DPA Resistant AES on FPGA using Partial DDL

Jens-Peter Kaps and Rajesh Velegalati
ECE Department, George Mason University
4400 University Drive, Fairfax, VA 22030, USA
Email: {jkaps, rvelegal}@gmu.edu

Abstract—Current techniques to implement Dynamic Differential Logic (DDL), a countermeasure against Differential Power Analysis (DPA), on Field Programmable Gate Arrays (FPGAs) lead to an increase in area consumption of up to a factor of 11. In this paper we introduce Partial DDL, a technique in which DDL is applied only to a part of the cryptographic hardware implementation. We propose principle rules for Partial DDL to guide the designer in how to split up a circuit into DDL protected and unprotected paths. In order to validate our approach we implemented a lightweight architecture of AES in the Partial Separated Dynamic Differential Logic (Partial SDDL) for FPGAs. The results show that our implementation with Partial SDDL is as resistant to DPA as a full SDDL implementation while it consumes only 76% of the total area occupied by the full SDDL design. This is an area increase of 2.3 times over an unprotected single ended design.

I. INTRODUCTION

With the ever increasing miniaturization and ubiquity of computing devices such as smart cards, wireless sensor network (WSN) nodes, radio frequency identification (RFID) tags, etc., security threats against them have become a growing concern [1], [2]. Even though these devices protect confidential information using cryptographic algorithms that withstand rigorous cryptanalytic attacks, an adversary can obtain the secret information by observing the so-called side channel leakage from the cryptographic device. These side channels can be power consumption, execution time, or electromagnetic emanations of the device.
Amongst these passive non-invasive side channel attacks (SCA), the power analysis attack [3], [4] has received the most attention from the research community because it is very powerful, can easily be conducted, and has been used successfully many times. It can be applied to dedicated cryptographic processors as well as to general purpose processors running cryptographic software. The fact that ultra-low power implementations of cryptographic algorithms perform most operations in a serial fashion, in order to conserve power, makes them especially susceptible to DPA.

Since it turned out that cryptographic devices are vulnerable to power analysis, there has been great effort in the development of countermeasures against DPA. Dynamic Differential Logic (DDL) styles have been very successful in thwarting DPA attacks on ASICs [5]. However, current implementations of DDL styles on FPGAs have a very large area overhead, which is not suitable for low area implementations.

DDL aims to break the connection between the instantaneous power consumption of a circuit and the data being processed. This would make a DPA attack infeasible. DDL accomplishes this goal by duplicating the circuit into a direct and a complementary logic. It pre-charges the inputs of the circuit and the outputs of all memory elements during one half of a clock cycle (pre-charge phase) and performs the computation in the other half (evaluation phase). This guarantees constant switching activity, i.e. either a bit in the direct logic or the corresponding bit in the complementary logic switches. For example, consider the circuit shown in Fig. 1. An 8-bit LFSR is used to supply inputs to the SBOX. The output of the SBOX is XORed with the key and stored in register FF1. The register FF2 drives the outputs of the chip and is implemented in I/O blocks (IOB).

Fig. 1. Block Diagram of Test Circuit
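The constant-switching property described above can be checked on a bit-level model of the Fig. 1 test circuit. The following is an added example, not code from the paper: it counts the toggles of register FF1 per clock for a single ended design and for a dual-rail design with pre-charge. The LFSR taps, seed and key byte are assumptions, and the toggle count is only a simplified stand-in for dynamic power.

```python
# Added illustration, not from the paper: toggle counts of register FF1 in the
# Fig. 1 test circuit (LFSR -> AES S-box -> XOR key -> FF1), single ended
# versus dual rail with pre-charge. Toggle count stands in for dynamic power.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox(x):
    """AES S-box: multiplicative inverse (0 maps to 0), then the affine map."""
    inv = 0
    if x:
        inv = 1
        for _ in range(254):          # x^254 is x^-1 in GF(2^8)
            inv = gf_mul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

def lfsr_step(s):
    """8-bit Fibonacci LFSR; the taps (8, 6, 5, 4) are an assumption."""
    bit = ((s >> 7) ^ (s >> 5) ^ (s >> 4) ^ (s >> 3)) & 1
    return ((s << 1) | bit) & 0xFF

def hd(a, b):
    """Hamming distance: number of bit positions that toggle."""
    return bin(a ^ b).count("1")

def ff1_toggles(key, cycles=255, seed=0x01):
    """Return (single_ended, dual_rail) per-clock toggle counts of FF1."""
    single_ended, dual_rail = [], []
    state, prev = seed, 0
    for _ in range(cycles):
        q = aes_sbox(state) ^ key
        single_ended.append(hd(prev, q))   # depends on the data
        # Dual rail: true and complementary rails both start pre-charged to 0.
        rises = hd(0, q) + hd(0, q ^ 0xFF)  # evaluation phase, always 8
        dual_rail.append(2 * rises)         # same rails fall in pre-charge
        prev, state = q, lfsr_step(state)
    return single_ended, dual_rail

if __name__ == "__main__":
    se, ddl = ff1_toggles(key=0x2B)         # constructed key byte
    print("single ended:", sorted(set(se)), "dual rail:", sorted(set(ddl)))
```

In this model the dual-rail count is 16 in every clock cycle for any key, while the single ended count changes from cycle to cycle with the S-box output. Real devices deviate from the ideal because the two rails are never perfectly balanced.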
Table I shows the comparison between different DDL styles applied to the test circuit shown in Fig. 1. The Single Ended (SE) implementation of the circuit shown in Fig. 1 makes heavy use of Wide Dedicated Multiplexers (WDMs), a special intrinsic feature of Xilinx FPGAs, when synthesizing the S-Box. The Separated Dynamic Differential Logic for FPGAs (SDDL for FPGAs) [6] design does not use the WDMs. Hence, the area consumption of the SDDL for FPGAs design is nearly 4 times that of the SE design. The WDDL implementation has an area overhead of nearly 5 times and DWDDL nearly 11 times that of an SE design. DWDDL is the most secure of the three DDL styles, although its area consumption makes it impracticable for many FPGA applications. The area consumption and security estimates of the SDDL for FPGAs style are taken from [6], and those of Wave Dynamic Differential Logic (WDDL) and Double Wave Dynamic Differential Logic (DWDDL) are taken from [7], [8].

Although DDL implementations on FPGAs are explored in [5], [9]–[11], to our knowledge not much work has been done to reduce the area overhead incurred due to DDL styles. In [9] Guilley et al. presented optimization techniques which reduce the size of WDDL implementations on FPGAs. They were able to reduce the size of their WDDL implementation of Triple DES by 23% [8] through a new synthesis flow. However, this design is still much larger than a single ended design due to the use of only positive logic as required by

2010 18th IEEE Annual International Symposium on Field-Programmable Custom Computing Machines. 978-0-7695-4056-6/10 $26.00 © 2010 IEEE. DOI 10.1109/FCCM.2010.49