Side-channel based watermarks for integrated circuits
-
Upload
independent -
Category
Documents
-
view
0 -
download
0
Transcript of Side-channel based watermarks for integrated circuits
Side-Channel based Watermarks for Integrated Circuits
Georg T. Becker1,2, Markus Kasper1, Amir Moradi1 and Christof Paar1,2
1 Ruhr-Universität Bochum2University of Massachusetts Amherst
Funded by the NSF Grant CCF-0916854
27.04.2010Georg T. Becker
2
Agenda
Motivation Spread Spectrum based Watermark Input modulated Watermark Attacks Piracy protection
27.04.2010Georg T. Becker
3
Motivation: IP Cores (Intellectual Property)
• Hardware blocks for certain functions (e.g., CPUs, coders…)• Increased re-use of previous implementations• Parts of the development can be bought from another party⇒Faster and cheaper hardware design
27.04.2010Georg T. Becker
4
Motivation: IP Cores + Security?
• Copyright violations of IP cores• IP cores may have embedded Trojans
27.04.2010Georg T. Becker
5
The question we want to solve:
Is our IP core in there?(Did they pay the $0.10 royalty?)
27.04.2010Georg T. Becker
6
Watermarks
Classical watermark Digital watermark
Goal: Impossible to forge Goal: Impossible to remove
27.04.2010Georg T. Becker
7
Watermarking for IP protection
Goals of IP watermarking:1. Detectability: The owner can detect whether or not his design is
used in an IC.2. Proof of ownership: The owner can prove towards a third party
that his design was used in an IC.
Possible attacks on IP watermarking:1. Removing attack: The attacker removes the watermark from
his/her IC design.2. Impersonation attack: The attacker tries to detect a watermark in a
foreign design and claims that this watermark is his own.
27.04.2010Georg T. Becker
8
A side-channel based watermark
Main idea of a side-channel based watermark:• Insert an artificial side-channel into the IP core• This side-channel leaks out a unique ID
⇒ IP owner can check ICs for their unique ID⇒ IP owner can prove copyright violations
27.04.2010Georg T. Becker
9
Our design approach
Based on side-channel hardware Trojan introduced at CHES 2009
Two different design approaches:1. A spread spectrum based watermark2. An input-modulated watermark
27.04.2010Georg T. Becker
10
Spread spectrum based watermarks
Two Components that are added to the IP core:1. A PRNG that generates a pseudo-random bit
sequence2. A Leakage Circuit (LC) that is attached to the
PRNG and that leaks out the bitstream
27.04.2010Georg T. Becker
11
Detecting a spread spectrum based watermark
1. Measure a single long power trace of the targeted device2. From this power trace derive exactly one power-value pi for each
of the n measured clock cycles. (e.g. by averaging the points of one clock cycle)
3. Compute the expected watermarking bit stream B=b1,…,bn
4. Generate different Hypotheses Hi by shifting the bit stream B:H1=b1,…,bn
H2=b2,…,bn,b1
…5. Correlate the Hypotheses Hi with the power-values P=p1,…,pn
6. If the un-shifted bit stream generates a significant correlation peak, the watermark is embedded in the targeted device.
27.04.2010Georg T. Becker
12
Practical results
Implemented: A 1st order DPA resistant AES implementation with an embedded spread-spectrum watermark.
Device: Xilinx Virtex-2 PRO XC2VP7-5 FPGA @ 24MHz
27.04.2010Georg T. Becker
13
Practical results
The used PRNG: A 32-bit LFSR with X32+X22+X2 +X1 and a fixed initial state.
The Leakage Circuit:16 look-up tables each configured as 16-bit circular shift registers filled with alternating ones and zeros that are only clocked at a logical “1”.
27.04.2010Georg T. Becker
14
Measurements fora spread spectrum watermark
a) While the AES core was idle b) While the AES core was busy
Side-channel analysis of the AES core with the embedded spread spectrum based watermark with 10,000 hypothesis over the number of Clock Cycles.
27.04.2010Georg T. Becker
15
Our design approach
Two different design ideas:1. A spread spectrum based watermark2. An input-modulated watermark
27.04.2010Georg T. Becker
16
Input-modulated watermark
Input-modulated watermark is based on 3 “modules”
1. Known-input bits: Some kind of known input to the IP core that has different values for different measurements 2. A combination function: A combination functions that maps the known-input bits to one output bit.3. A leakage circuit: The leakage circuit is attached to the output of the combination function.
27.04.2010Georg T. Becker
17
Input-modulated watermark
Know
n-inputbits
Combination function Leakage Circuit
The watermarking logic
Result: Side-channel leakage that depends on the combination function and the known-input bits.
LC
27.04.2010Georg T. Becker
18
Detecting an input-modulated watermark
Perform a differential side-channel analysis, use either different combination functions or different input bits as the hypotheses⇒ The correct combination function should generate a significant correlation peak
Practical results:• The same design as the Input-modulated Hardware Trojan introduced
in [1]• Just use only known inputs instead of secret information such as keys⇒ The practical results from [1] are also true for watermarks⇒ In [1] 20,000 traces were sufficient on a SASEBO board to use the
Trojan
[1] L. Lin, M. Kasper, T. Güneysu, C. Paar, W. Burleson, "Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering", CHES 2009
27.04.2010Georg T. Becker
19
Proof of ownership
Idea: Bind the watermark to a unique owner:
1. Generate the hash value of some kind of design ID (e.g. the part number)
2. Sign this hash value with the private key of the company
3. Transmit this signature with a side-channel based watermark
27.04.2010Georg T. Becker
20
Proof of ownership with a Spread Spectrum based Watermark
x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16
S1 S2 S3 S4 S5 S6 S7 S8
Leakage Generating Circuit• Store the signature in a
circular shift register• XOR the shift register with
the output of the PRNG• Leak this sequence out
using the Leakage Generating Circuit
27.04.2010Georg T. Becker
21
Proof of ownership with an Input Modulated Watermark
• Store the signature in internal registers• Subsequently feed the Signature bytewise as
input to the combination function
⇒The same way the input modulated trojan side-channel encodes the bytes of the secret key
27.04.2010Georg T. Becker
22
Attacks on Side-channel watermarks
1. Remove or destroy the logic that implements the watermark
- Reverse-engineering needed- The watermarking logic can consist of only a few hundred gates (difficult to
locate in large IP cores!)
2. Raise the noise of the side-channel- Only decreases the signal to noise ratio- Not possible if enough points are measured
3. Transmit an inverse bitstream with the same leakage behavior
- Synchronizing both signals is nearly impossible in practice- The watermark signal is secret
All 3 attacks are non-trivial!
27.04.2010Georg T. Becker
23
Sending an inverse bitstream
• AES core with spread spectrum watermark.
• PLUS: inverse watermark with the exact same PRNG and leakage circuit but with an inverted output of the PRNG.
• Result: Watermark still detectable (but with a much smaller SNR).
27.04.2010Georg T. Becker
24
Watermarks
Classical watermark Digital watermark
Goal: Impossible to forge Goal: Impossible to remove
27.04.2010Georg T. Becker
25
Goal: Make the watermark impossible to forge
• Store the watermark in a programmable part of the device.
• Watermark can be programmed over a device specific serial number
• Only the devices activated by the owner of the watermark will have the correct watermark.
⇒Mere cloning not possible!
Piracy Protection
27.04.2010Georg T. Becker
26
Conclusion
A new watermarking scheme for IP cores
Can be detected at the hardware level and is very robust
In practice probably only vulnerable to reverse engineering
Experimental results proved the feasibility of this approach
Can also be used to defend product piracy
Constructive use of side channels!