Kris Tiri

Securing Encryption Algorithms against DPA at the Logic Level: Next Generation Smart Card Technology

This paper describes a design method to secure encryption algorithms against Differential Power Analysis at the logic level. The method employs logic gates with a power consumption, which is independent of the data signals, and therefore the technique removes the foundation for DPA. In a design ex- periment, a fundamental component of the DES algorithm has been imple- mented. Detailed transistor level simulations show a perfect security whenever the layout parasitics are not taken into account.

A digital design flow for secure integrated circuits

Small embedded integrated circuits (ICs) such as smart cards are vulnerable to the so-called side-channel attacks (SCAs). The attacker can gain information by monitoring the power consumption, execution time, electromagnetic radiation, and other information leaked by the switching behavior of digital complementary metal-oxide-semiconductor (CMOS) gates. This paper presents a digital very large scale integrated (VLSI) design flow to create secure power-analysis-attack-resistant ICs. The design flow starts from a normal design in a hardware description language such as very-high-speed integrated circuit (VHSIC) hardware description language (VHDL) or Verilog and provides a direct path to an SCA-resistant layout. Instead of a full custom layout or an iterative design process with extensive simulations, a few key modifications are incorporated in a regular synchronous CMOS standard cell design flow. The basis for power analysis attack resistance is discussed. This paper describes how to adjust the library databases such that the regular single-ended static CMOS standard cells implement a dynamic and differential logic style and such that 20 000+ differential nets can be routed in parallel. This paper also explains how to modify the constraints and rules files for the synthesis, place, and differential route procedures. Measurement-based experimental results have demonstrated that the secure digital design flow is a functional technique to thwart side-channel power analysis. It successfully protects a prototype Advanced Encryption Standard (AES) IC fabricated in an 0.18-mum CMOS

Prototype IC with WDDL and differential routing – DPA resistance assessment

Wave dynamic differential logic combined with differential routing is a working, practical technique to thwart side-channel power attacks. Measurement-based experimental results show that a differential power analysis attack on a prototype IC, fabricated in 0.18μm CMOS, does not disclose the entire secret key of the AES algorithm at 1,500,000 measurement acquisitions. This makes the attack de facto infeasible. The required number of measurements is larger than the lifetime of the secret key in most practical systems.

AES-Based Security Coprocessor IC in 0.18-

Security ICs are vulnerable to side-channel attacks (SCAs) that find the secret key by monitoring the power consumption or other information that is leaked by the switching behavior of digital CMOS gates. This paper describes a side-channel attack resistant coprocessor IC fabricated in 0.18-

muhbox m

muhbox m

CMOS With Resistance to Differential Power Analysis Side-Channel Attacks

CMOS consisting of an Advanced Encryption Standard (AES) based cryptographic engine, a fingerprint-matching engine, template storage, and an interface unit. Two functionally identical coprocessors have been fabricated on the same die. The first coprocessor was implemented using standard cells and regular routing techniques. The second coprocessor was implemented using a logic style called wave dynamic differential logic (WDDL) and a layout technique called differential routing to combat the differential power analysis (DPA) side-channel attack. Measurement-based experimental results show that a DPA attack on the insecure coprocessor requires only 8000 encryptions to disclose the entire 128-bit secret key. The same attack on the secure coprocessor does not disclose the entire secret key even after 1 500 000 encryptions.

Place and Route for Secure Standard Cell Design

Side channel attacks can be effectively addressed at the circuit level by using dynamic differential logic styles. A key problem is to guarantee a balanced capacitive load at the differential outputs of the logic gates. The main contribution to this load is the capacitance associated with the routing between cells. This paper describes a novel design methodology to route a design in which multiple differential pairs are present. The methodology is able to route 20K+ differential routes. The differential routes are always routed in adjacent tracks and the parasitic effects between the two wires of each differential pair are balanced. The methodology is developed on top of a commercially available EDA tool. It has been developed as part of a secure digital design flow to protect security applications against Differential Power Analysis attacks. Experimental results indicate that a perfect protection is attainable with the aid of the proposed differential routing strategy.

A VLSI Design Flow for Secure Side-Channel Attack Resistant ICs

The paper presents a digital VLSI design flow to create secure, side-channel attack (SCA) resistant integrated circuits. The design flow starts from a normal design in a hardware description language, such as VHDL or Verilog, and provides a direct path to an SCA resistant layout. Instead of a full custom layout or an iterative design process with extensive simulations, a few key modifications are incorporated in a regular synchronous CMOS standard cell design flow. We discuss the basis for side-channel attack resistance and adjust the library databases and constraints files of the synthesis and place-and-route procedures accordingly. Experimental results show that a DPA (differential power analysis) attack on a regular single ended CMOS standard cell implementation of a module of the DES algorithm discloses the secret key after 200 measurements. The same attack on a secure version still does not disclose the secret key after more than 2000 measurements.

Masking and Dual-Rail Logic Don't Add Up

Masked logic styles use a random mask bit to de-correlate the power consumption of the circuit from the state of the algorithm. The effect of the random mask bit is that the circuit switches between two complementary states with a different power profile. Earlier work has shown that the mask-bit value can be estimated from the power consumption profile, and that masked logic remains susceptible to classic power attacks after only a simple filtering operation. In this contribution we will show that this conclusion also holds for masked pre-charged logic styles and for all practical implementations of masked dual-rail logic styles. Up to now, it was believed that masking and dual-rail can be combined to provide a routing-insensitive logic style. We will show that this assumption is not correct. We demonstrate that the routing imbalances can be used to detect the value of the mask bit. Simulations as well as analysis of design data from an AES chip support this conclusion.

Securing embedded systems

A top-down, multiabstraction layer approach for embedded security design reduces the risk of security flaws, letting designers maximize security while limiting area, energy, and computation costs