## Masking and Dual-rail Logic Don't Add Up

Patrick Schaumont schaum@vt.edu

Secure Embedded Systems Group ECE Department



Kris Tiri kris.tiri@intel.com

Digital Enterprise Group Intel Corporation



## **Our Contributions**

1. Using a simple *statistical* technique, we can break single-bit masked secure logic styles, including:
   1. RSL [Suzuki 2004]
   2. MDPL [Popp 2005]
   3. DRSL [Chen 2006]
2. The side-channel resistance obtained by combining masking and dual-rail logic is not routing-independent.

#### **Preliminaries: Masked Hardware Signals**



#### **Preliminaries: Masked Logic**



### Preliminaries: Random Switching Logic



### **Our Experiment: Sbox in RSL**



- Gate-level DUT implementation: 970 RSL gates
- Cycle-based simulation, abstracting all timing effects
- Power model: toggle counting on DUT gate outputs

#### **Power Probability Distribution for SBOX**

[Figure: probability distribution of the toggle count. x-axis: Toggle Count (465 to 505); y-axis: probability (0 to 0.09); curves: r = 0, r = 1, and total.]

## Explaining the Cause of Symmetry

| unmasked value | masked value, $\mathbf{r} = 0$ (prechg → eval) | masked value, $\mathbf{r} = 1$ (prechg → eval) |
|--------------------------------|------------------|-------------------|
| **Transitions in single RSL gate** |              |                   |
| '0'                            |                  | 1 toggle          |
| '1'                            | 1 toggle         |                   |
| **Transitions in 970 RSL gates** |                |                   |
| 970 - n '0'                    |                  | (970 - n) toggles |
| n '1'                          | n toggles        |                   |

#### **Power Probability Distribution for SBOX**

[Figure: the same toggle-count distribution with curves r = 0 and r = 1, annotated with n, 970 - n and 970/2. x-axis: Toggle Count (465 to 505); y-axis: probability (0 to 0.09).]
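The toggle-count model from the table, worked through as an added example (not code from the slides): with r = 0 the 970 gates produce n toggles, with r = 1 they produce 970 - n, so the two per-mask distributions are mirror images around 970/2 and separate as soon as n is not centred there. The binomial model for n, the bias value `p_one = 0.49`, and all function names are assumptions made for illustration.

```python
from math import comb

N_GATES = 970  # RSL gates in the Sbox DUT (figure taken from the slides)

def ones_pmf(n_gates, p_one):
    """P(n = k), n = number of gates whose unmasked output is '1'.
    The binomial shape and p_one are constructed stand-ins for the netlist."""
    return [comb(n_gates, k) * p_one**k * (1 - p_one)**(n_gates - k)
            for k in range(n_gates + 1)]

def toggle_pmf(pmf_n, r):
    """Toggle-count PMF for mask bit r, following the table:
    r = 0 gives n toggles, r = 1 gives (N - n) toggles, the mirror image."""
    return list(pmf_n) if r == 0 else list(reversed(pmf_n))

def mean(pmf):
    return sum(k * p for k, p in enumerate(pmf))

def total_pmf(pmf_n):
    """Distribution seen with a uniformly random mask: average of both cases."""
    return [(a + b) / 2 for a, b in zip(toggle_pmf(pmf_n, 0), toggle_pmf(pmf_n, 1))]

def mask_exposure(pmf_n):
    """Probability that comparing one toggle count with N/2 identifies r.
    0.5 means the mask stays hidden; anything above is leakage."""
    half = (len(pmf_n) - 1) / 2
    p0, p1 = toggle_pmf(pmf_n, 0), toggle_pmf(pmf_n, 1)
    lo, hi = (p0, p1) if mean(p0) <= mean(p1) else (p1, p0)
    hit = sum(p for k, p in enumerate(lo) if k < half)
    hit += sum(p for k, p in enumerate(hi) if k > half)
    tie = sum(p[int(half)] for p in (lo, hi)) if half.is_integer() else 0.0
    return (hit + 0.5 * tie) / 2

if __name__ == "__main__":
    for p_one in (0.50, 0.49):  # constructed bias values
        pmf_n = ones_pmf(N_GATES, p_one)
        print(f"p_one={p_one}: mean(r=0)={mean(toggle_pmf(pmf_n, 0)):.1f} "
              f"mean(r=1)={mean(toggle_pmf(pmf_n, 1)):.1f} "
              f"exposure={mask_exposure(pmf_n):.3f}")
```

The total distribution stays symmetric around 970/2 in both cases; only the per-mask split shows whether a design leaks under this model.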

#### An Attack using the Power PDF





## Preliminaries: Masking and DRP

- Dual-Rail Precharge Logic encodes each value as a complementary signal pair
- In combination with masking: MDPL [Popp 2005]

| unmasked value | masked value, $\mathbf{r} = 0$ (prechg → eval) | masked value, $\mathbf{r} = 1$ (prechg → eval) |
|----------------|------------------------------------------------|------------------------------------------------|
| **Transitions in single MDPL gate** | | |
| '0' | $\overline{q}: 0 \longrightarrow 1$, $q: 0 \longrightarrow 0$ | $\overline{q}: 0 \longrightarrow 0$, $q: 0 \longrightarrow 1$ |
| '1' | $\overline{q}: 0 \longrightarrow 0$, $q: 0 \longrightarrow 1$ | $\overline{q}: 0 \longrightarrow 1$, $q: 0 \longrightarrow 0$ |

| unmasked value | masked value, $\mathbf{r} = 0$ (prechg → eval) | masked value, $\mathbf{r} = 1$ (prechg → eval) |
|----------------|------------------------------------------------|------------------------------------------------|
| **Transitions in single MDPL gate** | | |
| '0' | $\overline{q}$ toggle | $q$ toggle |
| '1' | $q$ toggle | $\overline{q}$ toggle |

### **Impact of Routing Imbalances**





## **Evaluation using Actual Layout Data**



- AES-128 using 16K Dual-rail gates in 0.18 μm CMOS
- Cycle-based simulation using weighted toggle counts
- Weights from layout (no routing constraints)

#### **Estimated Power PDF of AES**





### Masking Constant Signals: Binary Effect



## Masking Varying Signals: Gaussian Effect



#### An attack on the AES Power PDF



# **Related Work**

- In software implementations, masking is attacked by combining multiple power samples or by precharacterization of the implementation
  - [Messerges 2000] Second Order DPA
  - [Peeters 2005] Maximum-likelihood
  - [Oswald 2007] Template Attacks
- For cases where mask and masked signal cannot be observed separately, Waddle proposes the use of squared power samples
  - [Waddle 2004] Zero-Offset DPA
- Our technique demonstrates direct observation of the mask value, without the need for circuit characterization.
  - We have demonstrated this with known masked circuit styles

## Conclusions

- Masking and Dual-Rail Logic are not additive for side-channel resistance
- Secure Circuit Styles *cannot* be developed without considering the system-level perspective on security
- Effective countermeasures against our attack will need to address the following question: "How can we add a mask without adding information?"
  - When a mask is used to hide the PDF of a data signal, the masking process itself should not reveal the mask PDF