Cryptosystems for smartcard are required to provide protection from Differential Power Analysis (DPA) attack. Self-timed circuit based cryptosystems demonstrate considerable resistance against DPA attack, but they take substantial circuit area. A novel approach offering up to 30% area reduction and maintaining DPA protection level close to DIMS scheme is proposed.
Introduction
As security critical devices such as smartcard are being widely used, a variety of different attacks to detect critical personal information continue to emerge. Among such various type of attacks, Differential Power Analysis (DPA) [1] is considered as a powerful method to smartcards and many countermeasures against DPA attack have been developed. Of the countermeasures, self-timed circuit technique [2] , which is based on Delay-Insensitive Min-term Synthesis (DIMS), is widely accepted for its efficiency in equalizing power consumption with different data values. In this letter, a new approach to design an area efficient self-timed circuit is presented. Comparisons of the proposed scheme with DIMS based circuit are presented to demonstrate the area reduction and comparable DPA countermeasure performance.
Differential Power Analysis
Power Analysis (PA) uses correlation between internal secret key and discrete time power signal measured externally to break a cryptographic system. DPA is also based on PA, but it depends on statistical method to enhance attack efficiency. Consider a cryptographic system performing simple XOR operation with a randomly selected plain-text input and an internal secret key of the same bit width. Then the cipher-text is obtained as
where i is the sequence number of M plain-text inputs and j indicates bit position out of N bits for each plain-text input. 
Based on the classifications, average power of the discrete time signal at time t for each set is given by
Where 
From the DPA bias signal
is a distinctively positive spike, the j-th bit of the secret key is considered as one and zero for a negative spike [3] . These procedures are repeated until whole secret key bits are detected.
Proposed Scheme Based on Self-Timed Circuit
To date, most DPA countermeasures exploiting self-timed circuit have been DIMS based. Self-timed circuits designed by DIMS approach show little power consumption difference arising from processing binary data zero and one, so they demonstrate good power consumption equalization characteristics. The other approaches based on synchronous circuit to balance power consumption have also been discussed [4] , [5] . The dynamic logic based circuit Sense Amplifier Based Logic (SABL) demonstrates very small power consumption difference, but its instant high peak current during pre-charge phase is a disadvantage for smartcard applications where power supply condition is not quite stable. In addition to this, since SABL is basically designed for synchronous based circuit using CLK signal for pre-charge and evaluation phase control, SABL is not adequate for selftimed control scheme. While DIMS approach adopts special self-timed cell called "C-element," proposed scheme based on Self-Timed circuit consisting of Standard Cells (STSC) employs standard cell. Use of such standard cell for other applications has been discussed in [6] . It is known that the STSC circuit is faster and takes less area comparing with DIMS, but it is not speed independent. With smartcard application, however, the STSC circuit is more efficient than DIMS circuit, because area cost is the most important factor and speed independency is less stringent. As an example of DIMS and STSC circuits, Fig. 1 illustrates the implementation of 1 bit logical XOR function with internal secret key for one of two inputs to each gate.
Performance Simulation with DPA Attack
To compare the resistance performance, 32 bit XOR function was implemented by three different schemes. Circuit power simulation was performed by PowerMill TM Software on 0.25 µm 2.5 V process with BSIM3V3 model and 10 ps simulation time resolution. Figure 2(a) shows the results of synchronous XOR case with DPA attack. With about 6,000 random plain-text external inputs, D[t] of a positive spike for the secret key bit value "1" and a negative spike for the secret key bit value "0" were contrastingly observed at t≈550 ps, leading to successful detection of secret key bit. Figure 2 (b) in different scale of current for better interpretation shows the results of STSC and DIMS circuits with DPA attack. It is seen in the figure that no distinctive spike pattern between secret key zero and one is observed even with 10 times more severe attack, e.g., 10 × 6, 000 random plaintext inputs, applied to both circuits, causing unsuccessful detection of internal secret key. 
SNR Analysis
In order to compare security level numerically, SNR (≡ P SIGNAL /P NOISE ) defined in [7] was used for performance measure. The root-mean square of D[t] difference with one bit of a plain-text input changed is defined as P SIGNAL and the root-mean square of average power waveform over all the inputs used for simulation is considered as P NOISE . The SNR values of three 32 bit logical functions by three different schemes are pictorially compared in Fig. 3 . Note that lower SNR value is more desirable, since it means that it is more difficult to extract distinctive DPA bias signal D[t] when attacking a cryptosystem. When comparing with DIMS scheme, SNR of XOR function (XOR32) by STSC scheme is about 4 dB higher than that of DIMS scheme. For other logical functions 32 bit AND and 32 bit full adder, SNRs of STSC scheme are close to those of DIMS scheme. Throughout three different logical functions, SNRs of synchronous circuit (Synch.) are significantly higher than those of two other schemes. 
Comparison of Area Cost
In order to compare the area cost, 1024 bit Montgomery multiplier block widely used for RSA cryptosystem was implemented by three different schemes. Table 1 lists in percentage the number of transistors necessary for implementation of each 1 bit logical function. It is seen in the table that synchronous circuit based scheme is the most efficient, followed by STSC scheme and DIMS scheme. Since the area cost is proportional to the number of transistors required, STSC based scheme causes about 30% overall reduction(= 100×[281−198]/281) of area cost, as compared to DIMS scheme.
Conclusions
In this letter, an area efficient design method with selftimed circuit for DPA attack countermeasure has been proposed. The STSC based self-timed circuit has already been studied for other applications. However, its application for DPA resistant circuit and corresponding performances are firstly discussed in this paper. Comparing with popular DIMS based approach, proposed scheme reduces area cost by about 30%, while maintaining similar security level.
