Chenglu Jin

Security analysis of concurrent error detection against differential fault analysis

Differential fault analysis (DFA) poses a significant threat to advanced encryption standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults, the resulting fault coverage indicates the security of CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.

NREPO: Normal basis Recomputing with Permuted Operands

Hardware implementations of cryptographic algorithms are vulnerable to natural and malicious faults. Concurrent Error Detection (CED) can be used to detect these faults. We present NREPO, a CED which does not require redundant computational resources in the design. Therefore, one can integrate it when computational resources are scarce or when the redundant resources are difficult to harness for CED. We integrate NREPO in a low-cost Advanced Encryption Standard (AES) implementation with 8-bit datapath. We show that NREPO has 25 and 50 times lower fault miss rate than robust code and parity, respectively. The area, throughput, and power are compared with other CEDs on 45nm ASIC. The hardware overhead of NREPO is 34.9%. The throughput and power are 271.6Mbps and 1579.3μW, respectively. One can also implement NREPO in other cryptographic algorithms.

Phase calibrated ring oscillator PUF design and implementation on FPGAs

A ring oscillator physical unclonable function (RO PUF) is an application-constrained hardware security primitive that can be used for authentication and key generation. PUFs depend on variability during the fabrication process to produce random outputs that are nevertheless stable across multiple measurements. Unfortunately, RO PUFs are known to be unstable especially when implemented on an Field Programmable Gate Array (FPGA). In this work, we comprehensively evaluate the RO PUFs stability on FPGAs, and we propose a phase calibration process to improve the stability of RO PUFs. The results show that the bit errors in our PUFs are reduced to less than 1%.

Advancing the state-of-the-art in hardware Trojans design

Electronic Design Automation (EDA) industry heavily reuses third party IP cores which are vulnerable to insertion of Hardware Trojans (HTs) at design time by third party IP core providers. State of the art research has shown that existing HT detection techniques, which claim to detect all publicly available HT benchmarks, can still be defeated by carefully designing new sophisticated HTs. The reason being that these techniques consider the HT landscape to be limited only to the publicly known HT benchmarks. However the adversary is not limited to these HTs and may devise new HT design principles to bypass these countermeasures. In this paper, we discover certain crucial properties of trigger activated HTs which lead to the definition of an exponentially large class of Deterministic Hardware Trojans HD that an adversary can (but is not limited to) design. The discovered properties serve as HT design principles which help us understand the tremendous ways available to an adversary to design a HT, and show that the existing publicly known HT benchmarks are just the tip of the iceberg on this huge landscape.

New clone-detection approach for RFID-based supply chains

Radio-Frequency Identification (RFID) tags have been widely used as a low-cost wireless method for detection of counterfeit product injection in supply chains. In order to adequately perform authentication, current RFID monitoring schemes need to either have a persistent online connection between supply chain partners and the back-end database or have a local database on each partner site. A persistent online connection is not guaranteed and local databases on each partner site impose extra cost and security issues. We solve this problem by introducing a new scheme in which a small Non-Volatile Memory (NVM) embedded in RFID tag is used to function as a tiny “encoded local database”. In addition our scheme resists “tag tracing” so that each partners operation remains private. Our scheme can be implemented in less than 1200 gates satisfying current RFID technology requirements.

Can Algorithm Diversity in Stream Cipher Implementation Thwart (Natural and) Malicious Faults

Hardware implementations of stream and other ciphers are vulnerable to natural faults. Moreover, attackers can launch fault attacks on these implementations. Concurrent error detection is used as a countermeasure against natural and malicious faults. We propose an algorithm diversity (AD) to detect natural and malicious faults in stream ciphers. We compare AD with hardware, time, and information redundancies. Hardware redundancy has 100% hardware overhead, but is not secure against fault attacks. Time redundancy has lower hardware overhead, but is vulnerable to faults that are injected in both the computation and recomputation. Information redundancy techniques, such as parity, cannot detect an even number of faulty bits. Information redundancy techniques, such as robust code, have higher fault miss rate (FMR) with higher hardware overhead. If robust code is configured to have lower FMR than AD in certain attacker model, the hardware overhead is excessively high. AD provides higher security compared to existing techniques. It enables a cost-effective tradeoff between security, performance overhead, and hardware overhead.

Mitigating Synchronized Hardware Trojan Attacks in Smart Grids

A hardware Trojan is a malicious circuit inserted into a device by a malicious designer or manufacturer in the circuit design or fabrication phase. With the globalization of semiconductor industry, more and more chips and devices are designed, integrated and fabricated by untrusted manufacturers, who can potentially insert hardware Trojans for launching attacks after the devices are deployed. Moreover, the most damaging attack in a smart grid is a large scale electricity failure, which can cause very serious consequences that are worse than any disaster. Unfortunately, this attack can be implemented very easily by synchronized hardware Trojans acting as a collective offline time bomb; the Trojans do not need to interact with one another and can affect a large fraction of nodes in a power grid. More sophisticatedly, this attack can also be realized by online hardware Trojans which keep listening to the communication channel and wait for a trigger event to trigger their malicious payloads; here, a broadcast message triggers all the Trojans at the same time. In this paper, we address the offline synchronized hardware Trojan attack, as it does not require the adversary to penetrate the power grid network for sending triggers. We classify two types of offline synchronized hardware Trojan attacks as type A and B: type B requires communication between different nodes, and type A does not. The hardware Trojans needed for type B turn out to be much more complex (and therefore larger in area size) than those for type A. In order to prevent type A attacks we suggest to enforce each power grid node to work in an unique time domain which has a random time offset to Universal Coordinated Time (UTC). This isolation principle can mitigate type A offline synchronized hardware Trojan attacks in a smart grid, such that even if hardware Trojans are implanted in functional units, e.g. Phasor Measurement Units (PMUs) and Remote Terminal Units (RTUs), they can only cause a minimal damage, i.e. sporadic single node failures. The proposed solution only needs a trusted Global Positioning System (GPS) module which provides the correct UTC together with small additional interface circuitry. This means that our solution can be used to protect the current power grid infrastructure against type A offline attacks without replacing any untrusted functional unit, which may already have embedded hardware Trojans.

FPGA Implementation of a Cryptographically-Secure PUF Based on Learning Parity with Noise

Herder et al. (IEEE Transactions on Dependable and Secure Computing, 2017) designed a new computational fuzzy extractor and physical unclonable function (PUF) challenge-response protocol based on the Learning Parity with Noise (LPN) problem. The protocol requires no irreversible state updates on the PUFs for security, like burning irreversible fuses, and can correct for significant measurement noise when compared to PUFs using a conventional (information theoretical secure) fuzzy extractor. However, Herder et al. did not implement their protocol. In this paper, we give the first implementation of a challenge response protocol based on computational fuzzy extractors. Our main insight is that “confidence information” does not need to be kept private, if the noise vector is independent of the confidence information, e.g., the bits generated by ring oscillator pairs which are physically placed close to each other. This leads to a construction which is a simplified version of the design of Herder et al. (also building on a ring oscillator PUF). Our simplifications allow for a dramatic reduction in area by making a mild security assumption on ring oscillator physical obfuscated key output bits.

Secure and Efficient Initialization and Authentication Protocols for SHIELD

With the globalization of semiconductor production, out-sourcing IC fabrication has become a trend in various aspects. This, however, introduces serious threats from the entire untrusted supply chain. To combat these threats, Defense Advanced Research Projects Agency (DARPA) proposed in 2014 the Supply Chain Hardware Integrity for Electronics Defense (SHIELD) program to design a secure hardware root-of-trust, called dielet, to be inserted into the host package of legitimately produced ICs. Dielets are RF powered and communicate with the outside world through their RF antennas. They have sensors which allow them to passively (without the need for power) record malicious events which can later be read out during an authentication protocol between the dielet and server with a smartphone as intermediary. This paper introduces a general framework for the initialization and authentication protocols in SHIELD with different adversarial models based on formally-defined security games. We introduce a “try-and-check” attack against DARPAs example authentication protocol in their call for SHIELD proposals which nullifies the effectiveness of SHIELDs main goal of being able to detect and trace adversarial activities with significant probability. We introduce the first concrete initialization protocol and, compared to DARPAs example authentication protocol, introduce an improved authentication protocol which resists the try-and-check attack. The area overhead of our authentication and initialization protocols together is only 64-bit NVM, one 8-bit counter and a TRNG based on a single SRAM-cell together with corresponding control logic. Our findings and rigorous analysis are of utmost importance for the teams which received DARPAs funding for implementing SHIELD.

Simulation and analysis of negative-bias temperature instability aging on power analysis attacks

Transistor aging is an important failure mechanism in nanoscale designs and is a growing concern for the reliability of future systems. Transistor aging results in circuit performance degradation over time and the ultimate circuit failure. Among aging mechanisms, Negative-Bias Temperature Instability (NBTI) has become the leading limiting factor of circuit lifetime. While the impact of transistor aging is well understood from the device point of view, very little is known about its impact on security, and in particular on power analysis attack. This paper fills the gap by evaluating the effects on power analysis attack. Our experimental results obtained using PRESENT algorithm show that CPA attacks are not significantly affected by aging, while the successful rate of template attack changes significantly.