smart card security

Post on 06-Jan-2016


1

Smart card security

Speaker: 陳 育 麟

Advisor: Professor 陳 中 平

2

Outline

• Introduction of SCAs
• Cryptographic Algorithms
• Measurements
• Hamming Weight
• Simple Power Attack (SPA)
• Differential Power Attack (DPA)
• Countermeasures
• My Countermeasure: EPS
• Conclusion for EPS

3

Introduction of SCAs

Side channel attacks (SCAs)

Security ICs are vulnerable to Side-Channel Attacks (SCAs). SCAs find the secret key by monitoring the power consumption, timing information, or electromagnetic radiation that is leaked by the switching behavior of digital CMOS gates, rather than theoretical weaknesses in the algorithms.

[Figure: block diagram. Cryptographic processing (Encrypt / Decrypt) with secret keys, an input message and an output message.]

Side-channel information:
• Power consumption
• Electromagnetic radiation
• Timing …

Our focus

4

Introduction of SCAs (cont’)

What kinds of SCAs?

1. Differential Fault Analysis (DFA) - Biham-Shamir (1997)
2. Timing Attacks - Kocher (1996)
3. Simple Power Analysis (SPA) - Kocher, Jaffe, Jun (1998)
4. Differential Power Analysis (DPA) - Kocher, Jaffe, Jun (1998)

Not very accurate!

Very accurate!

5

Cryptographic Algorithms

• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• RSA
• Elliptic curve
• …

These cryptographic algorithms can be implemented by either software programming or specific hardware circuit.

6

Measurements

• Tools
• Destructive Measurement
• Non-destructive Measurement

7

Measurements (cont’)

Tools

Current probe

Oscilloscope

Voltage probe

8

Measurements (1)

Destructive Measurement

A small resistor (e.g., 50 Ω) is inserted in series with Vdd or GND.

[Figure: measurement circuit. Labels: decoupling capacitor, voltage probe, oscilloscope, IC, VR, output, R, Vdd, GND.]

9

Measurements (2)

Non-destructive Measurement

We need not modify the original circuit.

[Figure: measurement circuit. Labels: decoupling capacitor, current probe, oscilloscope, IC, IVdd, IGND, output, Vdd, GND.]

10

Hamming Weight

Hamming Weight vs. Power Consumption

[Plot: vertical axis labelled “Voltage or Current”.]

Suppose that this curve is the power consumption profile of XOR.

11

Simple Power Attack (SPA)

Directly interpret the power consumption.

[Figure: power trace. Labels: rotate, add, conditional branch; ROTATE X1, ROTATE X2; 1, 2, 3 … 16; 2nd, 3rd.]

Different microprocessor instructions consume different power. Thus, the power consumption profiles are different.

12

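Differential Power Attack (DPA)

Use extra statistical methods

$$\mathrm{Cov}(X,Y) = E[(X-\mu_X)(Y-\mu_Y)]$$

$$\rho(X,Y) = \mathrm{Cov}(X^*,Y^*) = \mathrm{Cov}\left(\frac{X-\mu_X}{\sigma_X},\ \frac{Y-\mu_Y}{\sigma_Y}\right) = \frac{\mathrm{Cov}(X,Y)}{\sigma_X\,\sigma_Y}$$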

13

Countermeasures

Power Consumption Balancing

Table 1.

         consume (μW)    compensate (μW)    total (μW)
INST1    10              2                  12
INST2    11              1                  12
INST3    11.5            0.5                12
INST4    12              0                  12

This technique is suitable for logic-level synthesis, but its performance is limited.

14

Countermeasures (1)

Addition of Noise

To blur the power consumption profile!

[Figure: two noise-generating circuits. Labels: random digits, DAC, VCO, P dynamic, f sw; random digits, oscillator, sw, C, 2C, 4C, P dynamic, C L.]

To guarantee the effectiveness of these two methods, the frequency of the random digit generation might have to be several times higher than the system clock frequency, and the magnitude of the noise might have to be a lot larger than that of the original system. Thus, the power consumption is very high. The area overhead is also too high.

Not resistant to DPA attack!

Not a complete solution!

Related patent: US 6,327,661
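Added example (not part of the original slides): a small simulation of why added noise alone does not remove the leakage, using the correlation coefficient from the DPA slide. The leakage model (power sample = Hamming weight of a byte + Gaussian noise), the function names and all parameter values are assumptions constructed for illustration.

```python
import random
from statistics import fmean, pstdev


def hamming_weight(value: int) -> int:
    """Number of 1 bits in value."""
    return bin(value).count("1")


def pearson(xs, ys):
    """rho(X,Y) = Cov(X,Y) / (sigma_X * sigma_Y), as on the DPA slide."""
    mx, my = fmean(xs), fmean(ys)
    cov = fmean((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (pstdev(xs) * pstdev(ys))


def leakage_correlation(n_values, noise_sigma, repeats=1, seed=2016):
    """Correlation between Hamming weight and simulated power samples.

    Assumed model (constructed, not measured): sample = HW(byte) + Gaussian
    noise of standard deviation noise_sigma. `repeats` measurements of the
    same byte are averaged, as an evaluator does when acquiring traces.
    """
    rng = random.Random(seed)
    hw = [hamming_weight(rng.randrange(256)) for _ in range(n_values)]
    power = [
        fmean(h + rng.gauss(0.0, noise_sigma) for _ in range(repeats))
        for h in hw
    ]
    return pearson(hw, power)


if __name__ == "__main__":
    # No noise, heavy noise, heavy noise with 64 averaged measurements.
    for sigma, repeats in [(0.0, 1), (8.0, 1), (8.0, 64)]:
        rho = leakage_correlation(2000, sigma, repeats)
        print(f"noise sigma={sigma:4.1f} repeats={repeats:3d} rho={rho:.3f}")
```

In this model the correlation drops when noise is added but does not vanish, and it rises again once repeated measurements are averaged, which is why a leakage assessment of a noise-based countermeasure has to be run over many traces.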

15

Countermeasures (2.1)

Isolation circuit (1)

Patrick Rakers, Larry Connell, Tim Collins, D Russell “Secure Contactless Smartcard ASIC with DPA Protection”, IEEE Journal of Solid-State Circuits, 2001.

“…Of course, the finite rds and capacitive coupling from drain to gate of MP1 limit the extent of the isolation…,” the paper said.

Use an RC low-pass filter to blur the power consumption.

But …

Not blurred enough!

Not power efficient!

Therefore …

16

Countermeasures (2.2)

Isolation circuit (2)

[Figure labels: smart card, smart card IC, regulator IC, capacitor.]

17

Countermeasures (2.3)

Isolation circuit (3)

Quoted from: US Patent 6,510,518 (Jan. 21, 2003), “Balanced Cryptographic Computational Method and Apparatus for Leak Minimization in SmartCards and Other Cryptosystems”

18

Countermeasures (3.1)

WDDL (1)

WDDL stands for Wave Dynamic Differential Logic.

It is based on the ‘constant power consumption technique’.

K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, and I. Verbauwhede, “A Side-Channel Leakage Free Coprocessor IC in 0.18μm CMOS for Embedded AES-based Cryptographic and Biometric Processing”, DAC, June 2005.

19

Countermeasures (3.2)

WDDL (2)

WDDL / Standard CMOS:
• Area: 3X
• Power Consumption: 13.5X
• Speed: 0.24X

WDDL Standard CMOS

Dynamic logic is sensitive to noise!

The overheads are too high!

Not an economic method!

But …

Resistant to both SPA and DPA attack!

The power consumption profile is completely blurred!

It is an effective method!

20

Countermeasures (3.3)

WDDL: Input buffers

[Figure: input buffer circuits and timing diagram (pre / eval phases). Signals: I, Otrue, Ofalse, clk, M1. clk = 0: precharge; clk = 1: evaluation.]

21

Countermeasures (3.4)

SDDL: Core INV gates

[Figure: Core SDDL INV Gate (n-logic) and Core SDDL INV Gate (p-logic). Signals: I true, I false, Otrue, Ofalse, clk.]

22

Countermeasures (3.5)

SDDL: Output buffers

[Figure: captions read Core SDDL INV Gate (n-logic) and Core SDDL INV Gate (p-logic). Signals: I true, I false, Otrue, Ofalse, clk.]

23

My Countermeasure: EPS

Embedded Power Supply (EPS) Technology:
• Charge sharing phenomenon.
• Dynamic regulation.

Main goal:
1. Resistant to both SPA and DPA attack!
2. To make the power consumption profile completely blurred! (like ‘addition of noise’ or ‘WDDL’)
3. Area overhead: less than 10%
4. On the power consumption side, very little is increased! (not more than 5%)
5. On the performance side, very little is lost! (not more than 5%)
6. Very easy to integrate with other circuits!

24

My Countermeasure: EPS (cont’)

Embedded Power Supply (EPS)

[Figure: EPS circuit. Labels: ENCRYPT, charge pre-storing capacitor Cps, (1 ~ 3) VDD,min, secure circuit, VDD, other circuits.]

During the encryption, the pMOS is off and the secure circuit uses the charge stored in the charge pre-storing capacitor to do the encryption. Thus, no side-channel information is leaked during the encryption.

Intuitively, the charge pre-storing capacitor is very large; therefore, it needs improvement.

The minimum supply voltage of standard CMOS logic is:

$$V_{DD,\min} = V_{tn} + |V_{tp}|$$

25

My Countermeasure: EPS (cont’)

Improvement for EPS

[Figure: improved EPS circuit. Labels: encrypt, charge pre-storing capacitor Cps’, secure circuits, VDD, other circuits, SMT, system clock, Vref, D, Q, CK, nQ, secure clock, VEPS, VIPS, level shifter.]

This improvement takes more clock cycles to finish an encryption. However, this weakness can be avoided by using two charge pre-storing capacitors.

26

My Countermeasure: EPS (cont’)

Further Improvement for EPS

[Figure: EPS circuit with two capacitors. Labels: nCH1, nCH2, nPW1, nPW2, Cps1, Cps2, control logic, secure circuits, VDD, other circuits, SMT, system clock, Vref, secure clock, VEPS, VIPS, level shifter.]

If the secure circuit is positive edge-triggered, the control logic will be negative edge-triggered.

27

Conclusion for EPS

Capacitor size: Cps >> Cps’ > Cps1 = Cps2

Area overhead: less than 10%

On the power consumption side, very little has been increased!

On the performance side, very little has been lost!

Resistant to both SPA and DPA attack.

[Figures: the three EPS circuits from the preceding slides, with capacitors Cps, Cps’, and Cps1 / Cps2.]

28

Thank you!
