Hardware Security and Trust
License Information
This work is licensed under the Creative Commons BY-NC License
To view a copy of the license, visit:
http://creativecommons.org/licenses/by-nc/3.0/legalcode
Disclaimer
• We disclaim any warranties or representations as to the accuracy or completeness of this material.
• Materials are provided “as is” without warranty of any kind, either express or implied, including without
limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement.
• Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.
Scenario
• Security is all around…
– Identification, private communication, electronic signature, access control, electronic purse,
digital right management, software protection...
Motivation
• Hardware security and trust now play critical roles as computing is intimately integrated into many infrastructures that we depend on
• Hardware Security
– dealing with (secret) data in hardware devices
• Hardware Trust
Outline
• Hardware Security
– Side-Channel Attacks – Fault Attacks
– Manufacturing Test Issues
• Hardware Trust
– Counterfeiting
– Hardware Trojan Horses
HARDWARE SECURITY
• How to protect a (digital) secret:
– Secure storage of confidential data – Cryptographic capabilities
• Implementation:
– Crypto algorithms integrated as hardware devices
– E.g., smartcards, crypto-cores, crypto- processors, hardware security module
Scenario
Encryption/Decryption
Ciphering Cipher
text Deciphering
Plaintext Plaintext
• Algorithms:
Encryption
Decryption
K2
K1
Advanced Encryption Standard (AES) - 2001
AES: Generic HW Implementation
Round
Plain Text
Controller
Round Register
First Opera+on
Last Opera+on Round Key
Generator
Motivation
• Crypto-algorithms very strong, but…
• New threat: hardware implementation!!
Side Channel Attacks
• Power
• Electromagnetic
• Light
• …
Test Infrastructures
Fault Attacks
• Laser
• Electromagnetic
• …
Side-Channel Attacks
• Based on information gained from the non-primary interface of the physical implementation of a cryptosystem
– Timing information – Power consumption
– Electromagnetic leaks – Sound
Side Channel
Simple Power Analysis on RSA
14
Introduction Le TEMPEST Le clavier PS/2 Le RSA Perspectives... Conclusion
Impl´ementation : Exponentiation Modulaire
Input: X, N,
E = (ek−1, ...,e1,e0)2 Output: Z = XE mod N
1: Z := 1;
2: for i = k − 1 downto 0
3: Z := Z * Z mod N; – squaring 4: if (ei = 1) then
5: Z := Z * X mod N; – multiplication 6: end if
7: end for
Square Mutiply Square Square Mutiply Square Square Square
1 0 1 0 0 0
Waveform Operation Key Bits
Figure 6: Principe de la SEMA sur le RSA.
Input: !X, N, K=(kj-1, …, k1, k0)2!
Output: !Z = XK mod N!
!
1: !Z = 1;!
2: !for i=j-1 downto 0 {!
3: ! !Z = Z * Z mod N //Square!
4: ! !if (ki==1) {!
5: ! ! !Z = Z * X mod N //Multiply!
6: ! !}!
7: !}!
Differential Power Analsys
• Differential Power Analysis (DPA) attacks
– it requires the knowledge of the algorithm but not its physical implementation
– it is cheap and easy to perform
• The basic idea is to correlate the power consumed by the device and the
encryption data including the key
Power Consumption of CMOS
C Vdd
(a)
(b)
Idd
IN
IN
OUT
OUT
Idd
(a) Switching + Through
current
(b) Through
current
Current that flows from Vdd to GND when the p- channel transistor and n-channel transistor turn on
Power attack on XOR gate
Din
Vdd
Din
OUT
Idd
= 0
OUT = 1
Input patterns
• Target node: output of a gate within the circuit
• Sequence of input patterns:
– P0, P1, …, Pn
– T1(P0àP1), T2(P1àP2), ..., Tn(Pn-1àPn)
• Logic simulation to create two sets:
– (PA) transitions that make the target node to
commute from 0 to 1 and therefore that make the target gate to consume
– (PB) transitions that do not lead the target gate to participate to the power consumed by the circuit
DPA: Basic Principle
• We classified the two sets in such a way that the set PA always leads to a
component of power consumption that
is not present in the set PB
Average Average
Vectors belonging to PA
DPA: Performing the Attack
• Target node:
– output of a gate whose value depends on both the plain text under ciphering (primary inputs) and the secret key
• Basic idea:
– All the key suppositions
– For each key guess, creation of the two sets PA and PB
DPA: Target Node
Input 128
128
8 8
f
I1 I2
O = f (I1, I2)
Data f
Key O = f (Key, Data) Inputs: T1, T2, ..., T12 Key: Kx (8 bits)
T1 T2
Average
T4 T6 T8 T12
T1
0
T9 T1
T7 1
T3 T5 PA)
PB)
T1 T4
T6
T8 T12
T1
0
T9 T1
1
T7
T2
T3 T5 PA)
PB)
Average
K1
Kx
...
K256
...
PA – PB = PA – PB ≅ 0
T1 T4
T6
T8
T12
T1
0
T9
T1
1
T7
T2 T3
Average
T5
PA – PB ≅ 0 PA)
PB)
DPA: Result
Light Emission
Optical detector system
http://www.vvku.eu/cv/efa/background.html
Countermeasures
• Goal: removing the correlation between
processed data and the physical interface
• Methods:
– Adding noise (random power consumption, clock jitter, logic masking, random dummy calculations, …)
– Making constant the physical interface (dual logic, triple logic, …)
Motivation
• Crypto-algorithms very strong, but…
• New threat: hardware implementation!!
Side Channel Attacks
• Power
• Electromagnetic
• Light
• …
Test Infrastructures
Fault Attacks
• Laser
• Electromagnetic
• …
Fault Attacks
1 0 1 1 0 0 1 1 …
Encryption
Input Output
Hypothesis: Injection forces a ‘0’
on a single bit of the secret key 1) COK=E(P)
2) Calculate C’=E(P), while injecting a fault
3) If C’ = COK à target bit is ‘0’
else à target bit is ‘1’
Differential Fault Attacks
D
Hypothesis:
Single-bit fault in byte j
SR(j)
C
!D
SR(j) = SubByte( M
9j)
! SubByte( M
9j !e
j)
Fault Attacks
Fault Attacks
30
) ( )
( )
(t n t q v t
I = S × × xd
nS(t)= LET(t). e
!l2 4"D(t)!t
!
".D(t).t
( )3/2
l
#
$
%
%
%% S drain
#
$
%%
%
%%
%
dldS
SEE induced current lower than that collected by a PMOS-BIVS, and (b) the current it collects is lower than the current generating the SEE.
4. Improving BBICS efficiency
From the analyses drawn in section 3, we derived two solutions to improve BBICS efficiency (4.1 and 4.2).
4.1. Use of triple-well CMOS
Modern CMOS technologies generally offer a triple- well option. It consists in embedding the NMOS tran- sistors into P-type well (or Pwell) isolated from the Psubstrate. The Pwell containment is made laterally with Nwell implants and with a deep Nwell implant underneath. The deep Nwell and Nwell are electri- cally connected, both normally biased at 1.2V.
P−substrate
N+
N+ N+
Nwell
DNwell bias (floating) B (gnd)
N+
Pwell
N+ P+
S G
D (1.2V)
laser
Nwell
Nwell
DNwell bias (1.2V) B (gnd)
P−substrate Deep Nwell
Pwell
N+ P+
S G
D (1.2V)
laser Deep Nwell
Nwell
Figure 6: View of the laser induced currents in the Pwell-N+ and Pwell-Nwell junctions of a triple-well NMOS: deep Nwell unbiased (top), deep Nwell biased at 1.2V (bottom).
Our assumption was that an NMOS in an iso- lated Pwell will have a similar behavior regarding the SEE currents as a PMOS. For validation purposes, we performed the same measurements on a triple-well NMOS as those done on bulk CMOS transistors (with the same laser settings as reported in 3.1). First we let the deep Nwell unbiased, second we biased it at 1.2V (see respectively the top and bottom parts of Fig. 6). With a floating deep Nwell, a 2.3mA cur- rent flowed through the NMOS drain Pwell-N+junc- tion. With the deep Nwell biased at 1.2V, the NMOS
drain junction current diminished to 200µA, whereas a 6mA current flowed through the Pwell-deep Nwell junction. These figures are similar to those of the PMOS. Using triple-well CMOS creates more than an order of magnitude difference between the lower cur- rent contributing to SEE generation and the higher current potentially monitored by a BBICS. On basis of these experiments we recommend the use of triple- well CMOS to obtain an optimal use of BBICS.
4.2. Single BBICS architecture
We also developed a new BBICS architecture well suited for the monitoring of triple-well CMOS logic:
the ’single BBICS’ pictured in Fig. 7. It is de- signed to monitor simultaneously NMOS and PMOS:
itsNMOS bulkandPMOS bulkinputs are respec- tively connected to the corresponding Pwell and Nwell biasing contacts.
out
Gnd Mn4
LVT LVT
LVT
LVT HVT
HVT
HVT HVT HVT
Gnd Mn_reset out_d
reset
HVT Vdd
Mp_reset
outb_d resetb
’1’ => ’0’ ’0’ => ’1’
Vdd
Mp3 Vdd
Gnd Vdd
Gnd Mn1
Gnd
Vdd Mn2 outb
outb_d out_d
Mn_t Mp_t
Mp2 Mp1
Gnd Mn3
Vdd
Gnd Vdd
Mp4
NMOS_bulk
PMOS_bulk
Figure 7: Architecture of the single BBICS.
The core part of the single BBICS is a latch made of two cross-coupled inverters. In monitoring state, nodeoutis at low level while nodeoutbis high. Node outgoes high to indicate the detection of any SEE induced bulk current. The BBICS connection to the Pwell (resp. Nwell) of the monitored NMOS (resp.
PMOS) (nodeNMOS bulk, resp. nodePMOS bulk) is used as a bias contact to Gnd (resp. to Vdd) through the ON transistor Mn4 (resp. Mp4). When a particle hits a monitored sensitive area, the in- duced current (pictured in red) flows through the re- lated PN junction into (resp. from) the correspond- ing input of the single BBICS. A part of this cur- rent charges (resp. discharges) the gate capacitance of transistor Mn3 (resp. Mp3): nodeNMOS bulk’s (resp.PMOS bulk’s) voltage rises (resp. decreases), hence Mn3 (resp. Mp3) passes from OFF to ON state, making the core latch flip. Nodeoutgoes high indicating an SEE detection. Transistors Mn reset 5
Information
Redundancy Detectors
F igure 6.!"#$%!&'()*+,-.-/0/-!1$!-$2*+.-/0/-!-,)/#.*345+/4!6,5-1)!! )*%5-,1*$3!,#+'*1/+15#/!
V.! 7897:;<7=>?
A.!Multi-Level F ault Simulation vs Electrical Simulation
;3! 1'*)! )5@.)/+1*$3! A/! )'$A! 1'/! &/#6$#%,3+/)! $6! 1'/!
&#$&$)/4! %/1'$4B! C/! +$%&,#/! 1'/! /D/+51*$3! 1*%/! $6! 1'/!
%5-1*.-/0/-! )*%5-,1*$3! A*1'! #/)&/+1! 1$! &5#/! E)&*+/!
)*%5-,1*$3B!?*3+/!1'/!1#,3)*/31!+5##/31!4,1,@,)/!*)!2/3/#,1/4!
F5)1!$3/!1*%/!6$#!,--!1'/!)*%5-,1*$3)!6$#!,!2*0/3!-,)/#!@/,%G!
A/! 4*4! 3$1! 1,H/! *31$! ,++$531! 1'/! /D/+51*$3! 1*%/! 6$#! 1'/!
+5##/31!4,1,@,)/!+,-+5-,1*$3B!
C/! ',0/! )/1! 5&! ,! 6,5-1! )*%5-,1*$3! /D&/#*%/31! 6$#! /,+'!
+*#+5*1!1,H/3!6#$%!1'/!+$%@*3,1*$3,-!ISCAS85 @/3+'%,#H)!
,!"# $%&# '&()&!$*+,# -./011# 2&!3%4+56'7# 8&# *!9&3$&"# +#
+5##/31! &5-)/! -,)1*32! I3)! A*1'*3! ,! &.<J?! 1#,3)*)1$#! $6! ,3!
*30/#1/#! )1#5+15#/! *3! 1'/! +*#+5*1B! "$#! /,+'! @/3+'%,#H! A/!
&#$&/#-(! )/-/+1/4! 1'/! *30/#1/#! ,34! 1'/! /3/#2(! $6! 1'/! &5-)/!
)5+'!1',1!*1!%$4*6*/)!1'/!6*3,-!)1,1/!$6!1'/!+*#+5*1B!!
!
! !
F igure 7.!>'/!%5-1*.-/0/-!-,)/#.*345+/4!6,5-1!)*%5-,1*$3!&#$+/))!
!
>,@-/! I! )5%%,#*K/)! 1'/! /D&/#*%/31,-! #/)5-1)B! "$#! /,+'!
@/3+'%,#HG!A/!#/&$#1/4!*1)!)*K/!*3!/L5*0,-/31!2,1/)!,34!1'/!
35%@/#! $6! )*%5-,1/4! 0/+1$#)B! >'/! 3/D1! 1A$! +$-5%3)!
+$%&,#/! 1'/! /D/+51*$3! 1*%/)! $6! 1'/! 6,5-1! )*%5-,1*$3!
@/1A//3! 1'/! %5-1*.-/0/-! ,&&#$,+'! ,34! 1'/! 65--! E)&*+/!
)*%5-,1*$3B! >'/! *3+#/,)/! *3! )&//4! *)! 2*0/3! *3! 1'/! -,)1!
+$-5%3B!;1!#,32/)!6#$%!MNND!6$#!1'/!)%,--/)1!+*#+5*1G!5&!1$!
%$#/! 1',3! OPND! 6$#! 1'/! @*22/)1! @/3+'%,#HB! ?*3+/! 1'/!
/-/+1#*+,-!-/0/-!)*%5-,1*$3!*)!-*%*1/4!1$!,!0/#(!)%,--!&,#1!$6!
1'/! +*#+5*1G! 1'/! -,#2/#! 1'/! +*#+5*1G! 1'/! '*2'/#! 1'/! @/3/6*1! $6!
%5-1*.-/0/-!)*%5-,1*$3B!
T able 2.! :;<&5*4&!$+,#5&'),$'#=>#-?/@?AB#+!"#-./011#
Q*#+5*1)!
!!!!!!!!!"#$%&#'!#()*$+,'#*(! !!-,&.'!/#+&.,'#*(!0/1! !!
%#$%&#'! 2#34! 54%'*$/! 6&.'#78494.!! !:/;#%4! -,%'*$!
%<=>! ??>! @@! AB??C! DDB@E! <EAF!
%<GG! ?==! @@! AB?=>! EGBAD! C@<F!
%?=DD! ?C>! @>! AB?=>! ECB<E! CDDF!
%?GAE! ?CG! EA! AB>>E! ?>GB?>! DCCF!
%EEA! >A<! @@! AB<A<! ??GB>>! >GDF!
%>C@A! >G>! ?=C! >BAD>! =G=B@E! ?G?F!
%=D<A! <@C! ?@?! ?BG?C! C@CB@! =D=F!
%D=?D! CAE! ??=! <B>A<! @ADBAD! ?C@F!
%@DD>! @AD! ?C@! GB<>E! ?=DCBDC! ?<=F!
%C>EE! ?>EC! C=! EB=AE! ?><EB@D! ?DAF!
HA?! =?! ?=! ABA=! C! >AAF!
HA<! <?! ?C! ABA<! DBA=! ?>DF!
H?A! EG! ?>E! ABAG! >DBG@! >EEF!
!
B.!Laser-induced F ault Simulation for Crypto-circuit
?*3+/! 1'/! -,)/#.*345+/4! 6,5-1! *3F/+1*$3! %/1'$4! *)! $61/3!
5)/4! 1$! ,11,+H! 1'/! +#(&1$2#,&'*+! +'*&)G! A/! &/#6$#%/4!
/D&/#*%/31)!$3!,!+*#+5*1!*%&-/%/31*32!,!)*%&-*6*/4!0/#)*$3!
$6!1'/!)1,34,#4!/3+#(&1*$3!,-2$#*1'%!R7?!SMPTB!>'/!+*#+5*1!
*)! +$%&$)/4! $6! 6$5#! ?UJ8/)! ,34! $3/! <*DQ$-5%3)! @-$+H!
,34! A#,&&/4! @(! *3&51! ,34! $51&51! #/2*)1/#)B! >'/! +*#+5*1! *)!
4/)*23/4! *)!4/)*23/4!5)*32!,!C7DBE4#)1,34,#4!+/--!-*@#,#(B!
;3&51!0/+1$#)!,#/!&#$0*4/4!,1!,!MIP<EK!6#/L5/3+(B!
R--! )*%5-,1*=!'# &4),+$&# +# ,+'&5# 2&+4# F*$%# GCE4# '<=$#
)*K/B!>'/!)&$1!+$0/#)!,-%$)1!IN!)1,34,#4!+/--)!,)!)'$A3!*3!
"*25#/!VB!;3!1'/!6$--$A*32G!A/!,))5%/!1',1!1'/!-,)/#!/3/#2(!
',0/!,!53*6$#%!4*)1#*@51*$3!$0/#!1'/!)&$1B!
!
! !
F igure 8.!R))5%/4!-,)/#!)&$1!6$#!6,5-1!,11,+H)!)*%5-,1*$3!
!
C'/3!1'/!*3&51!0,-5/)!,#/!-$,4/4!6$#!?UJ8/)G!1'/!-,)/#!
,11,+H!*)!1#*22/#/4!A*1'!,!4/-,(!$6!INW!+-$+H!&/#*$4!A,*1*32!
6$#!1'/!*3&51!)*23,-)!1$!@/!)1,@-/B!>'/!*--5%*3,1*$3!+$31*35/)!
531*-! 1'/! 3/D1! ,+1*0/! +-$+H! /42/B! E$A/0/#G! ,61/#! 1'/! -,)/#!
)A*1+'/)!$66G!*1)!&>>&3$'#"=!0$#"*'+<<&+5!*%%/4*,1/-(!45/!1$!
1'/!,@)$#&1*$3!$6!&'$1$.2/3/#,1/4!+',#2/)B!>'*)!+,5)/)!1'/!
1#,3)*/31! 6,5-1! &5-)/! 1$! @/! A*4/#! 1',3! 1'/! -,)/#! ,11,+H!
45#,1*$3!X"*25#/!YZB!!!!!!
! !
F igure 9.!>*%*32!)+'/%,1*+!4*,2#,%!$6!-,)/#!*3F/+1*$3!
!
!
Validation via Fault Simulation: tLifting
Laser Detector
• Basic idea: using inverters to detect laser injections
Vdd 1.0
1.2
Laser spot = 3.25µm Laser power = 1.0w Technology = 90nm ST
0 0.2 0.4 0.6 0.8 1.0 1.2
-10 0 10 20 30
Vdd
‘1’ ‘0’
Laser Detectors
NMOS of INV3 PMOS of
INV0
INV0 INV3
NMOS of INV0
PMOS of INV3
INV0 INV3
1
S_INVP3
0
S_INVN3
0 0.2 0.4 0.6 0.8 1.0 1.2
-10 0 10 20 30
0 0.2
0.4 0.6 0.8 1.0 1.2
-10 0 10 20 30
Vth
Vth
Proposed Solution
…
1
Q
1
…
11
…
1
…
S_INVP3
Legend
S_INVN3
Error Detection Codes
= EDC Output code
prediction Operation
Code calculation
Operation 3 Operation 1
Operation 2
Op. 1*
Code Calcula+on
Code
Calcula+on =
Op. 3*
Op. 2*
Code
Calcula+on =
• Linear EDC: parity bits
– 1 parity bit for 128 data bits – 1 parity bit for each data byte
– 1 parity bit for each state "column"
– SubByte non linear
Which code ?
Fault Attacks vs Side-Channel
Side-Channel Attacks
Fault Attacks
Test
Infrastructures
Cryptanalysis
Motivation
• Crypto-algorithms very strong, but…
• New threat: hardware implementation!!
Side Channel Attacks
• Power
• Electromagnetic
• Light
• …
Test Infrastructures
Fault Attacks
• Laser
• Electromagnetic
• …
Manufacturing Test
• Circuit testing is mandatory to guarantee high quality of digital ICs
– Increase controllability and observability
• On the contrary, security fears testability
– Test infrastructure used for attacks
Scan-based Design
FF
FF
FF
...
... ...
Primary Inputs
Primary Outputs
Observability of all states
... ... Combinational Logic
Scan Enable
Scan In Scan Out
Controllability of all states
Scan-chain attack on AES
• AES
– Secure after 10 rounds
• Hypothesis:
– Round-register belongs to the scan chain
– Attacker controls test mode – Deterministic circuit
– Other FFs belong to the scan chain
• Attack:
SubBytes ShiftRows
MixColumns
Key Generation
PlainText – 128 bits
Secret Key 128 bits
b c
d e f a
ScanIn
Register Other FFs
ScanOut
Differential Scan Attack
• 2 vectors per step
• For each vector:
– Reset
– Normal mode, until first round – Test mode, to
shift out the response
ScanOut SubBytes
ShiftRows MixColumns
Round
Key Generation
Vector 1
CipherText – 128 bits Secret Key
128 bits
b1 c1
d1
e1 f1 a1
ScanIn
Register Other FFs
x1
Differential Scan Attack
SubBytes ShiftRows
MixColumns Key
Generation
Vector 2
Secret Key 128 bits
b2 c2
d2
e2 f2 a2
f1 x1
• 2 vectors per step
• For each vector:
– Reset
– Normal mode, until first round – Test mode, to
shift out the response
Avoiding other FFs
Register Other FFs
x2
Register Other FFs
x1 f1
f2
…00000000000… f1 xor f2
• Hypothesis:
– Other FFs are independent of the plaintext – Deterministic circuit
– After one round, they have always the same value
• Solution: XORing the output response
= e1 xor e2
Avoiding other FFs
Register Other FFs
x
Register Other FFs
x1 f1
f
• Hypothesis:
– Other FFs are independent of the plaintext – Deterministic circuit
– After one round, they have always the same value
• Solution: XORing the output response
SubBytes
ShiftRows
MixColumns
Round
Key Generation
PlainText – 128 bits
CipherText – 128 bits Secret Key
128 bits
b c
d
e f a
Register
Avoiding the chain
• Position of FFs within the scan chain is not known
• OutScanChain = array [N]
• We need a function such that:
• p = f (OutScanChain)
• f : array à number
Hamming Distance
S
S S S
MixColumns
(a1,a2) Constant k
(b1,b2)
(b1, b1 XOR1)
b1 = 226 b1 = 242
Signature Attack
S
S S S
MixColumns
(a1,a2) Constant
Parity (o1) XOR Parity (o2) k
(o1,o2)
(a1,a2)
P12
(a3,a4)
P34
(a5,a6)
P56
(a7,a8)
P78
SIGNATURE
Signature Table
• Signature depends on the key guess
• Signature table consists of the signature for each key
Observed difference Input Pairs
Guessed Key K1 K2 K3 KN
V1 V2 V3 VM
P11 P12 P13 P1M P21 P22 P23 P2M P31 P32 P33 P3M PN1 PN2 PN3 PNM
S
S S S
MixColumns (a1, a2)
Parity (HD) k
A Real Threat???
iPhone 4 Pinout Apple TV – Access to JTAG
XBOX 360
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
• Motivation:
– Avoid scan-based testing – Allow at-speed testing
– Reduced ATE cost
• But:
– Area overhead ?
Built-In Self-Test (BIST)
• Confusion
– making the relationship between the key and the ciphertext as complex and involved as
possible
• Diffusion
– a change in a single bit of the plaintext should result in changing the value of many
ciphertext bits
Properties of Crypto-Algorithms
• Diffusion
vstestability:
– every input bit influences many output bits (i.e. every input bit is in the logic cone of many output bits)
• the circuit is very observable
– the input logic cone of every output contains many inputs
• each fault is highly controllable
• Therefore these circuits are highly testable
Testability
• Diffusion and confusion de-correlate the output values from the input ones (both at encryption and round levels)
• It has been demonstrated that by feeding back the output to the input, the generated output sequence has random properties
[ B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996 ]
• AES/DES better than LFSR (proved by NIST tests)
Randomness
BIST Architecture
Round
Plain Text
Controller
Internal Register
First Opera+on
Last Opera+on Round Key
Generator Secret Key
AES Round Testability
MixColumns MixColumns MixColumns MixColumns
S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14 S15 S16
Faults in ShiftRows, MixColumns,
Addkey, and Register
are also tested by the
200 patterns Sbox Implementations:
- ROM à 256 patterns
- Logic à 200 – 220 patterns
Fault coverage: 100% always before 2400 clock cycles (several keys, several plaintexts)
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
On-Chip Test Comparison
ATE
SCAN OUTs SCAN INs
FUNCTIONAL I/O
SCAN ENABLE
Input
Pa7erns Expected
Responses
=
Fault/Diagnosis Information
ATE
SCAN OUT SCAN IN
FUNCTIONAL I/O
SCAN ENABLE
Input
Pa7erns Expected
Responses
Fault/Diagnosis Information 1
0 1
Sticky Mismatch Comparator
EXPECTED RESPONSE
Results
pass/fail
Countermeasures
• Leave the scan chain unbound (fuses)
• Built-In Self-Test
• On-chip test comparison
• Secure Test Access Mechanism
Scan Chain Testing
Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)
Capture (Scan-Enable=0)
#L clock cycles #L clock cycles
Scan Chain Testing
(delay fault testing with Launch On Capture)
Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)
Capture (Scan-Enable=0)
#L clock cycles #L clock cycles
Secure Test Access Mechanism
• How to start a test session
– Additional signal – Power on
– Authentication
• What to do in functional mode
– e.g., scrambling, avoiding shift mode, spy Flip Flops
• What to do when switching to test mode
– e.g., reset FFs
• What to do in test mode
– e.g., test key instead of actual secret key
Control
Power off
Normal mode
Functional Mode Normal Mode
Shift mode Test Mode
Secret key Test
key
Test Session Enable Test Session Enable
The smart test controller
CUT
S_en S_in
S_out
Smart Controller OUT_en S_en
S_en S_in
S_out
Attack
Test
[J. Darolt et al., IEEE IOLTS, 2013]
Detection of the test mode
Test Mode Normal Mode Protection Mode
Normal OUT_en = 0 MODE = normal COUNTER = #L
S_en=0
Flushing OUT_en = 0 MODE = test COUNTER -- S_en=1
S_en=0 and COUNTER>0
Stuck-At-Capture OUT_en = 1
MODE = test COUNTER=0 COUNTER=0
Delay-Capture OUT_en = 1 MODE = test COUNTER=0 S_en=0
Shifting OUT_en = 1 MODE = test COUNTER=0
S_en=1 S_en=0
S_en=1
S_en=0
S_en=1 S_en=1
The smart test controller
CUT
S_en S_in
S_out
SecretKey
normal test
KNormal KTest
Smart Controller OUT_en
MODE S_en
S_en S_in
S_out
HARDWARE TRUST
Counterfeiting
• Counterfeiting of integrated circuits has become a major challenge
– deficiencies in the existing test solutions – lack of low-cost and effective avoidance
mechanisms in place
• Numbers:
– $75 billion lost in 2013 (in semiconductors)
– E.g., 186 million fake mobile phones in 2013
Which is the cause?
• Complexity of the electronic systems
significantly increased over the past few decades
– To reduce production cost, they are mostly fabricated and assembled globally
• This globalization has led to an illicit
market willing to undercut the competition
with counterfeit and fake parts
Stories
• November 8, 2011, the United States Committee on Armed Services held a hearing on an
investigation of counterfeit electronic parts in the defense supply chain
• The investigation had revealed alarming facts:
materials used to make counterfeit electronic (a.k.a. e-waste) parts are shipped from the
United States and other countries
http://www.industryweek.com/procurement/ticking-time-bomb-counterfeit-electronic-parts
Stories (2)
• The e-waste is sent to cities like Shantou, China, where:
– It is disassembled by hand, washed in dirty river water, and dried on the city sidewalk
– It is sanded down to remove the existing part number or other markings that indicate its quality or
performance
– False markings are placed on the parts that lead the average person to believe they are new or high-
Stories (3)
The Untrusted Chain
Design Time
Specs Design
IP Tools TechLib
Manufacturing Time
Fabrication Test
Life Time
Distribution Use Life
IP Theft
Netlist / Mask Theft
Overbuilding
Untested Discarded
Counterfeit types: Recycled
• Electronic component that is recovered from a system and then modified to be misrepresented as a new component.
• Problems:
– lower performance – shorter lifetime
– damaged component, due to the reclaiming process (removal under very high temperature, aggressive physical removal from boards,
washing, sanding, repackaging, etc.)
Aging Detectors
• Sensor in the chip to capture the usage of the chip in the field
– It relies on aging effects of MOSFETs to change a ring oscillator frequency in
comparison with the golden one embedded in the chip.
• Antifuse-based Technology for Recording
Usage Time
Counterfeit types: Remarked
• Chemically or physically removing the original marking
• Goal:
– to drive up a component’s price on the open market – to make a dissimilar lot
fraudulently appear homogeneous
Counterfeit types: Overproduced
• Overproduction occurs when foundries sell components outside of contract with the
design house
• Problems:
– loss in profits for the design and IP owner
– reliability threats since they are often not subjected to the same
Hardware Metering
• A set of security protocols that enable the design house to achieve the post-
fabrication control of the produced ICs to prevent overproduction
– Physically Unclonable Functions – Post-Manufacturing Activation
– Adding a Finite-State Machine (FSM) which is initially locked and can be unlocked only with the correct sequence of primary inputs
– Logic Encryption
Physically Unclonable Functions
• Silicon PUFs exploit inherent physical
variations (process variations) that exist in modern integrated circuits
– variations are uncontrollable and
unpredictable, making PUFs suitable for IC identification and authentication
• Based on:
– Content of SRAMs at power-up
Logic Encryption
E1
E2 E3
Logic Encryption
K1
K2
Counterfeit types: Defective
• A part is considered defective if it
produces an incorrect response to post- manufacturing tests
• These parts should be destroyed, downgraded, or otherwise properly disposed of
• However, if they can be sold on the open markets, either knowingly by an untrusted entity or by a third party
Counterfeit types: Cloned
• A copy of a design, in order to eliminate the large development cost of a part
• Methods:
– Reverse engineering, – By obtaining IP illegally
(also called IP theft) – With unauthorized
knowledge transfer from
a person with access to the part design