US-12626042-B2 - Side channel leakage source identification in an electronic circuit design

Abstract

A method of identifying, in a circuit design of an electronic circuit, a source of side channel leakage of the electronic circuit. The method comprises: a) simulating over a leakage time interval an operation of the circuit in response to at least one stimulus, thereby deriving for each one of the at least one stimulus per circuit part of the electronic circuit a respective simulated leakage quantity circuit part response over the leakage time interval; b) obtaining for each one of the at least one stimulus an expected leakage quantity response over the leakage time interval from a processing of each one of the at least one stimulus by a leakage model, the leakage model modelling a leak-quantity at a processing of a secure asset; c) determining respective circuit part correlations over the leakage time interval between the respective simulated leakage quantity circuit part responses and the expected leakage quantity responses; d) ranking the circuit parts based on the circuit part correlations between the respective simulated leakage quantity circuit part responses and the expected leakage quantity responses and e) identifying as the source of side channel leakage the circuit part for which a highest one of the circuit correlations has been determined between the expected leakage quantity responses and the respective simulated leakage quantity circuit part responses.

Inventors

• Yao Yuan
• Baris EGE
• Robert Patrick SCHAUMONT
• Tarun KATHURIA

Assignees

• RISCURE BEHEER B.V.

Dates

Publication Date

20260512

Application Date

20210615

Priority Date

20200624

Claims (17)

1. 1 . A method of identifying, in a circuit design of an electronic circuit, a source of side channel leakage of the electronic circuit, the method comprising: a) simulating over a leakage time interval an operation of the circuit in response to at least one stimulus, thereby deriving for each one of the at least one stimulus per circuit part of the electronic circuit a respective simulated leakage quantity circuit part response over the leakage time interval, the respective simulated leakage quantity circuit part response expressing a leakage of a leakage quantity from the circuit part responsive to the respective stimulus; b) obtaining for each one of the at least one stimulus an expected leakage quantity response over the leakage time interval from a processing of each one of the at least one stimulus by a leakage model, the leakage model modelling the leakage quantity at a processing of a secure asset; c) determining, per circuit part, a respective circuit part correlation over the leakage time interval between the respective simulated leakage quantity circuit part response to each one of the at least one stimulus, and the expected leakage quantity response to each one of the at least one stimulus; d) ranking the circuit parts based on the circuit part correlations between the respective simulated leakage quantity circuit part responses and the expected leakage quantity responses and e) identifying as the source of side channel leakage the circuit part for which a highest one of the circuit part correlations has been determined between the expected leakage quantity responses and the respective simulated leakage quantity circuit part responses.
2. 2 . The method according to claim 1 , wherein each circuit part is a respective gate of the electronic circuit, wherein the simulated leakage quantity circuit part responses comprise simulated logic states of the respective gate for each one of the at least one stimulus, wherein the expected leakage quantity responses comprise expected logic states of the leakage model for each one of the at least one stimulus, wherein the circuit part correlation is determined per gate from a correlation between the simulated logic states of the respective gate for each one of the at least one stimulus and the expected logic states of the leakage model for each one of the at least one stimulus.
3. 3 . The method according to claim 1 , further comprising determining the leakage time interval by: simulating the operation of the electronic circuit to obtain a simulated circuit activity trace of the electronic circuit; determining an expected logic sequence from the power leakage model; correlating over plural different time intervals the simulated circuit activity trace of the electronic circuit to the expected logic sequence; determining the leakage time interval using the time interval of the plural different time intervals exhibiting a highest correlation between the simulated circuit activity trace of the electronic circuit design and the expected logic sequence.
4. 4 . The method according to claim 1 , comprising at least two stimuli and wherein c) comprises counting per circuit part a number of stimuli for which the simulated leakage quantity circuit part response corresponds to the expected leakage quantity response to the one of the stimuli.
5. 5 . The method according to claim 1 , comprising at least two random stimuli, the leakage quantity circuit part response comprises responses to each one of the at least two random stimuli and the expected leakage quantity response by the power leakage model comprises expected leakage quantity responses to each one of the at least two random stimuli.
6. 6 . The method according to claim 1 , wherein the at least one stimulus comprise a first stimulus and a second stimulus, the method comprising deriving plural leakage quantity circuit part responses per stimulus, determining a statistical difference between the leakage quantity circuit part responses obtained with the first stimulus and the leakage quantity circuit part responses obtained with the second stimulus and establishing if the statistical difference exceeds a predetermined threshold.
7. 7 . The method according to claim 1 , wherein an aggregated stimulus is provided comprising at least two stimuli, and wherein in the simulation in a) the at least two stimuli are each provided to the circuit part, thereby deriving for each one of the at least two stimuli comprised in the aggregated stimulus, a respective simulated leakage quantity circuit part response from the circuit part of the electronic circuit.
8. 8 . The method according to claim 1 , wherein the leakage quantity comprises at least one of power consumption and electromagnetic radiation.
9. 9 . The method according to claim 1 , wherein the simulated leakage quantity circuit part responses comprises simulated circuit part logic states for each one of the at least one stimulus, the expected leakage quantity responses comprising expected logic states for each one of the at least one stimulus, and wherein the respective circuit part correlations are determined as a sum of correlations between the respective simulated circuit part logic state and the respective expected logic states, for each one of the at least one stimulus.
10. 10 . The method according to claim 1 , wherein in c) the circuit part correlations are each multiplied by a respective weight factor, the respective weight factor representing a power consumption of a logic gate of the respective circuit part.
11. 11 . The method according to claim 1 , wherein the leakage model is configured to output a sequence of subsequent logic states responsive to the respective stimulus.
12. 12 . The method according to claim 1 , wherein the secure asset is a predetermined encryption key or a predetermined decryption key, the leakage model being configured to model the processing of the predetermined encryption key or predetermined decryption key.
13. 13 . The method according to claim 1 , wherein the method comprises determining, using the power leakage model, a Hamming distance between the subsequent logic states.
14. 14 . The method according to claim 1 , wherein the secure asset is data transmitted by the electronic circuit, the leakage model being configured to model a transmission of the data by the electronic circuit.
15. 15 . The method according to claim 1 , wherein the method comprises determining, using the power leakage model, a Hamming weight of the subsequent logic states.
16. 16 . The method according claim 1 , wherein the circuit parts are logic gates.
17. 17 . A method of reducing at a design stage a susceptibility to side channel leakage an electronic circuit, comprising: i) providing an electronic circuit design of an electronic circuit comprising plural circuit parts; ii) detecting a source of side channel leakage of the electronic circuit according to the method of claim 1 ; iii) amending the design of the electronic circuit by reducing a susceptibility to side channel leakage of the circuit part identified as the source of the side channel leakage; and (iv) repeating ii) and iii) on the basis of the amended electronic circuit design.

Description

The invention relates to a method of identifying a circuit design part of an electronic circuit design as a source of side channel leakage. Furthermore the invention relates to a method of designing an electronic circuit. Side channel leakage may be understood as a leakage of information from an electronic data processing circuit. The leakage may be in the form of power consumption, emission of electromagnetic radiation, or other forms of side channel leakage, such as timing information (time a certain operation takes to execute), sound and photonic emissions. The process of attempting to derive information from the electronic data processing circuit may be indicated by the term side channel analysis. Side channel analysis, SCA, may be understood as an attack to derive information, such as the information of a cryptographic device. In principle any information on what is processed by the device is possible to retrieve in various levels. For instance, one can identify the precise timing of various parts of the code running on a device if some information on the underlying code is available to an attacker. In the case of a cryptographic device, the concept of ‘information’ in the context SCA generally refers to a secret key of a cryptographic algorithm. The hypothesis made in such an attack is that the physical outputs of a cryptographic device demonstrate a correlation with the internal state of the device when conducting cryptographic operations. Side channel analysis based on an analysis of power consumption may be identified as power analysis. Power analysis attacks are carried out by monitoring the power consumption on a cryptographic device, for example by using an oscilloscope. In this type of attack, one must first assume that there is correlation between the level of power consumption and cryptographic operations performed by the device. Originally, there were two main categories of power analysis attacks including simple power analysis (SPA) and DPA. In SPA, one monitors the power trace of a cryptographic device (as it performs a cryptographic function) and attempts to determine the secret key based on the measurement (e.g. voltage levels) produced. Modern implementations are typically SPA protected. Therefore, in practice, it can be rather difficult to deduce the values of a secret by SPA alone. However, although one may be unable to deduce the secret key using this technique, it does present the capability to identify the cryptographic algorithm and enable more powerful attacks which specifically exploit any weakness of an algorithm to take place. An example of a more powerful attack is DPA. This attack makes use of statistical techniques to identify differences in power traces, thus revealing data leakage which may result in the correct secret key being guessed. A hypothesised power model may be applied. In DPA, the goal is to accurately produce a power model of the device under attack. During an attack, the aim is to find correlation between a predicted output and the actual power output of a device. If the power model is accurate then a strong correlation should be demonstrated between the predicted output and actual output. Electronic computers (microcontrollers, FPGAs, etc) have two components to their power consumption. First, static power consumption is the power required to keep the device running. This static power depends on for example the number of transistors inside the device. Secondly, dynamic power consumption depends on the data moving around inside the device. Every time a bit is changed from a 0 to a 1 (or vice versa), some current is required to (dis)charge the data lines. Both static and dynamic power may be used. An example of a power model is the Hamming Weight Power Model. Traditionally, the Hamming weight of a value is the number of non-zeroes. For example, in the binary number 1100 0010 the Hamming weight would be 3. The assumption in using the Hamming Weight Power Model in power analysis attacks is that the number of bits set to 0 or 1 of an output is correlated with the power consumption of a device. The Hamming weight itself is then used as an arbitrary unit to model the consumption of power in a device. Hamming weight units can then be compared to the actual voltage levels of power traces captured when a device was performing cryptographic operations. This act of comparison is the process of finding correlation between the modelled power unit values and the actual power consumed. Another model for power consumption is the Hamming Distance model. The Hamming Distance between two binary numbers is the number of different bits in the numbers. For example, HammingDistance(00110000,00100011)=3 as there are 3 unequal bits in these two numbers. An efficient way to calculate the Hamming Distance is HammingDistance(x,y)=HammingWeight(x{circumflex over ( )}y) where {circumflex over ( )} is the XOR operator, and the Hamming Weight is the number of 1s in a binary number. Usin