A Simulation-Based Methodology for Evaluating the DPA-Resistanceof Cryptographic Functional Units with

Application to CMOS and MCML Technologies

Francesco Regazzoni', Stephane Badel2, Thomas Eisenbarth3, Johann GroBschadl4, Axel Poschmann3,Zeynep Toprak2, Marco Macchetti5, Laura Pozzi6, Christof Paar3, Yusuf Leblebici2, and Paolo Ienne7

1 ALaRI - University of Lugano, Lugano, Switzerland. E-mail: regazzoni@alari. ch2 School of Engineering, EPFL, Lausanne, Switzerland. E-mail: {stephane. badel, zeynep. toprak, yusuf . leblebici}@epf 1. ch

3Horst Gortz Institute for IT Security, Ruhr University Bochum, Germany. E-mail: {eisenbarth, poschmann, paar}@crypto. rub. de4 Department of Computer Science, University of Bristol, United Kingdom. E-mail: j ohann. groszschaedl@cs. bris. ac. uk

5 C.E. Consulting (Altran Group), Milan, Italy. E-mail: mmacchetti@ceconsulting. it6Faculty of Informatics, University of Lugano, Lugano, Switzerland. E-mail: laura.pozziQunisi.ch

7 School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland. E-mail: paolo. ienne@epf 1. ch

Abstract- This paper explores the resistance of MOS Cur-rent Mode Logic (MCML) against Differential Power Analysis(DPA) attacks. Circuits implemented in MCML, in fact, haveunique characteristics both in terms of power consumptionand the dependency of the power profile from the input signalpattern. Therefore, MCML is suitable to protect cryptographichardware from DPA and similar side-channel attacks.

In order to demonstrate the effectiveness of different logicstyles against power analysis attacks, the non-linear bijectivefunction of the Kasumi algorithm (known as substitution boxS7) was implemented with CMOS and MCML technology, anda set of attacks was performed using power traces derived fromSPICE-level simulations. Although all keys were discovered forCMOS, only very few attacks to MCML were successful.

I. INTRODUCTION

During the past ten years, a number of new techniquesfor attacking implementations of cryptographic algorithmshave been discovered. These techniques exploit informationleaking from a device (e.g., a smart card) while data isbeing processed. The term side-channel attacks summarizesall possible ways of collecting the leaked information: powerconsumption, timing, and electromagnetic emission are pos-sible examples [11]. Side-channel attacks which exploit thepower consumed by a device were reported for the first timein 1999 by Kocher et al [10]. The power consumption of adevice strongly depends on the data being processed, thusleaks information about the secret key. Among the differentvariants of power-based attacks, differential power analysis(DPA) and correlation power analysis (CPA) are of particularinterest since they do not require specific knowledge aboutthe implementation of the target device to be effective.

In this paper we analyse and demonstrate the robustnessof a special logic style, namely MOS Current Mode Logic(MCML), against DPA and CPA attacks. Previous papers onthis subject just argued robustness qualitatively or requiredhardware manufacturing to prove it. Contrary to past workwe evaluated the robustness of MCML with real attacks andwithout the need for manufacturing prototypes. In fact, we

developed a SPICE-level simulation environment that allowsto collect power traces in reasonable time, paving the wayto a more direct experimental study of DPA-resistance. Ourresults show that the traces obtained by simulating an S-boxrealised in MCML technology are difficult to attack. On theother hand, the same attacks were always successful whenperformed on a CMOS implementation of the S-box.

The remainder of this paper is organized as follows:Section II discusses related work, Section III overviews theKasumi algorithm, and Section IV describes the MCMLtechnology. The design flow proposed in this paper, includingsimulation-based power analysis, is explained in detail inSection V, and simulation results are presented in SectionVI. Finally, conclusions are drawn in Section VII.

II. BACKGROUND AND RELATED WORK

Side-channel cryptanalysis has emerged as a serious threatfor smart cards and other types of embedded systems per-forming cryptographic operations. Some side-channel attacksare an extremely powerful and practical tool for breakingcommercial implementations of cryptography. These attacksexploit the fact that any execution of a cryptographic algo-rithm on a physical device leaks information about sensitivedata (e.g., secret keys) involved in the computations. Manysources of side-channel information have been discovered inrecent years, including the power consumption and timingcharacteristics of a device [9], [10], as well as deliberatelyintroduced computational faults [3].

Simple power analysis (SPA) uses the leaked informationfrom a single computation, while differential power analysis(DPA) utilizes statistical methods to evaluate the informationobserved from multiple computations [10]. Currently, thereexists no perfect protection against DPA attacks. However, byapplying appropriate countermeasures, it is possible to makethe attacker's task more difficult. Proposed countermeasuresrange from algorithmic techniques [6], [16] over architecturalapproaches [13], [14], [8] down to hardware-related methods

1-4244-1058-4/07/$25.00 C 2007 IEEE 209

[15], [17]. All algorithmic and architectural countermeasureshave in common that they introduce either amplitude noise(to reduce the signal-to-noise ratio) or timing noise (toobscure the alignment of power traces). In both cases, morepower traces must be captured to mount an attack.A multitude of so-called DPA-resistant logic styles have

been proposed during the past five years. The idea behindthese logic styles is to tackle to problem of side-channelleakage at its actual root, namely at the hardware level. Thepower consumption of circuits realized with DPA-resistantlogic cells is uniform and, in the ideal case, independentof the processed data and the performed operations. The firstconcrete implementation of a DPA-resistant logic style wasreported by Tiri et al in 2002 [17]. Their Sense AmplifierBased Logic (SABL) combines the concepts of dual-raillogic and pre-charge logic [11]. SABL cells have a constantpower consumption, provided that they are designed andimplemented in a carefully balanced way. All SABL cellsof a circuit are connected to the clock signal and becomepre-charged simultaneously, which causes very high currentpeaks. Furthermore, SABL cells require at least twice asmuch silicon area as conventional CMOS cells and sufferalso from high delay. Besides the logic cells also the wiresconnecting these cells must be routed in a special balancedway to achieve a uniform power profile.

III. OVERVIEW OF THE KASUMI ALGORITHM

We focus on the block cipher Kasumi [1], which representsthe base of the standardized confidentiality algorithm of the3GPP (3rd Generation Partnership Project). Kasumi is aFeistel cipher with eight rounds and produces a 64-bit outputfrom a 64-bit input, whereby the secret key has a lengthof 128 bits. During encryption, the input I is divided intotwo 32-bit strings, called Lo and Ro. Then, for the followingi rounds, Li and Ri are defined as

Ri Li-l (1)

Li = Ri- I fi (Li_ 1, RKi ) (2)

where fi denotes the round function within Li and the roundkey RKi. The round function fi is constructed from sub-functions and has two different forms depending on whetherit is an even or odd round. It uses two S-boxes: S7, whichmaps a 7-bit input to a 7-bit output, and S9, which maps a9-bit input to a 9-bit output. These two S-boxes have beendesigned in such a way that they can be easily implementedusing a look-up table as well as combinatorial logic.

PlainTextKasumi S7 -- Register

SecretKey

Fig. 1. Overview of the considered part of the Kasumi Algorithm.

In this paper we focus on the S7 S-box. We implementedit as combinatorial logic composed of two level of AND-ORgates, as suggested in the standard specifications. Figure 1

shows a block diagram of the example that we consider inthis paper. The secret key is added to the plaintext and theresult is used to feed the substitution function. After thenon-linear transformation is calculated, the result is storedin a bank of D flip-flops. Such a setup coarsely reflects aone-round-per-clock-cycle implementation, and is the basicconfiguration for a DPA attack. A real implementation maydiffer from the one considered here; however our goal isto estimate the level of robustness intrinsically given by thelogic style, instead of attacking a particular implementationof the Kasumi block cipher.

IV. DESIGN OF DPA-RESISTANT FUNCTIONAL UNITSUSING MCML GATES

The circuit-level implementation of DPA-resistant logicgates requires systematic use of circuit techniques that: (i)have significantly suppressed power supply current levels,(ii) do not produce prominent current spikes or fluctuationsduring the switching events, and (iii) do not exhibit asignificant input pattern-dependence with respect to currentdrawn from the power supply [18]. It is worth noting thatthe classical CMOS logic gates do not fare particularly wellin any of these categories, and therefore, are not consideredto be a good choice for DPA-resistance, in general. StandardCMOS digital gates are notorious for generating sharp andinput-pattern dependent current pulses (also referred to asdelta-I noise [7], [2]) due to charging and discharging of thegate's parasitic capacitances and fan-out. This delta-I noiseis directly measurable as disturbances on the power suppliesand the substrate, which can be an important drawback whendesigning a DPA-resistant system.

Several different circuit design styles have been exploredas possible candidates for better DPA-resistance, includingdifferential circuit techniques like SABL [17] and CurrentMode Logic (CML). CML reduces the generated switchingnoise by about two orders of magnitude [19], [12], hencemaking it suitable for DPA-resistant hardware designs. Thisreduction is due to the differential and current steering natureof the logic style. The low delta-I noise generation combinedwith approximately the same amount of power dissipationas its CMOS counterpart makes the CML style an excellentcandidate for DPA-resistant logic gate design.

V/DD

Voutl

pMOSloaddevices

Vout2

Fig. 2. Schematic of an MCML buffer (or MCML inverter, depending onthe output signal definition).

210

A MOS Current Mode Logic (MCML) gate consists of atail current source, a current steering logic core, and adifferential load, as shown for the simplest MCML gate, theMCML buffer, in Figure 2. The operation of MCML circuitsis based on the principle of re-directing (or switching) thecurrent of a constant current source through a fully differen-tial network of input transistors, and utilizing the reduced-swing voltage drop on a pair of complementary load devicesas the output. Note that a logic inversion without additionaldelay is possible by simply exchanging the differential ter-minals. It is desired that the input voltage fully switches thetail current (Ibias) one way or the other. If the input pair isnot completely switched, part of the tail current is commonfor both input transistors and does not contribute in thedifferential output signal. Furthermore, if the input pair is notfully switched, the actual differential output current will besensitive to temperature and input pair offset voltage, whichis an undesirable property. The operation principle alreadysuggests that the power consumption is static (the circuitmust dissipate the same amount of current continuously)regardless of the switching activity and fan-out conditions.True differential operation of the circuit with small outputvoltage swing ensures fast switching times. Note that thepropagation delay is proportional to the output swing, andindependent of the power supply voltage. Other advantagesinclude better noise immunity compared to classical CMOSlogic circuits, and significantly less switching noise.The power dissipation of a CMOS gate is simply the

product of operation frequency and the charging/dischargingpower per unit switching. Thus, the average current a CMOSgate draws from the supply line increases linearly with theoperation frequency, while on the other hand, the operationfrequency has little impact on the power dissipation of anMCML gate. The supply current fluctuation in MCML gatesis typically 5% of the nominal tail current during switchingevents. Figure 3 shows the simulated current variation of anMCML buffer for a fan-out of 5. MCML circuits are alsomore robust against common-mode fluctuations (power sup-ply noise) due to their inherent common-mode rejection asa result of full differential signaling property.From the DPA-resistance point-of-view, it can be seen that

the supply-current variation of the MCML gate will remainsignificantly smaller during switching events, compared tothat of a conventional CMOS gate. At the same time, themagnitude of the supply-current variation is largely inde-pendent of the applied input vector, as well as of the fan-outload capacitance. The amount of static current dissipationcan be reduced dramatically while preserving all of theadvantages concerning the DPA-resistance, at a lower speed,when the transistor sizing is done to satisfy modest speedconstraints (e.g., a typical switching speed of 400MHz). It isdemonstrated in [19] that the designed MCML family usinga standard 0.18Ftm process technology with 400mVpp outputvoltage swing at 400MHz operation frequency, dissipatescomparable power with respect to its CMOS counterpartoperating at the same speed. In this work the bias current andactive load size of MCML gates were adjusted to reach these

- nom 46 uA \ll][nom46tiK ~~~~~~supply cur4nmt

min 42 M/:OUTBAR1 a:/OUTI/OtUT _ :/OUTBAR

- Unpltoutput voltages

_v)_=_A_

, .. .. .IL s1 L 1>0- 11 -, 7L 11 An I

Fig. 3. Simulated gate delay and supply current fluctuation of an MCMLbuffer for a fan-out of 5.

design specifications. The lower bound on voltage swing

was set to be 300mVpp to ensure complete current switchingeven at the worst case design corner. The ratio between thepower dissipation of the MCML XOR gate and the classicalCMOS XOR gate was found to be less than a factor of twoat this nominal frequency, which compares quite favorablywith other DPA-resistant circuit styles.The utility of the current-limited MCML gates in a DPA-

resistant design was demonstrated in [19], using the 7-inputKasumi S-box function consisting of 105 two-input ANDand 77 two-input XOR gates. It was also shown [19] that thepeak current fluctuation of the classical CMOS realization isin the order of 28mA, while the current fluctuation of theMCML version remains confined to a narrow band of about0.5mA, around the constant value of 11.5mA. A close-upview of the supply-current variation of the Kasumi S7 S-boxfunction block clearly indicates the significant input-patterndependence of the classical CMOS version. In contrast, thepower supply current of the MCML version does not exhibitany noticeable variation that depends on the applied inputpatterns. The standard variation of the CMOS supply currentis demonstrated to be in the order of lOmA (28mA peak),while the standard variation of the MCML supply currentremains less than 0.2mA (ImA peak) [19]. Possible effectsof measurement set-up on the readability of supply currentvariations in both circuits were also monitored in [19]. Theprobing instrument load was modelled, having a low-passfilter characteristic and the filtered output was monitored. Asexpected, the design based on CMOS logic still shows largevariations (400FtA peak), sufficient to be distinguished quiteeasily. On the other hand, the maximum current fluctuationin the MCML-based design remains below 25FtA, furtherincreasing DPA-resistance of the security-critical block.

V. DESIGN FLOW

The robustness of a hardware implementation of a blockcipher against power analysis attacks can be evaluated at

211

max sn iAI

A: (22.4i2n- 5J9 dt -t4 .llbp -2,.1 42m)

:09:24 2003

different stages of the design flow. The decisive proof isobtained when the actual fabricated microchip is attackedusing high frequency probes and an oscilloscope; nonethe-less, attacking the power consumption traces obtained withtransistor-level simulation can be useful to get a good ap-proximation of the actual level of DPA-resistance, and anindication of possible sources of weakness.The transistor-level simulation has been carried out at very

high timing resolution (about lps) and with no additionalnoise coming from the measurement device, other parts of thecircuit, or the environment. From one point of view, it istherefore a "best-case" attack; however there are certainlyother effects that can not be correctly modelled, such as theeffects of the fabrication process. An important advantage isthat in this way it is also possible to iterate the design flowto investigate further points of optimisation.

In the following we describe the design and simulationflow that we have used to obtain power traces for boththe CMOS and the MCML implementation of the Kasumisubstitution box S7. Both implementations have the sameblock structure (which is described in Section III), but theircode-entry and design process differs. The CMOS circuithas been described using the VHDL language, synthesizedwith Synopsys Design Compiler, and converted into SPICEformat. The technology library used for the CMOS circuitmodels the UMC 0.18Ftm process installed and licensed inthe EPFL Electrical Engineering Department. On the otherhand, the MCML circuit has been described by hand usingthe Spectre language, reflecting a two-level AND-XOR logicimplementation as suggested in the Kasumi specificationdocument. Therefore, it is expected that both the latency andarea of the second circuit are worse. However, the differentdesign approach is necessary since commercial synthesistools do not support non-standard differential logic librarieslike our MCML library.

The interconnection parasitics have not been taken intoaccount in the simulations, since a back-end phase followedby back-annotation would be necessary to do this. Such aback-end phase is meaningful only in the context of a com-plete description of the circuit considering also clock-treeexpansion, floorplanning, and place & route steps. Thus, ourresults will be indicative of the intrinsic robustness of thelogic primitives, more than the robustness of a particularimplementation of the system that includes the Kasumi blockcipher. Again, this is coherent with the goal of this paper.

Transistor level simulations have been performed withSynopsys Nanosim, at highest level of accuracy. The SPICEdescriptions of the UMC18 and the MCML logic librariesinstantiate the BSIM3 p-MOS and n-MOS transistor models[5]. Simulation results of Nanosim are comparable to thoseof SPICE, but the simulation process requires significantlyless time to be carried out. The global current absorptionof the two S-box circuits has been monitored and dumped atintervals of 1 ps. A post-processing step was performed onthe dumped values to obtain the continuous current vectorsreadable by the application that performs the statisticalanalysis, as described in the following Section.

VI. RESISTANCE AGAINST POWER ANALYSIS

In this section we describe the attacks we mounted on theCMOS and MCML implementations of the Kasumi S-boxand we compare the results.A typical DPA attack consists of the following steps: at

first, an intermediate key dependent result is selected asthe target, then the attacker encrypts (decrypts) a certainnumber of known plaintexts (ciphertexts) and measures thecorresponding power consumption traces. Subsequently, hy-pothetical intermediate values are calculated based on a keyguess and they are used as input of a selection function. Thisfunction is used to partition the power consumption tracesinto two sets, depending on the values of the intermediateresults. The difference of means of the two sets is thencalculated and shows a peak for the right key hypothesisin correspondence to the time frame where the informationis leaked. For all other key guesses and points in time, thedifference of means is close to zero.An improvement with respect to DPA attack, called corre-

lation power analysis (CPA), was discussed in [4]. It hypoth-esizes the Hamming weight of the targeted S-box output andevaluate the hypothesis statistically. The correlation P(P(t),H)between the power traces P,(t) and the hypothesis H iscalculated using the following equation:

cov(P(t),H)p(P(t),H) / 2 2

P(t) 'CH(3)

where 2 and u2 are the variance of the power tracesP (t) and the hypothesis H, while cov(P(t),H) denotesthe covariance of the two. The correlation P(P(t),H) is anormalized value between -1 < p < 1 where p = 1 (p =-1)means that the variables P(t) and H are perfectly correlated(anti-correlated) and p = 0 means there is no correlation atall. The adversary calculates the correlation for each keyhypothesis and chooses the key which shows the strongestcorrelation. Usually CPA shows better results than DPAbecause it uses hypotheses based on multiple bits rather thanthe single bit approach of DPA.

Mounting the Attacks

Using the simulation flow described in Section V, weattacked the S7 S-box of Kasumi. It is important to noticethe differences between the simulated and the real attack. Ina real environment, an attacker has to collect a huge numberof traces in order to filter out the noise. In fact, when powerconsumption of any device is measured, the collected tracesinclude noise. Increasing the number of traces, the noise canbe filtered out, as can be seen from Equation 4:

(4)P (t) = , f (g, t) +N (t)g

where P (t) is the total power consumptions of the device,f (g, t) is the power consumption of a gate g at time t, andN (t) is an uncorrelated normally distributed random variablethat represents the noise components.

212

Logic Style DPA (bit used in the selection function) CPALogicStyle 0 1 2 3 14 15 6 H.W.

CMOS 128 128 128 128 128 128 128 128MCML 0 0 0 0 5 0 0 4

TABLE I

SECRET KEYS FOUND BY DPA AND CPA ATTACKS.

The simulation environment we used is noise free: neitherwhite (thermal) noise nor algorithmic noise produced byother components appear in the power trace. Hence, to fullycharacterize the considered S-box, we need only 27 = 128measurements, one for each of the 128 different plain textinputs. Furthermore, the simulation was performed with avery high resolution both for the current (1IA) and the time(lOps), which is the best possible condition for an attacker.DPA and CPA were performed on the two implementations

of the Kasumi S-box shown in Figure 4, the first realizedusing CMOS technology and the second with MCML. Theattack was focused on the input of the register, as depicted inFigure 4, since for CML, it is the part that we implementedusing a completely differential logic. Hence this is the pointof the circuit that was supposed to be fully protected.

0C:~0

a)

0

a)00

Point of Attack

PlainText \Kasmi S gs

SecretKey

5e-0

4e-0

3e-0

2e-0

1e-0

-1e-0

-2e-0

-3e-0

1.2

0.8

0.6

0.4

0.2

0

-0.2

-0.4

Fig. 4. Point of attack for DPA and CPA.

Table I reports the number of secret keys found whileattacking the two different S-box implementations. We haverepeated the DPA attack using all possible S-box output bitsas selection function. The CPA attack has been performedwith a selection function based on the Hamming weight. Inall these cases our attacks on the CMOS logic were alwayssuccessful. The differential trace of the correct key (plottedin black) is the one that shows the highest peak, thus it isclearly distinguishable from the remaining ones, as can beseen from Figure 5 (DPA using selection function on bit 1)and Figure 6 (CPA on the Hamming weight). In the lattercase, a correlation value as high as P(P(t)1H)= I indicates thecorrect hypothesis.

The situation is completely different for the implementa-tion based on MCML. As can be seen from Figure 7, theblack line representing the correct key is not distinguishablefrom the remaining differential traces plotted in gray. Thesame situation is also valid for the correlation power attackdepicted in Figure 8.As reported in Table I, a total number of nine keys was

found. Although this result can not be considered insignifi-cant from a statistical point of view, it must be underlinedthat the successful attacks mounted to MCML do not showthe usual situation for differential power analysis (DPA)and correlation power analysis (CPA). As can be seen fromFigure 9, which shows an example of a successful DPA

0

00

-0C:a3)

1e-0

8e-0

6e-0

4e-0

2e-0

-2e-0

-4e-0

-6e-0

-8e-0

-1e-0

Correct key 23)6

)6

o6)6

0

)6

)6

)60 5 10 15 20 25 30 35 40 45 5

Time [10 ps]

Fig. 5. DPA on CMOS technology.

Correct key 77

5 10 15 20 25 30 35 40 45 5Time [10 ps]

Fig. 6. CPA on CMOS technology.

)7Correct key 23

)8

)8

)8

)8

0

)8

)8

)8

)8

)70 5 10 15 20 25 30 35 40 45

Time [10 ps]

s0

S0

50

Fig. 7. DPA on MCML technology.

attack on bit 4 of the S-box output, the differential tracecorresponding to the correct key has the same shape as allthe others rather than clearly indicating a peak, thus the keyguess results to be correct only because the correspondingtrace is the external one. As a consequence, in an attackmounted on a real device, it could be completely hidden byso-called ghost peaks (peaks of similar height correspondingto a wrong key guess), making the attack more difficult.

213

1.f,

0.15

0.1

0

a)

0

C0

0.05

0

-0.05

-0.1

-0.15

0 5 10 15 20 25 30 35 40 45

Time [10 ps]50

Fig. 8. CPA on MCML technology.

We want to stress that the attacks were mounted withina simulation environment, thus in ideal and best conditionfor an attacker, both in terms of sampling rate accuracy andabsence of noise. We are currently evaluating if this eventualdependence can be effectively exploited on a real device.

0

0-0

-0C:a3)

1 e-07

8e-08

6e-08

4e-08

2e-08

0

-2e-08

-4e-08

-6e-08

-8e-08

-1e-070 5 10 15 20 25 30 35 40 45

Time [10 ps]50

Fig. 9. Successful DPA attack on MCML technology.

VII. CONCLUSIONS

In this paper we introduced a simulation-based methodol-ogy for evaluating the resistance of cryptographic circuitsto power analysis attacks. We validated our methodologyon the MCML technology, and demonstrated the robustnessof MCML against DPA and CPA attacks. Contrary to pre-

vious papers on this subject, we did not argue robustnessjust qualitatively, but with real attacks. Furthermore, sinceour approach is based on SPICE-level simulations, it doesnot rely on the manufacturing of prototypes, which allowsa more direct experimental study of DPA-resistance.Our results show that the power traces obtained by simulat-

ing the non-linear bijective function of the Kasumi algorithmrealised in MCML are very difficult to attack, as opposed toa CMOS implementation for which the same attacks were

always successful. We are currently evaluating the robustnessof MCML against template attacks.

REFERENCES

[1] 3GPP 35.202 Technical Specification version 3.1.1. Kasumi S-boxfunction specifications. Available for download at http: //www.3gpp. org/ftp/Specs/archive/35-series/35.202/, 2002.

[2] M. Anis, M. Allam, and M. Elmasry. Impact of technology scalingon CMOS logic styles. IEEE Transactions on Circuits and SystemsII: Analog and Digital Signal Processing, 49(8):577-588, Aug. 2002.

[3] E. Biham and A. Shamir. Differential fault analysis of secret keycryptosystems. In Advances in Cryptology- CRYPTO '97, vol. 1294of Lecture Notes in Computer Science, pp. 513-525. Springer Verlag,1997.

[4] E. Brier, C. Clavier, and F. Olivier. Correlation power analysis with a

leakage model. In Cryptographic Hardware and Embedded Systems-CHES 2004, vol. 3156 of Lecture Notes in Computer Science, pp.

16-29, Springer Verlag, 2004.[5] BSIM3 Version 3.3.0 MOSFET Model. Avaliable for download at

http: //www-device. eecs.berkeley. edu/-bsim3, July 2005.[6] J.-S. Coron and L. Goubin. On Boolean and arithmetic masking

against differential power analysis. In Cryptographic Hardware andEmbedded Systems- CHES 2000, vol. 1965 of Lecture Notes inComputer Science, pp. 231-237. Springer Verlag, 2000.

[7] J. Gonzalez and A. Rubio. Low delta-I noise CMOS circuits based on

differential logic and current limiters. IEEE Transactions on Circuitsand Systems I: Fundamental Theory and Applications, 46(7):872-876,July 1999.

[8] J. Irwin, D. Page, and N. P. Smart. Instruction stream mutation fornon-deterministic processors. In Proceedings of the 13th IEEE In-ternational Conference on Application-specific Systems, Architecturesand Processors (ASAP 2002), pp. 286-295. IEEE Computer SocietyPress, July 2002.

[9] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman,RSA, DSS, and other systems. In Advances in Cryptology -CRYPTO'96, vol. 1109 of Lecture Notes in Computer Science, pp. 104-113.Springer Verlag, 1996.

[10] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. InAdvances in Cryptology -CRYPTO '99, vol. 1666 of Lecture Notesin Computer Science, pp. 388-397. Springer Verlag, 1999.

[11] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks:Revealing the Secrets of Smart Cards. Springer Verlag, 2007.

[12] S. Maskai, S. Kiaei, and D. Allstot. Synthesis techniques for CMOSfolded source-coupled logic circuits. IEEE Journal of Solid-StateCircuits, 27(8):1157-1167, Aug. 1992.

[13] D. May, H. L. Muller, and N. P. Smart. Non-deterministic processors.In Information Security and Privacy -ACISP 2001, vol. 2119 ofLecture Notes in Computer Science, pp. 115-129. Springer Verlag,2001.

[14] D. May, H. L. Muller, and N. P. Smart. Random register renamingto foil DPA. In Cryptographic Hardware and Embedded Systems-CHES 2001, vol. 2162 of Lecture Notes in Computer Science, pp.28-38. Springer Verlag, 2001.

[15] S. W. Moore, R. J. Anderson, P. Cunningham, R. Mullins, andG. Taylor. Improving smart card security using self-timed circuits.In Proceedings of the 8th International Symposium on AsynchronousCircuits and Systems (ASYNC 2002), pp. 193-200. IEEE ComputerSociety Press, 2002.

[16] A. G. Rostovtsev and 0. V. Shemyakina. AES side channel attackprotection using random isomorphisms. Cryptology ePrint Archive,Report 2005/087, avialable for download at http: //eprint. iacr.org, 2005.

[17] K. Tiri, M. Akmal, and I. M. Verbauwhede. A dynamic and differentialCMOS logic with signal independent power consumption to withstanddifferential power analysis on smart cards. In Proceedings of the 28thEuropean Solid-State Circuits Conference (ESSCIRC 2002), pp. 403-406. University of Bologna, Italy, 2002.

[18] K. Tiri and I. Verbauwhede. Securing encryption algorithms againstDPA at the logic level: Next generation smart card technology. InCryptographic Hardware and Embedded System -CHES 2003, vol.2779 of Lecture Notes in Computer Science, pp. 125-136. SpringerVerlag, 2003.

[19] Z. Toprak, A. K. Verma, Y Leblebici, P. lenne, and C. Paar. Designof low-power DPA-resistant cryptographic functional units. In Pro-ceedings of the 1st ECRYPT Workshop on Cryptographic Advances in

Secure Hardware (CRASH 2005), Leuven, Belgium, Sept. 2005.

214

Correct key 77

r

Correct key 1 17

_<_ ==-=W0S-Ew=X-- c - =S .. L h \. =

; =Wi f 2X0, #,o--EA:- X ?. wS ( >; H>>^- =

-''S :S't.==.=N t<' '

I I I I I I~~~~~~~~~~~~~~~~~~~~~~~~~~~~~