
Design methodologies for cryptographic hardware with countermeasures against side channel attacks / Bellizia, Davide. - (2018 Feb 22).

Design methodologies for cryptographic hardware with countermeasures against side channel attacks

BELLIZIA, DAVIDE
22/02/2018

Abstract

Since the protection of sensitive data is a major concern in modern devices, technological aspects have to be addressed properly. Although cryptographic algorithms are considered trustworthy in terms of cryptanalytic resilience, devices that implement such algorithms may not be physically secure. It has been proved that physical emissions in electronic devices can be related to the devices' activity. Hence, hardware implementations of cryptographic algorithms have to deal with unavoidable physical emissions. Verifying the robustness of an architecture against a given side-channel attack (SCA) involves evaluating the data dependency of the target physical emission. Attacks Exploiting Static Power (AESP) are a sub-class of power analysis attacks (PAAs) that benefit from the data dependency of static currents. In my research activity, I demonstrated how AESP can be very powerful in recovering the secret key even from dynamic PAA-protected implementations in nanometer technologies. Moreover, the temperature dependency of this side channel has been evaluated, since each static-current-related phenomenon is strongly dependent on the working temperature of the device under attack. Making use of this additional dependency, it is possible to simplify the extraction of information through static power consumption. A multivariate analysis of static power consumption using the working temperature as an additional domain has been investigated, and a brand new profiled attack, Template Attack Exploiting Static Power (TAESP), has been presented. In addition, a new measurement setup for mounting AESP and TAESP has been proposed during the PhD. The proposed measurement setup uses only low-cost off-the-shelf components and features a control loop for the working temperature of the device under attack. In this work, a DC pico-ammeter is used in place of the classical Digital Storage Oscilloscope (DSO) to measure static power consumption at steady state.
A novel logic style named Delay-based Dynamic Differential Logic (DDDL or D3L) has been proposed as a new logic-level countermeasure against PAAs. The new logic style has been conceived to be implemented using only standard cells, which are usually provided with each digital design kit. D3L makes use of Time Enclosed Logic (TEL) signaling, which has recently been demonstrated to outperform the conventional Return-to-Zero (RTZ) protocol in terms of security if mismatch effects are properly taken into account. The new library is presented with a template for 2-input Boolean operands, and a sequential gate is also described. Simulations of the novel logic style are provided using a 40nm CMOS design kit provided by STMicroelectronics. Since the D3L library can easily be designed in VHDL (or Verilog), a synthesizable description for two FPGAs (Xilinx Spartan-6 and Altera Cyclone-IV) has been formalized. Dynamic and static power attacks and evaluations have been practically performed on the Altera Cyclone-IV, using a 4-bit PRESENT-based crypto-core as a case study, together with a comparison between D3L and other popular FPGA-compatible dual-rail pre-charge logic styles used to counteract PAAs. During the research activity, an analog approach to counteracting PAAs has also been investigated. The analog approach is not well explored in the literature, but it offers several possibilities and benefits in counteracting the theft of information through power consumption. Two countermeasure schemes based on a feedback-loop architecture and a pure current-mode approach have been presented, named On-chip Current Equalizer (OCE) and improved On-chip Current Equalizer (iOCE). The purpose of OCE and iOCE is to keep the current consumption constant regardless of the data-dependent activities that take place in the cryptographic circuit. OCE and iOCE aim to equalize the instantaneous current consumption as well as the energy per cycle.
An intense experimental activity regarding the test and security evaluation of the 65nm SERPAES prototype chip has been carried out during the PhD. The SERPAES chip, designed at our laboratory, contains five implementations of the AES-128 block cipher and two full-custom prototype implementations of a 4-bit data-path of the SERPENT block cipher. The AES implementations are designed with RTL-level countermeasures that aim to randomize the power consumption of the data-path. An experimental analysis of PAA resilience on the AES-4 core has been performed, giving actual and information-theoretic security metrics. The protection scheme implemented on AES-4 is based on the adoption of the Secure Double Rate Register (SDRR), which aims to randomize the power consumption of the combinational network and registers. In addition, an evaluation of the security and robustness to PAAs has been performed on the full-custom section of the SERPAES chip, containing two implementations of a 4-bit data-path based on round 0 of the SERPENT block cipher. The SERPENT-based cores are implemented using the following full-custom logic styles: Sense Amplifier-Based Logic (SABL) and improved Delay-based Dual-rail Pre-charge Logic (iDDPL). PAA evaluations on both cores have been carried out, giving a fair comparison of state-of-the-art full-custom PAA countermeasures. The comparison has been performed for different cases of capacitive unbalance, in order to measure the performance of both logic styles in tolerating capacitive mismatches.
Files attached to this record

File: Tesi dottorato Bellizia (open access)
Note: entire document
Type: Doctoral thesis
License: Creative Commons
Size: 141.1 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1094643