Dina Kamel

A formal study of power variability issues and side-channel attacks for nanoscale devices

Variability is a central issue in deep submicron technologies, in which it becomes increasingly difficult to produce two chips with the same behavior. While the impact of variability is well understood from the microelectronic point of view, very few works investigated its significance for cryptographic implementations. This is an important concern as 65-nanometer and smaller technologies are soon going to equip an increasing number of security-enabled devices. Based on measurements performed on 20 prototype chips of an AES S-box, this paper provides the first comprehensive treatment of variability issues for side-channel attacks. We show that technology scaling implies important changes in terms of physical security. First, common leakage models (e.g. based on the Hamming weight of the manipulated data) are no longer valid as the size of transistors shrinks, even for standard CMOS circuits. This impacts both the evaluation of hardware countermeasures and formal works assuming that independent computations lead to independent leakage. Second, we discuss the consequences of variability for profiled side-channel attacks. We study the extend to which a leakage model that is carefully profiled for one device can lead to successful attacks against another device. We also define the perceived information to quantify this context, which generalizes the notion of mutual information with possibly degraded leakage models. Our results exhibit that existing side-channel attacks are not perfectly suited to this new context. They constitute an important step in better understanding the challenges raised by future technologies for the theory and practice of leakage resilient cryptography.

Nanometer MOSFET effects on the minimum-energy point of 45nm subthreshold logic

In this paper, we observe that minimum energy <i>E_min</i> of subthreshold logic dramatically increases when reaching 45nm node. We demonstrate by circuit simulation and analytical modeling that this increase comes from the combined effects of variability, gate leakage and DIBL. We then investigate the new impact of MOSFET parameters on <i>E_min</i> in nanometer technologies. We finally propose an optimum MOSFET selection intended for subthreshold circuit designers, which favors low-<i>V_t</i> mid-<i>L_g</i> devices in standard 45nm GP technology. The use of such optimum MOSFETs yields 35% <i>E_min</i> reduction for a benchmark multiplier with good speed performances and negligible area overhead.

Side-channel attacks from static power: when should we care?

Static power consumption is an increasingly important concern when designing circuits in deep submicron technologies. Besides its impact for low-power implementations, recent research has investigated whether it could lead to exploitable side-channel leakages. Both simulated analyses and measurements from FPGA devices have confirmed that such a static signal can indeed lead to successful key recoveries. In this respect, the main remaining question is whether it can become the target of choice for actual adversaries, especially since it has smaller amplitude than its dynamic counterpart. In this paper, we answer this question based on actual measurements taken from an AES S-box prototype chip implemented in a 65-nanometer CMOS technology. For this purpose, we first provide a fair comparison of the static and dynamic leakages in a univariate setting, based on worst-case information theoretic analysis. This comparison confirms that the static signal is significantly less informative than the dynamic one. Next, we extend our evaluations to a multivariate setting. In this case, we observe that simple averaging strategies can be used to reduce the noise in static leakage traces. As a result, we mainly conclude that (a) if the target chip is working at maximum clock frequency (which prevents the previously mentioned averaging), the static leakage signal remains substantially smaller than the dynamic one, so has limited impact, and (b) if the adversary can reduce the clock frequency, the noise of the static leakage traces can be reduced arbitrarily. Whether the static signal leads to more informative leakages than the dynamic one then depends on the quality of the measurements (as the former one has very small amplitude). But it anyway raises a warning flag for the implementation of algorithmic countermeasures such as masking, that require high noise levels.

Scaling trends of the AES S-box low power consumption in 130 and 65 nm CMOS technology nodes

In the recent years, the power consumption of the AES (Advanced Encryption Standard) S-box has been a target for intensive optimization as the power budget of security enhanced RFID (Radio Frequency Identification Devices) tags is limited to a few µW. In this paper, 0.13 µm and 65 nm CMOS technology nodes are thoroughly investigated in order to select the most appropriate one in terms of power consumption and computation delay. Schematic simulation results of full custom S-boxes show that the optimum choice in our context is the LP (Low Power) flavor of the 65 nm node with Standard Vt (SVT) devices. This leads to a power consumption below 100 nW at 100 kHz using nominal 1.2 V supply voltage, which is an order of magnitude lower than what was previously published in the open literature. The reported delay is 2.35 ns. Our study then extends the reduction of the power consumption further by reducing the supply voltage. The power consumption at 100 kHz decreases by 60 % as the supply voltage is reduced to 0.8 V.

Glitch-induced within-die variations of dynamic energy in voltage-scaled nano-CMOS circuits

Variability strongly impacts performances of nanometer CMOS digital circuits. In this paper, we experimentally study the effects of variability on dynamic energy consumption of 65nm logic circuits, considering deep voltage scaling for low-power applications. While we confirm that variations in dynamic energy at 1V are small and dominated by die-to-die correlated capacitance fluctuations, we report for the first time that within-die uncorrelated delay variability magnifies dynamic energy variations at lower voltages by a factor 5×. Indeed, random glitches are generated by variability-induced unbalanced logic paths, which affect the activity factor of combinatorial circuits. The associated normalized dynamic power variations at 0.4V are comparable to die-to-die leakage power variations.

Strong PUFs and their (physical) unpredictability: a case study with power PUFs

Physically Unclonable Functions are more and more important in the design of secure hardware, as they can ensure properties that conventional cryptography can not. In this paper we clarify the relations between strong PUFs and their unpredictability. For this purpose we first introduce an alternative definition for physical unpredictability, where the adversary can probe the physical responses of the Physical Function. We then illustrate physical unpredictability with a new instance of a PUF, based on the variability of the power consumption of a 65-nanometer chip. For this new PUF, we also evaluate the relation between robustness, unclonability and physical unpredictability. Our new definitions highlights the importance for designers to take into account if physical probing is possible or not (since the power of modeling attacks highly depends on this assumption). It also suggests that physical unpredictability is a generally useful tool for evaluating the unclonability of PUFs (since it can generate warning signals regarding the independence assumption that is frequently exploited for this purpose).

Understanding the limitations and improving the relevance of SPICE simulations in side-channel security evaluations

Simulation is a very powerful tool for hardware designers. It generally allows the preliminary evaluation of a chip’s performance before its final tape out. As security against side-channel attacks is an increasingly important issue for cryptographic devices, simulation also becomes a desirable option for preliminary evaluation in this case. However, its relevance highly depends on the proper modeling of all the attack peculiarities. For example, several works in the literature directly exploit SPICE-like simulations without considering measurement peripherals. But the outcome of such analyses may be questionable, as witnessed by the recent results of Renauld et al. at CHES 2011, which showed how far the power traces of an AES S-box implemented using a dynamic and differential logic style fabricated in 65nm CMOS can lie from their post-layout simulations. One important difference was found in the linear dependencies between the (simulated and actual) traces and the S-box input/output bits. While simulations exhibited highly non-linear traces, actual measurements were much more linear. As linearity is a crucial parameter for the application of non-profiled side-channel attacks (which are only possible under the assumption of “sufficiently linear leakages”), this observation motivated us to study the reasons of such differences. Consequently, this work discusses the relevance of simulation in security evaluations, and highlights its dependency on the proper modeling of measurement setups. For this purpose, we present a generic approach to build an adequate model to represent measurement artifacts, based upon real data from equipment providers for our AES S-box case study. Next, we illustrate the transformation of simulated leakages, from highly non-linear to reasonably linear, exploiting our model and regression-based side-channel analysis. While improving the relevance of simulations in security evaluations, our results also raise doubts regarding the possibility to design dual-rail implementations with highly non-linear leakages.

Enhanced performance of SERDES current-mode output driver using 0.13 µm PD SOI CMOS

A current-mode output driver that supports SERDES applications is implemented using 0.13 µm Bulk and PD SOI CMOS technologies. Schematic simulation results confirm the enhanced performance of PD SOI for very high-speed interfaces. The PD SOI current-mode driver shows a 3 times lower data dependent jitter than the Bulk current-mode driver at the same 3.125 Gbps data rate of XAUI standard.

Demonstrating an LPPN Processor

Secure authentication is a necessary feature for the deployment of low-cost IoT devices. Due to their conceptual simplicity, protocols based on the Learning Parity with Noise (LPN) problem have been proposed as promising candidates for this purpose. However, recent research has shown that some implementation issues may limit the practical relevance of such protocols. First, they require a (Pseudo) Random number Generator (RNG) which may be expensive. Second, this RNG may be an easy target for side-channel analysis. The recently introduced Learning with Physical Noise (LPPN) assumption aims at mitigating these two issues. It removes the need of an RNG by directly performing erroneous computations, which is expected to lead to more efficient implementations and improved side-channel security. So far, the LPPN assumption has only been analyzed mathematically, and its feasibility discussed based on simulations, putting forward the possibility to control the error rate of an implementation thanks to frequency/voltage overscaling. In this paper, we confirm these promises by demonstrating a first prototype implementation of LPPN in a 28nm FDSOI CMOS technology which occupies an area of 19,400 μ m ^2

Towards Securing Low-Power Digital Circuits with Ultra-Low-Voltage Vdd Randomizers

. We used a mixed 512-bit parallel/serial architecture in order to limit the exploitation of data-dependent errors with so-called filtering attacks. We additionally designed an on-chip feedback loop that adjusts a variable delay line in order to control the error rate, which prevents other attacks altering external parameters such as the supply voltage, operating temperature and clock frequency. Measurement results show that a simple authentication protocol based on LPPN would consumes 1 μJ per authentication at 0.45V supply. Combined with the excellent algorithmic properties of LPPN regarding security against side-channel and fault attacks, these concrete feasibility results therefore open the way towards the design of full authentication systems with high physical security, at lower cost than standard solutions based on block ciphers.