Abstract. In this paper, we propose new models for directly evaluating DPA leakage from logic information in CMOS circuits. These models are based on the transition probability for each gate, and are naturally applicable to various actual devices for simulating power analysis. We also report the effectiveness of the previously known enhanced DPA on our model. Furthermore, we demonstrate the weakness of previously known hardware countermeasures for both our model and FPGA and suggest secure conditions for the hardware countermeasure.
Introduction
SPA (Simple Power Analysis) and DPA (Differential Power Analysis), proposed by P.Kocher, have become a threat to the security of cryptographic implementation such as SmartCard [1] . Ever since these proposals, cryptographic researchers have begun to consider not only mathematical attacks but side-channel attacks as well. This work has resulted in several proposed countermeasures, particularly against DPA. These countermeasures can be roughly classified into the following two groups:
Coron addresses countermeasures for public-key encryption algorithms [2] . Employing masked data with random numbers, Akkar uses countermeasures for block ciphers [3] . We consider the above mentioned examples to be algorithmic. On the other hand, SABL (Sense Amplifier Based Logic) [4] [5] based on the DCVSL (Differential Cascode Voltage Switch Logic), SDDL (Simple Dynamic Differential Logic) based on the CMOS circuit using the SABL methodology, and WDDL (Wave Dynamic Differential Logic) [6] belong to the circuit level.
Generally, ASICs, such as microprocessors and cryptographic co-processors, are implemented based on the CMOS technology. We believe that countermeasures at the circuit level, such as WDDL and Masked-AND [7] , are the most fundamental techniques because these are related to power consumption and are applicable to various cryptographic algorithms.
The manner in which the effectiveness of a countermeasure can be demonstrated is important. In this paper, we consider a methodology for the security evaluation of CMOS circuits at the outset. Some attempts have already been made to systematically analyze DPA leakage [8] [9] [10] . Constructing a power consumption model is an effective method for the analysis of the effectiveness of countermeasures. For instance, the model based on the analog characteristics of CMOS circuits [8] , the model based on the Hamming weight [9] , and the simplification model in Ref. [8] based on the transition of data registers [10] were proposed in 1999, 2000, and 2002, respectively. Each model is complex or insufficient in terms of the reason for the leakage, because the aim of the model is to simulate power consumption itself or to determine the bias of data, not the bias of power consumption. We now present new models that determines the origin of the leakage. These models are based on signal transition probability for each gate(see also [11] ), and are not only more accurate than the digital model [9] but are also more easily applicable than the analog models [8] [10] . We will point out that the evaluation results of some primitive logics using our models are very similar to the actual power analysis using FPGA.
Next, we discuss the relation between enhanced DPAs and our leakage model. Recently, various analysis technics were proposed as enhanced DPA [12] [13] . The countermeasure should satisfy the requisite tolerance for these technics. In this paper, we also discuss the effectiveness of the previously known enhanced DPAs from the viewpoint of our model. Finally, we demonstrate the weakness of previously known hardware countermeasures for both our model and FPGA and suggest secure conditions on the CMOS logic circuit.
Leakage Model for CMOS Circuit
The current evaluation model against DPA is constructed by simulating the power consumption of the circuit. In general, there are two approaches. One method constructs a detailed model of a characteristic of the analog device [8] [10] . In this case, the power consumption can be estimated with high accuracy. However, the estimation of the power consumption is largely dependent on the device; thus, it tends to become complex. The other method roughly estimates the power consumption assuming a certain digital model; for example, it estimates the power consumption based on the Hamming weights [12] . In this approach, it is possible to construct simple models and evaluate power consumption without device dependency. However, the result might not accurately reflect the behavior of the actual device.
In the following section, we propose a more detailed model that improves on the flipping model introduced in Ref. [15] for CMOS circuits. Hereafter, we refer to this model as the leakage model. The primary concept of the model is mainly to evaluate only the leakage information for DPA. Power consumption itself is not considered in this model.
Leakage Model Based on Transition Probability
Power consumption in CMOS circuits is summarized by the following equation [16] :
where C L is the loading capacitance, f clk is the clock frequency, V dd is the supply voltage, p t is the transition probability of the signal, I sc is the direct-path short circuit current, and I leakage is the leakage current. The first term results from the charge/discharge of the loading capacitance. The second term depends on I sc , which arises when both the NMOS and PMOS transistors are simultaneously active. The third term represents power consumption caused by the leakage current, which is primarily determined by the characteristics of the CMOS process.
DPA is an attack in which the attacker estimates the intermediate value in the encryption/decryption process, classifies the patterns of power consumption based on this estimate, and obtains the secret information from the measured differences. Here, only p t is dependent on the intermediate value in Eq.(1). Other parameters are fixed when the circuit is constructed. We assume that the power difference in DPA measurements occurs because the transition probability of the signal is biased according to the intermediate value. A detailed discussion of the bias of the transition probability is presented below.
Generally, the signal transitions also depend on the delay in the transistors and the wiring in the CMOS device as well as on the logic functions of the circuits. Thus, we consider the leakage model in either of the following cases:
: An ideal circuit with no delay and transient hazard in transistor and wiring. -Dynamic Model : A real circuit wherein a transient hazard is generated due to the delay.
In order to clarify the discussion, we analyze the generalized circuit as shown in Fig. 1 . This circuit is constructed with k gates and n inputs x 1 ,x 2 ,...,x n and feedback paths from the combinational circuit to the registers. The transition of the output signal at the ith gate is expressed as
where ∆x is a transition of the input signal and f i is a Boolean function at the output of the ith gate. In the following section, we define the leakage model by considering the bias of the probability of ∆f (i) = 1 in cases where α = 0 or α = 1, with α being the value of the signal used by the attacker for grouping. We will refer to this signal a selection bit. 
Static Leakage Model
We assume that x 1 ,x 2 ,...,x n in Fig. 1 are independent variables 3 . In the static model, the expectation of the transition frequency in one clock cycle is expressed as
where p stc α,(i) is the transition probability at the output of the ith gate corresponding to the value of the selection bit α. 
where p stc x,(i) is the transition probability of ∆f (i) = 1 under the condition that ∆x 1 , ..., ∆x n are n independent variables.
If N stc diff = 0, it is possible that the correlation peak is observed in DPA measurements from Eq. (1). Generally, a normal nonlinear logic using a CMOS standard cell library has N stc diff = 0. Some examples are provided below.
Example 1: AND-XOR We consider the static leakage in Fig. 2 (a) with random inputs. If the selection bit is x 1 , we get
Namely,
x i = 1 and ∆x i = 1 occur with a probability 1/2. Here, the input states (x 2 , ∆x 1 , ∆x 2 ) that assume ∆f x1=1,(1) = 1 are (0,0,1), (1,0,1), (1,1,0), and (1,1,1). Hence, we have
Thus, the static leakage in Fig.2 (a) is
The fact that AND-XOR is a basic element for S-boxes implies that a normal implementation of a block cipher necessarily has static leakage.
Example 2: n-AND Under a condition similar to that in Example 1, the static leakage of n-input AND gates shown in Fig. 2 
(b) is
where the selection bit α ∈ {x 1 , · · · , x n }.
Example 3: Buffer Tree The static leakage of two-input AND gates connected to n buffers ( Fig. 2 (c) ) is
where the selection bit is x 1 or x 2 . Stated simply, the static leakage at the gate with a large fan-out is amplified.
Based on Definition 1, the static leakage has the property described in the following section.
Property 1: Consecutive Static Leakage An equal amount of static leakage occurs both in the cycle when the selection bit appears and in the next cycle.
Based on Eq. (2), it is evident that the transitions related to the selection bit occur in the cycle when the selection bit appears and in the next cycle as well. In cryptographic circuits, ∆x 1 ,...,∆x n are generally independent random variables. Thus, two static leakages of equal amounts occur for two consecutive cycles because two biased state transitions occur (random state → state dependent on α, state dependent on α → random state). This implies that two similar DPA peaks are observed for two consecutive clock cycles in the DPA measurements if the target device is ideal.
Dynamic Leakage Model
In an actual cryptographic circuit, the delay time depends on the signal route. In addition, each route tends to be non-uniform. Such non-uniformity is particularly remarkable in the circuits designed with automatic synthesis/layout.
As in Section 2.2, we consider the transition probability in Fig. 1 . We assume that the transitions ∆x 1 , ..., ∆x n of the registers reach each gate at different times. Here, the transition of the Boolean function ∆f (i) occurs only when transitions of the registers reach the ith gate. Based on these facts, we can evaluate the transition probability at a certain timing by supposing that only the transition corresponding to the timing is a variable and that others are 0. We define Dynamic Leakage using this probability. 
where E(i) is the set of events with the possibility that transition occurs in the state after α appeared at the ith gate in ∆t, and p dyc α,(i) (e) is the probability of ∆f (i) = 1 under the condition that the transition of the input signal corresponding to e is a variable and the others are 0.
Here, we consider the relation between the transitions of the registers ∆x 1 ,..., ∆x n and the event e ∈ E(i) that depends on the selection bit α. If the circuit has not been redundantly constructed and ∆t ≥ 2 cycles, E(i) contains at least n events corresponding to the transitions of the registers in the state wherein α appeared. This does not depend on the order of the signal transitions. It should be noted that these events are distributed between two cycles according to the delay time, which was fixed when the circuit was constructed, for each signal to propagate. Additionally, it is possible for two or more transitions to occur by the same transition of the register if the propagation route is different. In this case, the transitions corresponding to each route are treated as independent variables in Eq. (2). In the following section, we evaluate the dynamic leakage in Fig. 2 .
Example 4: AND-XOR We consider the circuit, shown in Fig. 2(a) , on the dynamic model. If ∆t ≥ 2 cycles, we get
2 ), e(∆x 3 ), e(∆x 4 )}. Based on Eq.(6), ∆f 3 at each event is
If x 1 is the selection bit, we have
Similarly, in ∆f (1) , we have
The dynamic leakage of Fig. 2(a) is N dyc diff = 1. It should be noted that the difference between x 1 and x ′ 2 at the delay time determines the timing whereby dynamic leakage occurs in the circuit. N dyc diff occurs during the cycle when the predicted x 1 appears if x ′ 2 is slower than x 1 , and it occurs during the next cycle if the delay condition is converse.
Example 5: n-AND
Under a condition similar to that in Example 4, the dynamic leakage, shown in Fig. 2 (b) , is
Finally, we describe a property common to static and dynamic leakage.
Property 2. (Complementary Leakage from AND-and OR-gate)
The static/dynamic leakages of an equal amount but of opposite polarity occur from thw AND-and OR-gate(or, the NAND-and NOR-gate) respectively, under the same input and delay time condition.
This implies that there is the possibility that the leakage of the entire circuit is counterbalanced. In actuality, a countermeasure using this property has been proposed [17] .
Enhanced Leakage Models
Thus far, some analysis technics that enhance standard DPA have been proposed. Here, we define the leakage model corresponding to these enhanced DPA and consider the effectiveness of each technic from the viewpoint of our model. In particular, we focus on Messerges's second-order DPA (M-2DPA) [12] and Waddle's second-order DPA (W-2DPA) [13] which are basically enhanced versions of DPA.
Standard Second-Order Attack
In standard DPA, the attacker analyzes power traces according to the average power difference at a specific time. On the other hand, in M-2DPA, the attacker analyzes power traces between two points. First, we define the leakage model of M-2DPA based on the signal transition in the following section. 
M-2DPA is an evaluation method that analyzes the correlation of the signal transition of two points. This implies that the correlation of the power consumption of two specific circuit components is evaluated. Moreover, this also implies that the correlation between cycles in the same circuit is evaluated if the combinational circuit is constructed with the loop architecture.
Next, we consider the condition to be secure against M-2DPA in CMOS logic circuits considering this leakage model. If a certain circuit is secure against standard DPA, the secure condition N diff = 0 is satisfied at any time in Eqs. (5) and (8) . In this case, we have N α=1 (t) = N α=0 (t) and N α=1 (t ′ ) = N α=0 (t ′ ). Thus, this circuit obviously satisfies N 2nd diff = 0. This implies that if the CMOS logic circuit is secure against standard DPA, it is also secure against M-2DPA. On the other hand, if a certain circuit is insecure against the standard DPA, we have N α=1 (t) − N α=0 (t) = k t ( = 0) and N α=1 (t ′ ) − N α=0 (t ′ ) = k t ′ at any two points t and t ′ , where k t and k t ′ are the leakages against the standard DPA at each time. In this case, if k t ′ = k t = 0 is satisfied at any point, this circuit satisfies N 2nd diff = 0. However, the circuit wherein equal leakage occurs at any point of time is not realistic. Namely, if the circuit is insecure against standard DPA, it is also insecure against M-2DPA in real circuits.
Taking the abovementioned facts into consideration using our models, we arrive at the following conclusion: -Messerges's second-order DPA is an attack that is essentially equivalent to the standard DPA in CMOS logic circuits.
M-2DPA is useful only when the spike is made easily visible, the DPA trace with intuitive understanding is obtained, or the number of samples is decreased. In the construction of the hardware countermeasure, we have to consider only the the standard DPA.
Attack by Squaring Power Traces
Zero-Offset 2DPA, which was proposed by Waddle et al., is an analysis technic, which is characterized by the use of squaring power traces [13] . We will refer to this technic as the W-2DPA. In this section, we consider the effectiveness of W-2DPA from the viewpoint of our model.
Definition 4. (Leakage by
Waddle's Second-Order DPA) Let S(t) be the set of transition frequencies with a possibility to occur at time t in the combinational circuit. Let p s (t) be the probability that the transition occurs in s gates at time t. The leakage by Waddle's Second-Order DPA V diff is
Here, we compare the secure condition of W-2DPA and standard DPA. Based on Definition 4, it is necessary to satisfy the following equation for V diff = 0.
In standard DPA, on the other hand, if (s·p α=1,s (t)) is equal to (s·p α=0,s (t)), N diff = 0 is satisfied. Thus, each secure condition is obviously different. This consideration suggests the following conclusion.
-Waddle's second-order DPA can detect the bias of the distribution of the transition probability in CMOS logic circuits.
W-2DPA is an analysis technic that is essentially different from standard DPA, and we must consider this technic in the construction of the hardware countermeasure. Actually, masked CMOS logics are weak against W-2DPA, even if the static model is assumed. These results are described in Section 4. Next, we enhance Definition 4 more effectively. Generally, it is difficult to compute p s (t) in the entire circuit when the dynamic model is assumed. Therefore, we enhance Definition 4 such that it is applicable to the actual device for simulating power analysis. 
Our models which are based on the transition probability can evaluate the security strength of the circuit in advance by extracting the transition of each gate from the netlist 4 for the logic simulation. In Ref. [14] , we point out that the evaluation results of logic simulation using our models are very similar to the actual circuits without countermeasures. 
Evaluation for Previously Known Countermeasures
There are two approaches to the construction of countermeasures at the circuit level. The first approach uses complementary behavior and makes power consumption independent of data. The second uses data masking in combinational circuits and renders intermediate data unpredictable. In this section, we review a typical example based on each approach and evaluate each countermeasure by using our leakage models.
Previously Known Countermeasures on the CMOS Circuit
Wave Dynamic Differential Logic Tiri et al. proposed Wave Dynamic Differential Logic (WDDL) [6] which is based on dynamic and differential logic and constructed with CMOS standard cell libraries. Figure 3 (a) shows the basic components of WDDL. As the first step, WDDL executes a precharge at the beginning of the combinational logic. It only contains three logic gates, i.e., AND, OR, and NOT. In addition, they proposed a method for the implementation of WDDL using FPGA. Figure 3 (b) shows the Masked-AND operation as proposed by Trichina [7] . Masked-AND is a method of calculating "(a · b) ⊕ r z " using the above 5 input data, x, y, r x , r y and r z . Hence, the computations, as shown in Fig. 3 (b) , can be performed without compromising on the bits of actual data. In addition, Blömer et al. insist that this approach is "Provably Secure" against DPA in Ref. [19] .
Masked-AND Operation
MAND Figure 3 (c) describes MAND proposed by Shimizu [18] . It is based on data masking and is characterized by the use of a dual-rail circuit.
Analysis for Complementary Logics
Based on Property 2, a complementary logic has the possibility of counterbalancing the leakage. WDDL is a method that refines this consideration. We consider the circuit shown in Fig. 3 (a) . At the end of the precharge phase (prch = 0), all output signals of the WDDL gates are at 0. Thus, the transitions for each gate in the evaluation phase (prch = 1) are equal to the wire value. In the case of the WDDL-AND gate,
Based on this, we obtain N stc diff = 0 because a transition occurs only at either one of the gates without any relation to the value of a or b.
Next, we consider the dynamic model. Here, we assume that the transition ∆b arrives at the gates later than transition ∆a. Table 1 shows the transition probability of each CMOS gate corresponding to each selection bit in this condition.
On the basis of the data listed in Table 1 , if ∆t in Definition 2 is long enough and both e(∆a) and e(∆b) occur for that time, N dyc diff = 0 is satisfied without any relation to the selection bit. However, if the attacker can observe power traces in ∆t that contains e(∆a), and not contain e(∆b) 5 , he can detect the bias of the transition frequency. It should be noted that it is difficult to observe the opposite case(only containing e(∆b)) because of some capacitance in the actual device. In the example of Table 1 , the dynamic leakage of the WDDL-AND gate is N dyc diff = −1 in evaluation phase when a is the selection bit. Although it is necessary to consider all arrival sequences of input signals when conducting a more detailed evaluation, we omit the details here. In the precharge phase, the dynamic leakage of the WDDL-AND gate is N dyc diff = 1 for Table 1 when b is the selection bit and ∆t contains e(∆a), and not contain e(∆b). It is noteworthy that the polarity of the leakage changes in the evaluation and precharge phases. In addition, the reason for the leakage of W-2DPA is similar to that mentioned above.
A similar observation applies to other countermeasures using complementary logic. On the basis of this consideration, the secure condition concerning complementary gates (logic) against DPA and W-2DPA is as follows:
-All input signals reach each complementary gate (logic) simultaneously.
Generally, it is difficult to implement this condition via circuits. In particular, it is not guaranteed in the LSI designed by the automatic synthesis/layout.
Analysis for Masked CMOS Logic
Generally, in order to extract the absolutely necessary results (e.g., a · b) from the masked operation results (e.g., (a ⊕ r x ) · (b ⊕ r y )), the DPA countermeasures based on data masking need to operate some unnecessary terms (e.g., (a ⊕ r x ) · r y ). Several methods have been proposed regarding the manner in which the operations should be divided. In this section, we will consider and evaluate Masked-AND [7] and MAND [18] .
Masked-AND When evaluating the Masked-AND circuit with Definition 1, it satisfies N stc diff = 0 because the wire value of each gate is randomized as mentioned in Ref. [19] . On the other hand, when evaluating the circuit with Definition 2, there is a possibility that N dyc diff = 0. In Ref. [20] , we analyze the abovementioned facts in more detail.
For this example, the output of gate 6 in Fig. 3 (b) is expressed as x · r y ⊕ r x · r y ⊕z. Here, if we assume that the signal transition occurs in order of x, r x and r y , the transition of gate 6 caused by e(∆r y ) can be expressed as x · ∆r y ⊕ r x · ∆r y = a · ∆r y . It follows that p dyc a=1,(6) (e(∆r y )) = 1/2, p dyc a=0,(6) (e(∆r y )) = 0. Thus, the leakage from gate 6 brought about by e(∆r y ) is N dyc diff = 1/2. Furthermore, since an XOR-gate propagates transitions of its input signal, gate 7 whose input is the output of gate 6 causes the same leakage as that of gate 6. The same is also the case with gate 8.
As mentioned above, it can be stated that the Masked-AND circuit may have the bias of signal transition according to secret information when a certain delay condition is met. The leakage in the dynamic model of Masked-AND is also analyzed in Ref. [21] , where a similar result is obtained.
Next, we discuss evaluating the Masked-AND circuit with Definition 5. For simplicity, we consider only four AND-gates in Fig. 3 (b) here. Table 2 lists the transition counts and their event probability when the selection bit is a, where s ∈ {0, 1, 2, 3, 4} is the total transition count of these AND-gates.
The following can be qualitatively inferred from Table 1 : If both a and b are 0, the four AND-gates from gate 1 to gate 4 in Fig. 3 (b) , execute the same logical operation and often exhibit similar behavior. On the other hand, they often behave differently if a or b is not 0. Actually, the event probability of s = 4 is p 4 = 7/64 when a = 0, while it is p 4 = 1/32 when a = 1. In a similar manner, the event probability differs depending on a predictable signal value. Quantitatively, from Table 1 and Definition 5, V ′ diff = −5/8 when the selection bit is a or b. Therefore, the Masked-AND circuit can be attacked with W-2DPA.
MAND The same observation applies to MAND. Here, we describe the case that is not secure against W-DPA even if it is secure against standard DPA. We focus on the delay relation between the MUX data signals and the MUX select signals in MAND, and consider the leakage separately in the following two delay conditions:
(or "delay(x), delay(r x ) < delay(y), delay(r y )") -Condition 2 : "delay(x) < delay(y) < delay(r x )" and "delay(x) < delay(r y ) < delay(r x )" (or "delay(r x ) < delay(y) < delay(x)" and "delay(r x ) < delay(r y ) < delay(x)") Condition 1 states that transitions according to x and r x occur at the events of the select signals. In addition, the condition in parentheses is a similar one, ex-cluding the cycle when the transition occurs. Condition 2 states that transitions according to either x or r x occur at the events of the select signals. First, we evaluate the leakage in Condition 1. The transitions of ψ 1 and ψ 2 at the events of the select signals are ∆ψ 1 (e(∆y)) = x · ∆y ⊕ r x · ∆y = a · ∆y, ∆ψ 2 (e(∆r y )) = x · ∆r y ⊕ r x · ∆r y = a · ∆r y .
Namely, if the selection bit is a, we have Finally, we evaluate the leakage against W-2DPA. We show the probability distribution of MAND in the static model in Table 3 . On the basis of this table, we have V ′ diff = −1/4. Thus, MAND is insecure against W-2DPA even if the static model is assumed.
Additionally, we consider the leakage against W-2DPA in Condition 2, which is secure against standard DPA. Although the data signal transitions influence both ψ 1 and ψ 2 , the transitions of select signals influence only either one of the two. Since W-2DPA is an attack that paid attention to the distribution of the transition probability at the entire circuit, we consider the influence of the data signal transition here. The transitions of ψ 1 and ψ 2 at the events of the data signals in Condition 2 are ∆ψ 1 (e(∆r x )) = ∆r x · y ⊕ ∆r x , ∆ψ 2 (e(∆r x )) = ∆r x · r y ⊕ ∆r x . Thus, the transition count is s ∈ {0, 2} at (e(∆r x )), assuming b = 0. Furthermore, each event probability is p 0 = 3/4 and p 2 = 1/4. On the other hand, the transition count is s ∈ {0, 1} at (e(∆r x )) assuming b = 1 and each event probability is p 0 = 1/2 and p 2 = 1/2. Therefore, since we have V ′ diff = −1/2, Condition 2 is insecure against W-2DPA even if it is secure against the standard DPA.
Experimental Results and Considerations
We evaluate the effectiveness of the previously known countermeasures by using FPGA. In this section, we show experimental results of elementary bricks of previously known countermeasures implemented on FPGA. The evaluation environment is the general one shown in Table 4 . An XCV1000-6-BG560C FPGA of Xilinx Inc. is mounted on the target board. Additionally, automatic placeand-route tools were used for all layout design. Figure. 4 shows the experimental results of standard DPA for each countermeasure (i.e., normal-AND, WDDL, Masked-AND, and MAND).
Standard DPA
In Fig. 4 , the average power enlarges at time t 4 and time t 5 when the WDDL circuit is activated. The first half (t 4 ) is an evaluation phase, and the latter half (t 5 ) is a precharge phase of WDDL. Figure. 5 is a magnified view of the WDDL part in Fig. 4 . There appears a small downward peak at time t 4 and a small upward peak at time t 5 , each of which are caused by timing differences between the input signal a and input signal b because automatic place-and-route tools were used. These peaks are in good agreement with the forecast by the evaluation based on our leakage model.
The Masked-AND circuit is activated at time t 7 where an upward peak (as shown in the considerations in Section 4.3) is observed. Since this peak is caused by transient hazards, it is relatively small as compared to that of the normal-AND.
At time t 9 , the MAND circuit is activated and an upward peak appears. As mentioned above, automatic place-and-route tools were used; thus, Condition 1 and Condition 2 shown in Section 4 are mixed. Therefore, leakage from Condition 1 can be observed. Here too, as in the Masked-AND case, the peak is relatively small as compared to that of the normal-AND because it is caused by transient hazards. In Fig. 6 , the same MAND circuit as that in Fig. 4 is activated at time t 1 . As evident from standard DPA traces in Fig. 6 at time t 1 , leakage is observed when the selection bit is a, but it is not observed when the selection bit is b. The MAND circuit that satisfies Condition 2 is activated between time t 3 and time t 8 The MAND circuit that satisfies Condition 2 6 . In this case, it is evident that leakage is not observed by standard DPA even if the selection bit is a. These results are in good agreement with the forecast in Section 4. Fig. 7 shows the experimental results of W-2DPA for each countermeasure (i.e., normal-AND, WDDL, Masked-AND, and MAND). The sample data used for the analysis is the same as the one used for standard DPA (Fig. 4) . Fig. 8 is a magnified view of the WDDL part in Fig. 7 . Peaks in Fig. 5 and Fig. 8 look similar, as indicated in the considerations in the previous section.
W-2DPA
It should be noted that the peaks of Masked-AND and MAND are static in this case; hence, they are as large as that of normal-AND. In the case of starndard DPA, peaks of Masked-AND and MAND are caused by transient hazards; hence, they are not so large. In 6 Toward a Perfect Countermeasure
Secure conditions of CMOS logic circuits against standard DPA and W-2DPA are N diff = 0 and V ′ diff = 0 without dependence on any selection bits. The approach by complementary logics is very effective although the problem of the signal delay persists. Actually, the leakage of WDDL is the least in our experimental results. We predict that a manual layout strengthens WDDL.
The approach by data masking requires both main operation (e.g., x · y) and cancel operation (e.g., x · r y , y · r x , and r x · r y ). When these operations are separately implemented by the CMOS logic gate, the probability distribution of the transition count in the entire circuit is different depending on sensitive information (see Section 5) . A consideration of both the static model and dynamic model reveals that this fact occurs. Therefore, we suppose that it is difficult to resist various power analysis by the approach of data masking in a general CMOS gate. The solution to this is to construct a special CMOS gate, which is improved at the transistor level and satisfies secure condition. For further details of a countermeasure based on this consideration, see Ref. [11] .
Conclusion
In this paper, we proposed leakage models of the CMOS logic circuits based on signal transition. These models are naturally applicable to various actual devices for simulating power analysis.
In addtiton, we evaluated the effectiveness of Messerges's second-order DPA (M-2DPA) and Waddle's second-order DPA (W-2DPA) from the viewpoint of our model. Thus, we demonstrated that M-2DPA is essentially equivalent to the standard DPA, and W-2DPA can detect the bias of the distribution of the transition probability in CMOS logic circuits.
Moreover, we analyzed previously known countermeasures by both our models and FPGA, and confirmed that the DPA traces on FPGA corresponded to the result obtained using our models. We emphasize the occurrence of the leakage in the previously known countermeasures. In particular, we pointed out that the masked CMOS logics have the similar weakness to standard CMOS logic without countermeasure against W-2DPA because the distribution of the transition probability are statically different.
