On Measurable Side-Channel Leaks Inside ASIC Design Primitives

Leaks inside semi-custom ASIC (Application Specific Integrated Circuit) design primitives are rigorously investigated. The study is conducted by measuring a dedicated TEG (Test Element Group) chip with a small magnetic-field probe placed on the chip surface. The measurement targets are standard cells and a memory macro cell. The study focuses on leaks inside the primitives because many conventional countermeasures place their measurability boundaries on these primitives. First, it is shown that the current-path leak, a leak based on the input-dependent active current path within a standard cell [1], is measurable. Major gate-level countermeasures (RSL, MDPL, and WDDL) become vulnerable if the current-path leak is considered. Second, it is shown that the internal-gate leak, a leak based on a non-linear sub-circuit within an XOR cell, is measurable. It can be exploited to bias the distribution of the random mask. Third, it is shown that the geometric leak, a leak based on the geometric layout of the memory matrix structure, is measurable. It is a leak correlated with the integer representation of the memory address. We also show that a ROM-based countermeasure (Dual-rail RSL memory [10]) becomes vulnerable when the geometric leak is considered. A general transistor-level design method to counteract the current-path and internal-gate leaks is also shown.

[1] Patrick Schaumont, et al. Changing the Odds Against Masked Logic, 2006, Selected Areas in Cryptography.

[2] Tsutomu Matsumoto, et al. A proper security analysis method for CMOS cryptographic circuits, 2012, IEICE Electron. Express.

[3] Daisuke Suzuki, et al. DPA Leakage Models for CMOS Logic Circuits, 2005, CHES.

[4] Siva Sai Yerubandi, et al. Differential Power Analysis, 2002.

[5] Stefan Mangard, et al. Power analysis attacks - revealing the secrets of smart cards, 2007.

[6] Ingrid Verbauwhede, et al. A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation, 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.

[7] Sylvain Guilley, et al. A First-Order Leak-Free Masking Countermeasure, 2012, CT-RSA.

[8] Fujino Takeshi, et al. AES Cryptographic Circuit utilizing Dual-Rail RSL Memory Technique, 2012.

[9] Ingrid Verbauwhede, et al. Design solutions for securing SRAM cell against power analysis, 2012, 2012 IEEE International Symposium on Hardware-Oriented Security and Trust.

[10] Y. Ozelci, et al. Power Analysis Resistant SRAM, 2006, 2006 World Automation Congress.

[11] Stefan Mangard, et al. Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations, 2006, CHES.

[12] John P. Uyemura. Introduction to VLSI Circuits and Systems, 2001.

[13] Jens-Peter Kaps, et al. Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs, 2010, 2010 International Conference on Reconfigurable Computing and FPGAs.

[14] Daisuke Suzuki, et al. Random Switching Logic: A Countermeasure against DPA based on Transition Probability, 2004, IACR Cryptol. ePrint Arch.

[15] Philippe Hoogvorst. Software Implementation of Dual-Rail Representation, 2011.

[16] Yang Li, et al. Fault Sensitivity Analysis, 2010, CHES.

[17] Eric Peeters, et al. Power and electromagnetic analysis: Improved model, consequences and comparisons, 2007, Integr.

[18] Thomas Eisenbarth, et al. Correlation-Enhanced Power Analysis Collision Attack, 2010, CHES.