second talk. The title is Hardware Masking Revisited and the speaker is Thomas De Cnudde from KU Leuven and COSIC, and he will name his co-authors, I guess.

Thank you. So my co-authors, Maik and Amir, they're part of this work, of course. I want to thank them for this work. So in this talk we're going to look at some foundational assumptions of hardware masking, and for that we turn our attention to one of the seminal papers on this topic. There's a paper by Chari and co-authors, and in that paper they take a scientific approach to counter the problem with DPA. So they create a model so they can reason inside the model about security of masking. In a first assumption they make the reasonable assumption that coupling and other types of these effects can be ignored, and so they start from a linear model where the total power consumption of the circuits should be decomposable as the individual power consumptions of the shares of the masking scheme. Now they are aware, of course, that that is not always satisfied. There are effects like temperature, voltage, coupling that can violate that assumption, and that is exactly what we investigate in this paper.

But why would we stop there at this small list? We can have a look at our measurement setup, which is based around the SAKURA-G FPGA, and we can list other parameters that we can control as well, both as an attacker as well as a designer. So we have the supply voltage that we can influence. We have the shunt resistor over which we measure, that we can influence. We can influence the distance of the shares as designers. We can increase and decrease the temperature. We can increase the circuit size as designers, and we can alter the clock frequency. Finally, we can also alter the masking scheme itself, use a higher-order masking scheme or a lower-order masking scheme. In this talk we are going to investigate the effect of these parameters.
For that we first are going to design a small experimental setup with a toy example, just to investigate this whole list of parameters that could possibly influence the leakage. Afterwards we are going to look at the main question which we want to answer in this research: can we actually use these parameters to make masked implementations leak? And finally we will end with a summary and some implications of our work.

But first, our toy example. We decided to create a set of MixColumns instances and chain them after one another, and this will form one share of our masking scheme. We can activate and deactivate the last three MixColumns here, so we can play around with lower power consumption or higher consumption within our masking scheme. Secondly, we route four of such instances, which we call iterated MixColumns. We route them completely separated, that is, both in placement and routing on the floor plan of our FPGA. Hopefully this translates to reality, but we have no reason to believe why it wouldn't. And this way we can not only play around with the order of the masking scheme of this linear iterated MixColumns, by for example having only a first-order implementation by only considering the first two shares, having a second-order implementation considering the first three shares, or a third-order implementation considering all the shares. We can also play around with the distance. We can look at a first-order implementation only considering the first and the second MixColumns, where shares are placed closer in this masking scheme, or we can look at a first-order implementation between MixColumns one and MixColumns four, having our shares placed further away.

With that we look at the parameters. So let's take a fixed shunt resistor and we increase the power supply voltage, and I think the clearest would be the purple line versus the black diamond line, where we only increase the power supply.
The rule we have there is: the higher the supply voltage, the higher the leakage. Taking the supply voltage fixed and lowering the shunt resistor over which we measure, that would be the black line to the purple line, we see that the lower the shunt resistor over which we measure, the higher the leakage.

As for the distance, we compared these three first-order masked implementations, that is, between the first column and the second one, between the first and the third, and the first and the fourth, and we surprisingly see that distance does not matter much in the observed leakage.

As for the temperature, we varied from room temperature of 21 degrees over 50 degrees over 50 degrees up to 70 degrees for the temperature chamber, and we nicely see that the higher the temperature, the higher the leakage.

For the circuit size and the clock frequency, let's have a look at a constant clock frequency, so we go from three MixColumns to six MixColumns. We see that the higher, the larger the circuits, or the more MixColumns are active, the higher the leakage. And now with a fixed number of MixColumns, that would be for example the blue triangles and the brown stars, we see that the higher the clock frequency, the higher the leakage. The rule we can extract from that, because both the circuit size and the clock frequency, they're related to the peak-to-peak power consumption: we group them under the umbrella "the higher the peak-to-peak power consumption, the higher the leakage".

As for the number of shares, not surprisingly, the lower the number of shares, the higher the leakage. What is surprising, though, is that we see first-order leakage in all these implementations. The implementation with only two shares, where we expect first-order security, leaks the fastest in the first order, but later we also see leakage in the second- and third-order implementations.
We have to note that there was no second-order leakage in the second-order secure implementation and there is no third-order leakage in the third-order secure implementation.

That's it for those parameters we listed at the start, but we are working on an FPGA, and on FPGAs wires consume quite a lot of power compared to on ASIC, so we end these small experiments on the toy example with an experiment that will look at coupling between wiring of the FPGA. For that we look at the structure of an FPGA; that's basically a regular pattern of some lookup tables that can be wired together through switch matrices. And while we don't have any specific concrete idea about how these look inside, what these switch matrices are composed of, it's reasonable to assume that they consist of a bunch of transistors which can be configured to be either open switches or closed switches, depending on the bitstream that is stored in the SRAM.

Now let's say we have a first-order implementation; two shares are routed on the different red wires there, x1 and x2. It's possible that open transistors have a leakage current and couple these, and for that we need to design an experiment to check whether this is potentially a threat. So we design a metric, and the metric we use is the number of shared open switches. That means for two given input wires we list all the possible output connections to which they can be routed, and the higher that is, the more of these units we have. So that would be one unit, and we take a couple of switch matrices in a row and we increasingly route wires through them and increase that metric. So we have three different experiments: one where you have zero of those shared connections, one where you have 20 of those shared connections, in the middle here, and the last one where we have the highest number of shared connections, that's 20 and 16. So we actually need a lot of these redundant ones where we cannot really do anything, just to get the wires on the right
track. We take those adjacent switch matrices, we put them right in between two of our MixColumns, and then we perform our tests, and we see that the routing does not really influence the effect much, so the observed leakage does not depend that much on the routing.

And I think with that we have enough parameters to play around with effectively to try to make masked implementations leak, and for that we take established masking schemes from the literature. We have a threshold implementation of PRESENT from Poschmann and co-authors, we also have domain-oriented masking of AES, first and second order, by Gross and co-authors, and we have d+1 threshold implementations by myself and co-authors. And what we get is a three-share first-order PRESENT implementation that in the regular conditions, with a power supply voltage of one volt and a one-ohm shunt resistor, does not leak, but as soon as we increase that power supply voltage we get a nice leakage. For the AES implementations we have that all designs leak, so both the first- and second-order implementations of domain-oriented masking as well as the first- and second-order implementations of the d+1 TI, and they leak a lot faster and stronger than our PRESENT implementation.

To conclude: can we make masked implementations leak? That's a clear yes. How can we do that? We can alter the leakage confidence; we can increase it by raising the supply voltage, by lowering the shunt resistor over which we measure, by increasing the temperature in which we measure, by increasing the peak-to-peak power consumption, that's either increasing the clock frequency or, as a designer, using larger circuits, and by lowering the number of shares, which is not surprising: if you only have one share, you basically have an unmasked implementation, you leak anyway. We also saw that leakage does not depend much on the distance you have between the shares, nor does it depend on the number of open transistors or the leakage
current in those open transistors between the shares.

For some implications: the assumptions can be violated. That is not surprising, and in masking literature, in hardware masking, that has been shown by, amongst others, Mangard and co-authors with glitches and early signal propagation. More surprising is that a correctly masked implementation, where we take real care in making sure we translate the theory to the practice correctly, can leak. But it's in a lab environment, so what is a real-world implication? And that is where we can pose the question, the main question of our future work: can this be exploited by an attacker, and if so, how? Also, more related to practice, if we look at ASICs, what do we expect? Can we translate the results from FPGA right away to ASIC? Perhaps not, but one thing is sure: we likely need more traces due to higher noise in the ASICs.

Before we conclude, before I open for questions, some solutions. Temporal non-completeness would be a solution. Sadly, it's very expensive. It would mean that we don't process on more than d shares at any given point in time, so at any clock cycle, to achieve d-th order security. So for a first-order implementation that means we process the shares sequentially, just as in software, basically invalidating all the strong advantages of hardware. We could embed voltage regulators, so an attacker could not raise the voltage of the power supply, but then again you can always increase the temperature and make the design leak, or tweak some other parameters, just as in the talk on FPGAhammer yesterday. We could isolate some supply voltages, so basically share the supply voltage lines, but it's not clear how to design non-linear masked implementations in that way. Finally, we could deploy the leakage tests in addition to attacks, so we could use a t-test in scenarios where it is strong to identify leakages of implementations fast. But to validate, finally, I think it's nice if a masking scheme is validated in a realistic environment, and for
that some authors have been using the moments-correlating DPA, and we'll see a talk about that tomorrow. And with that I'm ready for your questions. Thank you.

Thanks so much. Questions?

Okay, thanks for the... sorry. I was wondering, if you add more external amplifiers, will it help you find the leakage more quickly?

Um, I have to direct that question to... um, no, we do not add any more amplifiers, so I guess we use a standard setup for our measurements.

So I'm saying, if you add more amplifiers, will it help you to find the leakage more quickly? Externally.

Oh, sorry, having the internal amplification, I thought... um, I was referring... do you hear me? Okay, yeah. No, I was referring to the case that you have one circuit which is larger, which consumes more energy, and it has more effect on the amount of power consumption or energy consumption of the other part of the circuit, which operates on the other share.

Thank you, Amir. More questions?

Benefit... test, test, test. Okay. Hi, um, thanks for the talk. So what I missed, maybe, when you showed the plots, in which orders you found leakage and so on, I missed in which orders you expect to find leakage, and why did you not expect... like, I think you said you found always first-order leakage but no second- or third-order leakage, even though you use four shares.

So, well, it's always a surprise if you don't make a hypothesis, right?

Yeah, but I think I missed the point there.

What do we expect? Of course we expect no leakage. If we have a first-order implementation we don't expect first-order leakage; if we have a second-order implementation we don't expect first and second order.

Okay, but so even if you use four shares you find only first-order leakage?

Yes, and we did not find second or third.

But that may just be that the measurement setup was not good enough to see that. There will always be noise.

Yeah, there might be, of course. I think it could be, but like you say, it's just too noisy that we cannot see it.

Okay, thanks. I would be
surprised if it only is in the first order but not in the second order, so the fact that there's noise in the second order must... that... okay, thank you.

Thanks. We have time for one more question.

Yeah, all the way... better? No? Yeah, I hear you. Not anymore. Uh, which one of your conclusions hold for ASIC?

Okay, so the question, if I get it right, is which of our parameters would influence...

Conclusions. Which of the conclusions, observations and conclusions. Maybe go back to the slide.

Yeah, okay. Which of these, of the solutions?

It's very hard to talk through this. Observations and conclusions hold for ASIC? Because they have totally different structures, powers, especially with respect to the ratio of leakage and active dynamic power. So I mean, some of these observations, I would imagine, do not necessarily hold for ASIC.

Yes, I agree. I think the only way I can answer that question correctly is by performing these experiments on an ASIC, although I don't think that it will be that different. So for sure we need more traces, but the temperature, increasing the temperature on an ASIC, I would be surprised if that would not lead to higher leakage. Whether we can observe that or not, it's then for the measurement setup, but it's fair to assume that similar problems will be there, but that more leak... more traces are required to see it.

Okay, let's thank the speaker.