Current State of Design and Design Methods for Secure Hardware

Current State of Design and Design Methods forSecure Hardware

Patrick Schaumont

Bradley Department of Electrical and Computer EngineeringVirginia Tech

Blacksburg, VA

Shonan Workshop on Design Methods for Secure Hardware

Patrick Schaumont Design Methods for Secure Hardware Shonan Seminar 9/15/2014

About this talk

In this talkDefine design methods for secure hardware design

But this definition is incompleteuntil you ask lots of questions


About this talk

In this talkDefine design methods for secure hardware design

But this definition is incompleteuntil you ask lots of questions


Secure Hardware Design


10 years ago ..


.. when AES was still called Rijndael

Rijndael Chip (UCLA)• Full Rijndael (128/192/256 block/key) [Kuo CICC 02]• 173 KGE 180nm (!)


Race to the bottom: Low-footprint AES

AES• Since 2001, many AES designs that are very small (or very fast)•We measure progress through metrics (of area, time)


Race to the bottom: Low-footprint AES

AES• Since 2001, many AES designs that are very small (or very fast)•We measure progress through metrics (of area, time)


Hardware Design vs Secure Hardware Design

Hardware DesignDecomposing functionality into elementary hardware primitives suchas gates and flipflops, under specific constraints: performance, area,power, energy, ..

Secure Hardware DesignHardware design under a given set of threats (probing, faults,side-channel leakage, physical tampering, optical inspection, interferewith manufacturing, ..) with the purpose of thwarting those threats.

⇒ It’s hard to measure ’threat resistance’ (eg. not reported by tools).⇒ Metrics for secure hardware design are not yet common.












Design Methods


The computing landscape today

ElementsThe cloud with servers,backbone networking,bulk storageThe swarm of devicesin personal media,home environment,infrastructure


The computing landscape today

The CloudHomogeneous: High-end CPUs1000 users per computerCost Sensitive: Maximize users per machinePower Sensitive: Thermal issuesGrows unconstrained: Efficiency through Scale

The Swarm around the CloudHeterogeneous: 32-bit Micro downto dedicated hardware1000 computers per user (eventually ...)Cost Sensitive: Dedicated consumer-oriented devicesEnergy/Power Sensitive: Battery, Energy-harvestingConstrained in environment: Efficiency through Specialization


Design Pyramid for Applications in the Swarm


Design Pyramid for Applications


Design Pyramid for Applications


Design Pyramid for Secure Applications


Capturing the Trade-off in Security

RiskRisk is the potential for lossRisk = (Probablity of Incident) x (Cost of Incident)


Measuring Risk? SCA Example

Risk from Side-channel LeakageEvery encryption leaks some information It in every traceDifferential Techniques (DPA) combine Nt traces in an SCARisk ∼ P(successful SCA) ∼ Nt × It


Measuring Risk? SCA Example

Risk from Side-channel LeakageEvery encryption leaks some information It in every traceDifferential Techniques (DPA) combine Nt traces in an SCARisk ∼ P(successful SCA) ∼ Nt × It


All-hardware Countermeasures

Protect the hardware implementationCircuits that suppress side-channel leakage (Reduce It )Popular technique: Hiding using dual-rail logic [Tiri’04]Algorithm-independent solution will protect any crypto.cBUT at significant cost: Risk 100x ↓ for Area 3x ↑ and Power 4x ↑


All-hardware Countermeasures

Protect the hardware implementationCircuits that suppress side-channel leakage (Reduce It )Popular technique: Hiding using dual-rail logic [Tiri’04]Algorithm-independent solution will protect any crypto.cBUT at significant cost: Risk 100x ↓ for Area 3x ↑ and Power 4x ↑


Other SCA Countermeasures

Author Technique Technology SCA Area PerfGain Cost Cost(ratio) (ratio) (ratio)

Tiri’05 Hiding AES, ASIC 120x x3.1 (GE) x3.9 (fclock )Bhasin’11 Hiding AES, FPGA 10.9x x2 (RAM+LUT) x1.3 (fclock )Suzuki’10 Masking AES, ASIC x2.1 (GE) x1.8 (fclock )Moradi’11 Threshold AES, ASIC x4.5 (GE) x1.2 (time)Chen’13 VSC AES, SW 25x x3.3 (KB) x6.5 (time)Rivian’11 Masking AES, SW x36 (time)Genelle’11 Masking AES, SW x12 (time)GE = Gate Equivalent = Area of a NAND2 gate.


Crypto that thwarts SCA?

Protect the algorithm, intrinsicallyLimits the lifetime of secret key (Nt �)Technique: Leakage Resilient Cryptography [Dziembowski’08]Algorithm-specific technique: works on only one algorithm at atime


Leakage-resilient Design

Author Initializaton PropagationKocher’03 DES DESMedwed’10 GF MulGammel’10 GF Mul w AES AESKocher’11 Hash Tree HashMedwed’12 AES Tree


Design Trade-offs for SCA Countermeasures

A trade-off in three dimensions• Risk: Reduction in SCA success probability ∼ Nt × It• Flexibility: Turn off countermeasure when you don’t need it• Performance: Degradation under countermeasure


Summary: Metrics for Secure Hardware

Things we understand well• Measuring execution speed, time• Measuring gate count, memory footprint

Things we don’t understand well• Measuring tamper resistance (faults or side-channels)• Measuring probabilisitic properties (entropy for PUF, RNG)


Summary: Design Methods for Secure Hardware

Things we understand well• Classic hardware optimization paradigms (speed, area)• Dealing with threats by integrating protected modules• Transformation methods for single, selected threats

Things we don’t understand well• Generic Risk Assessment for a range of threats• Effects of composition and integration (of different countermeasures)• Cross-layer threats


Documents

Current State of Design and Design Methods for Secure Hardware