Hardware Security and Trust

Hardware Security and Trust

License Information

This work is licensed under the Creative Commons BY-NC License

To view a copy of the license, visit:

http://creativecommons.org/licenses/by-nc/3.0/legalcode

Disclaimer

•  We disclaim any warranties or representations as to the accuracy or completeness of this material.

•  Materials are provided “as is” without warranty of any kind, either express or implied, including without

limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement.

•  Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.

Scenario

•  Security is all around…

– Identification, private communication, electronic signature, access control, electronic purse,

digital right management, software protection...

Motivation

•  Hardware security and trust now play critical roles as computing is intimately integrated into many infrastructures that we depend on

•  Hardware Security

– dealing with (secret) data in hardware devices

•  Hardware Trust

Outline

•  Hardware Security

– Side-Channel Attacks – Fault Attacks

– Manufacturing Test Issues

•  Hardware Trust

– Counterfeiting

– Hardware Trojan Horses

HARDWARE SECURITY

•  How to protect a (digital) secret:

– Secure storage of confidential data – Cryptographic capabilities

•  Implementation:

– Crypto algorithms integrated as hardware devices

– E.g., smartcards, crypto-cores, crypto- processors, hardware security module

Scenario

Encryption/Decryption

   Ciphering   ^Cipher

text  Deciphering  

Plaintext Plaintext

•  Algorithms:

Encryption

Decryption

K2

K1

Advanced Encryption Standard (AES) - 2001

AES: Generic HW Implementation

Round  

Plain Text

Controller

Round Register

First  Opera+on  

Last  Opera+on   Round  Key  

Generator  

Motivation

•  Crypto-algorithms very strong, but…

•  New threat: hardware implementation!!

Side Channel Attacks

•  Power

•  Electromagnetic

•  Light

•  …

Test Infrastructures

Fault Attacks

•  Laser

•  Electromagnetic

•  …

Side-Channel Attacks

•  Based on information gained from the non-primary interface of the physical implementation of a cryptosystem

– Timing information – Power consumption

– Electromagnetic leaks – Sound

Side Channel

Simple Power Analysis on RSA

14

Introduction Le TEMPEST Le clavier PS/2 Le RSA Perspectives... Conclusion

Impl´ementation : Exponentiation Modulaire

Input: X, N,

E = (e_k−1, ...,e₁,e₀)₂ Output: Z = X^E mod N

1: Z := 1;

2: for i = k − 1 downto 0

3: Z := Z * Z mod N; – squaring 4: if (e_i = 1) then

5: Z := Z * X mod N; – multiplication 6: end if

7: end for

Square Mutiply Square Square Mutiply Square Square Square

1 0 1 0 0 0

Waveform Operation Key Bits

Figure 6: Principe de la SEMA sur le RSA.

Input: !X, N, K=(k_j-1, …, k₁, k₀)_2!

Output: !Z = X^K mod N!

!

1: !Z = 1;!

2: !for i=j-1 downto 0 {!

3: ! !Z = Z * Z mod N //Square!

4: ! !if (k_i==1) {!

5: ! ! !Z = Z * X mod N //Multiply!

6: ! !}!

7: !}!

Differential Power Analsys

•  Differential Power Analysis (DPA) attacks

– it requires the knowledge of the algorithm but not its physical implementation

– it is cheap and easy to perform

•  The basic idea is to correlate the power consumed by the device and the

encryption data including the key

Power Consumption of CMOS

C V_dd

(a)

(b)

I_dd

IN

IN

OUT

OUT

I_dd

(a) Switching + Through

current

(b) Through

current

Current that flows from Vdd to GND when the p- channel transistor and n-channel transistor turn on

Power attack on XOR gate

D_in

V_dd

D_in

OUT

I_dd

= 0

OUT = 1

Input patterns

•  Target node: output of a gate within the circuit

•  Sequence of input patterns:

–  P₀, P₁, …, P_n

–  T₁(P₀àP₁), T₂(P₁àP₂), ..., T_n(P_n-1àP_n)

•  Logic simulation to create two sets:

–  (PA) transitions that make the target node to

commute from 0 to 1 and therefore that make the target gate to consume

–  (PB) transitions that do not lead the target gate to participate to the power consumed by the circuit

DPA: Basic Principle

•  We classified the two sets in such a way that the set PA always leads to a

component of power consumption that

is not present in the set PB

Average Average

Vectors belonging to PA

DPA: Performing the Attack

•  Target node:

– output of a gate whose value depends on both the plain text under ciphering (primary inputs) and the secret key

•  Basic idea:

– All the key suppositions

– For each key guess, creation of the two sets PA and PB

DPA: Target Node

Input ¹²⁸

128

8 8

f

I₁ I₂

O = f ^(I₁^{, I}₂⁾

Data f

Key O = f (Key, Data) Inputs: T₁, T₂, ..., T₁₂ Key: K_x (8 bits)

T₁ T₂

Average

T₄ T₆ T₈ T₁₂

T₁

0

T₉ T₁

T₇ 1

T₃ T₅ PA)

PB)

T₁ T₄

T₆

T₈ ^T12

T₁

0

T₉ T₁

1

T₇

T₂

T₃ T₅ PA)

PB)

Average

K₁

K_x

...

K₂₅₆

...

PA – PB = PA – PB ≅ 0

T₁ T₄

T₆

T₈

T₁₂

T₁

0

T₉

T₁

1

T₇

T₂ T₃

Average

T₅

PA – PB ≅ 0 PA)

PB)

DPA: Result

Light Emission

Optical detector system

http://www.vvku.eu/cv/efa/background.html

Countermeasures

•  Goal: removing the correlation between

processed data and the physical interface

•  Methods:

– Adding noise (random power consumption, clock jitter, logic masking, random dummy calculations, …)

– Making constant the physical interface (dual logic, triple logic, …)

Motivation

•  Crypto-algorithms very strong, but…

•  New threat: hardware implementation!!

Side Channel Attacks

•  Power

•  Electromagnetic

•  Light

•  …

Test Infrastructures

Fault Attacks

•  Laser

•  Electromagnetic

•  …

Fault Attacks

1 0 1 1 0 0 1 1 …

Encryption

Input Output

Hypothesis: Injection forces a ‘0’

on a single bit of the secret key 1)  C_OK=E(P)

2)  Calculate C’=E(P), while injecting a fault

3)  If C’ = C_OK à target bit is ‘0’

else à target bit is ‘1’

Differential Fault Attacks

D

Hypothesis:

Single-bit fault in byte j

SR(j)

C

D

( M

)

( ^M

^e

)

Fault Attacks

Fault Attacks

30

) ( )

( )

(t n t q v t

I = _S × × _xd

nS(t)= LET(t). e

!l² 4"D(t)!t

!

".D(t).t

( )^3/2

l

#

$

%

%

%% S drain

#

$

%%

%

%%

%

dldS

SEE induced current lower than that collected by a PMOS-BIVS, and (b) the current it collects is lower than the current generating the SEE.

4. Improving BBICS efficiency

From the analyses drawn in section 3, we derived two solutions to improve BBICS efficiency (4.1 and 4.2).

4.1. Use of triple-well CMOS

Modern CMOS technologies generally offer a triple- well option. It consists in embedding the NMOS tran- sistors into P-type well (or Pwell) isolated from the Psubstrate. The Pwell containment is made laterally with Nwell implants and with a deep Nwell implant underneath. The deep Nwell and Nwell are electri- cally connected, both normally biased at 1.2V.

P−substrate

N+

N+ N+

Nwell

DNwell bias (floating) B (gnd)

N+

Pwell

N+ P+

S G

D (1.2V)

laser

Nwell

Nwell

DNwell bias (1.2V) B (gnd)

P−substrate Deep Nwell

Pwell

N+ P+

S G

D (1.2V)

laser Deep Nwell

Nwell

Figure 6: View of the laser induced currents in the Pwell-N⁺ and Pwell-Nwell junctions of a triple-well NMOS: deep Nwell unbiased (top), deep Nwell biased at 1.2V (bottom).

Our assumption was that an NMOS in an iso- lated Pwell will have a similar behavior regarding the SEE currents as a PMOS. For validation purposes, we performed the same measurements on a triple-well NMOS as those done on bulk CMOS transistors (with the same laser settings as reported in 3.1). First we let the deep Nwell unbiased, second we biased it at 1.2V (see respectively the top and bottom parts of Fig. 6). With a floating deep Nwell, a 2.3mA cur- rent flowed through the NMOS drain Pwell-N⁺junc- tion. With the deep Nwell biased at 1.2V, the NMOS

drain junction current diminished to 200µA, whereas a 6mA current flowed through the Pwell-deep Nwell junction. These figures are similar to those of the PMOS. Using triple-well CMOS creates more than an order of magnitude difference between the lower cur- rent contributing to SEE generation and the higher current potentially monitored by a BBICS. On basis of these experiments we recommend the use of triple- well CMOS to obtain an optimal use of BBICS.

4.2. Single BBICS architecture

We also developed a new BBICS architecture well suited for the monitoring of triple-well CMOS logic:

the ’single BBICS’ pictured in Fig. 7. It is de- signed to monitor simultaneously NMOS and PMOS:

itsNMOS bulkandPMOS bulkinputs are respec- tively connected to the corresponding Pwell and Nwell biasing contacts.

out

Gnd Mn4

LVT LVT

LVT

LVT HVT

HVT

HVT HVT HVT

Gnd Mn_reset out_d

reset

HVT Vdd

Mp_reset

outb_d resetb

’1’ => ’0’ ’0’ => ’1’

Vdd

Mp3 Vdd

Gnd Vdd

Gnd Mn1

Gnd

Vdd Mn2 outb

outb_d out_d

Mn_t Mp_t

Mp2 Mp1

Gnd Mn3

Vdd

Gnd Vdd

Mp4

NMOS_bulk

PMOS_bulk

Figure 7: Architecture of the single BBICS.

The core part of the single BBICS is a latch made of two cross-coupled inverters. In monitoring state, nodeoutis at low level while nodeoutbis high. Node outgoes high to indicate the detection of any SEE induced bulk current. The BBICS connection to the Pwell (resp. Nwell) of the monitored NMOS (resp.

PMOS) (nodeNMOS bulk, resp. nodePMOS bulk) is used as a bias contact to Gnd (resp. to Vdd) through the ON transistor Mn4 (resp. Mp4). When a particle hits a monitored sensitive area, the in- duced current (pictured in red) flows through the re- lated PN junction into (resp. from) the correspond- ing input of the single BBICS. A part of this cur- rent charges (resp. discharges) the gate capacitance of transistor Mn3 (resp. Mp3): nodeNMOS bulk’s (resp.PMOS bulk’s) voltage rises (resp. decreases), hence Mn3 (resp. Mp3) passes from OFF to ON state, making the core latch flip. Nodeoutgoes high indicating an SEE detection. Transistors Mn reset 5

Information

Redundancy Detectors

F igure 6.!"#$%!&'()*+,-.-/0/-!1$!-$2*+.-/0/-!-,)/#.*345+/4!6,5-1)!! )*%5-,1*$3!,#+'*1/+15#/!

V.! 7897:;<7=>?

A.!Multi-Level F ault Simulation vs Electrical Simulation

;3! 1'*)! )5@.)/+1*$3! A/! )'$A! 1'/! &/#6$#%,3+/)! $6! 1'/!

&#$&$)/4! %/1'$4B! C/! +$%&,#/! 1'/! /D/+51*$3! 1*%/! $6! 1'/!

%5-1*.-/0/-! )*%5-,1*$3! A*1'! #/)&/+1! 1$! &5#/! E)&*+/!

)*%5-,1*$3B!?*3+/!1'/!1#,3)*/31!+5##/31!4,1,@,)/!*)!2/3/#,1/4!

F5)1!$3/!1*%/!6$#!,--!1'/!)*%5-,1*$3)!6$#!,!2*0/3!-,)/#!@/,%G!

A/! 4*4! 3$1! 1,H/! *31$! ,++$531! 1'/! /D/+51*$3! 1*%/! 6$#! 1'/!

+5##/31!4,1,@,)/!+,-+5-,1*$3B!

C/! ',0/! )/1! 5&! ,! 6,5-1! )*%5-,1*$3! /D&/#*%/31! 6$#! /,+'!

+*#+5*1!1,H/3!6#$%!1'/!+$%@*3,1*$3,-!ISCAS85 @/3+'%,#H)!

,!"# $%&# '&()&!$*+,# -./011# 2&!3%4+56'7# 8&# *!9&3$&"# +#

+5##/31! &5-)/! -,)1*32! I3)! A*1'*3! ,! &.<J?! 1#,3)*)1$#! $6! ,3!

*30/#1/#! )1#5+15#/! *3! 1'/! +*#+5*1B! "$#! /,+'! @/3+'%,#H! A/!

&#$&/#-(! )/-/+1/4! 1'/! *30/#1/#! ,34! 1'/! /3/#2(! $6! 1'/! &5-)/!

)5+'!1',1!*1!%$4*6*/)!1'/!6*3,-!)1,1/!$6!1'/!+*#+5*1B!!

!

! !

F igure 7.!>'/!%5-1*.-/0/-!-,)/#.*345+/4!6,5-1!)*%5-,1*$3!&#$+/))!

!

>,@-/! I! )5%%,#*K/)! 1'/! /D&/#*%/31,-! #/)5-1)B! "$#! /,+'!

@/3+'%,#HG!A/!#/&$#1/4!*1)!)*K/!*3!/L5*0,-/31!2,1/)!,34!1'/!

35%@/#! $6! )*%5-,1/4! 0/+1$#)B! >'/! 3/D1! 1A$! +$-5%3)!

+$%&,#/! 1'/! /D/+51*$3! 1*%/)! $6! 1'/! 6,5-1! )*%5-,1*$3!

@/1A//3! 1'/! %5-1*.-/0/-! ,&&#$,+'! ,34! 1'/! 65--! E)&*+/!

)*%5-,1*$3B! >'/! *3+#/,)/! *3! )&//4! *)! 2*0/3! *3! 1'/! -,)1!

+$-5%3B!;1!#,32/)!6#$%!MNND!6$#!1'/!)%,--/)1!+*#+5*1G!5&!1$!

%$#/! 1',3! OPND! 6$#! 1'/! @*22/)1! @/3+'%,#HB! ?*3+/! 1'/!

/-/+1#*+,-!-/0/-!)*%5-,1*$3!*)!-*%*1/4!1$!,!0/#(!)%,--!&,#1!$6!

1'/! +*#+5*1G! 1'/! -,#2/#! 1'/! +*#+5*1G! 1'/! '*2'/#! 1'/! @/3/6*1! $6!

%5-1*.-/0/-!)*%5-,1*$3B!

T able 2.! :;<&5*4&!$+,#5&'),$'#=>#-?/@?AB#+!"#-./011#

Q*#+5*1)!

!!!!!!!!!"#$%&#'!#()*$+,'#*(! !!-,&.'!/#+&.,'#*(!0/1! !!

%#$%&#'! 2#34! 54%'*$/! 6&.'#78494.!! !:/;#%4! -,%'*$!

%<=>! ??>! @@! AB??C! DDB@E! <EAF!

%<GG! ?==! @@! AB?=>! EGBAD! C@<F!

%?=DD! ?C>! @>! AB?=>! ECB<E! CDDF!

%?GAE! ?CG! EA! AB>>E! ?>GB?>! DCCF!

%EEA! >A<! @@! AB<A<! ??GB>>! >GDF!

%>C@A! >G>! ?=C! >BAD>! =G=B@E! ?G?F!

%=D<A! <@C! ?@?! ?BG?C! C@CB@! =D=F!

%D=?D! CAE! ??=! <B>A<! @ADBAD! ?C@F!

%@DD>! @AD! ?C@! GB<>E! ?=DCBDC! ?<=F!

%C>EE! ?>EC! C=! EB=AE! ?><EB@D! ?DAF!

HA?! =?! ?=! ABA=! C! >AAF!

HA<! <?! ?C! ABA<! DBA=! ?>DF!

H?A! EG! ?>E! ABAG! >DBG@! >EEF!

!

B.!Laser-induced F ault Simulation for Crypto-circuit

?*3+/! 1'/! -,)/#.*345+/4! 6,5-1! *3F/+1*$3! %/1'$4! *)! $61/3!

5)/4! 1$! ,11,+H! 1'/! +#(&1$2#,&'*+! +'*&)G! A/! &/#6$#%/4!

/D&/#*%/31)!$3!,!+*#+5*1!*%&-/%/31*32!,!)*%&-*6*/4!0/#)*$3!

$6!1'/!)1,34,#4!/3+#(&1*$3!,-2$#*1'%!R7?!SMPTB!>'/!+*#+5*1!

*)! +$%&$)/4! $6! 6$5#! ?UJ8/)! ,34! $3/! <*DQ$-5%3)! @-$+H!

,34! A#,&&/4! @(! *3&51! ,34! $51&51! #/2*)1/#)B! >'/! +*#+5*1! *)!

4/)*23/4! *)!4/)*23/4!5)*32!,!C7DBE4#)1,34,#4!+/--!-*@#,#(B!

;3&51!0/+1$#)!,#/!&#$0*4/4!,1!,!MIP<EK!6#/L5/3+(B!

R--! )*%5-,1*=!'# &4),+$&# +# ,+'&5# 2&+4# F*$%# GCE4# '<=$#

)*K/B!>'/!)&$1!+$0/#)!,-%$)1!IN!)1,34,#4!+/--)!,)!)'$A3!*3!

"*25#/!VB!;3!1'/!6$--$A*32G!A/!,))5%/!1',1!1'/!-,)/#!/3/#2(!

',0/!,!53*6$#%!4*)1#*@51*$3!$0/#!1'/!)&$1B!

!

! !

F igure 8.!R))5%/4!-,)/#!)&$1!6$#!6,5-1!,11,+H)!)*%5-,1*$3!

!

C'/3!1'/!*3&51!0,-5/)!,#/!-$,4/4!6$#!?UJ8/)G!1'/!-,)/#!

,11,+H!*)!1#*22/#/4!A*1'!,!4/-,(!$6!INW!+-$+H!&/#*$4!A,*1*32!

6$#!1'/!*3&51!)*23,-)!1$!@/!)1,@-/B!>'/!*--5%*3,1*$3!+$31*35/)!

531*-! 1'/! 3/D1! ,+1*0/! +-$+H! /42/B! E$A/0/#G! ,61/#! 1'/! -,)/#!

)A*1+'/)!$66G!*1)!&>>&3$'#"=!0$#"*'+<<&+5!*%%/4*,1/-(!45/!1$!

1'/!,@)$#&1*$3!$6!&'$1$.2/3/#,1/4!+',#2/)B!>'*)!+,5)/)!1'/!

1#,3)*/31! 6,5-1! &5-)/! 1$! @/! A*4/#! 1',3! 1'/! -,)/#! ,11,+H!

45#,1*$3!X"*25#/!YZB!!!!!!

! !

F igure 9.!>*%*32!)+'/%,1*+!4*,2#,%!$6!-,)/#!*3F/+1*$3!

!

!

Validation via Fault Simulation: tLifting

Laser Detector

•  Basic idea: using inverters to detect laser injections

Vdd _1.0

1.2

Laser spot = 3.25µm Laser power = 1.0w Technology = 90nm ST

0 0.2 0.4 0.6 0.8 1.0 1.2

-10 0 10 20 30

Vdd

‘1’ ‘0’

Laser Detectors

NMOS of INV3 PMOS of

INV0

INV0 INV3

NMOS of INV0

PMOS of INV3

INV0 INV3

1

S_INVP3

0

S_INVN3

0 0.2 0.4 0.6 0.8 1.0 1.2

-10 0 10 20 30

0 0.2

0.4 0.6 0.8 1.0 1.2

-10 0 10 20 30

V_th

V_th

Proposed Solution

…

1

Q

1

…

1

…

1

…

S_INVP3

Legend

S_INVN3

Error Detection Codes

= EDC Output code

prediction Operation

Code calculation

Operation 3 Operation 1

Operation 2

Op.  1*  

Code     Calcula+on  

Code    

Calcula+on   =

Op.  3*  

Op.  2*  

Code    

Calcula+on   =

•  Linear EDC: parity bits

– 1 parity bit for 128 data bits – 1 parity bit for each data byte

– 1 parity bit for each state "column"

– SubByte non linear

Which code ?

Fault Attacks vs Side-Channel

Side-Channel Attacks

Fault Attacks

Test

Infrastructures

Cryptanalysis

Motivation

•  Crypto-algorithms very strong, but…

•  New threat: hardware implementation!!

Side Channel Attacks

•  Power

•  Electromagnetic

•  Light

•  …

Test Infrastructures

Fault Attacks

•  Laser

•  Electromagnetic

•  …

Manufacturing Test

•  Circuit testing is mandatory to guarantee high quality of digital ICs

– Increase controllability and observability

•  On the contrary, security fears testability

– Test infrastructure used for attacks

Scan-based Design

FF

FF

FF

...

... ...

Primary Inputs

Primary Outputs

Observability of all states

... ... Combinational Logic

Scan Enable

Scan In Scan Out

Controllability of all states

Scan-chain attack on AES

•  AES

–  Secure after 10 rounds

•  Hypothesis:

–  Round-register belongs to the scan chain

–  Attacker controls test mode –  Deterministic circuit

–  Other FFs belong to the scan chain

•  Attack:

SubBytes ShiftRows

MixColumns

Key Generation

PlainText – 128 bits

Secret Key 128 bits

b c

d e f a

ScanIn

Register Other FFs

ScanOut

Differential Scan Attack

•  2 vectors per step

•  For each vector:

–  Reset

–  Normal mode, until first round –  Test mode, to

shift out the response

ScanOut SubBytes

ShiftRows MixColumns

Round

Key Generation

Vector 1

CipherText – 128 bits Secret Key

128 bits

b₁ c₁

d₁

e₁ f₁ a₁

ScanIn

Register Other FFs

x₁

Differential Scan Attack

SubBytes ShiftRows

MixColumns Key

Generation

Vector 2

Secret Key 128 bits

b₂ c₂

d₂

e₂ f₂ a₂

f₁ x₁

•  2 vectors per step

•  For each vector:

–  Reset

–  Normal mode, until first round –  Test mode, to

shift out the response

Avoiding other FFs

Register Other FFs

x₂

Register Other FFs

x₁ f₁

f₂

…00000000000… f₁ xor f₂

•  Hypothesis:

–  Other FFs are independent of the plaintext –  Deterministic circuit

–  After one round, they have always the same value

•  Solution: XORing the output response

= e₁ xor e₂

Avoiding other FFs

Register Other FFs

x

Register Other FFs

x₁ f₁

f

•  Hypothesis:

–  Other FFs are independent of the plaintext –  Deterministic circuit

–  After one round, they have always the same value

•  Solution: XORing the output response

SubBytes

ShiftRows

MixColumns

Round

Key Generation

PlainText – 128 bits

CipherText – 128 bits Secret Key

128 bits

b c

d

e f a

Register

Avoiding the chain

•  Position of FFs within the scan chain is not known

•  OutScanChain = array [N]

•  We need a function such that:

•  p = f (OutScanChain)

•  f : array à number

Hamming Distance

S

S S S

MixColumns

(a₁,a₂) ^Constant k

(b₁,b₂)

(b₁, b₁ XOR1)

b₁ = 226 b₁ = 242

Signature Attack

S

S S S

MixColumns

(a₁,a₂) ^Constant

Parity (o₁) XOR Parity (o₂) k

(o₁,o₂)

(a₁,a₂)

P₁₂

(a₃,a₄)

P₃₄

(a₅,a₆)

P₅₆

(a₇,a₈)

P₇₈

SIGNATURE

Signature Table

•  Signature depends on the key guess

•  Signature table consists of the signature for each key

Observed difference Input Pairs

Guessed Key K₁ K₂ K₃ K_N

V₁ V₂ V₃ V_M

P₁₁ P₁₂ P₁₃ P_1M P₂₁ P₂₂ P₂₃ P_2M P₃₁ P₃₂ P₃₃ P_3M P_N1 P_N2 P_N3 P_NM

S

S S S

MixColumns (a₁, a₂)

Parity (HD) k

A Real Threat???

iPhone 4 Pinout Apple TV – Access to JTAG

XBOX 360

Countermeasures

•  Leave the scan chain unbound (fuses)

•  Built-In Self-Test

•  On-chip test comparison

•  Secure Test Access Mechanism

Countermeasures

•  Leave the scan chain unbound (fuses)

•  Built-In Self-Test

•  On-chip test comparison

•  Secure Test Access Mechanism

•  Motivation:

– Avoid scan-based testing – Allow at-speed testing

– Reduced ATE cost

•  But:

– Area overhead ?

Built-In Self-Test (BIST)

•  Confusion

– making the relationship between the key and the ciphertext as complex and involved as

possible

•  Diffusion

– a change in a single bit of the plaintext should result in changing the value of many

ciphertext bits

Properties of Crypto-Algorithms

•  Diffusion

testability:

–  every input bit influences many output bits (i.e. every input bit is in the logic cone of many output bits)

•  the circuit is very observable

–  the input logic cone of every output contains many inputs

•  each fault is highly controllable

•  Therefore these circuits are highly testable

Testability

•  Diffusion and confusion de-correlate the output values from the input ones (both at encryption and round levels)

•  It has been demonstrated that by feeding back the output to the input, the generated output sequence has random properties

[ B. Schneier, Applied Cryptography, Second Ed., John Wiley and Sons, 1996 ]

•  AES/DES better than LFSR (proved by NIST tests)

Randomness

BIST Architecture

Round  

Plain Text

Controller

Internal Register

First  Opera+on  

Last  Opera+on   Round  Key  

Generator   Secret Key

AES Round Testability

MixColumns MixColumns MixColumns MixColumns

S₁ S₂ S₃ S₄ S₅ S₆ S₇ S₈ S₉ ^S10 S₁₁ S₁₂ S₁₃ S₁₄ S₁₅ S₁₆

Faults in ShiftRows, MixColumns,

Addkey, and Register

are also tested by the

200 patterns Sbox Implementations:

- ROM à 256 patterns

- Logic à 200 – 220 patterns

Fault coverage: 100% always before 2400 clock cycles (several keys, several plaintexts)

Countermeasures

•  Leave the scan chain unbound (fuses)

•  Built-In Self-Test

•  On-chip test comparison

•  Secure Test Access Mechanism

On-Chip Test Comparison

ATE  

SCAN OUTs SCAN INs

FUNCTIONAL I/O

SCAN ENABLE

Input  

Pa7erns   Expected  

Responses  

=

Fault/Diagnosis Information

ATE  

SCAN OUT SCAN IN

FUNCTIONAL I/O

SCAN ENABLE

Input  

Pa7erns   Expected  

Responses  

Fault/Diagnosis Information 1

0 1

Sticky Mismatch Comparator

EXPECTED RESPONSE

Results  

pass/fail

Countermeasures

•  Leave the scan chain unbound (fuses)

•  Built-In Self-Test

•  On-chip test comparison

•  Secure Test Access Mechanism

Scan Chain Testing

Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)

Capture (Scan-Enable=0)

#L clock cycles #L clock cycles

Scan Chain Testing

(delay fault testing with Launch On Capture)

Shift In (Scan-Enable=1) Shift Out (Scan-Enable=1)

Capture (Scan-Enable=0)

#L clock cycles #L clock cycles

Secure Test Access Mechanism

•  How to start a test session

–  Additional signal –  Power on

–  Authentication

•  What to do in functional mode

–  e.g., scrambling, avoiding shift mode, spy Flip Flops

•  What to do when switching to test mode

–  e.g., reset FFs

•  What to do in test mode

–  e.g., test key instead of actual secret key

Control

Power off

Normal mode

Functional Mode Normal Mode

Shift mode Test Mode

Secret key Test

key

Test Session Enable Test Session Enable

The smart test controller

CUT

S_en S_in

S_out

Smart Controller OUT_en S_en

S_en S_in

S_out

Attack

Test

[J. Darolt et al., IEEE IOLTS, 2013]

Detection of the test mode

Test Mode Normal Mode Protection Mode

Normal OUT_en = 0 MODE = normal COUNTER = #L

S_en=0

Flushing OUT_en = 0 MODE = test COUNTER -- S_en=1

S_en=0 and COUNTER>0

Stuck-At-Capture OUT_en = 1

MODE = test COUNTER=0 COUNTER=0

Delay-Capture OUT_en = 1 MODE = test COUNTER=0 S_en=0

Shifting OUT_en = 1 MODE = test COUNTER=0

S_en=1 S_en=0

S_en=1

S_en=0

S_en=1 S_en=1

The smart test controller

CUT

S_en S_in

S_out

SecretKey

normal test

KNormal KTest

Smart Controller OUT_en

MODE S_en

S_en S_in

S_out

HARDWARE TRUST

Counterfeiting

•  Counterfeiting of integrated circuits has become a major challenge

– deficiencies in the existing test solutions – lack of low-cost and effective avoidance

mechanisms in place

•  Numbers:

–  $75 billion lost in 2013 (in semiconductors)

–  E.g., 186 million fake mobile phones in 2013

Which is the cause?

•  Complexity of the electronic systems

significantly increased over the past few decades

– To reduce production cost, they are mostly fabricated and assembled globally

•  This globalization has led to an illicit

market willing to undercut the competition

with counterfeit and fake parts

Stories

•  November 8, 2011, the United States Committee on Armed Services held a hearing on an

investigation of counterfeit electronic parts in the defense supply chain

•  The investigation had revealed alarming facts:

materials used to make counterfeit electronic (a.k.a. e-waste) parts are shipped from the

United States and other countries

http://www.industryweek.com/procurement/ticking-time-bomb-counterfeit-electronic-parts

Stories (2)

•  The e-waste is sent to cities like Shantou, China, where:

–  It is disassembled by hand, washed in dirty river water, and dried on the city sidewalk

–  It is sanded down to remove the existing part number or other markings that indicate its quality or

performance

–  False markings are placed on the parts that lead the average person to believe they are new or high-

Stories (3)

The Untrusted Chain

Design Time

Specs Design

IP Tools TechLib

Manufacturing Time

Fabrication Test

Life Time

Distribution Use Life

IP Theft

Netlist / Mask Theft

Overbuilding

Untested Discarded

Counterfeit types: Recycled

•  Electronic component that is recovered from a system and then modified to be misrepresented as a new component.

•  Problems:

–  lower performance –  shorter lifetime

–  damaged component, due to the reclaiming process (removal under very high temperature, aggressive physical removal from boards,

washing, sanding, repackaging, etc.)

Aging Detectors

•  Sensor in the chip to capture the usage of the chip in the field

– It relies on aging effects of MOSFETs to change a ring oscillator frequency in

comparison with the golden one embedded in the chip.

•  Antifuse-based Technology for Recording

Usage Time

Counterfeit types: Remarked

•  Chemically or physically removing the original marking

•  Goal:

–  to drive up a component’s price on the open market –  to make a dissimilar lot

fraudulently appear homogeneous

Counterfeit types: Overproduced

•  Overproduction occurs when foundries sell components outside of contract with the

design house

•  Problems:

– loss in profits for the design and IP owner

– reliability threats since they are often not subjected to the same

Hardware Metering

•  A set of security protocols that enable the design house to achieve the post-

fabrication control of the produced ICs to prevent overproduction

– Physically Unclonable Functions – Post-Manufacturing Activation

– Adding a Finite-State Machine (FSM) which is initially locked and can be unlocked only with the correct sequence of primary inputs

– Logic Encryption

Physically Unclonable Functions

•  Silicon PUFs exploit inherent physical

variations (process variations) that exist in modern integrated circuits

– variations are uncontrollable and

unpredictable, making PUFs suitable for IC identification and authentication

•  Based on:

– Content of SRAMs at power-up

Logic Encryption

E1

E2 E3

Logic Encryption

K1

K2

Counterfeit types: Defective

•  A part is considered defective if it

produces an incorrect response to post- manufacturing tests

•  These parts should be destroyed, downgraded, or otherwise properly disposed of

•  However, if they can be sold on the open markets, either knowingly by an untrusted entity or by a third party

Counterfeit types: Cloned

•  A copy of a design, in order to eliminate the large development cost of a part

•  Methods:

– Reverse engineering, – By obtaining IP illegally

(also called IP theft) – With unauthorized

knowledge transfer from

a person with access to the part design