Breaking the Bitstream Decryption of FPGAs
05. Sep. 2012
Amir Moradi
Embedded Security Group, Ruhr University Bochum, Germany
Embedded Security Group
Acknowledgment
• Christof Paar
• Markus Kasper
• Timo Kasper
• Alessandro Barenghi
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Outline
• Side‐Channel Attacks (in general)
– DPA/CPA
• Xilinx Bitstream Encryption

Side‐Channel Attacks
• Physical attacks
– observing physical characteristics of a cryptographic DEVICE, e.g.,
  • power consumption
  • running time
  • electromagnetic radiation
– usually divide‐and‐conquer scheme
– recovering the relation between the side‐channel leakage and processed data

How to Measure Side‐Channel Leakages
• Running Time -> straightforward by a counter/timer
• Power Consumption
– a resistor, an oscilloscope

Differential Power Analysis (DPA)
• Classifying the power consumption values in two groups
• Comparing e.g., mean of the groups
[Figure: Sbox with inputs k and p]
p: 12 3d 78 … f9 ab 3d
power: 0.12 0.01 0.14 … 0.20 0.06 0.02
[k=00] S: c9 27 bc … 99 62 27
[k=00] LSB: 1 1 1 … 1 0 1
[k=01] S: 7d eb b6 … 41 ac eb
[k=01] LSB: 0 0 0 … 1 1 0
…
[k=ff] S: 55 25 17 … 6f 20 25
[k=ff] LSB: 1 1 1 … 1 0 1
Diff. of Means (power LSB 1, power LSB 0), per key guess: 0.001, 0.002, …, 0.020, …, 0.001

Correlation Power Analysis (CPA)
• hypothetical model for power consumption
• compare the model with side‐channel leakage (power)
[Figure: Sbox with inputs k and p]
p: 12 3d 78 … f9 ab 3d
power: 0.12 0.01 0.14 … 0.20 0.06 0.02
[k=00] S: c9 27 bc … 99 62 27
[k=00] model: 4 4 5 … 4 3 4
[k=01] S: 7d eb b6 … 41 ac eb
[k=01] model: 6 6 5 … 2 4 6
…
[k=ff] S: 55 25 17 … 6f 20 25
[k=ff] model: 4 3 4 … 6 1 3
Correlation, per key guess: 0.011, 0.060, …, 0.231, …, 0.095
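
The DPA and CPA procedures from the slides above, run end to end on simulated traces (an added example, not code from the talk). It assumes the Sbox is the AES S-box applied to p XOR k, which reproduces the slides' S rows (p=12, k=00 gives c9), and that the CPA model row is the Hamming weight of that output (c9 gives 4); the noisy Hamming-weight leakage, the trace count and all function names are constructed for illustration.

```python
import math
import random


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def build_sbox():
    """AES S-box: multiplicative inverse followed by the fixed affine map."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    return [i ^ rotl(i, 1) ^ rotl(i, 2) ^ rotl(i, 3) ^ rotl(i, 4) ^ 0x63
            for i in inv]


SBOX = build_sbox()
HW = [bin(x).count("1") for x in range(256)]  # Hamming weight table


def simulate_traces(key, n, sigma, seed):
    """Constructed data: one power sample per plaintext byte.

    Assumed leakage: Hamming weight of Sbox(p XOR key) plus Gaussian noise.
    """
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    power = [HW[SBOX[p ^ key]] + rng.gauss(0.0, sigma) for p in pts]
    return pts, power


def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0


def dpa_scores(pts, power):
    """DPA: per key guess, split power by the predicted LSB and
    return |mean(power, LSB=1) - mean(power, LSB=0)|."""
    scores = []
    for k in range(256):
        ones = [w for p, w in zip(pts, power) if SBOX[p ^ k] & 1]
        zeros = [w for p, w in zip(pts, power) if not (SBOX[p ^ k] & 1)]
        scores.append(abs(mean(ones) - mean(zeros)))
    return scores


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0


def cpa_scores(pts, power):
    """CPA: per key guess, correlate the Hamming-weight model with power."""
    return [abs(pearson([HW[SBOX[p ^ k]] for p in pts], power))
            for k in range(256)]


def best_guess(scores):
    """Key guess with the highest distinguisher value."""
    return max(range(256), key=lambda k: scores[k])


def margin(scores):
    """Ratio of the best score to the runner-up; near 1.0 means the
    traces do not single out one key guess."""
    top, second = sorted(scores, reverse=True)[:2]
    return top / second if second else float("inf")


if __name__ == "__main__":
    SECRET = 0x2B  # constructed key byte for the simulation
    pts, power = simulate_traces(SECRET, 3000, 0.5, 1)
    for name, scores in (("DPA", dpa_scores(pts, power)),
                         ("CPA", cpa_scores(pts, power))):
        print(f"{name}: best guess {best_guess(scores):02x}, "
              f"margin {margin(scores):.2f}")
```

Raising `sigma` or lowering `n` shrinks the margin, which is how an evaluator judges whether noise or a countermeasure is enough for a given trace budget.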

Challenges
• Measurement quality
• Knowledge about the target device
– Mostly in evaluation labs (perfect situation)
• How about a real‐world scenario

FPGAs = Reconfigurable Hardware
Case Study: Xilinx Bitstream Encryption
Widely used in
• routers
• consumer products
• automotive, machinery
• military
• > million gates
Config file
• Configuration loaded at power‐up
• bitstream ≈ Mbits

Bitstream/Configuration
[Figure labels: PCB board, SRAM FPGA, E2PROM, Factory, Power‐up]
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROMFactoryInternet
Firmware Update
Power‐upAttacker? =
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
Side‐Channel?
[Diagram; labels: PCB board, E2PROM, DEC, power‐up, VCC‐IO, VCC‐AUX, VCC‐INT, E2PROM with unencrypted bitstream]

Challenges
structure analysis
protocol analysis
– bit‐wise feeding the encrypted bitstream
– developing a sophisticated configuration device
trigger signal
– start of each ciphertext block
visual inspection

Some Figures
[Figures not included in the transcript]

Bitstream Structural Analysis
There are several documents by Xilinx on bitstream structure, but some parts related to encryption remain unclear
Analysis and comparison of plain and encrypted bitstreams revealed that:
– The selection of the decryption key from the storage is readable
– The Initialization Value of the CBC mode is embedded in the bitstream
– The decryption engine is enabled by a bitstream command
[Figure; labels: plain, encrypted]

Decryption Timing
Find when the decryption takes place
– Must occur after at least a whole ciphertext block (64 bit) is in
– Should take place in less than 64 bits being sent in, to match on-the-fly decryption
Compare the power consumptions of encrypted and unencrypted bitstreams to reveal the time position
The JTAG clock is driven by us
– We can freeze the programming process

Power Traces?
[Figure: power trace; labels: Ciphertext i‐1, Ciphertext i, Decryption (Ciphertext i‐1)]

Decryption Phase
Two clock cycles after a ciphertext block is in, the decryption is performed
[Figure; labels: unencrypted bitstream, encrypted bitstream]

Isolating the encryption engine
Encryption engine far smaller than the whole FPGA circuit
The device embeds a CPU (PowerPC403) in the fabric
As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis
Since the PPC is clocked at 300 MHz by an internal clock source, band-stop filtering the power traces removes its contribution

Zoomed Traces/Filtering
[Figures: raw and filtered traces; timewise variance of 10k encryptions, raw and filtered]

Power consumption/architecture hypotheses
To successfully perform the attack, hypotheses on the decryption engine architecture must be made
Switching activity of buffers storing intermediate values is a good candidate for a power model
DES cipher state buffer switching activity was modeled during a cipher round
Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses)
Consumption model: switching activity of the round buffer

Assumed Internal Architecture
Round based implementation of DES
Separate stage for initial and final permutation
One round per crypto-engine clock cycle
Internal 64 bit buffer stores cipher state

Architecture Hypothesis Validation
Need to validate the architecture hypothesis before the attack
Correlating to HW of ciphertexts and output of each DES
Correlating to HD of consecutive round outputs

Final Attack Results
Attack on 6 bits of the 1st DES key (round 1)
The key is recoverable with ~50000 decryption power measurements (less than a single bitstream decryption for almost all V2Pro devices)
The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s
A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop
Complete 3DES key recovered in 2-3 minutes of computation

Final Attack Results
Successful Side Channel attack estimating a very small part of the active digital logic
– Correlation power analysis is scale invariant, as long as there are correlated variations
No explicit SCA countermeasures present, sheer size of the platform thought to be enough
– Proper filtering of the obtained signal removes non-relevant consumption
Mainly security through obscurity
– Methodic reverse engineering leads to figuring out the structure

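The scale-invariance point above, as an added example that is not part of the original slides: a simulated 64-bit state register whose Hamming-distance leakage is buried in noise from unrelated logic, then scaled and shifted as a measurement chain would. The noise levels, gain, offset and function names are assumptions chosen for illustration; no key or real device is involved.

```python
import math
import random


def hamming_distance(a, b):
    """Number of bit flips when a register changes from a to b."""
    return bin(a ^ b).count("1")


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def simulate(n_traces, noise_sigma, gain=1.0, offset=0.0, seed=1):
    """Constructed data: one sample per trace = HD of a 64-bit register
    update plus Gaussian noise standing in for all unrelated logic,
    then scaled and shifted as a probe/amplifier chain would do."""
    rng = random.Random(seed)
    model, samples = [], []
    for _ in range(n_traces):
        hd = hamming_distance(rng.getrandbits(64), rng.getrandbits(64))
        model.append(hd)
        samples.append(gain * (hd + rng.gauss(0.0, noise_sigma)) + offset)
    return model, samples


def expected_rho(noise_sigma, bits=64):
    """HD of two uniform words is Binomial(bits, 1/2), variance bits/4,
    so rho = sqrt(var_signal / (var_signal + var_noise))."""
    var_signal = bits / 4.0
    return math.sqrt(var_signal / (var_signal + noise_sigma ** 2))


def traces_needed(rho, z=3.719):
    """Fisher-z rule of thumb for the number of traces at which a
    correlation of size rho is distinguishable from zero
    (z = 3.719 corresponds to a confidence of 0.9999)."""
    return 3 + 8 * (z / math.log((1 + rho) / (1 - rho))) ** 2


if __name__ == "__main__":
    for sigma in (40.0, 400.0):  # assumed noise levels, in HD units
        rho = expected_rho(sigma)
        print(f"sigma={sigma:6.1f}  rho={rho:.4f}  "
              f"traces ~ {traces_needed(rho):,.0f}")
    m, raw = simulate(20000, 40.0)
    _, scaled = simulate(20000, 40.0, gain=0.001, offset=5.0)
    print("measured rho, raw   :", round(pearson(m, raw), 4))
    print("measured rho, scaled:", round(pearson(m, scaled), 4))
```

Ten times more unrelated noise raises the trace count by roughly a factor of one hundred but never brings the correlation to zero, which is why platform size alone does not act as a countermeasure.
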
How about more recent devices V4, V5, S6?

Visual Inspection
[Figure: traces labelled CLK, normal and ENC; average over 10k traces]

Filtering
[Figure: traces labelled CLK and ENC; zoom, filter; peak extraction, AES‐256]

Known Steps
guessing the architecture
guessing the power model
known‐key scenario
check their validity
Finally after 3 months…

Findings
Architecture (AES‐256)
Bit flips in registers (Hamming distance) as the model

Model for Power Consumption
Hamming Distance of state register R
Problem: At least 64‐bit hypothesis to attack power consumption of 32‐bit leakage

Model for Power Consumption
Exploit linearity
32‐bit hypotheses to attack single bit power model
Fine in theory, but can we detect the leakage of a single bit in practice?

The Attack
2^35 (= 34,359,738,368) keys to test
60,000 power traces
128 GiB of 32‐bit floating point results
Can be done but not practical on CPUs

GPUs for Power Analysis
Used System
– 4x Nvidia Tesla C2070 GPUs
– Each one has 6 GB of RAM and 448 cores
– Clocked at 1.15 GHz
HDD is not the bottleneck
Full attack in around 4.5 hours (V4, 60k traces)

Result
Virtex‐4, 60k traces
Other columns show similar results
Virtex‐5:
– The same attack works (6.5 hours, 90k traces)

Lessons Learned
Bitstream encryption is vulnerable to SCA
New modern CMOS technology can be attacked in practice (90nm/65nm/45nm)
Reusing crypto cores simplifies analyses
Attacks on 32‐bit hypotheses are realistic threats
GPUs are a nice tool for attacks where computation time dominates

Recent Results and ongoing Work
Up to now, the broken devices:
– Virtex‐II pro
– Virtex‐4
– Virtex‐5
– Spartan‐6
– Actel (Microsemi), S. Skorobogatov, C. Woods
• http://eprint.iacr.org/2012/296
Those which come sooner or later
– Virtex‐6
– Kintex‐7
– Stratix‐II (Altera)