Mathematically secure cryptographic algorithms, when implemented on a physical substrate, leak critical “side-channel” information, leading to power and electromagnetic (EM) analysis attacks. Circuit-level protections involve switched capacitor, buck converter, or series low-dropout (LDO) regulator-based implementations, each of which suffers from significant power, area, or performance tradeoffs and has only achieved a minimum traces to disclosure (MTD) of $10M$ till date. Utilizing an in-depth white-box model, this work, for the first time, focuses on signature suppression in the current domain, which provides an $Attenuation^{2}$ enhancement in MTD, leading to orders of magnitude improvement in both power and EM side-channel analysis (SCA) immunities. Using a combination of current-domain “signature attenuation” (CDSA) along with local lower level metal routing, the critical correlated information in the crypto current is significantly suppressed before it reaches the supply pin. Especially, to prevent the EM leakage from its source (metal layers carrying the correlated crypto current acting as antennas), this work embraces lower level metal routing of the CDSA embedding the crypto-IP so that the signature becomes highly suppressed before it passes through the higher metal layers (which radiates significantly) to connect to the external pin. The 65-nm CMOS test chip contains both protected and unprotected parallel AES-256 implementations, running at a clock frequency of 50 MHz. Test vector leakage assessment (TVLA) on the protected CDSA-AES, demonstrated with on-chip measurements for the first time, shows that the higher level metal layers leak significantly more compared with the lower level metal routing. Correlational power and EM analysis (CPA/CEMA) attacks on the unprotected implementation were able to extract the secret key within $8k$ and $12k$ traces, respectively, while the protected CDSA-AES could not be broken even after $1B$ encryptions for both power and EM SCA, evaluated both in the time and frequency domains, showing an improvement of $100\times $ over the prior state-of-the-art countermeasures with comparable power and area overheads.

中文翻译：

---

EM 和 Power SCA-Resilient AES-256 通过 >350x 电流域特征衰减和局部下层金属布线

数学上安全的加密算法在物理基板上实施时，会泄漏关键的“侧信道”信息，从而导致电源和电磁 (EM) 分析攻击。电路级保护涉及基于开关电容器、降压转换器或串联低压差 (LDO) 稳压器的实施，其中每一种都受到显着的功率、面积或性能权衡的影响，并且仅实现了最低限度的披露痕迹 (MTD) 1000 万美元 迄今为止。利用深入的白盒模型，这项工作首次专注于当前域中的签名抑制，它提供了一个 $衰减^{2}$ MTD 的增强，导致功率和 EM 侧信道分析 (SCA) 抗扰度的数量级提高。使用电流域“特征衰减”(CDSA) 与局部较低层金属布线的组合，加密电流中的关键相关信息在到达电源引脚之前被显着抑制。特别是，为了防止 EM 从其源头（携带相关加密电流充当天线的金属层）泄漏，这项工作包含嵌入加密 IP 的 CDSA 的较低级别金属路由，以便签名在通过之前被高度抑制更高的金属层（显着辐射）以连接到外部引脚。65-nm CMOS 测试芯片包含受保护和不受保护的并行 AES-256 实现，以 50 MHz 的时钟频率运行。受保护的 CDSA-AES 上的测试矢量泄漏评估 (TVLA)，首次通过片上测量进行演示，表明与较低级别的金属布线相比，较高级别的金属层泄漏明显更多。对未受保护实施的相关功率和 EM 分析 (CPA/CEMA) 攻击能够提取内部的秘密密钥 $8k$ 和 $12k$ 分别跟踪，而受保护的 CDSA-AES 即使在 $1B$ 功率和 EM SCA 的加密，在时域和频域中都进行了评估，显示了 $100\次 $ 以可比的功率和面积开销超过先前最先进的对策。