IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: · PDF file ·...

IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 62, NO. 1, JANUARY 2015 149

DPA-Secured Quasi-Adiabatic Logic (SQAL) forLow-Power Passive RFID Tags Employing S-Boxes

Moshe Avital, Hadar Dagan, Itamar Levi, Osnat Keren, and Alexander Fish, Member, IEEE

Abstract—Low-power mobile devices such as RFID tags andWSNs that employ AES cryptographic modules are susceptibleto differential power analysis (DPA) attacks. This paper presentsa novel secured quasi-adiabatic logic (SQAL) technology that isboth low-power and DPA immune. The efficiency of the SQALtechnology was evaluated on an 8-bit AES-128 SBOX block andproved to be robust against DPA attacks. Compared to otheradiabatic and non-adiabatic logic styles, the SQAL technologyachieves better results in terms of power consumption and areaoverhead.

Index Terms—Adiabatic logic, AES, differential power analysis(DPA), passive RFID, secured quasi-adiabatic logic (SQAL).

I. INTRODUCTION

R ADIO frequency identification (RFID) tags and wirelesssensor network (WSN) devices are extensively used

in many practical applications. This includes goods trackingand management, healthcare, finance (e.g. electronic wallets),transportation (e.g. smart car keys and public transportationtickets), and many more [1]–[3]. As these devices commonlystore secure or personal information, they are vulnerable tomany threats, such as tag tracking, jamming, blocking, cloning,and eavesdropping [4]. Another significant threat to thesedevices is that their secret key can be revealed by non-invasiveside channel attacks [5]. These attacks utilize informationthat leaks from the device during its normal operation in theform of power consumption, electromagnetic emission, timingproperties, etc.A differential power analysis (DPA) attack is considered the

most powerful side channel attack. It exploits the correlationbetween the instantaneous power consumed by the device andthe processed data and the secret key. A DPA does not requireany information about the actual hardware implementation ofthe device. Many hardware based countermeasures have beendeveloped over the years [6], [7]. These solutions have been im-plemented at several hierarchical levels including architecture,the block level, the register transfer level (RTL), and the circuitlevel [8]–[11]. The main countermeasures at the circuit levelinclude sense-amplifier based logic (SABL) [12] and wave dy-namic dual-rail logic (WDDL) [13]. Bothmethods aim to flatten

Manuscript received March 28, 2014; revised July 30, 2014 and September08, 2014; accepted September 09, 2014. Date of publicationDecember 24, 2014;date of current version January 06, 2015. This paper was recommended by As-sociate Editor V. Chandra.The authors are with the Faculty of Engineering, Bar-Ilan Univer-

sity, Ramat-Gan 52900, Israel (e-mail: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TCSI.2014.2359720

the power profile by calculating the output and its complementfor each logic gate. However, these methods are not suitable forapplications where the power consumption is the main concern.Specifically, they are not suitable for passive RFID devices [14],[15].Ultra low power adiabatic logic and quasi-adiabatic logic

were introduced in the 1990s. They were first considered as acountermeasure against DPA attacks in [16]–[19]. Adiabaticlogic operates at very low frequencies. Usually, this is consid-ered their main drawback, which is why they are not used inmany applications. However, they can be used in RFID devicesthat work at low frequencies.In this paper, a novel DPA-secured quasi-adiabatic logic

(SQAL) is presented. The SQAL is based on the efficientcharge recovery logic (ECRL) style [20]. The ECRL cannotprovide security against DPA attacks as its (topology-wise)inherent asymmetric behavior leaks information. The SQALlogic solves this problem by introducing symmetry not justwithin a cycle, but also between two successive operations.The new logic style presented in this paper is compact, energy,and area-efficient, uses only four clocked voltage sources, andmost importantly, provides security against DPA attacks. Thispaper is the first to examine the efficiency of adiabatic solutionsin terms of immunity under DPA attacks. Simulation resultsconducted using a standard 180 nm CMOS technology nodeon a 8-bit AES S-Box show the advantages of the proposedmethodology over existing solutions in the context of security.The rest of this paper is organized as follows: Section II

presents the security perspective of the efficient charge recoverylogic (ECRL), Section III presents the proposed DPA-securedquasi-adiabatic logic (SQAL), Section IV evaluates the secu-rity of the SQAL technology using the AES 8-bit SBOX as abenchmark circuit and, Section V evaluates the performance ofthe SQAL. Section VI concludes the paper.

II. CONVENTIONAL ECRL LOGIC—THE SECURITYPERSPECTIVE

An ideal adiabatic circuit makes it possible to transfer thecharge stored in the capacitor back to the voltage source. Thereader is referred to Appendix for a description of adiabaticlogic fundamentals. In practice, it is complicated to reuse thisenergy and hence quasi-adiabatic circuits are usually consid-ered, since fully adiabatic circuits are not practical [21].In this paper, we deal with efficient charge recovery logic

(ECRL) [20] and its derivatives which all are quasi-adiabaticsolutions. In what follows, we briefly introduce the advantagesof ECRL logic and analyze why it is not immune to DPA attacks.To the best of our knowledge, this is the first paper to analyzeECRL from a security prospective.

1549-8328 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

150 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 62, NO. 1, JANUARY 2015

Fig. 1. ECRL XOR-XNOR gate: (a) Schematic view (b) Operating Signals.

A. ECRL Principles and Advantages

Conventional implementations of cryptographic algorithms,and in particular the AES substitution-box (SBOX) block, con-sist of a relatively large number of XOR gates, and severalNAND gates [24]. For this reason, we focus on the descriptionof an XOR-XNOR gate.A standard ECRL XOR-XNOR gate is depicted in Fig. 1(a),

and its operating signals are shown in Fig. 1(b). The gate op-erates as follows: each clock cycle is divided into four phases:Wait, Evaluate, Hold, and Recover. Supply clock is generatedby a dedicated circuit. Examples of such design are discussedin detail and analyzed in [21].An adiabatic operation requires a negligible voltage differ-

ence between the source and the drain of a transistor during atransition [25]. Thus, during theWait phase the input signals areprepared (by the previous logic gates); then, during the Evaluatephase the input signals stay stable and the gate outputs are cal-culated (one output goes high); next, during the Hold phase theinput signals go low while the clocked VDD stays high; andfinally, during the Recover phase the clocked VDD goes low,discharging the output nodes for energy recycling purposes. In-herently, the inputs, which are the outputs of the previous level,are then synchronized with the phases of the power sources.This logic style is considered quasi-adiabatic, since the P-type

devices stop conducting the current back to the source when thesource voltage crosses (the transistor threshold voltage),causing non-adiabatic energy losses of approximately

, where is the node capacitance.Evaluation is a combination of two co-existing processes:

charging one output and removing the redundant charge (dis-charging) from the second output. Fig. 2(a) presents a specificexample of an Evaluation phase where an XOR/XNOR ECRLgate is fed with input signals . In this case, the capac-itor is charged through , and is charged throughboth and . As can be seen in Fig. 2(b), when the input sig-nals are , the same number of transistors of the sametype is used for charging the and . Theoretically,as the same number of transistors of identical type is connectedto and , they have the same capacitance. Thissymmetry is also true for the (Evaluation) discharging process.The same symmetry holds for inputs and .During the Recover phase, the high output is discharged

through a PMOS transistor back to the power supply until itreaches approximately . Again, this process is inputindependent.

Fig. 2. Illustration of the Evaluation phase logic for ECRL XOR-XNOR gate,using: (a) , (b) .

The symmetry is with respect to the value of the inputs and theoutputs; i.e., the capacitance that is charged/discharged duringthe Evaluate and Recover phases, and the charging path charac-teristics are independent of the input/output values. Therefore,theoretically, the ECRL structure does not leak any informationabout the inputs during the Evaluate phase or about the outputsduring the Recover phase. This makes the ECRL logic a perfectcandidate for security applications. However, as we show next,the ECRL has a significant drawback which makes it useless forthese applications.

B. The ECRL Operation Leaks Information

Recall that the ECRL logic operates in four phases. Thepower profile during the Evaluate, Hold, and Recover phases isnot correlated with the current input/output values as long as theinitial conditions are the same. However, in practice, the initialconditions depend on the data; the quasi-adiabatic dischargemechanism during the Recover phase does not discharge theinternal capacitances ( and ) of the logic gate. Duringthe successive Wait phase, depending on the new inputs, someof these capacitances are discharged and some still have charge.Consequently, the Evaluate phase starts with a data dependentinitial condition which is a function of the previous and thecurrent inputs. In turn, the power profile during the Evaluatephase leaks information.Fig. 3(a) depicts the simulated consumed current of a single

ECRL XOR-XNOR gate during five successive operations withinput pairs . Fig. 3(b) shows the de-tailed current behavior during four phases of one cycle for theinput that follows . As previously ex-plained, each clock cycle is divided into the following phases:Wait, Evaluate, Hold, and Recover. During the first phase of thecycle the current consumption is almost zero and does not de-pend on the inputs. During the evaluation phase, the gate out-puts are calculated and as a result the current consumption de-pends on the two successive outputs that are computed fromthe inputs. In our case, the output changes from 0 to 1 (since

). In turn, the current peak in this scenariois twice as large as the peak current in the following cycle, whenthe inputs change from to . The adiabaticoperation can be clearly observed during the Recovery phase,when the current flows back to the trapezoidal voltage source.As we show next, a strong correlation between the cur-

rent signal and the data is observed. Denote bythe ’ th binary output vector. The

Hamming weight (HW) of is defined as:

(1)

AVITAL et al.: DPA-SECURED QUASI-ADIABATIC LOGIC (SQAL) FOR LOW-POWER PASSIVE RFID TAGS 151

Fig. 3. (a) Consumed current for the ECRL XOR gate; a strong correlationbetween the current signal and the Hamming weights is observed. (b) Detailedcurrent behavior during the four phases: Wait, Evaluation, Hold, and Recoveryof one cycle for input that follows .

Fig. 4. The modified SQAL XOR-XNOR gate: (a) Schematic view. (b) Oper-ating signals.

and define the Hamming distance (HD) between and as

(2)

In Fig. 4(a) we demonstrate that for a single gate, the HDindicates whether a logic change in the output occurred. It isclear from Fig. 3 that whenever , a higher peak currentoccurs, as compared to . This implies that there is acorrelation between the consumed current during theEvaluationphase and the distance (HD) between two successive outputs.By (partially) controlling the input sequence a DPA attacker canobtain information from the resulting correlation.This problem was recently addressed in [16]; the author sug-

gests “resetting” the initial conditions of all nodes by addingmore transistors which are activated in an additional phase.Here, we address this problem from a different angle.

III. THE PROPOSED DPA-SECURED QUASI-ADIABATIC LOGIC

In this section we present a new quasi-adiabatic SQAL whichaims to solve the problem of the ECRL logic. In contrast to theECRL, the initial conditions of the Evaluate phase are not data

Fig. 5. Current waves for the modified SQAL XOR gate; the correlation be-tween the current signal and the Hamming weights is barely observed.

dependent and therefore the power and current profiles of SQALgates do not leak information. We start with a description of aXOR-XNOR gate, then we present the AND-NAND, OR-NOR,and NOT-NNOT gate which is mainly used as a buffer.The main idea is to prepare the circuit for the Evaluate phase

during the Wait phase. This preparation includes removingthe remaining charge from the internal capacitors (whichdetermines the initial conditions). Fig. 4(a) shows how thisconcept is implemented in a XOR/XNOR gate; an additionaldischarge transistor M9 is added between the internal nodes.This transistor is controlled by an additional Discharge signal,which is synchronized with the Wait phase. The transistor isturned on at the beginning of the Wait phase (while the newinput signals are being generated by the previous logic stage).Regardless of the value of the new inputs, any internal nodein the gate has a discharge path to the ground. Consequently,no charge is left from the previously evaluated inputs. Notethat in adiabatic logic and especially in RFID applications, theduration of each one of the phases is long enough with respectto the typical switching time of the transistors. Therefore, thedischarge operation is completed long before the end of theWait phase. To emphasize the fact that the first phase has anadditional functionality, we call it the Wait & Discharge phase,as shown in Fig. 4(b).Note that power supply generation circuits for the SQAL

logic can be designed using the same principles as used forECRL. To see specific design examples the reader is referredto the fundamental papers [21], [22].Unlike existing solutions, the main advantage of this solution

is that no additional phase or clocked VDDs are required. More-over, only one additional transistor is used to solve the problem,such that the SQALXOR gate is only composed of 9 transistors.Fig. 5 depicts the simulation results with the same setup as in

Fig. 4. The aforementioned advantages of the proposed solutionemerge clearly.The structures of the NAND and NOR gates are presented in

Fig. 6(a) and Fig. 6(b), respectively.Unlike the XOR gate, the NAND and NOR gates are asym-

metric by nature. As previously, the PDNs should be designed insuch a way that the discharge and charge paths are equal for eachinput signal. Such a symmetric design will definitely come at theexpense of redundancy. For instance, considering the OR-NORgate, the output logic functions can be derived as follows:

(3)


Fig. 6. SQAL gates: (a) AND-NAND. (b) OR-NOR.

Fig. 7. Detailed description of the 8-bit SBOX module based on [29].

The operating concept behind the OR-NOR and AND-NAND gates is similar to the XOR-NXOR gate. However, inthis case three additional Discharge transistors are required, asshown in Fig. 6. Once again, the charge and discharge paths arealmost data independent.As seen in Fig. 6, the transistor count for the AND-NAND

and OR-NOR gates is substantially higher than for the XOR-XNOR gate (15 transistors versus 9). However, as explained inthe next section, most of the gates used in the SBOXmodule areXOR gates. Therefore, the implementation cost of the SBOX isacceptable.A NOT-NNOT gate, which is also required as a buffer for the

implementation of the SBOX, consists of five transistors, one ofwhich is used for Discharge.

IV. SQAL: SECURITY EVALUATION

In this section, we evaluate the SQAL technology in terms ofimmunity to DPA attacks. First, we briefly present the chosenbenchmark circuit. Then, we describe the DPA attack mecha-nism and finally evaluate the SQAL efficiency under this attackin comparison to CMOS.

A. The Benchmark Circuit: 8-bit SBOX (AES Algorithm)

We evaluate our proposed technology on an 8-bit SBOXcircuit used by the AES-128 cryptographic algorithm. Themodule was implemented in TowerJazz 180 nm standardCMOS technology with 0–1.8 V Clocked VDD, using a Ca-dence Virtuoso environment. A full description of the AESalgorithm [26] is beyond the scope of this paper. Here we focuson the AddRoundKey and SubBytes (SBOX) operations sincethese AES operations are vulnerable to DPA attacks [27], [28].The chosen benchmark circuit is composed of eight XOR

gates performing the AddRoundKey operation between the in-puts and the secret key, and an 8-bit SBOX block, togethercalculating:

(4)

The SBOX is the only non-linear operation implementing theAES algorithm; it is composed of Galois field (GF) inverse op-eration (cyclic inverse) and a linear transformation. The internal

TABLE IGATE COUNT FOR THE TEST CIRCUIT

The area overhead is normalized to . For details see Table II.

architecture of the benchmark circuit is constructed according to[29] where the inverse is calculated in , instead of in

. This serves to decrease the number of required arith-metic calculations as follows: The 8-bit entry (referred to as )is represented as

(5)

where stands for the 4 MSBs, and stands for the 4 LSBs.Then, takes the form:

(6)

The conversion between these two field representations requireslinear transformations, referred to as and .The architecture of the SBOX which realizes (6) is shown in

Fig. 7. Additional buffers are required for synchronization. Infact, the SQAL logic family requires two system clocks (eightphases) to perform the computation. The internal blocks, shownin Fig. 7, are described in [29].The benchmark circuit was implemented in both SQAL and

CMOS technologies. Table I shows the number of logic gatesused. The number of XOR-NXOR and AND-NAND gates isequal in both. However, since SQAL operates in four phases, alarger number of NOT-NNOT gates is required.

B. Evaluation of the SQAL Technology

In this subsection we briefly describe how a DPA attack wasconducted in a Cadence environment, and present simulationresults that demonstrate the efficiency of the SQAL technologyas compared to CMOS. We evaluate the immunity of this tech-nology to a multi-bit correlation-based DPA attack [27]. Theattack takes place in three phases:1) Current Profile Measurements: The benchmark circuit is

fed with N random input plaintexts: . Foreach input stream, the consumed current traces are collected,and organized as a matrix:

(7)

where represents the sampled time, ; anddenotes the input plaintext for .

2) Current Modeling: For each input plaintext , andkey guess , the ciphertext; i.e., the encrypted plaintext,

, is computed.A current peak is likely to appear when bits change their

values: in some logic styles current peaks occur mainly aftertransitions (as in CMOS), and in some cases both


and transitions generate current peaks. The tran-sition occurs when and theand transition occurs when .A multi-bit DPA attack targets several bits; it models the cur-

rent peak height as the sum of the changes on the output bus. Forinstance, in the CMOS realization of the attacked device, thecurrent model , say, for input and wouldbe:

(8)

where denotes the Hamming distance of thebit on the output bus, when the inputs and were fedto the test-circuit, and is the Hamming weight of .Note that the current model is a matrix,

(9)

where, for example, .As was shown in Section II-B, in the case of quasi-adiabatic

logic where the function and its complement are calculated ineach cycle, HD alone (without multiplication with HW) is moreappropriate.3) Calculation of the Correlation Matrix: The final step is

to correlate these two matrices, which means that for each keyand time , the correlation coefficient for the columns of

these two matrices is calculated. As a result, a correlationmatrix is computed

(10)

The attacker does not know the correct key (denoted by), or the exact time the output bus calculation takes place

(referred to as ). Therefore, the attacker looks for the entryin that carries the maximal value. If the DPA attackis successful, the maximal value appears in row andcolumn .The test-circuit was constructed in a Cadence Virtuoso en-

vironment as stated previously, both using CMOS and SQALlogic styles. The DPA attack itself was performed in a Matlabenvironment. The arbitrary 8-bit secret key was chosen to be

.The eight-bit signal is generated by a random number

generator (RNG) in the Cadence Virtuoso environment (usingVerilog-A language). To perform the DPA attack, which willbe explained further below, the random input signals and thecurrent drawn from the trapezoidal power sources are measuredand collected for analysis in the Matlab environment.Recall that the strength of the SQAL technology relies on its

symmetry with respect to the value of the inputs and the outputs.We examined its sensitivity to variations from this symmetrydue to process variations which may harm the symmetric oper-ation of the circuit. Note that it is common in security orientedapplications to consider the worst case scenario. The worst casewas defined as follows: The layout of each of the SQAL gateswas constructed. In addition to the ideal case design (with ex-traction), the largest difference in the parasitic capacitance wasconsidered. This difference was extracted from Monte-Carlosimulations. The maximum capacitance difference from the sta-tistical simulation was applied to each asymmetric node of each

Fig. 8. Layout of SQAL XOR-XNOR gate.

Fig. 9. DPA attacks: (a) a successful using CMOS implementation; (b) non-successful example using the SQAL implementation.

gate of the whole module. This design thus captures the mostasymmetric current consumption possible for this module. Typ-ical values of the added capacitances were 2% of the existingcapacitance. The layout of SQAL XOR-XNOR gate is shownin Fig. 8.As can be seen, a symmetric layout was implemented such

that its wire lengths, pins and layers are identical at each pair ofcomplementary nodes (e.g., XOR and XNOR nodes).In the simulated DPA attack, inputs were fed to the

test-circuit. Note that in real-life DPA attacks, a higher numberof inputs is used (typically around 10 000). However, in ourCMOS case it was not necessary to collect a large numberof samples since there was no electrical noise, and since thetest-circuit was not a full chip with additional digital and analogmodules that consume current; rather, it was a stand-alonemodule. This is shown in Fig. 9(a). The figure shows that whena CMOS implementation is used, it is possible to break thetest-circuit key even when using samples. Note thatfor the correct key guess, , the correlation was close tounity (0.9831), and was much higher than the second maximalcorrelation (0.4519), leading to a signal-to-noise-ratio (SNR)of 2.175. Note that the SNR value reflects the difficulty dis-tinguishing between the correct key and the wrong keys. It isdefined as the ratio between the correlation value of the correctkey, and the second maximal correlation of a wrong key guess[30].In contrast to the CMOS implementation, when imple-

menting the test-circuit using SQAL topology, the correct keyshowed a low correlation coefficient, as seen from Fig. 9(b).Moreover, in this case there was no key guess which led to acorrelation coefficient above 0.5.In addition, further simulations of the test circuit using the

SQAL topology with a higher number of random input samples


Fig. 10. SNR of CMOS, SyAL, and SQAL as a function of number of the inputsamples N, where .

Fig. 11. Average energy consumption per cycle for different technology fami-lies.

validated its immunity to DPA attacks. Fig. 10 presents the SNRas a function of the number of samples N.It shows that even up to samples, the SNR of

SQAL is below unity. The SNR of SQAL is also compared toCMOS and SyAL. SyALwas chosen since it has low power con-sumption (refer to Fig. 11), which is also suitable for the targetapplication. Compared to the SQAL topology, Fig. 10 showsthe vulnerability of the test circuits to DPA attacks when usingCMOS and SyAL topologies, since their SNR values are higherthan unity. It was also observed that in SQAL the correlationcoefficients of all the key guesses decreased as the number ofsamples N increased, and again, they were all below 0.5. As aresult, the correct key could not be revealed.

V. SQAL: PERFORMANCE EVALUATION

This section discusses the energy consumption of the pro-posed SQAL topology, and presents its advantages in terms ofthe required trapezoidal voltage sources, transistor count and en-ergy consumption, compared to other logic families. Recall thatthis technology targets low power applications such as RFIDtags. Therefore, the main evaluation criteria are area (numberof voltage sources and transistors) and energy efficiency.There are two common ways to implement trapezoidal

voltage sources. They are either implemented using voltagegenerators that comprise operational amplifiers or by usingswitch-capacitor converters (SCC) with dynamic output volt-ages. While operational amplifiers consume a non-negligibleamount of static current, the conventional SCCs have a powerefficiency of around 80%. Therefore, the number of trapezoidalvoltage sources directly affects the energy consumption of theentire chip and its area.

TABLE IIREQUIRED TRAPEZOIDAL VOLTAGE SOURCES, TRANSISTOR COUNTCOMPARISON AND DESIGN AREA NORMALIZED TO

The proposed logic topology incorporates only 4 trapezoidalvoltage sources. To the best of our knowledge, this number issmaller than the number of voltage sources in other quasi-adi-abatic logic families. The number of voltage sources and thenumber of transistors is shown in Table II.It is clear from the table that the SQAL requires fewer tran-

sistors than other non-conventional technology; nevertheless,is it about three times larger than CMOS. Note as well fromthe table that the SQAL and the SyAL families consume quitesimilar area. Though SQAL transistor count is lower due toless charge recovery NMOS transistors, some SQAL gates arelarger due to sizing optimization. Therefore the total area is a bitbigger, which makes SQAL attractive also for low area appli-cations. As expected from the transistor count, the SQAL con-sumes a lower area than the CSSAL, but a higher area com-pared to SABL and CMOS. Note, however, that CMOS cannotprovide security at the gate level, and the energy it consumesmakes it less suitable for this type of application. With respectto CMOS and SABL transistor counts and normalized areas,though SABL requires more transistors, most of them are smallsized NMOS transistors. In CMOS, however, equal number ofNMOS and PMOS transistors exists. This means that the lowmobility PMOS devices which dissipates larger area will makeCMOS design much larger.Fig. 11 presents the energy consumption (over 100 cycles)

of each technology as a function of the operation frequency. Itis obvious from the figure that the energy consumption of theSQAL family is lower than any other logic family.It is clear as well that CMOS and SABL dissipate more power

since they do not employ the adiabatic concept. As for the otherlogic styles, even though the SyAL and the CSSAL are adia-batic logic families, they consume more power than the SQALdue to larger numbers of transistors. In addition, five and twelvetrapezoidal voltage sources are needed in the SyAL and CSSAL,respectively, making their structures much more complicated.Note that in general, in RFID operation frequencies (severalKHz’s to several MHz’s), the quasi-adiabatic logic styles con-sume less energy than other technologies. This is due to adia-batic charging.


Fig. 12. RC network charging using a voltage ramp.

VI. CONCLUSION

In this paper, we presented and analyzed a novel quasi-adi-abatic logic immune to DPA attacks. This logic is suitable forlow-power devices which operate in low and middle frequen-cies, e.g. RFID tags. The proposed DPA-secured quasi-adia-batic logic (SQAL) topology proved to be secure against side-channel attacks. It has a low energy consumption, requires onlyfour phases of trapezoidal power sources, and is implementedusing a small number of transistors.

APPENDIXAPPENDIX—ADIABATIC LOGIC FUNDAMENTALS

The general idea behind adiabatic switching is to charge anoutput capacitor using a constant current source [23]. In contrastto a conventional RC network with a constant voltage source,here the energy consumption depends on the resistance. Thisunique property helps to control the energy consumption persingle operation. As mentioned previously, the ability to controlenergy consumption is essential in the context of security, sinceinformation can be derived from the power profile.It is more practical to use a ramp voltage source than a current

source (as depicted in Fig. 12).The voltage on the capacitor is:

(11)where is the ramp time period.Similarly, the current is:

(12)By choosing it is possible to a) reduce energy

consumption, and b) flatten the power profile. For , forthe voltage is approximately , and for

it approaches . Recall that we are interested in thecurrent behavior, as it represents the power profile; the currentin case of is actually constant: for wehave and for it vanishes to 0.It is important to point out that the assumption is re-

alistic in RFID applications. A typical clock frequency in theseapplications is less than 10 s of MHz, which translates to Ts onthe order of 10 ns to 100 ns. A typical RC in standard VLSI tech-nologies is definitely smaller than 0.1 ns. Consequently, RFIDlogic can operate with a constant and low switching current andtherefore achieve a constant (and low) power profile.

REFERENCES

[1] E. Ilie-Zudor, Z. Kemény, F. van Blommestein, L. Monostori, and A.van der Meulen, “A survey of applications and requirements of uniqueidentification systems and RFID techniques,” Comput. Ind., vol. 62,pp. 227–252, Apr. 2011.

[2] C. Wei, W. Shengling, and C. Xiuzhen, “Virtual track: Applicationsand challenges of the RFID system on roads,” IEEE Netw., vol. 28, no.1, pp. 42–47, Jan.–Feb. 2014.

[3] R. Tesoriero, J. Gallud, M. Lozano, and V. Penichet, “Using active andpassive RFID technology to support indoor location-aware systems,”IEEE Trans. Consum. Electron., vol. 54, no. 2, pp. 578–583,May 2008.

[4] A. Juels, “RFID security and privacy: A research survey,” IEEE J. Sel.Areas Commun., vol. 24, pp. 381–394, Feb. 2006.

[5] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” inProc. 19th Annu. Int. Cryptol. Conf. Adv. Cryptol. (CRYPTO ’99), pp.388–397.

[6] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Re-vealing the Secrets of Smart Cards, ser. Advances in Information Se-curity. New York: Springer-Verlag, 2007.

[7] T. Popp, S.Mangard, and E.Oswald, “Power analysis attacks and coun-termeasures,” IEEE Design Test Comput., vol. 24, no. 6, pp. 535–543,Nov.–Dec. 2007.

[8] J. S. Coron and G. Louis, On Boolean and Arithmetic Masking AgainstDifferential Power Analysis. Berlin/Heidelberg, Germany: Springer,2000, pp. 231–237.

[9] H. Qu, J. Xu, and Y. Yan, “A random delay design of processor againstpower analysis attacks,” in Proc. 10th IEEE Int. Conf. Solid-State In-tegr. Circuit Technol. (ICSICT), Nov. 2010, pp. 254–256.

[10] K. H. Boey, Y. Lu, M. O’Neill, and R. Woods, “Random clock againstdifferential power analysis,” in Proc. IEEE Asia Pacific Conf. CircuitsSyst. (APCCAS), Dec. 2010, pp. 756–759.

[11] G. B. Ratanpal, R. D. Williams, and T. N. Blalock, “An on-chip signalsuppression countermeasure to power analysis attacks,” IEEE Trans.Dependable Secure Comput., vol. 1, pp. 179–189, Jul.–Sep. 2004.

[12] K. Tiri and I. Verbauwhede, “A logic level design methodology for asecure DPA resistant ASIC or FPGA implementation,” inProc. Design,Autom., Test Eur. Conf. Exhib., Feb. 2004, vol. 1, pp. 246–251.

[13] K. Tiri, M. Akmal, and I. Verbauwhede, “A dynamic and differentialCMOS logic with signal independent power consumption to withstanddifferential power analysis on smart cards,” in Proc. Solid-State Cir-cuits Conf. (ESSCIRC), Sep. 2002, pp. 403–406.

[14] A. Moradi and A. Poschmann, “Lightweight cryptography and DPAcountermeasures: A survey,” in Financial Cryptography and Data Se-curity. Berlin/Heidelberg, Germany: Springer , 2010, pp. 68–79.

[15] A. Kramer, J. S. Denker, S. C. Avery, A. G. Dickinson, and T. R.Wick, “Adiabatic computingwith the 2N-2N2D logic family.,” in IEEESymp. VLSI Circuits Dig. Tech. Papers, Jun. 1994, pp. 25–26.

[16] B. Choi, K. E. Kim, K. Chung, and D. K. Kim, “Symmetric adiabaticlogic circuits against differential power analysis,” ETRI J., vol. 32, pp.166–168, Feb. 2010.

[17] M. Khatir and A. Moradi, “Secure adiabatic logic: A low-energy DPA-resistant logic style,” IACR Eprint archive, 2008.

[18] C. Monteiro, T. Yasuhiro, and S. Toshikazu, “Low power secure AESS-box using adiabatic logic circuit,” in Proc. IEEE Faible TensionFaible Consommation (FTFC), , Jun. 2013, pp. 1–4.

[19] C.Monteiro, T. Yasuhiro, and S. Toshikazu, “DPA resistance of charge-sharing symmetric adiabatic logic.,” in Proc. IEEE Int. Symp. CircuitsSyst. (ISCAS), May 2013, pp. 2581–2584.

[20] Y. Moon and D. K. Jeong, “An efficient charge recovery logic circuit,”IEEE J. Solid-State Circuits, vol. 31, no. 4, pp. 514–522, Apr. 1996.

[21] Y. Yibin and K. Roy, “QSERL: Quasi-static energy recovery logic,”IEEE J. Solid-State Circuits, vol. 36, no. 2, pp. 239–248, Feb. 2001.

[22] J. Lim, D. G. Kim, and S. I. Chae, “nMOS reversible energy recoverylogic for ultra-low-energy applications,” IEEE J. Solid-State Circuits,vol. 35, no. 6, pp. 865–875, Jun. 2000.

[23] P. Teichmann, Adiabatic Logic: Future Trend and System Level Per-spective. New York: Springer, 2011.

[24] Z. Xinmiao and K. K. Parhi, “Implementation approaches for the ad-vanced encryption standard algorithm,” IEEE Circuits Syst. Mag., vol.2, no. 4, pp. 24–46, 4th Quarter, 2002.

[25] M. P. Frank, “Common mistakes in adiabatic logic design and how toavoid them,” in Proc. Int. Conf. Embedded Syst. Appl. (ESA ’03), pp.216–222.

[26] J. Daemen and V. Rijmen, The Design of Rijndael: AES—The Ad-vanced Encryption Standard. New York: Springer, 2002.

[27] P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi, “Introduction to differentialpower analysis,” Cryptogr. Eng. J., vol. 1, pp. 5–27, Jan. 2011.


[28] S. Guilley, P. Hoogvorst, and R. Pacalet, “Differential power analysismodel and some results,” in Smart Card Research and Advanced Ap-plications VI. New York: Springer, 2004, pp. 127–142.

[29] X. Zhang and K. P. Keshab, “High-speed VLSI architectures for theAES algorithm.,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst.,vol. 12, no. 9, pp. 957–967, Sep. 2004.

[30] T. Messerges, E. Dabbish, and R. Sloan, “Examining smart-card secu-rity under the threat of power analysis attacks,” IEEE Trans. Comput.,vol. 51, no. 5, pp. 541–552, May 2002.

Moshe Avital received his B.Sc. and M.Sc. degreesin mathematics and electrical engineering from Ben-Gurion University, Be’er Sheva, Israel, in 2006. Hewas a System-Architecture Engineer with Texas In-struments from 2007 to 2011. He is currently workingtoward his Ph.D. degree at Bar-Ilan University, Is-rael. His research interests include low-voltage dig-ital design, countermeasures against side-channel at-tacks on cryptographic systems.

Hadar Dagan received his B.Sc. and M.Sc. degreesin electrical engineering from Ben-Gurion Univer-sity, Be’er Sheva, Israel, in 2010 (summa cum laude)and 2013. He is currently working as a PhysicalDesign Engineer at Advanced Micro-Devices Inc.,Israel. His research interests include digital andanalog circuit design for low-power applications,radio-frequency identification (RFID) devices,countermeasures against side-channel attacks forsecure cryptographic systems, and signal processing.

Itamar Levi received his B.Sc. and M.Sc. degrees inelectrical and computer engineering as a part of a di-rect excellence student track from Ben-Gurion Uni-versity, Israel, in 2012 and 2013, respectively. As of2011, he has worked at the VLSI Systems Center,Ben-Gurion, Israel, where he is responsible for var-ious aspects of VLSI systems design: low-energy de-sign, dual mode logic family and digital systems op-timization. Currently, he is pursuing his Ph.D. degreein electrical engineering from Bar-Ilan University, Is-rael. His research interests are hardware security and

cryptography.

Osnat Keren received her M.Sc. degree in ElectricalEngineering from the Technion-Israeli Institute ofTechnology and her Ph.D. degree from the Tel-AvivUniversity, Israel, in 1988 and 1999 respectively.From 1988 to 1994 she was a Chip Design andSenior DSP Engineer at National Semiconductor,and from 1999 to 2003 she was the Senior Scientistat Millimetrix Broadband Networks. Since 2004, Dr.Keren has been with the Faculty of Engineering atBar-Ilan University, Israel.

Alexander Fish received his B.Sc. degree in elec-trical engineering from the Technion, Israel Instituteof Technology, Haifa, Israel, in 1999. He completedhis M.Sc. in 2002 and his Ph.D. (summa cum laude)in 2006, respectively, at Ben-Gurion University,Israel. In October 2012 he joined the Faculty ofEngineering at Bar Ilan University, Israel, as an As-sociate Professor and the head of the nanoelectronicstrack. His research interests include the developmentof secure hardware, ultra low power memory arrays,CMOS image sensors and energy efficient design

techniques for low voltage digital and analog VLSI chips.

IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: · PDF file ·...

Documents

Transcript of IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: · PDF file ·...