Abstract. The early propagation effect (EPE) is a critical problem in conventional dual-rail logic implementations used against Side Channel Attacks (SCAs). Among previous EPE-resistant architectures, PA-DPL logic offers EPE-free capability at relatively low cost. However, its separate dual-core structure is a weakness when facing concentrated EM attacks, where a tiny EM probe can be precisely positioned closer to one of the two cores. In this paper, we present a PA-DPL dual-core interleaved structure to strengthen resistance against sophisticated EM attacks on Xilinx FPGA implementations. The main merit of the proposed structure is that the two routings in each signal pair are kept identical even though the dual cores are interleaved. By minimizing the distance between the complementary routings and instances of both cores, even a concentrated EM measurement cannot easily distinguish the minor EM field imbalance. In PA-DPL, EPE is avoided by compressing the evaluation phase to a small portion of the clock period; the speed is therefore inevitably limited. To address this, we extend the duty cycle of the evaluation phase to more than 40 percent, yielding a larger maximum working frequency. The detailed design flow is also presented. We validate the security improvement against EM attack by implementing a simplified AES co-processor on a Virtex-5 FPGA.
Introduction
Power consumption and ElectroMagnetic (EM) attacks have been the most studied attack types since the Side Channel Attack (SCA) was introduced by Paul Kocher et al. [1]. DPL (Dual-rail Pre-charge Logic) has been experimentally shown to be an effective countermeasure against SCA: the complementary behavior between the True (T) and False (F) rails masks its data-dependent power or EM variations. In [2], the Early Propagation Effect (EPE), also called the Early Evaluation/Pre-charge Effect, was studied for the first time, revealing a potential defect in conventional DPL logic that can possibly impact the complementary balance between the T and F rails. A difference in arrival time between the inputs of complementary gates (or LUTs on an FPGA) can generate unintentional data-dependent power or EM peaks. This is particularly critical in FPGA implementations because of the rigid routing resources. In recent years, several countermeasures for repairing the EPE problem have been proposed, mainly relying on dual-rail compound gates with complementary signal pairs. In this structure, the corresponding gates of the two rails are placed side by side, but routing is done automatically by the router, which may lead to non-identical routing paths between the complementary rails. A dual-core structure called PA-DPL (Precharge-Absorbed Dual-rail Precharge Logic) is proposed in [3]; it aims to resist the EPE problem while keeping routing identical for implementations on Xilinx FPGAs with 6-input LUTs. However, the separate placement of the dual cores makes it vulnerable to concentrated EM attacks.
In this paper, we present a row-crossed interleaved structure to minimize the dual-rail imbalances caused by non-identical routings. The main merit is that identical routing for complementary net pairs can be maintained between the two interleaved cores, thereby increasing the resistance to concentrated EM attacks. We also relax the rigid timing in [3] by extending the signal's duty cycle, which helps to increase the maximum working frequency. The complete design flow and security tests against attacks on interleaved PA-DPL are given.
The rest of the paper is organized as follows. Section 2 introduces the EPE problem and briefly discusses related techniques. Section 3 details the proposed interleaved PA-DPL structure with identical routing. The implementation flow of this structure for a simplified AES co-processor is shown in Section 4. Section 5 describes the experimental attacks and net delay results. Conclusions and future work are given in Section 6.
Related Work
Side channel analysis reveals confidential information by analyzing side channel leakages at a low level, namely the physical level. Therefore, countermeasures at this level typically have better security performance than, for example, arithmetic protections. However, physical leakages can be affected by many factors. Any minor asymmetry between the T and F rails can possibly lead to a detectable unbalanced compensation in the DPL structure, such as compensation skew, switching time swing or glitches. Typically, routing length and process variation are considered to be two significant factors that impact the compensation between the T and F rails [4].
The Problem of Early Propagation Effect
DPL is a common logic type with a symmetrical structure and mirror behavior. DPL generates complementary logic behaviors on the T and F rails and therefore yields a constant and stable switching pattern in the overall power or EM curves of both rails. Figure 1 shows a compound XOR gate where complementary inputs to the two gates generate complementary outputs.
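The two properties described so far, constant switching per cycle and data-dependent evaluation time when inputs arrive at different instants, can be reproduced in a small event-level model; the Python below is an added illustration, not code from the paper. The AND/OR gate pair, pre-charge to 0 and the arrival times are assumptions chosen for the example.

```python
# Added illustration (not from the paper): event-level model of one
# dual-rail pre-charge gate. The AND/OR pair, pre-charge value 0 and the
# arrival times used below are assumptions made for this example.
from itertools import product

def rails(bit):
    """Encode a logic bit as a (true_rail, false_rail) pair."""
    return (bit, 1 - bit)

def single_rail_toggles(prev_out, a, b):
    """Transitions on an unprotected AND output: depends on the data."""
    return int(prev_out != (a & b))

def dual_rail_toggles(a, b):
    """Transitions over one pre-charge + evaluation cycle of the T/F pair."""
    (at, af), (bt, bf) = rails(a), rails(b)
    out_t, out_f = at & bt, af | bf           # complementary gate pair
    # Both rails start at 0 (pre-charged); a rail that rises during
    # evaluation falls again in the next pre-charge, hence the factor 2.
    return 2 * (out_t + out_f)

def evaluation_time(a, b, t_a, t_b):
    """Instant at which the output pair leaves the pre-charge state.

    Each input pair leaves (0, 0) at its own arrival time. The OR gate on
    the F rail fires as soon as any false-rail input is 1, without waiting
    for the later input: this is the early propagation effect.
    """
    (at, af), (bt, bf) = rails(a), rails(b)
    if at & bt:                               # T rail needs both inputs
        return max(t_a, t_b)
    # F rail fires on the earliest false-rail input that carries a 1
    return min(t for t, f in ((t_a, af), (t_b, bf)) if f)

def profile(t_a, t_b):
    """Map each input pair to (dual-rail toggles, evaluation instant)."""
    return {(a, b): (dual_rail_toggles(a, b), evaluation_time(a, b, t_a, t_b))
            for a, b in product((0, 1), repeat=2)}

if __name__ == "__main__":
    for label, (t_a, t_b) in {"skewed": (1.0, 3.0), "aligned": (2.0, 2.0)}.items():
        print(label, profile(t_a, t_b))
```

With skewed arrivals the toggle count stays constant, but the evaluation instant separates the inputs by the value of the early-arriving bit, which is the timing leak EPE-resistant logic is designed to remove.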
