Randomized logic against side channel attacks

Abstract

A randomization element includes a logic input for inputting a logic signal, a logic output for outputting the input logic signal at a delay and a randomization element. The randomization elements introduces the delay between said logic input and said logic output and operates selectably in static mode and in dynamic mode in accordance with a mode control signal. A logic circuit may be formed with randomization elements interspersed amongst the logic gates, to obtain protection against side channel attacks by inputting a selected control sequence into the randomization elements.

Claims

1. A randomization element comprising: a logic input, configured to input a logic signal; a logic output, configured to output said logic signal at a delay; and a delay element associated with said logic input and logic output, configured to introduce a delay between said logic input and said logic output, wherein said delay element operates selectably in static mode and in dynamic mode in accordance with a mode control signal, wherein said delay element comprises: a first two-to-one multiplexer, having a first input connected to a ground signal, a second input connected to a clock signal, an output and a control input connected to said mode control signal; and a second two-to-one multiplexer, having a first input connected to said logic input, a second input connected to a reference voltage, an output connected to said logic output and a respective control input connected to said output of said first two-to-one multiplexer, wherein said control input of said first two-to-one multiplexer selects between said first and said second inputs of said first two-to-one multiplexer for outputting at said output of said first two-to-one multiplexer, and wherein said control input of said second two-to-one multiplexer selects between said first and said second inputs of said second two-to-one multiplexer for outputting at said output of said second two-to-one multiplexer.

2. The randomization element according to claim 1, wherein during dynamic operation said delay is controlled by a timing of a clock signal.

3. The randomization element according to claim 2, wherein said delay element operates in precharge mode, and a logic level input at said logic input is output at said logic output on a rising edge of said clock signal.

4. The randomization element according to claim 2, wherein said delay element operates in predischarge mode, and a logic level input at said logic input is output at said logic output on a falling edge of said clock signal.

5. The randomization element according to claim 1, further comprising a logic gate configured to perform a logic function, wherein said logic input of said randomization element is connected to a logic output of said logic gate, such that said logic gate and said randomization element operate in tandem to provide said logic function in static or dynamic mode in accordance with said mode control signal and with a timing controlled by said mode control signal and a clock signal.

6. The randomization element according to claim 1, wherein during dynamic operation said delay is controlled by a timing of said clock signal.

7. The randomization element according to claim 1, wherein during static operation said delay element minimizes a propagation delay of said logic signal through said randomization element.

8. A logic circuit, comprising: a plurality of logic gates; a plurality of randomization elements interspersed between said logic gates, each of said randomization elements being configured to introduce a delay between a logic output of a respective preceding logic gate and a logic input of a respective following logic gate, wherein each of said randomization elements operates selectably in static mode and in dynamic mode in accordance with a respective mode control signal; and a control sequence provider associated with said randomization elements, configured to provide sequences of control signals to said randomization elements, wherein said sequences are selected to shape a logic circuit power profile and logic signal propagation timing during logic circuit operation, so as to combat side channel attacks, wherein at least one of said randomization elements comprises: a first two-to-one multiplexer, having a first input connected to a ground signal, a second input connected to a clock signal, an output and a control input connected to said mode control signal; and a second two-to-one multiplexer, having a first input connected to a logic output of a preceding logic gate, a second input connected to a reference voltage, an output connected to a logic input of a following logic gate, and a respective control input connected to said output of said first two-to-one multiplexer, wherein said control input of aid first two-to-one multiplexer selects between said first and said second inputs of said first two-to-one multiplexer for outputting at said output of said first two-to-one multiplexer, and wherein said control input of said second two-to-one multiplexer selects between said first and said second inputs of said second two-to-one multiplexer for outputting at said output of said second two-to-one multiplexer.

9. The logic circuit according to claim 8, wherein some of said randomization elements are configured to operate in precharge mode and others of said randomization elements are configured to operate in predischarge mode.

10. The logic circuit according to claim 8, wherein a respective delay of each of said randomization elements is controlled by a timing of a respective clock signal.

11. The logic circuit according to claim 10, wherein when a randomization element operates in precharge mode a logic level obtained from a logic output of a preceding logic gate is provided to said a logic input of a following logic gate on a rising edge of a respective clock signal.

12. The logic circuit according to claim 10, wherein when a randomization element operates in precharge mode a logic level obtained from a logic output of a preceding logic gate is provided to a logic input of a following logic gate on a falling edge of a respective clock signal.

13. The logic circuit according to claim 8, wherein for at least one randomization element of said randomization elements, an input of the at least one randomization element is connected to a logic output of a logic gate performing a respective logic function, such that said logic gate and the at least one randomization element operate in tandem to provide said logic function in static or dynamic mode in accordance with a respective mode control signal and with a delay controlled by a respective delay control signal.

14. The logic circuit according to claim 13, wherein said respective delay control signal comprises a clock signal.

15. The logic circuit according to claim 8, wherein said control sequence provider is configured to generate said sequences of control signals.

16. The logic circuit according to claim 8, wherein said sequences of control signals comprise random sequences.

17. The logic circuit according to claim 8, wherein said sequences of control signals are input from an external device through a control sequence input connection.

18. A method for combating side channel attacks on a logic circuit, comprising: providing a logic circuit, wherein said logic circuit comprises: a plurality of logic gates; and a plurality of randomization elements interspersed between said logic gates, each of said randomization elements introducing a delay between a logic output of a respective preceding logic gate and a logic input of a respective following logic gate, wherein each of said randomization elements operates selectably in static mode and in dynamic mode in accordance with a respective control signal and wherein a respective delay of each of said randomization elements is controlled by a timing of a respective clock signal; selecting a sequence of control signals to shape a logic circuit power profile and logic signal propagation timing during logic circuit operation so as to combat side channel attacks; and inputting said sequence of control signals to said randomization elements, wherein at least one of said randomization elements comprises: a first two-to-one multiplexer, having a first input connected to a ground signal, a second input connected to a respective clock signal, an output and a control input connected to a respective control signal; and a second two-to-one multiplexer, having a first input connected to a logic output of a respective preceding logic gate, a second input connected to a reference voltage, an output connected to a logic input of a respective following logic gate, and a control input connected to said output of said first two-to-one multiplexer, wherein said control input of said first two-to-one multiplexer selects between said first and said second inputs of said first two-to-one multiplexer for outputting at said output of said first two-to-one multiplexer, and wherein said control input of said second two-to-one multiplexer selects between said first and said second inputs of said second two-to-one multiplexer for outputting at said output of said second two-to-one multiplexer.

19. The method according to claim 18, wherein said sequence of control signals is selected to randomize said logic circuit power profile and/or said logic signal propagation timing.

20. The method according to claim 18, wherein some of said randomization elements are configured to operate in precharge mode and others of said randomization elements are configured to operate in predischarge mode.

21. The method according to claim 18, wherein respective clock signals are synchronized.

22. The method according to claim 18, further comprising adjusting a relative timing of clock signals to further shape said logic signal propagation timing and/or said logic circuit power profile.

23. The method according to claim 18, wherein the selecting a sequence of control signals comprises inputting said sequence from an element external to said logic circuit.

24. The method according to claim 18, wherein said sequence is one of: a random sequence and a semi-random sequence.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

(1) Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

(2) In the drawings:

(3) FIG. 1 is a simplified block diagram of a randomization element, according to embodiments of the invention;

(4) FIGS. 2A and 2B are simplified block diagrams of an RMT.sup.2L precharge unit and an RMT.sup.2L predischarge unit respectively, according to exemplary embodiments of the invention;

(5) FIG. 3 illustrates cascading a standard gate to an RMT.sup.2L unit with precharge;

(6) FIG. 4 is a simplified block diagram of a logic circuit with randomization elements, according to embodiments of the invention;

(7) FIG. 5 is an illustration of an exemplary logic path inside a crypto-system;

(8) FIG. 6 illustrates random pre-charging (RPL) of combinatorial networks;

(9) FIG. 7 is a simplified diagram of a logic cone of one bit implementation of an 8-bit S-box using RMT.sup.2L units, according to an exemplary embodiment of the invention;

(10) FIG. 8 is a simplified block diagram of an RDI Pipeline stage with random delays;

(11) FIG. 9 illustrates RDI vulnerability to attacks;

(12) FIG. 10 is a simplified flowchart of a method for combating side channel attacks on a logic circuit, according to embodiments of the invention;

(13) FIG. 11 is a simplified block diagram illustrating Crypto-core architecture;

(14) FIG. 12 is a simplified block diagram of a crypto-module utilizing RMT.sup.2L, according to embodiments of the invention;

(15) FIG. 13 is a simplified block diagram of a delay system producing Q different phases, according to embodiments of the invention;

(16) FIG. 14 is a simplified block diagram of an 8-bit S-box with separated bits, according to embodiments of the invention;

(17) FIG. 15 is a simplified block diagram of a vertical RMT.sup.2L logic circuit configuration, according to embodiments of the invention;

(18) FIG. 16 is a simplified block diagram of a diagonal RMT.sup.2L logic circuit configuration, according to embodiments of the invention;

(19) FIG. 17 is a simplified illustration of a DPA/CPA Test Circuit;

(20) FIG. 18 shows CPA attack simulation results for 8-bit S-box using static RMT.sup.2L units; and

(21) FIG. 19 shows CPA attack simulation results for an 8-bit S-box using RMT.sup.2L units.

DESCRIPTION OF SPECIFIC EMBODIMENTS OF THE INVENTION

(22) The present invention, in some embodiments thereof, relates to a logic circuit designed for protection against side channel attacks, and, more particularly, but not exclusively, to a method for operating such a logic circuit to protect against side channel attacks.

(23) The embodiments presented here perform Randomized Multi Topology and Timing Logic (RMT.sup.2L). The RMT.sup.2L approach is based on random selection between two topologies, static and dynamic (where the last may pre-charge or pre-discharge the output voltage) using an RMT.sup.2L unit (embodiments of which are presented below). The RMT.sup.2L units may be placed in any desired location in a logic circuit (e.g. a crypto-core\module). RMT.sup.2L provides different delays at the clock signals of the RMT.sup.2L (i.e., pre-charge/pre-discharged starting/ending points), using a modular and power-efficient delay system. The construction of the RMT.sup.2L units and their utilization in a sophisticated random-delay and random-topology scheme results in a powerful high-immunity PA hardware. RMT.sup.2L simulation results under different configurations (presented below) show immunity to DPA/CPA attacks as compared to the CMOS family. These results also indicate higher immunity to DEMA attacks, as the randomized power profile of these gates results in randomized electromagnetic radiation as well.

(24) Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.

(25) RMT.sup.2L Overview

(26) The RMT.sup.2L concept is implemented using RMT.sup.2L units which have two modes of operation: static and dynamic. These RMT.sup.2L units are connected to chosen outputs of standard existing gates composing the logic circuit (e.g. cryptographic device), and they do not affect or harm the functionality of the system. Each RMT.sup.2L unit may be randomly operated in static mode (CMOS-like) or in one of two dynamic modes (precharge or predischarge) at each system clock cycle. The location of the RMT.sup.2L units is designed in such a way that the random propagation time delay will cover the whole clock cycle period or some large part of it (spreading the correlative currents from the system on large portion of the clock cycle). The RMT.sup.2L units may also be used for introducing initial conditions to the logic circuit. With this understanding, the power signature of such a logic circuit (e.g. cryptographic device) is hard to be captured in large number of samples (large statistics) because no synchronization is possible. Such a crypto-system that includes RMT.sup.2L units is therefore much more immune to power attacks.

(27) RMT.sup.2L Unit

(28) In some embodiments, the RMT.sup.2L unit is a randomization element which operates in static and dynamic mode in accordance with a mode control signal, and serves to introduce a controllable delay between the randomization element's input and output. As described below, including randomization elements in a logic circuit may be used to introduce random initial conditions to the logic circuit and/or to control propagation timing of the logic signals through the logic circuit.

(29) Reference is now made to FIG. 1, which is a simplified block diagram of a randomization element according to embodiments of the invention. Randomization element 100 is located between the output gate of logic gate 110 and an input of logic gate 120 (shown here with two logic inputs for exemplary purposes). Delay element 101 introduces a delay between the logic signal output by logic gate 110 and a logic input of logic gate 120, based on a delay control and/or clock signal as described below. Optionally, under certain conditions (e.g. in static mode) no additional delay is introduced into the logic signal path by randomization element 100, other than the propagation time of the logic signal through the randomization element. Randomization element 100 operates selectably in static mode and in dynamic mode in accordance with the mode control signal. The power profile of each mode of operation (i.e. static or dynamic) is different for the same logic computation.

(30) Optionally, a clock signal is provided to randomization element 100 and during dynamic operation the delay introduced by randomization element 100 is controlled by a timing of the clock signal.

(31) Optionally, the randomization element operates in both static and dynamic precharge modes. During precharge (i.e. setting up the initial conditions) randomization element 100 provides a logic level 1 to the logic input of logic gate 120 on the rising edge of the clock signal and for as long as the clock signal is in logic high and the mode control signal selects dynamic operation.

(32) In alternate embodiments, the randomization element operates in both static and dynamic predischarge modes. During predischarge randomization element 100 provides a logic level 0 to the logic input of logic gate 120 on the rising edge of the clock signal and for as long as the clock signal is in logic high and the mode control signal selects dynamic operation.

(33) Optionally, during evaluation mode (i.e. the falling edge of the clock signal) the logic level output from logic gate 110 is provided via randomization element 100 to the logic input of logic gate 120.

(34) FIGS. 2A and 2B are simplified circuit diagrams of exemplary embodiments of an RMT.sup.2L unit. In the embodiment of FIG. 2A, RMT.sup.2L unit may operate either in static mode or in dynamic precharge mode. In the embodiment of FIG. 2B, RMT.sup.2L unit may operate either in static mode or in dynamic predischarge modes.

(35) The exemplary embodiments of FIGS. 2A and 2B are based on two degenerated 21 multiplex (Mux) components. The RMT.sup.2L unit concept may be implemented with-in different ways and different standard logic components (e.g., implementation with only logic gates instead of using Mux components). The truth tables of the RMT.sup.2L unit are presented in Table 1 and Table 2 (for units with precharge and predischarge respectively).

(36) TABLE-US-00001 TABLE 1 Truth table of RMT.sup.2L Precharge unit CLK RND Out Don't care 1 In (Static) 1 0 1 (Precharge) 0 0 In (Evaluation)

(37) TABLE-US-00002 TABLE 2 Truth table of RMT.sup.2L Predischarge unit CLK RND Out Don't care 1 In (Static) 1 0 0 (Predischarge) 0 0 In (Evaluation)
Cascading an RMT.sup.2L Unit to Standard Gates

(38) An RMT.sup.2L unit may be connected to an output of any logic gate, as illustrated by the cascading of logic gate 110 to randomization element 100 in FIG. 1. Optionally, logic gate 110 and randomization element 100 operate in tandem to provide the logic function implemented by logic gate 110 in static or dynamic mode, in accordance with the mode control signal into randomization element 100.

(39) In some embodiments, an RMT.sup.2L unit is placed in any location inside a logic circuit (e.g. crypto-system) where it is desired to control operating mode and/or timing (i.e. delay). The RMT.sup.2L unit (either precharge or predischarge type) is connected to the output of a standard gate existing in this location. An example of cascading a standard CMOS NAND gate to a RMT.sup.2L unit with precharge is shown in FIG. 3.

(40) As a result of this connectivity, the output of the RMT.sup.2L unit behaves like the output of the standard CMOS NAND gate when static mode is set, and it behaves like dynamic precharge logic when dynamic mode is set. Thus, by cascading a standard gate to an RMT.sup.2L unit, the logic gate may be selectably operated in two modes, where each mode obviously consumes completely different power. In the same way an RMT.sup.2L unit with predischarge may be simply cascaded to an output of any standard gate.

(41) Logic Circuit with Randomization Elements

(42) Reference is now made to FIG. 4, which is a simplified block diagram of a logic circuit with randomization elements, according to embodiments of the invention. The non-limiting example shown here includes four logic gates and three randomization elements; however it is to be understood that other embodiments may include different numbers of logic gates and/or randomization elements. For clarity and generality, connections between the circuit elements are not shown. Note that other circuit elements may be present between the randomization element and the preceding and/or following logic gate, as required for circuit operation.

(43) Logic circuit 400 includes randomization elements (420.1-420.m) interspersed between logic gates (410.1-410.n). Each of the randomization elements may introduce a delay between the logic output of the preceding logic gate and the logic input of the following logic gate. Each of the randomization elements operates selectably in static mode and in dynamic mode in accordance with a respective mode control signal. Control sequence provider 430 provides sequences of control signals to the randomization elements. The sequences are selected to shape the logic circuit's power profile and signal propagation timing during operation, so as to combat side channel attacks.

(44) Optionally, the sequence of control signals is generated by and/or stored in control sequence provider 430. Alternately or additionally, the control sequence is input to control sequence provider 430 from an external source.

(45) Optionally the control sequence is a random sequence.

(46) Optionally, the control sequence is selected to distribute precharge and predischarge timing throughout the logic pathways.

(47) In some embodiments, some of the randomization elements operate in precharge mode and others operate in predischarge mode.

(48) Optionally, the delay time introduced by each of the randomization elements is controlled by a timing of a respective clock signal. Alternately or additionally the clock signals are synchronized. Optionally, the same clock signal (e.g. system clock) is input to all of the randomization elements.

(49) Embodiments of logic circuits with randomization elements may be implemented in circuits, including, but not limited to:

(50) a) An integrated circuit (IC) customized for a particular use, such as an Application-Specific Integrated Circuit (ASIC);

(51) b) A programmable logic device intended for general-purpose use. Examples of such programmable logic devices include, but are not limited to: Field-Programmable Gate Array (FPGA), Gate Array, Uncommitted Logic Array (ULA), Programmable Logic Array (PLA), Programmable Array Logic (PAL), Complex Programmable Logic Device (CPLD), Erasable Programmable Logic Device (EPLD) and Structured ASIC.

(52) Using RMT.sup.2L Units in a Typical Path of Crypto-System

(53) A typical path of a crypto-system implemented using logic gates may be considered as a logic cloud consisting of standard gates, inputs and outputs. An example of such a logic path is illustrated in FIG. 5.

(54) In this example two RMT.sup.2L units (510 and 520) are placed inside the logic path. As may be seen, these units are connected to the outputs of different standard gates at different locations, and they each have two control signals (CLK and RND) which are governed externally. In one example, the CLK signal is fed by the system clock; the RND signal is a random signal fed by a sequence generator (which typically is present in cryptographic systems), and determines the operation mode of the RMT.sup.2L unit. Each RMT.sup.2L unit may be implemented either as precharge or predischarge type. This kind of implementation that includes planted RMT.sup.2L units has two major effects that significantly improve the immunity to power attacks of the system: a) These units result in random power profile of the crypto-system. b) The propagation delays (i.e., timing) of the signals depend on the locations of these units (or their clock phase arrival timeelaborated in the next section). In other words, the designer who determines the RMT.sup.2L units locations (or clock phases), may control the timing of the signals. As a result, a smeared picture of propagation delays may be achieved by locating these units cleverly.

(55) For purposes of better understanding some embodiments of the present invention, as illustrated in FIGS. 1-5, 7 and 10-19 of the drawings, reference is made to RPL and RDI countermeasures as illustrated in FIGS. 6, 8 and 9.

(56) RPL Vulnerabilities

(57) In RPL countermeasures all data inputs (registers outputs) of the combinatorial logic are precharged to a random value (fed by an RNG) at the beginning of every clock cycle, and the real data is evaluated later on during the clock period (see FIG. 6).

(58) In standard CMOS circuits the consumed current is correlated to the multiplication of the Hamming Distance and Hamming Weight models (i.e. HD.Math.HW). This is due to the current flows from power supply only when a CMOS gate's output changes from 0 to 1. The HW and HD are given by Eq. 1.

(59) $\begin{array}{cc}\mathrm{HW}\left(s\right)=\underset{i=0}{\overset{n-1}{.Math.}}s\left(i\right)\mathrm{HD}\left(s_{j-1},s_j\right)=\mathrm{HW}\left(s_{j-1}{s}_j\right),& \left(1\right)\end{array}$
where s is a binary vector of length n (e.g., the output data of the S-box block). As a result, the current consumption of a CMOS circuit, I, is correlated only with a specific 0.fwdarw.1 voltage transition. This may be written as a function of two consequent states of the circuit outputs sampled voltage in terms of the clock cycle j, s.sub.j1 and s.sub.j, as shown in Eq. 2:

(60) $\begin{array}{cc}I\underset{k}{\overset{}{.Math.}}I\left(\mathrm{HD}\left(s_{j-1}\left(k\right),s_j\left(k\right)\right).Math.\mathrm{HW}\left(s_j\left(k\right)\right)\right),& \left(2\right)\end{array}$
where I(HD(s.sub.j1(k), s.sub.j(k)).Math.HW (s.sub.j(k))) is the current contribution from previous to the present clock cycle; it is valuable only when an output rises from 0 to 1.

(61) Conventional RPL is vulnerable to PA attacks during evaluation (i.e., between the falling edge of SEL signal and the end of the clock cycle). At this interval the real data is propagated to the outputs. Prior to this real value assertion (at the evaluation of the clock cycle), a random value was precharged to the whole inputs of the circuit. This means that all the logic (including the outputs) are affected by it and precharges to some values (depending on the random precharged vector at the inputs and on the combinational logic). For large enough statistics that considers all possible random precharged vectors, a random value of such input vector may be averaged to a constant value with

(62) $\mathrm{HW}=\frac{n}{2}$
at the inputs, where n is the input vector length (i.e., it may be considered as all possible options were examined and each input vector and its complement exist). Therefore, the input data may statistically be considered as changing from an averaged-constant value with fixed HW (in this case

(63) $\frac{n}{2})$
to the real data with known HW; the HD between these two states could also be computed from the average precharged input value to the known real data value. In the same fashion that the average input vector of the random precharge process was computed the average output vector of the precharge process could be computed due to the knowledge of the circuit functionality. Therefore this technique is sensitive at the inputs and outputs to Hamming Distance.Math.Hamming Weight, HD.Math.HW model (from some averaged reference state which may be computed). Hence, the power consumption of the module is still correlated to the HD.Math.HW model, where the HD is related to the difference between a certain output value of an i1 cycle (a real data value) and the output value of the i cycle (an averaged data value). As RPL is sensitive to HD.Math.HW model but only from a reference state R to a current known state S.sub.j, it is more correct to refer its vulnerability to the state of only one cycle. In that context we treat the RPL as correlated to the HW model of the current state s.sub.j with the addition of some constant due to the reference state R. It is important to note that since the hypothesized average transition switch is smaller (i.e., from a reference (averaged) state R to 1 in RPL when current is consumed, instead of a 0 to 1 transition in CMOS) then smaller correlation values will be computed in respect to CMOS which makes this method less PA vulnerable.

(64) Accordingly, if referring to the precharge and evaluation periods shown in FIG. 6, the current consumption of the RPL technique is correlated to the HD.Math.HW between 2 consequent cycles (where the first is R and thus correlate to the HW of the current cycle). Such correlations will be visible at the rising edge of the SEL signal (i.e., beginning of the precharge period), as at this point the output changes from previous real data state s.sub.j1 to a reference R state; similarly, the they will appear at the falling edge of the SEL signal (i.e., beginning of the evaluation period), as at this point the output changes from previous reference R state to a real data state s.sub.j. These two correlations are described in Eqn. 3:

(65) $\begin{array}{cc}I{.Math.}_{\mathrm{rising}\mathrm{SEL}}\underset{k}{\overset{}{.Math.}}I\left(\mathrm{HW}\left(s_{j-1}\left(k\right)\right)\right)I{.Math.}_{\mathrm{falling}\mathrm{SEL}}\underset{k}{\overset{}{.Math.}}I\left(\mathrm{HW}\left(s_j\left(k\right)\right)\right),& \left(3\right)\end{array}$
RMT.sup.2L Advantages Over RPL

(66) In contrast with conventional RPL techniques, in RMT.sup.2L not all data inputs are precharged to a random value, but only specific nodes inside the logical cone. i.e., parts of the logic will be affected by this precharge and other would not be. Moreover, at different clock cycles the different RMT.sup.2L units behave differently (randomly pre-charge\pre-discharge or not) and therefore in each clock cycle different parts of the logic will be affected by different paths coming from random pre\dis-charge elements or from data inputs. Thus, since in the setup phase (equivalent to precharge in RPL) input value have different possible mechanisms (pre-charge, pre-discharge or static-no change), the RMT.sup.2L methodology is much less sensitive to any models for any single-bit or multiple-bit hypothesis of Hamming Distance, Hamming Weight, or any of their combinations neither at the module inputs nor at its outputs. Correlation to any of the models will be much smaller. In fact, this point is crucial for the readers understanding: In RPL the random vectors are inserted to the input of the module and it is reasonable to assume an attacker knows the functionality of the module because the cryptographic algorithm is known, therefore he may compute the outputs of the system for any hypothesized random input. However, with RMT.sup.2L, the elements are inserted inside the logical cone and therefore the random units impact on the outputs depends on the combinational elements hardware implementation which is not known to the attacker (typically it depends on the system designer and the synthesis tools), this makes their impact to look random for an attacker which is a key strength of this method.

(67) FIG. 7 illustrates the efficiency of using the RMT.sup.2L methodology in terms of security. In this example we zoom in to one output of an 8-bit S-box using several RMT.sup.2L units. For simplicity we look at one output bit implementation which may be considered as a logic cone. Since for different clock cycles random RMT.sup.2L units become active (while all the rest are set to static modes), and in each cycle each node in the circuit will be affected by paths from the input\different RMT.sup.2L units and therefore, randomly vary its power profile and propagation delays to the output (will be further discussed next). As a result, the power profile of such a module is less correlated to the processed data, and thus such a module is less sensitive to any of the HW/HD models or any combinations of them.

(68) RDI Vulnerabilities

(69) In RDI countermeasures a random delay is inserted to the input signals of the module in order to randomize its current profile (see FIG. 8). These random delays lead to smeared propagation delay paths at the outputs of the module; thus, this technique might be immune to power attacks if attacking the outputs of the module. However, this technique is vulnerable to power attacks at the inputs of the module. Delay insertion at the inputs induces high correlation between the inputs and the power profile for longer periods (as long as the inserted delay), if attacking the inputs, along a large time interval inside the clock cycle. In the example illustrated in FIG. 9, a random delay of eight inverters is assumed producing a total T delay; they are connected to the second data line of the input register. A data sequence obtained in d.sub.0 relative to the clock signal is demonstrated. Since that in the RDI technique the data lines themselves are delayed, the power profile at the switching times are correlated to the input data over a longer time interval T: if there is a switch at the data line d.sub.0 (that causes power consumption), all the even inverters in this chain, d.sub.1-d.sub.4 will consume a correlative power to the same data; thus, along the whole interval T, the power consumption is correlated to the data.

(70) RMT.sup.2L Advantages Over RDI

(71) In RMT.sup.2L methodology however, the delays are inserted on the clock network (e.g. see FIG. 13) which does not hold any side-channel information on the data, and therefore is not vulnerable to attacks even at the inputs of the module. In addition, the delay implementation for RMT.sup.2L units clock-signals consumes much less hardware comparing to RDI (in RDI there is a delay chain for each input and in RMT.sup.2L there is only one chain on the clock path), which makes it more energy and area effective.

(72) Method for Protecting Against SCAs

(73) Reference is now made to FIG. 10, which is a simplified flowchart of a method for combating side channel attacks on a logic circuit, according to embodiments of the invention.

(74) In 1000 a logic circuit including logic gates with randomization elements interspersed amongst them is provided. The randomization elements operate as described above, to introduce a delay between a logic output of a respective preceding logic gate and a logic input of a respective following logic gate, and to operate selectably in static mode and in dynamic mode in accordance with a respective mode control signal. The respective delay of each of the randomization elements is controlled by the timing of a respective clock signal. Both the logic circuit and the randomization elements are configured and operate substantially as described above.

(75) In some embodiments, some of the randomization elements operate in precharge mode and others operate in predischarge mode.

(76) In 1010, a sequence of control signals (denoted a control sequence) is selected to shape a logic circuit power profile and logic signal propagation timing during logic circuit operation so as to combat side channel attacks. Optionally, the control sequence is one of a random sequence or a semi-random sequence. Optionally the control sequence includes both mode control and delay control signals. Further optionally, some or all of the delay control signals are respective clock signals for respective randomization elements. In alternate embodiments, the control sequence includes only mode control signals.

(77) In 1020, the control sequence is input to the randomization elements.

(78) In some embodiments, the control sequence is selected to randomize the logic circuit power profile and/or the logic signal propagation timing.

(79) Optionally, selecting the control sequence includes inputting the sequence from an element external to the logic circuit.

(80) Optionally, the clock signals are synchronized.

(81) Optionally in 1030, the relative timing of the clock signals is adjusted to further shape the logic signal propagation timing and/or the logic circuit power profile.

(82) The Randomized Multi Topology and Timing Logic (RMT.sup.2L) described herein enhances immunity to DPA/CPA. The RMT.sup.2L technique provides high immunity to side-channel attacks by two major approaches: randomization of two topologies, static and dynamic (precharge or predischarge), in any desired location in the crypto-core, and creating different arrival times of the logic paths (propagation delays) to the output. This results in random power profiles and smeared propagation delays of the crypto-chips, preventing the side channel attacks to reveal the stored sensitive data. Simulation results and Matlab data processing of several RMT.sup.2L implementation configurations verify a higher immunity to DPA/CPA attacks, as demonstrated below.

(83) It is expected that during the life of a patent maturing from this application many relevant cryptographic devices, cryptographic algorithms, logic gates, randomization elements, static mode logic gates and circuits, dynamic mode logic gates and circuits will be developed and the scope of the terms cryptography, cryptographic device, cryptographic algorithm, logic gate, randomization element, static mode and dynamic mode is intended to include all such new technologies a priori.

(84) The terms comprises, comprising, includes, including, having and their conjugates mean including but not limited to.

(85) The term consisting of means including and limited to.

(86) The term consisting essentially of means that the composition, method or structure may include additional ingredients, steps and/or parts, but only if the additional ingredients, steps and/or parts do not materially alter the basic and novel characteristics of the claimed composition, method or structure.

(87) As used herein, the singular form a, an and the include plural references unless the context clearly dictates otherwise. For example, the term a compound or at least one compound may include a plurality of compounds, including mixtures thereof.

(88) Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.

(89) Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases ranging/ranges between a first indicate number and a second indicate number and ranging/ranges from a first indicate number to a second indicate number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.

(90) It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.

(91) Various embodiments and aspects of the present invention as delineated hereinabove and as claimed in the claims section below find calculated and simulation support in the following examples.

EXAMPLES

(92) Reference is now made to the following examples, which together with the above descriptions illustrate some embodiments of the invention in a non limiting fashion.

(93) The examples discussed herein demonstrate part the new technique methodology against DPA/CPA attacks, the randomization and locations alternatives are presented through test circuit simulations and data process.

(94) General Description of the Crypto-Core Architecture

(95) An exemplary cryptographic module 1100 (also denoted herein a combinational block) is presented in FIG. 11.

(96) The cryptographic module 1100 includes two main blocks; a combinatorial crypto-module 1110 containing the cryptographic logic and RMT.sup.2L units, and register arrays 1120 located at the input and output of the combinatorial logic. These blocks are connected to the V.sub.DD power domain where the DPA/CPA attacks use it for power traces recording. There are several configurations in which the RMT.sup.2L units may be located inside the S-box; a few examples are shown next. The N RND control signals are the N random bits coming externally from a sequence generator, which typically already exists inside crypto cores (e.g., an LFSR module). These signals are connected to the random signals of the RMT.sup.2L units (which determines the operated topology of the respective RMT.sup.2L units: Static or Dynamic with precharge or predischarge). The modes of operation of the two types of the RMT.sup.2L units are summarized in Tables 1 and 2 above.

(97) Combinatorial Logic Description

(98) The modified combinatorial logic of a crypto-module 1200 which utilizes the RMT.sup.2L concept is illustrated in FIG. 12.

(99) The crypto-module 1200 of FIG. 12 includes a Delay system block 1210 that produces Q different phase clock signals (for the RMT.sup.2L units) out of the system clock. The idea is that every RMT.sup.2L unit or every group of RMT.sup.2L units will receive different clock phases such that the timing of the system signals is smeared over the clock period. As previously mentioned, there are N RND signals fed externally from a sequence generator that are connected to the RMT.sup.2L units. The 8-bit S-box with the RMT.sup.2L units is the cryptographic module that in addition to its functional operation was added with several RMT.sup.2L units in different locations and may change their operation modes on run-time (and thus the system power consumption and timing). The module may eventually work as a regular 8-bit S-box but in a secure way in terms of power attacks.

(100) The Delay System

(101) The purpose of delay system 1210 is to ensure that the RMT.sup.2L units located inside the crypto-core receive their clock signals with different phases. In such a way, in addition to the random power profile of the module, the timing of the different signals is random as well. In order to achieve these different phases but still ensure that the S-box functionality is not damaged, a buffers chain is implemented, divided by Q links, and each link in this chain outputs a shifted clock phase. A specific phase phi [i], i0, that feeds an RMT.sup.2L unit is obtained by an OR operation between the first phase (which may be the system clock) and the shifted i'th clock phase. In such a way, all RMT.sup.2L units enter the precharge period at the same time (e.g., at the rising edge of the system clock), while different RMT.sup.2L units may enter the evaluation period at completely different times. This fact may significantly improve the security of the crypto-core by adding random power consumption and smearing the propagation delay paths. This method of delay implementation is a very cost and area effective, for example in comparison to RDI. An example of such Delay system implementation module 1310 producing Q phases is illustrated in FIG. 13.

(102) Each link in the chain provides a specific time delay T, hence the largest delay phase is around QT. The designer may define the connectivity of each RMT.sup.2L unit or each group of RMT.sup.2L units to these phases. It just needs to be ensured that there is sufficient time for evaluation phases of the dynamic RMT.sup.2L units, and that there is no risk for the S-box functionality to be damaged (easily satisfied with standard synthesis tools). Note that in case that the RMT.sup.2L units are located randomly inside the crypto-core (or in a diagonal configuration as shown in FIG. 16) in such a way that the physical propagation delays of the paths are sufficient for DPA/CPA immunity, a transparent mode may be configured (by the mode signal) and all RMT.sup.2L units receive the system clock (at the same phase).

(103) 8-Bit S-Box

(104) The 8-bit S-box is based on the known Look-Up table (taken from the AES standard). It may be implemented in any chosen architecture. In order to prevent multibit attacks the randomization of outputs arrival times and pre-charge\discharge mechanisms for different outputs should be independent therefore a conceptual easy to understand and arranged RMT.sup.2L location configurations are presented. Specifically, a sound architecture where no shared logic exists between logical cones is presented; we note such a construction by separated bits. This architecture may be used for achieving minimal number of shared logic gates and clearly it increases the number of gates, area and power consumption however provides high immunity to multibit attacks. Note that this architecture is not compulsory when using RMT.sup.2L, however, the less shared logic, the simpler and more effective way to locate the RMT.sup.2L units. The separated bits scheme is illustrated in FIG. 14.

(105) Note that after the synthesis of the S-box (for any architecture implemented), the RMT.sup.2L units are inserted into the module in the desired location (using simple scriptural manipulations of the netlist).

(106) Examples of S-Box Configurations Using RMT.sup.2L Units

(107) In this section we give several examples of one bit of the separated S-box module (bit0), and describe how the logic may be implemented using the RMT.sup.2L units planted inside. Of course more than one configuration may be implemented as a combined configuration.

(108) One possible configuration is a vertical arrangement of the RMT.sup.2L units, as shown in FIG. 15. These units are located in a vertical way close to the entrance of the module, ensuring that every path from the inputs to the output includes (at least) one RMT.sup.2L unit. In addition, each RMT.sup.2L unit receives different clock phase from the delay system. As a result, this configuration leads a random power profile, as well as random timing to each path.

(109) Another possible configuration option is a diagonal arrangement of the RMT.sup.2L units, as shown in FIG. 16. In this configuration we also ensure that every path from the inputs to the output includes (at least) one RMT.sup.2L unit. However, in this case the clock signals of the RMT.sup.2L units may be the same clock (the same phase) therefore the propagation delay is smeared along most of the clock period. Also in this configuration the power profile, as well as the timing to each path are random.

(110) Yet another possible configuration may include a random arrangement of RMT.sup.2L units. Optionally, a crypto-module may be implemented using a combination of several configurations for each bit. For example: vertical and diagonal, random and vertical, random and diagonal, and so forth. Additionally or alternately, different bits of the module may be implemented using different configurations or a different combination of configurations. From a system level point of view, in an AES algorithm implementation (e.g. AES-128) each S-box may consist of different configurations inside or different combinations of several configurations.

(111) Test Setup

(112) A test setup was established for the security evaluation of our proposed RMT.sup.2L countermeasure. The test setup used for the DPA/CPA analysis, shown in FIG. 17, includes the device under attack (DUA), the current measurement setup, and the power profile recordings data process (using Matlab). The 8-bit input signal is first XORed with an 8-bit secret key, and then the result propagates to the 8-bit S-box block. The S-box implementation contains the RMT.sup.2L units, whereas their RND signals are governed by a sequence generator that produces random sequences (implemented using Cadence's pseudo-random generator or Verilog A).

(113) Simulation Results

(114) The first DUA was realized using the static mode of operation (CMOS like). The circuit inputsIn[7:0] were fed by 500 random but known inputs, and the current were recorded to perform CPA attack based on the SNR metric. A multi-bit CPA attack was implemented, shown in FIG. 18. FIG. 18 shows the maximum correlations obtained between the measured current profiles and the processed data, as a function of the guessed key. The attack successfully reveals the secret key arbitrarily set to be (77).sub.10, as no countermeasures were adopted.

(115) Using the same test-circuit as described previously, a module with RMT.sup.2L units was evaluated on two configurations, vertical and diagonal. As in the previous test, for the CPA attack process, the current graphs were recorded for the different inputsIn[7:0] fed by 500 random but known inputs. In these cases, CPA attacks were also established for 1000 and 10000 random input vectors for more accurate security evaluation. In this experiment, several different RNG signals were used for the precharge and static topologies, and were inserted to the RMT.sup.2L units of the test-circuit, whereas all the other gates were standard CMOS.

(116) FIG. 19 presents the maximum correlation results as a function of the key guesses, for the vertical (FIGS. 19a, 19c and 19e) and diagonal (FIGS. 19b, 19d and 19f) configuration implementations. The rows in the figure refer to the number of input vectors inserted to the tested module (500, 1000, and 10000, for top, middle and bottom rows respectively). FIG. 19a shows a vertical configuration with 500 input vectors. FIG. 19b shows a diagonal configuration with 500 input vectors. FIG. 19c shows a vertical configuration with 1000 input vectors. FIG. 19d shows a diagonal configuration with 1000 input vectors. FIG. 19e shows a vertical configuration with 10000 input vectors. FIG. 19f shows a diagonal configuration with 10000 input vectors.

(117) It is seen that by using RMT.sup.2L units the correct key (shown by the solid arrow) cannot be extracted, as other keys have the maximum correlation with the power profiles (shown by the dashed arrow). The correlation between the correct key and the processed data was minimized by randomly changing the RMT.sup.2L topologies, causing random power profiles and random timings.

(118) Although the invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.

(119) All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.