CN117155540A - Method, apparatus, device, chip and storage medium for determining side channel security - Google Patents

Method, apparatus, device, chip and storage medium for determining side channel security Download PDF

Info

Publication number
CN117155540A
CN117155540A CN202311431271.8A CN202311431271A CN117155540A CN 117155540 A CN117155540 A CN 117155540A CN 202311431271 A CN202311431271 A CN 202311431271A CN 117155540 A CN117155540 A CN 117155540A
Authority
CN
China
Prior art keywords
chip
data
power consumption
side channel
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311431271.8A
Other languages
Chinese (zh)
Other versions
CN117155540B (en
Inventor
范逸凡
朱凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Open Security Research Inc
Original Assignee
Open Security Research Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Open Security Research Inc filed Critical Open Security Research Inc
Priority to CN202311431271.8A priority Critical patent/CN117155540B/en
Publication of CN117155540A publication Critical patent/CN117155540A/en
Application granted granted Critical
Publication of CN117155540B publication Critical patent/CN117155540B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)

Abstract

The application discloses a method, a device, equipment, a chip and a storage medium for determining side channel security, wherein the method comprises the following steps: acquiring circuit information of a chip and test data for signing and checking the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment; signing and checking the chip based on the circuit information and the test data to obtain power consumption data of the chip in a first time period; and determining the security of the chip under the side channel attack based on the power consumption data and the test data. According to the method provided by the embodiment of the application, when the security of the chip under the side channel attack is found to be unsatisfied with the requirement, the chip design can be flexibly modified at lower cost, and the validity and the reliability of the determined security conclusion can be ensured.

Description

Method, apparatus, device, chip and storage medium for determining side channel security
Technical Field
The present application relates to the field of information system security technologies, and in particular, to a method, an apparatus, a device, a chip, and a storage medium for determining side channel security.
Background
The security of the chip is seriously threatened by the attack from the side channel, and in order to test the security of the chip under the attack of the side channel, the prior art carries out the security analysis of the side channel on the chip by collecting the power consumption data of the chip entity. The chip entity refers to a chip product manufactured according to design data after the chip design is completed, namely, a chip used in practical application. The scheme in the prior art has poor flexibility, and a chip with side channel potential safety hazard cannot be quickly modified at low cost.
Disclosure of Invention
The application provides at least a method, a device, equipment, a chip and a storage medium for determining side channel security.
The technical scheme of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a method for determining side channel security, where the method includes: acquiring circuit information of a chip and test data for signing and checking the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment; signing and checking the chip based on the circuit information and the test data to obtain power consumption data of the chip in a first time period; and determining the security of the chip under the side channel attack based on the power consumption data and the test data.
In a second aspect, an embodiment of the present application provides an apparatus for determining side channel security, where the apparatus includes: the acquisition unit is used for acquiring circuit information of the chip and testing data for signing and checking the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment; the signing and checking unit is used for signing and checking the chip based on the circuit information and the test data to obtain the power consumption data of the chip in the first time period; and the determining unit is used for determining the security of the chip under the side channel attack based on the power consumption data and the test data.
In a third aspect, an embodiment of the present application provides an apparatus for determining side channel security, the apparatus including a memory and a processor; wherein the memory is used for storing computer executable instructions; and a processor coupled to the memory for implementing the method as in the first aspect by executing the computer-executable instructions.
In a fourth aspect, an embodiment of the present application provides a chip, including: a processor for calling and running a computer program from a memory, so that a device on which the chip is mounted performs the method as in the first aspect.
In a fifth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by at least one processor, implements a method as in the first aspect.
In the embodiment of the application, the circuit information of the chip (including the complete circuit design information formed by integrating the gate-level netlist with the standard component library after the layout and wiring treatment) and the test data for signing the chip can be obtained, the chip can be signed based on the circuit information and the test data, the power consumption data of the chip in a first time period can be obtained, and the security of the chip under the side channel attack can be determined based on the power consumption data and the test data. Since the chip signing and verification occurs in the chip design stage, if the security of the chip under the side channel attack is found to be unsatisfied in the stage, the chip design can be flexibly modified at lower cost. Meanwhile, the power consumption data can be determined by using complete circuit design information in the signing process, so that the power consumption data of the chip can be more accurately simulated, and the effectiveness and reliability of the determined security conclusion can be ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic diagram of a general flow of a chip design;
fig. 2 is a flowchart illustrating a method for determining side channel security according to an embodiment of the present application;
fig. 3 is a second flowchart of a method for determining side channel security according to an embodiment of the present application;
fig. 4 is a schematic diagram of a composition structure of an apparatus for determining side channel security according to an embodiment of the present application;
fig. 5 is a schematic diagram of a hardware entity of an apparatus for determining side channel security according to an embodiment of the present application.
Detailed Description
For a more complete understanding of the nature and the technical content of the embodiments of the present application, reference should be made to the following detailed description of embodiments of the application, taken in conjunction with the accompanying drawings, which are meant to be illustrative only and not limiting of the embodiments of the application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the embodiments of the application is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict. It should also be noted that the term "first\second\third" in relation to embodiments of the present application is used merely to distinguish similar objects and does not represent a particular ordering for the objects, it being understood that the "first\second\third" may be interchanged in a particular order or sequence, where allowed, to enable embodiments of the present application described herein to be practiced in an order other than that illustrated or described herein.
It should be understood that the term "and/or" in the embodiment of the present application is merely an association relationship describing the association object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
The security of the chip is severely compromised by attacks from the side channels. In order to test the security of the chip under side channel attack, side channel security analysis may be performed. The side channel security analysis is an analysis method for analyzing the password realization (comprising a password chip, a password module, a password system and the like) and evaluating the side channel attack resistance of the password realization. Modern cryptographic algorithms exist in cryptographic devices in the form of hardware circuits, and various physical information such as power consumption, electromagnetism and the like can be leaked in the use process of the hardware circuits, and side channel attacks can directly or indirectly acquire relevant information in the computing process of the cryptographic algorithms by using the physical information so as to recover keys. Side channel security analysis can be generally divided into two categories, one category depending on analysis of statistics of physical information, and one category judging the security capability of a circuit by implementing side channel attack.
The existing side channel security analysis schemes can be divided into a chip side channel security analysis scheme after silicon and a chip side channel security analysis scheme before silicon.
In the chip side channel security analysis scheme after silicon, an oscilloscope, an electromagnetic probe, or the like may be used to collect power consumption data or electromagnetic data of a chip (chip entity), so that the collected data is used to perform relevant energy analysis (Correlation Power Analysis, CPA) on the chip to evaluate the side channel security of the chip. The technology has low flexibility in improving the chip design, high cost in repairing the chip after the potential safety hazard is found, and is unfavorable for the quick production and marketing of the chip, and the power consumption data acquired by the oscillograph needs to be subjected to preprocessing such as alignment denoising, so that the preprocessing effect influences the evaluation result to a great extent.
In the chip-side channel security analysis scheme before silicon, logic simulation can be performed on a chip design diagram of a Register-Transfer Level (RTL) or a Gate-Level (Gate-Level) without layout wiring, and chip power consumption is simulated by signal conversion activity in a circuit, so that test vector leakage evaluation (Test Vector Leakage Assessment, TVLA) is performed on simulated power consumption data to determine whether the chip meets a user-defined security Level. The technology uses a circuit design diagram (RTL or a gate-level chip design diagram without layout and wiring) in the early stage of chip design to simulate power consumption at a logic level, and lacks various physical properties of a chip, wherein the physical properties include but are not limited to capacitance and resistance information on a circuit link, crosstalk between wires, burrs and the like, and side channel leakage introduced in the physical synthesis stage of the chip cannot be detected.
In view of this, embodiments of the present application provide a method, apparatus, device, chip, and storage medium for determining side channel security. The method can obtain the power consumption data of the chip by signing the chip, and further determine the security of the chip under the side channel attack based on the power consumption data and the test data. Since chip signing occurs in the chip design stage (pre-silicon stage), the chip design can be flexibly modified at a lower cost when the security of the chip under side channel attack is found to be unsatisfactory. Meanwhile, the power consumption data can be determined by using complete circuit design information in the signing process, so that the power consumption data of the chip can be more accurately simulated, and the effectiveness and reliability of the determined security conclusion can be ensured.
It should be noted that, in the embodiment of the present application, the "security of the chip under the attack of the side channel" may also be referred to as "side channel security", or may also be referred to as "side channel physical security".
For ease of understanding, fig. 1 shows a general flow of chip design. As shown in fig. 1, the general flow of chip design may include S101 to S104:
s101, chip function logic design.
In a conventional chip design process, a chip designer performs chip functional logic design to obtain an RTL code (e.g., RTL code 11 in fig. 1).
S102, chip logic synthesis.
In this step, logic synthesis may be performed based on RTL code (e.g., RTL code 11 of FIG. 1) to obtain a gate level netlist (e.g., gate level netlist 12 of FIG. 1).
S103, chip layout synthesis.
The chip layout is integrated, i.e. the layout and the wiring are performed to obtain the chip layout (such as the chip layout 13 in fig. 1).
S104, chip signing and checking.
Before the chip is streamed, the chip needs to be signed and checked to obtain a GDS-II file (such as GDS-II file 14 in FIG. 1). Wherein GDS-II is an abbreviation of english "Graphic Data System II", which is a file format for describing and recording semiconductor chip designs. Through chip signing and checking, whether the design of the chip meets various requirements can be verified.
As described above, logic simulation is typically performed based on RTL or gate-level chip design drawings to evaluate side channel security of the chip. This process occurs when the RTL code 11 is obtained at S101 or when the gate level netlist 12 is obtained at S102. In contrast, the method of the embodiment of the application innovatively proposes that the side channel security analysis can be performed in the remainder of the conventional signing. For example, through extensive scientific experiments and summaries of the applicant, in S104 (i.e. a chip signing stage), the power consumption data obtained by simulating the chip by using the signing tool may be used to analyze the side channel security of the chip, and the analysis result may be returned to the chip designer as a part of the signing report, for example.
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
An embodiment of the present application provides a method for determining side channel security, as shown in fig. 2, where the method may include:
s201, obtaining circuit information of a chip and test data for signing and checking the chip.
The circuit information and the test data can be used for signing and checking the chip to obtain the power consumption data of the chip in the first time period.
By way of example, the circuit information may include, for example: layout information of the circuit (chip layout information). The layout information of the circuit refers to complete circuit design information which is synthesized by a gate-level netlist and a standard element library after layout and wiring treatment.
In some embodiments, the circuit information may further include: resistance information and capacitance information. In one possible approach, the resistance information and the capacitance information may be obtained, for example, via a standard parasitic parameter format (Standard Parasitic Extraction Format, SPEF) file. The SPEF file is a file describing a resistance value, an inductance value, and a capacitance value in a chip circuit after layout wiring, and since a current loop of a chip is narrow and short, inductance of the chip is generally not considered, and thus parasitic parameters included in the SPEF file are typically the resistance value and the capacitance value.
The test data used for signing and checking the chip can be understood as a test case set for realizing the chip signing and checking. As an example, the test data may include, for example: data (e.g., keys) for configuring/setting the internal memory cells of the chip, and data (e.g., plaintext data) for configuring/setting the inputs of the chip.
As one implementation, the test data may include: at least one piece of plaintext data, and a key for encrypting the at least one piece of plaintext data. For example, the test data may be composed ofnEach test vector may include a piece of plaintext data and a key for encrypting the plaintext data. The plaintext data in each test vector can be obtained by a random generation mode; the keys in each test vector are identical and can be obtained, for example, by means of random generation or manual setting.
S202, signing and checking the chip based on the circuit information and the test data to obtain the power consumption data of the chip in the first time period.
In this step, the chip may be checked based on the circuit information and the test data obtained in S101, so as to obtain power consumption data of the chip in the first period, where the power consumption data may be used to determine security of the chip under a side channel attack. Since the chip signing and verification occurs in the chip design stage, if the security of the chip under the side channel attack is found to be unsatisfied in the stage, the chip design can be flexibly modified at lower cost. In addition, because the circuit information comprises layout information (namely complete circuit design information) of the circuit, compared with a power consumption simulation scheme of a logic level by using a circuit design diagram in an early stage of chip design, the method provided by the embodiment of the application can more accurately simulate the power consumption data of the chip in a first time period by determining the power consumption data by using the circuit information (the layout information of the circuit) in a later stage of chip design, and further can ensure the validity and the reliability of a side channel security conclusion obtained based on the power consumption data.
Illustratively, taking circuit information including layout information, resistance information and capacitance information of a circuit as an example, signing the chip based on the circuit information and test data to obtain power consumption data of the chip in a first period of time, for example, the following steps 21) and 22) may be implemented:
21 Based on the layout information, the resistance information, the capacitance information and the test data of the circuit, performing time sequence checking on the chip to obtain signal switching data.
The signal switching data can be used for representing the signal switching condition of the chip in the first time period. As an example, the signal switching situation of the chip may be, for example, a situation where the chip switches between 0 and 1. For example, when the signal switching data is represented by a graph, the horizontal axis of the graph may be time (including each time instant in the first period of time) and the vertical axis may be a signal state (including 0 or 1). Based on the graph, the states of the signals of the chip at various moments in the first time period and the switching conditions of the signal states between the various moments can be known.
In the time sequence signing and checking process, all time sequence paths in the chip synchronous circuit can be analyzed to check whether time sequence violations exist. The time sequence checking can be realized by using a time sequence checking tool. For example, layout information, resistance information, capacitance information (e.g., resistance information and capacitance information may be provided by a SPEF file), and test data may be input to a timing verification tool, which may output a timing file containing signal switching data after timing verification.
In one possible manner, performing time sequence signing on the chip based on layout information, resistance information, capacitance information and test data of the circuit to obtain signal switching data may include: based on layout information, resistance information, capacitance information and test data of the circuit, performing time sequence signing on the chip to obtain delay data of the chip; signal switching data is determined based on the delay data.
The delay data can be used for representing the delay condition of signal transmission on each time sequence path of the chip. In other words, in the time sequence signing and checking process, the delay condition of signal transmission on each time sequence path can be calculated first, and then the signal switching condition of the chip in the first time period is deduced based on the delay condition, so as to obtain the signal switching data.
By way of example, the delay data of the chip may include, for example, at least one of: input-output path delay (IOPATH delay), INTERCONNECT delay (INTERCONNECT delay), setup time required for each unit of the chip, and hold time required for each unit of the chip. Wherein, the establishment time required by each unit of the chip can be obtained in the process of performing establishment (SETUP) time sequence check by the time sequence checking tool; the retention time required for each unit of the chip may be obtained during the time series checking process performed by the time series checking tool.
It should be noted that "delay" in the embodiment of the present application may also be replaced by "delay".
22 Based on the resistance information, the capacitance information and the signal switching data, performing power consumption checking on the chip to obtain the power consumption data of the chip in the first time period.
The power consumption signing and checking can be realized by using a power consumption signing and checking tool. For example, resistance information, capacitance information (e.g., provided by a SPEF file), and signal switching data (e.g., provided by a timing file) may be input to the power consumption signing tool, so that the power consumption signing tool may obtain and output power consumption data of the chip in the first period of time based on the resistance information, the capacitance information, and the signal switching data.
In one possible approach, the power consumption data may include a total power consumption value obtained by adding Leakage power consumption (Leakage power), internal power consumption (Internal power), and switching power consumption (Switch power). The leakage power consumption is related to the characteristics of the process library of the element, and refers to the power consumption caused by leakage when the element is not switched. Leakage power consumption may be provided, for example, by a standard cell library that may be read by a power consumption signing tool when performing power consumption signing. The internal power consumption is the sum of the power consumption caused by charge and discharge and the power consumption caused by short circuit inside the element; the switching power consumption refers to power consumption caused by charging and discharging of the load capacitor. The internal power consumption and the switching power consumption may be collectively referred to as dynamic power consumption, which is generally generated when signals on a circuit are switched, so that the dynamic power consumption may be calculated based on signal switching data.
In some embodiments, when the power consumption signing tool performs power consumption signing, relevant configuration information can be read, such as related library files, manufacturing process information provided by suppliers, working temperature, power supply voltage and the like, and the configuration information can be used for assisting the power consumption signing tool in simulating to obtain required power consumption data.
In one possible way, the number of power consumption data in the first period of time is the same as the number of test vectors in the test data. For example, for an input timing signing toolnThe power consumption signing and checking tool can simulate the test vectors to obtain corresponding test vectorsnAnd (5) strip power consumption data. By way of example, the firstiThe bar power consumption data may be expressed as:T_i={t_ijthe starting time is less than or equal toj-end time, -wherein,t_ijis the firstiThe first power consumption datajPower consumption value at time (total power consumption value).
According to the method of the embodiment, the chip can be checked based on the circuit information and the test data, so that the power consumption data of the chip in the first time period can be obtained. Because the circuit information (such as layout information, resistance information and capacitance information) of the chip is combined in the chip signing and checking process, the power consumption data of the chip in the first time period can be simulated more accurately, and the validity and the reliability of the side channel security conclusion obtained based on the power consumption data are guaranteed.
S203, determining the security of the chip under the side channel attack based on the power consumption data and the test data.
In this step, the security of the chip under the side channel attack may be determined based on the power consumption data obtained in S202 and the test data acquired in S101.
Illustratively, determining the security of the chip under side channel attacks based on the power consumption data and the test data may include: based on the power consumption data and the test data, a side channel security analysis algorithm is adopted to determine the security of the chip under the side channel attack. The side channel security analysis algorithm may include, for example, at least one of: TVLA algorithm, combuck-Lycra divergence (Kullback-Leibler Divergence, KL divergence) algorithm, CPA algorithm. In other words, in order to determine the security of the chip under the side channel attack, the embodiment of the application can use at least one side channel security analysis algorithm of the TVLA algorithm, the KL divergence algorithm and the CPA algorithm to perform side channel security analysis on the chip, thereby determining the security of the chip under the side channel attack.
The implementation flow of the side channel security analysis algorithm is described below.
Illustratively, the step of determining the security of the chip under side channel attack using the TVLA algorithm may include the following steps 31) to 33):
31 Dividing the power consumption data into two sets based on plaintext data in the test data.
For example, if the plaintext in the test vector corresponding to a certain piece of power consumption data is in binary statebBit 0, the power consumption data can be divided into setsTIn_0, otherwise, the power consumption data may be partitioned into setsT1. Wherein,bthe value of (2) may be arbitrarily specified, for example.
32 Using a t-test algorithm to determine the difference between the two sets.
By means of a t-test algorithm, the t-statistic between the two sets at each time instant in the first time period can be calculated (noted ast_score). Corresponding to each momentt_scoreThe absolute value of (c) may be used to reflect the statistical difference in the power consumption data at that time in the two sets, with a larger absolute value indicating a larger difference.
33 Determining the security of the chip under side channel attack based on the magnitude of the difference.
For example, if the firstjCorresponding to the momentt_scoreThe absolute value of (a) is greater than or equal to a predetermined threshold (e.g., noted as a first predetermined threshold), then the set can be consideredT0 and setT1 is at the firstjThe power consumption data at the moment have significant difference, so that side channel leakage exists, or the security of the chip under the side channel attack does not meet the requirement.
The detailed steps for determining the security of the chip under side channel attack using the TVLA algorithm will be given later and will not be described in detail herein.
Illustratively, the step of determining the security of the chip under side channel attacks using the KL-divergence algorithm may include the following steps 34) to 36):
34 Dividing the power consumption data into two sets based on plaintext data in the test data.
For example, if the plaintext in the test vector corresponding to a certain piece of power consumption data is in binary statebBit 0, the power consumption data can be divided into setsTIn_0, otherwise, the power consumption data may be partitioned into setsT1. Wherein,bthe value of (2) may be arbitrarily specified, for example.
35 Determining the KL divergence between the probability distributions of the two sets.
In this step, a KL divergence between the probability distributions of the two sets at each time instant in the first time period may be calculated using a KL divergence calculation formula. Assuming that the probability distributions of the two sets are respectively noted asP1 andP0, then the KL divergence between the probability distributions of the two sets can be expressed as
P1 andPKL divergence between 0 is measured byP0 is approximatelyP1, reflect the information loss ofP1 andPthe larger the difference of 0, the larger the KL divergence, indicating the larger the difference of the two.
36 Determining the security of the chip under the side channel attack based on the magnitude of the KL divergence.
For example, if the firstjThe time-of-day corresponding KL divergence is greater than or equal to a predetermined threshold (e.g., noted as a second predetermined threshold), then the collection may be consideredT0 and setT1 is at the firstjThe power consumption data at the moment have significant difference, so that side channel leakage exists, or the security of the chip under the side channel attack does not meet the requirement.
The detailed steps for determining the security of the chip under side channel attack using the KL divergence algorithm will be given later and will not be described in detail here.
Illustratively, the step of determining the security of the chip under side channel attacks using the CPA algorithm may include the following steps 37) and 38):
37 Guessing the correct key based on the plaintext data and the power consumption data in the test data to obtain a guessed key.
When guessing the correct key, all possible key values may be grouped into a set of key candidates. For each key candidate in the set of key candidates, a pearson correlation coefficient vector corresponding to each key candidate may be calculated. Further, by comparing the magnitudes of the pearson correlation coefficients contained in the respective pearson correlation coefficient vectors, a guess key can be obtained. For example, assume that the largest pearson correlation coefficient exists at the first pIn the pearson correlation coefficient vector corresponding to the key candidate, then the first key may be usedpThe key candidates are used as guess keys.
38 A) determining the security of the chip under side channel attacks based on whether the guess key and the correct key are identical.
After deriving the guess key, the security of the chip under side channel attacks may be determined based on whether the guess key and the correct key (which may be included in the test data, for example) are identical. For example, if the guess key is the same as the correct key, the chip may be considered to have insufficient capability of resisting side channel attacks under the power consumption data of the given scale (the power consumption data in the first period of time), or the security of the chip under the side channel attacks may not meet the requirements.
The detailed steps for determining the security of a chip under side channel attack using the CPA algorithm will be given later and will not be described in detail here.
According to the method of the embodiment, any algorithm of TVLA algorithm, KL divergence algorithm and CPA algorithm can be adopted to determine the security of the chip under the side channel attack, or two or more algorithms can be combined to determine the security of the chip under the side channel attack, so that the validity and the reliability of the obtained side channel security conclusion can be ensured.
In some embodiments, the method may further comprise: and generating a side channel security analysis report. The side channel security analysis report may include, for example: and determining whether the chip is safe under the side channel attack based on the side channel security analysis algorithm.
As an example, when the side channel security analysis algorithm employed includes multiple algorithms, the side channel security analysis report may include conclusions drawn from the respective algorithms. For example, when the adopted side channel security analysis algorithm comprises a TVLA algorithm, a KL divergence algorithm and a CPA algorithm, the conclusion about whether the chip is secure under the side channel attack or not, which is respectively obtained based on the TVLA algorithm, the KL divergence algorithm and the CPA algorithm, may be included in the side channel security analysis report. The conclusion may be, for example, "secure (i.e., the security of the chip under side channel attack meets the requirements)" or "unsafe (i.e., the security of the chip under side channel attack does not meet the requirements)".
As an example, when the adopted side channel security analysis algorithm includes a plurality of algorithms, the side channel security analysis report may further include: and (3) determining the comprehensive conclusion based on the conclusion drawn by each algorithm. For example, when the adopted side channel security analysis algorithm comprises a TVLA algorithm, a KL divergence algorithm and a CPA algorithm, if the TVLA algorithm, the KL divergence algorithm and the CPA algorithm all reach the conclusion that they are secure, the output is secure, otherwise the output is unsafe.
As an example, parameters used by the respective algorithms and some intermediate results obtained may also be included in the side channel security analysis report. For example, for a TVLA algorithm, at least one of the following may be included: TVLA calculationThe data size of the power consumption data (such as the number of the power consumption data) used by the method; dividing the power consumption data into two sets of dividing criteria; a first preset threshold; corresponding to each momentt_scoreThe method comprises the steps of carrying out a first treatment on the surface of the Corresponding to each momentt_scoreAnd comparing the result with a first preset threshold value. For the KL divergence algorithm, at least one of the following may be included: the data size of the power consumption data (such as the number of pieces of power consumption data) used by the KL divergence algorithm; dividing the power consumption data into two sets of dividing criteria; a second preset threshold; KL divergence corresponding to each moment; and comparing the KL divergence corresponding to each moment with a second preset threshold value. For the CPA algorithm, at least one of the following may be included: the size of the data amount of the power consumption data (such as the number of pieces of the power consumption data) used by the CPA algorithm; a correct key; guessing the key; the largest pearson correlation coefficient.
According to the method of the embodiment, the side channel safety analysis report can be generated based on the output result of the side channel safety analysis algorithm, so that a chip designer can repair a chip with side channel safety hidden danger in time based on the side channel safety analysis report.
In order to facilitate understanding of the embodiments of the present application, a possible implementation procedure of the method for determining side channel security provided by the embodiments of the present application is described below.
An embodiment of the present application provides a method for determining side channel security, as shown in fig. 3, where the method may include:
s301, inputting the chip layout 31, the test vector 32 and the SPEF file 33 into the time sequence signing module 301 to obtain a time sequence file 34.
In this step, the timing verification module 301 may perform timing verification on the chip by using a timing verification tool, for example, and the timing verification tool may generate the timing file 34 according to the input information.
Wherein, the chip layout 31 refers to: the gate-level netlist is integrated with a standard component library to form a complete chip circuit design file after layout and wiring treatment.
Test vector 32 may be determined, for example, by a specific implemented side channel security analysis algorithm. Test vector 32 may also be understood as a test case set according to the specific requirements of side channel security analysis, including data (e.g., keys) for configuring/setting the internal memory cells of the chip, and data (e.g., plaintext) for configuring/setting the inputs of the chip.
The SPEF document 33 is used to describe a resistance value, an inductance value, and a capacitance value in a chip circuit after layout wiring, and since a current loop of a chip is narrow and short, inductance of the chip is generally not considered, and thus parasitic parameters included in the SPEF document 33 are typically a resistance value and a capacitance value.
By way of example, one possible implementation procedure for timing signing a chip using a timing signing tool is described below.
The time sequence signing and checking tool is used for verifying the logic functions of static time sequence analysis, crosstalk delay, constraint consistency check and the like of the chip in the traditional chip signing and checking process. The scheme of the embodiment can generate the time sequence file 34 corresponding to the test vector 32 by means of the time sequence checking tool, the time sequence file 34 can be used as the input of the power consumption checking module 302, and then the power consumption checking module 302 generates the power consumption data 35 corresponding to the test vector 32.
In the process of timing signing, all timing paths in the synchronous circuit are analyzed to check whether timing violations exist, the process can calculate the delay condition of signal transmission on each timing path, and the generated timing file 34 can contain the following four delay data, for example:
delay data 1: IOPATH delay: the delay of the appointed unit, it calculates the load according to the output wire and conversion time of the input signal;
delay data 2: INTERCONNECT delay time: the point-to-point delay based on the path is the wire delay from the output pin of the driving unit to the input pin of the driven unit;
Delay data 3: results of SETUP timing check: the value of the set-up time required for each unit is given by the characteristic value in the process library;
delay data 4: results of HOLD timing check: the value comprising the hold time required for each cell is given by the eigenvalues in the process library.
Based on the delay data 1 to the delay data 4, the time sequence signing tool can infer the signal switching condition of each link in the chip circuit at each moment to obtain signal switching data, and the signal switching data can be contained in the time sequence file 34 to provide support for the power consumption signing module 302 to simulate the power consumption.
By way of example, the generating step of the timing file 34 may include, for example, the following steps 3011) to 3014):
3011 Building a design environment: establishing a search path and a link path, reading in a chip layout, a SPEF file and a library file, linking a top-level design, inputting a test vector, and establishing a connection load model, a port load, a drive and a transmission time.
3012 Declaration of timing constraints: clock period, waveform, and latency are defined to account for delays in the input and output ports (e.g., including IOPATH delays and INTERCONNECT delays).
3013 Declaring a timing exception: including multi-cycle paths, illegal paths. In some embodiments, maximum and minimum delays, path splitting, and failure arcs may also be declared.
3014 Performing a timing analysis and generating a correlation file: the SETUP timing check and HOLD timing check are performed, and the timing file 34 and the timing analysis report are generated based on the result check timing of the SETUP timing check and HOLD timing check.
S302, inputting the SPEF file 33 and the time sequence file 34 into the power consumption signing module 302 to obtain power consumption data 35.
In this step, the power consumption signing module 302 may use a power consumption signing tool to sign power consumption of the chip to obtain the power consumption data 35. For example, the power consumption signing tool may simulate to generate power consumption data 35 based on the SPEF file 33, the timing file 34, and related configuration information (e.g., related library files, vendor provided manufacturing process information, operating temperature, power supply voltage, etc.). For one-time power consumption signing, the generated power consumption data 35 may be represented as a time sequence, that is, the power consumption of the chip at the current moment is recorded according to the time sequence. The unit of power consumption is typically nanowatt (nW), and the time interval between adjacent recording moments is equal.
Illustratively, the Power consumption may be divided into leakage Power consumption, internal Power consumption, and switching Power consumption, i.e., total Power consumption (Total Power) =leakage Power consumption+internal Power consumption+switching Power consumption. The leakage power consumption is related to the characteristics of the process library of the element, is provided by a standard unit library and refers to the power consumption caused by leakage when the element is not switched; the internal power consumption is the sum of the power consumption caused by charge and discharge and the power consumption caused by short circuit inside the element; the switching power consumption refers to power consumption caused by charging and discharging of the load capacitor. The internal power consumption and the switching power consumption can be collectively referred to as dynamic power consumption, and the dynamic power consumption is usually generated when signals on the circuit are switched, so that the dynamic power consumption can be calculated based on signal switching data.
In this embodiment, the power consumption signing tool calculates the overall power consumption of the chip simulation circuit according to the signal switching data contained in the timing file 34, the resistance capacitance data of the circuit itself (provided by the SPEF file 33) and some related standard cell libraries, and finally generates a set time range [ start time, end time ]]The power consumption waveform (corresponding to the first period in the foregoing embodiment), i.e., the power consumption data required for the side channel security analysis. In some embodiments, a piece of power consumption data may also be expressed as:T={t_jthe starting time is less than or equal tojEnd time, whereint_jIs the firstjAnd simulating power consumption of the chip at the moment. As one implementation, the start time and the end time corresponding to each piece of power consumption data are the same.
As an example, the step of generating power consumption data using the power consumption signing tool may for example comprise the following steps 3021) to 3025):
3021 Setting the power consumption analysis mode of the power consumption signing tool to be a time-based power consumption analysis mode.
3022 Reading chip layout and related library files, including a composite current source (Composite Current Source, CCS) power consumption library file, a standard cell library, and a SPEF file 33.
3023 Setting operating conditions and parameters, typically including vendor provided manufacturing process information, operating temperature, and supply voltage.
2024 Reading in the timing file 34 obtains circuit switching activity data (i.e., the aforementioned signal switching data).
3025 Simulation and reporting of power consumption data.
It should be noted that, although the power consumption simulation based on the signing and verification can accurately simulate the power consumption of the chip, the time consumption may be long, so in the power consumption simulation stage (power consumption signing and verification stage), a distributed computing method may be adopted to improve the simulation efficiency. For example, the step of power consumption signing may be performed in parallel with multiple devices.
S303, inputting the power consumption data 35 and the test vector 32 into a side channel security analysis module 303 to obtain a side channel security analysis report 36.
In this step, the side channel security analysis module 303 may analyze the security of the chip under the side channel attack by using a side channel security analysis algorithm (such as TVLA analysis method, KL divergence analysis method, CPA analysis method) based on the input power consumption data 35 and the test vector 32, to obtain a side channel security analysis report 36.
For each test vector, via timing analysis (timing signing) and power consumption simulation (power consumption signing)XCan obtain the test vectorXCorresponding simulated power consumption dataT. Exemplary, if applicable, depending on the power consumption data, with the remaining settings remaining unchanged TAnalyzing to obtain test vectorXIs considered to be a side channel leakage. The side channel leakage brings potential safety hazard to the chip, so that the sensitive information of the user of the chip is illegally acquired.
S304, ending.
The side channel security analysis algorithm employed in the embodiments of the present application is described below.
As an example, this embodiment may use 3 algorithms to comprehensively evaluate the side channel security of the chip, namely TVLA algorithm, KL divergence algorithm, and CPA algorithm. The TVLA algorithm and the KL divergence algorithm analyze whether the chip has side channel leakage from a pure statistical angle, wherein the TVLA algorithm adopts a hypothesis test method, the T-test is used for analyzing whether the two subsets divided under a certain standard have distribution differences, and the KL divergence algorithm analyzes the difference sizes of the two subsets from the angle of information entropy. CPA is one of the most effective side channel attack methods at present, is also commonly used for side channel security analysis, and can evaluate the side channel attack resistance of a chip from the angle of attack practice so as to judge whether side channel leakage exists.
Table 1 shows the analysis steps and security evaluation criteria of TVLA algorithm, KL divergence algorithm, and CPA algorithm.
TABLE 1 analysis steps of TVLA algorithm, KL divergence algorithm and CPA algorithm and safety evaluation criteria
The unified preamble steps for executing the above 3 side channel security analysis algorithms are: for a set of test vectors differing only in plaintextXA corresponding set of power consumption data is generated. The test vector setXIncludednA test vector of (a)iThe test vectors are expressed asX_iData related to the chip memory unit and inputs, such as plaintext, key, etc., may be included in each test vector. In the test vector setXIn the method, all test vectors are different in plaintext only, and the plaintext can be obtained in a random generation mode. By usingk_cRepresenting the keys in the respective test vectors (i.e. the correct keys),x_irepresenting test vectorsX_iIn the plain text. Under the condition of keeping the rest settings unchanged, the chip signing and checking tools are respectively input with the chip signing and checking toolsnTest vectors, which can be obtained by simulationnForming a power consumption data set by using the power consumption dataTWherein the firstiThe bar power consumption data is expressed ast_it_iMiddle (f)jThe power consumption value at the moment is expressed ast_ij
The following describes the detailed steps of TVLA algorithm, KL-divergence algorithm, and CPA algorithm in the embodiments of the present application, respectively.
TVLA algorithm:
first, according to the plaintext in the test vector under binary systembWhether or not the bit is 1, the power consumption data is gatheredTDivided into two sets, respectively denoted asT_0 andT_1. for example, if the power consumption data t_iThe plaintext in the corresponding test vector is in binary systembBit 0, willt_iSplit into setsTIn_0, otherwiset_iSplit into setsT1. For [ start time, end time ]]Power consumption at each moment in range, pair aggregationT0 andTcarrying out t-test on the data in_1, and calculating to obtain t-statistics [ (]t_score)。
First, thejThe step of t-test of time of day may comprise the following steps a) to d):
a) SelectingTAll power consumption data in_0 setjThe power consumption values at the moment form a sample set 0, and the data volume of the sample set 0 is as followsn0, takeT1 st of all power consumption data in setjThe power consumption values at the moment form a sample set 1, and the data volume of the sample set 1 is as followsn_1;
b) For power consumption values in sample set 0t0_r(1≤rn0) calculating the mean valuemean0, as shown in equation (1):
(1);
for the power consumption values in sample set 1t1_s(1≤sn1) calculating the mean valuemean1, as shown in equation (2):
(2);
c) For power consumption values in sample set 0t0_r(1≤rn0) calculating variancevar0, as shown in equation (3):
(3);
for the power consumption values in sample set 1t1_s(1≤sn1) calculate variancevar1, as shown in equation (4):
(4);
d) Calculate the firstjT-statistics of time of dayt_scoreAs shown in formula (5):
(5);
the absolute value of the t-statistic represents the statistical difference between sample set 0 and sample set 1, with a larger absolute value representing a larger difference between the two sample sets. If the first is jThe absolute value of the t-statistic of time instant is greater than a preset threshold (e.g., the first preset threshold), then the set is consideredT0 and setT1 is at the firstjThere is a significant difference in the power consumption data at the time instant, and thus there is side channel leakage.
KL divergence algorithm:
the KL divergence algorithm can be prolonged to divide the power consumption data set in the TVLA algorithm, namelyTBinary in corresponding plaintextbThe value of the bits is divided intoT0 andT1. For [ start time, end time ]]Power consumption at each moment in range, pair aggregationT0 andTdata in_1 calculate KL divergence. The step of calculating the KL divergence may comprise the following steps e) to h):
e) SelectingTAll power consumption data in_0 setjThe power consumption values at the moment form a sample set 0, and the data volume of the sample set 0 is as followsn0, recording the maximum power consumption value asmax0, minimum value ofmin0; taking outT1 st of all power consumption data in setjThe power consumption values at the moment form a sample set 1, and the data volume of the sample set 1 is as followsn1, recording the maximum power consumption value asmax1, minimum value ofmin1, letmaxIs thatmax0 andmaxthe larger value in 1,minis thatmin0 andminsmaller value in 1.
f) Interval [min,max]Equally divided intohEqual parts, length of each partIs->Interval [minmax]Is divided into subintervals [minmin+/>),/>,…,/>,/>
g) The number of sample data values in each interval of the sample set 0 and the sample set 1 is counted, f_0(z) Indicating that the sample data in sample set 0 has the value ofzThe number of intervals divided byn_0,f_1(z) Indicating that the value of the sample data in the sample set 1 is at the firstzThe number of intervals divided byn1, obviously have,/>f_0(z) And (3) withf_1(z) May be used to approximate the probability distribution for sample set 0 and sample set 1, respectively.
h) Probability distribution for sample set 0PProbability distribution of 0 and sample set 1P1, calculateP1 to 1PKL divergence of 0, as shown in equation (6):
(6);
probability distributionP1 to 1PKL divergence of 0 is measured byP0 is approximatelyP1 reflects the difference of the two probability distributions, the larger the KL divergence, the larger the difference of the two. If the first isjWhen the KL divergence of the moment is larger than a preset threshold (such as the second preset threshold), the aggregation is consideredT0 and setT1 is at the firstjThere is a significant difference in the power consumption data at the time instant, and thus there is side channel leakage.
CPA algorithm:
CPA algorithm, in which the above-described power consumption data set can be used, evaluates the side channel security of a chip by whether or not a key can be successfully recovered under a given amount of power consumption dataTAn attempt is made to recover the key. The following describes the implementation steps of the CPA algorithm by taking an advanced encryption standard (Advanced Encryption Standard, AES) encryption chip as an example.
Inputs to the CPA algorithm include: plaintext in a test vector setx={x_1,x_2, …,xN, where x/uiRepresent the firsti(1≤in) Plaintext in the test vectors; power consumption data setT={{t_11,t_12, …,t_1m}, …, {t_n1,t_n2, …,t_nm}},t_ijRepresent the firstiPower consumption data corresponding to each test vectorj(1≤jm) Power consumption value at time. The output of the CPA algorithm includes: guessing a keyk_gAnd the largest pearson correlation coefficientmax_corr
The implementation steps of the CPA algorithm may include the following steps i) to k):
i) Re-partitioning a power consumption data set into time-dependent partitionsT={t1,t2, …,tm}, where the firstjIndividual vectorstj={t_1j,t_2j, …,t_nj};
j) Grouping all possible key values into a set of key candidates, for each key candidate in the set of key candidatesk_p(1≤pPPFor the total number of key candidates in the set of key candidates), the following steps j 1) to j 3) are performed:
j1 Based on a)k_pFor plaintext setClosing devicexEach plaintext in (a)x_iCalculating to obtain correspondingd_id_i=k_pExclusive ORx_ i
j2 Calculation of (c)d_iHamming weight of (v)HW_i. Because of 1-1%inTherefore, a vector can be obtainedHW={HW_1,HW_2, …,HW_n}。
The hamming weight of a number is the number of 1 in the binary representation of the number.
j3 Calculation of (c)HWAnd (3) withTEach vector of (3)tjPearson correlation coefficient of (c)c_jObtaining a vectorc_p={c_1,c_2, …,c_m}。
k) Comparing each key candidate valuek_pCorresponding pearson correlation coefficient vectorc_pSelecting the coefficient with the largest pearson correlation max_corrKey candidates of (2) as guess keysk_gAnd outputting.
For example, the maximum pearson correlation coefficientmax_corrExists in the pearson correlation coefficient vectorcIn 2, then, the key candidatek_2 is the guessing keyk_g
If the CPA algorithm outputs the guess keyk_gAnd if the CPA attack is the same as the correct key (namely the key set in the test vector), the CPA attack is considered to be successful, which means that the chip does not have enough capability of resisting the side channel attack under the power consumption data of the given scale and does not meet the requirement of the side channel security.
And integrating analysis results of the three side channel security analysis algorithms to finally form a side channel security analysis report of a chip. The report may include, for example, the parameters and analysis results of the three analysis items, and a comprehensive conclusion.
As an example, the side channel security analysis report of the chip may include, for example, the following:
analysis results and related parameters obtained by TVLA algorithm: size of power consumption datasetnDividing criteria for data sets (e.g. according to the first in binary form of plaintextbBit division), preset threshold of t-statistics, each time instantt-statistics, comparison results of the t-statistics at each moment and a preset threshold (for example, 0 indicates that the t-statistics are smaller than the preset threshold, 1 indicates that the t-statistics are larger than or equal to the preset threshold), and TVLA safety analysis conclusion (for example, if 1 exists in the comparison results, output is unsafe, otherwise, output is safe);
Analysis results and related parameters obtained by KL divergence algorithm: size of power consumption datasetnDividing criteria for data sets (e.g. according to the first in binary form of plaintextbBits are divided), a preset threshold value of KL divergence, KL divergence at each momentComparing the KL divergence of each moment with a preset threshold value (for example, 0 indicates that the KL divergence is smaller than the preset threshold value, 1 indicates that the KL divergence is larger than or equal to the preset threshold value), and outputting a safety analysis conclusion of the KL divergence (for example, if 1 exists in the comparison result, outputting unsafe, otherwise outputting safe);
analysis results and related parameters obtained by CPA algorithm: size of power consumption datasetnCorrect keyk_c(i.e., the key set in the test vector), guess the keyk_gMaximum pearson correlation coefficientmax_corrCPA security analysis conclusion (e.g., ifk_gEqual tok_cOutput unsafe, otherwise output safe);
comprehensive analysis results: for example, if the TVLA algorithm, KL divergence algorithm, and CPA algorithm all draw conclusions that are safe, then the output is safe, otherwise the output is unsafe.
The embodiment can simulate the power consumption condition of the chip in the pre-silicon stage based on the signing, so as to analyze and evaluate the side channel safety of the chip. The signing tool can perform high-accuracy simulation on chip power consumption, and can immediately deliver chips with potential safety hazards to designers for repair.
According to the method, the side channel safety evaluation is carried out on the chip before the silicon, so that the flexibility of repairing and adjusting the chip can be improved, and the time and money cost of repeatedly modifying the chip can be reduced. Meanwhile, the method adopts a circuit description file (chip layout) at the later stage of chip design and combines physical attribute information (such as capacitance resistance information) of the chip to perform time-based power consumption simulation, so that an accurate power consumption simulation result can be generated, and omission of contralateral channel leakage detection is reduced. In addition, the power consumption data obtained through simulation in the embodiment of the application does not need to carry out additional preprocessing such as alignment denoising, and the obtained power consumption data can be directly used for analysis, so that the influence on an evaluation result due to poor preprocessing effect is avoided.
The preferred embodiments of the present application have been described in detail above with reference to the accompanying drawings, but the present application is not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solution of the present application within the scope of the technical concept of the present application, and all the simple modifications belong to the protection scope of the present application. For example, the specific features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various possible combinations are not described further. As another example, any combination of the various embodiments of the present application may be made without departing from the spirit of the present application, which should also be regarded as the disclosure of the present application. For example, on the premise of no conflict, the embodiments described in the present application and/or technical features in the embodiments may be combined with any other embodiments in the prior art, and the technical solutions obtained after combination should also fall into the protection scope of the present application.
Based on the foregoing embodiments, the embodiments of the present application provide a corresponding apparatus for determining side channel security. The apparatus includes modules included, and sub-modules included by the modules may be implemented by a processor in a computer device having information processing capabilities; of course, the method can also be realized by a specific logic circuit; in practice, the processor may be a central processing unit (Central Processing Unit, CPU), microprocessor (Microprocessor Unit, MPU), digital signal processor (Digital Signal Processor, DSP) or field programmable gate array (FieldProgrammable Gate Array, FPGA), etc.
An embodiment of the present application provides an apparatus for determining side channel security, as shown in fig. 4, an apparatus 400 for determining side channel security (hereinafter referred to as apparatus 400) may include: an acquiring unit 401, configured to acquire circuit information of a chip and test data for signing the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment; a signing unit 402, configured to sign the chip based on the circuit information and the test data, to obtain power consumption data of the chip in a first period; a determining unit 403, configured to determine the security of the chip under the side channel attack based on the power consumption data and the test data.
In some embodiments, the circuit information further includes: resistance information and capacitance information; the signing unit 402 includes: the time sequence signing sub-unit is used for carrying out time sequence signing on the chip based on the circuit design information, the resistance information, the capacitance information and the test data to obtain signal switching data, wherein the signal switching data is used for representing the signal switching condition of the chip in a first time period; and the power consumption signing sub-unit is used for signing the power consumption of the chip based on the resistance information, the capacitance information and the signal switching data to obtain the power consumption data of the chip in the first time period.
In some embodiments, the timing signoff subunit is specifically configured to: based on the circuit design information, the resistance information, the capacitance information and the test data, performing time sequence checking on the chip to obtain delay data of the chip; determining signal switching data based on the delay data; wherein the delay data includes at least one of: input-output path delay, interconnect delay, setup time required for each cell of the chip, hold time required for each cell of the chip.
In some embodiments, the determining unit 403 is specifically configured to: based on the power consumption data and the test data, the security of the chip under the side channel attack is determined by adopting a side channel security analysis algorithm, wherein the side channel security analysis algorithm comprises at least one of the following: test vector leakage assessment algorithm, kurbak-leber divergence algorithm, and correlation energy analysis algorithm.
In some embodiments, the determining unit 403 is specifically configured to: dividing power consumption data into two sets based on plaintext data in test data under the condition that a side channel security analysis algorithm comprises a test vector leakage evaluation algorithm; determining the difference between the two sets by adopting a t-test algorithm; determining the security of the chip under the side channel attack based on the difference; dividing power consumption data into two sets based on plaintext data in test data under the condition that a side channel security analysis algorithm comprises a kurbaker-leibler divergence algorithm; determining a kurbak-leibler divergence between probability distributions of the two sets; the magnitude of the radix Yu Kuer barker-lebler divergence determines the security of the chip under side channel attack; under the condition that the side channel security analysis algorithm comprises a related energy analysis algorithm, a correct key is guessed based on plaintext data and power consumption data in test data to obtain a guessed key; the security of the chip under side channel attacks is determined based on whether the guess key and the correct key are identical.
In some embodiments, the apparatus 400 further comprises: a generating unit, configured to generate a side channel security analysis report, where the side channel security analysis report includes: and determining whether the chip is safe under the side channel attack based on the side channel security analysis algorithm.
In some embodiments, the test data comprises: at least one piece of plaintext data, and a key for encrypting the at least one piece of plaintext data.
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. In some embodiments, the functions or modules/units included in the apparatus provided by the embodiments of the present application may be used to perform the methods described in the foregoing method embodiments, and for technical details that are not disclosed in the embodiments of the apparatus of the present application, reference should be made to the description of the embodiments of the method of the present application.
It should be noted that, in the embodiment of the present application, if the method is implemented in the form of a software functional module, and sold or used as a separate product, the method may also be stored in a computer readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or some of contributing to the related art may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the application are not limited to any specific hardware, software, or firmware, or any combination of hardware, software, and firmware.
The embodiment of the application also provides equipment for determining the side channel security, which comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor realizes part or all of the steps in the method when executing the program.
The embodiment of the application also provides a chip. The chip comprises: and a processor for calling and running the computer program from the memory, so that the device on which the chip is mounted performs part or all of the steps of the above method.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs some or all of the steps of the above method. The computer readable storage medium may be transitory or non-transitory.
Embodiments of the present application also provide a computer program comprising computer readable code which, when run in a device, causes a processor in the device to perform some or all of the steps of the method described above.
Embodiments of the present application also provide a computer program product comprising a non-transitory computer-readable storage medium storing a computer program which, when read and executed by a computer, performs some or all of the steps of the above method. The computer program product may be realized in particular by means of hardware, software or a combination thereof. In some embodiments, the computer program product is embodied as a computer storage medium, in other embodiments the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), or the like.
It should be noted here that: the above description of various embodiments is intended to emphasize the differences between the various embodiments, the same or similar features being referred to each other. The above description of the apparatus, chip, storage medium, computer program and computer program product embodiments is similar to that of the method embodiments described above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus, chip, storage medium, computer program and computer program product of the present application, reference should be made to the description of the embodiments of the method of the present application.
An embodiment of the present application provides an apparatus for determining side channel security, as shown in fig. 5, where an apparatus 500 for determining side channel security (hereinafter referred to simply as apparatus 500) includes a processor 510, and the processor 510 may call and run a computer program from a memory to implement a method in the embodiment of the present application.
In some embodiments, as shown in fig. 5, device 500 may also include memory 520. Wherein the processor 510 may call and run a computer program from the memory 520 to implement the method in an embodiment of the application. Wherein the memory 520 may be a separate device from the processor 510 or may be integrated into the processor 510.
In some embodiments, as shown in fig. 5, the device 500 may further include a transceiver 530, and the processor 510 may control the transceiver 530 to communicate with other devices, and in particular, may transmit information or data to other devices, or receive information or data transmitted by other devices. Wherein the transceiver 530 may include a transmitter and a receiver. The transceiver 530 may further include antennas, the number of which may be one or more.
It should be appreciated that reference throughout this specification to "one embodiment," "an embodiment," or "some embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment," "in an embodiment," or "in some embodiments" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence number of each step/process described above does not mean that the execution sequence of each step/process should be determined by its functions and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of the units or modules is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
Alternatively, the above-described integrated units of the present application may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the related art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The foregoing is merely an embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application.

Claims (11)

1. A method of determining side channel security, the method comprising:
Acquiring circuit information of a chip and test data for signing and checking the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment;
signing and checking the chip based on the circuit information and the test data to obtain power consumption data of the chip in a first time period;
and determining the security of the chip under the side channel attack based on the power consumption data and the test data.
2. The method of claim 1, wherein the circuit information further comprises: resistance information and capacitance information;
the signing and checking the chip based on the circuit information and the test data to obtain the power consumption data of the chip in a first time period comprises the following steps:
based on the circuit design information, the resistance information, the capacitance information and the test data, performing time sequence checking on the chip to obtain signal switching data, wherein the signal switching data is used for representing the signal switching condition of the chip in the first time period;
and carrying out power consumption signing on the chip based on the resistance information, the capacitance information and the signal switching data to obtain the power consumption data of the chip in a first time period.
3. The method of claim 2, wherein the performing timing signing on the chip based on the circuit design information, the resistance information, the capacitance information, and the test data to obtain signal switching data comprises:
based on the circuit design information, the resistance information, the capacitance information and the test data, performing time sequence checking on the chip to obtain delay data of the chip;
determining the signal switching data based on the delay data;
wherein the delay data comprises at least one of:
input-output path delay, interconnect delay, setup time required for each unit of the chip, hold time required for each unit of the chip.
4. A method according to any one of claims 1 to 3, wherein said determining the security of the chip under side channel attacks based on the power consumption data and the test data comprises:
based on the power consumption data and the test data, determining the security of the chip under the side channel attack by adopting a side channel security analysis algorithm, wherein the side channel security analysis algorithm comprises at least one of the following:
Test vector leakage assessment algorithm, kurbak-leber divergence algorithm, and correlation energy analysis algorithm.
5. The method of claim 4, wherein the step of determining the position of the first electrode is performed,
the step of determining the security of the chip under the side channel attack by adopting the test vector leakage evaluation algorithm comprises the following steps:
dividing the power consumption data into two sets based on plaintext data in the test data;
determining a difference between the two sets using a t-test algorithm;
determining the security of the chip under side channel attack based on the magnitude of the difference;
the step of determining the security of the chip under side channel attack by adopting the kurbak-lebur divergence algorithm comprises the following steps:
dividing the power consumption data into two sets based on plaintext data in the test data;
determining a kurbak-leber divergence between probability distributions of the two sets;
determining the security of the chip under side channel attack based on the magnitude of the kurbak-lebur divergence;
the step of determining the security of the chip under side channel attack by adopting the correlation energy analysis algorithm comprises the following steps:
guessing a correct key based on plaintext data in the test data and the power consumption data to obtain a guessed key;
The security of the chip under side channel attack is determined based on whether the guess key and the correct key are the same.
6. The method according to claim 4, wherein the method further comprises:
generating a side channel security analysis report, the side channel security analysis report comprising:
and determining whether the chip is safe under the side channel attack or not based on the side channel security analysis algorithm.
7. A method according to any one of claim 1 to 3, wherein,
the test data includes: at least one piece of plaintext data, and a key for encrypting the at least one piece of plaintext data.
8. An apparatus for determining side channel security, the apparatus comprising:
the device comprises an acquisition unit, a verification unit and a verification unit, wherein the acquisition unit is used for acquiring circuit information of a chip and testing data for signing the chip; wherein the circuit information includes: the gate-level netlist is integrated with a standard element library to form complete circuit design information after layout and wiring treatment;
the signing and checking unit is used for signing and checking the chip based on the circuit information and the test data to obtain the power consumption data of the chip in a first time period;
And the determining unit is used for determining the security of the chip under the side channel attack based on the power consumption data and the test data.
9. An apparatus for determining side channel security, the apparatus comprising:
a memory for storing computer executable instructions;
a processor, coupled to the memory, for implementing the method of any one of claims 1 to 7 by executing the computer-executable instructions.
10. A chip, the chip comprising:
a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any one of claims 1 to 7.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by at least one processor, implements the method of any one of claims 1 to 7.
CN202311431271.8A 2023-10-31 2023-10-31 Method, apparatus, device, chip and storage medium for determining side channel security Active CN117155540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311431271.8A CN117155540B (en) 2023-10-31 2023-10-31 Method, apparatus, device, chip and storage medium for determining side channel security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311431271.8A CN117155540B (en) 2023-10-31 2023-10-31 Method, apparatus, device, chip and storage medium for determining side channel security

Publications (2)

Publication Number Publication Date
CN117155540A true CN117155540A (en) 2023-12-01
CN117155540B CN117155540B (en) 2024-07-05

Family

ID=88910548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311431271.8A Active CN117155540B (en) 2023-10-31 2023-10-31 Method, apparatus, device, chip and storage medium for determining side channel security

Country Status (1)

Country Link
CN (1) CN117155540B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532973A (en) * 2013-10-25 2014-01-22 东南大学 Differential power attack testing method for DES (data encryption standard) algorithm circuit
CN103530474A (en) * 2013-10-25 2014-01-22 东南大学 AES (advanced encryption standard) algorithm circuit oriented method for testing differential power attack
CN103812642A (en) * 2014-01-24 2014-05-21 天津大学 Security detection method for design of cryptographic algorithm hardware
CN106817215A (en) * 2016-12-07 2017-06-09 清华大学 Supply network verification method on a kind of piece for bypass attack
CN112232006A (en) * 2020-10-26 2021-01-15 海光信息技术股份有限公司 Standard cell library verification method and device, electronic equipment and storage medium
CN112287626A (en) * 2020-10-26 2021-01-29 浙江大学 Method for fitting power consumption change waveform of chip logic gate by switch current model based on static time sequence information
CN116842883A (en) * 2023-07-06 2023-10-03 平头哥(上海)半导体技术有限公司 Power consumption analysis method and device, electronic equipment and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532973A (en) * 2013-10-25 2014-01-22 东南大学 Differential power attack testing method for DES (data encryption standard) algorithm circuit
CN103530474A (en) * 2013-10-25 2014-01-22 东南大学 AES (advanced encryption standard) algorithm circuit oriented method for testing differential power attack
CN103812642A (en) * 2014-01-24 2014-05-21 天津大学 Security detection method for design of cryptographic algorithm hardware
CN106817215A (en) * 2016-12-07 2017-06-09 清华大学 Supply network verification method on a kind of piece for bypass attack
CN112232006A (en) * 2020-10-26 2021-01-15 海光信息技术股份有限公司 Standard cell library verification method and device, electronic equipment and storage medium
CN112287626A (en) * 2020-10-26 2021-01-29 浙江大学 Method for fitting power consumption change waveform of chip logic gate by switch current model based on static time sequence information
CN116842883A (en) * 2023-07-06 2023-10-03 平头哥(上海)半导体技术有限公司 Power consumption analysis method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN117155540B (en) 2024-07-05

Similar Documents

Publication Publication Date Title
Buhan et al. Sok: Design tools for side-channel-aware implementations
US8850608B2 (en) Embedded ring oscillator network for integrated circuit security and threat detection
Kumar et al. Efficient simulation of EM side-channel attack resilience
Macé et al. Information theoretic evaluation of side-channel resistant logic styles
Li et al. A survey of hardware trojan detection, diagnosis and prevention
Burchard et al. Autofault: towards automatic construction of algebraic fault attacks
Leveugle A new approach for early dependability evaluation based on formal property checking and controlled mutations
CN108052838B (en) Leakage positioning system and method for chip encryption design
WO2006006198A1 (en) Electric power calculating apparatus, electric power calculating method, tamper resistance evaluating apparatus, and tamper resistance evaluating method
Ma et al. EMSim: A Fast Layout Level Electromagnetic Emanation Simulation Framework for High Accuracy Pre-Silicon Verification
Shekarian et al. Neutralizing a design-for-hardware-trust technique
Kiaei et al. Gate-level side-channel leakage assessment with architecture correlation analysis
Yao et al. Pre-silicon architecture correlation analysis (PACA): Identifying and mitigating the source of side-channel leakage at gate-level
CN117155540B (en) Method, apparatus, device, chip and storage medium for determining side channel security
Aigner et al. Side channel analysis resistant design flow
Li et al. Hardware Trojan detection acceleration based on word-level statistical properties management
Yao et al. Verification of power-based side-channel leakage through simulation
Maruthi et al. Hardware trojan detection using power signal foot prints in frequency domain
US11520960B1 (en) Register transfer level based side channel leakage assessment
Rao et al. Post-layout estimation of side-channel power supply signatures
Kiaei et al. Gate-Level Side-Channel Leakage Ranking with Architecture Correlation Analysis
CN106503549B (en) Quickly generate the method for electromagnetism side channel time domain simulation waveform
Dehbaoui et al. Enhancing electromagnetic analysis using magnitude squared incoherence
Nešković et al. SystemC model of power side-channel attacks against ai accelerators: Superstition or not?
CN109740214B (en) Method and device for constructing turnover counting model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant