


## A Design Methodology for a DPA-Resistant Cryptographic LSI with RSL Techniques

#### Minoru Saeki<sup>1</sup>, Daisuke Suzuki<sup>1,2</sup>, Koichi Shimizu<sup>1</sup>, Akashi Satoh<sup>3</sup>

<sup>1</sup> Mitsubishi Electric Corporation, Information Technology R&D Center

<sup>2</sup> Graduate School of Environmental and Information Sciences, Yokohama National University

<sup>3</sup> Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST)



## Summary (1/2)

#### Motivation

Proposed RSL as a DPA countermeasure (2004) [3]

Improved RSL against high-order DPA (2005) [4]

We did not have a chance to implement and evaluate RSL circuits on a real ASIC. But we got the chance last year.

Today, we present our new RSL techniques and show the feasibility and high DPA resistance of new RSL circuits.



## Summary (2/2)

#### **Results**

- Pseudo RSL
  - ✓ Emulating RSL function using a standard cell library
- **<u>The design methodology using RSL techniques</u>**
  - ✓ How to realize the timing control of RSL circuits
- Experimental results using the prototype LSI
  - ✓ Confirmed very high CPA/DPA resistance of the pseudo RSL-AES using <u>1,000,000</u> waveforms
  - ✓ The first result demonstrating glitch suppression effectiveness on a real ASIC



## Random Switching Logic (1/2)

#### Basic Idea

✓ Randomize the transition probability of each gate

✓ Suppress glitches

✓ Realize above functions in a single logic cell

```
input   x = a ⊕ r_x, y = b ⊕ r_y, r_x, r_y, r_z, en
output  z = (a · b ⊕ r_z ⊕ 1) · en
begin
  en  <= 0;                                  /* Suppress glitches */
  x_z <= x ⊕ (r_x ⊕ r_z);                    /* Re-mask x */
  y_z <= y ⊕ (r_y ⊕ r_z);                    /* Re-mask y */
  z   <= RSL-NAND(x_z, y_z, r_z, en);        /* Input data to the RSL gate */
  en  <= 1 after max_delay(x_z, y_z, r_z);   /* Assert en after data signals are fixed */
```
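The following Python model is an added example, not code from the slides. It follows the re-masking steps above and checks them exhaustively against the output equation $z = (a \cdot b \oplus r_z \oplus 1) \cdot en$, then shows that the output of a single evaluation is 1 with probability 1/2 whatever the data $(a, b)$. Modelling the gate as an inverted three-input majority gated by en is an assumption of this example, and all function names are hypothetical.

```python
from itertools import product

def maj(x, y, r):
    """Three-input majority function."""
    return (x & y) | ((x | y) & r)

def rsl_nand(x_z, y_z, r_z, en):
    """Behavioural gate model (assumed here): inverted majority, forced to 0 while en = 0."""
    return (maj(x_z, y_z, r_z) ^ 1) & en

def masked_nand(a, b, r_x, r_y, r_z, en):
    """Follow the slide's steps: masked inputs, re-mask to r_z, evaluate the gate."""
    x, y = a ^ r_x, b ^ r_y      # data arrives masked with r_x and r_y
    x_z = x ^ (r_x ^ r_z)        # re-mask x
    y_z = y ^ (r_y ^ r_z)        # re-mask y
    return rsl_nand(x_z, y_z, r_z, en)

def check_output_equation():
    """Compare the model with z = (a.b ^ r_z ^ 1).en for all 64 input combinations."""
    for a, b, r_x, r_y, r_z, en in product((0, 1), repeat=6):
        expected = ((a & b) ^ r_z ^ 1) & en
        if masked_nand(a, b, r_x, r_y, r_z, en) != expected:
            return False
    return True

def prob_output_one(a, b, masked=True):
    """P(z = 1) for fixed data (a, b) with en = 1, averaged over uniform masks."""
    if not masked:
        return float((a & b) ^ 1)    # plain NAND: fully determined by the data
    outs = [masked_nand(a, b, r_x, r_y, r_z, 1)
            for r_x, r_y, r_z in product((0, 1), repeat=3)]
    return sum(outs) / len(outs)

if __name__ == "__main__":
    print("output equation holds:", check_output_equation())
    for a, b in product((0, 1), repeat=2):
        print(f"a={a} b={b}  plain NAND P(z=1)={prob_output_one(a, b, masked=False)}"
              f"  RSL-NAND P(z=1)={prob_output_one(a, b)}")
```
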








## Pseudo RSL(1/2)

#### Equivalent circuit of an RSL-NAND gate





## Pseudo RSL (2/2)

#### **Equivalent circuit of an RSL-NAND gate**

<Example 2>





### Security evaluation of pseudo RSL(1/2)

#### **Bias of signal transitions at MAJI output**



- ✓ Considering glitches, the signal transition probability of the MAJI output is biased.
- ✓ Bias is never propagated beyond the NOR2B gate.



### Security evaluation of pseudo RSL(2/2)

#### Assumption

Pseudo RSL is sufficiently secure against DPA if the following condition is met.

 $k/2 \ll \varepsilon$ 

- ✓ $\varepsilon$ : lower limit of the bias detectable by DPA
- ✓ k : the number of MAJI gates sharing the same input signal

<Example : pseudo RSL-AES circuit>

- Max value of k : 2
- Gate counts : about 30 Kgate
- Average signal transition count per cycle : 15,000

**As shown later, a bias of 1/15,000 cannot be detected by DPA.**


MITSUBISHI ELECTRIC

## How to design RSL circuits(1/4)

#### Separation of circuit blocks






## How to design RSL circuits(2/4)




## How to design RSL circuits(3/4)

#### Toggle count DPA by logic simulation

<Example 1 : without pseudo RSL>




## How to design RSL circuits(4/4)

#### Toggle count DPA by logic simulation

<Example 2 : with pseudo RSL>





## Implementation result

#### Performance evaluation

| Evaluation item                               | without RSL [14] | with pseudo RSL |
|-----------------------------------------------|------------------|-----------------|
| Gate counts                                   | 14.5 Kgate       | 30.5 Kgate      |
| Maximum delay of timing paths                 | 16.77 ns         | 14.77 ns(*)     |
| Maximum operation frequency                   | 59.6 MHz         | 33.8 MHz        |
| Processing performance (at $f_{\text{max}}$)  | 763 Mbps         | 432 Mbps        |

(\*) Pseudo RSL-AES uses both the clock edges.

✓ Gate counts are doubled and performance is halved.

✓ Three times more efficient than WDDL.

#### **Implementation environment**

| Item            | Description                         |
|-----------------|-------------------------------------|
| Process         | TSMC 130-nm CL013G [10]             |
| Logic synthesis | Design Compiler version 2004.12.SP4 |
| Simulator       | NC-Verilog version 05.40-p004       |


## Experimental environment(1/5)

#### Target board and prototype LSI





#### **Experimental board (SASEBO-R)**

#### **Prototype LSI**

Changes for the Better

CHES 2009 in Lausanne


## Experimental environment(2/5)




## Experimental environment(3/5)

#### Evaluation equipment and parameters

| Parameters             | Explanation                                             |
|------------------------|---------------------------------------------------------|
| Target device          | TSMC 130-nm cryptographic LSI on SASEBO-R               |
| Operating frequency    | 24 MHz (standard setting on the board)                  |
| Measuring point        | Resistance (2.2 $\Omega$) between power supply and ASIC |
| Oscilloscope           | Agilent DSO8104A                                        |
| Sampling frequency     | 2 GHz                                                   |
| Number of power traces | 1,000,000 traces                                        |

## Experimental environment(4/5)

#### **Four evaluation modes of RSL-AES**

**Our pseudo RSL-AES has the following four operation modes.** 

(a) <u>*combined*</u> : both random masking and glitch suppression

(b) <u>*suppressing*</u> : glitch suppression only

(c) <u>*masking*</u> : random masking only

(d) <u>*none*</u> : both functions disabled


## Experimental environment(5/5)

#### Comparison of power traces








We performed the following attacks in each mode.

- CPA (Hamming distance model)
- 1-bit DPA (SubBytes input, NAND gate input)
- 8-bit DPA (SubBytes input, NAND gate input)



## CPA results

selection functions : Hamming distance of data registers






## 1-bit DPA results(1/2)

selection functions : SubBytes input







selection functions : NAND gate input signals





## 8-bit DPA results(1/2)

selection functions : SubBytes input





## 8-bit DPA results(2/2)

selection functions : NAND gate input signals




## 1-bit DPA against all SubBytes(1/2)

selection functions : SubBytes input




## 1-bit DPA against all SubBytes(2/2)

selection functions : NAND gate input signals





## The problem solved (new)

Differences between pre and post layout delay estimations caused some timing violations of pseudo RSL.





## The problem solved (new)

- Feed the post-layout timing information back to layout



## Summary of experimental results

- <u>combined</u> mode has very high resistance against all attacks.
- <u>masking</u> mode improves resistance considerably but is insufficient for some selection functions.
- <u>suppressing</u> mode by itself has little effect on resistance but achieves very high resistance when combined with <u>masking</u> mode.



## Conclusion

- We proposed pseudo RSL using a standard library.
- We introduced how to design RSL circuits and developed a prototype LSI.
- We confirmed very high DPA/CPA resistance of our pseudo RSL-AES circuit.




## Thanks for Listening