Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms and Devices 1. June 2011 Amir Moradi Embedded Security Group


Secure Logic Styles
ECRYPT II summer school on Design and Security of Cryptographic Algorithms and Devices
1. June 2011

Amir Moradi

Embedded Security Group


Agenda
Power Consumption Characteristics of CMOS Circuits
– Glitches
Solutions in Hardware
– Logic Styles
– Dual-Rail Pre-charge concept
– Examples
– Problems
– Overheads
– Gains

ECRYPT II summer school | Albena | 1. June 2011 | Secure Logic Styles Amir Moradi


Power Consumption Characteristics of CMOS Circuits
The majority of today’s hardware is built using CMOS technology
– Complementary Metal Oxide Semiconductor
– It is immune in the presence of noise
– It has very low static power consumption
  • The main power consumption comes from the dynamic part
– This is the point where we get the “information leakage”
– Let’s see the details of a CMOS gate to understand its behavior when the inputs change


Power Consumption of CMOS Circuits (cont’d)
A CMOS gate is built using two networks
– Pull-up and pull-down
– Pull-up part is made by PMOS transistors
  • Which can nicely pass HIGH (logical “1”)
– Pull-down part by the NMOS transistors
  • Which can nicely pass LOW (logical “0”)
– The networks should be made in a way that at each time instance when the inputs are stable, only one network is active.
  • Then, the static power consumption will be very low
– An example: a CMOS NAND gate


Power Consumption of CMOS Circuits (cont’d)
Static power consumption
– The transistors (NMOS and PMOS) are not perfectly blocking, so a leakage current flows
– This issue becomes more and more relevant the smaller the used technology is
– Pull-up and pull-down networks have different leakage currents
  • Data-dependent static power
Dynamic power consumption
– Short circuit current: when an input of the gate switches, the pull-up and pull-down networks are both conductive for a short period of time
  • Data-dependent dynamic power if the output changes
– Charging current: whenever the output switches, the output capacitance needs to be charged or discharged
– Charging leads to a high current
  • Data-dependent dynamic power if the output changes from LOW to HIGH
[Physical-Security.org]


Power Consumption of CMOS Circuits
A CMOS inverter:
There are many other parameters which affect the power of a CMOS gate, but we ignore them here
Generally for PA attacks, we take the most significant part into account
– In short, the power consumption depends on the processed data


Glitches
How about a larger circuit?
The power consumption of combinational circuits depends strongly on some other points
– One is glitches
– “Glitches in CMOS circuits are data dependent and have a strong impact on the dynamic power consumption” [DPABook]


Solutions in Hardware
We need a scheme to prevent glitches
– there are a couple of methods in VLSI design to make glitch-free circuits
– this is not enough to prevent data-dependency
  • e.g., the number of toggles will still be different for different input changes
We need a scheme to prevent glitches and make the number of toggles fixed, independent of input changes
– Dual-Rail Pre-charge (DRP) logic


Dual-Rail Pre-charge (DRP) Logic
Each value (0/1) is represented by two lines
There are two phases: pre-charge/evaluation
Both lines go LOW in pre-charge phase
Only one line goes HIGH in evaluation phase
There will be no glitch
The number of toggles will be fixed
[Figure: timing diagram of the two lines a1 and a0 over alternating pre-charge and evaluation phases]
To have constant power consumption, the capacitance loads of complementary signals must be the same
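The toggle-count and capacitance arguments above can be checked with a small model. This is an added example, not code from the slides; the idealised gate model, the function names and the capacitance values are assumptions made for illustration.

```python
from itertools import product

INPUTS = list(product((0, 1), repeat=2))      # all (a, b) input pairs

def AND(a, b):
    return a & b

def single_rail_toggles(gate, prev, cur):
    """Output transitions of an ordinary CMOS gate when its inputs change
    from prev to cur; the output wire holds its value between cycles."""
    return int(gate(*prev) != gate(*cur))

def drp_cycle(gate, cur):
    """One clock cycle of an idealised DRP gate: both rails start LOW
    (pre-charge), exactly one rises in evaluation, then it falls again.
    Returns (rail toggles, index of the rail that rose: 1 = true rail)."""
    q = gate(*cur)
    rails_eval = (1 - q, q)                   # (false rail, true rail)
    rises = sum(rails_eval)                   # LOW -> HIGH in evaluation
    falls = sum(rails_eval)                   # HIGH -> LOW in next pre-charge
    return rises + falls, q

def toggle_profile(gate):
    """Distinct toggle counts seen over every possible input transition."""
    single = {single_rail_toggles(gate, p, c) for p in INPUTS for c in INPUTS}
    dual = {drp_cycle(gate, c)[0] for p in INPUTS for c in INPUTS}
    return single, dual

def charge_per_cycle(gate, c_false, c_true):
    """Charge drawn per cycle, modelled as the load capacitance of the rail
    that goes LOW -> HIGH (arbitrary units, assumed simplified model)."""
    loads = (c_false, c_true)
    return {cur: loads[drp_cycle(gate, cur)[1]] for cur in INPUTS}

if __name__ == "__main__":
    print("toggle counts (single-rail, DRP):", toggle_profile(AND))
    print("balanced rails:  ", charge_per_cycle(AND, 1.0, 1.0))
    # Constructed 20% mismatch between the complementary loads
    print("unbalanced rails:", charge_per_cycle(AND, 1.0, 1.2))
```

With equal loads the charge per cycle is the same for every input; with the constructed mismatch it reveals the gate output even though the number of toggles stays fixed.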


DRP Logic (first example, SABL)
Sense Amplifier Based Logic (SABL) [TAV02]
Constant power consumption for each gate
Independent Time-Of-Evaluation (TOE)
– A gate evaluates when all complementary signals are valid
All gates are connected to CLK and pre-charged all together
Full-custom design tools should be used
Overheads
– ~double area
– half speed
– much more energy consumption


SABL (cont’d)
AND/NAND n-type SABL gate:
CLK=0, pre-charge phase
– All signals go LOW
CLK -> 1, start of evaluation phase
q or qbar signal goes LOW when both complementary a and b signals are valid
Requirements
– The same capacitance for every complementary internal signal
– The same resistance for every complementary path
Hard to achieve…


DRP Logic (second example, WDDL)
Wave Dynamic Differential Logic [TV04]
The same idea as SABL but using standard CMOS library
AND/NAND WDDL gate:
– much simpler than SABL
– much smaller than SABL
– less resistant against DPA attacks
WDDL flip-flop:


WDDL (cont’d)
Why less resistant than SABL?
– Complementary capacitance loads cannot be balanced
– Memory effect: charges stored in internal nodes of the gates are data-dependent
– Time-Of-Evaluation is also data-dependent
– Also known as early propagation effect
  • A gate evaluates the output before all complementary signals have arrived
– For example, an AND gate may set its output to 0 as soon as it sees that one input is 0
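The early propagation effect can be made concrete with a timing model of the WDDL AND gate. This is an added example, not code from the slides; it assumes the usual WDDL construction (an AND gate on the true rails, an OR gate on the false rails), zero gate delay, and constructed arrival times.

```python
from itertools import combinations, product

def wddl_and_toe(a, b, t_a, t_b):
    """Time at which a WDDL AND gate raises one of its output rails.
    t_a / t_b are the times at which the active rail of input a / b rises
    after pre-charge (zero gate delay assumed)."""
    a0, a1 = 1 - a, a                  # (false rail, true rail) of a
    b0, b1 = 1 - b, b
    if a1 & b1:                        # true output = a1 AND b1: needs both
        return max(t_a, t_b)
    # false output = a0 OR b0: fires on the first false rail that rises
    return min(t for rail, t in ((a0, t_a), (b0, t_b)) if rail)

def waiting_gate_toe(a, b, t_a, t_b):
    """Reference gate that evaluates only when all complementary input
    pairs are valid (the SABL property stated on the slides)."""
    return max(t_a, t_b)

def toe_table(toe, t_a, t_b):
    """Time of evaluation for each input combination."""
    return {(a, b): toe(a, b, t_a, t_b) for a, b in product((0, 1), repeat=2)}

def distinguishable_by_time(table):
    """Input pairs that give the same gate output but evaluate at
    different times, i.e. data the timing reveals beyond the output."""
    return [(x, y) for x, y in combinations(sorted(table), 2)
            if (x[0] & x[1]) == (y[0] & y[1]) and table[x] != table[y]]

if __name__ == "__main__":
    # Constructed arrival times: input a settles at t=1, input b at t=3
    wddl = toe_table(wddl_and_toe, 1, 3)
    ref = toe_table(waiting_gate_toe, 1, 3)
    print("WDDL TOE:    ", wddl, distinguishable_by_time(wddl))
    print("waiting gate:", ref, distinguishable_by_time(ref))
```

In the WDDL model the inputs (0,1) and (1,0) both produce output 0 yet evaluate at different times, which is the data-dependent Time-Of-Evaluation named above.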


Current Mode Logic
Instead of the voltage levels in CMOS, the current passing through the gate defines the logical value of the gate output
In theory, the sum of the currents in a complementary circuit is data-independent
Static energy consumption was a problem, solved in DyCML (Dynamic Current Mode Logic) [AE01]
Like SABL, it needs a full-custom design flow
Capacitive loads also have an effect
Dedicated placement and routing for complementary signals/transistors should be used


Randomization in Gate Level
Each internal signal is masked by a mask bit
Some schemes used one mask bit per internal signal
– Very high complexity
– Very high area and power overhead
Others used a single mask bit for the whole circuit
– Random Switching Logic
In combination with the DRP logic, they have made
– Dual-rail Random Switching Logic
– Masked Dual-rail Precharge Logic
– …


RSL
Random Switching Logic [SSI04]
A NAND(NOR) RSL gate:
r is a random bit changing every CLK cycle
en signal commands the gate to evaluate
no duality is used
– Number of toggles is data-dependent
  • Random bit is used to change this dependency
Glitches are prevented if the timing of en signal for each gate at each depth level is carefully observed


DRSL
Dual-rail Random Switching Logic [CZ06]
The dual-rail version of RSL
AND/NAND DRSL gate:
provides a dedicated circuit to handle en signal of each gate
prevents early propagation in evaluation phase
– but leads to information leakage in precharge phase
can be implemented by semi-custom design tools


MDPL
Masked Dual-rail Precharge Logic [PM05]
can be seen as masked version of WDDL
can be implemented by standard CMOS library
Main block is a majority gate, the AND/NAND gate:
Mask signal m changes every clock cycle and is shared between all gates
suffers from early propagation effect
– Practical investigation showed strong leakage
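The majority-gate construction and its weakness can be checked exhaustively. This is an added example, not code from the slides; it assumes the MDPL AND gate computes q_m = MAJ(a_m, b_m, m) on the true rails and MAJ of the complemented values on the false rails, with zero gate delay and constructed arrival times.

```python
from itertools import product

def maj(x, y, z):
    """3-input majority function, the main block of an MDPL gate."""
    return (x & y) | (x & z) | (y & z)

def mdpl_and(a, b, m):
    """Evaluation-phase outputs (q_m, q_m_bar) of an MDPL AND gate.
    The gate only ever sees the masked values a^m, b^m and the mask m."""
    am, bm = a ^ m, b ^ m
    return maj(am, bm, m), maj(am ^ 1, bm ^ 1, m ^ 1)

def check_masking():
    """True if, for every (a, b), the gate unmasks to a AND b, its rails are
    complementary, and the true rail is 0 for one mask value and 1 for the other."""
    for a, b in product((0, 1), repeat=2):
        outs = [mdpl_and(a, b, m) for m in (0, 1)]
        for m, (q, q_bar) in zip((0, 1), outs):
            if q ^ m != (a & b) or q_bar != 1 - q:
                return False
        if sorted(q for q, _ in outs) != [0, 1]:
            return False
    return True

def evaluation_time(a, b, m, t_a, t_b, t_m):
    """Time at which one output rail rises. A majority gate fires as soon as
    two of its inputs are HIGH, so this is the second-earliest arrival among
    the HIGH inputs of the rail that wins."""
    am, bm = a ^ m, b ^ m
    arrivals = ((am, t_a), (bm, t_b), (m, t_m))
    true_side = [t for v, t in arrivals if v]
    false_side = [t for v, t in arrivals if not v]
    winner = true_side if len(true_side) >= 2 else false_side
    return sorted(winner)[1]

def toe_by_data(t_a, t_b, t_m):
    """Evaluation times seen for each unmasked (a, b) over both mask values."""
    return {(a, b): {evaluation_time(a, b, m, t_a, t_b, t_m) for m in (0, 1)}
            for a, b in product((0, 1), repeat=2)}

if __name__ == "__main__":
    print("masking holds:", check_masking())
    # Constructed arrival times: a at t=1, b at t=2, mask at t=3
    print("TOE per unmasked input:", toe_by_data(1, 2, 3))
```

In this model the rail values are balanced over the mask, but the time of evaluation is the same for both mask values and depends only on whether a equals b, so the single shared mask does not hide the early propagation.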


iMDPL
Improved version of MDPL [PKZM07]
– to avoid the early propagation effect
An Evaluation-Precharge Detection Unit (EPDU) added to each MDPL gate:
Very high area overhead
Practical investigations showed
– decreased leakage
– dependency of the resistance on the imbalanced complementary wires of the mask
– still can be attacked


More Logic Styles
More DRL Logics [BGLT06], [SMBY05]
Asynchronous Logics [KSS+05], [KST06]
– have the same problem of imbalanced capacitances
Charge Recovery Logics [TV042], [KM+08]
– originally made to build low-power circuits
– later their DPA-resistance was observed
– a full-custom design process is required
– area overhead is quite high while energy consumption gets significantly decreased


Some Remarks
Some of the logic styles only make the circuit complex without adding sensible resistance against DPA attacks
– since mostly evaluated in simulation domain
Some make the attacks harder
– but the area/time/energy overheads are very high
  • which prevents designers from adopting them
The community has somewhat lost interest in this direction
– since it is believed that the gain of using such a logic style is much less than the difficulties, complexities, and overheads
– also, the available simulation tools are not appropriate for security evaluations of logic styles
Motivation (PhD candidates?)
– More research in this area is required!


Thanks! Any questions?


References
[DPABook] S. Mangard, E. Oswald, T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards, Springer 2007.
[TAV02] K. Tiri, M. Akmal, I. Verbauwhede. A Dynamic and Differential CMOS Logic with Signal Independent Power Consumption…, ESSCIRC 2002, pp. 403-406, 2002.
[TV04] K. Tiri, I. Verbauwhede. A Logic Level Design Methodology for a Secure DPA …, DATE 2004, pp. 246-251, 2004.
[AE01] M.W. Allam, M.I. Elmasry. Dynamic Current Mode Logic…, IEEE Journal of Solid-State Circuits, 36(3), pp. 550-558, 2001.
[SSI04] D. Suzuki, M. Saeki, T. Ichikawa. Random Switching Logic: A Countermeasure against DPA…, ePrint Archive, 2004/346.
[CZ06] Z. Chen, Y. Zhou. Dual-Rail Random Switching Logic: A Countermeasure to Reduce…, CHES 2006, pp. 242-254.
[PM05] T. Popp, S. Mangard. Masked Dual-Rail Pre-charge Logic: DPA-Resistance…, CHES 2005, pp. 172-186.
[PKZM07] T. Popp, M. Kirschbaum, T. Zefferer, S. Mangard. Evaluation of the Masked Logic Style MDPL on a Prototype Chip, CHES 2007, pp. 81-94.


References (cont’d)
[BGLT06] M. Bucci, L. Giancane, R. Luzzi, A. Trifiletti. Three-Phase Dual-Rail Pre-Charge Logic, CHES 2006, pp. 232-241.
[SMBY05] D. Sokolov, J. Murphy, A. Bystrov, A. Yakovlev. Design and Analysis of Dual-Rail Circuits for Security Applications, IEEE Trans. on Computers, 54(4), pp. 449-460, 2005.
[KSS+05] K.J. Kulikowski, M. Su, A.B. Smirnov, A. Taubin, M.G. Karpovsky, D. MacDonald. Delay Insensitive Encoding and Power Analysis…, ASYNC 2005, pp. 116-125.
[KST06] K.J. Kulikowski, A.B. Smirnov, A. Taubin. Automated Design of Cryptographic Devices Resistant to Multiple Side-Channel Attacks, CHES 2006, pp. 399-413.
[TV042] K. Tiri, I. Verbauwhede. Charge Recycling Sense Amplifier Based Logic: Securing Low Power…, ESSCIRC 2004, pp. 179-182.
[KM+08] M. Khatir, A. Moradi, A. Ejlali, M.T. Manzuri, M. Salmasizadeh. A Secure and Low-Energy Logic Style using Charge Recovery Approach, ISLPED 2008, pp. 259-264.
