Counter-measures to attacks on electronic circuits
(original title: Contre-mesures aux attaques sur les circuits électroniques)

Sylvain GUILLEY, Secure-IC S.A.S.
S. Guilley, < sylvain.guilley@Secure-IC.com > Counter-measures to attacks 1/108

Presentation Outline

- Introduction
- Generic Countermeasures
- RTL Countermeasures
- Unitary Countermeasure Evaluation Methodology
- Attacks on Countermeasures
- Conclusions
Introduction

Goal of attacks

Extract a secret, which can be data, a key or an algorithm.

But attack paths are varied:
- directly extract the keys used by the crypto, by DPA or DFA (crypto devices);
- combine fault injection (FI) with a file read available in the API (memory smartcards);
- reverse-engineer and exploit a bug (XBOX) or cryptanalyze (MiFARE).


Source of information to stay tuned

Conferences
- CHES: Cryptographic Hardware & Embedded Systems
- HOST: Hardware-Oriented Security and Trust
- CARDIS: Smartcards
- COSADE: COnstructive Side-channel Analysis for DEsign
- SPACE: Security, Privacy, and Applied Cryptography Engineering

The asymmetry between the two sides
- Defense: against all attacks
- Attack: one is enough!

Beware of buzz...
- The most discussed topics are not often the most relevant ones
- The most secure solutions are maybe not affordable
Fortunately, attacks depend on the algorithms they target, so it is not mandatory to protect every algorithm with the same level of attention.

FIPS 140 chart (ISO/IEC 17825 – JTC 1/SC 27/WG 3 N310292): which attack classes apply to which algorithm

  Algorithm         TA    SPA   DPA
  Symmetrical       Yes   Yes   Yes
  Asymmetrical      Yes   Yes   Yes
  TRNG              No    No    No
  Code (e.g. PIN)   Yes   Yes   Yes?

State-of-the-Art about Countermeasures

- Many patents, some very generic.
- Many publications, usually too focused.
- No industrial tool! (but one scholarly paper about automation was accepted at CHES 2012 [MOPT12])
- The first countermeasure design is usually incorrect.
- It is good to design with evaluation in mind, so as to iterate.
- A number of countermeasures are broken right from the start.
Classification Attempt

- Palliative versus curative countermeasures
- Security by obscurity versus security by design
- Physical security objective: tamper resistant or tamper evident (Common Criteria versus FIPS)
- Generic: works against all attacks
- Dedicated: optimized for a given algorithm
- Technology dependent or independent

Generic protections against SCA + FIA

Against SCA:
- Randomize
  - Data: with masks
  - Control: with shuffling
- Balance
- Tolerate: resilience

Against FIA:
- Verification
  - Data: with codes
  - Control: with check-points
- Tolerate:
  - denial of exploitation
  - infective countermeasures

Generic Countermeasures (section outline)
- Resilience at Protocol-Level
- Heuristic Countermeasures
- Digital Sensors
- Active Shield against Probing
- Countermeasures Against Hardware Trojan Horses Insertion

Resilience at Protocol-Level

Asymmetric
- Arrange for the system not to contain sensitive data
- e.g. only signatures and certificates

Symmetric
- Whitebox crypto
- Save the PIN hashed instead of encrypted
- Save the block cipher as a codebook (theoretical)
- Leakage resilient and/or fault injection resilient
- See next slides
Observation attacks are easily thwarted by masking. For all r_1, r_2, r_3 ≠ 0 (with gcd(r_1, N) = 1 for the first form):

\[
\Big( (M \times r_1^{e})^{\,d + r_2\,\varphi(N)} \times r_1^{-1} \bmod (r_3 N) \Big) \bmod N = M^d \bmod N
\quad \text{(message blinding, see [Koc96, Sec. 10])}
\]
\[
\Big( (M + r_1 N)^{\,d + r_2\,\varphi(N)} \bmod (r_3 N) \Big) \bmod N = M^d \bmod N
\]

hence multiple degrees of freedom to mask the cryptographic parameters (message, exponent and modulus) [Joy03].

Perturbation attacks are fought thanks to similar properties:
- Randomness can also be injected within the algorithm, so as to enable verifications afterwards [BHT09].
- Or use Verify ∘ Sign = Id (check the signature before releasing it).

The paper by Jean-Sébastien CORON at AsiaCrypt 2009 [CM09] proves that RSA with PSS is secure against random fault injection attacks in the random oracle model, and against side-channel attacks. But... [FGL+13].

Algorithm 1: RSA implementation (unprotected)
  Input:  M ∈ Z_N, d = (d_{n-1}, ..., d_0)_2
  Output: M^d ∈ Z_N
  1  R[1] ← 1
  2  R[2] ← M
  3  for i ∈ ⟦0, n-1⟧ do
  4      if d_i = 1 then
  5          R[1] ← R[2] · R[1]
  6      end
  7      R[2] ← R[2]^2
  8  end
  9  return R[1]

Algorithm 2: RSA implementation protected against SCA and FIA
  Input:  M ∈ Z_N, d = (d_{n-1}, ..., d_0)_2
  Output: M^d ∈ Z_N or "Error"
  1  Generate a random r ∈ Z_N^*
  2  R[0] ← r
  3  R[1] ← r^{-1}
  4  R[2] ← M
  5  for i ∈ ⟦0, n-1⟧ do
  6      R[d_i] ← R[d_i] · R[2]
  7      R[2] ← R[2]^2
  8  end
  9  if R[0] · R[1] · M = R[2] then
 10      return r · R[1]
 11  else
 12      return "Error"
 13  end

  Final condition (what holds at line 9 when nothing was faulted):
  R[2] = ((M^2)^2 ···)^2 = M^{2^n},  R[0] = r · M^{d̄} with d̄ = 2^n − 1 − d (the bit positions where d is 0),  R[1] = r^{-1} · M^d,
  so R[0] · R[1] · M = M^{2^n} = R[2]. The multiplication at line 6 is executed at every iteration whatever d_i (no key-dependent branch for SPA), the registers are blinded by r (no DPA on the intermediate values), and a fault on any multiplication or squaring of the loop breaks the equality. A fault injected after the check, on the final unmasking r · R[1], is not covered by it.

Algorithm 3: RSA implementation (Montgomery ladder)
  Input:  M ∈ Z_N, d = (d_{n-1}, ..., d_0)_2
  Output: M^d ∈ Z_N
  1  R[1] ← 1
  2  R[2] ← M
  3  for i from n-1 down to 0 do      (most significant bit first; the ladder keeps R[2] = R[1] · M)
  4      if d_i = 1 then
  5          R[1] ← R[1] · R[2]
  6          R[2] ← R[2] · R[2]
  7      else
  8          R[2] ← R[2] · R[1]
  9          R[1] ← R[1] · R[1]
 10      end
 11  end
 12  return R[1]
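The identities and the three algorithms above, as an added worked example (this is not code from the slides): Algorithm 2 is instrumented with a simulated instruction-skip fault so that the consistency check of line 9 can be seen turning a corrupted exponentiation into "Error". The toy RSA parameters (p = 61, q = 53, e = 17) and the `skip_step` fault model are constructed for the demonstration.

```python
# Added example: RSA masking identities and Algorithms 1-3 of the slides, with a
# simulated instruction-skip fault against Algorithm 2.  Toy parameters, not a
# real key.
from math import gcd
import secrets

def bits_lsb_first(d):
    """Exponent bits d_0, d_1, ..., d_{n-1}, as consumed by Algorithms 1 and 2."""
    return [(d >> i) & 1 for i in range(d.bit_length())]

def masked_identities_hold(M, d, e, N, phi_N, r1, r2, r3):
    """Check both masking identities for one choice of the masks r1, r2, r3:
      (M * r1^e)^(d + r2*phi(N)) * r1^{-1}  mod r3*N  mod N == M^d mod N
      (M + r1*N)^(d + r2*phi(N))            mod r3*N  mod N == M^d mod N
    (needs gcd(r1, N) = 1; the exponent mask relies on gcd(M, N) = 1)."""
    ref = pow(M, d, N)
    multiplicative = (pow(M * pow(r1, e, N), d + r2 * phi_N, r3 * N)
                      * pow(r1, -1, N)) % N
    additive = pow(M + r1 * N, d + r2 * phi_N, r3 * N) % N
    return multiplicative == ref and additive == ref

def rsa_unprotected(M, d, N):
    """Algorithm 1: right-to-left square-and-multiply, no countermeasure."""
    R = [None, 1, M]
    for bit in bits_lsb_first(d):
        if bit == 1:                        # key-dependent branch: SPA target
            R[1] = (R[2] * R[1]) % N
        R[2] = (R[2] * R[2]) % N
    return R[1]

def rsa_protected(M, d, N, r=None, skip_step=None):
    """Algorithm 2: one multiply per iteration whatever the key bit, accumulators
    blinded by r and r^{-1}, final check R[0]*R[1]*M == R[2].
    skip_step=i (simulation only) skips the multiplication of iteration i, the
    effect of an instruction-skip fault on the device."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2
        while gcd(r, N) != 1:               # r must lie in Z_N^*
            r = secrets.randbelow(N - 2) + 2
    R = [r, pow(r, -1, N), M]
    for i, bit in enumerate(bits_lsb_first(d)):
        if i != skip_step:
            R[bit] = (R[bit] * R[2]) % N    # R[0] collects the 0-bits, R[1] the 1-bits
        R[2] = (R[2] * R[2]) % N            # R[2] = M^(2^n) after the loop
    # Unfaulted: R[0] = r*M^(2^n-1-d), R[1] = r^{-1}*M^d, so R[0]*R[1]*M = M^(2^n).
    if (R[0] * R[1] * M) % N == R[2]:
        return (r * R[1]) % N
    return "Error"

def rsa_ladder(M, d, N):
    """Algorithm 3: Montgomery ladder, most significant bit first.
    Invariant R[2] = R[1] * M; one multiply and one square per bit."""
    R = [None, 1, M]
    for bit in reversed(bits_lsb_first(d)):
        if bit == 1:
            R[1] = (R[1] * R[2]) % N
            R[2] = (R[2] * R[2]) % N
        else:
            R[2] = (R[2] * R[1]) % N
            R[1] = (R[1] * R[1]) % N
    return R[1]

# Constructed toy parameters: p = 61, q = 53, N = 3233, phi(N) = 3120, e = 17, d = 2753.
N, PHI_N, E, D = 3233, 3120, 17, 2753

if __name__ == "__main__":
    M = 2790
    print(rsa_unprotected(M, D, N), rsa_ladder(M, D, N), rsa_protected(M, D, N))
    print("faulted run:", rsa_protected(M, D, N, r=7, skip_step=3))
    print("masking identities hold:", masked_identities_hold(M, D, E, N, PHI_N, 7, 3, 5))
```

Skipping one loop multiplication leaves one factor M^{2^i} missing from R[0] or R[1], so the product R[0]·R[1]·M no longer equals M^{2^n} and the device returns "Error" instead of a faulty signature usable for a Bellcore-style attack.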
In summary: Asymmetric Crypto is Fairly Easy to protect

Other techniques [once SPA is made impossible]:
- Secret splitting: M^{d_1} × M^{d_2} = M^{d_1 + d_2}.
- Side-Channel Atomicity.
- Caveat: SPA is easier for ECC since double & add are different formulas (in general).

Resilience against passive attacks

- Ephemeral keys are the solution:
  1. Indexed key update: [Koc03, Koc05]
  2. Fresh rekeying: [MSGR10]
- (1) is applicable to scenarios such as bitstream decryption of an FPGA
- Indeed, attacks on that scenario have been published: [MBKP11, MKP11, MKP12]
- Limit: key scheduling is expensive
Protocol level [Koc05, §4]: if ≈ 1 bit is leaked per 100 encryptions...

...then replace the key before the leakage accumulates. Alice and Bob start from the shared key k0, use it for 100 AES encryptions, then both move to k1 = hash(k0), use it 100 times, move to k2 = hash(k1), and so on:

  Alice:                Bob:
  AES_{k0} (100×)       AES_{k0} (100×)
  k1 = hash(k0)         k1 = hash(k0)
  AES_{k1} (100×)       AES_{k1} (100×)
  k2 = hash(k1)         k2 = hash(k1)
  ...                   ...
Logarithmic key access speed with indices in a binary table [Koc03]

Figure: a binary tree of keys with k0 at the root, k1 (reached with E under kL) and k4 (reached with E under kR) below it, then k2, k3, k5, k6 at the next level. Moving down to a left child applies E under kL, moving down to a right child applies E under kR, and moving back up applies the inverse D under the same key, so the key of any index is reached in a number of block-cipher calls logarithmic in the table size.

Caption:
- E: symmetric block cipher
- D: symmetric inverse block cipher
- kL: public key for left accesses
- kR: public key for right accesses
- k0: private root key
- k_{i>0}: secondary private session keys

⇒ also protects against related-key attacks [BK09]!

Authenticated encryption [Koc11]

"The approach is well suited to problems such as firmware loading, RAM encryption, network security, and FPGA bitstream encryption."
Interactive Protocols: Fresh Re-Keying [MSGR10]

Figure (labels as on the slide: "no leakage"):
  the long-term key k and a fresh random r enter f:        k* = f(r, k)
  the ephemeral key k* and the message m enter g:         y = g_{k*}(m)

The concept is the utilization of an ephemeral key k*.
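The two ephemeral-key schemes of this section, the hash-chain key update sketched under [Koc05, §4] and fresh re-keying k* = f(r, k) [MSGR10], as an added example that is not code from the slides or from those papers. Two assumptions: the keyed primitive `g` (the block cipher E / g of the slides) is replaced by keyed BLAKE2b from `hashlib`, and `f` is taken to be multiplication of r and k as degree-15 polynomials over GF(2^8) modulo y^16 + 1, a choice that is cheap to mask; the slide only names f abstractly.

```python
# Added example: (1) key update by hashing after a fixed number of uses and
# (2) fresh re-keying k* = f(r, k).  g is a stand-in keyed hash, f is an assumed
# ring multiplication; both are assumptions of this example, not the slides'.
import hashlib
import secrets

USES_PER_KEY = 100

def g(key, m):
    """Stand-in for the block cipher E_k / g_k of the slides (keyed BLAKE2b)."""
    return hashlib.blake2b(m, key=key, digest_size=16).digest()

class KeyChain:
    """Each party holds one, seeded with the shared k0.  The current key is used
    at most USES_PER_KEY times, then replaced by hash(k_i) and erased."""
    def __init__(self, k0):
        self.key, self.index, self.uses = k0, 0, 0

    def encrypt(self, m):
        if self.uses == USES_PER_KEY:          # k_{i+1} = hash(k_i)
            self.key = hashlib.sha256(self.key).digest()
            self.index, self.uses = self.index + 1, 0
        self.uses += 1
        return g(self.key, m)

def gf256_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def fresh_key(r, k):
    """f(r, k): product of r and k as polynomials of degree < 16 over GF(2^8),
    reduced modulo y^16 + 1 (y^16 = 1, so coefficient indices wrap around).
    Linear in k, hence easy to mask; r is public and fresh per message."""
    assert len(r) == len(k) == 16
    out = [0] * 16
    for i, ri in enumerate(r):
        for j, kj in enumerate(k):
            out[(i + j) % 16] ^= gf256_mul(ri, kj)
    return bytes(out)

def send_fresh(k, m):
    """Sender: draw r, derive k*, process m under k*; the long-term k never enters g."""
    r = secrets.token_bytes(16)
    return r, g(fresh_key(r, k), m)

def receive_fresh(k, r, y, m):
    """Receiver: recompute k* from the transmitted r and check y."""
    return g(fresh_key(r, k), m) == y

if __name__ == "__main__":
    alice, bob = KeyChain(b"k0" * 16), KeyChain(b"k0" * 16)
    for _ in range(250):
        assert alice.encrypt(b"msg") == bob.encrypt(b"msg")
    print("chain index after 250 uses:", alice.index, "uses of current key:", alice.uses)
    k = bytes(range(16))
    r, y = send_fresh(k, b"hello")
    print("fresh re-keying verified:", receive_fresh(k, r, y, b"hello"))
```

In the chain, every key enters `g` at most 100 times before being hashed away, which is what bounds the leakage an attacker can accumulate on any one key; in fresh re-keying, every message gets its own k*, so `g` needs no side-channel protection and only the cheap, linear `f` does.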
Resilience against active attacks

- Recall that AES can be broken with one (C, C*) pair [TMA11]
- Against cryptography (DFA): [GSDS10]
  - Do not encrypt twice the same message
  - Randomize the input
  - Do not output directly the result
  - Hash it. But beware of safe-error attacks
- Against the rest (control, which can be altered by skipping instructions):
  - Chain at protocol level

DPA can be thwarted easily (at protocol level)
⇒ We focus on fault injection attacks

Case-study: secure messaging

Assumptions
- The reader is easily protected (figure label: "Easy to protect")
- The smartcard is hard to protect (figure label: "Difficult to protect")
- Symmetric cryptography (E)
- Shared keys:
  - k1: external authenticate
  - k2: internal authenticate
  - k3: secure channel encryption
- Evaluating the resilience to fault attacks only
Example on Smartcard Protocols 1/6

In all six diagrams the attacker monitors faulty outputs on the Reader side and injects faults on the Smartcard side. "x ←$" denotes drawing x at random.

  Reader                                  Smartcard
         <------- envelope e3 --------    e3 = E_{k3}(d3)
  unsafe, because the input d3 is chosen

Example on Smartcard Protocols 2/6

  Reader                                  Smartcard
                                          r3 ←$
         <----- envelope (e3, r3) ----    e3 = E_{k3}(d3 ⊕ r3)
  safe, because the input is not chosen

Example on Smartcard Protocols 3/6

  Reader                                  Smartcard
                                          c1 ←$
         <------- challenge c1 -------
  e1' = E_{k1}(c1)                        e1 = E_{k1}(c1)   (safe, because not output)
         -------- answer e1' -------->
                                          e1' =? e1
  unsafe, since a fault on this comparison can bring us to the next step (external authentication is skipped)
                                          r3 ←$
         <----- envelope (e3, r3) ----    e3 = E_{k3}(d3 ⊕ r3)
  safe, because the input is not chosen

Example on Smartcard Protocols 4/6

  Reader                                  Smartcard
                                          c1 ←$
         <------- challenge c1 -------
  e1' = E_{k1}(c1)                        e1 = E_{k1}(c1)   (safe, because not output)
         -------- answer e1' -------->
                                          e1' =? e1
         <------- envelope e3 --------    e3 = E_{k3 ⊕ e1}(d3)
  safe, because the operations are chained: the envelope key depends on e1, so the outcome depends on more than one bit (skipping the comparison no longer yields an envelope under k3). In addition, it is more efficient!
  safe, because the envelope does not involve k3 directly

Example on Smartcard Protocols 5/6

  Reader                                  Smartcard
  (external authentication as in 4/6)
  c2 ←$
         -------- challenge c2 ------->
  e2' = E_{k2}(c2)                        e2 = E_{k2}(c2)
         <-------- answer e2 ---------
  e2' =? e2
  unsafe, because the input c2 is chosen and e2 is output
         <------- envelope e3 --------    e3 = E_{k3 ⊕ e1 ⊕ e2}(d3)
  safe, because the envelope does not involve k3 directly

Example on Smartcard Protocols 6/6

  Reader                                  Smartcard
  (external authentication as in 4/6)
  c2 ←$
         -------- challenge c2 ------->
                                          r2 ←$
  e2' = E_{k2}(c2 ⊕ r2)                   e2 = E_{k2}(c2 ⊕ r2)
         <------ answer (e2, r2) -----
  e2' =? e2
  safe, because the input is not chosen
         <------- envelope e3 --------    e3 = E_{k3 ⊕ e1 ⊕ e2}(d3)
  safe, because the envelope does not involve k3 directly
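The six protocol variants above as a simulation, added here as an example (not code from the slides). It asks the question that decides DFA exposure in the sense of [TMA11]: over many sessions, does the card ever process the same (key, input) pair through E twice, so that a correct and a faulted output of it could be collected? It also records whether the envelope is released at all to a rogue reader. Assumptions: E is a stand-in keyed hash, the key values and the attacker's fixed c2 and d3 are constructed, and the fault model is "the e1' = e1 comparison is skipped".

```python
# Added example: simulation of protocol variants 1/6 .. 6/6 with a rogue reader
# that fixes c2 and d3, and an optional fault skipping the external-auth check.
# E is a stand-in keyed hash; keys and constants are constructed for the demo.
import hashlib
import secrets

def E(k, x):
    return hashlib.blake2b(x, key=k, digest_size=16).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

K1, K2, K3 = (bytes([i]) * 16 for i in (1, 2, 3))  # ext. auth, int. auth, channel
C2 = b"chosen-challenge"                            # attacker-chosen, 16 bytes
D3 = b"attacker-chosen!"                            # attacker-chosen payload

def card_session(variant, c2, skip_ext_auth=False, reader_knows_k1=False):
    """One run on the smartcard side.  Returns (envelope_released, pairs) where
    pairs lists the (key, input) fed to E whose output leaves the card."""
    pairs = []
    e1 = bytes(16)
    if variant >= 3:                                # external authenticate
        c1 = secrets.token_bytes(16)                # card's challenge
        e1 = E(K1, c1)                              # never output
        answer = E(K1, c1) if reader_knows_k1 else secrets.token_bytes(16)
        if answer != e1 and not skip_ext_auth:      # the fault skips this check
            return False, pairs
    e2 = bytes(16)
    if variant == 5:                                # internal auth, chosen input
        pairs.append((K2, c2))
        e2 = E(K2, c2)
    elif variant == 6:                              # card randomises the input
        x = xor(c2, secrets.token_bytes(16))
        pairs.append((K2, x))
        e2 = E(K2, x)
    if variant == 1:                                # e3 = E_k3(d3)
        key, inp = K3, D3
    elif variant in (2, 3):                         # e3 = E_k3(d3 xor r3)
        key, inp = K3, xor(D3, secrets.token_bytes(16))
    elif variant == 4:                              # e3 = E_{k3 xor e1}(d3)
        key, inp = xor(K3, e1), D3
    else:                                           # e3 = E_{k3 xor e1 xor e2}(d3)
        key, inp = xor(xor(K3, e1), e2), D3
    pairs.append((key, inp))
    return True, pairs

def assess(variant, runs=20, **faults):
    """Run `runs` sessions.  Returns (sessions that released an envelope,
    number of (key, input) pairs that E processed more than once).  A repeated
    pair is what a DFA needs: a correct and a faulted output of one computation."""
    counts, released = {}, 0
    for _ in range(runs):
        ok, pairs = card_session(variant, C2, **faults)
        released += ok
        for p in pairs:
            counts[p] = counts.get(p, 0) + 1
    return released, sum(1 for n in counts.values() if n > 1)

if __name__ == "__main__":
    print("1/6 chosen d3 under k3      :", assess(1))
    print("2/6 d3 xor r3               :", assess(2))
    print("3/6 rogue reader, no fault  :", assess(3))
    print("3/6 rogue reader, auth skip :", assess(3, skip_ext_auth=True))
    print("4/6 chained key, auth skip  :", assess(4, skip_ext_auth=True))
    print("5/6 chosen c2 under k2      :", assess(5, reader_knows_k1=True))
    print("6/6 c2 xor r2               :", assess(6, reader_knows_k1=True))
```

Variants 1 and 5 are the only ones where a pair repeats (the long-term key with an attacker-chosen block), which is the DFA precondition. Variant 3 shows the control-flow weakness: the faulted comparison releases the envelope to a reader that does not know k1, even though the envelope input is randomized. In variant 4 the envelope is still released under the fault, but under k3 ⊕ e1 with e1 unknown to the attacker and different in every session, so no usable pair ever appears.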
Heuristic Countermeasures

This paper [GM11] presents some heuristic countermeasures:
- Complementary with other countermeasures!
- Especially suitable for FPGAs if some resources remain available.
- Next slides courtesy of the authors (Tim Güneysu and Amir Moradi)

Implementing Noise Generators in FPGAs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 7)

Common design: application logic including a cryptographic core.

Noise generation strategy:
- Configure the remaining, routable slices (flip-flops) as cyclic shift registers
- Preload the sequence "01" into the shift registers
- Run the noise generator in sync with the crypto core (figure: the shift-register chains share the clock enable CE with the CRYPTO CORE)

(figure: APPLICATION LOGIC and CRYPTO CORE beside chains of flip-flops circulating the 1 0 pattern)

Proposal #2: Write Collisions in BRAMs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 12)

- Write collision when concurrently writing data to the same address of dual-ported memories (BRAM)
- Opposite driving directions in an inverter pair result in an uncertain outcome [GP09, G10]

(figure: port A writes A = 1 with WEA = 1 at ADDRA while port B writes B = 0 with WEB = 1 at the same address ADDRB; the stored value is "??")

Proposal #3: Short Circuits in FPGAs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 14)

- Short circuits (SC) can be created in the FPGA's routing network [BKT10]
- SCs in output multiplexers of switch boxes
- Power restriction limits the currents to < 100 µA
- Establishing controlled SCs requires manual routing (via XDL)

(figure: CLB, slices and switch box; the output multiplexer's configuration bits select two drivers at once, creating the SC between input and output)
Proposal #4: Clock Disalignment using DCMs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 18)

- Digital Clock Managers (DCM) support concurrent phase-shift channels
- Clock buffers can be configured as glitch-free clock multiplexers
- Cascading clock muxes results in a randomly delayed, phase-shifted clock

(figure: DCM_A produces 90°, 180°, 270° shifts of CLK_I and DCM_B, with PS + 45°, produces 45°, 135°, 225°, 315°; muxes S0, S1, S2 driven by an RNG select among them to yield CLK_FSM and CLK_Ciph.; the output waveform shows the three candidate clocks A, B, C)

Proposal #5: Data Masking with BRAMs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 22)

- Dual-ported BRAM allows simultaneous access and mask update in the Q-box
- Active context (Q-box #1) used by the cipher operation
- Inactive context (Q-box #2) updates the mask by a concurrent process
- Context switch after the update and the cipher process are finished

(figure: cipher datapath with scrambler, mask m, linear layer L(x) and S-box under scrambling π; the BRAM holds context A (active, using m) and context B (inactive, being rewritten for the next mask m', e.g. F439AD0B8C...), with the FSM driving WEB and ADDRB on the inactive port)

Evaluations: CPA on individual CMs (CHES 2011 | Nara, Japan | Tim Güneysu, slide 26)

  Configuration                                          Measurements   Traces required
  Plain AES-128 @ 24 MHz                                 10^4           3,000
  Individual / all noise generators combined
    (parameters used: r = 16 instances, s = 36 width)    5×10^4         8,000
  Clock disalignment (8 phase-shift steps)               10^7           3,000,000
  Memory masking with dual-ported BRAMs                  10^8           not successful (first-order attack)

Digital Sensors

Sensor against optical fault injection [LCSK13] (figure)
Effect of laser spot on CMOS cells

(figure, three overlays: a chain of CMOS inverters between vdd and vss carrying the values 0 1 0 1 0 1 0 1; a laser shot on one cell flips its output from 0 to 1)

A summary of the countermeasures embedded in a smartcard

(figure) Courtesy of Assia Tria, CEA/LETI.

Active Shield against Probing

Active shield 1/2 (figure)
Active shield 2/2 (figure)
Random Active shield [BCC+12a, GBP+12]

(figure: Designer's view versus Attacker's view; the attacker must find an "area to open" in the random pattern)

Counter-measures at the module's level (figure)

Radiation suppression with a ferromagnetic film

Ferromagnetic material Ni80Fe20, aka Permalloy.
Experiment with a layer of 20 µm depth [BBD+07].

Countermeasures Against Hardware Trojan Horses Insertion

Last metal layer (M6) of an AES layout

Figure 1 – Last metal layer (M6) of AES layouts (1200 µm × 1200 µm), with a Circuit Utilization Rate (CUR) of 50%: (a) original AES, (b) AES with a 1-AND-gate Trojan, (c) AES with a 128-AND-gate Trojan.
Cross-correlation results

Table 1 – Cross-correlation between the genuine AES layout and the trojaned ones, for each Circuit Utilization Rate (CUR) and Trojan horse size (count of AND gates).

  CUR \ size    1       2       4       8       16      32      64      128
  50%           0.9991  0.9972  0.9981  0.9950  0.9933  0.9918  0.9815  0.9668
  60%           0.9987  0.9968  0.9959  0.9955  0.9944  0.9893  0.9788  0.9670
  70%           0.9989  0.9981  0.9918  0.9941  0.9881  0.9850  0.9594  0.9067
  80%           0.9999  0.9965  0.9898  0.9957  0.9780  0.9711  0.8970  0.8509
  90%           0.9988  0.9990  0.9983  0.9962  0.9832  0.9572  0.8858  0.4010
  95%           0.9997  0.9984  0.9980  0.9889  0.9589  0.9115  0.8824  0.8202
  99%           0.9917  0.9380  0.9714  0.9527  0.3798  NC      NC      NC

- 0.4010 / 0.3798: ECO (Engineering Change Order) place-and-route failed
- NC: even re-routing failed!

Pixel-wise comparison between the AES layouts

Figure 2 – Pixel-wise comparison between the AES layouts with 50% CUR: between the original AES and (a) a single-AND-gate Trojan, (b) a 128-AND-gate Trojan.
Grid-correlation between the layouts

Figure 3 – Cross-correlation for the comparison of the layouts, computed on a grid: CUR of 50%, (a) 1 AND and (b) 128 AND gates Trojan; CUR of 95%, (a) 1 AND and (b) 128 AND gates Trojan.

Results on the SECMAT circuit (run CMP S12C6)

(figure: trojaned GDSII (left), picture of the fabricated circuit (center), genuine GDSII (right); the region "added by the Trojan" is highlighted)

|NCC| = 1.56% for the trojaned GDSII versus the picture > |NCC| = 0.67% for the genuine GDSII versus the picture.
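The grid-based cross-correlation behind Figure 3 and the SECMAT comparison, as an added example (not code from the slides or from the cited papers). The two bitmaps are constructed: a random "genuine" layout and a copy in which a few cells inside one tile are flipped, standing for the cells a Trojan adds. In real use the GDSII and the micrograph would be rasterised at the same resolution and aligned first; that step is not shown here.

```python
# Added example: global and grid-based normalised cross-correlation (NCC)
# between a reference layout and an image of the circuit.  Bitmaps constructed.
import random

def ncc(a, b):
    """Zero-lag normalised cross-correlation of two equal-size 0/1 bitmaps."""
    n = len(a) * len(a[0])
    ma = sum(map(sum, a)) / n
    mb = sum(map(sum, b)) / n
    num = sum((x - ma) * (y - mb) for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    da = sum((x - ma) ** 2 for ra in a for x in ra)
    db = sum((y - mb) ** 2 for rb in b for y in rb)
    return num / (da * db) ** 0.5 if da and db else 0.0

def grid_ncc(a, b, cells):
    """Split both bitmaps into cells x cells tiles and correlate tile by tile.
    A small Trojan barely moves the global NCC but pulls its own tile down."""
    h, w = len(a), len(a[0])
    th, tw = h // cells, w // cells
    out = {}
    for i in range(cells):
        for j in range(cells):
            ta = [row[j * tw:(j + 1) * tw] for row in a[i * th:(i + 1) * th]]
            tb = [row[j * tw:(j + 1) * tw] for row in b[i * th:(i + 1) * th]]
            out[(i, j)] = ncc(ta, tb)
    return out

def make_layouts(size=64, fill=0.5, flips=6, seed=7):
    """Constructed data: a random 'genuine' layout and a copy with `flips`
    cells changed inside tile (2, 1) of a 4x4 grid (the Trojan's extra cells)."""
    rng = random.Random(seed)
    genuine = [[1 if rng.random() < fill else 0 for _ in range(size)]
               for _ in range(size)]
    trojaned = [row[:] for row in genuine]
    t = size // 4
    for k in range(flips):
        r, c = 2 * t + k // 3, t + k % 3
        trojaned[r][c] = 1 - trojaned[r][c]
    return genuine, trojaned

def locate_trojan(genuine, image, cells=4):
    """Return the tile with the lowest NCC, its NCC, and the global NCC."""
    tiles = grid_ncc(genuine, image, cells)
    worst = min(tiles, key=tiles.get)
    return worst, tiles[worst], ncc(genuine, image)

if __name__ == "__main__":
    g, tr = make_layouts()
    print(locate_trojan(g, tr))   # tile (2, 1) stands out; global NCC stays > 0.99
```

Flipping 6 of 4096 cells leaves the global NCC near 0.997, the kind of value Table 1 reports for small Trojans, while the 256-cell tile that contains them drops to about 0.95 and the other tiles stay at 1.0; localising the comparison is what makes a small insertion visible.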
Introduction Introduction
Resilience at Protocol-Level The advantage of doing hardware – Introduction
Generic Countermeasures Generic Countermeasures
Heuristic Countermeasures Masking
RTL Countermeasures RTL Countermeasures
Digital Sensors Tweaked masking
Unitary Countermeasure Evaluation Methodology Unitary Countermeasure Evaluation Methodology
Active Shield against Probing Dual-rail
Attacks on Countermeasures Attacks on Countermeasures
Countermeasures Against Hardware Trojan Horses Insertion Countermeasures Specifically Designed against RE
Conclusions Conclusions

Conclusion on Hardware Trojan Horses Insertions

• Prevention : it is almost impossible to insert a Trojan horse in ECO mode if CUR > 90%
• Detection (post-mortem) : the (visual) correlation decreases when the Trojan horse size and the CUR increase
• Medium cost detection with grid-based cross-correlation between GDSII and photographic pictures of the circuit


Story : “One shall trust his hardware”

Fact : manipulating a variable leaks.
Modulo : leakage function, noise.
[Figure: a variable X handled by the logic leaks its value x.]

Masking : splitting

X ↦ (X ⊕ M ‖ M)
Attacks : joint (X ⊕ M, M) leaks on X.
[Figure: the two shares x ⊕ m and m are handled by the logic. ⚠ Joint leakage.]

But the assumption of independent computations is an hypothesis on the HW.

Violation in time : CMOS leaks the activity
M → M_modelled, M_unexpected
At time t the register holds X ⊕ M, at time t + 1 it holds M.
Leakage in activity : (x ⊕ m) [at t = 0] ⊕ m [at t = 1] = x.

Variable caching, because of forks

Functionally inactive parts leak.
[Figure: a fork copies the share x ⊕ m into a part of the logic that is functionally inactive, which nevertheless leaks it.]


Anyway, we need to trust the HW, because a secure software cannot resist a register-logger “insider” attack !

X → (X, logger)
The logger can leak the value, in side-channel or simply via a backdoor... ⇒ We need trusted hardware.
[Figure: shares m0, m1, m2 go through the logic while a logger copies the register content.]

Research on this topic

• For instance, if shares are assumed to leak independently, sound masking countermeasures can be built. But what if they “overlap” ? [CVG+12].
  • HW security ⇏ HD security.
• Another paper shows the contrary [MM12] :
  • HD security ⇏ HW security.

Masking is “Secret Sharing”

Principle
• Every variable s, potentially sensible, is represented as a set of shares {s0, s1, · · · , sd}.
• To reconstruct s, all the si are required.
• Example : d = 1, s = s0 ⊕ s1.
⇒ Boolean [GP99], multiplicative [AG01], affine [FMPR10], homographic [PR10], etc.
• Leakage resistant since variables are never used plain.
• Attractive but works only fine for registers.
• Efforts done to protect also the combinational logic.

Computing Masked DES [PS08]

Everything is linear, but the sboxes.
[Figure: masked DES. Message and Mask both go through IP; Left/Right halves are kept as masked data (Li, Ri) together with their masks (MLi, MRi). In the Feistel function f, E and the round key kc feed a re-masked sbox S′ computing S(x ⊕ kc) ⊕ xm, followed by P; the mask path carries m0 through E, S and P to m′. FP yields the Ciphertext.]

Computing Masked AES

Everything is linear, but the sboxes (sic). a ↦ a^(−1) mod X^8 + X^4 + X^3 + X + 1, and a^(−1) = a^254 = (((a^2) × a)^4) × ... mod X^8 + X^4 + X^3 + X + 1.
• Squaring is linear
• We miss a secure AND
Next slides courtesy of the authors of [RP10].

Ishai-Sahai-Wagner (ISW) Scheme

Principle
■ AND gates encoding:
  • Input: (a_i)_i, (b_i)_i s.t. ⊕_i a_i = a, ⊕_i b_i = b
  • Output: (c_i)_i s.t. ⊕_i c_i = ab
  ⊕_i c_i = ⊕_i a_i b_i = ⊕_{i,j} a_i b_j
■ Example (d = 2): each c_i is the XOR of row i of
  ( a_0 b_0    (a_0 b_1 ⊕ r_{1,2}) ⊕ a_1 b_0    (a_0 b_2 ⊕ r_{1,3}) ⊕ a_2 b_0 )
  ( r_{1,2}    a_1 b_1                          (a_1 b_2 ⊕ r_{2,3}) ⊕ a_2 b_1 )
  ( r_{1,3}    r_{2,3}                          a_2 b_2                        )
  i.e. c_0 = a_0 b_0 ⊕ (a_0 b_1 ⊕ r_{1,2}) ⊕ a_1 b_0 ⊕ (a_0 b_2 ⊕ r_{1,3}) ⊕ a_2 b_0,
       c_1 = r_{1,2} ⊕ a_1 b_1 ⊕ (a_1 b_2 ⊕ r_{2,3}) ⊕ a_2 b_1,
       c_2 = r_{1,3} ⊕ r_{2,3} ⊕ a_2 b_2.
  [Figure: AND gate for d = 2, with the three random generators ($) producing r_{1,2}, r_{1,3}, r_{2,3}.]
■ Ishai et al. prove (d/2)th-order security
  • We prove dth-order security
CHES 2010 – Provably Secure Higher-Order Masking of AES

Warning for optimizations (here under Cadence) ! [RBG+15]
[Figure: synthesized netlist of the masked AND gadget. Caption : AN = and, EO = xor.]

Masking the S-box
The proposed addition chain:
x → x^2 (one square) → x^3 (one mult) → x^12 (one ^4, i.e. two squares) → x^15 (one mult) → x^240 (one ^16, i.e. four squares) → x^252 (one mult) → x^254 (one mult)
■ Total: 4 mult and 7 squares
■ Memory: 3 registers
■ LUT for ^2, ^4 and ^16
CHES 2010 – Provably Secure Higher-Order Masking of AES
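As an added example (not code from the slides or from [RP10]), the following Python runs the ISW multiplication on Boolean shares over GF(2^8) and the addition chain above on shared inputs, then checks x^254 against a brute-force inverse for every byte; gf_inv_ref, share and unshare are helpers constructed for the demonstration.

```python
"""Added example: AES S-box inversion on Boolean shares, ISW-style, after [RP10]."""
import random
from functools import reduce
from operator import xor

AES_POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF


def gf_inv_ref(x: int) -> int:
    """Reference inverse by exhaustive search (0 maps to 0, as in AES)."""
    return 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)


def share(x: int, d: int, rng: random.Random) -> list:
    """Encode x as d + 1 Boolean shares whose XOR is x (constructed helper)."""
    sh = [rng.randrange(256) for _ in range(d)]
    return sh + [reduce(xor, sh, x)]


def unshare(sh: list) -> int:
    return reduce(xor, sh, 0)


def square_shares(sh: list, times: int) -> list:
    """x -> x^(2^times) share-wise: squaring is F2-linear, no randomness needed."""
    out = list(sh)
    for _ in range(times):
        out = [gf_mul(s, s) for s in out]
    return out


def isw_mul(a_sh: list, b_sh: list, rng: random.Random) -> list:
    """ISW secure multiplication on d + 1 shares: XOR(c) == gf_mul(XOR(a), XOR(b)).

    Row i of the slide's matrix is accumulated into c[i]: the diagonal a_i b_i,
    a fresh r_{i,j} for j > i, and (r_{i,j} ^ a_i b_j) ^ a_j b_i for j < i.
    """
    n = len(a_sh)
    c = [gf_mul(a_sh[i], b_sh[i]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r_ij = rng.randrange(256)
            r_ji = (r_ij ^ gf_mul(a_sh[i], b_sh[j])) ^ gf_mul(a_sh[j], b_sh[i])
            c[i] ^= r_ij
            c[j] ^= r_ji
    return c


def masked_inverse(x_sh: list, rng: random.Random) -> list:
    """x^254 on shares with the slide's chain: 4 secure mults, 7 squarings."""
    x2 = square_shares(x_sh, 1)        # x^2   : one square
    x3 = isw_mul(x2, x_sh, rng)        # x^3   : one mult
    x12 = square_shares(x3, 2)         # x^12  : ^4, two squares
    x15 = isw_mul(x12, x3, rng)        # x^15  : one mult
    x240 = square_shares(x15, 4)       # x^240 : ^16, four squares
    x252 = isw_mul(x240, x12, rng)     # x^252 : one mult
    return isw_mul(x252, x2, rng)      # x^254 : one mult (= x^-1)


def check_all_bytes(d: int, seed: int = 1) -> bool:
    """Exhaustive functional check of the masked inversion with d + 1 shares."""
    rng = random.Random(seed)
    return all(
        unshare(masked_inverse(share(x, d, rng), rng)) == gf_inv_ref(x)
        for x in range(256)
    )


if __name__ == "__main__":
    for d in (1, 2, 3):
        print(f"d = {d}: masked x^254 correct on all bytes: {check_all_bytes(d)}")
```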
Implementation Results (8051)

Method                    | K cycles | ms (31 MHz) | RAM (bytes) | ROM (bytes)
Unprotected Implementation
Na.                       | 3        | 0.1         | 32          | 1150
First-Order Masking
[Messerges FSE’00]        | 10       | 0.3         | 256+35      | 1553
[Oswald+ FSE’05]          | 77       | 2.5         | 42          | 3195
Our scheme (d=1)          | 129      | 4           | 73          | 3153
Second-Order Masking
[Schramm+ CT-RSA’06]      | 594      | 19          | 512+90      | 2336
[Rivain+ FSE’08]          | 672      | 22          | 256+86      | 2215
Our scheme (d=2)          | 271      | 9           | 79          | 3845
Third-Order Masking
Our scheme (d=3)          | 470      | 15          | 103         | 4648
CHES 2010 – Provably Secure Higher-Order Masking of AES

Computing Masked RC5 [Riv94] (idem SHA...)

Everything is linear, but in different groups : (F_2, ⊕) and (Z_{2^32}, +).
⇒ Conversion between [Deb12] :
• Boolean masking, and
• arithmetic masking.

Example at order 1 (let k = 8, 16, 32)

Notations
• x is sensitive
• r is a random mask
• x′ is x Boolean-ly masked : x′ = x ⊕ r
• A is x arithmetically masked : x = A + r mod 2^k
B2A : [Gou01]
• [x′, r] → [A, r]
A2B : [CGV14, Alg. 7]
• [A, r] → [x′, r]

Leakage squeezing, Schematic [MGD11]

[Figure: two n-bit registers hold X ⊕ M and F(M), which leak simultaneously (“fuite simultanée”); the combinational logic (“logique combinatoire”) works on a, b; the mask M is hidden in memory (“cachée en mémoire”) behind the S/R cells; the next state is X′ ⊕ M′ and F(M′) on a′, b′.]
Principle of the first-order masking scheme improvement by the leakage squeezing technique.
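As an added example (not code from the slides or from [Gou01]), the Python below implements Goubin's B2A conversion of the slide above and uses it to compute (x ⊕ y) + z mod 2^k on masked operands only, the XOR-then-add pattern the RC5 slide needs; masked_xor_then_add, demo and the sample operands are constructed for the demonstration, and A2B is not implemented.

```python
"""Added example: Goubin's Boolean-to-arithmetic conversion [Gou01] at order 1,
used to chain an XOR-masked step with an add-masked step (RC5-style)."""
import random


def b2a(x_prime: int, r: int, gamma: int, k: int) -> int:
    """Convert x' = x ^ r into A with x = A + r mod 2^k, using one random word gamma.

    The seven steps follow Goubin's algorithm; the sensitive x is never formed.
    Correctness rests on Goubin's lemma: Phi(g) = (x' ^ g) - g is affine over F2,
    hence Phi(r) = Phi(gamma ^ r) ^ Phi(gamma) ^ Phi(0) with Phi(0) = x'.
    """
    mask = (1 << k) - 1
    t = x_prime ^ gamma
    t = (t - gamma) & mask
    t ^= x_prime                  # t = Phi(gamma) ^ x'
    gamma ^= r
    a = x_prime ^ gamma
    a = (a - gamma) & mask        # a = Phi(gamma ^ r)
    return a ^ t                  # a ^ t = Phi(r) = (x - r) mod 2^k


def masked_xor_then_add(x_sh, y_sh, z_sh, k: int, rng: random.Random):
    """(x ^ y) + z mod 2^k computed on masked operands only (constructed helper).

    x_sh, y_sh = (x', r) Boolean pairs; z_sh = (A_z, r_z) arithmetic pair.
    XOR is share-wise in (F2, ^); the result is converted with b2a and the
    addition is share-wise in (Z/2^k, +).  Returns an arithmetic pair (A, R).
    """
    mask = (1 << k) - 1
    (xp, rx), (yp, ry), (za, rz) = x_sh, y_sh, z_sh
    wp, rw = xp ^ yp, rx ^ ry                   # Boolean sh' of w = x ^ y
    wa = b2a(wp, rw, rng.getrandbits(k), k)     # now w = wa + rw mod 2^k
    return (wa + za) & mask, (rw + rz) & mask   # (wa + za) + (rw + rz) = w + z


def unmask_arith(a: int, r: int, k: int) -> int:
    return (a + r) & ((1 << k) - 1)


def exhaustive_b2a_check(k: int = 8) -> bool:
    """Every (x, r) and three gammas for a small k: (b2a(x ^ r, r, g) + r) mod 2^k == x."""
    mask = (1 << k) - 1
    return all(
        (b2a(x ^ r, r, g, k) + r) & mask == x
        for x in range(1 << k) for r in range(1 << k) for g in (0, 0x5A, mask)
    )


def demo(k: int = 32, seed: int = 7) -> bool:
    """Constructed 32-bit operands: the masked result must equal the plain computation."""
    rng = random.Random(seed)
    mask = (1 << k) - 1
    x, y, z = 0xDEADBEEF, 0x01234567, 0x89ABCDEF          # constructed sample values
    rx, ry, rz = (rng.getrandbits(k) for _ in range(3))   # fresh masks
    a, r = masked_xor_then_add((x ^ rx, rx), (y ^ ry, ry), ((z - rz) & mask, rz), k, rng)
    return unmask_arith(a, r, k) == ((x ^ y) + z) & mask


if __name__ == "__main__":
    print("B2A exhaustive (k = 8):", exhaustive_b2a_check(8))
    print("masked (x ^ y) + z matches plain (k = 32):", demo())
```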

Leakage squeezing Rationale 1/3

Reference. Without protection, we have : X = HW(Y).
Notations : Y ∈ F_2^n, hence HW(Y) ∈ {0, · · · , n}. There is a trivial link between the observed leak and the sensitive variable.

Sensitive data Y (private)        | Leak X (public)
{0x0}                             | 0
{0x1, 0x2, 0x4, 0x8}              | 1
{0x3, 0x5, 0x9, 0x6, 0xa, 0xc}    | 2
{0x7, 0xb, 0xd, 0xe}              | 3
{0xf}                             | 4

Leakage squeezing Rationale 2/3

First-order Boolean masking. The leakage model becomes : X = HW(Y ⊕ M) + HW(M) ∈ {0, · · · , 2n}. There still remains a link between the observable leaks and the sensitive variable. Typically, if Y = 2^n − 1 = 0xf (n = 4), the mask M does not fulfil its camouflage duty.
[Figure: the five classes of sensitive data Y (private), {0x0}, {0x1, 0x2, 0x4, 0x8}, {0x3, 0x5, 0x9, 0x6, 0xa, 0xc}, {0x7, 0xb, 0xd, 0xe}, {0xf}, linked to the leak values X (public) = 0, 1, · · · , 8.]

Leakage squeezing Rationale 3/3

First-order Boolean masking with “leakage squeezing”. The leakage model is more complex : X = HW(Y ⊕ M) + HW(F(M)). The role of the bijection F is to distribute in a more balanced way the sensible variable in the 2n + 1 leakage classes (although obtaining a completely balanced distribution is impossible).
[Figure: the five classes of sensitive data Y (private), {0x0}, {0x1, 0x2, 0x4, 0x8}, {0x3, 0x5, 0x9, 0x6, 0xa, 0xc}, {0x7, 0xb, 0xd, 0xe}, {0xf}, linked to the leak values X (public) = 0, 1, · · · , 8.]

RSM (Rotating Sbox Masking) mode of operation

[Figure: the 128-bit state (128 = 16 × 8) enters a barrel shifter controlled by j ∈ {0 .. 15} (4 bits); the 16 masked sboxes S_0, S_1, ..., S_15 (SubBytes) take inputs masked by m0, m1, ..., m15 (M0) and deliver outputs masked by m1, m2, ..., m0 (M1), i.e. the mask set rotated by one byte; a second barrel shifter (j ∈ {0 .. 15}) realigns the 128-bit state. SB00 denotes the masked SubBytes block.]

RSM leakage [NSGD12]

• Masked sboxes Z ↦ M_out ⊕ S(Z ⊕ M_in).
• L(Z, M) = L(Z ⊕ M).
In this expression, Z and M are n-bit vectors, i.e. live in F_2^n. The leakage function L : F_2^n → R depends on the hardware.
• In a conservative perspective, L is assumed to be bijective.
• In a realistic perspective, L is assumed to be non-injective.

Table 2 – Implementation results for reference and protected AES

                              | Unprotected | RSM        | Overhead
Number of ALUTs (%)           | 2136 (8%)   | 2734 (10%) | 28%
Number of M4K ROM Blocs (%)   | 20 (14%)    | 24 (17%)   | 20%
Frequency (MHz)               | 133         | 88         | 34%
Setting :
• n = 8 bit,
• 16 masks only, and (Price metric)
• provable security up to 2nd-order attacks (Security metric)

Trade-off [NGD11]

[Plot: Mutual information I[HW[Z ⊕ M]; Z] (in bit), from 0 to 0.4, against the entropy H[M] of the mask M (in bit), from 3.5 to 7.]
Mutual information of the leakage in Hamming weight with the sensitive variable Z, for one solution that cancels ρ_opt^(1,2) found by the SAT-solver.

Example of countermeasures combination [BBD+14]

Attacks on DPACv4 implementation and corresponding countermeasures (the table marks with an x the countermeasure(s) corresponding to each attack).
Countermeasures (columns) : ASM (instead of C) ; Registers precharge ; One mask per sbox ; Shuffling.
Attacks (rows) :
• First-order attack [MGH14]
• Recover the offset [TEL14]
• Collision on the sbox [KP14]
• Collision 1st-last rounds [KP14]
• Bivariate attacks [BBB+13]
• MIA [YE13]

DPL representation : a ↔ (a_f, a_t)

• a is VALID if a_f ⊕ a_t = 1.
  VALID = {VALID0, VALID1} or VALID = {(1, 0), (0, 1)}.
• a is NULL if a_f ⊕ a_t = 0.
  NULL = {NULL0, NULL1} or NULL = {(0, 0), (1, 1)}.
Flavors of DPL – gate g style :
• DPL w/ EE : ∃a VALID, g(a, NULL) = VALID.
• DPL w/o EE : ∀a VALID, g(a, NULL) = NULL.

Faults typology on DPL :
• Only results on evaluation are observable.
• Asymmetric faults : ↓ {VALID0, VALID1} → NULL0, caused by global perturbations (e.g. VCC glitch, overclocking, under-powering).
• Symmetric faults : ↓ or ↑ {VALID0, VALID1} → {NULL0, NULL1}, caused by local perturbations (e.g. laser or EM injection).

Regular Backend Flow in ASIC Design
a) Floorplan split into rows
b) Instances Ix of the netlist are dispatched into the placement rows
   The cells share the supply (power or VDD / ground or VSS) lines
c) Routes are created over the cells
   E.g. in HCMOS9GP, cell pins are in M1, thus M2 – M6 is devoted to interconnection (M1 can be used to route side-by-side cells.)
GET / Télécom Paris, CNRS LTCI (UMR 5141), 46, rue Barrault – 75634 Paris Cedex 13 – France
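As an added example (not code from the slides), the Python below encodes the (a_f, a_t) representation above, tests the two "gate style" predicates on a WDDL AND/OR (which evaluate early, so they are DPL w/ EE) and on an idealised gate that waits for both inputs (DPL w/o EE), and counts rising transitions per evaluation to show the data-independent activity that hiding relies on; wait_for_both_and and the single-rail comparison are constructed for the demonstration.

```python
"""Added example: DPL tokens, the early-evaluation predicate, and activity counts."""

NULL0, NULL1 = (0, 0), (1, 1)           # (a_f, a_t) with a_f ^ a_t == 0
VALID0, VALID1 = (1, 0), (0, 1)         # (a_f, a_t) with a_f ^ a_t == 1


def is_valid(a) -> bool:
    af, at = a
    return (af ^ at) == 1


def encode(bit: int):
    return VALID1 if bit else VALID0


def decode(a) -> int:
    if not is_valid(a):
        raise ValueError("NULL token carries no logical value")
    return a[1]


def wddl_and(a, b):
    """WDDL AND: true rail a_t & b_t, false rail a_f | b_f (precharge to NULL0)."""
    (af, at), (bf, bt) = a, b
    return (af | bf, at & bt)


def wddl_or(a, b):
    (af, at), (bf, bt) = a, b
    return (af & bf, at | bt)


def wait_for_both_and(a, b):
    """Idealised 'w/o EE' AND (constructed): outputs NULL0 until both inputs are VALID."""
    if not (is_valid(a) and is_valid(b)):
        return NULL0
    return encode(decode(a) & decode(b))


def has_early_evaluation(gate) -> bool:
    """The slide's predicate: exists a VALID such that g(a, NULL) is VALID
    (checked for both NULL tokens and both operand positions)."""
    for a in (VALID0, VALID1):
        for null in (NULL0, NULL1):
            if is_valid(gate(a, null)) or is_valid(gate(null, a)):
                return True
    return False


def rising_edges(gate, a_bit: int, b_bit: int) -> int:
    """0->1 wire transitions on the two inputs and the output when the gate leaves
    precharge (all wires NULL0) and evaluates on (a_bit, b_bit)."""
    before = (NULL0, NULL0, gate(NULL0, NULL0))
    inputs = (encode(a_bit), encode(b_bit))
    after = (*inputs, gate(*inputs))
    return sum(
        1 for wires_b, wires_a in zip(before, after)
        for wb, wa in zip(wires_b, wires_a) if wb == 0 and wa == 1
    )


def activity_is_data_independent(gate) -> bool:
    """True when every input pair causes the same number of rising edges."""
    return len({rising_edges(gate, a, b) for a in (0, 1) for b in (0, 1)}) == 1


def single_rail_rising_edges(a_bit: int, b_bit: int) -> int:
    """Same count for a single-rail AND precharged to 0: depends on the data."""
    return a_bit + b_bit + (a_bit & b_bit)


if __name__ == "__main__":
    for name, g in (("WDDL AND", wddl_and), ("WDDL OR", wddl_or),
                    ("wait-for-both AND", wait_for_both_and)):
        print(f"{name}: early evaluation = {has_early_evaluation(g)}, "
              f"constant activity = {activity_is_data_independent(g)}")
    print("single-rail AND rising edges per input pair:",
          [single_rail_rising_edges(a, b) for a in (0, 1) for b in (0, 1)])
```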


Secured Cells Come in Pairs: SABL & DI gates

[Figure: SABL and DI gate layouts.]
After they are flipped R0 and MX, dual gates are much alike!

WDDL example: placement strategy

NAND (R0) placed into row i ; NOR (MX) placed into row i+1.

Making Standard Cells Compliant with WDDL

Each dual pair must have a compatible interface.
The transformation done on the abstracts (LEF description) + pins metal consists in:
1. Reorder pins
2. Enlarge pins for overlap
3. Keep pins intersection
At that point:
- dual cells have similar layout in transistor
- the port position allow for a differential routing

« Backend-duplication » overview

[Figure.]

« Backend-duplication »: placement
Flip Placement

« Backend-duplication »: routing
Translate routing

« Backend-duplication » Realization

Before duplication: No placement, No routing, No vertical routing.
o Half of the placement rows are obstructed
o Half of the routing channel are obstructed
After duplication: Placement OK, Horizontal routing OK, Vertical routing OK.
o Cells are duplicated by vertical flip (R0 → MX)
o Routing is translated by: (PITCH, ROW_HEIGHT)

WDDL example: constraints

The method fully relies on the setting of appropriate constraints

WDDL example: before duplication / after duplication

Note: Results can be visualized in a backend tool without rewriting (error-prone) nor reloading (not interactive) design rules.

Implementation

+3 lines added in the Makefile:
LoC: 4 (TCL), 100 (C), Verilog 400 (Perl), DEF 200 (Perl)
Execution time in the example of DES:
            | Regular | Backend-duplicated
Place       | 1.9 s   | 6.2 s
Route       | 39.0 s  | 80.0 s
Duplication | -       | 77.5 s

Reducing the cross-coupling: routing constraints

Routing forbidden: tracks obstructed = shield

« Backend Duplication » Efficiency Assessment

[Figure.]

In FPGAs ; example for Altera [GCS+08].



Against probing

• Spaghetti routing
• Shield, passive or active
• The FIPS 140 Approach : Multiple Chip Cryptographic Modules (Security Level 4)
[Figure: Security Construction: Multiple Chip Cryptographic Module (Security Level 4). Kerstin Lemke-Rust (H BRS), On Security Evaluation Testing, 19 Feb 2010, slide 29/32.]
Courtesy of [LR10].

Against delayering

• PUF : Physically Unclonable Functions [GHK]
  • Optical PUF [Pap01]
  • Coating PUF [TSK07]
  • SRAM PUF [HBF09]
  • Glitch PUF [SS10]
  • Arbiter PUF [GCvDD02]
  • Loop PUF [CDGB12]
  • Initial Waveform of Ring Oscillators [TYTF17]
  • Memory contention PUF [Gün12]
  • Oxide rupture PUF [WYC+18]
  • Transistor voltage threshold [SHO08]
• NVM : Non-Volatile Memory
Overview

• Background
  • Management issues on Critical Security Parameter (CSP) storage on crypto chips.
    • Key generation – generated keys are stored
    • Random number generation – a random seed is stored for PRNG
    • Stored values may be taken out and copied by using reverse-engineering techniques.
  • PUF – Physically (Physical) Unclonable Function
    • Every semiconductor chip has intrinsic subtle variations in its physical properties.
    • These variations are unique to each chip and very hard to clone.
    • A PUF is based on such variations and considered an object’s fingerprint.
    • PUFs take the same input but respond with different outputs.
    • Enables non-stored, internally-generated CSP management.
    • Building structures and evaluation metrics have been studied.
  • Some technical considerations:
    • A typical use of PUF involves a challenge (input) and response (output) scheme.
    • An error correction scheme should be combined in use because a PUF does not generate the exactly same output every time (it contains partial errors due to the physical variations).
    • Not designed to be a TRNG, but may be utilized to make a TRNG.
  • Applications of PUFs fall into two categories:
    • Anti-counterfeiting with product authentication (goes to other standardization groups: ISO TC247, ISO/IEC SC31, SEMI, etc.)
    • Information security : Non-stored CSP generation (above-mentioned)
  • Related businesses are emerging.
• Purpose of standardization
  • Before non-interoperable/interchangeable or low-reliability PUF applications are widely distributed, a well-considered standard must be established.
  • For a higher usability and reliability
  • For building a wider market

Examples of PUFs

• Optical PUF : uses the speckle pattern of a transmitted laser (token, speckle pattern). Pappu Srinivasa Ravikanth, "Physical One-Way Functions," PhD Thesis, MIT, 2001.
• Arbiter PUF : uses the delay difference of two signals (selector chains ending in an arbiter, output 0/1).
• Ring-Oscillator PUF : uses the difference of oscillating frequencies (pairs of ROs compared by a comparator).
• Coating PUF : uses the difference of capacitive load (capacitive sensor). Skoric, B., et al. "Experimental hardware for coating PUFs and optical PUFs," Security with Noisy Data. Springer London, 2007. 255-268.
• Butterfly PUF, SRAM PUF : use the difference of the initial state of memory. (Picture: http://commons.wikimedia.org/)

Arbiter PUF

• Utilizes the delay difference of two selector chains
• Challenge: Selection signals of the selectors
• Response: Output of the arbiter
[Figure: a stimulus enters two paths (t1, t2) through a chain of selectors driven by the challenge bits (e.g. 0 1 1 0); the arbiter decides which edge arrives first and outputs 0/1.]
Arbiter implemented using D-FF
[Figure: the two paths drive the D input and the clock of a D flip-flop; the arbiter outputs 1 or 0 depending on which edge arrives first.]

Key Generation Using PUF

• The same circuit design is used for all the chips to configure PUFs
• The same challenge is given to each PUF
• The PUFs generate different keys
[Figure: one circuit design of the PUF; the same challenge applied to PUF1, PUF2, PUF3, PUF4 (PUFx) yields KEY1, KEY2, KEY3, KEY4 (KEYx).]
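As an added example (not code from the slides), the Python below simulates the arbiter PUF of the slides above with an additive delay model: two dice of the same design but different (constructed) stage delays receive the same challenges and derive different keys, and a jitter term shows why the responses need error correction before use as a CSP; all delay values, challenges and the jitter model are constructed.

```python
"""Added example: arbiter PUF simulation (additive delay model, constructed delays)."""
import random

# Per-stage delays in ps (constructed): (straight_top, straight_bot, cross_to_top,
# cross_to_bot).  A challenge bit of 0 keeps the two paths, 1 swaps them.
PUF_A = [(10, 11, 12, 10), (10, 10, 11, 13), (12, 10, 10, 10)]
PUF_B = [(10, 11, 12, 10), (10, 10, 11, 13), (10, 13, 10, 10)]   # same design, other die
CHALLENGES = [(0, 0, 0), (1, 0, 0), (0, 1, 0), (1, 1, 0)]       # same inputs for every die


def arbiter_response(stages, challenge, jitter=0.0, rng=None) -> int:
    """Race the two copies of the rising edge through the selector chain.

    The arbiter (a D flip-flop on the slide) outputs 1 when the top path wins.
    jitter > 0 adds Gaussian measurement noise to every stage delay.
    """
    top = bot = 0.0
    for (st, sb, ct, cb), c in zip(stages, challenge):
        if rng is not None and jitter:
            st, sb, ct, cb = (v + rng.gauss(0, jitter) for v in (st, sb, ct, cb))
        if c == 0:
            top, bot = top + st, bot + sb
        else:                            # selectors cross: edge on bot moves to top
            top, bot = bot + ct, top + cb
    return 1 if top < bot else 0


def derive_key(stages, challenges=CHALLENGES, jitter=0.0, rng=None) -> tuple:
    """One response bit per challenge, concatenated into a key."""
    return tuple(arbiter_response(stages, c, jitter, rng) for c in challenges)


def bit_error_rate(stages, trials=200, jitter=0.5, seed=0) -> float:
    """Fraction of noisy response bits differing from the noise-free key: the
    reason the slides require an error-correction scheme before using a PUF key."""
    rng = random.Random(seed)
    ref = derive_key(stages)
    errors = 0
    for _ in range(trials):
        noisy = derive_key(stages, jitter=jitter, rng=rng)
        errors += sum(a != b for a, b in zip(noisy, ref))
    return errors / (trials * len(ref))


if __name__ == "__main__":
    print("key of die A:", derive_key(PUF_A))
    print("key of die B:", derive_key(PUF_B))
    print("bit error rate of die A under jitter:", bit_error_rate(PUF_A))
```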

Cost versus Security tradeoff

Evaluating Security is Tough
• The cost of the countermeasure is usually easy to quantify (in terms of designers performance metrics) ;
• But as for security, things are more complicated.
Regarding security, there are two ways :
• Pragmatic :
  • FIPS140 : tests
  • CC : resistance to experts in attacks
• Attacks and leakage metrics.
But both are hard to evaluate fairly.

Pragmatic

• SmartCards
  • Do it yourself
    • DIY with a board : SASEBO, GIAnT, PHOBOS, SCARF
    • Off-the-shelf
  • Subcontract (CESTI, other labs, security industry)
• Manipulation attacks are difficult due to the sub-micrometric size of the die
• Very few attack platforms available :
  • CRI DPA WorkStation [KJJ09]
  • BrightSight Sideways
  • Riscure Inspector
  • Secure-IC Smart-SIC Analyzer [GNN+11]
  • ESCRYPT cycurDPA
  • QuoVadis Labs [Lab, Sko]
A priori, the attack’s cost is high. . .

Step #1/2 : Estimate the leakage [SMY09]

• Leakage can be estimated in simulations.
• Advantage [VCS09] : I(K ; O) = I(K ; M(S)) if O = M(S) + N(0, σ^2 = 1/SNR^2).
[Plot: Mutual Information [bit] (from −0.2 to 1.2) versus SNR (from −20 to 20), for the Zero offset implementation and for Mask decomposition with XOR, addition, multiplication and alpha.]

Estimating the leakage does not always translate into attacks

Ex. 1 : Uncentered Templates
[Figure: a counter feeds fixed inputs to the sbox S (with D); ∀k[0], k[1..3] fixed ; ∀k[0], with different k[1..3].]

Ex. 2 : Mutual information of bijective partitionings
I(O ; S(x ⊕ k) ⊕ 0x00) = I(O ; x ⊕ k) = I(O ; x) if k is constant.

Step #2/2 : Estimate resistance against attacks [SMY09]

• Leakage and security metrics are complementary
• Leaking is a vulnerability ; attacks attempt to exploit it
• Preferred attacks are conducted on real measurements
  • it’s no longer an ideal case !
• o-th order success rate or guessing entropy are two possibilities (see [SGV08])
[Plot: First order success rate (0 to 1) versus Traces for online attack (0 to 25000), for EPA, VPA and MMIA on Mask decomposition and on Zero offset.]
Masking versus dual-rail are presented in chapters 9 and 7 of the DPA book [MOP06].
• Also, attack-wise : [MMS09].
• And information-theoretic-wise : [GMN+11].
But still, this is very ad hoc, and depends on the target.

Countermeasure | Resource          | Weight | Leakage (L)
Masking        | n-bit mask        | 1 + α  | (1 + α) · HW(m)
               | n-bit masked data | 1      | 1 · HW(x ⊕ m)
Hiding         | n-bit true data   | 1 + α  | (1 + α) · HW(x)
               | n-bit false data  | 1      | 1 · HW(x)
[Plot: Unbalancedness α [%] (0 to 90) versus noise standard deviation σ (¼, ½, ¾, 1, 2, 2^2, ..., 2^9), split into the region where “Masking is better” and the region where “Hiding is better”. Plot of domains where either masking or DPL leak less (n = 4).]



Indicative cost of the counter-measures

Level    | Overhead: Throughput | Overhead: Surface        | Specificities
Protocol | /= 1                 | ∼ 1                      | NVM required
RTL      | /= 1                 | ×= 2 (^= 2 for sboxes)   | TRNG required
Netlist  | /= 2                 | ×= 3 (×= 4 for sboxes)   | Auto-sufficient
Note : the performances can be improved when customized for a given algorithm.

Attacks on masking (w/o mask) (1/3)

p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16
Correct key (i.e. physical L) : [histograms of O|L = 0, · · · , O|L = 4 over O ∈ {0, 1, 2, 3, 4}]
H(O|L = 0) = 0, H(O|L = 1) = 0, H(O|L = 2) = 0, H(O|L = 3) = 0, H(O|L = 4) = 0 ⇒ H(O|L) = 0 bit
⇒ 1st-order dependence
Incorrect key (i.e. random L) : [histograms of O|L = 0, · · · , O|L = 4 over O ∈ {0, 1, 2, 3, 4}]
H(O|L = 0) = 2.03, H(O|L = 1) = 2.03, H(O|L = 2) = 2.03, H(O|L = 3) = 2.03, H(O|L = 4) = 2.03 ⇒ H(O|L) = 2.03 bit

Attacks on masking (w/ mask) (2/3)

p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16
Correct key (i.e. physical L) : [histograms of O|L = 0, · · · , O|L = 4 over O ∈ {0, 2, 4, 6, 8}]
H(O|L = 0) = 2.03, H(O|L = 1) = 1.81, H(O|L = 2) = 1.5, H(O|L = 3) = 1, H(O|L = 4) = 0 ⇒ H(O|L) = 1.39 bit
⇒ 2nd-order dependence
Incorrect key (i.e. random L) : [histograms of O|L = 0, · · · , O|L = 4 over O ∈ {0, 2, 4, 6, 8}]
H(O|L = 0) = 2.54, H(O|L = 1) = 2.54, H(O|L = 2) = 2.54, H(O|L = 3) = 2.54, H(O|L = 4) = 2.54 ⇒ H(O|L) = 2.54 bit
Attacks on masking (w/ mask) (3/3)

p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16

[Figure: histograms of O | L = l for l = 0 … 4 (O in 0 … 8), correct vs. incorrect key.]

Correct key (i.e. physical L):
  Var(O|L = 0) = 4, Var(O|L = 1) = 3, Var(O|L = 2) = 2, Var(O|L = 3) = 1, Var(O|L = 4) = 0 ⇒ Var(O|L) = 2
  ⇒ 2nd-order CPA: correlate the centred-squared leakage (O − E(O))² with the predicted variance 4 − L
Incorrect key (i.e. random L):
  Var(O|L = l) = 2 for every l ⇒ Var(O|L) = 2

Statistics about some leakage models on words of n = 4 bitwidth, without noise (i.e. σ = 0).
(Notation of the table: L is the observed leakage, called O on the previous slides, and Z is the Hamming weight of the sensitive value, called L there. "R.V. L" is the unconditional distribution, i.e. what an incorrect key hypothesis sees. HCI = d + 1 is the order of the lowest central moment of L|Z that still depends on Z, hence the order a zero-offset CPA has to reach.)

Plain zero-offset with d = 0 mask (unprotected reference). HCI = 1
                      R.V. L   L|Z=0   L|Z=1   L|Z=2   L|Z=3   L|Z=4
µ1 = E(·)              2.000   0.000   1.000   2.000   3.000   4.000
µ2 = E((· − µ1)²)      1.000   0.000   0.000   0.000   0.000   0.000
µ3 = E((· − µ1)³)      0.000   0.000   0.000   0.000   0.000   0.000
µ4 = E((· − µ1)⁴)      2.500   0.000   0.000   0.000   0.000   0.000
Entropy [bit]          2.031   0.000   0.000   0.000   0.000   0.000

Plain zero-offset with d = 1 mask. HCI = 2
                      R.V. L   L|Z=0   L|Z=1   L|Z=2   L|Z=3   L|Z=4
µ1 = E(·)              4.000   4.000   4.000   4.000   4.000   4.000
µ2 = E((· − µ1)²)      2.000   4.000   3.000   2.000   1.000   0.000
µ3 = E((· − µ1)³)      0.000   0.000   0.000   0.000   0.000   0.000
µ4 = E((· − µ1)⁴)     11.000  40.000  21.000   8.000   1.000   0.000
Entropy [bit]          2.544   2.031   1.811   1.500   1.000   0.000

Plain zero-offset with d = 2 masks. HCI = 3
                      R.V. L   L|Z=0   L|Z=1   L|Z=2   L|Z=3   L|Z=4
µ1 = E(·)              6.000   6.000   6.000   6.000   6.000   6.000
µ2 = E((· − µ1)²)      3.000   3.000   3.000   3.000   3.000   3.000
µ3 = E((· − µ1)³)      0.000  -3.000  -1.500   0.000   1.500   3.000
µ4 = E((· − µ1)⁴)     25.500  25.500  25.500  25.500  25.500  25.500
Entropy [bit]          2.839   1.762   1.822   1.836   1.822   1.762

Plain zero-offset with d = 3 masks. HCI = 4
                      R.V. L   L|Z=0   L|Z=1   L|Z=2   L|Z=3   L|Z=4
µ1 = E(·)              8.000   8.000   8.000   8.000   8.000   8.000
µ2 = E((· − µ1)²)      4.000   4.000   4.000   4.000   4.000   4.000
µ3 = E((· − µ1)³)      0.000   0.000   0.000   0.000   0.000   0.000
µ4 = E((· − µ1)⁴)     46.000  52.000  49.000  46.000  43.000  40.000
Entropy [bit]          3.047   2.044   2.047   2.046   2.043   2.031

Plain zero-offset with d = 4 masks. HCI = 5
                      R.V. L   L|Z=0   L|Z=1   L|Z=2   L|Z=3   L|Z=4
µ1 = E(·)             10.000  10.000  10.000  10.000  10.000  10.000
µ2 = E((· − µ1)²)      5.000   5.000   5.000   5.000   5.000   5.000
µ3 = E((· − µ1)³)      0.000   0.000   0.000   0.000   0.000   0.000
µ4 = E((· − µ1)⁴)     72.500  72.500  72.500  72.500  72.500  72.500
Entropy [bit]          3.208   2.207   2.208   2.208   2.208   2.207
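The table above can be recomputed exactly rather than read off. The following script is an added example, not part of the slides or of Secure-IC's tooling: it enumerates the zero-offset leakage O = HW(s ⊕ m₁ ⊕ … ⊕ m_d) + HW(m₁) + … + HW(m_d) of a 4-bit word s under d uniform Boolean masks (the model the table assumes), derives the conditional central moments and entropies, and searches for the first moment that depends on z = HW(s), which is what the HCI column records. The function and variable names are mine.

```python
"""Exact leakage statistics of Boolean masking with d masks (n = 4-bit words, no noise).

Added example, not from the slides. Leakage model (zero-offset, Hamming weight of every
share summed, the model of the table above):
    O = HW(s ^ m_1 ^ ... ^ m_d) + HW(m_1) + ... + HW(m_d),   m_i uniform on 0..15.
The sensitive word s enters only through z = HW(s), which is what the attacker
partitions on under the correct key; an incorrect key makes z look random.
"""
from fractions import Fraction
from functools import lru_cache
from itertools import product
from math import comb, log2

N_BITS = 4
HW = [bin(x).count("1") for x in range(1 << N_BITS)]


@lru_cache(maxsize=None)
def cond_pmf(d, z):
    """Exact pmf of O given HW(s) = z, as {o: Fraction}. It depends on z only, not on
    which weight-z word s is, so one representative s is enough."""
    s = (1 << z) - 1                     # e.g. z = 2 -> s = 0b0011
    counts = {}
    for masks in product(range(1 << N_BITS), repeat=d):
        share0 = s
        o = 0
        for m in masks:
            share0 ^= m                  # share0 = s ^ m_1 ^ ... ^ m_d
            o += HW[m]
        o += HW[share0]
        counts[o] = counts.get(o, 0) + 1
    total = (1 << N_BITS) ** d
    return {o: Fraction(c, total) for o, c in sorted(counts.items())}


def marginal_pmf(d):
    """pmf of O when z is unknown: the 'R.V. L' column (incorrect key hypothesis)."""
    pmf = {}
    for z in range(N_BITS + 1):
        w = Fraction(comb(N_BITS, z), 1 << N_BITS)   # p(HW(s) = z) for uniform s
        for o, p in cond_pmf(d, z).items():
            pmf[o] = pmf.get(o, Fraction(0)) + w * p
    return pmf


def central_moment(pmf, k):
    """mu_1 = mean; mu_k (k >= 2) = E[(O - mean)^k], computed exactly."""
    mean = sum(o * p for o, p in pmf.items())
    if k == 1:
        return mean
    return sum((o - mean) ** k * p for o, p in pmf.items())


def entropy_bits(pmf):
    return 0.0 - sum(float(p) * log2(float(p)) for p in pmf.values() if p)


def hci(d):
    """Smallest k such that the k-th central moment of O|z varies with z.
    For d masks this is d + 1: a moment of order <= d never involves all d + 1
    shares at once, and any proper subset of the shares is uniform and independent of s."""
    for k in range(1, d + 3):
        moments = {central_moment(cond_pmf(d, z), k) for z in range(N_BITS + 1)}
        if len(moments) > 1:
            return k
    raise RuntimeError("no dependence on z found")


def table_row(d, k):
    """[mu_k of the marginal, mu_k of O|z for z = 0..4] as floats: one 'mu_k' line."""
    row = [central_moment(marginal_pmf(d), k)]
    row += [central_moment(cond_pmf(d, z), k) for z in range(N_BITS + 1)]
    return [float(x) for x in row]


def entropy_row(d):
    """[H(O), H(O|z) for z = 0..4] in bits: the 'Entropy' line."""
    row = [entropy_bits(marginal_pmf(d))]
    row += [entropy_bits(cond_pmf(d, z)) for z in range(N_BITS + 1)]
    return row


if __name__ == "__main__":
    for d in range(5):
        print(f"Plain zero-offset with d = {d} mask(s). HCI = {hci(d)}")
        for k in range(1, 5):
            print(f"  mu{k}    :", " ".join(f"{v:7.3f}" for v in table_row(d, k)))
        print("  Entropy:", " ".join(f"{v:7.3f}" for v in entropy_row(d)))
```

Running it reproduces every line of the table (d = 4 takes about a second because 16⁴ mask tuples are enumerated per z). The interesting output is the HCI line: the only term of a k-th central moment that can depend on z is the one multiplying all d + 1 centred shares together, and that term exists only for k ≥ d + 1, which is why one extra mask costs the attacker exactly one extra statistical order.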
Models M(S) (classification by [SGV08])

Partition-based:
▸ If unprotected:
  ▸ $M(s) = |s|$ ; Hamming weight ; bus cleared in SW
  ▸ $M(s) = |s \oplus R|$ ; Hamming weight w.r.t. a reference value $R$ ; bus precharged in SW
  ▸ $M(s) = |s \oplus s_{-1}|$ ; Hamming distance from the previous value $s_{-1}$ ; typical of HW
  ▸ $M(s) = \alpha \, s \cdot \bar{s}_{-1} + (1-\alpha) \, \bar{s} \cdot s_{-1}$ ; idem, but the two transition directions (0→1 and 1→0) are weighted differently, as seen in near-field EMA
▸ If protected:
  ▸ $M(s) = s$. WARNING : $2^n$ values !
  ▸ Difficult to be more inventive if the countermeasure is sound...
  ▸ $M(S) = (S_1, S_2)$ ; multivariate MIA (MMIA [GBPV10])
Comparison-based (profiled attacks):
  ▸ $M(S) = E(O|S)$ ; templates

Side-channel attacks : Notion of order d

[Figure: three ways to build a d-th order distinguisher from trace samples $I_0, I_1, I_2, I_3$ taken at different times:
 (a) Zero-offset HO-CPA: a single sample raised to the power d, $(I_0 - E(I_0))^2$, $(\cdot)^3$, $(\cdot)^4$ ;
 (b) Product HO-CPA: the product of d samples at distinct times, $I_0 \times I_1 \times I_2 \times I_3$ ;
 (c) HO collision-correlation: the same combination $(\cdot)^2$ applied at two different times, $I_0^2$ and $I_1^2$, which are then correlated with each other rather than with a key-dependent model.]
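Slide (3/3) above says that a first-order masked value still leaks through its variance, and figure (a) names the corresponding distinguisher "zero-offset HO-CPA". The script below is an added example, not from the slides, that runs both a first-order and a zero-offset second-order CPA on simulated noise-free traces of a 4-bit S-box protected by one Boolean mask. The S-box (the PRESENT one) and the 4-bit setting are my choice; the slides do not name a cipher, and any bijective 4-bit S-box would behave the same way. Traces are enumerated over all 256 (plaintext, mask) pairs so that every correlation is exact.

```python
"""Zero-offset second-order CPA against first-order Boolean masking.

Added example, not from the slides. Target: s = S(p ^ k) (4-bit PRESENT S-box, my choice),
protected by one mask m:  share0 = s ^ m, share1 = m, leakage O = HW(share0) + HW(share1).
E(O | HW(s)) = 4 for every value of HW(s), so a first-order CPA sees nothing;
Var(O | HW(s)) = 4 - HW(s), so correlating (O - E(O))^2 with 4 - HW(s) recovers k.
"""
import random
from statistics import mean, pstdev

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(x).count("1") for x in range(16)]


def simulate(key, sigma=0.0, seed=1):
    """Constructed traces: every (plaintext, mask) pair once -> list of (p, O).
    sigma > 0 adds Gaussian measurement noise (deterministic via the seed)."""
    rng = random.Random(seed)
    traces = []
    for p in range(16):
        s = SBOX[p ^ key]
        for m in range(16):
            o = HW[s ^ m] + HW[m] + rng.gauss(0.0, sigma)
            traces.append((p, o))
    return traces


def pearson(xs, ys):
    """Population Pearson correlation coefficient."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def cpa(traces, order):
    """Returns {key_guess: correlation}.
    order 1: model HW(s) against the raw leakage O.
    order 2: zero-offset combination (O - E(O))^2 against the model Var(O | s) = 4 - HW(s)."""
    obs = [o for _, o in traces]
    if order == 2:
        mo = mean(obs)
        obs = [(o - mo) ** 2 for o in obs]       # (I_0 - E(I_0))^2, figure (a)
    scores = {}
    for k in range(16):
        if order == 1:
            model = [HW[SBOX[p ^ k]] for p, _ in traces]
        else:
            model = [4 - HW[SBOX[p ^ k]] for p, _ in traces]
        scores[k] = pearson(model, obs)
    return scores


def best_key(scores):
    """Signed maximum: the sign of the variance model is known (more ones, less spread),
    so a guess that correlates negatively is not a candidate."""
    return max(scores, key=scores.get)


if __name__ == "__main__":
    key = 0x9
    traces = simulate(key)
    first = cpa(traces, 1)
    second = cpa(traces, 2)
    print("1st-order, max |rho| over guesses:", max(abs(v) for v in first.values()))
    print("2nd-order, best guess:", hex(best_key(second)), "rho =", round(second[key], 4))
```

With exhaustive traces the first-order correlation is exactly 0 for every guess, while the second-order correlation of the right key is 1/√7 ≈ 0.378 (covariance 1 between the predicted and the true conditional variance, over a total variance µ4 − µ2² = 11 − 4 = 7 of the squared leakage, the numbers of the d = 1 rows of the table). Wrong guesses score 1/√7 times the correlation between their Hamming-weight prediction and the true one, which is strictly below 1 for a bijective S-box.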
Attacks on DPL

[Figure: mutual information I(O; c[0]) (y-axis, −0.01 … 0.06) against time samples (x-axis, 0 … 1200) for two implementations, AES-DPL-no-EE and AES-DPL-EE; the trace is annotated with Round 9, Precharge, Round 10, and with the sbox and final XOR of the last round.]

Evaluation
Operation : c = AES_k(m)

I(O; S⁻¹(c[0] ⊕ k₁₀[0]))
  = I(O; c[0] ⊕ k₁₀[0])   [S is bijective]
  = I(O; c[0])            [k is constant]

The attack does not work on values: a bijection of the targeted value (the inverse S-box, the XOR with a constant key byte) leaves the mutual information unchanged, so every key hypothesis scores the same...
...but it works on Hamming weights: HW(S⁻¹(c[0] ⊕ k₁₀[0])) is not injective, so the equality above no longer holds and the hypotheses separate.

Conclusions
Recommendations for symmetric algorithms

No timing constraints
▸ Against SCA : 1st-order masking and/or shuffling
▸ Against DFA : check by decryption (decrypt the result and compare with the input before releasing it)
Otherwise (timing constraints) use Akashi Satoh's trick [SSHA08]
▸ Against SCA : 1st-order masking and/or shuffling
▸ Against DFA : concurrent error detection, i.e. check the encryption with the decryption hardware while it runs
For hardware
▸ Against SCA and DFA : use masked dual-rail

Recommendations for asymmetric algorithms

RSA : use PKCS (randomised padding)
▸ Secure against the other attacks (DPA, DFA), because the input is formatted randomly and is thus unknown to the attacker
▸ Only SPA remains to be countered, by key blinding or side-channel atomicity [CMCJ04]
Plain RSA
▸ Exponent splitting (doubles the cost), provided the exponentiation itself is SPA-secure.
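Added example, not from the slides: the two exponent randomisations recommended above for RSA, key (exponent) blinding and exponent splitting, on top of a regular exponentiation. The ladder is my choice of an SPA-resistant base routine (the slides mention side-channel atomicity [CMCJ04] as an alternative; it is not implemented here). The key is a constructed toy key with million-sized primes, only so that the example runs instantly; a real key is 2048 bits or more.

```python
"""Exponent blinding and exponent splitting for RSA decryption/signature.

Added example, not from the slides.
  - blinding : d' = d + r * phi(N); m^d' = m^d mod N (phi is a multiple of p-1 and q-1),
               so every run exponentiates with a different, unknown exponent.
  - splitting: d = d1 + d2 with fresh random d1; m^d = m^d1 * m^d2 mod N,
               two exponentiations ('doubles the cost'), neither share alone is d.
Both only help if the exponentiation has no key-dependent operation sequence, hence
the Montgomery ladder below (one square and one multiply per bit, whatever the bit).
"""
import secrets

# Constructed toy key: NOT a real key, just small enough to run instantly.
P, Q = 1000003, 999983          # both prime
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)             # private exponent


def ladder_pow(base, exp, mod):
    """Montgomery ladder: invariant r1 == r0 * base. Each step does exactly one
    multiplication and one squaring, regardless of the exponent bit."""
    r0, r1 = 1, base % mod
    for i in range(exp.bit_length() - 1, -1, -1):
        if (exp >> i) & 1:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
    return r0


def blinded_pow(m, d, phi, mod, r=None):
    """Exponent blinding: exponentiate with d + r*phi for a fresh random r.
    The result equals m^d mod N, but the bit pattern processed differs per call,
    so traces of different runs cannot be averaged against a fixed exponent."""
    if r is None:
        r = secrets.randbits(32)
    return ladder_pow(m, d + r * phi, mod)


def split_pow(m, d, mod, d1=None):
    """Exponent splitting: d = d1 + d2, two ladders, product of the results.
    Assumes the ladder is itself SPA-secure, as the slide's condition says."""
    if d1 is None:
        d1 = secrets.randbelow(d)
    d2 = d - d1
    return (ladder_pow(m, d1, mod) * ladder_pow(m, d2, mod)) % mod


if __name__ == "__main__":
    m = 123456789 % N
    c = ladder_pow(m, E, N)                       # 'encrypt' with the public exponent
    print("ladder   :", ladder_pow(c, D, N) == m)
    print("blinded  :", blinded_pow(c, D, PHI, N) == m)
    print("split    :", split_pow(c, D, N) == m)
```

Blinding changes the exponent bits seen in each trace; splitting additionally ensures that no single exponentiation ever processes d. Neither protects against SPA on its own, which is why the recommendation conditions splitting on an SPA-secure exponentiation.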
Recommendations for misc auxiliary functions

TRNG
▸ Avoid ring-based structures
▸ Open-loop solutions exist : [Qué03], [DGH09]

[Figure: open-loop TRNG principle: a delay chain d₁, d₂, …, dₙ₋₁, dₙ is sampled by flip-flops q₁ … q₄ driven by the global clock, and the sampled bits are combined into a final flip-flop producing the random bit s.]

PUF
▸ Avoid delay-PUFs, or hash the output, to prevent modeling attacks [RSS+10].

References

[AG01] Mehdi-Laurent Akkar and Christophe Giraud. An Implementation of DES and AES Secure against Some Attacks. In CHES 2001, volume 2162 of LNCS, pages 309–318. Springer, May 2001. Paris, France.

[BBB+13] Pierre Belgarric, Shivam Bhasin, Nicolas Bruneau, Jean-Luc Danger, Nicolas Debande, Sylvain Guilley, Annelie Heuser, Zakaria Najm, and Olivier Rioul. Time-Frequency Analysis for Second-Order Attacks. In CARDIS, LNCS. Springer, November 2013. Berlin, Germany.

[BBD+07] L. Bouhouch, A. Boyer, S. Ben Dhia, É. Sicard, and M. Fadel. Amélioration des performances CEM d'un microcontrôleur à l'aide d'un film ferromagnétique [Improving the EMC performance of a microcontroller with a ferromagnetic film]. In TELECOM 2007, 5th JFMMA, March 2007. Fes, Morocco. (Online PDF).

[BBD+14] Shivam Bhasin, Nicolas Bruneau, Jean-Luc Danger, Sylvain Guilley, and Zakaria Najm. Analysis and improvements of the DPA contest v4 implementation. In Rajat Subhra Chakraborty, Vashek Matyas, and Patrick Schaumont, editors, Security, Privacy, and Applied Cryptography Engineering (SPACE 2014), Pune, India, October 18-22, 2014, volume 8804 of LNCS, pages 201–218. Springer, 2014.

[BCC+12a] Sébastien Briais, Stéphane Caron, Jean-Michel Cioranesco, Jean-Luc Danger, Sylvain Guilley, Jacques-Henri Jourdan, Arthur Milchior, David Naccache, and Thibault Porteboeuf. 3D Hardware Canaries. In CHES, September 9-12 2012. Leuven, Belgium. Full version [BCC+12b].
[BCC+12b] Sébastien Briais, Stéphane Caron, Jean-Michel Cioranesco, Jean-Luc Danger, Sylvain Guilley, Jacques-Henri Jourdan, Arthur Milchior, David Naccache, and Thibault Porteboeuf. 3D Hardware Canaries. Cryptology ePrint Archive, Report 2012/324, 2012. http://eprint.iacr.org/2012/324/.

[BHT09] Arnaud Boscher, Helena Handschuh, and Elena Trichina. Blinded Fault Resistant Exponentiation Revisited. In FDTC, pages 3–9. IEEE Computer Society, September 6 2009. Lausanne, Switzerland.

[BK09] Alex Biryukov and Dmitry Khovratovich. Related-Key Cryptanalysis of the Full AES-192 and AES-256. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 1–18. Springer, 2009.

[CDGB12] Zouha Cherif, Jean-Luc Danger, Sylvain Guilley, and Lilian Bossuet. An Easy-to-Design PUF based on a single oscillator: the Loop PUF. In DSD, September 5-8 2012. Çeşme, Izmir, Turkey. (Online PDF).

[CGV14] Jean-Sébastien Coron, Johann Großschädl, and Praveen Kumar Vadnala. Secure Conversion between Boolean and Arithmetic Masking of Any Order. In Lejla Batina and Matthew Robshaw, editors, CHES 2014, Busan, South Korea, September 23-26, 2014, volume 8731 of LNCS, pages 188–205. Springer, 2014.

[CM09] Jean-Sébastien Coron and Avradip Mandal. PSS Is Secure against Random Fault Attacks. In ASIACRYPT, volume 5912 of LNCS, pages 653–666. Springer, December 6-10 2009. Tōkyō, Japan.

[CMCJ04] Benoît Chevallier-Mames, Mathieu Ciet, and Marc Joye. Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity. IEEE Trans. Computers, 53(6):760–768, 2004.

[CVG+12] Jean-Sébastien Coron, Praveen Kumar Vadnala, Christophe Giraud, Emmanuel Prouff, Soline Renner, and Matthieu Rivain. Conversion of Security Proofs from One Model to Another: A New Issue. In COSADE, LNCS. Springer, May 3–4 2012. Darmstadt, Germany.

[Deb12] Blandine Debraize. Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking. In CHES, September 9-12 2012. Leuven, Belgium.

[DGH09] Jean-Luc Danger, Sylvain Guilley, and Philippe Hoogvorst. High Speed True Random Number Generator based on Open Loop Structures in FPGAs. Microelectronics Journal, 40(11):1650–1656, November 2009. DOI: 10.1016/j.mejo.2009.02.004.

[FGL+13] Pierre-Alain Fouque, Nicolas Guillermin, Delphine Leresteux, Mehdi Tibouchi, and Jean-Christophe Zapalowicz. Attacking RSA-CRT signatures with faults on Montgomery multiplication. J. Cryptographic Engineering, 3(1):59–72, 2013.
[FMPR10] Guillaume Fumaroli, Ange Martinelli, Emmanuel Prouff, and Matthieu Rivain. Affine Masking against Higher-Order Side Channel Analysis. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 262–280. Springer, 2010.

[GBP+12] Sylvain Guilley, Sébastien Briais, Thibault Porteboeuf, Jean-Luc Danger, Jean-Michel Cioranesco, and David Naccache. Random Active Shield. In FDTC, September 9 2012. Leuven, Belgium.

[GBPV10] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages 221–234. Springer, March 1-5 2010. San Francisco, CA, USA.

[GCS+08] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst, Vinh-Nga Vong, and Maxime Nassar. Place-and-Route Impact on the Security of DPL Designs in FPGAs. In HOST (Hardware Oriented Security and Trust), IEEE, pages 29–35, Anaheim, CA, USA, June 2008.

[GCvDD02] Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In Vijayalakshmi Atluri, editor, Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), Washington, DC, USA, November 18-22, 2002, pages 148–160. ACM, 2002.

[GHK] Sylvain Guilley, Soshi Hamaguchi, and Yousung Kang. ISO/IEC NP 20897. Information technology – Security techniques – Security requirements, test and evaluation methods for physically unclonable functions for generating nonstored security parameters. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=69403.

[GM11] Tim Güneysu and Amir Moradi. Generic side-channel countermeasures for reconfigurable devices. In Bart Preneel and Tsuyoshi Takagi, editors, CHES, volume 6917 of LNCS, pages 33–48. Springer, 2011.

[GMN+11] Sylvain Guilley, Olivier Meynard, Maxime Nassar, Guillaume Duc, Philippe Hoogvorst, Houssem Maghrebi, Aziz Elaabid, Shivam Bhasin, Youssef Souissi, Nicolas Debande, Laurent Sauvage, and Jean-Luc Danger. Vade Mecum on Side-Channels Attacks and Countermeasures for the Designer and the Evaluator. In DTIS (Design & Technologies of Integrated Systems), IEEE, March 6-8 2011. Athens, Greece. DOI: 10.1109/DTIS.2011.5941419; online version: http://hal.archives-ouvertes.fr/hal-00579020/en/.

[GNN+11] Sylvain Guilley, Philippe Nguyen, Robert Nguyen, Hassan Triqui, and Jean-Luc Danger. Smart-SIC Analyzer, September 26-27 2011. Panel Discussion – Tool Vendor / Laboratory, Non-Invasive Attack Testing Workshop (NIAT 2011), co-organized by NIST & AIST. Todai-ji Cultural Center, Nara, Japan. (PDF).

[Gou01] Louis Goubin. A Sound Method for Switching between Boolean and Arithmetic Masking. In Çetin Kaya Koç, David Naccache, and Christof Paar, editors, CHES, volume 2162 of LNCS, pages 3–15. Springer, 2001.

[GP99] Louis Goubin and Jacques Patarin. DES and Differential Power Analysis. The "Duplication" Method. In CHES, LNCS, pages 158–172. Springer, August 1999. Worcester, MA, USA.

[GSDS10] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, and Nidhal Selmane. Fault Injection Resilience. In FDTC, pages 51–65. IEEE Computer Society, August 21 2010. Santa Barbara, CA, USA. DOI: 10.1109/FDTC.2010.15; complete version: http://hal.archives-ouvertes.fr/hal-00482194/en/.

[Gün12] Tim Güneysu. Using Data Contention in Dual-ported Memories for Security Applications. Signal Processing Systems, 67(1):15–29, 2012.

[HBF09] Daniel E. Holcomb, Wayne P. Burleson, and Kevin Fu. Power-Up SRAM State as an Identifying Fingerprint and Source of True Random Numbers. IEEE Trans. Computers, 58(9):1198–1210, September 2009.

[Joy03] Marc Joye. Ingénierie cryptographique : Aspects sécuritaires et algorithmiques [Cryptographic engineering: security and algorithmic aspects], September 2003. Toulouse, France. http://joye.site88.net/theses/Joye_HDR.pdf.

[KJJ09] Paul C. Kocher, Joshua M. Jaffe, and Benjamin C. Jun. Differential power analysis method and apparatus, September 8 2009. United States Patent number 7,587,044.

[Koc96] Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Neal Koblitz, editor, Advances in Cryptology - CRYPTO '96, Santa Barbara, California, USA, August 18-22, 1996, volume 1109 of LNCS, pages 104–113. Springer, 1996.

[Koc03] Paul C. Kocher. Leak-resistant cryptographic indexed key update, March 25 2003. United States Patent 6,539,092, filed on July 2nd, 1999 at San Francisco, CA, USA.

[Koc05] Paul C. Kocher. Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks, September 26-29 2005. Honolulu, Hawaii, USA; NIST's Physical Security Testing Workshop. Website: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/physecdoc.html.

[Koc11] Paul Kocher. Complexity and the challenges of securing SoCs. In Leon Stok, Nikil D. Dutt, and Soha Hassoun, editors, Proceedings of the 48th Design Automation Conference (DAC 2011), San Diego, California, USA, June 5-10, 2011, pages 328–331. ACM, 2011.

[KP14] Sebastian Kutzner and Axel Poschmann. On the Security of RSM — Presenting 5 First- and Second-order Attacks. In COSADE (to appear), LNCS. Springer, April 14-15 2014. Paris, France.

[Lab] QuoVadis Labs. Website: http://www.quovadislabs.com/.

[LCSK13] Donggeon Lee, Dooho Choi, Jungtaek Seo, and Howon Kim. Reset Tree-Based Optical Fault Detection. Sensors, 13(5):6713–6729, 2013.

[LR10] Kerstin Lemke-Rust. Provable Security against Physical Attacks, February 19 2010. "Provable Security against Physical Attacks" Workshop, Lorentz Center, Leiden, The Netherlands (online).

[MBKP11] Amir Moradi, Alessandro Barenghi, Timo Kasper, and Christof Paar. On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from Xilinx Virtex-II FPGAs. In Yan Chen, George Danezis, and Vitaly Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 111–124. ACM, 2011.

[MGD11] Houssem Maghrebi, Sylvain Guilley, and Jean-Luc Danger. Leakage Squeezing Countermeasure Against High-Order Attacks. In WISTP, volume 6633 of LNCS, pages 208–223. Springer, June 1-3 2011. Heraklion, Greece. DOI: 10.1007/978-3-642-21040-2_14.

[MGH14] Amir Moradi, Sylvain Guilley, and Annelie Heuser. Detecting Hidden Leakages. In Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, ACNS (12th International Conference on Applied Cryptography and Network Security), volume 8479 of LNCS. Springer, June 10-13 2014. Lausanne, Switzerland.

[MKP11] Amir Moradi, Markus Kasper, and Christof Paar. On the Portability of Side-Channel Attacks — An Analysis of the Xilinx Virtex 4 and Virtex 5 Bitstream Encryption Mechanism. Cryptology ePrint Archive, Report 2011/391, 2011. http://eprint.iacr.org/2011/391/.

[MKP12] Amir Moradi, Markus Kasper, and Christof Paar. Black-Box Side-Channel Attacks Highlight the Importance of Countermeasures - An Analysis of the Xilinx Virtex-4 and Virtex-5 Bitstream Encryption Mechanism. In Orr Dunkelman, editor, CT-RSA, volume 7178 of LNCS, pages 1–18. Springer, 2012.

[MM12] Amir Moradi and Oliver Mischke. How Far Should Theory be from Practice? Evaluation of a Countermeasure. In CHES, September 9-12 2012. Leuven, Belgium.

[MMS09] T. Matsumoto, H. Mimura, and D. Suzuki. Complementary logics vs masked logics: Which countermeasure is a better selection? In ECCTD (European Conference on Circuit Theory and Design), IEEE, pages 399–402, August 23-27 2009. Antalya, Turkey.

[MOP06] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, December 2006. ISBN 0-387-30857-1, http://www.dpabook.org/.

[MOPT12] Andrew Moss, Elisabeth Oswald, Dan Page, and Michael Tunstall. Compiler assisted masking. In CHES, September 9-12 2012. Leuven, Belgium.

[MSGR10] Marcel Medwed, François-Xavier Standaert, Johann Großschädl, and Francesco Regazzoni. Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices. In AFRICACRYPT, volume 6055 of LNCS, pages 279–296. Springer, May 03-06 2010. Stellenbosch, South Africa. DOI: 10.1007/978-3-642-12678-9_17.

[NGD11] Maxime Nassar, Sylvain Guilley, and Jean-Luc Danger. Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures against Side-Channel Attacks. In INDOCRYPT, volume 7107 of LNCS, pages 22–39. Springer, December 11-14 2011. Chennai, Tamil Nadu, India. DOI: 10.1007/978-3-642-25578-6_4.

[NSGD12] Maxime Nassar, Youssef Souissi, Sylvain Guilley, and Jean-Luc Danger. RSM: a Small and Fast Countermeasure for AES, Secure against First- and Second-order Zero-Offset SCAs. In DATE, pages 1173–1178. IEEE Computer Society, March 12-16 2012. Dresden, Germany. (Track A: "Application Design", Topic A5: "Secure Systems").

[Pap01] Ravikanth S. Pappu. Physical One-Way Functions. PhD thesis, Massachusetts Institute of Technology, March 2001.

[PR10] Emmanuel Prouff and Thomas Roche. Attack on a Higher-Order Masking of the AES Based on Homographic Functions. In Guang Gong and Kishan Chand Gupta, editors, INDOCRYPT, volume 6498 of LNCS, pages 262–281. Springer, 2010.

[PS08] Gilles Piret and François-Xavier Standaert. Security Analysis of Higher-Order Boolean Masking Schemes for Block Ciphers (with Conditions of Perfect Masking). IET Information Security, 2(1):1–11, 2008. DOI: 10.1049/iet-ifs:20070066.

[Qué03] Patrick Le Quéré. High Rate Random Number Generator, November 19 2003. Patent EP1159673 (also WO0146797), http://www.freepatentsonline.com/EP1159673.html.

[RBG+15] Debapriya Basu Roy, Shivam Bhasin, Sylvain Guilley, Jean-Luc Danger, and Debdeep Mukhopadhyay. From Theory to Practice of Private Circuit: A Cautionary Note. In The 33rd IEEE International Conference on Computer Design (ICCD '15), pages 296–303, October 18-21 2015. New York City, USA. DOI: 10.1109/ICCD.2015.7357117.

[Riv94] Ronald L. Rivest. The RC5 Encryption Algorithm. In FSE, pages 86–96, 1994. Revised version at (Online PDF version).

[RP10] Matthieu Rivain and Emmanuel Prouff. Provably Secure Higher-Order Masking of AES. In Stefan Mangard and François-Xavier Standaert, editors, CHES, volume 6225 of LNCS, pages 413–427. Springer, 2010.

[RSS+10] Ulrich Rührmair, Frank Sehnke, Jan Sölter, Gideon Dror, Srinivas Devadas, and Jürgen Schmidhuber. Modeling attacks on physical unclonable functions. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pages 237–249, New York, NY, USA, 2010. ACM.

[SGV08] François-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages 253–267. Springer, December 3-5 2008. Seoul, Korea.

[SHO08] Ying Su, Jeremy Holleman, and Brian P. Otis. A Digital 1.6 pJ/bit Chip Identification Circuit Using Process Variations. IEEE Journal of Solid-State Circuits, 43(1):69–77, January 2008.

[Sko] Sergei Skorobogatov. Research project: developing new technology for effective side-channel analysis. Website: http://www.cl.cam.ac.uk/~sps32/qvl_proj.html.

[SMY09] François-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of LNCS, pages 443–461. Springer, April 26-30 2009. Cologne, Germany.

[SS10] Daisuke Suzuki and Koichi Shimizu. The Glitch PUF: A New Delay-PUF Architecture Exploiting Glitch Shapes. In CHES, volume 6225 of LNCS, pages 366–382. Springer, August 17-20 2010. Santa Barbara, CA, USA.

[SSHA08] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. High-Performance Concurrent Error Detection Scheme for AES Hardware. In Elisabeth Oswald and Pankaj Rohatgi, editors, CHES, volume 5154 of LNCS, pages 100–112. Springer, 2008.

[TEL14] TELECOM ParisTech SEN research group. DPA Contest (4th edition), 2013–2014. http://www.DPAcontest.org/v4/.

[TMA11] Michael Tunstall, Debdeep Mukhopadhyay, and Subidh Ali. Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault. In Claudio Agostino Ardagna and Jianying Zhou, editors, WISTP, volume 6633 of LNCS, pages 224–233. Springer, 2011.

[TSK07] Pim Tuyls, Boris Skoric, and Tom Kevenaar. Security with Noisy Data: Private Biometrics, Secure Key Storage and Anti-Counterfeiting. Springer-Verlag New York, Inc., Secaucus, NJ, USA, December 2007. 1st edition, ISBN 978-1-84628-983-5.

[TYTF17] Tetsufumi Tanamoto, Shinichi Yasuda, Satoshi Takaya, and Shinobu Fujita. Physically Unclonable Function Using an Initial Waveform of Ring Oscillators. IEEE Trans. on Circuits and Systems, 64(7):827–831, 2017.

[VCS09] Nicolas Veyrat-Charvillon and François-Xavier Standaert. Mutual Information Analysis: How, When and Why? In CHES, volume 5747 of LNCS, pages 429–443. Springer, September 6-9 2009. Lausanne, Switzerland.

[WYC+18] Meng-Yi Wu, Tsao-Hsin Yang, Lun-Chun Chen, Chi-Chang Lin, Hao-Chun Hu, Fang-Ying Su, Chih-Min Wang, James Po-Hao Huang, Hsin-Ming Chen, Chris Chun-Hung Lu, Evans Ching-Song Yang, and Rick Shih-Jye Shen. A PUF scheme using competing oxide rupture with bit error rate approaching zero. In 2018 IEEE International Solid-State Circuits Conference (ISSCC 2018), San Francisco, CA, USA, February 11-15, 2018, pages 130–132. IEEE, 2018.

[YE13] Xin Ye and Thomas Eisenbarth. On the Vulnerability of Low Entropy Masking Schemes. In CARDIS, LNCS. Springer, November 2013. Berlin, Germany.
