Embedded local blockchain on secure physical devices

The blockchain is based on a consensus protocol, the aim of which is to share and replicate ordered data between peers in a distributed network. The protocol stack, embedded in the network's peer devices, relies on a proof mechanism that certifies the timestamp and ensures a degree of fairness within the network.
The consensus protocols used in the blockchains deployed today are not suitable for embedded systems, as they require too many communication and/or computing resources for the proof. A number of research projects, such as IOTA and HashGraph, deal with this subject and will be analysed in the state of the art.
The aim of this thesis is to build a consensus protocol that is frugal in terms of communication and computing resources, and whose protocol stack will be implemented in a secure embedded device. This protocol must be based on our laboratory's own frugal proof-of-elapsed-time scheme, called Proof-of-Hardware-Time (PoHT), and must satisfy the properties of finality and fairness. The complete architecture of a peer node in the network will be designed and embedded on an electronic board including a microprocessor and several hardware security components, in such a way that the proof resource cannot be parallelised. Communication between peers will be established in a distributed manner.

Laser Fault Injection Physical Modelling in FD-SOI technologies: toward security at standard cells level on FD-SOI 10 nm node

The cybersecurity of our infrastructures is at the very heart of the ongoing digital transition, and security must be ensured throughout the entire chain. At the root of trust lies the hardware: integrated circuits providing essential functions for the integrity, confidentiality and availability of processed information.
But hardware is vulnerable to physical attacks, and a defence has to be organised. Among these attacks, some are more tightly coupled to the physical characteristics of the silicon technologies. An attack using a pulsed laser in the near infrared is one of them, and it is the most powerful in terms of accuracy and repeatability. Components must therefore be protected against this threat.
FD-SOI is now widely deployed in embedded systems (health, automotive, connectivity, banking, smart industry, identity, etc.) where security is required, and FD-SOI technologies have promising security properties, having been found in studies to be less sensitive to laser fault attacks. But while the effect of a laser fault attack in traditional bulk technologies is well understood, deeper studies of the sensitivity of FD-SOI technologies have to be carried out in order to reach a comprehensive model. Indeed, the path to security in hardware comes with the modelling of the vulnerabilities at the transistor level, extended up to the level of standard cells (inverter, NAND, NOR, flip-flop) and SRAM. First, TCAD simulation will be used for a deeper investigation of the effect of a laser pulse on an FD-SOI transistor. A compact model of an FD-SOI transistor under a laser pulse will be derived from this physical modelling phase. This compact model will then be injected into various standard cell designs, with two objectives: a/ to bring the modelling of the effect of a laser shot to the level of standard cell design (where the analogue behaviour of a photocurrent becomes digital); b/ to propose standard cell designs in FD-SOI 10 nm technology that are intrinsically secure against laser pulse injection. Experimental data (existing and generated by the PhD student) will be used to validate the models at different stages (transistor, standard cells and more complex circuits on ASIC).
This thesis topic is interdisciplinary, spanning microelectronic design, TCAD simulation and SPICE simulation, and security testing of embedded systems. The candidate will be in contact with, and supervised by, two research teams: microelectronic design and TCAD simulation, and embedded systems security.

Contacts: romain.wacquez@cea.fr, jean-frederic.christmann@cea.fr, sebastien.martinie@cea.fr

Dynamic Assurance Cases for Autonomous Adaptive Systems

Providing assurances that autonomous systems will operate in a safe and secure manner is a prerequisite for their deployment in mission-critical and safety-critical application domains. Typically, assurances are provided in the form of assurance cases, which are auditable and reasoned arguments that a high-level claim (usually concerning safety or other critical properties) is satisfied given a set of evidence concerning the context, design, and implementation of a system. Assurance case development is traditionally an analytic activity, carried out off-line prior to system deployment, and its validity relies on assumptions and predictions about system behaviour (including its interactions with its environment). However, it has been argued that this is not a viable approach for autonomous systems that learn and adapt in operation. The proposed PhD will address the limitations of existing assurance approaches by proposing a new class of security-informed safety assurance techniques that continually assess and evolve the safety reasoning, concurrently with the system, to provide through-life safety assurance. That is, safety assurance will be provided not only during initial development and deployment, but also at runtime, based on operational data.

Identification versus anonymisation from an embedded client operating on a blockchain

The first worldwide deployment of a blockchain dates back to 2010 with Bitcoin, which introduced a completely digital monetary system and a crypto-currency, bitcoin. Within Bitcoin, all transactions are publicly accessible and traceable, which should generate trust between stakeholders. However, the traceability of transactions, and ultimately of the crypto-currency, does not imply the traceability of users authenticated by an account address, or more precisely by a set of account addresses that are independent of each other. In this context, it can be complex to trace the individuals or legal entities owning the crypto-currency.

Crypto-currency is not the only use case supported by blockchain technology. The deployment of Ethereum in 2014, based on the use of smart contracts, opened up many other uses, in particular the protection of identifying data. In this area, the need for traceability versus stealth can vary greatly from one use case to another. For example, on a blockchain that records the access of a worker holding an employment certificate to an industrial site, no information enabling the worker to be identified or their activity to be traced should appear. On the other hand, in the case of data collected by IoT sensors and processed by remote Edge devices, traceability of data and processing is desirable.

The thesis proposes to study different techniques for tracing digital assets on a blockchain while concealing their owners, and for offering the possibility of auditing and identification by an authorised body. The aim is to build embedded devices (Edge or personal, possibly embedding artificial intelligence), secured by hardware components and integrating different cryptographic solutions and account, data or identity wallet structures, to meet the needs of the different use cases envisaged.

eBeam Probing

The design of integrated circuits requires, at the end of the chain, circuit editing and failure analysis tools. One of these tools is the probing of electrical potential levels using the electron beam available in a SEM (Scanning Electron Microscope) to determine the electrical signal present in an area of the circuit, which may be a metal level or a transistor. This electron probing technique was widely used in the 1990s, and then partially abandoned despite a few recurring publications on the technique. In recent years, this technique has been revived by working from the backside of the component, probing through the silicon substrate and accessing the active areas of the component.
These debugging and failure analysis tools are also tools for attacking integrated circuits. This thesis topic falls within the scope of hardware cybersecurity and so-called invasive attacks. The PhD student will implement this electron beam probing technique on commercial SEMs and under conditions of use specific to cybersecurity. Various techniques will be considered to improve the probed signals and their use.

Integrity, availability and confidentiality of embedded AI in post-training stages

In a strong context of AI regulation at the European scale, several requirements have been proposed for the "cybersecurity of AI", and more particularly to increase the security of complex modern AI systems. Indeed, we are experiencing an impressive development of large models (so-called "Foundation" models) that are deployed at large scale to be adapted to specific tasks on a wide variety of platforms and devices. Today, models are optimised to be deployed, and even fine-tuned, on constrained platforms (memory, energy, latency) such as smartphones and many connected devices (home, health, industry, etc.).

However, securing such AI systems is a complex process, with multiple attack vectors against their integrity (fooling predictions), availability (collapsing performance, adding latency) and confidentiality (reverse engineering, privacy leakage).

In the past decade, the adversarial machine learning and privacy-preserving machine learning communities have reached important milestones by characterising attacks and proposing defence schemes. Essentially, these threats are focused on the training and inference stages. However, new threats are surfacing, related to the use of pre-trained models, their insecure deployment, and their adaptation (fine-tuning).

Moreover, additional security issues arise from the fact that the deployment and adaptation stages may be "on-device" processes, for instance with cross-device federated learning. In that context, models are compressed and optimised with state-of-the-art techniques (e.g., quantisation, pruning, Low-Rank Adaptation) whose influence on security needs to be assessed.

The objectives are:
(1) Propose threat models and risk analyses for the critical steps (typically model deployment and continuous training) in the deployment and adaptation of large foundation models on embedded systems (e.g., advanced microcontrollers with HW accelerators, SoCs).
(2) Demonstrate and characterize attacks, with a focus on model-based poisoning.
(3) Propose and develop protection schemes and sound evaluation protocols.

Acoustics and Electromagnetism (AEM): New approaches for the secure characterisation of components such as SoCs

Work carried out within CEA-Leti has shown that physical attacks can be a threat to the security mechanisms of SoCs (Systems on Chip). Indeed, fault injections by electromagnetic disturbance have already led to an escalation of privileges by authenticating with an illegitimate password, and more recently have made it possible to bypass one of the highest levels of security of a SoC, namely the Secure Boot. However, the technologies integrated into this type of target are increasingly sophisticated, with Package-on-Package (PoP) electronic devices and technology nodes less than or equal to 7 nm, such as the new Samsung S20. Implementing these attacks requires cutting-edge equipment not currently commercially available (very small diameter probes, high transient current pulse generators, magnetometers and broadband current sensors with high spatial resolution, etc.). The thesis defended in 2022 by Clément Gaine [1] within our team made it possible to study several components of the EM injection chain, in particular a main element such as the electromagnetic injection probe.
Other fields are to be explored, in particular the complete injection chain from the pulse generator to the creation of an electromotive force in the target, induced by the EM probe via very high current gradients (di/dt). Mastering the complete chain makes it possible to design the most suitable injection system to characterize a smartphone type target and resolve the obstacles linked to this type of target such as: the complex microarchitecture, the multilayer software stack, the complex packaging with in particular the stacking of several components on the same chip (PoP).
The main objective of this thesis is to study a new EM injection approach and its potential to circumvent certain security mechanisms of a smartphone. This will allow hardware security characterisation tools to evolve in order to meet the growing need for the security characterisation of SoCs. In terms of applications, the forensic domain aims to circumvent and/or supplement the limits of legal data mining techniques based on "0-day" vulnerabilities by exploiting flaws in hardware implementations that cannot be corrected on the same target model.
To achieve this objective, the PhD student will first be required to characterise, test and validate the new ultra-fast switching attack approach and the magnetometric and amperometric measurement means recently developed in the laboratory. At the same time, the doctoral student will carry out bibliographical and experimental work on the physiological risk potentially linked to exposure to short-duration EM pulses. The results will be used to define new protocols allowing operators to carry out their EM injection experiments in a safe environment and, if necessary, to develop standards in this area. Secondly, the doctoral student will devote part of their work to modelling the transient magnetic flux and the transfer of induced power in high- or low-impedance targets, with a focus on the impact of the orientation of the field and the polarity of the pulse on the fault or glitch model for different types of transistors (NMOS, PMOS, JFET).

[1] https://cea.hal.science/search/index/?q=*&authFullName_s=Cl%C3%A9ment%20Gaine
More here: https://vimeo.com/441318313 (project video)