SCAs against Embedded Crypto Devicesattackschool.di.uminho.pt/slides/slides_fxs1.pdf · 2014. 11....

UCL Crypto GroupMicroelectronics Laboratory SCAs against Embedded Crypto Devices - L1 1

SCAs against Embedded Crypto Devices

F.-X. Standaert

UCL Crypto Group, Universite catholique de Louvain

Lecture 1 - Hardware Implementations


Outline

I Different types of computing devices

I Two key concepts

I Hardware performance indicatorsI Implementation tradeoffs

I Technology scaling

I Design tradeoffs

I FPGAs

I Application to block ciphers

I Further readings


Different types of computing devices

I General purpose computers (e.g. microprocessors)I Software-programmed

I Reconfigurable devices (e.g. FPGAs)I Application Specific Integrated Circuits (e.g. AES)

I Hard-codedI Tradeoff: flexibility vs. performance


Sequential logic

I 1 cycle: read in memory - operate - store in memory

I Operation delay Top > than critical path Tph (in sec)

I Operation frequency fop = 1/Top (in Hz)


Abstraction levels (for memory & operations)


Hardware performance indicators

I Hardware cost (in gates, transistors or circuit size)

I Operation frequency (in Hz)

I Data throughput (in bit/sec)

I Data latency (in clock cycles)I Power and energy (in Watts and Joules)

I Not equivalent, e.g.I Power matters for RFID devicesI Energy matters for battery-supplied devices


Implementation tradeoffs

I Tph ∝ LD · CL·Vdd

Ion, with:

I LD the operation logic depth (in gates)I CL the load capacitance (in Farad)I Vdd the circuit supply voltageI Ion the MOSFET drain current in ON state

“Tph decreaseswith larger Vdd”


Implementation tradeoffs (II)

I Sources of power and energy consumptionI Ptot = Pdyn + Pstat

I Pdyn ∝ Ngates · CL · V 2dd · fop · α (1 + βsc)

I α: activity factor / β: short circuitsI Pstat ∝ Ileak · Vdd

I with Ileak increasing with smaller Vdd

“Minimum energy besttrades Pdyn and Pstat”(here with Top = Tph)

⇒ ∃ frequency/energy tradeoff


Technology scaling

I Pdyn dominates old technologies (down to 0.1µm)

I Pstat becomes significant in nanoscale devices

I Inter-device variability also increases with scaling !


Design tradeoffs

I Resources sharing, e.g. with the AES ByteSub

I Low cost design: 1 S-box, 16 cycles

I Fast design: 16 S-boxes, 1 cycles

I Low cost implies more control ⇒ less efficient


Design tradeoffs (II)

I Inner pipelining, e.g. with the AES round

Ideally: fop × 2(usually worse in practice)

Latency: 11 → 22 (cycles)

Throughput?

(128 bits/11 cycles) · fop(256 bits/22 cycles) · fop⇒ ideally ×2


Design tradeoffs (II)

I Inner pipelining, e.g. with the AES round

Ideally: fop × 2(usually worse in practice)

Latency: 11 → 22 (cycles)

Throughput?(128 bits/11 cycles) · fop(256 bits/22 cycles) · fop⇒ ideally ×2


Design tradeoffs (III)

I Further improvements of the throughput (fop fixed)

Parallelism (left) less efficient than outer pipelining (right)


FPGAs

I “Sea” of programmable logic blocks

I Connected with programmable routing

I Functionality determined by configuration bitsI Different technologies

I 0.18µm → 45 nmI Several manufacturers


FPGAs (II)


FPGAs (III)

I Logic blocksI From 3-input Look-Up Tables. . .

to 8-bit Arithmetic and Logic UnitsI The granularity of the device influences both the

design performances and configuration time

I Routing blocksI Structured according to the interconnect lengthI Major impact in final performances

I Embedded blocksI Memories, multipliers, . . .


(How to use) FPGAs (IV)

I Compared to ASICs: fabrication + packaging arereplaced by configuration (i.e. sending a programmingfile to the chip to determine the “gates” functionality)


FPGAs (V)

I Example: Xilinx logic block


Application to block ciphers

I Target FPGA 1 has logic blocks (LB1) made of:I Two 4-input LUTsI One 1-bit MUX to combine the LUTsI Two registers

I Target FPGA 2 has logic blocks (LB2) made of:I Four 6-input LUTsI Three 1-bit MUX to combine the LUTsI Four registers

I Embedded memory, with each block (MB) made of:I 4096-bit RAM memoriesI Dual-ported (i.e. 2 R/W operations per cycle)I Configurable (4096× 1, 2048× 2, . . . )


S-box implementations

I “Minimum memory” cost (in bits) of S1/S2? { . . . }I Cost of S1/S2 in LB1/LB2? { . . . }I Would you use the memory to implement S1/S2?


Block cipher design

I Consider an AES-like cipher with the following round:

I To be implemented in FPGA 1 with S-box S2

I With MixColumn in 256 LUTs and logic depth 2 LUTs

I And the full cipher iterating 11 rounds


Block cipher design

I What is the cost of one round in LUTs?I Design and evaluate the cost (in LUTs and regs) of:

I A 1-round loop architecture without pipelineI A 1-round loop architecture with maximum pipeline

I What is the latency (in cycles) of these architectures?I Assume TLUT = 10 ns, what is the throughput

achieved by these architectures (in bit/sec)?I Is this assumption realistic (physically speaking)?

I “Ideally”, what would happen if we move to a 2-roundloop architecture, or a 32-bit loop architecture?

I { . . . }


Examples

I FPGA implementations of the AES Rijndael

Index E,D? Key Sched. Feedback? Device Architecture

1. E only on-the-fly no Virtex-E 128-bit unrolled2. E only on-the-fly no Virtex-E 128-bit loop3. E/D precomputed yes Virtex-II 32-bit loop4. E/D precomputed yes Spartan-II 8-bit loop5. E/D precomputed yes Spartan-II PicoBlaze

Index LUTs Regs. Slices RAMBs Freq. Throughput1. 3516 3840 2784 100 92 MHz 11.7 Gbit/sec2. 3846 2517 2257 0 169 MHz 2 Gbit/sec3. 288 113 146 3 123 MHz 358 Mbit/sec4. - - 124 2 67 MHz 2.2 Mbit/sec5. - - 119 2 90 MHz 710 Kbit/sec


Summarizing

I Specialized hardware implementations (ASICs, FPGAs)can be used to reach high performances

I Many different metrics exist (cost, speed, . . . )

I Hardware Design optimization (e.g. sharing,pipelining) depends on algorithmic features

I Technology scaling can have high impact too!


Further readings

I International Technology Roadmap forSemiconductors, http://www.itrs.net/

I F. Rodriguez-Henriquez, F. Saqib, N.A. Diaz, C.K.Koc, Cryptographic Algorithms on ReconfigurableHardware, Springer, 2007.

I H. Kaeslin, Digital Integrated Circuit Design,Cambridge University Press, 2008.

I J.M. Rabaey, Digital Integrated Circuits: a DesignPerspective, second edition, Prentice Hall, 2003.


Thanks

SCAs against Embedded Crypto Devicesattackschool.di.uminho.pt/slides/slides_fxs1.pdf · 2014. 11....

Documents

Transcript of SCAs against Embedded Crypto Devicesattackschool.di.uminho.pt/slides/slides_fxs1.pdf · 2014. 11....