
  1. Data Dependent Power Use in Multipliers Colin D. Walter Colin.Walter@comodo.com David Samyde David.Samyde@FemtoNano.com Work partly done at DICE, UCL, Louvain-la-Neuve, Belgium

  2. Overview • Background & Aims • History • Cryptographic Context • Multiplier Models • Gate Switching Activity • Hamming & Booth Weight Multipliers • Lab Results • Conclusions

  3. Background • Power used by a multiplier is data dependent. • Similarly, EMR from a multiplier depends on current state & new inputs. • Inexpensive equipment can measure the variations. • So secret data may leak during cryptographic use. • The main leakage in smart cards is from buses. First order leakage depends on Hamming weight, which can be made constant. • The multiplier is the next most leaky HW component of a crypto co-processor.

  4. Aims • There are HW counter-measures, such as Faraday cages, and SW blinding counter-measures. • It is unclear if these are totally effective. • So investigate which multiplier designs & arithmetic representations might reduce power/EMR variations. • Build model to simulate power consumption. • Apply to standard designs and compare them. • Develop “better” multipliers...

  5. History • Occasional (public) refs in old patents: To ensure that the data carrier consumes the same amount of current whether the requested operation is authorized or unauthorized, a bit is stored in the memory in either event. [Abstract, US Patent 4211919, filed Aug 1978] • Kocher et al (CRYPTO 1996, 1999): Timing and Power Attacks – the concepts made public. • Walter (CHES 2001): How to extract private RSA key from power variation of single decryption in presence of standard SW counter-measures. • Flynn & Oberman (Wiley, 2001) “Advanced Computer Arithmetic Design”

  6. Cryptographic Context Smartcard: 8- or 16-bit multipliers for RSA. Long integers A, B in modular products have ~2^7 digits. Each digit × digit multiplication a_i × b_j has ~2^7 cases with the same a_i (or b_j). Take the average power trace as b_j (resp. a_i) varies. (Generally, some average must be taken to eliminate noise.) Does the result characterise a_i or mask its value? Any revealed characteristics can be used to distinguish multiplications in the exponentiation algorithm, and hence determine the secret exponent.

  7. Multiplier Model Standard add-and-shift multiplier: 3-to-2 full adders (counters) and 2-bit half adders, in a Wallace tree arrangement. Build the model with the input word length k as a parameter. For convenience, assume all gate switching (AND, XOR, etc.) consumes the same power. (Easy to drop this assumption.) Count the gates switched for all initial states and all inputs. Draw graphs and look for distinguishing characteristics.

  8. Gate Switching Activity Number of gate switchings, averaged over initial states, for a 3-bit multiplier. [Graph: no. of gate switchings (0 to 20) against the 1st argument digit (0 to 7), one curve per 2nd argument digit, the curves grouped by the Hamming weight (0, 1, 2 or 3) of that digit.] Clearly, Hamming weight is leaked by knowledge of switch counts. (Hamming weight = number of 1 bits in the binary string.)

  9. Hamming Weight Multiplier Similar results hold for exhaustive simulations as word size increases. Complexity too great for 16-bit words or larger: O(2^(4k) · k^2) for k-bit words (all initial states × all new inputs × the gates of the multiplier). Need to build a Hamming weight multiplier, whose inputs are Hamming weights and whose output is the average gate switching activity, with polynomial complexity if possible. Solution: for a k-bit multiplier and input a with HW(a) = h, send probability h/k of a bit 1 along each wire, and compute the probabilities of gates switching.

  10. Results [Graph: gate switching in an 8-bit multiplier, 75 to 200 gates, as a function of the input Hamming weights HW(a) and HW(b), each from 0 to 8.] Comparison of gate counts gives an excellent match between the Hamming weight multiplier and the binary multiplier, for all k. So the model can be used to predict gate activity in larger cases.
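
The following Python is an added illustration of the two models compared on slides 7 to 10; it is not the authors' simulator. It builds a gate-level netlist of a k-bit unsigned multiplier (AND partial products, a Wallace-style carry-save reduction with 5-gate full adders and 2-gate half adders, then a ripple-carry adder: an illustrative design, simpler than the ones in the paper), counts exhaustively how many gate outputs toggle when new inputs arrive, averaged over every initial state, and sets that against the Hamming weight model, which propagates the probability h/k of a 1 along each input wire. It assumes, as slide 7 does, that every gate switching costs the same, and it models the initial state in the probabilistic version as independent input bits that are 1 with probability 1/2 (an assumption of this example, not a statement from the slides).

```python
from itertools import product

# Boolean gates on bits, and the same gates on probabilities of a 1.  The probability
# versions assume the two input wires are independent (the Hamming weight model's
# simplification, which slide 13 notes breaks down for Booth addends).
BIT_OPS = {'and': lambda x, y: x & y, 'xor': lambda x, y: x ^ y, 'or': lambda x, y: x | y}
PROB_OPS = {'and': lambda p, q: p * q,
            'xor': lambda p, q: p + q - 2 * p * q,
            'or': lambda p, q: p + q - p * q}


def bits(x, k):
    """k-bit little-endian bit list of the integer x."""
    return [(x >> j) & 1 for j in range(k)]


class Multiplier:
    """Gate-level netlist of a k x k unsigned multiplier (illustrative design, not the
    paper's): AND partial products, Wallace-style carry-save reduction with 5-gate
    full adders and 2-gate half adders, then a ripple-carry adder.  Wires are
    ('a', j), ('b', i) or ('g', n) for the output of gate n; gates are (op, in1, in2)
    stored in evaluation order."""

    def __init__(self, k):
        self.k, self.gates, self.outputs = k, [], []
        self._build()

    def _gate(self, op, x, y):
        self.gates.append((op, x, y))
        return ('g', len(self.gates) - 1)

    def _half_adder(self, x, y):                      # sum, carry: 2 gates
        return self._gate('xor', x, y), self._gate('and', x, y)

    def _full_adder(self, x, y, z):                   # 3-to-2 counter: 5 gates
        t, u = self._gate('xor', x, y), self._gate('and', x, y)
        s, v = self._gate('xor', t, z), self._gate('and', t, z)
        return s, self._gate('or', u, v)

    def _build(self):
        k = self.k
        cols = [[] for _ in range(2 * k)]             # cols[w] = wires of weight 2^w
        for i, j in product(range(k), repeat=2):      # partial product a_j * b_i
            cols[i + j].append(self._gate('and', ('a', j), ('b', i)))
        while max(map(len, cols)) > 2:                # carry-save passes, Wallace style
            nxt = [[] for _ in range(len(cols) + 1)]
            for w, col in enumerate(cols):
                while len(col) >= 3:
                    s, c = self._full_adder(*col[:3])
                    nxt[w].append(s); nxt[w + 1].append(c); col = col[3:]
                if len(col) == 2:
                    s, c = self._half_adder(*col)
                    nxt[w].append(s); nxt[w + 1].append(c)
                else:
                    nxt[w].extend(col)
            cols = nxt
        carry = None                                  # final ripple-carry adder
        for col in cols:
            ins = col + ([carry] if carry is not None else [])
            if len(ins) == 3:
                out, carry = self._full_adder(*ins)
            elif len(ins) == 2:
                out, carry = self._half_adder(*ins)
            else:
                out, carry = (ins[0] if ins else None), None   # None = constant 0
            self.outputs.append(out)

    def evaluate(self, a_vals, b_vals, ops=BIT_OPS):
        """Evaluate every gate on bit values (or on probabilities with PROB_OPS);
        returns (gate outputs in gate order, dict of every wire's value)."""
        vals = {('a', j): v for j, v in enumerate(a_vals)}
        vals.update({('b', i): v for i, v in enumerate(b_vals)})
        outs = []
        for n, (op, x, y) in enumerate(self.gates):
            vals[('g', n)] = ops[op](vals[x], vals[y])
            outs.append(vals[('g', n)])
        return outs, vals

    def multiply(self, a, b):
        """Sanity check that the netlist really computes a * b."""
        _, vals = self.evaluate(bits(a, self.k), bits(b, self.k))
        return sum(vals[w] << i for i, w in enumerate(self.outputs) if w is not None)


def switching_by_weight(mult):
    """Exhaustive model of slides 7-8: mean number of gate outputs that toggle when new
    inputs (a, b) arrive, averaged over every initial state and then over all (a, b)
    with the same (HW(a), HW(b)).  Cost O(2^(4k) * gates): only feasible for small k."""
    k = mult.k
    states = {(a, b): mult.evaluate(bits(a, k), bits(b, k))[0]
              for a, b in product(range(1 << k), repeat=2)}
    per_weight = {}
    for (a, b), new in states.items():
        toggles = sum(o != n for old in states.values() for o, n in zip(old, new))
        hw = (bin(a).count('1'), bin(b).count('1'))
        per_weight.setdefault(hw, []).append(toggles / len(states))
    return {hw: sum(v) / len(v) for hw, v in per_weight.items()}


def hamming_weight_model(mult, ha, hb):
    """Polynomial-time model of slide 9: put probability ha/k (hb/k) of a 1 on every a
    (b) wire, propagate it through the gates, and add up each gate's probability of
    toggling against the initial state, taken here as independent input bits that are
    1 with probability 1/2 (an assumption of this example)."""
    k = mult.k
    old, _ = mult.evaluate([0.5] * k, [0.5] * k, PROB_OPS)
    new, _ = mult.evaluate([ha / k] * k, [hb / k] * k, PROB_OPS)
    return sum(q * (1 - p) + p * (1 - q) for q, p in zip(old, new))


if __name__ == '__main__':
    k = 3
    m = Multiplier(k)
    exact = switching_by_weight(m)
    print(f'{k}-bit multiplier, {len(m.gates)} gates:  HW(a)  HW(b)  exhaustive  HW model')
    for ha, hb in product(range(k + 1), repeat=2):
        print(f'   {ha}      {hb}    {exact[ha, hb]:8.3f}   {hamming_weight_model(m, ha, hb):8.3f}')
```

Run as a script for k = 3 it prints the 4 × 4 table of average switchings by (HW(a), HW(b)) from both models side by side. The probabilistic model is exact for gates whose inputs share no input variables (the partial products and the first reduction stage) and drifts slightly where sums and carries reconverge, which is the independence assumption that slide 13 points out. The exhaustive model is O(2^(4k)), so raising k past 4 or 5 quickly becomes impractical, while the Hamming weight model costs one pass over the gates per (HW(a), HW(b)) pair.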

  11. Evaluation Hamming weight of the output (k = 16): the model also accurately predicts the Hamming weight of the output. The 3-D graphs of HW(a×b) against HW(a) and HW(b) (actual vs model results) have the same features.

  12. Booth 2 Multiplier A 2-bit Booth multiplier was built: one input is given a base-4 re-coding of one argument using the digits –2, –1, –0, +0, +1, +2. These multiples of the other input (the multiplicand) feed into a tree of compressors. Graphs show that gate switching (& leakage) depends on: • the Hamming weight of the multiplicand; • the “Booth” weight of the multiplier. Booth weight is defined by summing over the recoded digits: 0 for recoded digit +0 (000...00 is added); 2 for recoded digit –0 (111...11 is added, with correction); 1 for all other digits d (dM is added, for multiplicand M).
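
As an added worked example of the recoding and the Booth weight just defined (it is not the authors' code): radix-4 Booth recoding of an unsigned k-bit multiplier with the two zero digits kept distinct, the Booth weight, and the digit-by-digit accumulation in which a digit with a minus sign adds the ones' complement of the multiple plus a +1 correction, so that –0 really does add 111...1 and then correct. It assumes the multiplier is unsigned, so a zero bit is appended above its top bit and k//2 + 1 digits are produced; that convention is this example's, not the slides'.

```python
def booth2_digits(x, k):
    """Radix-4 (2-bit) Booth recoding of the k-bit unsigned multiplier x, least
    significant digit first.  Digit i is read from the bit triple
    (x[2i+1], x[2i], x[2i-1]) with x[-1] = 0 and x[j] = 0 for j >= k (unsigned input,
    so a zero is appended above the top bit and k//2 + 1 digits are produced):
        value = x[2i-1] + x[2i] - 2*x[2i+1],   sign = -1 if x[2i+1] else +1.
    Each digit is returned as (magnitude, sign) so that the triple 000 -> (0, +1) = +0
    and the triple 111 -> (0, -1) = -0 stay distinct."""
    def bit(j):
        return (x >> j) & 1 if 0 <= j < k else 0
    digits = []
    for i in range(k // 2 + 1):
        lo, mid, hi = bit(2 * i - 1), bit(2 * i), bit(2 * i + 1)
        digits.append((abs(lo + mid - 2 * hi), -1 if hi else 1))
    return digits


def booth_value(digits):
    """Sum of sign * magnitude * 4^i; equals x, i.e. the recoding is exact."""
    return sum(s * m * 4 ** i for i, (m, s) in enumerate(digits))


def booth_weight(x, k):
    """Booth weight as defined on slide 12: 0 for +0 (000...0 is added), 2 for -0
    (111...1 is added, with correction), 1 for every other digit d (dM is added)."""
    return sum(0 if (m, s) == (0, 1) else 2 if (m, s) == (0, -1) else 1
               for m, s in booth2_digits(x, k))


def booth_multiply(x, m_cand, k):
    """x * m_cand accumulated digit by digit the way the Booth multiplier adds its
    multiples: a digit with minus sign adds the ones' complement of |d| * M and a +1
    correction (two's-complement negation), so -0 really does add 111...1 and then
    correct.  All arithmetic modulo 2^(2k), which the product fits in."""
    mask = (1 << (2 * k)) - 1
    acc = 0
    for i, (m, s) in enumerate(booth2_digits(x, k)):
        multiple = (m * m_cand) & mask
        addend = multiple if s > 0 else ((~multiple) & mask) + 1
        acc = (acc + (addend << (2 * i))) & mask
    return acc


if __name__ == '__main__':
    k = 4
    print(' x  HW(x)  BW(x)  digits (LSB first)')
    for x in range(1 << k):
        d = booth2_digits(x, k)
        assert booth_value(d) == x
        shown = ' '.join(('+' if s > 0 else '-') + str(m) for m, s in d)
        print(f'{x:2d}    {bin(x).count("1")}      {booth_weight(x, k)}    {shown}')
```

For k = 4 the printed table shows that Hamming weight and Booth weight are different quantities: x = 15 (HW 4) recodes to –1, –0, +1 and has Booth weight 4, x = 7 (HW 3) recodes to –1, +2, +0 and has Booth weight 2, and x = 8 (HW 1) also has Booth weight 2. A multiplier whose switching follows the Booth weight therefore reveals a different function of its operand than an add-and-shift multiplier whose switching follows the Hamming weight.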

  13. Booth Weight Multiplier Can a HWt / BWt multiplier be built for the Booth multiplier like the Ham Wt add-and-shift multiplier? This would predict gate switching from HWt and BWt inputs without combinatorial explosion. The Add-and-Shift case assumed compressor input bits were independent. This was reasonably accurate. Addends 111...11 and 000...00 make this unreasonable for a Booth weight multiplier. Alignment of bits in 2M & shifted 1M also reduces independence. Solution not yet worked out.

  14. Multiplier Comparison • Overall gate switching was less in the Booth multiplier than the Add-and-Shift multiplier. • Area is larger for Booth multiplier with expected digit sizes. • So leakage is less, but there is a silicon cost. • More complex multipliers are unlikely in most smartcards.

  15. Lab Results • The DICE lab at UCL was used to measure power variation and EMR in several multipliers. Only add-and-shift designs were available. • EMR at a variety of frequencies yields much more discriminating leakage than a simple gate count, which approximated the power leakage data. • So the models agreed with lab results, but the lab results might be used to extract further information.

  16. Conclusions • Power use in standard multipliers is closely related to input Hamming (or re-coded) weights; • Simplified poly time models can enable good accuracy for power use, so designs can be tested easily in the search for less leaky hardware; • Some multiplier designs (such as one with 2-bit Booth re-coding) leak less information about Hamming wts than others (such as the standard Add-and-Shift multiplier).

  17. IACR CHES 2005 Edinburgh Scotland 28 Aug – 1 Sept
