EnergyAware Design Techniques for Differential Power Analysis Protection - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

EnergyAware Design Techniques for Differential Power Analysis Protection

Description:

Hardware-based technique that combines power-managed design paradigm and randomization: ... Computing 13 18 would only require 5 bits per operand. ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 19
Provided by: albert126
Category:

less

Transcript and Presenter's Notes

Title: EnergyAware Design Techniques for Differential Power Analysis Protection


1
Energy-Aware Design Techniques for Differential
Power Analysis Protection
  • Luca Benini, Alberto Macii, Enrico Macii,
  • Elvira Omerbegovic, Massimo Poncino, Fabrizio
    Pro
  • Università di Bologna, Bologna, Italy
  • Politecnico di Torino, Torino, Italy
  • BullDAST s.r.l., Torino, Italy
  • Università di Verona, Verona, Italy

2
Outline
  • Motivation.
  • Security attacks based on DPA.
  • Power Maskable Units.
  • Experimental Results.
  • Conclusions.

3
Motivation
  • Cryptography is an effective way to ensure
    privacy and confidentiality during data
    processing and transmission.
  • Security protocols have cryptographic algorithms
    as basic building blocks.
  • Hardware implementation of such algorithms are
    subject to external attacks
  • Guessing of secret key based on observation of
    physical quantities.
  • Ex Power consumption DPA (Dynamic
    Power Analysis) observes temporal power profile.

4
DPA Attacks
  • Basic principle
  • Output dependency on some bits of the key allows
    to determine such bits.
  • How to avoid DPA attacks?
  • Hardware-based techniques
  • Introduce random source to reduce the amount of
    leaked information.
  • Significant increase of power consumption.

Power
Encryption/Decryption
output
input
Secret key K
5
Our Contribution
  • Hardware-based technique that combines
    power-managed design paradigm and randomization
  • DPA resilience at no power increase!!
  • Requires design of power-maskable units
  • Based on randomized precomputation.

6
Power-Managed Units
  • Example of precomputation

A
R1
I
Oa
Ia
n
0 1
O
B
R2
Ob
Ib
m
Advantageous if (1-p) PA p PB Poverhead lt
PA
p Prob(Sel1)
Sel
7
Power-Managed Units (2)
  • Problem Power management schemes incompatible
    with the objective of masking power consumption
  • High variations in the power consumption over
    time.

Original
Precomputation
8
Power Maskable Units
  • SolutionApply precomputation randomly.
  • Conventional randomization exploits redundant
    hardware that adds noise to a given
    functionality.
  • This addition is done at the cost of extra power
    consumption.

9
Power Maskable Units (2)
  • Example of randomized precomputation

A
R1
Oa
Ia
I
n
0 1
O
Ib
Ob
B
R2
m
Sel
s
Randomizer
p Prob(Sel)q Prob(Randomizer)
Prob(s) pq
10
Power Maskable Units (3)
Original
Precomputation
Precomp Random.
11
Power Maskable Arithmetic Units
  • The precomputation paradigm works well for units
    with explicit common case computations
  • Ex Comparator can decide its result based on
    MSB.
  • Not very effective for typical arithmetic units
  • The generated power management logic has very low
    activation probability.
  • Ex Adder.
  • SolutionWe propose an alternative architecture
    to implement arithmetic units.

12
Power Maskable Arithmetic Units (2)
  • Exploit the fact that in some cycles arithmetic
    operations are executed on input data that do not
    use the full range
  • Example
  • Assume operands expressed on 32 bits.
  • Computing 1318 would only require 5 bits per
    operand.
  • Arithmetic units consume unnecessary power

13
Power Maskable Arithmetic Units (3)
  • Need to design a generic unit consisting of
  • A full-size block (e.g., N32 bits).
  • A smaller block (n bits).
  • To be used anytime the input range is smaller or
    equal to n.
  • Example
  • Adder

14
Results - Power Maskable Units
  • We have built a library of power-maskable units
  • Based on traditional precomputation
  • Comparator (32 bits).
  • Add-comparator (32 bits).
  • Residue-to-weighted number converter (32 bits).
  • Based on new architecture
  • Adder (32 bits and n12).
  • Multiplier (32 bits and n12).

15
Results - Power Maskable Units (2)
  • Power simulations are performed on different
    input streams
  • Worst Precomputation never occurs.
  • Best Precomputation is always active.
  • Real1 and Real2 Represent typical examples of
    usage of the units.
  • Average power (over all units) does not increase
    after the randomizer is added to the precomputed
    architecture.

16
Results - Power Maskable Units (3)
17
Results - Case Study
  • Methodology experimented on the design of a
    cryptoprocessor implementing RSA.
  • Synthesis flow
  • SYNOPSYS DesignCompiler.
  • 0.18µm CMOS library by STMicroelectronics.
  • No increase in average power

18
Conclusion
  • We have presented a novel design technique for
    protecting cryptoprocessors from DPA attacks.
  • A significant amount of scrambling is introduced
    in the power profile increasing the DPA
    resilience, but without increasing circuit power.
  • The viability, effectiveness and robustness of
    the proposed methodology has been demonstrated
    through an extensive set of experiments.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "EnergyAware Design Techniques for Differential Power Analysis Protection" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!