IEEE ARITH 17 Cape Cod, 27th – 29th June 2005 Data Dependent Power Use in Multipliers Colin D. Walter David Samyde


Colin D. Walter, David Samyde. Work partly done at DICE, UCL, Louvain-la-Neuve, Belgium.

Overview
Background & Aims
History
Cryptographic Context
Multiplier Models
Gate Switching Activity
Hamming & Booth Weight Multipliers
Lab Results
Conclusions

Background
Power used by a multiplier is data dependent. Similarly, EMR from a multiplier depends on its current state & new inputs. Inexpensive equipment can measure the variations. So secret data may leak during cryptographic use.
The main leakage in smart cards is from buses. First order leakage depends on Hamming weight, which can be made constant. The multiplier is the next most leaky HW component of a crypto co-processor.

Aims
There are HW counter-measures, such as Faraday cages, and SW blinding counter-measures. It is unclear if these are totally effective. So investigate which multiplier designs & arithmetic representations might reduce power/EMR variations.
1. Build a model to simulate power consumption.
2. Apply it to standard designs and compare them.
3. Develop "better" multipliers...

History
Occasional (public) refs in old patents: "To ensure that the data carrier consumes the same amount of current whether the requested operation is authorized or unauthorized, a bit is stored in the memory in either event." [Abstract, US Patent , filed Aug 1978]
Kocher et al (CRYPTO 1996, 1999): Timing and Power Attacks – the concepts made public.
Walter (CHES 2001): How to extract a private RSA key from the power variation of a single decryption in the presence of standard SW counter-measures.
Flynn & Oberman (Wiley, 2001), "Advanced Computer Arithmetic Design".

Cryptographic Context
Smartcard: 8- or 16-bit multipliers for RSA. Long integers A, B in modular products have ~2^7 digits. Each digit × digit multiplication a_i × b_j has ~2^7 cases with the same a_i (or b_j). Take the average power trace as b_j (resp. a_i) varies. (Generally, some average must be taken to eliminate noise.) Does the result characterise a_i or mask its value? Any revealed characteristics can be used to distinguish multipliers in the exponentiation algorithm, and hence determine the secret exponent.

Multiplier Model
Standard Add-and-Shift Multiplier: 3-to-2 full adders (counters) & 2-bit half adders, in a Wallace tree arrangement for adders/HAs. Build a model with input word length k as a parameter. For convenience, assume all gate switching (AND, XOR, etc.) consumes the same power. (Easy to drop this assumption.) Count gates switched for all initial states and all inputs. Draw graphs and look for distinguishing characteristics.

Gate Switching Activity
Clearly, Hamming weight is leaked by knowledge of switch counts. (Hamming Weight = number of 1 bits in a binary string.)
[Table: No. of gate switchings averaged over initial states for a 3-bit multiplier, 1st argument digit against 2nd argument digit, grouped by digit weight 3, 2, 1, 0]

Hamming Weight Multiplier
Similar results hold for exhaustive simulations as word size increases. Complexity too great for 16-bit words or larger: O(2^(4k) k^2) for k-bit words. Need to build a Hamming weight multiplier where inputs are Hamming weights and output is average gate switching activity – and with polynomial complexity, if possible.
Solution: For a k-bit multiplier & input a with HW(a) = h, send probability h/k of a bit 1 along the wire, and compute probabilities of gates switching.

Results
[Graph: gate switching in an 8-bit multiplier as a function of the input Hamming weights HW(a), HW(b)]
Comparison of gate counts gives an excellent match between the HWt multiplier and the binary multiplier, for all k. So the model can be used to predict gate activity in larger cases.
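The Hamming weight multiplier of the previous slide and the exhaustive-versus-model comparison of this one, as an added Python example that is not the paper's own simulator: a gate-level add-and-shift multiplier whose gates are written as arithmetic on {0,1}, so one evaluator gives the exact switch count when fed bits and the paper's h/k probability model when fed Hamming weights. Assumptions of this example, not the paper's: columns are compressed lowest-first with full and half adders (not a Wallace tree), every gate costs the same, and the initial state is uniform and independent of the new operands; all function names are mine.

```python
from itertools import product as cartesian

# Gates as arithmetic on {0,1}: fed bits this is the real circuit; fed P(wire=1), with
# wires assumed independent, it becomes the paper's Hamming-weight multiplier.
AND = lambda x, y: x * y
XOR = lambda x, y: x + y - 2 * x * y
OR = lambda x, y: x + y - x * y
bits = lambda v, k: [(v >> i) & 1 for i in range(k)]     # little-endian bit list
hw = lambda v: bin(v).count("1")                         # Hamming weight

def build_multiplier(k):
    """k-bit array multiplier: wires 0..k-1 = a, k..2k-1 = b, gate i drives wire 2k+i."""
    gates, cols = [], [[] for _ in range(2 * k)]
    def gate(op, x, y):
        gates.append((op, x, y))
        return 2 * k + len(gates) - 1
    for i in range(k):
        for j in range(k):
            cols[i + j].append(gate(AND, i, k + j))       # partial product a_i.b_j
    for c, col in enumerate(cols):                        # compress columns, lowest first
        while len(col) > 1:
            x, y = col.pop(), col.pop()
            t, carry = gate(XOR, x, y), gate(AND, x, y)   # half adder
            if col:                                        # third wire: full adder
                z = col.pop()
                t, carry = gate(XOR, t, z), gate(OR, carry, gate(AND, t, z))
            col.append(t)
            if c + 1 < 2 * k:
                cols[c + 1].append(carry)                  # top carry is always 0
    return gates, [col[0] if col else None for col in cols]   # product-bit wires

def evaluate(gates, inputs):                               # every gate output, gate order
    w = list(inputs)
    for op, x, y in gates:
        w.append(op(w[x], w[y]))
    return w[len(inputs):]

def switches(old, new):                                    # toggles, or expected toggles
    return sum(o + n - 2 * o * n for o, n in zip(old, new))

def exhaustive(k, gates, ha, hb):    # mean over all (a, b) in the HW class, all 4^k old states
    ops = list(cartesian(range(2 ** k), repeat=2))
    st = {ab: evaluate(gates, bits(ab[0], k) + bits(ab[1], k)) for ab in ops}
    v = [switches(st[o], st[n]) for o in ops for n in ops
         if (hw(n[0]), hw(n[1])) == (ha, hb)]
    return sum(v) / len(v)

def model(k, gates, ha, hb):         # bits of a, b are 1 w.p. ha/k, hb/k; old state uniform
    return switches(evaluate(gates, [0.5] * (2 * k)),
                    evaluate(gates, [ha / k] * k + [hb / k] * k))
```

Comparing exhaustive(k, g, ha, hb) with model(k, g, ha, hb) over all weight pairs reproduces the slide's check; the model is exact for k = 1 and drifts slightly for larger k where adder signals are correlated.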

Evaluation
The model also accurately predicts the Hamming weight of the output. The 3-D graphs (actual vs model results) have the same features.
[Graph: Hamming weight of the output HW(a×b) against HW(a), HW(b), for k = 16]

Booth 2 Multiplier
A 2-bit Booth Multiplier was built: one input is given a base 4 re-coding of one argument using digits –2, –1, –0, +0, +1, +2. These multiples of the other input (the multiplicand) feed into a tree of compressors.
Graphs show that gate switching (& leakage) depends on:
i) the Hamming Wt of the multiplicand;
ii) the "Booth" Weight of the multiplier.
Booth Wt is defined by summing:
0 for recoded digit +0 (… is added)
2 for recoded digit –0 (… is added, with correction)
1 for all other digits d (dM is added for multiplicand M)
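The base 4 re-coding and the Booth weight defined above, as an added Python example (not the paper's code): the triple-to-digit table is the standard radix-4 Booth recoding, +0 arising from bit triple 000 and –0 from 111; extending unsigned operands with a leading 0 bit, and the function names, are assumptions of this example.

```python
def booth_recode(b, k):
    """Radix-4 (Booth 2) digits of the k-bit unsigned integer b, least significant first.
    Each digit is (value, sign); +0 comes from the bit triple 000 and -0 from 111."""
    # Assumption: operands are unsigned, so a 0 bit is extended above bit k-1 before
    # recoding (Booth recoding otherwise reads the top bit as a sign bit).
    bits = [(b >> i) & 1 for i in range(k)] + [0, 0]
    digits = []
    for i in range(0, k + 1, 2):               # triple (b_{i+1}, b_i, b_{i-1}), b_{-1} = 0
        hi, mid = bits[i + 1], bits[i]
        low = bits[i - 1] if i else 0
        digits.append((-2 * hi + mid + low, "-" if hi else "+"))
    return digits

def booth_value(digits):
    """Reconstruct the integer from its radix-4 digits (a check on the recoding)."""
    return sum(v * 4 ** i for i, (v, _) in enumerate(digits))

def booth_weight(digits):
    """Slide's Booth weight: +0 costs 0, -0 costs 2 (added with correction), others 1."""
    return sum(0 if (v, s) == (0, "+") else 2 if v == 0 else 1 for v, s in digits)

def hamming_weight(v):
    return bin(v).count("1")

def weight_classes(k):
    """How many k-bit values share each (Hamming weight, Booth weight) pair: the
    classes that leakage of those weights alone cannot tell apart."""
    classes = {}
    for b in range(2 ** k):
        key = (hamming_weight(b), booth_weight(booth_recode(b, k)))
        classes[key] = classes.get(key, 0) + 1
    return classes
```

weight_classes(k) shows that the two weights partition the operand space differently, which is why the slide treats the Booth weight of the multiplier, not its Hamming weight, as the leaked quantity.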

Booth Weight Multiplier
Can a HWt/BWt multiplier be built for the Booth multiplier like the Ham Wt add-and-shift multiplier? This would predict gate switching from HWt and BWt inputs without combinatorial explosion.
The Add-and-Shift case assumed compressor input bits were independent. This was reasonably accurate. Addends … and … make this unreasonable for a Booth weight multiplier. Alignment of bits in 2M & shifted 1M also reduces independence. Solution not yet worked out.

Multiplier Comparison
Overall gate switching was less in the Booth multiplier than in the Add-and-Shift multiplier. Area is larger for the Booth multiplier with expected digit sizes. So leakage is less, but there is a silicon cost. More complex multipliers are unlikely in most smartcards.

Lab Results
The DICE lab at UCL was used to measure power variation and EMR in several multipliers. Only add-and-shift designs were available. EMR at a variety of frequencies yields much more discriminating leakage than a simple gate count, which approximated the power leakage data. So the models agreed with lab results, but the lab results might be used to extract further information.

Conclusions
Power use in standard multipliers is closely related to input Hamming (or re-coded) weights;
Simplified poly time models can give good accuracy for power use, so designs can be tested easily in the search for less leaky hardware;
Some multiplier designs (such as one with 2-bit Booth re-coding) leak less information about Hamming wts than others (such as the standard Add-and-Shift multiplier).

IACR CHES, Aug – 1 Sept, Edinburgh, Scotland