Masking and Dual-rail Logic Don't Add Up

Size: px

Start display at page:

Download "Masking and Dual-rail Logic Don't Add Up"

Melanie Garrison
6 years ago
Views:

1 Masking and Dual-rail Logic Don't Add Up Patrick Schaumont Secure Embedded Systems Group ECE Department Kris Tiri Digital Enterprise Group Intel Corporation

2 Our Contributions 1. Using a simple statistical technique, we can break single-bit masked secure logic styles including 1. RSL [Suzuki 2004] 2. MDPL [Popp 2005] 3. DRSL [Chen 2006] 2. Side channel resistance obtained by combining masking and dual-rail logic is not routingindependent

3 Preliminaries: Masked Hardware Signals Secret Sequence Correlated Power Pattern C load Secret Sequence Secret Sequence Mask bit m XOR Uncorrelated Power Pattern C load XOR Secret Sequence

4 Preliminaries: Masked Logic Correlated Power Pattern r r Secret Sequence a b a r r Masked Gate Uncorrelated Power Pattern r b r

5 Preliminaries: Random Switching Logic Precharge Signal e r [Suzuki 2004] x y Masked AND(x,y) q e r q 0 X AND( x, y ) 1 1 OR( x, y ) = AND( a, b ) = q Complementary = OR( a, b ) = q

6 Our Experiment: Sbox in RSL Mask r DUT KEY PRNG 8 AES SBOX 8 out Gate-level DUT Implementation RSL gates Cycle-based simulation, abstracting all timing effects Power Model = toggle counting on DUT gate outputs

7 Power Probability Distribution for SBOX r = 1 r = 0 total Toggle Count

8 Explaining the Cause of Symmetry unmasked value Transitions in single RSL gate prechg masked value r = 0 r = 1 eval prechg eval '0' '1' toggle1 01 toggle1 0 0 Transitions in 970 RSL gates n n '0' '1' n toggle (970 -n) toggle

9 Power Probability Distribution for SBOX r = r = n n Toggle Count

10 An Attack using the Power PDF Equivalent to PDF of single-ended design r = 1 r = Toggle Count

11 An Attack using the Power PDF Average Observed Power Assume r = R Assume r = R 0.02 After folding the power PDF around the average value, DPA on Hamming Weight of input succeeds in only 30 power samples Toggle Count

12 Preliminaries: Masking and DRP Dual-Rail Precharge Logic encodes each value as a complementary signal pair In combination with masking: MDPL [Popp 2005] unmasked value Transitions in single MDPL gate '0' '1' prechg q q q q r = 0 r = 1 eval masked value prechg q q q q eval

13 Preliminaries: Masking and DRP Dual-Rail Precharge Logic encodes each value as a complementary signal pair In combination with masking: MDPL [Popp 2005] unmasked value Transitions in single MDPL gate '0' prechg masked value r = 0 r = 1 eval prechg q toggle q toggle eval '1' q toggle q toggle

14 Impact of Routing Imbalances r MDPL gate q q Cq r MDPL gate Cq unmasked value Transitions in single MDPL gate Δq ~ (Cq-Cq) '0' '1' prechg masked value r = 0 r = 1 eval prechg eval q toggle Δq q toggle Δqq toggle q toggle

15 Impact of Routing Imbalances unmasked value Transitions in single MDPL gate Δq ~ (Cq-Cq) '0' '1' prechg masked value r = 0 r = 1 eval prechg eval q toggle Δq q toggle Δqq toggle q toggle

16 Impact of Routing Imbalances unmasked value Transitions in single MDPL gate Δq ~ (Cq-Cq) '0' '1' prechg masked value r = 0 r = 1 eval prechg eval q toggle Δq q toggle Δqq toggle q toggle Transitions in 970 MDPL gates n '0' n '1' n Δq toggle n Δq toggle

17 Evaluation using Actual Layout Data key 128 KEY Round in 128 AES Round 128 out AES-128 using 16K Dual-rail gates in 0.18 μm CMOS Cycle-based simulation using weighted toggle counts Weights from layout (no routing constraints)

18 Estimated Power PDF of AES r = 1 r =

19 For each power sample in the trace... these signals remain constant... key 128 KEY Round... and these signals change in 128 AES Round 128 out

20 Masking Constant Signals: Binary Effect Distance is set by large and constant C load mismatch

21 Masking Varying Signals: Gaussian Effect Variation set by cumulated mismatch of many small C load

22 An attack on the AES Power PDF Assume r = R Average Observed Power Assume r = R After folding the power PDF around the average value, DPA on Hamming Weight of input succeeds in only 2000 power samples

23 Related Work In software implementations, masking is attacked by combining multiple power samples or by precharacterization of the implementation [Messerges 2000] Second Order DPA [Peeters 2005] Maximum-likelihood [Oswald 2007] Template Attacks For cases where mask and masked signal cannot be observed separately, Waddle proposes the use of squared power samples [Waddle 2004] Zero-Offset DPA Our technique demonstrates direct observation of the mask value, without the need for circuit characterization. We have demonstrated this with known masked circuit styles

24 Conclusions Masking and Dual-Rail Logic are not additive for sidechannel resistance Secure Circuit Styles cannot be developed without considering the system-level perspective on security Effective countermeasures against our attack will need to address the following question: "How can we add a mask without adding information?" When a mask is used to hide the PDF of a data signal, the masking process itself should not reveal the mask PDF

DPA-Resistance without routing constraints?

Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL