Analysis and Mitigation of Process Variation Impacts on Power-Attack Tolerance

1
Analysis and Mitigation of Process Variation Impacts on Power-Attack Tolerance
Lang Lin, Wayne Burleson
Department of Electrical and Computer Engineering, University of Massachusetts Amherst
This work is supported by NSF Grant CNS-0627529, SRC and Intel
2
Embedded Security
  • Embedded system
  • Design metrics: power, performance, area
  • Secure embedded system
  • Trusted Platform Module (TPM): secure key storage
  • Embedded cryptosystem: perform encryption/decryption
  • Security-related metrics: tamper-resistance, anti-counterfeiting, data integrity and confidentiality

System Designer
3
Embedded Security
Adversary
System Designer
4
Side-Channel Attacks
  • Embedded security CANNOT be guaranteed by the
    strength of cryptographic algorithms!
  • Side-channel attacks: the physical implementation of hardware can leak secret information to the adversary

[Figure: side channels of an embedded cryptosystem: electromagnetic radiation; fault injection (temperature, voltage, clock and data corruption); power consumption; execution time]
5
Power Analysis Attack
  • Every computation process is inevitably
    accompanied by an amount of power consumption.
  • Corr(Power, Logic values) > 0
  • Can digital information leak through the power traces?
  • Power Analysis Attack: measure and analyze the data-dependent power traces to extract the secret digital information
  • Simple Power Analysis (SPA): a one-to-one mapping
  • Differential Power Analysis (DPA)
  • Correlation Power Analysis (CPA)

A trace of the power supply current showing how
the power is correlated with the logic values
6
Procedure of DPA attack
Give known plaintexts
Measure power traces
Create a power profile
  • Generate differential power curves (DPCs)
  • Make a key guess
  • Use a selection function (e.g. b2) to group the
    power traces
  • Add and subtract
  • Try all keys to get all DPCs

Extract the key by a peak on the DPCs? (YES / NO)
If YES: report the number of power traces
7
How to tolerate power attacks?
  • Goal: Corr (Power, Logic values) 0
  • Signal-to-noise ratio (SNR) reduction
  • Decrease the data-dependent power (power balancing circuits, e.g. dual-rail logic and differential pair routing)
  • Increase the data-independent power (noise insertion)
  • Drawbacks: power balancing techniques are impractical due to variations; noise can be statistically removed.
  • Time de-synchronization
  • Drawbacks: difficult to implement (the logic functions should not be disturbed) and not always effective.

8
Power-Attack Tolerance: a new security metric
  • Parse the power traces
  • Define the gate-level power-attack tolerance (PAT)
  • SNR of Pdyn and Pleak
  • PAT is the inverse of SNR

[Figure labels: Dynamic power, Data-dependent Power, Active leakage power, Logic Gate, N]
Pdyn: $2^{2N}$ logic transition patterns
Pleak: $2^{N}$ logic combination patterns
9
Process Variations in Deep Submicron
  • Deterministic design metrics become probabilistic
    with process variations
  • Parameters: transistor geometry, interconnect geometry, oxide thickness, doping profile, etc.
  • Assume Gaussian distribution -> analyze the Probability Density Function of design metrics (e.g., power and performance)
  • Intra-die vs. inter-die process variations
  • Process variation impacts on power
  • Leakage power is extremely sensitive
  • Dynamic power is also affected by the transistor size variations
  • Question: What is the impact of process variations on
  • Dynamic Power-Attack Tolerance (DPAT)?
  • Leakage Power-Attack Tolerance (LPAT)?

10
Experimental Setup
  • Goal: find the distribution function of PAT under realistic process variations.
  • Device model: 45nm Predictive Technology Model (www.eas.asu.edu/ptm/)
  • Intra-die process variations: ITRS 2006 reports for 45nm
  • Threshold voltage Vth: 42% variation (3σ)
  • Effective channel length Leff: 12% variation (3σ)
  • Methodology
  • Monte Carlo simulation in SPICE on standard-cell CMOS gate
  • 8000 iterations to achieve accurate curve fitting

11
Probabilistic DPAT and LPAT with Process
Variation
  • Results of PAT distribution function
  • Use Weibull distribution function
  • Asymmetric distribution
  • Parameterized by
  • to mimic other distribution functions
  • Used in reliability and failure analysis

12
Result summary
                          DPAT                   LPAT
                          Vth / Leff variation   Vth / Leff variation
Nominal                   1.23 / 1.23            1.38 / 1.38
µ (PAT)                   1.23 / 1.23            1.25 / 1.30
σ (PAT)                   0.017 / 0.014          0.277 / 0.243
Degradation probability   54% / 55%              66% / 60%

  • Degradation probability: the percentage of PAT less than the nominal value
  • The distributions have different skews relative to the nominal
  • More than 50% of both DPAT and LPAT are degraded due to Vth / Leff variations
  • LPAT has worse degradation probability

13
Process Variation Impact on PAT for
DPA-resistant logic styles
  • Sense Amplifier-Based Logic (SABL)
  • Tolerate power attacks by power balancing circuit with 3-4x design overhead.
  • Ideally infinite PAT, but in reality 10x larger than the PAT of equivalent CMOS gates.
  • Process variation impacts
  • Results: 59-71% degradation probability
  • LPAT degrades even worse, as low as CMOS gates
  • Process variations significantly degrade the PAT of DPA-resistant logic!

14
Case study of DPA
  • How does the process variation impact a
    Differential Power Analysis attack on a
    cryptosystem?
  • Simulation-based DPA
  • Targeting secret information: the 6-bit subkey of the 5th Substitution-box (S-box) during the first round of DES
  • Hspice: simulate the power traces of a DES cryptosystem
  • Perl: manage the power traces and perform the DPA procedure to generate differential power curves (DPCs)
  • Metric for DPA attack: measurement to disclosure (MTD)
  • Number of power traces needed to break a cryptosystem
  • Depends on the cryptosystem implementations
  • Simulation-based DPA attack gives lower MTD than real attacks, due to the noise-free environment
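
Added example (not from the slides, and not the authors' Hspice/Perl flow): a Python simulation of the difference-of-means procedure from slide 6, used to estimate MTD for a low and a high PAT. Assumptions: a constructed S-box instead of the DES table, one-sample traces that leak only the selected bit plus Gaussian noise, PAT taken as sigma/signal, and MTD taken as the first checkpoint after which the correct subkey stays the highest DPC peak.

```python
import random

# Constructed 6-bit -> 4-bit S-box (not the DES table): four rows, each a
# permutation of 0..15, so every output bit is balanced.
_rng = random.Random(2008)
SBOX = [v for _ in range(4) for v in _rng.sample(range(16), 16)]

def sel(p, guess, bit=2):
    """Selection function: output bit `bit` of the S-box for a key guess."""
    return (SBOX[p ^ guess] >> bit) & 1

def simulate(key, n, signal, sigma, seed=1):
    """Constructed single-sample traces: signal * leaked bit + Gaussian noise."""
    r = random.Random(seed)
    traces = []
    for _ in range(n):
        p = r.randrange(64)                      # known 6-bit plaintext chunk
        traces.append((p, signal * sel(p, key) + r.gauss(0.0, sigma)))
    return traces

def mtd(traces, true_key, step=20):
    """First checkpoint after which the correct key stays the highest DPC peak.
    Returns None if the correct key is not on top at the last checkpoint."""
    sums = [[0.0, 0.0] for _ in range(64)]       # per guess: group 0 / group 1
    cnts = [[0, 0] for _ in range(64)]
    last_fail, last_check = 0, 0
    for i, (p, t) in enumerate(traces, 1):
        for g in range(64):                      # try all key guesses
            b = sel(p, g)
            sums[g][b] += t
            cnts[g][b] += 1
        if i % step == 0:
            last_check = i
            # difference of means ("add and subtract") for each key guess
            dpc = [abs(sums[g][1] / max(cnts[g][1], 1)
                       - sums[g][0] / max(cnts[g][0], 1)) for g in range(64)]
            if max(range(64), key=dpc.__getitem__) != true_key:
                last_fail = i
    return None if last_fail == last_check else last_fail + step

if __name__ == "__main__":
    KEY = 0x2B                                   # constructed 6-bit subkey
    for sigma in (0.25, 8.0):                    # PAT = 1/SNR = sigma/signal
        print("PAT", sigma, "MTD", mtd(simulate(KEY, 20000, 1.0, sigma), KEY))
```

Under this model a larger sigma (higher PAT) raises the number of traces needed before the correct subkey stands out, which is why a drop in PAT translates into a lower MTD.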

15
Process Variation Impacts on DPA
  • Validate the MTD distribution
  • Simulate enough power traces to find out the
    correct key
  • Nominal MTD: standard CMOS: 120 power traces
  • SABL: 2300 power traces
  • Given 42% Vth variation, perform Monte Carlo simulation to find the MTD
  • Result: MTD of SABL shows worse degradation probability

[Figure labels: CMOS: 45% degradation (nominal marked); SABL: 57% degradation (nominal marked)]
16
Mitigation: Transistor Sizing Optimization
  • Goals
  • Compensate for PAT uncertainty
  • Increase the mean PAT
  • Fine-grain transistor sizing
  • Set global sizing constraint
  • Find best-case PAT
  • System-level simulation on MTD
  • Resizing for MTD optimization
  • Design optimized; otherwise, run another iteration with reduced sizing constraints
  • Optimization of SABL DES
  • Degradation probability reduced from 57% to 18% (achieved by 4 iterations)
  • 0.9 power / 1.5 area overhead

17
Conclusions
  • Process variations deteriorate the Power-Attack Tolerance (up to 61% for DPAT and 71% for LPAT), and hence facilitate DPA attacks.
  • The advantage of DPA-resistant logic gates (e.g. SABL) is compromised by up to 57%.
  • Selective transistor upsizing in the gate library
    can mitigate the process variation impacts with
    minor design overhead.
  • Future work
  • Design methodology of secure embedded
    systems
  • Evaluate the PAT at different abstraction levels
  • Determine the dominant factors
  • Modify gate library to trade-off security vs.
    overhead
  • Selectively use modified library on critical
    circuits
  • Extension to other side-channels

18
THANK YOU!