Leakage analysis checks IP cores against crypto vulnerability
The Athena Group has implemented for its cryptographic IP cores countermeasures against side-channel attacks that it claims have been tested to offer the best protection currently available.
Side-channel attacks, such as differential power analysis, let hackers in physical proximity to a target to extract cryptographic keys and break into the systems to steal sensitive data or reverse engineer encrypted code. Since the emergence of DPA in the late 1990s, circuit designers have sought countermeasures and their use is likely to become mandated in government systems through the FIPS 140-3 standard. However, although a number of countermeasures against side-channel attacks are known, their efficacy depends heavily on implementation.
In 2011, Athena licensed a number of the core countermeasure techniques from Rambus subsidiary Cryptographic Research (CRI) but then tested a variety of circuit implementations synthesized from RTL to determine how well they would be expected to stand up to attacks in practice.
Masking effectiveness
Research by a number of groups has attempted to determine the vulnerability of techniques such as Boolean masking to real-world attacks, which uses random data in calculations to hide the logic transitions that can be used, through changes in Hamming distance, to identify the result of a calculation. Patrick Schaumont’s group at Virginia Tech, for example has published techniques to determine the level of protection masking can achieve at the source-code level. But the Athena team found that circuit-level issues can reveal more information in practice than a source-code level analysis – which tend to assume ideal behavior on the part of the implementation circuitry – will reveal.
Security researchers warn no countermeasure against side-channel attack can be 100 per cent effective. Determined attackers will simply spend more resources to attempt a recovery and use more intensive techniques, such as power and clock upsets, to try to encourage the circuit to reveal information than it should. However, circuit-level countermeasures can push the number of analysis runs needed for a successful attack to such a high number – in the billions – that only the most motivated attacker would pursue.
“You have to look at the risk and consequences together,” said Athena CTO Jonathon Mellot.
Athena chose to employ the test vector leakage assessment (TVLA ) methodology developed by Gilbert Goodwill and colleagues from CRI, developed to overcome the main problem of evaluation-based testing in this field. If the test obtains a key, then the vulnerability of the implementation is known.
“But if it’s unsuccessful, you can’t be confident that a different attack won’t leak out the key,” said Stuart Audley, director of engineering.
TVLA looks at the potential for information leakage in general from an implementation. Athena developed its own testing system to analyze and verify the designs.
Iterative development
“When we started out we just used the simple ideas of masking, but it turns out those straightforward ideas will fail when you analyze them using TVLA. So we had to go through and iterate the designs. Sometimes we had to go back to the drawing board. We had to include our own concepts in addition to masking and now have the best TVLA results that have been announced,” Audley said. “One of the big issues with general masking is glitches. They leak the information even when the mask is being used. This is a big problem with many of the implementations that use countermeasures.”
The countermeasures are implemented in RTL and work with standard flows, Mellot said. The company has tested the cores multiple times on FPGA to ensure that changes in the random seed used for place-and-route and the resulting variation in logic location does not affect information leakage.
Athena has implemented DPA countermeasures for its entire TeraFire product line, which include dedicated AES, SHA, and random-number generator cryptography cores as well as the embedded F5200B security microprocessor, which supports government-recommended Suite B − public key, elliptic curve cryptography (ECC), AES, SHA, and RNG.