EPSRC have awarded our cryptography group over £800,000 to investigate a novel secure processor architecture. The project involves working with a number of leading companies in the area, including AIST, Cryptography Research Inc, SiVenture and XMOS Ltd. The project will be led by Dr Dan Page, with his co-applicants Dr Elisabeth Oswald and Prof. Nigel Smart. Many of the topics researched in this project are taught in our undergraduate and MSc programmes. This is a feature of a research-led university like Bristol, where teaching and research are closely linked.
Side-channel attacks are a genre of physical attack based on the assumption that one can passively observe an algorithm being executed by some hardware device, and infer details about the internal state of the computation from the features that occur. A typical side-channel attack consists of a collection phase, which provides the attacker with profiles of execution, and an analysis phase, which recovers otherwise secret information from the profiles. Focusing on power- and EM-based attacks in particular, countermeasures against side-channel attack are increasingly well understood on a case-by-case basis; at a high level they can be classified as either hiding (breaking the link between execution and profiles) or masking (breaking the link between execution and algorithm). Hiding-style countermeasures typically attempt to make each profile either constant for all secrets or entirely random; in both cases the premise is that a profile can no longer be correlated with the secret information.
There are a number of approaches to implementing these sorts of countermeasure. At the highest level, one can consider alternative algorithms (or implementation approaches) that realise hiding or masking in software. On one hand this approach is very algorithm-specific and can imply a significant performance penalty; on the other hand, no alterations are required to the hardware on which the software executes. At the lowest level, one can consider using so-called secure logic styles; the basic idea is to replace CMOS cell libraries with alternatives which, for example, consume a constant amount of power regardless of the result they compute. The major disadvantage of this approach is the resulting overhead in terms of area; the major advantage is that the approach is largely algorithm-agnostic, i.e. it is a general solution which can be applied automatically.
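To make the masking idea from the two paragraphs above concrete, the following is an added illustration (it is not code from the project or the Bristol group) of the software-level countermeasure: a first-order Boolean masking of a 4-bit S-box lookup, evaluated under a constructed leakage model. The leakage model (Hamming weight of the value on the wire plus Gaussian noise), the use of the PRESENT S-box as a small non-linear lookup, the sample counts and the seed are all assumptions made for the example. The check at the end is a defender's leakage assessment: it groups simulated traces by the secret-dependent intermediate and measures how far the class means drift apart, which is exactly the correlation between profile and secret that masking is meant to destroy.

```python
import random
from statistics import mean

# PRESENT 4-bit S-box, used here only as a small non-linear lookup (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    return bin(v).count("1")


def leak(wire_value, rng, noise_sd=0.5):
    """Constructed leakage model: Hamming weight of the value on the wire plus noise."""
    return hamming_weight(wire_value) + rng.gauss(0.0, noise_sd)


def unmasked_round(p, k, rng):
    """Unprotected implementation: the device computes, and therefore leaks, S(p ^ k)."""
    v = SBOX[p ^ k]
    return v, leak(v, rng)


def masked_round(p, k, rng):
    """First-order Boolean masking in software.

    Every intermediate is XORed with a fresh random mask, so the value that
    actually appears on the wire is uniformly distributed whatever the secret is.
    Only the masked S-box output wire is modelled here; table recomputation is
    assumed to leak nothing secret-dependent (each entry is itself masked).
    """
    m_in = rng.randrange(16)
    m_out = rng.randrange(16)
    # Masked table satisfying  masked_sbox[x ^ m_in] == SBOX[x] ^ m_out  for all x.
    masked_sbox = [SBOX[j ^ m_in] ^ m_out for j in range(16)]
    masked_in = p ^ k ^ m_in            # the secret-dependent value never appears unmasked
    masked_out = masked_sbox[masked_in]
    true_v = masked_out ^ m_out         # the value this represents (never on the wire)
    return true_v, leak(masked_out, rng)


def class_mean_spread(round_fn, samples=8000, seed=1):
    """Leakage assessment: bucket traces by the true intermediate S(p ^ k) and
    return max(class mean) - min(class mean).

    A large spread means the profile is correlated with the secret; a spread
    near zero means the first-order profile carries no information about it.
    """
    rng = random.Random(seed)
    k = rng.randrange(16)                      # fixed secret key nibble
    buckets = {v: [] for v in range(16)}
    for _ in range(samples):
        p = rng.randrange(16)                  # known, random plaintext nibble
        v, l = round_fn(p, k, rng)
        buckets[v].append(l)
    means = [mean(b) for b in buckets.values() if b]
    return max(means) - min(means)


if __name__ == "__main__":
    print("unmasked spread of class means:", round(class_mean_spread(unmasked_round), 2))
    print("masked   spread of class means:", round(class_mean_spread(masked_round), 2))
```

For the unmasked implementation the class means track the Hamming weight of the intermediate (0 to 4), so the spread is close to 4; for the masked one every class sees a uniformly random wire value and the means collapse to about 2, with the residual spread being sampling noise. A hiding-style countermeasure would instead change the `leak` function itself, making the profile constant or random rather than changing what is computed, which is why the two families are complementary.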
The research programme within this proposal aims, in a sense, to adopt an approach between these two extremes. The crux of the research is the alteration of a general purpose processor so that countermeasures against side-channel attack are implemented at the micro-architectural level. The processor will retain the same Instruction Set Architecture (ISA) and hence the same functional characteristics, but the behavioural characteristics will prevent leakage of information via, for example, power analysis. Our focus is on aspects of the micro-architecture which can be randomised in some way. We suggest that this approach will afford a level of flexibility and "algorithm agility" representing an attractive trade-off between security and other metrics. Specifically, it permits high-level algorithmic countermeasures to be automatically supported by the hardened processor platform (meshing with the ideal of tiered countermeasures rather than a single panacea), while largely avoiding the overhead and sensitivity to underlying process technolog