Professional Documents
Culture Documents
Low Power Secure AES S-Box Using Adiabatic Logic Circuit: Cancio Monteiro Yasuhiro Takahashi, Toshikazu Sekine
Low Power Secure AES S-Box Using Adiabatic Logic Circuit: Cancio Monteiro Yasuhiro Takahashi, Toshikazu Sekine
Logic Circuit
Secret Key
Abstract—Numerous works on advanced encryption standard Byte
(AES) S-box architecture have been done using composite field
arithmetic in Galois field. However, to the best of our knowledge,
Plaintext 32-bit
less information is available on both a secure circuit and the low Byte
S-Box S-Box
power consumption. In this work, we implement our previous Circuit Output
proposed charge-sharing symmetric adiabatic logic (CSSAL) in
ATTACK POINT
an 8-bit S-box circuit using multi-stage positive polarity Reed-
Muller (PPRM) representation over composite field technique. Fig. 1. Attack point in a partial AES S-box circuit.
The logic sharing method for frequently same logic function
usage in the combination logic is applied. Consequently, the low- expanded [5]–[9] to simplify the finite field over GF (28 ) in
complexity, high resistive and the low-power consumption are the S-box transformation to GF ((24 )2 ) and GF (((22 )2 )2 ) for
achieved. The results in this paper are obtained from the SPICE low cost, low power consumption, and low complexity.
simulation with 0.18-µm 1.8-V standard CMOS technology at
operating frequency of 1.25-70 MHz. Base on the logic speed, A typical target point of attackers in a cryptosystem is
security performance and low-power requirement, we deduce that depicted in Fig. 1. The attackers may have control over
our proposed logic is applicable for contactless smart cards, RFID the plaintext by guessing the secret key values in statistical
tags, and wireless sensors. analysis from DPA measurement result in the output of the S-
box circuit. Therefore, the S-box circuit needs to be accurately
I. I NTRODUCTION designed to keep secrecy of processed private information. As
a countermeasure to the related issue, there are two types
In the last century, the modern cryptology has mainly fo- of adoption technique that have been implemented so far,
cused on cryptosystems resistant against side-channel analysis such as hiding and masking at the cell level. The goal of
(SCA), which has become a special threat for chipper design- hiding countermeasures is to make the power consumption of
ers, software developers, and hardware engineers working to the cryptographic devices independent of intermediate values
secure private information stored in cryptographic devices such and independent of the operation that are performed, which
as smart card, RFID tags, USB token, and wireless sensors. have reported by the sense amplifier based logic (SABL)
SCA can be used to unveil the secret key of cryptographic [10], wave dynamic differential logic (WDDL) [11], three-
devices by analyzing side-channel information, such as power phase dual-rail pre-charged logic (TDPL) [12]. Among those
consumption, computing time, and electromagnetic radiation. implemented logic styles in cell library, majority of them
Among these SCA attack techniques, differential power analy- applied conventional CMOS logic operation that causes the
sis (DPA) attacks are the most popular type of power analysis high spike current occurrence and huge energy consuming.
attacks to reveal the secret information in cryptosystem. A As a result, the DPA and DEMA attacks are a bit difficult to
DPA attack seeks to reveal the secret key of a smart card by avoid. Hence, our approach here is to implement our previously
statistically analyzing power fluctuations that occurs while the proposed CSSAL [13] in the 8-bit S-box circuit using PPRM
device encrypts and decrypts large blocks of data [1]. Apart representation [6] for low peak current transition and low
from the DPA attacks, the electromagnetic radiation attacks energy consumption by exploiting an adiabatic switch principle
in [2]–[3] have been extensively studied. DEMA attacks can [14]. In comparison to our work, we have also implemented in
reveal secret information because the current flow during the same S-box circuit using several dual-rail adiabatic logic
the switching of the CMOS gates causes a variation of the styles, such as SyAL [15], 2N-2N2P [16], and the ECRL [17].
surrounding electromagnetic field that can be monitored by All the comparative results describe in this work are done in
positioning an inductive probe around the microcontroller chip. the SPICE simulation at the cell level.
On the basis of cryptanalysis knowledge to unveil secure
information in the preceding data encryption standard, an II. P ROPOSED C HARGE -S HARING S YMMETRIC
efficient algorithm for both hardware and software implemen- A DIABATIC L OGIC
tations was standardized by the NIST in 2001 as the Advanced
A. Adiabatic Logic Technique
Encryption Standard (AES) [4], which operates over GF (28 )
for computational efficiency, high resistance to cryptanalysis, Adiabatic switching is commonly used in minimizing en-
hardware and software compatibility, and flexibility. Since the ergy lost during charging/discharging period at all nodes of
new AES standard was announced, much effort has been the circuit. The main idea of adiabatic switching is shown in
MP3 MP2
MN1 MN2
t τ t
(a) Step voltage ( τ = 0) (b) Ramped step voltage Disch
Supply current [ µA]
MN13
400 Disch Disch Disch
Peak supply current of conventional CMOS logic A A B B
MN5 MN6 MN9 MN10
200 Peak supply current of adiabatic logic MN14 MN15 MN16
B A A B
MN7 MN8 MN11 MN12
0
-400 Disch
0 2 4 6 8 10 12
Time [ns]
(c) MN17
Fig. 2. Comparison of the supply currents for the equivalent RC models of the RC model of RC model of RC model of 2N-2N2P,
CSSAL SyAL ECRL
CMOS logic (a) step voltage and adiabatic logic (b) ramped step voltage. (c) Out Out Out Out
The peak supply current of the adiabatic logic is significantly lower than that Out Out
of the conventional CMOS logic under the same parameters and conditions.
8
2
Econv. = CVdd /2; where, it is possible to reduce the charging CSSAL
Supply
4
energy only by reducing Vdd or capacitor C. Figure 1(c) shows Current
0
a comparison of peak supply current for equivalent RC models
of the conventional CMOS logic and the adiabatic logic. The -4
0 40 80 120 160
instantaneous peak supply current of the adiabatic logic is : CSSAL
Time-[ns]
Authorized licensed use limited to: INDIAN INST OF INFO TECH AND MANAGEMENT. Downloaded on September 07,2020 at 19:51:35 UTC from IEEE Xplore. Restrictions apply.
4 CSSAL
6 .8
4 Emax.: 6.76pJ
8
x 2 xλ x 4
δ −1 8 6 .7
δ 4
x−1 +
4
x x 4 affine
6 .6
4 Emin.: 6.5pJ
6 .5
0 3 2 6 4 9 6 128 16 0 19 2 224 256
Charge Evaluation 20
sharing Hold Recovery
10
Authorized licensed use limited to: INDIAN INST OF INFO TECH AND MANAGEMENT. Downloaded on September 07,2020 at 19:51:35 UTC from IEEE Xplore. Restrictions apply.
TABLE II. S IMULATION AND CALCULATION RESULTS OF 8- BIT S- BOX CIRCUIT IN PPRM REPRESENTATION USING PROPOSED CSSAL, S YAL,
2N-2N2P, AND ECRL, RESPECTIVELY AT 1.25 MH Z , 12.5 MH Z , AND 50 MH Z INPUT POWER CLOCK FREQUENCY
10
[3] A. Dehbaoui, S. Ordas, L. Torres, M. Robert, P. Maurine, “Implemen-
9 tation and efficiency evaluation of construction-based countermeasures
against electromagnetic analysis,” in Proc. of Int. Conf. Design and Tech.
8
of Integrated Systems in Nanoscale Era (DTIS ’11), Athens, Greece,
Energy dissipation-[nJ]
Authorized licensed use limited to: INDIAN INST OF INFO TECH AND MANAGEMENT. Downloaded on September 07,2020 at 19:51:35 UTC from IEEE Xplore. Restrictions apply.