EnergyAware Design Techniques for Differential Power Analysis Protection - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

EnergyAware Design Techniques for Differential Power Analysis Protection

Description:

Hardware-based technique that combines power-managed design paradigm and randomization: ... Computing 13 18 would only require 5 bits per operand. ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 19
Provided by: albert126
Category:

less

Transcript and Presenter's Notes

Title: EnergyAware Design Techniques for Differential Power Analysis Protection


1
Energy-Aware Design Techniques for Differential
Power Analysis Protection
  • Luca Benini, Alberto Macii, Enrico Macii,
  • Elvira Omerbegovic, Massimo Poncino, Fabrizio
    Pro
  • Università di Bologna, Bologna, Italy
  • Politecnico di Torino, Torino, Italy
  • BullDAST s.r.l., Torino, Italy
  • Università di Verona, Verona, Italy

2
Outline
  • Motivation.
  • Security attacks based on DPA.
  • Power Maskable Units.
  • Experimental Results.
  • Conclusions.

3
Motivation
  • Cryptography is an effective way to ensure
    privacy and confidentiality during data
    processing and transmission.
  • Security protocols have cryptographic algorithms
    as basic building blocks.
  • Hardware implementation of such algorithms are
    subject to external attacks
  • Guessing of secret key based on observation of
    physical quantities.
  • Ex Power consumption DPA (Dynamic
    Power Analysis) observes temporal power profile.

4
DPA Attacks
  • Basic principle
  • Output dependency on some bits of the key allows
    to determine such bits.
  • How to avoid DPA attacks?
  • Hardware-based techniques
  • Introduce random source to reduce the amount of
    leaked information.
  • Significant increase of power consumption.

Power
Encryption/Decryption
output
input
Secret key K
5
Our Contribution
  • Hardware-based technique that combines
    power-managed design paradigm and randomization
  • DPA resilience at no power increase!!
  • Requires design of power-maskable units
  • Based on randomized precomputation.

6
Power-Managed Units
  • Example of precomputation

A
R1
I
Oa
Ia
n
0 1
O
B
R2
Ob
Ib
m
Advantageous if (1-p) PA p PB Poverhead lt
PA
p Prob(Sel1)
Sel
7
Power-Managed Units (2)
  • Problem Power management schemes incompatible
    with the objective of masking power consumption
  • High variations in the power consumption over
    time.

Original
Precomputation
8
Power Maskable Units
  • SolutionApply precomputation randomly.
  • Conventional randomization exploits redundant
    hardware that adds noise to a given
    functionality.
  • This addition is done at the cost of extra power
    consumption.

9
Power Maskable Units (2)
  • Example of randomized precomputation

A
R1
Oa
Ia
I
n
0 1
O
Ib
Ob
B
R2
m
Sel
s
Randomizer
p Prob(Sel)q Prob(Randomizer)
Prob(s) pq
10
Power Maskable Units (3)
Original
Precomputation
Precomp Random.
11
Power Maskable Arithmetic Units
  • The precomputation paradigm works well for units
    with explicit common case computations
  • Ex Comparator can decide its result based on
    MSB.
  • Not very effective for typical arithmetic units
  • The generated power management logic has very low
    activation probability.
  • Ex Adder.
  • SolutionWe propose an alternative architecture
    to implement arithmetic units.

12
Power Maskable Arithmetic Units (2)
  • Exploit the fact that in some cycles arithmetic
    operations are executed on input data that do not
    use the full range
  • Example
  • Assume operands expressed on 32 bits.
  • Computing 1318 would only require 5 bits per
    operand.
  • Arithmetic units consume unnecessary power

13
Power Maskable Arithmetic Units (3)
  • Need to design a generic unit consisting of
  • A full-size block (e.g., N32 bits).
  • A smaller block (n bits).
  • To be used anytime the input range is smaller or
    equal to n.
  • Example
  • Adder

14
Results - Power Maskable Units
  • We have built a library of power-maskable units
  • Based on traditional precomputation
  • Comparator (32 bits).
  • Add-comparator (32 bits).
  • Residue-to-weighted number converter (32 bits).
  • Based on new architecture
  • Adder (32 bits and n12).
  • Multiplier (32 bits and n12).

15
Results - Power Maskable Units (2)
  • Power simulations are performed on different
    input streams
  • Worst Precomputation never occurs.
  • Best Precomputation is always active.
  • Real1 and Real2 Represent typical examples of
    usage of the units.
  • Average power (over all units) does not increase
    after the randomizer is added to the precomputed
    architecture.

16
Results - Power Maskable Units (3)
17
Results - Case Study
  • Methodology experimented on the design of a
    cryptoprocessor implementing RSA.
  • Synthesis flow
  • SYNOPSYS DesignCompiler.
  • 0.18µm CMOS library by STMicroelectronics.
  • No increase in average power

18
Conclusion
  • We have presented a novel design technique for
    protecting cryptoprocessors from DPA attacks.
  • A significant amount of scrambling is introduced
    in the power profile increasing the DPA
    resilience, but without increasing circuit power.
  • The viability, effectiveness and robustness of
    the proposed methodology has been demonstrated
    through an extensive set of experiments.
Write a Comment
User Comments (0)
About PowerShow.com