Role of Power Grid in Side Channel Attack andPower-Grid-Aware Secure Design

Xinmu Wang1, Wen Yueh2, Debapriya Basu Roy3, Seetharam Narasimhan1, Yu Zheng1,Saibal Mukhopadhyay2, Debdeep Mukhopadhyay3, and Swarup Bhunia1

1Case Western Reserve University, Cleveland, Ohio, USA2Georgia Institute of Technology, Atlanta, Georgia, USA

3Indian Institute of Technology, Kharagpur, West Bengal, IndiaEmail: xxw58@case.edu

ABSTRACTSide-channel attack (SCA) is a method in which an at-tacker aims at extracting secret information from cryptochips by analyzing physical parameters (e.g. power). SCAhas emerged as a serious threat to many mathematically un-breakable cryptography systems. From an attacker’s pointof view, the difficulty of mounting SCA largely depends onSignal-to-Noise Ratio (SNR) of the side-channel informa-tion. It has been shown that SNR primarily depends onalgorithmic and circuit-level implementation, measurementnoise, as well as device thermal noise. However, to thebest of our knowledge, there has not been any study onthe effect of power delivery network (PDN) on SCA resis-tance. We note that the PDN plays a significant role in SNRof measured supply current. Furthermore, SCA resistancestrongly depends on the operating frequency due to RLCstructure of a power grid. In this paper, we analyze the ef-fect of power grid on SCA and provide quantitative resultsto demonstrate the frequency-dependent SCA resistance dueto PDN-induced noise. This property can potentially beexploited by an attacker to facilitate the attack by operat-ing a device at favorable frequency points. On the otherhand, from a designer’s perspective, one can explore coun-termeasures to secure the device at all operating frequencieswhile minimizing the design overhead. Based on this ob-servation, we propose a frequency-dependent noise-injectionbased compensation technique to efficiently protect againstSCA. Simulation results using realistic PDN model as wellas experimental measurements using FPGA test board vali-date the observations on role of PDN in SCA and the efficacyof the proposed compensation approach.

Categories and Subject DescriptorsK.6.5 [Security and Protection]: Physical security

General TermsDesign, Security

KeywordsSide-channel attack (SCA), DPA, SCA resistance, power de-livery network, noise injection

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.DAC ’13, May 29 - June 07 2013, Austin, TX USACopyright 2013 ACM 978-1-4503-2071-9/13/05 ...$15.00.

1. INTRODUCTIONThe development of cryptography has greatly improved

the security of encryption systems with respect to mathe-matical cryptanalysis. Traditional cryptanalysis considersonly the input and output logic values to break the cipher.In this case, mathematical strength renders many modernciphers rather invulnerable since the only possible brute-force attacks are not feasible in terms of computing time.However, these mathematically secure ciphers fail to claimthe infeasibility of cryptanalysis due to Side Channel At-tack (SCA). In SCA, secret information like the encryptionkey can be leaked through the physical parameters of theciphers in various forms such as power profile [1], timing in-formation [2], [3], and electromagnetic emissions [4]. Amongdifferent forms of SCAs, Power Analysis Attack (PAA) hasemerged as one of the most significant attacks and has beenwidely studied. In PAA, the confidential information isextracted from the supply current signature of a crypto-chip. The relevant secret information is immersed amidstsignificant amount of noise; and the difficulty of successfullymounting an SCA attack, usually measured by the numberof measurements required to disclose the secret information,largely depends on the Signal-to-Noise Ratio (SNR) of theside-channel information. Previous investigations [5], [6]have shown that the SNR is mainly determined by the al-gorithmic and circuit-level implementation of a chip. Forexample, pipelined implementation of Advanced EncryptionStandard (AES) would be more difficult for SCA comparedwith non-pipelined AES [7]. Furthermore, device thermalnoise [6] and measurement noise due to imperfect measure-ment instrument and operations can also considerably lowerthe SNR.

We note that the power delivery network (PDN) of acrypto-chip plays an important role in affecting the SNRof the measured supply current by causing a non-linear dis-tortion in the supply current. It intrinsically limits propa-gation of useful information to supply current. However, tothe best of our knowledge, there has been no study on ana-lyzing the effect of PDN on the effectiveness of SCA. In fact,extracting information directly from the ideal power profilecan be overly optimistic in modeling the true behavior of achip. Accurate characterization of PDN’s role in SCA can besignificant in precise security analysis and design of securecrypto chips. In particular, it can provide the following ben-efits: 1) it provides a designer with more realistic measureof SCA resistance at design time; 2) it enables integrationof the right level of protection; and 3) as we observe later,the PDN causes variation in SCA resistance with operatingfrequency, which helps a designer to choose right frequencyof operation and/or accomplish balanced protection acrossfrequency spectrum.

In particular, the paper makes the following key contribu-tions.

1. It analyzes the effect of power grid on SCA and providemathematical analysis as well as quantitative results todemonstrate the frequency dependent SCA resistancedue to PDN-induced noise. Since PDN can be modeledas an RLC network, it re-shapes the supply current ina frequency dependent manner, effectively producingdifferent SCA resistance levels with varying operatingfrequencies.

2. It performs validation of PDN’s impact on SCA re-sistance through simulation verifications using real-istic model of PDN. It shows a strong dependenceof SCA resistance on operating frequency. Moreover,it demonstrates the effect through experimental mea-surements using SASEBO, a standard evaluation boardfor SCA [8].

3. Based on the observation on the role of PDN, it pro-poses a power-grid aware design methodology for crypto-chips using a noise injection approach that balancesSCA resistance at different frequency points. We char-acterize the hardware overhead and analyze the effec-tiveness of the approach with both simulations andexperiments in SASEBO.

The remainder of the paper is organized as follows. Sec-tion 2 provides background and motivational observations onthe impact of PDN on SCA. Section 3 analyzes the frequency-dependent effect on SCA due to PDN. A corresponding noiseinjector circuit is proposed in Section 4. Simulation and ex-perimental results are presented in Section 5 and Section 6to demonstrate the frequency-dependent nature of PDN andprove the effectiveness of the noise injection mechanism. Weconclude and provide future directions in Section 7.

2. BACKGROUND AND MOTIVATION2.1 Previously Studied Noise Sources for SCA

The information beneficial for extracting confidential in-formation from crypto chips in SCA attack comes from thedynamic switching current of circuit components (logic gates)when processing certain intermediate key-related results. Cir-cuitry corresponding to the remaining part of the switchingcurrent can be viewed as noise sources. As has been studiedin previous research [5] [6], there are several major noise con-tributors in SCA, including intrinsic noise sources due to thephysical implementation, and external noise sources whichare caused by environmental factors and imperfect measure-ment instruments/operations. The most significant intrin-sic noise is contributed by dynamic switching of the circuitbesides the attacked gates. For example, when performingSCA on 128-bit AES, the secret key is revealed byte by byte,namely the attack is performed on each Substitution-Box (S-Box) at a time, while considering as noise the switching ofthe remaining 15 S-Boxes as well as the irrelevant gates inthe S-Box under consideration. Intuitively one can suggestthat the spectral power of such systematic noise is muchlarger than the attack information itself, which is, however,conquered by statistical analysis in SCA methods. Anotherintrinsic noise is the jitter on the attacked gates [5]. Thiscould cause the misalignment during power trace accumula-tion in statistical analysis of the power traces and thus lowerthe efficiency of the attack. Besides, intrinsic noise alsoincludes S-Box inter-bit correlation and the thermal noisedue to random movement of charge carriers within conduc-tors [6]. External noise is caused by unstable environmentfactors e.g. varying temperature, imperfect measurementinstrument e.g. A/D used to sample the power signals couldintroduce quantization noise [6], as well as imperfect opera-tions by human users.

Figure 1: AES supply current (a) with ideal powersupply; (b) with PDN.

Figure 2: Frequency spectrum of AES supply cur-rent (a) with ideal power supply; (b) with PDN.

Figure 3: Correlation between predicted and mea-sured power at 333.3 MHz clock frequency (a) withideal power supply; (b) with PDN.

2.2 MotivationThe power grid impedance has a frequency dependent

transfer function which affects the supply current. Thischanges the supply current profile when it passes throughthe PDN from inside the chip to the external pin for mea-surement. The effect causes distortion to the supply currentwaveforms. Fig. 1 and Fig. 2 show the time-domain andfrequency spectral difference, respectively, between the sup-ply current simulated with ideal power supply and the PDNmodel with 45nm Predictable Technology Model (PTM) [9].Such distortion can create difficulty for SCA. Fig. 3 demon-strates the effect of PDN when Correlation Power Analy-sis (CPA) [10] is performed on a cipher to crack the key(blue curves correspond to wrong keys and red curves corre-spond to the correct key), showing decreased correlation co-efficients and increased Measurement To Disclosure (MTD),i.e. the number of power traces required to extract the key,in the presence of PDN. More importantly, due to the RLCproperties of PDN, the masking effect differs with differentoperating frequencies. Just like the circuit intrinsic noisecan be viewed as a linear additive noise in SCA, PDN canbe considered as a noise source which causes a non-lineardistortion on power traces.

3. FREQUENCY-DEPENDENT EFFECT OFPDN ON SCA

To analyze the SCA resistance introduced by the powergrid, Correlation Power Analysis (CPA) is used through-out the paper as the statistical tool to perform SCA. Pre-vious study [11] categorizes the noise sources in SCA intotwo types: 1) Additive power consumed by circuit compo-nents other than the attacked gates, which effectively de-creases the SNR of SCA; 2) Random disarrangement of themoment when the target switching activity of the attackhappens, which prevents effective data alignment when per-

forming correlation. The number of encryptions that needto be sampled to reveal the key (MTD) is determined mainlyby the correlation ρkc,tc , where kc is the correct key and tcis the moment when the attacked gates switch [20]. Gen-erally less samples of power traces are needed in the caseof larger ρkc,tc . The effect of the two noise sources listedabove, characterized as SNR and p̂, respectively, on ρkc,tcare formulated as in [11]:

ρmax =ρ(H,Q)√1 + 1

SNR

∗ p̂ ∗√V ar(P )

V ar(P̂ )(1)

ρmax is the maximum correlation coefficient between H(hypothetical power consumption) and the measured powerconsumption. Q denotes the power consumption of the at-tacked gates when processing the target intermediate result;and N refers to the additive noise. t̂c refers to the momentwith the largest probability p̂ that locates the power con-sumption of the attacked gates. P is the sum of power at tcand P̂ is the sampled sum of power at moment t̂c. SNR is

defined as V ar(Q)V ar(N)

. Note the SNR DC component has no im-

pact on SCA hence the equation only captures the variance[11].

The lower bound of the power samples that is required tocrack the key can be computed approximately as follows [11]:

S = 3 + 8(Zα

ln( 1+ρmax1−ρmax

))2 (2)

The quantile Za is the distance between the distributionsρ = 0 and ρ = ρmax. From this we can again confirm thenegative dependency of MTD on the maximum correlationcoefficient.

The power grid imposes a frequency-domain distortion onthe supply current due to its RLC property. The frequencydependent impedance responses also differ for the attackedgates (Q) and uncorrelated gates (N) due to the cell place-ments. Under these assumptions, Q and N are functions ofthe sampling frequency and location, which can be expressedas follows:

Q =∑x=i,j

PDN(fs,x) · qx, (3)

N =∑y=i,j

PDN(fs,y) · ny (4)

PDN(fs,x) models the PDN distortion factor at frequencyfs and grid location coordinate x. The gate power qx andnx are the individual gates contributing to the collectiveinstantious current Q and N, respectively. The frequency-dependent effect modulates the attacked gates’ current am-plitude and noise SNR depending on the design floorplan.In addition to the primary additive effect directly impactingthe SNR, a secondary effect from supply swing may rear-range tc. During a high switching activity cycle, the currentdemand from gates lowers the instantaneous supply VDD,and localized supply droop affects switching moment as thegate switching speed is directly propotional to VDD at highvoltage. Such effect may be localized on a reasonable sizedPDN and may increase the current spread V ar(P̂ ) and de-crease p̂. These parameter changes collaboratively decreasethe actual ρmax and thus lead to a requirement of a largersample size S to recover the key, effectively increasing thedifficulty of SCA.

Saint-Laurent et al. have shown that supply noise affectsthe circuit timing in both device-dominated or interconnect-dominated scenarios [12]. An accurate analytical model re-quires parameterizing the supply network topology and tech-nology dependent models. In order to reduce the complex-ity, one may collect the current profile from the functional

Figure 4: Impulse response of PDN.

core operating under ideal VDD and then apply the currentprofile to the power grid, utilizing advanced circuit simula-tors to determine the interactions. Such methdology maybe extended to precomputed supply impedance at each gridnode and apply to function PDN(fs,x); e.g. Fig. 4 pro-vides a single impulse response sweep of the PDN modelwhich may be used to estimate the frequency dependentfactor for a particular PDN region. This allows the attackerto estimate SNR, but falls short to estimate the effect of√V ar(P )/V ar(P̂ ) and p̂ in Eq. (1). The model simpli-

fies the supply-to-transistor interaction to a frequency de-pendent component, hence cannot capture this interactionintroduced by the time-varying supply noise. Therefore, toquantify this frequency-dependent noise injected from thePDN, we built a framework to simulate the crypto system(AES) and PDN together at different operating frequencies.Correlation power analysis is performed on the external sup-ply current corresponding to different operating frequencies.

4. NOISE INJECTOR CIRCUITBased on the observation of the frequency-dependent SCA

resistance of cryptographic chips, we propose a frequency-dependent noise-injection based compensation technique toequalize the SCA resistance at all frequency points with theone exhibiting the maximum SCA resistance. As shown inFig. 5, the noise injector (NI) consists of a frequency detec-tor, a control unit, a digitally-controlled delay line, an arrayof noise injection units, and an optional initialization finitestate machine (FSM). The frequency detector takes the sys-tem clock as the input and pass the detected frequency valueto the control unit. The control unit plays two roles: 1) itdetermines the number of NI units to enable; 2) it deter-mines the phase delay of the NI clock with respect to thesystem clock. An NI unit can be implemented with an FSMusing deliberately assigned state encoding to cause varyingswitching current over clock cycles or a linear feedback shiftregister (LFSR). The number of enabled NI units determinesthe amplitude of the NI-induced additive noise. A digitally-controlled delay line is employed to generate a phase delaybetween NI clock and the system clock. A phase delay be-tween the NI and system clock is necessary because withineach clock cycle, only a limited duration of the switching

Figure 5: Block diagram of the proposed noise in-jector circuitry to compensate frequency-dependentSCA resistance.

Figure 6: Noise injector design flow.

current (the part that corresponds to switching of the at-tacked gates) is of interest for SCA. Using a delayed versionof the system clock for NI allows one to focus the additivenoise to the critical time duration of a cycle thus mask theinformation-leaking switching. From another perspective, alightweight NI circuit whose switching current duration ismerely as long as that of the attacked components can beadequate, since the rest of the original circuit switching isirrelevant. More importantly, since the NI draws extra cur-rent from the power supply, it may cause increased supplyvoltage droop, which can make the functional circuits switchslower therefore leading to circuit performance degradation.Short duration of NI is desirable to minimize the negativeinfluence on circuit performance. The function of the controlunit is essentially a mapping between the system clock fre-quency and the number of enabled NI units/NI clock phasedelay.

This information can be obtained from a characterizationof a chip during the design stage, and stored in a look-uptable in the control unit. The optimal NI phase delay is firstcaptured by figuring out the moment that has the most key-related switching and the average switching duration of theNI unit. In CPA, since we do not know the time instant ofthe critical switching, correlation is performed between thehypothetical power consumption with the measured powerat each time sampling point for each hypothetical key. Thiswill lead to a correlation coefficient matrix R of size T×K (Tis # of time samples, K is # of hypothetical keys). Becausehypothetical power consumption predicted by the correctkey is strongly correlated with the measured power at themoment of the critical switching, the two will lead to themaximum correlation coefficient in R (More information onCPA can be found in Section 9.4). Therefore by simply ob-serving the position of the highest value in R, one can figureout the correct key as well as the index of the time momentof the critical switching tc [13]. With known switching dura-tion of the NI unit, a preferable NI clock phase delay can bederived to align the center (near the peak value) of the noisecurrent with tc. Fig. 5(b) illustrates the critical switchingduration and tc of one encryption. Actual alignment mayexperience some deviations due to intra-die process varia-tions, which is expected to be minimal for reasonable logicdepth (e.g. >6). With the optimal NI clock phase delay, aniterative test can be performed to characterize the numberof NI units to be enabled. Some extent of conservativenessis necessary to tolerate post-silicon deviations due to man-ufacturing factors.

After obtaining the number of NI units for each frequency,we re-perform the simulation with PDN with the calculatednumber of NI units enabled. The difference in SCA resis-tance can be corrected according to the simulation results.The flow of designing NI for a generic cipher is provided inFig. 6. Details on the NI design is provided in Section 9.3.

5. SIMULATION RESULTSHSPICE simulation was performed using 45nm CMOS

Predictable Technology Model (PTM) [9] on an AES cryptooperator with PDN. The PDN model is described in Section

Figure 7: Frequency-dependent MTD of Side-Channel Attack (SCA).

Figure 8: Noise injection FSM: (a) state transitiondiagram; (b) switching current.

9.2. In our simulation, we use a simplified cryptographicoperator corresponding to the AES datapath for encryptingone byte plaintext. This is sufficient to demonstrate the ef-fectiveness of the proposed NI structure on a generic crypto-graphic chip that resembles AES datapath. This is becauseit is equivalent to removing the irrelevant datapath elementin SCA to reduce the noise level when recovering a particu-lar key-byte. The crucial non-linear component S-Box andthe downstream logic for key-related operations are all pre-served, which is the target of most SCA attacks [14]. Themethodology can also be readily applied to any other cipher.Moreover, we only simulate the last round in each encryp-tion by inputting to the cipher the results of the second lastround obtained from functional simulation. The descriptionon the simulated datapath is provided in Section 9.4.

The blue curve in Fig. 7 demonstrates the frequency de-pendent Measurement-To-Disclosure (MTD) obtained fromHSPICE simulation. MTD refers to the minimum numberof power traces required to recover the key and is a com-monly used measure for SCA resistance. The highest SCAresistance appears at 33.33 MHz clock frequency. We callit as SCA resistance reference point. The overall MTDs arefairly low (below 1000) compared to the MTD level of practi-cal SCAs [15], which is due to the simplified crypto operatorused. Multiple peaks and valleys appear at other frequenciesand the entire curve exhibits a non-monotonic trend due tothe complex RLC property of the power grid. Our goal isto bring the SCA resistance at all frequencies above the ref-erence point in order to compensate the PDN-induced SCAresistance imbalance.

To achieve this, we implement a noise injection circuit thatintroduces frequency-dependent IDDT (transient power sup-ply current) noise as discussed in Section 4. A simple 4-bitFinite State Machine (FSM) is implemented as the NI unitto match the smaller crypto operator size. More complexcipher circuits may choose larger FSMs to achieve a big-ger range of noise current variation. Fig. 8(a) illustrates thestate transition diagram of the FSM. The rst signal will resetthe FSM to state a, and ld signal allows initializing the FSMto any valid state. When both signals are deasserted, theFSM behaves like a counter, i.e. repetitively goes througha loop of states. The state encoding is deliberately assignedin order to cause significantly varying switching current overcycles, assuming switching of state elements dominates theoverall IDDT. Such variation is expected to be uncorrelatedwith the hypothetical power consumption yet repeats deter-ministically with the FSM state looping. When the numberof enabled FSMs is large enough so that the total amplitude

of the noise current is comparable with that of the originalcircuit current, the key-related switching may be masked toa large extent thus improving SCA resistance. The switch-ing current of an FSM during each state transition is shownin Fig. 8(b). The corresponding numbers of flipping stateelements are marked on the transition arrow in Fig. 8(a).

The MTDs after inclusion of the NI is shown as the redcurve in Fig. 7. MTDs at all frequencies are pulled up toor above the reference point. They are not uniformly at thereference point because the MTD at particular frequenciesis more sensitive to noise than at others. Furthermore, theinjected noise current is not guaranteed to align with theswitching of the key-related components in a perfectly uni-form way. However, all frequencies achieved SCA resistanceno worse than the reference point with minimal hardwareoverhead. The MTD values along with the number of NIunits enabled at each frequency are provided in Table 1.

Table 2 provides the area and power overhead introducedby the NI. The NI consists of an array of 3 FSMs; whilethe control unit is composed of a SRAM based look-up ta-ble storing the frequency-dependent clock phase delay andNI units enabling information, as well as a decoder for gen-erating the FSM array enable signals. The area percentageoverhead is relatively large because of the tiny crypto opera-tor we used in our simulation. In fact, the overhead exhibitsgood scalability with the increasing size of the circuit. Forthe FSM array, as a large system behaves equivalently as anoise injector itself for the key-byte being attacked, the ex-tra noise level (therefore the size of the FSM array) requiredto compensate the PDN-induced SCA resistance imbalancecould be at the same level as that of a simple crypto oper-ator. For the control unit, the majority part is the look-uptable (98.6% of the control unit area) storing two types of in-formation: 1) Digits for controlling NI clock phase delay; 2)Values for setting the NI units enable signals. The requiredphase delay range might increase with the circuit size as thecritical path delay (thus the key-related component switch-ing) may increase. However, this increase should be tinycompared with the extent of circuit size scaling up, as mod-ern IC designs always minimize the critical path delay to asatisfactory level with design techniques such as pipeliningto meet the performance requirement. We may consider thephase delay range as almost independent of the circuit size.With a fixed resolution, the bit-width of the delay selectingsignal should remain unchanged. Though the bit-width ofthe NI units enable signal might increase for a larger circuitin accordance with a larger NI unit array; with binary en-coding the increase is on the order of O(log2(p)), where pis NI array size growth rate and is far less than that of thecircuit size. For example, a control unit in a complete AESwould only incur less than 0.86% area overhead.

The power consumption overhead is dominated by theFSM array, which is, however, frequency dependent. Thevalues shown in the table correspond to the worst case whereall three FSMs are enabled. In reality, at most frequencies,one FSM is sufficient and the dynamic and leakage poweroverhead would be 11.2% and 5.7% (unused FSMs can begated to minimized the leakage), respectively. In addition,the percentage overhead will reduce for the same reasonas for area with circuit size scaling up. The control unitconsumes minimal power because the look-up table is onlywritten once with the pre-characterized value during systempower-up. Consequently, the output decoder does not haveswitching activities either. This overhead could be furtherminimized by reusing the on-chip SRAMs for the look-uptable.

Large instantaneous current drawn from the power sup-ply may potentially create considerable voltage drop andlead to logic circuit delay failure or embedded memory cell

Table 2: Area and power overhead of the NIParam/Ckt Simple FSM array Control unit

cipher (overhead) (overhead)

Area(µm2) 942.8 133.8(+14.2%) 219.6(+23.3%)AvgPwr(µW) 104.8 < 35.2(< 33.6%) 1.63(+1.6%)AvgLkg(µW) 22.4 < 3.8(< 16.9%) 0.10(+0.4%)

hold-failure. In our experiment, the NI is designed to op-erate within the crypto core noise margin and the supplynoise did not cause any functional failure. Also, since thenoise current is superimposed to a short duration of the ci-pher switching current, the cipher is subject to extra supplynoise for a limited duration within each cycle. This typeof noise injection ensures the functional core does not sufferfrom significant performance degradation. In larger crypto-graphic circuit, the percentage overhead induced by NI willreduce significantly as discussed above, and the additionalsupply noise will also be smaller when a larger PDN is used.

6. EXPERIMENTAL RESULTSCorrelation Power Analysis (CPA) based SCA was per-

formed on normal AES (with 128-bit key) and AES withNI at various frequencies on Side-Channel Attack StandardEvaluation BOard (SASEBO) [8]. More details about theexperimental setup can be found in Section 9.5. Table 3shows the CPA analysis for normal AES. Each cell of thetable contains the average key ranking at a particular clockfrequency with certain number of power traces. For eachS-Box, we calculate the correlation coefficients for all hypo-thetical key bytes and sort them in descending order, wherekey ranking indicates the position of the correct key byte.Averaging the key rankings for all the S-Boxes leads us to theaverage key rankings that are shown in the table. Zero valueof average key ranking indicates that all the 16 key bytes arerecovered. Non-zero value means for certain S-Box(es) thekey byte(s) is not recovered. The closer the average keyranking is to zero, the more key bytes are correctly recov-ered. Observation can be made from Table 3 that MTDvaries significantly with the clock frequency, indicating afrequency-dependent SCA resistance. For example, MTD is5000 at 10 MHz and 40 MHz yet 9000 at 30 MHz. 30 MHzis considered as the SCA reference point as it exhibits thehighest SCA resistance. Because the property of SASEBOpower grid is completely different from the PDN model usedin our simulation, the way in which SCA resistance varieswith frequency does not need to correlate with that of thesimulation results.

Table 4 contains key rankings of AES with NI, where theNI unit is implemented with a 16-bit LFSR (see Section 9.3).With maximum 4 NI units enabled, SCA resistance at allfrequencies are improved to above the reference point (9000traces). In fact, because AES circuit has different placementand routing when being mapped alone to SASEBO for pre-characterization and with NI for measurement, the noisecurrent could not align perfectly with the critical switchingof AES. In Application Specific Integrated Circuits (ASICs),we would expect to achieve compensation with smaller NI.

7. CONCLUSIONWe have presented a study on the role of PDN on side-

channel attacks in crypto chips. Through mathematicalanalysis and quantitative results we have shown that PDNcan significantly affect SCA resistance and the impact isfrequency-dependent. Simulation verification is performedusing a PDN modeled as RLC network with equivalent dis-tributed power mesh derived from Pentium 4 processor. Ex-perimental study on AES is performed using a standard SCAevaluation board. Both simulation and experimental resultsconsistently show significant frequency-specific role of PDNin SCA. An attacker, who gains physical access to a crypto

Table 1: PDN-induced Frequency-dependent SCA resistance and MTDFreq. 2.86 3.33 4 5 6.67 10 11.11 12.5 13.33 16.67 20 25 33.33 50 100 200 333.33(MHz)MTD 300 200 140 180 200 300 190 150 150 300 300 120 900 160 500 200 70

# enabled 1 1 1 1 2 1 3 3 2 1 3 2 ref 3 1 1 1FSMs

MTD w/ 1400 900 1900 1000 900 1000 900 1200 1600 1700 2300 900 ref 1800 3000 900 900noise

Table 3: DPA on normal AES at various frequenciesTraces 10 MHz 15 MHz 20 MHz 25 MHz 30 MHz 40 MHz 45 MHz 50 MHz 55 MHz 60 MHz1000 26.75 38.6875 42.6875 43.1875 39.5625 15.375 39.125 36.3125 55.0625 72.56252000 11.938 14.8125 18.6875 23.4375 21.0625 16.125 11.1875 18.0625 26 12.53000 2.125 7.1875 9.25 2.9375 3.875 1.25 1.3125 5 17.5625 1.754000 0.25 1.625 3.375 1.125 0.875 0.375 0.9375 0.4375 4.25 0.8755000 0 0.25 0.5 0.25 0.375 0 0.4375 0.1875 2.5625 0.6256000 0 0.3125 0 0.4375 0.3125 0.0625 0 0.43757000 0.125 0.5 0.0625 0 0.258000 0 0.125 0 0.18759000 0 0

Table 4: DPA on noisy AES at various frequenciesTraces 10 MHz 15 MHz 20 MHz 25 MHz 30 MHz 40 MHz 45 MHz 50 MHz 55 MHz 60 MHz1000 43.5 37.3125 40.1875 24.875 54.3125 38.4375 66.75 53.3125 43.4375 58.52000 17.25 11.3125 18.5 17.5625 27.5625 17.4375 39.875 17.1875 26.3125 21.18753000 3.5 16.3125 19.875 7.6875 4.625 11 17.1875 12.875 6.1875 134000 1.9375 7.3125 19.125 9.375 4.3125 6.75 5.25 3.1875 2.9375 9.1255000 1.375 1.75 6.9375 6.375 1.125 3.8125 0.375 3.0625 1.0625 4.18756000 1.375 0.5 7.3125 2.1875 0.4375 7.0625 0.1875 3.75 3.875 2.3757000 1.625 0.125 5.75 1.3125 0.625 7.0625 0.125 0.1875 1.75 2.1258000 0.5625 0.4375 1.5625 0.125 0.3125 10.1875 0.3125 0.875 1.75 1.259000 0.1875 0.125 1.6875 0.13 0.5625 7.75 0.1875 0.4375 0.5625 1.3125

system, can leverage on this trait to work under a favor-able clock frequency for stealing the key. Accurate estima-tion of PDN’s role in SCA would help prevent such a sce-nario and enable designer of a crypto chip to incorporateright level of countermeasures across the frequency spec-trum. We have presented a secure design approach basedon frequency-dependent noise injection to compensate forthe PDN-induced SCA resistance imbalance by introduc-ing commensurate masking noise. Through simulations andhardware measurements we show that such an approach canimprove the overall SCA resistance at all frequencies withrelatively low hardware overhead. Future work would focuson evaluating the effect of PDN through current measure-ments in custom crypto-chip; developing an integrated PDN-aware design flow for automatic synthesis of compensationcircuitry; and extension of the technique to cryptographicchips with various SCA countermeasures.

8. REFERENCES[1] P. C. Kocher et al., “Differential Power Analysis,”

CRYPTO, 1999.

[2] P. C. Kocher et al., “Timing Attacks onImplementations of Diffie-Hellman, RSA, DSS, andOther Systems,” CRYPTO, 1996.

[3] J. F. Dhem et al., “Practical Implementation of theTiming Attack,” CARDIS, 1998.

[4] W. V. Eck et al., “Electromagnetic Radiation fromVideo Display Units: An Eavesdropping Risk”Computers and Security, v. 4, 1985.

[5] S. Guilley et al., “Differential Power Analysis Modeland Some Results,” CARDIS, 2004.

[6] T. S. Messerges et al., “Investigations of Power AnalysisAttacks on Smartcards,” USENIX Workshop onSmartcard Technology, 1999.

[7] F.-X. Standaert et al., “Power Analysis of an FPGAImplementation of Rijndael: Is Pipelining a DPACountermeasure?” CHES, 2004.

[8] Available Online:http://staff.aist.go.jp/akashi.satoh/SASEBO/en/index.html

[9] Available Online: http://ptm.asu.edu/

[10] E. Brier et al., “Correlation Power Analysis with aLeakage Model,” CHES, 2004.

[11] S. Mangard et al., “Hardware Countermeasuresagainst DPA - A Statistical Analysis of TheirEffectiveness,” CT-RSA, 2004.

[12] M. Saint-Laurent et al., “Impact of power-supply noiseon timing in high-frequency microprocessors,” IEEETransactions on Advanced Packaging, Feb. 2004.

[13] S. Mangard et al.,“Power Analysis Attacks- Revealingthe Secrets of Smart Cards,” Springer 2007.

[14] K. Tanimura et al., “HDRL: Homogeneous Dual-RailLogic for DPA Attack Resistive Secure Circuit Design,”IEEE Embedded System Letters, Vol. 4, No. 3, Sep2012.

[15] Z. Chen et al., “Using Virtual Secure Circuit toProtect Embedded Software from Side-ChannelAttacks,” IEEE Transactions on Computers, 2011.

[16] M. Joye et al., “On Second-Order Differential PowerAnalysis,” CHES, 2005.

[17] K. Tiri et al., “Side-Channel Attack Pitfalls,” DAC,2007.

[18] M. S. Gupta et al., “Understanding Voltage Variationsin Chip Multiprocessors using a DistributedPower-Delivery Network,” DATE & Exhibition, 2007.

[19] K. Tiri et al., “Simulation Models for Side-ChannelLeaks,” DAC, 2005.

[20] T. S. Messerges et al., “Examining Smart-CardSecurity under the Threat of Power Analysis Attacks,”IEEE transactions on Computers, 51(5), 2002.

[21] A. Prabhakaran et al., “Side-Channel Analysis ofBlock Ciphers Using CERG-GMU Interface onSASEBO-GII,” Master’s Thesis, ECE Department,George Mason University, Fairfax, Virginia, USA, May2011.

[22] N.H.E.Weste et al., “CMOS VLSI Design - a Circuitsand Systems Perspective,” 4th edition, Addison-Wesley.

[23] B. W. Garlepp et al., “A Portable Digital DLL forHigh-Speed CMOS Interface Circuits,” IEEE Journal ofSolid-State Circuits, Vol. 34, No. 5, May 1999.

[24] Y. Moon et al., “An All-Analog Multiphase Delay-LockedLoop Using a Replica Delay Line for Wide-Range Operationand Low-Jitter Performance,” IEEE Journal of Solid-StateCircuits, Vol. 35, No. 3, March 2000.

9. APPENDIX

9.1 Side-Channel Attack (SCA)Side-Channel Attack (SCA) refers to the process of ex-

tracting the encryption/decryption key from a cryptographicdevice by monitoring certain physical parameters, e.g. powerconsumption or electromagnetic emission, of the device dur-ing its operation. In this paper, we only consider SCAsthrough power consumption. Generally, the secret key is fig-ured out through statistical analysis of the recorded powertraces of the device and certain hypothetical power con-sumption predicted based on certain model. Since SCAwas introduced, many approaches of statistical analysis havebeen developed to achieve powerful SCA, e.g. in presenceof SCA-resistant design techniques. These approaches in-clude Single-Power Analysis (SPA) [1], Differential-PowerAnalysis (DPA) [1], higher-order DPA [16], and CorrelationPower Analysis (CPA) [10]. We use CPA throughout thepaper, which is a potent SCA analysis method because ofthe accurate alignment of the target switching moment whencorrelation coefficient is computed.

Fig. 9 illustrates the basic concept of SCA on AES. Thepower of the device is measured through the voltage dropacross a resistor in series with the voltage source. Plain-texts (PTs) are applied at the input and Ciphertexts (CTs)are computed by the cryptographic engine with the secretkey stored inside the device. The target moment of tran-sient supply current is usually associated with processingof certain intermediate result. The key is extracted pieceby piece [15]. For example, in the illustrative diagram inFig. 9, one byte of the key K[7:0] can be derived based onknowledge of CTs. In particular, a hypothetical intermedi-ate result (IR) can be computed based on one hypotheticalK[7:0] and the known CT, with the publicly known AESalgorithm. By enumerating 256 possible K[7:0], all possi-ble hypothetical IRs can be obtained. In this demonstratedarchitecture, the target switching activity happens in thelast round (cycle) of AES, caused by overwriting of registersholding values of IRs with new values of CTs. Thus theHamming Distance between IR and CT can serve as the hy-pothetical power consumption for one encryption with wellempirical verification. Since the exact time when the targetswitching takes place is unknown, correlation can be per-formed between the hypothetical power and each samplingpoint during the encryption to find out the peak correlationcoefficient. This would answer both the correct key byte andthe moment of the target switching activity.

9.2 PDN ModelThe power network used in this work references the 2D dis-

tributed design of [18]. The RLC network uses an equivalentdistributed power mesh derived from the lumped impedancemodel of a Pentium 4 processor. The off-chip impedances

Figure 9: SCA attack on a cryptographic device.

Figure 10: PND model: (a) Off-chip PDN; (b) on-chip 3D PDN.

Table 5: PDN model parameters [18]Parameters R(OHM) L(H) C(F)

PCB 94µ(s)/166.6µ(p) 21p 240µPKG 1000µ(s)/541.5µ(p) 120p 26µBUM 300m 0.5p -GRID 50m 5.6f 71.5p

are modeled with RLC ladders in Fig. 10(a). The first seg-ment of the ladder models the board-level lump impedanceand the second segment of the ladder models the packageimpedance. The package ladder is evenly distributed to thepoints on the on-die grid with partially-lumped solder bumpimpedance. The RLC distribution of the on chip power dis-tribution network is shown in Fig. 10(b). On the 12x12 gridpoints, the gates are distributed on PDN according to thesynthesis component number. Table 5 provides RLC pa-rameters of the PDN model used in this work. The Hspicesimulator performs transistor level simulation on an identi-cal testbench for circuits with and without supply network.

9.3 Details of Noise Injector DesignTo realize a tunable delay between the NI clock and the

system clock, a Digitally-Controlled Delay Line (DCDL) isused [22]. DCDL is a chain of delay elements, which is, inour case, inverting buffers. A DCDL contains even numberof inverting buffers, each of which has a tunable propagationdelay. Fig. 11 demonstrates two implementations of DCDLinverting buffer. In Fig. 11(a) the controllable propagationdelay is realized through tunable load capacitance of the in-verting buffer; while Fig. 11(b) is a current-starved inverterwith tunable resistance in series with the power supply. Inreality, ICs usually have on-chip Phase-Locked Loops (PLLs)or Delay-Locked Loops (DLLs) for clock generation. In thiscase, the required DCDL can leverage the on-chip DLLs,which usually have superior performance, i.e. able to pro-vide infinite phase range and very high resolution (on theorder of 10ps) [23], and operate over a wide frequency rangewith low jitters [24]. More importantly, their performancedoes not suffer remarkably from process variations. Thiswould make a high-quality controllable delay line withoutincurring area or power overhead.

The purpose of the NI unit array is to incorporate a cer-tain level of switching current each cycle; and the switchingcurrent should vary significantly between cycles in order tomask the SCA relevant switching. The switching currentamplitude should be comparable to that of the original cir-cuit; however, the switching duration can be as short as thatof the attacked gates, therefore the overall power consump-tion overhead can be maintained rather low. This means weneed a circuit that can cause significant amount of switchingwithin short durations and varying amplitude among cycles.This can be achieved by using FSMs with arbitrary state en-coding. Since the functionality of the FSM is not of interest,the state transition can be designed to be counter-like witharbitrary state encoding. Therefore, the next state logic isreasonably simple because it is not a function of the pri-

mary inputs except for state initialization. This is enabledby the low requirement on the switching duration. Here “ar-bitrary” means the Hamming distances between each pair ofadjacent states should vary as much as possible. Because ifthe next state logic is simple enough, the flip-flop switchingwill dominate the NI unit switching current. By carefully se-lecting the state encoding, an NI unit can exhibit desirabledegree of random switching variations. In particular, we im-plement two types of NI unit: 1) FSM with state encodingto achieve adjacent state Hamming Distance variation; 2)Linear Feedback Shift Register (LFSR). We choose LFSR ofa small size (16-bit in our case) to provide good granularityof the injected noise. An optional initialization FSM canbe used to enable NI units with different states. ExampleLFSR structures are given in Fig. 12.

9.4 Model of SCA on AESAES is widely used as a standard encryption system, which

has three variations marked by different key lengths: 128,192, and 256 bits. Larger key length provides higher strengthagainst mathematical cryptanalysis, but also incurs morerounds in the computation. Fig. 13(a) illustrates the en-cryption datapath of an AES with 128-bit key, which spec-ifies the four operations that the computation is composedof: SubBytes, ShiftRows, MixColumns and AddRoundKey(shown as the XOR circuit). Among these operations, Sub-Bytes is the only non-linear component, which is the ba-sis for preventing mathematical cryptanalysis. The entireencryption flow of AES with 128-bit key involves one ini-tial AddRoundKey and 11 rounds of repeated four opera-tions (the last round does not contain a MixColumns opera-tion) before the final cipher text (CT) is generated. In eachround, the round key that is used to XOR with the inter-mediate cipher texts, is derived from the input key throughkey scheduling. However, since there is a known linear re-lationship between the input key and the round key, theinput key can be easily computed after obtaining the roundkey (e.g. K11 in our case). In AES, operations are per-formed with the unit of one byte, therefore SCA can breakone byte of the key at one time. Although computationscorresponding to the rest of the key, which correspond toconsiderably larger circuit part compared to that related toSCA, introduce significant amount of noise for SCA, thekey byte under consideration can still be correctly extractedthrough practically achievable number of measurements andstatistical analysis. This forms the primary reason that SCAexponentially reduces the computation time compared withbrute-force attack, since it lowers the number of trials from2128 to 16 × 28.

In this work, we use correlation power analysis (CPA) [10]as the SCA method to extract the key. The principle ofcorrelation test is that the power profile predicted by thecorrect key guess will have the maximum correlation withthe measured power profile among those predicted by allkey guesses. The predicted power profile is defined by theHamming Distance of R1 between round 11 (with value of

Figure 11: Element of digitally controlled delayline with: (a) tunable load capacitance; (b) tunablecurrent-starved inverter.

Figure 12: Example LFSR structures.

Figure 13: AES datapath: (a) Encryption datapathof AES [17]; (b) Simplified circuit used in simulation.

D11) and the next cycle (with value CT). This is becausethat on one hand, with known cipher text (CT), D11 canbe back-traced given guessed K11. Hence, the Hammingdistance is a non-linear function of the guessed K11. De-spite the existence of intrinsic and external noise, the cor-rect key can be revealed by correlation of large numberof cycles of measurements. The computation of correla-tion test to reveal the correct key can be expressed in asmaxK11corr(Pmodel, Pmeasurement) [19], where

Pmodel = HammingDistance(Sub−1(ShiftRow−1

(K11 ⊕ C11)), C11)

Since we do not know the time instance when the switch-ing of the attacked registers occurs, correlation should beperformed for each time sample (considering the switchingof the attacked gate aligns to some extent in all encryp-tions). Thus the maximum correlation coefficient can revealthe moment of the key-related switching along with the cor-rect key. The circuit model of the simulated datapath isgiven in Fig. 13(b).

9.5 Power Attack SetupSuccessful power attack on a specific cryptographic algo-

rithm requires proper understanding of the vulnerabilities ofan implementation of the algorithm and developing attackstrategies exploiting those vulnerabilities. However, success-ful attack also depends upon correct acquisition of the powertraces. Hence developing a proper setup which will enable usto collect power traces accurately is of primary importance.Block diagram of the power attack setup developed by us isshown in Fig. 14. Fig. 15 and 16 illustrate the experimentalsetup and SASEBO under experimentation, respectively.

1. SASEBO BOARD: Side-Channel Attack StandardEvaluation BOard (SASEBO) [8] has two FPGAs onboard. One is known as control FPGA (Spartan 3A

PC

3.2 GHz)(CORE i3

SASEBO− GII

MIXED SIGNAL

OSCILLOSCOPE

(MSO4034B, 350 Mhz,

2.5 GS/s

Signal Trigger

Power Trace

Plain Text

Cipher Text

Figure 14: Block diagram of power attack setup.

Figure 15: Experimental setup for CPA based powerattack.

Figure 16: SASEBO under experimentation.

XC3S400A) and another as cryptographic FPGA (Vir-tex 5 xc5vlx50). Control FPGA contains the codes forcommunication with CPU [21]. It acts as a controller,which provides input and required control signals tocryptographic FPGA. Cryptographic FPGA containsthe implementation of the cryptographic algorithm tobe attacked. Communication with CPU is done througha USB cable. Plain texts are given to this board throughCPU and cipher texts are sent to CPU for verification.Signals from this board is given to oscilloscope to plotpower traces.

2. Oscilloscope: The oscilloscope is used for acquiringpower traces. Upon receiving trigger signal, power tracesis obtained and is sent to CPU. Triggering is very im-portant for obtaining power traces, as it indicates startof the encryption and helps us to identify the desiredpower traces.

3. CPU: The heart of this setup is the CPU. The wholesetup along with the operation of the other compo-nents are controlled by the CPU. CPU/SASEBO andCPU/oscilloscope interfaces are developed using C#codes. Plain texts are sent to FPGA and cipher textsare received for the verification. Power traces are re-ceived from the oscilloscope and are used to attack thecrypto chip.

In the experiment, the control FPGA is fed by an exter-nal clock signal generated by a function generator. Powertraces at different frequencies are obtained by varying thegenerated clock frequency.