This paper presents up-to-date side-channel attacks and their countermeasures. A classification of side-channel attacks and countermeasures is given, and the design of a side-channel attack model is presented. A novel transistor-level countermeasure approach, three-phase dual-rail pre-charge logic (TDPL), against side-channel attacks based on analysis of a crypto core's leakage currents is explained. Algorithms and models to predict the input vector for maximum and minimum leakage current in CMOS and TDPL gates are reviewed. Extensive transistor-level simulations on basic gates implemented in 65 nm CMOS technology are presented, together with a methodology to analyze this data and compare CMOS vs. TDPL as possible countermeasures. The results of this study show that leakage current can be easily exploited as a side channel by an attacker to extract information about the secret key in cryptographic hardware in CMOS crypto-design, while TDPL can be a reliable countermeasure to use in the future design of smart cards.
INTRODUCTION
Smart cards are perhaps some of the most widely used electronic devices today, and in many cases these devices are in the front line, defending citizens and systems against attacks on information security [1]. The most important characteristic of a smart card is security, and there are four components that guarantee it: card body, chip hardware, operating system and application. There are a few different approaches to the systematic classification of attacks on smart cards: invasive, semi-invasive and non-invasive. However, the most efficient group of attacks are non-invasive attacks (also called passive or side-channel attacks), and they are based on weaknesses in the implementation of software or hardware.
Side-channel attacks (SCA) benefit from side-channel information, which is collected by measuring some physical quantity [2]: power consumption, electromagnetic radiation, execution time, computation faults (Fig. 1). One of these side-channel attacks in particular has attracted much attention since it was announced: the Power Analysis Attack [3]. This attack exploits the dependence of the dynamic or static power consumption on the inputs of a cryptographic algorithm, i.e. the input ciphertext (plaintext) that is to be decrypted (encrypted) and the secret key. The general idea of a side-channel attack is that all available knowledge of a smart card's hardware has to be used in order to design a model of a side-channel attack which will help in finding a hidden key. That knowledge usually includes information about the implemented cryptographic algorithm and the technology used for integrating the cryptographic hardware.

Fig. 1. Side-channel attack types [4].
The most important step in a side-channel attack is to make the best possible model of a side-channel attack (Fig. 2). As seen in this figure, the model of a side channel does not have to be highly sophisticated or complicated; it is rather simple. One of the input parameters of the model has to be a key or a part of a key. The fact that the output of a side-channel model depends on the secret key is its most important characteristic. This dependence in the model has to equal the real dependence between the output and the secret key implemented in the cryptographic core. In order to reveal the secret key in the cryptographic core, the attacker makes a hypothesis about the key and uses the side-channel model to find out whether it is correct. This hypothesis is usually related to the Hamming weight of the key or of some segment of the key. The main idea of this attack is to measure the real side-channel information and compare it to the hypothetical side-channel output. The different statistical methods used in side-channel attacks require the attacker to measure the side-channel output more than once. The more of these measurements there are, the better the differences in the attacker's model of the side channel are approximated.
The success of a side-channel attack surely depends on the implemented technology. Nowadays, CMOS is by far the most commonly used technology in digital integrated circuits. However, in sub-100 nm technologies dynamic power is no longer the dominant contribution to the chip power budget because of the much faster increase of leakage (i.e., static) power at each technology generation [5]. That is the reason why the dependence of leakage current on input and other data in CMOS logic and in the new countermeasure logic is analyzed in this paper. The remainder of this paper is organized as follows. Section II examines the available countermeasure styles for side-channel attacks. In Section III leakage current and its data dependence are studied on basic l-type gates [6] of CMOS and TDPL technology, using a 65-nm CMOS cell library from STMicroelectronics in the Cadence environment. Section IV shows the results of the measured resistances of CMOS and TDPL technologies against side-channel attacks based on analysis of leakage current. Conclusions are reported in Section V.
COUNTERMEASURE STYLES
With the new characteristics of leakage current in recent technologies, a wide range of hardware countermeasures has been proposed in the technical literature. These countermeasures can be classified according to the abstraction level involved during the design flow: system-level, gate-level and transistor-level. System-level techniques include adding noise to the device power consumption [7], duplicating logic with complementary operations [8], active supply current filtering with power consumption compensation, passive filtering, battery on chip and detachable power supply, etc. Gate-level countermeasures include circuit techniques which can be implemented using logic gates available in a standard-cell library, e.g. random masking [9], random pre-charging, state transitions and Hamming weight balancing. Transistor-level techniques are created as a countermeasure for power analysis attacks and consist of the adoption of a logic family whose power consumption is independent of the processed data.
CMOS is the most popular transistor-level approach, also implemented in all software libraries of standard smart card cells, but it is not efficient as a countermeasure for PA attacks. Static complementary CMOS logic only consumes energy from the power supply when its output has a 0-1 transition. In fact, during the 1-0 transition the energy previously stored in the output capacitance is dissipated, and in the two events of a 0-0 or a 1-1 transition no power is used. This asymmetric power demand provides the information used in PA to find the secret key. A logic style with data-independent power consumption does not reveal this information. When logic values are measured by charging and discharging capacitances, we need to use a fixed amount of energy for every transition. The most efficient logic styles that have these characteristics and combine dual-rail and precharge logic are SABL (Sense Amplifier Based Logic) [10], WDDL (Wave Dynamic Differential Logic) [11], 3sDL (3-state Dynamic Logic) [12] and the recently proposed TDPL (Three-Phase Dual-Rail Precharge Logic) [13], [14].
In a dual-rail pre-charge (DRP) logic style, signals are encoded as two complementary wires and power consumption is constant under the hypothesis that the outputs drive the same capacitive load. This means that if the capacitors have different values, the power consumption across periods will not be constant. This is the reason for adding one more phase, discharge, so that the power consumption is independent of the capacitor values. During the first phase (precharge), the output lines of a generic logic gate are both charged to VDD. In the second phase, the evaluation phase, the output depends on the value of the input. In the last phase, the discharge phase, both outputs are discharged to VSS (Fig. 3, Fig. 4).

Fig. 3. An example of a TDPL circuit: TDPL inverter.

The proposed approach has already been tested by others, but mostly as a logic style against attacks based on analysis of crypto cores' dynamic currents. It has to be noted that leakage current can be measured in a similar way as the dynamic current is measured in traditional PA attacks and that leakage power measurements are in principle simpler to carry out [15], [16].
In this study, l-type model MOSFETs are used for both CMOS and TDPL logic circuits, using a 65-nm CMOS cell library from STMicroelectronics in the Cadence environment.
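The effect of the third phase described above can be reproduced with a small charge-accounting model. This is an added example, not code or data from the paper: the load capacitances, the bit sequence, VDD and the rail-naming convention are assumptions chosen for illustration.

```python
VDD = 1.0                      # supply voltage in volts (assumed)
BITS = [1, 0, 0, 1, 1, 0, 1]   # constructed sequence of gate output values

def simulate(bits, c_true, c_false, three_phase):
    """Energy drawn from VDD in each precharge phase, start-up cycle dropped.

    c_true / c_false are the loads on the two complementary output rails.
    three_phase=False models a two-phase DRP gate, True models TDPL.
    """
    cap = {"t": c_true, "f": c_false}
    v = {"t": 0.0, "f": 0.0}           # both rails start at VSS
    drawn = []
    for bit in bits:
        # Precharge: lifting a rail from v to VDD takes C*VDD*(VDD - v) from the supply.
        drawn.append(sum(cap[r] * VDD * (VDD - v[r]) for r in ("t", "f")))
        v = {"t": VDD, "f": VDD}
        # Evaluation: the rail that does not carry the result is discharged
        # (assumed convention: output 1 keeps the true rail high).
        v["f" if bit else "t"] = 0.0
        # Discharge (TDPL only): the remaining rail is pulled to VSS as well.
        if three_phase:
            v = {"t": 0.0, "f": 0.0}
    return drawn[1:]

def distinct_levels(trace):
    """Number of different per-cycle energies; more than 1 means data leaks."""
    return len(set(trace))

if __name__ == "__main__":
    cases = [("DRP, balanced loads", 10e-15, 10e-15, False),
             ("DRP, unbalanced loads", 10e-15, 12e-15, False),
             ("TDPL, unbalanced loads", 10e-15, 12e-15, True)]
    for name, ct, cf, tp in cases:
        trace = simulate(BITS, ct, cf, tp)
        print(f"{name}: {distinct_levels(trace)} energy level(s) {sorted(set(trace))}")
```

With unbalanced loads the two-phase gate shows two energy levels that follow the previous output bit, while the three-phase gate recharges both rails every cycle and shows one.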
LEAKAGE CURRENT AND ITS DATA DEPENDENCE
The results of the experiments carried out on basic l-type CMOS gates, showing the sensitivity of the leakage current of these gates to input data variations, are reported in Table I. It has to be noted that if we sort the leakage currents associated with their logic levels in ascending order, the same order is preserved under temperature variations. This means, for example, that in a 2-input XOR gate, logic input 01 generates the maximum leakage current for all temperature values. Table II reports leakage current simulations on standard TDPL gates. For NOT and XOR TDPL gates, whose structures are symmetric, leakage currents are independent of the input value. For the NAND TDPL gate slight differences in leakage current values can be seen, but they are not evident enough to be precisely connected to the input data. With temperature rise, the leakage current order is preserved for the TDPL NAND gate, and leakage current values grow for the others. In both Table I and Table II, leakages are given in amperes and temperatures in degrees Celsius.
ANALYSED MEASURED RESISTANCES OF CMOS AND TDPL TECHNOLOGIES
In order to show the difference between the use of CMOS and TDPL technology as a countermeasure against side-channel attacks based on analysis of leakage currents, a simple study was done. The results obtained for the three analyzed gates at a temperature of 25° are summarized in Table III. The comparison of these technologies is based on two factors: NED (Normalized Energy Deviation) and NSD (Normalized Standard Deviation).
The energy per cycle
is adopted as figure of merit to measure the resistance against leakage current analysis attacks. NED is defined as
As expected, TDPL gates show extremely balanced energy consumption, and they are independent of input data values.
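The two figures of merit can be computed from a per-input leakage table as follows. This is an added example, not the paper's code or data: it assumes the definitions commonly used for dual-rail logic styles, NED = (max E − min E) / max E and NSD = σ_E / mean(E), a leakage energy per cycle of E = VDD · I · T, and constructed current values rather than those of Tables I to III. It also checks the ordering property stated for Table I.

```python
from statistics import mean, pstdev

VDD = 1.0        # supply voltage in volts (assumed)
T_CYCLE = 10e-9  # clock period in seconds (assumed)

# Constructed leakage currents in amperes, keyed by temperature (deg C) and
# input vector. They are NOT the values of Tables I-III.
CMOS_XOR = {25: {"00": 2.1e-9, "01": 3.4e-9, "10": 2.9e-9, "11": 2.4e-9},
            75: {"00": 9.8e-9, "01": 1.5e-8, "10": 1.3e-8, "11": 1.1e-8}}
TDPL_XOR = {25: {"00": 4.0e-9, "01": 4.0e-9, "10": 4.0e-9, "11": 4.0e-9},
            75: {"00": 1.8e-8, "01": 1.8e-8, "10": 1.8e-8, "11": 1.8e-8}}

def energies(currents):
    """Leakage energy per cycle for each input vector (assumed E = VDD*I*T)."""
    return [VDD * i * T_CYCLE for i in currents.values()]

def ned(currents):
    """Normalized energy deviation: 0 means no input dependence."""
    e = energies(currents)
    return (max(e) - min(e)) / max(e)

def nsd(currents):
    """Normalized standard deviation (population sigma over the mean)."""
    e = energies(currents)
    return pstdev(e) / mean(e)

def ranking(currents):
    """Input vectors sorted by ascending leakage; the last one leaks most."""
    return sorted(currents, key=currents.get)

def order_preserved(gate):
    """True when every temperature yields the same ranking of input vectors."""
    ranks = [ranking(c) for c in gate.values()]
    return all(r == ranks[0] for r in ranks)

if __name__ == "__main__":
    for name, gate in (("CMOS XOR", CMOS_XOR), ("TDPL XOR", TDPL_XOR)):
        print(f"{name} @25: NED={ned(gate[25]):.3f} NSD={nsd(gate[25]):.3f}")
    print("CMOS XOR ranking @25:", ranking(CMOS_XOR[25]),
          "preserved over temperature:", order_preserved(CMOS_XOR))
```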
CONCLUSION
Since leakage current can become a problem to take into account during crypto-core design, especially for crypto-cores implemented in technologies with gate length under 0,1 μm which exhibit a high leakage power consumption, through a simple case study we have shown that TDPL 65nm technology is better as a countermeasure in comparison to CMOS 65nm technology.
