- Bruno Robisson1,
- Michel Agoyan1,
- Patrick Soquet2,
- Sébastien Le-Henaff2,
- Franck Wajsbürt3,
- Pirouz Bazargan-Sabet3 &
- …
- Guillaume Phan4
Abstract
Among other threats, secure components are subjected to physical attacks whose aim is to recover the secret information they store. Most of the work carried out to protect these components consists in developing protections (or countermeasures) taken one by one. But this "countermeasure-centered" approach drastically decreases the performance of the chip in terms of power, speed and availability. In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component. Three main specifications for such management are required in a real-world application (for example, a conditional access system for pay-TV): it has to provide capabilities for the chip to distinguish between attacks and normal use cases (without the help of a human being and in a robust but versatile way); it also has to be based on mechanisms which dynamically find a trade-off between security and performance; and all these mechanisms have to be formalized in a way that is clearly understandable by the designer. In this article, a prototype implementing such a security management system is described. The solution is based on a double-processor architecture: one processor embeds a representative set of countermeasures (and mechanisms to define their parameters) and executes the application code; the second processor, on the same chip, applies a given security strategy, but without requesting sensitive data from the first processor. The chosen strategy is based on fuzzy logic reasoning, which enables the designer to describe, using a fairly simple formalism, both the attack paths and the normal use cases. A proof of concept has been proposed for the smart card part of a conditional access system for pay-TV, but it could easily be fine-tuned for other applications.
References
Ali, S.S., Mukhopadhyay, D., Tunstall, M.: Differential fault analysis of AES: towards reaching its limits. J. Cryptogr. Eng. 3(2), 73–97 (2013)
Ambrose, J.A., Ragel, R.G., Parameswaran, S.: RIJID: Random code injection to mask power analysis based side channel attacks. In: Proceedings of Design Automation Conference - DAC, pp. 489–492. ACM (2007)
Bace, R.G.: Intrusion Detection. Macmillan Publishing Co., Inc., Indianapolis (2000)
Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE100(11), 3056–3076 (2012)
Bauer, A., Jaulmes, É., Prouff, E., Reinhard, J.-R., Wild, J.: Horizontal collision correlation attack on elliptic curves—extended version. Cryptogr. Commun. 7(1), 91–119 (2015)
Carlet, C., Freibert, F., Guilley, S., Kiermaier, M., Kim, J.-L., Solé, P.: Higher-order CIS codes. IEEE Trans. Inf. Theory 60(9), 5283–5295 (2014)
Clavier, C., Coron, J.-S., Dabbous, N.: Differential power analysis in the presence of hardware countermeasures. In: Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, CHES '00, pp. 252–263. Springer-Verlag, London, UK (2000)
Coron, J.-S., Kizhvatov, I.: Analysis and improvement of the random delay countermeasure of CHES 2009. In: Mangard, S., Standaert, F.-X. (eds.) CHES, Lecture Notes in Computer Science, vol. 6225, pp. 95–109. Springer (2010)
Dubois, D., Prade, H.: Fundamentals of Fuzzy Sets Series: The Handbooks of Fuzzy Sets, vol. 7. Kluwer Academic, Boston (2000)
Dutertre, J.-M., Possamai Bastos, R., Potin, O., Flottes, M.-L., Rouzeyre, B., Di Natale, G., Sarafianos, A.: Improving the ability of bulk built-in current sensors to detect single event effects by using triple-well CMOS. Microelectron. Reliab. 54(9–10), 2289–2294 (2014)
Global platform specifications website
Gogniat, G., Wolf, T., Burleson, W., Diguet, J.-P., Bossuet, L., Vaslin, R.: Reconfigurable hardware for high-security/ high-performance embedded systems: the SAFES perspective. IEEE Trans. VLSI Syst.16(2), 144–155 (2008)
Guilley, S., Sauvage, L., Flament, F., Vong, V.-N., Hoogvorst, P., Pacalet, R.: Evaluation of power constant dual-rail logics countermeasures against DPA with design time security metrics. IEEE Trans. Comput.59(9), 1250–1263 (2010)
Homma, N., Hayashi, Y.-I., Miura, N., Fujimoto, D., Tanaka, D., Nagata, M., Aoki, T.: EM attack is non-invasive? Design methodology and validity verification of EM attack sensor. In: Batina, L., Robshaw, M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2014. Lecture Notes in Computer Science, vol. 8731, pp. 1–16. Springer, Berlin Heidelberg (2014)
Java card technology website
https://en.wikipedia.org/wiki/sum_of_normally_distributed_random_variables
Mamdani, E.H.: Application of fuzzy logic to approximate reasoning using linguistic synthesis. IEEE Trans. Comput.C–26(12), 1182–1191 (1977)
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, New York (2007)
Mao, S., Wolf, T.: Hardware support for secure processing in embedded systems. IEEE Trans. Comput.59(6), 847–854 (2010)
Moradi, A., Manzuri Shalmani, M.T., Salmasizadeh, M.: A generalized method of differential fault attack against AES cryptosystem. In: CHES, pp. 91–100 (2006)
NIST: Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication, n. 197, November 26 (2001)
Rivain, M., Prouff, E., Doget, J.: Higher-order masking and shuffling for software implementations of block ciphers. In: Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems, CHES '09, pp. 171–188. Springer-Verlag, Berlin, Heidelberg (2009)
Roche, T., Lomné, V., Khalfallah, K.: Combined fault and side-channel attack on protected implementations of AES (2011)
Standaert, F.-X., Malkin, T., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT, Lecture Notes in Computer Science, vol. 5479, pp. 443–461. Springer (2009)
Torrance, R., James, D.: The state-of-the-art in IC reverse engineering. In: Clavier, C., Gaj, K. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2009. Lecture Notes in Computer Science, vol. 5747, pp. 363–381. Springer, Berlin Heidelberg (2009)
Acknowledgments
The authors would like to thank the members of the Secure Architectures and Systems Laboratory for their contributions to this work. We would also like to thank the anonymous reviewers for their valuable comments and suggestions. This research was supported in part by the French government through the Smart On Smart (ANR-07-SESU-014-01) project.
Author information
Authors and Affiliations
CEA/EMSE, Secure Architectures and Systems Laboratory, Centre de Microélectronique de Provence, 880 Route de Mimet, 13541, Gardanne, France
Bruno Robisson & Michel Agoyan
Viaccess-Orca, Les Collines de l’Arche, 92057, La Défense, France
Patrick Soquet & Sébastien Le-Henaff
LIP6, 4 Place Jussieu, 75252, Paris, France
Franck Wajsbürt & Pirouz Bazargan-Sabet
Trusted Logic, 6 rue de la Verrerie, 92190, Meudon, France
Guillaume Phan
Corresponding author
Correspondence to Bruno Robisson.
Appendices
Appendix 1: Impact of protections
As explained in 2.3, we consider only the threats related to side-channel attacks (SCA) and differential fault attacks (DFA). To mount such attacks successfully, the attacker proceeds in a divide-and-conquer manner (i.e., he attacks small pieces of the key one by one). On each iteration, he targets the result of one particular piece of computation, hereafter referred to as the "targeted result"; for an SCA, it is for example the output of an S-box computation during the first round. To mount a DFA, the attacker additionally needs the ciphertexts resulting from one or several faulty computations.
7.0.1 Impact of redundancy
\(F_{SCA}\) We consider that the \(RL\) redundant computations generate identical power traces, which the attacker can simply add in the time domain. Averaging them raises the signal-to-noise ratio, so the number of traces needed to recover the key decreases by a factor \(RL\).
\(F_{DFA}\) As explained in Sect. 2.2.1, a redundant computation is associated with a comparison of the results, in order to increment the counter \(CE\) if they differ. To bypass this protection, the attacker has both to avoid the update of the counter when an error is detected and to inject the same fault value, noted \(e_0\), during each of the \(RL\) successive computations of the targeted result. The probability of obtaining such a set of faults determines the number of faulty executions required to mount the attack. Let \(q\) be the number of bits of the targeted result. If all faults on these bits are equally probable, the probability of reproducing the same fault \(e_0\) (whose value does not matter) during the \(RL\) successive executions of the targeted instruction is \((1/2^q)^{RL-1}\): the first fault can take any value, and each of the \(RL-1\) others must match it. In classical DFA schemes a fault generally has to affect one byte, so the default value is \(q=8\).
\(F_{Time}\) In our framework, the redundant computations are not performed in parallel, and we assume that the comparison of the results takes negligible time. The redundancy countermeasure therefore increases the computation time by a factor \(RL\).
\(F_{NRJ}\) We also assume that the comparison of the results consumes negligible energy, so the redundancy countermeasure increases the energy consumption by a factor \(RL\). Fig. 2 sums up the discussions of 7.0.1.
7.0.2 Impact of insertion of dummy instructions
Let \({\mathcal {D}}\) be the random variable equal to the number of instructions in a sequence of useful instructions; its domain is chosen equal to \(\{1;\ldots ;D\}\). Let \({\mathcal {N}}\) be the random variable equal to the number of instructions in a sequence of useless (dummy) instructions; its domain is set equal to \(\{0;\ldots ;N\}\). We consider that \({\mathcal {N}}\) and \({\mathcal {D}}\) follow uniform distributions.
Let us also suppose that the \(m\)th valid instruction is the one which computes the targeted result. For the sake of simplicity, we consider that each instruction (useless or not) is executed in one clock cycle. A typical value of \(m\) is 100–200, which corresponds to one round of a software implementation of the Advanced Encryption Standard [21] on a 32-bit processor; the default value is therefore \(m=150\). Let \({\mathcal {X}}\) be the random variable equal to the clock cycle in which instruction \(m\) is executed.
Each realization \(x\) of this random variable is equal to \(x=\sum _{i=1}^k d_i+\sum _{i=1}^k n_i\), with \(k\) such that \(\sum _{i=1}^k d_i=m\), where \(i\) indexes the \(i\)th pair of useful/useless sequences and \(d_i\) and \(n_i\) are the \(i\)th realizations of \({\mathcal {D}}\) and \({\mathcal {N}}\), respectively. Hence \(x=m+\sum _{i=1}^k n_i\). Because \(m \gg D\), \(x\) can be approximated by \(x \sim m + \sum _{i=1}^q n_i\) with \(q=2\cdot m/(D+1)\), the expected number of sequences (this \(q\) is unrelated to the bit width of 7.0.1). Under these conditions, the probability density of \({\mathcal {X}}\) follows a normal distribution (\(\mu _X, \sigma _X\)) with:
For the sake of simplicity, we consider, as proposed in [7], that the position of instruction \(m\) is uniformly distributed (with probability \(1/(2\cdot \sigma _X)\) per clock cycle) between \(m-\sigma _X\) and \(m+\sigma _X\).
\(F_{SCA}\) Under these conditions, the SCA peak is reduced by a factor \(2\cdot \sigma _X\) and the number of traces necessary to retrieve the key increases by a factor \(4\cdot \sigma _X^2\). However, with the sliding-window method also described in [7] (which consists in reconstructing the peak by integrating the consumption traces over \(2\cdot \sigma _X\) samples), the increase in the number of power traces is only a factor \(2\cdot \sigma _X\).
\(F_{DFA}\) To mount a DFA, we suppose that the attacker is able to target clock cycles between \(m-\sigma _X\) and \(m+\sigma _X\). He then has one chance out of \(2\cdot \sigma _X\) of modifying instruction \(m\), so the number of faulty executions required is increased by a factor \(2\cdot \sigma _X\).
\(F_{Time}\) Formula (1) indicates that the computation time is increased by a factor \((1+N/2)\).
\(F_{NRJ}\) Because useful and dummy instructions are considered to consume the same energy, the energy consumption of the circuit is also increased by a factor \((1+N/2)\). Fig. 3 sums up the discussions of 7.0.2.
7.0.3 Impact of random power generator
\(F_{SCA}\) According to [7], if \(\delta \) denotes the amplitude of the SCA peak (i.e., the difference in power consumption or electromagnetic radiation between data values) and \(\sigma _c\) the standard deviation of the power consumption trace, the number of power traces necessary to recover the key has to be higher than \((\sigma _c/\delta )^2\). Activating \(RNG\) random power generators increases this number by a factor \((1+{\textit{RNG}}^2)\).
\(F_{DFA}\) We suppose that the RPG does not protect against differential fault attacks.
\(F_{Time}\) As the RPG runs at the same time as the computation, the computation time is not increased by its activation.
\(F_{NRJ}\) We consider that the power consumption of one generator is equal to \(\alpha \) times the temporal mean of \(\mu _c(t)\), with \(\alpha =10\%\) because a random number generator is a small piece of hardware. Under these conditions, the total energy consumption of the circuit is increased by a factor \(( 1 + \alpha \cdot RNG )\). Fig. 4 sums up the discussions of 7.0.3.
7.0.4 Combination of countermeasures
When the different countermeasures are combined, the factors computed above are simply multiplied for side-channel attacks, for the computation time and for the energy consumption. For DFA, the chance of making the same fault on the targeted result (in order to bypass the detection of \(RL\)), whose position is blurred by IDI, is equal to the chance obtained for the first occurrence (i.e., \(1/(2^q \cdot 2 \cdot \sigma _X)\)) repeated for each of the remaining \(RL-1\) occurrences. Fig. 5 sums up the discussions of 7.0.4.
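The following Python program is an added worked example (it is not code from the article or its authors) that turns the factors of 7.0.1–7.0.4 into a small cost model and then searches, over a grid of \(RL\), \(N\) and \(RNG\) values, for the cheapest configuration meeting given SCA and DFA targets, which is the kind of security/performance trade-off the monitor has to arbitrate at run time. Since the closed forms of \(\mu _X\), \(\sigma _X\) (7.0.2) and of the combined DFA factor (7.0.4) are not reproduced on this page, the program derives them under stated assumptions: \({\mathcal {X}}\) is treated as \(m\) plus the sum of \(2m/(D+1)\) i.i.d. draws uniform on \(\{0;\ldots ;N\}\) (each of variance \(N(N+2)/12\)), the window \(2\cdot \sigma _X\) is floored at one clock cycle, and the combined DFA factor is read as \(2\sigma _X\cdot (2^q\cdot 2\sigma _X)^{RL-1}\). The grid values and the cost metric (time × energy) are illustrative choices.

```python
"""Cost model of the countermeasures of Appendix 1 (added example, not the paper's code).

The factors follow 7.0.1-7.0.4. The standard deviation of X (7.0.2) and the
combined DFA factor (7.0.4), whose closed forms are not reproduced on this
page, are derived under the assumptions stated in the docstrings.
"""
from dataclasses import dataclass
from itertools import product
from math import sqrt


@dataclass(frozen=True)
class Factors:
    """Multiplicative impact of a countermeasure configuration.

    sca:  factor on the number of power traces an SCA needs (>1 helps the defender)
    dfa:  factor on the number of faulty executions a DFA needs
    time: factor on computation time
    nrj:  factor on energy consumption
    """
    sca: float
    dfa: float
    time: float
    nrj: float


def redundancy(RL: int, q: int = 8) -> Factors:
    """7.0.1: RL sequential executions plus a comparison; faults hit q-bit results."""
    if RL < 1:
        raise ValueError("redundancy level must be >= 1")
    p_same_fault = (1 / 2 ** q) ** (RL - 1)       # same e0 in all RL executions
    return Factors(sca=1 / RL, dfa=1 / p_same_fault, time=RL, nrj=RL)


def sigma_x(m: int, D: int, N: int) -> float:
    """Standard deviation of the clock cycle X of instruction m (7.0.2).

    Assumption (formula missing from the page): X ~ m + sum of n_seq i.i.d.
    draws uniform on {0..N}, n_seq = 2m/(D+1). A discrete uniform on {0..N}
    has variance N(N+2)/12, hence Var(X) = n_seq * N * (N+2) / 12.
    """
    n_seq = 2 * m / (D + 1)
    return sqrt(n_seq * N * (N + 2) / 12)


def blur(m: int, D: int, N: int) -> float:
    """Width 2*sigma_X of the window the attacker must search (at least one cycle)."""
    return max(1.0, 2 * sigma_x(m, D, N))


def dummy_instructions(D: int, N: int, m: int = 150, sliding_window: bool = True) -> Factors:
    """7.0.2: insertion of dummy instructions (IDI); useful runs in {1..D},
    dummy runs in {0..N}. With the sliding-window attack of [7] the SCA gain
    is only 2*sigma_X instead of 4*sigma_X^2."""
    w = blur(m, D, N)
    return Factors(sca=w if sliding_window else w ** 2, dfa=w,
                   time=1 + N / 2, nrj=1 + N / 2)


def random_power_generator(RNG: int, alpha: float = 0.10) -> Factors:
    """7.0.3: RNG generators run in parallel with the computation."""
    return Factors(sca=1 + RNG ** 2, dfa=1.0, time=1.0, nrj=1 + alpha * RNG)


def combined(RL: int, D: int, N: int, RNG: int, q: int = 8, m: int = 150) -> Factors:
    """7.0.4: SCA, time and energy factors multiply. For DFA the attacker must
    hit the blurred cycle once (2*sigma_X tries) and then reproduce the same
    fault e0 in the right cycle on each of the remaining RL-1 executions.

    Assumption: the missing closed form is read as
        2*sigma_X * (2^q * 2*sigma_X) ** (RL - 1).
    """
    r, d, g = redundancy(RL, q), dummy_instructions(D, N, m), random_power_generator(RNG)
    w = blur(m, D, N)
    return Factors(sca=r.sca * d.sca * g.sca,
                   dfa=w * (2 ** q * w) ** (RL - 1),
                   time=r.time * d.time * g.time,
                   nrj=r.nrj * d.nrj * g.nrj)


def cheapest_config(min_sca: float, min_dfa: float,
                    RLs=(1, 2, 3), Ns=(0, 2, 4, 8), RNGs=(0, 1, 2, 3), D: int = 1):
    """Smallest time*energy overhead meeting both security targets, or None.

    This is the trade-off a security manager searches at run time: it walks the
    (RL, N, RNG) grid instead of applying one fixed countermeasure.
    """
    best = None
    for RL, N, RNG in product(RLs, Ns, RNGs):
        f = combined(RL, D, N, RNG)
        if f.sca >= min_sca and f.dfa >= min_dfa:
            cost = f.time * f.nrj
            if best is None or cost < best[0]:
                best = (cost, (RL, N, RNG), f)
    return best


if __name__ == "__main__":
    print(combined(RL=2, D=1, N=2, RNG=2))
    print(cheapest_config(min_sca=50, min_dfa=1000))
```

With the defaults (\(m=150\), \(D=1\)), \(N=2\) gives \(\sigma _X=10\), so IDI alone multiplies the SCA and DFA effort by 20 at twice the time and energy; the grid search shows that reaching both a 50× SCA and a 1000× DFA target is cheapest with RL=2, N=2 and two generators rather than with a single heavier countermeasure.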
Appendix 2: Fuzzy logic analysis
The process chosen for inferring a decision from fuzzy rules and inputs was first proposed by Mamdani in [17]. As reported in the following pseudo-code, it consists in fuzzifying the inputs (according to the fuzzy subsets described in section 7.1), then computing (according to 7.2) the degree of truth of the rules described in Sect. 3.2, then aggregating the results of these rules (according to 7.3) and lastly "defuzzifying" them to obtain the output values (according to 7.4). Only the computation of the misuse level is described in detail below.

1.1 Fuzzy subsets
Definition The meaning of the words (or "linguistic variables") "low" and "high" for the inputs and outputs is defined with "fuzzy subsets." The membership function, denoted \(\mu _A\), of a fuzzy subset \(A\) is a generalization of the characteristic function of classical set theory: it is any function mapping the values \(s\) of the input \(S\) to the real unit interval [0, 1]. The value \(\mu _A(s)\) is called the membership degree of \(s\) in the fuzzy subset \(A\). This degree quantifies the grade of membership of the element in \(A\): the value 0 means that \(s\) is not a member of the fuzzy set, the value 1 means that \(s\) is a full member, and values strictly between 0 and 1 characterize fuzzy members, which belong to the set only partially. The membership degree also quantifies the degree of truth of the assertion "\(s\) is \(A\)" (which is true with degree \(\mu _A(s)\)).
Membership functions for inputs Consider first the fuzzy sets associated with the value of an input \(S^i\). The eight membership functions (or fuzzy subsets) selected for each input \(S^i\) are presented in Table 6. For example, consider the voltage sensor input whose maximum value is \({ VS}_{max}=10\). If this input is equal to 3 (and so lies between \({ VS}_{max}/5\) and \(2 \cdot { VS}_{max}/5\)), it is considered "rather high" with a degree of truth of 1/4 and "very low" with a degree of truth of 1/2. If the voltage sensor value is equal to 7 (and so lies between \(3 \cdot { VS}_{max}/5\) and \(4 \cdot { VS}_{max}/5\)), it is considered "high" with a degree of truth of 2/3 and "very very low" with a degree of 0.
Membership functions for outputs The outputs of the analysis mechanisms are the levels of anomaly and misuse. Their values are real values in [0, 1]. The two different membership functions “LOW” and “HIGH” considered for these outputs are described in Table 7.
Operations on fuzzy subsets The boolean operations AND, OR and NOT are also defined in fuzzy logic. In the following, we consider the standard Zadeh operators (minimum, maximum and complement to 1) on fuzzy subsets \(A_0\) and \(A_1\), respectively defined on the variables \(x\) and \(y\), such that:
The extension of \(Z\_AND\) and \(Z\_OR\) to \(n\)-ary operators is trivially defined and denoted as:
The degree of truth of a premise is a real number in [0, 1] which depends on the values \(\mathbf {S}\) of the inputs. The degree of truth of the premise of rule \(i\) is denoted \(pre_i(\mathbf {S})\).
1.2 Computing the degree of truth of the rules
Computing the values of the premises The degree of truth of each premise is computed by first evaluating the membership degrees of the inputs \(S^i\) in the fuzzy subsets and then, if necessary, applying the Zadeh operators according to the premise's formula.
It is important to note that, because the chosen input membership functions are discontinuous (piecewise constant, with values in \(P\)) and because the Zadeh operators are used, the result \(pre_i(\mathbf {S})\) is always an element of the set \(P=\{0;1/4;1/3;1/2;2/3;3/4;1 \}\), regardless of the values of the inputs and of the formula used to express premise \(i\): \(P\) is closed under minimum, maximum and complement to 1 (\(1-p \in P\) for every \(p \in P\)).
Modification of the membership function of the conclusion of a rule In the method proposed by Mamdani, the degree of truth of the premise of a rule modifies the membership function of its conclusion. The modification consists in truncating the membership function\(A_k(y)\) of the conclusion with the value of the premise, that is:
In fuzzy logic inference mechanisms, all the rules are considered to fire in parallel. So, at first glance, the use of this logic could lead to inconsistency, that is, several rules could lead to different conclusions (for example, the misuse is both HIGH and LOW). The aim of aggregation of rules and defuzzification is to compute a unique value for the decision.
1.3 Aggregation of rules
The different rules are considered to be linked together with the operator OR. So, combining the rules consists in taking for all\(y \in [0,1]\), the maximum value of the conclusions of the different rules, according to the following formula:
1.4 Defuzzification
The operation of defuzzification consists in calculating a scalar (or "crisp") value from the output membership function of the conclusion, \(\mu _{\mathcal {R}}(y|\mathbf {S})\), obtained for a given set of inputs and a given set of rules. Before explaining this process, the output membership function is rewritten by taking into account the properties of our set of rules. We distinguish the rules which conclude that the misuse is LOW (noted "LOW-m" rules) from those which conclude that it is HIGH (noted "HIGH-m" rules). Without loss of generality, we reorder the rules so that those numbered from 0 to \(q-1\) are "LOW-m" rules and those numbered from \(q\) to \(p\) are "HIGH-m" rules. The considered set of rules is noted \({\mathcal {R}}\).
Output membership function rewriting The fuzzy subset of\(LOW-m\) is defined as:
In the same way, the fuzzy set associated with the "HIGH-m" rules is defined as:
As explained in section 7.2, the different premises \(pre_k\) are in the set \(P\). So, let us define \(p_l\) and \(p_h\) (the largest premise values among the LOW-m and HIGH-m rules, respectively) and the membership functions \(\mu _{LOW-m}(y)^{p_l}\) and \(\mu _{HIGH-m}(y)^{p_h}\) such that:
The output membership function for the outputy can in these conditions always be written in the following form:
Defuzzification techniques Different defuzzification techniques exist to compute the crisp output from the output membership function. We have considered four of the most popular ones, called "centroid" (CT), "mean of max" (MM), "first of max" (FOM) and "last of max" (LM). For example, the FOM crisp value is computed using the formula:
We then computed their values for the whole set of possible premise values, that is, for all 49 membership functions \(\mu _{\mathcal {R}}(y)^{p_l,p_h}\) with \(p_l \in P\) and \(p_h \in P\). The results for first of max (FOM) are reported in Table 8.
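As an added worked example (not code from the article or its authors), the following Python program implements the four steps of this appendix with exact rational arithmetic, so that the closure of \(P\) under the Zadeh operators is checked rather than assumed, and it enumerates the 49 \((p_l, p_h)\) combinations of 7.4 for first of max. Tables 6 and 7 are not reproduced on this page: the eight step functions in INPUT_SETS and the linear LOW/HIGH output sets in OUTPUT_SETS are assumptions, chosen so that the voltage-sensor example of 7.1 (3 → "rather high" 1/4 and "very low" 1/2; 7 → "high" 2/3 and "very very low" 0) is reproduced. The three rules and the sensor readings used in the usage section are constructed inputs, not the rules of Sect. 3.2.

```python
"""Mamdani inference for the misuse level (Appendix 2).

Added example, not the paper's own code. INPUT_SETS (Table 6) and
OUTPUT_SETS (Table 7) are assumptions consistent with the examples of 7.1.
"""
from fractions import Fraction as F

# The set P of 7.2: every premise value must land in it.
P = {F(0), F(1, 4), F(1, 3), F(1, 2), F(2, 3), F(3, 4), F(1)}

# Assumed Table 6: membership degree of an input on each fifth of [0, S_max].
INPUT_SETS = {
    "very_very_low":  (F(1), F(1, 2), F(1, 4), F(0), F(0)),
    "very_low":       (F(1), F(1, 2), F(1, 3), F(0), F(0)),
    "low":            (F(1), F(3, 4), F(1, 2), F(1, 4), F(0)),
    "rather_low":     (F(1), F(1), F(2, 3), F(1, 3), F(0)),
    "rather_high":    (F(0), F(1, 4), F(2, 3), F(1), F(1)),
    "high":           (F(0), F(1, 4), F(1, 2), F(2, 3), F(1)),
    "very_high":      (F(0), F(0), F(1, 3), F(1, 2), F(1)),
    "very_very_high": (F(0), F(0), F(1, 4), F(1, 2), F(1)),
}

# Assumed Table 7: output sets on y in [0, 1]; LOW falls and HIGH rises linearly.
OUTPUT_SETS = {"LOW": lambda y: 1 - y, "HIGH": lambda y: y}


def fuzzify(s, s_max):
    """Membership degrees of one sensor value in the eight input subsets."""
    if not 0 <= s <= s_max:
        raise ValueError("sensor value outside [0, S_max]")
    k = min(4, int(5 * s // s_max))          # which fifth of the range s falls in
    return {name: steps[k] for name, steps in INPUT_SETS.items()}


def premise(expr, S, S_max):
    """Evaluate a premise tree with the Zadeh operators: AND=min, OR=max, NOT=1-x.

    expr is ("is", input, label), ("not", e), ("and", e1, e2, ...) or ("or", ...).
    """
    op = expr[0]
    if op == "is":
        _, name, label = expr
        return fuzzify(S[name], S_max[name])[label]
    if op == "not":
        return 1 - premise(expr[1], S, S_max)
    if op not in ("and", "or"):
        raise ValueError(f"unknown operator {op!r}")
    vals = [premise(e, S, S_max) for e in expr[1:]]
    return min(vals) if op == "and" else max(vals)


def defuzzify(p_l, p_h, steps=600):
    """Crisp values of mu_R(y)^{p_l,p_h} = max(min(p_l, LOW(y)), min(p_h, HIGH(y))).

    Evaluated exactly on a grid of `steps` intervals (600 keeps 1/3 and 2/3 on
    the grid); the centroid uses the trapezoid rule on that grid.
    """
    def mu_R(y):
        return max(min(p_l, OUTPUT_SETS["LOW"](y)), min(p_h, OUTPUT_SETS["HIGH"](y)))

    ys = [F(k, steps) for k in range(steps + 1)]
    mus = [mu_R(y) for y in ys]
    top = max(mus)
    maxima = [y for y, m in zip(ys, mus) if m == top]
    h = F(1, steps)
    num = sum((a * ma + b * mb) * h / 2 for a, b, ma, mb in zip(ys, ys[1:], mus, mus[1:]))
    den = sum((ma + mb) * h / 2 for ma, mb in zip(mus, mus[1:]))
    return {
        "CT": num / den if den else F(0),   # centroid (0 if no rule fired)
        "MM": sum(maxima) / len(maxima),    # mean of max
        "FOM": maxima[0],                   # first of max
        "LM": maxima[-1],                   # last of max
    }


def infer(rules, S, S_max):
    """Full pipeline: fuzzify, fire the rules, aggregate with OR (max), defuzzify.

    rules: list of (premise_expr, "LOW" | "HIGH"). Truncating each conclusion
    set at its premise value and OR-ing the rules reduces to one value per
    conclusion label: p_l for the LOW-m rules and p_h for the HIGH-m rules.
    """
    fired = [(premise(e, S, S_max), concl) for e, concl in rules]
    assert all(p in P for p, _ in fired), "Zadeh operators keep premises in P"
    p_l = max((p for p, c in fired if c == "LOW"), default=F(0))
    p_h = max((p for p, c in fired if c == "HIGH"), default=F(0))
    return p_l, p_h, defuzzify(p_l, p_h)


def fom_table():
    """The 49 first-of-max values for (p_l, p_h) in P x P (the shape of Table 8)."""
    return {(pl, ph): defuzzify(pl, ph)["FOM"] for pl in sorted(P) for ph in sorted(P)}


# Constructed rules and sensor readings (not the rules of Sect. 3.2).
RULES = [
    (("and", ("is", "VS", "very_low"), ("is", "ME", "very_very_low")), "LOW"),
    (("or", ("is", "VS", "rather_high"), ("is", "ME", "high")), "HIGH"),
    (("not", ("is", "ME", "high")), "LOW"),
]
S_MAX = {"VS": 10, "ME": 10}

if __name__ == "__main__":
    p_l, p_h, crisp = infer(RULES, {"VS": 3, "ME": 7}, S_MAX)
    print(p_l, p_h, {k: str(v) for k, v in crisp.items()})
```

For the readings VS=3 and ME=7 the three rules fire with degrees 0, 2/3 and 1/3, so \(p_l=1/3\) and \(p_h=2/3\); the aggregated function is flat at 2/3 on [2/3, 1], which is why first of max, mean of max and last of max give 2/3, 5/6 and 1 while the centroid gives 47/81. With these linear output sets, first of max is either 0 (when \(p_l \ge p_h\)) or \(p_h\) itself, so every entry of the 49-cell table stays in \(P\); a designer who wants a smoother misuse level must pick the centroid, at the cost of an output that is no longer one of the rule degrees.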
Appendix 3: Architecture details
The details of the hardware implementation of the host, of the monitor and of the communication channels are described in Fig. 6.
Appendix 4: Simulations of scenarios
The second analysis consists in defining several attack and normal-use scenarios and playing them on an algorithmic model of the prototype. For example, consider a scenario where the card is connected to a low-quality card reader. In such an abnormal case, the electrical connection between the two devices regularly triggers the voltage sensor. In the first part of the scenario (called I), there is no error and the security level remains low, as represented in Fig. 7 (top); in this figure, the x-axis corresponds to time and the y-axis to the security level. In the second part (II), the voltage sensor alone is triggered and the security level increases slowly (because we consider that these errors are not important). In the third part (III), the MAC error sensor \({ ME}\) is also triggered and the security level increases quickly. In the last part (IV), the sensors stop being triggered and the security level decreases quickly.
Conversely, consider a laser attack scenario. In the first part of this scenario, there are no errors and the security level remains low, as represented in Fig. 7 (bottom). In the second part, the light sensors are triggered because the attacker injects faults in the middle of a long sequence of correct commands. Even with this precaution, the security level increases quickly (we consider that triggers of the light sensor are important). We suppose that the attacker is able to detect this increase (the activation of the RPG when the system switches to the "unsafe" configuration is easy to detect) and that, in the third part of the scenario, he stops injecting faults; the security level then tends to decrease. But when the laser attack is restarted in the fourth part of the scenario, the monitor increases the security level very quickly until the sensitive data are deleted.
Cite this article
Robisson, B., Agoyan, M., Soquet, P. et al.: Smart security management in secure devices. J. Cryptogr. Eng. 7, 47–61 (2017). https://doi.org/10.1007/s13389-016-0143-4