Minoru Saeki

Security evaluation of DPA countermeasures using dual-rail pre-charge logic style

In recent years, some countermeasures against Differential Power Analysis (DPA) at the logic level have been proposed. At CHES 2005 conference, Popp and Mangard proposed a new countermeasure named Masked Dual-Rail Pre-Charge Logic (MDPL) which combine dual-rail circuits with random masking to improve Wave Dynamic Differential Logic (WDDL). The proposers of MDPL claim that it can implement secure circuits using a standard CMOS cell library without special constraints for the place-and-route because the difference of loading capacitance between all pairs of complementary logic gates in MDPL can be covered up by the random masking. In this paper, we especially focus the signal transition of the MDPL gate and evaluate the DPA-resistance of MDPL in detail. Our evaluation results show that the leakage occurs in the MDPL gates as well as WDDL gates when input signals have difference of delay time even if MDPL has an effectiveness on reducing the leakage caused by the difference of loading capacitance. Furthermore, we demonstrate the problem with different input signal delays by measurements of an FPGA and show the validity of our evaluation.

Random Switching Logic: A New Countermeasure against DPA and Second-Order DPA at the Logic Level

This paper proposes a new countermeasure, Random Switching Logic (RSL), against DPA (Differential Power Analysis) and Second-Order DPA at the logic level. RSL makes a signal transition uniform at each gate and suppresses the propagation of glitch to allow power consumption to be independent of predictable data. Furthermore, we implement basic logic circuits on the FPGA (Field Programmable Gate Array) by using RSL, and evaluate the effectiveness. As a result, we confirm the fact that the secure circuit can be structured against DPA and Second-Order DPA.

A Design Methodology for a DPA-Resistant Cryptographic LSI with RSL Techniques

A design methodology of Random Switching Logic (RSL) using CMOS standard cell libraries is proposed to counter power analysis attacks against cryptographic hardware modules. The original RSL proposed in 2004 requires a unique RSL-gate for random data masking and glitch suppression to prevent secret information leakage through power traces. However, our new methodology enables to use general logic gates supported by standard cell libraries. In order to evaluate its practical performance in hardware size and speed as well as resistance against power analysis attacks, an AES circuit with the RSL technique was implemented as a cryptographic LSI using a 130-nm CMOS standard cell library. From the results of attack experiments that used a million traces, we confirmed that the RSL-AES circuit has very high DPA and CPA resistance thanks to the contributions of both the masking function and the glitch suppressing function. This is the first result demonstrating reduction of the side-channel leakage by glitch suppression quantitatively on real ASIC.

An Analysis of Leakage Factors for Dual-Rail Pre-Charge Logic Style

In recent years, certain countermeasures against differential power analysis (DPA) at the logic level have been proposed. Recently, Popp and Mangard proposed a new countermeasure-masked dual-rail pre-charge logic (MDPL); this countermeasure combines dual-rail circuits with random masking to improve the wave dynamic differential logic (WDDL). They claimed that it could implement secure circuits using a standard CMOS cell library without special constraints for the place-and-route method because the difference between the loading capacitances of all the pairs of complementary logic gates in MDPL can be compensated for by the random masking. In this paper, we particularly focus on the signal transition of MDPL gates and evaluate the DPA-resistance of MDPL in detail. Our evaluation results reveal that when the input signals have different delay times, leakage occurs in the MDPL as well as WDDL gates, even if MDPL is effective in reducing the leakage caused by the difference in loading capacitances. Furthermore, in order to validate our evaluation, we demonstrate a problem with different input signal delays by conducting measurements for an FPGA.

Leakage Analysis of DPA Countermeasures at the Logic Level

In this paper, we propose new models for directly evaluating DPA leakage from logic information in CMOS circuits. These models are based on the transition probability for each gate, and are naturally applicable to various actual devices for simulating power analysis. Furthermore, we demonstrate the weakness of previously known hardware countermeasures for both our model and FPGA and suggest secure conditions for the hardware countermeasure.

Two Operands of Multipliers in Side-Channel Attack

The single-shot collision attack on RSA proposed by Hanleyi¾?eti¾?al. is studied focusing on the difference between two operands of multipliers. There are two consequences. Firstly, designing order of operands can be a cost-effective countermeasure.We show a concrete example in which operand order determines success and failure of the attack. Secondly, countermeasures can be ineffective if the asymmetric leakage is considered. In addition to the main results, the attack by Hanley et al. is extended using the signal-processing technique of the big mac attack. An experimental result to successfully analyze an FPGA implementation of RSA with the multiply-always method is also presented.

On measurable side-channel leaks inside ASIC design primitives

Leaks inside semi-custom application-specific integrated circuit design primitives are rigorously investigated. The study is conducted by measuring a dedicated test element group chip with a small magnetic field probe on the chip surface. Measurement targets are standard cells and a memory macro cell. Leaks inside the primitives are focused, as many of conventional countermeasures place measurability boundaries on these primitives. Firstly, it is shown that the current-path leak: a leak based on input-dependent active current path within a standard cell (Takahashi 2012; Takahashi and Matsumoto IEICE Electron Express 9:458–463, 2012) is measurable. Major gate-level countermeasures [Random Switching Logic (RSL), MDPL, and WDDL] become vulnerable if the current-path leak is considered. Secondly, it is shown that the internal-gate leak: a leak based on non-linear sub-circuit within an XOR cell is measurable. It can be exploited to bias the distribution of the random mask. Thirdly, it is shown that the geometric leak: a leak based on geometric layout of the memory matrix structure is measurable. It is a leak correlated to integer representation (cf. Hamming weight) of the memory address. We also show that a ROM-based countermeasure (dual-rail RSL memory; Hashimoto et al. 2012) becomes vulnerable with the geometric leak. A general transistor-level design method to counteract the current-path and internal-gate leaks is also shown.

Security Evaluations of MRSL and DRSL Considering Signal Delays

In recent years, some countermeasures have been proposed against differential power analysis (DPA) at the basic composition element level of logic circuits. We propose a countermeasure named random switching logic (RSL). RSL involves computation with data masking using a single logic gate and suppression of transient transitions using ENABLE signals generated independently of input data. Recently, some countermeasures that were proposed against DPA, such as MRSL and DRSL, adopted the concept of RSL. Although MRSL is based on RSL, it uses a different method to suppress the transient transitions. DRSL uses RSL to avoid the possibility of leakage caused by a difference in delays occurring in MDPL that combines dual-rail circuits with random masking. The important difference between these countermeasures and RSL is that they can vary the output transition timing depending on the input data patterns. In this paper, we focus on this feature to evaluate the DPA resistance of MRSL and DRSL. Experiments are also conducted on DPA resistance by using an FPGA to verify the evaluation results. It is confirmed that in both MRSL and DRSL, there is a possibility of leakage if a sufficient difference in delays exists in input signals.