1 Project Overview

The goal of the G3card project is to explore the suitability of asynchronous logic in Smart Card processors as a means of increasing their robustness to attacks.

Asynchronous logic dates back to the early computers. Their component and other tolerances were not tightly controlled – circuits were built from discrete components, some of which were individually made. Means of detecting the completion of computations had to be provided. Eventually, a `synchronous’ design style emerged using clocks to take all the worst case tolerances into account.. A few specialised asynchronous components remained, e.g. in communications, with buffers and synchronisers used to join the outside world to the clock-driven circuits. Recently, though, there has been a resurgence of interest in asynchronous circuits, as they have a number of virtues (such as low power and low RF emissions) that make them attractive in specific applications. Also, as feature sizes decrease into the deep submicron and transistor counts in ASICs climb past the million mark, the proportion of an ASIC given over to clock distribution and synchronisation increases alarmingly.

Smart cards and other single-chip security processors were considered to be subject to two basic types of attack – invasive, where physical manipulation of the chip e.g. by drilling holes using a focused ion beam and attaching probes to get extra access to internal signals, and non-invasive, where there is no physical tampering but internal secrets may be deduced by monitoring the power consumed by the device or the time it takes to complete a transaction.

The project aimed to improve the resistance of security processors to non-invasive attacks. One observation was many methods of attack used the chip’s clock to provide a reference for attacking the card. Removing the clock should make attacks harder. In addition, one asynchronous design style involves `dual-rail’ logic, in which the logic is balanced; each bit is signalled on a pair of wires with (for example) HL meaning `0’ and LH meaning `1’. In theory, such circuits can be built so that the correlation between the power consumed and the data being processed is zero.

In addition, some attacks involve inducing transient faults in the target device by causing a particular component to fail, for example by inserting transients into the clock or power signals. Using dual-rail logic, it is possible to use the HH state as an alarm signal, and arrange matters so that the failure of a single transistor will result in a reset or safe deadlock. It should thus be possible to design out another large class of potential attacks.

To test this principle, the project set out to build several different asynchronous processors, in order to gather knowledge and experience in an area where there is at present none.

The test processors are versions of existing processors, so that comparisons can be made:

1. XAP – a simpler 16 bit processor currently used for cheaper and lower performance and power applications such as pagers.

2. SmartMIPS – a 32 bit processor jointly designed by MIPS Technologies and Gemplus for smarcard applications. (Only some key blocks will be implemented in asynchronous technology.)

3. ARM – this is the market leading general purpose 32 bit processor which is widely licensed for applications such as mobile phones and set-top boxes.

Until now, the countermeasures used to defend against both invasive and non-invasive attacks have been ad-hoc, employing a variety of hardware and software tricks of ever-increasing complexity. These not only make maintenance and further development of smartcard products expensive, they also impose a significant cost in both silicon area and software performance, and are vulnerable to new twists on the established attack techniques.

The project started from a belief that the time had come for a different approach – taking a whole systems approach. Much of the software countermeasures implemented today might be avoidable, or at least considerably reduced, if the hardware was intrinsically more difficult to attack. Since a major part of a smartcard’s code consists of software countermeasures to non-invasive attacks, and this is in ROM, this can be traded off against the extra silicon area for hardware countermeasures.

In addition to developing more secure variants of the three chips mentioned above, the project also has two people working on developing new types of attack. In addition to the existing invasive and non-invasive attack techniques, they have developed a new, `semi-invasive’ attack technology which greatly increases the competitive advantage enjoyed by the protective technologies we have created.

Finally, we took a new look at how hardware countermeasures could be used by an operating system, and especially how to allow multiple programs to run safely without being able to interfere with each other. To complement this, we have also looked at a typical demanding algorithm for key generation and looked at what techniques can be applied here to reduce emissions and opportunities for “cracking”.