Florent Flament

Evaluation of Power Constant Dual-Rail Logics Countermeasures against DPA with Design Time Security Metrics

Cryptographic circuits are nowadays subject to attacks that no longer focus on the algorithm but rather on its physical implementation. Attacks exploiting information leaked by the hardware implementation are called side-channel attacks (SCAs). Among these attacks, the differential power analysis (DPA) established by Paul Kocher et al. in 1998 represents a serious threat for CMOS VLSI implementations. Different countermeasures that aim at reducing the information leaked by the power consumption have been published. Some of these countermeasures use sophisticated back-end-level constraints to increase their strength. As suggested by some preliminary works (e.g., by Li from Cambridge University), the prediction of the actual security level of such countermeasures remains an open research area. This paper tackles this issue on the example of the AES SubBytes primitive. Thirteen implementations of SubBytes, in unprotected, WDDL, and SecLib logic styles with various back-end-level arrangements are studied. Based on simulation and experimental results, we observe that static evaluations on extracted netlists are not relevant to classify variants of a countermeasure. Instead, we conclude that the fine-grained timing behavior is the main reason for security weaknesses. In this respect, we prove that SecLib, immune to early-evaluation problems, is much more resistant against DPA than WDDL.

Countering early evaluation: an approach towards robust dual-rail precharge logic

Wave Dynamic Differential Logic (WDDL) is a hiding countermeasure to thrawt side channel attacks (SCA). It suffers from a vulnerability called Early Evaluation, i.e. calculating output before all inputs are valid. This causes delay biases in WDDL even when synthesized with positive gates. s a consequence, the design can be attacked, although with extra effort, through side channel. However, WDDL is an appealing logic since it has already been reported to natively resist against multiple asymmetric faults. In this article, we suggest a Dual Rail Precharge Logic (DPL), similar to WDDL, free from early evaluation by design. We demonstrate practically that the early evaluation accounts for major part of the leakage. We also provide basic guidelines for designing such a DPL. This DPL can resist against side channel attacks and fault attacks at the same time. In line with the current security evaluation methodology, we use differential power analysis and mutual information to compare the modified WDDL with the traditional WDDL. To compare robustness w.r.t security, we conduct a proof-of-concept experiment that compares the two logics with identical implementations (P&R) apart from the logic style. The sensitive side channel leakage is reduced by half in the DPL without the early evaluation flaw.

First principal components analysis: a new side channel distinguisher

Side Channel Analysis (SCA) are of great concern since they have shown their efficiency in retrieving sensitive information from secure devices. In this paper we introduce First Principal Components Analysis (FPCA) which consists in evaluating the relevance of a partitioning using the projection on the first principal directions as a distinguisher. Indeed, FPCA is a novel application of the Principal Component Analysis (PCA). In SCA like Template attacks, PCA has been previously used as a pre-processing tool. The originality of FPCA is to use PCA no more as a preprocessing tool but as a distinguisher. We conducted all our experiments in real life context, using a recently introduced practiceoriented SCA evaluation framework. We show that FPCA is more performant than first-order SCA (DoM, DPA, CPA) when performed on unprotected DES architecture. Moreover, we outline that FPCA is still efficient on masked DES implementation, and show how it outperforms Variance Power Analysis (VPA) which is a known successful attack on such countermeasures.

Combined SCA and DFA Countermeasures Integrable in a FPGA Design Flow

The main challenge when implementing cryptographic algorithms in hardware is to protect them against attacks that target directly the device. Two strategies are customarily employed by malevolent adversaries: observation and differential perturbation attacks, also called SCA and DFA in the abundant scientific literature on this topic. Numerous research efforts have been carried out to defeat respectively SCA or DFA. However, few publications deal with concomitant protection against both threats. The current consensus is to devise algorithmic countermeasures to DFA and subsequently to synthesize the DFA-protected design thanks to a DPA-resistant CAD flow. In this article, we put to the fore that this approach is the best neither in terms of performance nor of relevance. Notably, the contribution of this paper is to demonstrate that the strongest SCA countermeasure known so far, namely the dual-rail with precharge logic styles that do not evaluate early, happen surprisingly to be almost natively immune to most DFAs. Therefore, unexpected two-in-one solutions against SCA and DFA indeed exist and deserve a closer attention, because they ally simplicity with efficiency. In particular, we illustrate a logic style, called WDDL without early evaluation (WDDL w/o EE), and a design flow that realizes in practice one possible combined DPA and DFA counter-measure especially suited for reconfigurable hardware.

Enhancement of simple electro-magnetic attacks by pre-characterization in frequency domain and demodulation techniques

SPA/SEMA (Simple Power/Electro-magnetic Analysis) attacks performed on public-key cryptographic modules implemented on FPGA platforms are well known from the theoretical point of view. However, the practical aspect is not often developed in the literature. But researchers know that these attacks do not always work, like in the case of an RSA accelerator. Indeed, SEMA on RSA needs to make a difference between square and multiply which use the same logic; this contrast with SEMA on ECC, which is easier since doubling and add that are two different operations from the hardware point of view. In this paper, we wonder what to do if a SEMA fails to succeed on a device. Does it mean that no attack is possible? We show that hardware demodulation techniques allow the recording of a signal with more information on the leakage than a raw recording. Then, we propose a generic and fast method enabling to find out demodulation frequencies. The effectiveness of our methods is demonstrated through actual experiments using an RSA processor on the SASEBO FPGA board. We show cases where only demodulated signals permit to defeat RSA.

Entropy-based power attack

Recent works have shown that the mutual information is a generic side-channel distinguisher, since it detects any kind of statistical dependency between leakage observations and hypotheses on the secret. In this study the mutual information analysis (MIA) is tested in a noisy real world design. It indeed appears to be a powerful approach to break unprotected implementations. However, the MIA fails when applied on a DES cryptoprocessor with masked substitution boxes (Sboxes) in ROM. Nevertheless, this masking implementation remains sensitive to Higher-Order Differential Power Analysis (HO-DPA). For instance, an attack based on a variance analysis clearly shows the vulnerabilities of a first order masking countermeasure. We propose a novel approach to information-theoretic HO attacks, called the Entropy-based Power Analysis (EPA). This new attack gives a greatest importance to highly informative partitions and in the meantime better distinguishes between the key hypotheses. A thorough empirical evaluation of the proposed attack confirms the overwhelming advantage of this new approach when compared with MIA.

Evaluation of countermeasure implementations based on Boolean masking to thwart side-channel attacks

This paper presents hardware implementations of a DES cryptoprocessor with masking countermeasures and their evaluation against side-channel attacks (SCAs) in FPGAs. The masking protection has been mainly studied from a theoretical viewpoint without any thorough test in a noisy real world designs. In this study the masking countermeasure is tested with first-order and higher-order SCAs on a fully-fledged DES. Beside a classical implementation of the DES substitution boxes (S-Boxes) a simple structure called Universal Substitution boxes with Masking (USM) is proposed. It meets the constraint of low complexity as state-of-the-art masked S-Boxes are mostly built from large look-up tables or complex calculations with combinatorial logic gates. However attacks on USM has underlined some security weaknesses. ROM masked implementation exhibits greater robustness as it cannot be attacked with first-order DPA. Nevertheless any masking implementation remains sensitive to Higher-Order Differential Power Analysis (HO-DPA) as shown in a proposed attack. This attack is based on a variance analysis of the observed power consumption and it clearly shows the vulnerabilities of masking countermeasures.

DPL on Stratix II FPGA: What to Expect?

FPGA design of side channel analysis countermeasure using unmasked dual-rail with precharge logic appears to be a great challenge. Indeed, the robustness of such a solution relies on careful differential placement and routing, whereas both FPGA layout and FPGA EDA tools are not developed for such purposes. However, assessing the security level which can be achieved with them is an important issue, as it is directly related to the suitability to use commercial FPGA instead of proprietary custom FPGA for this kind of protection. In this article, we experimentally prove that differential placement and routing of an FPGA implementation can be done with a granularity fine enough to improve the security gain. However, the gain is lower than for ASICs. We expect that an in-depth analysis of routing resources power consumption could help bridge the gap.

Exploiting dual-output programmable blocks to balance secure dual-rail logics

FPGA design of side-channel analysis countermeasures using unmasked dual-rail with precharge logic appears to be a great challenge. Indeed, the robustness of such a solution relies on careful differential placement and routing whereas both FPGA layout and FPGA EDA tools are not developed for such purposes. However, assessing the security level which can be achieved with them is an important issue, as it is directly related to the suitability to use commercial FPGA instead of proprietary custom FPGA for this kind of protection. In this article, we experimentally gave evidence that differential placement and routing of an FPGA implementation can be done with a granularity fine enough to improve the security gain. However, so far, this gain turned out to be lower for FPGAs than for ASICs. The solutions demonstrated in this article exploit the dual-output of modern FPGAs to achieve a better balance of dual-rail interconnections. However, we expect that an in-depth analysis of routing resources power consumption could still help reduce the interconnect differential leakage.

An 8×8 run-time reconfigurable FPGA embedded in a SoC

This paper presents a RTR FPGA embedded in a system on chip fabricated in 130 nm CMOS process. Various aspects of the design flow, from automation to floor-planning are discussed. We explain the measures taken in the FPGA design to guarantee RTR functionality free of electrical conflicts, and we present a flow based on Altera synthesis tools to implement IPs(hardware blocks) in this FPGA. We demonstrate the full functionality with experiments on the FPGA, and as conclusion we highlight the limitations and future research directions.