### Summary

# <span id="page-0-1"></span>Fault Injection Attacks and Countermeasures in Embedded Processors

Arnaud Tisserand

CNRS, Lab-STICC laboratory

ARCHI'17, Nancy



#### • Introduction

- Cryptographic Background See presentation from Jérémie Detrey for more details
- Side Channel Attacks
- Fault Injection Attacks
- Protections
- Conclusion and References

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 2/88

# [Applications with Security Ne](#page-0-0)eds

<span id="page-0-0"></span>

Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids. . .

Security Aspects





# Cryptographic Features

### Objectives:

- Confidentiality
- Integrity
- Authenticity
- Non-repudiation
- . . .

#### Cryptographic primitives:

- Encryption
- Digital signature
- Hash function
- Random numbers generation
- $\bullet$  . . . .

#### Implementation issues:

- Performances: speed, delay, throughput, latency
- Cost: device (memory, size, weight), low power/energy consumption, design
- Security: protection against attacks

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 6/88

# [Basic Cyphering](#page-1-0)

<span id="page-1-0"></span>Alice wants to secretly send a message to Bob in such a way Eve (eavesdropper/spy) should have **no** information



# Symmetric / Private-Key Cryptography



- A: Alice, B: Bob
- $M:$  plain text/message
- $\&$ : encryption/ciphering algorithm,  $D$ : decryption/deciphering algorithm
- $k$ : secret key to be shared by A and B
- $\mathcal{E}_k(\mathcal{M})$ : encrypted text
- $D_k(\mathcal{E}_k(\mathcal{M}))$ : decrypted text
- $\bullet$   $\mathsf{E}$  : eavesdropper/spy

# Symmetric Cryptography Limitation



Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 9/88

# Asymmetric / Public-Key Cryptography



- $k$ : B's public key (known to everyone including E)
- $\mathcal{E}_k(\mathcal{M})$ : ciphered text
- $\bullet$   $k'$ : B's private key (must be kept secret)
- $\bullet$   ${\mathcal D}_{k'}({\mathcal E}_k({\mathcal M}))$ : deciphered text

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 10/88

# [\[Trapdoor\] One Way Function](#page-2-0)

<span id="page-2-0"></span>One way function:  $f : x \mapsto y = f(x)$ 

- given  $x$ , computing  $y$  is easy
- given  $y$ , computing  $x$  is very hard

Trapdoor one way function:  $f : x \mapsto y = f(x)$ 

- given  $x$ , computing  $y$  is easy
- given  $y$ , computing  $x$  is very hard
- given some (secret) information and  $y$ , computing  $x$  is easy

Example: p and q primes, computing  $n = pq$  is easy but finding  $(p, q)$ knowing just  $n$  is very hard

# Symmetric or Asymmetric Cryptography?

Private-key or symmetric cryptography:

- simple algorithms
	- $\rightarrow$  fast computation
		- $\rightarrow$  limited cost (silicon area, energy)
- **e** requires a key exchange
- $\Theta$  key distribution problem for *n* persons

#### Public-key or asymmetric cryptography:

- **O** no key exchange required
- **O** only 2 keys per person (1 private, 1 public)
- **allows digital signature**
- **O** more complex algorithms
	- slower computation
	- $\rightarrow$  higher cost





Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 13/88





Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 14/88

# [RSA Asymmetric Cryptosystem \(1/](#page-3-0)2)

<span id="page-3-0"></span>Published in 1978 by Ron Rivest, Adi Shamir and Leonard Adlem[an \[](#page-20-0)19]

#### Key generation (Alice side)

- Choose two large prime integers  $p$  and  $q$
- Compute the modulus  $n = pq$
- Compute  $\varphi(n) = (p-1)(q-1)$
- Choose an integer e such that  $1 < e < \varphi(n)$  and  $gcd(e, \varphi(n)) = 1$
- Compute  $d = e 1 \text{ mod } \varphi(n)$
- Private key (kept secret by Alice):  $d$  and also  $p, q, \varphi(n)$
- Public key (published):  $(n, e)$

# RSA Asymmetric Cryptosystem (2/2)

Private key (Alice):  $d$  Public key (all):  $(n, e)$ 

- Encryption (Bob side):
	- convert the message M to an integer  $m$   $(1 \lt m \lt n \text{ and } \gcd(m, n) = 1)$

• compute the cipher text  $c = m^e$  mod n

#### Decryption (Alice side):

- compute  $m = c^d$  mod n
- convert the integer  $m$  to the message M

**Theoretical security:** integer factorization, *i.e.* computing  $(p, q)$  knowing  $n$ , is not possible when  $n$  is large enough

### Modular Exponentiation

Computation of operations such as :  $a^b$  mod n

$$
a^{b} = \underbrace{a \times a \times a \times a \times \ldots \times a \times a \times a}_{a \text{ appears } b \text{ times}}
$$

Order of magnitude of exponents:  $2^{\text{size of exponent}} \rightsquigarrow 2^{1024} \dots 2^{2048} \dots 2^{4096}$ 

Fast exponentiation principle:

$$
a^{b} = (a^{2})^{\frac{b}{2}}
$$
 when *b* is even  
=  $a \times (a^{2})^{\frac{b-1}{2}}$  when *b* is odd

Least significant bit of the exponent:  $bit = 0 \rightsquigarrow$  even and  $bit = 1 \rightsquigarrow$  odd

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 17/88

# Square and Multiply Algorithm

input : a, b, n where  $b = (b_{t-1}b_{t-2}...b_1b_0)$  $\textsf{output}: \hspace{0.2cm} \textit{a}^{\textit{b}} \hspace{0.1cm} \textsf{mod} \hspace{0.1cm} \textit{n}$  $r = 1$ for *i* from 0 to  $t-1$  do if  $b_i = 1$  then  $r = r \cdot a \mod n$ endif  $a = a^2 \mod n$ endfor return  $r$ 

This is the right to left version (there exists a left to right one)

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 18/88

<span id="page-4-0"></span>





# $EMR = Electromagnetic radiation$

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 20/88

# Side Channel Attacks (SCAs) (1/2)

Attack: attempt to find, without any knowledge about the secret:

- the message (or parts of the message)
- informations on the message
- the secret (or parts of the secret)

### "Old style" side channel attacks:



Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 21/88





General principle: measure external parameter(s) on running device in order to deduce internal informations

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 22/88

# [What Should be Measure](#page-5-0)d?

<span id="page-5-0"></span>Answer: everything that can "enter" and/or "get out" in/from the device

- power consumption
- electromagnetic radiation
- temperature
- sound
- computation time
- number of cache misses
- number and type of error messages
- $\bullet$  ...

The measured parameters may provide informations on:

- global behavior (temperature, power, sound...)
- local behavior (EMR,  $#$  cache misses...)

# Power Consumption Analysis

#### General principle:

- 1. measure the current  $i(t)$  in the cryptosystem
- 2. use those measurements to "deduce" secret informations





Source: [11] Kocher, Jaffe and Jun. Differential Power Analysis, Crypto99

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 25/88

Simple Power Analysis (SPA)



### Source: [11]

# Differences & External Signature

An algorithm has a current signature and a time signature:



Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 26/88



Methods: interpretation of the differences in

- control signals
- computation time
- operand values
- $\bullet$  ...

# SPA in Practice

# Limits of the SPA



Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 29/88

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 30/88

Differential Power Analysis (DPA) Example



# Template Attack



Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 31/88

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17

# Differential Power Analysis (DPA)



# Electromagnetic Radiation Analysis (1/2)

General principle: use a probe to measure the EMR



#### EMR measurement:

- global EMR with a large probe
- local EMR with a micro-probe

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 33/88

# Electromagnetic Radiation Analysis (2/2)

EMR analysis methods:

- simple electromagnetic analysis: SEMA
- differential electromagnetic analysis: DEMA

Local EMR analysis may be used to determine internal architecture details, and then select weak parts of the circuit for the attack



 $\rightarrow$  X-Y table

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 34/88

# <span id="page-8-0"></span>protocol level encryption protocol signature etc  $[k]$ P curve level  $ADD(P,Q)$  |  $\parallel$  DBL(P)  $P = DBL(P)$ field level  $x \pm y$   $x \times y$   $\sim$

# [Side Channel Attack on E](#page-8-0)CC



• horizontal/vertical/templates/. . . attacks

### Flip-Flops

There are many types of flip-flops, we will only focus on standard ones





Remark: ↑ is the rising clock edge



# Setup, Hold and Propagation Delays



- setup delay (t<sub>setup</sub>): data should be held steady before clock edge
- **hold** delay  $(t_{hold})$ : data should be held steady *after* clock edge
- propagation delay  $(t_{\text{propag}})$ : propagation time from D to Q

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 37/88

# [Presentation Scope](#page-9-0)

<span id="page-9-0"></span>In this presentation we will only deal with basic fault injection attacks at hardware level (their principles and some state-of-the-art examples)

Not covered topics (even if they are very interesting):

- Denial of Service (DoS)
- (Pure) Software attacks (cache hierarchy, branch prediction, TLB, etc.)
- Fault attacks using "strong" invasive methods (e.g. probing, FIB, very accurate lasers)
- Advanced combinations of faults, observation and mathematical attacks

### Fault Injection Attacks

**Objective:** alter the correct functioning of a system "from outside"

### Fault effects examples:

- modify a value in a register
- modify a value in the memory hierarchy
- modify an address (data location or code location)
- modify a control signal (e.g. status flag, branch direction)
- skip/modify the instruction decoding
- delay/advance propagation of internal control signals
- etc.

#### Also called perturbation attacks

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 38/88

### Fault Targets in a Toy Code

- 100 integer length = 64
- 101 huser = hash(read keyboard(), length)
- 102 href = get hash reference password()
- 103 if equal(href, huser) then
- 104 secure code()
- 105 else
- 106 error("unauthorized access")
- 107 exit()
- 108 other secure code()

### Fault Injection Techniques

#### Typical techniques:

- perturbation in the power supply voltage
- perturbation of the clock signal
- temperature (over/under-heating the chip)
- radiation or electromagnetic (EM) disturbances
- exposing the chip to intense lights or beams
- etc

#### Accuracy:

- time: part of clock cycle, clock cycle, code block (instruction sequence)
- space: gate, block, unit, core, chip, package
- value: set to a specific value, bit flip, stuck-at 0 or 1, random modification

# Perturbation on the Power Supply

### Principle:



- Nominal power supply (e.g.  $\approx$  [0.7, 1.2] V for current technologies)
- Non-nominal constant power supply (e.g. 0.7 V instead of 1.2 V)
- Glitches (dips, spikes) in the power supply at some selected moments

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 42/88

### [Under Powering Example](#page-10-0)

<span id="page-10-0"></span>Source[:](#page-20-2) paper [22] presented at EDCC 2008 conference

**Setup:** 130 nm smart card (1.2 V nominal  $V_{DD}$ ) with AES crypto-processor

**Measurement campaign:** triples (msg, key, cypher) recorded for 100  $V_{\text{DD}}$ in [775, 825] mV over 20,000 encryptions with comparison to a (RTL) simulation for one byte corruption in the state matrix at various rounds



Observed behavior is compatible with setup violation model on a critical path (bell shape due to only one or multiple paths)



More details in 2010 PhD thesis [21]

# Simple Power Glitch Generator

Dips in the power supply can be "easily" generated by a short circuit between the power lines  $V_{\text{DD}}$  and GND using a transistor (e.g. MOSFET)



See example in IACR Eprint article [13] (attack on 8-bit AVR microcontroller)

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 45/88

## Power Glitching Example

Source: FDTC 2008 conference paper [20]

Setup: AVR microcontroller with RSA implementation



Attack result: a power glitch causes to skip some instruction Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 46/88

[Perturbation on the External Clo](#page-11-0)ck

### <span id="page-11-0"></span>Princ[ipl](#page-20-3)e:



- Normal clock (at a given frequency, duty cycle  $\approx 50\%)$
- Clock with a modified duty cycle
- Glitched clock
- Etc.

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 47/88

# Glitchy Clock Generation Example

Source: paper [8] published in J. Crypto. Eng. 2011

Setup: Virtex-II Pro FPGA (on SASEBO card) used to generate a "glitchy" clock for several programmable time parameters



Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 48/88

Fig. 5. Waveforms of glitchy-clock cycles for different glitch widths.

# Clock Glitch Attack Example

Source: paper [1] presented at FDTC 2011 conference

Setup: AVR ATMega 163 microcontroller @ 1MHz





Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 49/88



Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 50/88

**[Temperature](#page-12-0)** 

<span id="page-12-0"></span>Temperature can be used for two types of attacks:

- as a fault injection method
	- $\rightsquigarrow$  temperature impacts current in the circuit (blocks)
- as a side channel for analysis
	- $\rightsquigarrow$  current in the circuit (blocks) impacts chip temperature

#### Limits:

- Very slow variations (e.g. leakage @ bit/minute)
- Very coarse space accuracy

### Temperature Attacks Examples

Source: article [9] presented at CARDIS 2013 conference

Setup: ATMega162 microcontroller, PT100 thermometer circuit (100 ms) response time and 0.01 ◦C resolution), RSA implementation



Fig. 4: Slow temperature increase of all Fig. 5: The ATmega162 leaks the Ham-Hamming weights that are processed by ming weight of all 256 possible intermedithe ATmega162. ate values through the temperature.

# Temperature Effect on Memory

Heating the MCU around 150–160 °C  $\implies$  around 100 faults are injected during RSA decryptions (every 650 ms during 70 minutes), where about 31 can be exploited to guess secret bits of the exponent





Fig. 6: Heating plate with two PT100 sen- Fig. 7: Distribution of fault occurrence sors measuring the rear-side and front-side between 150 and  $160^{\circ}$ C. Mean faulttemperature of an ATmega162.

induction temperature is  $154.4\,^{\circ}\text{C}$ .

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 53/88

CACM vol 52, n 5, 2009, page 93 Figure 3: Visualizing memory decay. We loaded a bitmap image into memory on test machine A, then cut power for varying intervals. After 5s (left), the image is nearly indistinguishable from the original; it gradually becomes more degraded, as shown after 30, 60s, and 5 min. The chips remained close to room temperature. Even after this longest trial, traces of the original remain. The decay shows prominent patterns caused by regions with alternating ground states (horizontal bars) and by physical variations in the chip (fainter vertical bands).



By cooling (freezing) the memory, it can be read a "long" time after powering off the circuit

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 54/88

### [Electromagnetic Perturbation](#page-13-0)s

### <span id="page-13-0"></span>Principle:



- large antenna
- micro-antenna with motorized (X,Y,Z) stage/table

### Electromagnetic Attack Example

Source: article [12] presented at FDTC 2013 conference

Setup: 32-b Cortex-M3 ARM microprocessor (CMOS 130 nm SoC at 56 MHz), magnetic antenna with pulses in [-200, 200] V and [10, 200] ns



#### Loaded value: 12345678



### Principle:



- large illuminated area (flash light with microscope)
- small "spot" (laser with variable locations)

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 57/88

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 58/88

# [Differential Fault Anal](#page-14-0)ysis

<span id="page-14-0"></span>Most of time, exploiting only one fault does not provide enough information

- Accurately injecting fault is difficult
- The fault causes a few perturbations

Then, use statistical correlation(s)

### Safe Error Attack

Principle: exploit the link (or the lack of link) between injected fault(s) during "useful" (or "useless") operations and the final result



## Safe Error Attack Example in Asymmetric Crypto



#### Useless or dummy operations are a bad idea

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 61/88

Fault Attack Example: Bit Flip on RSA Decryption



- choose a plaintext message  $M$
- encrypt M into  $\mathcal{C} = \mathcal{E}_{k}(\mathcal{M})$
- inject a fault by fliping  $d_i$  for a random i (d is the secret key)

\n- compute 
$$
\frac{\overline{M}}{\overline{M}} = \frac{c^{2^i \overline{d_i}}}{c^{2^i \overline{d_i}}}
$$
\n- test:  $\overline{M} = \frac{1}{c^{2^i}}$  mod  $N \implies d_i = 1$
\n- $\overline{M} = c^{2^i}$  mod  $N \implies d_i = 0$
\n

• retry for several  $i \implies$  get small parts of d, then mathematical attacks)

#### Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 62/88

### Countermeasures

#### Principles for preventing attacks:

- embed additional protection blocks
- modify the original circuit into a secured version
- application levels: circuit, architecture, algorithm, protocol...

#### Countermeasures:

- electrical shielding
- detectors, estimators, decoupling
- use uniform computation durations and power consumption
- use detection/correction codes (for fault injection attacks)
- provide a random behavior (algorithms, representation, operations. . . )
- add noise (e.g. masking, useless instructions/computations)
- circuit reconfiguration (algorithms, block location, representation of values. . . )

Many other fault attacks. . .

# Low-Level Coding and Circuit Activity

#### Assumptions:

- *b* is a bit (i.e.  $b \in \{0, 1\}$ , logical or mathematical value)
- electrical states for a wire  $\longrightarrow$  :  $V_{\text{DD}}$  (logical 1) or GND (logical 0)

#### Low-level codings of a bit:





Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 65/88

# Circuit Logic Styles

Countermeasure principles: uniformize circuit activity and exclusive coding

### Solution based on precharge logic and dual-rail coding:



Solution based on validity line and dual-rail coding:



### Important overhead: silicon area and local storage (registers) Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 66/88

Protected Multipliers

# [Countermeasure: Architecture](#page-16-0)

#### <span id="page-16-0"></span>Increase internal parallelism:

- replace one fast but big operator
- by several instances of a small but slow one





References: PhD D. Pamula [14] Articles: [17], [16], [15]





Warning: old dedicated accelerator (similar behavior is expected for our new one) Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 69/88

# Circuit-Level Protections for Arithmetic Operators



References: [6] and [7]

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 70/88

<span id="page-17-0"></span>

[Accelerator Specifications](#page-17-0)

- - $\triangleright$  low energy (& power consumption)
	- $\blacktriangleright$  large area used at each clock cycle
	- $\blacktriangleright$  curves, algorithms, representations (points/elements),  $k$  recoding, ...
	-



**Data:** w-bit  $(32, \ldots, 128)$  except for k digits, **control:** a few bits per unit Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 72/88

# Accelerator Architecture

## Register File ( $\approx$  Dual Port Memory)



Control signals: addresses (port A, port B), read/write, write enable

Specific addressing model for  $GF(q)$  elements (through an intermediate address table with hardware loop)

- linear addresses, SW: LOAD  $\mathbb{Q} \times \implies$  HW: loop  $x[0], x[1], \ldots, x[\ell 1]$
- randomized addresses
- Arnaud Tisserand. CNRS Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 73/88

## Key Management Unit



- On-the-fly recoding of k: binary,  $\lambda$ -NAF ( $\lambda \in \{2, 3, 4, 5\}$ ), variants (fixed/sliding), double-base [4] and multiple-base [5] number systems (w/wo randomization), addition chains [18], other ?
- Specific private path in the interconnect (no key leaks in RF or FUs)

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 74/88

# [Arithmetic Level Countermeasure](#page-18-0)s

<span id="page-18-0"></span>Redundant number system  $=$ 

- a way to improve the performance of some operations
- a way to represent a value with different representations



**Important property:**  $\forall i \quad [R_i(k)]$ **P** = [k]**P** 

Proposed solution: use [ran](#page-19-2)dom redundant repre[sen](#page-19-3)tations of k

### Double-Base Number System

Standard radix-2 representation:

k = Xt−1 i=0 ki2 <sup>i</sup> = kt−<sup>1</sup> 2 t−1 kt−<sup>2</sup> 2 t−2 . . . . . . k2 2 2 k1 2 1 k0 2 0 t explicit digits implicit weights

Digits:  $k_i \in \{0, 1\}$ , typical size:  $t \in \{160, ..., 600\}$ 

### Double-Base Number System (DBNS):



$$
a_j, b_j \in \mathbb{N}, \quad k_j \in \{1\} \text{ or } k_j \in \{-1, 1\}, \quad \text{size } n \approx \log t
$$

DBNS is a very redundant and sparse representation:  $1701 = (11010100101)_2$ 



### Randomized DBNS Recoding of the Scalar k



Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 77/88

# <span id="page-19-4"></span>Resources: C[onferences, W](#page-19-4)orkshops, Journals, etc

- [International Association for Cryptologic Research \(IAC](http://www.iacr.org/)R) Eprint Archives
- [ACM Special Interest Group on Security, Audit and Control \(SIGSAC](http://www.sigsac.org/))
- [IEEE Computer Society's Technical Committee on Security and](http://www.ieee-security.org/) Privacy (TCSP)
- <span id="page-19-2"></span>• [French](http://www.ieee-security.org/) national working group on Code & Crypto (C2) of the GDR IM
- [French national working group on Security of Embedded Systems of](https://crypto.di.ens.fr/c2:main) [the GDR SoC-SiP](http://www2.lirmm.fr/journees_securite/)
- <span id="page-19-3"></span>• [Conferenc](http://www2.lirmm.fr/journees_securite/)es, workshops: CHES, FDTC, COSADE, CARDIS, CryptArchi ...
- <span id="page-19-1"></span><span id="page-19-0"></span>• [J](http://labh-curien.univ-st-etienne.fr/cryptarchi/)ournals: Journa[l of Cry](http://www.chesworkshop.org/)[ptograph](#page-0-1)i[c Engineerin](https://cosade.telecom-paristech.fr/)[g, IEEE Tr](https://www.cardis.org/)ans. on [Computers, Circuits and Systems, VLSI Sy](http://link.springer.com/journal/13389)stems, . . ..

# Conclusion

- Side channel and fault attacks are serious threats
- Attacks are more and more efficient (many variants)
- Security analysis is mandatory at all levels (specification, algorithm, operation, implementation)
- Security  $=$  trade-off between performances, robustness and cost
- Security  $=$  func( secret value, attacker capabilities )
- security  $=$  computer science  $+$  microelectronics  $+$  mathematics

### Current works examples:

- Methods/tools for automating security analysis
- Circuit reconfiguration (representations, algorithms)
- Circuits with reduced activity variations
- Representation of numbers with error detection/correction "codes"
- Design space exploration
- CAD tools with security improvement capabilities

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 78/88

### References I

Surveys: Proc. IEEE 2006 [2], Proc. IEEE 2012 [3], IEEE TVLSI 2013 [10]

- [1] J. Balasch, B. Gierlichs, and I. Verbauwhede. An in-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In Proc. 8th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 105–114, Nara, Japan, September 2011. IEEE.
- [2] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Proceedings of the IEEE, 94(2):370–382, February 2006.
- [3] A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache. Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proceedings of the IEEE, 100(11):3056–3076, November 2012.
- [4] T. Chabrier, D. Pamula, and A. Tisserand. Hardware implementation of DBNS recoding for ECC processor. In Proc. 44rd Asilomar Conference on Signals, Systems and Computers, pages 1129–1133, Pacific Grove, California, U.S.A., November 2010. IEEE.
- [5] T. Chabrier and A. Tisserand. On-the-fly multi-base recoding for ECC scalar multiplication without pre-computations. In A. Nannarelli, P.-M. Seidel, and P. T. P. Tang, editors, Proc. 21st Symposium on Computer Arithmetic (ARITH), pages 219–228, Austin, TX, U.S.A, April 2013. IEEE Computer Society.
- [6] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Robust sub-powered asynchronous logic. In J. Becker and M. R. Adrover, editors, Proc. 24th International Workshop on Power and Timing Modeling, Optimization and Simulation (PATMOS), pages 1–7, Palma de Mallorca, Spain, September 2014. IEEE.
- [7] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Asynchronous charge sharing power consistent Montgomery multiplier. In J. Sparso and E Yahya, editors, Proc. 21st IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC), pages 132–138, Mountain View, California, USA, May 2015.

### References II

- [8] S. Endo, T. Sugawara, N. Homma, T. Aoki, and A. Satoh. An on-chip glitchy-clock generator for testing fault injection attacks. Journal of Cryptographic Engineering, 1(4):265–270, December 2011.
- [9] M. Hutter and J.-M. Schmidt. The temperature side channel and heating fault attacks. In A. Francillon and P. Rohatgi, editors, Proc. 12th International Conference on Smart Card Research and Advanced Applications (CARDIS), volume 8419 of LNCS, pages 219–235, Berlin, Germany, November 2013.
- [10] D. Karaklajic, J.-M. Schmidt, and I. Verbauwhede. Hardware designer's guide to fault attacks. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 21(12):2295–2306, December 2013.
- [11] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis.

In Proc. Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388–397. Springer, August 1999.

- [12] N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, and E. Encrenaz. Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller. In Proc. 10th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 77–88, Santa Barbara, CA, USA, August 2013. IEEE.
- [13] C. O'Flynn. Fault injection using crowbars on embedded systems. Technical Report 810, IACR Cryptology ePrint Archive, August 2016.
- [14] D. Pamula. Arithmetic Operators on GF(2<sup>m</sup>) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs. Phd thesis, University of Rennes 1 and Silesian University of Technology, December 2012.
- [15] D. Pamula, E. Hrynkiewicz, and A. Tisserand. Analysis of GF(2<sup>233</sup>) multipliers regarding elliptic curve cryptosystem applications. In 11th IFAC/IEEE International Conference on Programmable Devices and Embedded Systems (PDeS), pages 271–276, Brno, Czech Republic, May 2012.

Arnaud Tisserand. CNRS-Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 81/88

## References III

- [16] D. Pamula and A. Tisserand. GF(2<sup>m</sup>) finite-field multipliers with reduced activity variations. In 4th International Workshop on the Arithmetic of Finite Fields, volume 7369 of LNCS, pages 152–167, Bochum, Germany, July 2012. Springer.
- [17] D. Pamula and A. Tisserand. Fast and secure finite field multipliers. In Proc. 18th Euromicro Conference on Digital System Design (DSD), pages 653–660, Madeira, Portugal, August 2015.
- [18] J. Proy, N. Veyrat-Charvillon, A. Tisserand, and N. Melon Full hardware implementation of short addition chains recoding for ECC scalar multiplication. In Actes Conférence d'informatique en Parallélisme, Architecture et Système (ComPAS), Lille, France, June 2015.
- [19] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
- [20] J. Schmidt and C. Herbst. A practical fault attack on square and multiply. In Proc. 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 53–58, Washington, DC, USA, August 2008. IEEE.
- [21] N. Selmane. Attaques en fautes globales et locales sur les cryptoprocesseurs AES : mise en œuvre et contremesures Phd thesis, Télécom ParisTech, December 2010.
- [22] N. Selmane, S. Guilley, and J.-L. Danger. Practical setup time violation attacks on AES. In Proc. 7th European Dependable Computing Conference (EDCC), Kaunas, Lithuania, 2008.

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 82/88

# Good Books (in French)

<span id="page-20-3"></span>Histoire des codes secrets Simon Singh 1999 Livre de poche



<span id="page-20-5"></span><span id="page-20-4"></span><span id="page-20-2"></span><span id="page-20-1"></span><span id="page-20-0"></span>

Mathématiques, espionnage et piratage informatique Joan Gomez 2010 Le monde est mathématique, RBA

# Good Books (in French)

Cryptographie appliquée Bruce Schneier 1997, 2ème édition **Wiley** ISBN: 2–84180–036–9





Cours de cryptographie Gilles Zémor 2000 Cassini ISBN: 2–84225–020–6

# Good Books (in French)







Micro et nano-électronique Bases, Composants, Circuits Hervé Fanet 2006 Dunod ISBN: 2–10–049141–5

#### Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 85/88

Arnaud Tisserand. CNRS – Lab-STICC. Fault Injection Attacks and Countermeasures in Embedded Processors, ARCHI'17 86/88

Good Books (in English)

Handbook of Applied Cryptography Alfred J. Menezes, Paul C. van Oorschot and [Scott A. Vanstone](mailto:arnaud.tisserand@univ-ubs.fr) 2001 [CRC Press](http://www-labsticc.univ-ubs.fr/~tisseran)

Web: http://cacr.uwaterloo.ca/hac/

ISBN:0-8493-8523-7



Good Books (in English)

CMOS VLSI Design A Circuits and Systems Perspective Neil Weste and David Harris 3rd edition, 2004 Addison Wesley ISBN: 0–321–14901–7



Power Analysis Attacks



## Revealing the Secrets of Smart Cards Stefan Mangard, Elisabeth Oswald and Thomas Popp 2007 Springer ISBN:978-0-387-30857-9

The end, questions ?

#### Contact:

- mailto:arnaud.tisserand@univ-ubs.fr
- http://www-labsticc.univ-ubs.fr/~tisseran
- CNRS, Lab-STICC Laboratory University South Brittany (UBS), Centre de recherche C. Huygens, rue St Maudé, BP 92116, 56321 Lorient cedex, France