Publication


Featured research published by Philippe Hoogvorst.


Smart Card Research and Advanced Application Conference | 2004

Differential Power Analysis Model and Some Results

Sylvain Guilley; Philippe Hoogvorst; Renaud Pacalet

CMOS gates consume different amounts of power whether their output has a falling or a rising edge. Therefore the overall power consumption of a CMOS circuit leaks information about the activity of every single gate. This explains why, using differential power analysis (DPA), one can infer the value of specific nodes within a chip by monitoring its global power consumption only.


Design, Automation, and Test in Europe | 2004

CMOS structures suitable for secured hardware

Sylvain Guilley; Philippe Hoogvorst; Yves Mathieu; Renaud Pacalet; Jean Provost

Unsecured electronic circuits leak physical syndromes correlated to the data they handle. Side-channel attacks, like SPA or DPA, exploit this information leakage. We provide balanced and memoryless CMOS structures for a 2-input secured NAND gate.


IEEE Transactions on Computers | 2008

Security Evaluation of WDDL and SecLib Countermeasures against Power Attacks

Sylvain Guilley; Laurent Sauvage; Philippe Hoogvorst; Renaud Pacalet; Guido Bertoni; Sumanta Chaudhuri

Logic styles with constant power consumption are promising solutions to counteract side-channel attacks on sensitive cryptographic devices. Recently, one vulnerability has been identified in a standard-cell-based power-constant logic called WDDL. Another logic, nicknamed SecLib, is considered and does not present the flaw of WDDL. In this paper, we evaluate the security level of WDDL and SecLib. The methodology consists in embedding in a dedicated circuit one unprotected DES coprocessor along with two others, implemented in WDDL and in SecLib. One essential part of this paper is to describe the conception of the cryptographic ASIC, devised to foster side-channel cryptanalyses, in a view to model the strongest possible attacker. The same analyses are carried out successively on the three DES modules. We conclude that, provided that the back-end of the WDDL module is carefully designed, its vulnerability cannot be exploited by the state-of-the-art attacks. Similarly, the SecLib DES module resists all assaults. However, using a principal component analysis, we show that WDDL is more vulnerable than SecLib. The statistical dispersion of WDDL, which reflects the correlation between the secrets and the power dissipation, is proved to be an order of magnitude higher than that of SecLib.


IEEE Transactions on Computers | 2010

Evaluation of Power Constant Dual-Rail Logics Countermeasures against DPA with Design Time Security Metrics

Sylvain Guilley; Laurent Sauvage; Florent Flament; Vinh-Nga Vong; Philippe Hoogvorst; Renaud Pacalet

Cryptographic circuits are nowadays subject to attacks that no longer focus on the algorithm but rather on its physical implementation. Attacks exploiting information leaked by the hardware implementation are called side-channel attacks (SCAs). Among these attacks, the differential power analysis (DPA) established by Paul Kocher et al. in 1998 represents a serious threat for CMOS VLSI implementations. Different countermeasures that aim at reducing the information leaked by the power consumption have been published. Some of these countermeasures use sophisticated back-end-level constraints to increase their strength. As suggested by some preliminary works (e.g., by Li from Cambridge University), the prediction of the actual security level of such countermeasures remains an open research area. This paper tackles this issue on the example of the AES SubBytes primitive. Thirteen implementations of SubBytes, in unprotected, WDDL, and SecLib logic styles with various back-end-level arrangements are studied. Based on simulation and experimental results, we observe that static evaluations on extracted netlists are not relevant to classify variants of a countermeasure. Instead, we conclude that the fine-grained timing behavior is the main reason for security weaknesses. In this respect, we prove that SecLib, immune to early-evaluation problems, is much more resistant against DPA than WDDL.


Hardware Oriented Security and Trust | 2008

Place-and-route impact on the security of DPL designs in FPGAs

Sylvain Guilley; Sumanta Chaudhuri; Laurent Sauvage; Tarik Graba; Jean-Luc Danger; Philippe Hoogvorst; Vinh-Nga Vong; Maxime Nassar

Straightforward implementations of cryptographic algorithms are known to be vulnerable to attacks aimed not at the mathematical structure of the cipher but rather at the weak points of the electronic devices which implement it. These attacks, known as side-channel attacks, have proved to be very powerful in retrieving secret keys from any kind of unprotected electronic device. Amongst the various protection strategies, side-channel hiding is very popular and well studied. The principle of information hiding is to make any leak constant, thus uncorrelated to the device internal secrets. The so-called "dual-rail with precharge logic" (DPL) style is indicated to achieve that goal. For DPL protection to be effective, it further requires a carefully balanced layout so as to obtain equal propagation delays and power consumption on both rails. In this article, we study to which extent the differential place-and-route constraints must be strict in FPGA technology. We describe placement techniques suitable for Xilinx and Altera FPGAs, and quantify the gain of balance they confer. On the one hand, we observed that Xilinx fitting tool achieves naturally good balancing results. On the other hand, the symmetry can be greatly improved with Altera devices, using a manual placement, leading to unprecedented dual netlists balancing.


Smart Card Research and Advanced Application Conference | 2011

Java card operand stack: fault attacks, combined attacks and countermeasures

Guillaume Barbu; Guillaume Duc; Philippe Hoogvorst

Until 2009, Java Cards have been mainly threatened by Logical Attacks based on ill-formed applications. The publication of the Java Card 3.0 Connected Edition specifications and their mandatory on-card byte code verification may have then led to the end of software-based attacks against such platforms. However, the introduction in the Java Card field of Fault Attacks, well-known from the cryptologist community, has proven this conclusion wrong. Actually, the idea of combining Fault Attacks and Logical Attacks to tamper with Java Cards appears as an even more dangerous threat. Although the operand stack is a fundamental element of all Java Card Virtual Machines, the potential consequences of a physical perturbation of this element have never been studied so far. In this article, we explore this path by presenting both Fault Attacks and Combined Attacks taking advantage of an alteration of the operand stack. In addition, we provide experimental results proving the practical feasibility of these attacks and illustrating their efficiency. Finally, we describe different approaches to protect the operand stack's integrity and compare their cost with a particular interest on the time factor.


Applied Reconfigurable Computing | 2008

Physical Design of FPGA Interconnect to Prevent Information Leakage

Sumanta Chaudhuri; Sylvain Guilley; Philippe Hoogvorst; Jean-Luc Danger; Taha Beyrouthy; Alin Razafindraibe; Laurent Fesquet; Marc Renaudin

In this article we discuss dual/multi-rail routing techniques in an island style FPGA for robustness against side-channel attacks. We present a technique to achieve dual-rail routing balanced in both timing and power consumption with the traditional subset switchbox. Secondly, we propose two switchboxes (namely: Twist-on-Turn & Twist-Always) to route every dual/multi-rail signal in twisted pairs, which can deter electromagnetic attacks. These novel switchboxes can also be balanced in power consumption albeit with some added cost. We present a layout with pre-placed switches and pre-routed balanced wires and extraction statistics about the expected balance. As conclusion, we discuss various overheads associated with these techniques and possible improvements.


IEEE Design & Test of Computers | 2007

Secured CAD Back-End Flow for Power-Analysis-Resistant Cryptoprocessors

Sylvain Guilley; Florent Flament; Philippe Hoogvorst; Renaud Pacalet; Yves Mathieu

Side-channel attacks threaten the security of any electronic device. We have developed a comprehensive back-end design flow that natively protects constant-power cryptoprocessors against side-channel attacks that exploit instant power consumption. The proposed methodology uses a fully custom, balanced cell library and an innovative place-and-route method. All the design steps in this methodology take place at the layout level. We apply the described flow to the quasi-delay-insensitive (QDI) SecLib library with a shielded routing method derived from back-end duplication, using legacy CAD tools for the back-end steps. In this article, we investigate the feasibility of implementing optimally secured unmasked logic. We argue that it is possible to thwart all known power attacks, at least on carefully designed netlist schematics.


International Conference on Parallel Architectures and Languages Europe | 1991

POMP or how to design a massively parallel machine with small developments

Philippe Hoogvorst; Ronan Keryell; Nicolas Paris; Philippe Matherat

The design of a SIMD machine is usually complex because it leads to developing an efficient Processing Element and to writing all the softwares required by the chip and the control of the machine. We propose a different approach by using an efficient 32-bit off-the-shelf processor with its software environment (compiler and assembler) and a programmable gate array for the network. It limits the development to the minimum and leads to a rather general SIMD cluster built with off-the-shelf chips which can be considered as a SIMD transputer.


Journal of Cryptographic Engineering | 2013

A synthesis of side-channel attacks on elliptic curve cryptography in smart-cards

Jean-Luc Danger; Sylvain Guilley; Philippe Hoogvorst; Cédric Murdica; David Naccache

Elliptic curve cryptography in embedded systems is vulnerable to side-channel attacks. Those attacks exploit biases in various kinds of leakages, such as power consumption, electromagnetic emanation, execution time, etc. The integration of countermeasures is required to thwart known attacks. No single countermeasure can cover the whole range of attacks; thus many of them shall be combined. However, as each of them has a non-negligible cost, one cannot simply apply all of them. It is necessary to wisely select countermeasures, depending on the context and on the trade-off between security and performance. This paper summarizes the side-channel attacks and countermeasures on Elliptic Curve Cryptography. For each countermeasure, the cost in time and space is given. Some attacks are clarified such as the doubling attack; others are improved like the horizontal SVA, and new attacks are described like the horizontal attack against the unified formulae.

Collaboration


Dive into Philippe Hoogvorst's collaborations.

Top Co-Authors


Sumanta Chaudhuri

Centre national de la recherche scientifique


David Naccache

École Normale Supérieure


Taha Beyrouthy

Joseph Fourier University


Laurent Fesquet

Centre national de la recherche scientifique
