A generic framework for context-sensitive analysis of modular programs

Context-sensitive analysis provides information which is potentially more accurate than that provided by context-free analysis. Such information can then be applied in order to validate/debug the program and/or to specialize the program obtaining important improvements. Unfortunately, context-sensitive analysis of modular programs poses important theoretical and practical problems. One solution, used in several proposals, is to resort to context-free analysis. Other proposals do address context-sensitive analysis, but are only applicable when the description domain used satisfies rather restrictive properties. In this paper, we arg��e that a general framework for context-sensitive analysis of modular programs, Le., one that allows using all the domains which have proved useful in practice in the non-modular setting, is indeed feasible and very useful. Driven by our experience in the design and implementation of analysis and specialization techniques in the context of CiaoPP, the Ciao system preprocessor, in this paper we discuss a number of design goals for context-sensitive analysis of modular programs as well as the problems which arise in trying to meet these goals. We also provide a high-level description of a framework for analysis of modular programs which does substantially meet these objectives. This framework is generic in that it can be instantiated in different ways in order to adapt to different contexts. Finally, the behavior of the different instantiations w.r.t. the design goals that motivate our work is also discussed.

Side-Channel Attack Protection Techniques in FPGA Systems using Enhanced Dual-Rail Solutions

Esta tesis doctoral se centra principalmente en t��cnicas de ataque y contramedidas relacionadas con ataques de canal lateral (SCA por sus siglas en ingl��s), que han sido propuestas dentro del campo de investigaci��n acad��mica desde hace 17 a��os. Las investigaciones relacionadas han experimentado un notable crecimiento en las ��ltimas d��cadas, mientras que los dise��os enfocados en la protecci��n s��lida y eficaz contra dichos ataques a��n se mantienen como un tema de investigaci��n abierto, en el que se necesitan iniciativas m��s confiables para la protecci��n de la informaci��n persona de empresa y de datos nacionales. El primer uso documentado de codificaci��n secreta se remonta a alrededor de 1700 B.C., cuando los jerogl��ficos del antiguo Egipto eran descritos en las inscripciones. La seguridad de la informaci��n siempre ha supuesto un factor clave en la transmisi��n de datos relacionados con inteligencia diplom��tica o militar. Debido a la evoluci��n r��pida de las t��cnicas modernas de comunicaci��n, soluciones de cifrado se incorporaron por primera vez para garantizar la seguridad, integridad y confidencialidad de los contextos de transmisi��n a trav��s de cables sin seguridad o medios inal��mbricos. Debido a las restricciones de potencia de c��lculo antes de la era del ordenador, la t��cnica de cifrado simple era un m��todo m��s que suficiente para ocultar la informaci��n. Sin embargo, algunas vulnerabilidades algor��tmicas pueden ser explotadas para restaurar la regla de codificaci��n sin mucho esfuerzo. Esto ha motivado nuevas investigaciones en el ��rea de la criptograf��a, con el fin de proteger el sistema de informaci��n ante sofisticados algoritmos. Con la invenci��n de los ordenadores se ha acelerado en gran medida la implementaci��n de criptograf��a segura, que ofrece resistencia eficiente encaminada a obtener mayores capacidades de computaci��n altamente reforzadas. Igualmente, sofisticados cripto-an��lisis han impulsado las tecnolog��as de computaci��n. Hoy en d��a, el mundo de la informaci��n ha estado involucrado con el campo de la criptograf��a, enfocada a proteger cualquier campo a trav��s de diversas soluciones de cifrado. Estos enfoques se han fortalecido debido a la unificaci��n optimizada de teor��as matem��ticas modernas y pr��cticas eficaces de hardware, siendo posible su implementaci��n en varias plataformas (microprocesador, ASIC, FPGA, etc.). Las necesidades y requisitos de seguridad en la industria son las principales m��tricas de conducci��n en el dise��o electr��nico, con el objetivo de promover la fabricaci��n de productos de gran alcance sin sacrificar la seguridad de los clientes. Sin embargo, una vulnerabilidad en la implementaci��n pr��ctica encontrada por el Prof. Paul Kocher, et al en 1996 implica que un circuito digital es inherentemente vulnerable a un ataque no convencional, lo cual fue nombrado posteriormente como ataque de canal lateral, debido a su fuente de an��lisis. Sin embargo, algunas cr��ticas sobre los algoritmos criptogr��ficos te��ricamente seguros surgieron casi inmediatamente despu��s de este descubrimiento. En este sentido, los circuitos digitales consisten t��picamente en un gran n��mero de celdas l��gicas fundamentales (como MOS - Metal Oxide Semiconductor), construido sobre un sustrato de silicio durante la fabricaci��n. La l��gica de los circuitos se realiza en funci��n de las innumerables conmutaciones de estas c��lulas. Este mecanismo provoca inevitablemente cierta emanaci��n f��sica especial que puede ser medida y correlacionada con el comportamiento interno del circuito. SCA se puede utilizar para revelar datos confidenciales (por ejemplo, la criptograf��a de claves), analizar la arquitectura l��gica, el tiempo e incluso inyectar fallos malintencionados a los circuitos que se implementan en sistemas embebidos, como FPGAs, ASICs, o tarjetas inteligentes. Mediante el uso de la comparaci��n de correlaci��n entre la cantidad de fuga estimada y las fugas medidas de forma real, informaci��n confidencial puede ser reconstruida en mucho menos tiempo y computaci��n. Para ser precisos, SCA b��sicamente cubre una amplia gama de tipos de ataques, como los an��lisis de consumo de energ��a y radiaci��n ElectroMagn��tica (EM). Ambos se basan en an��lisis estad��stico y, por lo tanto, requieren numerosas muestras. Los algoritmos de cifrado no est��n intr��nsecamente preparados para ser resistentes ante SCA. Es por ello que se hace necesario durante la implementaci��n de circuitos integrar medidas que permitan camuflar las fugas a trav��s de "canales laterales". Las medidas contra SCA est��n evolucionando junto con el desarrollo de nuevas t��cnicas de ataque, as�� como la continua mejora de los dispositivos electr��nicos. Las caracter��sticas f��sicas requieren contramedidas sobre la capa f��sica, que generalmente se pueden clasificar en soluciones intr��nsecas y extr��nsecas. Contramedidas extr��nsecas se ejecutan para confundir la fuente de ataque mediante la integraci��n de ruido o mala alineaci��n de la actividad interna. Comparativamente, las contramedidas intr��nsecas est��n integradas en el propio algoritmo, para modificar la aplicaci��n con el fin de minimizar las fugas medibles, o incluso hacer que dichas fugas no puedan ser medibles. Ocultaci��n y Enmascaramiento son dos t��cnicas t��picas incluidas en esta categor��a. Concretamente, el enmascaramiento se aplica a nivel algor��tmico, para alterar los datos intermedios sensibles con una m��scara de manera reversible. A diferencia del enmascaramiento lineal, las operaciones no lineales que ampliamente existen en criptograf��as modernas son dif��ciles de enmascarar. Dicho m��todo de ocultaci��n, que ha sido verificado como una soluci��n efectiva, comprende principalmente la codificaci��n en doble carril, que est�� ideado especialmente para aplanar o eliminar la fuga dependiente de dato en potencia o en EM. En esta tesis doctoral, adem��s de la descripci��n de las metodolog��as de ataque, se han dedicado grandes esfuerzos sobre la estructura del prototipo de la l��gica propuesta, con el fin de realizar investigaciones enfocadas a la seguridad sobre contramedidas de arquitectura a nivel l��gico. Una caracter��stica de SCA reside en el formato de las fuentes de fugas. Un t��pico ataque de canal lateral se refiere al an��lisis basado en la potencia, donde la capacidad fundamental del transistor MOS y otras capacidades par��sitas son las fuentes esenciales de fugas. Por lo tanto, una l��gica robusta resistente a SCA debe eliminar o mitigar las fugas de estas micro-unidades, como las puertas l��gicas b��sicas, los puertos I/O y las rutas. Las herramientas EDA proporcionadas por los vendedores manipulan la l��gica desde un nivel m��s alto, en lugar de realizarlo desde el nivel de puerta, donde las fugas de canal lateral se manifiestan. Por lo tanto, las implementaciones cl��sicas apenas satisfacen estas necesidades e inevitablemente atrofian el prototipo. Por todo ello, la implementaci��n de un esquema de dise��o personalizado y flexible ha de ser tomado en cuenta. En esta tesis se presenta el dise��o y la implementaci��n de una l��gica innovadora para contrarrestar SCA, en la que se abordan 3 aspectos fundamentales: I. Se basa en ocultar la estrategia sobre el circuito en doble carril a nivel de puerta para obtener din��micamente el equilibrio de las fugas en las capas inferiores; II. Esta l��gica explota las caracter��sticas de la arquitectura de las FPGAs, para reducir al m��nimo el gasto de recursos en la implementaci��n; III. Se apoya en un conjunto de herramientas asistentes personalizadas, incorporadas al flujo gen��rico de dise��o sobre FPGAs, con el fin de manipular los circuitos de forma autom��tica. El kit de herramientas de dise��o autom��tico es compatible con la l��gica de doble carril propuesta, para facilitar la aplicaci��n pr��ctica sobre la familia de FPGA del fabricante Xilinx. En este sentido, la metodolog��a y las herramientas son flexibles para ser extendido a una amplia gama de aplicaciones en las que se desean obtener restricciones mucho m��s r��gidas y sofisticadas a nivel de puerta o rutado. En esta tesis se realiza un gran esfuerzo para facilitar el proceso de implementaci��n y reparaci��n de l��gica de doble carril gen��rica. La viabilidad de las soluciones propuestas es validada mediante la selecci��n de algoritmos criptogr��ficos ampliamente utilizados, y su evaluaci��n exhaustiva en comparaci��n con soluciones anteriores. Todas las propuestas est��n respaldadas eficazmente a trav��s de ataques experimentales con el fin de validar las ventajas de seguridad del sistema. El presente trabajo de investigaci��n tiene la intenci��n de cerrar la brecha entre las barreras de implementaci��n y la aplicaci��n efectiva de l��gica de doble carril. En esencia, a lo largo de esta tesis se describir�� un conjunto de herramientas de implementaci��n para FPGAs que se han desarrollado para trabajar junto con el flujo de dise��o gen��rico de las mismas, con el fin de lograr crear de forma innovadora la l��gica de doble carril. Un nuevo enfoque en el ��mbito de la seguridad en el cifrado se propone para obtener personalizaci��n, automatizaci��n y flexibilidad en el prototipo de circuito de bajo nivel con granularidad fina. Las principales contribuciones del presente trabajo de investigaci��n se resumen brevemente a continuaci��n: ������L��gica de Precharge Absorbed-DPL logic: El uso de la conversi��n de netlist para reservar LUTs libres para ejecutar la se��al de precharge y Ex en una l��gica DPL. ������Posicionamiento entrelazado Row-crossed con pares id��nticos de rutado en redes de doble carril, lo que ayuda a aumentar la resistencia frente a la medici��n EM selectiva y mitigar los impactos de las variaciones de proceso. ������Ejecuci��n personalizada y herramientas de conversi��n autom��tica para la generaci��n de redes id��nticas para la l��gica de doble carril propuesta. (a) Para detectar y reparar conflictos en las conexiones; (b) Detectar y reparar las rutas asim��tricas. (c) Para ser utilizado en otras l��gicas donde se requiere un control estricto de las interconexiones en aplicaciones basadas en Xilinx. ������Plataforma CPA de pruebas personalizadas para el an��lisis de EM y potencia, incluyendo la construcci��n de dicha plataforma, el m��todo de medici��n y an��lisis de los ataques. ������An��lisis de tiempos para cuantificar los niveles de seguridad. ������Divisi��n de Seguridad en la conversi��n parcial de un sistema de cifrado complejo para reducir los costes de la protecci��n. ������Prueba de concepto de un sistema de calefacci��n auto-adaptativo para mitigar los impactos el��ctricos debido a la variaci��n del proceso de silicio de manera din��mica. La presente tesis doctoral se encuentra organizada tal y como se detalla a continuaci��n: En el cap��tulo 1 se abordan los fundamentos de los ataques de canal lateral, que abarca desde conceptos b��sicos de teor��a de modelos de an��lisis, adem��s de la implementaci��n de la plataforma y la ejecuci��n de los ataques. En el cap��tulo 2 se incluyen las estrategias de resistencia SCA contra los ataques de potencia diferencial y de EM. Adem��s de ello, en este cap��tulo se propone una l��gica en doble carril compacta y segura como contribuci��n de gran relevancia, as�� como tambi��n se presentar�� la transformaci��n l��gica basada en un dise��o a nivel de puerta. Por otra parte, en el Cap��tulo 3 se abordan los desaf��os relacionados con la implementaci��n de l��gica en doble carril gen��rica. As�� mismo, se describir�� un flujo de dise��o personalizado para resolver los problemas de aplicaci��n junto con una herramienta de desarrollo autom��tico de aplicaciones propuesta, para mitigar las barreras de dise��o y facilitar los procesos. En el cap��tulo 4 se describe de forma detallada la elaboraci��n e implementaci��n de las herramientas propuestas. Por otra parte, la verificaci��n y validaciones de seguridad de la l��gica propuesta, as�� como un sofisticado experimento de verificaci��n de la seguridad del rutado, se describen en el cap��tulo 5. Por ��ltimo, un resumen de las conclusiones de la tesis y las perspectivas como l��neas futuras se incluyen en el cap��tulo 6. Con el fin de profundizar en el contenido de la tesis doctoral, cada cap��tulo se describe de forma m��s detallada a continuaci��n: En el cap��tulo 1 se introduce plataforma de implementaci��n hardware adem��s las teor��as b��sicas de ataque de canal lateral, y contiene principalmente: (a) La arquitectura gen��rica y las caracter��sticas de la FPGA a utilizar, en particular la Xilinx Virtex-5; (b) El algoritmo de cifrado seleccionado (un m��dulo comercial Advanced Encryption Standard (AES)); (c) Los elementos esenciales de los m��todos de canal lateral, que permiten revelar las fugas de disipaci��n correlacionadas con los comportamientos internos; y el m��todo para recuperar esta relaci��n entre las fluctuaciones f��sicas en los rastros de canal lateral y los datos internos procesados; (d) Las configuraciones de las plataformas de pruebas de potencia / EM abarcadas dentro de la presente tesis. El contenido de esta tesis se amplia y profundiza a partir del cap��tulo 2, en el cual se abordan varios aspectos claves. En primer lugar, el principio de protecci��n de la compensaci��n din��mica de la l��gica gen��rica de precarga de doble carril (Dual-rail Precharge Logic-DPL) se explica mediante la descripci��n de los elementos compensados a nivel de puerta. En segundo lugar, la l��gica PA-DPL es propuesta como aportaci��n original, detallando el protocolo de la l��gica y un caso de aplicaci��n. En tercer lugar, dos flujos de dise��o personalizados se muestran para realizar la conversi��n de doble carril. Junto con ello, se aclaran las definiciones t��cnicas relacionadas con la manipulaci��n por encima de la netlist a nivel de LUT. Finalmente, una breve discusi��n sobre el proceso global se aborda en la parte final del cap��tulo. El Cap��tulo 3 estudia los principales retos durante la implementaci��n de DPLs en FPGAs. El nivel de seguridad de las soluciones de resistencia a SCA encontradas en el estado del arte se ha degenerado debido a las barreras de implantaci��n a trav��s de herramientas EDA convencionales. En el escenario de la arquitectura FPGA estudiada, se discuten los problemas de los formatos de doble carril, impactos par��sitos, sesgo tecnol��gico y la viabilidad de implementaci��n. De acuerdo con estas elaboraciones, se plantean dos problemas: C��mo implementar la l��gica propuesta sin penalizar los niveles de seguridad, y c��mo manipular un gran n��mero de celdas y automatizar el proceso. El PA-DPL propuesto en el cap��tulo 2 se valida con una serie de iniciativas, desde caracter��sticas estructurales como doble carril entrelazado o redes de rutado clonadas, hasta los m��todos de aplicaci��n tales como las herramientas de personalizaci��n y automatizaci��n de EDA. Por otra parte, un sistema de calefacci��n auto-adaptativo es representado y aplicado a una l��gica de doble n��cleo, con el fin de ajustar alternativamente la temperatura local para equilibrar los impactos negativos de la variaci��n del proceso durante la operaci��n en tiempo real. El cap��tulo 4 se centra en los detalles de la implementaci��n del kit de herramientas. Desarrollado sobre una API third-party, el kit de herramientas personalizado es capaz de manipular los elementos de la l��gica de circuito post P&R ncd (una versi��n binaria ilegible del xdl) convertido al formato XDL Xilinx. El mecanismo y raz��n de ser del conjunto de instrumentos propuestos son cuidadosamente descritos, que cubre la detecci��n de enrutamiento y los enfoques para la reparaci��n. El conjunto de herramientas desarrollado tiene como objetivo lograr redes de enrutamiento estrictamente id��nticos para la l��gica de doble carril, tanto para posicionamiento separado como para el entrelazado. Este cap��tulo particularmente especifica las bases t��cnicas para apoyar las implementaciones en los dispositivos de Xilinx y su flexibilidad para ser utilizado sobre otras aplicaciones. El cap��tulo 5 se enfoca en la aplicaci��n de los casos de estudio para la validaci��n de los grados de seguridad de la l��gica propuesta. Se discuten los problemas t��cnicos detallados durante la ejecuci��n y algunas nuevas t��cnicas de implementaci��n. (a) Se discute el impacto en el proceso de posicionamiento de la l��gica utilizando el kit de herramientas propuesto. Diferentes esquemas de implementaci��n, tomando en cuenta la optimizaci��n global en seguridad y coste, se verifican con los experimentos con el fin de encontrar los planes de posicionamiento y reparaci��n optimizados; (b) las validaciones de seguridad se realizan con los m��todos de correlaci��n y an��lisis de tiempo; (c) Una t��ctica asint��tica se aplica a un n��cleo AES sobre BCDL estructurado para validar de forma sofisticada el impacto de enrutamiento sobre m��tricas de seguridad; (d) Los resultados preliminares utilizando el sistema de calefacci��n auto-adaptativa sobre la variaci��n del proceso son mostrados; (e) Se introduce una aplicaci��n pr��ctica de las herramientas para un dise��o de cifrado completa. Cap��tulo 6 incluye el resumen general del trabajo presentado dentro de esta tesis doctoral. Por ��ltimo, una breve perspectiva del trabajo futuro se expone, lo que puede ampliar el potencial de utilizaci��n de las contribuciones de esta tesis a un alcance m��s all�� de los dominios de la criptograf��a en FPGAs. ABSTRACT This PhD thesis mainly concentrates on countermeasure techniques related to the Side Channel Attack (SCA), which has been put forward to academic exploitations since 17 years ago. The related research has seen a remarkable growth in the past decades, while the design of solid and efficient protection still curiously remain as an open research topic where more reliable initiatives are required for personal information privacy, enterprise and national data protections. The earliest documented usage of secret code can be traced back to around 1700 B.C., when the hieroglyphs in ancient Egypt are scribed in inscriptions. Information security always gained serious attention from diplomatic or military intelligence transmission. Due to the rapid evolvement of modern communication technique, crypto solution was first incorporated by electronic signal to ensure the confidentiality, integrity, availability, authenticity and non-repudiation of the transmitted contexts over unsecure cable or wireless channels. Restricted to the computation power before computer era, simple encryption tricks were practically sufficient to conceal information. However, algorithmic vulnerabilities can be excavated to restore the encoding rules with affordable efforts. This fact motivated the development of modern cryptography, aiming at guarding information system by complex and advanced algorithms. The appearance of computers has greatly pushed forward the invention of robust cryptographies, which efficiently offers resistance relying on highly strengthened computing capabilities. Likewise, advanced cryptanalysis has greatly driven the computing technologies in turn. Nowadays, the information world has been involved into a crypto world, protecting any fields by pervasive crypto solutions. These approaches are strong because of the optimized mergence between modern mathematical theories and effective hardware practices, being capable of implement crypto theories into various platforms (microprocessor, ASIC, FPGA, etc). Security needs from industries are actually the major driving metrics in electronic design, aiming at promoting the construction of systems with high performance without sacrificing security. Yet a vulnerability in practical implementation found by Prof. Paul Kocher, et al in 1996 implies that modern digital circuits are inherently vulnerable to an unconventional attack approach, which was named as side-channel attack since then from its analysis source. Critical suspicions to theoretically sound modern crypto algorithms surfaced almost immediately after this discovery. To be specifically, digital circuits typically consist of a great number of essential logic elements (as MOS - Metal Oxide Semiconductor), built upon a silicon substrate during the fabrication. Circuit logic is realized relying on the countless switch actions of these cells. This mechanism inevitably results in featured physical emanation that can be properly measured and correlated with internal circuit behaviors. SCAs can be used to reveal the confidential data (e.g. crypto-key), analyze the logic architecture, timing and even inject malicious faults to the circuits that are implemented in hardware system, like FPGA, ASIC, smart Card. Using various comparison solutions between the predicted leakage quantity and the measured leakage, secrets can be reconstructed at much less expense of time and computation. To be precisely, SCA basically encloses a wide range of attack types, typically as the analyses of power consumption or electromagnetic (EM) radiation. Both of them rely on statistical analyses, and hence require a number of samples. The crypto algorithms are not intrinsically fortified with SCA-resistance. Because of the severity, much attention has to be taken into the implementation so as to assemble countermeasures to camouflage the leakages via "side channels". Countermeasures against SCA are evolving along with the development of attack techniques. The physical characteristics requires countermeasures over physical layer, which can be generally classified into intrinsic and extrinsic vectors. Extrinsic countermeasures are executed to confuse the attacker by integrating noise, misalignment to the intra activities. Comparatively, intrinsic countermeasures are built into the algorithm itself, to modify the implementation for minimizing the measurable leakage, or making them not sensitive any more. Hiding and Masking are two typical techniques in this category. Concretely, masking applies to the algorithmic level, to alter the sensitive intermediate values with a mask in reversible ways. Unlike the linear masking, non-linear operations that widely exist in modern cryptographies are difficult to be masked. Approved to be an effective counter solution, hiding method mainly mentions dual-rail logic, which is specially devised for flattening or removing the data-dependent leakage in power or EM signatures. In this thesis, apart from the context describing the attack methodologies, efforts have also been dedicated to logic prototype, to mount extensive security investigations to countermeasures on logic-level. A characteristic of SCA resides on the format of leak sources. Typical side-channel attack concerns the power based analysis, where the fundamental capacitance from MOS transistors and other parasitic capacitances are the essential leak sources. Hence, a robust SCA-resistant logic must eliminate or mitigate the leakages from these micro units, such as basic logic gates, I/O ports and routings. The vendor provided EDA tools manipulate the logic from a higher behavioral-level, rather than the lower gate-level where side-channel leakage is generated. So, the classical implementations barely satisfy these needs and inevitably stunt the prototype. In this case, a customized and flexible design scheme is appealing to be devised. This thesis profiles an innovative logic style to counter SCA, which mainly addresses three major aspects: I. The proposed logic is based on the hiding strategy over gate-level dual-rail style to dynamically overbalance side-channel leakage from lower circuit layer; II. This logic exploits architectural features of modern FPGAs, to minimize the implementation expenses; III. It is supported by a set of assistant custom tools, incorporated by the generic FPGA design flow, to have circuit manipulations in an automatic manner. The automatic design toolkit supports the proposed dual-rail logic, facilitating the practical implementation on Xilinx FPGA families. While the methodologies and the tools are flexible to be expanded to a wide range of applications where rigid and sophisticated gate- or routing- constraints are desired. In this thesis a great effort is done to streamline the implementation workflow of generic dual-rail logic. The feasibility of the proposed solutions is validated by selected and widely used crypto algorithm, for thorough and fair evaluation w.r.t. prior solutions. All the proposals are effectively verified by security experiments. The presented research work attempts to solve the implementation troubles. The essence that will be formalized along this thesis is that a customized execution toolkit for modern FPGA systems is developed to work together with the generic FPGA design flow for creating innovative dual-rail logic. A method in crypto security area is constructed to obtain customization, automation and flexibility in low-level circuit prototype with fine-granularity in intractable routings. Main contributions of the presented work are summarized next: ������Precharge Absorbed-DPL logic: Using the netlist conversion to reserve free LUT inputs to execute the Precharge and Ex signal in a dual-rail logic style. ������A row-crossed interleaved placement method with identical routing pairs in dual-rail networks, which helps to increase the resistance against selective EM measurement and mitigate the impacts from process variations. ������Customized execution and automatic transformation tools for producing identical networks for the proposed dual-rail logic. (a) To detect and repair the conflict nets; (b) To detect and repair the asymmetric nets. (c) To be used in other logics where strict network control is required in Xilinx scenario. ���������Customized correlation analysis testbed for EM and power attacks, including the platform construction, measurement method and attack analysis. ������A timing analysis based method for quantifying the security grades. ������A methodology of security partitions of complex crypto systems for reducing the protection cost. ������A proof-of-concept self-adaptive heating system to mitigate electrical impacts over process variations in dynamic dual-rail compensation manner. The thesis chapters are organized as follows: Chapter 1 discusses the side-channel attack fundamentals, which covers from theoretic basics to analysis models, and further to platform setup and attack execution. Chapter 2 centers to SCA-resistant strategies against generic power and EM attacks. In this chapter, a major contribution, a compact and secure dual-rail logic style, will be originally proposed. The logic transformation based on bottom-layer design will be presented. Chapter 3 is scheduled to elaborate the implementation challenges of generic dual-rail styles. A customized design flow to solve the implementation problems will be described along with a self-developed automatic implementation toolkit, for mitigating the design barriers and facilitating the processes. Chapter 4 will originally elaborate the tool specifics and construction details. The implementation case studies and security validations for the proposed logic style, as well as a sophisticated routing verification experiment, will be described in Chapter 5. Finally, a summary of thesis conclusions and perspectives for future work are included in Chapter 5. To better exhibit the thesis contents, each chapter is further described next: Chapter 1 provides the introduction of hardware implementation testbed and side-channel attack fundamentals, and mainly contains: (a) The FPGA generic architecture and device features, particularly of Virtex-5 FPGA; (b) The selected crypto algorithm - a commercially and extensively used Advanced Encryption Standard (AES) module - is detailed; (c) The essentials of Side-Channel methods are profiled. It reveals the correlated dissipation leakage to the internal behaviors, and the method to recover this relationship between the physical fluctuations in side-channel traces and the intra processed data; (d) The setups of the power/EM testing platforms enclosed inside the thesis work are given. The content of this thesis is expanded and deepened from chapter 2, which is divided into several aspects. First, the protection principle of dynamic compensation of the generic dual-rail precharge logic is explained by describing the compensated gate-level elements. Second, the novel DPL is originally proposed by detailing the logic protocol and an implementation case study. Third, a couple of custom workflows are shown next for realizing the rail conversion. Meanwhile, the technical definitions that are about to be manipulated above LUT-level netlist are clarified. A brief discussion about the batched process is given in the final part. Chapter 3 studies the implementation challenges of DPLs in FPGAs. The security level of state-of-the-art SCA-resistant solutions are decreased due to the implementation barriers using conventional EDA tools. In the studied FPGA scenario, problems are discussed from dual-rail format, parasitic impact, technological bias and implementation feasibility. According to these elaborations, two problems arise: How to implement the proposed logic without crippling the security level; and How to manipulate a large number of cells and automate the transformation. The proposed PA-DPL in chapter 2 is legalized with a series of initiatives, from structures to implementation methods. Furthermore, a self-adaptive heating system is depicted and implemented to a dual-core logic, assumed to alternatively adjust local temperature for balancing the negative impacts from silicon technological biases on real-time. Chapter 4 centers to the toolkit system. Built upon a third-party Application Program Interface (API) library, the customized toolkit is able to manipulate the logic elements from post P&R circuit (an unreadable binary version of the xdl one) converted to Xilinx xdl format. The mechanism and rationale of the proposed toolkit are carefully convoyed, covering the routing detection and repairing approaches. The developed toolkit aims to achieve very strictly identical routing networks for dual-rail logic both for separate and interleaved placement. This chapter particularly specifies the technical essentials to support the implementations in Xilinx devices and the flexibility to be expanded to other applications. Chapter 5 focuses on the implementation of the case studies for validating the security grades of the proposed logic style from the proposed toolkit. Comprehensive implementation techniques are discussed. (a) The placement impacts using the proposed toolkit are discussed. Different execution schemes, considering the global optimization in security and cost, are verified with experiments so as to find the optimized placement and repair schemes; (b) Security validations are realized with correlation, timing methods; (c) A systematic method is applied to a BCDL structured module to validate the routing impact over security metric; (d) The preliminary results using the self-adaptive heating system over process variation is given; (e) A practical implementation of the proposed toolkit to a large design is introduced. Chapter 6 includes the general summary of the complete work presented inside this thesis. Finally, a brief perspective for the future work is drawn which might expand the potential utilization of the thesis contributions to a wider range of implementation domains beyond cryptography on FPGAs.

Sophisticated security verification on routing repaired balanced cell-based dual-rail logic against side channel analysis

Conventional dual-rail precharge logic suffers from difficult implementations of dual-rail structure for obtaining strict compensation between the counterpart rails. As a light-weight and high-speed dual-rail style, balanced cell-based dual-rail logic (BCDL) uses synchronised compound gates with global precharge signal to provide high resistance against differential power or electromagnetic analyses. BCDL can be realised from generic field programmable gate array (FPGA) design flows with constraints. However, routings still exist as concerns because of the deficient flexibility on routing control, which unfavourably results in bias between complementary nets in security-sensitive parts. In this article, based on a routing repair technique, novel verifications towards routing effect are presented. An 8 bit simplified advanced encryption processing (AES)-co-processor is executed that is constructed on block random access memory (RAM)-based BCDL in Xilinx Virtex-5 FPGAs. Since imbalanced routing are major defects in BCDL, the authors can rule out other influences and fairly quantify the security variants. A series of asymptotic correlation electromagnetic (EM) analyses are launched towards a group of circuits with consecutive routing schemes to be able to verify routing impact on side channel analyses. After repairing the non-identical routings, Mutual information analyses are executed to further validate the concrete security increase obtained from identical routing pairs in BCDL.

A single point mutation in the pore region of the epithelial Na+ channel changes ion selectivity by modifying molecular sieving

The epithelial Na+ channel (ENaC) belongs to a new class of channel proteins called the ENaC/DEG superfamily involved in epithelial Na+ transport, mechanotransduction, and neurotransmission. The role of ENaC in Na+ homeostasis and in the control of blood pressure has been demonstrated recently by the identification of mutations in ENaC �� and �� subunits causing hypertension. The function of ENaC in Na+ reabsorption depends critically on its ability to discriminate between Na+ and other ions like K+ or Ca2+. ENaC is virtually impermeant to K+ ions, and the molecular basis for its high ionic selectivity is largely unknown. We have identified a conserved Ser residue in the second transmembrane domain of the ENaC �� subunit (��S589), which when mutated allows larger ions such as K+, Rb+, Cs+, and divalent cations to pass through the channel. The relative ion permeability of each of the ��S589 mutants is related inversely to the ionic radius of the permeant ion, indicating that ��S589 mutations increase the molecular cutoff of the channel by modifying the pore geometry at the selectivity filter. Proper geometry of the pore is required to tightly accommodate Na+ and Li+ ions and to exclude larger cations. We provide evidence that ENaC discriminates between cations mainly on the basis of their size and the energy of dehydration.

Functional transitions in myosin: Formation of a critical salt-bridge and transmission of effect to the sensitive tryptophan

For analyzing the mechanism of energy transduction in the ���motor��� protein, myosin, it is opportune both to model the structural change in the hydrolytic transition, ATP (myosin-bound) + H2O ��� ADP���Pi (myosin-bound) and to check the plausibility of the model by appropriate site-directed mutations in the functional system. Here, we made a series of mutations to investigate the role of the salt-bridge between Glu-470 and Arg-247 (of chicken smooth muscle myosin) that has been inferred from crystallography to be a central feature of the transition [Fisher, A. J., Smith, C. A., Thoden, J. B., Smith, R., Sutoh, K., Holden, H. M., & Rayment, I. (1995) Biochemistry 34, 8960���8972]. Our results suggest that whether in the normal, or in the inverted, direction an intact salt-bridge is necessary for ATP hydrolysis, but when the salt-bridge is in the inverted direction it does not support actin activation. Normally, fluorescence changes result from adding nucleotides to myosin; these signals are reported by Trp-512 (of chicken smooth muscle myosin). Our results also suggest that structural impairments in the 470���247 region interfere with the transmission of these signals to the responsive Trp.

Cyclic AMP regulates potassium channel expression in C6 glioma by destabilizing Kv1.1 mRNA

The tissue distributions and physiological properties of a variety of cloned voltage-gated potassium channel genes have been characterized extensively, yet relatively little is known about the mechanisms controlling expression of these genes. Here, we report studies on the regulation of Kv1.1 expressed endogenously in the C6 glioma cell line. We demonstrate that elevation of intracellular cAMP leads to the accelerated degradation of Kv1.1 RNA. The cAMP-induced decrease in Kv1.1 RNA is followed by a decrease in Kv1.1 protein and a decrease in the whole cell sustained K+ current amplitude. Dendrotoxin-I, a relatively specific blocker of Kv1.1, blocks 96% of the sustained K+ current in glioma cells, causing a shift in the resting membrane potential from ���40 mV to ���7 mV. These data suggest that expression of Kv1.1 contributes to setting the resting membrane potential in undifferentiated glioma cells. We therefore suggest that receptor-mediated elevation of cAMP reduces outward K+ current density by acting at the translational level to destabilize Kv1.1 RNA, an additional mechanism for regulating potassium channel gene expression.

Nedd4 mediates control of an epithelial Na+ channel in salivary duct cells by cytosolic Na+

Epithelial Na+ channels are expressed widely in absorptive epithelia such as the renal collecting duct and the colon and play a critical role in fluid and electrolyte homeostasis. Recent studies have shown that these channels interact via PY motifs in the C terminals of their ��, ��, and �� subunits with the WW domains of the ubiquitin-protein ligase Nedd4. Mutation or deletion of these PY motifs (as occurs, for example, in the heritable form of hypertension known as Liddle���s syndrome) leads to increased Na+ channel activity. Thus, binding of Nedd4 by the PY motifs would appear to be part of a physiological control system for down-regulation of Na+ channel activity. The nature of this control system is, however, unknown. In the present paper, we show that Nedd4 mediates the ubiquitin-dependent down-regulation of Na+ channel activity in response to increased intracellular Na+. We further show that Nedd4 operates downstream of Go in this feedback pathway. We find, however, that Nedd4 is not involved in the feedback control of Na+ channels by intracellular anions. Finally, we show that Nedd4 has no influence on Na+ channel activity when the Na+ and anion feedback systems are inactive. We conclude that Nedd4 normally mediates feedback control of epithelial Na+ channels by intracellular Na+, and we suggest that the increased Na+ channel activity observed in Liddle���s syndrome is attributable to the loss of this regulatory feedback system.

MgATP activates the �� cell KATP channel by interaction with its SUR1 subunit

ATP-sensitive potassium (KATP) channels in the pancreatic �� cell membrane mediate insulin release in response to elevation of plasma glucose levels. They are open at rest but close in response to glucose metabolism, producing a depolarization that stimulates Ca2+ influx and exocytosis. Metabolic regulation of KATP channel activity currently is believed to be mediated by changes in the intracellular concentrations of ATP and MgADP, which inhibit and activate the channel, respectively. The �� cell KATP channel is a complex of four Kir6.2 pore-forming subunits and four SUR1 regulatory subunits: Kir6.2 mediates channel inhibition by ATP, whereas the potentiatory action of MgADP involves the nucleotide-binding domains (NBDs) of SUR1. We show here that MgATP (like MgADP) is able to stimulate KATP channel activity, but that this effect normally is masked by the potent inhibitory effect of the nucleotide. Mg2+ caused an apparent reduction in the inhibitory action of ATP on wild-type KATP channels, and MgATP actually activated KATP channels containing a mutation in the Kir6.2 subunit that impairs nucleotide inhibition (R50G). Both of these effects were abolished when mutations were made in the NBDs of SUR1 that are predicted to abolish MgATP binding and/or hydrolysis (D853N, D1505N, K719A, or K1384M). These results suggest that, like MgADP, MgATP stimulates KATP channel activity by interaction with the NBDs of SUR1. Further support for this idea is that the ATP sensitivity of a truncated form of Kir6.2, which shows functional expression in the absence of SUR1, is unaffected by Mg2+.

Comparison of the ion channel characteristics of proapoptotic BAX and antiapoptotic���BCL-2

The BCL-2 family of proteins is composed of both pro- and antiapoptotic regulators, although its most critical biochemical functions remain uncertain. The structural similarity between the BCL-XL monomer and several ion-pore-forming bacterial toxins has prompted electrophysiologic studies. Both BAX and BCL-2 insert into KCl-loaded vesicles in a pH-dependent fashion and demonstrate macroscopic ion efflux. Release is maximum at ���pH 4.0 for both proteins; however, BAX demonstrates a broader pH range of activity. Both purified proteins also insert into planar lipid bilayers at pH 4.0. Single-channel recordings revealed a minimal channel conductance for BAX of 22 pS that evolved to channel currents with at least three subconductance levels. The final, apparently stable BAX channel had a conductance of 0.731 nS at pH 4.0 that changed to 0.329 nS when shifted to pH 7.0 but remained mildly Cl��� selective and predominantly open. When BAX-incorporated lipid vesicles were fused to planar lipid bilayers at pH 7.0, a Cl���-selective (PK/PCl = 0.3) 1.5-nS channel displaying mild inward rectification was noted. In contrast, BCL-2 formed mildly K+-selective (PK/PCl = 3.9) channels with a most prominent initial conductance of 80 pS that increased to 1.90 nS. Fusion of BCL-2-incorporated lipid vesicles into planar bilayers at pH 7.0 also revealed mild K+ selectivity (PK/PCl = 2.4) with a maximum conductance of 1.08 nS. BAX and BCL-2 each form channels in artificial membranes that have distinct characteristics including ion selectivity, conductance, voltage dependence, and rectification. Thus, one role of these molecules may include pore activity at selected membrane sites.

The selectivity of the hair cell���s mechanoelectrical-transduction channel promotes Ca2+ flux at low Ca2+ concentrations

The mechanoelectrical-transduction channel of the hair cell is permeable to both monovalent and divalent cations. Because Ca2+ entering through the transduction channel serves as a feedback signal in the adaptation process that sets the channel���s open probability, an understanding of adaptation requires estimation of the magnitude of Ca2+ influx. To determine the Ca2+ current through the transduction channel, we measured extracellular receptor currents with transepithelial voltage-clamp recordings while the apical surface of a saccular macula was bathed with solutions containing various concentrations of K+, Na+, or Ca2+. For modest concentrations of a single permeant cation, Ca2+ carried much more receptor current than did either K+ or Na+. For higher cation concentrations, however, the flux of Na+ or K+ through the transduction channel exceeded that of Ca2+. For mixtures of Ca2+ and monovalent cations, the receptor current displayed an anomalous mole-fraction effect, which indicates that ions interact while traversing the channel���s pore. These results demonstrate not only that the hair cell���s transduction channel is selective for Ca2+ over monovalent cations but also that Ca2+ carries substantial current even at low Ca2+ concentrations. At physiological cation concentrations, Ca2+ flux through transduction channels can change the local Ca2+ concentration in stereocilia in a range relevant for the control of adaptation.

Regulation of the human ether-a-gogo related gene (HERG) K+ channels by reactive oxygen���species

Human ether-a-gogo related gene (HERG) K+ channels are key elements in the control of cell excitability in both the cardiovascular and the central nervous systems. For this reason, the possible modulation by reactive oxygen species (ROS) of HERG and other cloned K+ channels expressed in Xenopus oocytes has been explored in the present study. Exposure of Xenopus oocytes to an extracellular solution containing FeSO4 (25���100 ��M) and ascorbic acid (50���200 ��M) (Fe/Asc) increased both malondialdehyde content and 2���,7���-dichlorofluorescin fluorescence, two indexes of ROS production. Oocyte perfusion with Fe/Asc caused a 50% increase of the outward K+ currents carried by HERG channels, whereas inward currents were not modified. This ROS-induced increase in HERG outward K+ currents was due to a depolarizing shift of the voltage-dependence of channel inactivation, with no change in channel activation. No effect of Fe/Asc was observed on the expressed K+ currents carried by other K+ channels such as bEAG, rDRK1, and mIRK1. Fe/Asc-induced stimulation of HERG outward currents was completely prevented by perfusion of the oocytes with a ROS scavenger mixture (containing 1,000 units/ml catalase, 200 ng/ml superoxide dismutase, and 2 mM mannitol). Furthermore, the scavenger mixture also was able to reduce HERG outward currents in resting conditions by 30%, an effect mimicked by catalase alone. In conclusion, the present results seem to suggest that changes in ROS production can specifically influence K+ currents carried by the HERG channels.

Type II regulatory subunits are not required for the anchoring-dependent modulation of Ca2+ channel activity by cAMP-dependent protein���kinase

Preferential phosphorylation of specific proteins by cAMP-dependent protein kinase (PKA) may be mediated in part by the anchoring of PKA to a family of A-kinase anchor proteins (AKAPs) positioned in close proximity to target proteins. This interaction is thought to depend on binding of the type II regulatory (RII) subunits to AKAPs and is essential for PKA-dependent modulation of the ��-amino-3-hydroxy-5-methyl-4-isoxazolepropionic acid/kainate receptor, the L-type Ca2+ channel, and the KCa channel. We hypothesized that the targeted disruption of the gene for the ubiquitously expressed RII�� subunit would reveal those tissues and signaling events that require anchored PKA. RII�� knockout mice appear normal and healthy. In adult skeletal muscle, RI�� protein levels increased to partially compensate for the loss of RII��. Nonetheless, a reduction in both catalytic (C) subunit protein levels and total kinase activity was observed. Surprisingly, the anchored PKA-dependent potentiation of the L-type Ca2+ channel in RII�� knockout skeletal muscle was unchanged compared with wild type although it was more sensitive to inhibitors of PKA���AKAP interactions. The C subunit colocalized with the L-type Ca2+ channel in transverse tubules in wild-type skeletal muscle and retained this localization in knockout muscle. The RI�� subunit was shown to bind AKAPs, although with a 500-fold lower affinity than the RII�� subunit. The potentiation of the L-type Ca2+ channel in RII�� knockout mouse skeletal muscle suggests that, despite a lower affinity for AKAP binding, RI�� is capable of physiologically relevant anchoring interactions.

Patch-clamp and amperometric recordings from norepinephrine transporters: Channel activity and voltage-dependent uptake

Transporters for the biogenic amines dopamine, norepinephrine, epinephrine and serotonin are largely responsible for transmitter inactivation after release. They also serve as high-affinity targets for a number of clinically relevant psychoactive agents, including antidepressants, cocaine, and amphetamines. Despite their prominent role in neurotransmitter inactivation and drug responses, we lack a clear understanding of the permeation pathway or regulation mechanisms at the single transporter level. The resolution of radiotracer-based flux techniques limits the opportunities to dissect these problems. Here we combine patch-clamp recording techniques with microamperometry to record the transporter-mediated flux of norepinephrine across isolated membrane patches. These data reveal voltage-dependent norepinephrine flux that correlates temporally with antidepressant-sensitive transporter currents in the same patch. Furthermore, we resolve unitary flux events linked with bursts of transporter channel openings. These findings indicate that norepinephrine transporters are capable of transporting neurotransmitter across the membrane in discrete shots containing hundreds of molecules. Amperometry is used widely to study neurotransmitter distribution and kinetics in the nervous system and to detect transmitter release during vesicular exocytosis. Of interest regarding the present application is the use of amperometry on inside-out patches with synchronous recording of flux and current. Thus, our results further demonstrate a powerful method to assess transporter function and regulation.

Two functionally distinct subsites for the binding of internal blockers to the pore of voltage-activated K+���channels

Many blockers of Na+ and K+ channels act by blocking the pore from the intracellular side. For Shaker K+ channels, such intracellular blockers vary in their functional effect on slow (C-type) inactivation: Some blockers interfere with C-type inactivation, whereas others do not. These functional differences can be explained by supposing that there are two overlapping ���subsites��� for blocker binding, only one of which inhibits C-type inactivation through an allosteric effect. We find that the ability to bind to these subsites depends on specific structural characteristics of the blockers, and correlates with the effect of mutations in two distinct regions of the channel protein. These interactions are important because they affect the ability of blockers to produce use-dependent inhibition.