Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Meizhi Wang, Shanshan Xie, Ping Na Li, Aseem Sayal, Ge Li, Vishnuvardhan V. Iyer, Aditya Thimmaiah, Michael Orshansky, Ali E. Yilmaz, and Jaydeep P. KulkarniECE Department, University of Texas at AustinE-mail: [email protected], [email protected]
15-2: Power and Electromagnetic Side-Channel Attack Resilient Secure AES Core utilizing Galvanic Isolation approach with Integrated Charge Pump based Power Management
28 April 2021 Circuit Research Labhttps://sites.utexas.edu/CRL/
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
Outline
2
Outline
3
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
4
https://www.keirex.com/e/Kti072_SecurityMeasure_e.html
Side Channel Analysis
• Easy physical access
• Inexpensive
• High successful rate
Outline
5
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
Prior Work: Power SCA resilient approaches
• Constant Current Signature
• Randomized Current Signature
6
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
• Randomized Current Signature
7
(a)
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
- (b) Shunt Regulator
• Randomized Current Signature
8
(a) (b)
VTARGET
IOUT
VOUT
CL
IIN
VIN
IBLEED
Control
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
- (b) Shunt Regulator
• Randomized Current Signature
- (c) Low Drop Out Regulator
9
(a) (b)
(c)
VTARGET
IOUT
VOUT
CL
IIN
VIN
IBLEED
Control
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
VREF
VIN
IIN
IOUT
VOUT
CL
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
- (b) Shunt Regulator
• Randomized Current Signature
- (c) Low Drop Out Regulator
- (d) Buck Converter
10
(a) (b)
(c) (d)
VTARGET
IOUT
VOUT
CL
IIN
VIN
IBLEED
Control
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
VREF
VIN
IIN
IOUT
VOUT
CL
IOUT
CL
VOUT
C
L
VIN
Φ1
Φ2
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
- (b) Shunt Regulator
• Randomized Current Signature
- (c) Low Drop Out Regulator
- (d) Buck Converter
- (e) Switched-Capacitor Voltage Regulator
11
(a) (b)
(c) (d) (e)
VTARGET
IOUT
VOUT
CL
IIN
VIN
IBLEED
Control
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
VIN
CFLY
Φ1
Φ2
VOUT
Φ2
CL
Φ1
IOUT
IIN
VREF
VIN
IIN
IOUT
VOUT
CL
IOUT
CL
VOUT
C
L
VIN
Φ1
Φ2
Prior Work: Power SCA resilient approaches
• Constant Current Signature
- (a) Switch Capacitor Current Equalizer
- (b) Shunt Regulator
• Randomized Current Signature
- (c) Low Drop Out Regulator
- (d) Buck Converter
- (e) Switched-Capacitor Voltage Regulator
12
(a) (b)
(c) (d) (e)
No VSS pins are isolated in these
approaches
VTARGET
IOUT
VOUT
CL
IIN
VIN
IBLEED
Control
C
Φ1
Φ2
Φ3
VIN
VREF
IIN
IOUT
VOUT
CL
VIN
CFLY
Φ1
Φ2
VOUT
Φ2
CL
Φ1
IOUT
IIN
VREF
VIN
IIN
IOUT
VOUT
CL
IOUT
CL
VOUT
C
L
VIN
Φ1
Φ2
Outline
13
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
Motivation: Susceptibility to the ground bounce
14
• Ball grid array (BGA) pins near to crypto core may reveal circuit VSS bounce that can be used for side-channel analysis
time(ns)
V(m
V)
CLK 100MHz
Correct key
Incorrect key
MTD=6000
50 Vss bounce traces of the final encryption round
co
rre
lati
on
traces
(a) (b)
Crypto
Core
Simulation flow
15
𝑁e = No. of encryptions𝑁n = No. of VSS nodes
Simulation results on a 128-bit AES computing core
16
• Correlation attack shows key byte 1 is revealed using 6000 traces
time(ns)
V(m
V)
CLK 100MHz
Correct key
Incorrect key
MTD=6000
50 Vss bounce traces of the final encryption round
co
rre
lati
on
traces
(a) (b)
time(ns)
V(m
V)
CLK 100MHz
Correct key
Incorrect key
MTD=6000
50 Vss bounce traces of the final encryption round
co
rre
lati
on
traces
(a) (b)
• Implement a 128b Advanced Encryption standard (AES) core
• Simulated VSS bounce waveforms for correlation attack
Outline
17
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
Principle of Galvanic Isolation (GI)
• Isolates two electrical systems, preventing direct current flow and breaking ground loops between two circuits.
18
• Transformer:
- Primary (input) side potentially lethal transient
voltages and currents
- Secondary side is completely isolated for safety
N:1
SecondaryPrimary
Transformer: Isolated
energy transfer
Principle of Galvanic Isolation (GI)
• Isolates two electrical systems, preventing direct current flow and breaking ground loops between two circuits.
19
• Transformer:
- Primary (input) side potentially lethal transient
voltages and currents
- Secondary side is completely isolated for safety
- Flyback converter:
- Inductor based Galvanic Isolation topology
- Protecting low voltage devices from high
voltages transients
N:1
SecondaryPrimary
Transformer: Isolated
energy transfer
N:1VOUT
CL
VIN
C
D
Flyback converter
Outline
20
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
• Apply capacitor based Galvanic Isolation topology to minimize ground bounce susceptibility
• Primary side: external power domain
• Secondary side: crypto core power domain
Proposed GI AES
21
Galvanic Isolation
Crypto Logic
Compute Domain
External
Power Domain
L1 L2
GND1 GND2
• Apply capacitor based Galvanic Isolation topology to minimize ground bounce susceptibility
• Primary side: external power domain• Scan chain Interface
• Power management unit
• Secondary side: crypto core power domain
Proposed GI AES
22
Galvanic Isolation
Crypto Logic
Compute Domain
External
Power Domain
L1 L2
GND1 GND2
VTOP
VBOTVSS
VCC
Capacitor
Bank
128 bit
AES
Core
Scan Chain Interface
Power Management Unit Control
Data
• Apply capacitor based Galvanic Isolation topology to minimize ground bounce susceptibility
• Primary side: external power domain• Scan chain Interface
• Power management unit
• Secondary side: crypto core power domain
• Capacitor bank
• A 128-bit AES core
Proposed GI AES
23
Galvanic isolation decouples AES engine compute domain and external power domain completely
Galvanic Isolation
Crypto Logic
Compute Domain
External
Power Domain
L1 L2
GND1 GND2
VTOP
VBOTVSS
VCC
Capacitor
Bank
128 bit
AES
Core
Scan Chain Interface
Power Management Unit Control
Data
• 3D illustration:
- AES in deep N-well, isolated P-substrate, powered by 𝑉𝑇𝑂𝑃 𝑉𝐵𝑂𝑇
- Capacitor bank (*2 layers drawn for illustration purpose)
- PMU and scan chain interface
Proposed GI AES
24
*MoM capacitors (only two metal layers are shown for illustration purpose)
3D illustration of AES in deep N-well and capacitor bank,
PMU and scan chain interface
GI-AES Architecture: System overview
25
• Scan chain interface for data exchanging
GI-AES Architecture: Main blocks
26
Scan chain
• A 128b AES Engine for data encryption
• Operating in 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 power domain
GI-AES Architecture: Main blocks
27
AES Engine
• Capacitance based galvanic isolation
• Power AES in 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 domain during encryption
GI-AES Architecture: Main blocks
28
Capacitor Bank
• Control capacitor bank to maintain functional 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 voltage range
GI-AES Architecture: Main blocks
29
PMU
GI-AES Architecture: Design techniques
• Header and footer transistors: decouple 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 rail from VCC/VSS rail
• Isolate the external and the internal power domain (AES).
30
1
1
1
• Deep N well: covering the AES engine, isolating the local substrate
AES ground is completely isolated
GI-AES Architecture: Design techniques
31
2
2
GI-AES Architecture: Design techniques
• Capacitor banks: charge pump based voltage doubler circuit
32
3
3
• 𝐶0 as the main capacitor and multiple smaller capacitor pairs
• Multi-stage voltage doubler circuit
GI-AES Architecture: Design techniques
33
3
3
S1A1
S1B1
S1A2
S1B2
S1AB
S2B2
S2AB
S2A1
S2A2
S3A1
S3A2
S3B2
S3AB
S3B1S2B1
C0
• Three operation phases: Precharge, Compute, Charge sharing
GI-AES Architecture: Design techniques
34
3
Precharge phase:• Header and footer are connected• All capacitors are fully charged to VCC/VSS
Compute CLK
Boost-1
Boost-2
CS
VCC
Vtop
Vbot
VSS
Vdelta < Vcrit
Precharge Compute Charge share
• Three operation phases: Precharge, Compute, Charge sharing
GI-AES Architecture: Design techniques
35
3
Precharge phase:• Header and footer are connected• All capacitors are fully charged to VCC/VSS
Compute phase:• Header and footer are disconnected• Capacitor bank powers AES Core• Voltage boostings are triggered sequentially
Compute CLK
Boost-1
Boost-2
CS
VCC
Vtop
Vbot
VSS
Vdelta < Vcrit
Precharge Compute Charge share
• Three operation phases: Precharge, Compute, Charge sharing
GI-AES Architecture: Design techniques
36
3
Precharge phase:• Header and footer are connected• All capacitors are fully charged to VCC/VSS
Compute phase:• Header and footer are disconnected• Capacitor bank powers AES Core• Voltage boostings are triggered sequentially
Charge sharing• Discharge capacitors to mask real charge
consumption
Compute CLK
Boost-1
Boost-2
CS
VCC
Vtop
Vbot
VSS
Vdelta < Vcrit
Precharge Compute Charge share
GI-AES Architecture: Design techniques
37
4
4• Dual rail sense amp: trigger the next boosting stage if 𝑉𝑇𝑂𝑃 and 𝑉𝐵𝑂𝑇 are below 𝑉𝑟𝑒𝑓
• Current signature remain the same in each cycle, not prone to SCA
GI-AES Architecture: Design techniques
• Charge share transistor: discharges all the capacitors to certain predefined voltage.
• Uniform on 𝑉𝑇𝑂𝑃 and 𝑉𝐵𝑂𝑇 before each precharge cycle
38
5
5
GI-AES Architecture: Design techniques
Dual rail sense amp (uniform current signature) as a level shifter to transfer signal from voltage level VTOP/VBOT to voltage level VCC/VSS .
39
6
6
Outline
40
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
Die photo, Measurement Summary
• Technology: 40 𝑛𝑚 CMOS
• [email protected]𝑉: 23 𝑚𝑊
• Area(𝑚𝑚2):• AES Core 0.032
• Level Shifter 0.00795
• PMU 0.00136
• Capacitor Switches 0.00429
• Capacitor Bank 0.178
• Total Area 0.2236
41
Outline
42
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- VSS bounce SCA
- EM SCA
• Comparison & Conclusion
VSS Bounce SCA Measurement: Setup
• VSS bounce waveforms and cipher text collected by the oscilloscope are used for SCA
43
Oscilloscope
Function
GeneratorTest-chip and
Microcontroller
Power supply
• Oscilloscope measurement show successful multiple voltage boosting
VSS Bounce SCA: Stand alone charge pump circuit
44
1.2V
0V
8μs
S1A1
S1B1
S1A2
S1B2
S1AB
S2B2
S2AB
S2A1
S2A2
S3A1
S3A2
S3B2
S3AB
S3B1S2B1
C0
Charge pump design architecture
• 6 major steps in one GI AES operation and successful 𝑉𝑇𝑂𝑃/𝑉𝐵𝑂𝑇 boostings are demonstrated in the oscilloscope measurements
VSS Bounce SCA: Flow chart & Timing diagram
45
BOOST2
BOOST1 AES Core
CLK
CLKKey Ready
Data Ready
AES Busy
Idle
CS
VBOT
VTOP
Compute
5
2
3
41
46
1V
0.51V
GI AES timing diagram & Vtop Vbot waveformsGI AES flow chart
VCC VSS
VSS Bounce SCA Measurement
46
AES Core CLK
AES Busy
VSS1
VSS2
VSS3
VSS4
VSS2
VSS1
VSS4
VSS3
20ns
Baseline AES
AES Core CLK
AES Busy
25ns
100mV
VSS1
VSS2
VSS3
VSS4
GI AES
• Four randomly located VSS nodes for ground bounce monitoring
VSS Bounce SCA: Correlation attack
47
• Target on the last encryption round
• Baseline AES Key Byte 1 is revealed with 5000 traces.
• The correct key has a distinct high correlation value.
traces key guesses
traces
co
rre
lati
on
co
rre
lati
on
co
rre
lati
on
Correct key Incorrect key
MTD = 50001.47X
(a) Baseline AES
(b) GI AES
The correct key is not yet found
after 3 millions traces by CPA
Correlation attack results
VSS Bounce SCA: Correlation attack
48
traces key guesses
traces
co
rre
lati
on
co
rre
lati
on
co
rre
lati
on
Correct key Incorrect key
MTD = 50001.47X
(a) Baseline AES
(b) GI AES
The correct key is not yet found
after 3 millions traces by CPA
Correlation attack results• Target on the last encryption round
• Baseline AES Key Byte 1 is revealed with 5000 traces.
• The correct key has a distinct high correlation value.
• GI AES :
• The secret key is not revealed within 3 million traces
• Improving power SCA resilience by >600X
VSS Bounce SCA: Test vector leakage assessment (TVLA)
49
• Run encryption on two data sets, each containing 20,000 fixed plaintexts and 20,000 random plaintexts.
time (ns)
frequency (MHz)
|t-v
alu
e|
|t-v
alu
e|
Time domain
• GI AES reduces max |t-value| under 4.5 threshold value
• Improving TVLA results by 6.5X in time domain
time (ns)
frequency (MHz)
|t-v
alu
e|
|t-v
alu
e|
time (ns)
frequency (MHz)|t
-va
lue
||t
-va
lue
|
VSS Bounce SCA: Test vector leakage assessment (TVLA)
50
• Run encryption on two data sets, each containing 20,000 fixed plaintexts and 20,000 random plaintexts.
time (ns)
frequency (MHz)
|t-v
alu
e|
|t-v
alu
e|
Time domain
tim
e (
ns
)
fre
qu
en
cy (
MH
z)
|t-value| |t-value|
• GI AES reduces max |t-value| under 4.5 threshold value
• Improving TVLA results by 6.5X in time domain
Frequency domaintime (ns)
frequency (MHz)
|t-v
alu
e|
|t-v
alu
e|
• GI AES reduces max |t-value| under 4.5 threshold value
• Improving TVLA results by 25X in requencydomain
tim
e (
ns
)
fre
qu
en
cy (
MH
z)
|t-value| |t-value|
Outline
51
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
EM SCA Measurement Setup
• The EM SCA attack uses a 10-mm H-field probe 1-mm above the package.
52
Oscilloscope
MATLAB
Test-chip andMicrocontroller
EM Probe with holder
EM SCA Measurement & Correlation EM Attack (CEMA)
• EM waveforms at the last encryption cycle- CLK: 15 𝑀𝐻𝑧
- Correlation EM Attack window size 100 𝑛𝑠
53
tracestracestime (ns)
co
rre
lati
on
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
tracestracestime (ns)
co
rre
lati
on
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
EM waveforms
EM SCA Measurement & Correlation EM Attack (CEMA)
• EM waveforms at the last encryption cycle- CLK: 15 𝑀𝐻𝑧
- Correlation EM Attack window size 100 𝑛𝑠
54
tracestracestime (ns)
co
rre
lati
on
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
tracestracestime (ns)
co
rre
lati
on
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
• Baseline AES: Key Byte 1 is revealed with ~9000 traces.
• GI-AES secret key not revealed even within 2 million traces, improving resilience by >220X.
EM waveforms
CEMA results: Baseline & GI AES
tracestracestime (ns)
co
rre
lati
on
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
tracestracestime (ns)c
orr
ela
tio
n
Vo
lta
ge
(V)
co
rre
lati
on
(a.3) Baseline AES EM SCA
MTD = 10000
(a.4) GI AES EM SCA(a.2) Baseline AES EM field
Correct key
Incorrect key
Correct key
Incorrect key
EM SCA window
size: 100 ns
CLK 15MHz
9
Outline
55
• Side Channel Analysis (SCA)
• Prior Work: Power SCA resilient approaches
• Motivation: Susceptibility to the ground bounce
• Proposed Work
- Principle of Galvanic Isolation (GI)
- Proposed GI-AES architecture
• Test-chip measurement
- Die photo, Measurement summary
- Power SCA
- EM SCA
• Comparison & Conclusion
ParametersISSCC’17
[3]
ISSCC'19
[4]
ISSCC'20
[5]VLSI'20 [6]
This Work
Baseline Proposed Improvement
Technology 130nm 130nm 65nm 14nm 40nm -
AES Power (mW) 10.5 10.9 1.2 8%+ 10 23 -2.3X
AES Frequency 40MHz 80MHz 50MHz 100MHz 50MHz 40MHz -20%
Area (mm2) 10.002135 1.75 0.205 10%+ 0.032 20.0456 -1.425X
Countermeasure
Type
Integrated
Voltage
Regulator
Digital
LDO
Regulator
Current
Attenuation
Digital LDO,
Arithmetic-
Galvanic
Isolation
Improved
Vcc, Vss, and
substrate
isolation
CPA MTD
(1 Byte)>100,000 8.4M 1B 1B 5,000 > 3M > 600X+
Time Domain
Max |t-value|2.5 11.9
5.2
(1M traces)
4.5
(250M)24 3.7 6.5X
Frequency
Domain
Max |t-value|
4 - -4.5
(250M)97 3.9 25X
EM SCA MTD
(1 Byte)- 6M 1B 1B 9,000 > 2M > 220X+
1Area overheads only 2Area includes level shifters, PMU and capacitor switches
Comparison
56
Conclusion
• VSS ground bounce can reveal the secret keys if tapped by the attacker.
• Proposed galvanic isolation technique for VCC, VSS and substrate isolation improves both power and EM resilience.
• Measured results from a 128-bit AES core show
- >600X improvement against correlation power attack (CPA)
- >220X improvement against coarse-grained EM SCA attack
- 20% lower frequency,
- 2.3X more power
- 0.0136 𝑚𝑚2larger area.
57
Acknowledgements
This research is supported in parts by Intel, Silicon
Labs, and NSF. Authors would like to thank TSMC for
chip fabrication, Dr. Sanu Mathew, Dr. Raghavan Kumar,
and Dr. Vivek De for helpful technical discussions.
58
59
What will happen if you use the AES within a SoC, will be possible to isolate the full SoC?
It’s not applicable to isolate the full SoC. Because capacitor based GlavanicIsolation design will require a huge capacitor bank to supply the full SoC, which is not area nor power efficient.
Isolating the AES core alone is sufficient to increase its resilience and because of the dual rial sense amp as level shifters, the AES core can exchange data with the SoC with no concerns.
60
ParametersISSCC’09
[1]
ISSCC’11
[2]
ISSCC’17
[3]
ISSCC'19
[4]
ISSCC'20
[5]VLSI'20 [6]
This Work
Baseline Proposed Improvement
Technology 130nm 130nm 130nm 130nm 65nm 14nm 40nm -
AES Power (mW) 33.32 - 10.5 10.9 1.2 8%+ 10 23 -2.3X
AES Frequency 100MHz 50MHz 40MHz 80MHz 50MHz 100MHz 50MHz 40MHz -20%
Area (mm2) 1.37 1.886 10.002135 1.75 0.205 10%+ 0.032 20.0456 -1.425X
Countermeasure
Type
SC Current
Equalizer
Duplicated
Data Paths
Integrated
Voltage
Regulator
Digital
LDO
Regulator
Current
Attenuation
Digital LDO,
Arithmetic-
Galvanic
Isolation
Improved
Vcc, Vss, and
substrate
isolation
CPA MTD
(1 Byte)10M 1M >100,000 8.4M 1B 1B 5,000 > 3M > 600X+
Time Domain
Max |t-value|- - 2.5 11.9
5.2
(1M traces)
4.5
(250M)24 3.7 6.5X
Frequency
Domain
Max |t-value|
- - 4 - -4.5
(250M)97 3.9 25X
EM SCA MTD
(1 Byte)- 800,000 - 6M 1B 1B 9,000 > 2M > 220X+
1Area overheads only 2Area includes level shifters, PMU and capacitor switches
Comparison
61
Comparison table reference
[1] C. Tokunaga, et al., ISSCC, 2009
[2] M. Doulcier-Verdier, et al., ISSCC, 2011
[3] M. Kar, et al., ISSCC, 2017
[4] A. Singh, et al., ISSCC, 2019
[5] D. Das, et al., ISSCC, 2020
[6] R. Kumar, et al., VLSI, 2020
62
Prior Work: Power SCA resilient approaches reference
C. Tokunaga, and D. Blaauw “Securing Encryption Systems with a Switched Capacitor Current Equalizer” IEEE Journal of Solid State Circuits (JSSC), pp. 23-31, Vol. 45, No. 1, January 2010
A. Singh, M. Kar, J. Ko, and S. Mukhopadhyay, “Exploring power attack protection of resource constrained encryption engines using integrated low-drop-out regulators,” in International Symposium on Low Power Electronics
Design, 2015, pp. 134–139.
M. Kar, A. Singh, S. Mathew, A. Rajan, V. De, S. Mukhopadhyay, “Improved Power-Side-Channel-Attack Resistance of an AES-128 Core via a Security-Aware Integrated Buck Voltage Regulator” Proceedings of International Solid State Circuits Conference (ISSCC), 2017, pp. 142-143
D4. D. Das, S. Maity, S. B. Nasir, S. Ghosh, A. Raychowdhury, and S. Sen, “High Efficiency Power Side-Channel Attack Immunity using Noise Injection in Attenuated Signature Domain”, CoRR, abs/1703.10328, 2017
63