Nanoscale Devices Power Analysis and Scaling Trends


Explore the power analysis and scaling trends of nanoscale devices, including the impact on classical power analysis, supply voltage scaling versus variability, voltage scaling versus information leakage, and the concept of independent leakage assumption. Discover the challenges and advancements in dealing with the increased variability of nanoscale devices through non-profiled attack strategies.


Presentation Transcript


  1. Power Analysis of Nanoscale Devices

  2. Transistor Scaling: Trend

  3. Device Scaling: Side Effects
     - Increased contribution of leakage current: higher energy consumption by the transistors even in the absence of switching.
     - Significant device variability: more difficult to fabricate identical chips.

  4. Impact on Classical Power Analysis
     - Hamming weight (distance) model fails at 65 nm and smaller technologies.
     - Conventional DPA / CPA attacks may give rise to a false sense of security for an implementation.
     - Linear leakage models fail to capture the parasitical effects during computations.
     - New challenges for profiled attacks (Template attack or Stochastic attack) with increase in device variability.

  5. Supply Voltage Scaling vs. Variability
     Left: 1.2 V power supply; Right: 0.5 V power supply. Up: simulations; Down: actual measurements.
     CONCLUSION: Decrease in supply voltage leads to an increase in variance over the chips.

  6. Voltage Scaling vs. Information Leakage
     Mutual Information between an input X and corresponding leakage L as a function of noise standard deviation for various dimension leakages. Left: simulations; Right: actual measurements.
     CONCLUSIONS:
     1. Decrease of power supply implies reduction of information leakage.
     2. Higher dimensional leakages provide more information.

  7. Independent Leakage Assumption
     Idea: Independent computations give rise to independent leakage.
     In actual implementations, this may not be valid for locally connected parts of a circuit.
     Reason: Cross-talk: current flowing in one wire of a bus may significantly influence the adjacent ones, both in terms of delay and power consumption.
     Scope for research: Integration of coupling effects in power analysis to minimize the local dependencies.

  8. Comparison of Non-profiled attacks
     Average success rate of different non-profiled distinguishers with model estimations while performing the attacks.
     CONCLUSION: Power attack strategies performing on-the-fly model estimations, such as using MIA or stochastic models, are promising approaches to tackle the issue of increased variability of nanoscale devices.

  9. Gate-level Differential Power Analysis

  10. CMOS technology
      Source: Wikipedia

  11. Universal gates using CMOS logic
      Source: Application-Specific Integrated Circuits by Michael John Sebastian Smith, Addison-Wesley Publishing Company.

  12. Power consumption of a CMOS circuit
      Source: http://www.eeherald.com/section/design-guide/Low-Power-VLSI-Design.html

  13. Power analysis attack
      - Form of side-channel attack based on analyzing the power consumption of a cryptographic device.
      - Power analysis attacks are generally of two types:
        1. Simple Power Analysis (SPA)
        2. Differential Power Analysis (DPA)
      - SPA involves visual inspections of the graphs of current used by a device over time.
      - DPA consists of both a visual method and a statistical analysis method.

  14. Power analysis methodology
      The correct key is revealed by finding the best match between the measurements and the hypothetical power consumption from different key guesses.

  15. DPA Overview
      - More powerful and more difficult to prevent than SPA.
      - The goal of DPA attacks is to reveal the secret keys based on a large amount of power traces.
      Procedure:
      1. Measuring the power consumption
      2. Finding the hypothetical power consumption and the correlation with the key
      3. Implementing statistical analysis on the power consumption and hypothetical power consumption values

  16. Basis of DPA attacks
      Statistical Analysis:
      1. Correlation Coefficient
      2. Difference of Means
      3. Distance of Means
      Power Models:
      1. Bit Model
      2. Hamming-Weight Model
      3. Hamming-Distance Model

  17. DPA countermeasures at gate level
      Source: H. Marzouqi, M. Qutayri, K. Salah, Review of gate-level differential power analysis and fault analysis countermeasures, IET Information Security, 2012.

  18. WDDL
      Wave dynamic differential logic (WDDL):
      - Based on the SABL design
      - Single switching event per cycle that is independent of the input signals
      DRAWBACK:
      - Area and performance overheads due to additional gates and differential routes.

  19. Dual spacer Dual-rail logic
      Dual Spacer:
      - Based on having the pre-charge value alternate between the all-zeros and the all-ones signals (called spacers).
      - Design principle: The switching factor of the OR gate and the AND gate differ intrinsically
      DRAWBACK:
      - Requires extra gates to control the value of the spacer and to alternate between the two spacers

  20. RCDDL
      Reduced complementary dynamic and differential logic (RCDDL):
      - Depends on reusing the logic of the true data path to generate the complementary output
      - Does not limit the usage of negative logic as in other DPL
      DRAWBACK:
      - The RCDDL logic is very difficult to implement using a standard-cell library due to some design constraints

  21. STTL
      Secure triple track logic (STTL):
      - Uses a third control wire to determine the validity of the signal and to control the evaluation process on the logic based on the states of the input signal.
      - Valid signals should be delayed in order to be activated after all input signals are valid
      DRAWBACK:
      - Requires special care when implemented in either ASIC or FPGA so that buffers can be used to delay the validity signals

  22. BCDL
      Balanced cell-based differential logic (BCDL):
      - Uses synchronisation cells with global pre-charge signal to avoid the early propagation
      - A promising DPA-resistant logic style due to compact size and performance
      DRAWBACK:
      - Issues regarding routing complexity to all logical cells required for the global pre-charge signal

  23. WDDL without EE and HDRL
      WDDL without Early Evaluation:
      - Maps both true and false signals of inputs to the direct and complementary logic
      - The gate outputs a valid signal if all inputs are in the steady state and valid
      DRAWBACK:
      - Provides protection intrinsically against the EE problem and at the expense of LUTs occupancy

  24. HDRL
      Homogeneous dual-rail logic (HDRL):
      - Design based on the observations of the ground voltage current instead of the usual supply voltage current of the circuit
      - Same cells are used for the complementary and the true data paths
      DRAWBACK:
      - Unlike the WDDL, two networks need to connect all LUTs that require protection, the pre-charge and the extra double frequency signal

  25. MDPL
      Masked dual-rail pre-charge logic (MDPL):
      - Involves randomising the power traces
      - Masking and DPL principle combined into one logic style
      DRAWBACK:
      - Area and design time overhead introduced by necessity of a PRNG implementation
      - Severe leakage on the MDPL implementation due to the EE problem

  26. Improved MDPL
      Improved MDPL:
      - Addition of an evaluation-precharge detection unit (EPDU) before the input of the original MDPL cell.
      - EPDU ensures that the evaluation phase starts after all the input signals are in evaluation-ready state
      DRAWBACK:
      - An additional area overhead gets introduced over the original MDPL to solve the problem of EE
      - Recent attack reported that exploits the leakage from the mask tree

  27. DRSL
      Dual-rail random switching logic (DRSL):
      - Built on the random switching logic (RSL)
      - RSL gate involves a standalone logical gate that does need complementary control
      DRAWBACK:
      - Overhead and synchronisation issues due to requirement of both local and global pre-charge signals

  28. PMRML
      Pre-charge masked Reed Muller logic (PMRML):
      - Based on Fixed Polarity Reed Muller (FPRM) form of the Boolean functions
      - In cascaded PMRML cells, separate pre-charge signals are generated to meet timing constraints and synchronization
      DRAWBACK:
      - Difficult for FPGA or ASIC implementation as it requires separate control and firing procedure for pre-charge timing constraint

  29. Automation of Power Analysis Countermeasures

  30. Framework
      Ali Galip Bayrak, Francesco Regazzoni, Philip Brisk, François-Xavier Standaert, Paolo Ienne: A First Step Towards Automatic Application of Power Analysis Countermeasures, DAC 2011

  31. Information Leakage Analysis
      Goal: To identify the instructions corresponding to sensitive operations
      Steps:
      I.a. Compilation of the crypto algorithm
      I.b. Power trace collections of its hardware implementation for different pairs of plaintext and key
      I.c. Compression of samples to get a single power value for each clock cycle using maximum extraction technique
      II. Analysis of the power trace using a sensitivity metric (Mutual Information)
      III. Association of each clock cycle with an assembly instruction from the dynamic execution trace

  32. Transformation Target Identification
      Goal: To precisely inform the compiler where to insert the countermeasure
      Example: In a masking scheme, it is necessary to define at which portions of the code a variable should be masked or unmasked.
      A Simple Solution: Pass the instructions having high sensitivity to the code protection unit to replace them with other instructions.

  33. Code Protection
      Goal: To modify the codes in the recognized sensitive portions
      Method: Random precharging: randomly precharges the datapath before and after a critical instruction using random operand values.
      Idea: If the values on the critical components are randomized, the total power consumption will also be randomized, since the Hamming distance between a uniform random variable and a fixed value is also uniformly random. This increases the effort to mount a successful attack significantly.
      Limitation: Random precharging fails to protect codes in devices where the power consumption is proportional to the Hamming weight of the processed data.
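
The leakage-analysis steps of slide 31 (maximum extraction per clock cycle, a mutual-information sensitivity score, association with the executed instruction) can be sketched as follows. This is an added example, not code from the presentation or from the DAC 2011 framework; the instruction names, trace shape and noise levels are constructed assumptions, and the mutual information is a simple histogram estimate.

```python
import math
import random
from collections import Counter

def hw(x):
    return bin(x).count("1")

def compress(trace, spc):
    """Maximum extraction: keep the largest sample of each clock cycle."""
    return [max(trace[i:i + spc]) for i in range(0, len(trace), spc)]

def mutual_information(xs, ys):
    """Plug-in (histogram) estimate of I(X;Y) in bits for discrete samples."""
    n = len(xs)
    pxy, px, py = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    return sum(c / n * math.log2(c * n / (px[x] * py[y]))
               for (x, y), c in pxy.items())

def rank_cycles(values, traces, spc, instructions):
    """Return (MI, cycle, instruction) tuples, most sensitive first."""
    cycles = [compress(t, spc) for t in traces]
    scored = []
    for c, ins in enumerate(instructions):
        binned = [round(row[c]) for row in cycles]   # quantize the power value
        scored.append((mutual_information(values, binned), c, ins))
    return sorted(scored, reverse=True)

# Constructed execution trace: one hypothetical instruction per clock cycle.
INSTRUCTIONS = ["nop", "add r4,r4,#1", "xor r3,r1,r2", "cmp r4,#16"]

def constructed_traces(n=4000, spc=4, seed=7):
    """Synthetic traces in which only cycle 2 draws power that depends on v."""
    rng = random.Random(seed)
    values, traces = [], []
    for _ in range(n):
        v = rng.randrange(16)                    # 4-bit sensitive intermediate
        trace = []
        for cyc in range(len(INSTRUCTIONS)):
            peak = (3 + hw(v) if cyc == 2 else 5) + rng.gauss(0, 0.3)
            trace += [peak] + [1 + rng.gauss(0, 0.2) for _ in range(spc - 1)]
        values.append(v)
        traces.append(trace)
    return values, traces

if __name__ == "__main__":
    vals, trs = constructed_traces()
    for mi, c, ins in rank_cycles(vals, trs, 4, INSTRUCTIONS):
        print(f"cycle {c}  {ins:14s} MI = {mi:.3f} bits")
```

The top-ranked instruction is the one slide 32 would hand to the code protection unit; the remaining cycles score close to zero, which is only the estimator's small positive bias.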
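
The idea and the limitation of random precharging stated in slide 33 can be checked with a small simulation. This is an added example, not code from the presentation: it assumes an 8-bit datapath, Gaussian measurement noise, and an evaluator who predicts the critical cycle's power as the Hamming weight of the sensitive value.

```python
import random

def hw(x):
    """Hamming weight of an 8-bit value."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def leakage_correlation(model, precharge, n=5000, noise=0.5, seed=1):
    """Correlate the critical cycle's power with HW(sensitive value).

    model: "HD" -> power follows the bits toggled on the datapath
           "HW" -> power follows the bits set in the processed value
    precharge: True puts a fresh random operand on the datapath just
               before the critical instruction; False leaves a fixed 0x00.
    """
    rng = random.Random(seed)           # constructed data, fixed seed
    predicted, measured = [], []
    for _ in range(n):
        v = rng.randrange(256)          # sensitive intermediate (assumed 8-bit)
        prev = rng.randrange(256) if precharge else 0x00
        power = hw(prev ^ v) if model == "HD" else hw(v)
        measured.append(power + rng.gauss(0, noise))
        predicted.append(hw(v))         # evaluator's leakage prediction
    return pearson(predicted, measured)

def evaluate():
    """Correlation for each (device model, precharge on/off) combination."""
    return {(m, p): round(leakage_correlation(m, p), 3)
            for m in ("HD", "HW") for p in (False, True)}

if __name__ == "__main__":
    for (m, p), r in evaluate().items():
        print(f"{m} device, precharge={p}: r = {r:+.3f}")
```

On the Hamming-distance device the correlation collapses to roughly zero once precharging is enabled, while on the Hamming-weight device it stays high with or without precharging, which is the limitation the slide names.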
