Random Delay Insertion: Effective Countermeasure against DPA on FPGAs

Transcription

1 Random Delay Insertion: Effective Countermeasure against DPA on FPGAs Lu, Yingxi Dr. Máire O Neill Prof. John McCanny Overview September 2004

2 PRESENTATION OUTLINE DPA and countermeasures Random Delay Insertion (RDI countermeasure Design parameters FPGA implementation Case study on AES Attacks against RDI

3 WHAT IS DPA? Side Channel Attack Reveal the security key stored in cryptographic implementations by monitoring physical characteristics, e.g. power, EM, timing. Differential Power Analysis One of the most effective SCA attacks. Analyzes the instantaneous power consumption of a security device.

4 Trigger Probe 2 WHAT IS DPA? Probe 1 Vcc R = 1 ohm Power Supply Ground Clock Generator Clk ( i i pt irh T, Bus T: Trace set. pt i : Plaintext t of round i. I/O irh i : Intermediate result under hypothesis of round i.

5 WHAT IS DPA? Plaintext Sequence Key-space under attack reduces from to Device Under Attack Oscilloscope Board Controller Mix Signal Oscilloscope AES Software Sub- -Key Spac ce Trace set: T plaintext : Power plaintext : key Pre-process Correlation function Test vectors

6 DPA COUNTERMEASURES To be effective, a cryptographic implementation should include multiple countermeasure techniques. Ephemeral keys, etc. Masking, etc. Precharged Random Delay Dual-Rail Insertion Logic, is etc. here.

7 DPA COUNTERMEASURES Each countermeasure has its weakness. Only applicable to specific applications. Ephemeral keys, etc. 5 no. of samples are required to break it - not sufficient. [Mangard et al.] ] Masking, etc. 10 power consumption. Precharged Dual-Rail Logic, etc. [Pramstaller et al.]

8 WHAT IS RDI? Delays can be inserted before the cryptographic execution to change the position of operations in the time-dimension.

9 WHAT IS RDI? RDI on microprocessor / smart- card can be easily attacked. [Clavier et, al.] Because, Length of delay corresponds Delays can be inserted before the cryptographic to length of the clock cycle - can execution to change the position be of easily operations identified. in the time-dimension. And therefore, the length of the delay is limited. Registers need to be included between the delay and the key- dependent operations. The above disadvantages DO NOT apply on FPGA & ASIC. The delay is not implemented by instructions. This work is the first RDI FPGA This work is the first RDI FPGA implementation.

10 DESIGN PARAMETERS P total = ( P data dependent + P + P data independen t P

11 DESIGN PARAMETERS P total = ( P data dependent + P + P data independen t C ( H, P total E ( H ( Pd + P + Pind E( H E( ( Pd + P + Pind Var ( H Var( P + P + P = d ind Q P d P Pind, H P, H P ind Given P d and given large C ( H, P total Var( P Var( P 1 E( H Pd E( H E( Pd Var( Pd Var( Pd = Var( H ( Var( P + Var( P + Var( P = ( H, P C d 1 1 Var SNR Var d ( P ( P d ind ( + Var P Following linear assumption, P : C ( H, P total 1 δ = k max max

12 DESIGN PARAMETERS P total = ( P data dependent + P + P data independen t ( H ( Pd + P + Pind E( H E( ( Pd + P + Pind Var ( H Var( P + P + P E C ( H, P total : discrete variable, 0 < <d max. δ : the deviation of. k : natural number, max = k δ. Q P P P, H P H P d = ind, Lower C(H, P total to achieve higher security - requires large max and k, but small δ. ind C ( H, P total Var( P Var( P 1 E( H Pd E( H E( Pd Var( Pd Var( Pd = Var( H ( Var( P + Var( P + Var( P Trade-off between d security and ind performance / cost. C( H, Pd 1 = 1 Var P SNR Var ( ( P d ind Given P d and given large ( + Var P Following linear assumption, P : C ( H, P total 1 δ = k max max

13 OPTIMUM PARAMETERS? Step 1. Measure the power traces from the original cryptographic implementation. ti Step 2. Modify the power traces with random delay up to max and down to δ. Step 3. Perform DPA on the shifted traces to check whether it is successful. Correct Key Hypothesis Time

14 FPGA IMPLEMENTATION Split Random Delay Insertion (Split-RDI Attackers can counteract Intermediate Result RDI using realignment algorithms to identify the delay. We split and apply the delay to multiple stages to protect our delay from such realignment attacks. Intermediate Result

15 FPGA IMPLEMENTATION Split Delay True Random logic [Bucci Number Delay et Insertion al.] Generator ] (Split-RDI [Schellekens et al.] ]

16 FPGA IMPLEMENTATION Now let s recall the parameters. a To lower the correlation, we should: C ( H, P total Increase max. But this increases the delay and reduces the speed. k 1 max = δ max Decrease δ. Significantly lowers correlation. But limited by k. I k B t i ifi tl i Increase k. But significantly increases power and area, a larger k implies more random bits.

17 CASE STUDY: : AES Step 1. Measure the power traces from the original cryptographic implementation. ti Step 2. Modify the power traces with random delay up to max and down to δ. Step 3. Perform DPA on the shifted traces to check whether it is successful.

18 CASE STUDY: : AES DPA results of shifted power traces measured from an original AES FPGA implementation. Correct Key Hypothesis k = 12 means 4 bits TRNG is required. C(H, P Wrong Key Hypothesis max (1/f sample δ = t s : RDI is effective when max > 12t s.

19 CASE STUDY: : AES DPA results of shifted power traces measured from an original AES FPGA implementation. Correct Key Hypothesis Correct Key Correct Hypothesis Key Hypothesis δ = 8ts δ = 10ts C(H, P P Wrong Key Hypothesis Effective Wrong Wrong Key Key Hypothesis max increases considerably with larger δ! max (1/f sample δ δ = 6t 8t s : s : RDI max is > effective 23t s. δ = when 10t s : max max > >33t 15t s..

20 CASE STUDY: : AES We finally implemented the RDI with the following parameters. δ = 2t s, max = 16t s, k = 8. (3 bits TRNG is required. RDI results in a low-cost DPA countermeasure (figures including the TRNG. Increase in Area Decrease in Speed Increase in Power RDI Masking MDPL WDDL RDI Masking MDPL WDDL RDI Masking MDPL WDDL

21 ATTACK AGAINST RDI We evaluated ated the above AES FPGA implementation with RDI applied under three DPA attack techniques. Original DPA attack. DPA attack with Sliding Window post-computation. DPA attack with realignment pre-computation. on Coefficient Average Correlatio 0. 1 SW DPA Correct Correct Key Key Hypothesis SW DPA Wrong Keys Original RDI. [Bucci et al.] DPA Correct Key 0.4L and Wrong 0.48LKeys0.56L L 0.16L 0.24L 0.32L Time Delay Time 0.64L on Coefficient Correct Key Hypothesis Split RDI Average Correlatio L 0.16L 0.24L 0.32L 0.4L 0.48L 0.56L 0.64L Time Delay WITHOUT Short delay RDI applied. d Full length WITH delay RDI applied. d

22 ATTACK AGAINST RDI A recently developed DPA attack in the frequency domain is also performed on the proposed p countermeasure. N 1 n κ x( n X ( κ = x( n ω N x n= 0 n l ( n l X ( κ ω N However, the effectiveness of such an attack depends on the DFT window size N.

23 CONCLUSIONS Random Delay Insertion technique is an effective countermeasure against DPA when implemented on FPGAs. The trade off between performance and design cost has been discussed. And RDI results in a low-cost DPA countermeasure. A Split-RDI with carefully chosen delay can be used to prevent realignment, Sliding Window DPA and the attack in the frequency domain. Thank you!