Publication


Featured research published by Mitsuru Shiozaki.


Cryptographic Hardware and Embedded Systems | 2014

Reversing Stealthy Dopant-Level Circuits

Takeshi Sugawara; Daisuke Suzuki; Ryoichi Fujii; Shigeaki Tawa; Ryohei Hori; Mitsuru Shiozaki; Takeshi Fujino

A successful detection of the stealthy dopant-level circuit trojan, proposed by Becker et al. at CHES 2013 [1], is reported. Contrary to an assumption made by Becker et al., dopant types in active region are visible with either scanning electron microscopy (SEM) or focused ion beam (FIB) imaging. The successful measurement is explained by an LSI failure analysis technique called the passive voltage contrast [2]. The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device [3]: an anti-reverse-engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant-well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16 times more expensive than that of a metal layer in terms of the number of images.


International Symposium on Circuits and Systems | 2011

The arbiter-PUF with high uniqueness utilizing novel arbiter circuit with Delay-Time Measurement

Kota Furuhashi; Mitsuru Shiozaki; Akitaka Fukushima; Takahiko Murayama; Takeshi Fujino

Physical Unclonable Functions (PUFs) have been proposed to produce tamper-resistant devices or create unique identifications of secure systems. The conventional basic arbiter-PUF was fabricated with 0.18 µm CMOS technology, and the uniqueness of generated multi-bit responses was evaluated. The uniqueness is worse than expected because some of the multi-bit responses are never generated. In this study, we propose a novel arbiter-PUF utilizing an RG-DTM (Response Generation according to Delay Time Measurement) scheme. The uniqueness is evaluated by the standard deviation of the Hamming Distance distribution between generated 256-bit responses. The standard deviation on the proposed PUFs is greatly improved to 8.45 from 31 on the conventional PUFs.


Journal of Cryptographic Engineering | 2015

Reversing stealthy dopant-level circuits

Takeshi Sugawara; Daisuke Suzuki; Ryoichi Fujii; Shigeaki Tawa; Ryohei Hori; Mitsuru Shiozaki; Takeshi Fujino

A successful detection of the stealthy dopant-level circuit (trojan), proposed by Becker et al. at CHES 2013 (LNCS 8086:197–214, 2013), is reported. Contrary to an assumption made by Becker et al., dopant types in active region are visible with either scanning electron microscopy (SEM) or focused ion beam (FIB) imaging. The successful measurement is explained by a technique called the passive voltage contrast (Rosenkranz J Mater Sci Mater Electron 22(10):1523–1535, 2011) which is used to analyze failures in large-scale integration (LSI). The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device (Shiozaki et al. Diffusion programmable device: a device to prevent reverse engineering, IACR Cryptology ePrint Archive 2014/109 2014): an anti-reverse engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant–well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16 times more expensive than that of a metal layer in terms of the number of images.


International Symposium on Circuits and Systems | 2014

Side-channel attack resistant AES cryptographic circuits with ROM reducing address-dependent EM leaks

Tsunato Nakai; Megumi Shibatani; Mitsuru Shiozaki; Takaya Kubota; Takeshi Fujino

Side-channel attacks reveal the secret key of a cryptographic circuit by measuring power consumption or electromagnetic radiation during cryptographic operations. Side-channel information leaks that are exploited by power analysis (PA) and electromagnetic analysis (EMA) attacks are thought to be caused by consumption current. However, our research group recently found novel geometric leaks that only EMA attacks can target successfully. This paper studies the causes of memory-dependent EM geometric leaks. We find that the current flow from bit-lines to the ground through the activated ROM cell causes the geometric leaks. We propose a new ROM structure to reduce geometric leak, and use the new ROM to design an AES cryptographic circuit that is resistant to side-channel attacks. Our experiments confirm that the new ROM greatly reduces geometric leak and reveals no key data during PA or EMA attacks.


Journal of Cryptographic Engineering | 2014

On measurable side-channel leaks inside ASIC design primitives

Takeshi Sugawara; Daisuke Suzuki; Minoru Saeki; Mitsuru Shiozaki; Takeshi Fujino

Leaks inside semi-custom application-specific integrated circuit design primitives are rigorously investigated. The study is conducted by measuring a dedicated test element group chip with a small magnetic field probe on the chip surface. Measurement targets are standard cells and a memory macro cell. Leaks inside the primitives are focused on, as many conventional countermeasures place measurability boundaries on these primitives. Firstly, it is shown that the current-path leak: a leak based on input-dependent active current path within a standard cell (Takahashi 2012; Takahashi and Matsumoto IEICE Electron Express 9:458–463, 2012) is measurable. Major gate-level countermeasures [Random Switching Logic (RSL), MDPL, and WDDL] become vulnerable if the current-path leak is considered. Secondly, it is shown that the internal-gate leak: a leak based on non-linear sub-circuit within an XOR cell is measurable. It can be exploited to bias the distribution of the random mask. Thirdly, it is shown that the geometric leak: a leak based on geometric layout of the memory matrix structure is measurable. It is a leak correlated to integer representation (cf. Hamming weight) of the memory address. We also show that a ROM-based countermeasure (dual-rail RSL memory; Hashimoto et al. 2012) becomes vulnerable with the geometric leak. A general transistor-level design method to counteract the current-path and internal-gate leaks is also shown.


International Symposium on Circuits and Systems | 2015

Tamper-resistant authentication system with side-channel attack resistant AES and PUF using MDR-ROM

Mitsuru Shiozaki; Takaya Kubota; Tsunato Nakai; Akihiro Takeuchi; Takashi Nishimura; Takeshi Fujino

As threats to security devices, side-channel attacks (SCAs) and invasive attacks have been identified in the last decade. The SCA reveals a secret key on a cryptographic circuit by measuring power consumption or electromagnetic radiation during the cryptographic operations. We have proposed the MDR-ROM scheme as the low-power and small-area countermeasure against SCAs. Meanwhile, secret data in a nonvolatile memory is analyzed by invasive attacks, and the cryptographic device is counterfeited and cloned by an adversary. We proposed to combine the MDR-ROM scheme with the Physical Unclonable Function (PUF) technique, which is expected to serve as the countermeasure against counterfeiting, and the prototype chip was fabricated with a 180 nm CMOS technology. In addition, the keyless entry demonstration system was produced in order to present the effectiveness of SCA resistance and PUF technique. Our experiments confirmed that this demonstration system achieved sufficient tamper resistance.


IEEE Global Conference on Consumer Electronics | 2013

A stable key generation from PUF responses with a Fuzzy Extractor for cryptographic authentications

Masato Taniguchi; Mitsuru Shiozaki; Hiroshi Kubo; Takeshi Fujino

Physical Unclonable Functions (PUFs) extract inherent characteristics caused by fabrication process variations, and generate unique challenge-response pairs. Some bits of PUF responses are slightly unstable, so Fuzzy Extractors (FEs) are used to correct the error bits. This paper proposes new soft-decision FEs that consider the instability caused by voltage fluctuation. We applied this method to our novel RG-DTM PUF fabricated in 0.18 μm CMOS technology. It was demonstrated that the block error rate is reduced to 1/10 compared to the conventional soft-decision FE.


Digital Systems Design | 2012

Efficient DPA-Resistance Verification Method with Smaller Number of Power Traces on AES Cryptographic Circuit

Hiroki Ito; Mitsuru Shiozaki; Anh-Tuan Hoang; Takeshi Fujino

The LSI design methodology against Differential Power Analysis (DPA) is important to realize a tamper-resistant cryptographic circuit. In order to verify the DPA resistance before ASIC fabrication, the DPA verification using FPGA is commonly used. However, power traces of ASIC differ from those of FPGA, so the DPA verification on FPGA cannot guarantee the DPA resistance on ASIC. On the other hand, it takes an extremely long time to collect the simulated power traces using post-layout netlists of ASIC. Hence, a DPA-resistance verification method using a smaller number of power traces is demanded. In this paper, we propose the Equivalent Byte Method (EBM), which synchronizes the operation on all Substitution Boxes (S-Boxes) at the attacking round by controlling the plaintexts and the keys. In EBM, the power-consumption profiles of S-Boxes are emphasized by each other, and then the DPA analysis for a correct key is easily distinguished with a smaller number of traces. In order to demonstrate the effectiveness of the proposed EBM, AES circuits using DPA-resistant techniques of WDDL and MDPL are implemented on FPGA. As a result, EBM revealed DPA-leak with 1/1000 ~ 1/50 power traces required for the general statistical method.


IEEE Global Conference on Consumer Electronics | 2012

Development of evaluation environment for physical attacks against embedded devices

Toshihiro Katashita; Akihiko Sasaki; Yohei Hori; Mitsuru Shiozaki; Takeshi Fujino

Physical attacks against cryptographic modules on embedded systems differ from theoretical analysis. Side-channel attacks, which are noninvasive physical attacks, exploit the measurable parameters of devices. In this study, we have developed a cryptographic LSI environment for testing side-channel attacks. The environment is designed such that small fluctuations in LSI power consumption can be measured. A printed circuit board, and control hardware and software are developed, and are available on our website to provide a uniform environment for side-channel testing of LSIs. Details of the developed environment are described in this paper, and its performance in measurements and tests is demonstrated through an experiment that replicates a side-channel attack.


Hardware Oriented Security and Trust | 2011

Implementation and verification of DPA-resistant cryptographic DES circuit using Domino-RSL

Katsuhiko Iwai; Mitsuru Shiozaki; Anh-Tuan Hoang; Kenji Kojima; Takeshi Fujino

Differential Power Analysis (DPA), which is one of the Side-Channel Attack techniques, can easily extract secret information such as a cryptographic key from the device by analyzing the power consumption. Some DPA-resistant techniques have been proposed to protect the secret information. However, these techniques require special CADs, which balance wiring capacitance and control the timing to activate the logics for enabling signals. We have proposed a DPA-resistant Domino-RSL technique that can be designed and implemented easily with the standard CAD tool. This DPA resistance is achieved by eliminating the correlation between power consumption and cryptography operation. In this paper, the design flow of the Domino-RSL technique is presented and the DPA resistance of a DES circuit, which was designed and fabricated with 0.18 μm CMOS technology, is evaluated using the Side-channel Attack Standard Evaluation Board (SASEBO). The Domino-RSL DES circuit never revealed the secret key even with 100,000 wave samples analysis.

Collaboration


Top Co-Authors


Ryohei Hori

Ritsumeikan University
