Countermeasures to attacks on electronic circuits
Sylvain GUILLEY, Secure-IC S.A.S.

Presentation Outline
1. Introduction
2. Generic Countermeasures
3. RTL Countermeasures
4. Unitary Countermeasure Evaluation Methodology
5. Attacks on Countermeasures
6. Conclusions

S. Guilley, <sylvain.guilley@Secure-IC.com>, Counter-measures to attacks, 1/108
Goal of attacks

Extract a secret, which can be data, a key or an algorithm. But attack paths are varied:
- directly extract the keys used by the crypto, by DPA or DFA (crypto devices);
- combine FI with a file read available in the API (memory smartcards);
- reverse-engineer and exploit a bug (XBOX) or cryptanalyze (MiFARE).

Beware of buzz...
- The most discussed topics are not often the most relevant ones
- The most secure solutions are maybe not affordable
Arrange for the system not to contain sensitive data

Asymmetric
- e.g. only signatures and certificates

Symmetric
- Whitebox crypto
- Save the PIN hashed instead of encrypted
- Save the block cipher as a codebook (theoretical)
- Leakage resilient and/or fault injection resilient (see next slides)
Observation attacks are easily thwarted by masking:

$$\forall r_1, r_2, r_3 \neq 0,\quad \Big( (M + r_1 \times N)^{\,d + r_2 \times \varphi(N)} \bmod r_3 \times N \Big) \bmod N = M^d \bmod N,$$

and, with message blinding (see [Koc96, Sec. 10]),

$$\forall r_1, r_2, r_3 \neq 0,\quad \Big( (M \times r_1^{\,e})^{\,d + r_2 \times \varphi(N)} \times r_1^{-1} \bmod r_3 \times N \Big) \bmod N = M^d \bmod N,$$

hence multiple degrees of freedom to mask cryptographic parameters [Joy03].

Algorithm 2: RSA implementation protected against SCA and FIA
Input: M ∈ Z_N, d = (d_{n-1}, ···, d_0)_2
Output: M^d ∈ Z_N or "Error"
 1  Generate a random r ∈ Z_N^*
 2  R[0] ← r
 3  R[1] ← r^{-1}
 4  R[2] ← M
 5  for i ∈ ⟦0, n-1⟧ do
 6      R[d_i] ← R[d_i] · R[2]
 7      R[2] ← R[2]^2
 8  end
 9  if R[0] · R[1] · M = R[2] then
10      return r · R[1]
11  else
12      return "Error"
13  end

Final condition: R[2] = (((M^2)^2) ···)^2 = M^{(2^n)}, R[0] = r · M^{\bar d}, R[1] = r^{-1} · M^d (with \bar d the bitwise complement of d over n bits, so that \bar d + d + 1 = 2^n and the check R[0] · R[1] · M = R[2] holds only if no fault disturbed the loop).

Algorithm 3: RSA implementation (Montgomery ladder)
Input: M ∈ Z_N, d = (d_{n-1}, ···, d_0)_2
Output: M^d ∈ Z_N
 1  R[1] ← 1
 2  R[2] ← M
 3  for i ∈ ⟦0, n-1⟧ do
 4      if d_i = 1 then
 5          R[1] ← R[1] · R[2]
 6          R[2] ← R[2] · R[2]
 7      else
 8          R[2] ← R[2] · R[1]
 9          R[1] ← R[1] · R[1]
10      end
11  end
12  return R[1]
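Both algorithms above, as an added Python illustration that is not part of the slides, with constructed toy RSA parameters (p = 61, q = 53, e = 17; far too small for real use). `protected_exponentiation` implements Algorithm 2, including the final coherence check on R[0], R[1], R[2], and takes a hypothetical `fault_at` hook that corrupts R[1] during one iteration so the check can be seen to fire. `montgomery_ladder` implements Algorithm 3; the bits of d are consumed from the most significant one, which is the order the register update rules of the ladder require.

```python
import secrets
from math import gcd

# Constructed toy RSA parameters, far too small for real use: p = 61, q = 53.
P, Q = 61, 53
N = P * Q                     # 3233
PHI = (P - 1) * (Q - 1)       # 3120
E = 17
D = pow(E, -1, PHI)           # 2753, private exponent


def montgomery_ladder(m, d, n):
    """Algorithm 3: Montgomery ladder, bits of d taken from the most significant one.
    Every iteration does exactly one multiplication and one squaring, whatever d_i
    is, so the operation flow does not depend on the key bit."""
    r1, r2 = 1, m % n
    for bit in bin(d)[2:]:
        if bit == "1":
            r1 = (r1 * r2) % n
            r2 = (r2 * r2) % n
        else:
            r2 = (r2 * r1) % n
            r1 = (r1 * r1) % n
    return r1


def protected_exponentiation(m, d, n, fault_at=None):
    """Algorithm 2: exponentiation blinded by a random r (against SCA) with a final
    coherence check (against FIA).  `fault_at` is a hypothetical test hook that
    flips one bit of R[1] at the given iteration to simulate a fault injection."""
    nbits = d.bit_length()
    while True:                                   # random r in Z_N^*
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    reg = [r, pow(r, -1, n), m % n]               # R[0] = r, R[1] = r^-1, R[2] = M
    for i in range(nbits):                        # bits of d from the LSB; R[2] = M^(2^i)
        di = (d >> i) & 1
        reg[di] = (reg[di] * reg[2]) % n          # R[d_i] <- R[d_i] * R[2]
        if i == fault_at:
            reg[1] ^= 1                           # simulated single-bit fault
        reg[2] = (reg[2] * reg[2]) % n            # R[2] <- R[2]^2
    # At the end R[0] = r * M^(not d), R[1] = r^-1 * M^d and R[2] = M^(2^nbits);
    # since (not d) + d + 1 = 2^nbits the registers must be coherent:
    if (reg[0] * reg[1] * m) % n == reg[2]:
        return (r * reg[1]) % n                   # unblind: r * r^-1 * M^d
    return "Error"
```

The check costs two extra multiplications and no second exponentiation, which is why this pattern is preferred over "compute twice and compare" on constrained devices.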
Protocol level [Koc05, §4]: if ≈ 1 bit is leaked per 100 encryptions...

Alice:                          Bob:
  AES_{k0}, used 100×             AES_{k0}, used 100×
  k1 = hash(k0)                   k1 = hash(k0)
  AES_{k1}, used 100×             AES_{k1}, used 100×
  k2 = hash(k1)                   k2 = hash(k1)
  ...                             ...
Logarithmic key access speed with indices in a binary table [Koc03]

Keys are arranged in a binary tree rooted at k0 (k1 and k4 below k0, k2 and k3 below k1, k5 and k6 below k4); each edge applies E or D under kL (left step) or kR (right step).

Caption:
- E: symmetric block cipher
- D: symmetric inverse block cipher
- kL: public key for left accesses
- kR: public key for right accesses
- k0: private root key
- k_{i>0}: secondary private session keys

⇒ also protects against related-key attacks [BK09]!

Authenticated encryption [Koc11]: "The approach is well suited to problems such as firmware loading, RAM encryption, network security, and FPGA bitstream encryption."
Interactive Protocols: Fresh Re-Keying [MSGR10]

  k, r → f → k* = f(r, k)     (f: no leakage)
  m    → g → y = g_{k*}(m)

Reader side: the attacker monitors faulty outputs here. Smartcard side: the attacker injects faults on this side.
Attacker model: the attacker monitors faulty outputs on the Reader side and injects faults on the Smartcard side.

Reader                                        Smartcard
challenge c1:  c1 ←$
  e1' = E_{k1}(c1)                            e1 = E_{k1}(c1)
  answer e1'  →                               e1' =? e1    (safe, because e1 is not output)

challenge c2 (left slide):
  c2 ←$  →                                    e2 = E_{k2}(c2)
  e2' = E_{k2}(c2);  e2' =? e2   ←            answer e2    (unsafe, because the input is chosen)

challenge c2 (right slide):
  c2 ←$  →                                    r2 ←$,  e2 = E_{k2}(c2 ⊕ r2)
  e2' = E_{k2}(c2 ⊕ r2);  e2' =? e2   ←       answer (e2, r2)    (safe, because the input is not chosen)

envelope e3:
  e3 = E_{k3 ⊕ e1 ⊕ e2}(d3)    (safe, because it does not involve k3)
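The exchange above as an added Python simulation; it is not code from the slides. The block cipher E_k is stood in for by a keyed PRF (HMAC-SHA256 truncated to 16 bytes, an assumption made only to keep the example self-contained), the `Smartcard` keeps a constructed audit list of every value its E_{k2} actually processed, and `distinct_cipher_inputs` shows the difference between the two variants of step 2: with the unsafe answer, a reader that repeats the same c2 makes the card encrypt the same chosen block every time, whereas with the blinded answer the card-side random r2 makes every cipher input fresh.

```python
import hashlib
import hmac
import secrets

BLOCK = 16


def E(key, block):
    # Stand-in for the block cipher E_k of the slides (assumption: any keyed PRF with
    # a 16-byte output shows the protocol logic; a real card would use e.g. AES-128).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Smartcard:
    """Side where the attacker can inject faults and measure leakage."""

    def __init__(self, k1, k2, k3):
        self.k1, self.k2, self.k3 = k1, k2, k3
        self.e1 = self.e2 = None
        self.inputs_seen_by_k2 = []   # constructed audit trail of the values fed to E_k2

    def verify_reader(self, c1, e1_prime):
        self.e1 = E(self.k1, c1)      # computed and compared, never output
        return hmac.compare_digest(self.e1, e1_prime)

    def answer_unsafe(self, c2):      # left slide: the chosen c2 goes straight into E_k2
        self.inputs_seen_by_k2.append(c2)
        self.e2 = E(self.k2, c2)
        return self.e2

    def answer_safe(self, c2):        # right slide: blind c2 with a fresh card random r2
        r2 = secrets.token_bytes(BLOCK)
        x = xor(c2, r2)
        self.inputs_seen_by_k2.append(x)
        self.e2 = E(self.k2, x)
        return self.e2, r2

    def envelope(self, d3):           # session key k3 ^ e1 ^ e2 is fresh every run
        return E(xor(xor(self.k3, self.e1), self.e2), d3)


class Reader:
    def __init__(self, k1, k2, k3):
        self.k1, self.k2, self.k3 = k1, k2, k3
        self.e1 = self.e2 = None

    def challenge1(self):
        c1 = secrets.token_bytes(BLOCK)
        self.e1 = E(self.k1, c1)
        return c1, self.e1

    def verify_safe_answer(self, c2, e2, r2):
        self.e2 = E(self.k2, xor(c2, r2))
        return hmac.compare_digest(self.e2, e2)

    def envelope(self, d3):
        return E(xor(xor(self.k3, self.e1), self.e2), d3)


def run_session(reader, card, d3):
    """One run of the right-slide protocol; True if both sides authenticate and
    derive the same envelope for d3."""
    c1, e1_prime = reader.challenge1()
    ok1 = card.verify_reader(c1, e1_prime)
    c2 = secrets.token_bytes(BLOCK)
    e2, r2 = card.answer_safe(c2)
    ok2 = reader.verify_safe_answer(c2, e2, r2)
    return ok1 and ok2 and reader.envelope(d3) == card.envelope(d3)


def distinct_cipher_inputs(card, c2, runs, safe):
    """Send the same chosen c2 `runs` times; count how many distinct inputs E_k2 saw."""
    card.inputs_seen_by_k2.clear()
    for _ in range(runs):
        if safe:
            card.answer_safe(c2)
        else:
            card.answer_unsafe(c2)
    return len(set(card.inputs_seen_by_k2))
```

The point of the audit list is the DPA precondition: an attacker who can fix the cipher input and collect outputs can build hypotheses on k2; once the input is c2 ⊕ r2 with r2 drawn on the card, that control is gone even though the reader can still verify the answer.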
Implementing Noise Generators in FPGAs

This paper [GM11] presents some heuristic countermeasures:
- Complementary with other countermeasures!
- Especially suitable for FPGAs if some resources remain available.
- Next slides courtesy of the authors (Tim Güneysu and Amir Moradi).

Noise generation strategy (common design: application logic including a cryptographic core):
- Configure the remaining routable slices (flip-flops) as cyclic shift registers.
- Preload the sequence "01" into the shift registers (with clock enable CE), so that the flip-flops around the application and the crypto core keep toggling.
Proposal #2: Write Collisions in BRAMs
- Figure: both BRAM ports (ADDRA / WEA / INA) write the same address at once through the output multiplexer; the resulting output is undefined ("??").

Proposal #3: Short Circuits in FPGAs
- Establishing controlled SCs (short circuits between a driver at 1 and a driver at 0) requires manual routing (via XDL).

Proposal #4: Clock Disalignment using DCMs
- Digital Clock Managers (DCM) support concurrent phase-shift channels (0°, 90°, 180°, 270° from DCMA; 45°, 135°, 225°, 315° from DCMB with PS+45°).
- Clock buffers can be configured as glitch-free clock multiplexers.
- Cascading clock muxes (selects S0, S1, S2 driven by an RNG) results in a randomly delayed, phase-shifted cipher clock CLKCiph.

Proposal #5: Data Masking with BRAMs
- Dual-ported BRAM allows simultaneous access and mask update in the Q-box.
- Active context (Q-box #1) used by the cipher operation.
- Inactive context (Q-box #2) updates the mask by a concurrent process (scrambler: S-box under scrambling with the new mask; current mask m: F439AD0B8C…).
- Context switch after update and cipher process are finished.

(Slides: CHES 2011, Nara, Japan, Tim Güneysu.)
Evaluations: CPA on individual CMs
- Plain AES-128 @ 24 MHz: 10^4 measurements, 3,000 traces required.
- Clock disalignment, 8 phase shift steps: 10^7 measurements, 3,000,000 traces required.

Sensor against optical fault injection [LCSK13]
- Figure: effect of a laser spot on CMOS cells (rows of cells between vdd and vss holding the pattern 0 1 0 1 ...).
Random Active shield [BCC+12a, GBP+12]

Counter-measures at the module's level
Radiation suppression with a ferromagnetic film (last metal layer (M6) of an AES layout)
- Ferromagnetic material Ni80Fe20, aka Permalloy.
- Experiment with a layer of 20 µm depth [BBD+07].
Countermeasures Against Hardware Trojan Horses Insertion
- 0.4010 / 0.3798: ECO P&R failed
- NC: even re-routing failed!

Figure 2 – Pixel-wise comparison between the AES layouts with 50% CUR; between the original AES and (a) a single AND gate Trojan, (b) a 128 AND gates Trojan.
Grid-correlation between the layouts; results on the SECMAT circuit (run CMP S12C6)
- Compared: Trojaned GDSII, picture, genuine GDSII; CUR of 50%; (a) 1 AND and (b) 128 AND gates Trojan (the cells added by the Trojan are highlighted).

Conclusions on Hardware Trojan horses:
- Prevention: it is almost impossible to insert a Trojan horse in ECO mode if CUR > 90%
- Detection (post-mortem): the (visual) correlation decreases when the Trojan horse size and the CUR increase
- Medium cost detection with grid-based cross-correlation between GDSII and photographic pictures of the circuit
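The grid-based cross-correlation of the last bullet, as an added Python example that is not the authors' tool: two constructed 32 × 32 grey-level maps stand in for the rendered genuine GDSII and for the chip picture (the picture is the layout plus sensor noise, and optionally one grid cell overwritten with an unrelated pattern, standing for the cells a Trojan added in the free space). `grid_correlation` computes a Pearson correlation per 8 × 8 cell and `suspicious_cells` reports the cells whose picture no longer matches the reference. Cell size, image size and the 0.6 threshold are assumptions chosen for the example.

```python
import random
from math import sqrt

CELL = 8          # grid cell side in pixels (assumption)
SIZE = 32         # image side; SIZE / CELL = 4 x 4 grid cells (assumption)


def make_layout(seed=1):
    """Constructed stand-in for a rendered genuine GDSII: a SIZE x SIZE grey-level map."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(SIZE)] for _ in range(SIZE)]


def photograph(layout, seed=2, trojan_cell=None):
    """Constructed stand-in for the chip picture: the layout plus sensor noise.  If
    trojan_cell = (row, col) is given, that grid cell is replaced by an unrelated
    pattern, standing for logic the Trojan placed in previously empty space."""
    rng = random.Random(seed)
    photo = [[v + rng.gauss(0, 0.1) for v in row] for row in layout]
    if trojan_cell is not None:
        r0, c0 = trojan_cell[0] * CELL, trojan_cell[1] * CELL
        for y in range(r0, r0 + CELL):
            for x in range(c0, c0 + CELL):
                photo[y][x] = rng.random()
    return photo


def pearson(xs, ys):
    """Normalised cross-correlation of two equally long pixel lists."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0        # a flat cell cannot match anything; treat as no match
    return sxy / sqrt(sxx * syy)


def grid_correlation(reference, picture):
    """Per-cell correlation between the reference layout and the picture."""
    cells = SIZE // CELL
    corr = [[0.0] * cells for _ in range(cells)]
    for i in range(cells):
        for j in range(cells):
            xs, ys = [], []
            for y in range(i * CELL, (i + 1) * CELL):
                xs.extend(reference[y][j * CELL:(j + 1) * CELL])
                ys.extend(picture[y][j * CELL:(j + 1) * CELL])
            corr[i][j] = pearson(xs, ys)
    return corr


def suspicious_cells(corr, threshold=0.6):
    """Grid cells whose picture no longer matches the genuine GDSII."""
    return [(i, j) for i, row in enumerate(corr)
            for j, c in enumerate(row) if c < threshold]
```

Working per cell rather than on the whole die is what keeps the check cheap and localises the finding: a small Trojan lowers the correlation of one or two cells while the global correlation barely moves, which is the "detection cost vs. Trojan size" trade-off the slides describe.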
Masking

Story: "One shall trust his hardware".
Fact: manipulating a variable leaks, modulo the leakage function and the noise.
Masking: splitting X into the pair (X ⊕ M, M).
Attacks: the joint leakage of (X ⊕ M, M) leaks on X.
But the assumption of independent computations is a hypothesis on the HW.

Violation in time: CMOS leaks the activity, M → M_modelled, M_unexpected. At time t the register holds X ⊕ M, at t+1 it holds M, so the leakage in activity of the logic is (x ⊕ m) ⊕ m = x.

Variable caching, because of forks: functionally inactive parts leak.
Higher-order masking: a sensitive variable s is split into d+1 shares {s0, s1, ···, sd}.
- To reconstruct s, all the si are required.
- Example: d = 1, s = s0 ⊕ s1.
⇒ Boolean [GP99], multiplicative [AG01], affine [FMPR10], homographic [PR10], etc.

Figure: masked DES round (IP ... FP, ciphertext). Masked data (Li, Ri) and masks (M ⊕ Li, M ⊕ Ri) go through the Feistel function f, where the S-box S (applied to x ⊕ kc) is replaced by a masked S-box S' fed with x ⊕ m, and the masks m, m' traverse E and P.

Everything is linear, but the sboxes (sic): a ↦ a^{-1} mod X^8 + X^4 + X^3 + X + 1, and a^{-1} = a^{254} = (((a^2) × a)^4) × ... mod X^8 + X^4 + X^3 + X + 1.
- Squaring is linear
- We miss a secure AND
CHES 2010 – Provably Secure Higher-Order Masking of AES

Example (d = 2): the shares of c = a × b are the XOR of the rows of

$$\begin{pmatrix} a_0 b_0 & (a_0 b_1 \oplus r_{1,2}) \oplus a_1 b_0 & (a_0 b_2 \oplus r_{1,3}) \oplus a_2 b_0 \\ r_{1,2} & a_1 b_1 & (a_1 b_2 \oplus r_{2,3}) \oplus a_2 b_1 \\ r_{1,3} & r_{2,3} & a_2 b_2 \end{pmatrix} \;\to\; \begin{matrix} c_0 \\ c_1 \\ c_2 \end{matrix}$$

- Ishai et al. prove (d/2)th-order security
- We prove dth-order security
Warning for optimizations (here under Cadence)! [RBG+15]

Masking the S-box: the proposed addition chain
- x → x^2: one square
- x^3 = x^2 · x: one mult
- x^12 = (x^3)^4: two squares
- x^15 = x^12 · x^3: one mult
- x^240 = (x^15)^16: four squares
- x^252 = x^240 · x^12: one mult
- x^254 = x^252 · x^2: one mult
- Total: 4 mult and 7 squares
- Memory: 3 registers
- LUT for ^2, ^4 and ^16
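The secure multiplication matrix of the CHES 2010 slide and the addition chain above, as one added Python example (not the authors' code): `secure_mult` builds the d+1 shares of a × b in GF(2^8) exactly as the rows of the matrix (row i holds a_i b_i, the terms (a_i b_j ⊕ r_{i,j}) ⊕ a_j b_i for j > i and the randoms r_{j,i} for j < i), squaring is applied share by share since it is linear, and `secure_inverse` chains them into x^254 with the 4 multiplications and 7 squarings listed. The `OPS` counter is an addition for the example only, so the operation count can be checked.

```python
import random
from functools import reduce

AES_POLY = 0x11B                 # X^8 + X^4 + X^3 + X + 1
OPS = {"mult": 0, "square": 0}   # operation counter, for the example only


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY & 0xFF
        b >>= 1
    return p


def share(x, d, rng):
    """Split x into d+1 Boolean shares; all of them are needed to rebuild x."""
    s = [rng.randrange(256) for _ in range(d)]
    s.append(reduce(lambda u, v: u ^ v, s, x))
    return s


def unshare(shares):
    return reduce(lambda u, v: u ^ v, shares)


def secure_square(a):
    """Squaring is linear over GF(2^8), so it is applied share-wise."""
    OPS["square"] += 1
    return [gf_mul(ai, ai) for ai in a]


def secure_mult(a, b, rng):
    """The secure AND: c_i is the XOR of row i of the matrix on the slide,
    with a fresh random r_{i,j} for every pair i < j."""
    OPS["mult"] += 1
    n = len(a)
    row = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            rij = rng.randrange(256)
            row[j][i] = rij                                             # r_{i,j}
            row[i][j] = (gf_mul(a[i], b[j]) ^ rij) ^ gf_mul(a[j], b[i])  # (a_i b_j ^ r) ^ a_j b_i
    c = []
    for i in range(n):
        ci = gf_mul(a[i], b[i])                                         # diagonal a_i b_i
        for j in range(n):
            if j != i:
                ci ^= row[i][j]
        c.append(ci)
    return c


def secure_inverse(x, rng):
    """x^254 = x^-1 on shares via the addition chain of the slide: 4 mult, 7 squares."""
    x2 = secure_square(x)                        # x^2        (1 square)
    x3 = secure_mult(x2, x, rng)                 # x^3        (1 mult)
    x12 = secure_square(secure_square(x3))       # (x^3)^4    (2 squares)
    x15 = secure_mult(x12, x3, rng)              # x^15       (1 mult)
    x240 = x15
    for _ in range(4):                           # (x^15)^16  (4 squares)
        x240 = secure_square(x240)
    x252 = secure_mult(x240, x12, rng)           # x^252      (1 mult)
    return secure_mult(x252, x2, rng)            # x^254      (1 mult)


def masked_inverse(x, d=2, seed=0):
    """Share x, invert on the shares, recombine; returns (x^-1, #mult, #square)."""
    rng = random.Random(seed)
    OPS["mult"] = OPS["square"] = 0
    y = unshare(secure_inverse(share(x, d, rng), rng))
    return y, OPS["mult"], OPS["square"]
```

Only the four `secure_mult` calls consume randomness and need the cross-share products; this is why the slide counts multiplications and squarings separately, and why an optimiser that merges or reorders those XORs (the Cadence warning) can silently break the share independence the proof relies on.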
Notations
- x is sensitive
- r is a random mask
- x' is x Boolean-ly masked: x' = x ⊕ r
- A is x arithmetically masked: x = A + r mod 2^k

B2A [Gou01]: [x', r] → [A, r]
A2B [CGV14, Alg. 7]: [A, r] → [x', r]

Figure (leakage squeezing): the masked data X ⊕ M and the mask leak simultaneously ("fuite simultanée"); the mask is kept in memory ("cachée en mémoire") as F(M) and goes through combinational logic ("logique combinatoire") F / F^{-1} around the S-box S and the register R, so the leaking pair is (X ⊕ M, F(M)) before and (X' ⊕ M', F(M')) after the S-box.
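Goubin's B2A conversion [Gou01] from the notations above, as an added Python example (not from the slides): `boolean_to_arithmetic` turns (x', r) with x = x' ⊕ r into A with x = A + r mod 2^k without ever recombining x, using the fact that Φ(a, b) = (a ⊕ b) − b is affine in b over GF(2). `phi_is_affine` checks that property and `check_all` verifies the conversion exhaustively over all 8-bit x and r for a few values of the fresh random Γ; k = 8 and the chosen Γ values are assumptions for the example.

```python
K = 8                    # word size in bits (assumption for the example)
MASK = (1 << K) - 1


def phi(a, b):
    """Φ(a, b) = (a ⊕ b) − b mod 2^k.  Goubin's lemma: for fixed a, b ↦ Φ(a, b) is
    affine over GF(2), i.e. Φ(a, b1 ⊕ b2) = Φ(a, b1) ⊕ Φ(a, b2) ⊕ Φ(a, 0)."""
    return ((a ^ b) - b) & MASK


def phi_is_affine(a, b1, b2):
    return phi(a, b1 ^ b2) == phi(a, b1) ^ phi(a, b2) ^ phi(a, 0)


def boolean_to_arithmetic(x_prime, r, gamma):
    """B2A [Gou01]: from (x', r) with x = x' ⊕ r, return A with x = A + r mod 2^k.
    gamma is a fresh random.  Every intermediate is a function of x' and of random
    values, never of x itself, which is what a first-order value-leakage model needs."""
    t = x_prime ^ gamma
    t = (t - gamma) & MASK
    t ^= x_prime                 # t = Φ(x', Γ) ⊕ x'
    gamma ^= r                   # Γ ⊕ r
    a = x_prime ^ gamma
    a = (a - gamma) & MASK       # a = Φ(x', Γ ⊕ r)
    a ^= t                       # a = Φ(x', r) = (x' ⊕ r) − r = x − r
    return a


def check_all(gammas=(0x00, 0x5A, 0xA5, 0xFF)):
    """Exhaustive check over all 8-bit x and r for a few Γ: the unmasked value must
    satisfy x == A + r mod 2^k.  Returns the number of failures (expected 0)."""
    failures = 0
    for x in range(1 << K):
        for r in range(1 << K):
            for g in gammas:
                a = boolean_to_arithmetic(x ^ r, r, g)
                if (a + r) & MASK != x:
                    failures += 1
    return failures
```

The conversion costs a handful of XORs and subtractions and no table, which is why it is the usual bridge when a masked Boolean S-box output has to feed a modular addition (or the reverse direction, A2B, in the other half of the cipher).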
Leakage squeezing – Rationale 3/3

First-order Boolean masking with "leakage squeezing". The leakage model is more complex: X = HW(Y ⊕ M) + HW(F(M)). The role of the bijection F is to distribute the sensitive variable in a more balanced way over the 2n + 1 leakage classes (although obtaining a completely balanced distribution is impossible). Sensitive data Y (private), leakage X (public).

RSM (Rotating Sbox Masking) mode of operation: the 128-bit state is 16 × 8 bits; the masks m0, m1, ..., m15 are rotated by a barrel shifter (offset j ∈ {0..15}), and each byte is processed by the precomputed masked S-box SB'_j ∈ {S'_0, S'_1, ..., S'_15}.
In this expression, Z and M are n-bit vectors, i.e. live in F_2^n. The leakage function L: F_2^n → R depends on the hardware.
- In a conservative perspective, L is assumed to be bijective.
- In a realistic perspective, L is assumed to be non-injective.

Setting:
- n = 8 bit,
- 16 masks only (price metric), and
- provable security up to 2nd-order attacks (security metric).
Plot: mutual information of the leakage in Hamming weight with the sensitive variable Z (y-axis, 0 to 0.25) versus the entropy H[M] of the mask M in bits (x-axis, 3.5 to 7), for one solution that cancels ρ_opt^(1,2) found by the SAT-solver.

Attacks \ Countermeasures (ASM instead of C, registers precharge, shuffling; marks as on the slide):
- First-order attack [MGH14]: x x
- Recover the offset [TEL14]: . x
- Collision on the sbox [KP14]: x x
- Collision 1st-last rounds [KP14]: x x
- Bivariate attacks [BBB+13]: x
- MIA [YE13]: x
GET / Télécom Paris, CNRS LTCI (UMR 5141), 46, rue Barrault – 75634 Paris Cedex 13 – France

Backend duplication (dual-rail):
1. Reorder pins
2. Enlarge pins for overlap
3. Keep pins intersection

At that point: no placement, no routing.
- Half of the placement rows are obstructed → placement OK
- Half of the routing channels are obstructed → horizontal routing OK
- Cells are duplicated by vertical flip (R0 → MX)
- Routing is translated by (PITCH, ROW_HEIGHT) → vertical routing OK

The method fully relies on the setting of appropriate constraints.

WDDL example: before duplication / after duplication.

Note: results can be visualized in a backend tool without rewriting (error-prone) nor reloading (not interactive) design rules.

« Backend Duplication » Efficiency Assessment: 4 (TCL) / 100 (C)

Execution time in the example of DES:
               Regular    Backend-duplicated
  Place        1.9 s      6.2 s
  Route        39.0 s     80.0 s
  Duplication  -          77.5 s
PUF – Physically (Physical) Unclonable Function
- Every semiconductor chip has intrinsic subtle variations in its physical properties.
- These variations are unique to each chip and very hard to clone.
- A PUF is based on such variations and considered an object's fingerprint.
- PUFs take the same input but respond with different outputs.
- Enables non-stored, internally-generated CSP management.
- Building structures and evaluation metrics have been studied.
- Some technical considerations:
  - A typical use of PUF involves a challenge (input) and response (output) scheme.
  - An error correction scheme should be combined in use because a PUF does not generate exactly the same output every time (it contains partial errors due to the physical variations).
  - Not designed to be a TRNG, but may be utilized to make a TRNG.
- Applications of PUFs fall into two categories:
  - Anti-counterfeiting with product authentication (goes to other standardization groups: ISO TC247, ISO/IEC SC31, SEMI, etc.)
  - Information security: non-stored CSP generation (above-mentioned)
- Related businesses are emerging.
- Purpose of standardization:
  - Before non-interoperable/interchangeable or low-reliability PUF applications are widely distributed, a well-considered standard must be established.
  - For a higher usability and reliability
  - For building a wider market

PUF families (figure):
- Optical PUF: uses the speckle pattern of a transmitted laser (token, speckle pattern; http://commons.wikimedia.org/). Pappu Srinivasa Ravikanth, "Physical One-Way Functions," PhD Thesis, MIT, 2001.
- Arbiter PUF: uses the delay difference of two signals (arbiter).
- Ring-oscillator PUF: uses the difference of oscillating frequencies (RO, comparator).
- Coating PUF: uses the difference of capacitive load (capacitive sensor). Skoric, B., et al. "Experimental hardware for coating PUFs and optical PUFs," Security with Noisy Data. Springer London, 2007. 255-268.
- Butterfly PUF and SRAM PUF: use the difference of the initial state of memory.
- PUFx → KEYx (KEY1, KEY2, KEY3, KEY4 in the figure).
Tradeoff Cost / Security – Example: comparison dual-rail with masking

Estimating the leakage does not always translate into attacks.

Ex. 1: Uncentered Templates
- ∀k[0], k[1..3] fixed
- ∀k[0], with different k[1..3]
- Plot: success rate (0 to 1) versus number of traces for the online attack (0 to 25,000).

Step #2/2: Estimate resistance against attacks [SMY09]
- Leakage and security metrics are complementary
- Leaking is a vulnerability; attacks attempt to exploit it
- Preferred attacks are conducted on real measurements: it's no longer an ideal case!
- o-th order success rate or guessing entropy are two possibilities (see [SGV08])
• Masking versus dual-rail are presented in chapters 9 and 7 of the
• Also, attack-wise : [MMS09].
• And information-theoretic-wise : [GMN+11].
• But still, this is very ad hoc, and depends on the target.

Countermeasure   Resource            Weight   Leakage (L)
Masking          n-bit mask          1+α      (1+α) · HW(m)
                 n-bit masked data   1        1 · HW(x ⊕ m)
Hiding           n-bit true data     1+α      (1+α) · HW(x)
                 n-bit false data    1        1 · HW(x)

[Figure: plot of domains where either masking or DPL leak less (n = 4); x-axis: noise standard deviation σ (log scale, ¼ to 2^9); y-axis: unbalancedness α [%] (0 to 90); regions labelled "Masking is better" and "Hiding is better".]
Attack on Information Hiding

Attacks on masking (w/o mask) (1/3)
p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16 ; O ranges over 0..4.
Correct key (i.e. physical L) :
  H(O|L = 0) = 0, H(O|L = 1) = 0, H(O|L = 2) = 0, H(O|L = 3) = 0, H(O|L = 4) = 0 ⇒ H(O|L) = 0 bit
Incorrect key (i.e. random L) :
  H(O|L = 0) = 2.03, H(O|L = 1) = 2.03, H(O|L = 2) = 2.03, H(O|L = 3) = 2.03, H(O|L = 4) = 2.03 ⇒ H(O|L) = 2.03 bit

Attacks on masking (w/ mask) (2/3)
p(L = 0) = 1/16, p(L = 1) = 4/16, p(L = 2) = 6/16, p(L = 3) = 4/16, p(L = 4) = 1/16 ; O ranges over 0..8.
Correct key (i.e. physical L) :
  H(O|L = 0) = 2.03, H(O|L = 1) = 1.81, H(O|L = 2) = 1.5, H(O|L = 3) = 1, H(O|L = 4) = 0 ⇒ H(O|L) = 1.39 bit
Incorrect key (i.e. random L) :
  H(O|L = 0) = 2.54, H(O|L = 1) = 2.54, H(O|L = 2) = 2.54, H(O|L = 3) = 2.54, H(O|L = 4) = 2.54 ⇒ H(O|L) = 2.54 bit

Attacks on masking (w/ mask) (3/3)
[Figure: histograms of O|L = 0 ... O|L = 4 (O ranging over 0..8) for the correct key (i.e. physical L) and for an incorrect key (i.e. random L).]
Incorrect key (i.e. random L) :
  Var(O|L = 0) = 2, Var(O|L = 1) = 2, Var(O|L = 2) = 2, Var(O|L = 3) = 2, Var(O|L = 4) = 2 ⇒ Var(O|L) = 2
⇒ 2nd-order CPA

Statistics about some leakage models on words of n = 4 bitwidth, without noise (i.e. σ = 0).

R.V.                   L        L|Z = 0   L|Z = 1   L|Z = 2   L|Z = 3   L|Z = 4
Plain zero-offset with d = 0 mask (unprotected reference). HCI = 1
μ1 = E(·)              2.000    0.000     1.000     2.000     3.000     4.000
μ2 = E((· − μ1)^2)     1.000    0.000     0.000     0.000     0.000     0.000
μ3 = E((· − μ1)^3)     0.000    0.000     0.000     0.000     0.000     0.000
μ4 = E((· − μ1)^4)     2.500    0.000     0.000     0.000     0.000     0.000
Entropy [bit]          2.031    0.000     0.000     0.000     0.000     0.000
Plain zero-offset with d = 1 mask. HCI = 2
μ2 = E((· − μ1)^2)     2.000    4.000     3.000     2.000     1.000     0.000
μ3 = E((· − μ1)^3)     0.000    0.000     0.000     0.000     0.000     0.000
μ4 = E((· − μ1)^4)     11.000   40.000    21.000    8.000     1.000     0.000
Entropy [bit]          2.544    2.031     1.811     1.500     1.000     0.000
Plain zero-offset with d = 2 masks. HCI = 3
μ1 = E(·)              6.000    6.000     6.000     6.000     6.000     6.000
Plain zero-offset with d = 3 masks. HCI = 4
μ2 = E((· − μ1)^2)     4.000    4.000     4.000     4.000     4.000     4.000
μ3 = E((· − μ1)^3)     0.000    0.000     0.000     0.000     0.000     0.000
μ4 = E((· − μ1)^4)     46.000   52.000    49.000    46.000    43.000    40.000
Entropy [bit]          3.047    2.044     2.047     2.046     2.043     2.031
Plain zero-offset with d = 4 masks. HCI = 5
μ1 = E(·)              10.000   10.000    10.000    10.000    10.000    10.000
μ2 = E((· − μ1)^2)     5.000    5.000     5.000     5.000     5.000     5.000
μ3 = E((· − μ1)^3)     0.000    0.000     0.000     0.000     0.000     0.000
μ4 = E((· − μ1)^4)     72.500   72.500    72.500    72.500    72.500    72.500
Entropy [bit]          3.208    2.207     2.208     2.208     2.208     2.207
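The conditional entropies and central moments on these three slides can be recomputed exactly. The following Python script is an added example, not the author's code: it assumes the noise-free leakage model O = HW(x ⊕ m1 ⊕ ... ⊕ md) + HW(m1) + ... + HW(md) for an n-bit word x and d Boolean masks, takes L = HW(x) as the correct-key hypothesis and an L independent of O as the wrong-key case, and generalises the slides' d = 0 and d = 1 computations to any n and d.

```python
"""Added example (not from the slides): exact statistics of the noise-free
Hamming-weight leakage of an n-bit word x protected by d Boolean masks,
    O = HW(x ^ m1 ^ ... ^ md) + HW(m1) + ... + HW(md)      (assumed model)
conditioned on L = HW(x) (correct key) or on nothing (wrong key)."""
from fractions import Fraction
from itertools import product
from math import comb, log2

def bit_contribution(xbit, d):
    """Law of one bit position's share of O, its d mask bits being uniform."""
    dist = {}
    for mbits in product((0, 1), repeat=d):
        v = (xbit ^ (sum(mbits) & 1)) + sum(mbits)
        dist[v] = dist.get(v, 0) + Fraction(1, 2 ** d)
    return dist

def convolve(a, b):
    """Law of the sum of two independent integer-valued random variables."""
    out = {}
    for va, pa in a.items():
        for vb, pb in b.items():
            out[va + vb] = out.get(va + vb, 0) + pa * pb
    return out

def leakage_given_hw(l, n, d):
    """P(O | HW(x) = l): HW is additive over bits, so O is a sum of per-bit
    shares, l of them from bits equal to 1 and n - l from bits equal to 0."""
    one, zero = bit_contribution(1, d), bit_contribution(0, d)
    dist = {0: Fraction(1)}
    for _ in range(l):
        dist = convolve(dist, one)
    for _ in range(n - l):
        dist = convolve(dist, zero)
    return dist

def leakage_unconditional(n, d):
    """P(O) for uniform x: what a wrong key hypothesis sees (L independent of O)."""
    out = {}
    for l in range(n + 1):
        for v, p in leakage_given_hw(l, n, d).items():
            out[v] = out.get(v, 0) + Fraction(comb(n, l), 2 ** n) * p
    return out

def entropy(dist):
    """Shannon entropy in bits."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p)

def central_moment(dist, k):
    """mu_k = E((O - mu_1)^k), exact in rationals, returned as float."""
    mean = sum(v * p for v, p in dist.items())
    return float(sum((v - mean) ** k * p for v, p in dist.items()))

def conditional_entropy(n, d):
    """H(O|L) = sum_l P(HW(x) = l) H(O|L = l) under the correct key."""
    return sum(comb(n, l) / 2 ** n * entropy(leakage_given_hw(l, n, d))
               for l in range(n + 1))

if __name__ == "__main__":
    for d in (0, 1, 3, 4):  # the mask counts whose rows are tabulated above
        print(f"d={d}: H(O|L)={conditional_entropy(4, d):.3f} bit, "
              f"H(O)={entropy(leakage_unconditional(4, d)):.3f} bit, Var(O|L=l)=",
              [central_moment(leakage_given_hw(l, 4, d), 2) for l in range(5)])
```

With d = 1 the per-L variances come out as 4, 3, 2, 1, 0 against a constant 2 for a wrong key, which is exactly the distinguishing feature the 2nd-order CPA exploits.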
Attack on Information Hiding : Evaluation

[Figure: mutual information versus time samples (0 to 1200) for AES-DPL-no-EE and AES-DPL-EE, y-axis from −0.01 to 0.05, with the precharge, round 9, precharge, round 10, sbox and final XOR phases annotated.]

• If protected : (·)²
• Operation : c = AES_k(m)
• Mutual information
    = I(O ; c[0] ⊕ k10[0])   [S is bijective]
    = I(O ; c[0])            [k is constant]
• Attack does not work in values...
• ...but in Hamming weights.
Recommendations for misc auxiliary functions

TRNG
• Avoid ring-based structures
• Open-loop solutions exist : [Qué03], [DGH09]
[Figure: open-loop structure: a chain of delay elements d1, d2, ..., dn−1, dn, each stage sampled by a D flip-flop (outputs q1, q2, q3, q4) on the global clock, combined into a final flip-flop output s.]

PUF
• Avoid delay-PUF or hash the output to prevent modeling

References

[AG01] Mehdi-Laurent Akkar and Christophe Giraud. An Implementation of DES and AES Secure against Some Attacks. In LNCS, editor, Proceedings of CHES'01, volume 2162 of LNCS, pages 309–318. Springer, May 2001. Paris, France.

[BBB+13] Pierre Belgarric, Shivam Bhasin, Nicolas Bruneau, Jean-Luc Danger, Nicolas Debande, Sylvain Guilley, Annelie Heuser, Zakaria Najm, and Olivier Rioul. Time-Frequency Analysis for Second-Order Attacks. In CARDIS, Lecture Notes in Computer Science. Springer, November 2013. Berlin, Germany.

[BBD+07] L. Bouhouch, A. Boyer, S. Ben Dhia, É. Sicard, and M. Fadel. Amélioration des performances CEM d'un microcontrôleur à l'aide d'un film ferromagnétique. In TELECOM 2007, 5th JFMMA, March 2007. Fes, Morocco. (Online PDF).

[BBD+14] Shivam Bhasin, Nicolas Bruneau, Jean-Luc Danger, Sylvain Guilley, and Zakaria Najm. Analysis and improvements of the DPA contest v4 implementation. In Rajat Subhra Chakraborty, Vashek Matyas, and Patrick Schaumont, editors, Security, Privacy, and Applied Cryptography Engineering - 4th International Conference, SPACE 2014, Pune, India, October 18-22, 2014. Proceedings, volume 8804 of Lecture Notes in Computer Science, pages 201–218. Springer, 2014.

[BCC+12a] Sébastien Briais, Stéphane Caron, Jean-Michel Cioranesco, Jean-Luc Danger, Sylvain Guilley, Jacques-Henri Jourdan, Arthur Milchior, David Naccache, and Thibault Porteboeuf. 3D Hardware Canaries. In CHES, September 9-12 2012. Leuven, Belgium. Full version [BCC+12b].
[FMPR10] Guillaume Fumaroli, Ange Martinelli, Emmanuel Prouff, and Matthieu Rivain. Affine Masking against Higher-Order Side Channel Analysis. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of Lecture Notes in Computer Science, pages 262–280. Springer, 2010.

[GBP+12] Sylvain Guilley, Sébastien Briais, Thibault Porteboeuf, Jean-Luc Danger, Jean-Michel Cioranesco, and David Naccache. Random Active Shield. In FDTC, September 9 2012. Leuven, Belgium.

[GBPV10] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks : Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages 221–234. Springer, March 1-5 2010. San Francisco, CA, USA.

[GCS+08] Sylvain Guilley, Sumanta Chaudhuri, Laurent Sauvage, Tarik Graba, Jean-Luc Danger, Philippe Hoogvorst, Vinh-Nga Vong, and Maxime Nassar. Place-and-Route Impact on the Security of DPL Designs in FPGAs. In HOST (Hardware Oriented Security and Trust), IEEE, pages 29–35, Anaheim, CA, USA, June 2008.

[GCvDD02] Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In Vijayalakshmi Atluri, editor, Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22, 2002, pages 148–160. ACM, 2002.

[GHK] Sylvain Guilley, Soshi Hamaguchi, and Yousung Kang. ISO/IEC NP 20897. Information technology – Security techniques – Security requirements, test and evaluation methods for physically unclonable functions for generating nonstored security parameters. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=69403.

[GM11] Tim Güneysu and Amir Moradi. Generic side-channel countermeasures for reconfigurable devices. In Bart Preneel and Tsuyoshi Takagi, editors, CHES, volume 6917 of LNCS, pages 33–48. Springer, 2011.

[GMN+11] Sylvain Guilley, Olivier Meynard, Maxime Nassar, Guillaume Duc, Philippe Hoogvorst, Houssem Maghrebi, Aziz Elaabid, Shivam Bhasin, Youssef Souissi, Nicolas Debande, Laurent Sauvage, and Jean-Luc Danger. Vade Mecum on Side-Channels Attacks and Countermeasures for the Designer and the Evaluator. In DTIS (Design & Technologies of Integrated Systems), IEEE. IEEE, March 6-8 2011. Athens, Greece. DOI : 10.1109/DTIS.2011.5941419 ; Online version : http://hal.archives-ouvertes.fr/hal-00579020/en/.

[GNN+11] Sylvain Guilley, Philippe Nguyen, Robert Nguyen, Hassan Triqui, and Jean-Luc Danger. Smart-SIC Analyzer, September 26-27 2011. Panel Discussion – Tool Vendor / Laboratory. Non-Invasive Attack Testing Workshop (NIAT 2011), co-organized by NIST & AIST. Todai-ji Cultural Center, Nara, Japan. (PDF).

[Gou01] Louis Goubin. A Sound Method for Switching between Boolean and Arithmetic Masking. In Çetin Kaya Koç, David Naccache, and Christof Paar, editors, CHES, volume 2162 of Lecture Notes in Computer Science, pages 3–15. Springer, 2001.

[LCSK13] Donggeon Lee, Dooho Choi, Jungtaek Seo, and Howon Kim. Reset Tree-Based Optical Fault Detection. Sensors, 13(5) :6713–6729, 2013.

[LR10] Kerstin Lemke-Rust. Provable Security against Physical Attacks, February 19 2010. "Provable Security against Physical Attacks" Workshop, at Lorentz Center, Germany (online).

[MBKP11] Amir Moradi, Alessandro Barenghi, Timo Kasper, and Christof Paar. On the vulnerability of FPGA bitstream encryption against power analysis attacks : extracting keys from Xilinx Virtex-II FPGAs. In Yan Chen, George Danezis, and Vitaly Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 111–124. ACM, 2011.

[MGD11] Houssem Maghrebi, Sylvain Guilley, and Jean-Luc Danger. Leakage Squeezing Countermeasure Against High-Order Attacks. In WISTP, volume 6633 of LNCS, pages 208–223. Springer, June 1-3 2011. Heraklion, Greece. DOI : 10.1007/978-3-642-21040-2_14.

[MGH14] Amir Moradi, Sylvain Guilley, and Annelie Heuser. Detecting Hidden Leakages. In Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, ACNS, volume 8479. Springer, June 10-13 2014. 12th International Conference on Applied Cryptography and Network Security, Lausanne, Switzerland.

[MKP11] Amir Moradi, Markus Kasper, and Christof Paar. On the Portability of Side-Channel Attacks — An Analysis of the Xilinx Virtex 4 and Virtex 5 Bitstream Encryption Mechanism. Cryptology ePrint Archive, Report 2011/391, 2011. http://eprint.iacr.org/2011/391/.

[MKP12] Amir Moradi, Markus Kasper, and Christof Paar. Black-Box Side-Channel Attacks Highlight the Importance of Countermeasures - An Analysis of the Xilinx Virtex-4 and Virtex-5 Bitstream Encryption Mechanism. In Orr Dunkelman, editor, CT-RSA, volume 7178 of Lecture Notes in Computer Science, pages 1–18. Springer, 2012.

[MM12] Amir Moradi and Oliver Mischke. How Far Should Theory be from Practice ? Evaluation of a Countermeasure. In CHES, September 9-12 2012. Leuven, Belgium.

[MMS09] T. Matsumoto, H. Mimura, and D. Suzuki. Complementary logics vs masked logics : Which countermeasure is a better selection ? In IEEE, editor, ECCTD. European Conference on Circuit Theory and Design, pages 399–402, August 23-27 2009. Antalya, Turkey.

[MOP06] Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power Analysis Attacks : Revealing the Secrets of Smart Cards. Springer, December 2006. ISBN 0-387-30857-1, http://www.dpabook.org/.

[MOPT12] Andrew Moss, Elisabeth Oswald, Dan Page, and Michael Tunstall. Compiler assisted masking. In CHES, September 9-12 2012. Leuven, Belgium.

[SGV08] François-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers : An Empirical Evaluation of Statistical Tests for Univariate Side-Channel Attacks against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages 253–267. Springer, December 3-5 2008. Seoul, Korea.

[SHO08] Ying Su, Jeremy Holleman, and Brian P. Otis. A Digital 1.6 pJ/bit Chip Identification Circuit Using Process Variations. IEEE Journal of Solid-State Circuits, 43(1) :69–77, Jan 2008.

[Sko] Sergei Skorobogatov. Research project : developing new technology for effective side-channel analysis. Website : http://www.cl.cam.ac.uk/~sps32/qvl_proj.html.

[SMY09] François-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of LNCS, pages 443–461. Springer, April 26-30 2009. Cologne, Germany.

[SS10] Daisuke Suzuki and Koichi Shimizu. The Glitch PUF : A New Delay-PUF Architecture Exploiting Glitch Shapes. In CHES, volume 6225 of Lecture Notes in Computer Science, pages 366–382. Springer, August 17-20 2010. Santa Barbara, CA, USA.

[SSHA08] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. High-Performance Concurrent Error Detection Scheme for AES Hardware. In Elisabeth Oswald and Pankaj Rohatgi, editors, CHES, volume 5154 of Lecture Notes in Computer Science, pages 100–112. Springer, 2008.

[TEL14] TELECOM ParisTech SEN research group. DPA Contest (4th edition), 2013–2014. http://www.DPAcontest.org/v4/.

[TMA11] Michael Tunstall, Debdeep Mukhopadhyay, and Subidh Ali. Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault. In Claudio Agostino Ardagna and Jianying Zhou, editors, WISTP, volume 6633 of Lecture Notes in Computer Science, pages 224–233. Springer, 2011.

[TSK07] Pim Tuyls, Boris Skoric, and Tom Kevenaar. Security with Noisy Data : Private Biometrics, Secure Key Storage and Anti-Counterfeiting. Springer-Verlag New York, Inc., Secaucus, NJ, USA, December 2007. 1st Edition, ISBN 978-1-84628-983-5.

[TYTF17] Tetsufumi Tanamoto, Shinichi Yasuda, Satoshi Takaya, and Shinobu Fujita. Physically Unclonable Function Using an Initial Waveform of Ring Oscillators. IEEE Trans. on Circuits and Systems, 64(7) :827–831, 2017.

[VCS09] Nicolas Veyrat-Charvillon and François-Xavier Standaert. Mutual Information Analysis : How, When and Why ? In CHES, volume 5747 of LNCS, pages 429–443. Springer, September 6-9 2009. Lausanne, Switzerland.

[WYC+18] Meng-Yi Wu, Tsao-Hsin Yang, Lun-Chun Chen, Chi-Chang Lin, Hao-Chun Hu, Fang-Ying Su, Chih-Min Wang, James Po-Hao Huang, Hsin-Ming Chen, Chris Chun-Hung Lu, Evans Ching-Song Yang, and Rick Shih-Jye Shen. A PUF scheme using competing oxide rupture with bit error rate approaching zero. In 2018 IEEE International Solid-State Circuits Conference, ISSCC 2018, San Francisco, CA, USA, February 11-15, 2018, pages 130–132. IEEE, 2018.