Preying On The Vulnerable

The energy consumed by a hardware device such as an FPGA depends on the switching activity of its transistors, which in turn depends on the operations it is performing. An attacker who is passively measuring a device's power consumption or electromagnetic emissions will recover some aggregated and noisy information related to the sensitive data being processed. SPA and DPA attacks use this information to extract secret keys from a device.

For FPGAs without DPA countermeasures, the threat is two-fold: design IP such as the FPGA configuration bitstream or microcontroller firmware may be stolen and cloned, reverse engineered or modified if keys used to protect the bitstream are extracted using DPA. Moreover, DPA can also be used to reveal keys being used by cryptographic operations being performed within the FPGA fabric or embedded microcontroller. For example, if an FPGA is being used for secure (encrypted) communications, DPA may be able to recover the encryption keys and compromise the communication.

Platform-Level Vulnerabilities

Modern FPGA platforms provide a variety of hard IP blocks and features. Some FPGAs include microprocessors and math blocks, as well as security features such as bitstream decryption. In the absence of effective power analysis countermeasures, these components and their associated security protections could be subverted using SPA or DPA. Normally, vulnerabilities in these features cannot be corrected by end users of the FPGA and are common to all FPGAs of a given design, so the impact of vulnerabilities in platform-level elements can be severe. Platform level DPA vulnerabilities of FPGAs are now a major focus of security research, and several papers have been published recently on this topic.

One line of research has focused on FPGA bitstream protection. Most FPGA’s offer bitstream encryption as a mechanism to protect sensitive IP loaded into the fabric from unauthorised disclosure, modification or cloning. All FPGAs load an externally supplied configuration bitstream: during each power-up (for SRAM based FPGAs), or initially and during any field upgrade operations (for Flash-based FPGAs). An attacker who gets access to this raw bitstream could make clones of the product, reverse-engineer the IP, or make unauthorised modifications. Bitstream encryption mitigates this threat by installing a secret symmetric key into an FPGA. When loading the bitstream, the FPGA decrypts and authenticates the bitstream with its key.

Bitstream encryption is subject to DPA as an attacker has access to the encrypted bitstream and can monitor the power consumed by the FPGA while it is loading the bitstream. A series of papers published recently have highlighted that most current generation FPGAs are vulnerable to DPA — a power trace from a single load of a bitstream is sufficient to recover the FPGA’s decryption key using DPA.

There is a large body of published literature showing how to mount power analysis attacks against different cryptographic algorithms loaded on FPGAs. These papers show that, in the absence of countermeasures, cryptographic implementations in the FPGA fabric are highly susceptible to DPA attacks, and in some cases, also to SPA attacks.

Thus, for information assurance applications such as encrypted communications or protecting data at rest, DPA countermeasures must be employed if it is possible for a capable adversary to obtain power measurements while the system is operating.

Simple And Differential Power Analysis

SPA attacks recover the secret keys by directly observing features within individual power consumption measurements. Implementations that have significantly different power consumption depending on secret key bits are most vulnerable to SPA. For example, modular exponentiations for RSA or Diffie-Hellman commonly use a key-dependent sequence of square and multiply operations. The pattern of these operations reveals the value of the key. For unprotected devices, this pattern can often be observed from a single operation.


Figure 1: Power trace of a portion of an RSA exponentiation operation, which is vulnerable to simple power analysis (SPA). The square and multiply sequence are shown along with bits of the recovered secret exponent

Figure 1 shows the power trace from an RSA operation using a standard square and multiply sequence. The square and multiply operations have visibly different power profiles that are easy to distinguish. Each ‘1’ in the secret exponent consists of a squaring step (lower power) followed by a multiplication step (higher power), while a ‘0’ in the exponent involves only a squaring step. In Figure 1, steps involved in squaring-only operations have been highlighted in green, while steps involving both squaring and multiplication are highlighted in red.

DPA attacks employ statistical techniques that combine multiple power consumption measurements to extract secrets. DPA is effective even when the information available from any individual cryptographic transaction is small and masked by other activity and noise. The basic concept behind DPA is that the overall power consumption of a device is correlated to the computational intermediates it is processing at that time. By focusing on intermediates that depend only on a few bits of the key, it is possible to use power measurements to determine those bits of key. For every possible value of these key bits, one can predict the computational intermediate, and then look for correlations between the power measurements and bits of the predicted intermediate.


Figure 2: DPA: Correlation of power traces with a predicted intermediate for a correct guess (middle) versus an incorrect guess (bottom), both amplified 100 times vs. an averaged trace (top)

As shown in Figure 2, for a correct value of these key bits, correlation spikes are observed whenever the predicted intermediate is being processed. For all other (incorrect) values of the key bits, there are no correlation spikes, or the spikes are much smaller. The same divide-and-conquer approach can be repeated with other intermediates to determine other bits of the key.

As an example, Figure 3 shows a DPA attack on the sample AES implementation provided with the SASEBO-GII platform. This is a straightforward FPGA implementation of AES-128, with one round per clock cycle and the clock running at 24MHz. The top trace shows the average power trace from 10000 encryption operations, measured using a 1Ω resistor at the VCC side. The 11 dips correspond to the 11 clock cycles it takes to perform the AES operation. The bottom trace shows the correlation of power traces with a predicted intermediate in round 10 (cycle 11), for the correct guess of a key byte. The sharp rising edge in the correlation trace confirms that the guessed key byte is correct.


Figure 3: A DPA attack on an FPGA-based AES implementation. The top trace is the average AES trace, and the bottom trace shows the correlation between power traces with a predicted round 10 intermediate for the correct guess of a key byte

Less than 5ms of actual cryptographic computation time was observed; and only a minute of processing time on a PC was required for the analysis to extract the entire 16-byte key using the Cryptography Research DPA Workstation analysis software.

Countermeasures

Cryptography Research (CRI), now a division of Rambus, discovered SPA and DPA in the 1990s and developed and patented the fundamental techniques for securing systems against these attacks. Defending against DPA requires the careful application of these countermeasure techniques. Many products have been designed that pass stringent tests for DPA resistance.

Of the major FPGA companies, only Microsemi currently has a DPA patent license from CRI. The Microsemi SmartFusion2 family of SoC FPGAs are the only FPGAs currently on the market that have DPA protection for platform-level features. Most Microsemi FPGAs are available in a version with a ‘pass-through’ CRI patent license covering end-user or third-party implemented data security DPA countermeasures, such as might be loaded as gate-level logic in the FPGA fabric or executed as firmware by a hard or soft microcontroller.

At a high level, general categories of countermeasures to DPA exist.

Leakage reduction: These techniques make the leakage from a sequence of operations less dependent on the key or secret intermediates. Balancing techniques to reduce net variation in power consumption can be employed. The overall goal is to reduce the leakage signal-to-noise ratio, increasing the number of measurements an adversary requires for a successful attack.

Noise introduction: These techniques add noise into the power consumption measurements reducing the leakage-signal to noise ratio, thus increasing the number of power traces required. Noise can be generated in the amplitude domain (e.g., by consuming random amounts of power) or in the temporal domain (e.g., by randomising operation timing).

Obfuscation: By keeping algorithms secret, the attacker is forced to perform reverse engineering along with power analysis. Such countermeasures typically do not provide any security once an adversary understands the operation of the obscure function, but can increase the initial effort required for an attack.

Incorporating randomness: These categories include a broad range of techniques for randomising the data manipulated by the device in ways that still produce the correct result. For public key systems, techniques for masking or blinding of data and keys can be particularly effective. Similarly, for symmetric algorithms such as AES, techniques for masking intermediates and tables can be effective. These techniques force the attacker to employ more complex attacks, such as higher order DPA, that require a larger number of measurements.

Protocol level countermeasures: These approaches involve designing the cryptographic protocols to preserve security even if some information leaks from each cryptographic operation. Secrets are continually refreshed and updated so that an attacker is never able to get sufficient information to solve for any particular value. While these methods cannot be used with legacy protocols, designers who have flexibility in protocol design can use these methods to achieve the highest level of security against power analysis.

Because DPA attacks use signal processing to amplify leaked information, systems generally benefit from using multiple countermeasures. Designers need to consider which techniques to use, given their application’s security requirements and engineering constraints. The flexibility of FPGAs permits designers to iteratively refine and test their implementations until the desired level of DPA-resistance is achieved.

FPGAs are now available that have platform-level protections against DPA, defending the user’s IP from cloning, reverse engineering, or modification. Developers of end user applications requiring data security can build cryptographic implementations using these platforms that are themselves DPA resistant, protecting the end-application data. DPA countermeasures are essential whenever adversaries can gain physical access to a system and security is a priority.