AES-Based Cryptographic and Biometric Security Coprocessor IC in 0.18-μm CMOS Resistant to Side-Channel Power Analysis Attacks

Kris Tiri, David D. Hwang, Alireza Hodjat, Bo-Cheng Lai, Shenglin Yang, Patrick Schaumont, and Ingrid Verbauwhede
Electrical Engineering Department, University of California, Los Angeles, CA, 90095
{tiri, dhwang, ahodjat, bclai, shengliny, schaum, ingrid}@ee.ucla.edu

Abstract

This paper describes an embedded security coprocessor that consists of four components: an Advanced Encryption Standard (AES) based cryptographic engine, a fingerprint matching oracle, template storage, and an interface unit. Two functionally-identical coprocessors are fabricated using a TSMC 6M 0.18-μm process. The first coprocessor uses standard cells and encrypts at 3.84 Gb/s. The second coprocessor uses Wave Dynamic Differential Logic (WDDL) combined with differential routing to combat side-channel information leakage through power analysis attacks. It encrypts at 0.99 Gb/s. The coprocessor is part of a security-partitioned embedded system called ThumbPod.

Keywords: Advanced Encryption Standard (AES), cryptography, differential power analysis, coprocessor, biometrics.

Introduction

In recent years, the integrated circuit has emerged as a weak link in embedded security applications. The IC broadcasts information that is related to the secret key being used in the encryption operation. Several attacks have been reported that use information such as power consumption, time delay, and electromagnetic radiation to find the secret key. These side-channel attacks (SCAs) are a real threat for any device in which the security IC is easily observable, such as smart cards and other embedded devices [1],[2]. As an example of the potency of SCAs, Schneier wrote in 1998 that there is not enough silicon in the galaxy or enough time before the sun burns out to perform a brute-force attack (trying all possible keys) on the 3-DES cipher with a 112-b key [3]. With the differential power analysis (DPA) side-channel attack, however, we were able to find the key of a standard cell IC AES implementation with a 128-b key in less than three minutes with standard laboratory equipment. Clearly, SCAs pose serious concerns for the embedded IC security community.

There are two steps required to secure an embedded system from such side-channel attacks. The first step is security partitioning, in which an embedded system is partitioned into two parts: a secure and an insecure module. Such partitioning ensures that the processing and storage of non-sensitive information is done on the insecure module, and the processing and storage of all sensitive information is done on the secure module. The second step is to use circuit and physical techniques to combat side-channel attacks on the secure module only. Though such techniques require considerable overhead in terms of area and power, due to security partitioning only the secure module must be protected for the system to remain secure, thus minimizing such overhead.

We have designed such a partitioned secure embedded system called ThumbPod, which is used for biometric and cryptographic embedded authentication, as shown in Fig. 1. Security partitioning has been performed to divide the system into an insecure module (an FPGA LEON 32-b RISC processor) and a secure module (a coprocessor IC).

This paper discusses the secure coprocessor IC. The coprocessor consists of four components: an Advanced Encryption Standard (AES) based cryptographic engine, a fingerprint matching oracle, template storage, and an interface unit. Two functionally-identical coprocessors were fabricated on the same die using a TSMC 6M 0.18-μm process. The first coprocessor was implemented using standard cells and regular routing techniques. The second coprocessor was implemented using a logic style called Wave Dynamic Differential Logic (WDDL) and a layout technique called differential routing to combat side-channel power analysis attacks. We fabricated two functionally-identical coprocessors to allow us to compare the side-channel resistance of a typical IC versus one with special circuit techniques.

The remainder of this paper is as follows. The next section describes the IC system architecture. The third section describes power analysis countermeasures. Subsequently, area, timing and power numbers are presented together with the power attack resistance. Finally, related state of the art and a conclusion are presented.

[Fig. 1. ThumbPod system architecture (fabricated IC is shaded). Block diagram: a LEON 32-bit SPARC V8 processor with memory connects over an address/read-write interface (DIN, DOUT, INS) to the coprocessor IC, which contains a crypto controller, the AES core with its key and session-key registers (RAND1, RAND2), an oracle controller, fingerprint matching functions, template storage, a decision XOR feeding the crypto path, and security flags.]
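The following is an added example, not code from the paper or the ThumbPod project: a Python toggle-count model of the WDDL principle (dual-rail, precharged gates) contrasted with a single-rail CMOS gate under a Hamming-distance power model, showing why the WDDL coprocessor's switching activity does not depend on the data it processes. The WDDL AND gate (one true rail, one false rail, precharged to 0 every cycle) and the "one toggle = one unit of energy" abstraction are assumptions of the model, not circuit details taken from this paper.

```python
from itertools import product

def cmos_and_trace(inputs):
    """Per-cycle output toggles of a single-rail CMOS AND gate.
    Hamming-distance power model: charge is drawn only when the output
    wire changes value, so the trace depends on the data sequence."""
    prev, trace = 0, []
    for a, b in inputs:
        out = a & b
        trace.append(int(out != prev))
        prev = out
    return trace

def wddl_and_trace(inputs):
    """Per-cycle rail toggles of a dual-rail WDDL AND gate (model, see lead-in).
    Each cycle has a precharge phase (both rails driven to 0) followed by an
    evaluate phase in which exactly one rail rises: true rail = a AND b,
    false rail = NOT a OR NOT b, built from the complementary input rails."""
    rails, trace = (0, 0), []
    for a, b in inputs:
        pre = (0, 0)
        ev = (a & b, (1 - a) | (1 - b))
        n = sum(r != p for r, p in zip(rails, pre))   # rails discharged in precharge
        n += sum(p != e for p, e in zip(pre, ev))      # exactly one rail charges
        trace.append(n)
        rails = ev
    return trace

def toggle_profiles(gate, cycles):
    """Set of distinct per-cycle toggle traces over every possible input
    sequence of the given length; one element means data-independent activity."""
    seqs = product(product((0, 1), repeat=2), repeat=cycles)
    return {tuple(gate(list(seq))) for seq in seqs}

def is_data_independent(gate, cycles=3):
    """True if the gate's toggle trace is the same for all input sequences."""
    return len(toggle_profiles(gate, cycles)) == 1

if __name__ == "__main__":
    # Constructed input sequence: (a, b) pairs applied on successive cycles.
    sample = [(1, 1), (0, 1), (1, 0)]
    print("CMOS  toggles per cycle:", cmos_and_trace(sample))
    print("WDDL  toggles per cycle:", wddl_and_trace(sample))
    print("CMOS  distinct profiles:", sorted(toggle_profiles(cmos_and_trace, 3)))
    print("WDDL  distinct profiles:", sorted(toggle_profiles(wddl_and_trace, 3)))
```

The toggle count is only half of the countermeasure: the paper pairs WDDL with differential routing because the two rails must also drive matched capacitance, which this wire-count model does not capture.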