

B. Gierlichs A cautionary note about MDPL security

Introduction Attack strategy Experimental results Conclusion Motivation Masked Dual-rail Pre-charge Logic

### • Power analysis threatens black-box secure cryptography implemented in embedded devices (due to CMOS)

#### Countermeasures at software level:

- Ountermeasures at circuit level:

#### • Countermeasures at gate level:

Introduction Attack strategy Experimental results Conclusion Motivation Masked Dual-rail Pre-charge Logic

- Power analysis threatens black-box secure cryptography implemented in embedded devices (due to CMOS)
- Countermeasures at software level:
  - randomize the link between leakage and processed data (masking)
  - hide the leakage in the time domain (random order execution, random process interrupts)
- Ountermeasures at circuit level:

#### • Countermeasures at gate level:

B. Gierlichs

A cautionary note about MDPL security

#### ▲□▶▲□▶▲□▶▲□▶ 三日 のへで

2/22

◆□▶ ◆□▶ ◆目▶ ◆日▶ 三日 のへで

- Power analysis threatens black-box secure cryptography implemented in embedded devices (due to CMOS)
- Countermeasures at software level:
  - randomize the link between leakage and processed data (masking)
  - hide the leakage in the time domain (random order execution, random process interrupts)
- Countermeasures at circuit level:
  - hide the leakage in the time domain (sliding clock, asynchronous designs)
  - reduce the SNR (noise generators, current scramblers)
- Countermeasures at gate level:
  - randomize the link between leakage and processed data (masking)
  - reduce the leakage (SABL, WDDL, CML, etc.)





- Power analysis threatens black-box secure cryptography implemented in embedded devices (due to CMOS)
- Countermeasures at software level:
  - randomize the link between leakage and processed data (masking)
  - hide the leakage in the time domain (random order execution, random process interrupts)
- Countermeasures at circuit level:
  - hide the leakage in the time domain (sliding clock, asynchronous designs)
  - reduce the SNR (noise generators, current scramblers)

#### • Countermeasures at gate level:

- randomize the link between leakage and processed data (masking)
- reduce the leakage (SABL, WDDL, CML, etc.)

| B. Gierlichs | A cautionary note about MDPL security | CHES 2007, Vienna | 2/22 |
|--------------|---------------------------------------|-------------------|------|

Introduction Attack strategy Experimental results Conclusion Motivation Masked Dual-rail Pre-charge Logic

 MDPL is a masked logic style and builds up on standard CMOS cells (however, eventually it adopts masking and DRP)







 $maj(a_m, b_m, m) = 0$  $maj(a_m, b_m, m) = 1$ 

|                                |                                 |            |                           | NOC EIE < E >                           |
|--------------------------------|---------------------------------|------------|---------------------------|-----------------------------------------|
| B. Gierlichs                   | A cautionary note about MDPL    | security   | CHES 2007, Vienna         | 3/22                                    |
|                                |                                 |            |                           |                                         |
| Introduction Attack strategy E | experimental results Conclusion | Motivation | Masked Dual-rail Pre-char | ge Logic                                |
| masked                         |                                 |            |                           |                                         |
| pre-charged                    |                                 | valuate    |                           | <sup>2</sup><br>2<br>2<br>2<br>evaluate |

• MDPL is a masked logic style and builds up on standard CMOS cells (however, eventually it adopts masking and DRP) CMOS CMOS



Introduction Attack strategy Experimental results Conclusion Motivation Masked Dual-rail Pre-charge Logic

• MDPL is a masked logic style and builds up on standard CMOS cells (however, eventually it adopts masking and DRP)



 $maj(a_m, b_m, m) = 1$   $maj(a_m, b_m, m) = 0$ 



AND

MAJ

MAJ

 $\overline{q_m}$ 

 $a_m$ 

*b*,,,-

т

 $\overline{a_m}$ 

 $\overline{h}$ 

 $\overline{m}$ 



CMOS

MAJ

MAJ

MAJ

 $-q_{m}$ 

precharge



Motivation Masked Dual-rail Pre-charge Logic

CMOS

MAJ

precharge

evaluate

CHES 2007, Vienna

CMOS

MAJ

evaluate

precharge

CMOS

MAJ

evaluate

- we develop a probabilistic model of switching activity
- **A**, **B** are uniform on  $S := \{0, 1\}$

B. Gierlichs

- M's distribution on S depends on bias  $\alpha$  in the PRNG
- **T** is output transition on wire  $q_m$ ,  $\mathcal{T} := \{0 \rightarrow 0, 0 \rightarrow 1\}$
- $E(\mathbf{T} = t)$  is observable output transition energy
- $E(\mathbf{T} = \mathbf{0} \rightarrow \mathbf{1}) = \delta, E(\overline{\mathbf{T}} = \mathbf{0} \rightarrow \mathbf{1}) = \gamma$
- $\delta$  and  $\gamma$  are gate specific  $\Rightarrow$  attack a single AND gate

A cautionary note about MDPL security CHES 2007, Vienna

m

т

 $q_m$ 

 $\overline{q_m}$ 

• we develop a probabilistic model of switching activity

• M's distribution on S depends on bias  $\alpha$  in the PRNG

• **T** is output transition on wire  $q_m$ ,  $\mathcal{T} := \{0 \rightarrow 0, 0 \rightarrow 1\}$ 

•  $\delta$  and  $\gamma$  are gate specific  $\Rightarrow$  attack a single AND gate

•  $E(\mathbf{T} = t)$  is observable output transition energy

•  $E(\mathbf{T} = \mathbf{0} \rightarrow \mathbf{1}) = \delta, E(\mathbf{\overline{T}} = \mathbf{0} \rightarrow \mathbf{1}) = \gamma$ 

AND

 $a_m$ 

 $b_m$ 

 $\overline{a_m}$ 

 $\overline{b_m}$ 

 $\overline{m}$ 

• **A**, **B** are uniform on  $S := \{0, 1\}$ 

B. Gierlichs

Introduction Attack strategy Experimental results Conclusion

| <b>A</b> <sub>m</sub> | <b>B</b> <sub>m</sub> | М | bias         | Α | В | Т                           | T                           | Е        |
|-----------------------|-----------------------|---|--------------|---|---|-----------------------------|-----------------------------|----------|
| 0                     | 0                     | 0 | $\alpha$     | 0 | 0 | <b>0</b> ightarrow <b>0</b> | 0  ightarrow 1              | $\gamma$ |
| 0                     | 0                     | 1 | $1 - \alpha$ | 1 | 1 | <b>0</b> ightarrow <b>0</b> | 0  ightarrow 1              | $\gamma$ |
| 0                     | 1                     | 0 | $\alpha$     | 0 | 1 | <b>0</b> ightarrow <b>0</b> | $0 \rightarrow 1$           | $\gamma$ |
| 0                     | 1                     | 1 | $1 - \alpha$ | 1 | 0 | $0 \rightarrow 1$           | <b>0</b> ightarrow <b>0</b> | δ        |
| 1                     | 0                     | 0 | $\alpha$     | 1 | 0 | $0 \rightarrow 0$           | $0 \rightarrow 1$           | $\gamma$ |
| 1                     | 0                     | 1 | $1 - \alpha$ | 0 | 1 | $0 \rightarrow 1$           | 0  ightarrow 0              | δ        |
| 1                     | 1                     | 0 | $\alpha$     | 1 | 1 | $0 \rightarrow 1$           | <b>0</b> ightarrow <b>0</b> | δ        |
| 1                     | 1                     | 1 | $1 - \alpha$ | 0 | 0 | 0  ightarrow 1              | <b>0</b> ightarrow <b>0</b> | δ        |

#### $\mathbb{P}_{\mathbf{T}} = \{\mathbf{0} \to \mathbf{1} : \mathbf{0.75} - \mathbf{0.5}\alpha, \quad \mathbf{0} \to \mathbf{0} : \mathbf{0.25} + \mathbf{0.5}\alpha\}$

|            |                                    | <□> < □> < □> < ≥>         | <ul><li>(目) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1</li></ul> |
|------------|------------------------------------|----------------------------|--------------------------------------------------------------|
| B. Gierlie | chs A cautionary note about MDPL s | security CHES 2007, Vienna | 6/22                                                         |
|            |                                    |                            |                                                              |
|            |                                    |                            |                                                              |

Model Attack

| <b>A</b> <sub>m</sub> | <b>B</b> <sub>m</sub> | М | bias         | Α | в | т                 | T                 | Е        |
|-----------------------|-----------------------|---|--------------|---|---|-------------------|-------------------|----------|
| 0                     | 0                     | 0 | $\alpha$     | 0 | 0 | $0 \rightarrow 0$ | $0 \rightarrow 1$ | $\gamma$ |
| 0                     | 0                     | 1 | $1 - \alpha$ | 1 | 1 | $0 \rightarrow 0$ | $0 \rightarrow 1$ | $\gamma$ |
| 0                     | 1                     | 0 | $\alpha$     | 0 | 1 | 0  ightarrow 0    | $0 \rightarrow 1$ | $\gamma$ |
| 0                     | 1                     | 1 | $1 - \alpha$ | 1 | 0 | $0 \rightarrow 1$ | 0  ightarrow 0    | δ        |
| 1                     | 0                     | 0 | $\alpha$     | 1 | 0 | $0 \rightarrow 0$ | $0 \rightarrow 1$ | $\gamma$ |
| 1                     | 0                     | 1 | $1 - \alpha$ | 0 | 1 | $0 \rightarrow 1$ | $0 \rightarrow 0$ | δ        |
| 1                     | 1                     | 0 | $\alpha$     | 1 | 1 | $0 \rightarrow 1$ | $0 \rightarrow 0$ | $\delta$ |
| 1                     | 1                     | 1 | $1 - \alpha$ | 0 | 0 | $0 \rightarrow 1$ | $0 \rightarrow 0$ | δ        |

Suppose bits a and b are key-dependent intermediate results; based on a key guess, filter  $a \neq b$ 

 $\Theta = E(\mathbf{T}|a = b = 0) - E(\mathbf{T}|a = b = 1)$ correct guess:  $\Theta = 2\alpha\gamma - 2\alpha\delta + \delta - \gamma$ 

#### Introduction Attack strategy Experimental results Conclusion Model Attack



Suppose bits a and b are key-dependent intermediate results; based on a key guess, filter  $a \neq b$ 

 $\Theta = E(\mathbf{T}|a = b = 0) - E(\mathbf{T}|a = b = 1)$ 

|              |                                       | 《曰》《聞》《臣》《臣》 봄    | = ~~~ |
|--------------|---------------------------------------|-------------------|-------|
| B. Gierlichs | A cautionary note about MDPL security | CHES 2007, Vienna | 7/22  |

#### Introduction Attack strategy Experimental results Conclusion Model Attack

| <b>A</b> <i>m</i> | <b>B</b> <sub>m</sub> | Μ | bias         | Α | В | Т                 | T                           | Ε        |
|-------------------|-----------------------|---|--------------|---|---|-------------------|-----------------------------|----------|
| 0                 | 0                     | 0 | $\alpha$     | 0 | 0 | $0 \rightarrow 0$ | $0 \rightarrow 1$           | $\gamma$ |
| 0                 | 0                     | 1 | $1 - \alpha$ | 1 | 1 | $0 \rightarrow 0$ | $0 \rightarrow 1$           | $\gamma$ |
| 0                 | 1                     | 0 | $\alpha$     | 0 | 1 | $0 \rightarrow 0$ | $0 \rightarrow 1$           | $\gamma$ |
| 0                 | 1                     | 1 | $1 - \alpha$ | 1 | 0 | 0 → 1             | $0 \rightarrow 0$           | δ        |
| 1                 | 0                     | 0 | $\alpha$     | 1 | 0 | $0 \rightarrow 0$ | $0 \rightarrow 1$           | $\gamma$ |
| 1                 | 0                     | 1 | $1 - \alpha$ | 0 | 1 | $0 \rightarrow 1$ | $0 \rightarrow 0$           | δ        |
| 1                 | 1                     | 0 | $\alpha$     | 1 | 1 | 0  ightarrow 1    | <b>0</b> ightarrow <b>0</b> | δ        |
| 1                 | 1                     | 1 | $1 - \alpha$ | 0 | 0 | $0 \rightarrow 1$ | <b>0</b> ightarrow <b>0</b> | δ        |

Suppose bits a and b are key-dependent intermediate results; based on a key guess, filter  $a \neq b$ 

 $\Theta = E(\mathbf{T}|a=0, b=0) - E(\mathbf{T}|a=1, b=1)$ correct guess:  $\Theta = 2\alpha\gamma - 2\alpha\delta + \delta - \gamma$ 1 bit wrong:  $\Theta = 0$ 

B. Gierlichs



Suppose bits a and b are key-dependent intermediate results; based on a key guess, filter  $a \neq b$ 

 $\Theta = E(\mathbf{T}|a=0, b=0) - E(\mathbf{T}|a=1, b=1)$ correct guess:  $\Theta = 2\alpha\gamma - 2\alpha\delta + \delta - \gamma$ 1 bit wrong:  $\Theta = 0$ both bits wrong:  $\Theta = 2\alpha\delta - 2\alpha\gamma + \gamma - \delta$ <ロト < 団 > < 豆 > < 豆 > 三目目 のQC

| B. Gierlichs | A cautionary note about MDPL security | CHES 2007, Vienna |
|--------------|---------------------------------------|-------------------|
|--------------|---------------------------------------|-------------------|

Introduction Attack strategy Experimental results Conclusion Model Attack

- DPA peak correct guess:  $\Theta = 2\alpha\gamma 2\alpha\delta + \delta \gamma$
- DPA peak both bits wrong:  $\Theta = 2\alpha\delta 2\alpha\gamma + \gamma \delta$
- DPA peak 1 bit wrong:  $\Theta = 0$
- for any bias  $\alpha \neq 0.5$  and  $\delta \neq \gamma$  (no differential routing)
  - three different values for  $\Theta$  possible
  - a guess that is wrong in 1 bit is distinguishable without further knowledge about  $\alpha$ ,  $\delta$ ,  $\gamma$
  - this property can be exploited to sieve key candidates!

- DPA peak correct quess:  $\Theta = 2\alpha\gamma 2\alpha\delta + \delta \gamma$
- DPA peak both bits wrong:  $\Theta = 2\alpha\delta 2\alpha\gamma + \gamma \delta$
- DPA peak 1 bit wrong:  $\Theta = 0$
- for any bias  $\alpha \neq 0.5$  and  $\delta \neq \gamma$  (no differential routing)
  - three different values for  $\Theta$  possible
  - a guess that is wrong in 1 bit is distinguishable without
  - this property can be exploited to sieve key candidates!

|              |                      |              |          | < □ ► <         |            | <u>হ।</u> = ৩৭ |
|--------------|----------------------|--------------|----------|-----------------|------------|----------------|
| B. Gierlichs | A cautionary note    | about MDPL : | security | CHES 2007, Vie  | nna        | 10/2:          |
|              |                      |              |          |                 |            |                |
|              |                      |              |          |                 |            |                |
|              |                      |              |          |                 |            |                |
|              | Experimental results | Conclusion   | Platform | Standard Attack | Our attack |                |

- Side Channel Analysis Resistant Design flow SCARD
- 8051  $\mu$ C + AES-128 co-processor in CMOS and several secured logic styles, incl. MDPL
- Masks for MDPL generated on chip by controllable PRNG
- Measurements represent current drain in dedicated core VDD
- 2 sets of measurements:

B. Gierlichs

- 100 000 traces, 2GS/s, PRNG bias  $\alpha = 1$  (m = 0)
- 200 000 traces, 2GS/s, PRNG bias  $\alpha$  = unknown

9/22

A cautionary note about MDPL security CHES 2007, Vienna

## Masking disabled ( $\alpha = 1$ )

- Attack: correlation
- Target: simultaneous transition of four 8 bit registers
- prediction:  $H_i = HW(R_i \oplus D_i)$ , flip-flops not precharged
- Attacking 8 key bytes in parallel is not practical, however we want to
  - show that MDPL with disabled masking is vulnerable to a "standard" attack
  - show that MDPL with enabled masking resists the same "standard" attack
  - $\Rightarrow\,$  verify that the PRNG has been setup and started correctly



## Masking enabled ( $\alpha =$ ?)

(Correlation attack, correct key, 32 bit intermediate result)

5000

Time [samples at 2GS/s]

Wrong guess in either A or B

4000

A cautionary note about MDPL security

6000

7000

CHES 2007, Vienna

8000



DPA bias

0

1000

B. Gierlichs

2000

3000



- One 4 × 4-bit multiplier comprises 16 AND gates
- DPA against a single AND gate in a parallelized, pipelined, and MDPL protected VLSI circuit

・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・
 ・

9000

10000



- All key guesses which lead to a guess that is incorrect in 1 bit can be rejected without knowledge of α, δ, γ
- We verify that leakage occurs and can be exploited
- Attack next AND gate for further sieving...

A cautionary note about MDPL s

#### So what is the bias $\alpha$ ?

#### We don't know...

- We simulated a gate-level netlist of the PRNG
- Statistical analysis of 1 million output bits shows  $\alpha = 0.5001$
- This is not a bias, let's call  $\alpha$  a deviation

#### • Open questions:

- Does the chip conform to the simulation?
- Is such  $\alpha$  enough to enable our attack strategy?  $\rightarrow$  distinguish  $2\alpha\gamma - 2\alpha\delta + \delta - \gamma$  from 0
- If not: is it possible that our attack unintentionally exploited circuit anomalies?
- Thorough investigation in the near future...

| <□> <四> <回> <回> <回> <回> <回> <回> <回> < |                   |       |              | <日 > < 四 > < 四 > < 回 > < 回 > < 回 > < 回 > 三日 = |                   |       |  |  |
|---------------------------------------|-------------------|-------|--------------|-----------------------------------------------|-------------------|-------|--|--|
| security                              | CHES 2007, Vienna | 16/22 | B. Gierlichs | A cautionary note about MDPL security         | CHES 2007, Vienna | 17/22 |  |  |

Platform Standard Attack Our attack Experi

#### So what is the bias $\alpha$ ?

roduction Attack strategy Experimental results Conclusion

B. Gierlichs

- We don't know...
- We simulated a gate-level netlist of the PRNG
- Statistical analysis of 1 million output bits shows  $\alpha = 0.5001$
- This is not a bias, let's call  $\alpha$  a deviation
- Open questions:
  - Does the chip conform to the simulation'
  - Is such  $\alpha$  enough to enable our attack strategy?  $\rightarrow$  distinguish  $2\alpha\gamma - 2\alpha\delta + \delta - \gamma$  from 0
  - If not: is it possible that our attack unintentionally exploited circuit anomalies?
- Thorough investigation in the near future...

ntroduction Attack strategy Experimental results Conclusion Platform Standard Attack Our attack

#### So what is the bias $\alpha$ ?

- We don't know...
- We simulated a gate-level netlist of the PRNG
- Statistical analysis of 1 million output bits shows  $\alpha = 0.5001$
- This is not a bias, let's call  $\alpha$  a deviation
- Open questions:

B. Gierlichs

- Does the chip conform to the simulation?
- Is such  $\alpha$  enough to enable our attack strategy?  $\rightarrow$  distinguish  $2\alpha\gamma - 2\alpha\delta + \delta - \gamma$  from 0
- If not: is it possible that our attack unintentionally exploited circuit anomalies?
- Thorough investigation in the near future...

A cautionary note about MDPL security

CHES 2007, Vienna

• Statistical analysis of up to 1 million output bits shows



### Introduction Attack strategy Experimental results Conclusion

## Conclusion

- Probabilistic model for the output transition energy of non-linear MDPL gates
- Depends on the bias  $\alpha$  in the source of the randomness
- Output transition energy difference Θ can be exploited
- Requirements for our attack methodology:
  - slight and realistic PRNG "deviations"
  - unbalanced differential routing
  - knowledge about the circuit layout
- Theoretic approach is verified by experimental results based on a prototype chip

# Introduction Attack strategy Experimental results Conclusion Platform Standard Attack Our attack

## Update



- we pick each  $n^{th}$  bit  $\rightarrow$  new distribution, same properties
- for 200k samples we have  $0.4989 \le \alpha \le 0.5011$
- $\rightarrow \alpha$  gains  $\sim$  one order of magnitude
- number of curves is crucial for a successful attack
- attack might not work even for a "good" α, choose a different gate with a better δ γ contrast

B. Gierlichs A cautionary note about MDPL security CHES 2007, Vienna

<ロ> <0</p>

21/22

19/22

Introduction Attack strategy Experimental results Conclusion

B. Gierlichs



## Appendix Bibliography I

T. Popp, S. Mangard: Masked Dual-Rail Pre-charge Logic. In: J. R. Rao and B. Sunar (eds.): Cryptographic Hardware and Embedded Systems – CHES 2005, LNCS 3659, pp. 172–186, Springer, 2005

Bibliography

 Benedikt Gierlichs: DPA-Resistance without routing constraints? In: P. Paillier and I. Verbauwhede (eds.): Cryptographic Hardware and Embedded Systems – CHES 2007, LNCS 4727, pp. 107–120, Springer, 2007

