Exploring Effect of Residual Electric Charges on Cryptographic Circuits

Building leakage models is important in designing countermeasures against side-channel attacks (SCAs), and Hamming-weight/distance (HW/HD) models are traditional leakage models. Electromagnetic analysis (EMA) attacks using a tiny EM probe are the most powerful SCAs. Recent studies have reported that EMA attacks can measure SCA leaks not included in the HW/HD models [16,19]. A current-path leak is one such leak, and a mirror circuit was introduced as a countermeasure against it. We experimentally found that a mirror circuit insufficiently hides (decreases) EMA leaks, resulting in residual electric charges (RECs) between stacked transistors leaking secret information. REC leaks are not included in the current-path leakage model as well as the HW/HD leakage models. RECs can carry the history of the gate's state over multiple clock cycles. Therefore, we propose a countermeasure against REC leaks and designed advanced encryption standard-128 (AES-128) circuits using IO-masked dual-rail read-only memory (MDR-ROM) with a 180-nm complementary metal-oxide-semiconductor (CMOS) process. We compared the resilience of our AES-128 circuits against EMA attacks with and without our countermeasure. We also discuss RECs' effect on physically unclonable functions (PUFs). RECs do not make PUFs vulnerable but affect PUF performance. We demonstrate that RECs affect the performance of arbiter PUFs (APUFs) we fabricated with 180- and 40-nm CMOS processes.