Abstract: Side-channel attacks have emerged as a nondestructive threat that exploits security vulnerabilities in cryptographic hardware. This paper provides an overview of protection techniques, including counter uses of side-channel information leakage, for combating side-channel attacks as well as for securing the authenticity of devices against counterfeits or even falsification.
[8] M. Nagata: "IC chip authentication and guarantee -as root problems of hardware security -," IEICE Fundamentals Review 
Introduction
IC chips nowadays play crucial roles in human society, such as in critical applications in the automotive, aviation and medical fields, and in the intelligent systems supporting our daily lives with Internet of Things (IoT) functionality. The security features of an IC chip have attracted general concern in recent years [1, 2, 3]. These differ from well-defined performance metrics such as computing ability, memory capacity or power efficiency, being represented instead by more abstract items such as hardware trust and tamper resistance. A malicious entity may distribute IC chips in markets that are illegally refurbished from garbage, counterfeited for cheap manufacturing or even falsified with undesired functionality, as sketched in Fig. 1. Public institutions, commercial investigators and web magazines have continuously reported the market statistics and distribution of such undesired electronic products worldwide [4, 5, 6, 7, 8].
Cryptography plays a prime role in hardware security for the ubiquitously distributed work nodes of the IoT. However, a cryptographic engine can become seriously vulnerable if an external attacker invasively finds side channels leaking secret information such as a private key, potentially through physical variations such as operation timing, power currents and electromagnetic (EM) fields, and through erroneous responses to intentionally injected faults and disturbances [9, 10, 11].
The security of an IC chip can be partly covered by methods for proving its own authenticity, for protecting itself from attackers, for encrypting communications and safely decrypting data, and so forth. In addition, dependability is concurrently needed and requires tolerance and adaptability to environmental disturbances such as electromagnetic fields, in order to withstand malicious attacks. Robustness is generally required and is technically covered by integrity in design and by testability and diagnosis in the field. The design of an IC chip is thus required to cope with these versatile characteristics of different physical origins, while meeting the specified functionality and performance of its circuits.
This paper describes design principles of cryptographic ICs and chips with the counter use of side-channel information, for protection against malicious side-channel attacks and compromised authenticity. Cryptographic ICs on a silicon chip draw power supply (PS) currents from a power source via power terminals on a printed circuit board (PCB) and create power noise on the power delivery network (PDN), as shown in Fig. 2. The PDN consists of series connections of on-chip wiring, bonding wires, package leads and board traces, forming the paths through which the PS current flows. The power-noise waveform on the power nodes within the circuits can be captured directly by an on-chip voltage monitor (OCM) or indirectly by a magnetic probe on top of the die. The waveforms can also be acquired by an oscilloscope probing the terminals of a one-ohm resistor inserted in series in the PDN on the PCB [12].
The PS current generally reflects the logical activity of the ICs in a chip and creates PS noise through interaction with the PDN impedance, which can be observed anywhere on the network. The PS noise waveforms of Fig. 3(a) were measured on a 65-nm CMOS prototype chip while an advanced encryption standard (AES) core, the best-known private-key cryptographic IC, was operating.
It is known that the amplitude of PS noise in the last clock cycle of a single AES operation reflects the number of flipped bits (the Hamming distance, HD) in the data register holding the encrypted output, in the sub-byte round design of the AES. This HD can be correlated with the guessed byte data of the preloaded secret key for a set of randomly generated plain texts. The byte value with the highest correlation among the 256 possible candidates is taken as the analyzed value. With more than 2000 waveforms for different input plain texts, the correlation finally reveals all 16 key bytes, as shown in Fig. 3(b).
The whole procedure of extracting key bytes from measured or simulated waveforms is called correlated power analysis (CPA) and is a powerful tool for side-channel attacks (SCA). The AES in this experiment did not include any countermeasure structure. An industrial cryptographic IC should be designed to tolerate CPA with typically millions of waveforms.
The level of correlation is found to be higher for the on-chip waveforms than for their on-board counterparts, so that fewer PS waveforms are needed for the 16-byte correlation in the former case. This is related to the signal-to-noise ratio of the information leakage, which is naturally higher for waveforms monitored at the source of the logic activity within the chip.
One design technique for CPA tolerance uses the PDN conditioner of Fig. 4, where the PS current drained from an IC chip is flattened by means of power current equalization [13] or power line regulation with, for example, switched power converters. It is confirmed in [14] that not even a single key byte was derived by CPA with 800,000 or more waveforms. The PDN conditioner can therefore prevent board-level SCA.
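As an added example that is not part of the original paper, the following Python script reproduces the CPA procedure described above on constructed traces: each trace is the total Hamming distance of the 16 output-register bytes in the last AES round plus Gaussian noise, all 256 candidates of each key byte are ranked by Pearson correlation, and a leakage coefficient of zero stands in for a board-level current flattened by a PDN conditioner. The S-box is computed from its definition; the register model (INV_SBOX of ciphertext byte XOR key byte), the round key and the noise level are assumptions constructed for the example.

```python
import numpy as np

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = np.array(_build_sbox())
INV_SBOX = np.argsort(SBOX)          # inverse of a permutation
HW = np.array([bin(v).count("1") for v in range(256)])
# Constructed last-round key for the demonstration (an assumption, any 16 bytes work).
ROUND_KEY = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]

def simulate_traces(key, n, noise_sd, leak=1.0, seed=1):
    """Constructed traces: one amplitude per encryption = leak * (total HD of the
    16 output-register bytes in the last round) + Gaussian noise. Assumption: byte i
    held INV_SBOX[ct_i ^ key_i] before ct_i was written. leak=0 models a PDN conditioner."""
    rng = np.random.default_rng(seed)
    ct = rng.integers(0, 256, (n, 16))
    hd = HW[ct ^ INV_SBOX[ct ^ np.asarray(key)]]
    return ct, leak * hd.sum(axis=1) + rng.normal(0, noise_sd, n)

def cpa_byte(ct_col, traces):
    """Pearson correlation of the amplitude with the HD predicted by each of 256 candidates."""
    t = traces - traces.mean()
    corr = np.empty(256)
    for k in range(256):
        h = HW[ct_col ^ INV_SBOX[ct_col ^ k]].astype(float)
        h -= h.mean()
        corr[k] = (h @ t) / np.sqrt((h @ h) * (t @ t))
    return corr

def cpa_key(ct, traces):
    """Best candidate and peak |correlation| for each of the 16 key bytes."""
    corrs = [cpa_byte(ct[:, i], traces) for i in range(16)]
    return ([int(np.argmax(np.abs(c))) for c in corrs], [float(np.abs(c).max()) for c in corrs])
```

With 2000 traces all 16 bytes are recovered and the correct candidates peak well above the noise floor, whereas with the leakage removed no candidate rises above it.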
This technique necessitates a large capacitor on the PDN in the chip to sufficiently supply power current to the cryptographic circuits in operation. This is a major drawback with a large area penalty, and it also complicates the design of the whole PDN accommodating multiple power domains, as is often the case in system-on-chip integration.
Side-channel attack sensor
While the PDN conditioner can potentially prevent information leakage through the power current flowing on the PCB, the leakage never disappears from the part of the PDN within the chip. An attacker can place a micro EM probe in close proximity over the die area, as depicted in Fig. 5. The EM waves emanating from the PDN can be sensed by a tiny one-turn coil through magnetic coupling. It is also known that the local EM waveforms can be analyzed for their correlation with the bytes of a secret key (CEMA).
The baseline concept of the local EM attack assumes it to be nondestructive and noninvasive. However, the EM field is more or less perturbed by the approach of a micro EM probe because of the magnetic coupling. An on-chip high-Q sensor circuit can detect this change in the local EM field.
The idea was implemented in the dual-coil SCA sensor circuit of Fig. 6 [15]. The sensor can detect the presence of a single micro EM probe or multiple probes, whether moving dynamically or positioned statically in the proximity of the cryptographic circuits on a die, by using in a counter way the side-channel effect of the change in the near magnetic field. This technique does not degrade SCA-tolerant designs at the algorithm, logic or even transistor level [16, 17, 18].
The dual sensor coils L1 and L2 are drawn over the cryptographic circuit to form two LC oscillators. When a micro EM probe approaches either of the coils, a difference in oscillation frequency (fLC) emerges between the two LC oscillators. The subsequent digital counters convert the relative frequency difference into a digital code for recognizing the attack. This dual-coil structure eliminates the need for a reference frequency and therefore suppresses the area and power penalties. The coils have different shapes and numbers of turns, allowing the sensor to detect the symmetrical placement of two probes, even in the power-off state of the chip.
The SCA sensor is designed at the circuit level so as to be compatible with a fully digital design flow [19]. The LC oscillator uses gated CMOS inverters and an array of MOS gate capacitors that are part of the standard logic cells. The n-turn inductors are rectangular, with horizontal (x-direction) and perpendicular (y-direction) wiring in the metal stack connected by vias, concealed within the sea of logic gates and routing. Therefore, the whole SCA sensor can be designed concurrently with the cryptographic digital circuits, using the standard methodologies of logic synthesis, automatic place and route, and logical and physical verification.
In addition, the calibration mechanism relies on the monotonic inverse dependence between the LC oscillator and digitally designed ring oscillators to eliminate false detection due to physical, temperature and voltage variations. The calibration is executed by a built-in digital controller, once for every intermittent detector operation.
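The decision path of the dual-coil sensor, from the two cycle counters to a calibrated relative code, as an added behavioural model that is not the paper's circuit: the frequencies, gate window, per-coil probe sensitivities and threshold are assumed numbers. The model shows why a common-mode shift of both oscillators (process, temperature or voltage) does not trigger, while a 5% shift of one coil, or a symmetric two-probe placement over coils of different sensitivity, does.

```python
from dataclasses import dataclass

@dataclass
class DualCoilSensor:
    """Behavioural model (an assumption, not the paper's circuit) of the dual-coil
    SCA sensor: two LC oscillators, a gated cycle counter on each, and a decision
    on the relative count difference after a one-time calibration."""
    f1_hz: float               # free-running frequency of the L1 oscillator (assumed)
    f2_hz: float               # frequency of the L2 oscillator; coils differ by design
    sens1: float = 1.0         # fractional shift of f1 per unit probe coupling (assumed)
    sens2: float = 0.6         # L2 has a different shape/turns, so it responds differently
    gate_s: float = 1e-5       # counter gate window (assumed)
    threshold: float = 0.01    # relative code magnitude that flags an attack (assumed)
    offset: float = 0.0        # static coil mismatch stored by calibrate()

    def counts(self, coupling1=0.0, coupling2=0.0, pvt=1.0):
        """Cycle counts in one gate window. pvt scales both oscillators together
        (process, temperature, voltage); couplingN is the magnetic coupling of a
        probe to coil N, which shifts that oscillator's frequency."""
        n1 = int(self.f1_hz * pvt * (1 + self.sens1 * coupling1) * self.gate_s)
        n2 = int(self.f2_hz * pvt * (1 + self.sens2 * coupling2) * self.gate_s)
        return n1, n2

    def code(self, n1, n2):
        """Digital code: relative count difference minus the calibrated offset.
        A common-mode drift cancels in the ratio, so no reference clock is needed."""
        return (n1 - n2) / n2 - self.offset

    def calibrate(self, pvt=1.0):
        """Run once with no probe present, before each intermittent detection."""
        n1, n2 = self.counts(pvt=pvt)
        self.offset = (n1 - n2) / n2

    def detect(self, coupling1=0.0, coupling2=0.0, pvt=1.0):
        """True when the code exceeds the threshold, i.e. a probe is near a coil."""
        return abs(self.code(*self.counts(coupling1, coupling2, pvt))) > self.threshold
```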
The physical properties of the whole SCA sensor circuit are characterized in the simulation environment of Fig. 7, which combines a full-wave solver for the self- and mutual inductance of the coils with a circuit simulator for the transistor-level response of the dual oscillators. The shape and number of turns of the coils are tuned and optimized along with the circuit parameters. The simulation can be used to explore detector performance against threat scenarios of attacks with micro EM probes of various shapes, at various vertical positions with intermediate materials, and at horizontal locations moving in random directions.
A prototype chip was fabricated in a 0.18-µm CMOS technology and assembled on a PCB. The SCA sensor, with three- and four-turn coils, was co-implemented with a 128-bit AES cryptographic circuit and evaluated with a micro EM probe in the measurement system of Fig. 8. The probe was manipulated with a manual positioner. Its horizontal and vertical locations were measured using an electronic optical scope. The oscillation frequencies of both LC oscillators were measured by a spectrum analyzer, as shown in Fig. 9. The ports for monitoring the oscillators were provided only for the prototype, with frequency dividers to reduce the output frequency.
When the EM probe is absent from the setup, both LC oscillators match in oscillation frequency after calibration and tuning of the oscillation parameters. On the other hand, once the probe comes into the proximity of the 128-bit AES core, the frequency of L1 deviates from that of L2 by 5%. This frequency shift demonstrates the detection function of the SCA sensor.
The size of the frequency shift depends on the strength of the magnetic coupling, in a monotonic relationship with the distance of the EM probe from the AES core, as shown in Fig. 10. The detection range reaches 200 µm from the surface of the die. This is sufficient for detecting attacks in which the top resin covering the die has been removed, a step attackers are often motivated to take toward successful CPA with a high signal-to-noise ratio.
In order to stabilize the electronic conditions of the transistors, the Si substrate is biased to the VSS (ground) voltage commonly shared with the digital cells, as shown in Fig. 11. When the digital circuits operate, PS current flows from VDD to VSS. Since multiple VSS lines are unified with the p-type Si substrate through distributed p+ contacts (taps), part of the PS current also flows through the substrate and creates potential gradients through the interaction of the currents with series resistances. This is traditionally called substrate noise and can be observed at a location on the Si substrate distant from the digital circuits in operation. On the other hand, the VDD lines are covered by n-type doped wells and isolated from the p-type Si substrate. If a probe is conductively attached to the Si substrate, the voltage waveforms of the substrate noise can be captured. The correlation of the substrate noise with internal logic activity, namely the level of HD in the cryptographic circuits, can be used to derive the most probable key bytes, in exactly the same manner as CPA and CEMA. This can be called correlated substrate noise analysis, CSNA.
Since substrate noise is physically confined within the die of an IC chip, it is not suppressed by the PDN conditioner. Moreover, the noise can be physically accessed even from the backside of the die, since the Si substrate is resistive and the voltage variation propagates throughout its body.
Experimental measurements of CSNA were performed with on-chip substrate noise monitor circuitry in the 65-nm CMOS prototype chip of Fig. 12. The probe locations for measuring substrate noise were distributed over the chip, at straight-line distances from the AES core ranging from 0.1 to 1.7 mm. The chip was mounted on an interposer and assembled on an evaluation PCB.
The level of CSNA was gauged as the range of substrate voltage variation among the waveforms captured for thousands of input plain texts in the last cycle of the AES operation. The vertical axis of Fig. 12 gives the maximum leakage, defined as the difference between the substrate voltage variations for the largest and smallest HDs; the larger the maximum leakage, the smaller the number of waveforms needed to derive all the key bytes. It is clearly shown that the maximum leakage is almost identical for probes distant from the AES core and is not much attenuated, while being very large in its vicinity. Therefore, CSNA is proven to be possible everywhere in the body or on the backside of a Si substrate, interestingly even at locations not explicitly connected by metal wires to the cryptographic circuits.
Substrate noise measurements for checking chip authenticity
Substrate noise sensitively reflects the logical activity of digital circuits, including loading conditions, environmental variations and switching scenarios. If an IC chip embeds on-chip monitor circuits (OCM) in an area accessible by a probe card connected to automatic test equipment (ATE), as given in Fig. 13, side-channel measurements for CPA and CSNA can be used for security testing [21]. This can potentially be useful for distinguishing counterfeited or falsified chips from regular ones by comparing on-chip measured waveforms, or especially CSNA results at locations distant from the cryptography cores. The substrate noise measurements can be stealthy and applicable to general algorithms toward background classification [22]. The measurements can be performed on multiple dies in wafer-level production testing with ATE to eliminate the effect of device-level variations, and statistically meaningful outliers can be designated as suspicious chips. The OCM for substrate noise can be isolated from the cryptographic circuits and therefore will not affect their operation.
Side-channel authentication system
Side-channel information leakage in general can be used for the authentication of IC chips [23], as shown in Fig. 14. A verifier uses the side-channel information closely related to the security computation performed by a prover and confirms its authenticity with high accuracy. The verifier shares secret information such as a private key with the prover beforehand. This allows the verifier to utilize all of the side-channel data for authentication, whereas an attacker, who has access to only a very limited part of the side-channel leakage, is disabled.
Conclusion
This paper has overviewed protection techniques against side-channel information leakage and attacks. The dual-coil SCA sensor disables an attacker using proximate EM probes. On the other hand, side-channel information can be used in a counter way to help judge the authenticity of an IC chip. Circuit and system techniques for watching and utilizing side-channel leakage will newly establish a methodology for securing devices. Further investigations will be performed on the proposed SCA sensors toward performance improvements and adaptability to system-level security scenarios. It is also expected that the use of CSNA will be extended to security tests in combination with ATE systems, along with the general utilization of side-channel information for the authentication of systems.
