Page 1
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specific Countermeasures AgainstPhysical Attacks in FPGAs
Jean-Luc DANGER Shivam BHASIN Guillaume DUC TarikGRABA Sylvain GUILLEY Houssem MAGHREBI Olivier
MEYNARD Maxime NASSAR Laurent SAUVAGE NidhalSELMANE Youssef SOUISSI
Institut TELECOM / TELECOM-ParisTech/ CNRS – LTCI (UMR 5141)
Thursday, December 7th, 2010,Journee SocSip Securite
Jean-Luc Danger SOCSIP security 1/43
Page 2
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 2/43
Page 3
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specificityvulnerability
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 3/43
Page 4
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specificityvulnerability
FPGA specificity
Price to pay for reconfigurability:Size 35X ⇒ 18X , Consumption 14X ASIC size (Kuon and all2007)
Many high-gain DFFsMany memories:
distributed: LUTsembedded
Many DSPsMany long lines and switches : Interconnect = 80% of thetotal area, and unknown
buffer
buffer
pass transistor
transmission gate
Jean-Luc Danger SOCSIP security 4/43
Page 5
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specificityvulnerability
Vulnerability against side-channel attacks
Comparison between ASIC and FPGA in terms of power leakage:1 SecMat v3[ASIC]:
Shared power supply between all modules
2 SecMat v3[FPGA]:SecMat v3[ASIC] VHDL code synthesized in an Altera StratixEPS1S25Global power supply10,157 logic elements and 286,720 RAM bits for the whole SoCDES alone is 1,125 logic elements (LuT4)
The power traces acquired from those three circuits are availablefor download from http://www.dpacontest.org/.
Jean-Luc Danger SOCSIP security 5/43
Page 6
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specificityvulnerability
SecMat v3[ASIC] – covariance with |LR[0]⊕ LR[1]|
SecMat v3[ASIC]:
Typical trace: 38 mV
Typical DPA: 0.6 mV
⇒ Side-channel leakage:1.5 %
Jean-Luc Danger SOCSIP security 6/43
Page 7
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Specificityvulnerability
SecMat v3[FPGA] – covariance with |LR[0]⊕ LR[1]|
SecMat v3[FPGA]:
Typical trace: 19 mV
Typical DPA: 0.19 mV
⇒ Side-channel leakage:1.0 %
Jean-Luc Danger SOCSIP security 7/43
Page 8
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 8/43
Page 9
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Targeted strategies
Protocol-level:
Most wanted since provable
Register-Transfer Level:
Masking, boolean or algorithmic.Encrypted leakageGlitch-full circuits
Netlist or implementation level:
Hiding= DPL, Dual-rail with Precharge Logic
Degenerated counter-measures
Noise generator, Dummy instructions, Varying clock, etc.
Jean-Luc Danger SOCSIP security 9/43
Page 10
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
if ≈ 1 bit is leaked per 100 encryptions...
Alice: Bob:
...
...k0 k0
k1k1
100×
k1 k1
k2k2
100×
AESk0
AESk1 AES−1k1
hash
hash
hash
hash
AES−1k0
The FPGAs designs can take advantage of Reconfigurability tochange regularly the implementation.
Jean-Luc Danger SOCSIP security 10/43
Page 11
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Masking
Principle
Every variable s, potentially sensible, is represented as a share{s0, s1, · · · , sn−1}To reconstruct s, all the si are required.
Example: n = 2, s.
= s0 ⊕ s1.
Constraints and Drawbacks
Leakage resistant since variables are never used plain.
Attractive but works only fine for registers.
Efforts done to protect also the combinational logic.
Sensitive to Hi-orders attacks.
Ineffective against Fault attacks.
Jean-Luc Danger SOCSIP security 11/43
Page 12
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Encrypted Leakage
y = DES(x , kc)
Masked DFF
ki
x
Encrypted bitstream
Masked DESkb
kc
Side-channel:EMA, power
FPGA
y = DES(x , kc)
Masked DFF
x
Masked DESSide-channel:EMA, power
ASIC (tamper-proof)
personalization NVMki
kc
Trusted Platform Module
Jean-Luc Danger SOCSIP security 12/43
Page 13
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Hiding by using DPL: Dual Rail with Precharge Logic
a↔ (af , at) DPL representation:
a is VALID if af ⊕ at = 1 . VALID.
= {VALID0,VALID1} or
VALID.
= {(1, 0), (0, 1)}.a is NULL if af ⊕ at = 0 . NULL
.= {NULL0,NULL1} or
NULL.
= {(0, 0), (1, 1)}.
NULL0
VALID1
NULL1
VALID0
Precharge:
Evaluation:(output disclosed)
Jean-Luc Danger SOCSIP security 13/43
Page 14
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
A common DPL: WDDL=Waveform Dynamic DifferentialLogic
Single−rail
Dual−rail
G
G
Bt
At
Af
Bf
QB
A
Qt
QfG ∗
A digital circuit and its WDDLequivalent
Precharge Evaluation
bt
yt
bf
yf
af
at
PRE/EVAL
Timing Diagram of a WDDLAND gate
Only positive gates could be used for netlist synthesis.Jean-Luc Danger SOCSIP security 14/43
Page 15
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Protocol-LevelRegister Transfer LevelNetlist Level
Important constraints in DPL : No glitches +
No Early Evaluation
Precharge Evaluation
at
∆t1 ∆t2
PRE/EVAL
bt
st
af
bf
sf
T ,F
T ,F
T ,F
st , sf
at , af
@t2
@t0
@t1
@t3
bt , bf
Cause of Early Evaluation
No Technological Biais
OR consumption = AND consumption
routing T = routing F
Jean-Luc Danger SOCSIP security 15/43
Page 16
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 16/43
Page 17
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Security constraints 1/2
Logic without glitches and early propagation
⇒ Synchronization
The rules to be “synchronized”:
Rule 1: Evaluation starts after all the input signals are valid.
Rule 2: Precharge starts:1 Either after all the inputs becomes NULL1 but the outputs
need to be memorized or2 Or before the first input becomes NULL (which does not need
any memorization).
1NULL is the value in precharge phaseJean-Luc Danger SOCSIP security 17/43
Page 18
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Security constraint 2/2
Logic with a minimum of technological biais
Special care at placing and routing (but the FPGA vendorsgive few informations)
Use of the same logic structure for True and False (e.g.MDPL with majority gates)
Statistical balancing
Logic resistant to fault attacks
Detection capability or
Resilience
Jean-Luc Danger SOCSIP security 18/43
Page 19
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Cost and Speed constraints
Logic with a minimum cost
A few more than X2
Use of RAMs and DSP in FPGAs
Fast speed
speed divided by 2. Possible to be better?
Jean-Luc Danger SOCSIP security 19/43
Page 20
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Case study of BCDL: Balance Cell Differential Logic
The BCDL gate: Synchronization with Global Precharge
at
bt
PRE
Bundle data
. . .
af
bf
sf
at
bt T
af
bf F
st
. . .
. . .U/PRE
No need of memorization as a global precharge PRE isfaster than any inputs.U/PRE falls to 0 ⇒ precharge is forced immediately.U/PRE rises to 1 ⇒ evaluation begins after “unanimity to 1”.Tables T and F can be fully separated ⇒ huge complexitygain.
Jean-Luc Danger SOCSIP security 20/43
Page 21
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Exemple of a 2-input OR gate
Precharge Evaluation
at
btaf
bf
st
sf
U/PRE
PRE
Jean-Luc Danger SOCSIP security 21/43
Page 22
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Robustness against FA
In-Built Robustness against Fault Attacks
Automatically detects symmetric faults: {VALID0, VALID1}↓ or ↑−→ {NULL0, NULL1}(1→ 0 or 0→ 1).
“Error state” is propagated throughout the design ⇒ Faultresilience.
PRECHARGE Fault detection
1 state 6= {NULL0, NULL1}0 state 6= {VALID0, VALID1}
at
bt
PRE
Bundle data
. . .
af
bf
sf
at
bt T
af
bf F
st
. . .
. . .U/PRE
Jean-Luc Danger SOCSIP security 22/43
Page 23
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Fault Detection with DSP blocks
based on AxB = (−A)x(−B) ⇒(2A + 1)x(2B + 1) = (2A + 1)x(2B + 1)
Allows to detect and locate either during precharge orevaluation
mult
1
1
mult
1
1
=0
Bf
Af
Bt
At
FAUTE
Jean-Luc Danger SOCSIP security 23/43
Page 24
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Area
T and F easy to implement
Not limited to positive functions
separable1 additionnal input (U/PRE ) + duplication(T and F )Area of tables = 2.2n+1 < 22n if n > 2⇒ S-Box area = only 4 times the size of an unprotected one.
Total Area
= DFF(∗4) + [SYNC(a few gates) + T + F ] ∗ n.
Special case: MUX driven by single rail signal
No needs of synchronization.
Jean-Luc Danger SOCSIP security 24/43
Page 25
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Speed optimization
prechargeevaluation evaluationprecharge
T/2
T
WDDL orBasic BCDL
T/2
pre. pre.evaluation evaluation
1.5× T
Speed-optimized BCDL
T/4
Faster than other DPLs
Evaluation time > precharge time ⇒ performances ↗Speed / ∼ 1.25 ↔ 1.75
Jean-Luc Danger SOCSIP security 25/43
Page 26
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
results in FPGA Stratix for an AES implementation
Complexity and speed
ALM Reg RAM Max. freq. Max. throughput
no protection 1078 256 40 Kb 71.88 MHz 287.52 Mbps
WDDL 4885 1024 — 37.07 MHz 74.14 Mbps
BCDL 1841 1024 160 Kb 50.64 MHz 151.92 Mbps
CPA results
Attack processed on 150000 power consumption traces.
No subkey found for BCDL.
Jean-Luc Danger SOCSIP security 26/43
Page 27
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
MIA results for different subbytes implementations
Jean-Luc Danger SOCSIP security 27/43
Page 28
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Comparison with other DPLs in FPGAs
WDDL : Propagation of the NULL state with positivefunctions
RCDDL : WDDL with factored logic, which amplifies theearly evaluation
MDPL : T gate =F gate = Majority, random Mask tobalance the True and False networks
STTL : A third wire is added to synchronize with the laststable signal.
DRSL : As MDPL with a synchronization before evaluation
IWDDL : Isolated WDDL with separated T and F networksby means of superpipelining
BCDL : The logic presented here
MBCDL : BCDL with mask
Jean-Luc Danger SOCSIP security 28/43
Page 29
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
How to meet the DPL constraints in FPGAs ?Case study of BCDL
Comparison with other DPLs
Logic Compl. SpeedRobust. SCA Robust. FA
Design Constr.EE T. B. Fault Det.
WDDL * < 1/2 asym comb Positive gates
MDPL * < 1/2 3 asym comb MAJ gate + RNG
STTL * < 1/4 3 sym seq 50% more wiring
DRSL * < 1/2 partly 3 sym comb + RNG
IWDDL < 1/2·n 3 asym comb superpipeline
BCDL ** > 1/2 3 sym comb
MBCDL * > 1/2 3 3 sym comb + RNG
Jean-Luc Danger SOCSIP security 29/43
Page 30
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 30/43
Page 31
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
ROM Hardware masking
nn
n
X M
ROM
ROM
S SS
mk
x ⊕m
S ′
S
m′S(x ⊕ k)⊕m′
Masked DES implementedwith ROMs.
“Zero Offset” From Waddle et al., Peeters et al..
Activity:
A = HW [(x⊕m)⊕(S(x⊕k)⊕m′)]+HW [m⊕m′]
The register data Hamming distance is:
∆(x) = x ⊕ S(x ⊕ k)
The register mask Hamming distance is:
∆(m) = m ⊕m′
Then:
A = HW [∆(x)⊕∆(m)] + HW [∆(m)]
Jean-Luc Danger SOCSIP security 31/43
Page 32
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Problem # 1: HO-attacks
2 4 6 41 3 5 70 2 4 6 8 3 5
4/164/16
1/16
2/16
8/16
16/16
4/16
1/16
6/16
2/16
6/16 6/16
4/16
8/16 8/16
HW (∆(x , k)) = 4HW (∆(x , k)) = 0 HW (∆(x , k)) = 1 HW (∆(x , k)) = 3
Activity A
HW (∆(x , k)) = 2
Power distributions of the five possible values of HW (∆(x , k)).
Theoretic MIA attack evaluationTable: Theoretical conditional entropy of the ROM masked DES.
Theoretical entropies The correct key Any wrong key
H(O|HW (∆(x , k))) 1.3992 bit 2.5442 bit
Jean-Luc Danger SOCSIP security 32/43
Page 33
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Problem # 2: ROM too complex for FPGAs
Need of 22n memoryUse of external Mask recomposition with USM: UniversalS-Box Masking
x ⊕ k
S(x ⊕ k)S S
k
mx ⊕m
m′S(x ⊕ k)⊕m′
But attackable on the combinatorial logic!
Jean-Luc Danger SOCSIP security 33/43
Page 34
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Solution #1: Squeezed leakage by encoding tables
S(x ⊕ k)⊕m′ B(m′)
x ⊕m B(m)
m
k
m′
ROM
or ROMGates
B
MR
B−1
S S S
Jean-Luc Danger SOCSIP security 34/43
Page 35
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Solution #2: Squeezed leakage by encoding tables withUSM
network
LUT
network
LUT
ROM or LUT
networkLUT
network
#2
#1
#3
MR
S(x ⊕ k)⊕m′
B1(mr )xr ⊕mrxl ⊕ml
k
B1(ml )
L R MR ML
S
B2
PP
E E
B−11
B−13
B4
B−12
B3
S
B1
B−11
B−14
Jean-Luc Danger SOCSIP security 35/43
Page 36
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Implementation results with leakage squeezing
Table 1: Complexity and speed results. “l. s.” denotes the “leakagesqueezing” countermeasure.
Implementation ALMs Block mem- M4Ks Throughput
-ory [bit] [Mbit/s]
Unprotected DES (reference) 276 0 0 929.4
DES masked USM 447 0 0 689.1
DES masked ROM 366 131072 32 398.4
DES masked ROM with l. s. 408 131072 32 320.8
DES masked USM with l. s. 488 0 0 582.8
Jean-Luc Danger SOCSIP security 36/43
Page 37
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
MIA results with leakage squeezing
Zoom
0
0.5
1
1.5
2
−20 −15 −10 −5 0 5 10 15 20
Mutu
al I
nfo
rmat
ion [
bit
]
SNR
Unprotected DESZero offset
DES masked ROM with l. s.DES masked USM with l. s.
0
0.0001
0.0002
0.0003
0.0004
0.0005
0.0006
−20 −15 −10 −5 0 5 10 15 20
Mu
tual
Info
rmati
on
[b
it]
SNR
DES masked ROM with l. s.DES masked USM with l. s.
Figure 1: Mutual information metric computed on several DESimplementations.
Jean-Luc Danger SOCSIP security 37/43
Page 38
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Squeezed leakage by mask decomposition
θ−1
θ
M2M1
S S ′
m′
S(x ⊕ k)⊕m′
m′2m′1
m
k
x ⊕m
R
m1 m2
Jean-Luc Danger SOCSIP security 38/43
Page 39
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
Distributions obtained for different Θ
addition
Activity A 6 62 4 6 8 3 5 7 9 2 4 8 10 3 5 7 9 4 83 3 34 45 5 56 67 7 9978 10 10 108
5/
25
6
46/
25
659/
25
6
HW (∆(x))=0 HW (∆(x))=1 HW (∆(x))=3HW (∆(x))=2 HW (∆(x))=4
10/
25
68/
25
6
10/
25
63
3/
25
65
4/
25
6
31/
25
64
6/
25
6 64/
25
6
5/
25
615/
25
62
8/
25
64
9/
25
65
9/
25
65
7/
25
62
8/
25
61
5/
25
6
5/
25
61
5/
25
63
1/
25
64
6/
25
65
9/
25
65
1/
25
63
3/
25
61
1/
25
65/
25
6
12/
25
630/
25
64
5/
25
65
4/
25
65
9/
25
63
1/
25
61
5/
25
65/
25
6
5/
25
61
3/
25
63
1/
25
6
46/
25
64
1/
25
61
5/
25
6
alpha
Activity A 64 83 5 973 4 5 6 7 8 98 3 4 5 6 7 8 99 98765433 4 5 6 72 10 2 2 2 210 10 10 10
HW (∆(x))=0 HW (∆(x))=1 HW (∆(x))=3HW (∆(x))=2 HW (∆(x))=4
56/
25
67
0/
25
6
8/
25
62
8/
25
6
28/
25
6
28/
25
6
28/
25
6
28/
25
6
28/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
1/
25
6
70/
25
6
70/
25
6
70/
25
6
70/
25
6
28/
25
6
28/
25
6
28/
25
6
28/
25
68/
25
6
8/
25
6
8/
25
6
8/
25
6
8/
25
6
8/
25
6
8/
25
6
8/
25
6
8/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
56/
25
6
Jean-Luc Danger SOCSIP security 39/43
Page 40
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Zero-offset implementationSqueezed Leakage
MIA by Squeezed leakage by mask decomposition
FPGA Acquisitions
SNR
−13.43
−0.2
0
0.2
0.4
0.6
0.8
1
1.2
−20 −15 −10 −5 0 5 10 15 20
Mutu
al I
nfo
rmat
ion [
bit
]
SNR
Zero offset implementationMask decomposition, XOR
Mask decomposition, additionMask decomposition, multiplication
Mask decomposition, alpha
Jean-Luc Danger SOCSIP security 40/43
Page 41
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Presentation Outline
1 FPGA specificity and vulnerability
2 Overview of countermeasures in FPGAs
3 Protection by DPL in FPGAs
4 Protection by Masking in FPGAs
5 Conclusions
Jean-Luc Danger SOCSIP security 41/43
Page 42
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
The FPGAs need efficient countermeasures to be protectedagainst physical attacks.
Three levels:Protocol:
Reconfiguration can be done in FPGAs
RTL : Masking by taking davantages of RAMs but care has tobe taken against HO-DPA. Exemples:
Leakage squeezingMask decomposition
Netlist : By using DPL. Examples:
STTL: no EE, need of 3rd wire, care of P/RBCDL: no EE, low complexity, care of P/RMBCDL: BCDL + easy P/R
Jean-Luc Danger SOCSIP security 42/43
Page 43
FPGA specificity and vulnerabilityOverview of countermeasures in FPGAs
Protection by DPL in FPGAsProtection by Masking in FPGAs
Conclusions
Thanks for your attention.Any question?
Jean-Luc Danger SOCSIP security 43/43