Side-Channel based Watermarks for Integrated Circuits

Georg T. Becker1,2, Markus Kasper1, Amir Moradi1 and Christof Paar1,2

1 Ruhr-Universität Bochum2University of Massachusetts Amherst

Funded by the NSF Grant CCF-0916854

27.04.2010Georg T. Becker

2

Agenda

Motivation Spread Spectrum based Watermark Input modulated Watermark Attacks Piracy protection

27.04.2010Georg T. Becker

3

Motivation: IP Cores (Intellectual Property)

• Hardware blocks for certain functions (e.g., CPUs, coders…)• Increased re-use of previous implementations• Parts of the development can be bought from another party⇒Faster and cheaper hardware design

27.04.2010Georg T. Becker

4

Motivation: IP Cores + Security?

• Copyright violations of IP cores• IP cores may have embedded Trojans

27.04.2010Georg T. Becker

5

The question we want to solve:

Is our IP core in there?(Did they pay the $0.10 royalty?)

27.04.2010Georg T. Becker

6

Watermarks

Classical watermark Digital watermark

Goal: Impossible to forge Goal: Impossible to remove

27.04.2010Georg T. Becker

7

Watermarking for IP protection

Goals of IP watermarking:1. Detectability: The owner can detect whether or not his design is

used in an IC.2. Proof of ownership: The owner can prove towards a third party

that his design was used in an IC.

Possible attacks on IP watermarking:1. Removing attack: The attacker removes the watermark from

his/her IC design.2. Impersonation attack: The attacker tries to detect a watermark in a

foreign design and claims that this watermark is his own.

27.04.2010Georg T. Becker

8

A side-channel based watermark

Main idea of a side-channel based watermark:• Insert an artificial side-channel into the IP core• This side-channel leaks out a unique ID

⇒ IP owner can check ICs for their unique ID⇒ IP owner can prove copyright violations

27.04.2010Georg T. Becker

9

Our design approach

Based on side-channel hardware Trojan introduced at CHES 2009

Two different design approaches:1. A spread spectrum based watermark2. An input-modulated watermark

27.04.2010Georg T. Becker

10

Spread spectrum based watermarks

Two Components that are added to the IP core:1. A PRNG that generates a pseudo-random bit

sequence2. A Leakage Circuit (LC) that is attached to the

PRNG and that leaks out the bitstream

27.04.2010Georg T. Becker

11

Detecting a spread spectrum based watermark

1. Measure a single long power trace of the targeted device2. From this power trace derive exactly one power-value pi for each

of the n measured clock cycles. (e.g. by averaging the points of one clock cycle)

3. Compute the expected watermarking bit stream B=b1,…,bn

4. Generate different Hypotheses Hi by shifting the bit stream B:H1=b1,…,bn

H2=b2,…,bn,b1

…5. Correlate the Hypotheses Hi with the power-values P=p1,…,pn

6. If the un-shifted bit stream generates a significant correlation peak, the watermark is embedded in the targeted device.

27.04.2010Georg T. Becker

12

Practical results

Implemented: A 1st order DPA resistant AES implementation with an embedded spread-spectrum watermark.

Device: Xilinx Virtex-2 PRO XC2VP7-5 FPGA @ 24MHz

27.04.2010Georg T. Becker

13

Practical results

The used PRNG: A 32-bit LFSR with X32+X22+X2 +X1 and a fixed initial state.

The Leakage Circuit:16 look-up tables each configured as 16-bit circular shift registers filled with alternating ones and zeros that are only clocked at a logical “1”.

27.04.2010Georg T. Becker

14

Measurements fora spread spectrum watermark

a) While the AES core was idle b) While the AES core was busy

Side-channel analysis of the AES core with the embedded spread spectrum based watermark with 10,000 hypothesis over the number of Clock Cycles.

27.04.2010Georg T. Becker

15

Our design approach

Two different design ideas:1. A spread spectrum based watermark2. An input-modulated watermark

27.04.2010Georg T. Becker

16

Input-modulated watermark

Input-modulated watermark is based on 3 “modules”

1. Known-input bits: Some kind of known input to the IP core that has different values for different measurements 2. A combination function: A combination functions that maps the known-input bits to one output bit.3. A leakage circuit: The leakage circuit is attached to the output of the combination function.

27.04.2010Georg T. Becker

17

Input-modulated watermark

Know

n-inputbits

Combination function Leakage Circuit

The watermarking logic

Result: Side-channel leakage that depends on the combination function and the known-input bits.

LC

27.04.2010Georg T. Becker

18

Detecting an input-modulated watermark

Perform a differential side-channel analysis, use either different combination functions or different input bits as the hypotheses⇒ The correct combination function should generate a significant correlation peak

Practical results:• The same design as the Input-modulated Hardware Trojan introduced

in [1]• Just use only known inputs instead of secret information such as keys⇒ The practical results from [1] are also true for watermarks⇒ In [1] 20,000 traces were sufficient on a SASEBO board to use the

Trojan

[1] L. Lin, M. Kasper, T. Güneysu, C. Paar, W. Burleson, "Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering", CHES 2009

27.04.2010Georg T. Becker

19

Proof of ownership

Idea: Bind the watermark to a unique owner:

1. Generate the hash value of some kind of design ID (e.g. the part number)

2. Sign this hash value with the private key of the company

3. Transmit this signature with a side-channel based watermark

27.04.2010Georg T. Becker

20

Proof of ownership with a Spread Spectrum based Watermark

x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16

S1 S2 S3 S4 S5 S6 S7 S8

Leakage Generating Circuit• Store the signature in a

circular shift register• XOR the shift register with

the output of the PRNG• Leak this sequence out

using the Leakage Generating Circuit

27.04.2010Georg T. Becker

21

Proof of ownership with an Input Modulated Watermark

• Store the signature in internal registers• Subsequently feed the Signature bytewise as

input to the combination function

⇒The same way the input modulated trojan side-channel encodes the bytes of the secret key

27.04.2010Georg T. Becker

22

Attacks on Side-channel watermarks

1. Remove or destroy the logic that implements the watermark

- Reverse-engineering needed- The watermarking logic can consist of only a few hundred gates (difficult to

locate in large IP cores!)

2. Raise the noise of the side-channel- Only decreases the signal to noise ratio- Not possible if enough points are measured

3. Transmit an inverse bitstream with the same leakage behavior

- Synchronizing both signals is nearly impossible in practice- The watermark signal is secret

All 3 attacks are non-trivial!

27.04.2010Georg T. Becker

23

Sending an inverse bitstream

• AES core with spread spectrum watermark.

• PLUS: inverse watermark with the exact same PRNG and leakage circuit but with an inverted output of the PRNG.

• Result: Watermark still detectable (but with a much smaller SNR).

27.04.2010Georg T. Becker

24

Watermarks

Classical watermark Digital watermark

Goal: Impossible to forge Goal: Impossible to remove

27.04.2010Georg T. Becker

25

Goal: Make the watermark impossible to forge

• Store the watermark in a programmable part of the device.

• Watermark can be programmed over a device specific serial number

• Only the devices activated by the owner of the watermark will have the correct watermark.

⇒Mere cloning not possible!

Piracy Protection

27.04.2010Georg T. Becker

26

Conclusion

A new watermarking scheme for IP cores

Can be detected at the hardware level and is very robust

In practice probably only vulnerable to reverse engineering

Experimental results proved the feasibility of this approach

Can also be used to defend product piracy

Constructive use of side channels!

27.04.2010Georg T. Becker

27

Thank you for your attention!

Any questions?