Masking the energy behaviour of encryption algorithms

Abstract

Smart cards are vulnerable to both invasive and noninvasive attacks. Specifically, noninvasive attacks using power and timing measurements to extract the cryptographic key have drawn a lot of negative publicity for smart card usage. The power measurement techniques rely on the data-dependent energy behaviour of the underlying system. Further, power analysis can be used to identify the specific portions of the program being executed to induce timing glitches that may in turn help to bypass key checking. Thus, it is important to mask the energy consumption when executing the encryption algorithms. The instruction set architecture of a simple five-stage pipelined smart card processor with secure instructions to mask the energy differences due to key-related data-dependent computations in DES and Rijndael encryptions is augmented. The secure versions operate on the normal and complementary versions of the operands simultaneously to mask the energy variations due to value-dependent operations. However, this incurs the penalty of increased overall energy consumption in the data-path components. Consequently, we employ secure versions of instructions only for critical operations; that is we use secure instructions selectively, as directed by an optimising compiler. Using a cycle-accurate energy simulator, the effectiveness of this enhancement is demonstrated. The approach achieves energy masking of critical operations, consuming 83% less energy compared to existing approaches employing dual rail circuits.