J. Shanghai Jiaotong Univ. (Sci.), 2014, 19(2): 169-172

DOI: 10.1007/s12204-014-1486-6

A Standard Cell-Based Leakage Power Analysis AttackCountermeasure Using Symmetric Dual-Rail Logic

ZHU Nian-hao∗ (���), ZHOU Yu-jie (���), LIU Hong-ming (���)(School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China)

© Shanghai Jiaotong University and Springer-Verlag Berlin Heidelberg 2014

Abstract: Leakage power analysis (LPA) attacks aim at finding the secret key of a cryptographic device frommeasurements of its static (leakage) power. This novel power analysis attacks take advantage of the dependenceof the leakage power of complementary metal oxide semiconductor (CMOS) integrated circuits on the data theyprocess. This paper proposes symmetric dual-rail logic (SDRL), a standard cell LPA attack countermeasure thattheoretically resists the LPA attacks. The technique combines standard building blocks to make new compoundstandard cells, which are close to constant leakage power consumption. Experiment results show SDRL is apromising approach to implement an LPA-resistant crypto processor.Key words: correlation power analysis, cryptograph, differential power analysis, leakage power analysis (LPA),power analysis, simple power analysisCLC number: TN 918 Document code: A

0 Introduction

With the massive spreading out of inexpensive in-tegrated circuits which are able to store and processconfidential data, the phenomena that more and moreresearch on information security issue have been sprungup[1]. Recently, power analysis attack has extensivelyshown to be a major threat to the security of data thatare processed and stored in cryptographic devices, suchas smart cards, because power analysis attacks can gen-erally be performed using relatively cheap equipment[2].

In traditional dynamic power analysis attacks[3], dif-ferential power analysis (DPA), simple power analysis(SPA) and correlation power analysis (CPA) are threetypical ways to analyze dynamic power traces whichare recorded during intermediate data are processed[4].The DPA, SPA and CPA are exhaustively studied inthe past ten years. But they all exploit dynamic powerto recover keys, nothing with leakage power.

As complementary metal oxide semiconductor(CMOS) technology is scaled down, leakage power ispredicted to become dominant than dynamic power[5].Reference [6] proposed leakage power analysis (LPA)attack which is a novel class of attack to nanometercryptographic circuits. LPA attacks are recently shown

Received date: 2013-03-06Foundation item: the Software and Integrated Circuit

Industries Development Foundation of Shanghai(No. 12Z116010001)

∗E-mail: zhunianhao2005@163.com

to be a new serious threat to information security ofsmart cards, but countermeasures to LPA attacks havenot been exhaustibly researched so far. Hence, counter-measure to LPA attack is very urgent and essential[7-8].

This paper proposes symmetric dual-rail logic(SDRL), a standard cell LPA attack countermeasurethat theoretically resists the LPA attacks. The tech-nique combines standard building blocks to make newcompound standard cells, which are close to constantpower consumption. Dual-rail logic has been proposedto thwart dynamic power analysis attack for manyyears, but in this work we use dual-rail logic in LPAattack. That is the novelty of this work.

1 Overview of LPA Attack

1.1 Leakage of Standard CMOS Logic Gate

The leakage current of standard CMOS logic gatesstrongly depends on their input patterns[9]. As an ex-ample, we simulated a two-input NAND gate imple-mented with standard logic style in 65 nm CMOS tech-nology such as in Fig. 1(a). The input pattern is I ={00, 01, 10, 11}, and corresponding leakage power isP = {P00, P01, P10, P11}. Tables 1 and 2 explicitlyshow that the leakage of a two-input NAND gate hasa strong dependence on input patterns, with a devia-tion of 10.692 nW leakage power. Furthermore, it isapparent that the leakage only depends on the Ham-ming weight of input patterns. That is the basic theorythat is employed to implement LPA attack[10].

170 J. Shanghai Jiaotong Univ. (Sci.), 2014, 19(2): 169-172

A

BY

A

BY

A

BY

(a) Standard NAND gate (b) SDRL NAND gate

Fig. 1 Two types of NAND gates

Table 1 Leakage power of two types of gate(65 nm technology at 25◦C)

A B Standard NAND/nW SDRL NAND/nW

0 0 0.403 9.91

0 1 1.74 5.93

1 0 4.93 5.93

1 1 7.68 9.91

Table 2 Fluctuation of two types of gate (65 nmtechnology at 25◦C)

Power of

standard NAND/nW

Power of

SDRL NAND/nW

Mean 3.688 7.92

Deviation 10.692 5.28

1.2 LPA Attack to Advanced Encryption Stan-dard S-Box

In this part, we implement an LPA attack to ad-vanced encryption standard (AES) crypto core inFig. 2. Flow of LPA attack is given in the relatedwork[6]. For the sake of simplicity, let us assume, withno loss of generality, that the key is fixed to 0x2B. Inthe first step, we chose output of S-box as internal datathat were physically generated within the circuit. Inthe second step, we applied 256 different plain wordsfrom 0 to 255 and measured the corresponding leak-age power of cryptographic chip. In the third step, weguessed all possible keys. In the fourth step, ideal leak-age power was estimated according to hamming weight.In the last step, correlation coefficients for all possiblekeys were calculated. The right key might lead thehighest correlation coefficient among all possible key.In Fig. 3, the dashed line is the correlation coefficientwhen key is 0x2B, while solid lines are the correlationcoefficients when keys are equal to other values. It isapparent that the correct key 0x2B leads the highest

8-bitplainword

8-bitcipherword

8-bit secret key

S-box

Fig. 2 Structure of AES S-box crypto core

0 20 40

0x2BOther values

60 80 100−1.0

−0.5

0

0.5

1.0

Cor

rela

tion

coe

ffic

ient

Number of power sample

Fig. 3 LPA attack to AES crypto core

value among all possible keys. So LPA attack is suc-cessful to AES crypto core which is implemented withstandard CMOS logic.

2 Symmetric Dual-Rail Logic

2.1 Standard NAND GateFigure 1(a) is a standard NAND gate, which is a nor-

mal standard CMOS cell. Tables 1 and 2 show the leak-age of standard NAND gate. The leakage of standardNAND gate is contributed by negative channel metaloxide semiconductor (NMOS) or/and positive channelmetal oxide semiconductor (PMOS) transistor becausethis device is in the cut off region.

When input is I = 00, the leakage current of NADNgate is equal to leakage current of 2 NMOS transistorsbecause this two device is in cut off region. And wheninput is I = 01 or I = 10, the leakage current of NADNgate is equal to leakage current of NMOS and PMOStransistor. Then when input takes I = 11, the leakagecurrent of NAND gate is equal to leakage current of twoPMOS transistors. Because of the difference betweenleakage current of NMOS transistor and leakage currentof PMOS transistor, the relation of leakage power ofstandard is theoretically in the following.

P00 �= P01, P01 = P10

P01 �= P11, P00 �= P11

}. (1)

Figure 4 shows simulation leakage power of standard

200 400 600 8000

2

4

6

8

10

Time/ns

Pow

er/n

W

Fig. 4 Standard NADN gate leakage power

J. Shanghai Jiaotong Univ. (Sci.), 2014, 19(2): 169-172 171

NAND gate. Input patterns are respectively 00, 01,10 and 11 from 0ns to 800ns in 65 nm technology. Itdemonstrates that leakage power of standard NANDgate varies with the input pattern with a deviation of10.692nW. We can see that standard NAND gate can-not thwart LPA attack because leakage of a two-inputNAND gate has a strong dependence on input pattern,with a deviation of 10.692 nW leakage power.2.2 SDRL NAND Gate

Figure 1(b) shows how to organize SDRL NANDgate. The complementary cell of wave dynamic dif-ferential logic (WDDL) is an OR cell[11]. In contrast,the complementary cell of SDRL is the same as the pri-mary cell. Primary cell and complementary cell havethe same parameters such as channel width and chan-nel length, so leakage of primary cell always equals tothe leakage of complementary, when they are appliedwith the same input pattern.

The input pattern applied to primary cell and com-plementary cell is always complementary. That is tosay, the input pattern of the complementary cell is al-ways negations of the input pattern of the primary cellat any time. Because the input pattern is always com-plementary, devices of the primary cell, which are incut off region, are always in conduction on region ofcounterpart device of complementary. From the dis-cussion above, we can see that, the devices of SDRLgate, which are in the cut off region, are always twoPMOSs and two NMOSs whenever the input patter isapplied. We denote P00 is the leakage power of SDRLgate when the input pattern I = 00 is applied into theprimary cell, and P01, P10, P11 are the leakage powerof SDRL gate when input pattern I = 01, 10, 11 areapplied into the primary cell. From above all, we caninfer the equations in the following.

P00 = P01, P01 = P10

P01 = P11, P00 = P11

}. (2)

From Eq. (2), we can have a conclusion that the leak-age current of SDRL gate is always the same wheneverthe input pattern is applied. We simulate the leakagecurrent of SDRL NAND gate in spice model. Figure5 is the simulation result of SDRL NAND gate. Inputpattern is respectively 00, 01, 10 and 11 from 0 ns to

200 400 600 80002

4

6

8

10

Time/ns

Pow

er/n

W

Fig. 5 SDRL NADN gate leakage power

800ns in 65 nm technology. The leakage power of SDRLNAND gate has the minimum dependence on input pat-terns, because its deviation is 5.28 nW leakage powers.2.3 Generalized SDRL Logic Circuit

In this part, we will certify that one can simply dupli-cate an original circuit so as to make a complementarycircuit of SDRL logic gates.

Remark 1 The sufficient conditions that A is theinput of the corresponding complementary cell to a pri-mary cell with an input A are that

Pr(A = 1) = Pr(A = 0),

where Pr stands for probability.If we use differential logic to implement the interface

of crypto core with other part of whole chip, this con-dition is easily met. And negations of primary circuitinputs satisfy Remark 1.

Remark 2 Outputs of primary and complementarycell from an SDRL logic gate satisfy Remark 1 if theinputs of the SDRL cell also satisfy Remark 1.

We can analyze SDRL NAND gate and NOR gate bytheir logic definitions, it is easily to find Remark 2 istrue, if the number of NAND gate and NOR gate areapproximately equal.

Even though we feed negation of primary inputs intothe complementary cells, the outputs from the comple-mentary cells are not negation of primary inputs, butdescendant cell still work as SDRL.

Remark 3 A chain of cell works as a complemen-tary circuit is a duplication of the primary circuit, andif the inputs of these circuits satisfy Remark 1.

Since Remarks 1 and 2 are true, Remark 3 is true.2.4 In SDRL Design Flow

In SDRL, one can duplicate the original circuit, andthe duplicated circuit works as complementary cells.First, we take an original circuit and conduct place androute. Second, we duplicate the design and put is nextto the original circuit from outside, the duplicated cir-cuit works as complementary cells. This method alsoduplicates the wire delay and capacitance that bringseven better power balancing.

3 Experiment Results

3.1 Experiment SetupIn this part, we implement AES S-box in Fig. 2 with

two types of logic, one is standard CMOS logic, andthe other is SDRL logic proposed in this paper. Wecarry LPA attacks to these two circuits. We make com-parisons in LPA attack resistance to demonstrate thatSDRL logic can thwart LPA attack. We also use post-layout simulation to validate our proposed countermea-sure, because layout can exert strong influence on thepower of dual-rail logic.3.2 Comparison in LPA Attack Resistance

Attacker should apply hundreds of input patterns tocryptographic circuit and record and store hundreds of

172 J. Shanghai Jiaotong Univ. (Sci.), 2014, 19(2): 169-172

traces to recovery the secret key. Figure 3 shows LPAattack to AES S-box without countermeasure, whileFig. 6 demonstrates LPA attack to AES S-box withcountermeasure proposed in this paper. For the sakeof simplicity, let us assume, with no loss of generality,that the key is fixed to 0x2B. In LPA attack, if theguessed key leads to the highest correlation coefficient,the guessed key is the correct key. We plotted the cor-rect key 0x2B as dashed line. It is very apparent thatAES S-box without any countermeasure cannot resistLPA attack.

In Fig. 6, the correct key 0x2B cannot lead the high-est correlation coefficient. Attacker cannot recovery thesecret key. So it is clear that AES S-box with counter-measure presented in this paper can thwart LPA attack.Post simulation of AES S-box is shown in Fig. 7. It isapparent that correct key cannot lead the highest cor-relation coefficient.

0 20 40 60 80 100−0.2

−0.1

0

0.1

0.2

Number of power sample

Cor

rela

tion

coe

ffic

ient

Correct key 0x2B, Error keys

Fig. 6 LPA attack to AES crypto core implemented withSDRL logic

0 20 40 60 80 100−0.25

−0.15

−0.05

0.05

0.15

0.25

Number of power sample

Cor

rela

tion

coe

ffic

ient

Correct key 0x2B, Error keys

Fig. 7 LPA attack to AES engine with SDRL bypost-layout simulation

4 Conclusion

We have presented a technique to thwart LPA attackthat uses a logic style with data independent leakagepower consumption. The technique achieves perfect se-curity from the results of our experiment. We observe

that SDRL logic can thwart LPA attack. SDRL is apromising countermeasure to LPA attack.

References

[1] Alioto M, Poli M, Rocchi S. A general powermodel of differential power analysis attacks to staticlogic circuits [J]. IEEE Transactions on Very LargeScale Integration (VLSI) Systems, 2010, 18(5): 711-724.

[2] Popp T. An introduction to implementation at-tacks and countermeasures [C]//Proceedings of the7th IEEE International Conference on Formal Meth-ods and Models for Co-Design. Piscataway, NJ, USA:IEEE Press, 2009: 108-115.

[3] Brier E, Clavier C, Olivier F. Correlation poweranalysis with a leakage model [J]. Cryptographic Hard-ware and Embedded Systems, 2004, 3156: 16-29.

[4] Guneysu T, Moradi A. Generic side-channel coun-termeasures for reconfigurable devices [J]. Crypto-graphic Hardware and Embedded Systems, 2011, 6917:33-48.

[5] Abdollahi F, Fallah F, Pedram M. Leakage cur-rent reduction in CMOS VLSI circuits by input vectorcontrol [J]. IEEE Transactions on Very Large Scale In-tegration (VLSI) Systems, 2004, 12(2): 140-154.

[6] Alioto M, Giancane L, Scotti G, et al. Leakagepower analysis attacks: A novel class of attacks tonanometer cryptographic circuits [J]. IEEE Transac-tions on Circuits and Systems. I: Regular Papers, 2010,57(2): 355-367.

[7] Lin L, Burleson W. Leakage-based differential poweranalysis (LDPA) on sub-90nm CMOS cryptosystems[C]//Proceedings of IEEE International Symposium onCircuits and Systems. Seattle, Piscataway, NJ, USA:IEEE Press, 2008: 252-255.

[8] Djukanovic M, Giancane L, Scotti G, et al. Im-pact of process variations on LPA attacks effectiveness[C]//Proceedings of Second International Conferenceon Computer and Electrical Engineering. Piscataway,NJ, USA: IEEE Press, 2009: 102-106.

[9] Djukanovic M, Giancane L, Scotti G, et al.Leakage power analysis attacks: Effectiveness onDPA resistant logic styles under process variations[C]//Proceedings of IEEE International Symposium onCircuits and Systems (ISCAS). Piscataway, NJ, USA:IEEE Press, 2011: 2043-2046.

[10] Alioto M, Giancane L, Scotti G, et al. Leakagepower analysis attacks: Theoretical analysis and im-pact of variations [C]// Proceedings of 16th IEEE In-ternational Conference on Electronics, Circuits, andSystems. Piscataway, NJ, USA: IEEE Press, 2009: 85-88.

[11] Tiri K, Verbauwhede I. A logic level design method-ology for a secure DPA resistant ASIC or FPGA im-plementation [C]// Proceedings of Design, Automationand Test in Europe Conference and Exhibition. Piscat-away, NJ, USA: IEEE Press, 2004: 246-251.