asynchronous aes-side attack ieee

8/12/2019 Asynchronous AES-Side Attack IEEE

1/24

Asynchronous AES (Advanced Encryption

Standard) Key Expander and Round Function

Design for Improved Power Analysis Attack

Resistance

Siva Kotipalli 1 , Yong-Bin Kim 2 and Minsu Choi 3

1 Samsung Electronics, Austin, TX, USA

2 Department of Electrical and Computer Engineering,

Northeastern University, Boston, MA, USA

3 Department of Electrical and Computer Engineering,

Missouri University of Science & Technology, Rolla, MO, USA

Abstract

This work presents the design, hardware implementation and performance analysis of novel Asyn-

chronous AES (Advanced Encryption Standard) Key Expander and Round Function, which offer in-

creased Side-Channel Attack (SCA) resistance. These designs are based on a Delay Insensitive (DI) logic

paradigm known as Null Convention Logic (NCL), which supports a few useful properties for resisting

SCAs like dual-rail encoding, clock-free operation and monotonic transitions. Potential benets include

reduced and more uniform switching activities and reduced Signal-to-Noise (SNR) ratio. Thereby, theproposed designs leak less side-channel information than conventional approaches. To quantitatively

verify such improvements, software simulations for Functional verication and WASSO (Weighted

Average Simultaneous Switching Output) analysis simulations were carried out on both conventional

synchronous approach and the proposed NCL based approach using Mentor Graphics ModelSim and

Xilinx simulation tools. Hardware implementation was carried out on both the designs via a specied


2/24

2

Side channel Attack Standard Evaluation FPGA Board (SASEBO-GII) and the corresponding power

waveforms for both designs were collected. Along with the results of software simulations, we analyzed

this collected waveforms to validate the claims related to benets of the proposed crypto-hardware

design approach.

Index Terms

Advanced Encryption Standard; Null Convention Logic; Key Expander; Round Function; Security;

Side-Channel Attacks; WASSO Analysis; FPGA implementation; Power trace analysis.

I. INTRODUCTION

The Advanced Encryption Standard is the most widely used symmetric-key algorithm standard

in different security protocols [1]. Originally the algorithm was called Rijndael, but after its

selection as the candidate for AES due to its merits it gained popularity. It is used by hundreds of

millions of users worldwide to protect internet banking, wireless communications, and the data on

their hard disks. The Advanced Encryption Standard (AES) was conceived as reliable in providing

security for data until researchers proved that side channel attacks (SCA) were successful

in compromising. Since the detection of power analysis and EM analysis SCA effectiveness,

researchers have started exploring different approaches to design countermeasures.Wave Dynamic Differential Logic (WDDL) [2] and Sense Amplier Based Logic (SABL)

[3] are some of the previously proposed countermeasures of synchronous category. But both

these approaches suffer from timing related issues that could leak side-channel information. Jun

Wu et al. [4] proposed an asynchronous S-box design that proved to be power efcient and

side channel attack resistant. Chunchun Sui et al. [5] proposed a design approach that combines

aforementioned S-box design with Random Dynamic Voltage Scaling (RDVS) to boost SCA

resistance to greater extent.

This article proposes a scalable dual rail AES Key Expander and Round Function designs that

incorporate the merits of Null Convention Logic (NCL). In this work, these two modules are

then utilized to design a NCL based subset of the AES cryptosystem. The reason for calling it

a subset is that in an actual AES-128, the two modules are utilized for ten iterations. But for


3/24

3

the cryptosystem subset discussed in this work, we utilize the two modules only for a single

iteration.

This work has multiple contributions in the eld of improving SCA resistance of cryptosys-

tems:

1) The proposed approach contributes to a uniform and reduced switching activity in cryptosys-

tem and thereby curtail the leaked power and improve resistance against Power Analysis

SCA;

2) The anticipated improved switching prole also translates to uniform and reduced EM

radiation side channel information emanating from cryptosystem and boosts the resistance

of cryptosystem against EMA SCA [6];

3) The proposed Key Expander and Round Function designs allow easy scaling for imple-

menting it to entire AES algorithm of any of the following variants - 128, 192 or 256

bit;

4) They can also be easily scaled and implemented for different modes of AES like Electronic

Codebook (ECB), Cypher Feedback (CFB) and Cypherblock Chaining (CBC) modes;

5) Both the proposed designs incorporate a power efcient NCL combinational substitution

box design, which provides power benets when compared to the conventional approach;

6) The proposed design can also be effectively coupled with active frequency/voltage scaling

techniques such as RVDS (random voltage dynamic scaling) to enhance security to even

greater extent as demonstrated previously for the AES S-box in [5].

The rest of the article is arranged as follows. Section II gives a background of AES, NCL and

vulnerabilities of synchronous AES which are essential in understanding the proposed design

techniques. Section III details the inuence of switching activity on SCA followed by Section IV

which deals with the variation of SNR ratio. Section V describes the proposed NCL AES Key

Expander. Section VI describes the proposed NCL AES Round Function. Section VII discusses

the Results, which include the functional verication, WASSO analysis, hardware implementation

and power trace analysis for both the conventional and proposed designs. This is nally followed

by conclusion and future work.


4/24

4

I I . P RELIMINARIES AND R EVIEW

A. Advanced Encryption Standard

The AES algorithm is a symmetric block cipher that processes data blocks of 128 bits using

cipher keys of three different lengths: 128, 192 or 256 bits. Its operations are performed on the

State. The State is a two-dimensional array of bytes which contains the Plaintext, consisting

of four rows and N b columns, where N b is the block length divided by 32. Similarly, the Key

Schedule is a two-dimensional array of bytes which contains the Key.

At the start of the cipher operation, input Plaintext is copied to the State and input Key is

copied to the Key Schedule. After an initial Round Key addition, the State is transformed by a

Round Function implemented N r times. This number depends on the key length: N r = 10 for

128 bits, N r = 12 for 192 bits and N r = 14 for a key length of 256 bits.

SubBytes

ShiftRows

MixColumns

AddRoundKey

PlainText

Input_Key

Round_Key Round FunctionOutput

RoundFunction

AddRoundKey

RotateWord

SubWord

Round Constant

XOR

KeyExpander

Fig. 1. Block Diagram of AES Round Function with Key Expander

Figure 1 shows the two main components of AES. Key Expander and Round Function have

four basic byte-oriented transformations each, which are applied to the Key Schedule and the

State respectively. These transformations are succinctly described in Table I.

B. Vulnerability of Synchronous AES Design

The main aws of synchronous AES implementation is its vulnerability to side-channel

attacks (SCA). SCA utilize any of the following leakage information: power consumption,


5/24

5

Transformations in Key Expander Main FunctionRotateWord Single rotation on a column of Key ScheduleSubWord Nonlinear byte substitutionRound Constant Selection of round constantXOR Makes round key, round constant dependent

Transformations in Round Function Main FunctionSubByte Nonlinear byte substitutionShiftRow Inter-column diffusionMixColumn Inter-byte diffusion within columnsAddRoundKey Makes round function key dependent

TABLE ITRANSFORMATIONS PRESENT IN K EY E XPANDER AND ROUND F UNCTION

switching activity, timing information, electromagnetic leaks or acoustic information emanating

from cryptosystem to identify the secret key. The Power analysis SCA has proved to be an

effective approach to compromise security. The attack is based on the fact that the leaked power

consumption information actually contains information about the modules behavior. Out of the

different types of Power analysis attacks, the Differential Power Analysis (DPA) [7] are the most

effective at revealing the hidden private key. These DPA attacks make use of statistical analysis

and multiple waveforms to reveal the secret key [8].

Just as the power consumption of CMOS devices is data-dependent, the electromagnetic

radiation emanating from a cryptosystem is also data-dependent. This data-dependent radiation

is again the origin of side-channel information leakages. The leaked side-channel information

is analyzed by means of Electromagnetic Analysis (EMA) , which measures electromagnetic

elds near cryptographic device [6] and uses this data to compromise the security. But if we can

curtail the leakage of side channel information and thereby make it difcult for the attacker to

have sufcient information to identify the segments in the power waveform and EM radiation.We can secure the cryptosystem more effectively against these power analysis and EMA SCAs.


6/24

6

C. Null Convention Logic

NCL is a delay insensitive asynchronous paradigm. The delay insensitivity of NCL circuits

is achieved by dual-rail and quad-rail logic [9]. A dual rail signal can effectively represent four

states. Out of them, the three valid states are: DATA0, DATA1, NULL. The fourth state in which

both the rails are asserted is considered as an illegal state. The valid data states DATA0, DATA1

correspond to boolean logic 0, boolean logic 1, respectively. The control signal NULL is used for

asynchronous handshaking. The clock free operation is implemented via the two delay-insensitive

registers located on either side of the combinational circuit and the local handshaking signals.

The main benet of using dual-rail logic is that, constant power consumption can be achieved

since the signals are implemented by two complementary wires. Furthermore, due to delay

insensitive nature these DI circuits adhere to monotonic transitions between DATA and NULL,

so there is no glitching, unlike clocked Boolean circuits that produce substantial glitch power.

DI systems better distribute switching over time and area, reducing the switching activity, peak

power demand and system noise, unlike clocked boolean circuits where much of the circuitry

switches simultaneously at the clock edge. The downside is dual-rail method generally incurs

area overhead.

The independence of power consumption from input data and the overall reduction in powerconsumption, which are attributed to dual rail logic and monotonic transitions respectively, boost

the SCA resistance of AES cryptosystem. Additionally, the above mentioned merits also reduce

the electromagnetic interference making the AES more robust.

I I I . I NFLUENCE OF SWITCHING A CTIVITY ON SCA

A. Role of Switching Activity on Power Analysis SCA

The dynamic power consumption of CMOS gates is particularly relevant from a side-channel

point of view since it determines a simple relationship between a devices internal data and its

externally observable power consumption. It can be written as:

P dyn = A C L V 2

dd f (1)


7/24

7

In equation (1), P dyn is the power consumed, A is the switching activity factor, C L is

the switched capacitance, V dd is the supply voltage, and f is the clock frequency. This data-

dependent power consumption is the origin of side-channel information leakages. If we are able

to reduce the switching activity factor A in equation (1), that would directly translate to decreaseddynamic power consumption. Thomas S. Messerges et al. [10] discussed the role of SNR ratio

in determining the success probability of a DPA attack.

SN R = var (P expl )var (P noise )

(2)

The equation (2) can be used to estimate SNR [11], in this equation var (P expl ) is the

variance of exploitable component of power consumption and var (P noise ) is the variance of

noise component. By reducing this exploitable power information P expl we can lower the SNR

ratio. The lower the SNR ratio, lower is the leakage, so performing the DPA attack becomes

harder.

B. Role of Switching Activity on EMA SCA

The switching activity also inuences the EM radiation leaked from the cryptosystem. The

voltage uctuation caused by ground bounce can be expressed as [6]:

V = Lef f M dI dt

(3)

In this equation, Lef f is the effective parasitic inductance, M is the number of simultaneous

switching outputs, and dI/dt is the rate of change of the current. So it is clear that if we are

able to reduce the switching activity M , we can reduce the information leakage due to V , as

V M .

IV. VARIATION OF S IGNAL -TO -N OISE RATIO

As discussed in [11], each point of a power trace can be modeled as the sum of an operation-

dependent component P op , a data-dependent component P data , electronic noise P el.noise , and a


8/24

8

constant component P const . The relationship between different components of the power con-

sumption is given by (4) and in terms of variance it is given by (5).

P op + P data = P expl + P swnoise (4)

var (P op ) + var (P data ) = var (P expl ) + var (P swnoise ) (5)

In the context of a given attack scenario, the signal-to-noise ratio of a point of a power trace is

given by the following equation. The SNR quanties how much information is leaking from a

point of a power trace. The higher the SNR, the higher is the leakage.

SN R = var (P expl )

var (P noise ) =

var (P expl )

var (P elnoise ) + var (P swnoise ) (6)

The plot presented in Figure 2 is from [11] and represents distribution of power consumption

when a microcontroller transfers different data from the internal memory to a register. The x-axis

represents the voltage and the y-axis represents the probability of occurrence of corresponding

hamming weight for an 8-bit data. The gure reveals that for all data values with the same ham-

ming weight, the power consumption of the microcontroller is distributed in approximately the

same way. Generally, this is also the case for any cryptographic circuit, the power consumption

of the circuit is dependent on hamming weight of the data it process. This feature of hamming

weight dependent power consumption can be effectively employed for improving the security

using NCL. The reason for this is, because of NCL being a dual rail logic, hamming weights

of all the inputs remain same as each input has equal number of 1s and 0s.

So using this plot and applying it to the synchronous design and the proposed NCL based

design we see the benets. In the synchronous case, rst consider if we have a series of

three inputs applied to our cryptosystem as listed in Figures 3, 4. All the three inputs havedifferent hamming weights, so this causes three distinct power traces as the power consumption

is signicantly hamming weight dependent. Now consider the asynchronous case and serially

apply the same three inputs which were applied to the synchronous cryptosystem.

From Figures 3 & 4 we can observe that the number of 1s is the same for all the inputs


9/24

9

Fig. 2. Distribution of the power consumption in relation to HW (Hamming Weight) of data that is processed [11].

2 3 0 0 1 0 0 0 1 1

5 C 0 1 0 1 1 1 0 0

3

7 F 0 1 1 1 1 1 1 1

4

7

Fig. 3. Hamming weights of data in Conventional Design

2 3

5 C

801 01 10 01 01 01 10 10

01 10 01 10 10 10 01 01 8

7 F 01 10 10 10 10 10 10 10 8

Fig. 4. Hamming weights of data in NCL based Design

which enables equal hamming weight, as contrary to the synchronous case. This shows that due

to NCL, the var (P data ) decreases, as all the data have the same hamming weight and the resulting

power distribution will be more narrow than the power distribution which is more spread out

for the conventional approach due to varying hamming weights as presented in Figure 2.

2 3 0 0 1 0 0 0 1 1

5 C 0 1 0 1 1 1 0 07

7 F 0 1 1 1 1 1 1 1

0 0 1 1 0 1 1 1

3

3 72

1 0 0 0 1 0 0 18 9

6

Fig. 5. variations in number of bit transitions for differentdata for Conventional Design

2 3

5 C

8

01 01 10 01 01 01 10 10

01 10 01 10 10 10 01 01

NULL 00 00 00 00 00 00 00 008

NULL 00 00 00 00 00 00 00 008

7 F 01 10 10 10 10 10 10 10

NULL 00 00 00 00 00 00 00 008

8

Fig. 6. variations in number of bit transitions for differentdata for NCL based Design

Additionally due to NCL, the number of bit transitions are the same for any two input

transitions as the system alternates between DATA and NULL. From Figures 5, 6 we can


10/24

10

clearly see the random variations in the number of bit transitions occurring in the conventional

synchronous design and the constant number of bit transitions occurring in the NCL based design

for the same set of data. So this constant number of bit variations enable more uniformity to the

trace and thereby lead to a uniform SNR. Next, we analyze the effect of uniformly and randomlydistributed data on SNR.

In DPA, var (P op ) = 0 for uniformly distributed data, this is because the attacker performs

the same operation again and again with different data. Due to Uniformly distributed data,

var (P swnoise ) = 0. As discussed earlier, due to NCL, var (P data ) decreases and this leads to

reduced var (P expl ).

SN R = Reduced var (P expl )

var (P elnoise ) Reduced SNR (7)

For randomly distributed data, due to DPA, var (P op ) = 0 and due to NCL, var (P data ) decreases

as explained earlier. So equation 6 reduces to equation 8.

var (P data ) = var (P expl ) + var (P swnoise ) (8)

Randomly distributed data causes, var (P swnoise ) to increase as many of the bits are indepen-dently distributed and hence, they contribute to increased switching noise [11]. Consequently,

these factors lead to reduced var (P expl ) and nally a reduced SNR.

V. NCL AES K EY E XPANDER D ESIGN

The AES algorithm uses a Key Expander to calculate the round keys used in AddRoundKey

stage of the Round Function. The AES specication refers to this process as the KeyExpansion.

The motive behind the purpose of this unit is that generating multiple keys from an initial key

and using a unique key for each round, instead of using the same key for all the rounds greatly

increases the diffusion of bits. For this research we chose AES with a key size of 128 bits.

The controller for this NCL AES Key Expander and Round Function is shown in Figure 7.

In this control unit, the input data which is in ordinary binary format is read and is converted


11/24

11

into dual rail inputs by Single rail to Dual-rail convertor. Ko is the output acknowledgement

signal coming out of the NCL Round function and Key Expander. It acts like clock signal for

the other units in the controller. The converter and multiplexer (MUX) are controlled by Ko.

When Ko is 1, it means NCL Round function and Key expander are ready for NULL wavefront,then MUX will send all 0s to PlainText and Input Key to nullify the NCL Key Expander and

Round function. Otherwise, MUX will select the dual rail data that is output from the convertor.

The dual rail Input Key is fed as input to the NCL Key Expander and it generates the Round

Keys necessary for each encryption round of AES.

Ko feedback to Ki

256

Single Rail toDual Rail

Converter

256

0

256

0

Reset

2:1MUX

Ko Ki

PlainText [128:0]

Input_Key [128:0]

256

PlainText [128:0]Dual Rail

256

Input_Key [128:0]Dual Rail

2:1MUX

256NCL AES

KeyExpander

Round_Key [128:0]Dual Rail

256

To NCL AESRound Function

Control Unit

Fig. 7. Block Diagram of NCL AES Control Unit.

ButtonRSX

ButtonRSX

W 0 W 1 W 2 W 3

W 4 W 5 W 6 W 7

W 8 W 9 W 10 W 11

ButtonRSX

RotateWord

SubWord

XOR

Round Constant

Fig. 8. Block Diagram of AES Key Expander [12].


12/24

12

The block diagram of the architecture of Key Expander [12] is presented in Figure 8. The w 0 ,

w1 , w2 , w3 are the four columns of the Key Schedule. The columns of the Key Schedule which

have their index as a multiple of four undergo the RSX step along with the XOR operation,

all the remaining columns undergo XOR operations to generate the Round Key. As depicted inthe gure, Key Expander consists of the following modules:

RotateWord: This operation accepts an array of 4 bytes and rotates them 1 position to the

left. The RotWord function used by KeyExpansion is very similar to the ShiftRows routine used

by the encryption algorithm except that it works on a single column of the key schedule, instead

of the rows of the State array.

SubWord: The SubWord routine performs a byte-by-byte substitution on a given row of the

key schedule table using the NCL S-box. The substitutions in KeyExpansion operate exactly like

those in the SubBytes step of Round Function. The input byte to be substituted is fed as input to

the NCL combinational S-box, and this input then undergoes Multiplicative Inversion in GF( 28 )

and Afne Transformation during encryption. We employed the dual-rail combinational NCL

S-box proposed in [4] for this step, as this design already proved to be very power efcient and

resistant to SCA. The architecture of the S-box and the block diagram of its internal Multiplicative

Inversion module are presented in Figures 9 and 10.

Fig. 9. Combinational S-box architecture. Fig. 10. Block diagram of Multiplicative Inversion overGF(2 8 ) where MM is modular multiplication unit.


13/24

13

Round Constant module: This module uses an array Rcon, called the round constant table. In

the synchronous implementation, these round constants are 4 bytes each to match with a column

of the key schedule table. The AES KeyExpansion routine [1] requires 10 round constants, one

for each round of the AES algorithm. In our implementation we implement this as an array of round constants represented in dual rail notation.

XOR module: In this module we perform the XOR operation between the columns of the Key

Schedule with or without the round constant selected in previous step depending on the column

which is being calculated. In order to realize this XOR function in NCL we have to make use

of NCL XOR function designed using the NCL threshold gates:

0

A

B

0

1

0 1

01

1

Fig. 11. K-Map for XOR

THxor0

THxor0 Z 0

Z 1

A 1 A 0 B 1 B 0

Fig. 12. NCL XOR Function using

THxor gates

TH24comp

TH24comp Z 0

Z 1

A 1 A 0 B 1 B 0

Fig. 13. NCL XOR Function using

TH24comp gates

Unlike boolean logic, NCL has 27 fundamental threshold gates [9] to realize arbitrary logic. In

order to achieve the input-completeness and observability, it is important to choose appropriate

threshold gates. For the design of NCL XOR function, according to the Karnaugh Map in

Figure 11, the sum-of-product (SOP) expressions are Z 1 = A1 B 0 + A0 B 1 and Z 0 = A0 B 0 +

A1 B 1 . They can be realized by mapping them to THxor0 gates as shown in Figure 12. However,

two transistors can be eliminated for each rail of Z (when using static gates) by realizing this

same functionality using TH24comp gates. This is done by adding the two dont care terms,

representing the cases when both rails of either A or B are simultaneously asserted.

The new equations are: Z 1 = A1 B 0 + A0 B 1 + A0 A1 + B 0 B 1 and Z 0 = A0 B 0 + A1 B 1 + A0 A1 +

B 0 B 1 . The NCL XOR function realized using these equations and TH24comp gates is presented


14/24

14

in Figure 13 and this is used in our proposed design. This TH24comp based XOR offers a 10%

reduction in the number of transistors required compared to the approach using THxor0 gates.

VI. NCL AES R OUND F UNCTION

The top-level architecture of the proposed NCL AES Round Function design is presented in

Figure 14. The controller for this module was presented previously in Figure 7. This control

unit takes care of converting the ordinary PlainText and Input Key into dual rail notation. The

dual rail Input Key is fed as input to the NCL Key Expander and it generates the Round Key,

which along with the dual rail PlainText from the controller is fed to the AES Round Function.

NCL AES RoundFunction

ControlUnit

Round_Key [128:0]Dual Rail

PlainText [128:0]Dual Rail

Input_Key [128:0]Dual Rail

Ko

Ki

RoundFunc_op [128:0]DualRail

256

256 256

256

Reset

NCL AESKey

Expander

Fig. 14. Block Diagram of NCL AES Round Function Top-level architecture

The NCL AES Round Function consists of the following four steps which are performed

sequentially:

1) NCL SubBytes: This transformation is presented in Figure 15, where each dual-rail byte

of the State matrix is substituted independently by another one which is computed by the NCL

S-box. The S-box is a key element in the AES architecture as it signicantly inuences the

security, power consumption and throughput of the AES hardware. We are using the dual-rail

combinational NCL S-box proposed in [4] for this step as this design already proved to be very

power efcient and resistant to SCA.

2) NCL ShiftRows: The NCL ShiftRow transformation function presented in Figure 16,

performs byte transposition of all dual-rail NCL signals by using circular shifting, where each


15/24

15

row of dual rail State is rotated cyclically to left using 0, 1, 2 and 3-byte offset for encryption.

Fig. 15. NCL SubBytes Fig. 16. NCL ShiftRows

3) NCL MixColumns: In this transformation each column of the dual rail State matrix is

multiplied by a circulant maximum distance separable matrix. This MixColumns function shownin Figure 17, takes four dual-rail bytes as input and outputs four dual-rail bytes, where each

input byte affects all four output bytes. The multiplication of the state array element with 2 in the

dual rail domain is realized by 1-bit left shift of dual rail signals followed by a conditional NCL

XOR operation. The multiplication with 3 is implemented in a similar fashion but it involves an

additional NCL XOR operation.

4) NCL AddRoundKey: AddRoundKey transformation shown in Figure 18, performs a byte

level dual-rail XOR operation on the dual-rail output of MixColumn and corresponding dual-rail

round-key.

Fig. 17. NCL MixColumns Fig. 18. NCL AddRoundKey


16/24

16

VII. E XPERIMENTAL V ERIFICATION OF THE P ROPOSED D ESIGN

A. Functional Verication of Proposed Design

The traditional synchronous implementation and the proposed NCL AES Key Expander and

NCL AES Round Function have been implemented in VHDL. The functional verication simu-

lations of these designs were performed with Mentor Graphics ModelSim. The proposed designs

has been functionally veried completely using a large set of test vectors which were chosen from

[1]. A sample test vector is presented in Figure 19 and the corresponding functional verication

results are presented in Figures 20, 21 and 22.

Fig. 19. Test Vectors Fig. 20. Functional Verication Result for SynchronousDesign

Fig. 21. Functional Verication Result for the proposedNCL based Key Expander Design

Fig. 22. Functional Verication Result for the proposedNCL based Round Function Design


17/24

17

B. Weighted Average Simultaneous Switching Output Analysis

WASSO tool is an utility of Xilinx PlanAhead suite that validates signal integrity of the device

This analysis gives a measure of the amount of simultaneous switching occurring in the design.

So we used this analysis to determine the variation in switching activity across both the AES

Round Function designs. The results obtained were plotted and presented in Figure 23. The

implementation platform chosen for carrying out WASSO analysis is Xilinx Virtex-5 FPGA. As

switching activity directly depends on the number of simultaneously switching outputs, switching

activity can be reduced if SNR gets reduced.

Fig. 23. WASSO utilization plots for individual banks and neighbors.

From Figures 23 (a) and (b), it can be observed that the switching activity in the proposed

design is lessened to a considerable extent and is also more uniform as compared to its syn-

chronous counterpart. This reduction decreases the amount of unintentionally leaked information

and the uniformity makes it more difcult to exploit the remaining leaked information to carry

out SCAs.

C. Effects of Switching Activity on Signal-to-Noise ratio

According to equation (2), it is clear that SNR is directly proportional to var (P expl ). The P expl

is a combination of two quantities P oprn and P data . But var (P oprn ) is zero as we are considering

a DPA attack, in which we perform the same operation again and again but with different input


18/24

18

data. So var (P expl ) becomes equal to var (P data ). The P data is data dependent and is a function

of switching activity. So the reduction of switching activity observed from WASSO simulations

will translate into reduction of P data of all the points on the power trace. This overall reduction

of P data will translate into reduction of var (P expl ) and consequently reduction of SNR.Additionally as discussed previously, power consumption of a cryptosystem is heavily depen-

dant on hamming weight of data it processes. Due to this, equal hamming weights of all inputs

in our proposed design will enable our NCL design to maintain a uniform power consumption

and thereby a uniform SNR on power trace. Thus the proposed design enables the cryptosystem

to have a reduced and an uniform SNR, which is a key element for enhancing security.

By using the switching activity results we performed parametric simulations and plotted SNR

of NCL design in comparison to the synchronous approach. These approximate results are

presented in Figure 24(a). Using this SNR data, Figure 24(b) shows how variation in SNR,

inuences number of traces that an attacker must collect to perform a successful DPA attack.

As SNR ratio decreases, performance of this NCL based approach keeps getting better. So this

is the advantage of employing NCL for cryptosystem design.

Fig. 24. Comparison of SNR and Difculty of performing successful DPA for both designs

D. Power Benets

In AES implementations, the SubBytes transformation which entirely depends on the S-box

is the most crucial factor deciding the energy performance of the AES itself. More than 50% of

entire power is dependent on this step [13] [14] [15]. Due to the use of novel NCL S-box design


19/24

19

we achieve a 22% reduction in power consumption [4] at this Subbytes step. So this reduction

will cause signicant improvement in the energy efciency of the proposed NCL based design

approach.

E. Hardware Implementation and Power Trace Analysis

In the previous section, the performance of our proposed design was evaluated using software

simulations. However, to get a more accurate performance analysis, simulations on the hardware

implementation are necessary. In this section we discuss in detail the procedure used for hardware

implementation experiment of the proposed design and the synchronous AES. Additionally we

present the power trace data obtained from the power measurements on the hardware imple-

mentations and discuss the variations between this obtained data for the two designs. Figure 25

shows the Side-channel Attack Standard Evaluation Board (SASEBO-GII board) [16] that is

used as the basic platform in this experiment.

Fig. 25. Side-channel Attack Standard Evaluation FPGA Board (SASEBO-GII)

The reason for choosing this FPGA board as a platform for hardware implementation is that,

this board has been specically designed for security evaluation of cryptographic circuits and


20/24

20

for the purpose of side-channel attack experiments. There are two FPGA cores in this board

that can be utilized; The rst FPGA is a cryptographic FPGA which is a Xilinx Virtex-5 series

FPGA. The second one is the control FPGA which is a Spartan-3A series FPGA. These FPGAs

are connected through a general-purpose input/output common bus. The AES Round Functionand Key Expander circuits are implemented in the cryptographic FPGA and the conguration

circuit is programmed into the conguration FPGA. The purpose of separating these two circuits

is to prevent the power trace of the conguration circuit from interfering with the power trace of

the cryptographic circuit, so that the measurements of power traces, which decide the resistance

of the design to power analysis attacks can be done fairly.

For the purpose of power trace measurement, shunt resistors are present on FPGA board which

utilize core VDD and/or ground lines of cryptographic FPGA to give an accurate measurement

of the cryptographic FPGA power consumption. These measurements can be captured by an

oscilloscope via a voltage probe.

Figure 26 presents the experimental setup used for power trace analysis. For making a quali-

tative comparison in terms of security, between the quality of power traces of the conventional

design and the proposed NCL design we supply a set of three inputs to both the designs. As

the same inputs are applied to both the designs, this enables us to evaluate the performance of

different circuits to the same input data.

If we are able to prove that the following two features of the power trace are true for NCL

based design then we can conclude that the proposed approach enhances security. They are: (1)

The power trace is more uniform compared to synchronous design for the same input and (2)

The power trace of NCL based approach exhibits a higher degree of similarity between all the

three different input cases as compared to the similarity exhibited by synchronous approach.

So in order to perform a qualitative comparison, we applied a series of three Plaintexts whichare shown in Figure 27, to both cryptosystem designs and encrypted it with the same key. Then

we recorded the power traces for each of these cases for both designs and compared their quality

in terms of security. The results are presented in Figures 28, 29, 30, 31, 32 33.


21/24

21

Fig. 26. Experimental Setup for Power Trace Measure-ment.

Fig. 27. Plaintexts and Key used for Power TraceAnalysis.

Fig. 28. Power Trace of Synchronous cryptosystem

for Plaintext 1.

Fig. 29. Power Trace of Asynchronous cryptosystem for

Plaintext 1 (DATA).

Fig. 32. Power Trace of Synchronous cryptosystem

for Plaintext 3.

Fig. 33. Power Trace of Asynchronous cryptosystem for

Plaintext 3 (DATA).

From the Figures 29, 31, 33 we can clearly see that the power waveforms look considerably

similar for the proposed design in all the three cases even when the input plaintext is different. But


22/24

22

Fig. 30. Power Trace of Synchronous cryptosystemfor Plaintext 2.

Fig. 31. Power Trace of Asynchronous cryptosystem forPlaintext 2 (DATA).

on the contrary for synchronous design, from the Figures 28, 30, 32 we can see that the power

trace has clear variations between the three cases, as represented by ovals. These variations

as discussed previously can be effectively exploited to compromise security. But, in case of

proposed design we dont see any clear variations between the three traces. In addition to the

lack of this variations in the proposed design, we can also see that the waveforms are far more

uniform as compared to their synchronous counterparts.

So with this increased uniformity and high degree of similarity between power traces for

different plaintexts we can conclude that security is improved to a considerable extent due to

inherent benets of NCL.

Figure 34 shows the power trace corresponding to NULL - DATA wavefronts in the hardware

implemented design. Figure 35 presents the propagation delay in the hardware implementation

of the proposed design. After the input is applied, output arrives after 40ns.

VIII. C ONCLUSION AND F UTURE W OR K

A novel design approach for the two main components of NCL AES, which are the Key

Expander and Round function are reported and validated in this work. This research is being

used as the basis for a research project that aims to tapeout a silicon chip of NCL AES design,which can be used to carry out more performance evaluation experiments. Contrary to the existing

countermeasures which do not eliminate the source of SCA problem and try to nd solutions in

later stages, the proposed approach combines the merits of dual rail encoding with asynchronous

design approach to eliminate the source of the SCA problem, which is side channel information


23/24

23

Fig. 34. Power Traces of NULL - DATA wavefronts inhardware implementation of proposed design.

Fig. 35. Propagation Delay in NCL based design.

leakage. In addition to providing power analysis SCA resistance, our approach also enhances

resistance to EMA SCAs.

Qualitative comparisons between the proposed approach and the traditional synchronous design

have conducted to verify merits of the proposed design. Both software simulation and hardware

implementation results validate the effectiveness and correctness of our approach.

In this work we validated the benet of using NCL for cryptosystem design by using WASSO

and Power trace analysis. But in future the performance of this design can be evaluated by

performing an actual side channel attack like the DPA or Correlation Power Analysis (CPA),

as performed for NCL AES S-box in [17]. This will provide a more accurate view of the

cryptosystem resistance to side channel attacks. As stated previously further research may also

aim at efciently coupling this design with RDVS as demonstrated for S-box in [5] for improving

security to a greater extent.

R EFERENCES

[1] NIST, Advanced Encryption Standard (AES), FIPS PUB 197 . National Institute of Standards and Technology, Nov 2001.

[2] I. Verbauwhede, K. Tiri, and K. Tiri, A dynamic and differential cmos logic style to resist power and timing attacks on

security ics, iacr cryptology eprint archive , 2004.

[3] K. Tiri and I. Verbauwhede, A logic level design methodology for a secure dpa resistant asic or fpga implementation ,

2004.


24/24

24

[4] J. Wu, Y.-B. Kim, and M. Choi, Low-power side-channel attack-resistant asynchronous s-box design for aes cryptosys-

tems, in Proceedings of the 20th symposium on Great lakes symposium on VLSI , ser. GLSVLSI 10. New York, NY,

USA: ACM, 2010, pp. 459464.

[5] C. Sui, J. Wu, Y. Shi, Y.-B. Kim, and M. Choi, Random dynamic voltage scaling design to enhance security of ncl s-box,

in 2011 IEEE 54th International Midwest Symposium on Circuits and Systems (MWSCAS) , aug. 2011, pp. 1 4.

[6] T. Sugawara, Y.-I. Hayashi, N. Homma, T. Mizuki, T. Aoki, H. Sone, and A. Satoh, Information security applications,

H. Y. Youm and M. Yung, Eds. Berlin, Heidelberg: Springer-Verlag, 2009, ch. Mechanism behind Information Leakage

in Electromagnetic Analysis of Cryptographic Modules, pp. 6678.

[7] P. Kocher, J. Jaffe, and B. Jun, Introduction to differential power analysis and related attacks, Technical Report,

Cryptography Research Inc., San Francisco, California , 1998.

[8] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks : Revealing the Secrets of Smart Cards . Springer-Verlag,

2007.

[9] S. Smith and J. Di, Designing asynchronous circuits using NULL convention logic (NCL), Synthesis Lectures on Digital

Circuits and Systems , vol. 4, no. 1, pp. 196, 2009.

[10] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, Examining smart-card security under the threat of power analysis

attacks, IEEE Trans. Comput. , vol. 51, pp. 541552, May 2002.

[11] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks-Revealing the Secrets of Smart Cards . Springer, March 12,

2007.

[12] A. Kak, Lecture notes on computer and network security by avinash kak, March 2012. [Online]. Available:

https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture8.pdf

[13] An optimized s-box circuit architecture for low power aes design. in Cryptographic Hardware and Embedded Systems

- CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers , 2002, pp.

172186.

[14] M. Kim, J. Kim, and Y. Choi, Low power circuit architecture of aes crypto module for wireless sensor network.

[15] Gurkaynak and F. Kagan, GALS system design: side channel attack secure cryptographic accelerators . ETH, 2006.

[16] R. C. for Information Security, Side-channel attack standard evaluation board SASEBO-GII specication, September

2009. [Online]. Available: http://www.rcis.aist.go.jp/special/SASEBO/SASEBO-GII-en.html

[17] J. Wu, Y. Shi, and M. Choi, Fpga-based measurement and evaluation of power analysis attack resistant asynchronous

s-box, in Instrumentation and Measurement Technology Conference (I2MTC), 2011 IEEE , may 2011, pp. 1 6.

asynchronous aes-side attack ieee

Documents