Abstract. Variability is a central issue in deep submicron technologies, in which it becomes increasingly difficult to produce two chips with the same behavior. While the impact of variability is well understood from the microelectronic point of view, very few works investigated its significance for cryptographic implementations. This is an important concern as 65-nanometer and smaller technologies are soon going to equip an increasing number of security-enabled devices. Based on measurements performed on 20 prototype chips of an AES S-box, this paper provides the first comprehensive treatment of variability issues for side-channel attacks. We show that technology scaling implies important changes in terms of physical security. First, common leakage models (e.g. based on the Hamming weight of the manipulated data) are no longer valid as the size of transistors shrinks, even for standard CMOS circuits. This impacts both the evaluation of hardware countermeasures and formal works assuming that independent computations lead to independent leakage. Second, we discuss the consequences of variability for profiled side-channel attacks. We study the extend to which a leakage model that is carefully profiled for one device can lead to successful attacks against another device. We also define the perceived information to quantify this context, which generalizes the notion of mutual information with possibly degraded leakage models. Our results exhibit that existing side-channel attacks are not perfectly suited to this new context. They constitute an important step in better understanding the challenges raised by future technologies for the theory and practice of leakage resilient cryptography.
Abstract. In a recent work from Eurocrypt 2011, Renauld et al. discussed the impact of the increased variability in nanoscale CMOS devices on their evaluation against side-channel attacks. In this paper, we complement this work by analyzing an implementation of the AES S-box, in the DDSLL dual-rail logic style, using the same 65-nanometer technology. For this purpose, we first compare the performance results of the static CMOS and dual-rail S-boxes. We show that full custom design allows to nicely mitigate the performance drawbacks that are usually reported for dual-rail circuits. Next, we evaluate the side-channel leakages of these S-boxes, using both simulations and actual measurements. We take advantage of state-of-the-art evaluation tools, and discuss the quantity and nature (e.g. linearity) of the physical information they provide. Our results show that the security improvement of the DDSLL S-box is typically in the range of one order of magnitude (in terms of "number of traces to recover the key"). They also confirm the importance of a profiled information theoretic analysis for the worst-case security evaluation of leaking devices. They finally raise the important question whether dual-rail logic styles remain a promising approach for reducing the side-channel information leakages in front of technology scaling, as hardware constraints such as balanced routing may become increasingly challenging to fulfill, as circuit sizes tend towards the nanometer scale.
In this paper, we observe that minimum energy Emin of subthreshold logic dramatically increases when reaching 45 nm node. We demonstrate by circuit simulation and analytical modeling that this increase comes from the combined effects of variability, gate leakage and DIBL. We then investigate the new impact of MOSFET parameters on Emin in nanometer technologies. We finally propose an optimum MOSFET selection intended for subthreshold circuit designers, which favors low-Vt mid-Lg devices in standard 45nm GP technology. The use of such optimum MOSFETs yields 35% Emin reduction for a benchmark multiplier with good speed performances and negligible area overhead.
An important challenge associated with the current massive deployment of Radio Frequency Identification solutions is to provide security to passive tags while meeting their micro Watt power budget. This can either be achieved by designing new lightweight ciphers, or by proposing advanced low-power implementations of standard ciphers. In this paper, we show that the AES algorithm can fit into this micro Watt power budget by combining ultralow-voltage implementations with a proper selection of the process flavor in a low-cost nanometer CMOS technology. Interestingly, this approach only requires slight modifications to the standard EDA tool flow, without incurring the engineering costs of architecture optimizations. In order to demonstrate this claim, we successfully designed and manufactured an AES coprocessor in a 65 nm low-power CMOS process. We prove with measurement results obtained from a set of 20 manufactured dies that the proposed coprocessor can be safely operated down to 0.32 V with an energy per 128-bit encryption/decryption at least 2.75× lower than in previously published low-power AES implementations.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.