
Publication


Featured research published by Shivam Bhasin.


workshop on fault diagnosis and tolerance in cryptography | 2013

Hardware Trojan Horses in Cryptographic IP Cores

Shivam Bhasin; Jean-Luc Danger; Sylvain Guilley; Xuan Thuy Ngo; Laurent Sauvage

Detecting hardware trojans is a difficult task in general. In this article we study hardware trojan horse insertion and detection in cryptographic intellectual property (IP) blocks. The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage. First, we show the efficiency of a medium cost hardware trojan detection method if the placement or the routing have been redone by the foundry. It consists in the comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader. Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing either the placement or the routing of the cryptographic IP logic. On the example of an AES engine, we show that if the placement density is beyond 80%, the insertion is basically impossible. Therefore, this settles a simple design guidance to avoid trojan horse insertion in cryptographic IP blocks: have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete replace and re-route, which is detected by mere optical imaging (and not complete chip reverse-engineering).


design, automation, and test in europe | 2010

BCDL: a high speed balanced DPL for FPGA with global precharge and no early evaluation

Maxime Nassar; Shivam Bhasin; Jean-Luc Danger; Guillaume Duc; Sylvain Guilley

In this paper, we present BCDL (Balanced Cell-based Dual-rail Logic), a new counter-measure against Side Channel Attacks (SCA) on cryptoprocessors implementing symmetrical algorithms on FPGA. BCDL is a DPL (Dual-rail Precharge Logic), which aims at overcoming most of the usual vulnerabilities of such counter-measures, by using specific synchronization schemes, while maintaining a reasonable complexity. We compare our architecture in terms of complexity, performances and easiness to design with other DPLs (WDDL, IWDDL, MDPL, iMDPL, STTL, DRSL, SecLib). It is shown that BCDL can be optimized to achieve higher performances than any other DPLs (more than 1/2 times the nominal data rate) with an affordable complexity. Finally, we implement a BCDL AES on an FPGA and compare its robustness against DPA by using the number of Measurements To Disclosure (MTD) required to find the key with regards to unprotected AES. It is observed that the SCA on a BCDL implementation failed for 150,000 power consumption traces, which represents a gain greater than 20 w.r.t. the unprotected version. Moreover, the fault attack study has pointed out the natural resistance of BCDL against simple fault attacks.


workshop on fault diagnosis and tolerance in cryptography | 2009

WDDL is Protected against Setup Time Violation Attacks

Nidhal Selmane; Shivam Bhasin; Sylvain Guilley; Tarik Graba; Jean-Luc Danger

In order to protect crypto-systems against side channel attacks, various countermeasures have been implemented such as dual-rail logic or masking. Fault attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES and DES. Various kinds of fault attack scenarios have been published. However, very few publications available in the public literature detail the practical realization of such attacks. In this paper we present the result of a practical fault attack on AES in WDDL and its comparison with its non-protected equivalent. The practical faults on an FPGA running an AES encryptor are realized by under-powering it and further exploited using Piret's attack. The results show that WDDL is protected against setup violation attacks by construction because a faulty bit is replaced by a null bit in the cipher text. Therefore, the fault leaks no exploitable information. We also give a theoretical model for the above results. Other references have already studied the potential of fault protection of the resynchronizing gates (delay-insensitive). In this paper, we show that non-resynchronizing gates (hence combinatorial DPL such as WDDL) are natively immune to setup time violation attacks.


Proceedings of the 5th Workshop on Embedded Systems Security | 2010

Countering early evaluation: an approach towards robust dual-rail precharge logic

Shivam Bhasin; Sylvain Guilley; Florent Flament; Nidhal Selmane; Jean-Luc Danger

Wave Dynamic Differential Logic (WDDL) is a hiding countermeasure to thwart side channel attacks (SCA). It suffers from a vulnerability called Early Evaluation, i.e. calculating output before all inputs are valid. This causes delay biases in WDDL even when synthesized with positive gates. As a consequence, the design can be attacked, although with extra effort, through side channel. However, WDDL is an appealing logic since it has already been reported to natively resist against multiple asymmetric faults. In this article, we suggest a Dual Rail Precharge Logic (DPL), similar to WDDL, free from early evaluation by design. We demonstrate practically that the early evaluation accounts for major part of the leakage. We also provide basic guidelines for designing such a DPL. This DPL can resist against side channel attacks and fault attacks at the same time. In line with the current security evaluation methodology, we use differential power analysis and mutual information to compare the modified WDDL with the traditional WDDL. To compare robustness w.r.t. security, we conduct a proof-of-concept experiment that compares the two logics with identical implementations (P&R) apart from the logic style. The sensitive side channel leakage is reduced by half in the DPL without the early evaluation flaw.


international conference on signals circuits and systems | 2009

Overview of Dual rail with Precharge logic styles to thwart implementation-level attacks on hardware cryptoprocessors

Jean-Luc Danger; Sylvain Guilley; Shivam Bhasin; Maxime Nassar

The security of cryptographic implementations relies not only on the algorithm quality but also on the countermeasures to thwart attacks aiming at disclosing the secrecy. These attacks can take advantage of leakages of the secret appearing through the power consumption or the electromagnetic radiations, also called “Side Channels”. This is for instance the case of the Differential Power Analysis (DPA) or the Correlation Power Analysis (CPA). Fault injection is another threatening attack type targeting specific nets in a view to change their value. The major principle to fight the side-channel attack consists in making the power consumption constant. The masking method allows the designer to get a power consumption which has a constant mean and a variance given by a random variable. Another manner is the Hiding method which consists in generating a constant power consumption by using a Dual-rail with Precharge phase Logic (DPL). This paper presents an overview of the various logic styles that have been promoted in the last six years, with an emphasis on their relative advantages and drawbacks.


hardware-oriented security and trust | 2014

A look into SIMON from a side-channel perspective

Shivam Bhasin; Tarik Graba; Jean-Luc Danger; Zakaria Najm

SIMON is a lightweight block cipher, specially designed for resource constrained devices that was recently presented by the National Security Agency (NSA). This paper deals with a hardware implementation of this algorithm from a side-channel point of view as it is a prime concern for embedded systems. We present the implementation of SIMON on a Xilinx Virtex-5 FPGA and propose a low-overhead countermeasure using first-order Boolean masking exploiting the simplistic construction of SIMON. Finally we evaluate the side-channel resistance of both implementations.


smart card research and advanced application conference | 2013

Time-Frequency Analysis for Second-Order Attacks

Pierre Belgarric; Shivam Bhasin; Nicolas Bruneau; Jean-Luc Danger; Nicolas Debande; Sylvain Guilley; Annelie Heuser; Zakaria Najm; Olivier Rioul

Second-order side-channel attacks are used to break first-order masking protections. A practical reason which often limits the efficiency of second-order attacks is the temporal localisation of the leaking samples. Several pairs of leakage samples must be combined which means high computational power. For second-order attacks, the computational complexity is quadratic. At CHES ’04, Waddle and Wagner introduced attacks with complexity \(\mathcal{O}(n \log_2 n)\) on traces collected from a hardware cryptographic implementation, where \(n\) is the window size, by working on traces auto-correlation. Nonetheless, the two samples must belong to the same window which is (normally) not the case for software implementations. In this article, we introduce preprocessing tools that improve the efficiency of bi-variate attacks (while keeping a complexity of \(\mathcal{O}(n \log_2 n)\)), even if the two samples that leak are far away one from the other (as in software). We put forward two main improvements. Firstly, we introduce a method to avoid losing the phase information. Next, we empirically notice that keeping the analysis in the frequency domain can be beneficial for the attack. We apply these attacks in practice on real measurements, publicly available under the DPA Contest v4, to evaluate the proposed techniques. An attack using a window as large as 4000 points is able to reveal the key in only 3000 traces.


reconfigurable computing and fpgas | 2009

Combined SCA and DFA Countermeasures Integrable in a FPGA Design Flow

Shivam Bhasin; Jean-Luc Danger; Florent Flament; Tarik Graba; Sylvain Guilley; Yves Mathieu; Maxime Nassar; Laurent Sauvage; Nidhal Selmane

The main challenge when implementing cryptographic algorithms in hardware is to protect them against attacks that target directly the device. Two strategies are customarily employed by malevolent adversaries: observation and differential perturbation attacks, also called SCA and DFA in the abundant scientific literature on this topic. Numerous research efforts have been carried out to defeat respectively SCA or DFA. However, few publications deal with concomitant protection against both threats. The current consensus is to devise algorithmic countermeasures to DFA and subsequently to synthesize the DFA-protected design thanks to a DPA-resistant CAD flow. In this article, we put to the fore that this approach is the best neither in terms of performance nor of relevance. Notably, the contribution of this paper is to demonstrate that the strongest SCA countermeasure known so far, namely the dual-rail with precharge logic styles that do not evaluate early, happen surprisingly to be almost natively immune to most DFAs. Therefore, unexpected two-in-one solutions against SCA and DFA indeed exist and deserve a closer attention, because they ally simplicity with efficiency. In particular, we illustrate a logic style, called WDDL without early evaluation (WDDL w/o EE), and a design flow that realizes in practice one possible combined DPA and DFA counter-measure especially suited for reconfigurable hardware.


hardware oriented security and trust | 2009

Security evaluation of different AES implementations against practical setup time violation attacks in FPGAs

Shivam Bhasin; Nidhal Selmane; Sylvain Guilley; Jean-Luc Danger

Security evaluation of various AES implementations against practical power attacks has been reported in literature. However, to the authors' knowledge, very few of the fault attacks reported on AES have been practically realized. Since the sbox is a crucial element in AES, in this article, we evaluate the security of some unprotected AES implementations differing in sbox construction, targeted for FPGA. Here the faults have been generated practically by underpowering the targeted circuit. Then we correlate our results with the underlying architecture, along a methodology already suggested in other articles, albeit theoretically. We also carry out an extensive characterization of the faults, in terms of temporal localization. On the basis of our results, we reach the conclusion that the two cheaper implementations in terms of silicon area are also the more vulnerable against DFA when implemented without counter-measures.


international symposium on circuits and systems | 2015

A survey on hardware trojan detection techniques

Shivam Bhasin; Francesco Regazzoni

Hardware Trojans recently emerged as a serious issue for computer systems, especially for those used in critical applications such as medical or military. Trojans proposed so far can affect the reliability of a device in various ways. Proposed effects range from the leakage of secret information to the complete malfunctioning of the device. A crucial point for securing the overall operation of a device is to guarantee the absence of hardware Trojans. In this paper, we survey several techniques for detecting malicious modification of circuit introduced at different phases of the design flow. We also highlight their capabilities and limitations in thwarting hardware Trojans.

Collaboration


Dive into Shivam Bhasin's collaboration.

Top Co-Authors

Zakaria Najm

Institut Mines-Télécom
