ARTICLE IN PRESS

INTEGRATION, the VLSI journal 42 (2009) 468–478

Contents lists available at ScienceDirect

INTEGRATION, the VLSI journal

0167-92

doi:10.1

$ Thi� Corr

E-m

salmasi@

eisenba

journal homepage: www.elsevier.com/locate/vlsi

Vulnerability modeling of cryptographic hardware to poweranalysis attacks$

Amir Moradi a,�, Mahmoud Salmasizadeh b, Mohammad Taghi Manzuri Shalmani a, Thomas Eisenbarth c

a Department of Computer Engineering, Sharif University of Technology, Tehran, Iranb Electronics Research Center, Sharif University of Technology, Tehran, Iranc Horst Gortz Institute for IT Security, Ruhr University Bochum, Germany

a r t i c l e i n f o

Article history:

Received 2 March 2008

Received in revised form

16 September 2008

Accepted 26 January 2009

Keywords:

SPA

DPA

Glitches

Toggle-count DPA

Vulnerability

60/$ - see front matter & 2009 Elsevier B.V. A

016/j.vlsi.2009.01.001

s project is partially supported by Iran Natio

esponding author.

ail addresses: a_moradi@ce.sharif.edu, morad

sharif.edu (M. Salmasizadeh), manzuri@sharif.

rth@crypto.rub.de (T. Eisenbarth).

a b s t r a c t

Designers and manufacturers of cryptographic devices are always worried about the vulnerability of

their implementations in the presence of power analysis attacks. This article can be categorized into two

parts. In the first part, two parameters are proposed to improve the accuracy of the latest hypothetical

power consumption model, so-called toggle-count model, which is used in power analysis attacks.

Comparison between our proposed model and the toggle-count model demonstrates a great advance,

i.e., 16%, in the similarity of hypothetical power values to the corresponding values obtained by an

analog simulation. It is supposed that the attacker would be able to build such an accurate power

model. Thus, in the second part of this article we aim at evaluating the vulnerability of implementations

to power analysis attacks which make use of our proposed power model. Simple power analysis, various

types of differential power analysis, and correlation power analysis are taken into account. Then, some

techniques are proposed to examine the vulnerability of implementations to such kinds of power

analysis attacks.

& 2009 Elsevier B.V. All rights reserved.

1. Introduction

In 1996, Kocher introduced the information leakage ofimplementations [11]. He showed that the response time of animplementation of public key cryptographic algorithms such asRSA and DSS is correlated to the secret values. Thus, it was calledtiming attack. Also, he mentioned that power consumptionand electromagnetic radiation of cryptographic hardware maybe used to reveal secret information while the cryptographicalgorithms are secure against the known cryptanalysis methods.In 1999, Kocher et al. presented practical results of a powerfulattack which used power consumption values of a cryptographicdevice [12]. In fact, two methods were introduced to extract thesecret key through power consumption channel: simple poweranalysis (SPA) and differential power analysis (DPA) attacks. SPA isa technique for which secret information such as secret keyparts are discovered directly via visual inspection of the powerconsumption traces. Preventing SPA attacks is not so hard; manytechniques have been proposed so far such as the avoidance of keydependent conditional branches in microprocessors [12] and

ll rights reserved.

nal Science Foundation.

i@crypto.rub.de (A. Moradi),

edu (M.T. Manzuri Shalmani),

noise addition to power consumption traces [2]. However,DPA attacks are capable for revealing the secret key of imple-mentations which have been equipped by SPA countermeasures.In a typical DPA attack, the attacker repeats the power consump-tion measurement for alternative input values; then, statisticaltools help to specify the correct secret key among the otherhypotheses.

Afterwards side channel attacks were taken into considerationby many researchers. Several techniques have been proposed ascountermeasure against power analysis attacks. In contrast, manyapproaches have been introduced to improve the functionalityand the applicability of DPA attacks on resistant implementations.For instance, the insertion of dummy instructions in micropro-cessor-based implementations was proposed to counteract DPAattacks [6] by misaligning the power consumption traces. Then,the frequency-based DPA attack [9] was introduced to defeat thiscountermeasure. Indeed, fast Fourier transform (FFT) helps tosolve the misalignment problem of the power traces. Also,masking techniques were used to randomize the power values.When this method is used at gate level, each logic signal ismasked by a random bit [27]. However, in [17] it was shown thatgate level masking can not prevent the information leakagebecause of the difference between the arrival time of the inputsand the mask signals. Moreover, second order and higher orderDPA attacks [15] were proposed to use two or more points ofpower consumption traces to attack masked implementations.

ARTICLE IN PRESS

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478 469

On the other hand, dual-rail and pre-charge logic styles wereintroduced to make the power consumption of implementationsalike for all possible states such as sense amplifier-based logic(SABL) [26] and wave dynamic differential logic (WDDL) [28]. Themixture of pre-charge logic and gate level masking led to RandomSwitching Logic (RSL) [25] and masked dual-rail pre-charge logic(MDPL) [22]. Although the use of these logic styles improvesthe resistance against the side channel attacks, they must beapplied at the transistor or even deeper design levels. Conse-quently, there are many limitations on their usage such as area,power consumption, and performance.

Moreover, the masking technique is applied at the algorithmlevel too. In this case, an input value, i.e., plaintext or ciphertext, ismasked with a random generated value, i.e., mask. Then, the effectof the mask value is removed at the end of the encryption/decryption process. In fact, an algorithmic masking schemechanges the correlation between the input values and the powerconsumption traces. The power consumption values correlatewith the internal values processed, but the relation between theinternal and input values depends on the mask values whichare generated randomly. The algorithmic masking schemes canbe applied at every unit of a cryptographic algorithm, but thecomplexity of the masking removal process depends on thenonlinearity of the unit masked. Many approaches have beenpublished to make a masked AES-Sbox [5,10,21,27] because otheroperations of AES encryption/decryption are linear and easy tomask [1]. The security or the vulnerability of different algorithmicmasking schemes has been analyzed theoretically, and thesecurity of some of them has been proven [21]. Therefore, themasking techniques were being considered as an effective methodto resist power analysis attacks until Mangard et al. presented theresult of a practical power analysis attack which could reveal thesecret key of two masked AES implementations [18]. In fact, theychanged the hypothetical power consumption model. The ham-ming weight/distance of the processed data was the conventionalpower consumption model in typical DPA attacks, but Mangardet al. used the fact that glitches in combinational CMOS circuitsplay the most significant role in the power consumption. Theyapplied the number of toggles instead of the hamming weightas the hypothetical power model. They showed that two maskedimplementations of AES-128 encryption algorithm are vulnerableas well as the unmasked one. Although the security of the usedmasking schemes has been proven, the theoretical analyses havebeen performed on the base of the old hypothetical power model.Accordingly, the usage of a more accurate power model led to asuccessful attack. Later in [19], Mangard et al. showed that theXOR gates of the mask multipliers cause the information leakageof the implemented masked S-boxes. Although they proposed twotechniques to prevent the leakage, the resistant implementationsmight be vulnerable against a DPA attack which uses a moreaccurate power model.

The first goal of this paper is to define a more accuratehypothetical power consumption model. The improvementof the proposed modifications in the hypothetical power modelare verified by the simulation results. We do not intend to designa more powerful DPA attack. However, as the second aimwe propose a theoretical method to evaluate the vulnerabilityof implementations using our proposed power model. In otherwords, we introduce some techniques to be used by the designersof the cryptographic devices. They can use these techniques toexamine the vulnerability of their designs before the implementa-tion. The proposed methods are based on the simulation results ofthe combinational logic circuits. Thus, some parts of the hardwarewhich should be secured must be simulated for all possibleintermediate values. The proposed methods examine the vulner-ability to various kinds of power analysis attacks.

The rest of the article is organized as follows. In Section 2,we recall the principles of the previous power consumptionmodels and the toggle-count model presented in [18]. Some newparameters are proposed to improve the accuracy of the toggle-count model in Section 3. In Section 4, the simulation results ofthe achieved improvement using our proposed model are shown.We illustrate the usage of our model for vulnerability evaluationin Section 5. Finally, Section 6 presents the conclusions of ourresearch.

2. Power consumption models

The power analysis attack scenario is to discover some secretinformation (a part of the main key or an intermediate valuewhich depends on the main key) using power consumption tracesmeasured during the computation of the algorithm. In fact, anattacker attempts to discover the correlation between the powertraces and the secret values. In SPA attacks, the secret informationis exploited directly by examining (in some cases by visualinspection) the power traces. Since the instruction flow of somesoftware implementations of cryptographic algorithms dependson the secrets, investigating the power traces may helpsrecovering the instruction flows and consequently the secretkey. In fact, the SPA attacks reveal the dependency of theoperations and the power values. On the other hand, templateattacks [8], a powerful branch of SPA, reveal the dependency ofdata processed and the power values too. Since the softwareimplementations are not the main target of our analysis in thisarticle, the aim of SPA in our discussions relates to a branch wheredependency of the processed data is taken into account. However,in DPA attacks, especially in correlation-based one, the attackercreates a hypothetical model (at the abstract level) to estimatethe instantaneous power consumption of the attacked device.These estimations are compared with the measured power traces.Statistical methods such as mean and correlation coefficient helpthe comparisons to exploit the secrets. In power analysis attacksthere is a hypothetical model which predicts the instantaneouspower consumption values of the device using the design detailsand the input and/or output values of the attacked part. In [12], ithas been shown that there is a direct correlation between thepower consumption and the hamming weight of the values storedin registers.

PðtÞ /Xn

i¼1

RiðtÞ, (1)

where PðtÞ is the estimated power consumption at time t, n is thenumber of single-bit registers, and RiðtÞ denotes the value storedin the ith register at time t. This model works for bipolar circuits,which are usually not used for the design of digital circuitsany more. Furthermore this model can be applied for manycontemporary microprocessors/microcontrollers containing a pre-charged data/address bus. Thus, in this case the power consump-tion values are proportional to the hamming weight of thetransferred values.

Nowadays almost all application specific digital integratedcircuits are implemented in CMOS technology. The dominantfactor of the power consumption of a CMOS gate (in technologieswith l490 nm) is the dynamic power consumption [13]. Therefore,the power consumption of a register depends on its transitionrather than on its current state. It has been shown that the powerconsumption for a 0! 1 and a 1! 0 transition is higher than fora 0! 0 or a 1! 1 transition. Hence the number of the changedbits in the registers correlates with the instantaneous powerconsumption of the CMOS circuits during load time. This powerconsumption model is called the hamming distance model,

ARTICLE IN PRESS

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478470

described by the following equation.

PðtÞ /Xn

i¼1

RiðtÞ � Riðt � 1Þ. (2)

The applicability of the hamming distance model has been provedin many DPA attacks [3,12,15,23]. Fig. 1 shows the power tracessampled during the load of an 8-bit register in different states.However, the power consumption of the cryptographic devicesare not actually similar to what is presented in Fig. 1 because thepower consumption of a device depends not only on the numberof changed bits of the registers, but also on the powerconsumption of the combinational circuits located in the outputof the changed registers, see Fig. 2. Consequently, if there is acombinational circuit at the output of the registers, the resultsshown in Fig. 1 will not be correct, and the SPA attacks are notsuccessful in most cases. In order to deal with such a problem, theDPA attack has been introduced by Kocher et al. [12]. In fact, aconventional DPA attack tries to detect the difference between thepower consumption values of two sets, using no specifichypothetical model to estimate the power consumption values.In a conventional DPA attack the effect of a single-bit registeron the power consumption is used to determine the correcthypothesis. Afterwards a general method of DPA attacks wasintroduced in [14] which uses the effect of all changed bits.Appendix A gives more details of the DPA attacks.

In contrast, a correlation power analysis attack [4] makes useof a hypothetical power model. In fact, it is a general case of theDPA attacks that uses a hypothetical power model to estimatethe power consumption values and compare the estimations withthe actual power values in order to distinguish the correct guess.The simplest power model for CMOS circuits is illustrated byEq. (2). Also, the statistical techniques help to avoid the effect ofthe combinational circuits on power values and to determine thecorrect prediction. In fact, the effect of a combinational circuitcould be considered as noise in power consumption values ofregisters.

The security or vulnerability of countermeasures has beenanalyzed using the conventional DPA concepts illustrated above.

Fig. 1. Sampled power consumption traces

A

H

Q1

Q8

ENB

RegisterA

CombinaCircu

clock

y x

Fig. 2. Block diagram o

Security of some masking methods [1,5,10,21] has been proven byassuming certain power consumption characteristics. However,when Mangard et al. published the results of a successful attackon two masked AES ASIC implementations [18], the efficiencyof the masking schemes to prevent the information leakagewas put in doubt. Mangard et al. changed the hypotheticalpower consumption model and constructed a more accurate one.The combinational circuits that are located in the output of thechanged registers play the main role in their proposed model.They supposed that the attacker knows the design details of thecombinational circuits, means the back-annotated netlist of someparts of the attacked device. In fact, they introduced the toggle-count model as the number of toggles that occur in thecombinational circuits after the change in registers.

PðtÞ /Xm

i¼1

giðtÞ, (3)

where m is the number of internal signals, giðtÞ denotes thenumber of toggles occurring in the ith signal at the period of½t; t þ ��, and � is determined according to the delay of the longestpath of the combinational circuit.

Consider register A in Fig. 2, and suppose that x has been storedin. When the clock signal triggers the register to load value y,several glitches happen in the combinational circuit. As men-tioned previously, transitions play the significant role in thepower consumption of CMOS circuits. Mangard et al. [18]used this fact and introduced the number of toggles as anew hypothetical power consumption model. Fig. 3 shows oneexample of glitches occurring after the change in input of an AESS-box. It is well known that the glitches happen in combinationalcircuits because of the delay in logic gates, and the delay of thelogic gates depends on many parameters namely the used processtechnology and supply voltage, VDD. Although most of the glitcheshappen sequentially not simultaneously, the effect of glitches onpower consumption are added accumulatively and appear asa peak in power consumption traces such as examples shown inFig. 4. Moreover,

R �0 VDD � IðtÞdt is defined to measure the power

consumption. Accordingly, the number of toggles is a reasonable

for different states of an 8-bit register.

A

H

Q1

Q8

ENB

Register

tional it

clock

f a typical circuit.

ARTICLE IN PRESS

02 b3

77 c3 47 6d/bSbox/A/bSbox/Q

02 b3

77 16 06 04 0c 48 40 41 c1 c3 43 47 66 6d

[7]

[6]

[5]

[4]

[3]

[2]

[1]

[0]

1ns 2ns 3ns 4ns

Fig. 3. The glitches that occur at the output of AES-Sbox, if the input changes form 02hex to b3hex.

Pow

er C

onsu

mpt

ion

/bSbox/A

/bSbox/Q

Fig. 4. Example of sampled power consumption and glitches in an implementation of AES S-box.

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478 471

method to estimate the power consumption values. Mangard et al.used this concept and applied the toggle-count model in acorrelation-based power analysis attack called toggle-count DPAattack [18].

In this scenario, the attacker simulates the combinationalcircuit for all possible values, that is x and y in Fig. 2. For an8-bit register the attacker has to simulate the circuit 256� 255times and count the number of toggles in each simulationseparately. Statistical tools such as the correlation coefficient helpto discover the secret value using the comparison betweensimulated results and the measured power traces; see AppendixB for more details of the toggle-count DPA attack. If the attackercan find the correct values x and/or y, the implementationis vulnerable. In [18] it is shown that weak implementationscause information leakage even though masking techniques wereemployed. Thus, many parameters which affect the occurrenceof glitches determine the vulnerability of implementations toDPA attacks.

Note that power consumption values can be estimatedin different levels of simulation: behavioral, logical, and analoglevels [16]. The quality and the precision of the estimationdepends on the chosen level of simulation. Simulation atbehavioral level is the fastest and has the lowest precision.Also, it is suitable only for special parts of the implementationssuch as a data/address bus. On the other hand, analog simulatorsare the most precise tools, but the analog simulation of largecircuits are very time consuming. For instance, we needed roughly50 days/PC to simulate an AES S-box for all possible changes in its8-bit input with Synopsys HSPICE simulator. Consequently, logicsimulators are frequently used because of their moderate quality

and speed. The toggle-count model is based on the results of alogic simulation which is performed on the back-annotated netlistof the combinational circuit of the attacked/evaluated device.In fact, in the next section we aim at improving the precision of alogic level model, toggle-count model.

3. Enhanced toggle-count model: our proposed power model

As mentioned above, the number of toggles has beenconsidered as the hypothetical power consumption model in[18]. The authors showed that if the attacker uses the moreaccurate hypothetical model, she might have a better chance todiscover the secret information. In this section, some parametersare proposed to improve the accuracy of this model. We do notwant to design a new attack; however, we suppose that theattacker could use an accurate model to estimate the instanta-neous power consumption. Then, we apply the new model toevaluate the vulnerability of implementations.

Power consumption of a CMOS element includes Pstatic ,Pshort-circuit , and Pswitch [13]:

Ptotal ¼ Pstatic þ Pshort-circuit þ Pswitch, (4)

Pstatic ¼XðLeakage Current � Supply VoltageÞ, (5)

Pshort-circuit ¼ bðVDD � 2VtÞ3

Pstatic is approximately constant during the operation of thecircuit. Thus, we propose PðtÞ in our hypothetical model by

HPðtÞ ¼ a � HPshort-circuitðtÞ þ g � HPswitchðtÞ, (8)

ARTICLE IN PRESS

Vss

VDD

chargingHI toggles

Vss

VDD

LO toggles discharging

Fig. 5. The different effects of HI and LO toggles on Pswitch .

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478472

where HP means hypothetical power consumption. According tothe CMOS technology concepts, the required current to charge anddischarge the capacitive load is the dominant factor of the powerconsumption in technologies bigger than 90 nm. The designersshould justify the coefficients according to the specification of theimplementation. Note that the role of Pswitch in power consump-tion values will be more important using the novel nanometertechnologies.

It should be noted that in submicron technologies, static poweris much more than dynamic power and is the dominant factor inpower consumption values. Since the static power does not playany role in power analysis attacks (because it does not depend onthe data processed), our proposed model to estimate the powerconsumption still is feasible. One important point in modeling thepower consumption of cryptographic devices is that the powervalues estimated by a hypothetical power model are not actualpower values in Watt, but they are proportional to the real values.

3.1. Gate fanouts

According to Eq. (7), Pswitch depends on CL (we used theso-called lumped-C model to describe the charging powerconsumption of CMOS cells). When the output of a CMOS gatechanges from HI to LO or vice versa, the load capacitance CL atthe gate output is charged or discharged. Therefore, the amountof CL influences the power consumption, and CL depends on thefanout of the gates. The effect of the fanouts has not beenconsidered by toggle-count model. Thus, we propose the follow-ing equations:

HPshort-circuitðtÞ ¼Xn

i¼1

giðtÞ, (9)

HPswitchðtÞ ¼Xn

i¼1

giðtÞ � f i. (10)

Here f i indicates the number of fanout gates of the ith gate.

3.2. LO and HI toggles

According to Eq. (6), Pshort-circuit relates to the small timeinterval that the gate output changes. The transition length, i.e.,the duration of time that there is a route from VDD to VSS, affectsPshort-circuit . However, in Eqs. (3) and (9) it is supposed that HI andLO transitions at the gate output consume the same amountof energy. HI and LO toggles might be different because of theused process technology, the difference between W=L ratios, etc.Thus, Eq. (9) is modified as follows:

HPshort-circuitðtÞ ¼Xn

i¼1

ðkh � hgiðtÞ þ kl � lgiðtÞÞ, (11)

where hgiðtÞ and lgiðtÞ are the number of HI and LO togglesrespectively in the ith gate at the period of ½t; t þ ��. kh and kl

coefficients are determined by the implementation technologyand especially by the W=L ratios of the n and p type transistors.In other words, kh=kl is proportional to the ratio of the rise timeby the fall time. W=L ratios are not the same for all transistorswith the same type in a circuit; consequently, the rise/fall timeratios differ. However, we can determine the average ratiofor kh=kl. Obviously, if the effect of HI and LO transitions are thesame, kh equals kl, and Eqs. (9) and (11) will be equivalent.

HI and LO toggles affect Pswitch more significantly. It is shown inFig. 5 that when the output of a CMOS element changes form LO toHI, the capacitive load will be charged, and the charging current isobserved through VDD or VSS route. However, when it changesfrom HI to LO, the charged capacitance will be discharged and the

saved energy will be released as heat in the n type transistor. Inthis case, no current is observed through VDD or VSS. In fact, just HItoggles participate in Pswitch:

HPswitchðtÞ ¼Xn

i¼1

ðhgiðtÞ � f iÞ. (12)

It should be noted that the difference between HI and LOtoggles has been reported first in [24]. The authors have shownthat observing the different effect of HI and LO transitions allowsmaking a new model, signed distance, to estimate the powerconsumption of a cryptographic device more accurately thanhamming weight and hamming distance models.

In short, Eqs. (8), (11), and (12) are proposed as the newhypothetical power consumption model. In the next section, thecomparison between our proposed model and the toggle-countmodel is illustrated.

4. Comparison of the hypothetical power models

The implementation of an AES S-box which is presented in [7]is considered to evaluate the accuracy of our proposed model. Wesimulated the implementation using HSPICE and TSMC 0:18mmstandard cell library with 1.8 V supply voltage for all possiblechanges in input signals, i.e., 255� 256 states. In fact, this step hasbeen performed to obtain values which are close to real powerconsumption values. On the other hand, its back-annotated netlistwas simulated logically to get the number of toggles of each signalfor each state.

4.1. Training phase

In order to use our proposed hypothetical power model, thedesigner has to justify the parameters, i.e., a, g, kh, and kl.As mentioned, a and g balance the effect of short-circuit andswitching power consumption. In fact, the ratio of Pshort-circuit byPswitch of a simple inverter gate could be used as a=g ratio. Thedesigner can simulate a mere NOT gate with the used processtechnology specification to obtain Pshort-circuit by Pswitch ratio. Notethat the result of hypothetical power models are not actually in Wattbut are proportional to values which are close to real power values.Thus, the magnitudes of a and g are not important; just their ratioaffects the hypothetical power values. For instance, our simulationresults (with Synopsys HSPICE and TSMC 0:18mm standard celllibrary) show that Pswitch plays the most significant role (approxi-mately 75%) in power consumption values. Thus, we assumed a=g ¼1=3 to examine the precision of our proposed model.

ARTICLE IN PRESS

Fig. 6. Diagrams of hypothetical power values and analog simulated ones.

Table 1Correlation coefficient between the hypothetical power models and the values

obtained from a analog simulation for an implementation of an AES-Sbox.

Set 1 Set 2 Correlation coefficient

Analog simulated Toggle-count model [18] 0.775

Analog simulated Our proposed model 0.938

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478 473

kh and kl that are applied in Eq. (11) are used to makedifference between the effect of LO and HI toggles. As mentioned,W=L ratio of n type and p type transistors plays the mostsignificant role in kh=kl ratio. For example, in our simulations W=L

of the n type transistors equals 5, and it is 15 for the p type. Thesimulation results show that average of rise/fall time equals 1.2.Therefore, we set kh and kl coefficients as 1.1 and 0.9, respectively.As same as a=g ratio, the magnitudes of kh and kl are notimportant and their ratio influences our hypothetical model, butwe recommend to keep kh þ kl ¼ 2 in order to make a=g andkh=kl ratios independent.

4.2. Comparison

The simulation results and the given parameters were used bytoggle-count model and our proposed one to obtain hypotheticalpower values. Fig. 6 shows the mean diagrams of analogsimulated and hypothetical power consumption values for allpossible input values of the simulated AES S-box. It is quiteobvious that the diagram of the proposed hypothetical model ismore similar to the diagram of analog simulated values. However,for theoretical analysis the correlation coefficient is used tocompare the similarity of diagrams. According to Table 1, whichshows the comparison between the correlation coefficients, ourproposed model shows a higher accuracy than the toggle-countmodel. In fact, the precision is improved 0:938� 0:775 ¼ 16%.

Although the proposed hypothetical model is more accuratethan the previous ones and it can be used to attack implementa-tions that are resistant to the toggle-count DPA attack, we donot aim at evaluating the effectiveness of a DPA attack usingour proposed model. Instead, in the next section we apply thismodel to evaluate the vulnerability of implementations to poweranalysis attacks.

5. Use of a hypothetical power model forvulnerability evaluation

Signal-to-noise ratio (SNR) is a term for the powerratio between the signal and the noise. Eq. (13) representsits general formula (P and A denotes average power and RMS

amplitude, respectively).

SNR ¼Psignal

Pnoise¼

Asignal

Anoise

� �2

. (13)

However, the general definition of an SNR in a digitalenvironment is given by

SNR ¼VarðsignalÞ

VarðnoiseÞ. (14)

In case of the power analysis attacks, the SNR quantifies howmuch information is leaking from the power consumption traces.The higher the SNR, the higher is the leakage [16]. In fact, thesignal corresponds to the component of the power consumptionthat is exploitable by the attacker. Also, the noise component is thesum of all types of noise in power consumption traces. Essentially,there are two kinds of noise in power consumption traces:(i) electronic noise and (ii) switching noise. When a powermeasurement of a fixed operation on some fixed data is repeated,the measurement is different for every repetition. This noisecomponent of the power consumption is denoted by electronicnoise. The sources of electronic noise are manifold. Some of thesenoise sources are noise of power supply, noise of clock generator,and quantization noise. In contrast, variations of power traces thatare caused by cells that are not relevant for the attack is known asswitching noise. The amount of switching noise depends not onlyon the measurement setup but also strongly on the architectureof the attacked device. Obviously, the higher the switching noise,the smaller is the SNR. Thus, we suppose that the powerconsumption traces do not contain the switching noise compo-nent because we want to evaluate the cryptographic device in aworst case scenario. As a consequence, noise components in ourestimation of the SNR correspond only to the electronic noise.

Now, the open problem is how the probability of a successfulattack is exploited from the SNR. We suppose that the attackerhas access to the implementation details. Hence, she knows thedesign architecture and some parameters of the implementationsuch as the used fabrication technology. Therefore, she can useour proposed hypothetical model to estimate the power con-sumption values accurately.

Our purpose is to examine whether she will succeed todiscover the secret key using known power analysis attacksor not. If so, the designer must modify the architecture to make aresistant implementation. The purpose of vulnerability modelingis to find the probability of a successful attack.

Definition: success rate of a power analysis attack is the ratio ofnumber of states where the secret key can be found correctly overthe number of all states for the secret key.

In other words, the designer of a cryptographic device usesall possible values for the secret key (or a part of the secret key)

ARTICLE IN PRESS

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478474

and perform power analysis attacks to determine for which onethe attacker might be able to discover the secrets correctly.

To clarify the definition, consider the device shown by Fig. 7.We have simulated the device for 100 random plaintexts for each16 possible secret keys, i.e., 1600 times. The aim of the attack is tofind the 4-bit secret key for all possible cases. Since simulatedpower values do not contain electronic noise, usually using thesepower values leads to successful attacks. Thus, we have addednormally distributed electronic noise to each point of powertraces manually. Table 2 shows the result of attacks for standarddeviation of 2 mA for electronic noise. According to this table, theattacks have been successful for nine cases. Thus, the success rateequals 9

16 ¼ 0:5625. This process have been repeated for differentvalues of noise standard deviation, and finally the diagram shownby Fig. 8 has been obtained.

We have repeated task illustrated using real power consump-tion traces of a Spartan-II FPGA that implements an 8-bit XORfollowed by an AES S-box. Since the secret key is an 8-bit value,1000 measurements have been done for each of 256 secret keys.

0.001 0.0015 0.0

0.2

0.4

0.6

0.8

1

Noise Standa

Suc

cess

Rat

e

Fig. 8. Success rate over no

0.003 0.0035 0.004 0.00

0.2

0.4

0.6

0.8

1

Noise Standa

Suc

cess

Rat

e

Fig. 9. Success rate of a real attack

Table 2Attack results for noise standard deviation of 2 mA.

Correct key 0 1 2 3 4 5 6 7 8 9 a b c d e f

Revealed value 0 2 2 3 c 5 6 7 a 9 3 b 9 e e 6

Successp p p p p p p p p

Fig. 7. Block diagram of the attacked device.

Note that in this case, the measurements include electronic noise.As described for the previous attacked device, additional electro-nic noise have been added to power values in order to calculatethe success rate vs. noise standard deviation which is shownby Fig. 9.

Now, Fig. 10 shows the success rate of both attacks overthe SNR. Obviously, both attacks roughly lead to the samediagram. Therefore, we can define a function which describesthe probability of a successful attack (success rate) on the base ofthe SNR.

To the best of our knowledge, SNRs are usually expressedin terms of the logarithmic decibel scale. In decibels, the SNR is,by definition, 10 times the logarithm of the power ratio:

SNR ðdBÞ ¼ 10 � log10VarðsignalÞ

VarðnoiseÞ

� �. (15)

We propose to use the inverse of SNR (dB) to determine theprobability,

FðSNRÞ ¼ 10�0:1�VarðnoiseÞ=VarðsignalÞ¼

1

10 �VarðsignalÞ

VarðnoiseÞ

ffiffiffiffiffiffi10p

, (16)

where Fð Þ is a cumulative distribution function (cdf). In fact, thecalculated SNR is used to obtain the probability. As presentedin [16], SNRs that are bigger than 1 lead to a successful attack.Also, it has been shown that a successful attack can be performedeven with lower SNRs (such as 0.1), but in this case much moremeasurements are needed in comparison with the higher SNRs.Fig. 11 shows the diagram of our proposed distribution function.Obviously, the diagram matches above discussions about the SNRsand the probability of a successful attack.

As mentioned previously, if the designer tends to obtain theexact amount of the power consumption in Watt, he has to use ananalog simulator which needs a great amount of time to simulateall states of the intermediate values. Consequently, the hypothe-tical power consumption models, such as our proposed one, areused for estimation.

002 0.0025 0.003rd Deviation [A]

ise standard deviation.

045 0.005 0.0055 0.006rd Deviation [A]

over noise standard deviation.

ARTICLE IN PRESS

1 2 3 4 5 60

0.2

0.4

0.6

0.8

1

SNR

Suc

cess

Rat

e AES attackPRESENT attack

Fig. 10. Success rate over SNR.

Fig. 11. Diagram of the distribution function.

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478 475

We define HPðx; yÞ, the amount of power consumptionobserved when input signals change from x to y, as follows:

HPðx; yÞ ¼ Our hypothetical power model ða; g;kh;kl;F;Gðx! yÞÞ.

(17)

The designer defines a, g, kh, and kl according to the parametersof the implementation. F is the set of f i, i.e., the number of fanoutsfor each internal signal. Gðx! yÞ is the set of hgi and lgi, thenumber of HI and LO toggles that occur when input signals changefrom x to y.

However, as described the hypothetical power consumptionvalues, HPð�Þ, are not actual power values in Watt, but they areapproximately proportional to real power consumption of theattacked/evaluated device. Thus, an estimation for HVarðsignalÞ,the hypothetical variance, is given by

HVarðsignalÞ ¼1

n� 1�Xn

i¼1

ðHPi � HPÞ2. (18)

As pointed out, hypothetical power consumption values areproportional to real power values:

HPðx; yÞ ¼ f � Pðx; yÞ. (19)

Consequently, the hypothetical variance of power consumptionvalues can be rewritten as follows:

HVarðsignalÞ ¼1

n� 1�Xn

i¼1

ðf � Pi �f � PÞ2

¼f2

n� 1�Xn

i¼1

ðPi � PÞ2 ¼ f2� VarðsignalÞ. (20)

The designer can use the analog simulators for a few number ofintermediate values to estimate the average power consumptionin Watt, P. This means that he can extract f coefficient by HP=P

ratio. Consequently, he can use the hypothetical power values toestimate VarðsignalÞ with a reasonable accuracy.

As described, variance of noise, the other term in SNR which isrequired to calculate the probability of a successful attack,depends on several parameters. Thus, the vulnerability of a device

similarly depends on these parameters. Then, the designer shouldcalculate the SNR and the probability of a successful attack fordifferent values of noise standard deviation. As a result, a diagramwhich describes the probability of a successful attack over noisestandard deviation such as that one shown by Fig. 12 is obtained.

In fact, this diagram determines a threshold for noise standarddeviation to have a successful attack. Fig. 12 shows that thethreshold for the device which is under evaluation is about 1 mW.Although noise standard deviation depends on measurementsetup, power supply, environmental noise, and etc, it is about1–6 mW for the cases using usual and not professional equip-ments [16]. Thus, the evaluated device whose diagram shown byFig. 12 will be vulnerable in the presence of suitable measurementequipments.

The method described above is a general view of our proposedtechnique. In the following subsections we illustrate techniques toevaluate the vulnerability to various power analysis attacks usingthe proposed method.

5.1. SPA attack

In SPA attacks the attacker tries to extract the secretinformation from power consumption traces directly. In mostcases, the goal of SPA is to extract the hamming weight or thehamming distance of the processed data by measuring a lot oftraces and averaging to reduce the measurement noise (which isthe base of some template attacks). Consequently, the secret keyhypotheses will be bounded to a smaller group. Some functionswhich might be used by the attacker to examine the dependencyof power values to hamming weight of hamming distance aredefined as follows. Note that X means the average of all possiblevalues for variable X.

HPHWxðhÞ ¼ HPðx; yÞ for HWðxÞ ¼ h, (21)

HPHWyðhÞ ¼ HPðx; yÞ for HWðyÞ ¼ h, (22)

HPHWx�yðhÞ ¼ HPðx; yÞ for HWðx� yÞ ¼ h, (23)

HPHWzðhÞ ¼ HPðx; yÞ for HWðf ðyÞÞ ¼ h, (24)

f ðyÞ in Eq. (24) is the function of the circuit under evaluation inwhich the input changes from x to y. We can now calculateVarðsignalÞ (and consequently the SNR) for each of abovefunctions. It should be noted that if the circuit which is underevaluation is resistant using one of the function defined, it doesnot mean that the circuit is resistant against SPA attacks. On theother hand, if the threshold of noise standard deviation for oneof the defined functions shows a high level of vulnerability, it isnot needed to check other functions. Note that the definedfunctions in Eqs. (21)–(24) are not the sole functions which can bedefined for SPA attacks. They can rather be seen as examples toillustrate our evaluation method.

ARTICLE IN PRESS

Fig. 12. A sample diagram of success rate over noise standard deviation.

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478476

5.2. DPA attack

In typical first order DPA attacks, a partition function dividespower consumption values into two sets based on one bit of x, y,x� y, or something similar. Thus, some functions are defined asfollows:

HPbxði;vÞ ¼ HPðx; yÞ for ðx & 2iÞ ¼ v � 2i, (25)

HPbyði;vÞ ¼ HPðx; yÞ for ðy & 2iÞ ¼ v � 2i, (26)

HPbx�yði;vÞ ¼ HPðx; yÞ for ððx� yÞ & 2iÞ ¼ v � 2i, (27)

HPbwðj;vÞ ¼ HPðx; yÞ for ðf ðxÞ & 2jÞ ¼ v � 2j, (28)

HPbzðj;vÞ ¼ HPðx; yÞ for ðf ðyÞ & 2jÞ ¼ v � 2j, (29)

HPbw�zðj;vÞ ¼ HPðx; yÞ for ððf ðxÞ � f ðyÞÞ & 2jÞ ¼ v � 2j. (30)

In fact, above functions are the mean of the power consumptionvalues on the base of ith bit, i.e., v. Also, in Eqs. (25)–(30) ‘&’means logical AND operation. Consequently, the following func-tions are defined to determine the difference between the powerconsumption values (differential hypothetical power, DHP) thathave been classified using the introduced partition functions:

DHPxðiÞ ¼ðHPbxði;1Þ � HPbxði;0ÞÞ

2

2, (31)

DHPyðiÞ ¼ðHPbyði;1Þ � HPbyði;0ÞÞ

2

2, (32)

DHPx�yðiÞ ¼ðHPbx�yði;1Þ � HPbx�yði;0ÞÞ

2

2, (33)

DHPwðjÞ ¼ðHPbwðj;1Þ � HPbwðj;0ÞÞ

2

2, (34)

DHPzðjÞ ¼ðHPbzðj;1Þ � HPbzðj;0ÞÞ

2

2, (35)

DHPw�zðjÞ ¼ðHPbw�zðj;1Þ � HPbw�zðj;0ÞÞ

2

2. (36)

Obviously, i is less than the bit-length of input signals of theimplemented combinational circuit, and j is less than the outputsignals bit-length. In fact, the functions which are defined inEqs. (31)–(36) are the variance of the illustrated partitionfunctions. Similarly, the SNRs are calculated and the vulnerability(for different values f noise standard deviation) can be evaluated.

In addition to the presented functions, other ones can bedefined to partition the power consumption values on the base ofother relations between x, y, f ðxÞ, and f ðyÞ. We introduced someexamples to present our proposed model.

5.3. Correlation power analysis attacks

As mentioned previously, in correlation power analysis attacksthe attacker estimates hypothetical power consumption for

intermediate values depending on input and key hypotheses.Then, the correlation coefficient between the hypothetical powervalues and the sampled power traces distinguishes the correcthypothesis among others.

What makes an implementation to be vulnerable to correlationpower analysis attack is the difference between the powerconsumption values for alternative inputs. In other words, ifthe power consumption values are the same for all input values,no tool, e.g., correlation coefficient, can recover the relationbetween sampled and hypothetical power values. Accordingly,the most general case of hypothetical power consumptionvalues, HPðx; yÞ, is taken into account to calculate VarðsignalÞ andSNR. In a limited case, PxðdÞ, PyðdÞ, Px�yðdÞ, and PzðdÞ are defined asfollows:

HPxðdÞ ¼ HPðd; yÞ; HPyðdÞ ¼ Pðx; dÞ, (37)

HPx�yðdÞ ¼ HPðx; yÞ for ðx� yÞ ¼ d, (38)

HPzðdÞ ¼ HPðx; yÞ for f ðyÞ ¼ d. (39)

Note that one of the results presented in [18] is a correlationpower analysis attack which uses toggle-count model. It wasshown that PyðdÞ differs significantly for alternative d values in animplementation of AES S-box. Then, the performed attack coulddiscover the secret key.

Zero-input DPA attack, which was presented in [19], uses thecase where power consumption values have a significant mini-mum for zero input. Then, a simple hypothetical power model hasbeen defined to be used in a correlation power analysis attack.Some parameters are defined to evaluate the vulnerability ofimplementations to this simplified attack.

HPeakminx¼ðHPxðdÞ �minðHPxðdÞÞÞ

2

2, (40)

HPeakmaxx ¼ðmaxðHPxðdÞÞ � HPxðdÞÞ

2

2, (41)

HPeakminxand HPeakmaxx estimate the variance of a simple

hypothetical power consumption model which uses the mini-mum/maximum of HPxðdÞ. Similarly, the distance between thepeak and the average can be computed for other functionsillustrated. Then, the vulnerability can be evaluated using thevariances estimated.

6. Conclusions

In the first part of this article, we have represented thehypothetical power consumption models applied in the variouspower analysis attacks. We have focused on the most precise one,called toggle-count model. Two parameters were proposed toenhance its accuracy: (i) the effect of the number of fanouts on

ARTICLE IN PRESS

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478 477

switching power consumption, Pswitch, and (ii) the different effectsof HI and LO toggles on Pswitch and Pshort-circuit . The comparisonbetween our proposed model and the toggle-count model showsan improvement (16%) in the similarity to an analog simulationresults.

Although our proposed hypothetical power consumptionmodel can be used to attack on some resistant implementations,our aim was to use it in vulnerability evaluation. In otherwords, we suppose that the attacker can build a very accuratemodel to predict power values. Thus, we examine the vulner-ability of the implementation using the assumed power model.Some methods have been illustrated to evaluate the vulnerabilityof implementations against various power analysis attacks.We have considered SPA, typical DPA, and correlation poweranalysis attacks to examine the vulnerability. In fact, we haveused the concept of SNR for evaluating the vulnerability of acryptographic device to power analysis attacks. We defineda function to compute the probability of a successful attackaccording to the SNR. As a summary, using the following stepsenables designers to evaluate the vulnerability of designs prior tochip production:

�

The hypothetical power consumption values are obtainedusing the results of a logical simulation for all possible statesof intermediate values. � The mean of actual power consumption is estimated using an

analog simulator for a few number of intermediate values.Thus, f, the coefficient between hypothetical and real powervalues, is calculated easily.

� The SNR of the desired function which may be used in a

power analysis attack is computed using the hypotheticalpower values, f, and different values for noise standarddeviation.

� Finally, the threshold of noise standard deviation to have a

successful power analysis attack is determined.

Appendix A. Typical DPA attack

Suppose that an implementation of the AES encryptionalgorithm is the attacked device. Also, assume that an 8-bitAddroundkey which is followed by an S-Box block at the firstround are taken into account in this attack. The 8-bit Addround-key is the XOR result of 8-bit of the plaintext, p, and 8-bit of thesecret key, k. Moreover, the result of S-Boxðp� kÞ is stored in an8-bit register. The attack scenario is started by sampling powerconsumption values for random plaintexts, p1; p2; . . . ; pn, when thedesired register is loaded. Thus, we obtain n power consumptionvalues, v1;v2; . . . ;vn. Suppose that the LSB of the desired register isselected as the partition function.

PFðp; kÞ ¼ LSBðSBoxðp� kÞÞ.

Partition function is used to classify the sampled power values intwo groups, S0 and S1.

S0ðkÞ ¼ fvijPFðpi; kÞ ¼ 0g; S1ðkÞ ¼ fvijPFðpi; kÞ ¼ 1g

We aim at finding the correct value for the 8-bit of the secret key,k. Thus, S0ðkÞ and S1ðkÞ are created for all possible values of k.Then, the difference between the average of two sets arecomputed for each value of the guessed secret key.

dðkÞ ¼ jS0ðkÞ � S1ðkÞj.

Finally, the correct hypothesis is distinguished by the biggestdifference, dðkÞ.

k0 ¼ arg maxkðdðkÞÞ.

Kocher et al. have discussed the theoretical analysis of theillustrated procedure in [12].

Appendix B. Toggle-count DPA attack

Consider the device introduced in Appendix A, but supposethat the considered register is placed between Addroundkey andS-Box block. It is supposed that we know the detailed informationof the S-Box block architecture. Means, we access to its back-annotated netlist. First, we simulate the netlist for all possiblechanges in 8-bit input register, i.e., 256� 255 states. The numberof toggles in internal signals is counted for each simulation round.Consequently, we obtain

TCðx; yÞ ¼ Number of toggles when input register changes from x to y

Then, the hypothetical power model is defined as follows:

HPðzÞ ¼ TCðx; yÞ for y ¼ z.

Similarly, n power consumption values, v1;v2; . . . ;vn, are obtainedfor n random plaintexts, p1; p2; . . . ; pn. Thus, we can create a vectoron the base of the sampled values.

SampledVectorðiÞ ¼ vi.

Also, 256 vectors are constructed according to the key hypotheses.

HypotheticalVectorkðiÞ ¼ HPðk� piÞ.

The correlation coefficient between SampledVector and eachHypotheticalVector is computed separately:

CCðkÞ ¼ Correlation coefficient ðSampledVector;HypotheticalVectorkÞ.

Finally, the correct hypothesis is distinguished by the biggestcoefficient.

k0 ¼ arg maxkðCCðkÞÞ.

The theoretical analysis of the correlation power analysisattacks is illustrated in [4], and some details about the toggle-count model can be found in [18].

References

[1] M.-L. Akkar, C. Giraud, An implementation of DES and AES, secure againstsome attacks, in: Cryptographic Hardware and Embedded Systems—CHES2001, Lecture Notes in Computer Science, vol. 2162, Springer, Berlin, 2001,pp. 309–318.

[2] L. Benini, E. Omerbegovic, A. Macii, M. Poncino, E. Macii, F. Pro, Energy-awaredesign techniques for differential power analysis protection, in: Proceeding ofthe 40th Design Automation Conference—DAC 2003, ACM, New York, 2003,pp. 36–41.

[3] S. Berna Ors, E. Oswald, B. Preneel, Power analysis attacks on an FPGA—

first experimental results, in: Cryptographic Hardware and EmbeddedSystems—CHES 2003, Lecture Notes in Computer Science, vol. 2779, Springer,Berlin, 2003, pp. 35–50.

[4] E. Brier, C. Clavier, F. Olivier, Correlation power analysis with a leakage model,in: Cryptographic Hardware and Embedded Systems—CHES 2004, LectureNotes in Computer Science, vol. 3156, Springer, Berlin, 2004, pp. 16–29.

[5] J. Blomer, J. Guajardo, V. Krummel, Provably secure masking of AES, in:Selected Areas in Cryptography—SAC 2004, Lecture Notes in ComputerScience, vol. 3357, Springer, Berlin, 2005, pp. 69–83.

[6] M. Bucci, R. Luzzi, M. Guglielmo, A. Trifiletti, A countermeasure againstdifferential power analysis based on random delay insertion, in: Proceedingsof the IEEE International Symposium on Circuits and Systems—ISCAS 2005,IEEE, New York, 2005, pp. 3547–3550.

[7] D. Canright, A very compact S-box for AES, in: Cryptographic Hardwareand Embedded Systems—CHES 2005, Lecture Notes in Computer Science,vol. 3659, Springer, Berlin, 2005, pp. 441–455.

[8] S. Chari, J.R. Rao, P. Rohatgi, Template attacks, in: Cryptographic Hardwareand Embedded Systems—CHES 2002, Lecture Notes in Computer Science, vol.2523, Springer, Berlin, 2002, pp. 13–28.

[9] C.H. Gebotys, S. Ho, C.C. Tiu, EM analysis of Rijndael and ECC on a wirelessJava-based PDA, in: Cryptographic Hardware and Embedded Systems—CHES2005, Lecture Notes in Computer Science, vol. 3659, Springer, Berlin, 2005,pp. 250–264.

ARTICLE IN PRESS

A. Moradi et al. / INTEGRATION, the VLSI journal 42 (2009) 468–478478

[10] J.D. Golic, C. Tymen, Multiplicative masking and power analysis of AES, in:Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notesin Computer Science, vol. 2523, Springer, Berlin, 2003, pp. 198–212.

[11] P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS,and other systems, in: Advances in Cryptology—CRYPTO ’96, Lecture Notes inComputer Science, vol. 1109, Springer, Berlin, 1996, pp. 104–113.

[12] P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Advances inCryptology—CRYPTO ’99, Lecture Notes in Computer Science, vol. 1666,Springer, Berlin, 1999, pp. 388–397.

[13] S.M. Kang, Y. Leblebici, CMOS Digital Integrated Circuits: Analysis and Design,McGraw-Hill, New York, 2002.

[14] T.-H. Le, J. Clediere, C. Canovas, B. Robisson, C. Serviere, J.-L. Lacoume, Aproposition for correlation power analysis enhancement, in: CryptographicHardware and Embedded Systems—CHES 2006, Lecture Notes in ComputerScience, vol. 4249, Springer, Berlin, 2006, pp. 174–186.

[15] T.S. Messerges, Using second-order power analysis to attack DPA resistantsoftware, in: Cryptographic Hardware and Embedded Systems—CHES 2000,Lecture Notes in Computer Science, vol. 1965, Springer, Berlin, 2000, pp. 238–251.

[16] S. Mangard, E. Oswald, T. Popp, Power Analysis Attacks, Revealing the Secretsof Smart Cards, Springer, Berlin, 2007 ISBN 0-387-30857-1.

[17] S. Mangard, T. Popp, B.M. Gammel, Side-channel leakage of masked CMOSgates, in: Topics in Cryptology—CTRSA 2005, The Cryptographers’ Track at theRSA Conference, Lecture Notes in Computer Science, vol. 3376, Springer,Berlin, 2005, pp. 351–365.

[18] S. Mangard, N. Pramstaller, E. Oswald, Successfully attacking masked AEShardware implementations, in: Cryptographic Hardware and EmbeddedSystems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer,Berlin, 2005, pp. 157–171.

[19] S. Mangard, K. Schramm, Pinpointing the side-channel leakage of masked AEShardware implementations, in: Cryptographic Hardware and EmbeddedSystems—CHES 2006, Lecture Notes in Computer Science, vol. 4249, Springer,Berlin, 2006, pp. 76–90.

[21] E. Oswald, S. Mangard, N. Pramstaller, V. Rijmen, A side-channel analysis resistantdescription of the AES S-box, in: Fast Software Encryption—FSE 2005, LectureNotes in Computer Science, vol. 3557, Springer, Berlin, 2005, pp. 413–423.

[22] T. Popp, S. Mangard, Masked dual-rail pre-charge logic DPA-resistancewithout routing constraints, in: Cryptographic Hardware and EmbeddedSystems—CHES 2005, Lecture Notes in Computer Science, vol. 3659, Springer,Berlin, 2005, pp. 172–186.

[23] E. Peeters, F.-X. Standaert, N. Donckers, J.-J. Quisquater, Improved higher-order side-channel attacks with FPGA experiments, in: CryptographicHardware and Embedded Systems—CHES 2005, Lecture Notes in ComputerScience, vol. 3659, Springer, Berlin, 2005, pp. 309–323.

[24] E. Peeters, F.-X. Standaert, J.-J. Quisquater, Power and electromagneticanalysis: improved model, consequences and comparisons, in: Integration,the VLSI Journal, vol. 40, Elsevier, Amsterdam, 2007, pp. 52–60.

[25] D. Suzuki, M. Saeki, T. Ichikawa, Random switching logic: a countermeasureagainst DPA based on transition probability, Cryptology ePrint Archive, Report2004/346, 2004 hhttp://eprint.iacr.org/i.

[26] K. Tiri, M. Akmal, I. Verbauwhede, A dynamic and differential CMOS logicwith signal independent power consumption to withstand differential poweranalysis on smart cards, in: Proceedings of the European Solid-State CircuitsConference, IEEE, New York, 2002, pp. 403–406.

[27] E. Trichina, T. Korkishko, Small size, low power, side channel-immune AEScoprocessor: design and synthesis results, in: Advanced Encryption Standar-d—AES, Lecture Notes in Computer Science, vol. 3373, Springer, Berlin, 2005,pp. 113–127.

[28] K. Tiri, I. Verbauwhede, A logic level design methodology for a secure DPAresistant ASIC or FPGA implementation, in: Proceedings of the Design,Automation and Test in Europe Conference—DATE 2004, IEEE ComputerSociety, Silver Spring, MD, 2004, pp. 46–251.

Amir Moradi received the B.Sc. degree in ComputerEngineering from Shahid Beheshti University in Iran, in2001. He also received the M.Sc. and Ph.D. degrees inComputer Engineering from Sharif University of Tech-nology in Iran, in 2004 and 2008, respectively.Currently, he is a post-doc researcher at the EmbeddedSecurity Group of Horst Gortz Institute for IT-Securityin Ruhr University of Bochum, Germany. His researchinterests are in the areas of side channel attacks andthe implementation of cryptographic algorithms.

Mahmoud Salmasizadeh received the B.Sc. and M.Sc.degrees in Electrical Engineering from Sharif Universityof Technology in Iran, in 1972 and 1989, respectively.He also received the Ph.D. degree in InformationTechnology from Queensland University of Technologyin Australia, in 1997. Currently he is an assistantprofessor in Electronic Research Center and adjunctassistant professor in Electrical Engineering Depart-ment at Sharif University of Technology, Tehran, Iran.His research interests include cryptography and net-work security. He is the founding member and thehead of scientific committee, Iranian Society of

Cryptology.

Mohammad T. Manzuri Shalmani received his B.Sc.and M.Sc. in Electrical Engineering from Sharif Uni-versity of Technology (SUT), Iran, in 1984 and 1988,respectively. He also received the Ph.D. degree inElectrical and Computer Engineering from ViennaUniversity of Technology, Austria, in 1995. Currently,he is an associate professor in Computer EngineeringDepartment of SUT, Tehran, Iran. His main researchinterests include digital signal processing, cryptogra-phy, image processing, and data communications.

Thomas Eisenbarth is a Ph.D. candidate in theDepartment of Electrical Engineering at Ruhr Univer-sity Bochum, where he is also a research assistant withthe Embedded Security Group of the Horst GortzInstitute for IT Security. His research interests includeembedded security, efficient implementation of cryp-tographic algorithms, and physical security. Eisenbarthhas an M.Sc. in Electrical Engineering and ComputerScience from Ruhr University Bochum. He is a studentmember of the IEEE Computer Society and theInternational Association of Cryptologic Research(IACR).