# Scaling Trends for Dual-Rail Logic Styles against Side-Channel Attacks: a Case-Study



# Kashif Nawaz, Dina Kamel, François-Xavier Standaert, Denis Flandre UCL Crypto Group, Belgium COSADE, April 2017

## Outline

- Motivation
- Shrink but Think...
- Countermeasures against SCA
- Contributions
- Performance evaluation methodology
- Security evaluation methodology
- Simulation Parameters
- Security analysis
- Conclusion

## Internet of things



Courtesy: i-scoop.com

## Side-Channel Attacks



Courtesy: venturebeat.com

## To Moore' and Beyond...



# Scaling – but Thinking security





















Thanks to dual-rail logic, we deal with signal reduction and achieve lower signals compared to CMOS...



CMOS





- Easier to implement
- Lesser area overhead
- Faster design time
- Can be implemented using standard cell libraries

Vulnerable to side-channel attack as power consumption is dependent on manipulated data







**DDSLL XOR** 

- Easier to implement
- Lesser area overhead
- Faster design time
- Can be implemented using standard cell libraries

Vulnerable to side-channel attack as power consumption is dependent on manipulated data



XOR CMOS

- Easier to implement
- Lesser area overhead
- Faster design time
- Can be implemented using standard cell libraries

 Vulnerable to side-channel attack as power consumption is dependent on manipulated data



 Ideally equalized power consumption irrespective of manipulated data

## CMOS vs Dual-rail logic Operation



## $I_{DD}$ in CMOS

## CMOS vs Dual-rail logic Operation



 $I_{\text{DD}}$  in CMOS



| Phase      | Clk  | Inputs     | Outputs |
|------------|------|------------|---------|
| Precharge  | Low  | Don't care | High    |
| Evaluation | High | Valid      | Valid   |













DDSLL provided a security level of x10 compared to CMOS in 65nm [15]

Imbalances in capacitances (dual-rail logics) lead to data dependencies which become exploitable [34,19,26,29,16]



DDSLL provided a security level of x10 compared to CMOS in 65nm [15]

Imbalances in capacitances (dual-rail logics) lead to data dependencies which become exploitable [34,19,26,29,16] Does it get **worse** *with scaling?* 



## Implementation







#### Implementation

#### AES 8-bit S-box

- CMOS styles implemented in 65nm and 28nm
- DDSLL styled using BDD implemented in 65nm and 28nm



**Evaluation** 

#### Low power operation

 All S-boxes operated from nominal voltage of technology to (nominal voltage – 500 mV)



#### Implementation

#### AES 8-bit S-box

- CMOS styles implemented in 65nm and 28nm
- DDSLL styled using BDD implemented in 65nm and 28nm

#### Low power operation

 All S-boxes operated from nominal voltage of technology to (nominal voltage – 500 mV)



## **Evaluation**

#### **Performance Metric**

- Energy-per-operation
- SNR

#### **Distinguisher**

- Points-of-Interest
- (PCA and Maximum signal)
  Noise level
- Noiseless

 Cautionary note: no routing parasitics or PVT variations are considered, so this is the ideal case; when included it should only add to the performance degradation in dual rail circuits.

• Performance Metrics

- Performance Metrics
  - We have 2 different logic styles, CMOS & DDSLL

- Performance Metrics
  - We have 2 different logic styles, CMOS & DDSLL
  - Both are being scaled down from 65nm to 28nm

- Performance Metrics
  - We have 2 different logic styles, CMOS & DDSLL
  - Both are being scaled down from 65nm to 28nm
  - Voltages are also scaled from nominal to nominal-0.5V

- Performance Metrics
  - We have 2 different logic styles, CMOS & DDSLL
  - Both are being scaled down from 65nm to 28nm
  - Voltages are also scaled from nominal to nominal-0.5V
  - Energy per operation, a relatively discriminant metric, is used for performance comparison since it integrates the total power over the time.

$$E_{op} = \int_{t} (P_{dyn} + P_{stat}) dt,$$
  
=  $\underbrace{\frac{1}{2} N_{sw} C_L V_{DD} V_{swing}}_{\text{Dynamic}} + \underbrace{V_{DD} I_{leak} T_{del}}_{\text{static}},$ 

- Security Metrics
  - Simulated traces without any physical noise  $L_t^i(X, N) = L_t^{simu}(X, N)$

- Security Metrics
  - Simulated traces without any physical noise  $L_t^i(X, N) = L_t^{simu}(X, N)$
  - A multivariate power trace, l, reduced to univariate using PCA l = PCA(l)

- Security Metrics
  - Simulated traces without any physical noise  $L_t^i(X, N) = L_t^{simu}(X, N)$
  - A multivariate power trace, l, reduced to univariate using PCA l = PCA(l)
  - Using Mangard's SNR,

$$SNR = \frac{\hat{var}_x(\hat{\mathsf{E}}_i(L_x^i))}{\hat{\mathsf{E}}_x(\hat{var}_i(L_x^i))},$$

- Security Metrics
  - Simulated traces without any physical noise  $L_t^i(X, N) = L_t^{simu}(X, N)$
  - A multivariate power trace, l, reduced to univariate using PCA l = PCA(l)
  - Using Mangard's SNR,

$$SNR = \frac{\hat{var}_x(\hat{\mathsf{E}}_i(L_x^i))}{\hat{\mathsf{E}}_x(\hat{var}_i(L_x^i))},$$

Since we have *noise-free* traces, we compute only the numerator corresponding to *maximizing* the signal,

$$\hat{\mathsf{var}}_x(\hat{\mathsf{E}}_i(L^i_x))$$

• Simulation settings:

• Simulation settings:

Standard V<sub>t</sub> transistors (no forward or reverse biasing effects)

- Simulation settings:
  - Standard V<sub>t</sub> transistors (no forward or reverse biasing effects)
  - From 1.2V nominal for 65nm LP and 1V nominal for 28nm FDSOI, simulated up to nominal-500 mV

- Simulation settings:
  - Standard V<sub>t</sub> transistors (no forward or reverse biasing effects)
  - From 1.2V nominal for 65nm LP and 1V nominal for 28nm FDSOI, simulated up to nominal-500 mV
  - > 10MHz frequency of operation

- Simulation settings:
  - Standard V<sub>t</sub> transistors (no forward or reverse biasing effects)
  - From 1.2V nominal for 65nm LP and 1V nominal for 28nm FDSOI, simulated up to nominal-500 mV
  - > 10MHz frequency of operation
  - Input signal which transitions from 0-1,0-2,....0-N where N=255 for security analysis

- Simulation settings:
  - Standard V<sub>t</sub> transistors (no forward or reverse biasing effects)
  - From 1.2V nominal for 65nm LP and 1V nominal for 28nm FDSOI, simulated up to nominal-500 mV
  - > 10MHz frequency of operation
  - Input signal which transitions from 0-1,0-2,....0-N where N=255 for security analysis
  - $\succ$  Random 1000-bit input signal for  $E_{op}$  calculation

- Simulation settings:
  - > Standard  $V_t$  transistors (no forward or reverse biasing effects)
  - From 1.2V nominal for 65nm LP and 1V nominal for 28nm FDSOI, simulated up to nominal-500 mV
  - > 10MHz frequency of operation
  - Input signal which transitions from 0-1,0-2,....0-N where N=255 for security analysis
  - > Random 1000-bit input signal for  $E_{op}$  calculation
  - > signal,  $S_{PCA}$  and energy per operation,  $E_{op}$  w.r.t  $V_{DD}$  computed

## Security analysis

Security vs Performance– PCA applied signal

- The x-axes represents the Energy per operation <u>ratio</u> between CMOS & DDSLL, i.e  $\frac{E_{op}^{CMOS}}{E_{op}^{DDSLL}}$
- The y-axes represent the <u>ratio</u> of the PCAapplied Signal between CMOS & DDSLL, i.e  $\frac{S^{PCA}_{CMOS}}{S^{PCA}_{DDSLL}}$

## Scaling Trends-CMOS/DDSLL- 65nm/28nm

Security vs Performance-PCA applied signal



- Nominal voltage for 65nm technology is 1.2V (1.2-0.7V)
- Nominal voltage for 28nm technology is 1V (1 0.5V)

## Scaling trends for CMOS - Performance

## Scaling trends for CMOS E<sub>op</sub>



## Scaling trends for CMOS - Security

Scaling trends for CMOS signal



## Conclusion

- Interest in DDSLL over CMOS vanishes as circuit sizes shrink.
  - Because the impact of imbalanced capacitances increases at lowerscaled technologies.
  - We believe this trend hold true for other types of dual-rail logic styles (like WDDL, DyCML, SABL)

## Conclusion

- Interest in DDSLL over CMOS vanishes as circuit sizes shrink.
  - Because the impact of imbalanced capacitances increases at lowerscaled technologies.
  - We believe this trend hold true for other types of dual-rail logic styles (like WDDL, DyCML, SABL)
- SNR reduction via signal reduction is likely to become increasingly challenging.
  - By contrast, scaling trends are positive for CMOS because of increase in (intrinsic) noise.

## Conclusion

- Interest in DDSLL over CMOS vanishes as circuit sizes shrink.
  - Because the impact of imbalanced capacitances increases at lowerscaled technologies.
  - We believe this trend hold true for other types of dual-rail logic styles (like WDDL, DyCML, SABL)
- SNR reduction via signal reduction is likely to become increasingly challenging.
  - By contrast, scaling trends are positive for CMOS because of increase in (intrinsic) noise.
- Designing efficient and noisy CMOS implementations is an interesting research challenge
  - Dual-rail logics may still be useful for other purposes such as ensuring independence for masking

# Thank you