A formal study of two physical countermeasures against side channel

A formal study of two physical countermeasures against side channel attacks PROOFS’2012

Sébastien Briais

Sylvain Guilley

Jean-Luc Danger

2012, September 13th

2012 All rights reserved | Public document, property of Secure-IC S.A.S.

Outline
1. Introduction
2. Combinational Circuits
   1. Language
   2. Formal semantics, equivalences
3. Formalisation of WDDL and BCDL
   1. Preliminaries
   2. WDDL
   3. BCDL
4. Discussion
5. Conclusion

1. Introduction

Physical Attacks

Cryptographic devices need to be protected.

Side-Channel Attacks
- Passive attacks.
- Power consumption, electromagnetic radiation, computation time... may leak sensitive data.

Extra logic is required in order to mask the sensitive data or to balance the leakage.

Dual-rail Precharge Logic

Aims at making the device activity independent of the data being processed.

A signal is represented by a pair of wires: T = 10, F = 01.

A cycle of computation alternates two phases:
- precharge phase: propagation of NULL = {(0, 0)} through the combinational part of the circuit.
- evaluation phase: the data is processed by the combinational part of the circuit.

Many proposals: WDDL, STTL, DRSL, BCDL, ...

Possible vulnerabilities:
- Glitches
- Early evaluation

2. Combinational Circuits

2.1 Language

Syntax

A combinational circuit is a directed acyclic graph of logical gates.

Combinational circuits
Let G be a set of logical gates. We define by induction the set of combinational circuits over G:

P, Q ::= 0          empty circuit
       | g          logical gate g ∈ G
       | I          a single wire
       | Y          a fork
       | X          a swap
       | P | Q      parallel composition
       | P ; Q      sequential composition

Well-formedness

P : n ⊗ m means that P is a circuit with n inputs and m outputs.

- 0 : 0 ⊗ 0
- I : 1 ⊗ 1
- Y : 1 ⊗ 2
- X : 2 ⊗ 2
- g : n ⊗ m, if g ∈ G and T(g) = (n, m)
- P1 | P2 : n1 + n2 ⊗ m1 + m2, if P1 : n1 ⊗ m1 and P2 : n2 ⊗ m2
- P1 ; P2 : n ⊗ p, if P1 : n ⊗ m and P2 : m ⊗ p

Example: a half-adder

G = {AND, XOR}

Half := (Y | Y) ; (I | X | I) ; (AND | XOR)

Half is a combinational circuit with 2 inputs and 2 outputs, i.e. Half : 2 ⊗ 2.

2.2 Formal semantics, equivalences

Preliminary definitions

Alphabet, words, concatenation.
- An alphabet Σ is a finite set of letters.
- A word u over Σ is a finite sequence of letters u = u1 · · · un where ui ∈ Σ.
- The set of words over Σ is denoted Σ∗.
- The integer n is the length of u and is denoted |u|.
- The empty word is denoted  and is the unique word of length 0.
- The set of words of length n is denoted Σⁿ.
- The concatenation of u = u1 · · · un and v = v1 · · · vm is defined by u • v := u1 · · · un v1 · · · vm.

Formal semantics

The semantics of circuits is given by a relation of Σ∗ × Σ∗, read "C computes y on input x":
- for g ∈ G and x ∈ Σ∗ with E(g)(x) = y ∈ Σ∗, g computes y on input x;
- 0 computes the empty word on input the empty word;
- for a ∈ Σ, I computes a on input a;
- for a ∈ Σ, Y computes aa on input a;
- for a, b ∈ Σ, X computes ba on input ab;
- if P1 computes y1 on input x1 and P2 computes y2 on input x2, then P1 | P2 computes y1 • y2 on input x1 • x2;
- if P1 computes y on input x and P2 computes z on input y, then P1 ; P2 computes z on input x.

E(g) is a partial function Σ∗ ⇀ Σ∗, defined consistently w.r.t. the typing function.

P ≃ Q ⇐⇒ ∀x, y : (P computes y on input x ⇐⇒ Q computes y on input x)

Structural congruence

≡ identifies circuits that only differ in some minor wiring details. It is the smallest congruence that satisfies the following equations:

- (P1 | P2) | P3 ≡ P1 | (P2 | P3)
- P | 0 ≡ 0 | P ≡ P
- (P1 ; P2) ; P3 ≡ P1 ; (P2 ; P3)
- If P : n ⊗ m then I_n ; P ≡ P ; I_m ≡ P
- If P1 : n ⊗ m and P2 : m ⊗ p then (P1 ; P2) | (P3 ; P4) ≡ (P1 | P3) ; (P2 | P4)
- Y ; (I | Y) ≡ Y ; (Y | I)
- Y ; X ≡ Y
- X ; X ≡ I | I
- X ; (Y | Y) ≡ (Y | Y) ; (I | X | I) ; (X | X) ; (I | X | I)

Some results

- If P : n ⊗ m and P : n′ ⊗ m′ then n = n′ and m = m′.
- If P ≡ Q then P : n ⊗ m ⇐⇒ Q : n ⊗ m.
- If P computes y on input x then P : |x| ⊗ |y|.
- If P : n ⊗ m and P computes y on input x then |x| = n and |y| = m.
- If P : n ⊗ m then for any x such that |x| = n there exists y such that P computes y on input x.
- If P computes y on input x and P computes z on input x then y = z.
- ≃ is a congruence.
- If P and Q are ill-formed then P ≃ Q.
- ≡ ⊆ ≃.

3. Formalisation of WDDL and BCDL

3.1 Preliminaries

Definitions

In the following, let Σ = {0, 1}.
We set T = 10, F = 01, N = 00 and E = 11.
NULL = {N}, VALID = {T, F}, FAULT = {E}.

Let  be the partial order defined by: [diagram over T, F and N]

Let ∼ be the equivalence relation on Σ² whose equivalence classes are NULL, VALID and FAULT.
We extend these definitions to words of even length.

For u ∈ Σ∗, we let [u] ∈ VALID∗ be the corresponding word in dual-rail logic.
Example: [0110] = FTTF = 01101001

3.2 WDDL

Transformation process

[Figure: transformation of each construct into its dual-rail counterpart. A gate with inputs a, b and output s becomes a pair of gates with inputs a_t, b_t and a_f, b_f and outputs s_t and s_f; a wire a becomes the pair a_t a_f, and forks and swaps are duplicated accordingly; compositions of P and Q become the same compositions of ⟦P⟧ and ⟦Q⟧.]

Properties

⟦P⟧ fulfils the DPL invariants.
- If ⟦P⟧ computes y on input x and x ∈ NULL∗ then y ∈ NULL∗.
- If ⟦P⟧ computes y on input x and x ∈ VALID∗ then y ∈ VALID∗.

The transformation is sound.
- If P computes y on input x then ⟦P⟧ computes [y] on input [x].

No glitches are possible.
- If ⟦P⟧ computes y on input x, ⟦P⟧ computes y′ on input x′ and x  x′, then y  y′.

Interpretation of 

 models the transition of signals from precharge state (NULL) to evaluation state (VALID).

[Timing diagram of a_t, a_f, b_t, b_f over time t: NN, then TN, then TF.]

3.3 BCDL

Transformation process

[Figure: the BCDL transformation of a gate g with inputs a, b, c, ...: dual-rail inputs a_t, a_f, b_t, b_f, c_t, c_f, ..., a precharge signal pre, and blocks labelled T_g and F_g; compositions of P and Q become the same compositions of ⟦P⟧ and ⟦Q⟧, with the signal pre.]

Properties

⟦P⟧ fulfils the DPL invariants.
- If ⟦g⟧ computes y on input 1x then y ∈ NULL∗.
- If ⟦P⟧ computes y on input ˆ1x and x ∈ NULL∗ then y ∈ NULL∗.
- If ⟦P⟧ computes y on input ˆ0x and x ∈ VALID∗ then y ∈ VALID∗.

The transformation is sound.
- If P computes y on input x then ⟦P⟧ computes [y] on input ˆ0[x].

No glitches are possible.
- If ⟦P⟧ computes py ˆ on input px ˆ, x  x′ and ⟦P⟧ computes py ˆ′ on input px ˆ′ then y  y′.

There is no early-evaluation.
- If ⟦P⟧ computes y on input ˆ0x and y ∈ VALID∗ then x ∈ VALID∗ (provided that P does not contain gates with 0 outputs).

The transformation is complete.
- If ⟦P⟧ computes y′ on input ˆ0x′ and y′ ∈ VALID∗ then there exist x, y such that x′ = [x], y′ = [y] and P computes y on input x (provided that P does not contain gates with 0 outputs).

The secured circuit behaves the same on equivalent inputs.
- If ⟦P⟧ computes y on input px ˆ, ⟦P⟧ computes y′ on input px ˆ′ and px ˆ ∼ px ˆ′, then y ∼ y′.

Interpretation of ∼

∼ equates words which have the same amount of information, i.e. in which corresponding dual-rail signals have the same nature.

[Two timing diagrams of a_t, a_f, b_t, b_f over time t, side by side: NN and NN, then TN and FN, then TF and FF.]

Back to WDDL

[Figure: the AND_WDDL gate, with inputs a_t, b_t and output s_t, and inputs a_f, b_f and output s_f.]

The AND_WDDL gate suffers from early-evaluation.
- x = 0100 ∉ VALID∗ and y = 01 ∈ VALID∗
- (a_t = 0, b_t = 0, s_t = 0; a_f = 1, b_f = 0, s_f = 1)

The AND_WDDL gate behaves differently on equivalent inputs.
- x = 0100 ∼ x′ = 1000 and y = 01  y′ = 00
- (for x′: a_t = 1, b_t = 0, s_t = 0; a_f = 0, b_f = 0, s_f = 0)
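Added example, not part of the original slides: an exhaustive check of the two AND_WDDL claims above, set against a simplified barrier gate. It assumes the usual WDDL AND (s_t = a_t AND b_t, s_f = a_f OR b_f), which agrees with the values shown on the slide; `and_barrier` and all function names are hypothetical, and the barrier is a model of the synchronisation idea, not the BCDL construction itself.

```python
# Added example (not from the slides): exhaustive check of the AND_WDDL gate.
from itertools import product

T, F, N, E = "10", "01", "00", "11"           # dual-rail letters, as on the slides
CLASS = {N: "NULL", T: "VALID", F: "VALID", E: "FAULT"}

def pairs(word):
    """Split an even-length word over {0, 1} into dual-rail pairs."""
    assert len(word) % 2 == 0
    return [word[i:i + 2] for i in range(0, len(word), 2)]

def encode(u):
    """[u]: dual-rail encoding of a single-rail word, e.g. [0110] = FTTF."""
    return "".join(T if bit == "1" else F for bit in u)

def nature(word):
    """Class of each pair; two words are ~-equivalent iff these lists match."""
    return [CLASS[p] for p in pairs(word)]

def equivalent(x, y):
    return nature(x) == nature(y)

def all_in(word, cls):
    return all(c == cls for c in nature(word))

def and_wddl(x):
    """Assumed WDDL AND: s_t = a_t AND b_t, s_f = a_f OR b_f (x = a_t a_f b_t b_f)."""
    at, af, bt, bf = (int(c) for c in x)
    return f"{at & bt}{af | bf}"

def and_barrier(x):
    """Simplified barrier model (assumption): evaluate only once every input is VALID."""
    return and_wddl(x) if all_in(x, "VALID") else N

# Every fault-free input word for a two-input gate: each signal is N, T or F.
INPUTS = ["".join(p) for p in product((N, T, F), repeat=2)]

def early_evaluations(gate):
    """Inputs not in VALID* whose output is already in VALID*."""
    return [x for x in INPUTS
            if all_in(gate(x), "VALID") and not all_in(x, "VALID")]

def distinguishable_pairs(gate):
    """Pairs x ~ x' whose outputs are not ~-equivalent."""
    return [(x, y) for x in INPUTS for y in INPUTS
            if x < y and equivalent(x, y) and not equivalent(gate(x), gate(y))]

def dpl_invariants_hold(gate):
    """NULL* inputs give NULL* outputs, VALID* inputs give VALID* outputs."""
    return all((not all_in(x, c)) or all_in(gate(x), c)
               for x in INPUTS for c in ("NULL", "VALID"))

def sound(gate):
    """If AND computes s on input ab, the gate computes [s] on input [ab]."""
    return all(gate(encode(a + b)) == encode(str(int(a) & int(b)))
               for a in "01" for b in "01")

if __name__ == "__main__":
    for name, gate in (("AND_WDDL", and_wddl), ("barrier AND", and_barrier)):
        print(name, "invariants:", dpl_invariants_hold(gate), "sound:", sound(gate))
        print("  early evaluation on:", early_evaluations(gate))
        print("  distinguishable equivalent inputs:", distinguishable_pairs(gate))
```

Both gates pass the invariant and soundness checks; only the properties quantified over partially evaluated inputs separate them.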

4. Discussion

[Figures: gate diagrams labelled a_t, b_t, s_t, a_f, b_f, s_f and a, a_f, a_t, b, b_f, b_t.]

- BCDL fixes WDDL by adding a synchronisation barrier.
- How to address the race between the synchronisation signal and the data signals? (DRSL vulnerability)
- How to discriminate this circuit?
- Measure the activity of circuits and show that the activity of a circuit is constant on equivalent inputs, i.e. x ∼ x′ ⇒ µ_C(x) = µ_C(x′)

5. Conclusion

Summary

- We defined a calculus to describe combinational circuits.
- We formally defined the WDDL and BCDL securisation processes.
- We proved the correctness of these two transformations.
- Regarding security properties, we identified some necessary conditions to fulfil.

Perspectives

- Apply the model to other dual-rail styles.
- Refine the model.

The End

Thank You

Rotations

On words: in both directions the rotation of the empty word is the empty word and, for a ∈ Σ, u ∈ Σ∗,
  \overrightarrow{ua} = au
  \overleftarrow{au} = ua

We define by induction on n ∈ ℕ the circuit ror_n:
  ror_0 := 0
  ror_1 := I
  ror_{n+2} := (I_n | X) ; (ror_{n+1} | I)
We have: ror_n computes y on input x ⇐⇒ |x| = n ∧ y = \overrightarrow{x}

We define by induction on n ∈ ℕ the circuit rol_n:
  rol_0 := 0
  rol_1 := I
  rol_{n+2} := (rol_{n+1} | I) ; (I_n | X)
We have: rol_n computes y on input x ⇐⇒ |x| = n ∧ y = \overleftarrow{x}

We also have that:
  ror_n ; rol_n ≡ I_n
  rol_n ; ror_n ≡ I_n

Interleaving

On words: the interleaving of the empty word with itself is the empty word and, for a, b ∈ Σ, u, v ∈ Σ∗,
  (au) ⫴ (bv) := ab(u ⫴ v)

We define by induction on n ∈ ℕ the circuit int_n:
  int_0 := 0
  int_{n+1} := (I | ror_{n+1} | I_n) ; (I | I | int_n)
We have: int_n computes y on input x ⇐⇒ x = u • v ∧ |u| = |v| = n ∧ y = u ⫴ v

We define by induction on n ∈ ℕ the circuit unint_n:
  unint_0 := 0
  unint_{n+1} := (I | I | unint_n) ; (I | rol_{n+1} | I_n)
We have: unint_n computes y on input x ⇐⇒ y = u • v ∧ |u| = |v| = n ∧ x = u ⫴ v

We also have that:
  int_n ; unint_n ≡ I_{2n}
  unint_n ; int_n ≡ I_{2n}
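Added example, not part of the original slides: an interpreter for the circuit calculus of section 2 (typing rules and semantics), run on the half-adder and on the rotation and interleaving circuits above. The tuple encoding of circuits and every function name are assumptions of this example; ≃ is checked by enumeration over Σ = {0, 1}.

```python
# Added example (not from the slides): typing and evaluation for the circuit calculus.
from itertools import product

# T(g) and E(g) for the half-adder's gate set G = {AND, XOR}: (inputs, outputs, function).
GATES = {
    "AND": (2, 1, lambda a, b: (a & b,)),
    "XOR": (2, 1, lambda a, b: (a ^ b,)),
}

# A circuit is "0", "I", "Y", "X", a gate name, ("|", P, Q) or (";", P, Q).
def par(*ps):
    """P1 | P2 | ... ; the empty circuit 0 when called without arguments."""
    out = "0"
    for p in ps:
        out = p if out == "0" else ("|", out, p)
    return out

def seq(p, *ps):
    """P1 ; P2 ; ..."""
    for q in ps:
        p = (";", p, q)
    return p

def wires(n):
    """I_n: n wires in parallel."""
    return par(*["I"] * n)

def type_of(c):
    """Return (n, m) with c : n ⊗ m, or None when c is ill-formed."""
    basic = {"0": (0, 0), "I": (1, 1), "Y": (1, 2), "X": (2, 2)}
    if isinstance(c, str):
        if c in basic:
            return basic[c]
        return GATES[c][:2] if c in GATES else None
    op, p, q = c
    tp, tq = type_of(p), type_of(q)
    if tp is None or tq is None:
        return None
    if op == "|":
        return (tp[0] + tq[0], tp[1] + tq[1])
    return (tp[0], tq[1]) if tp[1] == tq[0] else None   # P ; Q needs matching arity

def run(c, x):
    """Return the y that c computes on input x (a tuple of letters), or None."""
    t = type_of(c)
    if t is None or t[0] != len(x):
        return None
    if c == "0":
        return ()
    if c == "I":
        return x
    if c == "Y":
        return x + x
    if c == "X":
        return (x[1], x[0])
    if isinstance(c, str):
        return GATES[c][2](*x)
    op, p, q = c
    if op == "|":
        k = type_of(p)[0]            # the typing fixes where the input word is split
        return run(p, x[:k]) + run(q, x[k:])
    return run(q, run(p, x))

def equivalent(p, q):
    """P ≃ Q over Σ = {0, 1}, by enumeration; two ill-formed circuits are equivalent."""
    tp, tq = type_of(p), type_of(q)
    if tp is None or tq is None:
        return tp is None and tq is None
    if tp[0] != tq[0]:
        return False
    return all(run(p, x) == run(q, x) for x in product((0, 1), repeat=tp[0]))

HALF = seq(par("Y", "Y"), par("I", "X", "I"), par("AND", "XOR"))

def ror(n):
    """ror_n, with ror_{n+2} := (I_n | X) ; (ror_{n+1} | I)."""
    if n < 2:
        return wires(n)
    return seq(par(wires(n - 2), "X"), par(ror(n - 1), "I"))

def rol(n):
    """rol_n, with rol_{n+2} := (rol_{n+1} | I) ; (I_n | X)."""
    if n < 2:
        return wires(n)
    return seq(par(rol(n - 1), "I"), par(wires(n - 2), "X"))

def interleave(n):
    """int_n, with int_{n+1} := (I | ror_{n+1} | I_n) ; (I | I | int_n)."""
    if n == 0:
        return "0"
    return seq(par("I", ror(n), wires(n - 1)), par("I", "I", interleave(n - 1)))

if __name__ == "__main__":
    print("Half :", type_of(HALF))
    for a, b in product((0, 1), repeat=2):
        print(f"  Half on {a}{b} computes", run(HALF, (a, b)))   # (carry, sum)
    print("AND ; XOR well-formed?", type_of(seq("AND", "XOR")) is not None)
    print("ror_4 on abcd:", run(ror(4), tuple("abcd")))
    print("int_3 on abcxyz:", run(interleave(3), tuple("abcxyz")))
    print("ror_5 ; rol_5 ≃ I_5:", equivalent(seq(ror(5), rol(5)), wires(5)))
```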