The implications of simultaneous differential power analysis (DPA) and leakage power analysis (LPA) attacks are investigated on nanoscale cryptographic circuits which employ dynamic voltage scaling (DVS) or aggressive voltage scaling techniques. As compared with individually performing a DPA or an LPA attack on the corresponding cryptographic circuits, the number of required plaintexts to disclose the key with a 0.9 success rate reduces by 93.5% (as compared with DPA attacks) and 93.06% (as compared with LPA attacks), respectively, when the variance of supply voltage is 0.0833 V
Introduction: Power analysis attacks are non-invasive side-channel attacks to obtain critical information from cryptographic circuits [1] . Differential power analysis (DPA) attacks are typically performed through monitoring the dynamic power consumption of cryptographic circuits [1] . As the size of cryptographic circuits scales to nanometre level, the leakage power consumption becomes comparable with the dynamic power consumption [2] . Owing to the increased leakage power consumption in modern circuits, Alioto et al. [2] proposed leakage power analysis (LPA) attacks to exploit the leakage power dissipation of nanoscale cryptographic circuits as a side-channel attack.
Dynamic voltage scaling (DVS) and aggressive voltage scaling (AVS) techniques are proposed in [3, 4] as a countermeasure against power analysis attacks. These countermeasures randomly vary the supply voltage level and thereby generate random fluctuations in the power consumption profile. These fluctuations act as noise to mask the actual power consumption profile.
Both dynamic power consumption and leakage power consumption contain critical information of nanoscale cryptographic circuits. Although DPA and LPA attacks have previously been studied thoroughly [2, 5, 6] , to the best of our knowledge, the implications of the joint DPA and LPA attacks on the nanoscale cryptographic circuits have not yet been investigated. Our hypothesis is that if DPA and LPA attacks can be utilised together, the number of required plaintexts to disclose critical information would be greatly reduced.
In this Letter, the implications of joint DPA and LPA attacks on the nanoscale cryptographic circuits which employ DVS or AVS technique are investigated. It is analytically demonstrated that the number of plaintexts required to achieve a 0.9 success rate (SR) reduces over 93%.
DPA attacks on nanoscale cryptographic circuits with DVS or AVS technique: If an attacker inputs two different data (data1 and data2) to a nanoscale cryptographic circuit sequentially, the dynamic power consumption of the circuit P dyn1 is
where C L is the gate to load capacitance, f c is the clock frequency, V dd is the supply voltage, and α 0→1 is the number of transitions from 0 to 1 when input data switch from data1 to data2. If an attacker inputs data2 and data1 sequentially (input data2 first), the dynamic power consumption P dyn2 is
where α 1→0 is the number of transitions from 1 to 0 when input data switch from data1 to data2. The differential dynamic power dissipation P dyn2 − P dyn1 can be obtained as
After taking the logarithm of both sides, (3) can be written as
where log
is the signal that carries critical information related to the input data and 2log Vdd 2 is the noise which is induced by randomly scaling the supply voltage V dd . The SNR of DPA attacks SNR DPA on a circuit employing DVS or AVS technique can be defined as
where Var represents the variance operation.
LPA attacks on nanoscale cryptographic circuits with DVS or AVS technique: The leakage power dissipation of the corresponding nanoscale cryptographic circuit P leak1 and P leak2 while processing, respectively, data1 and data2 can be denoted as follows [2] ,
where I leak1 and I leak2 are the total leakage current induced, respectively, by data1 and data2. I H and I L are, respectively, the high level (input bit is high) and low level (input bit is low) leakage current. w 1 and w 2 are, respectively, the Hamming weight of data1 and data2. m is the total number of input bits for data1 and data2. The relationship between the Hamming weight (w 1 , w 2 ) and the parameters (α 0→1 , α 1→0 ) satisfies the following equation
Using (6) and (7), the differential leakage power dissipation P leak1 − P leak2 can be written as
where I 0,P (I 0,N ) is the process dependent leakage current for PMOS (NMOS), W P (W N ) is the gate width of PMOS (NMOS), V gs is the gate to source voltage (i.e., V gs is equal to 0 if the transistor is in off-state). n P (n N ) is the sub threshold slope factor of PMOS (NMOS), V t0,P (V t0,N ) is the threshold voltage of PMOS (NMOS), γ P V bs,P (γ N V bs,N ) is the substrate bias voltage of PMOS (NMOS), η P (η N ) is the drain induced barrier lowering (DIBL) coefficient of PMOS (NMOS), and V T is the thermal voltage. Note that V T is equal to k B T/q.
) ≈ 1. Equation (9) can therefore be approximated as
where A = η P /(n P V T ) and B = η N /(n N V T ). After taking the logarithm of both sides, (10) becomes
The SNR of LPA attacks SNR LPA on circuits employing DVS or AVS technique can be written as
Simultaneous DPA and LPA attacks on nanoscale cryptographic circuits with DVS or AVS technique: Both dynamic and leakage power consumption strongly depend on the input data pattern and supply voltage. If the input data information can be eliminated by analysing the dynamic power data and leakage power data, an attacker can estimate the variations of supply voltage. Alternatively, the uncertain noise that is induced by randomly scaling the supply voltage is greatly reduced. By substituting (3) into (10), the differential leakage power dissipation P leak1 − P leak2 can also be written as
The approximated (13) can be further processed to simplify the estimation of supply voltage V dd by the attackers as follows
where K = I 0,P W P e ((−Vt0,P +g P Vbs,P)/nPVT)
Since an attacker would not know the values of A and B, K can be assumed constant (i.e. A = B) by the attacker. The attacker can then get an approximated AV ′ dd by solving (14) and (3) can be written as
After taking the logarithm of (16), the SNR DPA+LPA of the joint DPA and LPA attacks on circuits with DVS or AVS technique can be written as
The next step is to calculate the possible variations of the intentional noise Var(N j (V dd )), ( j = 1, 2, 3) which is induced by randomly scaling the supply voltage level with either DVS or AVS. Assuming that those cryptographic circuits employ true random DVS or AVS technique, the supply voltage V dd would statistically have a uniform distribution. If the supply voltage V dd can take n discrete values ranging from V DD1 to V DD2 , the ith, (i = 0, 1, 2, …, n) supply voltage level V dd,i can be denoted as
The variance of N j (V dd ) can be denoted as
After the SNR of the power profile of a cryptographic circuit is obtained, the required number of plaintexts to disclose a secret key with a 0.9 SR N 0.9 can be estimated as [7] N 0.9 ≈ c× 1 r 2
where c is a SR dependent constant which is approximately 10 when SR is 0.9 [7] . As shown in Fig. 1 , the joint DPA and LPA attack significantly reduces the variance of noise that is generated by randomly scaling the supply voltage with DVS or AVS. The number of required plaintexts to disclose the key with a 0.9 SR reduces by 93.5% and 93.06% as compared with DPA and LPA attacks, respectively, when the variance of supply voltage is 0.0833 V DPA attack LPA attack joint DPA and LPA attack Fig. 2 Variance of V dd against the number of required plaintexts to achieve a SR of 0.9 under three different attacks on nanoscale cryptographic circuits employing either DVS or AVS technique
Conclusion: Security implications of simultaneous DPA and LPA attacks on nanoscale cryptographic circuits that employ DVS or AVS techniques are analytically investigated in this Letter. The variance of noise that is inserted by DVS or AVS as a countermeasure against power analysis attack is significantly reduced with simultaneous DPA and LPA. By utilising the correlation between the dynamic and leakage power data, the number of required plaintexts to leak the secret key with a 90% SR is reduced over 93%.
