Architectural and Micro-architectural Countermeasures against Physical Attack

针对物理攻击的架构和微架构对策

• 批准号: EP/H001689/1
• 负责人: Daniel Page
• 金额: $ 104.92万
• 依托单位: University of Bristol
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2009
• 资助国家: 英国
• 起止时间: 2009 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FH001689%2F1
• 关键词: Architectural; Micro; architectural; Countermeasures; against

Advances in cryptanalysis are often produced by mathematicians who seek techniques to unravel the hard problems on which modern cryptosystems are based. Attacks based on the concept of physical security move the art of cryptanalysis from the mathematical domain into the practical domain of implementation. By considering the implementation of cryptosystems rather than purely their specification, researchers have found they can mount physical attacks which are of low cost, in terms of time and equipment, and are highly successful in extracting useful results. Recent examples that demonstrate the real-world impact of such attacks are those against the KeeLoq range of RFID devices used for car and building access control, and MIFARE contactless smart-cards (e.g. the ``Oyster'' cards used by the London Underground).Side-channel attacks are a genre of physical attack based on the assumption that one can passively observe an algorithm being executed by some hardware device, and infer details about the internal state of computation from the features that occur. A typical side-channel attack consists of a collection phase that provides the attacker with profiles of execution, and an analysis phase which recovers otherwise secret information from the profiles. Focusing on power and EM based attacks in particular, countermeasures against side-channel attack are increasingly well understood on a case by case basis; at a high-level they can be classified as either hiding (breaking the link between execution and profiles) or masking (breaking the link between execution and algorithm). Approaches to hiding style countermeasures typically attempt to make each profile constant for all secrets, or entirely random; in both cases the premise is that a profile can no longer be correlated to the secret information.There are a number of approaches to implementing these sorts of countermeasure. At the highest-level, one can consider alternate algorithms (or implementation approaches) that realise hiding or masking in software. On one hand this approach is very algorithm-specific and can imply a significant performance penalty; on the other hand, no alterations are required to the hardware on which the software executes. At the lowest-level, one can consider using so-called secure logic styles; the basic idea is to replace CMOS cell libraries with alternatives which, for example, consume a constant amount of power regardless of the result they compute. The major disadvantage of this approach is the resulting overhead in terms of area; the major advantage is that the approach is largely algorithm-agnostic, i.e. is a general solution which can be automatically applied.The research programme within this proposal aims, in a sense, to adopt an approach between these two extremes. The crux of the research is the alteration of a general purpose processor so that countermeasures against side-channel attack are implemented at the micro-architectural level. The processor will retain the same Instruction Set Architecture (ISA) and hence the same functional characteristics, but the behavioural characteristics will prevent leakage of information via, for example, power analysis. Our focus is on aspects of the micro-architecture which can be randomised in some way. We suggest that this approach will afford a level of flexibility and algorithm agility representing an attractive trade-off between security and other metrics. Specifically, it permits high-level algorithmic countermeasures to be automatically supported by the hardened processor platform (meshing with the ideal of tiered countermeasures rather than a single panacea), while largely avoiding the overhead and sensitivity to underlying process technology traditionally associated with secure logic styles.

密码分析的进步通常是由数学家创造的，他们寻求技术来解决现代密码系统所基于的难题。基于物理安全概念的攻击将密码分析的艺术从数学领域转移到实际的实现领域。通过考虑密码系统的实现，而不是纯粹的规范，研究人员发现他们可以进行物理攻击，在时间和设备方面成本低，并且在提取有用的结果方面非常成功。最近的例子证明了这种攻击对现实世界的影响，这些例子是针对用于汽车和建筑物访问控制的KeeLoq系列RFID设备以及MIFARE非接触式智能卡的攻击（例如，伦敦地铁使用的“牡蛎”卡）。侧信道攻击是一种物理攻击，其基于这样的假设，即人们可以被动地观察某个硬件设备正在执行的算法，并从出现的特征推断关于计算的内部状态的细节。一个典型的侧信道攻击包括一个收集阶段，为攻击者提供执行的配置文件，和一个分析阶段，从配置文件中恢复秘密信息。特别关注基于功率和EM的攻击，针对侧信道攻击的对策越来越多地在个案基础上得到很好的理解;在高级别上，它们可以被分类为隐藏（破坏执行和配置文件之间的联系）或掩蔽（破坏执行和算法之间的联系）。隐藏式对策的方法通常试图使每个配置文件对于所有秘密都是恒定的，或者完全随机;在这两种情况下，前提是配置文件不再与秘密信息相关。在最高级别，可以考虑在软件中实现隐藏或掩蔽的替代算法（或实现方法）。一方面，这种方法是非常特定于算法的，并且可能意味着显著的性能损失;另一方面，不需要改变软件执行的硬件。在最低级别，可以考虑使用所谓的安全逻辑风格;基本思想是用替代品取代CMOS单元库，例如，无论它们计算的结果如何，都消耗恒定的功率。这种方法的主要缺点是在面积方面产生的开销;主要优点是这种方法在很大程度上是算法不可知的，即是一种可以自动应用的一般解决方案。研究的关键是改变一个通用处理器，使对抗侧信道攻击的措施在微体系结构的水平上实现。处理器将保留相同的指令集架构（伊萨），因此具有相同的功能特性，但行为特性将通过例如功率分析来防止信息泄漏。我们的重点是微架构的方面，可以以某种方式随机化。我们建议，这种方法将提供一定程度的灵活性和算法的敏捷性，代表一个有吸引力的安全性和其他指标之间的权衡。具体而言，它允许高级算法对策由硬化处理器平台自动支持（与分层对策的理想相结合，而不是单一的灵丹妙药），同时在很大程度上避免了传统上与安全逻辑风格相关的底层处理技术的开销和敏感性。

项目成果

Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems

针对 McEliece 和 Niederreiter 公钥密码系统的旁道攻击

• DOI: 10.1007/s13389-011-0024-9
• 发表时间: 2011
• 期刊: Journal of Cryptographic Engineering
• 影响因子: 1.9
• 作者: Avanzi R

Social norms explain prioritization of climate policy.

社会规范解释了气候政策的优先顺序。

• DOI: 10.1007/978-3-319-66399-9_10
• 发表时间: 2022
• 期刊: Climatic change
• 影响因子: 4.8
• 作者: Cole JC