Side Channel Analysis Resistant Design Flow
M. Aigner1, S. Mangard1, F.Menichelli2, R.Menicocci2, M.Olivieri2, T. Popp1, G. Scotti2, and A. Trifiletti2
1
IAIK – Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
e-mail: Manfred.Aigner@iaik.tugraz.at
2
DIE - Dipartimento di Ingegneria Elettronica, Università di Roma "La Sapienza", Roma, Italy
e-mail: trifiletti@mail.die.uniroma1.it
Abstract— The threat of side-channel attacks (SCA) is of
crucial importance when designing systems with cryptographic
hardware or software. The FP6-funded project SCARD1,
enhances the typical micro-chip design flow in order to provide
a means for designing side-channel resistant circuits and
systems. Appropriate SCA-simulation tools and SCA analysis
for the designer of secure systems are part of the project goals.
We consider these enhancements for traditional design flows of
micro-chips as necessary in order to enable the design for the
next generation of secure and dependable devices. SCARD is
in its final phase, the final result, a SCARD chip designed by
using the developed design flow is currently implemented.
I. INTRODUCTION
Since the publication of DPA by Paul Kocher in 1999 [1]
development of SCA countermeasures is part of secure
design for systems with cryptographic hardware or software.
Especially smart cards and related micro-chip systems have
shown considerable vulnerabilities in this respect. Side-
channel attacks analyze and exploit the information produced
by some system by, for example, measuring its power
consumption or the electro-magnetic emanation of this
system. From these traces the attacker can potentially make
conclusions about the secret data involved in a computation
inside the system. Meanwhile, simple power analysis (SPA),
differential power analysis (DPA), and their related attacks,
simple and differential electro-magnetic emanation analyses
(SEMA, DEMA) became known to a broader public, and
thus pose the biggest threat. In the following, we will refer to
these side-channel analysis methods and related attacks by
using the acronym SCA.
The SCARD consortium works on enhancements of the
typical micro-chip design flow – from high level system
description over register transfer layer description down to
gate level netlists, and finally placement & routing of the
micro-chip – in order to provide a means for designing side-
channel resistant circuits and systems. We studied the whole
1
The project “Side-Channel Analysis Resistant Design
Flow – SCARD” is sponsored by the EC IST programme
FP6 under the contract nr. IST-2002-507270.
0-7803-9390-2/06/$20.00 ©2006 IEEE 2909
phenomenon of SCA in a consistent manner, developed
appropriate analysis setups for SCA-attacks and designed
effective tools for designers of secure systems. Those
extensions of the established semi-custom design flow of
micro-chips are necessary in order to effectively design SCA
secure devices. So far implementation of SCA
countermeasures demands application of full-custom design
strategies which prevents straightforward re-use or
technology transfer of the products.
The objectives of the project SCARD are:
1. To research side-channel attacks and
countermeasures at both, hardware and software
level by consistently structuring the problem
domain, and by improving side-channel attacks in
order to test systems with respect to side-channel
resistance;
2. To model and simulate side-channel effects;
3. To establish a semi-custom design flow for micro-
chips or parts thereof with clear guidelines and
appropriate synthesis tools in order to be able to
design and implement SCA resistant circuits.
II. RESEARCH OF SCA AND COUNTERMEASURES
To enable a secure design flow, it was decided to embed
the SCA countermeasures into the basic building blocks for
digital circuit design, namely into the logic cells of a
standard cell library. Research for secure logic styles,
compatible to automatic synthesis and place and route, was
necessary. Previously known approaches ([2],[3]) have been
investigated for their suitability for application in cell
libraries and several new logic styles have been proposed.
Serious problems were discovered with existing
solutions, like the side channel leakage of masked logic
styles due to glitches [4], or the unreachable routing
requirements of dual-rail-precharge logic styles. New secure
logic styles were developed to avoid these problems, the
most promising one is an approach that combines masking
and dual-rail precharge [5].
ISCAS 2006
 In a complementary approach Software countermeasures
were investigated. Several different implementations of
AES, combining masking and randomization, as SCA
countermeasures were developed and analyzed. The
vulnerabilities due to glitches appearing in the insecure logic
were shown and the added security level by software
controlled randomization was assessed.
Up to now, people involved in side channel power
analysis has performed power consumption measurements
by inserting a small resistor in series with the VDD or ground
pin of the device under attack. In such approach, noise on the
power supply, bonding wires, IC-package, PCB parasitics,
and the measurement setup parasitics heavily contributes to
degrade the measured signal.
In order to perform current measurements with a higher
gain-bandwidth product, smaller insertion error and reduced
sensitivity to parasitics, a novel active circuit has been
proposed and implemented within the SCARD project. The
active circuit allows us to provide the supply voltage to the
device under test and to detect and amplify the current
waveforms. We have been able to show that the active setup
allows us to increase the gain-bandwidth product of more
than 20 dB, to strongly reduce the equivalent impedance of
the measurement setup and to reduce the sensitivity of the
measurement with respect to the parasitic capacitance due to
the on-chip power supply distribution.
Experiments in which the proposed active measurement
circuit has been used to acquire the current traces of a simple
crypto core implemented on an FPGA, have shown about a
20 dB increase in sensitivity with respect to the resistor
based measurement.
The active circuit has then been used in the SCARD
measurement setup, which is based on two different boards:
a “digital board” which provides all control and clock signals
needed to configure the SCARD test-chip and to carry out
the measurements and an “analog board” on which the
SCARD test-chip and the active supply and measurement
circuitry are arranged. The Analog SCARD test board has
been placed in a metal box in order to improve the shielding.
Measurements on the SCARD test-chip are ongoing and
preliminary results have confirmed the effectiveness of the
novel measurement approach.
III. SCARD MODELLING & SIMULATION TECHNOLOGY
Designers of secure crypto systems can distribute and
limit the costs of assessing the susceptibility of their designs
to SCA attacks by using a series of SCA tests, integrated in
several steps of their design flow. Those tests can help in
detecting SCA vulnerabilities as soon as possible, so to
optimize the costs for design adjustment.
Apart from a final assessment produced by testing
physical prototypes, a SCA test basically consists in
simulating specific SCA attacks, which requires:
2910
1. Proper models for both the execution of the crypto
operation and the generation of the corresponding
relevant traces;
2. Proper tools for the processing of the traces.
SCA tests can be implemented—with variable efficiency,
significance, and costs—at several abstraction levels. Some
applications of design-time SCA testing are described in [6],
[7], and [8], for the power analysis context, and in [9], for the
electromagnetic analysis context.
Within the SCARD project, the activity on SCA modeling
and simulation mainly focused on SCA tests based on power
analysis, which were intensively explored at several
abstraction levels.
At high level, SystemC functionalities were exploited to
analyze the susceptibility of a microcontroller system to
selected SCA attacks. The reference system was based on
ARM7 CPU and the analysis covered both software
(compiled C-code) and hardware (crypto-peripheral)
implementations of AES128 [10], with or without specific
countermeasures.
Cycle-accurate SystemC models were used for the
SW/HW crypto operation. As for power trace generation, we
used models based on Hamming measures (weight and
several kinds of distance) involving the status of the CPU or
of the crypto-peripheral, contributed from all the relevant
registers. For greater accuracy, we included some
coefficients to weight the power contributes of some
registers with possibly high loads (e.g., bus drivers).
A prototypal SCA simulation platform, where many features
are user configurable, was produced and exploited for
intensive attack simulation, by means of an off-line
processing of power traces. As an example of positive result,
we mention the fast discovery of an implementation
weakness in a countermeasure for a HW AES.
The main motivation for power estimation during HDL
development was to determine the SCA resistance during the
development process. We developed a method that allows
investigation for SCA susceptibility during logic simulation
of HDL models. This includes all levels of HDL models,
starting from high level architectural and behavioral
descriptions, down to gate level.
Two prototypes of the HDL power estimator have been
implemented; one stand-alone tool, based on VCD outputs of
HDL simulators, the other is directly embedded into
Mentor’s Modelsim via the PLI interface. Both methods
were applied during the development of the SCARD chip
and were especially helpful to avoid SCA leakages on the
interfaces between secure and insecure parts that were not
considered initially.
Though not modeled in the standard design flow of
digital integrated circuits, bond wires and package parasitics
play an important role in determining the frequency response
of the current measurement setup.
 Within the SCARD project we have developed a
methodology to extract an accurate spice model of the
overall measurement setup starting from the VDD/GND pin
of the IC up to the oscilloscope probe tips and applied it to
the specific case of the SCARD test-chip measurement
modeling.
The proposed method allows us to account for:
1. Parasitic capacitance and resistance (Cchip and
Rchip) between the VDD and GND pins of a given
IC due to the on-chip supply distribution lines;
2. Parasitic effects due to bonding and package
which are accurately modeled starting from 3D
EM simulations or S-parameters measurements;
3. PCB and cable parasitics modeled as lumped LC
networks;
4. Oscilloscope probes parasitic capacitance and
resistance.
A key point of the proposed methodology is the
extraction of an accurate spice macro-model of bonding and
package of a given IC starting from the physical description
(i. e. geometrical dimensions) of a given package and the
dimensions of the integrated circuit.
The proposed approach is based on lumped RLC
networks whose parameters are obtained by means of a
fitting between the Scattering-parameters obtained by
simulating the spice model and the S-parameters of the
physical structure obtained by 3D full wave simulations or
by measurements. Some commercial tools are available to
carry out the extraction of this kind of model; we have used
the Cadence IC Package Modeling (PKG) tool been used to
perform the full wave simulations and the fitting procedure.
The accurate model of the SCARD test-chip bonding and
package has then been included in the spice model of the
overall measurement setup; the complete model has then
been ported to the CADENCE Analog Artist environment.
IV. SCARD SEMI-CUSTOM DESIGN FLOW
The method promoted by SCARD counteracts SCA on
the level of secure logic cells. A digital circuit is composed
of a limited number of different cells for storage (flip-flops)
and logic computation (AND, OR, NAND etc.). Data
depending power consumption of those cells are the reason
why SCA works and circuits implemented in standard
CMOS logic style. Dual Rail Pre-Charge (DRP) logic styles
are known since publication of K.Tiri [11] to prevent SCA
on that level, but they have several disadvantages. SCA
protection is only given if the pair of differential output wires
of each gate have absolutely balanced capacity. Theoretically
this could be achieved by perfectly parallel routing of
differential wires, but unfortunately this contradicts rules for
routing to prevent crosstalk. Masked logic styles use random
numbers to de-correlate the continuous power consumption
from the values of processed data. Different approaches on
masking on gate level have been published and patents have
been filed [3], but SCARD researchers showed that glitches
can leak side-channel information that can be used to mount
2911
attacks on masked circuits [12]. The new logic style MDPL
performs masking with random values to de-correlate its
power consumption and uses the DRP principle to avoid
glitches [5].
The SCARD design flow is based on standard tools for
digital circuit design. It was extended by a netlist conversion
tool [13] that performs the conversion from single rail logic
to dual rail and attaches necessary interface-cells to combine
the secure modules with insecure designs in standard CMOS.
After standard synthesis the netlist is transformed and the
cells from a standard CMOS library are exchanged with
secure cells with equal functionality. In a following step a
standard synthesizer is used to add the clock-tree and to
insert buffers to meet the timing requirements. For MDPL no
special constraints are necessary for the place-and-route step.
For the two implementations of DRP cores, special steps for
parallel routing of differential signals were performed.
SCA investigations based on the power traces generated
by the HDL power estimation methods throughout the
various steps of the design flow proofed to be very useful
during the design of the system.
V. THE SCARD CHIP
The SCARD chip is currently in a final implementation
phase. It is specified in a way to demonstrate the potential of
the project results. By implementing it, we show that the
design flow developed in SCARD can be used to design
chip-card like circuits. The chip contains different
implementations of an 8051 controller core that is available
in the open domain2. For cryptographic operation, a
hardware AES module is attached to the core. Fig. 1 shows
the overall architecture of the chip. The µP-core is
implemented in six different versions on the chip, five
versions with SCA countermeasures and one plain version in
standard CMOS for reference measurements (not all versions
are include into the sketch).
Figure 1: SCARD Chip Concept
2
8051 IP core provided by Oregano Systems: see
http://www.oregano.at/ip/8051.htm
 Internal RAM structures of the controller are
implemented as flip-flops to allow easy synthesis. One core
in DRP style is additionally equipped with an SCA protected
XRAM block that was developed in SCARD.
Additional control logic for selection of one active core,
switching of inputs and output signals and deactivation of all
other cores is part of the design. A scenario to favor SCA
attacks is considered to measure and evaluate the level of
SCA protection achieved by the countermeasures. Therefore
the chip will not be equipped with additional sensors and
noise generators that are often integrated into chip card
products. Trigger outputs are available to signal starting
points of operations that are planned to attack. The different
cores have identical functionality, we expect therefore for the
first time fair comparisons of the protection level for
different SCA countermeasures. Implementation on the same
technology will furthermore allow fair comparison of the
specific costs in terms of throughput, area and power
consumption. The controllers will be fully programmable by
code that is provided on an external ROM component.
VI. CONCLUSION
SCARD has produced many interesting results, which
can be well appreciated when thinking about the unique
scenario now available for the project partners. The relevant
advantage is the availability of a common platform,
consisting of the developed chip, tools, and methodologies,
for further SCA research. In fact, different approaches for
SCA countermeasures are implemented in the same
technology - on the same chip - together with an unprotected
reference design. Moreover, complete information from all
abstraction layers, from specification via HDL model to
several netlists, are available to produce, by simulation, a
deep understanding of physical measurements. Back
annotation of the power models for accurate power
simulation on higher levels can also be performed. Finally,
an assessment of efficiency and/or effectiveness of software
and/or hardware countermeasures can be given.
We are optimistic that the developed methods will be
integrated into design-flows for commercial security
systems, although some important characteristics like
throughput optimization or low-power considerations are not
applied in the first step towards a SCA-secure design flow.
Future research includes area, power and throughput
optimization, as well as EM-attacks and even better
measurement setups.
AKNOWLEDGEMENTS
This work has been generated by the SCARD consortium
and is supported by the European Commission under the
Sixth Framework Programme (Project SCARD, Contract
Number IST-2002-507270).
2912
View publication stats
REFERENCES
[1] P. C. Kocher, J. Jaffe, and B. Jun., “Differential Power Analysis.” In
Michael Wiener, Advances in Cryptology - CRYPTO ’99, 19th
Annual International Cryptology Conference, Santa Barbara,
California, USA, August 15- 19, 1999, Proceedings, volume 1666 of
Lecture Notes in Computer Science, pages 388–397. Springer, 1999.
[2] K. Tiri and I. Verbauwhede. “A Logic Level Design Methodology for
a Secure DPA Resistant ASIC or FPGA Implementation”. In 2004
Design, Automation and Test in Europe Conference and Exposition
(DATE 2004), 16-20 February 2004, Paris, France, pages 246–251.
IEEE Computer Society, 2004.
[3] F. Klug, O. Kniffler, and B. Gammel. “Rechenwerk, Verfahren zum
Ausführen einer Operation mit einem verschlüsselten Operanden,
Carry-Select-Addierer und Kryptographieprozessor. German Patent
DE 10201449 C1, January 2002.
[4] S. Mangard, T. Popp, B. Gammel, “Side-Channel Leakage of Masked
CMOS Gates”, Proceedings of the RSA Conference 2005
Cryptographers' Track (CT-RSA 2005, February 14-18, 2005, San
Francisco, USA), Lecture Notes in Computer Science (LNCS),
Springer Verlag, 2005
[5] T. Popp, S. Mangard, "Masked Dual-Rail Pre-Charge Logic: DPA-
Resistance without Routing Constraints", Proceedings of the
Workshop on Cryptographic Hardware and Embedded Systems 2005
(CHES 2005, August 29 - September 1, 2005, Edinburgh, Scotland),
Lecture Notes in Computer Science (LNCS), Springer Verlag, 2005
[6] J.I. den Hartog and E.P. de Vink, “Virtual Analysis and Reduction of
Side-Channel Vulnerabilities of Smartcards”, Proceedings of 2nd
International Workshop on Formal Aspects in Security and Trust -
FAST 2004, IFIP 173.
[7] S. Berna Ors, F. Gurkaynak, E. Oswald, and B. Preneel, “Power-
Analysis Attack on an ASIC AES implementation”, Proceedings of
the IEEE International Conference on Information Technology:
Coding and Computing - ITCC’04, vol. 2, pp. 546-552.
[8] M. Bucci, M. Guglielmo, R. Luzzi, and A. Trifiletti, “A Power
Consumption Randomization Countermeasure for DPA-Resistant
Cryptographic Processor”, Integrated Circuit and System Design -
Power and Timing Modeling, Optimization and Simulation -
PATMOS 2004, Lecture Notes in Computer Science, 3254, pp. 481-
490, 2004.
[9] H. Li, A.T. Markettos, and S. Moore, “Security Evaluation Against
Electromagnetic Analysis at Design Time”, Workshop on
Cryptographic Hardware and Embedded Systems - CHES 2005,
Lecture Notes in Computer Science, 3659, pp. 280-292, 2005.
[10] AES, Advanced Encryption Standard, FIPS 197, Available at
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
[11] Kris Tiri and Ingrid Verbauwhede. “Securing Encryption Algorithms
against DPA at the Logic Level: Next Generation Smart Card
Technology.” In Colin D. Walter, Cetin Kaya Koc, and Christof Paar,
editors, Cryptographic Hardware and Embedded Systems - CHES
2003, 5th International Workshop, Cologne, Germany, September 8-
10, 2003, Proceedings, volume 2779 of Lecture Notes in Computer
Science, pages 137–151. Springer, 2003.
[12] S. Mangard, N. Pramstaller, and E. Oswald. "Successfully Attacking
Masked AES Hardware Implementations", Proceedings of the
Workshop on Cryptographic Hardware and Embedded Systems 2005
(CHES 2005, August 29 - September 1, 2005, Edinburgh, Scotland),
Lecture Notes in Computer Science (LNCS), Springer Verlag, 2005
[13] E. Valentini, R.Ulmer, E. Haselwandter and T. Popp, “Configurable
Logic Style Translation Based on an OpenAccess Engine” to be
published in the proceedingsof IEEE International Conference on
Electronics, Circuits and Systems (ICECS), December 2005