
What do ultra low power requirements mean for secure hardware?

Saibal Mukhopadhyay School of ECE, Georgia Institute of Technology

Gigascale Reliable Energy Efficient Nanosystem (GREEN) Lab School of Electrical and Computer Engineering, Georgia Tech

Exploring reliable, energy efficient computing solutions at nanometer nodes — from devices to circuits to systems

Intel Corporation IBM Qualcomm

Emerging Computing Applications

[Figure: growth rate of servers, desktop, laptop, smart phone, IoTs and wearables, spanning three classes: high performance; mobile, low power; compute small, everywhere. Source: International Data Corporation (IDC)]

Emerging Computing Applications

IoT Predictions

| Year | 2003 | 2008 | 2010 | 2015 | 2020 |
|---|---|---|---|---|---|
| Connected objects (billions) | 1 | 6.7 | 13 | 25 | 50 |
| World population (billions) | 6.3 | 6.7 | 6.9 | 7.4 | 7.9 |

Inflection Point: one connected thing per person

Connected objects: Tablets, Laptops, Phones; Sensors, Smart Objects, Wearables, Healthcare

Secure, Private, Trustworthy

Side Channel Attack, Information Leakage

Power performance Spectrum

[Figure: power vs. performance; labelled points: GPU, multi-core processors, servers, cell-phone processors, wearable medical sensors, Internet-of-things, environment sensors, energy autonomous systems]

Growing space for ultra-low power computing


A critical challenge moving forward

How do we secure embedded systems and SoCs operating under tight power budgets?

Low-power and Security

Low-power requirements of secure hardware – Challenge? Or Opportunities?

Hardware Security Vulnerabilities:
•  Hardware Trojan
•  Power Attack
•  EM attack
•  Cryptanalysis
•  Reverse engineering
•  Counterfeit
•  Tampering

Low-power techniques:
•  Voltage scaling
•  Voltage regulators
•  Power gating
•  Logic design
•  Architecture
•  Activity control
•  Clock gating
•  Adaptive circuits

Focus of this Talk

Low-power requirements in encryption engines and protection against side channel attack

•  Side Channels Leaking Encryption Specific Information:
   •  Power Trace Measurements – Most commonly used side channel
   •  Electromagnetic Emissions

Smart Cards, FPGA, Processors

An Example Application: Distributed Video Surveillance with Self-power Sensors

[Figure: image sensing node, wireless link, receiver]

•  Data rate reduction (pre-processing and compression)
•  Limited bandwidth and dynamic channel condition
•  Noise tolerance (adaptive modulation)
•  Desirable quality of important information

S. Mukhopadhyay, PI, Supported by Office of Naval Research, US

Self-powered Image Sensors

[Figure: sensor node block diagram; labels: CMOS sensor, pre-processor, MJPEG, SRAM (edge map), transmitter, power management, clock generator, battery, other energy transducers, energy harvesting from sensor]

2mm x 2mm design, 130nm CMOS

[Figure: energy per frame (uJ) vs. SSIM of ROI for MJPEG, H.264/AVC intra, and MJPEG + Pre-processing; labelled values: 138.7, 80.0, 61.5]

J. Ko, IEEE TMSCS

Area and Power Cost of Securing the Transmitted Image

[Figure: computation energy per frame (uJ) vs. area (um2) for Baseline MJPEG; Baseline MJPEG + pre-processor (fixed QF/threshold); Variable QF MJPEG + pre-processor + system controller; with points for + Encryption module (AES) and + Encryption module (Simon). Annotated overheads: +0.6% area, +1.6% energy; +4.6% area, +17% energy; +0.8% area, +1.8% energy; +6.2% area, +19% energy]

We need security at very low area and energy cost

Low-power requirement is a challenge to design power-attack secure crypto engines

Low Area/Power Cryptography

| Technique | Area* | Power* |
|---|---|---|
| Adiabatic Logic Circuits | 1.56X | 0.24X |
| Serialization (8-bit datapath) | 0.5X | 0.11X |
| Using Composite Field Arithmetic | 1.1X | 0.08X |
| Register reduction, clock gating, bus specific clock | 0.9X | 0.56X |
| Sequence Switch Coding | No data | 0.9X |

*The factors are obtained from corresponding references

•  RTL level low power techniques - clock gating, register reduction.

•  The SBOX function can be optimized with different mathematical realizations of composite field arithmetic.

•  Serialization and hardware reuse are a popular way to minimize the hardware cost.

Significant past effort exists on low-power crypto.

Little quantitative analysis exists on how these techniques impact resistance against power attack.

Encryption Schemes

Parallel AES
•  Key 128-bit, PlainText 128-bit, 128-bit datapath
•  SBox (128-bit), ShiftRow (128-bit), MixColumn (128-bit), AddRoundKey (128-bit)
•  Algorithmic noise for targeted byte

Serial AES
•  Key 128-bit, PlainText 128-bit, 8-bit datapath
•  SBox (8-bit), ShiftRow (8-bit), MixColumn (8-bit), AddRoundKey (8-bit)
•  No algorithmic noise for targeted byte

SIMON
•  Key 128-bit, PlainText 128-bit, 1-bit datapath
•  SIMON Round
•  No algorithmic noise for targeted bit

Serial encryption designs are more susceptible to power attacks – valid for both serial AES and SIMON

Correlation Power Attack Characteristics

$$\rho(t,k) = \frac{E\left((P_i - \bar{P})(HD_j - \overline{HD})\right)}{\sigma(P)\,\sigma(HD)}$$

[Figure panels: Parallel AES, Serialized AES, SIMON]

Serial designs are observed to be more prone to side-channel attack.

Design Tradeoffs

[Figure: bar chart of area and power for Parallel AES, Serial AES and SIMON]

| Design | Area | Power | Latency (#cycles) | MTD |
|---|---|---|---|---|
| High performance parallel AES | 1 | 1 | 1 | 1 |
| Compact serial AES | 0.1 | 0.4 | 125 | 0.05 |
| SIMON | 0.02 | 0.08 | 1150 | 0.05 |

MTD - minimum-traces-to-disclosure

Low-power achieved by serialization and hardware re-use can degrade the resistance to side-channel attack.
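The algorithmic-noise argument and the correlation metric from the preceding slides can be checked on simulated traces. The following is an added example, not code from the talk: it assumes a Hamming-weight leakage model of the S-box output (the slides use Hamming distance), Gaussian measurement noise, a constructed key and a Fisher z-transform rule of thumb for the trace count; all function names are illustrative.

```python
import math
import random

def aes_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    def gmul(a, b):
        r = 0
        for _ in range(8):
            if b & 1:
                r ^= a
            a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
            b >>= 1
        return r
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for sh in (1, 2, 3, 4):
            s ^= ((inv << sh) | (inv >> (8 - sh))) & 0xFF
        box.append(s)
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]
KEY = bytes(range(16))  # constructed key, used only by this simulation

def pearson(xs, ys):
    """Sample form of the correlation coefficient rho used in CPA."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

def target_correlation(width_bytes, n_traces=4000, sigma=1.0, seed=1):
    """rho between the known-key model of byte 0 and a simulated power sample
    in which `width_bytes` S-boxes switch together (16 = parallel, 1 = serial)."""
    rng = random.Random(seed)
    model, power = [], []
    for _ in range(n_traces):
        pt = [rng.randrange(256) for _ in range(width_bytes)]
        leaks = [HW[SBOX[p ^ k]] for p, k in zip(pt, KEY)]
        model.append(leaks[0])  # byte under evaluation
        # The other bytes' switching is algorithmic noise; sigma is measurement noise.
        power.append(sum(leaks) + rng.gauss(0.0, sigma))
    return pearson(model, power)

def traces_needed(rho, z=3.719):
    """Fisher z-transform rule of thumb for the number of traces needed to
    distinguish a correlation rho from zero (z = 3.719: confidence 0.9999)."""
    return math.ceil(3 + 8 * (z / math.log((1 + rho) / (1 - rho))) ** 2)

if __name__ == "__main__":
    for name, width in (("parallel, 128-bit datapath", 16), ("serial, 8-bit datapath", 1)):
        rho = target_correlation(width)
        print(f"{name}: rho = {rho:.3f}, traces needed ~ {traces_needed(rho)}")
```

Under these assumptions the parallel datapath gives a correlation near 0.25 and the serial one near 0.8, so the serial design needs more than an order of magnitude fewer traces, the same trend as the MTD column above.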

Counter-Measures Against Power Attacks

[Figure: Key and Plain Text enter the chain Encryption Algorithm Design, Switching Activity, Current Pattern, Measurement, ending in the Recorded Trace]

•  Insert NOPs, Masking, Randomizing
•  Logic styles, Current Equalizer, Package PDN, Noise Injection
•  Device Noise, Thermal Noise, Measurement Noise

Overhead of Countermeasures

| Countermeasure | Type | Area* | Perf.* |
|---|---|---|---|
| Random Order Execution | Arch. | 15k | NA |
| Multiprocessor Arch | Arch. | 2X | 0.4% |
| Random Isomorphism | Arch. | 2.5-3X | 50% |
| PDDL/WDDL | Logic | 2.3X | NA |
| MDPL | Logic | 4-5X | 50% |
| iMDPL | Logic | 18-19X | 70% |
| Current Equalizer | Physical | 1.25X | 50% |
| Clock Randomization | Physical | 1.1X | NA |

*The factors are obtained from corresponding references

•  Most of the commercially used countermeasures (DDL, MDPL, iMDPL etc) have appreciable cost to area, power, and/or performance

Design Challenge

[Figure: Counter-Measure Design Domain bounded by Area Overhead, Power Overhead and Performance Overhead]

Low-power requirement is a new challenge to design power-attack secure crypto engines

Low-power techniques provide new avenues to improve power-attack resistance of crypto engines

Low-power Techniques for Power Attack Protection

Illustrative examples
•  Low-voltage and adaptive circuits for power attack protection
•  Integrated voltage regulators for power attack protection

Clock Randomization for Power Attack Security

•  With randomization of clock edges, the processing time/instant of critical instructions can be randomized
•  Techniques:
   •  Random Clock
   •  Random Phase Shift
   •  Globally Async Locally Sync Clocking (GALS)

[Figure: Random Clock circuit (labels: PRNG, D flip-flops, XOR, CLKIN, CLKOUT); Random Phase Shift circuit (labels: DELAY0 ... DELAYn-1, CLK0 ... CLKn-1, PRNG, clock mux, CLKIN, CLKOUT); annotation: No Attack]

| Design | Power (mW) | MTD (# of traces) |
|---|---|---|
| AES unprotected | 87.8 | 10k |
| Random Clock | 105.1 (+20%) | >300k (>30x) |
| Random Phase Shift | 105.4 (+20%) | >300k (>30x) |

Ref: Renato Menicocci et al, “Experiments on Two Clock Countermeasures against Power Analysis Attacks”, MIXDES’14
Ref: Rafael L. Soares et al, “A Robust Architectural Approach for Cryptographic Algorithms using GALS Pipelines”, DATC’11

Exploiting DVFS for Power Attack Protection

•  DVFS techniques, widely used for power management, can be exploited against SCA

•  V/F registers store random combinations of VDD and frequency

•  Design parameters are the number of V/F pairs and the time interval between transitions

•  Resistance to power attack demonstrated with increased trace entropy

| Configuration | Energy Overhead | Time Overhead | Power Trace Entropy (bits) | Time Trace Entropy (bits) |
|---|---|---|---|---|
| Without DVFS | 0 | 0 | 4.96 | 0 |
| With DVFS | -27% | 16% | 5.42 | 6.02 |

Ref: Shengui Yang et al, “Power Attack Resistant Crypto System Design: A Dynamic Voltage and Frequency Switching Approach”, DATE’05

[Figure: block diagram; labels: DVFS Scheduler, DVFS Feedback Loop, Desired V/F Register, Timing Information from OS, Encryption Engine/CPU]

Adaptive Circuits for Low-power Operation under Noise

AC: Adaptive Clocking

TCKP (= nTCKIN) tracks the instantaneous noise

[Figure: CKIN waveform with period TCKIN; TCKP with noise and without noise]

Pipeline with Programmable Time-Borrowing

[Figure: pipeline block diagram; labels: PTDN, CG mode control, clock buffers, CLKi, CK, EN, mode control, VCO, clock modulator, Vcontrol, CKp, power gate, VDD, CKIN]

Time-borrowing and Clock gating/stretching

K. Chae and S. Mukhopadhyay, TCAS2014, TCAS-II 2012, TCAS-II, 2014

Can Adaptive Circuits help in Power Attack Protection?

[Figure: voltage (V) for Conv., PTB and PTB + AC, showing Tolerable Voltage Droop and Min. Op. Voltage]

Low-power Techniques for Power Attack Protection

Illustrative examples
•  Low-voltage and adaptive circuits for power attack protection
•  Integrated voltage regulators for power attack protection

Power Delivery and Low-power Operation

[Figure: current or voltage vs. time, showing a current step and the resulting voltage droop]

Advantages of Integrated Voltage Regulators

•  IVRs eliminate R/L/C parasitics of power traces in package and PCB
•  DC-DC conversion on the processor chip (buck converter)
•  Less current through package traces => less power loss in PCB
•  Faster transient response reduces power supply noise
•  Need less voltage margin => better power efficiency
•  Faster output voltage transition
•  Allow more frequent power-state transitions

[Figure: 3.3V or higher -> IVR, Buck (Down-Conversion) -> 1.2V -> Encryption Engine; IVR and Encryption Engine inside the Integrated Circuit]

Existing Systems with Off-chip Voltage Regulators

[Figure: 3.3V -> off-chip Voltage Regulation Module (VRM) -> 1.2V -> Encryption Engine inside the Integrated Circuit]

Mount power attack at Vdd/GND pins

Power Attack Protection using Integrated Voltage Regulators

Integrated Low-Dropout-Regulator (Analog/Digital)

[Figure: VRM -> 1.3V -> LDO -> 1.2V -> Encryption Engine; LDO and Encryption Engine inside the Integrated Circuit]

Mount power attack at LDO inputs

Inductive IVR

[Figure: 3.3V or higher -> IVR, Buck (Down-Conversion) -> 1.2V -> Encryption Engine; IVR and Encryption Engine inside the Integrated Circuit]

[Figure: Energy Harvester -> 20mV - 100mV -> IVR, Boost (Up-Conversion) -> 1.2V -> Encryption Engine; IVR and Encryption Engine inside the Integrated Circuit]

Mount power attack at IVR inputs

IVR for Power Attack Protection

[Figure: block chain; labels: Plain Text, Key, Encryption Algorithm, Physical Design, Package, Measurement]

Leveraging IVR for Power Attack Protection

[Figure: block chain; labels: Plain Text, Key, Encryption Algorithm, Physical Design, Voltage Regulator, Package, Measurement; the Raw Current becomes the Transformed Current]

Integrated Voltage Regulator:
•  Low-Drop-Out Regulators
•  Inductive VR


An Example of Fully Integrated Inductive Voltage Regulator

•  Frequency dependent transfer function of the loop changes small signal load current

•  Addition of pulsating current at the switching frequency

M. Kar et. al, CICC 2014, GOMACTECH 2014, TCAD (under prep)


Why IVR-based Countermeasure?

Case-study of a 128-bit AES Engine

[Figure: current (A) traces. Load current for one AES encryption, with the relevant information (1st SBOX operation) marked; measured IVR input current (with package), showing the pulsating current at the switching frequency (FSW). Correlation with load current, µ: 0.048, σ: 0.02]

•  IVR introduces non-linear transformation in the load current before the trace is measured at the inputs.

•  The input current is weakly correlated with the AES load current.

•  However low correlation ≠> no attack

M. Kar et. al, CICC 2014, GOMACTECH 2014, IEEE TCAD (under prep)

Correlation Power Attack (CPA)

[Figure panels: Raw AES Current, MTD ~ 500; Transformed AES Current through PDN, MTD ~ 500]

CPA attack was successful without IVR

CPA with IVR

[Figure panels: Design 1, BW 62MHz: MTD ~ 500; Design 2, BW 55MHz: No attack was possible with 20000 traces]

IVR design can be tuned to enhance power attack resistance

Inductive IVR Design Space Exploration

| BW (MHz) | L (nH) | C (uF) |
|---|---|---|
| 48 | 5 | 10 |
| 55 | 5 | 7.5 |
| 62 | 4 | 7.5 |
| 88 | 3 | 5 |

[Figure: IVR Design Space spanning Power Efficiency, Transient Performance, Cost of Integration and Information Leakage; annotation: Increasing difficulty of integration]

[Figure: Settling Time vs BW: normalized settling time vs. bandwidth (MHz)]

[Figure: PL vs BW: normalized power loss vs. bandwidth (MHz)]

Annotations: Improved Power Efficiency; Improved Transient response; Improved Power Attack Resistance

Settling time: Time the IVR output takes to settle after a sharp load transient (10mA to 500mA)

Power Loss: Summation of conduction, ripple and switching losses in IVR

Countermeasure using Analog Low-Drop-Out Regulator

[Figure panels: AES Input Current: MTD ~25; LDO Input Current: No Attack for 20k traces]

Overhead Analysis of Analog LDO-based Protection

| Area | Power | Performance |
|---|---|---|
| 1.4% | 5% (active), 500nW (stby) | 0.4% |

A. Singh et. al., ISLPED 2015

Conclusion

What do low power requirements mean for secure hardware?

•  Securing power constrained devices is a major challenge for current and future embedded systems.

•  Low power constraints can be a bottleneck to enable strong encryption scheme and/or countermeasures.

•  Low-power techniques provide new avenues to enhance countermeasures to attacks.

New opportunities for embedded systems security

Acknowledgement

PhD Students
•  Monodeep Kar, GREEN Lab, ECE, Gatech
•  Arvind Singh, GREEN Lab, ECE, Gatech

Industrial Collaborators
•  Vivek De, Intel Labs, Hillsboro, OR
•  Anand Rajan, Intel Labs, Hillsboro, OR

Academic Collaborators
•  Marilyn Wolf, ECE, Gatech
•  Swarup Bhunia, ECE, UFL