Techniques to Prevent Power Analysis on Encryption Hardware
CS252 Final Project
By Shengliang Song & Nikita Borisov
Professor: Jan Rabaey & Kurt Keutzer
• Smart Card
• Differential Power Analysis
• Divide-and-conquer approach
Smart Card
• Processing Power (Intel 8051, Motorola 6805)
• Data Storage (EEPROM, FLASH, ROM, RAM)
• IO & Power Source (Contact, Contactless)
Smart Cards
• Power: A) Smart Card Reader, B) Inductive Coupling
• Synchronous: powered, clocked and addressed under control of the outside world
• Asynchronous: RF/ID and RF/DC
• ISO 7816-3 (similar to RS232 operating at 9600 baud with even parity)
Differential Power Analysis
• Semiconductor logic gates
– consuming power
– producing electromagnetic radiation
• DPA: plaintext or ciphertext => encryption or decryption keys
– Observes m encryption operations
– Captures power traces T[1..m][1..k] (k samples each)
– Records the ciphertexts C[1..m]
– Computes Delta D[1..k], the difference between the average of the traces for which D(c,b,ks) is one and the average of the traces for which D(c,b,ks) is zero
Measure a circuit's power consumption
• A small (50 ohm) resistor is inserted in series with the power or ground input
[Figure: measurement circuit. Labels: Vcc, Vout, R = 50 ohm, I = Vout/R]
DPA Traces
DEFENSES
• Still being studied
• Balancing computation with complements
• Splitting bits into randomized shares
• Special circuit design techniques
• Randomize order
• Complicated, costly
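An added example, not part of the original slides: a countermeasure check that computes the Delta D statistic from the DPA slide on simulated traces, first for a plain S-box lookup and then with the value split into randomized shares. The Hamming-weight leakage model, the one-sample traces, the shuffled S-box, the test key and all function names are assumptions made for this illustration.

```python
import random

def hamming_weight(x):
    return bin(x).count("1")

def capture(m, key, sbox, masked, rng, noise=1.0):
    """Simulate m one-sample power traces of an S-box lookup (constructed model)."""
    inputs, traces = [], []
    for _ in range(m):
        p = rng.randrange(256)
        v = sbox[p ^ key]                 # sensitive intermediate value
        if masked:
            r = rng.randrange(256)        # fresh random share for every operation
            v ^= r                        # the device only ever handles v^r and r
        inputs.append(p)
        # Assumed leakage: Hamming weight of the handled value plus Gaussian noise.
        traces.append(hamming_weight(v) + rng.gauss(0.0, noise))
    return inputs, traces

def difference_of_means(inputs, traces, key, sbox, bit=0):
    """Delta D: mean of traces with D=1 minus mean of traces with D=0."""
    ones = [t for p, t in zip(inputs, traces) if (sbox[p ^ key] >> bit) & 1]
    zeros = [t for p, t in zip(inputs, traces) if not (sbox[p ^ key] >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)

def evaluate(m=4000, seed=252):
    """Return Delta D for the unmasked and the masked simulated device."""
    rng = random.Random(seed)
    sbox = list(range(256))
    rng.shuffle(sbox)                     # constructed S-box, not from a real cipher
    key = 0x3C                            # constructed test key known to the evaluator
    results = {}
    for masked in (False, True):
        inputs, traces = capture(m, key, sbox, masked, rng)
        results["masked" if masked else "unmasked"] = difference_of_means(
            inputs, traces, key, sbox)
    return results

if __name__ == "__main__":
    for name, delta in evaluate().items():
        print(f"{name:9s} Delta D = {delta:+.3f}")
```

In this model the unmasked Delta D sits near one bit of Hamming weight while the masked one stays near zero; the check covers only single-sample (first-order) leakage.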
Divide-and-conquer approach
• Build a simple ALU which implements sensitive operations (ROT, ADD, XOR, S[key])
• Make it power analysis resistant (continuing research: IC layer, glue logic, computer architecture)
• Design the control logic normally (8-bit CPU or ROM-based machine)
Control: CPU or ROM Based Machine
[Figure: microcoded control unit. Labels: Opcode, Dispatch ROM, micro-PC sequencer (fetch, dispatch, sequential), micro-code ROM, microinstruction, Decode (sequencer control), Decode (datapath control), To DataPath]
Decoders implement our micro-code language.
For instance: rt-ALU, rd-ALU, mem-ALU
ALU & SBox
[Figure: ALU and SBox block diagram. Labels: S[Akey], WE, EN, SBox, AKey[7:0], +, 8ns, 8, ROT, 10ns, XOR, 8ns, 8, ALU]
• Basic units: ROT, ADD, XOR, SBox
• Shielding will be less complex
• Communication: (ALU, Sbox, Ctrl)
ADVANTAGES
• Smaller than an entire cipher
• Reduce cost of expensive techniques
• Easier to apply complex design principles
• Model interactions
• Reused
[Figure: block diagram. Labels: S[key], CPU, ALU, SBOX, IO]
PROBLEMS:
• Communication between controller and ALU can be slow
• Asynchronous (Req, Ack; ALU takes more than one clock cycle)
• Synchronous (ALU needs to run at a fast clock rate)
• Some cipher-specific techniques (e.g. randomized Sbox lookups) are harder to apply
References
• Smart Cards: http://www.sjug.org/jcsig/others/smart_card.htm
• Differential Power Analysis: http://www.cryptography.com/dpa/Dpa.pdf