Vulnerability modeling of cryptographic hardware to power analysis attacks


ARTICLE IN PRESS INTEGRATION, the VLSI journal 42 (2009) 468–478


Amir Moradi (a, corresponding author), Mahmoud Salmasizadeh (b), Mohammad Taghi Manzuri Shalmani (a), Thomas Eisenbarth (c)

(a) Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
(b) Electronics Research Center, Sharif University of Technology, Tehran, Iran
(c) Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany

Article history: Received 2 March 2008; received in revised form 16 September 2008; accepted 26 January 2009.

Abstract

Designers and manufacturers of cryptographic devices are always worried about the vulnerability of their implementations in the presence of power analysis attacks. This article can be categorized into two parts. In the first part, two parameters are proposed to improve the accuracy of the latest hypothetical power consumption model, the so-called toggle-count model, which is used in power analysis attacks. Comparison between our proposed model and the toggle-count model demonstrates a great advance, i.e., 16%, in the similarity of hypothetical power values to the corresponding values obtained by an analog simulation. It is supposed that the attacker would be able to build such an accurate power model. Thus, in the second part of this article we aim at evaluating the vulnerability of implementations to power analysis attacks which make use of our proposed power model. Simple power analysis, various types of differential power analysis, and correlation power analysis are taken into account. Then, some techniques are proposed to examine the vulnerability of implementations to such kinds of power analysis attacks. © 2009 Elsevier B.V. All rights reserved.

Keywords: SPA DPA Glitches Toggle-count DPA Vulnerability

This project is partially supported by Iran National Science Foundation.
doi:10.1016/j.vlsi.2009.01.001

1. Introduction

In 1996, Kocher introduced the information leakage of implementations [11]. He showed that the response time of an implementation of public key cryptographic algorithms such as RSA and DSS is correlated to the secret values. Thus, it was called a timing attack. Also, he mentioned that power consumption and electromagnetic radiation of cryptographic hardware may be used to reveal secret information while the cryptographic algorithms are secure against the known cryptanalysis methods. In 1999, Kocher et al. presented practical results of a powerful attack which used power consumption values of a cryptographic device [12]. In fact, two methods were introduced to extract the secret key through the power consumption channel: simple power analysis (SPA) and differential power analysis (DPA) attacks. SPA is a technique in which secret information such as secret key parts is discovered directly via visual inspection of the power consumption traces. Preventing SPA attacks is not so hard; many techniques have been proposed so far, such as the avoidance of key dependent conditional branches in microprocessors [12] and noise addition to power consumption traces [2]. However, DPA attacks are capable of revealing the secret key of implementations which have been equipped with SPA countermeasures. In a typical DPA attack, the attacker repeats the power consumption measurement for alternative input values; then, statistical tools help to specify the correct secret key among the other hypotheses.

Afterwards side channel attacks were taken into consideration by many researchers. Several techniques have been proposed as countermeasures against power analysis attacks. In contrast, many approaches have been introduced to improve the functionality and the applicability of DPA attacks on resistant implementations. For instance, the insertion of dummy instructions in microprocessor-based implementations was proposed to counteract DPA attacks [6] by misaligning the power consumption traces. Then, the frequency-based DPA attack [9] was introduced to defeat this countermeasure. Indeed, the fast Fourier transform (FFT) helps to solve the misalignment problem of the power traces. Also, masking techniques were used to randomize the power values. When this method is used at gate level, each logic signal is masked by a random bit [27]. However, in [17] it was shown that gate level masking cannot prevent the information leakage because of the difference between the arrival time of the inputs and the mask signals. Moreover, second order and higher order DPA attacks [15] were proposed to use two or more points of power consumption traces to attack masked implementations.


On the other hand, dual-rail and pre-charge logic styles, such as sense amplifier-based logic (SABL) [26] and wave dynamic differential logic (WDDL) [28], were introduced to make the power consumption of implementations alike for all possible states. The mixture of pre-charge logic and gate level masking led to Random Switching Logic (RSL) [25] and masked dual-rail pre-charge logic (MDPL) [22]. Although the use of these logic styles improves the resistance against side channel attacks, they must be applied at the transistor or even deeper design levels. Consequently, there are many limitations on their usage such as area, power consumption, and performance.

Moreover, the masking technique is applied at the algorithm level too. In this case, an input value, i.e., plaintext or ciphertext, is masked with a randomly generated value, i.e., the mask. Then, the effect of the mask value is removed at the end of the encryption/decryption process. In fact, an algorithmic masking scheme changes the correlation between the input values and the power consumption traces. The power consumption values correlate with the internal values processed, but the relation between the internal and input values depends on the mask values, which are generated randomly. The algorithmic masking schemes can be applied at every unit of a cryptographic algorithm, but the complexity of the masking removal process depends on the nonlinearity of the unit masked. Many approaches have been published to make a masked AES S-box [5,10,21,27] because other operations of AES encryption/decryption are linear and easy to mask [1]. The security or the vulnerability of different algorithmic masking schemes has been analyzed theoretically, and the security of some of them has been proven [21].

Therefore, the masking techniques were being considered as an effective method to resist power analysis attacks until Mangard et al. presented the result of a practical power analysis attack which could reveal the secret key of two masked AES implementations [18]. In fact, they changed the hypothetical power consumption model. The Hamming weight/distance of the processed data was the conventional power consumption model in typical DPA attacks, but Mangard et al. used the fact that glitches in combinational CMOS circuits play the most significant role in the power consumption. They applied the number of toggles instead of the Hamming weight as the hypothetical power model. They showed that two masked implementations of the AES-128 encryption algorithm are vulnerable as well as the unmasked one. Although the security of the used masking schemes has been proven, the theoretical analyses have been performed on the basis of the old hypothetical power model. Accordingly, the usage of a more accurate power model led to a successful attack. Later in [19], Mangard et al. showed that the XOR gates of the mask multipliers cause the information leakage of the implemented masked S-boxes. Although they proposed two techniques to prevent the leakage, the resistant implementations might be vulnerable against a DPA attack which uses a more accurate power model.

The first goal of this paper is to define a more accurate hypothetical power consumption model. The improvement achieved by the proposed modifications in the hypothetical power model is verified by the simulation results. We do not intend to design a more powerful DPA attack. However, as the second aim we propose a theoretical method to evaluate the vulnerability of implementations using our proposed power model. In other words, we introduce some techniques to be used by the designers of cryptographic devices. They can use these techniques to examine the vulnerability of their designs before the implementation. The proposed methods are based on the simulation results of the combinational logic circuits. Thus, some parts of the hardware which should be secured must be simulated for all possible intermediate values. The proposed methods examine the vulnerability to various kinds of power analysis attacks.

The rest of the article is organized as follows. In Section 2, we recall the principles of the previous power consumption models and the toggle-count model presented in [18]. Some new parameters are proposed to improve the accuracy of the toggle-count model in Section 3. In Section 4, the simulation results of the achieved improvement using our proposed model are shown. We illustrate the usage of our model for vulnerability evaluation in Section 5. Finally, Section 6 presents the conclusions of our research.

2. Power consumption models

The power analysis attack scenario is to discover some secret information (a part of the main key or an intermediate value which depends on the main key) using power consumption traces measured during the computation of the algorithm. In fact, an attacker attempts to discover the correlation between the power traces and the secret values. In SPA attacks, the secret information is exploited directly by examining (in some cases by visual inspection) the power traces. Since the instruction flow of some software implementations of cryptographic algorithms depends on the secrets, investigating the power traces may help to recover the instruction flows and consequently the secret key. In fact, the SPA attacks reveal the dependency between the operations and the power values. On the other hand, template attacks [8], a powerful branch of SPA, reveal the dependency between the data processed and the power values too. Since software implementations are not the main target of our analysis in this article, the aim of SPA in our discussions relates to a branch where the dependency on the processed data is taken into account.

However, in DPA attacks, especially in the correlation-based ones, the attacker creates a hypothetical model (at the abstract level) to estimate the instantaneous power consumption of the attacked device. These estimations are compared with the measured power traces. Statistical methods such as the mean and the correlation coefficient help the comparisons to exploit the secrets. In power analysis attacks there is a hypothetical model which predicts the instantaneous power consumption values of the device using the design details and the input and/or output values of the attacked part. In [12], it has been shown that there is a direct correlation between the power consumption and the Hamming weight of the values stored in registers:

$$P(t) \propto \sum_{i=1}^{n} R_i(t), \tag{1}$$

where $P(t)$ is the estimated power consumption at time $t$, $n$ is the number of single-bit registers, and $R_i(t)$ denotes the value stored in the $i$th register at time $t$. This model works for bipolar circuits, which are usually not used for the design of digital circuits any more. Furthermore, this model can be applied to many contemporary microprocessors/microcontrollers containing a precharged data/address bus. Thus, in this case the power consumption values are proportional to the Hamming weight of the transferred values.

Nowadays almost all application specific digital integrated circuits are implemented in CMOS technology. The dominant factor of the power consumption of a CMOS gate (in technologies with $\lambda > 90$ nm) is the dynamic power consumption [13]. Therefore, the power consumption of a register depends on its transition rather than on its current state. It has been shown that the power consumption for a $0 \to 1$ and a $1 \to 0$ transition is higher than for a $0 \to 0$ or a $1 \to 1$ transition. Hence the number of the changed bits in the registers correlates with the instantaneous power consumption of the CMOS circuits during load time. This power consumption model is called the Hamming distance model, described by the following equation:

$$P(t) \propto \sum_{i=1}^{n} R_i(t) \oplus R_i(t-1). \tag{2}$$

The applicability of the Hamming distance model has been proved in many DPA attacks [3,12,15,23]. Fig. 1 shows the power traces sampled during the load of an 8-bit register in different states. However, the power consumption of cryptographic devices is not actually similar to what is presented in Fig. 1 because the power consumption of a device depends not only on the number of changed bits of the registers, but also on the power consumption of the combinational circuits located at the output of the changed registers, see Fig. 2. Consequently, if there is a combinational circuit at the output of the registers, the results shown in Fig. 1 will not be correct, and the SPA attacks are not successful in most cases.

In order to deal with such a problem, the DPA attack has been introduced by Kocher et al. [12]. In fact, a conventional DPA attack tries to detect the difference between the power consumption values of two sets, using no specific hypothetical model to estimate the power consumption values. In a conventional DPA attack the effect of a single-bit register on the power consumption is used to determine the correct hypothesis. Afterwards a general method of DPA attacks was introduced in [14] which uses the effect of all changed bits. Appendix A gives more details of the DPA attacks.

In contrast, a correlation power analysis attack [4] makes use of a hypothetical power model. In fact, it is a general case of the DPA attacks that uses a hypothetical power model to estimate the power consumption values and compares the estimations with the actual power values in order to distinguish the correct guess. The simplest power model for CMOS circuits is illustrated by Eq. (2). Also, the statistical techniques help to avoid the effect of the combinational circuits on power values and to determine the correct prediction. In fact, the effect of a combinational circuit could be considered as noise in the power consumption values of registers. The security or vulnerability of countermeasures has been analyzed using the conventional DPA concepts illustrated above.

Security of some masking methods [1,5,10,21] has been proven by assuming certain power consumption characteristics. However, when Mangard et al. published the results of a successful attack on two masked AES ASIC implementations [18], the efficiency of the masking schemes to prevent the information leakage was put in doubt. Mangard et al. changed the hypothetical power consumption model and constructed a more accurate one. The combinational circuits that are located at the output of the changed registers play the main role in their proposed model. They supposed that the attacker knows the design details of the combinational circuits, i.e., the back-annotated netlist of some parts of the attacked device. In fact, they introduced the toggle-count model as the number of toggles that occur in the combinational circuits after the change in registers:

$$P(t) \propto \sum_{i=1}^{m} g_i(t), \tag{3}$$

where $m$ is the number of internal signals, $g_i(t)$ denotes the number of toggles occurring in the $i$th signal in the period [t, t + ], and  is determined according to the delay of the longest path of the combinational circuit.

Consider register A in Fig. 2, and suppose that $x$ has been stored in it. When the clock signal triggers the register to load value $y$, several glitches happen in the combinational circuit. As mentioned previously, transitions play the significant role in the power consumption of CMOS circuits. Mangard et al. [18] used this fact and introduced the number of toggles as a new hypothetical power consumption model. Fig. 3 shows one example of glitches occurring after the change in the input of an AES S-box. It is well known that glitches happen in combinational circuits because of the delay in logic gates, and the delay of the logic gates depends on many parameters, namely the used process technology and the supply voltage, $V_{DD}$. Although most of the glitches happen sequentially, not simultaneously, the effects of glitches on power consumption are added cumulatively and appear as a peak in power consumption traces, such as the examples shown in Fig. 4. Moreover, $\int_{0} V_{DD} \cdot I(t)\,dt$ is defined to measure the power consumption. Accordingly, the number of toggles is a reasonable method to estimate the power consumption values.

Fig. 1. Sampled power consumption traces for different states of an 8-bit register.

Fig. 2. Block diagram of a typical circuit.

Fig. 3. The glitches that occur at the output of the AES S-box if the input changes from $02_{hex}$ to $b3_{hex}$.

Fig. 4. Example of sampled power consumption and glitches in an implementation of AES S-box.

Mangard et al. used this concept and applied the toggle-count model in a correlation-based power analysis attack called the toggle-count DPA attack [18]. In this scenario, the attacker simulates the combinational circuit for all possible values, that is, $x$ and $y$ in Fig. 2. For an 8-bit register the attacker has to simulate the circuit $256 \times 255$ times and count the number of toggles in each simulation separately. Statistical tools such as the correlation coefficient help to discover the secret value using the comparison between simulated results and the measured power traces; see Appendix B for more details of the toggle-count DPA attack. If the attacker can find the correct values $x$ and/or $y$, the implementation is vulnerable. In [18] it is shown that weak implementations cause information leakage even though masking techniques were employed. Thus, many parameters which affect the occurrence of glitches determine the vulnerability of implementations to DPA attacks.

Note that power consumption values can be estimated at different levels of simulation: behavioral, logical, and analog levels [16]. The quality and the precision of the estimation depend on the chosen level of simulation. Simulation at the behavioral level is the fastest and has the lowest precision. Also, it is suitable only for special parts of the implementations such as a data/address bus. On the other hand, analog simulators are the most precise tools, but the analog simulation of large circuits is very time consuming. For instance, we needed roughly 50 days/PC to simulate an AES S-box for all possible changes in its 8-bit input with the Synopsys HSPICE simulator. Consequently, logic simulators are frequently used because of their moderate quality and speed. The toggle-count model is based on the results of a logic simulation which is performed on the back-annotated netlist of the combinational circuit of the attacked/evaluated device. In fact, in the next section we aim at improving the precision of a logic level model, the toggle-count model.

3. Enhanced toggle-count model: our proposed power model

As mentioned above, the number of toggles has been considered as the hypothetical power consumption model in [18]. The authors showed that if the attacker uses the more accurate hypothetical model, she might have a better chance to discover the secret information. In this section, some parameters are proposed to improve the accuracy of this model. We do not want to design a new attack; however, we suppose that the attacker could use an accurate model to estimate the instantaneous power consumption. Then, we apply the new model to evaluate the vulnerability of implementations. Power consumption of a CMOS element includes $P_{static}$, $P_{short\text{-}circuit}$, and $P_{switch}$ [13]:

$$P_{total} = P_{static} + P_{short\text{-}circuit} + P_{switch}, \tag{4}$$

$$P_{static} = \sum (\text{Leakage Current} \times \text{Supply Voltage}), \tag{5}$$

Pshort-circuit ¼ bðV DD  2V t Þ3

$P_{static}$ is approximately constant during the operation of the circuit. Thus, in our hypothetical model we estimate $P(t)$ by

$$HP(t) = \alpha \cdot HP_{short\text{-}circuit}(t) + \gamma \cdot HP_{switch}(t), \tag{8}$$

where $HP$ means hypothetical power consumption. According to the CMOS technology concepts, the required current to charge and discharge the capacitive load is the dominant factor of the power consumption in technologies bigger than 90 nm. The designers should justify the coefficients according to the specification of the implementation. Note that the role of $P_{switch}$ in power consumption values will be more important using the novel nanometer technologies. It should be noted that in submicron technologies, static power is much more than dynamic power and is the dominant factor in power consumption values. Since the static power does not play any role in power analysis attacks (because it does not depend on the data processed), our proposed model to estimate the power consumption is still feasible. One important point in modeling the power consumption of cryptographic devices is that the power values estimated by a hypothetical power model are not actual power values in Watt, but they are proportional to the real values.

3.1. Gate fanouts

According to Eq. (7), $P_{switch}$ depends on $C_L$ (we used the so-called lumped-C model to describe the charging power consumption of CMOS cells). When the output of a CMOS gate changes from HI to LO or vice versa, the load capacitance $C_L$ at the gate output is charged or discharged. Therefore, the amount of $C_L$ influences the power consumption, and $C_L$ depends on the fanout of the gates. The effect of the fanouts has not been considered by the toggle-count model. Thus, we propose the following equations:

$$HP_{short\text{-}circuit}(t) = \sum_{i=1}^{n} g_i(t), \tag{9}$$

$$HP_{switch}(t) = \sum_{i=1}^{n} g_i(t) \cdot f_i. \tag{10}$$

Here $f_i$ indicates the number of fanout gates of the $i$th gate.

3.2. LO and HI toggles

According to Eq. (6), $P_{short\text{-}circuit}$ relates to the small time interval in which the gate output changes. The transition length, i.e., the duration of time that there is a route from $V_{DD}$ to $V_{SS}$, affects $P_{short\text{-}circuit}$. However, in Eqs. (3) and (9) it is supposed that HI and LO transitions at the gate output consume the same amount of energy. HI and LO toggles might be different because of the used process technology, the difference between $W/L$ ratios, etc. Thus, Eq. (9) is modified as follows:

$$HP_{short\text{-}circuit}(t) = \sum_{i=1}^{n} \left(k_h \cdot hg_i(t) + k_l \cdot lg_i(t)\right), \tag{11}$$

where $hg_i(t)$ and $lg_i(t)$ are the number of HI and LO toggles, respectively, in the $i$th gate in the period [t, t + ]. The $k_h$ and $k_l$ coefficients are determined by the implementation technology and especially by the $W/L$ ratios of the n and p type transistors. In other words, $k_h/k_l$ is proportional to the ratio of the rise time to the fall time. $W/L$ ratios are not the same for all transistors of the same type in a circuit; consequently, the rise/fall time ratios differ. However, we can determine the average ratio for $k_h/k_l$. Obviously, if the effects of HI and LO transitions are the same, $k_h$ equals $k_l$, and Eqs. (9) and (11) will be equivalent.

HI and LO toggles affect $P_{switch}$ more significantly. It is shown in Fig. 5 that when the output of a CMOS element changes from LO to HI, the capacitive load will be charged, and the charging current is observed through the $V_{DD}$ or $V_{SS}$ route. However, when it changes from HI to LO, the charged capacitance will be discharged and the saved energy will be released as heat in the n type transistor. In this case, no current is observed through $V_{DD}$ or $V_{SS}$. In fact, just HI toggles participate in $P_{switch}$:

$$HP_{switch}(t) = \sum_{i=1}^{n} \left(hg_i(t) \cdot f_i\right). \tag{12}$$

Fig. 5. The different effects of HI and LO toggles on $P_{switch}$.

It should be noted that the difference between HI and LO toggles has been reported first in [24]. The authors have shown that observing the different effect of HI and LO transitions allows making a new model, signed distance, to estimate the power consumption of a cryptographic device more accurately than the Hamming weight and Hamming distance models. In short, Eqs. (8), (11), and (12) are proposed as the new hypothetical power consumption model. In the next section, the comparison between our proposed model and the toggle-count model is illustrated.

4. Comparison of the hypothetical power models

The implementation of an AES S-box which is presented in [7] is considered to evaluate the accuracy of our proposed model. We simulated the implementation using HSPICE and the TSMC 0.18 μm standard cell library with 1.8 V supply voltage for all possible changes in input signals, i.e., $255 \times 256$ states. In fact, this step has been performed to obtain values which are close to real power consumption values. On the other hand, its back-annotated netlist was simulated logically to get the number of toggles of each signal for each state.

4.1. Training phase

In order to use our proposed hypothetical power model, the designer has to justify the parameters, i.e., $\alpha$, $\gamma$, $k_h$, and $k_l$. As mentioned, $\alpha$ and $\gamma$ balance the effect of short-circuit and switching power consumption. In fact, the ratio of $P_{short\text{-}circuit}$ to $P_{switch}$ of a simple inverter gate could be used as the $\alpha/\gamma$ ratio. The designer can simulate a mere NOT gate with the used process technology specification to obtain the $P_{short\text{-}circuit}$ to $P_{switch}$ ratio. Note that the results of hypothetical power models are not actually in Watt but are proportional to values which are close to real power values. Thus, the magnitudes of $\alpha$ and $\gamma$ are not important; just their ratio affects the hypothetical power values. For instance, our simulation results (with Synopsys HSPICE and the TSMC 0.18 μm standard cell library) show that $P_{switch}$ plays the most significant role (approximately 75%) in power consumption values. Thus, we assumed $\alpha/\gamma = 1/3$ to examine the precision of our proposed model.
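The following added example (not code from the article) evaluates Eqs. (3), (8), (11) and (12) for a register change x → y, using α/γ = 1/3 from the paragraph above and the k_h = 1.1, k_l = 0.9 values the article chooses in this section. The netlist, its gate delays, the transport-delay simulator and the rule that a primary output counts as one fanout load are assumptions made for illustration.

```python
from itertools import product

# Constructed netlist (an assumption, not the article's S-box):
# gate output -> (function, input signals, delay in time units).
# Gates are listed in topological order and every delay must be >= 1.
NETLIST = {
    "n1":   (lambda a: 1 - a,    ("a",),       1),
    "n2":   (lambda a, b: a & b, ("a", "b"),   2),
    "n3":   (lambda n, c: n & c, ("n1", "c"),  2),
    "out":  (lambda p, q: p | q, ("n2", "n3"), 2),
    "out2": (lambda n, b: n ^ b, ("n1", "b"),  3),
}
INPUTS = ("a", "b", "c")           # outputs of the register that changes x -> y
PRIMARY_OUTPUTS = ("out", "out2")  # assumed to drive one external load each
ALPHA, GAMMA = 1.0, 3.0            # only the ratio alpha/gamma = 1/3 matters
K_H, K_L = 1.1, 0.9                # k_h + k_l = 2


def settle(x):
    """Steady-state value of every signal for the input assignment x."""
    values = dict(x)
    for name, (fn, ins, _delay) in NETLIST.items():
        values[name] = fn(*(values[i] for i in ins))
    return values


def fanouts():
    """f_i: number of gate inputs (plus assumed output loads) driven by gate i."""
    f = {name: 0 for name in NETLIST}
    for _fn, ins, _delay in NETLIST.values():
        for sig in ins:
            if sig in f:
                f[sig] += 1
    for name in PRIMARY_OUTPUTS:
        f[name] += 1
    return f


def count_toggles(x, y):
    """Return {gate: (HI toggles, LO toggles)} after the inputs switch x -> y at t = 0."""
    before = settle(x)
    horizon = sum(delay for _fn, _ins, delay in NETLIST.values())  # >= longest path
    history = {name: [] for name in NETLIST}    # history[name][t] for t >= 0
    toggles = {name: [0, 0] for name in NETLIST}

    def at(sig, t):
        if t < 0:                                # circuit was settled on x before t = 0
            return before[sig]
        return y[sig] if sig in y else history[sig][t]

    for t in range(horizon + 1):
        for name, (fn, ins, delay) in NETLIST.items():
            value = fn(*(at(sig, t - delay) for sig in ins))  # transport delay
            previous = at(name, t - 1)
            history[name].append(value)
            if value > previous:
                toggles[name][0] += 1            # LO -> HI: charges the load
            elif value < previous:
                toggles[name][1] += 1            # HI -> LO: no supply current
    return {name: tuple(counts) for name, counts in toggles.items()}


def power_models(x, y):
    """Hamming distance (Eq. 2), toggle count (Eq. 3) and enhanced model (Eq. 8)."""
    tog, f = count_toggles(x, y), fanouts()
    hp_short = sum(K_H * hi + K_L * lo for hi, lo in tog.values())   # Eq. (11)
    hp_switch = sum(hi * f[g] for g, (hi, _lo) in tog.items())       # Eq. (12)
    return {
        "hamming_distance": sum(x[s] != y[s] for s in INPUTS),
        "toggle_count": sum(hi + lo for hi, lo in tog.values()),
        "enhanced": ALPHA * hp_short + GAMMA * hp_switch,
    }


def all_transitions():
    """Hypothetical power for every x != y, as a designer would tabulate it."""
    table = {}
    for xb, yb in product(product((0, 1), repeat=len(INPUTS)), repeat=2):
        if xb != yb:
            table[(xb, yb)] = power_models(dict(zip(INPUTS, xb)), dict(zip(INPUTS, yb)))
    return table


if __name__ == "__main__":
    for (xb, yb), hp in sorted(all_transitions().items()):
        print(xb, "->", yb, hp)
```

With b = c = 1, the transitions a: 1 → 0 and a: 0 → 1 both have Hamming distance 1, yet the first one glitches on `out` and the two models assign them clearly different hypothetical power values.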

The $k_h$ and $k_l$ coefficients that are applied in Eq. (11) are used to differentiate the effect of LO and HI toggles. As mentioned, the $W/L$ ratio of n type and p type transistors plays the most significant role in the $k_h/k_l$ ratio. For example, in our simulations $W/L$ of the n type transistors equals 5, and it is 15 for the p type. The simulation results show that the average of rise/fall time equals 1.2. Therefore, we set the $k_h$ and $k_l$ coefficients as 1.1 and 0.9, respectively. As with the $\alpha/\gamma$ ratio, the magnitudes of $k_h$ and $k_l$ are not important and only their ratio influences our hypothetical model, but we recommend keeping $k_h + k_l = 2$ in order to make the $\alpha/\gamma$ and $k_h/k_l$ ratios independent.

4.2. Comparison

The simulation results and the given parameters were used by the toggle-count model and our proposed one to obtain hypothetical power values. Fig. 6 shows the mean diagrams of analog simulated and hypothetical power consumption values for all possible input values of the simulated AES S-box. It is quite obvious that the diagram of the proposed hypothetical model is more similar to the diagram of analog simulated values. However, for theoretical analysis the correlation coefficient is used to compare the similarity of diagrams. According to Table 1, which shows the comparison between the correlation coefficients, our proposed model shows a higher accuracy than the toggle-count model. In fact, the precision is improved by $0.938 - 0.775 = 16\%$. Although the proposed hypothetical model is more accurate than the previous ones and it can be used to attack implementations that are resistant to the toggle-count DPA attack, we do not aim at evaluating the effectiveness of a DPA attack using our proposed model. Instead, in the next section we apply this model to evaluate the vulnerability of implementations to power analysis attacks.

Fig. 6. Diagrams of hypothetical power values and analog simulated ones.

Table 1. Correlation coefficient between the hypothetical power models and the values obtained from an analog simulation for an implementation of an AES S-box.

| Set 1 | Set 2 | Correlation coefficient |
|---|---|---|
| Analog simulated | Toggle-count model [18] | 0.775 |
| Analog simulated | Our proposed model | 0.938 |

5. Use of a hypothetical power model for vulnerability evaluation

Signal-to-noise ratio (SNR) is a term for the power ratio between the signal and the noise. Eq. (13) represents its general formula ($P$ and $A$ denote average power and RMS amplitude, respectively):

$$SNR = \frac{P_{signal}}{P_{noise}} = \left(\frac{A_{signal}}{A_{noise}}\right)^{2}. \tag{13}$$

However, the general definition of an SNR in a digital environment is given by

$$SNR = \frac{P_{signal}}{P_{noise}} = \frac{Var(signal)}{Var(noise)}. \tag{14}$$

In case of the power analysis attacks, the SNR quantifies how much information is leaking from the power consumption traces. The higher the SNR, the higher is the leakage [16]. In fact, the signal corresponds to the component of the power consumption that is exploitable by the attacker. Also, the noise component is the sum of all types of noise in power consumption traces. Essentially, there are two kinds of noise in power consumption traces: (i) electronic noise and (ii) switching noise. When a power measurement of a fixed operation on some fixed data is repeated, the measurement is different for every repetition. This noise component of the power consumption is denoted by electronic noise. The sources of electronic noise are manifold. Some of these noise sources are noise of the power supply, noise of the clock generator, and quantization noise. In contrast, variations of power traces that are caused by cells that are not relevant for the attack are known as switching noise. The amount of switching noise depends not only on the measurement setup but also strongly on the architecture of the attacked device. Obviously, the higher the switching noise, the smaller is the SNR. Thus, we suppose that the power consumption traces do not contain the switching noise component because we want to evaluate the cryptographic device in a worst case scenario. As a consequence, noise components in our estimation of the SNR correspond only to the electronic noise.

Now, the open problem is how the probability of a successful attack is derived from the SNR. We suppose that the attacker has access to the implementation details. Hence, she knows the design architecture and some parameters of the implementation such as the used fabrication technology. Therefore, she can use our proposed hypothetical model to estimate the power consumption values accurately. Our purpose is to examine whether she will succeed in discovering the secret key using known power analysis attacks or not. If so, the designer must modify the architecture to make a resistant implementation. The purpose of vulnerability modeling is to find the probability of a successful attack.

Definition: the success rate of a power analysis attack is the ratio of the number of states where the secret key can be found correctly to the number of all states for the secret key. In other words, the designer of a cryptographic device uses all possible values for the secret key (or a part of the secret key) and performs power analysis attacks to determine for which ones the attacker might be able to discover the secrets correctly.

To clarify the definition, consider the device shown by Fig. 7. We have simulated the device for 100 random plaintexts for each of the 16 possible secret keys, i.e., 1600 times. The aim of the attack is to find the 4-bit secret key for all possible cases. Since simulated power values do not contain electronic noise, using these power values usually leads to successful attacks. Thus, we have added normally distributed electronic noise to each point of the power traces manually. Table 2 shows the result of attacks for a standard deviation of 2 mA for electronic noise. According to this table, the attacks have been successful for nine cases. Thus, the success rate equals $9/16 = 0.5625$. This process has been repeated for different values of noise standard deviation, and finally the diagram shown by Fig. 8 has been obtained. We have repeated the illustrated task using real power consumption traces of a Spartan-II FPGA that implements an 8-bit XOR followed by an AES S-box. Since the secret key is an 8-bit value, 1000 measurements have been done for each of 256 secret keys.

Note that in this case, the measurements include electronic noise. As described for the previous attacked device, additional electronic noise has been added to the power values in order to calculate the success rate vs. noise standard deviation, which is shown by Fig. 9. Now, Fig. 10 shows the success rate of both attacks over the SNR. Obviously, both attacks roughly lead to the same diagram. Therefore, we can define a function which describes the probability of a successful attack (success rate) on the basis of the SNR. To the best of our knowledge, SNRs are usually expressed in terms of the logarithmic decibel scale. In decibels, the SNR is, by definition, 10 times the logarithm of the power ratio:

$$\mathrm{SNR\ (dB)} = 10 \cdot \log_{10}\left(\frac{\mathrm{Var}(\mathrm{signal})}{\mathrm{Var}(\mathrm{noise})}\right). \tag{15}$$

We propose to use the inverse of SNR (dB) to determine the probability,

$$F(\mathrm{SNR}) = 10^{-0.1\,\mathrm{Var}(\mathrm{noise})/\mathrm{Var}(\mathrm{signal})} = \frac{1}{\sqrt[10 \cdot \frac{\mathrm{Var}(\mathrm{signal})}{\mathrm{Var}(\mathrm{noise})}]{10}}, \tag{16}$$

where $F(\cdot)$ is a cumulative distribution function (cdf). In fact, the calculated SNR is used to obtain the probability. As presented in [16], SNRs that are bigger than 1 lead to a successful attack. Also, it has been shown that a successful attack can be performed even with lower SNRs (such as 0.1), but in this case many more measurements are needed in comparison with the higher SNRs. Fig. 11 shows the diagram of our proposed distribution function. Obviously, the diagram matches the above discussion about the SNRs and the probability of a successful attack. As mentioned previously, if the designer tends to obtain the exact amount of the power consumption in Watt, he has to use an analog simulator which needs a great amount of time to simulate all states of the intermediate values. Consequently, the hypothetical power consumption models, such as our proposed one, are used for estimation.

Fig. 7. Block diagram of the attacked device.

Table 2. Attack results for noise standard deviation of 2 mA (✓ = correct key revealed, - = attack failed).

Correct key      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
Revealed value   0  2  2  3  c  5  6  7  a  9  3  b  9  e  e  6
Success          ✓  -  ✓  ✓  -  ✓  ✓  ✓  -  ✓  -  ✓  -  -  ✓  -
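The success-rate measurement behind Table 2 and Fig. 8 can be rehearsed on simulated values before any silicon exists. The following Python simulation is an added example, not code from the article: the PRESENT S-box as the 4-bit device, the Hamming-weight leakage, the use of the correlation coefficient as distinguisher, and all function names are assumptions, and the noise unit is that of the constructed leakage values, not amperes.

```python
import random

# PRESENT 4-bit S-box; stands in for the 4-bit evaluated device (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def leak(p, k):
    """Constructed noise-free power value: Hamming weight of SBOX[p XOR k]."""
    return bin(SBOX[p ^ k]).count("1")


def pearson(a, b):
    """Correlation coefficient of two equally long sequences (0.0 if one is constant)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    va = sum((u - ma) ** 2 for u in a)
    vb = sum((v - mb) ** 2 for v in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def revealed_key(plaintexts, trace):
    """Key hypothesis whose hypothetical values correlate best with the trace."""
    return max(range(16),
               key=lambda k: pearson(trace, [leak(p, k) for p in plaintexts]))


def success_rate(sigma, repeats=10, seed=1):
    """Fraction of the 16 secret keys revealed correctly at noise std. dev. sigma."""
    rng = random.Random(seed)                # fixed seed: repeatable evaluation
    plaintexts = list(range(16)) * repeats   # every plaintext equally often
    hits = 0
    for key in range(16):
        # Simulated value plus normally distributed electronic noise.
        trace = [leak(p, key) + rng.gauss(0.0, sigma) for p in plaintexts]
        hits += revealed_key(plaintexts, trace) == key
    return hits / 16


def sweep(sigmas=(0.0, 0.5, 1.0, 2.0, 4.0, 8.0)):
    """Success rate for each noise level, i.e. the data behind a Fig. 8 style plot."""
    return [(s, success_rate(s)) for s in sigmas]


if __name__ == "__main__":
    for sigma, rate in sweep():
        print(f"sigma={sigma:4.1f}  success rate={rate:.4f}")
```

Without added noise every key is revealed, which is why the article adds electronic noise to the simulated values before counting successes.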

Fig. 8. Success rate over noise standard deviation (x-axis: noise standard deviation [A]; y-axis: success rate).

Fig. 9. Success rate of a real attack over noise standard deviation (x-axis: noise standard deviation [A]; y-axis: success rate).

Fig. 10. Success rate over SNR (x-axis: SNR; y-axis: success rate; curves: AES attack, PRESENT attack).

Fig. 11. Diagram of the distribution function.

We define $HP(x, y)$, the amount of power consumption observed when input signals change from $x$ to $y$, as follows:

$$HP(x, y) = \text{Our hypothetical power model}\,(a, g, k_h, k_l, F, G(x \to y)). \tag{17}$$

The designer defines $a$, $g$, $k_h$, and $k_l$ according to the parameters of the implementation. $F$ is the set of $f_i$, i.e., the number of fanouts for each internal signal. $G(x \to y)$ is the set of $hg_i$ and $lg_i$, the number of HI and LO toggles that occur when input signals change from $x$ to $y$. However, as described, the hypothetical power consumption values, $HP(\cdot)$, are not actual power values in Watt, but they are approximately proportional to the real power consumption of the attacked/evaluated device. Thus, an estimation for $HVar(\mathrm{signal})$, the hypothetical variance, is given by

$$HVar(\mathrm{signal}) = \frac{1}{n-1} \sum_{i=1}^{n} \left(HP_i - \overline{HP}\right)^2. \tag{18}$$

As pointed out, hypothetical power consumption values are proportional to real power values:

$$HP(x, y) = f \cdot P(x, y). \tag{19}$$

Consequently, the hypothetical variance of power consumption values can be rewritten as follows:

$$HVar(\mathrm{signal}) = \frac{1}{n-1} \sum_{i=1}^{n} \left(f \cdot P_i - f \cdot \overline{P}\right)^2 = \frac{f^2}{n-1} \sum_{i=1}^{n} \left(P_i - \overline{P}\right)^2 = f^2 \cdot \mathrm{Var}(\mathrm{signal}). \tag{20}$$

The designer can use the analog simulators for a small number of intermediate values to estimate the average power consumption in Watt, $\overline{P}$. This means that he can extract the coefficient $f$ from the ratio $\overline{HP}/\overline{P}$. Consequently, he can use the hypothetical power values to estimate $\mathrm{Var}(\mathrm{signal})$ with a reasonable accuracy. As described, the variance of noise, the other term in the SNR which is required to calculate the probability of a successful attack, depends on several parameters. Thus, the vulnerability of a device similarly depends on these parameters. Then, the designer should calculate the SNR and the probability of a successful attack for different values of noise standard deviation. As a result, a diagram which describes the probability of a successful attack over noise standard deviation, such as the one shown by Fig. 12, is obtained. In fact, this diagram determines a threshold for noise standard deviation to have a successful attack. Fig. 12 shows that the threshold for the device which is under evaluation is about 1 mW. Although noise standard deviation depends on the measurement setup, power supply, environmental noise, etc., it is about 1–6 mW for the cases using usual, non-professional equipment [16]. Thus, the evaluated device whose diagram is shown by Fig. 12 will be vulnerable in the presence of suitable measurement equipment. The method described above is a general view of our proposed technique. In the following subsections we illustrate techniques to evaluate the vulnerability to various power analysis attacks using the proposed method.

5.1. SPA attack

In SPA attacks the attacker tries to extract the secret information from power consumption traces directly. In most cases, the goal of SPA is to extract the Hamming weight or the Hamming distance of the processed data by measuring a lot of traces and averaging to reduce the measurement noise (which is the base of some template attacks). Consequently, the secret key hypotheses will be bounded to a smaller group. Some functions which might be used by the attacker to examine the dependency of power values on the Hamming weight or Hamming distance are defined as follows. Note that $\overline{X}$ means the average of all possible values for variable $X$.

$$HP_{HW_x}(h) = \overline{HP(x, y)} \quad \text{for } HW(x) = h, \tag{21}$$

$$HP_{HW_y}(h) = \overline{HP(x, y)} \quad \text{for } HW(y) = h, \tag{22}$$

$$HP_{HW_{xy}}(h) = \overline{HP(x, y)} \quad \text{for } HW(x \oplus y) = h, \tag{23}$$

$$HP_{HW_z}(h) = \overline{HP(x, y)} \quad \text{for } HW(f(y)) = h. \tag{24}$$

$f(y)$ in Eq. (24) is the function of the circuit under evaluation in which the input changes from $x$ to $y$. We can now calculate $\mathrm{Var}(\mathrm{signal})$ (and consequently the SNR) for each of the above functions. It should be noted that if the circuit which is under evaluation is resistant with respect to one of the functions defined, it does not mean that the circuit is resistant against SPA attacks. On the other hand, if the threshold of noise standard deviation for one of the defined functions shows a high level of vulnerability, it is not necessary to check the other functions. Note that the functions defined in Eqs. (21)–(24) are not the sole functions which can be defined for SPA attacks. They can rather be seen as examples to illustrate our evaluation method.


Fig. 12. A sample diagram of success rate over noise standard deviation.

5.2. DPA attack

In typical first order DPA attacks, a partition function divides power consumption values into two sets based on one bit of $x$, $y$, $x \oplus y$, or something similar. Thus, some functions are defined as follows:

$$HP_{b_x}(i, v) = \overline{HP(x, y)} \quad \text{for } (x \,\&\, 2^i) = v \cdot 2^i, \tag{25}$$

$$HP_{b_y}(i, v) = \overline{HP(x, y)} \quad \text{for } (y \,\&\, 2^i) = v \cdot 2^i, \tag{26}$$

$$HP_{b_{xy}}(i, v) = \overline{HP(x, y)} \quad \text{for } ((x \oplus y) \,\&\, 2^i) = v \cdot 2^i, \tag{27}$$

$$HP_{b_w}(j, v) = \overline{HP(x, y)} \quad \text{for } (f(x) \,\&\, 2^j) = v \cdot 2^j, \tag{28}$$

$$HP_{b_z}(j, v) = \overline{HP(x, y)} \quad \text{for } (f(y) \,\&\, 2^j) = v \cdot 2^j, \tag{29}$$

$$HP_{b_{wz}}(j, v) = \overline{HP(x, y)} \quad \text{for } ((f(x) \oplus f(y)) \,\&\, 2^j) = v \cdot 2^j. \tag{30}$$

In fact, the above functions are the mean of the power consumption values on the basis of the $i$th bit, i.e., $v$. Also, in Eqs. (25)–(30) '&' means the logical AND operation. Consequently, the following functions are defined to determine the difference between the power consumption values (differential hypothetical power, DHP) that have been classified using the introduced partition functions:

$$DHP_x(i) = \frac{\left(HP_{b_x}(i, 1) - HP_{b_x}(i, 0)\right)^2}{2}, \tag{31}$$

$$DHP_y(i) = \frac{\left(HP_{b_y}(i, 1) - HP_{b_y}(i, 0)\right)^2}{2}, \tag{32}$$

$$DHP_{xy}(i) = \frac{\left(HP_{b_{xy}}(i, 1) - HP_{b_{xy}}(i, 0)\right)^2}{2}, \tag{33}$$

$$DHP_w(j) = \frac{\left(HP_{b_w}(j, 1) - HP_{b_w}(j, 0)\right)^2}{2}, \tag{34}$$

$$DHP_z(j) = \frac{\left(HP_{b_z}(j, 1) - HP_{b_z}(j, 0)\right)^2}{2}, \tag{35}$$

$$DHP_{wz}(j) = \frac{\left(HP_{b_{wz}}(j, 1) - HP_{b_{wz}}(j, 0)\right)^2}{2}. \tag{36}$$

Obviously, $i$ is less than the bit-length of the input signals of the implemented combinational circuit, and $j$ is less than the bit-length of the output signals. In fact, the functions which are defined in Eqs. (31)–(36) are the variance of the illustrated partition functions. Similarly, the SNRs are calculated and the vulnerability (for different values of noise standard deviation) can be evaluated. In addition to the presented functions, other ones can be defined to partition the power consumption values on the basis of other relations between $x$, $y$, $f(x)$, and $f(y)$. We introduced some examples to present our proposed model.

5.3. Correlation power analysis attacks

As mentioned previously, in correlation power analysis attacks the attacker estimates hypothetical power consumption for intermediate values depending on input and key hypotheses. Then, the correlation coefficient between the hypothetical power values and the sampled power traces distinguishes the correct hypothesis among others. What makes an implementation vulnerable to a correlation power analysis attack is the difference between the power consumption values for alternative inputs. In other words, if the power consumption values are the same for all input values, no tool, e.g., the correlation coefficient, can recover the relation between sampled and hypothetical power values. Accordingly, the most general case of hypothetical power consumption values, $HP(x, y)$, is taken into account to calculate $\mathrm{Var}(\mathrm{signal})$ and the SNR. In a limited case, $P_x(d)$, $P_y(d)$, $P_{xy}(d)$, and $P_z(d)$ are defined as follows:

$$HP_x(d) = \overline{HP(d, y)}, \qquad HP_y(d) = \overline{P(x, d)}, \tag{37}$$

$$HP_{xy}(d) = \overline{HP(x, y)} \quad \text{for } (x \oplus y) = d, \tag{38}$$

$$HP_z(d) = \overline{HP(x, y)} \quad \text{for } f(y) = d. \tag{39}$$

Note that one of the results presented in [18] is a correlation power analysis attack which uses the toggle-count model. It was shown that $P_y(d)$ differs significantly for alternative $d$ values in an implementation of the AES S-box. Then, the performed attack could discover the secret key. The zero-input DPA attack, which was presented in [19], uses the case where power consumption values have a significant minimum for zero input. Then, a simple hypothetical power model has been defined to be used in a correlation power analysis attack. Some parameters are defined to evaluate the vulnerability of implementations to this simplified attack.

$$HPeakmin_x = \frac{\left(\overline{HP_x(d)} - \min(HP_x(d))\right)^2}{2}, \tag{40}$$

$$HPeakmax_x = \frac{\left(\max(HP_x(d)) - \overline{HP_x(d)}\right)^2}{2}. \tag{41}$$

$HPeakmin_x$ and $HPeakmax_x$ estimate the variance of a simple hypothetical power consumption model which uses the minimum/maximum of $HP_x(d)$. Similarly, the distance between the peak and the average can be computed for the other functions illustrated. Then, the vulnerability can be evaluated using the variances estimated.
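The evaluation flow of Section 5 (partition means, hypothetical variance, scaling by f, SNR, F(SNR), noise threshold) is worked through below in Python as an added example; it is not code from the article. The circuit f() is a stand-in (the 4-bit PRESENT S-box), HP(x, y) is a constructed toggle model with made-up HI/LO weights 3 and 2, the values f = 4.0 and the target probability 0.5 are made up, and all function names are hypothetical.

```python
from fractions import Fraction
from math import log10, sqrt

# PRESENT 4-bit S-box, used as a stand-in for the evaluated circuit f() (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# All input transitions x -> y with x != y (16 * 15 states).
PAIRS = [(x, y) for x in range(16) for y in range(16) if x != y]


def hw(v):
    """Hamming weight of a non-negative integer."""
    return bin(v).count("1")


def hp(x, y, k_h=3, k_l=2):
    """Constructed stand-in for HP(x, y): HI toggles of the 4 output bits
    weighted k_h, LO toggles weighted k_l (weights are made-up values)."""
    a, b = SBOX[x], SBOX[y]
    return k_h * hw(~a & b & 0xF) + k_l * hw(a & ~b & 0xF)


def mean(values):
    """Exact arithmetic mean as a Fraction."""
    values = list(values)
    return Fraction(sum(values), len(values))


def hvar(values):
    """Eq. (18): variance with the 1/(n-1) factor."""
    values = list(values)
    m = mean(values)
    return sum((v - m) ** 2 for v in values) / (len(values) - 1)


def hp_hw_z(h, **weights):
    """Eq. (24): mean HP over the transitions with HW(f(y)) = h."""
    return mean(hp(x, y, **weights) for x, y in PAIRS if hw(SBOX[y]) == h)


def dhp_z(j, **weights):
    """Eqs. (29) and (35): split on bit j of f(y), then (difference of means)^2 / 2."""
    m0, m1 = (mean(hp(x, y, **weights) for x, y in PAIRS
                   if (SBOX[y] >> j) & 1 == v) for v in (0, 1))
    return (m1 - m0) ** 2 / 2


def success_probability(snr):
    """Eq. (16): F(SNR) = 10^(-0.1 / SNR), SNR given as Var(signal)/Var(noise)."""
    return 10 ** (-0.1 / snr)


def noise_threshold(hvar_signal, f, target):
    """Largest noise standard deviation with F(SNR) >= target.
    Eq. (20) gives Var(signal) = HVar(signal) / f^2; Eq. (16) is then inverted."""
    var_signal = float(hvar_signal) / f ** 2
    return sqrt(-10 * log10(target) * var_signal)


if __name__ == "__main__":
    f = 4.0  # made-up HP/P ratio; the article obtains it from a few analog simulations
    leaks = {"SPA, HW(f(y)), Eq. (24)": hvar(hp_hw_z(h) for h in range(5)),
             "DPA, bit 0 of f(y), Eq. (35)": dhp_z(0)}
    for name, hv in leaks.items():
        var_signal = float(hv) / f ** 2
        print(name, "HVar =", hv,
              "threshold(F=0.5) =", round(noise_threshold(hv, f, 0.5), 4))
        for sigma in (0.05, 0.1, 0.2, 0.4):
            snr = var_signal / sigma ** 2
            print(f"  sigma={sigma:<5} SNR={10 * log10(snr):6.2f} dB"
                  f"  F={success_probability(snr):.3f}")
```

In this toy model DHP_z is exactly zero when HI and LO toggles are weighted equally, so the single-bit leak comes entirely from the HI/LO asymmetry.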

6. Conclusions

In the first part of this article, we have presented the hypothetical power consumption models applied in the various power analysis attacks. We have focused on the most precise one, called the toggle-count model. Two parameters were proposed to enhance its accuracy: (i) the effect of the number of fanouts on switching power consumption, $P_{switch}$, and (ii) the different effects of HI and LO toggles on $P_{switch}$ and $P_{short\text{-}circuit}$. The comparison between our proposed model and the toggle-count model shows an improvement (16%) in the similarity to the results of an analog simulation. Although our proposed hypothetical power consumption model can be used to attack some resistant implementations, our aim was to use it in vulnerability evaluation. In other words, we suppose that the attacker can build a very accurate model to predict power values. Thus, we examine the vulnerability of the implementation using the assumed power model. Some methods have been illustrated to evaluate the vulnerability of implementations against various power analysis attacks. We have considered SPA, typical DPA, and correlation power analysis attacks to examine the vulnerability. In fact, we have used the concept of SNR for evaluating the vulnerability of a cryptographic device to power analysis attacks. We defined a function to compute the probability of a successful attack according to the SNR. As a summary, using the following steps enables designers to evaluate the vulnerability of designs prior to chip production:

• The hypothetical power consumption values are obtained using the results of a logical simulation for all possible states of intermediate values.
• The mean of actual power consumption is estimated using an analog simulator for a small number of intermediate values. Thus, $f$, the coefficient between hypothetical and real power values, is calculated easily.
• The SNR of the desired function which may be used in a power analysis attack is computed using the hypothetical power values, $f$, and different values for noise standard deviation.
• Finally, the threshold of noise standard deviation to have a successful power analysis attack is determined.

Appendix A. Typical DPA attack

Suppose that an implementation of the AES encryption algorithm is the attacked device. Also, assume that an 8-bit Addroundkey which is followed by an S-Box block at the first round is taken into account in this attack. The 8-bit Addroundkey is the XOR result of 8 bits of the plaintext, $p$, and 8 bits of the secret key, $k$. Moreover, the result of $\text{S-Box}(p \oplus k)$ is stored in an 8-bit register. The attack scenario is started by sampling power consumption values for random plaintexts, $p_1, p_2, \ldots, p_n$, when the desired register is loaded. Thus, we obtain $n$ power consumption values, $v_1, v_2, \ldots, v_n$. Suppose that the LSB of the desired register is selected as the partition function.

$$PF(p, k) = LSB(\text{SBox}(p \oplus k)).$$

The partition function is used to classify the sampled power values in two groups, $S_0$ and $S_1$.

$$S_0(k) = \{v_i \mid PF(p_i, k) = 0\}; \qquad S_1(k) = \{v_i \mid PF(p_i, k) = 1\}$$

We aim at finding the correct value for the 8 bits of the secret key, $k$. Thus, $S_0(k)$ and $S_1(k)$ are created for all possible values of $k$. Then, the difference between the averages of the two sets is computed for each value of the guessed secret key.

$$d(k) = \left|\overline{S_0(k)} - \overline{S_1(k)}\right|.$$

Finally, the correct hypothesis is distinguished by the biggest difference, $d(k)$.

$$k' = \arg\max_{k}\,(d(k)).$$

Kocher et al. have discussed the theoretical analysis of the illustrated procedure in [12].

Appendix B. Toggle-count DPA attack

Consider the device introduced in Appendix A, but suppose that the considered register is placed between Addroundkey and the S-Box block. It is supposed that we know the detailed information of the S-Box block architecture. That is, we have access to its back-annotated netlist. First, we simulate the netlist for all possible changes in the 8-bit input register, i.e., $256 \times 255$ states. The number of toggles in internal signals is counted for each simulation round. Consequently, we obtain

$$TC(x, y) = \text{Number of toggles when input register changes from } x \text{ to } y$$

Then, the hypothetical power model is defined as follows:

$$HP(z) = \overline{TC(x, y)} \quad \text{for } y = z.$$

Similarly, $n$ power consumption values, $v_1, v_2, \ldots, v_n$, are obtained for $n$ random plaintexts, $p_1, p_2, \ldots, p_n$. Thus, we can create a vector on the basis of the sampled values.

$$SampledVector(i) = v_i.$$

Also, 256 vectors are constructed according to the key hypotheses.

$$HypotheticalVector_k(i) = HP(k \oplus p_i).$$

The correlation coefficient between SampledVector and each HypotheticalVector is computed separately:

$$CC(k) = \text{Correlation coefficient}\,(SampledVector, HypotheticalVector_k).$$

Finally, the correct hypothesis is distinguished by the biggest coefficient.

$$k' = \arg\max_{k}\,(CC(k)).$$

The theoretical analysis of the correlation power analysis attacks is illustrated in [4], and some details about the toggle-count model can be found in [18].

References

[1] M.-L. Akkar, C. Giraud, An implementation of DES and AES, secure against some attacks, in: Cryptographic Hardware and Embedded Systems—CHES 2001, Lecture Notes in Computer Science, vol. 2162, Springer, Berlin, 2001, pp. 309–318.
[2] L. Benini, E. Omerbegovic, A. Macii, M. Poncino, E. Macii, F. Pro, Energy-aware design techniques for differential power analysis protection, in: Proceeding of the 40th Design Automation Conference—DAC 2003, ACM, New York, 2003, pp. 36–41.
[3] S. Berna Örs, E. Oswald, B. Preneel, Power analysis attacks on an FPGA—first experimental results, in: Cryptographic Hardware and Embedded Systems—CHES 2003, Lecture Notes in Computer Science, vol. 2779, Springer, Berlin, 2003, pp. 35–50.
[4] E. Brier, C. Clavier, F. Olivier, Correlation power analysis with a leakage model, in: Cryptographic Hardware and Embedded Systems—CHES 2004, Lecture Notes in Computer Science, vol. 3156, Springer, Berlin, 2004, pp. 16–29.
[5] J. Blömer, J. Guajardo, V. Krummel, Provably secure masking of AES, in: Selected Areas in Cryptography—SAC 2004, Lecture Notes in Computer Science, vol. 3357, Springer, Berlin, 2005, pp. 69–83.
[6] M. Bucci, R. Luzzi, M. Guglielmo, A. Trifiletti, A countermeasure against differential power analysis based on random delay insertion, in: Proceedings of the IEEE International Symposium on Circuits and Systems—ISCAS 2005, IEEE, New York, 2005, pp. 3547–3550.
[7] D. Canright, A very compact S-box for AES, in: Cryptographic Hardware and Embedded Systems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005, pp. 441–455.
[8] S. Chari, J.R. Rao, P. Rohatgi, Template attacks, in: Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notes in Computer Science, vol. 2523, Springer, Berlin, 2002, pp. 13–28.
[9] C.H. Gebotys, S. Ho, C.C. Tiu, EM analysis of Rijndael and ECC on a wireless Java-based PDA, in: Cryptographic Hardware and Embedded Systems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005, pp. 250–264.
[10] J.D. Golić, C. Tymen, Multiplicative masking and power analysis of AES, in: Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notes in Computer Science, vol. 2523, Springer, Berlin, 2003, pp. 198–212.
[11] P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in: Advances in Cryptology—CRYPTO '96, Lecture Notes in Computer Science, vol. 1109, Springer, Berlin, 1996, pp. 104–113.
[12] P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Advances in Cryptology—CRYPTO '99, Lecture Notes in Computer Science, vol. 1666, Springer, Berlin, 1999, pp. 388–397.
[13] S.M. Kang, Y. Leblebici, CMOS Digital Integrated Circuits: Analysis and Design, McGraw-Hill, New York, 2002.
[14] T.-H. Le, J. Clédière, C. Canovas, B. Robisson, C. Servière, J.-L. Lacoume, A proposition for correlation power analysis enhancement, in: Cryptographic Hardware and Embedded Systems—CHES 2006, Lecture Notes in Computer Science, vol. 4249, Springer, Berlin, 2006, pp. 174–186.
[15] T.S. Messerges, Using second-order power analysis to attack DPA resistant software, in: Cryptographic Hardware and Embedded Systems—CHES 2000, Lecture Notes in Computer Science, vol. 1965, Springer, Berlin, 2000, pp. 238–251.
[16] S. Mangard, E. Oswald, T. Popp, Power Analysis Attacks, Revealing the Secrets of Smart Cards, Springer, Berlin, 2007, ISBN 0-387-30857-1.
[17] S. Mangard, T. Popp, B.M. Gammel, Side-channel leakage of masked CMOS gates, in: Topics in Cryptology—CTRSA 2005, The Cryptographers' Track at the RSA Conference, Lecture Notes in Computer Science, vol. 3376, Springer, Berlin, 2005, pp. 351–365.
[18] S. Mangard, N. Pramstaller, E. Oswald, Successfully attacking masked AES hardware implementations, in: Cryptographic Hardware and Embedded Systems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005, pp. 157–171.
[19] S. Mangard, K. Schramm, Pinpointing the side-channel leakage of masked AES hardware implementations, in: Cryptographic Hardware and Embedded Systems—CHES 2006, Lecture Notes in Computer Science, vol. 4249, Springer, Berlin, 2006, pp. 76–90.
[21] E. Oswald, S. Mangard, N. Pramstaller, V. Rijmen, A side-channel analysis resistant description of the AES S-box, in: Fast Software Encryption—FSE 2005, Lecture Notes in Computer Science, vol. 3557, Springer, Berlin, 2005, pp. 413–423.
[22] T. Popp, S. Mangard, Masked dual-rail pre-charge logic DPA-resistance without routing constraints, in: Cryptographic Hardware and Embedded Systems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005, pp. 172–186.
[23] E. Peeters, F.-X. Standaert, N. Donckers, J.-J. Quisquater, Improved higher-order side-channel attacks with FPGA experiments, in: Cryptographic Hardware and Embedded Systems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005, pp. 309–323.
[24] E. Peeters, F.-X. Standaert, J.-J. Quisquater, Power and electromagnetic analysis: improved model, consequences and comparisons, in: Integration, the VLSI Journal, vol. 40, Elsevier, Amsterdam, 2007, pp. 52–60.
[25] D. Suzuki, M. Saeki, T. Ichikawa, Random switching logic: a countermeasure against DPA based on transition probability, Cryptology ePrint Archive, Report 2004/346, 2004, http://eprint.iacr.org/.
[26] K. Tiri, M. Akmal, I. Verbauwhede, A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards, in: Proceedings of the European Solid-State Circuits Conference, IEEE, New York, 2002, pp. 403–406.
[27] E. Trichina, T. Korkishko, Small size, low power, side channel-immune AES coprocessor: design and synthesis results, in: Advanced Encryption Standard—AES, Lecture Notes in Computer Science, vol. 3373, Springer, Berlin, 2005, pp. 113–127.
[28] K. Tiri, I. Verbauwhede, A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation, in: Proceedings of the Design, Automation and Test in Europe Conference—DATE 2004, IEEE Computer Society, Silver Spring, MD, 2004, pp. 46–251.

Amir Moradi received the B.Sc. degree in Computer Engineering from Shahid Beheshti University in Iran, in 2001. He also received the M.Sc. and Ph.D. degrees in Computer Engineering from Sharif University of Technology in Iran, in 2004 and 2008, respectively. Currently, he is a post-doc researcher at the Embedded Security Group of Horst Görtz Institute for IT-Security in Ruhr University of Bochum, Germany. His research interests are in the areas of side channel attacks and the implementation of cryptographic algorithms.

Mahmoud Salmasizadeh received the B.Sc. and M.Sc. degrees in Electrical Engineering from Sharif University of Technology in Iran, in 1972 and 1989, respectively. He also received the Ph.D. degree in Information Technology from Queensland University of Technology in Australia, in 1997. Currently he is an assistant professor in Electronic Research Center and adjunct assistant professor in Electrical Engineering Department at Sharif University of Technology, Tehran, Iran. His research interests include cryptography and network security. He is the founding member and the head of scientific committee, Iranian Society of Cryptology.

Mohammad T. Manzuri Shalmani received his B.Sc. and M.Sc. in Electrical Engineering from Sharif University of Technology (SUT), Iran, in 1984 and 1988, respectively. He also received the Ph.D. degree in Electrical and Computer Engineering from Vienna University of Technology, Austria, in 1995. Currently, he is an associate professor in Computer Engineering Department of SUT, Tehran, Iran. His main research interests include digital signal processing, cryptography, image processing, and data communications.

Thomas Eisenbarth is a Ph.D. candidate in the Department of Electrical Engineering at Ruhr University Bochum, where he is also a research assistant with the Embedded Security Group of the Horst Görtz Institute for IT Security. His research interests include embedded security, efficient implementation of cryptographic algorithms, and physical security. Eisenbarth has an M.Sc. in Electrical Engineering and Computer Science from Ruhr University Bochum. He is a student member of the IEEE Computer Society and the International Association of Cryptologic Research (IACR).