Static power SCA of sub-100 nm CMOS ASICs and the insecurity of masking schemes in low-noise environments. Is it visible? Thank you very much for the nice introduction, and hello to everyone. So this is another talk about static power side-channel analysis. In this case we do not analyze how aging makes such attacks more difficult, but how downscaling the technology actually makes them more dangerous in smaller technology nodes. To this end we have developed two prototypes. One is the same chip that was analyzed in the previous talk, a 65-nanometer chip, and the other one is a 90-nanometer chip. One of the two chips can be seen at the top of the slide. We compare the two chips regarding their leakage and their security on silicon, and afterwards I talk about the implications this development of the static power side channel has for masking schemes on silicon.

Okay, I will keep the introduction quite short because Amir already introduced most of the topics. So what is known about static power side-channel analysis? First of all, CMOS logic gates as well as memory elements have a severely data-dependent static power consumption. In every standard-cell library you find characterization information on how much current a certain gate leaks for which input. These leakage currents get significantly larger when downscaling the physical feature size. As Amir said, the static power is not necessarily overtaking the dynamic power consumption, but it is definitely getting larger; most of the currents grow exponentially, up to a certain degree. And of course this makes attacks much more feasible in the smaller technologies. First practical attacks have been presented at CHES 2014 for FPGA platforms and at DATE 2015 and 2017 for ASIC platforms. The important point is that when an attacker obtains clock control, he can measure the static currents to almost arbitrary precision, because the leakage is a persistent effect.
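To illustrate why this persistence matters, here is a minimal numpy sketch (all numbers invented, not taken from our measurements): the error of an averaged static-current estimate shrinks roughly like 1/√n with the number of samples n.

```python
import numpy as np

rng = np.random.default_rng(0)

true_current = 96e-6   # hypothetical DC leakage level (96 uA)
noise_std = 5e-6       # made-up electronic/measurement noise

def estimate_current(n_samples):
    """Average n samples of a persistent (static) signal buried in noise."""
    samples = true_current + rng.normal(0.0, noise_std, n_samples)
    return samples.mean()

# Because the leakage is static, the attacker may sample as long as desired;
# the estimation error shrinks roughly like noise_std / sqrt(n).
for n in (1, 100, 10_000, 1_000_000):
    err = abs(estimate_current(n) - true_current)
    print(f"n = {n:>9}: error = {err:.3e} A")
```

With clock control on a real device, "n samples" simply means keeping the circuit frozen in one state while the scope keeps integrating.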
I can measure it as long as I want, I can average out all the electronic and measurement noise, and I can achieve measurements with a very low noise influence. The other thing, which so far has only been shown on a very old technology, is that control over the operating conditions, i.e. the temperature and the supply voltage, significantly enhances the attacker's ability to extract secrets and extract information; even though it accelerates device aging, it still pays off.

To perform such attacks you need a dedicated measurement setup. It is the same one you have seen in pictures in the previous talk; here is just a schematic. You have a climate chamber, here set to 90 degrees Celsius and a relative humidity of 10%. Inside the climate chamber we have a measurement board with the mounted ASIC on it, and in the VDD path of the ASIC's power supply we have a shunt resistor. We measure the voltage drop over this shunt resistor with our DC amplifier; the output of the DC amplifier goes into a low-pass filter and finally into the scope. A sample measurement would, for example, look like this. We are really only interested in the DC shift, so every variation during the measurement period is pure noise. Further measurements may look like this, or this, or this. So this is what you see when you look at the scope and take measurements for different plaintexts, for different inputs.

Now to the ASICs that we have used. Here are the two layouts, on the left side from the 65-nanometer ASIC and on the right side from the 90-nanometer ASIC. Both have been derived from exactly identical RTL code and implemented using the exact same design procedure, and both are two by two millimeters in size. Of course, due to the larger cell size of the 90-nanometer cells, the core area of the 90-nanometer chip is a bit larger.
You can see that if you look closely, and also the utilization, so the density of standard cells, is larger on the 90-nanometer chip, but that should not affect our comparison, as it should not affect the static power consumption.

Okay, as a first step we evaluate the influence of the operating conditions on our chips. As a first preliminary test we chose an instance that is nothing crypto, just some register stuff: a 1024-bit high-fan-out input register, which we fill completely either with zeros or with ones. Then we measure the static power consumption and see whether we can distinguish those measurements. It is a high-fan-out register because the cells, the 1024 flip-flops, have an average fan-out of 11. One bit, for example, looks like this: I put a zero at its input, I clock once, and the output goes to 11 further cells on average. So the secret, or the state that I want to check, is leaked not only by 1024 cells but actually by about 12,000 cells. That may sound like a lot, but it is still less than 0.1% of the whole area of the chip.

Okay, let's look at what this experiment looks like on the 90-nanometer ASIC under normal operating conditions. We measured at 1.2 volts, the nominal supply voltage, and 20 degrees Celsius. We can see that the data dependency is clearly visible: for the input of all ones we get the blue distribution, and for the input of all zeros we get the red distribution. In order to quantify the distinguishability of the distributions we ran a t-test on that data. Here are the values: the difference of means between the distributions is roughly 4 microamperes, while the average total current flowing through the ASIC was 96 microamperes. In the following slides the difference of means will be the most interesting metric, because the temperature induces some noise in those measurements. That noise can easily be removed, but here we report the raw data, so we did not remove it.
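As a sketch of the two metrics used here, the difference of means and Welch's t-statistic, on synthetic data (numpy assumed; the levels only loosely mirror the 96 µA / 4 µA numbers above and are not the real measurements):

```python
import numpy as np

rng = np.random.default_rng(1)

# Synthetic static-current measurements (in amperes) for the two register
# fillings; means and spread are invented for illustration.
ones  = rng.normal(98e-6, 2e-6, 5000)   # register filled with all ones
zeros = rng.normal(94e-6, 2e-6, 5000)   # register filled with all zeros

def welch_t(a, b):
    """Welch's t-statistic, as used in TVLA-style leakage assessment."""
    return (a.mean() - b.mean()) / np.sqrt(
        a.var(ddof=1) / len(a) + b.var(ddof=1) / len(b))

print(f"difference of means: {(ones.mean() - zeros.mean()) * 1e6:.2f} uA")
print(f"t-value:             {welch_t(ones, zeros):.1f}")
```

A |t| above the commonly used 4.5 threshold is taken as evidence of data-dependent leakage.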
You will see that this noise has some influence on the t-value, obviously. So what we do as a first step is just increase the supply voltage from 1.2 volts to 1.6 volts. Nothing else: still 20 degrees, still in the climate chamber. And we already get a roughly 5-fold increase in basically all the metrics: the current drawn by the ASIC is 5 times as large, and the difference of means between our data distributions is 4.5 times as large. So you do not even need a heating chamber, just a constant temperature; you increase the voltage and you get significantly better exploitability. When we do something similar with the temperature, going back to 1.2 volts but increasing the temperature from 20 to 90 degrees Celsius, we get a slightly smaller increase in the difference of means, about 3.5-fold, but the average total current of the ASIC actually increases much more. Now we combine those two techniques, increasing both the voltage and the temperature, and by controlling the operating conditions we get about an 8-fold increase in the exploitability of this experiment.

Okay, keep those 32 microamperes difference of means in mind for a second, because on the 65-nanometer ASIC under normal operating conditions we already start at 38 microamperes difference between the distributions, for the same instance implemented with the same kind of standard cells in two different low-power CMOS technologies. We can also see the t-test value going up to almost 5000. Here we apply basically the same tricks: we increase the supply voltage and get about a 3-fold increase; then we increase only the temperature and already get a 7-fold increase. So the temperature has a much higher impact on the 65-nanometer ASIC than on the 90-nanometer ASIC, which is an interesting fact, I think.
If we combine those two, we get in total a 12-fold increase in the difference of means between those two distributions. To compare those values I have listed them all here and marked the most important ones. It can be seen not only that the 65-nanometer technology is already an order of magnitude more susceptible to attacks at normal operating conditions, but also that it is more susceptible to changes of the operating conditions.

Now we want to move to crypto, because we do not really care about registers. We chose a nibble-serial PRESENT implementation; it is completely unprotected and we have it on both chips. We took 50,000 measurements at 1.6 volts and 90 degrees. On the 90-nanometer ASIC you can see that the difference in the means between the two distributions, and also the difference in the variances, fixed versus random, is much smaller. So the 65-nanometer ASIC is much more exploitable. You can also see that when we target an S-box output for a CPA: the difference of means is increased roughly 12-fold, and the measurements to disclosure, so the number of measurements we need to break the implementation, is decreased by a factor of about 20.

Now I want to talk about the implications for masking. We have seen that the 65-nanometer ASIC at increased voltage and increased temperature is the most susceptible case, so this is the one we consider from here on. Basically two things have been indicated before in the literature. The first one is that if you have very low noise, masking schemes cannot provide the desired security; with low-noise measurements you can break masking schemes with comparably few traces. It is still a lot, so masking provides security, but not as much as desired.
The second one is that moment-based analysis techniques, especially at higher orders, like higher-order DPA and higher-order TVLA, lead to false negatives when the noise is very low. We will see that in the following slides. The most simple example of Boolean masking is just a single bit that is split into a couple of shares, which leak independently, at the same time, univariately through the static power consumption. If we have one share, so basically unprotected, we can distinguish the distributions in the first order. If we have two shares we need the second order, and accordingly the third, fourth and fifth order for three, four and five shares. What is interesting is that the t-value degrades really fast: from almost 400 it goes down to almost 20, even though it does not seem to become much more difficult to distinguish the two distributions; they have slightly more overlapping parts, but that is basically all.

So we look into this a little further and take only the first 1000 traces into account. After 1000 traces the shapes of the distributions are not that smooth anymore, but rather spiky. Still, by visual inspection you can distinguish the two distributions very clearly, and for each measurement you can give a good guess as to which group it falls into. However, it does not matter at which order we try to distinguish those two distributions with the t-test; we cannot do it, because in a single statistical moment there is not enough information to distinguish the two distributions with confidence. This is a false negative in the sense that the t-test may report no leakage at any order while the distributions are actually distinguishable and the device is attackable. When we take two other methods into account, we can see that the distributions are indeed distinguishable with confidence.
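This false-negative effect can be reproduced in a small simulation (synthetic leakage in numpy, not the chip data): one bit is split into five XOR shares that leak univariately as their sum, so the first four statistical moments of the two groups coincide exactly, while the full binned distributions, compared here with a plain chi-squared statistic in the spirit of the methods discussed next, differ drastically.

```python
import numpy as np

rng = np.random.default_rng(2)

def masked_leakage(secret_bit, n_traces, n_shares=5, noise_std=0.05):
    """Univariate static leakage of one bit split into XOR shares:
    every share leaks its value, so we observe the sum of all shares."""
    first = rng.integers(0, 2, size=(n_traces, n_shares - 1))
    last = (first.sum(axis=1) % 2) ^ secret_bit   # completes the XOR sharing
    return first.sum(axis=1) + last + rng.normal(0.0, noise_std, n_traces)

def welch_t(a, b):
    return (a.mean() - b.mean()) / np.sqrt(
        a.var(ddof=1) / len(a) + b.var(ddof=1) / len(b))

def moment_t(a, b, order):
    """Moment-based higher-order t-test: preprocess with the centered
    (order 2) or standardized (order >= 3) moment, then run Welch's t."""
    if order == 1:
        return welch_t(a, b)
    if order == 2:
        return welch_t((a - a.mean())**2, (b - b.mean())**2)
    return welch_t(((a - a.mean()) / a.std(ddof=1))**order,
                   ((b - b.mean()) / b.std(ddof=1))**order)

n = 200                       # deliberately few traces, as in the talk
g0 = masked_leakage(0, n)     # group with secret bit = 0
g1 = masked_leakage(1, n)     # group with secret bit = 1

for order in range(1, 6):     # moments 1..4 match, so low-order t stays small
    print(f"order {order}: t = {moment_t(g0, g1, order):6.2f}")

# Chi-squared statistic on the full binned distributions instead of a moment:
edges = np.arange(-0.5, 6.5)            # the share sums fall into 0..5
h0, _ = np.histogram(g0, edges)
h1, _ = np.histogram(g1, edges)
expected = (h0 + h1) / 2                # pooled per-bin expectation
nz = expected > 0
chi2 = (((h0 - expected)**2 + (h1 - expected)**2) / expected)[nz].sum()
print(f"chi-squared: {chi2:.1f} with {nz.sum() - 1} degrees of freedom")
```

Here the moment-based t-test at orders one to four sees nothing, since the two groups share those moments exactly, while the chi-squared statistic lands far beyond any detection threshold, mirroring the false-negative behavior described above.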
The first one is an order conversion; it is based on a manual slicing of the distributions and then performing a first-order t-test on the sliced distributions. The second one is the chi-squared test, which is very suitable for this scenario because it can compare full distributions instead of comparing a single statistical moment of two distributions. We can observe this not only for the fifth order; it basically looks like this across the board. Even with very low noise, the regular t-test indicates a steep increase in the number of traces needed to detect the leakage as the order increases, but in fact the growth seems to be closer to linear from the one-share case to the five-share case.

Now we want to see whether that also holds for measurements that are not just single bits, so we performed a DPA on an AES threshold-implementation core on both types of chips, which has three shares and provides first-order security. Here we see a third-order DPA using the t-test to distinguish an S-box output bit, and we can see that the correct key candidate can be distinguished from the other ones. Then we take the two other methods and perform the same attack: they can also distinguish the correct candidate, but the chi-squared test needs only about half the number of traces that the regular t-test and the order conversion require to be successful. Finally, I want to say something about clock control.
There is more in the paper; I only have time for one slide on this, and the information is really just a cautionary note. Suppose you have a cipher core, some crypto coprocessor, and after an encryption, or before, or in between encryptions, you leave it idle; you do not reset everything but leave some sensitive intermediate values in there. You do not care about them anymore because you are not computing on them, so you just do not mind, and you do not reset everything and take the key away. Then you can perform such attacks even without any clock control. This is an example of a round-based SKINNY implementation where after the last round we do not clear the state register; we just take the ciphertext away, keep everything, and for the next encryption we simply start the next encryption. In such cases it can be really dangerous, and even devices where clock control is not a possibility may be susceptible.

Okay, the conclusions are: the potency of the static power side channel increases significantly for smaller CMOS feature sizes; the operating conditions can significantly boost the available information, and this is especially true for the smaller technology nodes; when you have a very low noise level you need to be careful with masking schemes, and especially the evaluation of masking schemes might run into issues with moment-based analysis techniques; and finally, if sensitive intermediates remain in a circuit for more than a couple of clock cycles, you can exploit them even without the attacker obtaining clock control. Okay, thank you for your attention.

Thank you. Are there questions? Okay, so I have one question. You showed the effect on the leakage of increasing the power supply voltage and the temperature, but we saw in a previous presentation that if you do that for a longer time, you get the same effect as aging. So what happens if you do it only briefly, like you did?
Is there an effect remaining afterwards if you go back to the nominal supply voltage and temperature? Sure, I mean, the effects remain and you get the same effects that were explained in the previous talk. But for the tests that we have presented here we took a fresh chip, and none of the attacks actually took weeks, so the effect is not that significant in these measurements. Thank you.

Hi, thanks for the talk, I have a small question about one of your earlier slides, I think it was section two. Can you move? Sorry, I need to move closer. Is that better? Thanks for the talk. In one of your earlier slides, I think it was section two, you were showing some plots, and since you focus on the noise so much, I was wondering what the underlying assumption for the noise was. Is it still Gaussian? Because the plot that you were showing looked like a camel hump, a bimodal distribution. I think that was section two. Yeah, that's the one. Yes. Okay, so this is actually the temperature-induced noise I was talking about, which you can easily cancel out by pre-processing the traces. What you observe: the fixed and random measurements were randomly interleaved, but let's just assume they are not randomly interleaved but directly alternating, so you have four ones, four zeros, four ones, four zeros. Then you have this kind of shape, and it does not move like this over the number of measurements, but it may move like this, because in the climate chamber the regulation unit always tries to keep up the temperature; it goes a little down, it goes a little up. What you can do is just apply a high-pass filter over that whole set of measurements, and then you see perfectly Gaussian shapes again. Thank you. Let's thank Thorben again, and also all the speakers of the session.