# **Side-channel Power Resistance for Encryption Algorithms** using Dynamic Partial Reconfiguration

I. Bow, N. Bete+, F. Saqib\*, W. Che^, C. Patel#, R. Robucci#, C. Chan and **Jim Plusquellic**

+Google, \*University of North Carolina, Charlotte, ^New Mexico State University, #University of Maryland, Baltimore Co., University of New Mexico


A Side Channel Attack countermeasure is proposed for FPGAs:

- Uses implementation diversity to construct multiple, functionally equivalent, implementations of replicated crypto engine components, e.g., SBOX
- Leverages dynamic partial reconfiguration (DPR) to reconfigure regions of the FPGA, creating a moving target architecture
- The technique is called SPREAD, for Side-channel Power Resistance for Encryption Algorithms using Dynamic Partial Reconfiguration (**DPR**)

An embedded state machine periodically selects an SBOX location at random and reprograms it with a different implementation

The diverse implementations of SBOX each have different path delays

The cause-effect relationship between path delays and power transients reduces correlations leveraged by correlation power analysis (CPA)

[Figure: plot with x-axis "Number of traces $(2^x)$"]

**Logic Implementation Diversity**

Diversity in standard cell usage after Cadence behavioral-to-netlist synthesis is run [...] description of SBOX and four different standard cell libraries

Table 1:

| Gate Type | INV | AND 2 | AND 3 | AND 4 | AND 5 | AND 6 | OR 2 | AO 1 | AO 2 | AO 3 | AO 4 | AO 5 | AO 6 | AO 7 | ... | AO n-2 | AO n-1 | AO n | Total |
|-----------|-----|-------|-------|-------|-------|-------|------|------|------|------|------|------|------|------|-----|--------|--------|------|-------|
| Design<sub>1</sub> | 8 | 20 | 2 | 5 | 3 | 19 | 76 | 1 | 6 | 1 | 13 | 1 | 29 | 8 | | 14 | 18 | - | 300 |
| Design<sub>2</sub> | 8 | x | 14 | 8 | 1 | 17 | 84 | 1 | 9 | 1 | 4 | - | 43 | 6 | | 21 | 11 | 1 | 312 |
| Design<sub>3</sub> | 8 | 25 | 4 | 6 | 24 | x | 77 | - | 8 | 1 | 10 | - | 24 | 8 | | 16 | 13 | - | 312 |
| Design<sub>4</sub> | 8 | 22 | 5 | 4 | 1 | 23 | 88 | - | 9 | - | x | - | 35 | 7 | | 13 | 20 | - | 317 |

- The table cell values give the number of instances of each standard cell gate type included in the design
- Cells marked '-' identify standard cells that were not used at all by the RTL compiler
- Cells marked 'x' identify standard cells that were removed from the library before synthesis was run

**Logic Diversity Countermeasure**

Partial bitstreams are generated for each SBOX version using Xilinx Vivado, and stored on the FPGA for fast and secure access by the DPR state machine

For example, AES uses a series of 16 SBOXs in its datapath



The countermeasure includes **two redundant SBOXs** to enable DPR to be carried out while encryption continues at full speed

- A state machine randomly selects an SBOX location and configures the shifters and MUXs to create a 'hole' for DPR
  - The 18th SBOX is simultaneously moved (much more frequently) to create additional diversity



In our preliminary experiments, we use a deterministic source (plaintext components) to determine which clock signals to the FFs are delayed

A **TRNG** will eventually be used to control which FFs are delayed and by how much



The sequence of operations carried out is as follows:

- TEE loads SBOX partial bitstreams (SPB) into PL-side BRAM resources
- DPR Controller starts TRNG to generate nonces to select SBOX location to DPR
- DPR Controller synchronizes with AES to reconfigure shifters/MUXs
- DPR Controller accesses ICAP to reconfigure the SBOX region

## **Setup for Proof-of-Concept Experiments**

We use the SAKURA-X board as the FPGA platform for this research

Our proof-of-concept experiments are designed to find the optimal implementation diversity and clock jitter strategies

To accomplish this, we created three diverse implementations, V1, V2 and V3, and three clock jitter models, J1, J2 and J3, for a total of 12 static implementations. The clock jitter models differ in the amount of delay introduced and the position of the plaintext bits that enabled clock jitter

We collected **30,000** traces for each of the 12 implementations and used a **CPA** attack and a Hamming weight model

### **Power Trace Characteristics and CPA**

[Figure: diagram with labels ciphertext<sub>rnd-1</sub> and round key]

### **Correlation Power Analysis Results**

[Figure: logic diversity model $V_1$ (left), and with clock jitter models J2 and J3; x-axes: number of traces $(2^x)$]
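The CPA evaluation with a Hamming weight model described in the setup, and the claim that SBOX implementations with different path delays reduce the correlation CPA relies on, can be checked on simulated data. This is an added example, not code from the poster or its authors; the leakage model (the S-box output's Hamming weight appearing at one sample index per path delay, plus Gaussian noise), the trace parameters and the names `simulate`, `cpa` and `compare` are assumptions made for illustration.

```python
import math, random

def aes_sbox():
    """AES S-box generated from the GF(2^8) inverse and affine map."""
    sbox, p, q = [0x63] * 256, 1, 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight model

def simulate(key, delays, n=1000, samples=8, sigma=2.0, seed=1):
    """Constructed traces: HW(SBOX[pt ^ key]) leaks at the active variant's delay index."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        pt = rng.randrange(256)
        trace = [rng.gauss(0, sigma) for _ in range(samples)]
        trace[rng.choice(delays)] += HW[SBOX[pt ^ key]]
        pts.append(pt)
        traces.append(trace)
    return pts, traces

def center(xs):  # mean-removed values and their Euclidean norm
    m = sum(xs) / len(xs)
    c = [x - m for x in xs]
    return c, math.sqrt(sum(v * v for v in c))

def cpa(pts, traces):
    """Return (best key guess, its peak |Pearson correlation|) over all samples."""
    cols = [center(col) for col in zip(*traces)]
    peaks = []
    for guess in range(256):
        model, mnorm = center([HW[SBOX[pt ^ guess]] for pt in pts])
        peaks.append(max(abs(sum(a * b for a, b in zip(model, col))) / (mnorm * cnorm)
                         for col, cnorm in cols))
    best = max(range(256), key=peaks.__getitem__)
    return best, peaks[best]

def compare(key=0x3C):
    static = cpa(*simulate(key, delays=[2]))           # one fixed implementation
    moving = cpa(*simulate(key, delays=[1, 3, 5, 7]))  # variant picked at random
    return static, moving
```

In this model the expected correlation for the correct key falls from about 0.58 with a single fixed delay to about 0.13 per sample point with four equally likely delays, which is the effect a defender wants to see when evaluating the moving-target design.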









Department of Computer Science and Electrical Engineering