1. Technical Field
The present invention relates to providing security to a logic system against attack through monitoring of observable features such as the power supply current or electromagnetic radiation, in so-called “side-channel attacks”. A side-channel attack may seek to obtain information concerning the contents of the system, such as a private key or crypto-engine data.
Any system that has a partially open clock data eye is susceptible to side-channel attack. It is not sufficient to close the eye partially: it must be fully closed to be secure. It is also not sufficient to add noise to a clock or data emitter to disguise the signal: statistical analysis of a noisy eye can determine very quickly what the data is once the noise has been averaged out. For a system to be secure from side-channel attack, the emissions must be completely random, and this requires a closed clock eye diagram. Attempts described in the prior art, other than a co-pending application by the same inventors, all leave an open, or partially open, clock eye diagram.
Reports that a synchronous system with a partially open clock eye diagram is resistant to attack reflect limits in the abilities of the attacker rather than a formal basis for relying on the system as being secure. For a provably secure system, the observable clock data eye must be closed.
2. Background of the Invention
Most logic circuits are implemented in standard CMOS, where the techniques for the design of such logic circuits are well known. It is typical in the design of standard CMOS logic circuit elements that current is drawn from the positive supply when the output of the logic circuit element changes from a logic-0 state to a logic-1 state. As an example, a typical CMOS inverter may consist of a PFET and an NFET, the source of the PFET connected to the positive supply, the drain of the PFET connected to the output, the gate of the PFET connected to the input, the source of the NFET connected to the negative supply, the drain of the NFET connected to the output and the gate of the NFET connected to the input. The PFET and NFET are generally implemented as enhancement-mode devices. Typically the load on the output of a CMOS inverter is a capacitor comprising the parasitic capacitance due to the routing of the output signal to other logic gates and the input capacitance of those other logic gates. A logic-0 state applied to the input of the CMOS inverter will turn on the PFET, turn off the NFET and charge any capacitance on the output, raising the output voltage to a logic-1 state. A logic-1 state applied to the input of the CMOS inverter will turn off the PFET and turn on the NFET, forcing the output voltage to the negative supply and generating a logic-0 state. Current flows from the positive supply into the output load of the CMOS inverter when the input changes from a logic-1 state to a logic-0 state. Current flows out of the load of the CMOS inverter when the input changes from a logic-0 state to a logic-1 state. Current may also flow directly from the positive supply to the negative supply when the CMOS inverter changes state, owing to a period during which both the PFET and the NFET may be turned on. In a highly synchronous system, where many logic elements change state under the direction of a clock, current peaks may be detectable in the system supply current.
It is these current peaks that may enable an observer to determine aspects of the system design that the system designer would rather remain private for reasons of security.
A typical example of where covert monitoring of the power supply current may reveal information to a third party is smartcard security. Smartcards employ encryption techniques to ensure that neither a PIN nor a private encryption key is revealed to a third party. The key in the encryption scheme has been shown to be readable by monitoring the smartcard power supply current. Techniques known as simple power analysis, differential power analysis and higher-order differential power analysis have been used to reveal the private encryption key, thereby rendering the security worthless.
It is not always necessary to use an intrusive technique such as breaking the power supply connections of a smartcard and monitoring the electrical current flow. Electromagnetic emissions occur as a result of current flow and may also be monitored to reveal the temporal position of current peaks, using very-near-field probes or Kelvin probes on atomic force microscopes.
It has been explained that in standard CMOS logic gates as employed in an integrated circuit, current peaks occur in the positive supply current when the output signal of a logic gate transitions from a logic-0 state to a logic-1 state. One attempt [U.S. Pat. No. 6,327,661] uses random noise generation and clock skipping to randomise the position of current peaks. Any introduction of random noise or changes in the clock rate will reduce the maximum data rate that can flow through the encryption engine. Such techniques also result in an increase in current consumption.
Another attempt [U.S. Pat. No. 6,507,130] to improve security relies on switching off the external supply during security-conscious operations and connecting to an internal capacitor which had previously been charged from the external supply. This method suffers from the requirement for an on-card capacitor, which may present a problem in terms of the card form-factor. The other problem with this approach is that the emissions from the capacitor may still be monitored using near-field probes, and the security-conscious operations are conveniently identified for the attacker simply by the switch in power source.
Another attempt [U.S. Pat. No. 6,766,455] uses a zener diode and bipolar transistor as a rudimentary linear supply voltage regulator to isolate the internal supply, and thereby prevent current peaks from exiting the system. This method suffers from increased power consumption, and it is not suitable for the highest level of integration because it uses components that are non-standard in VLSI standard CMOS processes. There are other disadvantages and weaknesses created by this method.
Another attempt to make it more difficult to determine the internal workings of an integrated circuit is to use differential logic gates [IEEE Proceedings, ISCAS 2005, Low Power Current Mode Logic for Improved DPA-Resistance In Embedded Systems, Toprak and Leblebicic]. In a differential logic gate there exists a true output and a complementary output, one of said outputs always generating a current spike in the positive supply when an output transition occurs.
Another attempt [U.S. Pat. No. 7,417,468] at reducing the current spikes is to employ specialised logic gates that have differential outputs, the differential outputs being reset to logic-0 and then pre-charged to logic-1 prior to evaluation of the final logic output level. Again, current peaks occur at every logic transition.
Another attempt to de-correlate current peaks and logic state transitions [IEEE Proceedings, ISCAS 2005, A Novel CMOS Logic Style with Data Independent Power Consumption, Aigner et al.] relies on using ternary logic levels.
The above methods have been shown to have some effect in improving the security of the integrated circuit in resisting attempts to obtain knowledge of the integrated circuit operation or contents. However, all of these methods rely on one or more of the following: balancing the edge speed of the inputs, generating equal delays for the true output and complementary output rising edges, and balancing the load capacitance, which also includes balancing the routing capacitance. Any imbalance reduces the effectiveness of the differential gate in generating constant-amplitude current spikes, thereby allowing an intruder simply to increase the complexity of the averaging algorithm to obtain the knowledge sought. These differential systems can also be compromised simply by reducing the supply voltage to the point where the differential pair saturates.
Varying the supply voltage, varying the clock frequency, or varying both the supply voltage and the clock frequency, have been shown to increase resistance to intruder attacks [DATE 2005, Power Attack Resistant Cryptosystem Design, A Dynamic Voltage and Frequency Switching Approach, Yang et al]. The improvement comes from the voltage variation, owing to the way it is implemented. The method consumes a lot of power because it uses a linear power supply with a high bandwidth. Near-field probing of the supply can detect the feedback to the supply, which provides the current information. The technique relies on the use of a linear power supply that can be modulated rapidly in time, which may require custom-designed cells not available in many standard CMOS processes. Further, the use of linear power supplies implies increased current consumption.
Methods that try to prevent power analysis by random frequency variations of a single clock can be compromised both by statistical analysis of the operation of the system on known plaintext, and by simply synchronizing the power monitor to the clock edge.
A common issue with all of the above methods is that there may be one or more penalties associated with the implementation, namely in power consumption, circuit processing speed or area. There is a need for a method to increase the resistance of an integrated circuit to intruder attacks with minimal penalty in speed, area or power consumption.
It is noted that in order for an intruder to successfully attack an integrated circuit the intruder is required to align multiple power consumption or current consumption traces and perform statistical analysis on the data. Randomising the position of current peaks reduces the ability of the intruder to align successive power consumption or current consumption traces.
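The two claims made above, that an attacker recovers the current peaks by aligning many traces to the clock and averaging away the noise, and that randomising the position of the peaks defeats this alignment, can be shown with a small simulation. The following is an added example written for this page, not code from the patent: the trace length, peak amplitude, noise level and modulation depths are constructed values, the noise is modelled as Gaussian and the peak displacement as uniform over a chosen fraction of the clock period, and the attacker's statistic is a plain clock-aligned average of traces.

```python
"""Averaging clock-aligned power traces: noise averages out, a fixed peak does not.

Added example (not from the patent).  Constructed model: one clock period is
sampled SAMPLES_PER_PERIOD times, the switching current peak of amplitude
PEAK_AMPLITUDE lands near PEAK_INDEX, and every sample carries Gaussian noise
of standard deviation NOISE_SIGMA, several times larger than the peak itself.
"""
import random
import statistics

SAMPLES_PER_PERIOD = 100   # samples per clock period (constructed)
PEAK_INDEX = 50            # nominal sample at which the current peak occurs
PEAK_AMPLITUDE = 1.0       # arbitrary units
NOISE_SIGMA = 3.0          # a single trace is dominated by noise


def one_trace(rng, eye_closure):
    """One noisy trace for one clock period.

    eye_closure is the fraction of the period over which the peak wanders:
    0.0 keeps it at PEAK_INDEX (fully open eye), 0.04 models a +/-2% clock
    displacement, 1.0 lets it land anywhere in the period (closed eye).
    """
    span = round(eye_closure * SAMPLES_PER_PERIOD / 2)
    pos = (PEAK_INDEX + rng.randint(-span, span)) % SAMPLES_PER_PERIOD
    trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(SAMPLES_PER_PERIOD)]
    trace[pos] += PEAK_AMPLITUDE
    return trace


def averaged_trace(n_traces, eye_closure, seed=1234):
    """Clock-aligned average of n_traces traces: the attacker's basic statistic."""
    rng = random.Random(seed)
    acc = [0.0] * SAMPLES_PER_PERIOD
    for _ in range(n_traces):
        for i, v in enumerate(one_trace(rng, eye_closure)):
            acc[i] += v
    return [a / n_traces for a in acc]


def noise_floor(avg):
    """Robust estimate of the residual noise (MAD scaled to sigma), so that a few
    elevated samples around the peak do not inflate the estimate."""
    med = statistics.median(avg)
    mad = statistics.median(abs(v - med) for v in avg)
    return max(1.4826 * mad, 1e-12)


def recover_peak(n_traces, eye_closure, seed=1234):
    """Return (sample index of the largest averaged value, its height in units
    of the residual noise).  A height of a few units is what pure noise gives;
    well above that, the peak, and hence the switching instant, is recovered."""
    avg = averaged_trace(n_traces, eye_closure, seed)
    idx = max(range(SAMPLES_PER_PERIOD), key=avg.__getitem__)
    return idx, avg[idx] / noise_floor(avg)


if __name__ == "__main__":
    for closure in (0.0, 0.04, 1.0):
        idx, snr = recover_peak(20_000, closure)
        print(f"eye closure {closure:4.0%}: peak found at sample {idx:3d}, "
              f"{snr:5.1f}x above the noise floor")
```

With the eye fully open the averaged peak stands tens of noise deviations above the floor; a ±2% displacement only spreads it over a few neighbouring samples and it is still recovered; only when the peak can land anywhere in the period (closed eye) does the average flatten to the noise level, which is the sense in which the text requires a closed clock eye rather than merely added noise.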
Changing the clock frequency can move the position of current peaks associated with logic state changes temporally. However, to modulate the clock frequency it is necessary to operate the system at a lower overall frequency than is possible without modulation, and the reduction in frequency is not generally beneficial. Further, in order to modulate the temporal position of current peaks over a wide time span it is necessary to lower the clock frequency significantly, which has ramifications for the overall performance of a system. Consider a synchronous logic system comprising D-type flip-flops (DFFs) where a signal path exists between two DFFs passing through a block of combinatorial logic. The highest frequency at which the system can be clocked depends to a large extent on the maximum propagation delay through the combinatorial logic. In a state-of-the-art system where it is desired to operate the logic system at the highest possible clock speed, the clock period is chosen so that it is slightly larger than the worst-case propagation delay through the combinatorial logic. Any attempt to modulate the clock to move the current peaks associated with state transitions within the logic system will therefore require that the average clock speed is reduced. It is desirable that the system clock operates at the highest frequency for highest performance. It is also desirable that current peaks are moved well away from their nominal temporal position in order to make side-channel attacks more difficult. These two desires are at odds with one another. In general, it is desirable to be able to modulate the system clock with minimal impact on the speed of the logic system, but solutions known in the prior art that use spread-spectrum clocking do not achieve that.
In a synchronous system such as shown in FIG. 1, applying large amounts of clock modulation lowers the operating speed. Consider a synchronous logic system as in FIG. 1 where the maximum delay between any two states of the system is, for example, 20 ns; assume that this figure includes not just the combinatorial path delay but also the delays inherent to correct DFF operation. With such a worst-case delay it is possible to operate the synchronous system at clock speeds up to 50 MHz. There is no possibility of applying random modulation to the system clock at this speed, as a random function is two-sided and would result in the clock period being less than the minimum allowed. This situation is shown in FIG. 2, where it can be seen that the eye diagram is 100% open and there is no possibility of modulating the clock without a reduction in operating frequency. To effect eye closure of, for example, 80% as shown in FIG. 3, the clock is modulated ±40%, and the clock period must then be increased so that the remaining eye opening represents the worst-case propagation delay. In this example the clock period must be increased to 100 ns, i.e. a reduction in operating frequency from 50 MHz to 10 MHz, which is a significant penalty in operational speed, and full eye closure is still not achieved. In the example of FIG. 3 the current peaks associated with state changes in synchronous logic are moved over a large portion of the clock period and security is improved, but only at the expense of a large reduction in clock frequency. It is beneficial to avoid large reductions in clock speed when modulating the clock to randomise the temporal position of current peaks in a synchronous logic system.
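The timing-budget arithmetic of this example, together with the few-percent spread-spectrum case discussed further below, can be checked with the following added example, written for this page and not taken from the patent. It assumes a simple model: each clock edge is displaced from its nominal position by a uniformly distributed random offset of up to ±m of the nominal period T, the statistical eye is the fraction of the period that no edge ever falls into, and consecutive edges must stay at least the worst-case register-to-register delay apart. The 20 ns delay and the ±40% and ±2% modulation depths are the illustrative values from the text; the number of simulated edges and phase bins are chosen here.

```python
"""Clock modulation depth versus statistical eye opening and clock-period penalty.

Added example (not from the patent).  Model assumed here: every clock edge is
displaced from its nominal position k*T by a uniform random offset in
[-m*T, +m*T] ('two-sided' random modulation).  The statistical eye is the part
of the period no edge ever lands in; correct operation needs every pair of
consecutive edges to be at least t_worst apart.
"""
import random


def eye_opening(m):
    """Fraction of the period that stays free of clock edges: 1 - 2m.

    The latest an edge can be is +m, the earliest the next one can be is -m,
    so edges cover 2m of the period; m >= 0.5 closes the eye completely."""
    return max(0.0, 1.0 - 2.0 * m)


def min_period_ns(t_worst_ns, m):
    """Smallest nominal period T such that the tightest edge pair is still
    t_worst apart: T * (1 - 2m) >= t_worst.  A closed eye has no finite answer."""
    opening = eye_opening(m)
    return t_worst_ns / opening if opening > 0 else float("inf")


def freq_mhz(period_ns):
    return 1000.0 / period_ns


def simulate(period_ns, m, n_edges=200_000, bins=100, seed=1):
    """Monte-Carlo view of the modulated clock.

    Returns (min_spacing_ns, measured_eye_opening): the smallest gap between
    consecutive edges, and the fraction of phase bins that no edge hit, i.e.
    the statistical eye an attacker sees when folding all edges onto one period.
    """
    rng = random.Random(seed)
    offsets = [rng.uniform(-m, m) for _ in range(n_edges)]   # in units of T
    edges = [(k + u) * period_ns for k, u in enumerate(offsets)]
    min_spacing = min(b - a for a, b in zip(edges, edges[1:]))
    hit = [False] * bins
    for u in offsets:
        hit[int((u % 1.0) * bins) % bins] = True
    return min_spacing, hit.count(False) / bins


if __name__ == "__main__":
    T_WORST = 20.0  # ns, worst-case register-to-register delay used in the text
    print(f"unmodulated: T = {T_WORST:.1f} ns -> {freq_mhz(T_WORST):.1f} MHz")
    # +/-2% (spread-spectrum clock part), +/-40% (the FIG. 3 case), closed eye
    for m in (0.02, 0.40, 0.50):
        T = min_period_ns(T_WORST, m)
        if T == float("inf"):
            print(f"+/-{m:.0%}: eye closed, no finite clock period keeps timing")
            continue
        spacing, opening = simulate(T, m)
        print(f"+/-{m:.0%}: T = {T:.2f} ns -> {freq_mhz(T):.2f} MHz, eye open "
              f"{eye_opening(m):.0%} (measured {opening:.0%}), min edge spacing "
              f"{spacing:.2f} ns, timing met: {spacing >= T_WORST - 1e-9}")
```

Under this model ±40% modulation forces the period from 20 ns to 100 ns (50 MHz to 10 MHz) and still leaves 20% of the eye open, while a ±2% spread-spectrum clock costs almost nothing in frequency precisely because it leaves 96% of the eye open and moves the current peaks by at most 2% of the period.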
Any system with either an internal clock, or an external clock supplemented by an internal clock for the encryption engine, can be compromised using a very-near-field probe. This form of attack is simplified by the packaging of smartcards, which generally use linished, i.e. very thin, die, whose rear surface is accessible after removing a local part of the package.
In many systems the clock may be modulated using an integrated circuit that is interposed between the original fixed-frequency clock and the synchronous logic block. Random modulation introduced by a spread-spectrum clock generator integrated circuit is typically only a few percent of the clock period; for example, the CY25811 spread-spectrum clock generator integrated circuit from Cypress Semiconductor Corporation allows double-sided modulation of up to ±2% of the clock period. It is clear that as the amount of modulation is small, so too is the amount of movement of the current peaks. The amount of modulation in spread-spectrum clock generator chips is generally kept quite low so that the designer of an integrated circuit or system does not have to guard-band the logic timing budget, and so that the maximum operating frequency is not impacted. Such a low amount of modulation has little impact on improving security, since such techniques do not close the clock eye diagram. Accordingly, techniques such as spread-spectrum clock generation do not provide much improvement in resistance against side-channel attacks.
Each of the foregoing prior-art countermeasures has one or more of the following drawbacks in an integrated circuit or other physical implementation of an encryption engine: insufficient protection, large physical size, high power consumption, a non-standard design flow, or lack of library availability, all of which impede the implementation of a robust and practical encryption engine with high immunity to attack through simple power analysis, differential power analysis or higher-order differential power analysis.
Any system employing a spread-spectrum clock can be compromised easily because the statistical eye diagram for the clock can never be closed: it must remain open at least as wide as the maximum propagation delay between two registers.