Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

Hardware Trojans have drawn the attention of academia, industry, and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular, Trojans specifically designed to avoid detection. In this article, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the subtransistor level and on FPGAs by changing the routing of particular signals, leading to zero logic overhead. The underlying concept is based on modifying a securely masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a threshold implementation of the PRESENT block cipher realized in two different CMOS technologies and show that triggering the Trojan makes the ASIC prototypes vulnerable.

[1]  Alex Biryukov,et al.  A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms , 2003, EUROCRYPT.

[2]  Ingrid Verbauwhede,et al.  Consolidating Masking Schemes , 2015, CRYPTO.

[3]  Vincent Rijmen,et al.  Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches , 2011, Journal of Cryptology.

[4]  Hai Zhou,et al.  Leakage power optimization with dual-V/sub th/ library in high-level synthesis , 2005, Proceedings. 42nd Design Automation Conference, 2005..

[5]  Christof Paar,et al.  Stealthy dopant-level hardware Trojans: extended version , 2013, Journal of Cryptographic Engineering.

[6]  Dennis Sylvester,et al.  A2: Analog Malicious Hardware , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[7]  Vincent Rijmen,et al.  Higher-Order Threshold Implementations , 2014, ASIACRYPT.

[8]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[9]  Lejla Batina,et al.  A Very Compact "Perfectly Masked" S-Box for AES , 2008, ACNS.

[10]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[11]  Tim Güneysu,et al.  Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering , 2009, CHES.

[12]  Stefan Mangard,et al.  Successfully Attacking Masked AES Hardware Implementations , 2005, CHES.

[13]  Yang Li,et al.  A Silicon-Level Countermeasure Against Fault Sensitivity Analysis and Its Evaluation , 2015, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[14]  P. Rohatgi,et al.  A testing methodology for side channel resistance , 2011 .

[15]  Christof Paar,et al.  The First Thorough Side-Channel Hardware Trojan , 2017, ASIACRYPT.

[16]  Stefan Mangard,et al.  An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order , 2017, CT-RSA.

[17]  Amir Moradi,et al.  Side-Channel Resistant Crypto for Less than 2,300 GE , 2011, Journal of Cryptology.

[18]  Christof Paar,et al.  MOLES: Malicious off-chip leakage enabled by side-channels , 2009, 2009 IEEE/ACM International Conference on Computer-Aided Design - Digest of Technical Papers.

[19]  Mark Mohammad Tehranipoor,et al.  Hardware Trojan Detection and Isolation Using Current Integration and Localized Current Analysis , 2008, 2008 IEEE International Symposium on Defect and Fault Tolerance of VLSI Systems.

[20]  Christof Paar,et al.  A Design Methodology for Stealthy Parametric Trojans and Its Application to Bug Attacks , 2016, CHES.

[21]  Tim Güneysu,et al.  Side channels as building blocks , 2012, Journal of Cryptographic Engineering.

[22]  Puneet Gupta,et al.  Gate-length biasing for runtime-leakage control , 2006, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[23]  Vincent Rijmen,et al.  Efficient and First-Order DPA Resistant Implementations of Keccak , 2013, CARDIS.

[24]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[25]  Claude Carlet,et al.  Leakage Squeezing of Order Two , 2012, INDOCRYPT.

[26]  Christof Paar,et al.  Pushing the Limits: A Very Compact and a Threshold Implementation of AES , 2011, EUROCRYPT.

[27]  Hu He,et al.  R2D2: Runtime reassurance and detection of A2 Trojan , 2018, 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[28]  Vincent Rijmen,et al.  Threshold Implementations of all 3x3 and 4x4 S-boxes , 2012, IACR Cryptol. ePrint Arch..

[29]  Begül Bilgin,et al.  A Note on 5-bit Quadratic Permutations' Classification , 2017, IACR Trans. Symmetric Cryptol..

[30]  Andrey Bogdanov,et al.  Fides: Lightweight Authenticated Cipher with Side-Channel Resistance for Constrained Hardware , 2013, CHES.

[31]  Vincent Rijmen,et al.  Threshold implementations of small S-boxes , 2014, Cryptography and Communications.

[32]  Swarup Bhunia,et al.  Hardware Trojan: Threats and emerging solutions , 2009, 2009 IEEE International High Level Design Validation and Test Workshop.

[33]  Zainalabedin Navabi,et al.  Low power scheduling in high-level synthesis using dual-Vth library , 2015, Sixteenth International Symposium on Quality Electronic Design.

[34]  Vincent Rijmen,et al.  A Side-Channel Analysis Resistant Description of the AES S-Box , 2005, FSE.

[35]  Sylvain Guilley,et al.  Leakage Squeezing Countermeasure against High-Order Attacks , 2011, WISTP.

[36]  Amir Moradi,et al.  Side-Channel Analysis Protection and Low-Latency in Action - - Case Study of PRINCE and Midori - , 2016, ASIACRYPT.

[37]  Emmanuel Prouff,et al.  Statistical Analysis of Second Order Differential Power Analysis , 2009, IEEE Transactions on Computers.

[38]  Gordon L. Smith,et al.  Model for Delay Faults Based upon Paths , 1985, ITC.

[39]  Vincent Rijmen,et al.  A More Efficient AES Threshold Implementation , 2014, AFRICACRYPT.

[40]  Thomas Eisenbarth,et al.  Correlation-Enhanced Power Analysis Collision Attack , 2010, CHES.

[41]  Eli Biham,et al.  Bug Attacks , 2008, Journal of Cryptology.

[42]  Tim Güneysu,et al.  Hiding Higher-Order Side-Channel Leakage - Randomizing Cryptographic Implementations in Reconfigurable Hardware , 2017, CT-RSA.

[43]  Amir Moradi,et al.  Assessment of Hiding the Higher-Order Leakages in Hardware - What Are the Achievements Versus Overheads? , 2015, CHES.

[44]  Yiorgos Makris,et al.  Hardware Trojan detection using path delay fingerprint , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[45]  Erich Wenger,et al.  Suit up! -- Made-to-Measure Hardware Implementations of ASCON , 2015, 2015 Euromicro Conference on Digital System Design.

[46]  Thomas Zefferer,et al.  Evaluation of the Masked Logic Style MDPL on a Prototype Chip , 2007, CHES.

[47]  Amir Moradi,et al.  Leakage Assessment Methodology - A Clear Roadmap for Side-Channel Evaluations , 2015, CHES.

[48]  Robert Wille,et al.  Improved SAT-based ATPG: More constraints, better compaction , 2013, 2013 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[49]  Syed Kareem Uddin Trade-OFFS For Threshold Implementations Illustrated on AES , 2017 .

[50]  Begül Bilgin,et al.  Uniform First-Order Threshold Implementations , 2016, SAC.

[51]  Christof Paar,et al.  Masked Dual-Rail Precharge Logic Encounters State-of-the-Art Power Analysis Methods , 2012, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[52]  Tim Güneysu,et al.  Affine Equivalence and Its Application to Tightening Threshold Implementations , 2015, SAC.