Novel Security Threats in Multi-Tenant FPGAs: Phase Tuning for Voltage Sensors in Remote Power Side-Channel Analysis Attacks on AES

Field-programmable gate arrays (FPGAs) are widely used in cloud servers as an acceleration solution for compute-intensive tasks. Cloud FPGAs are typically multi-tenant, enabling resource sharing among multiple users but are vulnerable to power side-channel analysis (SCA) attacks due to their programmability and runtime dynamic reconfigurability. It is well-known that the clock frequencies of the circuits on multi-tenant FPGAs affect power consumption, but their impact on remote correlation power analysis (CPA) attacks has largely been ignored in the literature. This work systematically evaluates how clock frequency variations influence the effectiveness of remote CPA attacks on multi-tenant FPGAs. We develop a theoretical model to quantify this impact and validate our findings through the CPA attacks on processors running AES-128 and SM4 cryptographic algorithms. Our results demonstrate that the runtime clock frequency significantly affects the performance of remote CPA attacks. Our work provides valuable insights into the security implications of frequency scaling in multi-tenant FPGAs and offers guidance on selecting clock frequencies to mitigate power side-channel risks.

Improving power analysis attack resistance using intrinsic noise in 3D ICs

This paper demonstrates the hardware implementation of a recently proposed low-power asynchronous Advanced Encryption Standard substitution box (S-Box) design that is capable of being resistant to side channel attack (SCA). A specified SCA standard evaluation field-programmable gate array (FPGA) board (SASEBO-GII) is used to implement both synchronous and asynchronous S-Box designs. This asynchronous S-Box is based on self-time logic referred to as null convention logic (NCL), which supports a few beneficial properties for resisting SCAs: clock free, dual-rail encoding, and monotonic transitions. These beneficial properties make it difficult for an attacker to decipher secret keys embedded within the cryptographic circuit of the FPGA board. Comparisons on the resistance to SCAs of both the original and proposed S-Box design are presented, using differential power analysis (DPA) and correlation power analysis (CPA) attacks. The power measurement results showed that the NCL S-Box had 22%-26% lower total power consumption than the original and was effective against DPA and CPA attacks. An important factor of successfully implementing DPA or CPA attacks, which is the number of power traces, is also analyzed in this paper.

Correlation power analysis (CPA) attacks on the hardware implementation of cryptographic algorithms can retrieve the cipher key by analyzing the correlation between hypothesized keys and the power measurement of that crypto hardware. The existing CPA attacks and the countermeasures are mainly for two-dimensional (2D) integrated circuits (ICs). There is a lack of study on CPA in the context of three dimensional(3D) ICs. To fill in this gap, this work investigates the impact of a 3D power distribution network (PDN) on the efficiency of CPA mounted on a cryptographic module, which is in one of the 3D planes. The Pearson correlation coefficient is used as a metric to assess the impact of different PDN types, circuit loads, and switching activities of the neighboring planes on the CPA efficiency.

Power analysis attacks as side channel analysis techniques of cryptographic devices have been mounted against block ciphers and public key but rarely against stream ciphers. There are no reports on correlation power analysis (CPA) attack against stream ciphers so far. This paper proposes a novel CPA against synchronous stream ciphers. Then we present two experiments of CPA attacks on stream ciphers A5/1 and E0. The experimental results indicate that CPA of synchronous stream ciphers is feasible.

With virtualized Field Programmable Gate Arrays (FPGAs) on the verge of being deployed to the cloud computing domain, there is a rising interest in resolving recently identified security issues. Those issues result from different trusted and untrusted entities sharing the FPGA fabric and the Power Distribution Network. Researchers were able to perform both side-channel and fault attacks between logically isolated designs on the same FPGA fabric, compromising security of cryptographic modules and other critical implementations. Side-channel attacks specifically are enabled by the vast degree of freedom given to developers when making use of the basic FPGA resources. Both ring oscillators as well as long delay lines, implemented using low-level FPGA primitives, have been shown to provide sufficient data for simple or correlation-based power analysis attacks. In order to develop new or apply known countermeasures onto designs and implementations in a virtualized multi-tenant FPGA, we seek to fully understand the underlying mechanisms and dependencies of chip-internal side-channel attacks. Although the impact of process variation and other physical design parameters on side-channel vulnerability has been investigated in previous works, remote attacks between logically isolated partitions in multi-tenant FPGAs introduce new and unique challenges. Thus, we systematically analyze the impact of physical mapping of both attacker and victim design on the success of correlation power analysis attacks on the Advanced Encryption Standard (AES). We report our findings on a Xilinx Zynq 7000-based platform, which show that the effect of global and local placement as well as routing and process variation on the success of side-channel attacks almost exceeds the impact of hiding countermeasures. This result reveals fundamental challenges in secure virtualization of FPGAs, which have been mostly ignored so far. Eventually, our results may also help vendors and hypervisors in developing zero overhead side-channel countermeasures based on adequate global and local placement of isolated designs on a multi-tenant FPGA.

Three-dimensional (3D) integration is envisioned as a natural defense to thwart side-channel analysis (SCA) attacks. However, there lack extensive studies on the unique feature of 3D power distribution network (PDN) noise and its impact on the efficiency of SCA attacks in 3D chips. This work fills the gap. Our experiments based on the real PDN and through-silicon via (TSV) models indicate that the noise from the other 3D planes is additive, which can significantly change the power profile of the crytpo unit in a 3D chip. We exploit the cross-plane PDN noise to develop a new counter-measure against the correlation power analysis (CPA) attacks in 3D integrated circuits (ICs). Simulation results show that the proposed method successfully improves the system resilience against CPA attacks and enhances the correlation difference by 29.1% and 18.7% over 2D and 3D baseline, respectively.

Emerging technologies such as Spin-transfer torque magnetic random-access memory (STT-MRAM) are considered potential candidates for implementing low-power, high density storage systems. The vulnerability of such nonvolatile memory (NVM) based cryptosystems to standard side-channel attacks must be thoroughly assessed before deploying them in practice. In this paper, we outline a generic Correlation Power Analysis (CPA) attack strategy against STT-MRAM based cryptographic designs using a new power model. In our proposed attack methodology, an adversary exploits the power consumption patterns during the write operation of an STT-MRAM based cryptographic implementation to successfully retrieve the secret key. In order to validate our proposed attack technique, we mounted a CPA attack on MICKEY-128 2.0 stream cipher design consisting of STT-MRAM cells with Magnetic Tunnel Junctions (MTJs) as storage elements. The results of the experiments show that the STT-MRAM based implementation of the cipher circuit is susceptible to standard differential power analysis attack strategy provided a suitable hypothetical power model (such as the one proposed in this paper) is selected. In addition, we also investigated the effectiveness of state-of-the-art side-channel attack countermeasures for MRAMs and found that our proposed scheme is able to break such protected implementations as well.

In CHES 2011, Sony Corporation proposed a very promising ultra-lightweight blockcipher named Piccolo and claimed it offers a sufficient security level against known cryptanalyses based on mathematical weaknesses. The correlation power analysis (CPA) attack against a round-based Piccolo-80 hardware implementation is discussed in this paper. We built a power consumption acquisition platform based on simulation for minimum overhead, presented a feasible CPA attack method based on HD model and the final round, and retrieved the final round key RK <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">24</sub> <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">L</sup> , RK <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">24</sub> <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">R</sup> and the whiten key WK <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sub> and WK <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sub> with 500 power traces. The results showed Piccolo-80 round-based hardware implementation is vulnerable to power analysis attack. To the best of our knowledge, this is the first paper to discuss power analysis attack against Piccolo.

Logic locking techniques have been widely investigated to thwart intellectual property (IP) piracy and reverse engineering attacks on integrated circuits. Although extensive research efforts have been made to examine the resilience of logic locking techniques against Boolean satisfiability (SAT) and key sensitization attacks, there still lacks a comprehensive assessment of different locking methods’ resilience against power-analysis attacks. In this work, we evaluate the success rate of differential power analysis (DPA) and correlation power analysis (CPA) attacks that are performed on the circuits encrypted with logic locking techniques applied at gate level or transistor level. To enhance the CPA attack resilience of the existing transistor-level locking techniques, we further propose a new strategy to search for optimal key insertion locations. Our analysis and experimental results indicate that gate-level locking and transistor-level locking should use different strategies to select the optimal key insertion locations. Our case studies confirm that the proposed key insertion strategy can improve the transistor-level locking technique’s resilience against CPA attacks.

KLEIN is a family of block ciphers whose lightweight features are suitable for resource‐constrained devices. However, the original design of KLEIN does not consider the potential attacks by power analysis methods. This paper presents power analysis attacks against an field‐programmable gate array (FPGA) implementation of KLEIN by the authors of KLEIN. The attacking strategy, attacking point, and complexity of our attacks via power analysis against KLEIN are discussed in detail. Besides, the implementation of the attacks is also described, and the experimental data is given. A lot of attacking experiments are launched by this paper; the best method in our experiment is Correlation Power Analysis (CPA) attack that requires only 4000 random plaintexts and 115 s to reveal the 64‐bit key of KLEIN, with the storage complexity nearly 212 and the success probability of attack nearly 100%. Finally, a defensive countermeasure against our attacks is proposed. Copyright © 2017 John Wiley &amp; Sons, Ltd.

A novel asynchronous S-Box design for AES cryptosystems is proposed and validated. The S-Box is considered as the most critical component in AES crypto-circuits since it consumes the most power and leaks the most information against side channel attacks. The proposed design completely based on a delay insensitive logic paradigm known as Null Conversion Logic (NCL). Asynchronous S-Box is based on self-time logic referred to as NCL which supports few beneficial properties for resisting SCAs such as clock free, duail rail encoding and monotonic transitions so that it consumes less power therefore suitable for energy constrained mobile crypto-applications. These beneficial properties make it difficult for an attacker to decipher secret key embedded within the cryptographic circuits of the FPGA board. Resistant to SCAs of both existing and proposed S-Box design are presented using differential power analysis (DPA) and correlation power analysis (CPA) attacks. The power measurement result showed that the NCL S-Box had lower total power consumption than original and effective against DPA and CPA attacks.

The low-entropy masking scheme (LEMS) is a costsecurity tradeoff solution that ensures a certain level of security with much lower overheads than a full-entropy masking scheme (FEMS). However, most existing LEMSs are based on a look-up-table (LUT) and limited to the first-order, which is vulnerable to classical higher-order correlation power analysis (CPA) attack and other special types of attack (e.g., collision attack). This paper proposes a new type of LEMS for a block cipher in which the S-box consists of power functions and an affine function. First, a low masking-complexity algorithm for evaluating S-boxes is developed by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC. Next, an LEMS for block ciphers is proposed. This LEMS provides two different masking modes to realize various cost-security tradeoff schemes. Due to the “masked invariant property” of the LUTAC, the masking complexity of the proposed LEMS is equal to O(d), whereas under FEMS it is equal to O(d2). Compared with existing LEMSs, the proposed LEMS has following advantages: higher security in terms of the masking entropy; resistance against collision attacks; and scalability to higher-order schemes. Per the proposed algorithm, an architecture without any nonlinear multiplication for evaluating AES is developed by replacing the LUT with seven scalar multiplications. The different LEMSs based on this architecture are developed. Their area overheads are evaluated by implementing different schemes in 65 nm CMOS process. The security of the first-order LEMS with rotation mode is verified by performing CPA on the SAKURA-G FPGA board. From the experimental success rates, it shows that the proposed first-order LEMS can resist CPA without revealing the correct subkey for up to 100 000 power traces, whereas the unprotected scheme is broken at 1100 traces.

Cryptographic systems can potentially suffer from various attacks which are a consequence of vulnearability of side channel information to analysis attacks. The nature of digital circuits is prone to electromagnetic and power analysis (EMA and PA) attacks. Interconnects in cryptographic circuits emanate information through electromagnetic signals which can be exploited using EMA. Complementary Metal Oxide Semiconductor (CMOS) circuits are vulnearable to leak of computational information through leakage and dynamic power consumption. Dynamic power consumption of cryptographic engines is a rich source to sink in the data under process. The hardware implementation of cryptographic algorithms undermine the security of encrypted system against non brute-force-attacks. The attackers collect and analyse the leakage information of cryptographic circuits to detect the secrete key. The parameters sensitivity of the device and circuits make the cryptographic engines vulnearable to fault injection and inherent inconsistency of the circuits. Dynamic and static power comprise two major components of power consumption of digital circuits. Both power components vary with data under process. This exhibits power consumption has data dependency in digital circuits. To make noisy power profile, various countermeasures have been proposed against Differential Power Analysis (DPA) attacks. In this research, false glitch cells is proposed to work as a countermeasure to generate random transitions and power spikes to scramble power profile. The mathematical foundation of security implications of false glitch cells against Correlation Power Analysis (CPA) attacks is investigated. Moreoever, the security efficiency of utilizing false glitch cells is verified with different metrics.

Random execution time-based countermeasures against power analysis attacks have reduced resource overheads when compared to balancing power dissipation and masking countermeasures. The previous countermeasures on randomization use either a small number of clock frequencies or delays to randomize the execution. This paper presents a novel random frequency countermeasure (referred to as RFTC) using the dynamic reconfiguration ability of clock managers of Field-Programmable Gate Arrays -- FPGAs (such as Xilinx Mixed-Mode Clock Manager -- MMCM) which can change the frequency of operation at runtime. We show for the first time how Advanced Encryption Standard (AES) block cipher algorithm can be executed using randomly selected clock frequencies (amongst thousands of frequencies carefully chosen) generated within the FPGA to mitigate power analysis attack vulnerabilities. To test the effectiveness of the proposed clock randomization, Correlation Power analysis (CPA) attacks are performed on the collected power traces. Preprocessing methods, such as Dynamic Time Warping (DTW), Principal Component Analysis (PCA) and Fast Fourier Transform (FFT), based power analysis attacks are performed on the collected traces to test the effective removal of random execution. Compared to the state of the art, where there were 83 distinct finishing times for each encryption, the method described in this paper can have more than 60,000 distinct finishing times for each encryption, making it resistant against power analysis attacks when preprocessed and demonstrated to be secure up to four million traces.