Lucas MAHIEU (Encadrant : Regis LEVEUGLE ) : Auto-test de cryptoprocesseurs : analyse d'efficacité
Cette page présente les résultats du sujet "Auto-test de cryptoprocesseurs : analyse d'efficacité" Étudiant : Lucas MAHIEU (2A-SLE 2016)
|Titre du projet||Auto-test de cryptoprocesseurs : analyse d'efficacité|
Nowadays, with the boom of communications and information, several application areas need to ensure confidentiality and authenticity of data through encryption solutions. In some cases, these primitives can take advantage of a very strong acceleration provided by the cryptographic accelerators: special purpose hardware architectures, able to execute only one or a few algorithms. Unfortunately these systems leak information through, for example, the computation time, power consumption, and electromagnetic radiation. These side-channel signal variations are not random, as they are strictly connected to the state of the circuit, which is the data processed in a given time. The use of statistical methods to retrieve sensitive information analyzing this information is called side channel cryptanalysis. It is possible to understand that the only way to prevent side-channel attacks is to avoid the correlation between the state of the system and the side-channel signal variation.
There are two approaches to achieve this: the first one consists in designing new cryptographic primitives intrinsically resistant to side channel attacks; the second approach is to accept that leakages are inevitable, but at the same time apply countermeasures in order to force the attacker to sustain a very complex work to retrieve any information about the data.
The first part of this paper will introduce a work suggesting a new countermeasure called the Galois Composite Fields Multiple Mapping .
The second part of this paper will deal with another important constraint due to the sensitivity of this application field : the testability.
In this paper, we propose to quantify the efficiency of a Built-In Self-Test scheme when the Galois Composite Fields Multiple Mapping countermeasure is implemented. The main motivation of this work is to evaluate if the Composite Fields used on AES can modify the Built-In Self Test results shown in  because the architecture is modified and this modification could impact the effectiveness of the auto-test method.
Buit-In Selt Test (BIST)
BIST techniques generally imply that the chip includes dedicated hardware to generate test patterns and analyze the output results. However, the overhead might be significant and unacceptable: for example, smart card chips have very strong area constraints, which may limit the implementation of additional hardware. The overhead may be reduced by using the cryptographic core itself to generate the patterns and to analyze the output response . With a minimal overhead, the core can test itself: the circuit is equipped with additional logic, which allows turning the device into self-testing mode. The BIST logic can be easily embedded into the encryption data path and into the key scheduler logic.
AES on Composite Fields (GCFAES)
A way to foil side-channel attacks which it is called GCFAES (Galois Composite Fields Advanced Encryption Standard): an architecture for the AES computation with Encryption Data Units redesigned to work on eight different Galois Composite Field mappings.
One of the most critical functional blocks of AES is the nonlinear layer, implemented by the SubBytes operation. For this reason, a large effort has been dedicated to the analysis and development of several implementations of the S-Boxes. These were implemented at the beginning as look-up tables, resulting thus in large blocks which also could not be pipelined when needed, which may be a major disadvantage. This technique maps each byte of the AES state, which is represented as an 8-bit Galois Field element GF(2^8), onto the composite field GF( 2^4 )^2.
Analysis of an implementation of BIST on GCFAES
The objective is to quantify the efficiency of a Built-In Self Test scheme when the Galois Composite Fields Multiple Mapping countermeasure is implemented. The main motivation of our work is to evaluate if the Composite Fields used for AES can modify the Built-In Self Test results shown in  because the architecture is modified.
In order to quantify this effectiveness we wanted to compare the fault coverage of a reference 128-bit AES with four S-Boxes under Built-In Self Test and the fault coverage of a BIST when the Circuit Under Test is a GCF AES. First, it is mandatory to study the precedent papers which dealt with these two concepts.  and  are the reference of our work. Then, a test procedure had to be set up. The idea is to produce a fault coverage ratio using Built-In Self Test on the reference AES or to use the results of . Indeed, the work made in this paper uses an architecture similar to ours, so the results are always relevant. Then in the same way, we have to get the fault coverage ratio of the same BIST architecture where the AES was replaced by the GCF AES tested in . The main complexity of our work is then to find a tool capable to compute the fault coverage ratio in these two cases. They are different ways to proceed in order to get this ratio. - a. Existing Commercial tools
- b. Injection during Simulation
To conclude this work, it is important to note that this context of research is more and more useful in our everyday life. Researcher are really active on these topics because it is really straightforward challenge: our security. The work we present in this paper expose and analyse a way to combine two important other works. This two other works are tackling two different but important problems, on the one hand, an implementation of a DPA countermeasure which propose to implement an AES architecture on Composite Fields. On the other hands, a proposition to use Built-In Self Test which permit to ensure a best testability to prevent hacking by manufacturing defect, adding the minimum of hardware. The question was to know if this BIST on GCFAS would be able to have the same fault coverage than with a standard AES, and what are the parameters of the fault coverage. We shown that stuck-at ‘1’ faults are detected as much as ‘0’ by BIST or by observing directly the AES’s output. Two kinds of test was made, first we determine that we can know with 95% of confidence that after 8 BIST iterations, 65% of permanent faults will be detected in the circuit under test. In that case, only 1 output BIST bit was observed, so it’s reasonably efficient. Moreover, we determine that the number of iteration increase the number of fault detected. Basically because the probability that the output is impacted increase with the ‘time’ that the data process into de circuit. The seconde conclusion was made observing 128 bits of the GCFAES outputs, forcing the number of mapping iteration to 1 and to change the mapping path on each test. In these conditions, the number of faults detected on every channels are identical and close to 75% (with 5% error margin).
Matteo Bollo, Paolo Maistri: Composite fields against side channel analysis for the advanced encryption standard. ICECS 2014: 542-545. Paolo Maistri, Cyril Excoffon, Régis Leveugle: Software Self-Testing of a Symmetric Cipher with Error Detection Capability. IOLTS 2008: 79-84. Régis Leveugle, A. Calvez, Paolo Maistri, Pierre Vanhauwaert: Statistical fault injection: Quantified error and confidence. DATE 2009: 502-506.
C. Paar, "Efficient VLSI Architectures for Bit-Parallel Computation in Galois Fields," Dissertation, Institute for Experimental Mathematics, Universität Essen, Germany, 1994.
N. K. Jha, and S. Gupta, "Testing of Digital Systems." Cambridge University Press, 2003, ch. 11-12. D. Hely, F. Bancel, M.-L. Flottes, B. Rouzeyre, “Secure scan techniques: a comparison”, 12th IEEE International On-Line Testing symposium, pp. 119-124, Como, Italy, July 10-12, 2006. B. Yang, K. Wu, and R. Karri , “Secure Scan: A Design-for-Test Architecture for Crypto Chips”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 25, no. 10, pp. 2287- 2293, Oct. 2006. Jinyi Zhang, Qingfeng Zhang and Jiao Li. “A Novel TPG Method for Reducing BIST Test-Vector Size.” Proceedings of HDP’07, 2007. National Institute for Standards and Technology (NIST), “FIPS-197: Advanced Encryption Standard (AES)”, Federal Information Processing Standards Publications, November 2001. B. Yang, K. Wu, R. Karri, “Scan-based Side-Channel Attack on Dedicated Hardware Implementations of Data Encryption Standard”, International Test Conference, pp. 339-344, 2004. M. Doulcier, M.L. Flottes, B. Rouzeyre, “AES vs LFSR based test pattern generation. A comparative Study”, in Proceedings of the 8th IEEE Latin-American Test Workshop (LATW’07), 2007. A. Rudra, P. K. Dubey, C. S. Jutla, V. Kumar, J. R. Rao, P. Rohatgi, “Efficient Rijndael Encryption Implementation with Composite Field Arithmetic,” CHES 2001, pp. 171-184. E. Barkan and E. Biham. In How Many Ways Can You Write Rijndael? In ASIACRYPT 2002, vol. 2501 of LNCS, pp. 160-175. Springer, 2002. H. Raddum. More Dual Rijndaels. In AES Conference 2004, volume 3373 of LNCS, pages 142–147. Springer, 2004. D. Hely, F. Bancel, M.-L. Flottes, B. Rouzeyre, “Secure scan techniques: a comparison”, 12th IEEE International On-Line Testing symposium, pp. 119-124, Como, Italy, July 10-12, 2006. B. Yang, K. Wu, and R. Karri , “Secure Scan: A Design-for-Test Architecture for Crypto Chips”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 25, no. 10, pp. 2287-2293, Oct. 2006. M. Doulcier, M.L. Flottes, B. Rouzeyre, “AES vs LFSR based test pattern generation. A comparative Study”, in Proceedings of the 8th IEEE Latin-American Test Workshop (LATW’07), 2007. B. Yang, R. Karri, “Crypto BIST: A Built-In Self Test Architecture for Crypto Chips”, Proc. of the 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC05), pp. 95-108, Edinburgh, 2005.