2019.4.24 Japan-French Security Workshop, Kyoto



## Deployment of EMC-Compliant IC Chip Techniques in Design for Hardware Security

## Makoto Nagata

Graduate School of Science, Technology and Innovation, Kobe University, Japan

nagata@cs.kobe-u.ac.jp http://www.edu.kobe-u.ac.jp/stin-secafy/index.html



## Kobe University, Japan



Around 16,000 students (1,200 oversea students), 1,600 teaching members.

## **Research lab. overview**





- 19 students (5 under graduate, 10 master course, 4 doctoral course), 8 staffs (including professors/guest professors.)
- Design methodologies of IC chips and systems for hardware security and safety – "Secafy," with deep background of analog, digital, mixed-signal IC techniques.

## **FR-JP** partnership

# Creating a safe and robust digitally-connected world

Professors Makoto Nagata and Jean-Luc Danger and Associate Professor Noriyuki Miura are united in their belief that the root of trust in the safety and security of electronic systems lies in robustly designed hardware. Here they describe the research goals of their long-term collaboration





Prof Makoto Nagata

Prof Jean-Luc AP Noriyuki Miura

Could you begin with a brief description of your backgrounds and research interests?

Danger

the Secafy Laboratory at Kobe University?

MN: Secafy stands for hardware security and safety and we believe it is vital to design these principles into hardware from the very beginning. I see hardware as being the root of trust on which the security of networks can be built. We are focused on measuring the susceptibility of integrated circuits (ICs)

connectivity. However, all practical hardware is exposed to unseen radio waves, which can sometimes affect the performance of a chip, particularly in VLSI. Therefore, it is important to ensure devices are robust and continue to perform well even in harsh environmental conditions.

JLD: Cyber attacks are increasingly common.

Makoto Nagata, Jean-Luc Danger, Noriyuki Miura, "Creating a Safe and Robust Digitally-Connected World," Impact, Vol. 2018, No. 11, pp. 22-25, Dec. 2018. DOI:10.21820/23987073.2018.11.22

Copyright Makoto Nagata, Kobe University -5-

# IC chips and systems in critical applications



Hardware security to be assessed in productization or assured by design of IC chips and electronics assembly for critical applications

- ✓ Security performance (Cryptography, Digital signature, Attack resistance, etc.)
- ✓ Authenticity, Validation, Authentication of IC chips
- ✓ Side-channel leakage suppression, Fault injection tolerance

Copyright Makoto Nagata, Kobe University -6-

## **EMC as automotive standards**



#### ECE-R10\* (Rev. 5 in 2014)

- Immunity to radiated and conducted disturbances (EMS)
- Control of unwanted radiated and conducted emissions (EMI)

\*The United Nations Economic Commission for Europe

## **Physical attacks in dimensions**



- Physical dimensions at board, package and chip levels.
- EM radiation, EM sensing, EM injection

## **Power noise problems in IC chip**



Relevant to side-channel (SC) concerns in cryptographic chips

## **IC chip level EMC test standards**

Generic IC EMC Test Spe

| 5.1.1 C                                                       | onducted RF test methods                                 |                                                                            |                                                              |
|---------------------------------------------------------------|----------------------------------------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------|
| The conducte                                                  | ed RF tests have to be performed for all ICs             | method name                                                                | reference                                                    |
| conducted<br>emission                                         | direct coupling via 150 Ω / 1 Ω network                  | 150 Ω / 1 Ω method                                                         | IEC61967-4                                                   |
| conducted immunity                                            | direct RF-power injection via DC block<br>capacitor      | direct power injection (DPI)                                               | IEC62132-4                                                   |
| 5.1.2 R                                                       | adiated RF test methods                                  | icated ICs, see chapter 7.2.1.                                             |                                                              |
| The radiated                                                  |                                                          |                                                                            |                                                              |
| The radiated                                                  | coupling method                                          | method name                                                                | reference                                                    |
| The radiated<br>test type<br>radiated<br>emission             | coupling method<br>E- and H-field radiation of entire IC | method name<br>(G)TEM-cell method                                          | IEC61967-2                                                   |
| The radiated<br>test type<br>radiated<br>emission<br>radiated | coupling method   E- and H-field radiation of entire IC  | method name     (G)TEM-cell method     IC stripline     (G)TEM-cell method | reference       IEC61967-2       IEC61967-8       IEC62132-2 |

IEC61967-6: Magnetic probe method, measurement of IC chip for conducted EM emission in 150 kHz – 1 GHz.

Table 3: Radiated test methods

IEC62132-4: Direct RF power injection method, measurement of IC chip for <u>conducted EM immunity</u> in 150 kHz – 1 GHz.



20

## Side channel information leakage



Digital data paths are main channels of cryptographic processing.

Power current consumption and electromagnetic (EM) emanation are potential <u>side channels</u> that might deliver secret information.

Copyright Makoto Nagata, Kobe University -11-

## Side channel information leakage



## **Relevance between EMC and HWS**

- ►Electromagnetic emission → Side channel leakage (passive information leakage)
- $\blacktriangleright$ EMI analysis  $\rightarrow$  SCA analysis

EMS

EMI

- **EMS** analysis  $\rightarrow$  Fault analysis
- In-depth understandings of IC-chip level EMC, toward the quality design of IC chips for HWS

## **Deployment of EMC techs. for HWS**

- ►Electromagnetic emission → Side channel leakage (passive information leakage)
- $\blacktriangleright$  EMI analysis  $\rightarrow$  SCA analysis



- $\blacktriangleright$  EMS analysis  $\rightarrow$  Fault analysis
- **EMS** resiliency -**?**-- Fault resiliency

Copyright Makoto Nagata, Kobe University -14-

## **EMI simulation framework**



| Passive part of EMI<br>models | Active part of EMI<br>models | Challenges               |
|-------------------------------|------------------------------|--------------------------|
| S-parameters or               | Power current models         | Scenarios to properly    |
| equivalent circuits of        | of active circuits with      | activate crypto circuits |
| PCB, package and IC           | multiple power               | for EMI simulation       |
| chip                          | domains (PDs)                | toward HWS               |

## **PDN impedance model**



C-P-B integrated passive model, capturing AC impedance seen from power source side (VDD).

### **Power noise: C-P-B active interaction**



- Power current (I<sub>DD</sub>, active part of IC) interacts with PDN AC impedance.
- C-P-B integrated models for power noise in IC chips and PCB.

## **Chip power model**



CPM -- A power delivery network involving multiple power current models.

## Liner network model (passive part)



- Liner network model (Passive CPM)
- ✓ Behavioral of PDN of IC
- ✓ SPICE compatible model
- ✓ Reduced and distributed RC network among ports (hundreds or thousands ports)
- ✓ Require : Layout data, technology profile

## **Power current model (active part)**



- SPICE simulation: I(t) LUT for in/out condition, load caps
- Post-layout extraction logic cell level: C<sub>esc</sub>, R<sub>esr</sub>



Cell based -- logic cells are characterized in power current model.

Copyright Makoto Nagata, Kobe University -20-

## C-P-S\* model for diagnosis and analysis

\*Chip-Package-System board



Full-system level simulation of power side-channel leakage

On-die diagnosis of physical attacks

## Silicon test vehicle



\*D. Fujimoto, et al., "Side-Channel Leakage on Silicon Substrate of CMOS Cryptographic Chip," HOST 2014.

## SC leakage measurement system



- Exploration of physical mechanisms of SC information leakage.
- A test chip directly mounted on an interposer, in the measurement system built on FPGA board called "SASEBO-R2."

## **Simulation versus measurements**



- CPM of AES circuits in C-P-S EMI simulation
- On-chip noise monitoring (OCM) of AES circuits
- The overall shape of the waveform and size of peak drops are almost consistent.

## **SC** leakage simulation flow



\*correlated power analysis (CPA)

Time-domain simulation for a set of plain texts to be encrypted with a private key.

## PS current wvfms for CPA (sim.)



# Cost of simulation for 10,000 plain texts

| Model                            | cost     |
|----------------------------------|----------|
| Full transistor<br>(pre-layout)  | 115 days |
| Full transistor<br>(post-layout) | Unlikely |
| Active PS<br>current model       | 10 hours |

280 times acceleration is achieved.

\*D. Fujimoto, *et al.*, "A Fast Power Current Analysis Methodology Using Capacitor Charging Model for Side Channel Attack Evaluation," HOST 2011.

## CPA sim. and meas.



Correlation between Hamming distance and PS waveforms

## **EMS simulation framework**



| External part of EMS                       | Internal part of EMS                    | Challenge                                      |
|--------------------------------------------|-----------------------------------------|------------------------------------------------|
| Limited to the direct<br>and associated RF | On-die paths of ESD<br>I/O rings and Si | Specification of the<br>most sensitive part of |
| significance                               | to PDN of circuits                      | disturbance                                    |

## **EMS simulation model**



The whole model captures chip-package-system board interaction

## **EMC simulation for HWS**



Propagation of power current (EMI) or disturbance (EMS) in linear network

Creation of power current (EMI) or response to disturbance (EMS) in nonlinear operation of semiconductor devices

## **Summary**

- "IC-chip level EMC simulation" is established with chip power models (CPM) and chip-package-system board integrated models (CPS).
- Deployment of "IC-chip level EMC simulation" faces the challenges to be solved:

EMI: Full-system level power noise emission for private key and public crypto processors.

EMS: Response of crypto processors to intentional disturbances by EM, Laser and other physical equivalents.

Acknowledgements: This work was in part supported by Technology and Innovation (CSTI), Cross-ministerial Strategic Innovation Promotion Program (SIP), "Cyber-Security for Critical Infrastructure" (funding agency: NEDO).