
On measurable side-channel leaks inside ASIC design primitives

Journal of Cryptographic Engineering

Abstract

Leaks inside semi-custom application-specific integrated circuit design primitives are rigorously investigated. The study is conducted by measuring a dedicated test element group chip with a small magnetic field probe on the chip surface. The measurement targets are standard cells and a memory macro cell. Leaks inside the primitives are the focus, since many conventional countermeasures place their measurability boundaries at these primitives. Firstly, the current-path leak, a leak based on the input-dependent active current path within a standard cell (Takahashi 2012; Takahashi and Matsumoto IEICE Electron Express 9:458–463, 2012), is shown to be measurable. Major gate-level countermeasures [Random Switching Logic (RSL), MDPL, and WDDL] become vulnerable once the current-path leak is considered. Secondly, the internal-gate leak, a leak based on a non-linear sub-circuit within an XOR cell, is shown to be measurable. It can be exploited to bias the distribution of the random mask. Thirdly, the geometric leak, a leak based on the geometric layout of the memory matrix structure, is shown to be measurable. It is a leak correlated to the integer representation (cf. Hamming weight) of the memory address. We also show that a ROM-based countermeasure (dual-rail RSL memory; Hashimoto et al. 2012) becomes vulnerable with the geometric leak. A general transistor-level design method to counteract the current-path and internal-gate leaks is also shown.


Notes

  1. Takahashi’s result on RSL is summarized in Appendix A.

  2. Note that the direction of the magnetic flux should also be considered for a detailed discussion.

References

  1. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) Advances in Cryptology–CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 1999. Proceedings, Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, Berlin (1999)

  2. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer-Verlag, New York (2007)

  3. Suzuki, D., Saeki, M., Ichikawa, T.: DPA leakage models for CMOS logic circuits. In: Rao, J.R., Sunar, B. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2005: 7th International Workshop, Edinburgh, UK, Aug 29-Sept 1, 2005. Proceedings, Lecture Notes in Computer Science, vol. 3659, pp. 366–382. Springer, Berlin (2005)

  4. Maghrebi, H., Prouff, E., Guilley, S., Danger, J.-L.: A first-order leak-free masking countermeasure. In: Topics in Cryptology–CT-RSA 2012, The Cryptographers' Track at the RSA Conference 2012, pp. 156–170. Springer, Berlin (2012)

  5. Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Mangard, S., Standaert, F.-X. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2010: 12th International Workshop, Santa Barbara, USA, August 17–20, 2010. Proceedings, Lecture Notes in Computer Science, vol. 6225, pp. 125–139. Springer, Berlin (2010)

  6. Suzuki, D., Saeki, M., Ichikawa, T.: Random switching logic: a countermeasure against DPA based on transition probability. In: IACR Cryptology ePrint Archive 2004/346. http://eprint.iacr.org/2004/346.pdf (2004)

  7. Mangard, S., Schramm, K.: Pinpointing the side-channel leakage of masked AES hardware implementations. In: Goubin, L., Matsui, M. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2006: 8th International Workshop, Yokohama, Japan, Oct 10–13, 2006. Proceedings, Lecture Notes in Computer Science, vol. 4249, pp. 76–90, Springer, Berlin (2006)

  8. Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Power and electromagnetic analysis: improved model, consequences and comparisons. Integr. VLSI J. 40(1), 52–60 (January 2007)


  9. Takahashi, Y.: Cryptographic module evaluation methods for resistance against power analysis attacks. Doctoral thesis, Yokohama National University (2012) (in Japanese)

  10. Takahashi, Y., Matsumoto, T.: A proper security analysis method for CMOS cryptographic circuits. IEICE Electron. Express. 9(6), 458–463 (2012)


  11. Hashimoto, Y., Iwai, K., Shiozaki, M., Asagawa, S., Ukai, S., Fujino, T.: AES cryptographic circuit utilizing dual-rail RSL memory technique. In: 29th Symposium on Cryptography and Information Security (2012) (in Japanese)

  12. Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Mangard, S., Standaert, F.-X. (eds.) Cryptographic Hardware and Embedded Systems–CHES 2010: 12th International Workshop, Santa Barbara, USA, Aug 17–20, 2010. Proceedings, Lecture Notes in Computer Science, vol. 6225, pp. 320–334. Springer, Berlin (2010)

  13. Silicon zoo: Megamos chip XOR gate. http://www.siliconzoo.org/megamos.html (2013). Retrieved 20 Feb 2014

  14. Hoogvorst, P., Duc, G., Danger, J.-L.: Software implementation of dual-rail representation. In: 2nd International Workshop on Constructive Side-Channel Analysis and Secure Design–COSADE 2011, Darmstadt, Germany, 24–25 Feb 2011

  15. Shah, S., Velegalati, R., Kaps, J., Hwang, D.: Investigation of DPA resistance of block RAMs in cryptographic implementations on FPGAs. In: 2010 International Conference on Reconfigurable Computing and FPGAs (ReConFig), pp. 274–279, 13–15 Dec 2010

  16. Konur, E., Ozelci, Y., Arikan, E., Eksi, U.: Power analysis resistant SRAM. In: Automation Congress, 2006. WAC’06, pp. 1–6, 24–26 July 2006

  17. Rožić, V., Dehaene, W., Verbauwhede, I.: Design solutions for securing SRAM cell against power analysis. In: 2012 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 122–127, 3–4 June 2012

  18. Side-channel Attack Standard Evaluation Board (SASEBO-RII). http://www.morita-tech.co.jp/SAKURA/en/hardware/SASEBO-RII.html (2013). Retrieved 20 Feb 2014

  19. Tiri, K., Verbauwhede, I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: Design, Automation and Test in Europe Conference and Exhibition, 2004. Proceedings, vol. 1, pp. 246–251, 16–20 Feb 2004

  20. Tiri, K., Schaumont, P.: Changing the odds against masked logic. In: SAC’06 Proceedings of the 13th International Conference on Selected Areas in Cryptography, pp. 134–146. Springer, Berlin (2007)

  21. Uyemura, J.P.: Introduction to VLSI Circuits and Systems. Wiley, New York (2001)


Acknowledgments

The authors appreciate Dr. Yoshio Takahashi for his pioneering work on the current-path leak [9, 10] which stimulated this study. The authors would like to thank the anonymous reviewers at CHES 2013 and JCEN for their valuable comments.

Corresponding author

Correspondence to Takeshi Sugawara.

Additional information

This research was supported by Japan Science and Technology Agency (JST) CREST Dependable VLSI Systems Project.

Appendices

Appendix A: Summary of results by Takahashi

The current-path leak was originally introduced by Takahashi [9, 10] to attack RSL. His result is briefly summarized in this Appendix.

RSL NAND (Fig. 21) maps \((x_R, y_R, R)\) to \(\overline{x \cdot y} \oplus R\), where \(x_R\) and \(y_R\) are masked data (i.e., raw data \(x\) and \(y\) masked with \(R\)). Current paths in the evaluation phase where the output transits from 0 to 1 are considered. The possible current paths are summarized in Fig. 21. There are four possible cases, namely (i) ch1, (ii) ch2, (iii) ch3, and (iv) ch1 + ch2 + ch3. All three paths are established only in case iv, so an abnormal ON-resistance is expected. As a result, case iv is distinguishable from the other cases.

Fig. 21

RSL NAND and its active current path on low-to-high transitions

Figure 22 summarizes a new transition table that takes the current-path leak into account. In the table, the symbol \(\alpha \) represents case iv, where all three paths are ON, while \(\beta \) represents cases i–iii, where one of the three paths is ON (see Fig. 21). When the mask \(R\) is averaged out, we get the right-most column. The input \((x, y)=(0, 0)\) is distinct from the others. It is a raw-data-dependent leak.

Fig. 22

Transition table of RSL NAND considering the current-path leak
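The mask-averaging step of this Appendix can be reproduced with a small enumeration. The following Python is an added example, not code from the paper: it models the RSL NAND functionally, evaluates every \((x, y, R)\) for a precharge-to-0 then evaluate cycle, and averages the leak over \(R\) under two path models. Fig. 21 is not on the page, so the assignment of the masked input \((0, 0, 0)\) to case iv (\(\alpha\), three paths ON) and of every other transitioning input to cases i–iii (\(\beta\), one path ON) is an assumption of this example, as is treating the number of ON paths as the leak magnitude and a cycle without a 0-to-1 transition as leaking nothing.

```python
# Added example (not from the paper): enumerating the RSL NAND transition table of
# Appendix A and averaging the mask out under an ideal and a current-path leak model.
from itertools import product


def rsl_nand(x_r, y_r, r):
    """Functional model of the RSL NAND: (x_R, y_R, R) -> NOT(x AND y) XOR R,
    where the raw inputs are x = x_R XOR R and y = y_R XOR R."""
    x, y = x_r ^ r, y_r ^ r
    return (1 - (x & y)) ^ r


def ideal_paths(x_r, y_r, r):
    """RSL's design assumption: every low-to-high output transition looks the same."""
    return 1


def current_path_model(x_r, y_r, r):
    """HYPOTHETICAL assignment of the active-path cases of Fig. 21 (not on the page):
    masked input (0, 0, 0) is taken as case iv (alpha: ch1 + ch2 + ch3, three paths ON)
    and every other transitioning input as one of cases i-iii (beta: one path ON).
    The number of ON paths is used as the leak magnitude."""
    return 3 if (x_r, y_r, r) == (0, 0, 0) else 1


def transition_leak(x_r, y_r, r, path_model):
    """Leak of one precharge-then-evaluate cycle. The output is precharged to 0, so an
    evaluation result of 1 is a 0->1 transition; a cycle without a transition is
    modelled as leaking nothing (modelling assumption)."""
    if rsl_nand(x_r, y_r, r) == 0:
        return 0
    return path_model(x_r, y_r, r)


def transition_table(path_model):
    """Rows of Fig. 22: leak for every raw (x, y) and mask R, evaluated in the masked domain."""
    return {(x, y, r): transition_leak(x ^ r, y ^ r, r, path_model)
            for x, y, r in product((0, 1), repeat=3)}


def mask_averaged_leak(path_model):
    """Right-most column of Fig. 22: average the leak over R for each raw (x, y).
    A non-constant column is a raw-data-dependent leak."""
    table = transition_table(path_model)
    return {(x, y): sum(table[(x, y, r)] for r in (0, 1)) / 2
            for x, y in product((0, 1), repeat=2)}


def is_data_dependent(path_model):
    """True if averaging over the mask still leaves the leak dependent on (x, y)."""
    return len(set(mask_averaged_leak(path_model).values())) > 1


if __name__ == "__main__":
    for name, model in (("ideal RSL", ideal_paths),
                        ("with current-path leak", current_path_model)):
        print(name, mask_averaged_leak(model), "data-dependent:", is_data_dependent(model))
```

Under the ideal model every raw input averages to the same value (a transition probability of 1/2 regardless of data, which is RSL's security argument); under the current-path model the \((0, 0)\) row stands out after averaging, reproducing the Appendix's conclusion. The same `mask_averaged_leak` routine applies to any per-cell leak model a designer wants to check against a masking scheme.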

Appendix B: Dual-rail RSL memory

The dual-rail RSL memory [11] is a ROM-based countermeasure that implements a function mapping from \((x \oplus r, r, r')\) to \(S[x] \oplus r'\), where \(S[\cdot ]\) is an Sbox, and \(r\) and \(r'\) are random masks. Its basic ideas are:

  1. Combining the random masking technique (address and data lines of the ROM) with the dual-rail precharge logic technique (ROM peripheral circuits such as decoders and sense amplifiers)

  2. Using domino-RSL gates at the boundary between the masked I/O lines and the dual-rail ROM internal circuits

  3. One-hot decoded row/column selection signals

  4. ROM cells with dual-rail bit-lines

As also mentioned in [17], a regular memory structure is suitable for implementing dual-rail and precharge techniques, because the balanced layout of dual-rail lines and glitch-free timing control are easier to achieve in a memory structure than in logic circuits. Figure 23 shows the internal structure of the dual-rail RSL memory. It operates as follows. Firstly, the single-ended input \(x \oplus r\) is unmasked and converted to the dual-rail signal \((x, \overline{x})\) by the domino XOR gate at the boundary. Then, the dual-rail signal is fed to the row/column decoders. Owing to the dual-rail and precharge technique with one-hot decoded selection signals, the total toggle count in the decoding is independent of the input address. The cell array is similar to the one shown in Fig. 4, but hard-wired cells with dual-rail bit-lines are employed. When the ROM content is read from the cell array as a dual-rail signal, it is converted back to a single-ended signal with the new mask \(r'\) at the MUX circuit.

Fig. 23

Internal structure of the dual-rail RSL memory
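A bit-level model of the read path just described makes the toggle-count argument concrete. The following Python is an added example, not code from the paper or from [11]: it walks the four steps (boundary unmasking to dual-rail, one-hot row/column decoding, dual-rail bit-line read, remasking at the MUX) for a constructed 16-entry, 4-bit table (the Sbox contents and the 4 x 4 row/column split are this example's own choices) and counts the lines that rise from precharge in one cycle. The function names are hypothetical.

```python
# Added example (not from the paper): bit-level model of the dual-rail RSL memory
# read path of Appendix B, with a constructed 4-bit table as ROM content.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # constructed sample content
ADDR_BITS = 4   # 16-entry ROM: high 2 address bits select the row, low 2 the column
DATA_BITS = 4


def to_dual_rail(value, nbits):
    """Single-ended value -> list of (bit, NOT bit) pairs; exactly one line per pair rises."""
    return [((value >> i) & 1, 1 - ((value >> i) & 1)) for i in range(nbits)]


def from_dual_rail(pairs):
    """Inverse of to_dual_rail, taking the true rail of each pair."""
    return sum(b << i for i, (b, _) in enumerate(pairs))


def one_hot(index, size):
    """One-hot decoded selection vector: exactly one line rises whatever the index."""
    return [1 if i == index else 0 for i in range(size)]


def dual_rail_rsl_memory_read(x_masked, r, r_new):
    """One read: (x XOR r, r, r') -> S[x] XOR r', following the steps of Appendix B.
    Returns the masked output, the toggle count and the selected physical row/column."""
    # Step 1: the domino XOR at the boundary unmasks the address into dual-rail form.
    x = x_masked ^ r
    addr_dual = to_dual_rail(x, ADDR_BITS)
    # Step 2: the dual-rail address bits drive one-hot row and column decoders.
    row_sel = one_hot(x >> 2, 4)
    col_sel = one_hot(x & 0b11, 4)
    # Step 3: the hard-wired cell array returns the selected word on dual-rail bit-lines.
    row, col = row_sel.index(1), col_sel.index(1)
    data_dual = to_dual_rail(SBOX[row * 4 + col], DATA_BITS)
    # Step 4: the MUX converts back to single-ended with the fresh mask r'.
    out = from_dual_rail(data_dual) ^ r_new
    # Toggle count under the usual Hamming/toggle DPA model: each dual-rail pair and
    # each one-hot vector contributes exactly one rising line, whatever the address.
    toggles = (sum(b + nb for b, nb in addr_dual) + sum(row_sel) + sum(col_sel)
               + sum(b + nb for b, nb in data_dual))
    return {"out": out, "toggles": toggles, "row": row, "col": col}


def toggle_counts_over_all_inputs():
    """Set of toggle counts seen across every (x, r, r') combination."""
    return {dual_rail_rsl_memory_read(x ^ r, r, r_new)["toggles"]
            for x in range(16) for r in range(16) for r_new in range(16)}


def functional_check():
    """The output unmasked with r' must equal S[x] for every input and mask."""
    return all(dual_rail_rsl_memory_read(x ^ r, r, r_new)["out"] ^ r_new == SBOX[x]
               for x in range(16) for r in range(16) for r_new in range(16))


if __name__ == "__main__":
    print("toggle counts:", toggle_counts_over_all_inputs(), "functional:", functional_check())
```

The toggle count is the same for every address, mask and data word, which is the property the countermeasure relies on. The returned `row` and `col` fields are the part the toggle model does not see: which physical word-line and bit-line rose, i.e. the position in the layout that the geometric leak of the abstract correlates with the integer value of the address. A leakage assessment of such a macro therefore has to measure position-dependent effects on the actual chip rather than rely on toggle counting alone.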


Cite this article

Sugawara, T., Suzuki, D., Saeki, M. et al. On measurable side-channel leaks inside ASIC design primitives. J Cryptogr Eng 4, 59–73 (2014). https://doi.org/10.1007/s13389-014-0078-6
