Publication


Featured research published by Zakaria Najm.


hardware and architectural support for security and privacy | 2014

Side-channel leakage and trace compression using normalized inter-class variance

Shivam Bhasin; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm

Security and safety critical devices must undergo penetration testing including Side-Channel Attacks (SCA) before certification. SCA are powerful and easy to mount but often need huge computation power, especially in the presence of countermeasures. Few efforts have been made to reduce the computation complexity of SCA by selecting a small subset of points where leakage prevails. In this paper, we propose a method to detect relevant leakage points in side-channel traces. The method is based on Normalized Inter-Class Variance (NICV). A key advantage of NICV over the state of the art is that NICV needs neither a clone device nor knowledge of the secret parameters of the crypto-system. NICV has a low computation requirement and it detects leakage using public information like input plaintexts or output ciphertexts only. It is shown that NICV can be related to Pearson correlation and signal-to-noise ratio (SNR), which are standard metrics. NICV can be used to theoretically compute the minimum number of traces required to attack an implementation. A theoretical rationale of NICV with some practical application on real crypto-systems is provided to support our claims.


hardware oriented security and trust | 2015

Linear complementary dual code improvement to strengthen encoded circuit against hardware Trojan horses

Xuan Thuy Ngo; Shivam Bhasin; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm

Hardware Trojan Horses (HTH) are a serious threat to the semiconductor industry with significant economic impact. We introduced in [10] a method called “encoded circuit”, which both prevents and detects HTH. We achieved this goal using Linear Complementary Dual (LCD) codes. In this paper, we achieve a lower overhead and a better tunability by using a Linear Complementary Pair (LCP) of codes, which are not necessarily dual. LCP have two security parameters dTrigger and dPayload, such that the knowledge of strictly less than dTrigger bits of the encoded state reveals no information about the actual state; in addition, any HTH which modifies strictly less than dPayload bits of the encoded state will produce an invalid codeword. The application on an 8-bit processor shows the improvement of the new LCP codes. We also show that it is possible to fully automate the CAD flow to generate encoded circuits with LCP codes. Finally we encode a SIMON cryptographic co-processor and test its resistance against physical attacks like Side-Channel Analysis (SCA) and Fault Injection Analysis (FIA).


hardware-oriented security and trust | 2014

A look into SIMON from a side-channel perspective

Shivam Bhasin; Tarik Graba; Jean-Luc Danger; Zakaria Najm

SIMON is a lightweight block cipher, specially designed for resource constrained devices that was recently presented by the National Security Agency (NSA). This paper deals with a hardware implementation of this algorithm from a side-channel point of view as it is a prime concern for embedded systems. We present the implementation of SIMON on a Xilinx Virtex-5 FPGA and propose a low-overhead countermeasure using first-order Boolean masking exploiting the simplistic construction of SIMON. Finally we evaluate the side-channel resistance of both implementations.


smart card research and advanced application conference | 2013

Time-Frequency Analysis for Second-Order Attacks

Pierre Belgarric; Shivam Bhasin; Nicolas Bruneau; Jean-Luc Danger; Nicolas Debande; Sylvain Guilley; Annelie Heuser; Zakaria Najm; Olivier Rioul

Second-order side-channel attacks are used to break first-order masking protections. A practical reason which often limits the efficiency of second-order attacks is the temporal localisation of the leaking samples. Several pairs of leakage samples must be combined which means high computational power. For second-order attacks, the computational complexity is quadratic. At CHES ’04, Waddle and Wagner introduced attacks with complexity \(\mathcal{O}(n \log_2 n)\) on traces collected from a hardware cryptographic implementation, where \(n\) is the window size, by working on traces auto-correlation. Nonetheless, the two samples must belong to the same window which is (normally) not the case for software implementations. In this article, we introduce preprocessing tools that improve the efficiency of bi-variate attacks (while keeping a complexity of \(\mathcal{O}(n \log_2 n)\)), even if the two samples that leak are far away one from the other (as in software). We put forward two main improvements. Firstly, we introduce a method to avoid losing the phase information. Next, we empirically notice that keeping the analysis in the frequency domain can be beneficial for the attack. We apply these attacks in practice on real measurements, publicly available under the DPA Contest v4, to evaluate the proposed techniques. An attack using a window as large as 4000 points is able to reveal the key in only 3000 traces.


hardware oriented security and trust | 2015

High precision fault injections on the instruction cache of ARMv7-M architectures

Lionel Rivière; Zakaria Najm; Pablo Rauzy; Jean-Luc Danger; Julien Bringer; Laurent Sauvage

Hardware and software of secured embedded systems are prone to physical attacks. In particular, fault injection attacks revealed vulnerabilities on the data and the control flow allowing an attacker to break cryptographic or secured algorithms implementations. While many research studies concentrated on successful attacks on the data flow, only a few target the instruction flow. In this paper, we focus on electromagnetic fault injection (EMFI) on the control flow, especially on the instruction cache. We target the very widespread (smartphones, tablets, set-top boxes, health-industry monitors and sensors, etc.) ARMv7-M architecture. We describe a practical EMFI platform and present a methodology providing high control level and high reproducibility over fault injections. Indeed, we observe that a precise fault model occurs in up to 96% of the cases. We then characterize and exhibit this practical fault model on the cache that is not yet considered in the literature. We comprehensively describe its effects and show how it can be used to reproduce well known fault attacks. Finally, we describe how it can benefit attackers to mount new powerful attacks or simplify existing ones.


design, automation, and test in europe | 2015

Hardware trojan detection by delay and electromagnetic measurements

Xuan Thuy Ngo; Ingrid Exurville; Shivam Bhasin; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm; Jean-Baptiste Rigaud; Bruno Robisson

Hardware Trojans (HT) inserted in integrated circuits have received special attention of researchers. In this paper, we present firstly a novel HT detection technique based on path delays measurements. A delay model, which considers intra-die process variations, is established for a net. Secondly, we show how to detect HT using ElectroMagnetic (EM) measurements. We study the HT detection probability according to its size taking into account the inter-die process variations with a set of FPGA. The results show, for instance, that there is a probability greater than 95% with a false negative rate of 5% to detect a HT larger than 1.7% of the original circuit.


Proceedings of the Workshop on Embedded Systems Security | 2013

A low-entropy first-degree secure provable masking scheme for resource-constrained devices

Shivam Bhasin; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm

The trend in the protection against side-channel analysis is to be more secure with little consideration for the cost. However in small devices like RFID, traditional security solutions might be impractical due to limited availability of resources. Thus designers are often forced to use imperfect but low-cost security solutions. When implementing masking countermeasures on a low-resource device, designers are not only limited in memory or power but also lack a high-throughput source of randomness. In this paper, we stick to a formal security notion (1st-degree security), but seek a low-cost countermeasure against side-channel attacks. The proposed countermeasure is based on masking but needs only one bit of random to resist first-degree attacks like correlation power analysis. Furthermore the implementation also resists side-channel collision attacks once the entropy of random is increased to 16 bits. We show that security can be obtained at extremely low overhead and with as few as a couple of random bytes. This is supported by an application on PRESENT which is provably masked at first-degree for performance overhead of only 1%. Side-channel laboratory evaluations are also provided to support our claim.


design automation conference | 2016

PLL to the rescue: a novel EM fault countermeasure

Noriyuki Miura; Zakaria Najm; Wei He; Shivam Bhasin; Xuan Thuy Ngo; Makoto Nagata; Jean-Luc Danger

Electromagnetic injection (EMI) is a powerful and precise technique for fault injection in modern ICs. This intentional fault can be utilized to steal secret information hidden inside of ICs. Unlike laser fault injection, tedious package decapsulation is not needed for EMI, which reduces an attacker's cost and thus causes a serious information security threat. In this paper, a PLL-based sensor circuit is proposed to detect EMI reactively on chip. A fully automatic design flow is devised to integrate the proposed sensor together with a cryptographic processor. A high fault detection coverage and a small hardware overhead are demonstrated experimentally on an FPGA platform.


Space | 2014

Analysis and Improvements of the DPA Contest v4 Implementation

Shivam Bhasin; Nicolas Bruneau; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm

DPA Contest is an international framework which allows researchers to compare their attacks under a common setting. The latest version of DPA Contest proposes a software implementation of AES-256 protected with a low-entropy masking scheme. The masking scheme is called Rotating Sbox Masking (RSM) which claims first-degree security. In this paper, we review the attacks submitted against DPA Contest v4 implementation to identify the common loopholes in the proposed implementation. Next we propose some ideas to improve the existing implementation to resist most of the proposed attacks at affordable performance overhead. Finally we compare our implementation with the original proposal in terms of complexity and side-channel leakage.


european conference on circuit theory and design | 2015

Hardware property checker for run-time Hardware Trojan detection

Xuan Thuy Ngo; Jean-Luc Danger; Sylvain Guilley; Zakaria Najm; Olivier Emery

Nowadays, Hardware Trojans (HTs) have become a real threat because of the IC design and fabrication outsourcing trend. In the state of the art, many efforts were devoted to counter this threat, especially at netlist level. However, some clever HTs are actually a combination between a hardware and a software vulnerability, which, together, allow an exploitation. In this paper, we intend to detect such advanced HT, by resorting to a run-time detection. This method consists in identifying some high-level and critical behavioral invariants, and checking them during the circuit operation. The assertion and Property Specification Language (PSL) is used to describe the properties to be checked. Then, a Hardware Property Checker (HPC) is created and integrated in the IC in order to verify these properties in runtime. We discuss how to define the critical properties for HPC. We also explain how this method is complementary with others, especially how the Hardware Checker can itself be protected against a tampering attempt. A case study on LEON processor was performed to demonstrate the feasibility of this detection technique.

Collaboration


Dive into Zakaria Najm's collaboration.

Top Co-Authors


Shivam Bhasin

Nanyang Technological University


Xuan Thuy Ngo

Institut Mines-Télécom
