contents | 1-overview | 2-background | 3-results summary | 4-results details | 5-deliverables | 6-dissemination | 7-conclusions

2          Background

2.1        Self-timed logic

For over three decades, people have been building processors with a central clock. Research in the 1950's indicated that clocked designs were smaller when implemented using the technology of the day; a clock acts as a global synchroniser so that the data marches through the circuits to the beat of its drum. This is possible where wire delays are less significant than logic delays, so that the clock appears almost instantaneously everywhere on the chip. As we move to the new era of deep sub-micron CMOS with extremely high clock rates, this basic premise no longer holds true.

The predicted massive changes in implementation technology have prompted researchers around the world to re-evaluate and improve upon the self-timed circuit work of the 50’s. Recently, a self-timed version of the ARM – the Amulet – has been produced which delivers better MIPS per milliwatt than its synchronous equivalent. A self-timed version of the ARM CPU has been under development for a number of years and is on the verge of its first commercial exploitation in a telecommunications application. It employs a modular approach, based around a self-timed on-chip bus, and the asynchronous subsystem can readily be reconfigured for smart card applications.

A number of studies and investigations have been performed in the past  years on the MIPS architecture by Copenhagen University , University of California on self timed versions of these architectures .

In small processors, asynchronous design can also bring definite benefits. Self-timed variants of the XAP processor, a 16-bit processor for use in embedded applications, have the benefits of very low power (power consumption is data driven rather than clock driven), arithmetic fast enough for simple public key cryptography (a 16×16 multiply and 32/16 divide both take ~0.5µs on the self-timed version) and very low levels of radio frequency interference (the lack of a clock means that the stray RF is spread-spectrum).

The study of such processors has led to the realisation that they may offer further substantial advantages to the smart card designer.

Firstly, they remain operational over a wide voltage and temperature range, independently of an external clock, and this together with the spread spectrum nature of the emitted RF and the non-deterministic nature of program execution timing gives a high level of intrinsic protection against power attacks – both active and passive. This protection may be further enhanced at essentially no cost by using dual-rail[1] encoding techniques and by deliberately adding extra non-deterministic elements to the circuit.

Secondly, a significant limitation of clocked smart cards is the standard external clock frequency of 3.57 MHz. Although this is multiplied up by phase locked loops, this makes them more vulnerable to signal injection. It also means that performance is limited, as high ratio Phase Locked Loops (PLL) are not very stable. Computation performance is tied to the clock (or a multiple of it), with techniques to switch clock rates during cryptographic operations. However, a self-timed Central Processing Unit (CPU) can process the available data at whatever speed it can, and use the externally supplied clock only for Input/Output (I/O) control. This means, for example, that one could build a small, simple crypto coprocessor, which performs modular exponentiations by doing shift and add at high speed; a fully self-timed design should have the intrinsic ability to do public key cryptography.

Thirdly, the characteristics of self-timed circuits enable us to make them sensitive to changes in capacitance, resistance etc where we want to, and insensitive where we do not. This means that we can build in alarm mechanisms against probing in places where it would be a threat, such as register buffers, while reducing the rate of false alarms from normal environmental fluctuations. (These have been a significant problem with conventional smart cards; for example, low-clock-frequency detectors may be triggered by clock fluctuations as the card is first inserted into the reader.) Furthermore, the mechanisms used in self-timed logic can be extended to propagate alarm messages through a computation at very little extra cost. The effect is that the circuitry can be made intrinsically tamper-sensitive.

There will no doubt be other opportunities (and problems) discovered as work progresses. However, by bringing together the top self-timed logic teams with the top chip security teams, we intend to be the first into the field, make the important discoveries, and understand the technology several years in advance of everyone else – including not just industrial competitors but also attackers.

2.2        Attack technologies

First generation smart cards could be defeated simply by techniques such as reading out bus line signals using microprobes. Second generation devices are significantly more difficult to probe – they have physical security features providing some protection against probing.

Attack technology has progressed and second generation devices are now vulnerable:

1.      The development of the focused ion beam workstation (FIB) means that top metal layer defences can be defeated. Once rare, FIBs are now commonr[2], as an essential tool for researchers in nano-technology and preparing samples for electron microscopy.

2.      The development of power, and differential power, analysis has enabled severe attacks on all of the currently available smart card processors. Each bit change on the bus of a smart card chip typically causes an extra 300µA of current, a measurable amount, to be drawn from the supply. If implementation details of the card software are known, this can provide a direct attack by enabling the values of keys and other secrets to be read out.

Thus the level of protection which second generation smart cards offer against capable, motivated opponents is falling fast, and the number of people with access to the relevant attack tools and know-how is rising rapidly. Finally, the protection mechanisms that have been added to smart cards to date have been added piecemeal. As a result, the attack community has also evolved, step by step.

2.3        Societal needs

A number of important European projects depend on the security of smart cards. Two examples are the proposed directive on digital signatures, and the recent change in the regulations for the tachographs used to record heavy vehicle drivers’ hours

The first requires secure devices for the creation of digital signatures in order to promote trust in electronic commerce and online government. For the second, tachographs are due to move from paper recording charts to smart cards as soon as sufficiently secure smart cards can be manufactured. There are many other applications, particularly as multi-application smart cards start to become necessary e.g. for 3G mobile telephony/commerce.

A prerequisite for many of these applications is a device which is tamper-evident, i.e., on which the only feasible attacks involve its physical penetration with probing equipment. Current smart cards are not tamper-evident because of the ease with which non-invasive attacks can be carried out. They are therefore not suitable in their current form for many applications, ranging from electronic signature creation devices to drivers' cards for heavy goods vehicles. Other applications, such as health cards, may be held up by the general lack of trust in smart card security. The development of smart cards which are demonstrably tamper-evident is thus of enormous importance to the European Community's broader objectives.

The results of the project are expected to improve the non-invasive tamper resistance of smart cards.


[1] The key aim of dual-rail is to encode data validity with the value, so you need to encode {0, 1, invalid}. As this is more than two values it needs more than one wire. The sequence on the wire pair always alternates a value with invalid, such as 0n1n1n0n0n1n0n... (n=invalid) so the receiver can clearly see the transmitted symbols 0110010. On a single wire this would be indistinguishable from 01010 as there is no clock to define where one ‘1’ ends and the next starts.

[2] There are bureaux, which rent FIB time for a few hundred € per hour.

contents | 1-overview | 2-background | 3-results summary | 4-results details | 5-deliverables | 6-dissemination | 7-conclusions