Download - Smart card security
1
Smart card security
Speaker: 陳 育 麟
Advisor: 陳 中 平 教授
2
Outline
Introduction of SCAs Cryptographic Algorithms Measurements Hamming Weight Simple Power Attack (SPA) Differential Power Attack (DPA) Countermeasures My Countermeasure: EPS Conclusion for EPS
3
Introduction of SCAs Side channel attacks (SCAs)
Security ICs are vulnerable to Side-Channel Attacks (SCAs). SCAs find the secret key by monitoring the power consumption, timing information, or electromagnetic radiation that is leaked by the switching behavior of digital CMOS gates, rather than theoretical weaknesses in the algorithms.
Cryptographic processing(Encrypt / Decrypt)
Secret keys
Input message
Output message
Side-channel Information:• Power consumption• Electromagnetic radiation• Timing …
Our focus
4
Introduction of SCAs (cont’) What kinds of SCAs?
1. Differential Fault Analysis (DFA) - Biham-Shamir (1997) 2.Timing Attacks - Kocher (1996) 3. Simple Power Analysis (SPA) - Kocher, Jaffe, Jun (1998) 4. Differential Power Analysis (DPA) - Kocher, Jaffe, Jun (1998)
Not very accurate!
Very accurate!
5
Cryptographic Algorithms
Data Encryption Standard (DES) Advanced Encryption Standard (AES) RSA Elliptic curve …
These cryptographic algorithms can be implemented by either software programming or specific hardware circuit.
6
Measurements
Tools Destructive Measurement Non-destructive Measurement
7
Measurements (cont’)
Tools
Current probe
Oscilloscope
Voltage probe
8
Measurements (1)
Destructive MeasurementA small resistor (e.g., 50Ω) is inserted in series with Vdd or GND.
decoupling capacitor
voltage probe
oscilloscope
IC VR
output
RVdd
GND
9
Measurements (2)
Non-destructive MeasurementWe need not modify the original circuit.
decoupling capacitor
current probe
oscilloscope
IC IVdd
IGND
output
Vdd
GND
10
Hamming Weight
Hamming Weight vs. Power Consumption
Vo
ltage o
r C
urren
t
Suggest that this curve is the power consumption profile of XOR.
11
Simple Power Attack (SPA)
Directly interpret the power consumption
rotate add conditional branch
ROTATE X1 ROTATE X2
1,2,3 … 16
2nd 3rdDifferent microprocessor instructions consume different power. Thus, the power consumption profiles are different.
12
Differential Power Attack (DPA) Use extra statistical methods
)])([(),(
),(,),(),( **
YX
YXY
Y
X
X
YXEYXCov
YXCovYXCovYXCovYX
13
Countermeasures
Power Consumption Balancing
consume (μW) compensate (μW) total (μW)
INST1 10 2 12
INST2 11 1 12
INST3 11.5 0.5 12
INST4 12 0 12
Table 1.
This technique is suitable to logic-level synthesis, but its performance is limit.
14
Countermeasures (1)
Addition of NoiseTo make the power consumption profile blur!
random digits VCODAC
C
random digits
oscillatorC
2C
4C
sw
sw
swfP dynamic
LCP dynamic
To guarantee the efficiency of these two methods, the frequency of the random digit generation might be several time higher than the frequency of the system clock, and the magnitude of the noise might be a lot larger than the original system. Thus, the power consumption is very high. By the way, the area overhead is too high.
Not resistant to DPA attack!Not a complete solution!
Related patent:US 6,327,661
15
Countermeasures (2.1)
Isolation circuit (1)
Patrick Rakers, Larry Connell, Tim Collins, D Russell “Secure Contactless Smartcard ASIC with DPA Protection”, IEEE Journal of Solid-State Circuits, 2001.
“…Of course, the finite rds and capacitive coupling from drain to gate of MP1 limit the extent of the isolation…,” the paper said.
Use an RC low-pass filter to blur the power consumption.
But …
Not blurred enough!Not power efficient!
Therefore …
16
Countermeasures (2.2)
Isolation circuit (2)
smart card smart card IC regulator IC
capacitor
17
Countermeasures (2.3)
Isolation circuit (3)
Quoted from:US Patent: 6,510,518 (Jan, 21, 2003)“Balanced Cryptographic Computational Method and Apparatus for Leak Minimization in SmartCards and Other Cryptosystems”
18
Countermeasures (3.1)
WDDL (1)WDDL stands for Wave Dynamic Differential Logic.It is based on ‘constant power consumption technique’.
K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, and I. Verbauwhede, “A Side-Channel Leakage Free Coprocessor IC in 0.18μm CMOS for Embedded AES-based Cryptographic and Biometric Processing”, DAC, June 2005.
19
Countermeasures (3.2)
WDDL (2) WDDL / Standard CMOS:Area: 3XPower Consumption: 13.5XSpeed: 0.24X
WDDL Standard CMOS
Dynamic logic is sensitive to noise!
The overheads are too high!
Not an economic method!
But …
Resistant to both SPA and DPA attack!
The power consumption profile is completely blurred!
It is an effective method!
20
Countermeasures (3.3)
WDDL: Input buffers
I
Otrue
Ofalse
M1
clk = 0: precharge
clk = 1: evaluation
clk
I
Ofalse
Otrue
pre preeval evalI
Otrue
Ofalse
clk = 0: precharge
clk = 1: evaluation
clk
clk
21
Countermeasures (3.4)
SDDL: Core INV gates
Otrue
Ofalseclk
I false
I trueOtrue
Ofalse
I false
I true
clk
Core SDDL INV Gate (n-logic)
Core SDDL INV Gate (p-logic)
22
Countermeasures (3.5)
SDDL: Output buffers
Otrue
Ofalseclk
I false
I trueOtrue
Ofalse
I false
I true
clk
Core SDDL INV Gate (n-logic)
Core SDDL INV Gate (p-logic)
23
My Countermeasure: EPS
Embedded Power Supply (EPS) Technology:Charge sharing phenomenon.Dynamic regulation.
Main goal:1. Resistant to both SPA and DPA attack! 2. To make the power consumption profile completely blurred! (like ‘addition of noise’ or ‘WDDL’) 3. Area overhead: less than 10%4. On the power consumption side, very little is increased! (not more than 5%)5. On the performance side, very little is lost! (not more than 5%) 6. Very easy to integrate with other circuits!
24
My Countermeasure: EPS (cont’) Embedded Power Supply (EPS)
ENCRYPT
chargepre-storingcapacitor
Cps
(1 ~ 3) VDD, min
secure circuit
VDD
other circuits
||min, tptnDD VVV
During the encryption, the pMOS is off and the secure circuit uses the charges of the charge pre-storing capacitor to do the encryption. Thus, no side-channel information is leaked during the encryption.
By institute, the charge pre-storing capacitor is very large; therefore, It needs improvement.
The minimum supply voltage of standard CMOS logic is:
25
My Countermeasure: EPS (cont’) Improvement for EPS
encrypt
chargepre-storingcapacitor
Cps’
secure circuits
VDD
other circuits
SMT
system clock
Vref
QD
CK
secure clock
nQ
VEPS
VIPS
level shifter
This improvement takes more clocks to finish an encryption. However, this weakness can be avoided by using two charge pre-storing capacitor.
26
My Countermeasure: EPS (cont’) Further Improvement for EPS
nCH1
secure circuits
VDD
other circuits
SMT
system clock
Vref
secure clock
VEPS
VIPS
level shifter
Cps1
nCH2
nPW1 nPW2
control logic
Cps2
If the secure circuit is positive edge-triggered, the control logic will be negative edge-triggered.
27
Conclusion for EPS
Capacitor size:Cps >> Cps’ > Cps1 = Cps2
Area overhead:less than 10%
On the power consumption side, very little has been increased!
On the performance side, very little has been lost! Resistant to both SPA and DPA attack.
ENCRYPT
chargepre-storingcapacitor
Cps
(1 ~ 3) VDD, min
secure circuit
VDD
other circuits
nCH1
secure circuits
VDD
other circuits
SMT
system clock
Vref
secure clock
VEPS
VIPS
level shifter
Cps1
nCH2
nPW1 nPW2
control logic
Cps2
encrypt
chargepre-storingcapacitor
Cps’
secure circuits
VDD
other circuits
SMT
system clock
Vref
QD
CK
secure clock
nQ
VEPS
VIPS
level shifter
28
Thank you!