• 300X secure for N=16, Δ=64

Total Delay vs. Area

• 8% overhead for 70X security point (Δ=16)
• 15% overhead for 300X security point (Δ=64)

Total Delay vs. Speed

• 2.3X slowdown for 70X security point (Δ=16)
• 7X slowdown for 300X security point (Δ=64)

Comparison

• For the embedded systems subject to power analysis attacks, area and energy are much more important than speed!


Conclusions

• Fully automated design-flow.
• Platform and technology agnostic.
• Can be applied to any given implementation.
• Does not need security expertise.

• Less overhead than competing countermeasures.
• Area and energy efficient.

• Security increase is drastic.
• More than 300X with modest overhead.