Cryptography Reference
In-Depth Information
The resulting circuit is then placed and routed using Cadence Design Systems
SoC Encounter [77]. A parasitics file (in standard parasitic exchange format (SPEF)
format) is produced, along with the Verilog netlist of the circuit and an a standard
delay format (SDF) file for back annotation of the delays. The flow produces the
SPEF and SDF files and the Verilog netlists of the entire design.
Post-place and route simulation is then performed using ModelSim, with the pre-
viously generated SDF files to verify the functionality of the circuit and to generate
test vectors for transistor-level simulation that will be used to produce the simulated
power traces. Synposys' Nanosim is then executed to perform transistor-level sim-
ulation, using the SPEF file, the relative Verilog netlist, the SPICE models of the
technology cells and the transistor models. This simulation generates vector-based
time-varying power profiles which are stored in a text format. This data corresponds
to the simulated traces which are later used for mounting the power analysis attacks
and the security evaluation.
15.4 Evaluation of the Effects on Power Analysis Resistance
In this section we analyze the possible impact on power analysis resistance of a fault
detection circuitry added to a device to protect it against fault injection attacks using
state-of-the-art tools and methodologies.
We present below the results of several experiments focusing on the added
structural redundancy, attacking the previously described configuration (depicted
in Fig.
15.1
), where the result of the key addition is passed through the S-box.
In the first and second sets of experiments we explore how the different error
detection and correction codes affect the two most common power analysis schemes,
namely, the Differential Power Analysis (DPA) based on Kocher's difference of
means and the DPA based on Pearson's correlation coefficients which uses the
Hamming weight as model. These experiments were carried on using the noise-free
traces generated by the SPICE-level simulator.
In the first set of experiments we performed DPA attacks (based on Kocher's
difference of means) targeting all the output bits of the S-Boxes. These experiments
included attacks on the reference circuit (a straightforward implementation of the
AES standard) and on all the error detection codes described in Sect.
15.2
.Inthe
second set of experiments we performed attacks which use as model the Hamming
weight and as distinguisher Pearson's correlation coefficients, and we considered
situations where the adversary is both aware and unaware of the presence of the
particular error detection code used.
The purpose of the third set of experiments has been to conduct a fair and objective
comparison of the different error detection and correction circuits. To this end, we
used a metric based on information theory to provide an attack-independent eval-
uation of each error detection/correction circuit. Based on this, we report how the
number of information bits that are available to the attacker changes as a function of
the measurement noise.
