Techniques to Prevent Power Analysis on Encryption Hardware

CS252 Final Project

By Shengliang Song & Nikita Borisov Professor: Jan Rabaey & Kurt Keutzer

•Smart Card

•Differential Power Analysis

•Divide-and-conquer approach

Smart Card

• Processing Power (Intel 8051, Motorola 6805)

• Data Storage (EEPROM, FLASH, ROM, RAM)

• IO & Power Source (Contact, Contactless)

Smart Cards

B) Inductive Coupling

Asynchronous: RF/ID and RF/DC

ISO 7816-3 (similar to RS232 operating at 9600 baud with even parity)

Power: A) Smart Card Reader

Synchronous: powered, clocked and addressed

under control of the outside world

Differential Power Analysis

• Semiconductor logic gates – consuming power

– producing electromagnetic radiation

• DPA: plaintext or ciphertext => encryption or decryption keys

– Observes m encryption operation– Captures power traces T[1..m][1..k] (k samples each)– records the ciphertexts C[1..m]– Delta D[1..k] (by finding the difference between the averages of the traces for which D(c,b,ks) is

one and the average of the traces for which D(c,b,ks) is zero.)

Measure a circuit’s power consumption

• a small (50 ohm) resistor is inserted in series with the power or ground input

Vcc

Vout

R = 50 ohm

I = Vout/R

DPA Traces

DEFENSES

• Still being studied

• Balancing computation with complements

• Splitting bits into randomized shares

• Special circuit design techniques

• Randomize order

• Complicated, costly

Divide-and-conquer approach

• Build a simple ALU which implements sensitive operations (ROT, ADD, XOR, S[key])

• Make it power analysis resistant (Continue Research: IC layer, glu-logical, Computer Architecture)

• Design control logical normally (8bit CPU or ROM based Machine)

Control: CPU or ROM Based Machine

sequencercontrol

datapath control

micro-PC-sequencer:fetch,dispatch,sequential

microinstruction ()

DispatchROMOpcode

-Code ROM

DecodeDecode

To DataPath

Decoders implement our -code language:

For instance:rt-ALUrd-ALUmem-ALU

ALU & SBox

S[Akey]

WEEN

SBoxAKey[7:0]

+

8ns

8

ROT

10ns

XOR

8ns

8

•Basic Units:ROTADDXORSBox

•Shielding will be less complex•Communication: (ALU, Sbox, Ctrl)

ALU

ADVANTAGES

• Smaller than an entire cipher• reduce cost of expensive

techniques• Easier to apply complex

design principles• Model interactions• Reused

S[key]

CPUALU

SBOX

IO

PROBLEMS:

• communication between controller and ALU can be slow

• Asynchronous (Req, Ack, ALU takes more than one clock cycle time)

• Synchronous (ALU need run in a fast clock rate)

• some cipher specific techniques (eg. Randomized Sbox lookups) are harder to apply

References

• Smart Cards: http://www.sjug.org/jcsig/others/smart_card.htm

• Differential Power Analysis: http://www.cryptography.com/dpa/Dpa.pdf