New Approaches On The Enhancement Of Side Channel Attack Measurements Against Cryptographic Devices by Bekmezci, Ahmet Emin
ISTANBUL TECHNICAL UNIVERSITYF GRADUATE SCHOOL OF SCIENCE
ENGINEERING AND TECHNOLOGY
NEW APPROACHES ON THE ENHANCEMENT OF SIDE CHANNEL
ATTACK MEASUREMENTS AGAINST CRYPTOGRAPHIC DEVICES
M.Sc. THESIS
Ahmet Emin BEKMEZCI˙
Department of Electronics and Communication Engineering
Electronics Engineering Programme
MAY 2014

ISTANBUL TECHNICAL UNIVERSITYF GRADUATE SCHOOL OF SCIENCE
ENGINEERING AND TECHNOLOGY
NEW APPROACHES ON THE ENHANCEMENT OF SIDE CHANNEL
ATTACK MEASUREMENTS AGAINST CRYPTOGRAPHIC DEVICES
M.Sc. THESIS
Ahmet Emin BEKMEZCI˙
(504121353)
Department of Electronics and Communication Engineering
Electronics Engineering Programme
Thesis Advisor: Prof. Dr. Serdar ÖZOG˘UZ
MAY 2014

I˙STANBUL TEKNI˙K ÜNI˙VERSI˙TESI˙F FEN BI˙LI˙MLERI˙ ENSTI˙TÜSÜ
KRI˙PTO AYGITLARINA KARS¸I YAPILAN YAN KANAL ATAK
ÖLÇÜMLERI˙NI˙N I˙YI˙LES¸TI˙RI˙LMESI˙ ÜZERI˙NE YENI˙ YAKLAS¸IMLAR
YÜKSEK LI˙SANS TEZI˙
Ahmet Emin BEKMEZCI˙
(504121353)
Elektronik ve Haberles¸me Mühendislig˘i Anabilim Dalı
Elektronik Mühendislig˘i Programı
Tez Danıs¸manı: Prof. Dr. Serdar ÖZOG˘UZ
MAYIS 2014

 
 
 
 
Ahmet Emin BEKMEZCI˙, a M.Sc. student of ITU Graduate School of Science En- 
gineering and Technology 504121353 successfully defended the thesis entitled “NEW 
APPROACHES ON THE ENHANCEMENT OF SIDE CHANNEL ATTACK MEA- 
SUREMENTS AGAINST CRYPTOGRAPHIC DEVICES”, which he/she prepared 
after fulﬁlling the requirements speciﬁed in the associated legislations, before the jury 
whose signatures are below. 
 
 
 
 
 
 
 
Thesis Advisor : Prof. Dr. Serdar ÖZOG˘ UZ .............................. 
Istanbul Technical University 
 
 
 
Jury Members : Asst. Prof. Dr. Sıddıka Berna Örs YALÇIN .............................. 
Istanbul Technical University 
 
 
 
Asst. Prof. Hakan GÜRKAN .............................. 
Is¸ık University 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Date of Submission : 5 May 2014 
Date of Defense : 30 May 2014 
 
 
 
 
v 
vi
To my dear mother,
vii
viii
FOREWORD
First and foremost, I would like to thank my supervisor, Prof. Serdar Özog˘uz and Asst.
Prof. Berna Örs Yalçın for their valuable support and guidance.
I would also like to express my sincerest thanks to TUBITAK(The Scientific and
Technological Research Council of Turkey) for providing financial support during my
M.Sc. studies.
Finally, I would like to express my gratefulness to my dear mother for her
unconditional support.
May 2014 Ahmet Emin BEKMEZCI˙
(Electrical and Electronics Engineer)
ix
x
TABLE OF CONTENTS
Page
FOREWORD........................................................................................................... ix
TABLE OF CONTENTS........................................................................................ xi
ABBREVIATIONS ................................................................................................. xiii
LIST OF TABLES .................................................................................................. xv
LIST OF FIGURES ................................................................................................xvii
SUMMARY ............................................................................................................. xix
ÖZET ....................................................................................................................... xxi
1. INTRODUCTION .............................................................................................. 1
1.1 Purpose of Thesis ........................................................................................... 2
1.2 Thesis Outline................................................................................................. 2
1.3 Simulations ..................................................................................................... 3
2. SIDE CHANNEL ATTACKS AGAINST CRYPTOGRAPHIC DEVICES .. 5
2.1 Cryptography and Cryptographic Devices ..................................................... 5
2.2 Attacks on Cryptographic Devices ................................................................. 5
2.3 Power Analysis Attacks.................................................................................. 7
2.3.1 Simple power analysis ............................................................................ 7
2.3.2 Differential power analysis..................................................................... 9
2.4 Measurement Setup ........................................................................................ 11
2.5 Quality Criteria for Measurements ................................................................. 12
2.5.1 Electronic noise ...................................................................................... 13
2.5.2 Switching noise ...................................................................................... 14
2.5.3 Bandwidth............................................................................................... 14
2.5.4 Clock frequency...................................................................................... 15
3. POWER MEASUREMENT CIRCUITS.......................................................... 17
3.1 Resistive Measurement Circuit....................................................................... 18
3.1.1 Circuit description of RMC.................................................................... 18
3.1.2 Main characteristics of RMC.................................................................. 19
3.1.3 Power measurement simulation of RMC................................................ 20
3.2 Supply Current Measuring Circuit(SCM) ...................................................... 21
3.2.1 Circuit description of SCM .................................................................... 21
3.2.2 Main characteristics of SCM.................................................................. 23
3.2.3 Power measurement simulation of SCM................................................ 25
3.3 CCII+ Based Supply Current Measuring Circuit ........................................... 25
3.3.1 Circuit description of CCII+ based SCM .............................................. 27
3.3.2 Main characteristics of CCII+ based SCM............................................. 28
3.3.3 Power measurement simulation of CCII+ based SCM........................... 32
3.4 Comparison of Power Measurement Circuits................................................. 32
xi
3.4.1 Simulated correlation values of DPA by using SCM circuit .................. 36
4. CONCLUSIONS AND RECOMMENDATIONS............................................ 37
REFERENCES........................................................................................................ 39
APPENDICES......................................................................................................... 41
APPENDIX A.1 ................................................................................................... 43
APPENDIX A.2 ................................................................................................... 45
CURRICULUM VITAE......................................................................................... 47
xii
ABBREVIATIONS
AES : Advanced Encryption Standard
CCII : Second Generation Current Conveyor
CMOS : Complementary Metal Oxide Semiconductor
DPA : Differential Power Analysis
EM : Electromagnetic
FPGA : Field Programmable Gate Array
HF : High Frequency
RMC : Resistive Measurement Circuit
RSA : Rivest-Shamir-Adleman
SCM : Supply Current Measuring Circuit
SNR : Signal to Noise Ratio
SPA : Simple Power Analysis
xiii
xiv
 
 
 
 
LIST OF TABLES 
 
 
Page 
 
Table 2.1  :  Double and add algorithm . ...................................................................9 
Table 3.1  :  Transistor aspect ratios of designed CCII+. .......................................... 27 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
xv 
xvi
 
 
 
 
LIST OF FIGURES 
 
 
Page 
 
Figure 2.1  :  Typical cryptography process. ............................................................. 5 
Figure 2.2  :  SASEBO-G side channel attack evaluation board. ................................6 
Figure 2.3  :  The  power  trace  of  the  microcontroller  performing  AES       
encryption. .........................................................................................8 
Figure 2.4  :  Detailed view of the power trace. .........................................................8 
Figure 2.5  :  Detailed view of the power trace. .........................................................9 
Figure 2.6  :  Block diagram of DPA attack steps. ................................................... 11 
Figure 2.7  :  Typical measurement setup. ............................................................... 12 
Figure 2.8  : Block diagram of typical measurement setup. ..................................... 12 
Figure 2.9 : Impedance measurement of a cryptographic FPGA. ............................ 15 
Figure 3.1  :  Actual current drawn from the chip. ................................................... 17 
Figure 3.2  :  Resistive measurement circuit(RMC). ................................................ 18 
Figure 3.3  :  RMC simulation circuit. .................................................................... 19 
Figure 3.4  :  Bias voltage of the FPGA in RMC. .................................................... 19 
Figure 3.5  :  Input impedance characteristic of RMC. ............................................ 20 
Figure 3.6  :  Power measurement simulation of RMC. ........................................... 20 
Figure 3.7  :  Supply current measurement circuit. .................................................. 22 
Figure 3.8  :  SCM simulation circuit. .................................................................... 23 
Figure 3.9  :  Bias voltage of FPGA in SCM. .......................................................... 24 
Figure 3.10 :  Frequency response of transimpedance gain for SCM compared 
with ideal response. .......................................................................... 24 
Figure 3.11 :  Input impedance characteristic of SCM. ............................................ 25 
Figure 3.12 :  Power measurement simulation of SCM. ........................................... 26 
Figure 3.13 :  Block diagram of an ideal CCII. ........................................................ 26 
Figure 3.14 : Schematic of a typical translinear CCII+ circuit. ................................ 27 
Figure 3.15 :  Realisation of modiﬁed CCII+. .......................................................... 27 
Figure 3.16 :  Schematic of CCII+ based SCM circuit. ............................................ 28 
Figure 3.17 :  Voltage transfer characteristic of CCII+. ............................................ 29 
Figure 3.18 :  Current transfer characteristic of CCII+. ............................................ 29 
Figure 3.19 :  Frequency response of voltage gain between Y and X terminals 
of CCII+. .......................................................................................... 30 
Figure 3.20 :  Frequency response of current gain between X and Z terminals of 
CCII+. .............................................................................................. 30 
Figure 3.21 :  Frequency dependency of the parasitic resistance at X terminal of 
CCII+. .............................................................................................. 31 
Figure 3.22 :  Bias voltage of FPGA in CCII+ based SCM. ...................................... 31 
xvii 
Figure 3.23 :  Frequency response of transimpedance gain for CCII+ based 
 SCM compared with ideal response. .................................................. 32 
Figure 3.24 :  Power measurement simulation of CCII+ based SCM......................... 33 
Figure 3.25 : Comparsion of bias voltages supplied to FPGA. .................................. 33 
Figure 3.26 : Comparison of power measurement simulations. ................................ 34 
Figure 3.27 : Comparison of maximum peak levels................................................. 35 
Figure 3.28 :  Comparsion of frequency response of transimpedance gains with 
 ideal response. .................................................................................. 35 
Figure 3.29 :  Simulated correlation values of DPA by using SCM circuit. ................. 36 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
xviii 
  
 
 
 
NEW APPROACHES ON THE ENHANCEMENT OF SIDE CHANNEL 
ATTACK MEASUREMENTS AGAINST CRYPTOGRAPHIC DEVICES 
 
 
SUMMARY 
 
 
Cryptographic devices play an important role in modern security systems. They are 
used to provide secrecy of information. Until recently, the strength of the algorithm 
was thought to be the main factor to provide information security. In 1998, Kocher 
stated that the power consumption of cryptographic devices differs according to 
operation it conducts and by using SPA and DPA attack methods the secret key can 
be revealed. After this study of Kocher, the conﬁdence for cryptographic devices 
demolished and it was realised that implementation should be considered as a part of 
algorithm in cryptographic device design. After this point, in order to see the level of 
the strength of their devices , designers started to perform side channel attacks against 
the chip they developed. This approach led to new researches on the improvement of 
side channel attacks. The success of side channel attack is directly related with the 
quality of the power measurement. Therefore, enhancement of measurement results 
is very essential in order to reduce the number of measurement needed to obtain 
successful attack. 
Generally, power measurements are obtained by replacing a small valued resistance 
between the power supply and cryptographic device. The voltage drop across the 
resistor is proportional to the power consumption of the chip. The measurements 
performed with a simple resistor connection do not provide accurate results because 
of the following reasons: Connected resistance behaves as a ﬁlter with the parasitic 
capacitances of the cryptographic device. This ﬁlter characteristic limits the bandwidth 
between cells of the cryptographic device and the oscilloscope. The connected resistor 
is a low valued component. Therefore, the measured voltage drop across the resistor 
becomes low and this causes a reduction in the sensitivity of the measurement. In 
addition, since the voltage drop across the resistor depends on the current drawn from 
the cryptographic device, the bias voltage of the cryptographic device is not constant. 
This unstable bias voltage results in a change of the circuit characteristic.The problems 
mentioned above are observed with the simulations given in Chapter 3. In order to 
remove these problems, SCM circuit is proposed in 2006. This circuit provides a 
stable bias voltage to device under attack with a feedback loop. Therefore, it provides 
stable circuit characteristic during measurements. In addition, by providing a wide 
bandwidth between the cells of the cryptographic device and oscilloscope, it ensures 
accurate tracking of power traces. Also, since the transimpedance of the SCM cirucit 
is high, the peak values of the power traces can be easily distinguished from the mean 
value. The measured voltage values of SCM circuit is 8.5 times greater than voltage 
values measured with resistor. This means a 10dB improvement in signal to noise 
ratio which corresponds to an improvement in measurement sensitivity. 
 
 
 
xix 
As an alternative to SCM circuit, second generation current conveyor based SCM
circuit(CCII+ based SCM) is introduced in this thesis. According to simulation results,
SCM and CCII+ based SCM shows similar performance. Less active elements are
used in CCII+ based SCM. Unlike standard SCM, inductor is grounded in CCII+
based SCM. Therefore, it can be replaced by an active only grounded inductance
simulator. According to these assessments, it has been seen that CCII+ based SCM
is more convenient than standard SCM for CMOS applications. In addition, according
to power measurement simulations, measurements conducted by SCM and CCI+
based SCM provide more quality measurement results compared with measurements
conducted by resistor. Therefore, the number of power traces namely, the effort to
obtain a successful power analysis attack is expected to be decreased by using SCM
and CCII+ based SCM as power measurement circuits.
xx
KRI˙PTO AYGITLARINA KARS¸I YAPILAN YAN KANAL ATAK
ÖLÇÜMLERI˙NI˙N I˙YI˙LES¸TI˙RI˙LMESI˙ ÜZERI˙NE YENI˙ YAKLAS¸IMLAR
ÖZET
Kripto aygıtlarında bilgi güvenlig˘inin sag˘lanması günümüz emniyet sistemleri için
çok önemlidir. Yakın bir zamana kadar, kripto aygıtlarında bilgi güvenlig˘inin
sag˘lanması için esas faktörün kullanılan algoritmanın kuvveti oldug˘u düs¸ünülüyor ve
aras¸tırmalarda algoritmaların matematiksel olarak nasıl gelis¸tirilebileceg˘i üzerinde
duruluyordu. 1998 yılında Kocher, kripto aygıtlarının çektig˘i gücün farklı is¸lemler
için farklı deg˘erler gösterdig˘ini ve bunları gözleyip SPA ve DPA atak yöntemlerini
kullanarak gizli anahtarın ele geçirilebileceg˘ini gösterdi. SPA atakları daha az
mesaj bulunan basit algoritmalar için kullanılırken DPA algoritmaları daha komplike
algoritmlar için kullanılıyor. DPA atakları için gereken güç ölçüm sayısı fazla oldug˘u
için bu atakları gerçekles¸tirmek için güçlü bilgisayarlara ihtiyaç duyuluyor ve DPA
atakları oldukça dog˘ru sonuçlar veriyor.
Kocher’in çalıs¸masından sonra kripto aygıtlarına duyulan güven büyük ölçüde sarsıldı
ve kripto cihazlarının güvenlig˘inin sag˘lanması için dizayn as¸amasında dizaynın
gerçeklenmesiyle algoritmanın birlikte düs¸ünülmesi gerektig˘i ortaya çıktı. Bu
andan sonra tasarımcılar aygıtlarının ne kadar güvenilir oldug˘unu anlamak için
tasarladıkları çiplere yan kanal atakları uygulamaya bas¸ladılar. Bu uygulamalar yan
kanal ataklarının nasıl gelis¸tirilebileceg˘i hususunda çalıs¸malara yol açtı.
Yan kanal ataklarının bas¸arısı yapılan güç ölçümünün kalitesiyle dog˘rudan
bag˘lantılıdır. Dolayısıyla ölçüm sonuçlarının iyiles¸tirilmesi atag˘ı bas¸arıya ulas¸tırmak
için gereken ölçüm sayısını azalttıg˘ı için çok önemlidir. Güç ölçüm sonuçlarını
etkileyen temel kalite kriterleri elektronik gürültü ve anahtarlama gürültüsüdür.
Elektronik gürültünün ana unsurları güç kaynag˘ı gürültüsü, saat üretecinin gürültüsü,
devre kartı ve arayüz kartı arasındaki etkiles¸imden kaynaklanan gürültü, manyetik
emisyonlar ve kuantizasyon gürültüsüdür. Elektronik gürültü kaynakları her
devrede vardır ve bunları bütünüyle elimine etmek mümkün deg˘ildir. Anahtarlama
gürültüsü ise kripto aygıt hücrelerinin çıkıs¸ deg˘erlerinin GHz mertebesinde deg˘is¸mesi
sonucunda çıkmaktadır. Anahtarlama gürültüsü bu makalede anlatılan güç ölçüm
devreleri yardımıyla elimine edilebilir.
Güç ölçümleri genel olarak düs¸ük deg˘erli bir direncin kripto aygıtını besleyen güç
kaynag˘ıyla kripto aygıtı arasına bag˘lanarak direncin üzerinde meydana gelen voltaj
düs¸üs¸ünün ölçülmesiyle elde ediliyor. Bu ölçüm s¸u nedenlerle sag˘lıklı bir sonuç
vermiyor: Bag˘lanan direnç kripto aygıtının parazitik kapasitansıyla bir filtre gibi
davranarak ölçüm cihazıyla kripto cihazındaki hücreler arasındaki band genis¸lig˘ini
limitliyor. Bag˘lanan direnç deg˘eri düs¸ük oldug˘u için bu ölçülebilir voltaj deg˘erinin
düs¸ük olmasına ve ölçüm duyarlılıg˘ının düs¸mesine neden oluyor. Ayrıca direnç
üzerine düs¸en voltaj deg˘eri kripto aygıtı tarafından çekilen akıma bag˘lı oldug˘u için
kripto aygıtının besleme gerilimi sabit olmuyor. Bu da kripto aygıtının dengesiz bir
gerilimle beslenerek aygıt davranıs¸ının deg˘is¸mesine yol açıyor. Direnç ile yapılan
ölçümlerde ortaya çıkan bu aksaklıklar tezin üçüncü bölümünde verilen benzetimlerde
xxi
gözlenmis¸tir. Bu aksaklıkların ortadan kaldırılabilmesi için 2006 senesinde SCM
devresi önerilmis¸. Bu devre atak yapılan kripto aygıtına geri besleme ile sabit bir
besleme voltajı sag˘layarak ölçüm yapılırken cihaz karakteristig˘inin deg˘is¸memesini
sag˘lıyor. Ayrıca ölçüm cihazıyla kripto aygıtındaki hücreler arasında yüksek bir
band genis¸lig˘i ve kazanç sag˘layarak ölçümün yüksek dog˘rulukla takip edilebilmesini
ve ölçümdeki tepe deg˘erlerinin ortalama deg˘erden belirgin s¸ekilde ayrılmasını
sag˘lıyor. Ölçülen voltaj deg˘erinin dirençle yapılan ölçümlere kıyasla 8.5 kat fazla
olması sebebiyle ölçüm duyarlılıg˘ı artıyor ve sinyal gürültü oranında 10dB iyiles¸me
gözleniyor.
Bu makalede klasik yöntem olan direnç üzerinden yapılan ölçümler, SCM devresi
kullanılarak yapılan ölçümler ve SCM devresine alternatif olarak sunulan ikinci
nesil akım tas¸ıyıcı tabanlı SCM ile yapılan ölçümler devre karakteristikleri,
kutuplama voltaj stabiliteleri ve güç ölçüm performansları bakımından incelenmis¸ ve
deg˘erlendirilmis¸tir. Bilgisayar ortamında yapılan deg˘erlendirmeleri ve benzetimleri
daha gerçekçi kılmak adına bahsi geçen güç ölçüm devrelerinin giris¸ dataları için
labaratuvar ortamından akım ölçüm ucuyla alınan güç ölçümleri referans olarak
kullanılmıs¸tır. Ayrıca yapılan literatür aras¸tırmaları neticesinde kriptografik FPGA
es¸deg˘er modelinin 50nF’lık bir kapasitör ile 1.3nH’lik bir indüktörden olus¸tug˘u
gözlenmis¸tir. Yine gerçeg˘e yakın sonuçlar elde etmek için bu es¸deg˘er kriptografik
FPGA modeli bütün benzetimlerde kullanılmıs¸tır.
SCM devresinin alternatifi olarak ikinci nesil akım tas¸ıyıcı(CCII+) tabanlı SCM
devresi bu tezde sunulmus¸tur. Benzetim sonuçlarına göre CCII+ tabanlı SCM
devresi, kutuplama voltajı dıs¸ında ölçüm duyarlılıg˘ı, kazanç ve band genis¸lig˘i
yönünden standart SCM devresi ile benzer performans gösteriyor. CCII+ tabanlı SCM
devresinde standart SCM devresine göre daha az aktif eleman kullanılmıs¸tır. Standart
SCM’in aksine devre içersindeki indüktör topraklanmıs¸ oldug˘u için bu komponentin
yerine sadece aktif elemanlarla olus¸turulmus¸ bir indütör benzetimi kullanılabilir.
Bu deg˘erlendirmelere göre önerilen CCII+ tabanlı SCM devresinin standart SCM’e
göre CMOS uygulamaları için daha uygun oldug˘u görülmüs¸tür. Ayrıca yapılan
benzetim sonuçlarına göre güç ölçümlerinde standart SCM ve CCII+ tabanlı SCM’in
kullanılmasıyla direnç ile yapılan ölçümlere göre ölçüm kalitesinin arttıg˘ı sonucuna
varılmıs¸tır. Bu sonuca göre güç ölçümlerinde standart SCM ve CCII+ tabanlı SCM
kullanıldıg˘ı zaman direnç ile yapılan ölçümlere kıyasla atak için gereken ölçüm
sayısının, bas¸ka bir deyis¸le atag˘ı sonuca ulas¸tırmak için harcanan eforun azalacag˘ı
öngörülmektedir.
Bunların dıs¸ında SCM devresi kullanılarak bilgisayar ortamında diferansiyel güç
analizi benzetimi gerçekles¸tirilmis¸tir. Bu benzetim için 10000 data noktalı 8500
mesaj kullanılmıs¸tır. Bu benzetimin sonucu olarak korelasyon deg˘erlerinin güç
ölçüm sayısına göre deg˘is¸imi elde edilmis¸ ve bitler arasındaki ayrımın 3000. data
noktasından sonra bas¸ladıg˘ı tespit edilmis¸tir.
Sonuç olarak yan kanal atakları için yapılan ölçümlerde SCM devresinin en dog˘ru
ve güvenilir sonuçları verdig˘i görülmüs¸tür. CCII+ tabanlı SCM devresinin standart
SCM ile ölçüm duyarlılıg˘ı, kazanç ve band genis¸lig˘i yönünden benzer performans
sergiledig˘i ancak kutuplama voltaj stabilitesi yönünden CCII+ tabanlı SCM devresinin
zayıf oldug˘u ve bu dizaynın voltaj stabilitesi yönünden gelis¸tirilmesi gerektig˘i
görülmüs¸tür. Direnç ile yapılan güç ölçümleri ise dog˘ru ve güvenilir sonuçlar
vermemektedir çünkü ölçüm duyarlılıg˘ı, kutuplama voltaj stabilitesi, ölçüm devresiyle
kripto aygıtı arasındaki band genis¸lig˘i dig˘er devrelerle yapılan ölçümlere göre oldukça
düs¸üktür. Bu gözlemlere göre güç ölçümlerinde direnç yerine SCM güç ölçüm
xxii
devrelerinin kullanılması ölçüm için gereken eforu ve zamanı azaltacaktır.
xxiii
xxiv
1. INTRODUCTION
Cryptographic devices are used to securely store secret data. They are the main part
of security systems [4]. During the encryption process of cryptographic device, an
algorithm is executed. Execution of an algorithm leads to manipulation of secret data
such as secret keys. Hence, the cryptographic device has to protect this secret data
against accessing of third parties by preventing cloning [6].
The main research topic of cryptanalysis was mainly focused on the investigation of
the deficiencies and weaknesses in the algorithms. The physical implementation of the
cryptographic chip has been out of concern until, in 1998, Kocher [7] showed that the
secret data can be revealed from the cryptographic device by using a novel method:
side channel attacks. Side channel attacks are based on the information leakage from
the cryptographic device.
In cryptographic device, during the execution of an algorithm, physical quantities such
as power consumption, electromagnetic emission and execution timing shows different
waveforms based on the operation conducted by the cryptographic device. Therefore,
by monitoring these physical quantities, the secret information of the cryptographic
device can be reached. This leakage can be reduced by high-cost shielding and power
consumption filtering methods but it cannot be removed completely because of the
features of CMOS design technology. In CMOS technology, electron flow through the
silicon substrate of the transistor during charging or discharging of the transistor’s gate
capacitance, consumes power and produces electromagnetic radiation [7].
Nowadays, power analysis attacks are taken into account during design steps of
cryptographic devices in order to improve device resistance against side channel
attacks. Power analysis attacks are based on the measurement of the instantaneous
power consumption waveforms, which are also called as power traces from the device
under attack [6]. Therefore, the quality of the measurement directly affects the
effort(number of power traces) needed to obtain a successful attack.
1
1.1 Purpose of Thesis
Analog power measurement circuits are used between the device under attack and
the digital oscilloscope in order to improve the measurement quality and decrease the
power traces needed to obtain a successful attack.
In this thesis, three different power measurement circuits are explained, examined
and compared with each other. These power measurement circuits are resistive
measurement circuit(RMC), supply current measuring circuit(SCM) and second
generation current conveyor based supply current measuring circuit(CCII+ Based
SCM). Second generation current conveyor based supply current measuring
circuit(CCII+ Based SCM) is introduced for the first time in literature by this thesis.
1.2 Thesis Outline
This thesis presents general information about side channel attacks in cryptographic
devices and the description and application of the three analog circuits that are used in
power measurement setups. Chapter 1, gives brief information of the thesis with the
review of associated literature. Chapter 2 follows introduction chapter. In this chapter,
brief description of side channel attacks against cryptographic devices is given with
the information of how power analysis attacks are conducted. Chapter 3 deals with
power measurement circuits, detailed review of these circuits with power measurement
simulation results are presented. Power measuring circuits that are focused in this
chapter are given below:
◦ Resistive measurement circuit (RMC)
◦ Supply current measuring circuit (SCM)
◦ Second generation current conveyor based supply current measuring circuit (CCII+
Based SCM)
Conclusion and recommendations are given in Chapter 4. In addition, model
parameters used in PSpice simulations are given in Appendices part.
2
1.3 Simulations
All simulations are performed in PSpice software with the actual current drawn form
the chip data given as input and simulation results are interpreted in Matlab software.
Actual current drawn from the chip data is taken from the measurements of [1]. Bulk
terminal is connected to most positive power supply in PMOS transistors and most
negative power supply in NMOS transistors. In order to avoid confusion, bulk terminal
is not shown in circuit schematics. Model parameters used in PSpice simulations of
the CCII+ in Chapter 3 for NMOS is given in the Appendix A.1 and for PMOS is given
in the Appendix A.2.
3
4
2. SIDE CHANNEL ATTACKS AGAINST CRYPTOGRAPHIC DEVICES
2.1 Cryptography and Cryptographic Devices
Cryptographic algorithms are widely used to provide secrecy and unity of private data.
These algorithms are mathematical functions that takes a message which is usually
called plaintext and encrypts it via cryptographic key. The algorithm used is publicly
known but the key is kept secret. The most widely used cryptographic algorithms
are Advanced Encrypiton Standard(AES) and Rivest-Shamir-Adleman(RSA)
algorithms [4].
Cryptographic devices are electronic devices that are capable of implementing
Cryptographic algorithms. Smart cards and Radio-Frequency Identification(RFID)
cards are some examples of cryptographic devices.
A strong algorithm is not enough to secure the cryptographic key. Implementation of
the cryptographic system is also needed to be focused in order to ensure security.
Figure 2.1 shows a typical cryptography process.
Figure 2.1: Typical cryptography process [2].
2.2 Attacks on Cryptographic Devices
There are several attacks that try to reveal the cryptographic key. These attacks vary
in terms of time, cost and equipment needs. The categorizing is mainly based on
whether the attack is passive or active and whether it is invasive, semi-invasive or
5
non-invasive [4].
In passive attacks the key is obtained by measuring the physical properties of the
cryptographic device. Unlike the passive attacks, in active attacks, attacker interferes
the device and analyse it accordingly.
In invasive attacks device is de-packed and accessed by direct probing. In
semi-invasive attacks the device is again de-packed but this time it is observed without
a direct contact. In non-invasive attack, the device is observed by using the external
pins of it. Since, the device is not shattered, there is no evidence left behind [4].
Non-invasive attack is the cheapest and easiest way to conduct an attack against
cryptographic devices.
Side channel attacks are in the category of passive non-invasive attacks. It includes
power analysis attacks [7], timing attacks [8] and electromagnetic attacks [9], [10].
Power analysis attacks are more powerful and easier compared with timing attacks and
electromagnetic attacks. Figure 2.2 shows an example of an evaluation board used for
side channel attacks.
Figure 2.2: SASEBO-G side channel attack evaluation board [3].
6
2.3 Power Analysis Attacks
Because of the CMOS design rules, cryptographic device consumes different amount
of power during different operations. By observing this power consumption one
can reveal the secret key from the cryptographic device. There are two main power
analysis attacks. These are simple power analysis(SPA) attacks and differential power
analysis(DPA) attacks.
2.3.1 Simple power analysis
Simple power analysis(SPA) attack was introduced by Paul Kocher [7].Simple power
analysis(SPA) attack is used when there are small number of plaintexts. Therefore, in
SPA, attacker deals with only one or few traces [4]. The main disadvantage of this type
of attack is that the attacker should have a detailed knowledge about the device under
attack.
As an example, Figure 2.3 shows a power trace of a microcontroller while an AES
encryption is performed. Power is measured by connecting a 1Ω resistance via the
ground connection of the microcontroller. The power trace is uniform except the 10
negative peak points. These 10 negative peak points corresponds to the moments where
the AES algorithm is executed. Figure 2.4 shows detailed view of one of these peaks.
Since the device consumes different amount of power during different operations, by
knowing the used algorithm, the secret key can be found [4].
7
Figure 2.3: The power trace of the microcontroller performing AES encryption [4].
Figure 2.4: Detailed view of the power trace [4].
A simple double and add algorithm is given in Table 2.1. It is obvious that during
double and add operation cryptographic device will consume more power compared
with the double only operation. From the algorithm in Table 2.1, double and add
operation corresponds to a key bit 1 and the double only operation corresponds to a
key bit 0. The power trace corresponding to this algorithm is given in Figure 2.5. If
this power trace is analysed by considering the above fact, it can be easily found that
the key is 1001100 [1].
8
Table 2.1: Double and add algorithm [1].
1: Q←− P
2: for i from l-2 down to 0 do
3: Q←− 2Q
4: if ki = 1 then
5: Q←− Q+P
6: end if
7: end for
Figure 2.5: Detailed view of the power trace [1].
2.3.2 Differential power analysis
Differential power analysis(DPA) attack was introduced by Paul Kocher [7].
Differential power analysis(DPA) attack is used when the algorithm is complex and
there are many power traces. In DPA attack detailed knowledge of the device is not
necessary. This is the main advantage of DPA attack against SPA attack. In addition,
DPA attack is analysed at a fixed point, not necessarily at a fixed time [4].
All DPA attacks are based on the following steps illustrated in Figure 2.6 [4]:
1. Choose an intermediate result of the executed algorithm that is a function of
plaintext and key.
9
2. d=(d1,.....,dD)’ where di corresponds to the data value of the ith encryption.
Encryption of each data block results in a power trace. Measure the power consumption
of the cryptographic device during encryption of D different data blocks. With these
power traces a DxT size matrix can be formed where T denotes the length of the power
trace.
3. k=(k1,.....,kK)’ where ki denotes the ith key value which is also called as key
hypotheses. K is the total number of possible key values. Calculate hypothetical
intermediate values matrix V with size DxK.
Vi, j= f (di,k j) (2.1)
4. Map the hypothetical intermediate values V to hypothetical power consumption
values H by using Hamming-Distance or Hamming-Weight simulation techniques.
The quality of the mapping simulation determines the success of the DPA attack.
5. Make a comparison of hypothetical power consumption matrix H and power trace
matrix T. The result of this comparison leads to a matrix R with a size KxT . The
highest value of matrix R indicates the index of the used intermediate result and the
key. If the values of R are close to each other such that it is difficult to distinguish the
maximum value, it means there are not enough power traces to conduct a relationship
between hypothetical power consumption matrix and power trace matrix. More power
traces means more H and T columns and more definite result. The elements of R which
are also called as correlation coefficients can be found by using the following equation
where hi and t j denotes the mean values of hi and t j:
ri, j=
∑Dd=1(hd,i−hi)∗ (td, j−t j)√
∑Dd=1((hd,i−hi)2)∗∑Dd=1((td, j−t j)2)
(2.2)
(td, j−t j) term in Equation 2.2 approaches to zero while td, j approaches to t j. Namely,
for a chosen key value if the peak values of the power traces approach to its
neighbourhoods then it becomes difficult to distinguish the maximum value of R
matrix. Hence, it becomes harder to find a definite result from DPA attack. Therefore,
higher peak values in power trace measurements increases the probability of attack
success.
10
Figure 2.6: Block diagram of DPA attack steps [4].
2.4 Measurement Setup
Measurement setup of a typical power analysis attack consists of several components.
As shown in Figure 2.7, these components are [4]:
◦ Cryptographic Device
◦ Clock Generator
◦ Power Supply
◦ Power Measurement Circuit or Electromagnetic(EM) Probe
◦ Digital Sampling Oscilloscope
◦ Computer
11
Figure 2.7: Typical measurement setup [1].
A block diagram of a typical measurement setup is given in Figure 2.8.
Figure 2.8: Block diagram of typical measurement setup [4].
First cryptographic device is powered up with a stable external power supply and
supplied with a clock signal. Now device is ready for encryption. Then, computer
sets the oscilloscope and sends command to cryptographic device to start encryption.
During the encryption power consumption of the cryptographic device is measured by
a power measurement circuit or an EM probe and recorded by oscilloscope. Then,
output of cryptographic algorithm and recorded power traces are received by the
computer. These steps are repeated until necessary number of power traces obtained
[4].
2.5 Quality Criteria for Measurements
The power consumption of a cryptographic device is an analog high frequency(HF)
signal. Therefore, the power consumption of the individual cells are in the range
of GHz [4]. Furthermore, there are many factors that effect the quality of the
12
measurement. These are thermal noise, reflections on wires, crosstalk, filtering and
other interferes of the environment [4]. In order to obtain a correct measurement,
measurement setup should cope with the these factors. Hence, it is a challenging work
to measure the power traces of a cryptographic devices and the success of the power
analysis attack is directly related with the measurement precision.
The effects of thermal noise, reflections on wires, crosstalk, filtering and other
interferes of the environment can be observed as noise in the measurement of power
traces. The noise level in the power traces indicates the quality of the measurement. It
is also possible to conduct power trace measurement in a noisy environment. However,
noise increases the required number of power traces to obtain a successful attack.
There are two important noise components. These are electronic noise and switching
noise [4].
2.5.1 Electronic noise
Repeated power trace measurements with the same inputs result in different outputs.
The reason between this discrepancy is the electronic noise. Electronic noise appears
in every measurements and it is not possible to completely remove it [4]. The most
important electronic noise sources are given below [4]:
◦ Power Supply Noise: Any fluctuation in the power supply of the attacked
cryptographic device appears as noise in the power trace measurement. Hence, a very
stable power supply is a must.
◦ Noise of the Clock Generator: Correct alignment of power traces decreases the
effort needed to obtain a successful attack. Also, the noise in the amplitude of the
clock signal directly effects the power traces. In order to obtain accurate measurement
of power traces, stable clock frequency and stable clock signal amplitude is needed.
Therefore it is reasonable to use a sinusoidal clock signal instead of a rectangular one.
◦ Conducted Emissions: The measurement board and the interface board should be
separated and isolated in order to eliminate the noise caused by conducted emissions.
◦ Radiated Emissions: The effect of the noise caused by the radiated emissions can
be eliminated by putting the device under attack into a Faraday cage and shielding the
communication and measurement lines.
◦Quantization Noise: Analog-to-digital conversion conducted by oscilloscope causes
13
the quantization noise. Higher conversion resolution results in lower quantization
noise. Since there is a trade-off between the resolution and sampling rate of the
oscilloscope, it is important to choose a proper resolution. 8-bit resolution is sufficient
for power analysis attacks.
2.5.2 Switching noise
Cryptographic device cells switch their output at the rate of GHz during the execution
of the cryptographic algorithm. This switching operation causes high power
consumption. In power analysis attacks, the power consumption of the relevant
cell is important. Power consumption of all other components contributes to noise.
To eliminate this noise, precisely positioned small EM probes are used to perform
measurement. However, in practise it is not an easy job to precisely locate EM probes.
Usually instead of this method, the total power consumption is measured by inserting
an electronic circuit between the power supply and the attacked device. In this method,
two main factors effect the switching noise. These are bandwidth of the connection
between oscilloscope and logic cells and clock frequency of the device under attack [4].
2.5.3 Bandwidth
As mentioned before the power consumption of the individual cells are in the range of
GHz [4]. Therefore, in order to precisely measure the power consumption of the cells,
a path with the bandwidth range of GHz is necessary. This is not practical because
of the parasitics on the measurement path. For example, power supplies are usually
built with a high capacitance between VDD and GND ports in order to provide stable
bias. However, this connection compromise a big parasitic in the path of the power
consumption signal. Also, the connections established between the power supply and
the GND and VDD pins of the cryptographic device via bonding wires add parasitic
inductance to the path of the power consumption signal. This parasitic inductance
with the on-chip bypass capacitance constitute a filter on the power signal path.
The bandwidth of this filter limits the bandwidth of the original power consumption
signal [4]. The effects of this undesirable filter can be reduced with the circuits given
in Chapter 3 of this thesis but cannot be removed completely. Figure 2.9 shows the
14
impedance measurement of a cryptographic FPGA [5]. From this figure, it is obvious
that the equivalent model of a cryptographic FPGA is composed of a capacitance of
50 nF and an inductance of 1.3 nH.
Figure 2.9: Impedance measurement of a cryptographic FPGA [5].
2.5.4 Clock frequency
Clock frequency is another contributor to switching noise. If very high clock frequency
is used for the device under attack, then the measured power signals of consecutive
clock cycles may overlap resulting in a wrong measurement. If the cryptographic
device specification permits, it is better to attack with low clock frequency in order to
reduce switching noise.
15
16
3. POWER MEASUREMENT CIRCUITS
Power measurement circuits are used to measure the power consumption of a
cryptographic device. There are some factors limiting the quality of the measurement
that are mentioned previously. However, to conduct a successful attack the power
measurement should be precise. Hence, it is very crucial to design and use fast, reliable
power measurement circuits.
In this chapter, widely used resistive measurement circuit(RMC) and supply-current
measuring circuit(SCM) are explained. In addition to these circuits, a new SCM
circuit based on a second generation current conveyor(CCII+) is introduced. Also,
a comparison of these circuits is given at the end of this chapter.
Power consumption data of a cryptography chip shown in Figure 3.1 was taken from
laboratory environment [1]. As stated in [1] the clock frequency applied to the chip
is around 300 kHz and the sampling frequency of the oscilloscope is 250 MHz. This
data is used as input to power measurement circuits to conduct a realistic simulation
profile. From now on this data will be referred as actual chip current.
Figure 3.1: Actual current drawn from the chip.
17
3.1 Resistive Measurement Circuit
Resistive Measurment Circuit (RMC) consists of a small resistor connected between
the VDD or VSS pins of the cryptographic device and the power supply.
3.1.1 Circuit description of RMC
The circuit schematic of RMC is given in Figure 3.2. The voltage drop across the
resistor is proportional to power consumption of the chip.
Figure 3.2: Resistive measurement circuit(RMC) [6].
This circuit is very easy to implement. However, it is very hard to obtain good quality
results because of the following limitations [6]:
1. Because of the parasitic capacitances of the cryptographic device, there occurs a
time constant R.C. This time constant limits the bandwidth of the power signal. Hence,
low values of R should be used in this configuration.
2. R is the amplification factor of the measured current signal. If the value of R chosen
low, then the output voltage level will be low. Hence, it will be harder to measure the
output voltage level. This means a reduction in the sensitivity of the measurement.
Therefore, if low values are chosen for R value to increase the bandwidth, then
sensitivity of the measurement would be lower. There is a trade-off between bandwidth
and sensitivity of RMC.
3. The resistor R causes a I(t) ∗ R voltage drop. Hence, the bias voltage of the
cryptographic chip becomes VDD′ = VDD− I(t) ∗R. Since, this expression depends
18
on the drawn current, it is not stable. This unstable bias voltage affects the behaviour
of the cryptographic chip and results in misleading evaluations.
3.1.2 Main characteristics of RMC
The resistive measurement simulation circuit based on the equivalent cryptographic
FPGA model is given in Figure 3.3. The measurement resistance R is chosen as 50Ω.
C f pga is 50nF and L f pga is 1.3nH. 3.3VVDD bias voltage is used for the attacked FPGA.
Figure 3.3: RMC simulation circuit.
The bias voltage of the FPGA in RMC is shown in the Figure 3.4. It can be seen that
the bias voltage is not stable.
Figure 3.4: Bias voltage of the FPGA in RMC.
19
The frequency dependence of input impedance is shown in Figure 3.5. As expected it
shows a series RLC characteristic.
Figure 3.5: Input impedance characteristic of RMC.
3.1.3 Power measurement simulation of RMC
The power measurement simulation result of RMC is given in Figure 3.6. It can be
seen from the figure that the RMC output is not able to follow the actual chip current
because of its limited bandwidth. Also, RMC output is attenuated. 0.11V max voltage
level shows that the sensitivity is very low.
Figure 3.6: Power measurement simulation of RMC.
20
3.2 Supply Current Measuring Circuit(SCM)
Supply current measuring circuit(SCM) is introduced by Bucci in 2006 [11]. This
circuit is an active circuit that measure the instantaneous current consumption of the
device under attack while at the same time supplying the device with a stable bias
voltage. By supplying stable bias voltage, power analysis attacks can be conducted
with high precision without disturbing the operation of the device under attack. SCM
circuit denotes a low impedance current measuring input and high transimpedance
gain while providing a stable bias [6]. Therefore, SCM circuit exhibits higher
bandwidth, higher sensitivity and more stable bias compared with RMC.
3.2.1 Circuit description of SCM
The circuit schematic of SCM is given in Figure 3.7. Current consumption signal
Iin(t) is read from the device under attack. The reference input VDD is connected to
the positive terminal of the input opamp. A stable bias voltage VDD is provided to the
device under attack at the negative terminal of the opamp via low-frequency voltage
feedback loop closed after a voltage buffer [6].
High slew rate and low noise were the main criteria for the selection of the discrete
components [6]. AD8009 has been chosen for opamps. In order to eliminate the
oscillation, 10pF value has been chosen for the compensation capacitance C f . 500 Ω
value has been chosen for R f to obtain a transimpedance gain of 250 V/A. 100 µH
value has been chosen for inductance L. +5V/-5V bias voltage is used for the SCM
and 3.3 V VDD bias voltage is used for the attacked FPGA.
The output voltage of the SCM can be expressed as follows:
Vout(t) =−R f2 Iin(t) (3.1)
Then, the transimpedance gain is,
T (s) =
R f
2
(3.2)
21
Figure 3.7: Supply current measurement circuit.
For Av(voltage gain of the transimpedance amplifier)  1, transfer function of SCM
can be formulated as follows:
Vout
Iin
(s)'−1
2
R fLs
R f +Ls+R fC fLs2
(3.3)
Assuming poles of the transfer function apart from each other such that p1  p2,
routine transfer function analysis yields the following pole locations:
(s+ p1)(s+ p2) = R f +Ls+R fC fLs2 (3.4)
s2 + s(p1 + p2)+ p1p2 = R f +Ls+R fC fLs2 (3.5)
p1 =
1
R fC f
(3.6)
p2 =
R f
L
(3.7)
DC analysis of SCM for U1 opamp yields the following equations:
Av(V2,+−V2,−) =V2,out (3.8)
Av(V1,out−V2,out) =V2,out (3.9)
V2,out =
Av
Av+1
V1,out (3.10)
V2,out 'V1,out (3.11)
Using Equation 3.11, DC analysis for U1 opamp yields:
Av(V1,+−V1,−) =V1,out (3.12)
22
Av(V1,+−V1,out) =V1,out (3.13)
V1,+ =
Av+1
Av
V1,out (3.14)
V1,+ =VDD 'V1,out 'V1,− (3.15)
Equation 3.15 shows that the voltage feedback provides stable bias to device under
attack which is connected to negative terminal of U1 opamp.
U2 opamp is used to prevent input current flowing in the reverse direction through the
inductor. If direct connection made between V1,out and the inductor, the output of the
U1 opamp V1,out would be affected.
Low impedance value at the input of the SCM is essential in order not to load the
cryptographic device. As shown in Equation 3.17, theoretical input impedance is very
low.
Zin =
1
1+Av
(R f//
1
sC f
//sL) (3.16)
Av 1,Zin −→ 0 (3.17)
3.2.2 Main characteristics of SCM
The supply current measuring circuit based on the equivalent cryptographic FPGA
model is given in Figure 3.8.
Figure 3.8: SCM simulation circuit.
23
The bias voltage of the attacked FPGA in SCM is shown in the Figure 3.9. It can be
seen that attacked FPGA is biased with a stable 3.3V.
Figure 3.9: Bias voltage of FPGA in SCM.
The frequency response of the transimpedance gain for SCM compared with ideal
characteristic given in Equation (3.3) is shown in Figure 3.10.
Figure 3.10: Frequency response of transimpedance gain for SCM compared with
ideal response.
24
The frequency dependence of input impedance for SCM is shown in Figure 3.11. It
can be seen that input impedance is low as expected.
Figure 3.11: Input impedance characteristic of SCM.
3.2.3 Power measurement simulation of SCM
The power measurement simulation result of SCM is given in Figure 3.12. It can be
seen from the figure that the SMC output follows the actual chip current successfully.
Since peak values are amplified and the difference between the maximum valued
consecutive peaks are increased, the difference between correlation coefficient values
in R matrix becomes more distinctive. Hence, the number of power traces needed to
conduct a DPA attack is significantly reduced. Furthermore, peak amplitudes ranging
from 0.1V to 0.9V shows an improvement in the sensitivity.
3.3 CCII+ Based Supply Current Measuring Circuit
Second generation current conveyor(CCII) is a multi-purpose analogue component that
is widely used in signal processing applications and it constitutes a building block for
universal active element design [12]. It is introduced by Sedra and Smith in 1970.
Since 1970, different types of current conveyor designs have been introduced [13]
[14].The block diagram of an ideal CCII is given in Figure 3.13. Basically, an ideal
CCII is a three terminal device with terminals X, Y and Z. There is a voltage follower
25
Figure 3.12: Power measurement simulation of SCM.
between X and Y terminals and a positive CCII+ or a negative CCII- current follower
between X and Z terminals [15] Terminal relations of an ideal CCII is given in Equation
3.18.
Figure 3.13: Block diagram of an ideal CCII.
 iyvx
iz
=
0 0 01 Rx 0
0 ±1 0
vyix
vz
 (3.18)
A CCII+ based SCM circuit design is proposed in this part of the thesis. This power
measurement circuit operates with the same principle of the SCM circuit explained
in the previous section. However, CCII+ based SCM circuit constructed with less
active elements and since the inductor is grounded it can be replaced with an active
only grounded inductor simulator [16]. By this way CMOS realisation of SCM circuit
becomes feasible.
26
3.3.1 Circuit description of CCII+ based SCM
Schematic of a typical second generation translinear current conveyor circuit is given
in Figure 3.14. 3.3V bias voltage is needed for FPGA. The typical translinear CCII+
shown in Figure 3.14 is not able to supply this voltage at Y terminal. Hence, this
topology is modified. The realisation of the modified CCII+ used in SCM circuit is
shown in Figure 3.15. Transistor aspect ratios are given in Table 3.1.
Figure 3.14: Schematic of a typical translinear CCII+ circuit.
Figure 3.15: Realisation of modified CCII+.
Table 3.1: Transistor aspect ratios of designed CCII+.
Transistors W L
M1-M2 150 1.2
M3-M4 125 1.2
27
Small signal resistance at X terminal of CCII+ can be expressed with the following
equation:
rx =
1
gm2
(1+
ro3
ro2
) =
1
gm2
(1+
1
gm3
ro2
) (3.19)
This relationship shows that rx is approximately equal to 1gm2 which is expected to be
in the range of hundred Ωs.
Small signal resistance at Y and Z terminals of CCII+ can be expressed with the
following equations:
ry ' ∞ (3.20)
rz = ro4 (3.21)
The circuit schematic of CCII+ based SCM is given in Figure 3.16. The bias voltage
VDD connected to y terminal appears at the x terminal of CCII+. Hence, VDD voltage
becomes the bias voltage of the FPGA under attack. The current drawn from the FPGA
is conveyed to z terminal and filtered with a parallel RLC circuit. The values for RLC
circuit are chosen as R f=250Ω, C f=10pF , L=100µH. A voltage buffer is used at the
output stage. The transfer function expression of CCII+ based SCM is identical to
SCM transfer function given in Equation 3.3.
Figure 3.16: Schematic of CCII+ based SCM circuit.
3.3.2 Main characteristics of CCII+ based SCM
In this section main characteristics of the designed CCII+ is given before the main
characteristics of CCII+ based SCM. CCII+ circuit simulations are obtained for a bias
28
current of 2mA. The voltage transfer characteristics of CCII+ is given in Figure 3.17.
It indicates a close voltage ratio between input voltages 2V to 5V. The current transfer
characteristic of CCII+ is shown in Figure 3.18. There is a DC current gain of 2.11
between ix and iz. The DC current gain is advantageous for the operation of SCM
because it increases the measured peak values of the power traces.
Figure 3.17: Voltage transfer characteristic of CCII+.
Figure 3.18: Current transfer characteristic of CCII+.
29
Frequency response of the voltage gain between Y and X terminals is given in Figure
3.19. The voltage bandwidth is exceeding 100MHz.
Figure 3.19: Frequency response of voltage gain between Y and X terminals of CCII+.
Frequency response of the current gain between X and Z terminals is shown in Figure
3.20.
Figure 3.20: Frequency response of current gain between X and Z terminals of CCII+.
30
The frequency dependency of the parasitic resistance at X terminal of CCII+ is shown
in Figure 3.21. It exhibits 245Ω value.
Figure 3.21: Frequency dependency of the parasitic resistance at X terminal of CCII+.
The bias voltage of the attacked FPGA connected to X terminal of CCII+ based SCM
is shown in the Figure 3.22. The bias voltage is not stable. The stability can be
increased by further improvement of the CCII+ design.
Figure 3.22: Bias voltage of FPGA in CCII+ based SCM.
31
The frequency response of the transimpedance gain for CCII+ based SCM compared
with ideal characteristic given in Equation 3.3 is shown in Figure 3.23.
Figure 3.23: Frequency response of transimpedance gain for CCII+ based SCM
compared with ideal response.
3.3.3 Power measurement simulation of CCII+ based SCM
The power measurement simulation result of CCII+ based SCM is given in Figure
3.24. CCII+ based SCM follows the actual chip current with high precision. In
addition, it amplifies the peak values while increasing the bandwidth of the current
signals. Therefore, it provides a prosperous measurement of power traces and
decreases the effort needed to conduct a DPA attack.
3.4 Comparison of Power Measurement Circuits
Brief comparison of the power measurement circuits explained in the previous
sections is given in this section. Comparison is based on bias stability, measurement
accuracy and the degree of sensitivity. Also, a comparison of frequency response of
transimpedance gain for standard SCM and CCII+ based SCM with the expected ideal
response is given at the end of this section.
32
Figure 3.24: Power measurement simulation of CCII+ based SCM.
Comparison of bias voltages supplied to FPGA under three different power
measurement configuration is shown in Figure 3.25. It can be seen from the figure
that standard SCM provides more stable bias voltage compared with RMC and
CCII+ based SCM. The reason behind this performance is the low frequency voltage
feedback loop provided by an inductor. CCII+ based SCM is expected to supply more
stable bias, however the parasitic gate capacitances of the input transistors pose an
obstacle to it. Bias stability of CCII+ based SCM can be increased by a more effective
design that eliminates the effect of the input parasitic capacitances. In RMC, since
there is no feedback loop compensating the variations of bias voltage, the bias voltage
will change in accordance with the current drawn from the FPGA.
Figure 3.25: Comparsion of bias voltages supplied to FPGA.
33
Comparison of power measurement simulations with supplied actual chip current in
terms of measurement accuracy is given in Figure 3.26. Because of the high bandwidth
and transimpedance gain of standard SCM and CCII+ based SCM, they show excellent
performance while tracking actual chip current. On the other hand, RMC could not
able to follow the actual chip current due to its bandwidth limitation. The wide
difference between bandwidths can be interpreted by comparing the peak durations.
According to these results the following inference can be made: If a DPA attack is
conducted using RMC, standard SCM and CCII+ based SCM with the same number
of power trace measurement , it will be easier to distinguish the maximum correlation
coefficient value in R matrix in attacks performed by standard SCM and CCII+ based
SCM.
Figure 3.26: Comparison of power measurement simulations.
Comparison of maximum peak levels for RMC, standard SCM and CCII+ based SCM
is given in Figure 3.27. For standard SCM and CCII+ based SCM peak amplitudes
are ranging from 0.1V to 0.94V. On the contrary, maximum peak amplitude for RMC
is 0.11V. The maximum peak amplitude of RMC is 8.5 times smaller than peak
amplitude of standard SCM and CCII+ based SCM. Equation 3.22 shows signal to
noise ratio(SNR) expression. If Equation 3.22 is taken as a figure of merit at sensitivity
comparison, standard SCM and CCII+ based SCM shows 10dB improvement in the
sensitivity to the current consumption variations of a device under attack [6].
34
SNR= 10log(
S
N
) (3.22)
Figure 3.27: Comparison of maximum peak levels.
Comparison of frequency response of transimpedance gain for standard SCM and
CCII+ based SCM with the expected ideal response based on Equation 3.3 is shown in
Figure 3.28. As it can be seen from the Figure 3.28, theoretical transfer characteristic
obtained in Equation 3.3 fits substantially with the simulation results.
Figure 3.28: Comparsion of frequency response of transimpedance gains with ideal
response.
35
3.4.1 Simulated correlation values of DPA by using SCM circuit
Simulated correlation values of power analysis attack conducted can be seen from
Figure 3.29. Blue graph corresponds to "1" bit and red graph corresponds to "0" bit.
As it is seen from Figure 3.29, separation begins after 3000 power trace. Therefore, it
can be concluded that corresponding bit is 0.
Figure 3.29: Simulated correlation values of DPA by using SCM circuit.
36
4. CONCLUSIONS AND RECOMMENDATIONS
Cryptographic devices are the main part of security systems [4]. No information should
leak during encryption process. However, Kocher showed that there is an information
leakage that could be obtained by monitoring power consumption, electromagnetic
emission and execution timing [7]. The monitoring of such physical quantities of
cryptographic device is called side channel attack.
Power consumption simulations are performed both by designers and attackers.
Attackers use these simulations to reveal the secret key of the cryptographic chip
whereas designers use it to predict the resistance of their designs against side channel
attacks.
Typical measurement setup to perform a power analysis attacks is composed of a power
supply, a clock generator, a measurement circuit, a digital sampling oscilloscope and
the attacked cryptographic device [4]. These components are easy to find and low
cost in such a way that one can perform this attack at anywhere. There are two
main power analysis attacks. These are simple power analysis(SPA) and differential
power analysis(DPA). Both are introduced by Kocher. DPA is a more effective attack
compared with SPA for sophisticated cryptographic devices.
The success of power analysis attack highly depends on the quality of the
measurements. The figure of merit of power analysis measurements is signal to noise
ratio(SNR) of measured power trace. Noise in power measurements consists of two
components. These are electronic noise and switching noise. Switching noise is highly
depends on the clock frequency of the cryptographic device and the bandwidth of the
connection between logic cells and oscilloscope [4]. It is not possible to completely
remove electronic noise and switching noise. However, by using SCM and CCII+
based SCM power measurement circuits explained in Chapter 3, the SNR of the
measured power waveform can be improved.
The power analysis measurements can be performed with the circuits given in Chapter
3. The resistive measurement circuit(RMC) is widely used in power measurement
applications. However, RMC is not able to give good quality measurement results
37
because its bandwidth and sensitivity is limited and it is not able to supply stable bias
to device under attack [6] SCM circuit introduced in 2006 and CCII+ based SCM
circuit introduced in this thesis provide significant improvement in terms of bandwidth,
sensitivity and bias stability. The results of these improvements can be seen from the
power simulations obtained in Chapter 3. These improvements are expected to lead
a reduction in the number of power traces needed to perform power analysis attacks.
The newly introduced CCII+ based SCM circuit showed a similar performance with
standard SCM. There are two main advantages of CCII+ based SCM. It has less active
elements than standard SCM. Also, since the inductor is grounded in CCII+ based
SCM, it is more suitable for CMOS realisation. Hence, the newly introduced CCII+
based SCM circuit can be used as an alternative to standard SCM circuit. However, it
is hard to provide stable bias with CCII+ based SCM.
38
REFERENCES
[1] De Mulder, E., Örs, S.B., Preneel, B. and Verbauwhede, I. (2007). Differential
power and electromagnetic attacks on a FPGA implementation of
elliptic curve cryptosystems, Computers and Electrical Engineering, 33,
367–382.
[2] Url-1, http://www.idga.org, access date: 26.04.2014.
[3] Url-2, http://www.rcis.aist.go.jp, access date: 26.04.2014.
[4] Mangard, S., Oswald, M.E. and Popp, T. (2007). Power Analysis Attacks -
Revealing the Secrets of Smart Cards.
[5] Iokibe, K., A.T.O.K. and Toyota, Y. (2013). Equivalent circuit modeling of
cryptographic integrated circuit for information security design, IEEE
Transactions on Electromagnetic Compatibility, 55, 581–588.
[6] Bucci, M., Giancane, L., Luzzi, R., Scotti, G. and Trifiletti, A. (2008).
Enhancing power analysis attacks against cryptographic devices, IET
Circuits, Devices and Systems.
[7] Kocher, P. C., J.J. and Jun, J. (1999). Differential Power Analysis, Advances
in Cryptology: Proceedings of CRYPTO’ 99, Santa Barbara, California,
USA.
[8] Kocher, P.C. (1996). Timing Attacks on Implementations of Diffie-Helman,
RSA, DSS, and Other Systems, Advances in Cryptology: Proceedings of
CRYPTO’ 96, Santa Barbara, California, USA.
[9] Gandolfi, K., Mourtel, C. and Olivier, F. (2001). Electromagnetic Analysis :
Concrete Results, Cryptographic Hardware and Embedded Systems —
CHES 2001, 2162, 251–261.
[10] Quisquater, J.J. and Samyde, D. (2001). Electromagnetic analysis (ema): Mea-
sures and counter-measures for smart cards, Smart Card Programming and
Security, 200–210.
[11] Bucci, M., Giancane, L., Luzzi, R., Scotti, G. and Trifiletti, A. (2006).
Enhancing power analysis attacks against cryptographic devices, 2006
IEEE International Symposium on Circuits and Systems.
[12] Smith, K. and Sedra, A. (1970). “A second-generation current conveyor and its
applications, IEEE Transactions on Circuit Theory, 17, 132–134.
39
[13] Minaei, S., Sayin, O. and Kuntman, H. (2006). A new CMOS electronically
tunable current conveyor and its application to current-mode filters, IEEE
Transactions on Circuits and Systems I: Regular Papers, 53.
[14] Becvar, D., Vrba, K., Zeman, V. and Musil, V. (2000). Novel universal active
block: a universal current conveyor, 2000 IEEE International Symposium
on Circuits and Systems. Emerging Technologies for the 21st Century.
Proceedings (IEEE Cat No.00CH36353), 3.
[15] Calvo, B., C.S.M.P. and M. T., S. (2003). Novel high performance CMOS current
conveyor, Microelectronics Reliability, volume 43, pp.955–961.
[16] Yamacli, S., O.S.K.H. (2011). New active-only grounded inductance simulator
employing current-mode approach suitable for wide band operation,
International Journal of Electronics, 98, 981–994.
40
APPENDICES
APPENDIX A.1 : PSpice Model Parameters for NMOS
APPENDIX A.2 : PSpice Model Parameters for PMOS
41
42
APPENDIX A.1
* *** Flags ***
+MOBMOD =1.000e+00 CAPMOD =2.000e+00
+NLEV =0
* *** Threshold voltage related model parameters ***
+K1 =6.044e-01
+K2 =2.945e-03 K3 =-1.72e+00 K3B =6.325e-01
+NCH =2.310e+17 VTH0 =4.655e-01
+VOFF =-5.72e-02 DVT0 =2.227e+01 DVT1 =1.051e+00
+DVT2 =3.393e-03 KETA =-6.21e-04
+PSCBE1 =2.756e+08 PSCBE2 =9.645e-06
+DVT0W =0.000e+00 DVT1W =0.000e+00 DVT2W =0.000e+00
* *** Mobility related model parameters ***
+UA =1.000e-12 UB =1.723e-18 UC =5.756e-11
+U0 =4.035e+02
* *** Subthreshold related parameters ***
+DSUB =5.000e-01 ETA0 =3.085e-02 ETAB =-3.95e-02
+NFACTOR=1.119e-01
* *** Saturation related parameters ***
+EM =4.100e+07 PCLM =6.831e-01
+PDIBLC1=1.076e-01 PDIBLC2=1.453e-03 DROUT =5.000e-01
+A0 =2.208e+00 A1 =0.000e+00 A2 =1.000e+00
+PVAG =0.000e+00 VSAT =1.178e+05 AGS =2.490e-01
+B0 =-1.76e-08 B1 =0.000e+00 DELTA =1.000e-02
+PDIBLCB=2.583e-01
* *** Geometry modulation related parameters ***
+W0 =1.184e-07 DLC =8.285e-09
+DWC =2.676e-08 DWB =0.000e+00 DWG =0.000e+00
+LL =0.000e+00 LW =0.000e+00 LWL =0.000e+00
+LLN =1.000e+00 LWN =1.000e+00 WL =0.000e+00
+WW =0.000e+00 WWL =0.000e+00 WLN =1.000e+00
+WWN =1.000e+00
* *** Temperature effect parameters ***
+AT =3.300e+04 UTE =-1.80e+00
+KT1 =-3.30e-01 KT2 =2.200e-02 KT1L =0.000e+00
+UA1 =0.000e+00 UB1 =0.000e+00 UC1 =0.000e+00
+PRT =0.000e+00
* *** Overlap capacitance related and dynamic model parameters ***
+CGDO =2.100e-10 CGSO =2.100e-10 CGBO =1.100e-10
+CGDL =0.000e+00 CGSL =0.000e+00 CKAPPA =6.000e-01
+CF =0.000e+00 ELM =5.000e+00
+XPART =1.000e+00 CLC =1.000e-15 CLE =6.000e-01
* *** Parasitic resistance and capacitance related model parameters ***
+RDSW =6.043e+02
43
+CDSC =0.000e+00 CDSCB =0.000e+00 CDSCD =8.448e-05
+PRWB =0.000e+00 PRWG =0.000e+00 CIT =1.000e-03
* *** Process and parameters extraction related model parameters ***
+TOX =7.700e-09 NGATE =0.000e+00
+NLX =1.918e-07
* *** Substrate current related model parameters ***
+ALPHA0 =0.000e+00 BETA0 =3.000e+01
* *** Noise effect related model parameters ***
+AF =1.400e+00 KF =2.810e-27 EF =1.000e+00
+NOIA =1.000e+20 NOIB =5.000e+04 NOIC =-1.40e-12
* *** Common extrinsic model parameters ***
+LINT =-1.67e-08 WINT =2.676e-08 XJ =3.000e-07
+RSH =8.200e+01 JS =2.000e-05
+CJ =9.300e-04 CJSW =2.800e-10
+MJ =3.100e-01 MJSW =1.900e-01
+PB =6.900e-01 TT =0.000e+00
+PBSW =9.400e-01
* ———————————————————————-
44
APPENDIX A.2
* *** Flags ***
+MOBMOD =1.000e+00 CAPMOD =2.000e+00
+NLEV =0
* *** Threshold voltage related model parameters ***
+K1 =5.675e-01
+K2 =-4.39e-02 K3 =4.540e+00 K3B =-8.52e-01
+NCH =1.032e+17 VTH0 =-6.17e-01
+VOFF =-1.13e-01 DVT0 =1.482e+00 DVT1 =3.884e-01
+DVT2 =-1.15e-02 KETA =-2.56e-02
+PSCBE1 =1.000e+09 PSCBE2 =1.000e-08
+DVT0W =0.000e+00 DVT1W =0.000e+00 DVT2W =0.000e+00
* *** Mobility related model parameters ***
+UA =2.120e-10 UB =8.290e-19 UC =-5.28e-11
+U0 =1.296e+02
* *** Subthreshold related parameters ***
+DSUB =5.000e-01 ETA0 =2.293e-01 ETAB =-3.92e-03
+NFACTOR=8.237e-01
* *** Saturation related parameters ***
+EM =4.100e+07 PCLM =2.979e+00
+PDIBLC1=3.310e-02 PDIBLC2=1.000e-09 DROUT =5.000e-01
+A0 =1.423e+00 A1 =0.000e+00 A2 =1.000e+00
+PVAG =0.000e+00 VSAT =2.000e+05 AGS =3.482e-01
+B0 =2.719e-07 B1 =0.000e+00 DELTA =1.000e-02
+PDIBLCB=-1.78e-02
* *** Geometry modulation related parameters ***
+W0 =4.894e-08 DLC =-5.64e-08
+DWC =3.845e-08 DWB =0.000e+00 DWG =0.000e+00
+LL =0.000e+00 LW =0.000e+00 LWL =0.000e+00
+LLN =1.000e+00 LWN =1.000e+00 WL =0.000e+00
+WW =0.000e+00 WWL =0.000e+00 WLN =1.000e+00
+WWN =1.000e+00
* *** Temperature effect parameters ***
+AT =3.300e+04 UTE =-1.35e+00
+KT1 =-5.70e-01 KT2 =2.200e-02 KT1L =0.000e+00
+UA1 =0.000e+00 UB1 =0.000e+00 UC1 =0.000e+00
+PRT =0.000e+00
* *** Overlap capacitance related and dynamic model parameters ***
+CGDO =2.100e-10 CGSO =2.100e-10 CGBO =1.100e-10
+CGDL =0.000e+00 CGSL =0.000e+00 CKAPPA =6.000e-01
+CF =0.000e+00 ELM =5.000e+00
+XPART =1.000e+00 CLC =1.000e-15 CLE =6.000e-01
* *** Parasitic resistance and capacitance related model parameters ***
+RDSW =1.853e+03
+CDSC =6.994e-04 CDSCB =2.943e-04 CDSCD =1.970e-04
+PRWB =0.000e+00 PRWG =0.000e+00 CIT =1.173e-04
* *** Process and parameters extraction related model parameters ***
45
+TOX =7.700e-09 NGATE =0.000e+00
+NLX =1.770e-07
* *** Substrate current related model parameters ***
+ALPHA0 =0.000e+00 BETA0 =3.000e+01
* *** Noise effect related model parameters ***
+AF =1.290e+00 KF =1.090e-27 EF =1.000e+00
+NOIA =1.000e+20 NOIB =5.000e+04 NOIC =-1.40e-12
* *** Common extrinsic model parameters ***
+LINT =-8.14e-08 WINT =3.845e-08 XJ =3.000e-07
+RSH =1.560e+02 JS =2.000e-05
+CJ =1.420e-03 CJSW =3.800e-10
+MJ =5.500e-01 MJSW =3.900e-01
+PB =1.020e+00 TT =0.000e+00
+PBSW =9.400e-01
* ———————————————————————-
46
CURRICULUM VITAE
Name Surname: Ahmet Emin Bekmezci
Place and Date of Birth: Seyhan, 15.10.1990
E-Mail: ahmetemin_3@hotmail.com
B.Sc.: METU, Electrical and Electronics Engineering (2012)
Professional Experience and Rewards:
02/2012-05/2012 : Part-Time Engineer
Micro-Nano Devices Design Division,
Microelectronics,Guidance and Electro-optics Division (MGEO)
ASELSAN Electronic Industries Inc., Ankara
06/2011-07/2011: Summer Internship
Micro-Nano Devices Design Division,
Microelectronics, Guidance and Electro-optics Division (MGEO)
ASELSAN Electronic Industries Inc., Ankara
07/2011-08/2011: Summer Internship
Radar Division,
DHMI˙ Adnan Menderes Airport Electronics Directory, I˙zmir
2010-2011: Undergraduate Researcher
Advisor: Assoc. Prof. Ali Özgür Yılmaz
Research Area: Radar Signal Processing
Middle East Technical University(METU), Ankara
47
