Smart card security

1
Smart card security
Speaker ? ? ? Advisor ? ? ? ??
2
Outline

• Introduction of SCAs
• Cryptographic Algorithms
• Measurements
• Hamming Weight
• Simple Power Attack (SPA)
• Differential Power Attack (DPA)
• Countermeasures
• My Countermeasure EPS
• Conclusion for EPS

3
Introduction of SCAs

• Side channel attacks (SCAs)Security ICs are
  vulnerable to Side-Channel Attacks (SCAs). SCAs
  find the secret key by monitoring the power
  consumption, timing information, or
  electromagnetic radiation that is leaked by the
  switching behavior of digital CMOS gates, rather
  than theoretical weaknesses in the algorithms.

• Side-channel Information
• Power consumption
• Electromagnetic radiation
• Timing

Our focus
Cryptographic processing (Encrypt / Decrypt)
Input message
Output message
Secret keys
4
Introduction of SCAs (cont)

• What kinds of SCAs? 1. Differential Fault
  Analysis (DFA) - Biham-Shamir (1997)
  2.Timing Attacks - Kocher (1996) 3. Simple
  Power Analysis (SPA) - Kocher, Jaffe, Jun
  (1998) 4. Differential Power Analysis (DPA)
  - Kocher, Jaffe, Jun (1998)

Not very accurate!
Very accurate!
5
Cryptographic Algorithms

• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• RSA
• Elliptic curve

These cryptographic algorithms can be implemented
by either software programming or specific
hardware circuit.
6
Measurements

• Tools
• Destructive Measurement
• Non-destructive Measurement

7
Measurements (cont)

• Tools

Voltage probe
Oscilloscope
Current probe
8
Measurements (1)

• Destructive MeasurementA small resistor (e.g.,
  50O) is inserted in series with Vdd or GND.

9
Measurements (2)

• Non-destructive MeasurementWe need not modify
  the original circuit.

10
Hamming Weight

• Hamming Weight vs. Power Consumption

Suggest that this curve is the power consumption
profile of XOR.
Voltage or Current
11
Simple Power Attack (SPA)

• Directly interpret the power consumption

1,2,3 16
2nd
3rd
Different microprocessor instructions consume
different power. Thus, the power consumption
profiles are different.
ROTATE X1
ROTATE X2
12
Differential Power Attack (DPA)

• Use extra statistical methods

13
Countermeasures

• Power Consumption Balancing

This technique is suitable to logic-level
synthesis, but its performance is limit.
14
Countermeasures (1)

• Addition of NoiseTo make the power consumption
  profile blur!

To guarantee the efficiency of these two methods,
the frequency of the random digit generation
might be several time higher than the frequency
of the system clock, and the magnitude of the
noise might be a lot larger than the original
system. Thus, the power consumption is very high.
By the way, the area overhead is too high.
Not resistant to DPA attack!Not a complete
solution!
Related patentUS 6,327,661
15
Countermeasures (2.1)

• Isolation circuit (1)

Use an RC low-pass filter to blur the power
consumption.
But
Of course, the finite rds and capacitive
coupling from drain to gate of MP1 limit the
extent of the isolation, the paper said.
Therefore
Not blurred enough!Not power efficient!
Patrick Rakers, Larry Connell, Tim Collins, D
Russell Secure Contactless Smartcard ASIC with
DPA Protection, IEEE Journal of Solid-State
Circuits, 2001.
16
Countermeasures (2.2)

• Isolation circuit (2)

17
Countermeasures (2.3)

• Isolation circuit (3)

Quoted fromUS Patent 6,510,518 (Jan, 21,
2003)Balanced Cryptographic Computational
Method and Apparatus for Leak Minimization in
SmartCards and Other Cryptosystems
18
Countermeasures (3.1)

• WDDL (1)WDDL stands for Wave Dynamic
  Differential Logic.It is based on constant
  power consumption technique.

K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P.
Schaumont, and I. Verbauwhede, A Side-Channel
Leakage Free Coprocessor IC in 0.18µm CMOS for
Embedded AES-based Cryptographic and Biometric
Processing, DAC, June 2005.
19
Countermeasures (3.2)

• WDDL (2)

WDDL / Standard CMOSArea 3XPower Consumption
13.5XSpeed 0.24X

• Resistant to both SPA and DPA attack!
• The power consumption profile is completely
  blurred!
• It is an effective method!

But

• Dynamic logic is sensitive to noise!
• The overheads are too high!
• Not an economic method!

WDDL
Standard CMOS
20
Countermeasures (3.3)

• WDDL Input buffers

21
Countermeasures (3.4)

• SDDL Core INV gates

Core SDDL INV Gate (n-logic)
Core SDDL INV Gate (p-logic)
22
Countermeasures (3.5)

• SDDL Output buffers

Core SDDL INV Gate (n-logic)
Core SDDL INV Gate (p-logic)
23
My Countermeasure EPS

• Embedded Power Supply (EPS) TechnologyCharge
  sharing phenomenon.Dynamic regulation.
• Main goal1. Resistant to both SPA and DPA
  attack! 2. To make the power consumption profile
  completely blurred! (like addition of noise
  or WDDL) 3. Area overhead less than 104. On
  the power consumption side, very little is
  increased! (not more than 5)5. On the
  performance side, very little is lost! (not
  more than 5) 6. Very easy to integrate with
  other circuits!

24
My Countermeasure EPS (cont)

• Embedded Power Supply (EPS)

The minimum supply voltage of standard CMOS logic
is
During the encryption, the pMOS is off and the
secure circuit uses the charges of the charge
pre-storing capacitor to do the encryption. Thus,
no side-channel information is leaked during the
encryption.
By institute, the charge pre-storing capacitor is
very large therefore, It needs improvement.
25
My Countermeasure EPS (cont)

• Improvement for EPS

This improvement takes more clocks to finish an
encryption. However, this weakness can be avoided
by using two charge pre-storing capacitor.
26
My Countermeasure EPS (cont)

• Further Improvement for EPS

If the secure circuit is positive edge-triggered,
the control logic will be negative edge-triggered.
27
Conclusion for EPS

• Capacitor sizeCps gtgt Cps gt Cps1 Cps2
• Area overheadless than 10
• On the power consumption side, very little has
  been increased!
• On the performance side, very little has been
  lost!
• Resistant to both SPA and DPA attack.

28
Thank you!