

#### Reliability analysis of digital sensors against perturbations of FPGAs

Sylvain Guilley<sup>1,2</sup>, Richard Newell<sup>3</sup> and Thibault Porteboeuf<sup>2</sup>

> TELECOM-ParisTech <sup>2</sup> Secure-IC S.A.S. <sup>3</sup> Microsemi Corp.



Wicrosemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.



THE TRUSTED COMPUTING COMPANY 🛲

### 1. Introduction

- 2. Detecting fault attacks
- 3. Digital sensor®
- 4. Technological dispersion
- 5. Design and tolerances



## Two constraints to be met simultaneously...

### Security / Reliability

- Security: detecting as many faults as possible
- **Reliability**: detecting only necessary faults



## **Fault attacks**

#### Many means:

- Clock
- Voltage
- Temperature

Dedicated sensors?





# State-of-the-art industrial solutions

#### **Dedicated sensors**

- Frequency monitors
- Voltage monitors
- Temperature monitors

### Problem

- Analog, hence costly to tune
- Many alarms arrive in parallel: management is complex

SECURE 🚺 🐼 Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

# **Digital sensor**<sup>®</sup>

Sensor performance:

© SECURE



Sincrosemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

## Design Example: Frequency Sensitivity



Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

## Design Example: Voltage Sensitivity



# Main technical characteristics

- Simple API
- Stable
- Small
- Descreet, more difficult to recognize
- Melted with the rest of the SoC, more difficult to bypass
- Low power

© SECURE

- Clock gating possible
- Even more obscured in FPGA implementations



# Main technical characteristics

- Simple API
- Stable
- Small
- Descreet, more difficult to recognize
- Melted with the rest of the SoC, more difficult to bypass
- Low power

© SECURE

- Clock gating possible
- Even more obscured in FPGA implementations



Secure-IC S.A.S. 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

# Main technical characteristics

- Simple API
- Stable
- Small
- Descreet, more difficult to recognize
- Melted with the rest of the SoC, more difficult to bypass
- Low power

© SECURE

- Clock gating possible
- Even more obscured in FPGA implementations



Secure-IC S.A.S. 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

# Advantage



## Add 2nd Sensor – Test Opposite Conditions



C Microsemi. 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

## Sorts of variations







### Correlated and Uncorrelated Effects [WLB+05]



- If  $\tau_1$ - $\tau_4$  are random, uncorrelated with mean  $\tau$  and variance  $\rho^2$  then the delay from A to B is  $4\tau \not\sim 2\rho$
- If  $\tau_1 \text{-} \tau_4$  are random, correlated with mean  $\tau$  and variance  $\rho^2$  then the delay from A to B is  $4\tau \not \sim 4\rho$
- If  $\tau_1$ - $\tau_8$  are random, uncorrelated with mean  $\tau$  and variance  $\rho^2$  then the difference in arrival time between B and C is  $0\pm\sqrt{8}\sigma$
- If  $\tau_1 \tau_8$  are random, correlated with mean  $\tau$  and variance  $\rho^2$  then the difference in arrival time between B and C is 0

Joe Watts, Nanotech Workshop on Compact Modeling 2005

© SECURE

**ON DEMAND BUSINESS** 

## Best / worst cases

#### Worst case

- Correlated in the digital sensor
- Non-correlated between the digital sensor & critical path

In the sequel, we model only uncorrelated noise (*in transistors*).



# In 65 nm technology



© SECURE

- Monte-Carlo simulation, under Cadence
- 37 identical buffers, ×4 drive
- 1000 runs

Secure-IC S.A.S.

# Orders of magnitude

### $1 \times$ buffer

- 90 ps delay
- 6.0 ps variation
- $10 \times$  buffer
  - 90 ps delay
  - 2.3 ps variation

Typical chain: 40 gates,  $\approx$  4 ns delay, but only 14 ps standard deviation!

Indeed, uncorrelated variances add, thus the standard deviation only grow with the square root of the number of delay elements.

© SECURE 🕼 🌕 Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.



#### Probability density functions in the digital sensor setup.

## Computations

#### Definitions

- **False positives**: a fault is reported but there was none.
- **False negatives**: a fault has not been detected.

Equations (example for the probability of false positives)

$$\begin{split} \mathbb{P}_{\mathsf{FP}} &= \mathbb{P}(T_{\mathsf{sensor}} > T_{\mathsf{clock}}) = \mathbb{E}(\mathbbm{1}_{T_{\mathsf{sensor}} > T_{\mathsf{clock}}}) \\ &= \iint \phi_{t_{\mathsf{sensor}},\sigma_{\mathsf{sensor}}^2}(t) \cdot \phi_{t_{\mathsf{clock}},\sigma_{\mathsf{clock}}^2}(t') \cdot \mathbbm{1}_{t > t'} \, \mathrm{d}t \, \mathrm{d}t' \\ &= \int_{-\infty}^{+\infty} \int_{-\infty}^{t} \phi_{t_{\mathsf{sensor}},\sigma_{\mathsf{sensor}}^2}(t) \cdot \phi_{t_{\mathsf{clock}},\sigma_{\mathsf{clock}}^2}(t') \, \mathrm{d}t \, \mathrm{d}t' \end{split}$$

where  $\phi_{\mu,\sigma^2}(t) = \frac{1}{\sqrt{2\pi\sigma^2}} \exp{-\frac{(t-\mu)^2}{2\sigma^2}}$  is the probability density function of the a normal law  $\mathcal{N}(\mu, \sigma^2)$ .

SECURE 🕼 🛇 Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

## Illustrative "Receiver Operating Characteristic" (ROC)



Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

## **Advanced considerations: Improvements**

- Exposure probability: tampering happens only maybe between zero and some few hours over the life of the part (< 100 ppm)</p>
- In case of environmental modifications, user logic and sensor track one another, hence they can never cross each other. But this is ideal: do delays remain proportionate under these circumstances?



© SECURE 🕡 🥯 Microsemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.

# **Bibliographical References**

[BSGD09] Shivam Bhasin, Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger. Security Evaluation of Different AES Implementations Against Practical Setup Time Violation Attacks in FPGAs In HOST (Hardware Oriented Security and Trust), pages 15-21. IEEE Computer Society, July 27th 2009. DOI: 10.1109/HST.2009.5225057: In conjunction with DAC-2009, Moscone Center, San Francisco, CA. USA. [SBG<sup>+</sup>09] Nidhal Selmane, Shivam Bhasin, Sylvain Guilley, Tarik Graba, and Jean-Luc Danger. WDDL is Protected Against Setup Time Violation Attacks. In FDTC, pages 73-83. IEEE Computer Society, September 6th 2009. In conjunction with CHES'09, Lausanne, Switzerland. DOI: 10.1109/FDTC.2009.40; Online version: http://hal.archives-ouvertes.fr/hal-00410135/en/. Nidhal Selmane, Shivam Bhasin, Sylvain Guilley, and Jean-Luc Danger, [SBGD11] Security evaluation of application-specific integrated circuits and field programmable gate arrays against setup time violation attacks. IET Information Security, 5(4):181-190, December 2011. DOI: 10 1049/jet-ifs 2010 0238 [WLB<sup>+</sup>05] Josef Watts, Ning Lu, Calvin Bittner, Steven Grundon, and Jeffrey Oppold. Modeling FET Variation within a chip as a Function of Circuit Design and Lavout Choices. In WCM (Workshop on Compact Modeling), May 8-12 2005. Anaheim Marriott & Convention Center, Anaheim, CA, USA; http://www.nsti.org/Nanotech2005/WCM2005/ (in Association with Eighth International Conference on Modeling and Simulation of Microsystems MSM 2005).



#### Reliability analysis of digital sensors against perturbations of FPGAs

Sylvain Guilley<sup>1,2</sup>, Richard Newell<sup>3</sup> and Thibault Porteboeuf<sup>2</sup>

> TELECOM-ParisTech <sup>2</sup> Secure-IC S.A.S. <sup>3</sup> Microsemi Corp.



Wicrosemi 2014 All rights reserved | Public document, property of Secure-IC S.A.S.