Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully
  Integrated Inductive Voltage Regulator by Kar, Monodeep et al.
Monodeep Kar∗, Arvind Singh∗, Santosh Ghosh†, Sanu Mathew†,
Anand Rajan†, Vivek De†, Raheem Beyah∗ and Saibal Mukhopadhyay∗
∗School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA
Email: {monodeepkar, rathorearvind19, rbeyah, saibal.mukhopadhyay}@gatech.edu
†Intel, Hillsboro, OR, Email: {santosh.ghosh, sanu.k.mathew, anand.rajan, vivek.de}@intel.com
Abstract—Modern high-performance as well as power-
constrained System-on-Chips (SoC) are increasingly using hard-
ware accelerated encryption engines to secure computation,
memory access, and communication operations. The electro-
magnetic (EM) emission from a chip leaks information of the
underlying logical operation being performed by the chip. As
the EM information leakage can be collected using low-cost
instruments and non-invasive measurements, EM based side-
channel attacks (EMSCA) have emerged as a major threat to
security of encryption engines in a SoC. This paper presents the
concept of Blindsight where a high-frequency inductive voltage
regulator integrated on the same chip with an encryption engine
is used to increase resistance against EMSCA. High-frequency
(∼100MHz) inductive integrated voltage regulators (IVR) are
present in modern microprocessors to improve energy-efficiency.
We show that an IVR with a randomized control loop (R-
IVR) can reduce EMSCA as the integrated inductance acts as a
strong EM emitter and blinds an adversary from EM emission
of the encryption engine. The measurements are performed
on a prototype circuit board with a test-chip containing two
architectures of a 128-bit Advanced Encryption Standard (AES)
engine powered by a high-frequency (125MHz) R-IVR with
wirebond inductor. The EM measurements are performed under
two attack scenarios, one, where an adversary gains complete
physical access of the target device (EMSCA with Physical
Access) and the other, where the adversary is only in proximity
of the device (Proximity EMSCA). The resistance to EMSCA is
characterized considering a naive adversary as well as a skilled
one with intelligent post-processing capabilities. In both attack
modes, for a naive adversary, EM emission from a baseline IVR
(B-IVR, without control loop randomization) increases EMSCA
resistance compared to a standalone AES engine. However, a
skilled adversary with intelligent post-processing can observe
information leakage in Test Vector Leakage Assessment (TVLA)
test. Subsequently, we show that EM emission from the R-IVR
blinds the attacker and significantly reduces SCA vulnerability
of the AES engine. A range of practical side-channel analysis
including TVLA, Correlation Electromagnetic Analysis (CEMA),
and a template based CEMA shows that R-IVR can reduce
information leakage and prevent key extraction even against a
skilled adversary.
Index Terms—Hardware Security, Side Channel Attack, Elec-
tromagnetic Attacks, CEMA, TVLA, Template Attack, Integrated
Voltage Regulators, FIVR, EMI
I. INTRODUCTION
High performance encryption is becoming a standard feature
in modern hardware across different applications like protected
video streaming [1], data and memory protection [2], [3] and
financial data transactions. One of the most common cryptographic
algorithms used to enhance the security of servers, desktops, and mobile
platforms [2] is the Advanced Encryption Standard (AES). The
latest processors and SoCs show a common trend of using a dedicated
accelerator for AES. A new instruction (AES-NI) has
been added as an extension to the x86 instruction set and is
widely used across Intel and AMD processors [2]. Similarly, the
ARM Cortex processor series also has dedicated instructions
for AES and SHA-256. The hardware acceleration of AES engines
is also being actively studied for power-constrained small
IoT edge devices to support secure communication, leading to the
design of energy-efficient AES engines [4]–[6]. As computing
continues to become more ubiquitous, ensuring the security of the
encryption engines in computing and communication devices
against side channel attacks (SCA) is becoming increasingly
important and challenging. In particular, power dissipation and
electromagnetic (EM) emissions from modern SoCs can leak
compromising information and have emerged as key threats to
the security of modern SoCs. Consequently, power and EM side
channel attacks on AES architectures have received significant
attention over the last decade [2], [7]–[11]. Although the majority of
these works focus on inhibiting power attacks, preventing EM
attacks is gaining importance in the era of mobile and
ubiquitous computing, due to the simplicity and inexpensive
nature of the EM attack. Mounting a power attack requires
physical probing of the target device, i.e. direct access to
the printed circuit board (PCB) and/or the exposed area of the
package which houses the chip. EM side channel signatures,
on the other hand, can be easily captured with inexpensive
EM probes [7] (Figure 1) by being in close proximity to the
device.
arXiv:1802.09096v1 [cs.CR] 25 Feb 2018
Fig. 1. EM attack on a Smart-phone
Traditional approaches to EM countermeasures involve
modifying the algorithm, architecture, or logic design of the
AES engines. But the challenge comes from the significant
power, performance, or area overheads associated with these
approaches, making adoption of these techniques unattractive
to resource-constrained and performance-sensitive commercial
products. Operating systems like Android 5.0 and Apple iOS
already suffer from slow memory encryption, which suggests
that additional performance penalty for side-channel security is
unacceptable for commercial products [12]. Another option of
adding advanced EM shielding [8], [9] comes at the expense
of significantly increased packaging cost. Moreover, recent
EM attacks have been demonstrated on finished products with
high-end packaging which came with EM shielding [13], [14].
In essence, eliminating the physical leakage of EM signals is
difficult and comes with high power and performance penalty
and increased cost. Therefore, this paper pursues an orthogonal
approach to thwarting EM side-channel attacks and develops
innovative techniques using existing components in modern
SoCs to modulate information content in the EM signatures
and reduce information leakage.
A voltage regulator module (VRM) converts the input
voltage from a voltage source (battery/power supply/harvested
energy) to a suitable voltage for the application circuit. Traditionally,
VRMs are used as separate integrated circuits (ICs)
on the same board as the processor/SoC to generate different
voltage levels. However, driven by the needs to (i) reduce
noise in the power supply, (ii) enable fast dynamic voltage
scaling for reducing power, and (iii) create multiple voltage
domains for efficient workload-driven power management,
there is a growing trend of integrating a VRM with the
processors and SoCs on the same die [15]–[17]. Inductive
IVRs are switching voltage regulators with an inductance and
a capacitance. Recent commercial processors like Intel
Haswell and Xeon have demonstrated integration of inductive
IVRs on the processor chip [15], [17]–[19]. In this paper,
we argue that the EM signatures from a targeted platform are
modified by the presence of an inductive IVR. The switching
nature of operation and the presence of an inductor, typically
integrated close to the physical location of the application
circuits, create an interference in the measured EM signatures.
The interference is dictated by the current pattern through the
inductor.
Motivation:
Kar et al. in [20] presented power side-channel attack
(PSCA) results for two configurations of an inductive IVR,
namely a baseline IVR (B-IVR) representing typical oper-
ating mode of any inductive IVR and randomized IVR (R-
IVR) where the control loop of the IVR is randomized. In
general the techniques for improving PSCA resistance are not
guaranteed to be effective for improving EMSCA resistance.
However, the current transformations through an IVR, which
are exploited for improving PSCA resistance, change the
current pattern through the inductor and therefore carry the
potential to be effective for improving EMSCA resistance as
well.
Contribution:
This paper presents the concept of Blindsight where a high-
frequency IVR is used to increase resistance against EMSCA.
We, for the first time, experimentally characterize EM emis-
sion of a system-on-chip (SoC) with embedded encryption
engine powered by an IVR. We demonstrate that an R-IVR
reduces EMSCA as the integrated inductance acts as a strong
EM emitter and blinds an adversary from EM emission of the
encryption engine.
We consider two attack scenarios, namely, (i) EMSCA with
physical access, where an adversary has gained physical access to
the device and performs localized EMSCA on the SoC using a
probe with high spatial resolution; and (ii) Proximity EMSCA,
where the adversary can only get to a close proximity of the
target device and is forced to use a passive EM probe that
can measure signature from a larger distance but with lower
spatial resolution. We also consider adversaries with different
skill-sets: 1) a naive adversary that can only perform SCA on
the raw EM signal captured by the probes (no post-processing
skills) and 2) a skilled adversary who can perform intelligent
post-processing on the captured data.
Under the preceding attack model and adversary skills, we
characterize EM leakage from a prototype board carrying a
fabricated application-specific-integrated-circuit (ASIC) with
two 128-bit AES engines, powered by B-IVR and R-IVR.
We consider two architecturally different implementations of
the AES-128 algorithm. The first design, suitable for a high
throughput device such as desktop or server microprocessor
is referred to as HP-AES, and the second design, suitable
for a power constrained IoT device application is referred to
as LP-AES. To quantify the EMSCA resistance, Correlation
Electromagnetic Analysis (CEMA) which is a key-extraction
attack and Test Vector Leakage Assessment (TVLA) which is
a leakage analysis test are used.
The measurements and analysis performed in the paper
demonstrate the following key observations:
• If an IVR is not used (standalone AES mode), a naive (and
skilled) adversary can extract useful information from EM
leakage both with physical access and from close proximity.
The measurements show that, using CEMA, the secret keys
from the HP-AES and LP-AES engines can be extracted from
40,000 and 1,000 traces, respectively. As expected, the TVLA
shows very strong information leakage.
• If the attacker has physical access to the device and a probe
with high spatial resolution, a skilled adversary can measure EM
signatures by placing the probe near specific pins of the SoC
package. In particular, we show that placing the probe near
the inductor node and the supply node of the IVR shows
strong information leakage in the B-IVR mode in a TVLA
test. However, no information leakage is measured at the
same locations when the R-IVR is used.
• If the attacker can only come into the proximity of the device
and hence uses a low-resolution probe, a naive adversary
can extract the secret key in the standalone mode, but fails to
extract the key with an IVR. A skilled adversary, with appropriate
post-processing, can extract information from the EM
signatures in B-IVR mode in the TVLA test for both HP-AES
and LP-AES. Moreover, a successful CEMA was observed
on LP-AES with 40,000 traces, although HP-AES failed to
show a successful CEMA with 500,000 traces. However,
even for a skilled adversary, the R-IVR mode suppresses
information leakage: TVLA shows no noticeable leakage
with linear and higher-order statistics, and CEMA was not
successful even with 500,000 traces, for both AES designs.
We proposed a new attack model by subtracting a template
EM signature from the measured signatures to remove the
effect of randomization, but no successful CEMA attack was
observed.
In summary, we show that, in addition to the performance
efficiency gained by the use of an IVR, various naive side-
channel attacks performed by measuring EM signature from
close proximity can be thwarted. A skilled adversary can
still extract information when a baseline IVR architecture is
used. However the R-IVR reduces vulnerability to EMSCA,
even for a highly-skilled adversary, by using a minor design
modification on the existing IVRs.
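The observations above report TVLA results "with linear and higher-order statistics". The following added example (not the authors' code, and run on constructed Gaussian traces rather than EM measurements) shows why both orders are checked: a fixed-versus-random Welch t-test per sample point, at first order on raw samples and at second order on centered squares. The fixed-versus-random setup and the |t| > 4.5 bound are assumptions taken from common TVLA practice, not from the page.

```python
import math
import random

TVLA_THRESHOLD = 4.5  # ASSUMPTION: conventional TVLA bound on |t|, not stated on the page


def welch_t(a, b):
    """Welch's t-statistic for two samples with possibly unequal variances."""
    na, nb = len(a), len(b)
    mean_a, mean_b = sum(a) / na, sum(b) / nb
    var_a = sum((x - mean_a) ** 2 for x in a) / (na - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (nb - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / na + var_b / nb)


def column(traces, i):
    """All values recorded at sample point i across a set of traces."""
    return [trace[i] for trace in traces]


def centered_square(samples):
    """Second-order preprocessing: squared deviation from the set's own mean."""
    mean = sum(samples) / len(samples)
    return [(x - mean) ** 2 for x in samples]


def tvla_max_abs_t(fixed_set, random_set, order=1):
    """Largest |t| over all sample points for a first- or second-order test."""
    if order not in (1, 2):
        raise ValueError("only first- and second-order tests are implemented")
    worst = 0.0
    for i in range(len(fixed_set[0])):
        f, r = column(fixed_set, i), column(random_set, i)
        if order == 2:
            f, r = centered_square(f), centered_square(r)
        worst = max(worst, abs(welch_t(f, r)))
    return worst


def assess(fixed_set, random_set):
    """Run both orders and flag leakage if either exceeds the threshold."""
    result = {
        "order1": tvla_max_abs_t(fixed_set, random_set, 1),
        "order2": tvla_max_abs_t(fixed_set, random_set, 2),
    }
    result["leaks"] = max(result["order1"], result["order2"]) > TVLA_THRESHOLD
    return result


def constructed_traces(rng, n_traces, n_points, leak_point=None, mean=0.0, sigma=1.0):
    """Constructed unit-variance Gaussian traces; one optional sample point
    is drawn with its own mean and sigma to stand in for data dependence."""
    traces = []
    for _ in range(n_traces):
        trace = [rng.gauss(0.0, 1.0) for _ in range(n_points)]
        if leak_point is not None:
            trace[leak_point] = rng.gauss(mean, sigma)
        traces.append(trace)
    return traces


def demo(seed=2018, n_traces=2000, n_points=16):
    """Three constructed 'fixed' sets, each tested against a fresh 'random' set."""
    rng = random.Random(seed)
    fixed_sets = {
        # data dependence visible in the mean: caught by the first-order test
        "mean_shift": constructed_traces(rng, n_traces, n_points, 5, mean=0.5),
        # same mean, different spread: only the second-order test sees it
        "variance_only": constructed_traces(rng, n_traces, n_points, 5, sigma=1.5),
        # no dependence at all: both tests stay below the threshold
        "no_dependence": constructed_traces(rng, n_traces, n_points),
    }
    return {
        name: assess(fixed, constructed_traces(rng, n_traces, n_points))
        for name, fixed in fixed_sets.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} order1={result['order1']:6.2f} "
              f"order2={result['order2']:6.2f} leaks={result['leaks']}")
```

A design passes only when every sample point stays below the bound at every order tested, which is the sense in which "no noticeable leakage" is reported for the R-IVR mode.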
The rest of the paper is organized as follows: Section
II provides background on side-channel attack; Section III
discusses the preliminary concepts on the role of IVR in
power side-channel attack; Section IV describes the design
of the prototype system; Section V, Section VI and Section
VII present the measurement results corresponding to the two
attack scenarios described in this paper; Section VIII discusses
additional topics on the proposed method and Section IX
concludes the paper.
II. THREAT MODEL AND PRELIMINARIES
A. Threat Model: EMSCA
Due to the abundance of the connected devices as well
as their expected hostile operating conditions without any
supervision, it is becoming increasingly easy to snoop side
channel signatures from a device. The most exploited side
channels are power i.e. current flowing into the supply and
ground pins of the targeted hardware and EM emissions
from the targeted system during the encryption process. For
collecting power traces, it is necessary for the adversary to
make physical contact at the power pin of the target platform
and is difficult to perform on a finished product. Picking up
EM signatures from a device is non-invasive in nature and
therefore fits perfectly for a run-time attack on a device.
The past research shows successful key-recovery for both
symmetric ciphers (AES) and asymmetric ciphers (RSA, ECC
etc.) [21]–[23].
Fig. 2. Different EM probes used for analysis (a) An active probe with high
spatial resolution for EMSCA with physical access (b) Passive probes for
proximity EMSCA
Several tiers of adversaries and attack scenarios have varying
access/proximity to the device to be attacked. Depending
on the proximity to the devices, an intelligent adversary will
also select an appropriate EM probe for the attack. We envision
two attack scenarios and choose appropriate probes for each
of them.
• EMSCA with Physical Access: In the first scenario, we
envision that the device has been captured by the adversary
and the adversary has the ability to deconstruct the device
and have direct access to the pins and traces. We have used
a Langer MFA-R near field probe with a 300µm resolution
and an active low noise amplifier to characterize the EM
leakage from different pins of the package as shown in
Figure 2a. The probe has a bandwidth of 6GHz which allows
accurate measurement of the high frequency EM radiations.
As pointed out in [24], EM probes like this indirectly
measure the power signature from the corresponding pin or
PCB trace. Due to high sensitivity to the distance between
the probe and the package pin, the probe has to be placed
right on top of the pin, as shown in Figure 2a.
• Proximity EMSCA: The second attack scenario considers
a case where the adversary does not have access to the actual
device, but can come within close proximity of the device to
be attacked. For example, the adversary can be standing in
line behind the victim, having an actual conversation with
the victim, or can place an inconspicuous item containing a
probe (as done in [23] by hiding an EM probe within a Pita
bread). Figure 2b shows two passive EM probes by Beehive
Corp. with significantly larger loop area than the Langer
probe described earlier. The loop diameters are 0.85 in and
0.4 in for the larger and the smaller loop respectively. The
probes deliver their output into a 50 ohm load. These inexpensive
probes are easy to acquire and hide. Both the probes are
placed on top of the package at different locations for
characterizing EM leakage and will be described in further
detail in section VI-A.
Fig. 3. Effect of different countermeasures for PSCA on EMSCA
B. State of the Art: EM Countermeasures
Countermeasures are modifications to the design of the hardware
to reduce side channel vulnerability. Different countermeasures
have been proposed by researchers in the past decade
to prevent side channel leakage, both for PSCA and EMSCA.
The majority of these countermeasures target power attacks and
aim at decorrelating the measured power signatures and data
at the intermediate steps of the algorithm. This can be achieved
by changing the intermediate steps of the encryption algorithm,
changing the architecture or using logic styles where the
power consumption is unrelated to the switching activity.
Each of these techniques change the design of the hardware
either in algorithm, architecture or physical implementation
level. A parallel category of PSCA countermeasures does not
modify the design of the encryption engine, rather uses generic
techniques like attenuation, noise addition and transformations
for reducing the correlation.
The nature of power and EM side channel are radically
different, therefore countermeasures for PSCA might not be
effective for EMSCA and vice-versa. In general, any PSCA
countermeasure that depends on isolation or attenuation of
the power signatures [11], [25], [26] and does not modify
the design of the encryption engine, may not reduce EM-
based side channel leakage as explained in Figure 3. This is
due to the fact that the leakage is not eliminated at source
and an EMSCA adversary has the location of the probes
as another degree of freedom. Therefore the adversary can
capture signature from a physical location which bypasses the
effect of many of these techniques.
For reducing EM leakage, one simple yet elegant solution
is to use some form of shield on top of the targeted device,
as proposed by Plos et al. in [9]; however, such solutions are
ad hoc and difficult to achieve in mass-scale commercial
production. Poucheret et al. proposed distribution of the leaking
electrical paths throughout the physical implementation of
the hardware to prevent EMSCA [27]. Doulcier-Verdier et
al. used a duplicated-complemented logic style to prevent both
PSCA and EMSCA [28]. A serious bottleneck of these types
of countermeasures is the energy efficiency and design complexity
of the proposed techniques. While encryption bit-rate
is critical for high-performance systems, low-power devices
require lower energy per encryption. Most of the proposed
countermeasures suffer from a performance penalty due to
added complexity for side channel protection. Moreover, the
design and validation effort needed for incorporating these
countermeasure techniques further makes them unattractive for
use in general purpose products. Therefore there is a critical
need for finding a unique low cost solution for addressing both
PSCA and EMSCA.
Fig. 4. (a) Circuit and system level diagram of inductive voltage regulators
(b) Traditional off-chip power delivery architecture vs. integrated voltage
regulators
C. Power Delivery and Voltage Regulators
Processors and SoCs require multiple supply voltages, also
known as power rails, for optimizing energy efficiency across
different operating conditions. Voltage regulators are therefore
one of the key components in the power delivery architecture
of a processor. Inductive voltage regulators are a popular
class of switching voltage regulators and widely used for their
superior power efficiency compared to other classes of VRM.
Working Principle of Inductive Regulators: Figure 4a shows
the circuit diagram of an inductive regulator. The switches
M1 and M2 are continuously driven by two square waves at
frequency FSW. The duty cycle of the square waves determines
the output voltage. The inductor (L) and the capacitor (COUT)
create a bandpass filter whose cutoff frequency (FLC) is lower
than the switching frequency (FSW). The switching node VSW
resembles a square wave which is filtered out to create a steady
DC voltage VOUT. The output node drives different digital
blocks of a microprocessor or SoC. Every voltage regulator
requires a controller which ensures that if the load current
demand increases, the regulator can supply the required current
without the output voltage dropping. A feedback controller
senses the difference between the output voltage and the
reference voltage and adjusts the duty cycle to set the output
voltage at the desired value.
Fig. 5. Architecture of a security aware inductive IVR [20]. Loop randomizer
circuit and its effect on the inductor current are shown.
Integrated Inductive Voltage Regulators: Traditional power
delivery architecture consists of multiple voltage regulator ICs,
typically present in the motherboard/logic board. Integrated
voltage regulators (IVR) are voltage regulators integrated with
the digital circuits in the same silicon die. IVRs reduce the
volume and complexity of power delivery for multiple supply
voltages. Among various popular topologies of IVR, on-chip
low dropout regulators (LDO) have been used across multiple
generations of processors and SoCs. However LDOs have poor
power efficiency compared to switching regulators (inductive
buck and switched-capacitor) across a wide range of voltage-
frequency (V-F) states. Innovations in integrating tiny passives
(inductance and/or capacitance) with digital transistors in the
same silicon die or same package [29] enabled the use of
inductive IVRs in commercial products [15]. The reduced
value of the inductance requires the IVRs to switch at very
high frequency (∼100 of MHz), much higher than conven-
tional off-chip VRMs (≤1MHz). The switching frequency of
IVRs is closer to the operating frequency of digital circuits.
III. IVR AND EM SIDE CHANNEL ATTACK
This section motivates the potential use of inductive IVRs to
inhibit EM based side-channel attack. To motivate IVR based
EMSCA robustness, the section first summarizes the impact
of IVR on PSCA, and a security-aware IVR architecture to
reduce power side-channel leakage, as presented in [20].
Subsequently, the impact of an inductive IVR on EM side
channel leakage is elaborated and it is shown that the IVR
properties which improve PSCA robustness can also be
effective for improving EMSCA robustness.
A. IVR and Power Side-Channel Attack
Kar et al. in [20] demonstrated that the presence of an induc-
tive IVR affects the power side-channel leakage of a platform.
The authors made the observation that when an inductive IVR
supplies power to an encryption engine, the current signature
at the IVR output is isolated from the IVR input i.e. the
current drawn from the supply of the regulator (battery for
a laptop/handheld device and mains supply for a desktop).
However the input current is not completely independent of
the load current, rather it is a transformed version of the load
current. The improvement in the PSCA resistance is governed
by three different transformations of the IVR’s load current to the
input current.
• Large Signal Transformation: The continuous switching of
switches M1 and M2 in the power stage creates a switching
current pattern at the IVR input.
• Small Signal Transformation: The load current signatures
are filtered by the frequency dependent transfer function of
the PID compensator in the feedback loop.
• Misalignment: The IVR switching clock is asynchronous
with respect to the clock driving the encryption engine. The
asynchronous nature of these two clocks causes a one-to-many
mapping from load current to input current.
B. A Side-Channel-Security-Aware IVR
Figure 5 shows the overall architecture of a side-channel-
security aware IVR architecture, as presented in [20]. The
power stage of the IVR switches at 125MHz switching fre-
quency and package-bondwires are used as inductance. The
capacitor of the power stage is embedded within the die.
The IVR uses a digital feedback loop as a controller. A
digital controller first digitizes the output voltage using a high-
speed analog-to-digital converter (ADC) and the control algo-
rithm (proportional-integral-derivative (PID)) is implemented
in digital logic. The controller output is fed to a block called
digital pulse width modulator (DPWM) which converts the
digital input to the duty cycle of the square wave. All these
aforementioned blocks are part of any typical IVR architecture
and therefore it is referred to as a Baseline IVR (B-IVR) mode.
The design also contains an extra circuit called loop-
randomizer (LR), as described in [20]. LR inserts delay into
IVR’s control loop by delaying the power stage clock through
a chain of delay-elements. Each delay element can be set in
a bypass mode where the input signal bypasses the inverter.
A 4-bit maximal length LFSR generates a sequence of 15
pseudo-random outputs which determines how many inverters
are bypassed in the entire chain. LR creates a pseudo-random
perturbation in the IVR’s output voltage as well as its inductor
current, as shown in Figure 5. The mode when LR is enabled
is referred to as a randomized-IVR (R-IVR).
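The loop randomizer described above can be modelled in a few lines. This added example (not the circuit or code from [20]) steps a 4-bit maximal-length LFSR, maps each output to a number of bypassed delay elements, and derives the delay applied in each 125MHz switching cycle. The feedback polynomial, the chain length of 15 elements, the 100 ps element delay and the mapping from LFSR value to bypass count are assumptions; the 4-bit width, the 15 outputs, the switching frequency and the update every 4th switching cycle are the page's values.

```python
from collections import Counter

# Values stated on the page
SWITCHING_FREQ_HZ = 125_000_000   # IVR power stage switching frequency
CYCLES_PER_LR_UPDATE = 4          # loop delay changes once every 4th switching cycle
LFSR_WIDTH = 4                    # 4-bit maximal-length LFSR, 15 outputs

# ASSUMPTIONS (not given on the page)
LFSR_TAPS = (4, 3)                # x^4 + x^3 + 1, a maximal-length polynomial
CHAIN_LENGTH = 15                 # hypothetical number of bypassable delay elements
ELEMENT_DELAY_PS = 100            # hypothetical delay of one non-bypassed element


def lfsr_states(seed=0b0001):
    """Yield successive states of a Fibonacci LFSR, starting at seed."""
    mask = (1 << LFSR_WIDTH) - 1
    if not 0 < seed <= mask:
        raise ValueError("an all-zero LFSR state locks up; seed must be 1..15")
    state = seed
    while True:
        yield state
        feedback = 0
        for tap in LFSR_TAPS:
            feedback ^= (state >> (tap - 1)) & 1
        state = ((state << 1) | feedback) & mask


def lfsr_period(seed=0b0001):
    """Number of steps before the LFSR state sequence repeats."""
    seen = set()
    for state in lfsr_states(seed):
        if state in seen:
            return len(seen)
        seen.add(state)


def inserted_delay_ps(state):
    """Delay added to the power-stage clock when `state` elements are bypassed
    (ASSUMED mapping: the LFSR value is the bypass count)."""
    bypassed = min(state, CHAIN_LENGTH)
    return (CHAIN_LENGTH - bypassed) * ELEMENT_DELAY_PS


def delay_schedule(n_cycles, seed=0b0001):
    """Inserted delay (ps) for each of n_cycles consecutive switching cycles."""
    states = lfsr_states(seed)
    schedule = []
    current = 0
    for cycle in range(n_cycles):
        if cycle % CYCLES_PER_LR_UPDATE == 0:
            current = inserted_delay_ps(next(states))   # LR advances here
        schedule.append(current)                        # held in between
    return schedule


def repetition_cycles(seed=0b0001):
    """Switching cycles after which the delay pattern starts over."""
    return lfsr_period(seed) * CYCLES_PER_LR_UPDATE


def repetition_time_ns(seed=0b0001):
    """Duration of one full pass through the delay pattern."""
    return repetition_cycles(seed) * 1e9 / SWITCHING_FREQ_HZ


def delay_histogram(seed=0b0001):
    """How often each delay value occurs within one pattern repetition."""
    return Counter(delay_schedule(repetition_cycles(seed), seed))


if __name__ == "__main__":
    print("LFSR period:", lfsr_period())
    print("first 12 cycles (ps):", delay_schedule(12))
    print("pattern repeats every", repetition_cycles(), "cycles =",
          repetition_time_ns(), "ns")
```

Under these assumptions every delay setting is used equally often and the whole pattern spans 60 switching cycles, which is the window an evaluator has to cover when characterizing the perturbation.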
C. IVR and EM Side-Channel Leakage
EM radiation can be generated by two sources: an alternating
electric field source (high impedance) or an alternating magnetic
field source (low impedance). An inductive regulator has two
main loops where high AC currents flow, as shown in Figure 6.
When the high-side switch M1 is on, the current flows from the
supply via M1 and L to the COUT and the load. The current
flows back via ground to the input. The AC portion of the
current will flow via the input and output capacitors (Figure 6).
When M1 switches off, the inductor current will keep flowing
in the same direction, and the low-side switch M2 is switched
on. The current flows via M2 and L to the COUT and the load
and back via ground to M2. This loop is shown in blue. Both
these loops carry discontinuous currents, meaning that they
have sharp rising and falling edges at the beginning and end
of the active time. These sharp edges have fast rise and fall
times (high di/dt). Therefore they have a lot of high frequency
content.
Fig. 6. Current loops in an inductive regulator generating EM interference
Keeping EMSCA in context, these properties of an inductive
IVR make it unique compared to an LDO or a switched-capacitor
regulator. In fact, meeting the electromagnetic compliance
guidelines of the Federal Communications Commission
(FCC) is a major design challenge for inductive regulators.
However, for EMSCA protection, the same interference can be
exploited to the designers’ advantage.
D. Motivation and Contribution
The EM emission from the inductor is not guaranteed to
improve the EMSCA resistance, if the probing location can
be adjusted to pick up the signatures from the AES engine
without any interference from the inductor. This can happen
if the inductor is physically distant from the electrical paths of
the AES engine, and is true for commercial processors where
the voltage regulator IC is on the same board, but physically
distant from the processor. However, in any integrated VR, as
in recent processors such as Haswell, the small form factor
of the inductor ensures a compact placement close to the load
circuit. Therefore it is difficult to separate out the effect of
the inductor from that of the AES engine in the captured
EM signatures. As the interference from inductor is a direct
function of the current flowing through it, any properties of the
inductor current are critical to analyze the EMSCA resistance
of such a system. Moreover, the IVRs operate at frequencies
(≥100MHz) much closer to the processor’s clock frequency
( 1GHz), compared to off-chip VRs ( 1KHz). Hence, the EM
emissions from inductors in IVR are likely to interfere more strongly
with EM emissions from the processors. Therefore,
although off-chip VRs have been shown to have little effect in
reducing information leakage from the processor (in fact, in
certain cases, off-chip VRs have been shown to be a major source
of leakage [30]), the same conclusion cannot be drawn for
on-chip VRs. This paper for the first time presents an in-depth
measurement and characterization of the effect of IVR on EM
leakage from SoCs.
Although the architecture presented in [20] is focused on
protection against PSCA, we observe that the inductor current
of an IVR is also a function of the IVR input current. As the
EM emission from the inductor is also a direct function of the
current flowing through it, the architecture presented in [20] is
relevant to EMSCA as well. However the effect on EMSCA
resistance of the system is not addressed by the authors in
[20]. In this paper, we aim to perform EMSCA analysis on a
system of an inductive IVR and an AES engine for the B-IVR
and the R-IVR modes. The experimental characterization is
performed on a prototype circuit board composed of an ASIC,
fabricated in 130nm, containing two architectures of AES-
128 algorithm and the inductive IVR architecture proposed in
[20]. The prototype system represents a microcosm of a high-
performance or low-power SoC with hardware acceleration for
AES encryption. More importantly, the prototype makes the
AES engines more vulnerable as it does not include noise from
other components in a chip.
IV. PROTOTYPE SYSTEM
A. System Design
Figure 7 shows the prototype board for evaluation. The
designed ASIC is powered by standard USB connections. An
off-chip voltage regulator (LM317) is used to convert 5.0V
from the USB to 1.2V supply for the ASIC. The off-chip volt-
age regulator represents a traditional off-chip power delivery
architecture. Even if IVR is present in a processor/SoC, an off-
chip VRM is still needed to convert the platform input voltage
to a tolerable input voltage of the IVR. The plaintexts and
key of AES encryptions are written within the ASIC using an
Arduino through a standard serial-to-parallel-interface (SPI).
B. Architecture of the ASIC
The ASIC has two architectures of the AES-128 algorithm.
The die photo of the ASIC is shown in Figure 7. LR is run at
1/8th of the IVR’s sampling frequency. Therefore, the control
loop delay changes once every 4th switching cycle of the IVR.
LR creates a pseudo-random perturbation in the IVR’s output
voltage as well as its inductor current.
The AES-128 algorithm has a 10-round operation. The first
architecture, referred to as high-performance AES (HP-AES),
executes each AES round (all 16 bytes of the intermediate
state) in one cycle (Figure 7c) [31]. The latency for one
encryption is 11 cycles, which makes the HP-AES suitable
for latency-critical applications like memory encryption. The
second AES architecture is referred to as low-power AES
(LP-AES) as it is better suited to light-weight low-power
applications (Figure 7d). The datapath consists of a single S-BOX,
128 XORs for AddRoundKey, a word mix-column unit
and intermediate registers for data storage. The bytes of the
intermediate states are processed serially, causing a higher
latency per encryption. The silicon area is significantly lower,
which makes the LP-AES architecture better suited to edge
devices like wearables and sensor nodes. However, designs
similar to LP-AES, where rounds are executed serially, are
found to be more vulnerable to correlation based attacks [32],
[33]. The round-keys for both architectures are generated on
the fly.
Fig. 7. (a) ASIC Micrograph with bondwires (b) Prototype PCB for characterization (c,d) Architectures of the implemented AES engines
C. Packaging
Each silicon die is accompanied with a package which forms
the connections with the PCB. Packages play a critical role in
leakage of EM side channel signature as different components
of the package, mostly the parasitic inductance can amplify
or mask the desired signatures. The ASIC is packaged in a
Leadless Ceramic Package (LCC). The pads in the die are
attached with the package with bondwires. Each bondwire is
5.5mm long, 1.3mil thick and offers roughly 5.8nH inductance.
As the package is leadless, minimal inductance is offered by
the connections between the PCB and the package.
In any general purpose hardware platform, the details of
the pin mapping of the processor/microcontroller and the PCB
traces are publicly released. When such a system is attacked,
this information is typically exploited by the adversary to
find suitable points for probing. For example, the authors in
[24] use the decoupling capacitor close to the microcontroller
core to pick up the EM signatures. We assume that the pin
mapping and the PCB routing of the prototype system is
known to an adversary. Figure 8 shows the pads of the ASIC
and their corresponding pins in the package. The IVR input,
ground and the inductor pins are towards the top-right corner
of the chip. In order to characterize the AES without the effect
of the IVR, the power (VDD,AES) and ground (VSS,AES) pin
of the AES are separately connected to the package. These
pins won’t be present in a commercial chip: the power pin
would effectively be the IVR output and the ground pin would
be shorted internally to the IVR ground. The pins which do
Fig. 8. Pad assignment of the fabricated ASIC and the corresponding LCC
package
not carry side channel signatures are marked in black. The
parasitic inductance and resistance of a LCC package are sig-
nificantly higher than the advanced packages like flipchip/C4.
Although using this package enabled us to exploit the package
bondwires as IVR inductance, the higher inductance of the
bondwires connecting AES supply and ground to the package
creates EM emission directly from the AES engine, even when
the IVR is supplying the AES. Therefore, enhancing EM
side channel resistance for this prototype is more challenging
compared to a commercial IVR which would use some form
of integrated inductance (spiral inductance, silicon interposer,
on-die solenoid) in an advanced package.
Fig. 9. Measurement scenarios a) AES is powered by an external voltage-
regulator and b) IVR is powering AES engine
D. Measurement Cases
Measurements were carried out in two different scenarios
as depicted in Figure 9.
• Standalone AES: The AES block and other peripheral
digital circuits are powered by the off-chip voltage regu-
lator (LM317). This mimics a traditional power delivery
architecture. To prove the point that having a strong EM
radiator near the encryption engine will have insignificant
effect on the EM leakage, we keep the IVR on i.e. the
IVR drives a steady load current. The switches M1 and
M2 switch continuously. Naturally the inductor carries
switching current and radiates strong EM signatures.
However, as the IVR does not supply the AES engine,
the inductor current and the corresponding EM emission
have no relation to the AES current.
• IVR-AES: The AES block is powered by the IVR. In
this mode, the emission from the IVR inductor is linked
with the AES activities. We evaluate the following two
modes for IVR-AES: in B-IVR, the LR is disabled and in
R-IVR, the LR is enabled which randomizes the control
loop.
E. Measurement Details
Placements of probes: Figure 10a shows the placement of
the high resolution active probe near the pins of the prototype
test-chip. Figure 10b shows the potential placement options
for the passive probes. The large loop probe spans the entire
package and hence, has one placement location (location 1)
as shown in Figure 10b. The small loop probe has a higher
bandwidth and provides more resolution in the placement of
the probe (location 1 and 2, in Figure 10b).
Statistical Tests: The commonly used SCA resistance quan-
tification approaches focus on an adversary’s ability to extract
the unknown key of an encryption engine. Both CEMA and
differential electromagnetic analysis (DEMA) have been used
as key extraction attacks. Le et al. [34] have shown a correlation
based attack to be more efficient than a DEMA or DPA
approach. A CEMA uses Pearson's correlation between the
measured side channel traces and a power-model to extract
the secret key. The power-model is constructed based on the
plaintext/ciphertext and guessed values of the key. The SCA
resistance is measured by computing the minimum number
of traces necessary to disclose the unknown key [minimum-
Fig. 10. Probing locations for different attack scenarios (a) EMSCA with
Physical access (b) Proximity EMSCA
number-of-traces-to-disclosure (MTD)]. A higher MTD im-
plies a stronger SCA resistance.
The CEMA-based approaches measure the ability to extract
an unknown key by an adversary, and hence, to a certain extent
depend on the adversary’s effort i.e. the number of measure-
ments, the complexity of the attack models and statistical tests
used for the attack. From a designer’s perspective, it is more
crucial to understand whether the measured signatures are
correlated to the internal data, irrespective of the outcome of a
CEMA attack. We use TVLA as suggested by Goodwill et al.
[35] as a leakage test where the tester selects the key and set
of key-specific plaintexts to understand the data-dependency in
the captured signatures. We also used higher order statistical
moments in t-test to increase the probability of detection, as
suggested by Moradi et al. [36].
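The leakage test described above, as an added example (not code from the paper): a Welch t-test per sample point, run at first order and at second order, with the 4.5 threshold the paper applies. The traces are constructed, a plain fixed-versus-random split stands in for the paper's semi-fixed set, and all function names are assumptions.

```python
import math
import random

THRESHOLD = 4.5  # |t| above this is read as leakage, the threshold used on the page


def mean_var(xs):
    """Sample mean and unbiased sample variance."""
    n = len(xs)
    m = sum(xs) / n
    return m, sum((x - m) ** 2 for x in xs) / (n - 1)


def preprocess(xs, order):
    """Univariate higher-order preprocessing of one sample point within one set.

    order 1: raw samples; order 2: centered squares (variance test);
    order >= 3: standardized d-th powers (skewness test for d = 3).
    """
    if order == 1:
        return list(xs)
    m, v = mean_var(xs)
    if order == 2:
        return [(x - m) ** 2 for x in xs]
    sd = math.sqrt(v)
    return [((x - m) / sd) ** order if sd else 0.0 for x in xs]


def welch_t(a, b):
    """Welch's t statistic for two sets with unequal variances."""
    ma, va = mean_var(a)
    mb, vb = mean_var(b)
    denom = math.sqrt(va / len(a) + vb / len(b))
    return (ma - mb) / denom if denom else 0.0


def tvla(set_a, set_b, order=1):
    """t-value at every sample point for two sets of equally long traces."""
    t_values = []
    for i in range(len(set_a[0])):
        a = preprocess([trace[i] for trace in set_a], order)
        b = preprocess([trace[i] for trace in set_b], order)
        t_values.append(welch_t(a, b))
    return t_values


def leaking_points(t_values):
    """Indices of sample points whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(t_values) if abs(t) > THRESHOLD]


def constructed_traces(n_traces, fixed_class, rng, n_points=8):
    """Constructed data, not measurements: unit Gaussian noise everywhere.

    For the fixed class, point 2 gets a mean offset (first-order leak) and
    point 5 gets a wider noise spread with unchanged mean (second-order leak).
    """
    traces = []
    for _ in range(n_traces):
        trace = [rng.gauss(0.0, 1.0) for _ in range(n_points)]
        if fixed_class:
            trace[2] += 0.4
            trace[5] *= 1.5
        traces.append(trace)
    return traces


def demo(n_traces=3000, seed=1):
    """t-values per sample point for orders 1 and 2 on the constructed sets."""
    rng = random.Random(seed)
    fixed = constructed_traces(n_traces, True, rng)
    rand = constructed_traces(n_traces, False, rng)
    return {order: tvla(fixed, rand, order) for order in (1, 2)}


if __name__ == "__main__":
    for order, t_values in demo().items():
        print("order", order, "leaking points:", leaking_points(t_values))
```

The variance-only leak at point 5 passes the first-order test and is flagged only at second order, which is why a design that transforms the signature nonlinearly has to be assessed beyond first order.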
We use a semi-fixed dataset of 100,000 plaintexts for TVLA.
A sliding window of 200ns is used for analysis. For CEMA,
500,000 traces were captured for each different configuration
of IVR and AES and a sliding window of 80ns is used. A
small sliding window for CEMA ensures a better alignment
of the filtered traces. The peak correlation is calculated across
all filter bands and all-windows to determine the outcome of
the attack.
Signal Post-processing: A naive adversary aims to mount
the SCA on the raw EM signals captured by the probes.
However, any misalignment introduced in the chip can thwart
such attack and effectively makes an inductive IVR useful
in EMSCA protection. However, any skilled adversary would
post-process the data before mounting attacks. We assume
Fig. 11. (a) Sample traces captured in EMSCA with physical access from different pins of the chip and (b) the corresponding TVLA results
Fig. 12. TVLA result in R-IVR mode in EMSCA with physical access
the role of a skilled adversary and perform necessary post-
processing on the captured traces. As the EM signature from
a chip with an inductive IVR is a superposition of different
sources of EM emission, it is important to properly filter
and align the traces before performing any statistical analysis.
Another reason why filtering is critical for EMSCA is to
extract the useful signature from a coupled EM emission
where the EM leakage from the source is coupled with a
strong carrier [37]. The post-processing step involves filtering
and alignment: filtering removes unwanted noise as well as
demodulates any modulated signatures and alignment ensures
that the same execution step happens across all the captured
traces at a given time point. To align the captured traces, we
use bandpass filters with bands sliding from 30MHz up to
500MHz in steps of 10MHz. This also replicates the action
of a tunable receiver or a demodulator often used in a low-
cost EM attack [37]. The filtered signals are aligned using
cross correlation with the offset limit bounded by the filtering
frequency.
V. EMSCA WITH PHYSICAL ACCESS
The evaluation of the EMSCA with physical access is
performed through TVLA on the traces captured for HP-AES
encryptions. An EMSCA with physical access removes any
constraints of choosing a probe location and therefore can
significantly increase the analysis time, as multiple pins and
traces in the package can be probed for EMSCA. As TVLA
is generally considered to be a better indicator of leakage
compared to CEMA for the same number of measurements,
analysis is limited to TVLA on HP-AES.
Standalone AES: In standalone mode, the high resolution
probe is placed in location 1, near the supply (VDD,AES) and
ground (VSS,AES) line. The supply and the ground current of
the AES flow through the bondwires marked in pink and blue
respectively. The time-domain signatures picked up by the
probe in this condition are shown in the Figure 11. The rounds
of the HP-AES operation can be clearly identified from the
captured waveforms. Figure 11 also shows the TVLA results in
these conditions against the frequency bands used for filtering.
As expected, the t-value crosses the threshold of 4.5 at multiple
frequencies, clearly indicating signs of leakage.
B-IVR: When the AES engine is supplied by the IVR,
VDD,AES is disconnected. But two new locations in the ASIC
can potentially emit compromising EM radiation: the IVR
input (VIN,IVR) and inductor node (VIND). The signature picked
up near the inductor node (VIND) is shown for illustration in
Figure 11. The HP-AES operation cannot be visually identified
either in the time domain or in the spectrogram. However, the
TVLA results show signs of leakage at both VIN,IVR and VIND
nodes.
The signature picked up by the high resolution probe is
conductive EM emission which is caused due to the current
passing through the corresponding pins. Therefore the behav-
ior of the captured signatures from a pin or a trace would
be similar to the PSCA properties of the current flowing
through the corresponding nodes. This property can explain
the observations above. According to the PSCA results shown
in [20], the B-IVR input shows TVLA leakage in power
signature, which is also observed here. Clearly IVRs can
impact the conductive EM emissions in the same way as PSCA
Fig. 13. EM signatures captured with the passive probes for a HP-AES encryption in the B-IVR mode (a) the small loop probe and (b) the large loop probe
behavior.
R-IVR: The TVLA results on the inductor node (VIND)
and the supply node (VDD,IVR) do not show any leakage in
the R-IVR mode. Figure 12 shows the TVLA data on the
inductor node (VIND). Although VSS,AES won’t be accessible
for a commercial chip, we performed a TVLA for the purpose
of characterization.
If a skilled adversary gains physical access to the device,
minor design components like sensitive current carrying traces,
package pins or supply decoupling capacitors (exploited by
authors in [24]) can be exploited for EMSCA. Attacks with
physical access have mostly been performed on commercial
single-board-computers or microcontrollers [7], [24]. For the
prototype under consideration, we identified the package pins
which can potentially emit exploitable EM signatures and
measurements using a high resolution probe show that the R-
IVR can protect against information leakage in EM signatures.
One of the security drawbacks of general-purpose products
is that the design of the package and the PCB are often
agnostic of EM emissions. For example, the normal practice
in IVR design is to internally connect the ground nodes of
the AES (VSS,AES) and the IVR (VSS,IVR), to ensure that AES current
flows to ground via the IVR. However, our prototype had the
ground node of the AES (VSS,AES) available as an external pin
to perform forensics on the chip operation. We have observed
that making VSS,AES available as a pin is a weak link for
Physical Access EMSCA. The signature picked near VSS,AES
node is similar for both standalone and B-IVR modes and
shows leakage in both modes. Even with R-IVR mode, VSS,AES
does show leakage in the TVLA test (Figure 12). This is
expected as R-IVR adds minimal noise at the supply node of
the AES. Therefore, the AES current flowing through VSS,AES
remains unchanged. Our measurement thus reaffirms that
internally connecting the ground node of the AES engine with
that of the IVR, which is a standard practice for commercial
products, is necessary to secure the benefits of the R-IVR
under Physical Access attack. However, in the next section,
we will show that external availability of VSS,AES node does
not play a major role for Proximity EMSCA.
VI. PROXIMITY EMSCA ON B-IVR
The proximity EMSCA assumes that the attacker can be in
close proximity of the target device, which is the most realistic
attack scenario. As HP-AES is more robust to a CEMA, we
used TVLA and CEMA for experiments on HP-AES, whereas
only CEMA was used for experiments on LP-AES.
A. Characterization of Passive Probes
In standalone mode, the individual rounds of one HP-
AES encryption can be captured with both these probes. The
signatures picked up by the probes in a B-IVR configuration
are shown in Figure 13. Interestingly, for both locations of
the small loop probe, no visible signature of the AES rounds
can be identified in the spectrogram and both locations pick
up components at package resonance. As the probe is moved
from location 1 to location 2, components at the IVR clock
frequency and its harmonics increase due to proximity to the
inductance. For the large loop probe, the AES operation is
visible in the spectrogram. The probe bandwidth of the large
loop probe attenuates the IVR clock and its harmonics and
significantly increases SNR of the measurement.
B. High Performance AES (HP-AES)
Fig. 14. Proximity EMSCA using TVLA on HP-AES powered by B-IVR at (a) the locations for the small loop probe and (b) the large loop probe and (c)
peak t-value against traces used
1) TVLA Results: We used a semi-fixed dataset for TVLA
and computed results using up to 3rd order statistics. A t-
value more than 4.5 for an input data-set containing more than
10,000 traces signifies 99.9999% confidence.
Standalone HP-AES: We start with the AES engine sup-
plied by the off-chip VRM. Signatures are captured for both
the passive probes placed in location 1 which is the middle
of the chip. Signatures captured by each of the probes show
t-value more than 4.5, clearly showing that the EM signature
contains leakage (Figure 14). The minimum number of traces
needed to cross a t-value of 4.5 was 2,000 for both the probes.
This experiment clearly shows that the unprotected AES has
significant EM information leakage. The component at the IVR
frequency is easily filtered out by the post-processing step.
Therefore having a strong EM radiator near the encryption
engine isn’t effective to protect against EMSCA.
B-IVR and HP-AES: We didn’t observe any positive TVLA
on the raw EM traces without performing any post-processing.
After post-processing, the t-values are plotted against the
center frequency of the band-pass filters. Although the AES
operation cannot be visually distinguished from signatures at
location 1 using the small loop probe, TVLA shows leakage
at frequencies higher than 200MHz. This is due to the fact
that although the low frequency signatures are stronger, they
can easily be modulated, whereas the weaker high frequency
signals are unmodulated. However, the same probe placed at
location 2, i.e. closer to the inductance, shows weak leakage
at higher frequency. The possible reason of this behavior is
stronger signature obfuscation by the inductor due to proximity
of the probe to the bondwires. Another interesting observation
is that the 2nd order TVLA yielded higher t-value than the
first order. As the EM signatures are transformed by the
nonlinearity of the IVR, higher order statistics can be more
Fig. 15. CEMA on HP-AES powered with the external VRM for 100,000
traces (a) Correlation against time for byte 10 (b) Correlation vs traces
effective. For the large loop probe, leakage is observed at the
filter band centered at the AES clock frequency as well as the
IVR clock frequency and its harmonics. Although the gain
of the large loop probe drops significantly after 100MHz as
shown in Figure 14, the larger loop area helps to pick up
signatures at higher frequency successfully, leading to TVLA
leakage.
We also characterized the minimum number of traces to
cross the threshold of 4.5 for each probe at the frequency band
and TVLA order which showed highest leakage. The smaller
loop needs only 2,500 traces to cross the 4.5 threshold using a
2nd order TVLA. This is marginally better than the standalone
AES and suggests that the obfuscation by the IVR has little
effect. One possible reason can also be the placement of the
probe away from the inductance. The larger loop requires
20,000 samples to cross the 4.5 threshold. These results are
consistent with the observation of authors in [20] which found
that the B-IVR mode shows leakage in power signatures.
2) CEMA Results: The power-model for CEMA is chosen
to be the Hamming distance between the intermediate state at
the end of the 9th and the 10th round of the HP-AES. Figure
Fig. 16. CEMA on LP-AES in standalone mode and with B-IVR
15 shows the results of CEMA on the HP-AES supplied by
the off-chip VRM. A successful CEMA is observed after using
40,000 traces. The corresponding MTD plot is also shown. In
B-IVR mode, no successful attack was observed with 500,000
traces. This result matches with the observations in [20] where
no successful CPA was observed with 100,000 traces at the
IVR input.
C. Low Power AES (LP-AES)
1) Vulnerability: We used the Hamming weight of the
substitution-box (S-BOX) output in the first round as power-
model for attacking LP-AES. SBOX operations on the bytes
are executed serially in LP-AES as the engine has only
one SBOX hardware. As CEMA targets one byte at a time,
the power consumption of rest of the 15 S-BOX operations
doesn’t appear in the captured signatures unlike HP-AES and
therefore the power-model correlates better with the switching
activities/EM emission leading to higher vulnerability.
2) CEMA:
• LP-AES in the standalone configuration is extremely vul-
nerable to a CEMA as only 1,000 traces are enough to
recover a key-byte (Figure 16). This shows that all the sensor
nodes, wearables and other edge devices that use a serialized
lightweight AES implementation [38], are vulnerable to an
EMSCA using cheap EM probes.
• If the B-IVR supplies the AES, the resistance to a CEMA
increases by 30x as 30,000 traces were required for suc-
cessful recovery of a key-byte. A successful CEMA also
shows that the system EM signature which is a complex
superposition of the EM leakage from the LP-AES and
the EM emission from the inductor, is vulnerable against
a traditional Hamming-weight based power-model, without
the need of a complex power-model or statistical tests.
VII. PROXIMITY EMSCA ON R-IVR
The emission from a B-IVR supplying both the AES engines
is vulnerable, as demonstrated through TVLA and/or CEMA
in the earlier section. Next we enable the R-IVR mode and
reevaluate the EMSCA results with both the AES designs.
We only used the small loop probe for the following analysis
as the captured signatures showed stronger data-dependency
compared to the large loop probe.
A. TVLA
Figures 17a and 17b show the time domain waveform of
the captured signature with small loop probe at location 1
Fig. 17. Captured signatures in the R-IVR mode in (a) time and (b)
spectrogram. (c) TVLA across different frequency bands with 100,000 traces
Fig. 18. CEMA results on the AES designs with R-IVR (a) MTD plot for
HP-AES (c) MTD plot for LP-AES
and the corresponding spectrogram when the randomization is
enabled in the IVR control loop. As the random delay inserted
into the control loop is controlled by a maximal length LFSR,
the time domain waveform shows a periodicity dictated by
the length of the LFSR. This indirectly creates a frequency
spreading or frequency dithering effect with an added degree
of randomness. No leakage was observed in the TVLA tests
with 100,000 traces (Figure 17c).
B. CEMA
CEMA was performed both on HP-AES and LP-AES in
the R-IVR mode. No successful attack was observed with
500,000 traces across all bands and all windows (Figure 18) for
both AES designs. HP-AES has a 16X improvement and LP-
AES has a 500X improvement in MTD from their respective
standalone configurations.
C. CPA using Templates
The randomness in the inductor current is manifested in
the captured EM signature of the system as shown in Figure
17. The maximum length 4-bit LFSR which inserts delays
proportional to the LFSR output into the IVR control loop,
[Figure 19 block diagram. Labels: Initial Template (TS), T1 ... Tn, Pattern Matching, S1,1:L ... Sn,1:L, Average, Average Template (TAVG), SD1,1:L ... SDn,1:L, Analysis, 600ns]
Fig. 19. Steps of template based CEMA for proximity EMSCA in R-IVR mode
repeats itself after 15 combinations, causing the EM patterns to
repeat at a low frequency of ∼2MHz. For each measured trace,
the LFSR output can be at any one of the 15 possible values
and the magnitude of the trace at that point is dependent on
that value. Therefore CEMA and TVLA will not be successful
unless the effect of the randomization is canceled from the
recorded traces.
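The repetition described above, as an added example (not code from the paper): a 4-bit maximal-length LFSR is stepped to confirm the 15-state cycle, and the ∼2MHz figure is reproduced from the 125MHz IVR and the one-delay-change-per-4-switching-cycles rate stated earlier in the paper. The tap polynomial x^4 + x^3 + 1, the seed and the function names are assumptions; the 8-bit case goes beyond the page to show how the period scales with register length.

```python
def lfsr_states(width, taps, seed=1):
    """Yield successive states of a right-shifting Fibonacci LFSR.

    taps are polynomial exponents, e.g. (4, 3) for x^4 + x^3 + 1 (assumed;
    the paper does not give the polynomial of its 4-bit LFSR).
    """
    state = seed
    while True:
        yield state
        bit = 0
        for t in taps:
            bit ^= (state >> (width - t)) & 1
        state = (state >> 1) | (bit << (width - 1))


def lfsr_period(width, taps, seed=1):
    """Steps until the register returns to its seed, or None if it never does."""
    gen = lfsr_states(width, taps, seed)
    next(gen)  # discard the seed itself
    for steps in range(1, (1 << width) + 1):
        if next(gen) == seed:
            return steps
    return None


def delay_codes(n, width=4, taps=(4, 3)):
    """First n LFSR outputs; the control-loop delay is proportional to each."""
    gen = lfsr_states(width, taps)
    return [next(gen) for _ in range(n)]


def smallest_repeat_lag(seq):
    """Smallest lag p with seq[i] == seq[i + p] for every i, else None."""
    for lag in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + lag] for i in range(len(seq) - lag)):
            return lag
    return None


def repetition_frequency_hz(switching_hz, cycles_per_update, period):
    """How often the whole delay pattern repeats."""
    return switching_hz / cycles_per_update / period


def demo():
    p4 = lfsr_period(4, (4, 3))
    p8 = lfsr_period(8, (8, 6, 5, 4))  # generalization beyond the page
    return {
        "period_4bit": p4,
        "pattern_lag": smallest_repeat_lag(delay_codes(60)),
        "repeat_hz_4bit": repetition_frequency_hz(125e6, 4, p4),
        "period_8bit": p8,
        "repeat_hz_8bit": repetition_frequency_hz(125e6, 4, p8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```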
We introduce a different attack, referred to as template based
CPA, particularly when the LR mode is enabled. The steps
of the template based CPA are described in Figure 19. A
template of length 0.6µs is chosen from a randomly selected
trace and patterns of the same length matching with the initial
template are found for every trace. All the matched patterns
are averaged to generate an average template. We note that the
average template contains the EM signature, in absence of any
AES operation added with an averaged (over a large number
of plaintexts, the leakage at every point will be averaged) EM
leakage from the AES operations. Next a window is selected
for CEMA which is smaller in length than the template and
for each trace, the corresponding portion of the template that
matches with the window is subtracted. This generates a set of
traces without the steady state variations due to randomization.
CEMA is performed on the differential signals, both for the
HP-AES and the LP-AES and no successful CEMA was
observed with 500,000 traces.
VIII. DISCUSSIONS
A. Robustness Against Attack
One of the hypotheses for the proposed technique to work is
that the EM emission from the AES and the inductor interfere,
which is possible when the inductance is integrated closer to
the AES engine. With the recent trends in integrated inductor
design for power delivery [18], [39], this seems to be the
case. One possible attack mode arises if the adversary gains
control over the IVR switching frequency. Changing the IVR
switching frequency changes the frequency spreading in the
R-IVR mode. However, the switching frequencies of IVRs
typically cannot be accessed through firmware; achieving
this therefore requires a destructive and invasive attack.
Changing the total load current supplied by the IVR also
does not change the switching frequency. Another possible
caveat is that EM shielding is added to inductive IVRs to
ensure FCC compliance. An EM shielding should attenuate
the EM signatures, both from the AES as well as the IVR,
and therefore should help in prevention against EM attacks.
However, tampering with the EM shielding might compromise the
integrity of the proposed scheme.
B. Public Key Ciphers
Public key ciphers like ECDH/RSA are widely used for au-
thentication across many devices and have been demonstrated
to be vulnerable to EM attacks [22], [23]. Attacking a public
key cipher mainly relies on identifying distinct arithmetic
operations like addition/multiplication which is different than
SCA on AES where the side channel signatures change over
each clock cycle. Therefore attacks on the public key ciphers
are typically carried out at much lower frequency bands and
can be performed using inexpensive EM probes. The IVR,
without and with the randomization scheme, modifies the
EM signatures at frequencies ≥1MHz, which as demonstrated
above is effective for an AES. However as the frequency of
interest lies in the KHz range for public key ciphers, the
randomization, in its current form, might not be effective.
However, one possible solution is to use a low frequency on-
board VRM with a LFSR based control loop randomization,
operating at a lower frequency (∼KHz). This will modify the
frequency components in the measured EM traces near the
frequency of interest and possibly be effective for public key
ciphers.
IX. CONCLUSION
Protecting EM leakage from modern hardware devices with-
out power and performance penalty and increased packaging
cost is a challenging task. Blindsight demonstrates that an
inductive IVR with a minor design modification can reduce
information leakage through EM. The measurement results
from the prototype system show that a high-frequency IVR
modulates the EM emission from the chip due to presence of
an integrated inductance. As an IVR operates at frequencies
close to that of a digital processor (≥100MHz), unlike an
off-chip VRM module that operates at a much lower frequency
(∼100KHz), the EM emission from IVR interferes with the
EM emission from the AES engines. The system EM signa-
tures, measured using low-cost passive EM probes demonstrate
≥13x and 30x improvement in MTD for a high-performance
low-latency AES and a low-power low-area compact AES
design. If the control loop of the IVR is randomized, ≥13x and
≥500x improvement in MTD is achieved. As power delivery
with integrated inductance is becoming a key component in
improving energy efficiency of digital processors, the results
show promise in using a common IVR architecture ([20]) for
reducing both power and EM leakage with minimal power,
performance, and area overhead.
REFERENCES
[1] R. Pantos and W. May, “Http live streaming,” 2017.
[2] J. Rott, “Intel advanced encryption standard instructions (aes-ni),” Tech-
nical Report, Technical Report, Intel, 2010.
[3] V. Costan and S. Devadas, “Intel sgx explained.” IACR Cryptology ePrint
Archive, vol. 2016, p. 86, 2016.
[4] S. Mathew, S. Satpathy, V. Suresh, M. Anders, H. Kaul, A. Agar-
wal, S. Hsu, G. Chen, and R. Krishnamurthy, “340 mv–1.1 v, 289
gbps/w, 2090-gate nanoaes hardware accelerator with area-optimized
encrypt/decrypt gf(2^4)^2 polynomials in 22 nm tri-gate cmos,” IEEE
Journal of Solid-State Circuits, vol. 50, no. 4, pp. 1048–1058, 2015.
[5] P. Hamalainen, T. Alho, M. Hannikainen, and T. D. Hamalainen, “Design
and implementation of low-area and low-power aes encryption hardware
core,” in Digital System Design: Architectures, Methods and Tools, 2006.
DSD 2006. 9th EUROMICRO Conference on. IEEE, 2006, pp. 577–
583.
[6] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, “Pushing
the limits: a very compact and a threshold implementation of aes.” in
Eurocrypt, vol. 6632. Springer, 2011, pp. 69–88.
[7] J. Longo, E. De Mulder, D. Page, and M. Tunstall, “Soc it to em:
electromagnetic side-channel attacks on a complex system-on-chip,”
in International Workshop on Cryptographic Hardware and Embedded
Systems. Springer, 2015, pp. 620–640.
[8] M. Yamaguchi, H. Toriduka, S. Kobayashi, T. Sugawara, N. Hommaa,
A. Satoh, and T. Aoki, “Development of an on-chip micro shielded-
loop probe to evaluate performance of magnetic film to protect a
cryptographic lsi from electromagnetic analysis,” in Electromagnetic
Compatibility (EMC), 2010 IEEE International Symposium on. IEEE,
2010, pp. 103–108.
[9] T. Plos, M. Hutter, and C. Herbst, “Enhancing side-channel analysis with
low-cost shielding techniques,” in Proceedings of Austrochip, 2008, pp.
90–95.
[10] G. B. Ratanpal, R. D. Williams, and T. N. Blalock, “An on-chip
signal suppression countermeasure to power analysis attacks,” IEEE
Transactions on Dependable and Secure Computing, vol. 1, no. 3, pp.
179–189, 2004.
[11] X. Wang, W. Yueh, D. B. Roy, S. Narasimhan, Y. Zheng, S. Mukhopad-
hyay, D. Mukhopadhyay, and S. Bhunia, “Role of power grid in
side channel attack and power-grid-aware secure design,” in Design
Automation Conference (DAC), 2013 50th ACM/EDAC/IEEE. IEEE,
2013, pp. 1–9.
[12] C. P. L. Gouva and J. L. Hernandez, “Implementing gcm on armv8.” in
CT-RSA, 2015, pp. 167–180.
[13] A. Zajic and M. Prvulovic, “Experimental demonstration of electro-
magnetic information leakage from modern processor-memory systems,”
IEEE Transactions on Electromagnetic Compatibility, vol. 56, no. 4, pp.
885–893, 2014.
[14] A. Do, S. T. Ko, A. T. Htet, T. Eisenbarth, and B. Sunar, “Elec-
tromagnetic side-channel analysis on intel atom processor,” Worcester
Polytechnic Institute, 2013.
[15] N. Kurd, M. Chowdhury, E. Burton, T. P. Thomas, C. Mozak,
B. Boswell, P. Mosalikanti, M. Neidengard, A. Deval, A. Khanna et al.,
“Haswell: A family of ia 22 nm processors,” IEEE Journal of Solid-State
Circuits, vol. 50, no. 1, pp. 49–58, 2015.
[16] E. J. Fluhr, S. Baumgartner, D. Boerstler, J. F. Bulzacchelli, T. Diemoz,
D. Dreps, G. English, J. Friedrich, A. Gattiker, T. Gloekler et al., “The
12-core power8 processor with 7.6 tb/s io bandwidth, integrated voltage
regulation, and resonant clocking,” IEEE Journal of Solid-State Circuits,
vol. 50, no. 1, pp. 10–23, 2015.
[17] B. Bowhill, B. Stackhouse, N. Nassif, Z. Yang, A. Raghavan, O. Men-
doza, C. Morganti, C. Houghton, D. Krueger, O. Franza et al., “The
xeon® processor e5-2600 v3: A 22 nm 18-core product family,” IEEE
Journal of Solid-State Circuits, vol. 51, no. 1, pp. 92–104, 2016.
[18] H. K. Krishnamurthy, V. Vaidya, S. Weng, K. Ravichandran, P. Kumar,
S. Kim, R. Jain, G. Matthew, J. Tschanz, and V. De, “20.1 a digitally
controlled fully integrated voltage regulator with on-die solenoid induc-
tor with planar magnetic core in 14nm tri-gate cmos,” in Solid-State
Circuits Conference (ISSCC), 2017 IEEE International. IEEE, 2017,
pp. 336–337.
[19] H. K. Krishnamurthy, V. A. Vaidya, P. Kumar, G. E. Matthew, S. Weng,
B. Thiruvengadam, W. Proefrock, K. Ravichandran, and V. De, “A
500 mhz, 68% efficient, fully on-die digitally controlled buck voltage
regulator on 22nm tri-gate cmos,” in VLSI Circuits Digest of Technical
Papers, 2014 Symposium on. IEEE, 2014, pp. 1–2.
[20] M. Kar, A. Singh, S. Mathew, A. Rajan, V. De, and S. Mukhopadhyay,
“8.1 improved power-side-channel-attack resistance of an aes-128 core
via a security-aware integrated buck voltage regulator,” in Solid-State
Circuits Conference (ISSCC), 2017 IEEE International. IEEE, 2017,
pp. 142–143.
[21] T. Korak, T. Plos, and M. Hutter, “Attacking an aes-enabled nfc tag:
Implications from design to a real-world scenario,” Constructive Side-
Channel Analysis and Secure Design, pp. 17–32, 2012.
[22] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “Ecdh key-
extraction via low-bandwidth electromagnetic attacks on pcs,” in Cryp-
tographers Track at the RSA Conference. Springer, 2016, pp. 219–235.
[23] ——, “Stealing keys from pcs using a radio: Cheap electromagnetic
attacks on windowed exponentiation,” in International Workshop on
Cryptographic Hardware and Embedded Systems. Springer, 2015, pp.
207–228.
[24] J. Balasch, B. Gierlichs, O. Reparaz, and I. Verbauwhede, “Dpa, bitslic-
ing and masking at 1 ghz,” in International Workshop on Cryptographic
Hardware and Embedded Systems. Springer, 2015, pp. 599–619.
[25] C. Tokunaga and D. Blaauw, “Securing encryption systems with a
switched capacitor current equalizer,” IEEE Journal of Solid-State
Circuits, vol. 45, no. 1, pp. 23–31, 2010.
[26] W. Yu, O. A. Uzun, and S. Köse, “Leveraging on-chip voltage regulators
as a countermeasure against side-channel attacks,” in Design Automation
Conference (DAC), 2015 52nd ACM/EDAC/IEEE. IEEE, 2015, pp. 1–6.
[27] F. Poucheret, L. Barthe, P. Benoit, L. Torres, P. Maurine, and M. Robert,
“Spatial em jamming: A countermeasure against em analysis?” in VLSI
System on Chip Conference (VLSI-SoC), 2010 18th IEEE/IFIP. IEEE,
2010, pp. 105–110.
[28] M. Doulcier-Verdier, J.-M. Dutertre, J. Fournier, J.-B. Rigaud, B. Ro-
bisson, and A. Tria, “A side-channel and fault-attack resistant aes
circuit working on duplicated complemented values,” in Solid-State
Circuits Conference Digest of Technical Papers (ISSCC), 2011 IEEE
International. IEEE, 2011, pp. 274–276.
[29] W. J. Lambert, M. J. Hill, K. Radhakrishnan, L. Wojewoda, and A. E.
Augustine, “Package embedded inductors for integrated voltage
regulators,” in Electronic Components and Technology Conference (ECTC),
2014 IEEE 64th. IEEE, 2014, pp. 528–534.
[30] S. Saab, A. Leiserson, and M. Tunstall, “Key extraction from the primary
side of a switched-mode power supply,” in Hardware-Oriented Security
and Trust (AsianHOST), IEEE Asian. IEEE, 2016, pp. 1–7.
[31] A. Satoh, S. Morioka, K. Takano, and S. Munetoh, “A compact Rijndael
hardware architecture with S-box optimization,” in Asiacrypt, vol. 2248.
Springer, 2001, pp. 239–254.
[32] D. Mukhopadhyay and R. S. Chakraborty, Hardware security: Design,
threats, and safeguards. CRC Press, 2014.
[33] A. Singh, M. Kar, J. H. Ko, and S. Mukhopadhyay, “Exploring power
attack protection of resource constrained encryption engines using
integrated low-drop-out regulators,” in Low Power Electronics and Design
(ISLPED), 2015 IEEE/ACM International Symposium on. IEEE, 2015,
pp. 134–139.
[34] T.-H. Le, J. Clédière, C. Canovas, B. Robisson, C. Servière, and J.-L.
Lacoume, “A proposition for correlation power analysis enhancement,”
in CHES, vol. 4249. Springer, 2006, pp. 174–186.
[35] B. J. Gilbert Goodwill, J. Jaffe, P. Rohatgi et al., “A testing methodology
for side-channel resistance validation,” in NIST non-invasive attack
testing workshop, 2011.
[36] T. Schneider and A. Moradi, “Leakage assessment methodology,” in
International Workshop on Cryptographic Hardware and Embedded
Systems. Springer, 2015, pp. 495–513.
[37] P. Rohatgi, “Electromagnetic attacks and countermeasures,” in
Cryptographic Engineering. Springer, 2009, pp. 407–430.
[38] F. Conti, R. Schilling, P. D. Schiavone, A. Pullini, D. Rossi, F. K.
Gürkaynak, M. Muehlberghuber, M. Gautschi, I. Loi, G. Haugou et al.,
“An IoT endpoint system-on-chip for secure and energy-efficient
near-sensor analytics,” IEEE Transactions on Circuits and Systems I: Regular
Papers, vol. 64, no. 9, pp. 2481–2494, 2017.
[39] N. Sturcken, R. Davies, H. Wu, M. Lekas, K. Shepard, K. Cheng,
C. Chen, Y. Su, C. Tsai, K. Wu et al., “Magnetic thin-film inductors for
monolithic integration with CMOS,” in Electron Devices Meeting (IEDM),
2015 IEEE International. IEEE, 2015, pp. 11–4.
