1RIEC, TOHOKU UNIVERSITY

Naofumi Homma

Recent topics on

hardware security

Tohoku University/RIEC, Japan TélécomParisTech/Comelec/SEN

RIEC, TOHOKU UNIVERSITY 2

Tohoku University

Main building

Founded in 1907 in Sendai

as Tohoku Imperial University

3rd national university in Japan

One of the largest national universities

10 undergraduate schools

15 graduate schools

5 research institutesResearch Institute of Electrical Communication (RIEC)

RIEC building

Sendai

Tokyo

1.5 h

RIEC, TOHOKU UNIVERSITY

Environmentally Conscious Secure

Information System Laboratory

(Professor: Naofumi Homma)

Tohoku University/RIEC, Japan

2009.6-2010.3/2016.9-2017.3:

Visiting Professor,

Telecom ParisTech/Comelec/SEN

Research Interests:

Computing Theory, Embedded

Systems, Information Security

Homma laboratory

3

Research team

2009-2010

RIEC, TOHOKU UNIVERSITY

Collaboration with Telecom ParisTech

4

SPACES Project (2010-2014)

Security evaluation of Physically Attacked

Cryptoprocessors in Embedded Systems

Collaborators:

Tohoku U, Kobe U, UEC, AIST

Telecom ParisTech, LIP6, Morpho

Developed board

SPACES chip

RIEC, TOHOKU UNIVERSITY

Outline

Introduction

What’s hardware security Side-channel attacks

Research activities and collaborations

Future prospects

5

RIEC, TOHOKU UNIVERSITY

Research on information security

Application

Network

Hardware

Today’s topic

Hardware Security

Application Security

Network Security

ICT devices

6

RIEC, TOHOKU UNIVERSITY

What is hardware security?

- Securing HW (and SW on HW)

- Anti-counterfeiting

- Attacks to hardware

7

Hardware for

Security(≒Security

Hardware)

Hardware with

Security(≒Secure

Hardware)

Expanding research field on all the matters related to security and secure HW

- Cryptographic processor

- Random Number Generator

- Physically Unclonable Function

- etc.

RIEC, TOHOKU UNIVERSITY

Device accessibility in IoT/IoE/CPS…

In room

Past

In town

Present Future

Attackers’ accessibility

Physical access to hardware becomes much easier Cyber security is coming close to HW security

Everywhere

8

RIEC, TOHOKU UNIVERSITY

Attacks from/to “things” in IoT era

Source: IEEE Spectrum 2015

9

RIEC, TOHOKU UNIVERSITY

Cryptographic modules

www.jreast.co.jp

www.sonyericsson.co.jp

www.orse.or.jp

www.jp.playstation.com

www.sharp.co.jp

www.sony.co.jp

www.apple.com

Cryptographic module is a part of our daily lives

Progress of IoT pushes security chips towards into many things

www.elstermetering.com

10

RIEC, TOHOKU UNIVERSITY

Crypto.

algorithm

Crypto.

algorithm

Attacks on cryptographic modules

Physical attack（Implementation attack） Attacks based on physical access to module

Cannot be addressed in cryptographic algorithm design

Plaintext

Cipher text

Sender Receiver

Steal Tamper

Attacker

Crypto. modulesEncryption key Decryption key

Steal Tamper Steal Tamper

Plaintext

11

RIEC, TOHOKU UNIVERSITY

Plaintext

CiphertextCrypto

module

Irregular inputs

(Fault injection

attacks)

Frequency/voltage

control, clock glitch,

EM interference

Physical attacks on crypto modules

Side-channel attacks have been drawing more attention as practical threats

Circuit pattern probing, FIB,

laser/EM irradiation

Destructive

Non-destructive TimingVoltage variation EM radiation

Side channel attacks

・・・

12

RIEC, TOHOKU UNIVERSITY

Side channel attacks on real products

Breaking Mifare DESFire MF3ICD40:

Power Analysis and Templates in the Real

World (CHES 2011)

Smartcards ever used in subway systems were

broken by side channel attacks

Get Your Hands Off My Laptop

(MIT Review 2014)

RSA key steal by grabbing a laptop chassis

Defend encryption systems against

side-channel attacks (EDN Network 2015)

Side channel attacks on FPGA, set-top box chip,

or mobile application processors

13

RIEC, TOHOKU UNIVERSITY

Cracking the cloud by side-channel attacks

Timing attack to Amazon web services（EC2）[2016]

Attacker and target use a shared cache memoryon a cloud server

– Secret key can be stolen by the time difference ofcache hit and miss

Side-channel attack without physical access

14

RIEC, TOHOKU UNIVERSITY

Differential power/EM analysis attack

A number of

measurements

(102-109)

Correlation

Coefficients

Correct key

Wrong keys

Power traces

C-

textC-

text...

C-

textC-

textC-

textC-

textC-

textC-

text

E-

Val.C-

text...

C-

textC-

textC-

textC-

textC-

textE-

val.

Estimated

sub-key

Estimated

power values

Statistical analysis using many side-channel info.

15

RIEC, TOHOKU UNIVERSITY

Why differential analysis works

Sub key

Cipher text

Sub

8

8

Intermediate

value

8 Calculate correlation

between measured and

estimated values

Candidates:

28 = 256

Intermediate data are determined by sub-key Substitution function with 8-bit input and sub-key

Bit operation orthogonal to other bit operations High peak appears only at a specific timing

Estimate power/EM

values from intermediate

values by Hamming

weight or distance

16

RIEC, TOHOKU UNIVERSITY

Example of differential EM analysis

DEMA on AES software in microcontroller Clock frequency: 8MHz

Sampling frequencies: 400MHz

Number of traces: 1000

EM probing over module Measured EM trace

17

RIEC, TOHOKU UNIVERSITY

Analysis result

Highest peak appears in correct key estimation

Corr

ela

tion

coeffic

ient

10-2

Sampled pointKey guess

Correct key: 209

18

RIEC, TOHOKU UNIVERSITY

Major ideas of countermeasures

Hiding: to remove data dependency Constant operation flow, complementary logic style…

Masking: to randomize intermediate data Bynames: secret sharing, threshold implementation…

M S MMS S SSSS S S SSSM M M M M

Encryption/

DecryptionMasking Unmasking

Random number

Input

（Plaintext）Output

(ciphertext)

Random number

W/O countermeasure W/ countermeasure

19

RIEC, TOHOKU UNIVERSITY

Current issues/challenges

Countermeasure works only if leak and

measurement assumption are valid

Can be defeated by attacks beyond assumptions

Measurement assumption (i.e., position, # of times,

SNR) is sometimes different from reality

Potential vulnerabilities by advancement of

measurement and analysis techniques

High security requires more HW/SW resources

Even countermeasures against simple attacks

sometimes require large overhead (e.g. x5)

20

RIEC, TOHOKU UNIVERSITY

Outline

Introduction

What’s hardware security Side-channel attacks

Research activities and collaborations

Future prospects

RIEC, TOHOKU UNIVERSITY

Security evaluation of

embedded systems

Cryptographic LSI

computing

EM information security

EM security analysis

method

High-speed/

Light-weight

crypto LSIs

Security

evaluation

platforms

Tamper-resistant

crypto LSIs

Research activities

Side-channel attacks &

countermeasures

Standards work

3-Turn Coil

L1

4-Turn Coil

L2

Understanding of

EM leakage and IEMI

22

RIEC, TOHOKU UNIVERSITY

Highly efficient hardware architecture [CHES ‘16]

http://phys.org/

23

RIEC, TOHOKU UNIVERSITY

Energy-efficient AES hardware [CHES ‘16]

24

Signal gating

Unification of

linear functions

Only one

4:1 selector

Redundant

GF arithmetic

optimization

RIEC, TOHOKU UNIVERSITY

Power estimation

Power estimation by gate-level dynamic

simulation calculating switching activities with

glitch effects

Our architecture achieved lowest power and

power-time (PT) product

25

Power [mW] @ 10 MHz PT product

Satoh et al. 4.05 316.31

Lutz et al. 3.43 234.96

Liu et al. 4.51 384.48

Mathew et al. 5.49 536.26

This work 2.76 129.63-45%-20%

RIEC, TOHOKU UNIVERSITY

New circuit-level countermeasure against physical

attacks “EM attack sensor”

Sense EM field variation caused by probe approach

Prevent microprobe-based EMAs on chip surface

Countermeasure technology [ISSCC2016]

Die photo of prototype sensor

Coil L1

Frequency

Shift

fre

quency s

pectr

um

Freq. shift caused by probing

Cryptographic LSI

Sensor

Coil

fLC

Micro EM Probe

M

Basic concept

28

RIEC, TOHOKU UNIVERSITY

Demonstration of EM attack sensor

Demo

29

RIEC, TOHOKU UNIVERSITY

Power

Consumption

AES core Sensor

0.25mW

(+9%)

Total(Sensor Overhead)

0.23mW 0.02mW

Layout Area0.49mm2

(+2%)0.48mm2 0.01mm2

Performance125.3ms

(-0.2%)125ms/Enc 0.3ms/Sense

2NAND Gate

Count

24.6k

(+1.2%)24.3k 0.3k

Wire Resource0.45

(+11%)0.40mm2 0.05mm2

Overhead of EM attack sensor

30

RIEC, TOHOKU UNIVERSITY

Evaluation platform for hardware security

29

Side-channel Attack Standard Evaluation

Board: SASEBO

Distributed to more than 100 companies,

universities, and research institutes

IP cores (HDL codes) of the ISO/IEC 18033-3

standard block ciphers

SASEBO-W for

Smartcard

implementation (2012)

SASEBO

SeriesRuhr Univ. Bochum (ドイツ)Darmstat Univ.

IAIK, Graz Univ. (オーストリア)

UCL Crypto Group (ベルギー)Katholieke Univ. Leuven

Luxembourg Univ. (ルクセンブルグ)

Indian Institute of Techinology (インド)

Weizmann Institute (イスラエル)

ETRI (韓国)ICUSamsung

NECマイクロシステム東北大学横浜国立大学電気通信大学防衛大学早稲田大学立命館大学茨城大学九州大学豊橋技術科学大学警察大学校

IPANICTNTTNTTデータ NHKSONY富士通日立東芝キヤノンTEDNEC

NIST (米国)

Virginia Tech. (米国)

CRI (米国)

LIMM (フランス)TELECOM Paris Tech

Univ. Bristol (イギリス)Queen’s Univ. belfast

BrightSite (オランダ)Riscure BV

Worcester Polytechnic Institute(米国)

Example of experiment

with SASEBO

Distribution map

RIEC, TOHOKU UNIVERSITY

Information security via EM radiation EM analysis at a distance with high sensitivity current probe Local EM analysis with on-chip micro EM probe

30

EM information security

Visualization of EM info

leakage on board

Fault occurrence and

propagation inside LSI

Far field Near field

Fault injection at a distance

from cable/antenna

RIEC, TOHOKU UNIVERSITY

Simulation of EM information leakage

Detailed analysis using Finite

Difference Time Domain

(FDTD) method

31

Target device

Extraction of wiring pattern

FDTD computation

RIEC, TOHOKU UNIVERSITY

Leakage source at VDD/GND pin of cryptographic LSI

Standing wave on power line

Information on current goes further through power cable connected to device

Visualization of EM information leakage

Detailed analysis using Finite Difference Time Domain

(FDTD) method

EM-field analysis

by FDTD method

35

RIEC, TOHOKU UNIVERSITY

EMC-based countermeasure (Decoupling capacitor)

Before After

EMC-based countermeasure

36

RIEC, TOHOKU UNIVERSITY

Future prospects

Systematic design methodology

No perfect security, but higher security

Security technology for IoT/IoE/CPS

Hardware-assisted cyber security

Security on things (e.g. cars and body devices)

Collaborations for cryptographic HW design

Applications to IoT sensors and battery-driven devices

HW security research has just appeared

Interdisciplinary collaborations are necessary!

42

RIEC, TOHOKU UNIVERSITY

Thank you for your attention