IEEE JOURNAL ON EMERGING AND SELECTED …kresttechnology.com/krest-academic-projects/krest-mtech-projects... · IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS,

IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS, VOL. 4, NO. 2, JUNE 2014 203

A Methodology for Optimized Design of SecureDifferential Logic Gates for DPA Resistant Circuits

Erica Tena-Sánchez, Javier Castro, and Antonio J. Acosta

Abstract—Cryptocircuits can be attacked by third parties usingdifferential power analysis (DPA), which uses power consumptiondependence on data being processed to reveal critical information.To protect security devices against this issue, differential logicstyles with (almost) constant power dissipation are widely used.However, to use such circuits effectively for secure applicationsit is necessary to eliminate any energy-secure flaw in security inthe shape of memory effects that could leak information. Thispaper proposes a design methodology to improve pull-down logicconfiguration for secure differential gates by redistributing thecharge stored in internal nodes and thus, removing memoryeffects that represent a significant threat to security. To evaluatethe methodology, it was applied to the design of AND/NANDand XOR/XNOR gates in a 90 nm technology, adopting the senseamplifier based logic (SABL) style for the pull-up network. Theproposed solutions leak less information than typical SABL gates,increasing security by at least two orders of magnitude and withnegligible performance degradation. A simulation-based DPAattack on the Sbox9 cryptographic module used in the Kasumialgorithm, implemented with complementary metal–oxide–semi-conductor, SABL and proposed gates, was performed. The resultsobtained illustrate that the number of measurements neededto disclose the key increased by much more than one order ofmagnitude when using our proposal. This paper also discusseshow the effectivenness of DPA attacks is influenced by operatingtemperature and details how to insure energy-secure operationsin the new proposals.

Index Terms—Differential complementary metal–oxide–semi-conductor (CMOS) digital circuits, differential power analysis(DPA), information security, power consumption, side-channelattacks, substitution box, temperature influence on DPA attacks,very large scale integration (VLSI) design of cryptographic cir-cuits.

I. INTRODUCTION

I N THE current information and communication technologybased world, security is a major concern. Privacy is con-

sidered an important personal right. Commonly used deviceslike smart cards and other embedded devices need encryptiontechnology to guarantee security. Encryption security is typi-cally based on mathematically secure algorithms, designed to

Manuscript received January 30, 2014; revised February 20, 2014, March25, 2014; accepted March 26, 2014. Date of publication April 15, 2014; date ofcurrent version June 09, 2014. This work was supported in part by CSIC underProject 201450E034 and in part by the Spanish Governmentunder ProjectsTEC2010-16870 and IPT2012-0695-390000. This paper was recommended byGuest Editor S. Sethumadhavan.E. Tena-Sánchez and A. J. Acosta are with the Universidad de Sevilla and

the Instituto de Microelectrónica de Sevilla (CNM-CSIC), 41092 Seville, Spain(e-mail: [email protected]; [email protected]).J. Castro is with Anafocus, 41092 Seville, Spain (e-mail: jcastro@anafocus.

com).Digital Object Identifier 10.1109/JETCAS.2014.2315878

produce a ciphertext from a plaintext that can not be mathemat-ically attacked [1]. But even when such theoretical security isachieved, the physical implementation of the encryption algo-rithm leaks side-channel information that can be used by an at-tacker to reveal the secret key [2]–[6]. The physical implemen-tations of cryptographic devices therefore have to be carefullyconsidered.Side channel attacks (SCAs) on cryptographic devices use

certain physical information such as power consumption, timedelay, or electromagnetic radiation to find the secret key [2]–[5].SCAs can be noninvasive and usually require minimal equip-ment, hence they are easy to carry out [6]. Of all SCAs, dif-ferential power analysis (DPA) [4], [6]–[8], is one of the mostpowerful for its simplicity and effectiveness. DPA attacks arebased on the well known fact that dynamic power consumptionin a logic circuit is dependent on the data being processed bythe device.Thus, an attacker can obtain the secret key by measuring the

power supply current of a cryptographic device while it is per-forming an encryption, and by statistically analyzing of themea-sured power traces. Nanometric technologies with a drastic in-crease in leakage power are also vulnerable to similar leakage-associated attacks [9]–[11].Since the first DPA attack on smart cards in 1999 [4], dozens

of countermeasures have been proposed to deal with this typeof intrusion. They are shown in Fig. 1. The earliest methods ofcombatting DPA, such as the incorporation of random powerconsuming operations [12] and introduction of random delays[13], among others [14], proved generally to be ineffective,since they only slightly increase the number of measurementsto disclose (MTDs) required to recover the secret key [6].To maximize DPA attack prevention, numerous methods

based on protecting cryptosystems at algorithm level havebeen presented, with some noteworthy solutions being basedon duplication [15]–[17]. However, algorithm-based securitytechniques are very specific and difficult to automate, due totheir heavy dependence on specific cryptographic algorithm.On the other hand, circuit-level countermeasures are more

generic, since they are not constrained to one specific crypto-graphic algorithm. Once a practical method has been found, de-signers need worry no more about the security of implementa-tions for a specific algorithm, and this make automatic designfeasible. This type of solution falls into two categories: gatelevel mask circuits and complementary circuits.Masking at gate level is analyzed in [18], and some imple-

mentations of masked gate circuits are also described in [12],[19]. For instance, in the random-switching-logic (RSL) imple-mentation [19], a random signal is used to equalize output transi-

2156-3357 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

204 IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS, VOL. 4, NO. 2, JUNE 2014

Fig. 1. Countermeasures against DPA.

tion probability. The main weakness of these masking methodslies in the strict timing required. For example, output transitionsof logic gates are dependent on input signals when glitches exist[20], and some cases have been reported of successful attackson masked hardware implementations with glitches [21], [22].The other circuit-level category, sometimes known as hiding

[6] or complementary techniques, is the implementation of alogic circuit with power consumption theoretically independentof the data being processed, as proposed in [23]–[29]. The de-sign of this kind of secure cells has been an ongoing obsessionin the crypto-community, because they can be used for the hard-ware implementation of any kind of cryptographic algorithmfor either public-key or private-key cryptosystems, regardlessof the specific application. There are several approaches to cre-ating hiding countermeasures at circuit level with complemen-tary coding and data-independent power consumption. Thosebased on adiabatic logic, like for instance [30], offer relevantlow-power security features, but adiabatic designs require pre-cise timing (at least four supply-clock phases) and still needfurther development. To maximize hiding effects for securitypurposes using more conventional logic styles, dual rail withprecharge logic (DPL) families have been proposed to ensureone computation performed in every clock cycle showing ex-actly the same transition probability for every input condition[31], [32].In DPL, each Boolean variable is represented by a pair of

wires . When is valid, means. Signal is not valid if . Every computation

comprises one precharge (where is invalid), followed by oneevaluation (where is valid), and being complementary.Whatever the input situation, exactly one and only one ofand will toggle. The number of toggles per clock cycle isthus constant, as should be the overall power consumption.Considering the physical design technique used for DPL,

there are two main categories: those based on standard-cellimplementations, and those requiring full-custom implementa-tions.The classic example of standard-cell based implementation

is the so-called wave dynamic differential logic (WDDL) [33].In WDDL, the precharge value propagates from the inputs to

Fig. 2. Dynamic and dual-rail gate logic style. (a) Using NMOS transistorsto implement the DPDN block logic function. (b) Logic function implementedwith PMOS transistors (DPUN).

the outputs, like a wave. Its major advantage is the use of astandard-cell flow, which facilitates the synthesis process. Themain flaws are the early evaluation bias [32], which is difficultto mitigate, and glitch generation if WDDL is not implementedusing positive functions. Some improvements to WDDL havebeen reported, such as MDPL [26], iMDPL [34], STTL [35],and BCDL [36]. In [37], WDDL was duplicated in such a waythat the True and False networks were inverted between the twoWDDL instances. Basically, standard-cell based secure gatesare easily incorporated into FPGA implementations of cryp-tocircuits, but they usually offer lower security levels. Even acareful back-end process in ASIC does not ensure total security.For a complete description, and experimental results obtainedby attacking an WDDL AES ASIC, see [38]. No further refer-ence to this type of implementation will be made in this paper.Turning to full-custom solutions, SecLib (Secure Library

[39]) combines security countermeasures at protocol, architec-ture and back-end levels. At protocol level, the computationsare divided into two steps: computation of one iteration, andthe reinitialization of all the nets so that the circuit is readyto start a new computation afresh, for instance with all thenets in the same electrical state. At the architectural level, theresynchronization capabilities of quasi-delay-insensitive logicdisables anticipated evaluation by synchronizing the inputs.Gate timing is thus independent of the data. Finally, the desiredsymmetry is acquired by having a fully balanced cell layout.Although very powerful, SecLib is an integral solution that isnot easy to apply in standard synthesis processes, due to therequirements imposed by specific protocols and architectures.The other full-custom solutions are those based on differ-

ential logic styles. It has been reported that, if carefully de-signed, placed and routed, these solutions provide the best re-sults. The most relevant proposals have been Dynamic Cur-rent Mode Logic (DyCML) [40], Low-Swing Current ModeLogic (LSCML) [41], Sense Amplifier Based Logic (SABL)[23], Three-Phased Dual-Rail Pre-charge Logic (TDPL) [42],and Delay-Based Dual-Rail Pecharge Logic (DDPL) [43]. Dif-ferential circuits exploit their inherent symmetry to ensure sim-ilar consumptions for “0” and “1” evaluations, since both thetrue and complemented outputs are generated simultaneously.Fig. 2 shows a simplified scheme for a dynamic differentiallogic style. Such logic styles comprise a differential pull-down

TENA-SÁNCHEZ et al.: A METHODOLOGY FOR OPTIMIZED DESIGN OF SECURE DIFFERENTIAL LOGIC GATES FOR DPA RESISTANT CIRCUITS 205

TABLE IFEATURES AND PERFORMANCES OF FULL-CUSTOM SECURE DPL TECHNIQUES

network (DPDN) performing the logic function and a differ-ential pull-up network (DPUN) working in alternate prechargeand evaluation phases. They provide both the true and the com-plemented output in every clock cycle, with only one chargingevent, but care must be taken to ensure that a fixed amount ofcharge is used in every transition. TDPL and DDPL are in-sensitive to unbalanced routing capacitances [43], but TDPLneeds a third clock phase [42], and DDPL needs a timing codi-fication scheme requiring precise delay generation [43]. SABL[23] is a differential logic style that meets both requirements: ithas one charge event and uniform capacitance charges. SABLachieves better results because its internal structure suppress theinfluence of internal capacitances better than the reduced outputswing used by DyCML and LSCML [27], [45].Table I summarizes the features and performances of full-

custom secure DPL techniques. Average energy and deviationin energy are taken from [27], [40]–[43]. Data are normalized toSABL results. Main drawbacks limiting the usage of the tech-niques for secure applications are also included in the table.From the information given in Table I, it is clear that in en-ergy-secure systems, SABL gates provide the best trade-off inhardware resources, power and security, especially if balancedoutputs are provided. Although DDPL and TDPL can providemore security levels, the overhead in complexity makes recom-mendable the usage of SABL as reference technique.Although the above mentioned methods for complementary

circuits are intended to prevent DPA completely, they still leakside-channel information. Even ensuring DPA resistance, andtaking into account loading capacitances, symmetric routing andprocess-voltage variations, it has been demonstrated that SABLlogic, and hence all the differential styles, still leak some in-formation due to the asymmetric charging of the internal pull-down nodes [44]. Notwithstanding the back-end implementa-tion of crypto-hardware, the aim of this work is to present amethodology for optimizing the design of DPDN for differen-tial logic gates capable of implementing fully secured crypto-graphic blocks using any DPUN approach. The main contribu-tions of this paper are as follows.• A new methodology for optimizing DPDN, eliminatingstored charges in internal nodes, and avoiding harmfulmemory effects. Evaluation of the aforementioned DPDNstructures with regard to energy-secure operation, arisingsecurity flaws.

• Application of the methodology to improved AND/NANDand XOR/XNOR SABL gate designs, which serve as a testbed.

• Implementation of a case study (Sbox9) using differentAND and XOR gates as an application example.

• Simulated DPA attack on Sbox9 implemented usingcomplementary metal–oxide–semiconductor (CMOS)standard cells, SABL cells, and the improved SABL gates,to demonstrate the improvement in security resulting fromour proposal.

• Evaluation of the effect of temperature variations on theweaknesses of energy-secure cells. It will be demonstratedhow a DPA attack carried out at appropriate temperaturescreates severe security flaws.

The work presented in this paper is partially based on [44],where the initial idea of removing the charge in internal nodesof DPDN in a differential XOR gate was presented. This workpresents an improvement of the proposal in [44] as new alter-native method: 1) a novel complete methodology for removinginternal charges in any gate of any differential logic style is pre-sented, proving its suitability for secure implementations de-signing and simulating different digital gates; 2) performingsimulation-based DPA attacks on the substitution box of the Ka-sumi algorithm to assess the proposals; and 3) analyzing theeffect of temperature variation in the security of the proposalsagainst DPA attacks.The results can easily be extrapolated to other hard-

ware-based cryptographic systems (either public- or pri-vate-cryptosistems including any sbox, block- or stream-cipher,etc.), since the improvement in security was obtained usingbasic building blocks.The paper is organized as follows. Section II describes

the basic configuration of dynamic dual-rail structures, fo-cusing on their characteristics in relation to DPA applications.Section III reveals the structure of the proposed DPDN forgeneric differential logic gates. Specific considerations forthe AND/NAND and XOR/XNOR gates and some simulationresults evaluating the improvement in the DPDN proposals arepresented in Section IV. Section V shows the design and resultsof simulated DPA attack on a Sbox9 using different approaches.Section VI analyzes the impact of temperature variation on theeffectiveness of the DPA attacks, and finally conclusions andfuture work are presented in Section VII.

II. DPA RESISTANT DIFFERENTIAL LOGIC GATES

The basic circuit configuration of a differential DPL cell isshown in Fig. 2. The DPDN in Fig. 2(a) is mostly implementedwith NMOS transistors connected to the bottom clocked NMOStransistor. Without loss of generality, a DPA-resistant gate can


Fig. 3. SABL logic style [23].

also be constructed with the logic function implemented in theDPUN with PMOS transistors and a clocked PMOS transistoron the top, as shown in Fig. 2(b). For simplicity, we will use thescheme in Fig. 2(a).Asmentioned, SABL [23] fulfils all the requirements for DPA

resistance. Fig. 3 shows the DPUN structure for SABL. SABLoperates as follows: the clocked PMOS transistors (T6 and T8)in the DPUN are ON in the precharge phase , setting

. In the evaluation phase ,the sources of the NMOS transistors T7 and T10 are groundedthrough a discharge path in the DPDN and the switching actionof transistor M, which is always ON, making the logic functionat the output dependent on input values. The specific featuresthat make SABL resistant to DPA are 1) the presence of theclocked bottom transistor T11, 2) full symmetry in DPUN, and3) outputs of DPDN not connected to the gate of output inverters(T1/T2 and T3/T4). This last feature makes SABL superior toother simpler symmetric differential structures [23], [27].Even using an appropiate logic style such as SABL in the

DPUN, the DPDN must be fully symmetrical when imple-menting the logic, regardless of input values. Here, symmetrymeans that all the paths from to ground must have thesame transistor count and the same equivalent resistance andcapacitance in every node. To make DPDN effective againstDPA attacks, it should be fully symmetrical, with the samenumber of NMOS series transistors, and with similar resistancein every path. The gate will then operate with a constant delay(RC value), regardless of the specific input values. Fig. 4shows the typical implementation of the AND/NAND andXOR/XNOR DPDN reported in literature [45]. Note how theAND/NAND DPDN has been modified, with the additionof dummy transistors controlled by and , to achieve themaximum symmetry [45].Even with a fully symmetric DPDN, information could be

leaked if the evaluation of specific data leaves an indelible fin-gerprint that can be exploited by an attacker. To guarantee max-imum DPA protection, therefore, any kind of memory effectshould be removed. In both DPDNs in Fig. 4, for every inputcondition, the charge stored in the internal nodes (n1 and n2)should be equalized, because these nodes may store informa-tion about the previous state. Let us consider the implementa-tion of the XOR/XNOR DPDN shown in Fig. 4(b). Regardlessof the input values, nodes qXor and qXnor always see the same

capacitance, and output is always discharged through two se-ries-connected NMOS. However, the values stored in internalnodes n1 and n2 in the precharge phase will depend on the valueof input B in the previous evaluation, as demonstrated in [44].There will thus be a difference in power consumption regardlessof whether the value of B between two consecutive evaluationsis the same or not, as it can be seen in the waveforms in Fig. 5obtained from a simulation of a XOR/XNOR SABL gate imple-mented in a 90 nm technology.For example, the voltage value of node n1 in the precharge

is higher when input B was “0” in the previous evaluation,than when it was “1”. Hence, the power consumption of thenext evaluation would depend on the previous value, givingrise to an undesired memory effect and power consumptionwill be smaller when input B maintains its previous value thanwhen it changes. Similar results can be obtained for the internalnodes of the AND/NAND implementation shown in Fig. 6.When using these two DPDNs to perform the AND/NANDand XOR/XNOR logic functions, power consumption thereforevaries slightly depending on the internal nodes of the DPDN. Inthis regard, there exists a severe security hole in the transitionfrom precharge to evaluation, which could enable a potentialattacker to observe the supply current traces present exactly inthe vicinity of such transition.For any n-input precharge-based secure gate, it has been tra-

ditionaly considered by the research community [46] that “00”values restored in the outputs during precharge phase minimizethe number of possible input transitions with potentially dif-ferent power/ground current traces for the following evaluationphase to . For a two-input gate, the different (and unique)transitions considered in inputs and from precharge toevaluation were

Considering the above-mentioned mechanism, it is clear that theevaluation prior to the precharge phase influences the power/ground supply current of next evaluation if the memory effect isnot removed. The number of possible transitions with potentialdifferent power/ground current traces rises to 16 (four possibletransitions prior to each precharge for each of the four casesconsidered above), as opposed to the four transitions tradition-ally considered, making any potential attack much easier. Thenumber of different possible transitions for a n-input gate is .In next section, it will be shown how the DPDN can be pro-

vided with additional security features to operate in a memory-less fashion, in such a way that all internal nodes are charged/discharged in each precharge phase.

III. OPTIMIZATION METHODOLOGY FOR DPDN

To prevent the undesired effect described above, we proposea technique for matching the charge in internal nodes during theprecharge phase. This can be achieved principally in two maindifferent ways: 1) by recycling the charge and equalizing it by its


Fig. 4. Implementation of an (a) NMOS AND/NAND and (b) NMOS XOR/XNOR DPDN [45].

Fig. 5. Waveform displays for the SABL Xor/Xnor reference case. Internal (n1and n2) voltages show the dependence on input vector.

Fig. 6. Waveform displays for the SABL And/Nand reference case. Internal(n1 and n2) voltages show the dependence on input vector.

distribution between the internal nodes and 2) by charging/dis-charging all the internal nodes to the same final value. In bothcases, it suffices to add specific transistors that are in the ONstate only during precharge. Initially, the same depth was con-sidered for both branches of DPDN. If the logic function allowsdifferent branch lengths, dummy transistors must be added inthe same way as for the AND/NAND gate in Fig. 4(a) in orderto improve symmetry.

Fig. 7. Single-switch generic scheme for N-depth DPDN.

Single-Switch Solution (P): In any DPDN implementationfor a generic differential logic function, the intermediate nodesin the same depth level are tied together through a switch that isON during the precharge phase , setting an equal valueof voltage in nodes in the same level. The overhead associated tothis solution is one switch for each transistor level in the DPDNexcept for the first one, which generates the true and the com-plemented output. In the SABL structure, these are intercon-nected with the intermediate Vdd-gated NMOS transistor that isalways ON. For an N-depth DPDN, therefore, the overhead isN-1 switches. Considering ideal switches, this solution ensuresaccurate charge distribution during precharge and does not leakany information. From a practical point of view, since a CMOSswitch needs one PMOS and one NMOS transistor, as well asand , the associated overhead is very high, especially in

SABL solutions where only a single phase clk is needed. Thegeneration of a global or local becomes unpractical, and so aone-transistor switch represents a good trade-off between com-plexity and security achievements. A PMOS transistor that isON in the precharge phase therefore provides themost feasible solution. A generic scheme for a single-switch so-lution is shown in Fig. 7.Dual-Switch Solution (2P): The intermediate nodes in the

DPDN implementation are tied to supply/ground rails with in-dependent switches during precharge, forcing exactly the samevoltage in all nodes. Each DPDN level except for the first one,which generates the true and the complemented output, needsexactly one pair of switches. In the SABL structure, these are in-terconnected with the intermediate Vdd-gated NMOS transistor


Fig. 8. Dual-switch generic scheme for N-depth DPDN.

Fig. 9. AND/NAND DPDN with single-switch proposal.

that is always ON. Thus, for an N-depth DPDN, the overhead isswitches. As with the single-switch configuration, the

only feasible solution uses PMOS switches that are ON duringprecharge, connected to Vdd. Any other solution has importantdrawbacks: NMOS switches need to be controlled by unavail-able signal, PMOS switches are not suitable for GND con-nection because of their limited conduction of “0” and CMOSswitches are too expensive to implement. A generic scheme fora dual-switch solution is shown in Fig. 8.Let us consider an AND/NAND SABL gate to show the fea-

sibility of the two proposed solutions. The simulation results inFig. 6 show the undesired memory effect in the original SABLgate, designed in a 90 nm technology. The schematic for thesingle-switch solution applied to this gate is shown in Fig. 9and the corresponding simulation results in Fig. 10. In eachprecharge phase the action of the PMOS switch T1 ON equal-izes the intermediate voltage in internal nodes n1 and n2.Fig. 11 shows the schematic for the dual-switch solution ap-

plied to the AND/NAND DPDN implemented in the same 90nm technology. Here, two PMOS transistors T1 and T2 con-nected to internal nodes n1 and n2 are gated by the clock signal.In each precharge phase, when , the PMOS transistorsT1 and T2 are turned ON, setting an equal voltage value (Vdd)in nodes n1 and n2, as shown in the simulation results in Fig. 12.These two feasible solutions prevent the above-mentioned

memory effect and ensure that all evaluations start in the same

Fig. 10. Waveform displays for AND/NAND DPDN with single-switch pro-posal.

Fig. 11. AND/NAND DPDN with dual-switch proposal.

Fig. 12. Waveform displays for AND/NAND DPDN with dual-switch pro-posal.

initial conditions. A priori, the main drawbacks would be slightincreases in 1) area, 2) power consumption during the prechargephase, and 3) delay in the evaluation phase. Moreover, a sig-nificant improvement in security of the gate is expected, sincecloser power consumption and delay values can be achieved fordifferent input data.The proposedmethodology affects only the DPDN block, and

it can therefore be used in any DPUN proposal with similarbenefits to those obtained for SABL.


TABLE IINED AND NSD VALUES FOR THE DIFFERENT IMPLEMENTATION OF THE AND/NAND AND XOR/XNOR GATES

IV. IMPLEMENTATION AND SIMULATION RESULTS

To evaluate the effectiveness of the two techniques, theproposed methodology was applied to the design of two-inputAND/NAND and XOR/XNOR SABL gates in a 90 nm tech-nology. Although simple gates, they are the most commonlyused in current cryptohardware implementations. However, theproposals can be easily applied and their effectiveness verifiedwith more complex gates and other differential structures.Classic and proposed AND/NAND (XOR/XNOR) SABL

gates were designed in CADENCE using TSMC 90 nm( V) technology. They were simulated withSPECTRE under nominal conditions, i.e., typical model fortransistors, nominal Vdd and C. Monte-Carlo simula-tions considering process–temperature–voltage variations wereconducted, producing results equivalent to those typically ob-tained in this type of implementation in terms of security. Inputsand outputs of the gate being tested were passing through gatesof the same style, nominal clock frequency being 100 MHz.The input patterns were such that all possible combinationscould occur, and the power consumption for the 16 possiblesituations described in Section II was measured.Table II shows the simulation results for power consumption

in the evaluation and precharge phases for both implementationsof AND/NAND (XOR/XNOR) SABL; the one with the classicDPDN and the one with the improved DPDN. To quantify theDPA-resistance of the cell, we measured the minimum energyvalue (Min), the maximum energy value (Max), the mean en-ergy and the standard deviation for all the transitions.Energy per cycle has been computed as shown in (1) and (2)

(1)

(2)

From these values, we obtained the normalized energy devi-ation (NED) and the normalized standard deviation (NSD), ac-cording to (3) and (4), respectively. NED and NSD are usuallyconceived as an indirect measurement of DPA resistance [23],[29], [42], [43]

(3)

(4)

Since all these magnitudes are indicative only of DPA resis-tance, further DPA attacks were needed to evaluate the securityof the proposed solutions. However, it made no sense to per-form a DPA attack on a single gate, thus NED and NSD areconsidered as security measurement of the gate. The greater thedifference between the maximum and minimum values (highestNED and NSD), the higher the cell’s vulnerability to DPA at-tacks. Table II also shows average energy ( ) in the evalu-ation and precharge phases, total average energy ( Total),delay in the evaluation phase and the number of transistors percell.To quantify the DPA-resistance of the cells, let us consider

NED and NSD in the evaluation phase, as shown in Table II.Power consumption in the evaluation phase has a greater de-pendence on the data being processed because in the prechargephase nodes n1 and n2 are floating. For AND/NAND cells,the double-switch solution did not improve the NED and NSDvalues of the classic cell. However, the single-switch proposalimprove NED by a factor of 0.67, and NSD by a factor of0.54 in comparison with the classic-style solution. In the

XOR/XNOR cells, the results for the double-switch proposalimproved NED by a factor of 0.03 and NSD by a factor of0.02. The single-switch proposal for the XOR/XNOR gate

also provided better results than the classic cell, reducing NEDby a factor of 0.76, and NSD by factor of 0.78.The main drawbacks of the proposed solutions were

increases in total power consumption, area and delay degrada-tion. The AND/NAND cells increased power consumption byaround 1.17 for the double-switch proposal and 1.03 for thesingle-switch proposal. For the XOR/XNOR double-switch andsingle-switch proposals, the increases in power consumptionwere 1.28 and 1.02, respectively. In all the proposals, delaydegradation was less than 18% compared with the classic cell.The overhead in hardware resources, measured as the numberof transistors, was 5.5%(11%) for the single(double)-switchsolution. These overhead are negligible compared to theimprovement in security achieved (up to several orders ofmagnitude).In view of the results reported in Table II, it can be con-

cluded that the best choices for the AND/NAND and XOR/XNOR gates are, respectively, the single-switch and double-switch proposals. The simulation results show an improvementin security, with lower NED and NSD values. Since NED andNSD only indicate the DPA resistance of the gates, a DPA at-tack was simulated to assess the security of our proposals. Thisis described in the next section.


Fig. 13. Attacked circuit scheme.

V. CASE STUDY: DPA RESISTANT SBOX9

Although the NED andNSD values of the proposals provide agood idea of their robustness against DPA attacks, the definitiveway to measure security is actually to carry out DPA attack andsee what happens and to this end such an attack was simulated.A DPA attack aims to recover the secret key of a cripto-

graphic device, in which the input patterns and the cripto-graphic algorithm were known. The subject of this case studywas the 9-bit substitution box, henceforth calling Sbox9, usedin the Kasumi algorithm [47], a block enciphering system. It iswidely recognized that Sbox is the main source of significantleakage signals, and hence a prime target for DPA block-ciphercircuit attackers [6], [48]. Sbox9 can easily be implemented withonly two-input AND and two-input XOR gates [49]. The de-signed circuit scheme is shown in Fig. 13, where is a 9-bitinput pattern, is a 9-bit key, is the input data of the Sbox9obtained after a XOR operation between and is a 9-bitoutput data and is the measured current in the Sbox9during encryption.To evaluate the improvement produced by our proposals,

three different Sbox9s were designed, using: 1) CMOS gates,2) classic SABL gates, and 3) proposed AND/NAND andXOR/XNOR SABL gates. For a realistic and fair comparison,practical clock networks were considered to evaluate circuitoperating security under identical conditions.The Sbox9s, with 84AND/NAND and 95XOR/XNOR gates,

were designed in CADENCE using TSMC 90 nm (V) technology. They were simulated with SPECTRE under

nominal conditions, i.e., typical model for transistors, nominalVdd and C. The simulation environment was set withmaximum simulation resolution, capturing data every 10 ps,with a clock frequency of 500 MHz, and without noise sourcesin order to ensure the best possible conditions for an attacker.It is expected that obtained results would be extended to ex-perimental results on chips or simulation under more realisticconditions, as PVT variation, particular routing, layout non ide-alities, etc. Since only DPDN is modified, variations in securityvalues should affect all proposals in the same way.Fig. 14 shows the DPA attack flows [6]. First, an interme-

diate result of the executed algorithm had to be chosen. In thisspecific case, it was the output of the Sbox9, since this is a valuedependent on the input pattern (known) and the key (unknown).Power consumption of the Sbox9 then had to be measuredduring encryption. To do so, a large amount of known inputpatterns were generated, obtaining array .During each encryption run, a power consumption trace was

measured, thereby obtaining a matrix of size beingthe number of input patterns generated and the number ofpoints measured per trace. The next step was to calculate thehypothetical intermediate values for every possible key. To dothis, array was created, containing all thepossible keys; in this case, possible keys. With theinput patterns vector and the possible keys vector beingknown, it was easy to calculate the intermediate values matrix

, where ; andthe size of . The intermediate values were thenmapped to power consumption values and store in the matrixof hypothetical power consumption values . The intermediatevalues were mapped into hypothetical power consumptionvalues using the Hamming Distance (HD) model, which de-scribes the power consumption of CMOS circuits better thanother models like Hamming Weight (HW) model when theattacked device is known. In the HD model, the hypotheticalpower consumption of a transition is directly proportional to the

. Finally, the hypothetical power valueswere compared with the measured power traces, correlatingmatrix with matrix . The result of this correlation was matrixof size . The key with the maximum correlation

would be the correct key. In the reference proposal the securityflaw was in the neighborhood of the precharge to evaluationtransition, where the correlation takes maximum values, but inthe proposed solutions this security flaw disappeared.The DPA attack was carried out under MATLAB R2009a

after extracting power traces with a SPECTRE simulation of theSbox9 under input patterns.The first attack carried out was on the Sbox9 CMOS. 1250

random input patterns were applied, obtaining the results shownin Fig. 15, which shows the correlation versus number of inputpatterns for a random key (Key1). As a security metric, thenumber of measurements to disclosure (MTD) proposed in [50]was used, since this has been used in numerous studies as a se-curity metric for DPA resistant systems [11], [51]. MTD is theminimum number of input patterns required to obtain the correctkey of a cryptographic device. For the DPA attack with Key1, inSbox9 CMOS the MTD measured was 145. Fig. 16 shows theresults of the attack on Sbox9 SABL. As in Sbox9 CMOS, thesame 1250 input patterns were applied, and the MTD measuredincreased to 344, about 2.37 higher than vulnerable CMOS.Finally, the Sbox9 with the proposed gates was attacked. It canbe seen in Fig. 17 that even the 10 000 input patterns not onlyare not enough to reveal the correct key, but the key is not fore-seen to be disclosed.Since the simulation time of this last attack involves one day

and 53 min of electrical simulation and 28 min of MATLABprocessing, increasing the input patterns clearly becomes unfea-sible, thus demonstrating that the security of the proposed Sbox9designed with the AND/NAND (P) and XOR/XNOR (2P) pro-posals is very much higher than that of the classic SABL.The results of the simulation-based DPA attacks on the three

different Sbox9s are reported in Table III. For each Sbox9, thetable gives the number of transistors used for the design, thenumber of input patterns used in the attack, the measured MTDfor Key1 and the average MTD. Average MTD has been calcu-lated after the attack with eight different random keys for every


Fig. 14. DPA flow using correlation and simulation setup for Sbox9.

Fig. 15. Correlation coefficients versus trace number for the standard cell im-plementation of the Sbox9 (1250 input patterns for Key1).

Fig. 16. Correlation coefficients versus trace number for the classic SABL im-plementation of the Sbox9 (1250 input patterns for Key1).

Sbox9 proposals. As expected, CMOS logic was found to beunsuitable for cryptographic applications because its MTD is

Fig. 17. Correlation coefficients versus trace number for the improved SABLimplementation of the Sbox9 (10000 input patterns for Key1).

TABLE IIISIMULATION DPA ATTACK RESULTS

lower than that of classic SABL and much lower that of our pro-posal. Based on the results obtained in Section IV, it can be saidthat the NED and NSD values predict the improved security ofour proposals compared with classic SABL cells. From resultsin Table III, we obtained an improvement of at least one orderof magnitude in security (

being strictly verified, although the NED andNSD values obtained for the single gates, and the poor evidencesof the correct key curve appearing in Fig. 17 predict an improve-ment of several orders of magnitude.

VI. DPA ATTACK UNDER TEMPERATURE VARIATIONS

In the previous sections, we have shown how the security flawcaused by the memory-effect in internal nodes in the DPDNwas


TABLE IVDPA SIMULATION RESULTS FOR TEMPERATURE VARIATIONS

(almost) eliminated by applying the appropriate methodology.In energy-secure systems, such weaknesses should be detectedin advance in order to guarantee adequate security levels.Furthermore, we have also noticed that additional security

flaws may be caused by variations in the temperature of thecryptographic device during encryption. This phenomenonshould be carefully studied in modern energy/temperature-se-cure cryptographic devices in order to protect them against DPAattacks. Basically, as will be demonstrated, temperature varia-tion during DPA attacks modifies the number of input patternsneeded to recover the correct key. To show the temperaturerange in which the vulnerability (strength) of the proposal isminimum (maximum), it was decided to simulate DPA attacksat different temperatures.The effect of temperature on the operation of CMOS-based

electronic circuits has been extensively studied in the literature[52], [53]. Two main temperature-related effects have been re-ported at a transistor level: mobility degradation and a decreasein threshold voltage, producing a noticeable reduction in oper-ation speed as the temperature rises. Power consumption alsoincreases with rising temperatures, and this increases exponen-tially for leakage power [10]. However, the effect of operatingtemperature on the security of cryptohardware has not beeninvestigated in depth, excepting leakage power analysis [11].Thermal attacks have traditionally been based on increasing/de-creasing the temperature until the device fails [54], consideredas a fault injection attack. The scope of this section is quite dif-ferent. Here, the circuits were attacked while fully operative,the objective being to analyze the vulnerability of our proposalswhen subjected to temperature variations. In [55], it is claimedthat vulnerability increases with rising temperatures, becausevariation in power consumption decreases. However, the mul-tiple dependence of related CMOS parameters on temperaturemake it necessary to simulate full scale attacks in order to reachdefinitive conclusions.The simulations were performed on the Sbox9 using the same

setup and test conditions described in Section V, with a temper-

ature range set that caused no malfunction in the cryptographicdevice; i.e., from 0 C up to 85 C.Table IV shows the simulated DPA attack results with the

different temperature variations. In each attack, the same 2000input patterns were applied. For each temperature, Table IVshows the MTD, the maximum correlation values (Max. Corr.),the differences between the maximum correlation value and thesecond maximum value (Diff. Corr.), and the maximum corre-lation point of the DPA attack for the CMOS and classic SABLsolutions with a random key. The maximum correlation valueand the difference correlation value metrics illustrate more ac-curately how temperature affects correlation values. The valueof the maximum correlation point attack given for the classicSABL Sbox9 and the CMOS Sbox9 increased with temperaturein both cases. The maximum correlation point varies in time,and so a preliminary study had to be made before the attack tocorroborate the resolution in the acquired data. No results are in-cluded for the proposed Sbox9 with the enhanced AND/NANDand XOR/XNOR SABL gates, since these proposals offer max-imum security for all the temperatures selected (the keys are notretrieved). The results for the classic SABL Sbox9 at 0 C and5 C are not shown because the DPA attacks were unsuccessfulat these temperatures.Fig. 18 represents MTD–Max.Corr.–Diff.Corr. versus tem-

perature. The CMOS Sbox9 clearly presents similar MTDvalues regardless of temperature. This means that the attackcould be effective at any temperature, so no conclusions canbe drawn with regard to attack/defense. On the other hand,the Max. Corr. and the Diff. Corr. values increase with tem-perature, meaning that the correct key peak increases with thetemperature in comparison with the incorrect keys.However, the behavior of classic SABL Sbox9 shown in

Fig. 19 was quite interesting. Security was considerably reducedin several windows. More specifically, temperatures between15 C to 35 C and 60 C to 85 C made the cryptocircuitmore vulnerable to DPA attacks, while at temperatures lowerthan 10 C and 40 C to 50 C, system security increased. The


Fig. 18. MTD, the maximum correlation values (Max. Corr.), and the differ-ences between the maximum correlation value and the second maximum value(Diff. Corr.) for DPA attack under temperature variations of Sbox9 CMOS.

Fig. 19. MTD, the maximum correlation values (Max. Corr.), and the differ-ences between the maximum correlation value and the second maximum value(Diff. Corr.) for DPA attack under temperature variations of Sbox9 ClassicSABL.

optimal temperature range was lower than 10 C, where theDPA attack using 2000 input patterns was unsuccessful.These results are quite interesting, but requiring further work

to be theoretically explained and to make possible a predictionfrom design characteristics. It seems to be clear that tempera-ture variation brings opposite effect in security characteristics,as it has been demonstrated for Physical Unclonable Functions[56] and True RandomNumber Generators [57], where postpro-cessing units are needed to increase security.In view of these results, the circuit can be protected by inten-

tionally cooling/heating it if the chosen operating temperature

TABLE VSIMULATION RESULTS OF SINGLE GATES

range lies in the less vulnerable area. In this regard, it is neces-sary to evaluate the selected proposal to detect window vulner-ability.

VII. CONCLUSION AND FUTURE WORK

This paper has presented a methodology for improving theDPDN of differential logic gates used in cryptographic applica-tions. Two new mechanisms were presented to remove chargein the pull-down of a differential gate and eliminate the memoryeffect. Both of them—the single-switch solution and the double-switch solution—can be used in any differential structure for se-curity applications. Using our configuration, the DPA-resistanceof the gate was improved, with minimum performance degrada-tion.The applicability of the proposed methodology was

demonstrated by designing the two-input AND/NANDand XOR/XNOR gates. In a first phase of design, twometrics—NED and NSD—were used to quantify the po-tential DPA-resistance of the proposed gates. Using theresults of the single gate simulations shown in Table V, wewere able to choose the best proposal for the AND/NANDgate (single-switch solution) and the XOR/XNOR gate(double-switch solution) for further analysis. As can be seen,neither power degradation nor delay were significant, makingthe proposals suitable for use in low power applications.To evaluate the DPA-resistance of the proposed gates, part

of a cryptographic algorithm was developed: the Sbox9 of theKasumi algorithm. Sbox9 was designed with three differentstrategies: 1) CMOS gates, 2) classic SABL gates, and 3) theproposed AND/NAND (P) and XOR/XNOR SABL (2P) gates.After simulating DPA attacks, we obtained the following results(as expected): the CMOS logic is not suitable for cryptographicapplications, the classic SABL Sbox9 is more resistant toDPA attacks than the CMOS variant, but is considerably morevulnerable than our proposal. The DPA attacks showed thatour proposal increases DPA-resistance by much more than oneorder of magnitude with respect to the classic SABL Sbox9.A new study was carried out to determine security varia-

tion in cryptosystems when a DPA attack is performed undertemperature variations. To detect the security flaws caused bytemperature variations, DPA attacks at different temperatureswere simulated for Sbox9 CMOS, SABL classic and proposal.The results obtained indicated that CMOS circuits were vulner-able regardless of temperature, but in the case of classic SABLSbox9, cryptocircuits operating at temperatures lower than 10C are extremely more secure. Cooling the circuit intentionallycan therefore help to protect the circuit against DPA attacks. No


results are shown for the DPA attack with temperature varia-tions on the proposed Sbox9 with the enhanced AND/NANDand XOR/XNOR SABL gates, because the proposals offer max-imum security for all the temperatures selected (the keys are notretrieved).As future work, the implementation of different Sboxes and

block- or stream-cipher is going to be considered to apply theproposed methodology. The comparison with other strategies,not necessarily based on full-custom solutions, will enable theright selection of the best proposals for secure cryptosistems. Insuch comparisons, PVT variations, interconnects, and nonsym-metric layouts will take an important role. Finally, a thermal-aware mechanism to on-chip temperature sensing and able tocool/heat the cryptoprocessor will be developed, in order to dy-namically operate in the most secure temperature.

REFERENCES[1] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source

Code in C, 2nd ed. New York: Wiley, 1996.[2] P. Kocher, “Timing attacks on implementations of Diffie-Hellman,

RSA, DSS, other systems,” in Proc. Int. Cryptol. Conf., 1996, pp.104–113.

[3] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-card security under the threat of power analysis attacks,” IEEE Trans.Comput., vol. 51, no. 5, pp. 541–552, May 2002.

[4] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proc.Int. Cryptol. Conf., 1999, pp. 388–397.

[5] Y. Hayashi, N. Homma, T. Mizuki, T. Aoki, H. Sone, L. Sauvage, andJ. L. Danger, “Analysis of electromagnetic information leakage fromcryptographic devices with different physical structures,” IEEE Trans.Electromagn. Compatibil., vol. 55, no. 3, pp. 571–580, Jun. 2013.

[6] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Re-vealing the Secrets of Smart Cards. New York: Springer, 2007.

[7] M. Alioto, M. Poli, and S. Rocchi, “A general power model of differ-ential power analysis attacks to static logic circuits,” IEEE Trans. VeryLarge Scale (VLSI) Syst., vol. 18, no. 5, pp. 711–724, May 2010.

[8] P. Liu, H. Chang, and C. Lee, “A low overhead DPA countermeasurecircuit based on ring oscillators,” IEEE Trans. Circuits Syst. II, Exp.Briefs, vol. 57, no. 7, pp. 546–550, Jul. 2010.

[9] L. Lin and W. Burleson, “Leakage-based differential power analysis(LDPA) on sub-90 nmCMOS cryptosystems,” inProc. IEEE Int. Symp.Circuits Syst., 2008, pp. 252–255.

[10] M. Alioto, L. Giancane, G. Scotti, and A. Trifiletti, “Leakage poweranalysis attacks: A novel class of attacks to nanometer cryptographiccircuits,” IEEE Trans. Circuits Syst. I: Reg. Papers, vol. 57, no. 2, pp.355–367, Feb. 2010.

[11] M. Alioto, S. Bongiovanni, M. Djukanovic, G. Scotti, and A. Trifiletti,“Effectiveness of leakage power analysis attacks on DPA-resistantlogic styles under process variations,” IEEE Trans. Circuits Syst. I,Reg. Papers, vol. 61, no. 2, pp. 429–442, Feb. 2014.

[12] E. Trichina, D. De Seta, and L. Germani, “Simplified adaptive multi-plicative masking for AES and its secure implementation,” in Proc. Int.Workshop Cryptogr. Hardware Embed. Syst., 2002, pp. 187–197.

[13] M. Bucci, R. Luzzi,M. Guglielmo, andA. Trifiletti, “A countermeasureagainst differential power analysis based on random delay insertion,”in Proc. IEEE Int. Symp. Circuits Syst., 2005, pp. 3547–3550.

[14] G. B. Ratanpal, R. D. Williams, and T. N. Blalock, “An on-chip signalsuppression countermeasure to power analysis attacks,” IEEE Trans.Depend. Secure Comput., vol. 1, no. 3, pp. 179–189, Jul./Sep. 2004.

[15] L. Goubin and J. Patarin, “DES and diferential power analysis—The“duplication” method,” in Proc. Int. Workshop Cryptogr. HardwareEmbed. Syst., 1999, pp. 158–172.

[16] M.-L. Akkar and C. Giraud, “An implementation of DES and AES, se-cure against some attacks,” in Proc. Int. Workshop Cryptogr. HardwareEmbed. Syst., 2001, pp. 309–318.

[17] E. Oswald, S. Mangard, N. Pramstaller, and V. Rijmen, “Aside-channel analysis resistant description of the AES S-Box,” inProc. Int. Workshop Fast Software Encrypt., 2005, pp. 413–423.

[18] Y. Ishai, A. Sahai, and D. Wagner, “Private circuits: Securing hard-ware against probing attacks,” in Proc. Int. Cryptol. Conf., 2003, pp.463–481.

[19] D. Suzuki, M. Saeki, and T. Ichikawa, Random switching logic: Acountermeasure against DPA based on transition probability Rep. 2004/346, 2004 [Online]. Available: http://eprint.iacr.org

[20] S. Mangard, T. Popp, and B. M. Gammel, “Side-channel leakage ofmasked CMOS gates,” in Topics Cryptol., 2005, pp. 351–365.

[21] S. Mangard, N. Pramstaller, and E. Oswald, “Successfully attackingmasked AES hardware implementations,” inProc. Int. Workshop Cryp-tograph. Hardware Embed. Syst., 2005, pp. 157–171.

[22] M. Alam, S. Ghosh, M. J. Mohan, D. Mukhopadhyay, D. R. Chowd-hury, and I. S. Gupta, “Effect of glitches against masked AES S-boximplementation and countermeasure,” IET Inf. Security, vol. 3, no. 1,pp. 34–44, Mar. 2009.

[23] K. Tiri, M. Akmal, and I. Verbauwhede, “A dynamic and differentialCMOS logic with signal independent power consumption to withstanddifferential power analysis on smart cards,” in Proc. Eur. Solid-StateCircuits Conf., 2002, pp. 403–406.

[24] S. Guilley, L. Sauvage, F. Flament, V.-N. Vong, P. Hoogvorst, and R.Pacalet, “Evaluation of power constant dual-rail logics countermea-sures against DPA with design time security metrics,” IEEE Trans.Comput., vol. 59, no. 9, pp. 1250–1263, Sep. 2010.

[25] Z. Toprak and Y. Leblebici, “Low-power current mode logic forimproved DPA-resistance in embedded systems,” in Proc. IEEE Int.Symp. Circuits Syst., 2005, pp. 1059–1062.

[26] T. Popp and S.Mangard, “Implementation aspects of the DPA-resistantlogic style MDPL,” in Proc. IEEE Int. Symp. Circuits Syst., 2006, p. 4.

[27] F. Macé, F.-X. Standaert, and J.-J. Quisquater, “Information theoreticevaluation of side-channel resistant logic styles,” in Proc. Int. Work-shop Cryptogr. Hardware Embed. Syst., 2007, pp. 427–442.

[28] M. Bucci, L. Giancane, R. Luzzi, and A. Trifiletti, “A flip-flop forthe DPA resistant three-phase dual-rail pre-charge logic family,” IEEETrans. Very Large Scale (VLSI) Syst., vol. 20, no. 11, pp. 2128–2132,Nov. 2012.

[29] L. Giancane, P. Marietti, M. Olivieri, G. Scotti, and A. Trifiletti, “Anew dynamic differential logic style as a countermeasure to power anal-ysis attacks,” in Proc. IEEE Int. Conf. Electron., Circuits Syst., 2008,pp. 364–367.

[30] B.-D. Choi, K. E. Kim, K.-S. Chung, and D. K. Kim, “Symmetric adi-abatic logic circuits against differential power analysis,” ETRI J., vol.32-1, pp. 166–168, Feb. 2010.

[31] T. Popp and S. Mangard, “Masked dual-rail pre-charge logic: DPA-re-sistance without routing constraints,” in Proc. Int. Workshop Cryptogr.Hardware Embed. Syst., 2005, pp. 172–186.

[32] D. Suzuki andM. Saeki, “Security evaluation of DPA countermeasuresusing dual-rail pre-charge logic style,” in Proc. Int. Workshop Cryp-togr. Hardware Embed. Syst., 2006, pp. 255–269.

[33] K. Tiri and I. Verbauwhede, “A logic level design methodology for asecure DPA resistant ASIC or FPGA implementation,” inProc. Design,Automat. Test Eur. Conf. Exhibit., 2004, pp. 246–251.

[34] A. Moradi, M. Kirschbaum, T. Eisenbarth, and C. Paar, “Maskeddual-rail precharge logic encounters state-of-the-art power analysismethods,” IEEE Trans. Very Large Scale (VLSI) Syst., vol. 20, no. 9,pp. 1578–1589, Sep. 2012.

[35] R. Soares, N. Calazans, V. Lomne, P. Maurine, L. Torres, and M.Robert, “Evaluating the robustness of secure triple track logic throughprototyping,” in Proc. 21st Annu. Symp. Integrat. Circuits Syst.Design, 2008, pp. 193–198.

[36] M. Nassar, S. Bhasin, J.-L. Danger, G. Duc, and S. Guilley, “BCDL:A high speed balanced DPL for FPGA with global precharge and noearly evaluation,” in Proc. Design, Automat. Test Eur. Conf. Exhibit.,2010, pp. 849–854.

[37] P. Yu and P. Schaumont, “Secure FPGA circuits using controlled place-ment and routing,” in Proc. 5th IEEE/ACM Int. Conf. Hardware/Soft-ware Codesign Syst. Synthesis, 2007, pp. 45–50.

[38] K. Tiri and I. Verbauwhede, “A digital design flow for secure integratedcircuits,” IEEE Trans. CAD Integrat. Circuits Syst., vol. 25, no. 7, pp.1197–1208, Jul. 2006.

[39] S. Guilley, F. Flament, R. Pacalet, P. Hoogvorst, and Y. Mathieu, “Se-cured CAD backend flow for power-analysis resistant cryptoproces-sors,” IEEE Design Test Comput., vol. 24, no. 6, pp. 546–555, Nov./Dec. 2007.

[40] M. W. Allam and M. I. Elmasry, “Dynamic current mode logic(DyCML): A new low-power high-performance logic style,” IEEE J.Solid-State Circuits, vol. 36, no. 3, pp. 550–558, Mar. 2001.

[41] I. Hassoune, F. Macé, D. Flandre, and J.-D. Legat, “Low-swing currentmode logic (LSCML): A new logic style for secure and robust smartcards against power analysis attacks,”Microelectron. J., vol. 37, no. 9,pp. 997–1006, Sep. 2006.


[42] M. Bucci, L. Giancane, R. Luzzi, and A. Trifiletti, “Three-phase dual-rail pre-charge logic,” in Proc. Int. Workshop Cryptograph. HardwareEmbed. Syst., 2006, pp. 232–241.

[43] M. Bucci, L. Giancane, R. Luzzi, G. Scotti, and A. Triletti, “Delay-based dual-rail precharge logic,” IEEE Trans. Very Large Scale (VLSI)Syst., vol. 19, no. 7, pp. 1147–1153, Jul. 2011.

[44] J. Castro, P. Parra, and A. J. Acosta, “An improved differential pull-down network logic configuration for DPA resistant circuits,” in Proc.IEEE Int. Conf. Microelectron., 2010, pp. 311–314.

[45] K. Tiri and I. Verbauwhede, “Design method for constant power con-sumption of differential logic circuits,” in Proc. Design, Automat. TestEur. Conf. Exhibit., 2005, pp. 628–633.

[46] K. Tanimura and N. D. Dutt, “HDRL: Homogeneous dual-rail logic forDPA attack resistive secure circuit design,” IEEE Embed. Syst. Lett.,vol. 4, no. 3, pp. 57–60, Sep. 2012.

[47] Third Generation Partnership Project, 3GPP TS 35.203, ETSI/SAGE,“Specification of the 3GPP confidentiality and integrity algorithms,”ver. 3.1.2, 1999.

[48] T. Sugawara, N. Homma, T. Aoki, and A. Satoh, “Differential poweranalysis of AES ASIC implementations with various S-box circuits,”in Proc. Eur. Conf. Circuit Theory Design, 2009, pp. 395–398.

[49] Third Generation Partnership Project, 3GPP TS 35.202, ETSI/SAGE,“Specification of the 3GPP confidentiality and integrity algorithms;Document 2: KASUMI specification,” ver. 7.0.0, Release 6, 2007.

[50] K. Tiri, D. Hwang, A. Hodjat, B. C. Lai, S. Yang, P. Schaumont,and I. Verbauwhede, “Prototype IC with WDDL and differentialrouting—DPA resistance assessment,” in Proc. Int. Workshop Cryp-togr. Hardware Embed. Syst., 2005, pp. 354–365.

[51] K. Tiri and I. Verbauwhede, “A VLSI design flow for secure side-channel attack resistant ICs,” in Proc. Design, Automat. Test Eur. Conf.Exhibit., 2005, pp. 7–11.

[52] R. Kumar and V. Kursun, “Reversed temperature-dependent propaga-tion delay characteristics in nanometer CMOS circuits,” IEEE Trans.Circuits Syst. II, Exp. Briefs, vol. 53, no. 10, pp. 1078–1082, Oct. 2006.

[53] S. Kalra, “Effect of temperature dependence on performance of dig-ital CMOS circuit technologies,” in Proc. Int. Conf. Signal Process.Commun., 2013, pp. 392–395.

[54] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, “Thesorcerer’s apprentice guide to fault attacks,” Proc. IEEE, vol. 94, no.2, pp. 370–382, Feb. 2006.

[55] A. Vijaykumar, “DPA resistance of cryptographic circuits consideringtemperature and process variations,” M.S. thesis, Univ. Cincinnati,Cincinnati, OH, USA, Jul. 2012.

[56] R. Maes, V. Rozic, I. Vervauwhede, P. Koeberl, and E. Van Der Leest,“Experimental evaluation of physically unclonable functions in 65 nmCMOS,” in Proc. Eur. Solid-State Circuits Conf., 2012, pp. 486–489.

[57] M. Soucarros, C. Canovas-Dumas, J. Clediere, P. Elbaz-Vincent, andD. Real, “Influence of the temperature on true random number gen-erators,” in Proc. IEEE Int. Symp. Hardware-Oriented Security Trust,2011, pp. 24–27.

Erica Tena-Sánchez received the B.Sc. degreein telecommunications from the University ofCantabria, Cantabria, Spain, in 2010, and the Elec-tronics Engineering degree (with honors) and theM.Sc. degree in microelectronics from the Univer-sity of Seville, Seville, Spain, in 2012 and 2013,respectively.Since 2011, she has been with the Instituto de Mi-

croelectrónica de Sevilla (IMSE-CNM-CSIC)/Uni-versity of Seville, Seville, Spain. Her currentresearch interests lies in the field of CMOS digital

design of secure cryptographic circuits.

Javier Castro received the B.Sc. five-year degreein physics and the Ph.D. degree in microelectronics,both from the University of Seville, Seville, Spain,in 2003 and 2011, respectively.From 2003 to March 2013, he worked at the In-

stituto de Microelectrónica de Sevilla (IMSE-CNM-CSIC)/University of Seville. His main research inter-ests include low-power and low-noise CMOS digitalVLSI design and DPA-resistant cryptographic digitalcircuits. He currently works for AnaFocus, Seville,Spain, as a Digital Design Engineer.

Antonio J. Acosta received the B.Sc. five-year de-gree in physics and the Ph.D. degree in physics fromthe University of Seville, Seville, Spain, in 1989 and1995, respectively.He is Full Professor at the University of Seville

and Senior Researcher at the Instituto de Micro-electrónica de Sevilla (IMSE-CNM-CSIC), Seville,Spain. His current research interests lie in thefields of low-power and low-noise CMOS digitaland mixed-signal high-performance VLSI Design,timing in VLSI digital system, and cryptographic

circuits. He has co-authored more than 100 international scientific publicationsand has led a number of different national and European R&D projects.Dr. Acosta has served as a member of editorial boards for international jour-

nals and on program committees for several prestigious conferences. He wasGeneral Chair of the 2002 PATMOS International Workshop.

Documents

IEEE JOURNAL ON EMERGING AND SELECTED …kresttechnology.com/krest-academic-projects/krest-mtech-projects... · IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS,