Resisting side-channel attacks starts with a proper security threat assessment.
In the late nineties, Paul Kocher, Josh Jaffe, and Ben Jun published a paper that caused many across industry sectors to reconsider what cryptographic implementations should look like. They described an exploit wherein an adversary could extract secrets from a device by analyzing the power consumption or electromagnetic emittance from the device when it was executing cryptographic operations. Successful extraction of secrets using this exploit could be done without breaking the cryptographic algorithms that protected the secret data. As an illustration, different bit values in a key result in different bit flips in the electronics, which result in different power consumption or electromagnetic emittance over the duration of the cryptographic operation. Deploying statistical and differential analysis on live or captured power or EM traces could be a powerful “side-channel attack” technique.
The research community started working on effective countermeasures which were picked up predominantly by the smart card industry to protect payment cards, set top box cards, and transportation cards. The ICs in these cards were all comprised of simple MCU designs with rudimentary hardware or software cryptographic algorithm implementations. With the exposed I/O pins on these devices, they were easy and cheap attack targets.
Over the last two decades, research on side-channel attacks resulted in a plethora of countermeasures used or discussed by the semiconductor industry. Hundreds of countermeasure proposals and improvements of existing countermeasure techniques have been published either as intellectual property, or as part of public research papers. In parallel, the side-channel attackers’ toolset and skills have continued to advance, including using deep learning techniques. The anticipated next generation of post-quantum cryptographic algorithms will need side-channel attack resistant implementations as well. All these developments result in the need for continuous investments in more effective and more robust countermeasures.
So, how does one implement side-channel attack countermeasures? A handful of semiconductor vendors with a long history in this domain have the capability to design, implement, test, and validate countermeasures successfully. As one would expect based on the history above, they have been playing a role in the smart card industry for a long time. The easy answer to the question above is “do not try this at home,” but get expert help instead. Many insufficiently strong attempts have failed and have led to compromised devices. The best course of action may be to turn to a party that has a proven track record, the research capabilities, as well as test and validation capabilities in house.
Back to implementing countermeasures. Like any security design, it all starts with the proper security threat assessment. What is the value of assets that your design needs to protect, how reproduceable will a successful attack potentially be, and what are expected to be the skillset and resources of the attackers in mind? Which leads to the next question. How does one quantify how robust the implemented countermeasures actually are? We’ll answer this second question a bit later in this article.
From an implementation standpoint, security architects will be able to choose from a vast number of countermeasure techniques. Which one or ones to select will be the next important question. The first level of defense will be to making your design SPA, or simple power attack, resistant. It is good to know that the execution of asymmetric cipher algorithms, in particular, tend to have different durations based on the value of the key used. One tends to implement an algorithm as efficiently (speed, area, and power consumption) as possible. But especially for asymmetric algorithms like RSA, an “efficient” implementation can expose the exponent used, which is often an important component of a very valuable private key, with little analysis effort or cost. The algorithm must in all cases, where private key material is used, be implemented in such a way that all operations take equal time, regardless of the value of the private key. This is fairly simple and straightforward to do and validate.
Beyond SPA, adversaries increasingly use more powerful attack techniques such as DPA (Differential Power Analysis), DEMA (differential electromagnetic analysis), CPA (correlation power analysis), HA (horizontal attack), TA (template attack), DA (doubling attack), MIA (mutual information analysis), Higher-order, and Machine Learning. All these attacks have in common the capturing of power or electromagnetic information, the so called “trace,” of more than one cryptographic operation.
Today, automation in capture and analysis allows for millions, or even hundreds of millions, of such traces to be captured in real-time and analyzed offline. Differential analysis techniques try to identify correlations between a power (or EM) signature and a particular value of a bit in a key. You can find more background on this topic here. Countermeasures against these side-channel attacks can be divided in the following classes: protocol countermeasures like fresh re-keying, algorithmic countermeasures like threshold implementations, noise countermeasures by inserting dummy or shuffling operations, and circuit or gate-level countermeasures by balancing timing of gate switching.
Many “DPA-resistant” cryptographic hardware or software solutions available for use in semiconductor designs still rely on so called logical blinding and plain masking solutions. Blinding techniques have long been successful in protecting asymmetric cipher algorithms where secret parameters are masked by combining them with one or more random factors. Since asymmetric algorithms involve mathematical operations, the blinding is done in a way that allows successful operation working with the blinded parameters. Plain boolean masking was once a sufficient countermeasure for symmetric cipher algorithms. It involves splitting the secret constants, such as symmetric keys, into multiple randomized parts.
While both blinding and masking are still valuable techniques, these logical operations do not protect against modern-day DPA attacks, are not layout independent, and tend to still reveal secrets in higher order analysis. Luckily for architects in the industry, there are published techniques to overcome the limitations of blinding and masking. LMDPL (LUT-based Masked Dual-Rail with Pre-charge Logic) is an evolution of earlier Dual Rail with Pre-Charge logic techniques that has proven successful on the Advanced Encryption Standard algorithm. Next to LMDPL, other techniques such as DOM (Domain Oriented Masking) also exists. Although these and other techniques are well documented, all of them are still challenging to implement for use in various layouts and CMOS nodes. The wrong combination of countermeasures can lead to less robust protection than properly deploying only individual components and can result in excessive overhead in area and performance if not implemented with great care.
In the end, even the most robust countermeasure needs its actual implementation validated and quantified. Failure to do so will result in unforeseen attack surfaces. If the technique is layout independent, porting the design onto a standard FPGA platform allows efficient testing and analysis of the implemented countermeasures. As said before, it can be challenging to quantify the robustness of a countermeasure. The industry has defined a Test Vector Leakage Analysis (TVLA) technique which is documented as ISO 17825:2016. The TVLA is based on statistical analysis and uses information on the actual algorithms for efficient testing. In a nutshell, a successful TVLA test over a given number of traces ensures that a tested algorithm implementation does not leak any (secret, nor non-secret) information. Successful TVLA testing also ensures customers of the robustness of countermeasures.
Additional Resources:
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply