Efficient acquisition techniqueof side -channel information
using event-model simulation
COSADE workshopMarch 7th-8th, 2013
Toshiya Asai and Masaya Yoshikawa Department of Information Engineering
Meijo University
Télécom ParisTech
1. MotivationEfficiency of vulnerability evaluation in design stage
2. Proposed methodEvent-model simulation for power waveform
Table of Contents
Event-model simulation for power waveform acquisition
3. Experimental resultsSome highlight data with prototype LSI
4. Summary and future plans
1. MotivationEfficiency of vulnerability evaluation
2. Proposed methodEvent-model simulation for power waveform acquisition
Table of Contents
acquisition
3. Experimental resultsSome highlight data using prototype LSI
4. Summary and future plans
1. Evaluation of tamper resistance in LSI design stage
2. Technical issues①Efficiency of power simulation
Motivation (1/2)
Efficiency of power simulation②Efficiency of attack simulation
3. Improvements in this studyImproves efficiency of power simulation by the event-model simulation (proposed method)
Effieciency of power waveform simulation
Motivation (2/2)
Fast SPICE simulator (NanoSim, etc)
more
Verilog Sim. + PrimeTimePX(Synopsys)
Precision Speed
faster
more precise
1. MotivationEfficiency of vulnerability evaluation
2. Proposed methodEvent-model simulation for power waveform acquisition
Table of Contents
acquisition
3. Experimental resultsSome highlight data using prototype LSI
4. Summary and future plans
Concept of event-model simulation
Proposed method (1/5)
Power waveform of transition event(by SPICE sim.) Power waveform(by SPICE sim.)
Timing Informationof transition event(by verilog sim.)
Power waveformfor attack simulation
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
waveformwaveformwaveformwaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
wwwwaveformaveformaveformaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
ssssimulationimulationimulationimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
wwwwaveformaveformaveformaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
ssssimulationimulationimulationimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
wwwwaveformaveformaveformaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
wwwwaveformaveformaveformaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
waveformwaveformwaveformwaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requiredbumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
simulationsimulationsimulationsimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
waveformwaveformwaveformwaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Procedure of event-model simulationProposed method (2/5)
Crypto.LSI
((((SPICE))))
SPICESPICESPICESPICE
ssssimulationimulationimulationimulation
v (Y)v (Y)v (Y)v (Y)
Event-model extractionVerification blockVerification blockVerification blockVerification block
iiii (VDD)(VDD)(VDD)(VDD)
iiii (VSS)(VSS)(VSS)(VSS)
Step 1
Shorttest bench
Power consumptionPower consumptionPower consumptionPower consumption
wwwwaveformaveformaveformaveform
Superposition ofevent-model
at transition timing
ΣiΣiΣiΣi (VDD)(VDD)(VDD)(VDD)
ΣiΣiΣiΣi (VSS)(VSS)(VSS)(VSS)
VerilogVerilogVerilogVerilog
simulationsimulationsimulationsimulation Transition timing listof
verification block
Step 2
Requirednumber
ofwaveforms
Crypto.LSI
((((verilog ))))
Extracted current waveformExtracted current waveformExtracted current waveformExtracted current waveform
of each cellof each cellof each cellof each cell
SPICEsimulation
Crypto. LSI
SPICE netlist・Post layout netlist・Parasitic extraction data
i(VDD)
Proposed method (3/5)Step 1
Short test bench(AES: 2~3 encryption)
Curve fitting
Extracted current waveformExtracted current waveformExtracted current waveformExtracted current waveform
of each cellof each cellof each cellof each cell
SPICEsimulation
Crypto. LSI
SPICE netlist・Post layout netlist・Parasitic extraction data
i(VDD)
Proposed method (3/5)Step 1
Short test bench(AES: 2~3 encryption)
Curve fitting
VCD File(Value Change Dump)
Crypto. LSI
(Verilog)
Timingsimulation
Transition timng listin verification block
XU123 TimeX1 1 TimeX2 0 TimeX3 1
Extraction of cells
XU124 TimeY1 0 TimeY2 1 TimeY3 0
Proposed method (4/5)Step 2
Adjusts the delay with SPICE simulation( verilog:TYP SPICE: 25℃)
・・・
XU123XU123XU123XU123 outputoutputoutputoutput
XU123XU123XU123XU123 Rise i (Rise i (Rise i (Rise i (VDD)VDD)VDD)VDD)
XU123XU123XU123XU123 Fall i (Fall i (Fall i (Fall i (VDD)VDD)VDD)VDD)
Superposition ofSuperposition ofSuperposition ofSuperposition of all waveformsall waveformsall waveformsall waveforms
・・・
Σi (VDDΣi (VDDΣi (VDDΣi (VDD))))Waveform of verification blockWaveform of verification blockWaveform of verification blockWaveform of verification block
EventEventEventEvent----modelsmodelsmodelsmodels
VCD File(Value Change Dump)
Crypto. LSI
(Verilog)
Timingsimulation
Transition timng listin verification block
XU123 TimeX1 1 TimeX2 0 TimeX3 1
Extraction of cells
XU124 TimeY1 0 TimeY2 1 TimeY3 0
Proposed method (4/5)Step 2
Adjusts the delay with SPICE simulation( verilog:TYP SPICE: 25℃)
・・・
XU123XU123XU123XU123 outputoutputoutputoutput
XU123XU123XU123XU123 Rise i (Rise i (Rise i (Rise i (VDD)VDD)VDD)VDD)
XU123XU123XU123XU123 Fall i (Fall i (Fall i (Fall i (VDD)VDD)VDD)VDD)
Superposition ofSuperposition ofSuperposition ofSuperposition of all waveformsall waveformsall waveformsall waveforms
・・・
Σi (VDDΣi (VDDΣi (VDDΣi (VDD))))Waveform of verification blockWaveform of verification blockWaveform of verification blockWaveform of verification block
EventEventEventEvent----modelsmodelsmodelsmodels
VCD File(Value Change Dump)
Crypto. LSI
(Verilog)
Timingsimulation
Transition timng listin verification block
XU123 TimeX1 1 TimeX2 0 TimeX3 1
Extraction of cells
XU124 TimeY1 0 TimeY2 1 TimeY3 0
Proposed method (4/5)Step 2
Adjusts the delay with SPICE simulation( verilog:TYP SPICE: 25℃)
・・・
XU123XU123XU123XU123 outputoutputoutputoutput
XU123XU123XU123XU123 Rise i (Rise i (Rise i (Rise i (VDD)VDD)VDD)VDD)
XU123XU123XU123XU123 Fall i (Fall i (Fall i (Fall i (VDD)VDD)VDD)VDD)
Superposition ofSuperposition ofSuperposition ofSuperposition of all waveformsall waveformsall waveformsall waveforms
・・・
Σi (VDDΣi (VDDΣi (VDDΣi (VDD))))Waveform of verification blockWaveform of verification blockWaveform of verification blockWaveform of verification block
EventEventEventEvent----modelsmodelsmodelsmodels
VCD File(Value Change Dump)
Crypto. LSI
(Verilog)
Timingsimulation
Transition timng listin verification block
XU123 TimeX1 1 TimeX2 0 TimeX3 1
Extraction of cells
XU124 TimeY1 0 TimeY2 1 TimeY3 0
Adjusts the delay with SPICE simulation( verilog:TYP SPICE: 25℃)
Proposed method (4/5)Step 2
・・・
XU123XU123XU123XU123 outputoutputoutputoutput
XU123XU123XU123XU123 Rise i (Rise i (Rise i (Rise i (VDD)VDD)VDD)VDD)
XU123XU123XU123XU123 Fall i (Fall i (Fall i (Fall i (VDD)VDD)VDD)VDD)
Superposition ofSuperposition ofSuperposition ofSuperposition of all waveformsall waveformsall waveformsall waveforms
・・・
Σi (VDDΣi (VDDΣi (VDDΣi (VDD))))Waveform of verification blockWaveform of verification blockWaveform of verification blockWaveform of verification block
EventEventEventEvent----modelsmodelsmodelsmodels
Partial generation of required waveforms
Proposed method (5/5)
1 2 3 4 5 6 7 8 9 10 Ciphertext
AES-128 10-rounds
Attack timing
1 2 3 4 5 6 7 8 9 10 Ciphertext
Attack timing
Generates waveforms partially
・・・・Faster acquisition・・・・Smaller data size
1. MotivationEfficiency of vulnerability evaluation
2. Proposed methodEvent-model simulation for power waveform acquisition
Table of Contents
acquisition
3. Experimental resultsSome highlight data using prototype LSI
4. Summary and future plans
Rise edge Fall edge
output signal output signal
Expermental results(1/4)Step 1 : modeling
VDD current
VSS current
VDD current
VSS current
・・・・0.18µm CMOS technology LSI・・・・AES SubBytes :::: composite field・・・・Plots waveforms of all cells in SubBytes
Expermental results(2/4)Step 2 : waveform generation
Conventional(PrimeTime PX)
Proposed(Event-model simulation)
・AES Round 10・SubBytes :composite field
Partial waveform generation (AES round-10)
i (VDD)
Expermental results(3/4)
Encryption 1'st 2'nd 3'rd 4'th
i (VSS)
0 500 1000 1500 2000 2500 3000 3500 4000
VCS + PrimeTimePX
CustomSim(SPICE)
SPICE - PrimeTime PX ( 100 encryption)
Expermental results(4/4)Comparison of processing time
・AES SubBytes:composite field・Processing for one SubBytes block・Machine:Xeon W3565 3.2GHz / 8GB
57m8s
67s
0 1000 2000 3000 4000 5000 6000
VCS + Proposed method
(Partial Generation)
VCS + PrimeTimePX
[sec]
PrimeTimePX - Proposed method ( 10,000 encryption)
0 500 1000 1500 2000 2500 3000 3500 4000
[sec]
81m22s
7m20s
0 500 1000 1500 2000 2500 3000 3500 4000
VCS + PrimeTimePX
CustomSim(SPICE)
SPICE - PrimeTime PX ( 100 encryption)
Expermental results(4/4)Comparison of processing time
・AES SubBytes:composite field・Processing for one SubBytes block・Machine:Xeon W3565 3.2GHz / 8GB
57m8s
67s
0 1000 2000 3000 4000 5000 6000
VCS + Proposed method
(Partial Generation)
VCS + PrimeTimePX
[sec]
PrimeTimePX - Proposed method ( 10,000 encryption)
0 500 1000 1500 2000 2500 3000 3500 4000
[sec]
81m22s
7m20s
0 500 1000 1500 2000 2500 3000 3500 4000
VCS + PrimeTimePX
CustomSim(SPICE)
SPICE - PrimeTime PX ( 100 encryption)
Expermental results(4/4)Comparison of processing time
・AES SubBytes:composite field・Processing for one SubBytes block・Machine:Xeon W3565 3.2GHz / 8GB
57m8s
67s
0 1000 2000 3000 4000 5000 6000
VCS + Proposed method
(Partial Generation)
VCS + PrimeTimePX
[sec]
PrimeTimePX - Proposed method ( 10,000 encryption)
0 500 1000 1500 2000 2500 3000 3500 4000
[sec]
81m22s
7m20s
1. MotivationEfficiency of vulnerability evaluation
2. Proposed methodEvent-model simulation for power waveform acquisition
Table of Contents
acquisition
3. Experimental resultsSome highlight data using prototype LSI
4. Summary and future plans
■SummaryProposed method ― event-model simulation・Utilizes tools of EDA vendors・Takes balance between precision and speed・Confirmed availability with prototype LSI
Summary and future plans
・Confirmed availability with prototype LSI
■Future plans・Improves efficiency・Applies to electro-magnetic analysis
Thank you for your attention
Expermental results
0 500 1000 1500 2000 2500 3000 3500 4000
VCS + PrimeTimePX
CustomSim(SPICE)
SPICE - PrimeTime PX ( 100 encryption)
Comparison of processing time・AES SubBytes:composite field・Processing for one SubBytes block・Machine:Xeon W3565 3.2GHz / 8GB
57m8s
67s
[sec]
Simulation Power Calculation
0 1000 2000 3000 4000 5000 6000
VCS + Proposed method (Partial)
VCS + Proposed method
VCS + PrimeTimePX
[sec]
PrimeTimePX - Proposed method (10,000 encryption)
Simulation Power Calculation
81m22s
21m36s
7m20s