DTIS Review of Fault Injection Mechanisms and Consequences on Countermeasures Design. Bruno Robisson Jean-Baptiste Rigaud Assia Tria
|
|
- Edwin Gallagher
- 5 years ago
- Views:
Transcription
1 DTIS th International Conference on Design & Technology of Integrated Systems in Nanoscale Era Review of Fault Injection Mechanisms and Consequences on Countermeasures Design Jean-Max Dutertre Jacques J.A. Fournier Amir-Pasha Mirbaha Bruno Robisson Jean-Baptiste Rigaud Assia Tria David Naccache Ecole normale supérieure Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet Gardanne Département d Informatique Équipe de cryptographie 45, rue d Ulm Paris
2 Outline! Focus " Fault attacks on cryptosystems.! Outline " Introduction " Fault injection means Laser Timing constraints violation (clock, voltage, temperature) " Countermeasures " Security evaluation of hardware duplication " Conclusion 2 / 22
3 Introduction " Fault attacks on physical implementation of cryptosystems M K C Faulty cipher text Disturb the ciphering process through unusual environmental conditions in order to : reduce the ciphering complexity (e.g. round reduction number) Differential Fault Attack = comparison between correct and faulty cipher texts retrieve information on the encryption process (i.e. information leakage) 3 / 22
4 Introduction " DFA s requirements (strong) Fine control on: location, timing (choice of the injection cycle), focalization (i.e. number of faulted bits). C. Giraud: DFA on AES, Lecture Notes in Computer Science, 2005, Springer Berlin / Heidelberg, Volume 3373 G. Piret, J.- J. Quisquater: A DifferenMal Fault ANack Technique Against SPN Structures, with ApplicaMon to the AES, CHES 2003, LNCS 2779, Springer- Verlag 4 / 22
5 ! Laser as a fault injection means Fault injection means Semi-invasive: chemical/mechanical opening while preserving functionality Rear side Front side Fault injection mechanism: photoelectric effect (hν > E bandgap ) reversed biased PN junction data dependent sensitive areas 5 / 22
6 Fault injection means " Photoelectric effect Laser Drain ( V DD ) current (ma) E Diffusion n + depletion region Substrate P (Gnd) Instant response Delayed response time (ns) Current transient beam energy pulse duramon voltage transient 6 / 22
7 Fault injection means " Voltage transient: propagates through combinational logic without memorization propagates through combinational logic with memorization Single Event Transient - SET memory flip (SRAM, register) Single Event Upset - SEU fault injection " Experimental results single-bit and single-byte fault injection control of the injection time (~ 10ns) focalization : 1µm M. Agoyan, J.- M. Dutertre, A.- P. Mirbaha, D. Naccache, A.- L. RiboNa, A. Tria: How to flip a bit?, 16th InternaMonal On- Line TesMng Symposium, / 22
8 Fault injection means! Timing constraints violation Non-invasive " Synchronous IC principle (reminder) propagation delay n-1 m-1 data Combinational D Q logic D Q Dff i Dff i+1 clk data are captured on the clock s rising edge time between two rising edges (i.e. clock period) depends on the propagation delay 8 / 22
9 Fault injection means n-1 m-1 data clk Combinational D Q logic D pmax D Q Dff i Dff i+1 D clk#q T clk + T skew - δ su Timing constraint: T clk > D clk!q + D pmax - T skew + δ su Violating this timing constraint results in fault injection 9 / 22
10 Fault injection means " Clock glitches over clocking A well known approach decreasing the clock period until faults appear by setup time violation T clk clk propagation delay + setup time T clk fault clk drawback : faults are injected at each clock cycle no timing control 10 / 22
11 Fault injection means local over clocking (or clock glitching) timing constraint violation by modifying one clock cycle T clk clk T clk - Δ clk fault injection cycle choice fault-nature fine tuning through Δ fine control (one-bit, two-bits faults) 11 / 22
12 Experimental results on an AES cryptosystem Fault injection means Test campaign pseudo-code : send random key K and plaintext T to the test chip Δ 0 first reported fault T clk - Δ = critical time (K, T) single bit fault > 90% M. Agoyan, J.- M. Dutertre, D. Naccache, B. Robisson, A. Tria: When Clocks Fail: On CriMcal Paths and Clock Faults, CARDIS / 22
13 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk = ps 13 / 22
14 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22
15 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22
16 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22
17 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 Single bit fault D 6 D 7 T clk -Δ 13 / 22
18 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 2 faulted bits D 6 D 7 T clk -Δ 13 / 22
19 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 3 faulted bits D 6 D 7 T clk -Δ 13 / 22
20 Fault injection means " Voltage deprivation at nominal frequency V DD D pmax ( D clk!q, δ su, T skew ) T clk < D clk!q + D pmax - T skew + δ su D pmax + δ su + slack n inputs combinational logic D 0 D 1 D m-1 m outputs T clk 14 / 22
21 Fault injection means " Voltage deprivation at nominal frequency V DD D pmax ( D clk!q, δ su, T skew ) T clk < D clk!q + D pmax - T skew + δ su D pmax + δ su + slack n inputs D 0 combinational D 1 logic D m-1 m outputs T clk 14 / 22
22 Fault injection means " Voltage deprivation: experimental results critical time increases as V DD decreases picoseconds T clk 1 st fault (V DD = 1.07V) 15 / 22
23 Fault injection means " Temperature increase at nominal frequency 16 / 22
24 " Temperature increase: experimental results D pmax ( D clk!q, δ su, T skew ) Fault injection means T clk 1 st fault (210 C) 17 / 22
25 Countermeasures! Countermeasures against fault attacks " Cutting the access point " Environment monitoring " Fault detection/correction 18 / 22
26 Countermeasures " Cutting the access point Internal clock Power lines filtering Metallic shielding Glue logic 18 / 22
27 Countermeasures " Environment monitoring Internal clock Power lines filtering Metallic shielding Glue logic Voltage sensor Light sensor Temperature sensor Frequency sensor 18 / 22
28 Countermeasures " Fault detection/correction Internal clock Power lines filtering Metallic shielding Glue logic Hardware redundancy Duplication Triplication with vote ECC Parity bits Timing redundancy Voltage sensor Light sensor Temperature sensor Frequency sensor 18 / 22
29 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input AES RoundExe AES RoundExe comp. output AES output AES M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22
30 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input laser spot AES RoundExe AES RoundExe comp. faulty output AES faulty output AES faulty output AES alarm M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22
31 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input laser spot AES RoundExe AES RoundExe faulty output AES comp. alarm faulty output AES faulty output AES high fault nb. inconsistent with DFA s requirements M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22
32 Security evaluation of hardware duplication " Timing constraint violation attacks on hardware duplication Clock alteration fault location = critical paths input single bit fault AES RoundExe AES RoundExe comp. faulty output AES faulty output AES faulty output AES alarm M. Agoyan, S. Bouquet, M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecmng aes chip and yet using clock set- up Mme violamons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, / 22
33 Security evaluation of hardware duplication " Timing constraint violation attacks on hardware duplication Clock alteration fault location = critical paths input single bit fault Probability of CM dismiss: AES RoundExe AES RoundExe comp. faulty output AES = faulty output AES faulty output AES alarm Hardware duplication is broken: DFA s schemes apply M. Agoyan, S. Bouquet, M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecmng aes chip and yet using clock set- up Mme violamons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, / 22
34 Conclusion! Overview of faults attacks on cryptosystems " Strong requirements regarding the injected faults " Laser as a fault injection means " Fault injection through timing constraint violation! Overview of countermeasures against fault attacks! Security evaluation of hardware duplication broken by clock alteration! General conclusion: " Take care of properties of fault injection means " CM design is still research work dutertre@emse.fr 21 / 22
35 Experimental results on an AES cryptosystem (con t) critical time distribution (10,000 tries) Fault injection means 22 / 22
A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS
A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS FDTC2012 Ronan Lashermes, Guillaume Reymond, Jean-Max Dutertre, Jacques Fournier, Bruno Robisson and Assia Tria 9 SEPTEMBER 2012 INTRODUCTION Introduction
More information«Differential Behavioral Analysis»
«Differential Behavioral Analysis» Bruno ROBISSON Pascal MANET CEA-LETI SESAM Laboratory (joint R&D team CEA-LETI/EMSE), Centre Microélectronique de Provence Avenue des Anémones, 13541 Gardanne, France
More informationFault Model Analysis of Laser-Induced Faults in SRAM Memory Cells
Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells Cyril Roscian, Alexandre Sarafianos, Jean-Max Dutertre, Assia Tria To cite this version: Cyril Roscian, Alexandre Sarafianos, Jean-Max
More informationConcurrent Error Detection in S-boxes 1
International Journal of Computer Science & Applications Vol. 4, No. 1, pp. 27 32 2007 Technomathematics Research Foundation Concurrent Error Detection in S-boxes 1 Ewa Idzikowska, Krzysztof Bucholc Poznan
More informationDIFFERENTIAL FAULT ANALYSIS ATTACK RESISTANT ARCHITECTURES FOR THE ADVANCED ENCRYPTION STANDARD *
DIFFERENTIAL FAULT ANALYSIS ATTACK RESISTANT ARCHITECTURES FOR THE ADVANCED ENCRYPTION STANDARD * Mark Karpovsky, Konrad J. Kulikowski, Alexander Taubin Reliable Computing Laboratory,Department of Electrical
More informationELECTROMAGNETIC FAULT INJECTION: TOWARDS A FAULT MODEL ON A 32-BIT MICROCONTROLLER
ELECTROMAGNETIC FAULT INJECTION: TOWARDS A FAULT MODEL ON A 32-BIT MICROCONTROLLER Nicolas Moro 1,3, Amine Dehbaoui 2, Karine Heydemann 3, Bruno Robisson 1, Emmanuelle Encrenaz 3 1 CEA Commissariat à l
More informationElectrical modeling of the photoelectric effect induced by a pulsed laser applied to an SRAM cell
Electrical modeling of the photoelectric effect induced by a pulsed laser applied to an SRAM cell A. Sarafianos, C. Roscian, Jean-Max Dutertre, M. Lisart, A. Tria To cite this version: A. Sarafianos, C.
More informationRandom Active Shield FDTC 2012, Leuven, Belgium.
Random Active Shield FDTC 2012, Leuven, Belgium. Sébastien BRIAIS 1, Jean-Michel CIORANESCO 2,3, Jean-Luc DANGER 1,4, Sylvain GUILLEY 1,4, David NACCACHE 3,5 and Thibault PORTEBOEUF 1. 1 Secure-IC S.A.S.,
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationDifferential Behavioral Analysis
Differential Behavioral Analysis Bruno Robisson and Pascal Manet CEA-LETI, SESAM Laboratory, Centre Microélectronique de Provence. Avenue des Anémones, 354 Gardanne, France bruno.robisson@cea.fr, pascal.manet@cea.fr
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationEE 466/586 VLSI Design. Partha Pande School of EECS Washington State University
EE 466/586 VLSI Design Partha Pande School of EECS Washington State University pande@eecs.wsu.edu Lecture 8 Power Dissipation in CMOS Gates Power in CMOS gates Dynamic Power Capacitance switching Crowbar
More informationDPA-Resistance without routing constraints?
Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL
More informationPublic Key Perturbation of Randomized RSA Implementations
Public Key Perturbation of Randomized RSA Implementations A. Berzati, C. Dumas & L. Goubin CEA-LETI Minatec & Versailles St Quentin University Outline 1 Introduction 2 Public Key Perturbation Against R2L
More informationEECS150 - Digital Design Lecture 26 - Faults and Error Correction. Types of Faults in Digital Designs
EECS150 - Digital Design Lecture 26 - Faults and Error Correction April 25, 2013 John Wawrzynek 1 Types of Faults in Digital Designs Design Bugs (function, timing, power draw) detected and corrected at
More informationDesign for Manufacturability and Power Estimation. Physical issues verification (DSM)
Design for Manufacturability and Power Estimation Lecture 25 Alessandra Nardi Thanks to Prof. Jan Rabaey and Prof. K. Keutzer Physical issues verification (DSM) Interconnects Signal Integrity P/G integrity
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationObjective and Outline. Acknowledgement. Objective: Power Components. Outline: 1) Acknowledgements. Section 4: Power Components
Objective: Power Components Outline: 1) Acknowledgements 2) Objective and Outline 1 Acknowledgement This lecture note has been obtained from similar courses all over the world. I wish to thank all the
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationEECS 427 Lecture 14: Timing Readings: EECS 427 F09 Lecture Reminders
EECS 427 Lecture 14: Timing Readings: 10.1-10.3 EECS 427 F09 Lecture 14 1 Reminders CA assignments Please submit CA6 by tomorrow noon CA7 is due in a week Seminar by Prof. Bora Nikolic SRAM variability
More informationLecture 16: Circuit Pitfalls
Introduction to CMOS VLSI Design Lecture 16: Circuit Pitfalls David Harris Harvey Mudd College Spring 2004 Outline Pitfalls Detective puzzle Given circuit and symptom, diagnose cause and recommend solution
More informationUNISONIC TECHNOLOGIES CO., LTD L16B45 Preliminary CMOS IC
UNISONIC TECHNOLOGIES CO., LTD L16B45 Preliminary CMOS IC 16-BIT CONSTANT CURRENT LED SINK DRIVER DESCRIPTION The UTC L16B45 is designed for LED displays. UTC L16B45 contains a serial buffer and data latches
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationA Proposition for Correlation Power Analysis Enhancement
A Proposition for Correlation Power Analysis Enhancement Thanh-Ha Le 1, Jessy Clédière 1,Cécile Canovas 1, Bruno Robisson 1, Christine Servière, and Jean-Louis Lacoume 1 CEA-LETI 17 avenue des Martyrs,
More informationStudy of a Parity Check Based Fault-Detection Countermeasure for the AES Key Schedule
Study of a Parity Check Based Fault-Detection Countermeasure for the AES Key Schedule Christophe Clavier 1, Julien Francq 2, and Antoine Wurcker 1 1 Université de Limoges, XLIM-CNRS Limoges, France christophe.clavier@unilim.fr
More informationEECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs)
EECS150 - igital esign Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Nov 21, 2002 John Wawrzynek Fall 2002 EECS150 Lec26-ECC Page 1 Outline Error detection using parity Hamming
More informationPARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM
PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM Nabihah Ahmad Department of Electronic Engineering, Faculty of Electrical and Electronic Engineering, Universiti
More informationEECS150 - Digital Design Lecture 26 Faults and Error Correction. Recap
EECS150 - Digital Design Lecture 26 Faults and Error Correction Nov. 26, 2013 Prof. Ronald Fearing Electrical Engineering and Computer Sciences University of California, Berkeley (slides courtesy of Prof.
More informationOn the Masking Countermeasure and Higher-Order Power Analysis Attacks
1 On the Masking Countermeasure and Higher-Order Power Analysis Attacks François-Xavier Standaert, Eric Peeters, Jean-Jacques Quisquater UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.
More informationLecture 9: Clocking, Clock Skew, Clock Jitter, Clock Distribution and some FM
Lecture 9: Clocking, Clock Skew, Clock Jitter, Clock Distribution and some FM Mark McDermott Electrical and Computer Engineering The University of Texas at Austin 9/27/18 VLSI-1 Class Notes Why Clocking?
More informationName: Answers. Mean: 83, Standard Deviation: 12 Q1 Q2 Q3 Q4 Q5 Q6 Total. ESE370 Fall 2015
University of Pennsylvania Department of Electrical and System Engineering Circuit-Level Modeling, Design, and Optimization for Digital Systems ESE370, Fall 2015 Final Tuesday, December 15 Problem weightings
More informationESE 570: Digital Integrated Circuits and VLSI Fundamentals
ESE 570: Digital Integrated Circuits and VLSI Fundamentals Lec 24: April 19, 2018 Crosstalk and Wiring, Transmission Lines Lecture Outline! Crosstalk! Repeaters in Wiring! Transmission Lines " Where transmission
More information! Crosstalk. ! Repeaters in Wiring. ! Transmission Lines. " Where transmission lines arise? " Lossless Transmission Line.
ESE 570: Digital Integrated Circuits and VLSI Fundamentals Lec 24: April 19, 2018 Crosstalk and Wiring, Transmission Lines Lecture Outline! Crosstalk! Repeaters in Wiring! Transmission Lines " Where transmission
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationESE 570: Digital Integrated Circuits and VLSI Fundamentals
ESE 570: Digital Integrated Circuits and VLSI Fundamentals Lec 18: March 27, 2018 Dynamic Logic, Charge Injection Lecture Outline! Sequential MOS Logic " D-Latch " Timing Constraints! Dynamic Logic " Domino
More informationOutline. EECS Components and Design Techniques for Digital Systems. Lec 18 Error Coding. In the real world. Our beautiful digital world.
Outline EECS 150 - Components and esign Techniques for igital Systems Lec 18 Error Coding Errors and error models Parity and Hamming Codes (SECE) Errors in Communications LFSRs Cyclic Redundancy Check
More informationIIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67
IIT KHARAGPUR Differential Fault Analysis on the Families of SIMON and SPECK Ciphers Authors: Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay (IIT KHARAGPUR) FDTC 2014 South Korea, Busan September
More informationHold Time Illustrations
Hold Time Illustrations EE213-L09-Sequential Logic.1 Pingqiang, ShanghaiTech, 2018 Hold Time Illustrations EE213-L09-Sequential Logic.2 Pingqiang, ShanghaiTech, 2018 Hold Time Illustrations EE213-L09-Sequential
More informationELCT201: DIGITAL LOGIC DESIGN
ELCT201: DIGITAL LOGIC DESIGN Dr. Eng. Haitham Omran, haitham.omran@guc.edu.eg Dr. Eng. Wassim Alexan, wassim.joseph@guc.edu.eg Following the slides of Dr. Ahmed H. Madian Lecture 10 محرم 1439 ه Winter
More informationClock Glitch Attacks in the Presence of Heating
Clock Glitch Attacks in the Presence of Heating Barış Ege¹, Thomas Korak², Michael Hutter² and Lejla Batina¹ ¹ Radboud University Nijmegen, ICIS Digital Security Group, The Netherlands ² Graz University
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationEEE2135 Digital Logic Design
EEE2135 Digital Logic Design Chapter 7. Sequential Circuits Design 서강대학교 전자공학과 1. Model of Sequential Circuits 1) Sequential vs. Combinational Circuits a. Sequential circuits: Outputs depend on both the
More informationNTE74HC299 Integrated Circuit TTL High Speed CMOS, 8 Bit Universal Shift Register with 3 State Output
NTE74HC299 Integrated Circuit TTL High Speed CMOS, 8 Bit Universal Shift Register with 3 State Output Description: The NTE74HC299 is an 8 bit shift/storage register with three state bus interface capability
More informationCorrelation Power Analysis. Chujiao Ma
Correlation Power Analysis Chujiao Ma Power Analysis Simple Power Analysis (SPA) different operations consume different power Differential Power Analysis (DPA) different data consume different power Correlation
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationEECS 427 Lecture 15: Timing, Latches, and Registers Reading: Chapter 7. EECS 427 F09 Lecture Reminders
EECS 427 Lecture 15: Timing, Latches, and Registers Reading: Chapter 7 1 Reminders CA assignments CA7 is due Thursday at noon ECE Graduate Symposium Poster session in ECE Atrium on Friday HW4 (detailed
More informationEE141Microelettronica. CMOS Logic
Microelettronica CMOS Logic CMOS logic Power consumption in CMOS logic gates Where Does Power Go in CMOS? Dynamic Power Consumption Charging and Discharging Capacitors Short Circuit Currents Short Circuit
More informationMODULE 5 Chapter 7. Clocked Storage Elements
MODULE 5 Chapter 7 Clocked Storage Elements 3/9/2015 1 Outline Background Clocked Storage Elements Timing, terminology, classification Static CSEs Latches Registers Dynamic CSEs Latches Registers 3/9/2015
More informationNTE4035B Integrated Circuit CMOS, 4 Bit Parallel In/Parallel Out Shift Register
NTE4035B Integrated Circuit CMOS, 4 Bit Parallel In/Parallel Out Shift Register Description: The NTE4035B is a 4 bit shift register in a 16 Lead DIP type package constructed with MOS P Channel an N Channel
More informationDigital Integrated Circuits Designing Combinational Logic Circuits. Fuyuzhuo
Digital Integrated Circuits Designing Combinational Logic Circuits Fuyuzhuo Introduction Digital IC Dynamic Logic Introduction Digital IC EE141 2 Dynamic logic outline Dynamic logic principle Dynamic logic
More informationEECS 141 F01 Lecture 17
EECS 4 F0 Lecture 7 With major inputs/improvements From Mary-Jane Irwin (Penn State) Dynamic CMOS In static circuits at every point in time (except when switching) the output is connected to either GND
More informationCMPEN 411. Spring Lecture 18: Static Sequential Circuits
CMPEN 411 VLSI Digital Circuits Spring 2011 Lecture 18: Static Sequential Circuits [Adapted from Rabaey s Digital Integrated Circuits, Second Edition, 2003 J. Rabaey, A. Chandrakasan, B. Nikolic] Sp11
More informationChapter 8. Low-Power VLSI Design Methodology
VLSI Design hapter 8 Low-Power VLSI Design Methodology Jin-Fu Li hapter 8 Low-Power VLSI Design Methodology Introduction Low-Power Gate-Level Design Low-Power Architecture-Level Design Algorithmic-Level
More informationHomework 2 due on Wednesday Quiz #2 on Wednesday Midterm project report due next Week (4 pages)
EE241 - Spring 2013 Advanced Digital Integrated Circuits Lecture 12: SRAM Design ECC Timing Announcements Homework 2 due on Wednesday Quiz #2 on Wednesday Midterm project report due next Week (4 pages)
More informationSide-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects
Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects Zhimin Chen, Syed Haider, and Patrick Schaumont Virginia Tech, Blacksburg, VA 24061, USA {chenzm,syedh,schaum}@vt.edu Abstract.
More informationError-free protection of EC point multiplication by modular extension
Error-free protection of EC point multiplication by modular extension Martin Seysen February 21, 2017 Giesecke & Devrient GmbH, Prinzregentenstraße 159, D-81677 München, e-mail: m.seysen@gmx.de Abstract
More informationNovel Approaches for Improving the Power Consumption Models in Correlation Analysis
Novel Approaches for Improving the Power Consumption Models in Correlation Analysis Thanh-Ha Le, Quoc-Thinh Nguyen-Vuong, Cécile Canovas, Jessy Clédière CEA-LETI 17 avenue des Martyrs, 38 054 Grenoble
More informationECE 3060 VLSI and Advanced Digital Design. Testing
ECE 3060 VLSI and Advanced Digital Design Testing Outline Definitions Faults and Errors Fault models and definitions Fault Detection Undetectable Faults can be used in synthesis Fault Simulation Observability
More informationHow to Evaluate Side-Channel Leakages
How to Evaluate Side-Channel Leakages 7. June 2017 Ruhr-Universität Bochum Acknowledgment Tobias Schneider 2 Motivation Security Evaluation Attack based Testing Information theoretic Testing Testing based
More informationLOGIC CIRCUITS. Basic Experiment and Design of Electronics. Ho Kyung Kim, Ph.D.
Basic Experiment and Design of Electronics LOGIC CIRCUITS Ho Kyung Kim, Ph.D. hokyung@pusan.ac.kr School of Mechanical Engineering Pusan National University Digital IC packages TTL (transistor-transistor
More informationESE 570: Digital Integrated Circuits and VLSI Fundamentals
ESE 570: Digital Integrated Circuits and VLSI Fundamentals Lec 23: April 17, 2018 I/O Circuits, Inductive Noise, CLK Generation Lecture Outline! Packaging! Variation and Testing! I/O Circuits! Inductive
More informationLecture 9: Sequential Logic Circuits. Reading: CH 7
Lecture 9: Sequential Logic Circuits Reading: CH 7 Sequential Logic FSM (Finite-state machine) Inputs Current State COMBINATIONAL LOGIC Registers Outputs = f(current, inputs) Next state 2 storage mechanisms
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationFault Tolerant Computing CS 530 Fault Modeling
CS 53 Fault Modeling Yashwant K. Malaiya Colorado State University Fault Modeling Why fault modeling? Stuck-at / fault model The single fault assumption Bridging and delay faults MOS transistors and CMOS
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationUsing Second-Order Power Analysis to Attack DPA Resistant Software
Using Second-Order Power Analysis to Attack DPA Resistant Software Thomas S. Messerges Motorola Labs, Motorola 3 E. Algonquin Road, Room 7, Schaumburg, IL 696 Tom.Messerges@motorola.com Abstract. Under
More informationJin-Fu Li Advanced Reliable Systems (ARES) Lab. Department of Electrical Engineering. Jungli, Taiwan
Chapter 7 Sequential Circuits Jin-Fu Li Advanced Reliable Systems (ARES) Lab. epartment of Electrical Engineering National Central University it Jungli, Taiwan Outline Latches & Registers Sequencing Timing
More informationECEN 248: INTRODUCTION TO DIGITAL SYSTEMS DESIGN. Week 9 Dr. Srinivas Shakkottai Dept. of Electrical and Computer Engineering
ECEN 248: INTRODUCTION TO DIGITAL SYSTEMS DESIGN Week 9 Dr. Srinivas Shakkottai Dept. of Electrical and Computer Engineering TIMING ANALYSIS Overview Circuits do not respond instantaneously to input changes
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationΗΜΥ 307 ΨΗΦΙΑΚΑ ΟΛΟΚΛΗΡΩΜΕΝΑ ΚΥΚΛΩΜΑΤΑ Εαρινό Εξάμηνο 2018
ΗΜΥ 307 ΨΗΦΙΑΚΑ ΟΛΟΚΛΗΡΩΜΕΝΑ ΚΥΚΛΩΜΑΤΑ Εαρινό Εξάμηνο 2018 ΔΙΑΛΕΞΕΙΣ 12-13: esigning ynamic and Static CMOS Sequential Circuits ΧΑΡΗΣ ΘΕΟΧΑΡΙΔΗΣ (ttheocharides@ucy.ac.cy) (ack: Prof. Mary Jane Irwin and
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationBitslice Ciphers and Power Analysis Attacks
Bitslice Ciphers and Power Analysis Attacks Joan Daemen, Michael Peeters and Gilles Van Assche Proton World Intl. Rue Du Planeur 10, B-1130 Brussel, Belgium Email: {daemen.j, peeters.m, vanassche.g}@protonworld.com
More informationUniversity of Toronto Faculty of Applied Science and Engineering Edward S. Rogers Sr. Department of Electrical and Computer Engineering
University of Toronto Faculty of Applied Science and Engineering Edward S. Rogers Sr. Department of Electrical and Computer Engineering Final Examination ECE 241F - Digital Systems Examiners: J. Rose and
More informationDigital Integrated Circuits A Design Perspective
Digital Integrated Circuits A Design Perspective Jan M. Rabaey Anantha Chandrakasan Borivoje Nikolic Designing Sequential Logic Circuits November 2002 Sequential Logic Inputs Current State COMBINATIONAL
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationTopics to be Covered. capacitance inductance transmission lines
Topics to be Covered Circuit Elements Switching Characteristics Power Dissipation Conductor Sizes Charge Sharing Design Margins Yield resistance capacitance inductance transmission lines Resistance of
More informationA Fault Attack on the LED Block Cipher
A Fault Attack on the LED Block Cipher P. Jovanovic, M. Kreuzer and I. Polian Fakultät für Informatik und Mathematik Universität Passau D-94030 Passau, Germany philipp.jovanovic,martin.kreuzer,ilia.polian@uni-passau.de
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationExtending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks
Extending Glitch-Free Multiparty Protocols to Resist Fault Injection Attacks Okan Seker 1, Thomas Eisenbarth 1, and Rainer Steinwandt 2 1 Worcester Polytechnic Institute, Worcester, MA, USA {oseker,teisenbarth}@wpiedu
More informationEECS 579: Logic and Fault Simulation. Simulation
EECS 579: Logic and Fault Simulation Simulation: Use of computer software models to verify correctness Fault Simulation: Use of simulation for fault analysis and ATPG Circuit description Input data for
More informationLast Lecture. Power Dissipation CMOS Scaling. EECS 141 S02 Lecture 8
EECS 141 S02 Lecture 8 Power Dissipation CMOS Scaling Last Lecture CMOS Inverter loading Switching Performance Evaluation Design optimization Inverter Sizing 1 Today CMOS Inverter power dissipation» Dynamic»
More informationESE 570: Digital Integrated Circuits and VLSI Fundamentals
ESE 570: Digital Integrated Circuits and VLSI Fundamentals Lec 17: March 23, 2017 Energy and Power Optimization, Design Space Exploration, Synchronous MOS Logic Lecture Outline! Energy and Power Optimization
More informationPAST EXAM PAPER & MEMO N3 ABOUT THE QUESTION PAPERS:
EKURHULENI TECH COLLEGE. No. 3 Mogale Square, Krugersdorp. Website: www. ekurhulenitech.co.za Email: info@ekurhulenitech.co.za TEL: 011 040 7343 CELL: 073 770 3028/060 715 4529 PAST EXAM PAPER & MEMO N3
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationClock Strategy. VLSI System Design NCKUEE-KJLEE
Clock Strategy Clocked Systems Latch and Flip-flops System timing Clock skew High speed latch design Phase locked loop ynamic logic Multiple phase Clock distribution Clocked Systems Most VLSI systems are
More informationTopics. Dynamic CMOS Sequential Design Memory and Control. John A. Chandy Dept. of Electrical and Computer Engineering University of Connecticut
Topics Dynamic CMOS Sequential Design Memory and Control Dynamic CMOS In static circuits at every point in time (except when switching) the output is connected to either GND or V DD via a low resistance
More informationEE371 - Advanced VLSI Circuit Design
EE371 - Advanced VLSI Circuit Design Midterm Examination May 7, 2002 Name: No. Points Score 1. 18 2. 22 3. 30 TOTAL / 70 In recognition of and in the spirit of the Stanford University Honor Code, I certify
More informationLab 3 Revisited. Zener diodes IAP 2008 Lecture 4 1
Lab 3 Revisited Zener diodes R C 6.091 IAP 2008 Lecture 4 1 Lab 3 Revisited +15 Voltage regulators 555 timers 270 1N758 0.1uf 5K pot V+ V- 2N2222 0.1uf V o. V CC V Vin s = 5 V Vc V c Vs 1 e t = RC Threshold
More informationLecture 21: Packaging, Power, & Clock
Lecture 21: Packaging, Power, & Clock Outline Packaging Power Distribution Clock Distribution 2 Packages Package functions Electrical connection of signals and power from chip to board Little delay or
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationHard Fault Analysis of Trivium
1 Hard Fault Analysis of Trivium Yupu Hu, Fengrong Zhang, and Yiwei Zhang, arxiv:0907.2315v1 [cs.cr] 14 Jul 2009 Abstract Fault analysis is a powerful attack to stream ciphers. Up to now, the major idea
More informationSequential Logic Worksheet
Sequential Logic Worksheet Concept Inventory: Notes: D-latch & the Dynamic Discipline D-register Timing constraints for sequential circuits Set-up and hold times for sequential circuits 6.004 Worksheet
More informationINTEGRATED CIRCUITS. For a complete data sheet, please also download:
INTEGRATED CIRCUITS DATA SEET For a complete data sheet, please also download: The IC6 74C/CT/CU/CMOS ogic Family Specifications The IC6 74C/CT/CU/CMOS ogic Package Information The IC6 74C/CT/CU/CMOS ogic
More informationNext, we check the race condition to see if the circuit will work properly. Note that the minimum logic delay is a single sum.
UNIVERSITY OF CALIFORNIA College of Engineering Department of Electrical Engineering and Computer Sciences Last modified on May 1, 2003 by Dejan Markovic (dejan@eecs.berkeley.edu) Prof. Jan Rabaey EECS
More informationEntropy Extraction in Metastability-based TRNG
Entropy Extraction in Metastability-based TRNG Vikram B. Suresh Dept. of Electrical & Computer Engineering University of Massachusetts Amherst, USA vsuresh@ecs.umass.edu Wayne P. Burleson Dept. of Electrical
More informationNTE74HC109 Integrated Circuit TTL High Speed CMOS, Dual J K Positive Edge Triggered Flip Flop w/set & Reset
NTE74HC109 Integrated Circuit TTL High Speed CMOS, Dual J K Positive Edge Triggered Flip Flop w/set & Reset Description: The NTE74HC109 is a dual J K flip flip with set and reset in a 16 Lead plastic DIP
More informationSequential vs. Combinational
Sequential Circuits Sequential vs. Combinational Combinational Logic: Output depends only on current input TV channel selector (-9) inputs system outputs Sequential Logic: Output depends not only on current
More informationSummary. Secured Arithmetic Operators for Cryptography. Introduction. Terminology
Summary Secured Arithmetic Operators for Cryptography Arnaud Tisserand CNRS, IRISA laboratory, CAIRN research team Electrical and Computer Engineering Seminar University of Massachusetts Amherst November
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More information