1 Introduction
1.1 Contribution
1.2 Outline
2 Memory encryption and authentication
2.1 Threat model and requirements
2.2 Memory encryption
2.3 Memory authentication
3 Side-channel attacks
3.1 Simple power analysis
3.2 Differential power analysis
3.3 Profiled attacks
3.4 DPA countermeasures
3.4.1 Masking
3.4.2 Frequent re-keying
4 Re-keying for memory encryption
4.1 The re-keying operation
4.2 Re-keying and plaintext confidentiality
4.2.1 Unknown plaintext template attacks
5 DPA-secure memory encryption and authentication
5.1 Construction
5.1.1 Read operation
5.1.2 Write operation
5.2 Authenticity
5.2.1 Handling corruption
5.2.2 Recovering from corruption
5.3 Side-channel discussion
5.3.1 Passive attacks
5.3.2 Passive attacks and memory tampering
5.3.3 Passive attacks, memory tampering and restarts
6 Higher-order DPA security
6.1 Concept
6.2 Masking details
6.3 Side-channel discussion
6.4 Implementation aspects
7 Instantiation
7.1 Meas-v1
7.2 Meas-v2
8 Implementation
8.1 Platform
8.2 Memory layout
8.3 Address translation
8.4 MEAS pipeline
8.4.1 Data flow
CPU Address Port
. The Request Modifier
then splits and aligns the request according to the block size of the data (leaf) nodes. It further issues the respective key load requests within intermediate tree nodes. The Memory Reader
fetches the required (encrypted) data from the main memory via the Memory Read Port
. The Key Injector
then inserts the key to be used for decryption into the data stream fetched from memory. This key might either be a root key stored in the Secure Root
, or be the result of a previous key load request that is obtained by the Key Processing
module. The Decryption
module performs the actual decryption procedure according to our instances in Sect. 7.Key Processing Module
. For read requests, the decrypted data is filtered according to the original CPU request by the Data Filter
and returned to the CPU via the CPU Read Port
by the Read Responder
. To correctly handle CPU read requests with wrapping burst functionality, the Wrap Burst Cache
performs a re-ordering of the decrypted data if necessary. For write requests, the Data Modifier
modifies the decrypted data according to the data received from the CPU via the CPU Write Port
. This is where the actual read–modify–write procedure takes place. The modified data is encrypted again using the Encryption
module and written to the main memory via the Memory Write Port
by the Memory Writer
.Secure Root
can implement an arbitrary number of roots to support multiple parallel trees in memory. Multiple roots effectively reduce both the tree height and the memory overhead in case more secure memory is available on the secure chip. To further improve the performance of read requests, the Meas pipeline incorporates a Key Cache
for faster key retrieval within the tree. For this purpose, the Cache Fetcher
queries the cache for the key requested in a key load request. On a hit, the key load request is dropped and the key forwarded. Otherwise, the key load request is forwarded without modification. The Key Cache
is filled using the Cache Writer
, which receives the keys to be stored in the cache from the Key Processing
module.8.4.2 Re-keying
Secure Root
for the root keys themselves, and in the Key Processing
module for non-root keys stored within the tree. In particular, besides filtering out the decryption keys from the decrypted data in key load requests, the Key Processing
updates the respective keys during write requests. The new key is generated by the pseudo-random number generator PRNG
. This PRNG
uses a Keccak[400] instance that is initialized with a random secret and that securely sequeezes a secret, pseudo-random stream. The freshly generated keys are provided to the Data Modifier
to update the keys in the respective write requests and for encryption.Auth. | Conf. | DPA security | Parallelizable | Memory overhead | ||
---|---|---|---|---|---|---|
Read | Write | |||||
Meas
|
\(\checkmark \)
|
\(\checkmark \)
|
\(\checkmark \)
|
\(\frac{a}{a-1} \cdot \frac{s_{key}}{s_b} + \frac{s_{tag}}{s_b}\)
| ||
PAT |
\(\checkmark \)
|
\(\checkmark \)
|
\(\checkmark \)
|
\(\frac{a}{a-1} \cdot \frac{s_{tag}+s_{nonce}}{s_b}\)
| ||
TEC tree |
\(\checkmark \)
|
\(\checkmark \)
|
\(\checkmark \)
|
\(\checkmark \)
|
\(\frac{a}{a-1} \cdot \frac{s_{tag}+s_{nonce}}{s_b}\)
| |
Merkle tree |
\(\checkmark \)
|
\(\checkmark \)
|
\(\checkmark \)
|
\( \frac{a}{a-1} \cdot \frac{s_{hash}}{s_b}\)
|