Physical Time-Varying Transfer Functions as Generic Low-Overhead
  Power-SCA Countermeasure by Ghosh, Archisman et al.
1Physical Time-Varying Transfer Functions as
Generic Low-Overhead Power-SCA Countermeasure
Archisman Ghosh, Debayan Das and Shreyas Sen
School of Electrical and Computer Engineering, Purdue University, IN, USA
Abstract—Mathematically-secure cryptographic algorithms
leak significant side-channel information through their power
supplies when implemented on a physical platform. These side-
channel leakages can be exploited by an attacker to extract the
secret key of an embedded device. The existing state-of-the-art
countermeasures mainly focus on the power balancing, gate-
level masking, or signal-to-noise (SNR) reduction using noise
injection and signature attenuation, all of which suffer either
from the limitations of high power/area overheads, performance
degradation or are not synthesizable. In this article, we propose a
generic low-overhead digital-friendly power SCA countermeasure
utilizing physical Time-Varying Transfer Functions (TVTF) by
randomly shuffling distributed switched capacitors to signifi-
cantly obfuscate the traces in the time domain. System-level
simulation results of the TVTF-AES implemented in TSMC 65nm
CMOS technology show > 4000× minimum traces to disclosure
(MTD) improvement over the unprotected implementation with
∼ 1.25× power and ∼ 1.2× area overheads, and without any
performance degradation.
Index Terms—Power Side-Channel Attack, Low-overhead
Countermeasure, Physical Obfuscation, Time-varying transfer
function, Synthesizable, Generic.
I. INTRODUCTION
In today’s data-driven internet-connected (IoT) world, se-
curity and confidentiality of communication and computing
are of utmost importance. To address these needs, various
cryptographic algorithms have been proposed till date, which
are computationally secure. However, as these algorithms
are implemented on a physical substrate, it leaks critical
’side-channel’ information in the form of power consump-
tion [1], [2], electromagnetic (EM) emanation [3], [4], cache
hits/misses [5], [6], and so on. These side-channel leakages
can be exploited by attackers to extract the secret key from a
cryptographic device. In this article, we focus on the power
SCA attack on an AES-128 engine.
Power analysis attack is one of the most common side-
channel attacks on embedded systems. The time-complexity
of breaking an AES-128 engine is reduced from 2128 for a
brute-force attack to 212 for a power SCA attack, as the key
search space reduces to 28 = 256 possibilities for each of the
16 key bytes.
Power SCA is performed by measuring the power consump-
tion of a target device during the encryption phase. Every
captured trace is synchronized with a chosen plaintext (PT)
or a known ciphertext (CT). The attacker can either feed
A. Ghosh, D. Das, and S. Sen are with the School of Electrical and
Computer Engineering, Purdue University, West Lafayette, IN, 47906 USA
email: (ghosh69@purdue.edu, das60@purdue.edu, shreyas@purdue.edu).
Fig. 1. Power SCA attack setup using Chipwhisperer on an 8-bit Atmega
microcontroller running AES-128 encryption.
chosen PTs to the target device or record the output CT, while
capturing the power traces. Once the traces are collected, a
differential/correlational power analysis (DPA/CPA) attack [1],
[2] is performed using a hamming weight (HW) or a hamming
distance (HD) model. The HW leakage model considers the
number of ones on the data bus during a switching activity,
while HD model takes into account the number of bits switch-
ing from one state to the next. HW models are useful for soft-
ware crypto implementations on various microcontrollers (as
in this work), while HD models are typically used for attacks
on hardware crypto implementations where the operations are
highly parallelized and the same register is updated each clock
cycle to store the updated state.
Fig. 1 shows an overview of the power SCA attack set-
up using the Chipwhisperer platform [7]. Traces are collected
from an unprotected software AES-128 engine running on
an 8-bit Atmega microcontroller for varying chosen input
plaintexts which has been provided by Chipwhisperer board to
the micro-controller. The traces from the Xmega target board
is transferred to the PC, where a CPA attack is performed to
extract the secret 128-bit key. In this work, we use the HW
model for the leakage from the microcontroller device and
target the output of the 1st round S-box for the CPA attack.
The correct key byte is distinguished by the sharp spike in
ar
X
iv
:2
00
3.
07
44
0v
1 
 [c
s.C
R]
  1
6 M
ar 
20
20
2correlation (ρ) between the hypothetical HW leakage and the
measured traces at the particular time instant where the target
operation (1st round S-box) occurs for that key byte.
In this work, we focus on one particular key byte (13th byte,
as it required the minimum number of traces to break for the
unprotected implementation) to demonstrate the resiliency of
our proposed countermeasure.
A. Motivation
Although power analysis attacks have been known for more
than two decades, the threat of power SCA is increasing
with the growth of miniaturized and resource-constrained IoT
devices. These small devices consist of low-power 8/16-bit
microcontrollers which have high signal-to-noise ratio (SNR)
making them more vulnerable to SCA attacks compared to the
64-bit processors (more ‘noise’). In case of 64 bit processor,
algorithmic noise is more. For side channel analysis, attack
model are built byte-wise or nibble-wise. Hence it has more
chance to correlate to bytes being attacked for 8-bit/16 it ar-
chitectures. On the other hand, parallel operations are done in
64-bit. Hence, development of a low-overhead countermeasure
is extremely critical to protect these embedded devices against
power SCA attacks.
In addition to low-overhead requirements, a countermeasure
can be easily incorporated into a product if it is generic and
synthesizable. Generic countermeasures are preferred from
an industry standpoint as it helps to maintain legacy of the
existing crypto algorithms and can be used as a wrapper
without any modification to the crypto core. Synthesizable
countermeasures helps in scalability across different technol-
ogy nodes and does not require manual efforts, aiding to non-
recurring engineering costs. These are important factors for an
industry to adopt a particular countermeasure, and all of these
have motivated the design of the proposed technique.
This article demonstrates a time-varying transfer func-
tion based low-overhead physical countermeasure utilizing
switched capacitors to reduce the information content of the
leakage from the crypto engine. Using time-varying transfer
functions (TVTF) by efficient randomization of physical re-
sources in the form of switched capacitors, the traces are
significantly obfuscated, without any performance degradation
This is a low-overhead circuit-level generic countermeasure
and can be extended to any other crypto algorithms. Moreover,
the circuit is entirely digital and can be synthesized (barring
the capacitors), aiding technology scaling.
B. Contribution
The specific contributions of this work are:
• This paper proposes physical time-varying transfer func-
tions (TVTF) to obfuscate the leakage due to the crypto
operations in the power traces. TVTF is achieved by ef-
ficient randomization of distributed switching capacitors.
• With the proposed TVTF, we mathematically and exper-
imentally demonstrate the effect of multiple capacitors
charging from supply/driving the AES at a given phase,
revealing that randomly choosing a single capacitor each
for charging/driving AES is the best choice to achieve
the maximum power SCA protection.
• System-level simulation results in TSMC 65nm CMOS
technology shows that the power SCA immunity is
enhanced by > 4000× compared to the unprotected
implementation with only 20%, 25% area and power
overheads respectively, and without any performance
degradation. Moreover, the proposed countermeasure is
generic and digital-friendly allowing scalability across
different technologies.
• The paper proposes a solution and represents a mathemat-
ical model for it. All the components are assumed to be
ideal to validate the immunity provided by our counter-
measure with respect to the unprotected implementation.
Practically, system noise would exist which will make the
SNR of the power signatures even lower enhancing the
MTD.
C. Paper Organization
The remainder of the paper is organized as follows. Section
II discusses existing state-of-the-art in detail, along with the
analysis of previously proposed switched capacitor based
countermeasures. In section III, theoretical background and
analysis of the proposed TVTF countermeasure is presented.
Section IV discusses more experiments and shows a mathemat-
ical formulation to evaluate the efficacy of the proposed TVTF
based multi-phase switched capacitor technique. Next, section
V presents the implementation results, followed by section
VI which analyses the tuning knobs for MTD improvement.
Finally, section VII concludes the paper.
II. BACKGROUND AND RELATED WORKS
A. State-of-the-art Power SCA Countermeasures
The state-of-the-art hardware countermeasure for power
SCA resistance can be broadly classified into three categories -
logical, architectural and physical. The first category of logical
countermeasures focus on designing SCA resistant logic styles
to equalize the power in each cycle of the clock. This includes
dual-rail precharge (DRP) logic style [8] and logic-level hiding
like the sense amplifier based logic (SABL) [9], both of which
require custom library cell design, and also incurs a large area
overhead. Other logic-level hiding techniques like the wave
dynamic differential logic (WDDL) [10], [11], and bridge
boost logic (BBL) [12] also fall under this category, however,
they are based on single rail standard cell libraries. WDDL was
the first power SCA resistant circuit validated in silicon with
a MTD of 21K, incurring a 3× area, 4× power, overheads
as well as 4× performance degradation. Logic level masking
at the gate level include masked dual-rail pre-charge logic
[13], [14], which can be built using the standard library cells,
however, it suffers from high area and power overheads.
The second category is architectural countermeasures,
which can utilizes time or amplitude distortions to hide the
leakage. Random insertion of dummy operations, shuffling of
operations, clock randomization, random order execution fall
in this category of architecture-level hiding. These shuffling
techniques involving randomizing the order of instructions are
3Fig. 2. a) Switched Capacitor Current Equalizer Countermeasure proposed in [15], [16]. It has 3 phases of operations: 1. charging load capacitor 2. charging
crypto core from load capacitor 3. Reset the load capacitor voltage value to a predefined voltage value. b) 2 phase switch capacitor without current equalizer
solution. Switching activity explained in Table I. Similar solution is proposed in [17]. c) Multiple capacitor based circuit. Switching is mentioned at Table II.
limited by the number of instructions that can be shuffled de-
pending on each algorithm, and does not provide high level of
protection [18]. Clock randomization based countermeasures
including dynamic voltage and frequency scaling (DVFS) has
been shown to be defeated by observing the clock edges at
the supply [19]. Masking schemes in the architecture level
include boolean masking, masking multipliers and random pre-
charge. All these countermeasures are typically algorithm and
architecture specific and hence is not generic as it requires
modifications in the algorithm itself.
The final category of power SCA protection is the phys-
ical countermeasures. The most well-known scheme in this
category is noise injection. However, noise insertion suffers
from extremely high area and power overheads [20], [21].
Other techniques in this category are based on supply isolation.
Low-dropout (LDO) regulators have been shown to provide
power SCA resilience [22]. However, it has also been shown
that an ideal series LDO implementation is inherently insecure
[21], [23]. Buck-converter based integrated voltage regulators
(IVRs) suffer from area overhead due to embedded passives
[24]. An on chip signal suppression based countermeasure
has been proposed in [25]. Recently, Das et al. [21], [23]
proposed signature attenuation to enhance the minimum traces
to disclosure (MTD) significantly. Although signature suppres-
sion is an efficient SNR reduction technique, utilizes mixed-
signal circuit (high output impedance current source biased
in saturation), which are not easily scalable across different
technology nodes. Hence, there is a strong need of synthesized
physical generic low-overhead solution.
Another physical-level countermeasure proposed by Toku-
naga et al. utilizes a switched capacitor technique to isolate the
AES engine from the power supply [15], [16]. This is a novel
circuit-level technique as it improves the MTD significantly
(> 2500×) but suffers from performance degradation. Let us
look into the operation of this circuit in the following sub-
section. Further improvement has been discussed in [26] to
reduce crosstalk further which is claimed to be more immune
to SCA attacks.
B. Switched Capacitor Current Equalizer Countermeasure
The idea behind the switched capacitor current equalizer is
to isolate the AES engine from the supply using a charging
capacitor [15]. This countermeasure, as shown in Fig. 2a.
TABLE I
SWITCHING PATTERN FOR THE 2-PHASE SWITCHED CAPACITOR WITHOUT
RESET
Time instance Connected to VDD Connected to AES
t2n C1 C2
t2n+1 C2 C1
has three phases of operation. In the first phase, switch S1
is closed and the load capacitor gets charged. In the second
phase of operation, switch S2 is closed and the capacitor is
connected to the crypto core, with complete isolation with the
supply. In the third phase of this circuit (switch S3 closed),
the load capacitor is discharged (reset) to a fixed voltage so
that the residual charge is not passed to the supply in the next
phase (first phase: S1 closed).
To accommodate these three phases of operation, three
identical switched capacitor modules are utilized providing
uninterrupted AES operations. While this countermeasure
provides high protection guarantees, it suffers from an 2×
throughput degradation. Iso-performance would require using
high values of capacitances, leading to > 2× area penalty.
It needs to be noted that the third phase (reset) of operation
is extremely important so that the discharged capacitor (con-
nected to AES in second phase) is not directly connected to
the power supply.
Challenges of Reset Phase: The reset phase of the
countermeasure involves a bias voltage which renders it
non-synthesizable and would not scale across different tech-
nologies. Also, every time resetting switch capacitors to a
predefined voltage value increases voltage swing across the
capacitor, which increments power overhead. Hence, let us
now try to leverage the switched capacitor based technique
without the reset phase.
C. Evaluation of Switched Capacitor Protection without Reset
To make the switched capacitor current equalizer circuit syn-
thesizable, we need to get rid of the third phase of operation,
where the capacitors are getting reset to a fixed bias (analog)
voltage. The modified circuit shown in Fig. 2b. consists of two
4a)
b)
Non-linear effect and Memory-effect with Multi-phase Switched Capacitor
With minimal
Measurement noise,
R=10 ohm
Without any
Measurement noise,
R=10 ohm
Tsw = 4 ns
Memory effect from prev ious cycles 
for Tsw <RC
c)
Fig. 3. (a, b): Effect of residue voltage addition for multi-phase capacitor with and without measurement noise. Measurement noise is added to emulate
the original noise present in the captured traces, to see the effect of signature attenuation due to the capacitor. It should be noted that this work focuses on
physical time-domain shuffling and to analyze the efficacy of the proposed physical TVTF countermeasure, no additional measurement noise is added in the
rest of the paper, unless mentioned otherwise. (c): Memory effect (shown for baseline 2-phase circuit) helps in cases of very high time constant (RC) or at
higher switching frequencies. At our chosen RC (in the flat region, C = 200pF , R = 10Ω), MTD is not increased. Also in the zone where memory effect
is useful, increasing switching frequency will increase power overheads, while high R, C choices will increase the area overhead.
TABLE II
SWITCHING PATTERN FOR THE 3-PHASE SWITCHED CAPACITOR
Time instance Connected to VDD Connected to AES
t6n C1 C2 C3
t6n+1 C1
t6n+2 C1 C3 C2
t6n+3 C3
t6n+4 C2 C3 C1
t6n+5 C2
phases with two load capacitors. In the first phase (t0), the
capacitor (C1) is connected to the AES core, while the other
capacitor (C2) is connected to the supply for charging. In the
alternate phase (t1), C2 drives the crypto engine while C1 is
charged from the supply. The residual voltage on a capacitor
after it has been been connected to the AES is given by,
Vres = VDD − 1
C
∫ tn+T
tn
iAESdt (1)
where iAES , T and C are the AES current, switching period
and capacitance of each unit capacitor respectively. Hence, the
supply current as a function of time is given as,
isup(t) =
VDD − Vres
R
e−
t
RC (2)
where R is the ON resistance of the switch. From Eqn. 2,
it is clear that the entire residue (integrated voltage) gets
connected to the supply thereby leaking through the power
supply. Similar approach has been taken in [17]. In this
work, capacitors have been included in packaging instead of
IC, which makes it vulnerable to invasive attack. And, this
isolation just changes the traces in a deterministic manner
which means in case of CPA, correlation point will change
though it will still correlate. Attenuation due to capacitors will
slightly increase MTD.
It is interesting to note that we observe very small improve-
ment in MTD (< 10×) with the 2-phase switched capacitor
without reset compared to an unprotected implementation
(initial MTD ∼ 30), since this circuit does not achieve any
supply isolation.
Next, we study the effect of multiple phases of the switched
capacitors without reset and examine if addition of multiple
phases which causes non-linear transformation to power trace
has any significant role in providing SCA protection.
D. Multi-phase Switched Capacitor Implementation
Here, we explore the effects of non-linearity (NL) and
memory by charging multiple capacitors together in a phase,
while another capacitor drives the AES engine in that phase.
Fig. 2c. shows a three-phase switched capacitor circuit without
any reset phase. Note that we refer to this circuit as three-phase
because of the three capacitors (N = 3) which connect to the
AES one at a time. Table II shows the switching activity for
the three capacitors. This strategy can be extended to larger
number of distributed switching capacitors.
1) Effect of Non-Linearity due to Multi-Cap Charging:
Integration is a non-linear operation. Using capacitor integrates
current trace over a specified time to introduce non-linearity.
On the other hand, if those capacitors can be onnected to AES
and VDD in different time, it can create time variance too.
Fig. 3(a) shows that the effect of just introducing non-linearity
does not create any time-variance to enhance the MTD. Note
that in Fig. 3(a), the effect of signature attenuation due to the
load capacitor is not present, which is a simulation (modeling)
artifact. As the AES power traces are collected from a real
device and fed to the circuit simulator (Cadence Virtuoso) as
a current piece-wise linear file (ipwlf), any amplitude reduction
of the signature would also reduce the measurement noise
in that signal, keeping SNR constant. This is an artifact for
which previous works on signature attenuation [21] have also
considered small noise injection to emulate the measurement
noise initially present in the power traces. However Fig. 3(a)
drives the fact that increasing the number of phases does not
have any impact in the time-domain obfuscation of power
trace.
5A
c
tu
a
l 
T
ra
c
e
M
o
d
if
ie
d
T
ra
c
e
VC5
VC2
VC4
VC3
VC1
VC8
VC7
VC6
VC12
VC9
VC11
VC10
VC14
VC13
VC16
VC15
Time Varying Transfer Function (TVTF) : explained with example  trace
Time 
Sample
Capacitor 
connected 
to AES
Capacitor 
connected 
to VDD
…. …. ….
205 C9 C1
217 C1 C9
229 C12 C4
241 C4 C12
253 C6 C14
265 C14 C6
277 C12 C4
289 C11 C3
301 C8 C16
313 C15 C7
325 C16 C8
337 C6 C14
349 C7 C15
361 C10 C2
373 C8 C16
385 C4 C12
397 C14 C6
…. …. ….250 300 350 450 500400
Fig. 4. This figure shows an example of TVTF-based randomization within a single cycle. AES trace is integrated and shuffled utilizing Algorithm I providing
significant obfuscation in the modified power traces. It should be noted that this figure only shows obfuscation within one cycle, but in general, the obfuscation
is not limited to a particular cycle and the information content of one cycle may be spread to few cycles later depending on the randomization algorithm,
which chooses when a particular capacitor is charged from the supply.
Hence, any influence on the MTD is solely due to the
signature attenuation as the voltage fluctuation across the AES
gets suppressed by the load capacitor and part of it gets
reflected through the ON switch during the charging phase.
To observe this effect of signature attenuation, we inject a
small amount of noise calculated from the initial SNR (20dB)
of the captured traces. With the peak AES current of 3mA,
SNR of 20dB implies that the measurement noise present in
the signal is 0.3mA. Emulating this measurment noise, we
observe the effect of signature attenuation with the increase
in total capacitance as shown in Fig. 3(b). Now, 2-phase
(2 unit capacitors) switched capacitor implementation shows
higher MTD than the 3-6-phase implementations as the unit
capacitance becomes higher (total capacitance is constant for
iso-area overhead).
2) Effect of Memory on MTD: Next, we analyze the effect
of memory of the distributed switched capacitor architecture
on the MTD. After a capacitor has been connected to the
AES engine, it has been discharged upto a certain voltage.
Now if we do not allow it to charge back completely, i.e.,
if the switching period is much lower than the RC time
constant (Tsw < RC, R being the ON resistance of the
switch and C is the unit capacitance of the 2-phase switched
capacitor), then the effect of previous samples can be spread
across multiple next cycles, leading to power trace distortion.
However, as seen from Fig. 3c, this obfuscation due to the
memory effect is rather small and only increases the MTD
slightly. Also, to leverage this small benefit would mean that
the switching frequency (fsw) is increased leading to a trade-
off with the power overhead. Another way to satisfy the
condition is to increase either capacitor size or decreasing
device size. (hence increasing impedance of the switches.)
But, increasing capacitance highers area overhead. Decreasing
device size beyond a point (length of the device according to
different technology) is impossible and MTD does not increase
much with respect to resistance of switches operating in linear
region as shown in Fig. 3c. Hence, partial charging is not
an efficient technique to enhance MTD as information is still
being leaked despite some distortion in power trace.
From these observations, we can conclude that multi-phase
switched capacitor does not produce significant distortion
of the power traces and can be broken easily. Definitely
increasing the capacitance increases the signature suppression
enhancing MTD at the cost of very high area overheads.
Hence, our goal is to achieve high power SCA protection
with low capacitances (low area overhead) and utilize physical
time-based obfuscation techniques. It should be noted that
for the rest of this work, we do not consider the effect
of measurement noise, unless mentioned otherwise, as we
focus on the evaluating the efficacy of physical time-domain
obfuscation, rather than the effect of signature attenuation.
This work utilizes the multi-phase distributed switched
6capacitor technique with physical time-domain pseudo-random
obfuscation of the traces and demonstrate high SCA immunity
with low area and power overheads and without any perfor-
mance degradation.
III. MULTI-PHASE SWITCHED CAPACITOR WITH
PHYSICAL TIME-VARYING TRANSFER FUNCTION
In the previous sections, it has been shown that multi-phase
capacitors in itself does not provide sufficient immunity to
protect against power SCA attacks. Without the reset phase,
the residual voltage of the capacitors leaks to the power supply
and breaks within a small MTD. Now, if we can somehow
randomize these multi-phase switching capacitors driving the
crypto module such that they connect to the power supply at
different points in time, the information content can be reduced
significantly as the encryption traces become obfuscated across
different points in time.
Fig. 4 shows an pictorial representation of the concept.
Note that power traces will be available to the attacker
in randomly obfuscated manner. We implement a pseudo-
random algorithm to determine the capacitor that is being
charged at a time and also the one which drives the AES.
This allows physical shuffling of the distributed load capacitors
and obfuscates the traces across different time samples. It is
important to note that this is different from algorithm shiflling
which has been introduced in multiple literature as it is done in
VDD level with switch capacitor. Hence it is generic and easily
applicable to any other crypto-algorithm. Algorithm 1 presents
physical TVTF technique for the randomized shuffling of
the capacitors, by choosing only 1 capacitor (out of n total
capacitors - n− phase switched capacitor implementation) to
drive the AES and another to be charged from the supply at
a particular time. Each clock cycle is divided into n different
phases and two capacitors are chosen by the algorithm, one
for charging and the other drives the AES engine.
The algorithm is synthesized using hardware description
language (HDL) by incorporating linear feedback shift reg-
isters (LFSR) as shown in Fig. 5. For the 10-phase TVTF
switched capacitor implementation, we utilize 2-level stochas-
tic LFSRs to obtain a high periodicity of 28−1 = 255. A 4-bit
LFSR is used to stochastically sub-sample the 8-bit LFSR to
produce a 4-bit output. Similarly, we can increase the width of
1st LFSR and by appropriately sub-sampling it using proper
multiplexer, we can get larger periodicity of output values.
Algorithm 1: Obfuscation Algorithm for TVTF
1 Take n number of capacitor.
2 Precharge the capacitors.
3 Divide it in 2 different arrays .
4 while Encryption is not done do
5 Pick randomly 1 from ’to be charged’ array and
connect it to VDD.
6 Pick randomly 1 cap. From ’to supply AES’ array
and connect to AES.
7 After dt time put back those 2 capacitors in
alternative arrays.
HDL version of Algorithm 1 takes two random number
generated by both the LFSRs and ensures two numbers are
different, so that a capacitor can not be connected to supply
and AES at the same time. Hence, AES can never be connected
to supply directly. This block also decodes the logic to turn
on one switch for both the charging and discharging switches.
This strategy of physical time-varying transfer function
based shuffling obfuscates the signal drastically and reduces
the information content as shown in Fig. 4. If there are n
number of capacitors in the switched capacitor array, any
random capacitor can be chosen in
(
n
1
)
different possible ways.
The probability of one particular capacitor to be charged at
a time sample is 1n−1 . Hence, MTD will depend on the
pattern of repetition of the shuffled capacitors and thus
we employ 2-stage LFSRs (Fig. 5) to leverage high level of
randomness.
It should be noted that the power consumption of a LFSR
is much lower compared to the AES itself. Hence, it will be
very difficult for an attacker to retrieve the initial seed of the
LFSR from the power traces. The seed can be programmed
once by the manufacturer.After every operation done value of
LFSR will be stored. This updated LFSR value will never be
reset to initial seed, instead, updated value will act as seed
for next operation. Thus, the chance of physical attack by
collecting traces every time just after switching on the circuit
and collecting the power traces.
In this section, we have discussed the proposed TVTF
approach by choosing one capacitor each (
(
n
1
)
) for charging
and discharging phase respectively out of the n-capacitor array.
In the next section, we will evaluate the effect of choosing
multiple capacitors (m) each for charging and discharging
phases (
(
n
m
)
). Note that, the proposed architecture is fully
synthesizable except the capacitors which have been used to
store the charges for small amount of time and used as supply
of crypto –engine (AES here). Control unit is all digital and
through the power switch, it is connected to capacitors. Ports
from control unit are available to make direct connection to
the capacitors making the circuit digital technology scalable.
IV. TVTF WITH MULTI-PHASE SWITCHED CAP:
EVALUATION OF
(
n
m
)
APPROACH
This section analyzes the effect of choosing multiple capac-
itors for charging and discharging at each phase of operation.
As mentioned earlier, it should be noted that we divide the
clock cycle into n phases, where n is the total number of
capacitors in the switched capacitor array.
We can choose m capacitors out of the n total capacitors in(
n−m
m
)
different ways. Now, we need to ensure that the charg-
ing of these m capacitors through the supply does not overlap
with the time points for another encryption. This combination
can occur in
(
(n−m−m)
n
)
=
(
(n−2m)
m
)
different ways. Even if one
of the m capacitors are being charged from the supply at the
same time points, information gets leaked.
Hence, the probability of information not leaking through
the supply is given as,
pnot leak =
(
n−2m
m
)(
n−m
m
) (3)
7Crypto 
Core
VDD
C1 C2 C10
sw9:0 sw19:10
Physical pseudo-random Switched Capacitor based TVTF architecture
2
b0(1:0)
.
.
.
.
.
.
.
s0
s3
r0
r1
r6
r7
8 bit 
LFSR
4 bit 
LFSR
2:1 
MUX
2:1 
MUX
b3(1:0)
s3
s2
s0
.
.
.
Digital Logic 
(Algorithm I)
Charging 
Switches(sw9:0 )
Digital Logic generates 2 
distinct random  numbers to 
turn on one switch each for 
charging and discharging 
respectively.
Discharging 
Switches(sw19:10 )
Fig. 5. Final Architecture of physical TVTF based multi-phase switched capacitor.
Hence, the probability of information leakage is given as
(Pleak)
Pleak = 1− Pnot leak
= 1−
(
n−2m
m
)(
n−m
m
)
= 1− (n− 2m)(n− 2m− 1)...(n− 3m+ 1)
(n−m)(n−m− 1)...(n− 2m+ 1) (4)
Now (n−2m)(n−2m−1)...(n−3m+1)(n−m)(n−m−1)...(n−2m+1) ≤ n−2n−1∀ m
n−2
n−1 is Pnot leak for m=1. Equality condition exists for m=1.
Hence for integer m > 1 probability of information leakage
is more.
Hence, with n-phase switched capacitor array,
(
n
1
)
(m = 1)
is the best possible TVTF strategy for physical time-domain
obfuscation, as it reduces the information leakage by the
maximum amount.
V. RESULTS : DESIGN SPACE EXPLORATION
Power traces have been collected from an 8-bit Atmel
microcontroller running AES-128 encryption, using the Chip-
whisperer platform. The clock frequency of the software AES
is 125MHz and has a peak current of 3mA (average current
∼ 1mA). A CPA attack performed on this unprotected AES-
128 showed an MTD of ∼ 20 traces.
A. Choice of Switch ON resistance & Unit Capacitance
As discussed earlier, to minimize the area overhead, a total
capacitance of 200pF is chosen. Now we need to determine
the optimal value of the unit capacitors such that there is no
performance degradation of the crypto engine. Fig. 6 shows
the effect of the switch ON resistance (R) and the choice of
the unit capacitor (C) on the voltage droop across the AES
core. Tolerating a maximum voltage drop of 0.1V, we see that
with R = 10Ω, we can support a minimum unit capacitance of
20pF. This also implies that the maximum limit to our number
of phases/capacitors (n) becomes 10.
Fig. 6. Choice of the switch ON resistance (R) and the unit capacitance (C) is
shown. For our TVTF-based switched capacitor circuit implementation, switch
resistance (R) is chosen as 10Ω and individual unit capacitors is chosen to
be 20pF to avoid any performance degradation (voltage droop < 100mV ).
B. Effect of increasing the number of Phases
Figure 8 shows that increasing the number of unit capac-
itors, and hence the phases of operation in a clock cycle
increase the MTD significantly. Also, Figure 8 shows that the
effect of memory due to the previous time cycles (Tsw < RC)
has negligible effect on MTD. We also see that 10 phases
(or capacitors) gives a higher MTD, and hence we choose
10 as the number of optimal phases. It should be noted
that increasing the number of phases has trade-off with the
power consumption (due to higher switching frequencies) and
performance.
As discussed in section III, next set of results are ob-
tained by choosing multiple capacitor from an array of 10
capacitors. With increase of number of capacitors chosen at
a time(m) reduces MTD. Even though we might expect a
8Fig. 7. a) Correlation between Hamming weight matrix and current traces
after 200 traces for unprotected AES. b) Correlation between Hamming weight
matrix and protected current traces for TVTF-AES.
TVTF: Effect of switched capacitor phases
MTD α Number of Phases
Without noise.  
MTD increment 
of 1000x w.r.t.
Fig. 4
Fig. 8. MTD increases as the number of phases (unit capacitors) are increased.
The memory effect for Tsw < RC is quite small and does not justify
the associated power overhead trade-off. Hence, the proposed TVTF circuit
operates in the region of Tsw > RC.
higher degree of randomization due to multiple capacitors
getting charged/discharged, we see the opposite trend, which
is consistent with our analysis in Section III. We see that
for n = 10,m = 1 gives the maximum MTD, as seen
from Figure 9. This also reveals that TVTF allows for an
area-efficient solution with very low values of unit capacitor.
Although low values of capacitor has trade-offs with the
performance degradation, as discussed earlier. Figure 7(a)
TABLE III
MTD IMPROVEMENT BY TUNING PERIODICITY OF PRNG (NUMBER OF
CAPACITORS AND TOTAL CAPACITANCE ARE FIXED )
Periodicity MTD
23 − 1 700
216 − 1 66000
232 − 1 92000
shows peak in correlation for the correct key with only 200
power traces, while the protected implementation does not
show any correlation spikes (Figure 7(b)).
C. Effect of Choosing multiple capacitors (
(
n
m
)
) with TVTF
Finally, Fig. 10 shows the MTD plots with respect to
number of traces analyzed for the proposed solution. For the
TVTF based switched capacitor with 10 evenly distributed
capacitors (n = 10, m = 1), we achieve an MTD of ∼ 30K
traces (Fig. 10(a)).
Next, we study the effects of uneven distribution of unit
capacitors and also covering 2 clock cycles to achieve higher
levels of randomization.
D. Effect of Periodicity of PRNG
Pseudo random number generator is the backbone of TVTF
architecture. It has been observed with increase of periodicity,
MTD has been increased significantly. This observation is
tabulated in Table III. Note that, periodicity changes inversely
effect the probability of getting same trace at same time point,
which increases MTD.
E. Effect of unequal capacitors
Further randomization can be achieved with unequal capac-
itance values, while maintaining a fixed total capacitance of
200pF. With this, MTD can be further enhanced (Fig. 10(c).
This is because according to equation 1 as the voltage residue
value depends on individual capacitance. Hence presence of
different capacitors further distorts the signal and increases
protection by 2.5× and increases the MTD to 80K traces
(4000×) with iso-area overhead.
Voltage sample at nth time sample will be obfuscated ac-
cording to proposed algorithm and will be available at different
time sample for different cycle as shown in Fig. 11. But
we see from equation 1 capacitance value can further distort
voltage trace as it is the co-efficient of current integration
term. Hence introducing different capacitance value will lead
to MTD increment.
To check the sole effect of spread vector due to uneven
capacitance value, we take a sample signal. We scale the signal
according to effect of vector due to spread of capacitance
value and correlate it with our initial signal. We observe
change in correlation co-efficient as shown in Fig. 10b. Note
that with 20% in capacitance value spread gives a significant
improvement in MTD ( 4000x as shown in Fig. 10)c. We can
leverage this constraint to reduce correlation value even more
9Total Cap.= 200 pF
Effect of Multiple capacitor (nCm) driving AES in a random fashion
a) b)
Fig. 9. a)Effect of the choice of number of capacitors (m) at a time from a pool of 10 capacitors (n = 10) on MTD. As discussed previously, increasing m
does not enhance MTD as the probability of information leakage is increased. This also implies that a low value of unit capacitor is sufficient to leverage
the benefits of TVTF-based time shuffling, but it has trade-offs with the throughput/performance. b)Effect of multiple capacitors for a fixed total cap (200pF)
shows that the MTD is maximum when a single capacitor (m=1) is chosen by the TVTF algorithm, each for the charging and discharging. The decreasing
trend with respect to m supports the mathematical justification in Section IV that the
(n
1
)
is a better randomization than
(n
m
)
for m ≥ 2.
200pF
Even cap.
200pF
Uneven cap.,
1 cycle coverage
Change of correlation co-efficient vs. Number of Traces Analyzed
a)
200pF
Uneven cap.
c)
MTD ~80K
MTD ~80K
C
o
rr
e
la
ti
o
n
 c
o
-e
ff
ic
ie
n
t
Percentage spread of Capacitance value
0 10 20 30 40 50 60
0.9
0.95
1
b)
C
o
rr
e
la
ti
o
n
 c
o
-e
ff
ic
ie
n
t
Traces Analyzed Traces AnalyzedC
o
rr
e
la
ti
o
n
 c
o
-e
ff
ic
ie
n
t
Fig. 10. a) MTD plot for the TVTF-based switched capacitor technique shows an MTD ∼ 30K (1500× improvement) with equally distributed unit capacitors
(20pF each) across 10 phases. b) With unequal capacitance ranging from 16pF-24pF with a total capacitance of 200pF produces protection up to MTD > 80K
traces which is > 4000× compared to the unprotected AES implementation.
Obfuscation due to uneven capacitors
time
          
        
      
          
     
     
Even Cap
time
          
        
      
          
     
     
Uneven Cap
1st level of obfuscation 1
st level of obfuscation
2nd level
of obfuscation
Fig. 11. It is shown in Equation 1 voltage residue depends on capacitance
value of each capacitor. Introducing unevenness in capacitance adds an extra
level of randomization.
which will increase MTD number significantly. Remember
that, increasing spread of capacitance value implies reducing
the minimum capacitance value which will increase maximum
droop. It can adversely effect the efficiency of the circuit. To be
on safer side, average capacitance has to be increased. Hence
area overhead will be increased.
Effect of multi-cycle operation : We also analyze the
effect of operating across multiple cycles with higher total
capacitances and the same unit capacitance. Instead of cov-
ering 1 cycle with distributed capacitor, more cycles can be
covered with increasing number of phases which will definitely
increase order of randomization and increase MTD). This has
some drawbacks too. Capacitances of distributed units can not
be reduced significantly, as it increases the voltage drop the
AES leading to performance degradation. Hence, in this case
most obvious solution is to increase the value of capacitors,
which again cause the area overhead.
10
Fig. 12. Test vector leakage assessment results show significant amount of
decrease in statistical t-value in protected version which implies encryption
engine with proposed countermeasure is way less leaky with respect to
straightforward implementation.
F. Test vector leakage assessment
Surely, attacking using CPA is an indication but does not
completely declare extra security. Different type of power
analysis attacks have been introduced and researches are going
on for further improvement on attack models and algorithms.
Hence, it is important to calculate amount of meaningful
leakage by an encryption engine. Test vector leakage assess-
ment (TVLA) is one of the most trusted leakage assessment
algorithm. |t|−value of 4.5 does not have any data dependent
leakage. AES with TVTF crosses the threshold of 4.5 after
2.5K traces while unprotected has a much higher value (11.5)
even with only 5 traces. We observe maximum |t| − value of
8.37 in the protected AES version against 190.1 of unprotected
version after 7.5K traces. Trend has been shown in Fig. 12.
G. Immunity against correlational power analysis on sliding
window based integrated trace
Traditional CPA assumes a single leakage point and expects
it to be correlated with attack model. Crypto algorithms
(specially in software implementations) might have multiple
leakage points which is usually located near each other [27].
To test the immunity of our countermeasure, it has attacked
using this algorithm. Proposed countermeasure has an MTD
of 15000 at ideal simulation. MTD has been further increased
to 97000 in presence of slight measurement noise as shown
in Fig. 13. It has been observed that software AES trace has
a tendency to correlate at multiple points. These correlation
points normally stay close to each other. Hence in integrated
trace, this increases chance of getting correlated. This will not
necessarily be better in other type of implementation where
only one correlation point exists.
Table IV compares this work with existing solutions.
WDDL [10] suffers from high overheads and performance
degradation. Switch capacitor current equalizer circuit by
C
o
rr
e
la
ti
o
n
 C
o
-e
ff
ic
ie
n
t
Traces Analyzed
MTD 15K at Ideal 
Simulation environment
CPA on integrated trace
Comparable to graph at fig 
12a. (MTD ~30K)
Fig. 13. Correlational power attack on integrated trace has shown an
improvement over normal CPA. At ideal situation, MTD is 15000 in protected
version.
Carlos et. al [15] also suffers from performance degradation
and is a mixed-signal circuit. IVR [24] based countermeasure
does not increase MTD to a large number. On a different
note, Digital LDO based countermeasure [22] has higher area
overhead with capacitor. Proposed countermeasure has an
area-overhead of 4% without the capacitors.
H. Area and Performance analysis
Power overhead depends on 3 components.
1. Power lost while charging the capacitors and have been
given by,
Pl = 0.5 × fswitching × unit capacitance × (δV )2 =
0.125 mW ,where δV is the maximum voltage drop.
2. Another component is the switching power, Pswitching
= fswitching × Cgate cap × V 2DD = 50 uW, where Cgate cap
is the gate capacitance of switch.
3. Pseudo-random number generator (PRNG) is another
cause of power overhead. For a 10-bit LFSR, the power
overhead is given by PPRNG = PLFSR×2+Plogic = 150µW .
Final power overhead,
Pov = Pl + PPRNG + Pswitching = 325µW .
Hence, the power overhead can be given as,
PAES+Pov
PAES
= 0.325+1.321.32 = 1.24×.
Similarly Area overhead will have 3 components - area
due to capacitors (Acap), area of PRNG (APRNG) and area
of the PMOS switch (Asw). Hence, area overhead is given
as, Aov = Acap +APRNG +Asw = 0.03 mm2.
Area of AES in 65nm TSMC CMOS technology is ≈ 0.15
mm2. Hence, the relative area overhead = Aov+AAESAAES
= 0.15+0.030.15 = 1.2×.
Table III summarises the MTD improvements and overhead
comparison with respect to the existing state of the art coun-
termeasures.
11
TABLE IV
OVERHEAD COMPARISON OF TIME VARYING TRANSFER FUNCTION (TVTF) WITH THE EXISTING STATE-OF-THE-ART COUNTERMEASURES
Parameters This Work TCAS-I’18 [21] JSSC ’06 [10] ISSCC ’09 [15] ISSCC ’17 [24] ISSCC ’19 [22]
Technology 65nm 130nm 180nm 130nm 130nm 130nm
Technique used TVTF ASNI WDDL Sw. Capacitor IVR Digital LDO
Power 1.24x 1.68x 4x 2.66x 2x 1.35x
Area 1.2x 1.6x 3x 1.25x 2x 1.38x1
Performance Degradation 0 0 4x 2x 0 1.1x
MTD 4000x 1000x 30x 2500x 100x 4210x
Comments Digital-friendly Mixed-signal Mixed-signal Mixed-signal mixed-signal Digital-friendly
1Large metal-insulator-metal (MIM) load capacitor (1.9nF) not considered in the area overheads.
I. Remarks
Power overhead linearly increases with higher switching
frequency. At switching frequency of 1.25GHz, the power
consumption becomes 325µW . Again from Fig. 10, it is
evident that increasing number of phases per clock cycle of
AES increases MTD, hence providing more immunity. Clearly,
we can infer from these two trends that the number of phases
can be used as a tuning knob to optimize between MTD and
the power efficiency.
Note that, in this work, we have chosen captured traces from
a software AES running on an 8-bit Atmel microcontroller,
and performed system-level simulations in Cadence Virtuoso.
Although this a physical circuit-level countermeasure, it can
be used as a wrapper both for hardware as well as software
implementations of AES. The primary reason of choosing a
software AES was to deal with low initial MTD values which
helps in faster analysis of the proposed countermeasure.
Note that this paper mainly focuses on power side channel
attack. Though EM side channel attack is also a threat to
consider, it is beyond the scope of this work. But, this solution
can be extended to EM Side channel attack too. Analysis has
been shown in [28] that low level metal layers radiates very
less amount of leakage from the IC. Hence capacitors shuffling
logic as well as AES charging logic can be implemented using
low level metal layer before it routes to highly radiating metal
layers for charging of supply capacitors. EM probe will detect
shuffled traces in this solution which is already immune to
side channel attack.
VI. TUNING KNOB TO INCREASE THE RESISTANCE OF
PROPOSED COUNTERMEASURE
This section summarizes the key factors that allows to
increase immunity of proposed countermeasure even more at
the cost of area or power overhead.
• Number of Phases: Number of phases is one of the
most important parameter to increase MTD. Number
of phases implies increase in randomization within a
given time window. Hence, probability of getting same
traces at a particular point reduces further which helps
to increase MTD. Fig. 8 shows the trend. Note that
increasing number of phases requires higher switching
frequency producing higher power overhead.
• Effect of uneven capacitors: Residue trace depends on
the capacitance value of capacitors as discussed previ-
ously. Changing the capacitance of each capacitor and
making it slightly uneven for each other further distorts
the trace thus reducing the information.
• Periodicity of PRNG: Periodicity of PRNG implies
repetitive pattern in capacitor connection to VDD and
AES. Hence increment in periodicity increases random
shuffling and helps in MTD increment.
VII. CONCLUSIONS
Power side-channel attack is a prominent attack on encryp-
tion ICs. This works proposes TVTF: a physical time-varying
transfer function countermeasure to significantly obfuscate
the power traces in the time-domain utilizing multi-phase
switched capacitors. TVTF performs efficient randomization
of the switched capacitors to obfuscate the traces.
Previously, shuffling based architectural countermeasures
have been proposed which randomize the order of instructions,
but there are limited number of instructions which can be shuf-
fled and are specific to a particular algorithm and architecture.
DVFS-based countermeasures based on clock randomization
were shown to be broken previously by observing the clock
edges at the power supply, since it preserves the order of the
instructions.
The proposed TVTF-based switched capacitor countermea-
sure provides a generic, low-overhead (1.2× area, 1.25×
power overhead), and digital-friendly solution. The capacitors
are not synthesizable, but the rest of the countermeasure is
completely digital which makes it scalable across different
technologies. Finally, it achieves a power SCA protection
of > 4000× compared to the unprotected implementation
without any performance degradation.
REFERENCES
[1] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power
Analysis. In Michael Wiener, editor, Advances in Cryptology —
CRYPTO’ 99, number 1666 in Lecture Notes in Computer Science, pages
388–397. Springer Berlin Heidelberg, August 1999.
[2] Eric Brier, Christophe Clavier, and Francis Olivier. Optimal Statistical
Power Analysis. Technical Report 152, Cryptology ePrint Archive,
Report, 2003.
[3] Jean-Jacques Quisquater and David Samyde. ElectroMagnetic Analysis
(EMA): Measures and Counter-measures for Smart Cards. In Smart
Card Programming and Security, Lecture Notes in Computer Science,
pages 200–210. Springer, Berlin, Heidelberg, 2001.
[4] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electro-
magnetic Analysis: Concrete Results. In Cryptographic Hardware and
Embedded Systems — CHES 2001, Lecture Notes in Computer Science,
pages 251–261. Springer, Berlin, Heidelberg, May 2001.
12
[5] Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman,
RSA, DSS, and Other Systems. In Neal Koblitz, editor, Advances in
Cryptology — CRYPTO ’96, number 1109 in Lecture Notes in Computer
Science, pages 104–113. Springer Berlin Heidelberg, August 1996.
[6] David Brumley and Dan Boneh. Remote Timing Attacks Are Practical.
In Proceedings of the 12th Conference on USENIX Security Symposium
- Volume 12, SSYM’03, pages 1–1, Berkeley, CA, USA, 2003. USENIX
Association.
[7] Colin O’Flynn and Zhizhang (David) Chen. ChipWhisperer: An Open-
Source Platform for Hardware Embedded Security Research. In Em-
manuel Prouff, editor, Constructive Side-Channel Analysis and Secure
Design, Lecture Notes in Computer Science, pages 243–260. Springer
International Publishing, 2014.
[8] Jean-Luc Danger, Sylvain Guilley, Shivam Bhasin, and Maxime Nas-
sar. Overview of Dual rail with Precharge logic styles to thwart
implementation-level attacks on hardware cryptoprocessors. In 2009
3rd International Conference on Signals, Circuits and Systems (SCS),
pages 1–8, November 2009.
[9] K. Tiri, M. Akmal, and I. Verbauwhede. A dynamic and differential
CMOS logic with signal independent power consumption to withstand
differential power analysis on smart cards. In Proceedings of the 28th
European Solid-State Circuits Conference, pages 403–406, September
2002.
[10] D. D. Hwang, K. Tiri, A. Hodjat, B. C. Lai, S. Yang, P. Schaumont, and
I. Verbauwhede. AES-Based Security Coprocessor IC in 0.18um CMOS
With Resistance to Differential Power Analysis Side-Channel Attacks.
IEEE Journal of Solid-State Circuits, 41(4):781–792, April 2006.
[11] K. Tiri and I. Verbauwhede. A logic level design methodology for a
secure DPA resistant ASIC or FPGA implementation. In Automation
and Test in Europe Conference and Exhibition Proceedings Design,
volume 1, pages 246–251 Vol.1, February 2004. ISSN: 1530-1591.
[12] Shengshuo Lu, Zhengya Zhang, and Marios Papaefthymiou. 1.32ghz
high-throughput charge-recovery AES core with resistance to DPA
attacks. In 2015 Symposium on VLSI Circuits (VLSI Circuits), pages
C246–C247, June 2015. ISSN: 2158-5601, 2158-5636.
[13] Thomas Popp and Stefan Mangard. Masked Dual-Rail Pre-charge Logic:
DPA-Resistance Without Routing Constraints. In Josyula R. Rao and
Berk Sunar, editors, Cryptographic Hardware and Embedded Systems –
CHES 2005, Lecture Notes in Computer Science, pages 172–186, Berlin,
Heidelberg, 2005. Springer.
[14] Thomas Popp, Mario Kirschbaum, Thomas Zefferer, and Stefan Man-
gard. Evaluation of the Masked Logic Style MDPL on a Prototype
Chip. In Cryptographic Hardware and Embedded Systems - CHES 2007,
Lecture Notes in Computer Science, pages 81–94. Springer, Berlin,
Heidelberg, September 2007.
[15] C. Tokunaga and D. Blaauw. Secure AES engine with a local switched-
capacitor current equalizer. In 2009 IEEE International Solid-State
Circuits Conference - Digest of Technical Papers, pages 64–65,65a,
February 2009.
[16] C. Tokunaga and D. Blaauw. Securing Encryption Systems With a
Switched Capacitor Current Equalizer. IEEE Journal of Solid-State
Circuits, 45(1):23–31, January 2010.
[17] Adi Shamir. Protecting smart cards from passive power analysis with
detached power supplies. In CHES, 2000.
[18] Nicolas Veyrat-Charvillon, Marcel Medwed, Ste´phanie Kerckhof, and
Franc¸ois-Xavier Standaert. Shuffling against Side-Channel Attacks: A
Comprehensive Study with Cautionary Note. In Xiaoyun Wang and
Kazue Sako, editors, Advances in Cryptology – ASIACRYPT 2012,
Lecture Notes in Computer Science, pages 740–757, Berlin, Heidelberg,
2012. Springer.
[19] Karthik Baddam and Mark Zwolinski. Evaluation of Dynamic Voltage
and Frequency Scaling as a Differential Power Analysis Countermea-
sure. In 20th International Conference on VLSI Design held jointly with
6th International Conference on Embedded Systems (VLSID’07), pages
854–862, January 2007. ISSN: 1063-9667, 2380-6923.
[20] Tim Gu¨neysu and Amir Moradi. Generic Side-Channel Countermeasures
for Reconfigurable Devices. In Cryptographic Hardware and Embedded
Systems – CHES 2011, Lecture Notes in Computer Science, pages 33–
48. Springer, Berlin, Heidelberg, September 2011.
[21] Debayan Das, Shovan Maity, Saad Bin Nasir, Santosh Ghosh, Arijit
Raychowdhury, and Shreyas Sen. ASNI: Attenuated Signature Noise In-
jection for Low-Overhead Power Side-Channel Attack Immunity. IEEE
Transactions on Circuits and Systems I: Regular Papers, 65(10):3300–
3311, October 2018.
[22] Arvind Singh, Monodeep Kar, Sanu Mathew, Anand Rajan, Vivek De,
and Saibal Mukhopadhyay. 25.3 A 128b AES Engine with Higher
Resistance to Power and Electromagnetic Side-Channel Attacks Enabled
by a Security-Aware Integrated All-Digital Low-Dropout Regulator. In
2019 IEEE International Solid- State Circuits Conference - (ISSCC),
pages 404–406, February 2019. ISSN: 2376-8606, 0193-6530.
[23] Debayan Das, Shovan Maity, Saad Bin Nasir, Santosh Ghosh, Arijit
Raychowdhury, and Shreyas Sen. High efficiency power side-channel
attack immunity using noise injection in attenuated signature domain.
In 2017 IEEE International Symposium on Hardware Oriented Security
and Trust (HOST), pages 62–67, May 2017.
[24] M. Kar, A. Singh, S. Mathew, A. Rajan, V. De, and S. Mukhopadhyay.
8.1 Improved power-side-channel-attack resistance of an AES-128 core
via a security-aware integrated buck voltage regulator. In 2017 IEEE
International Solid-State Circuits Conference (ISSCC), pages 142–143,
February 2017.
[25] Girish B. Ratanpal, Ronald D. Williams, and Travis N. Blalock. An on-
chip signal suppression countermeasure to power analysis attacks. IEEE
Transactions on Dependable and Secure Computing, 1:179–189, 2004.
[26] Amir Moradi and Franc¸ois-Xavier Standaert. Moments-correlating dpa.
In Proceedings of the 2016 ACM Workshop on Theory of Implementation
Security, pages 5–15, 2016.
[27] Dor Fledel and Avishai Wool. Sliding-window correlation attacks against
encryption devices with an unstable clock. In IACR Cryptology ePrint
Archive, 2018.
[28] Debayan Das, Mayukh Nath, Baibhab Chatterjee, Santosh Ghosh, and
Shreyas Sen. Stellar: A generic em side-channel attack protection
through ground-up root-cause analysis. 2019.
