
https://doi.org/10.1007/s10836-019-05821-z

A State Machine Encoding Methodology Against Power Analysis Attacks

Richa Agrawal¹ · Ranga Vemuri¹ · Mike Borowczak²

Received: 21 May 2019 / Accepted: 19 August 2019
© Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract

Power side-channel attacks have been shown to be effective against recovering protected information from integrated circuits. Existing defense methods are expensive in area, power or both. Small-scale ICs used in embedded systems and IoT devices are expected to be safe and secure, and yet cannot afford the area and power overheads of the sophisticated defense methods. This paper presents a design methodology for finite state controllers (FSMs) to defend against power analysis attacks while ensuring low power overhead. Further, a desired level of security can be achieved while minimizing power consumption. We formulate a set of constraints on state encoding based on security and power metrics. We express these constraints as a Boolean satisfiability (SAT) problem and use a SAT solver to generate constraint satisfying encodings. Experimental results using over 100 FSMs from BenGen and MCNC benchmark suites show a graded increase in encoding length (up to 40% for original FSMs and 40–70% for restructured FSMs) depending on the security level chosen. Trade-off between security and power is demonstrated as the mutual information between power side-channel and the Hamming attack models can vary between 0 and 2, depending on the level of security desired. An average power reduction of up to 40% is observed in power-constrained FSMs with respect to restructured FSMs and 4–20% reduction with respect to minimal encoding strategy.

Keywords Low power · Finite state controllers · Power analysis · Satisfiability checking · Boolean constraints

1 Introduction

Small finite state machines (FSM) are central to the design of numerous small-scale electronic appliances used in home automation, environment/infrastructure monitoring, health care and emerging safety-critical systems such as drones and self-driven cars. These systems are considered critical as they carry and control access to personal or secure information. It is estimated that there will be 50 billion small-scale IoT devices by 2020. These devices typically have limited computation power and need to be energy efficient [14] which makes low-cost, low-power defense methods highly desirable. Hence, sophisticated cryptographic algorithms and hardware protection schemes such as [4, 6], which incur high cost in terms of area and power, cannot be implemented in these systems.

Parts of this paper were previously published in [2] and [1]. This paper consolidates all the results, expands the discussion and includes new results.

Responsible Editor: K. Basu

Richa Agrawal [email protected]

Extended author information available on the last page of the article.

Reverse engineering attacks on integrated circuits consist of both invasive and non-invasive methods and have been studied for the past few years [15, 24]. Invasive methods are destructive in nature in addition to being expensive and laborious to perform [10, 33]. Non-invasive attacks to reverse-engineer an FSM are based on characterizing machine behavior using only input-output values of FSMs and are restricted by memory and time usage [9, 30].

Side-channel attacks are non-invasive [34, 42] hardware-based attacks that exploit the relationship between the operations of the target device and measurable physical variables [38]. They can use measurements such as power consumption, electromagnetic radiation and response time. Side-channel measurements can be used independently or to supplement cryptanalysis attacks [29]. Power analysis attacks use only power consumption information which makes them cost-efficient, easy and powerful against low-cost small-scale embedded devices [3, 5, 17, 22, 23]. They reveal the contents of internal registers by targeting the dependency of power consumption on the data switching in these registers.

Published online: 9 September 2019

Journal of Electronic Testing (2019) 35:621–639

For small-scale FSMs, reverse-engineering attacks are also known to be quite effective [30]. These attacks can be improved by combining side-channel information along with its functional output values to engineer the attack. Fault-detection attacks already employ power [28] and EM side-channel leakage [16] to determine first a known-good baseline and then detect alterations by comparing it to the baseline. A similar power analysis attack to reverse-engineering [9, 36] an FSM seems quite plausible. Power analysis attack can also be combined with cryptanalysis to reverse engineer an FSM [37].

Current defense methods against power analysis attacks include using cryptographic subsystems [6] to encrypt the data flow to/from the device. But for small-scale devices, their large area and power overheads can render them unfeasible for practical use. Hardware protection schemes where special power-invariant cells are used such as WDDL [31] and MDPL [27] prevent unintentional leakage of information. Such cell level solutions which work on a low-level implementation also have high area and power costs.

High-level protection schemes hide or mask critical information to make side-channel measurements independent of the input data and the device’s computational trajectory. In finite state machines, the state registers store information within their encodings [41]. This information can be subject to power analysis attacks since power consumption profiles can be correlated to data changes in the registers and be used to reverse engineer the state machine. Careful state encoding is thus essential to avoid information leakage through power [7].

In this paper, we discuss a low-cost secure design methodology against power analysis attacks using a constrained state assignment strategy for finite state controllers. By appropriate state encoding, the method removes or reduces the correlation between the generated power footprint and the state sequence. The proposed methodology includes a user-defined, graded security-metric, which provides the designer with flexibility to design the state machine with required security at the cost of area and power [2]. We further propose power-efficient techniques to design low-power secure state machines. Ability to reduce power without sacrificing security is a great tool but has its limitations in area. However, reducing power with a trade-off against security can be more effective in terms of area and becomes an essential tool [1].

In Section 2, we introduce the controller model and the attack model. In Section 3, we develop constraints on state encoding to mitigate information leakage through the power side-channel and propose a heuristic method to group the states and transitions to allow secure encoding while controlling power and area penalty. In Section 4, we introduce power reduction techniques with both compromised and uncompromised security levels. Section 5 formulates the encoding problem as a Boolean satisfiability (SAT) problem and in Section 6 we describe how to use a satisfiability solver to generate encodings. In Section 7, we present experimental results using over 100 benchmarks to demonstrate the effectiveness of the proposed methods. There are different classes of countermeasures [11, 21] ranging from algorithmic to cell level defense methods. Among these, it is appropriate to compare the proposed methods with cell-level defense methodologies. We offer concluding remarks in Section 8.

2 Preliminaries

2.1 FSM State Encoding

Let $M = (S, I, T, s_o)$ be a finite state machine where $S$ is a finite set of states, $I$ is a finite set of input symbols, $T : S \times I \to S$ is a state transition function and $s_o \in S$ is the initial state. Let $s_1, s_2, \ldots, s_M$, where $M = |S|$, denote the states.

When an FSM is implemented as a synchronous sequential circuit, the states are encoded as a set of Boolean state variables which are stored in flip-flops. We assume the use of $R$ delay flip-flops. Let $Q = \langle q_o, q_1, \ldots, q_R \rangle$ denote the Boolean valued vector of these $R$ state variables. Let $E : S \to (b_1, b_2, \ldots, b_R)$, where $b_i \in \{0, 1\}$, be a state encoding function which maps each state to a Boolean vector of size $R$. The mapping should assign a unique vector to each state, that is, $\forall s_i, s_j \in S,\ E(s_i) = E(s_j) \implies s_i = s_j$. A sequential circuit is an implementation of an FSM if and only if, when the FSM is in state $s \in S$, the sequential circuit is in state $Q = E(s)$.

Let the Hamming Weight of a Boolean vector $B$ (the number of ones in $B$) be denoted by $HW(B)$. Let the Hamming Distance between two Boolean vectors $B_1$ and $B_2$ of the same size (the number of positions in which the two vectors differ) be denoted by $HD(B_1, B_2)$.

$R$ is referred to as the size or length of the encoding. State encodings in which $R = \lceil \log_2(M) \rceil$ are called minimal-length encodings or simply minimal encodings and this value is denoted as $R_{min}$ for that FSM. Encodings in which $R = M$ and, for all states $s$, $HW(E(s)) = 1$, are called one-hot encodings. We will refer to this value of $R$ as $R_{max}$ for that FSM.

Given an FSM and certain (security and power) constraints on the encoding function, we are interested in finding encodings of size $R \in [R_{min}, R_{max}]$ such that the constraints are met and $R$ is minimized.


2.2 Attacks

The attacker’s intent is to reverse engineer the FSM by attacking the state register of the FSM implementation. By utilizing the information leaked through the power side-channel during the run-time of the FSM implementation realized in CMOS technology and predicting the changes in the state variables, the attacker tries to construct the FSM. This can be done in two ways: (1) By hypothesizing a state machine and, making use of a high-level power model, generating a predicted high-level power trace for a large input sequence and computing its correlation with the actual power trace for the same input sequence. High correlation validates the hypothesis. (2) The attacker can also construct a state machine incrementally if the high-level power model has a high correlation with the actual power consumption such that each state and each transition have unique power footprints. In this case, by conducting distinguishing experiments in which different input sequences causing different power draws are applied, the attacker incrementally reconstructs the state machine. The first type of attacks are named Differential Power Attacks (DPA) and the second type are named Simple Power Attacks (SPA) [22].

Power side-channel attacks are generally based on high-level power models for synchronous sequential circuits.

The Hamming Weight model assumes that the power drawn in a CMOS circuit is dependent on the status of each state bit which in turn depends on $E(s)$ for each state $s$. Hence the power consumed when a circuit is in state $s$ is correlated to the Hamming weight of the state under encoding $E$, or $HW(E(s))$.

The Hamming Distance model assumes that the dynamic power consumption in a CMOS circuit depends on the state transitions which are characterized by the switching activity in the state registers. Hence, the power consumed when a circuit transitions from state $s_1$ to state $s_2$ is correlated to the Hamming distance of the transition from $s_1$ to $s_2$ under encoding $E$, or $HD(E(s_1), E(s_2))$.

The Switching Distance model (or modified HD model) assumes that a CMOS gate consumes slightly more power during rise than during fall. The attack model can take this difference into account. For example, [26] introduced a parameter $\delta$ to capture the difference. $\delta$ is defined as the normalized difference of the transition leakages: $\delta = (P_{0 \to 1} - P_{1 \to 0})/P_{0 \to 1}$. Nominally, $\delta = 0.17$. In this model, power consumed when a circuit transitions from state $s_1$ to state $s_2$ is correlated to $SD(E(s_1), E(s_2))$, where the SD values shown in Table 1 for one bit are summed up across all the bits in the encoding. This is called the Switching Distance of the transition from $s_1$ to $s_2$ under encoding $E$.

Successful attack is possible only if the states can be distinguished from one another based on the power measurements and if the state transitions can be distinguished from one another based on the power measurements. If the circuit consumes constant power in all states and consumes constant power during all transitions then there would be no information leakage through the side-channel. Several cell-level defenses against DPA and SPA have been proposed based on the idea of designing circuits to draw constant power during all states and transitions [27, 32]. These methods impose significant power and area penalties [31].

Table 1 Switching distance model

| Transition | SD |
|---|---|
| 0 → 0 | 0 |
| 0 → 1 | 1 |
| 1 → 0 | 1 − δ |
| 1 → 1 | 0 |

3 Secure State Encoding

3.1 Security Constraints on Encoding

In this paper, we adopt a different approach. We ensure that the state encoding is done so as to avoid information leakage through the power channel. Consider an encoding which ensures that all states have the same Hamming weight and all transitions have the same Hamming distance. For example, the one-hot encoding ensures that all states have a Hamming weight of 1 and all transitions have a Hamming distance of 2. Under such an encoding, the FSM implementation is unlikely to leak any information via power traces either under the Hamming weight attack or the Hamming distance attack. However, this constraint leads to encodings requiring a large encoding size $R$ [7]. We propose methods to reduce the encoding size while ensuring security and to further reduce the encoding size to save power and area while trading off security.

We can represent an FSM by a State Transition Graph (STG) in which each state is represented by a unique vertex and all transitions from one state to another are represented by unique edges. For convenience, overloading the notation used for the FSM, we refer to the STG as $(S, T, s_o)$ where $S$ denotes the set of state vertices, $T \subseteq (S \times S)$ is the set of directed edges denoting the state transitions and $s_o \in S$ is the vertex representing the start state. When there is no confusion, we use the terms FSM and its STG interchangeably.

We define reachability of a state as follows: Let $L$ be a non-negative integer. A state $s$ is L-Reachable if there exists an input sequence of length $L$ to take the machine to $s$ from the start state. That is, $s$ can be reached in $L$ clock cycles from the start state. Formally, a state $s$ is L-reachable if there is a path of length $L$ from $s_o$ to $s$ in the STG. We use the predicate $R_l(s)$ to denote the L-Reachability of state $s$. It is of course possible that there may be multiple paths to reach a state and, hence, multiple values of $L$ for which a state $s$ is L-reachable.

Let $S_L \subseteq S$ be a subset of states which are L-reachable. Formally, $S_L = \{s \in S \mid R_l(s) = L\}$. Let $T_L$ be the set of all transitions in the STG originating from the states in $S_L$. Formally, $T_L = \{(s_1, s_2) \in T \mid s_1 \in S_L\}$.

In order to avoid information leakage through the power side channel and thwart DPA or SPA attacks, all states which are reachable in the same number of cycles should have the same power footprint and all transitions that can be traversed in the same number of cycles should be indistinguishable by their power consumption. This leads to the following constraints on the state encoding: For any $L$, (1) All states in $S_L$ should have the same Hamming weight. (2) All transitions in $T_L$ should have the same Hamming distance.

Consider Fig. 1. For $L = 0, 3, 6, \ldots$, $S_L = \{s_1\}$. For $L = 1, 4, 7, \ldots$, $S_L = \{s_2, s_3\}$. For $L = 2, 5, 8, \ldots$, $S_L = \{s_4, s_5, s_6\}$. Any encoding in which $HW(s_2) = HW(s_3)$, $HW(s_4) = HW(s_5) = HW(s_6)$, $HD(t_1) = HD(t_2)$, $HD(t_3) = HD(t_4) = HD(t_5) = HD(t_6)$, and $HD(t_7) = HD(t_8) = HD(t_9)$ will thwart an attacker’s effort to exploit the power channel using the HW and HD models. It is not necessary that all states should have the same HW and all transitions should have the same HD; that would increase the encoding length. Using the precise requirements based on $S_L$ and $T_L$ reduces the encoding length while retaining security against HW and HD attack models.

To understand security against SD attacks, consider two separate state transitions in an FSM, $\{s_1 \to s_2\}$ and $\{s_3 \to s_4\}$, where $s_1$ and $s_3$ belong to the same L-reachable set $S_{L1}$, and $s_2$ and $s_4$ belong to set $S_{L2}$, as shown in Fig. 2. Let their state encodings be such that:

$$HW(s_1) = HW(s_3) = W_1$$

$$HW(s_2) = HW(s_4) = W_2$$

$$HD(t_1) = HD(t_2) = D$$

$$SD(t_1) = Z_1, \quad SD(t_2) = Z_2$$

Fig. 1 Example FSM

Fig. 2 Security against SD attack model

Let the number of low to high bit changes (0 to 1) during transition $t_1$ be denoted by $R_1$ and the number of high to low bit changes (1 to 0) be denoted by $F_1$.

$$D = R_1 + F_1 \tag{1}$$

During transition $t_1$, the number of ones in state encoding $E(s_2)$ is equal to the number of ones in $E(s_1)$ plus the number of (0 to 1) changes minus the number of (1 to 0) changes. Therefore,

$$W_2 = W_1 + (R_1 - F_1) \tag{2}$$

which implies:

$$R_1 = (D + W_2 - W_1)/2$$

$$F_1 = (D - W_2 + W_1)/2$$

Since $Z_1$ is a function of $R_1$ and $F_1$, which in turn are functions of $D$, $W_1$ and $W_2$, the switching distances of transitions $t_1$ and $t_2$ are equal. Hence transitions in the same $T_L$ set have equal switching distance.

$$Z_1 = R_1 + \delta * F_1 \implies Z_2 = Z_1 \tag{3}$$
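An added example (not code from the paper): a checker for requirements (1) and (2) that enumerates the L-reachability sets of an STG and reports the HW, HD and SD values seen in each $S_L$ and $T_L$. The edge list is an assumed reading of Fig. 1 that matches the $S_L$ sets stated above, both encodings are constructed for illustration, and SD uses the per-bit costs of Table 1.

```python
from collections import defaultdict

DELTA = 0.17  # nominal rise/fall asymmetry quoted in Section 2.2


def reach_sets(edges, start):
    """Distinct L-reachability sets S_0, S_1, ... until the sequence repeats."""
    succ = defaultdict(set)
    for u, v in edges:
        succ[u].add(v)
    sets, frontier = [], frozenset([start])
    while frontier and frontier not in sets:
        sets.append(frontier)
        frontier = frozenset(v for u in frontier for v in succ[u])
    return sets


def hw(code):
    return code.count("1")


def hd(a, b):
    return sum(x != y for x, y in zip(a, b))


def sd(a, b, delta=DELTA):
    """Switching distance: per-bit costs of Table 1 summed over all bits."""
    rises = sum(x == "0" and y == "1" for x, y in zip(a, b))
    falls = sum(x == "1" and y == "0" for x, y in zip(a, b))
    return round(rises + (1 - delta) * falls, 6)


def audit(edges, start, enc):
    """For each S_L / T_L, list the distinct HW, HD and SD values an observer sees."""
    if len(set(enc.values())) != len(enc):
        raise ValueError("encoding must assign a unique vector to each state")
    report = []
    for L, SL in enumerate(reach_sets(edges, start)):
        TL = [(u, v) for u, v in edges if u in SL]
        report.append({
            "L": L,
            "states": sorted(SL),
            "HW": sorted({hw(enc[s]) for s in SL}),
            "HD": sorted({hd(enc[u], enc[v]) for u, v in TL}),
            "SD": sorted({sd(enc[u], enc[v]) for u, v in TL}),
        })
    return report


def is_secure(report):
    """Requirement (1): one HW per S_L. Requirement (2): one HD per T_L."""
    return all(len(r["HW"]) == 1 and len(r["HD"]) <= 1 for r in report)


# Assumed edges t1..t9 for the six-state FSM of Fig. 1 (the figure is not on the page).
EDGES = [("s1", "s2"), ("s1", "s3"),
         ("s2", "s4"), ("s2", "s5"), ("s3", "s5"), ("s3", "s6"),
         ("s4", "s1"), ("s5", "s1"), ("s6", "s1")]

# Constructed 3-bit encoding that meets both requirements at R = Rmin = 3.
SECURE = {"s1": "000", "s2": "001", "s3": "010",
          "s4": "101", "s5": "011", "s6": "110"}

# Constructed binary-counter encoding of the same length, for contrast.
BINARY = {"s1": "000", "s2": "001", "s3": "010",
          "s4": "011", "s5": "100", "s6": "101"}

if __name__ == "__main__":
    for name, enc in (("secure", SECURE), ("binary", BINARY)):
        rep = audit(EDGES, "s1", enc)
        print(name, "secure" if is_secure(rep) else "LEAKS")
        for row in rep:
            print("  ", row)
```

Each row with more than one HW or HD value marks a reachability set whose members an HW or HD power model can tell apart; in the secure encoding every $T_L$ also shows a single SD value, as the derivation above predicts.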

In general, when for all path lengths $i$, $|S_i|$ are a small fraction of $|S|$, small ($R$ closer to $R_{min}$) and secure encodings can be found. In this case, the $S_i$ sets induce a partition on $S$ such that for any $i$ and $j$, either $S_i = S_j$ or $S_i \cap S_j = \emptyset$. The above example illustrates this. On the other hand if for some $i$, $S_i = S$, then all states must have the same HW and all transitions the same HD. In this case secure encodings tend to be long ($R$ closer to $R_{max}$). There are several situations that result in large $S_i$ sizes for some $i$ values:

Consider the FSM shown in Fig. 3a. For $i \geq 3$, $S_i = S$. This forces all states to have the same HW and all transitions the same HD for secure encoding. For the FSM shown in Fig. 3b, according to requirement (2) above, transitions $\{t_1, t_3, t_5\}$ should have the same HD and transitions $\{t_2, t_4\}$ should have the same HD. However, it is impossible to encode different HD values to $t_1$ and $t_2$ since both are between the same pair of states. Similar is the case with $t_4$ and $t_5$; this forces all transitions to have the same HD, again leading to longer encoding lengths. In the next subsection we present a heuristic based on State Transition Probabilities to partition the states and transitions so as to reduce the encoding length while minimizing the side channel information leakage.

Fig. 3 States with multiple-L

Finally, consider a transition of the form $T(s, i) = s$. These lead to self-loops in the STG. Clearly, for any encoding $E$, $HD(E(s), E(s)) = 0$. This leads to a vulnerability since HD of 0 cannot be achieved for all other transitions out of $s$ to other states. That is, requirement (2) above is unenforceable when a state in STG has self-loops as well as other edges. To circumvent this situation, when security is more important than power and area, we replace each state with self-loop with the functionally equivalent pair of states [8] as shown in Fig. 4. This allows flexibility in encoding the resulting pair of states subject to the above constraints.

3.2 State Transition Probabilities

Fig. 4 Transformation of self-loop

Often, practical FSMs consist of cycles and back-to-back transitions illustrated in Fig. 3. These features increase the length of secure encoding, leading to power and area penalties. In this section we propose a heuristic based on State Transition Probabilities (STP) for short and secure encodings which are also power and area efficient.

Assuming that all primary inputs $I$ are independent of each other and equally likely to occur in every clock cycle, we propose to group together states (transitions) which have a high probability of being in the same L-reachability set $S_L$ ($T_L$) and generate encoding constraints such that each state (transition) in a group has the same HW (HD) as the other states (transitions) in that group. Since in the absence of information about the FSM structure, an attacker is likely to apply random input data, this heuristic attempts to avoid information leak in the resulting power trace.

In order to calculate the STP values, FSMs should be deterministic. Non-deterministic FSMs can have multiple paths or next states for a given state and input pair. They might also have undefined transitions for a few inputs to a state (incomplete FSM). Deterministic FSMs have exactly one transition defined for every possible state and input pair.

In this research we have developed an FSM-checker tool based on a satisfiability solver to check for deterministic FSMs. Let’s assume that the given FSM has a set of $M$ states and $I_{1,2}$ denotes the subset of inputs ($I$) that initiate the transition from state $s_1$ to state $s_2$:

$$S = \{s_1, s_2, s_3, \ldots, s_M\}$$

$$I_{1,2} = \{i \in I \mid (s_1 \times i) \to s_2\}$$

Let’s define predicate DistinctPath for two transitions $(s_1, s_2)$ and $(s_1, s_3)$ originating from the same state $s_1$:

$$DistinctPath((s_1, s_2), (s_1, s_3)) = I_{1,2} \cap I_{1,3} \equiv \emptyset \tag{4}$$

For every state $s_i$ ($i \in [1, M]$), all input sets $I_{i,j}$ ($j \in [1, M]$) must be disjoint in nature. Similarly let’s define predicate CompleteFSM:

$$CompleteFSM(s_1) = \bigcup_{i \in I} I_{1,i} \equiv I \tag{5}$$

For every state $s_i$ ($\forall i \in M$), a transition must be defined for every input. Both the predicates must be satisfied by the given FSM for it to be determined as a Deterministic FSM. The predicates are checked by a satisfiability solver.

If multiple paths exist for the same state-input pair, the FSM cannot be modified into a deterministic one without changing the functionality of the FSM. On the other hand, if any transition (input for a given state) is found missing (i.e. incomplete FSM), the tool includes the said transition as a self-loop transition for the given state of the FSM. This completes the FSM and transforms a non-deterministic FSM to a deterministic FSM without altering its functionality. The FSM-checker tool was tested on BenGen [20] and MCNC [40] benchmark FSMs. A few MCNC benchmark FSMs were found to be incomplete and were modified before calculating state transition probabilities.

STP values can be obtained experimentally or theoretically. We adapt a theoretical method for STP calculation previously proposed by [35]. At any given time step, the FSM must be in one of its states. Probability that the FSM is in state $s_n$ can be determined by the following system of equations:

$$P(s_n) = \sum_{m=1}^{M} P(s_m) * P(I_{mn}), \quad n \in \{1, M\} \tag{6}$$

Out of the $M$ equations corresponding to the $M$ states, any one equation can be derived from the remaining $M-1$ equations and, hence, is redundant. The final equation required to solve the set of $M$ linear equations with $M$ unknown state probabilities $P(s_n)$ is formulated from the fact that the FSM always has to exist in one of its internal states. Hence,

$$\sum_{m=1}^{M} P(s_m) = 1 \tag{7}$$

State Transition Probability (STP) for every transition $(s_m, s_n)$ can then be calculated using,

$$P((s_m, s_n)) = P(s_m) * P(I_{mn}) \tag{8}$$
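An added example, not the authors' FSM-checker: it checks the DistinctPath and CompleteFSM conditions with plain dictionary lookups instead of a SAT solver, completes missing transitions as self-loops, and solves Eqs. 6 to 8 exactly. The three-state FSM and all function names are constructed for illustration, and a unique solution (every state reachable from every other) is assumed.

```python
from collections import defaultdict
from fractions import Fraction


def complete_and_check(states, inputs, transitions):
    """transitions: (state, input, next) triples. Returns (table, added self-loops)."""
    table = {}
    for s, i, nxt in transitions:
        # DistinctPath (Eq. 4): one (state, input) pair may not reach two states.
        if table.setdefault((s, i), nxt) != nxt:
            raise ValueError(f"non-deterministic: ({s}, {i}) has two next states")
    added = []
    for s in states:
        for i in inputs:
            # CompleteFSM (Eq. 5): a missing transition becomes a self-loop.
            if (s, i) not in table:
                table[(s, i)] = s
                added.append((s, i))
    return table, added


def input_probs(inputs, table):
    """P(I_mn) for independent, equally likely inputs: |I_mn| / |I|."""
    p = defaultdict(Fraction)
    for (s, _i), nxt in table.items():
        p[(s, nxt)] += Fraction(1, len(inputs))
    return p


def solve(A, b):
    """Gauss-Jordan elimination over exact fractions."""
    n = len(A)
    M = [row[:] + [rhs] for row, rhs in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [x / M[col][col] for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def state_probs(states, p_in):
    """Solve Eq. 6 for P(s_n), with the redundant last row replaced by Eq. 7."""
    n = len(states)
    A = [[Fraction(int(m == k)) - p_in[(states[m], states[k])] for m in range(n)]
         for k in range(n)]
    b = [Fraction(0)] * n
    A[-1] = [Fraction(1)] * n
    b[-1] = Fraction(1)
    return dict(zip(states, solve(A, b)))


def transition_probabilities(states, inputs, transitions):
    """Return (state probabilities, STP per transition by Eq. 8, added self-loops)."""
    table, added = complete_and_check(states, inputs, transitions)
    p_in = input_probs(inputs, table)
    P = state_probs(states, p_in)
    stp = {t: P[t[0]] * p for t, p in list(p_in.items()) if p}
    return P, stp, added


# Constructed FSM: one input bit, state C has no transition defined for input "1".
STATES = ["A", "B", "C"]
INPUTS = ["0", "1"]
TRANSITIONS = [("A", "0", "B"), ("A", "1", "C"),
               ("B", "0", "A"), ("B", "1", "C"),
               ("C", "0", "A")]

if __name__ == "__main__":
    P, stp, added = transition_probabilities(STATES, INPUTS, TRANSITIONS)
    print("self-loops added:", added)
    print("state probabilities:", {s: str(p) for s, p in P.items()})
    for t, p in sorted(stp.items(), key=lambda kv: -kv[1]):
        print(t, p)
```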

3.3 Algorithm for Probabilistic Reachability Sets

Division of the states of an FSM into the $S_L$ sets depends on the reachability of states in various clock cycles. The aim of the heuristic algorithm is to find the ‘most probable’ clock-cycles for reaching states, which can be determined using the most probable path to reach the state from the start state. To find the most probable path, we need to follow the path of maximum state transition probability. Considering an STG with STPs as weights on the edges, the problem simplifies to finding the path with maximum weights. To solve this problem, a greedy iterative algorithm is used, which is similar to a weighted breadth-first search or a simpler version of Dijkstra’s algorithm [13]. Note that, unlike Dijkstra’s algorithm, weights of the edges are not added to the weights for the next states, since they have already been taken into account during the calculation of the STPs. The proposed algorithm has complexity of $O(N \log N)$.

Algorithm 1 divides the FSM into the maximum number of sets based on its internal structure. The algorithm generates two mappings: SN assigns a set number to each state and ST assigns a set number to each transition. These sets are probabilistic approximations of $S_L$ and $T_L$ respectively. The algorithm uses a priority-queue or max-heap of state transitions weighted on their STPs such that the transition with maximum STP is always on top of the heap. It is to be noted that states with self-loops are transformed into a pair of states (Fig. 4) before the algorithm is invoked.

3.4 Effectiveness of Probabilistic Set Division

Algorithm 1 aims to divide sets and transitions into groups such that when appropriate state encoding following requirements (1) and (2) is done, the state sequences traversed cannot be uniquely determined by their HW, HD or SD footprints (or equivalently by the power footprints). To illustrate the effectiveness of the algorithm, consider the two MCNC benchmark FSMs, DK15 (consisting of 4 states and 12 transitions) and S8 (consisting of 5 states and 13 transitions), shown in Fig. 5. Let both FSMs be restructured by transforming states with self-loops into a pair of states. Let both the FSMs be divided into 3-l sets using Algorithm 1 and encoded using the state encodings given in Table 2. The state registers of both FSMs can assume only 2 HW values (2 or 4) and state-transitions can take only 2 HD values (2 or 4).

Different HW patterns generated in the state register of restructured-DK15 implementation are: {2, 2, 4}, {2, 4, 4} and {2, 2, 4, 4} in varying combinations. This gives the illusion of a generic 4-state FSM with HWs (2, 2, 4, 4) and HDs (2, 4), as shown in Fig. 5c. The HW and HD patterns generated by this generic FSM can be quite similar to the patterns generated by the restructured-DK15 benchmark, thereby masking the internal behavior of the target FSM. The HW patterns generated by restructured FSM-S8 implementation are also {2, 2, 4}, {2, 4, 4} and {2, 2, 4, 4} in varying combinations and can also be represented by the same generic 4-state FSM design.

Fig. 5 MCNC benchmarks and generic FSM: (a) DK15, (b) S8, (c) Generic

It should be noted that an FSM with no branches or loops is an interesting special case in terms of reachability. In such an FSM there is only one state that can be reached in any given clock-cycle. This expels the ambiguity between states being reached in the same clock-cycle that our solution creates for an attacker. Absence of branches from a current state of FSM confirms the single next state as the only possible outcome. On the other hand, an FSM with multiple branches and loops contains multiple states that can be reached in the same clock cycle. These are the kinds of FSMs that our proposed solution works best for.

Table 2 Example state assignments for restructured DK15 and S8

(a) DK15

| State | Restructured secure encoding |
|---|---|
| s1A | 01111 |
| s1B | 00110 |
| s2A | 11110 |
| s2B | 10100 |
| s3A | 01100 |
| s3B | 11101 |
| s4 | 10001 |

(b) S8

| State | Restructured secure encoding |
|---|---|
| s1A | 01001 |
| s1B | 11101 |
| s2A | 11011 |
| s2B | 11000 |
| s3A | 01010 |
| s3B | 10111 |
| s4A | 01111 |
| s4B | 10100 |
| s5A | 00101 |
| s5B | 10010 |

3.5 Graded Security

Encoding all states (transitions) to have the same HW (HD) values corresponds to putting all the states (transitions) in the same SL (TL). This is an extreme case where the attack model will be unable to distinguish between any two states or any two transitions, providing maximum security. The higher the number of set divisions, the more the amount of information that can be leaked about the FSM’s state. Reducing the number of set divisions increases the length of encoding while increasing security of the design. The designer can thus choose the level of security at the cost of power or area.

Algorithm 1 provides a solution for maximum possible set division of the FSM to ensure a level of security while keeping power and area contained. Given a STG, let the number of SN sets produced by Algorithm 1 be Lmax. To generate a different set division (say l sets, lower than Lmax), the algorithm needs a modification: Lines 18 and 27 where set numbers are assigned should be modified as follows:

18: SN(v) = (SN(u) + 1) mod l

27: ST(t) = SN(u) mod l

Limiting the STG partition to l ≤ Lmax sets allows a user to trade security for power/area for various values of l. Setting l = 1 results in maximum security by placing all states (transitions) in one set but leads to maximum power/area. Distributing states and transitions according to the modified algorithm is likely to generate a cyclic pattern of HW/HD values assumed by the FSM with respect to clock cycles. However, a perfect cyclic pattern, though aimed at, is not achieved for every FSM structure due to conflicts resolution using STPs.


4 Secure and Low Power FSM Encodings

For larger FSMs, restructuring self-loop transitions can lead to an increase in power and area, which might prove to be costly. Ability to reduce power with or without a trade-off against security is an essential tool for the designers. In this section, we introduce power reduction techniques with both compromised and uncompromised security levels.

4.1 Security vs Power Trade-off

Self-loop transitions in FSMs lead to zero Hamming distance value which reduces the power consumption. However, near-zero power consumption indicates to the attacker that the machine remained in the current state. In order to save power/area we ignore self-loops and divide the states and transitions into desired number of SL and TL sets, as discussed before using Algorithm 1.

Consider BBARA MCNC benchmark FSM (consisting of 10 states and 37 transitions, with start state st0) shown in Fig. 6 with weighted state transition probabilities (STPs) shown on their edges. Transforming self-loops into a pair of states as discussed in Section 3 results in a restructured FSM (consisting of 20 states and 74 transitions). A satisfying secure encoding implementation will have almost double the area and power requirements. Implementing proposed low-power technique, let’s ignore self-loop transitions, and assume that the states and transitions of the FSM are divided into 4-l sets (where Lmax = 7) using Algorithm 1. A satisfying encoding strategy for this division is shown in Table 3 under Secure Encoding. Different HW, HD and SD values generated in the state register of the FSM implementation are shown in Table 4. This FSM implementation gives the illusion of a generic 4-state FSM shown in Fig. 7, which generates Hamming patterns similar to the benchmark FSM.

Fig. 6 MCNC benchmark BBARA

Table 3 Example state assignment for BBARA for different encoding strategies without restructuring

| States | Minimal encoding | Secure encoding | Low power & secure encoding |
|--------|------------------|-----------------|-----------------------------|
| st0 | 1010 | 01110 | 101101 |
| st1 | 1100 | 00100 | 100100 |
| st2 | 0100 | 10110 | 100001 |
| st3 | 0111 | 11001 | 100111 |
| st4 | 1111 | 01000 | 000101 |
| st5 | 0001 | 11010 | 000110 |
| st6 | 1000 | 01101 | 110110 |
| st7 | 0011 | 11100 | 110101 |
| st8 | 1110 | 10000 | 010100 |
| st9 | 0000 | 10011 | 001100 |
| Estimated SA | 0.443 | 0.5148 | 0.445 |
| Avg. Simulated Power (uA) | 1.59 | 1.56 | 1.41 |

Secure designs with intact self-loop transitions do not lead to any information leakage against HW power attacks. Against HD and SD power attacks, the proposed compromise might reveal some reachability information in the form of presence of a self-loop transition. However, it does not compromise on information regarding other transitions or reachability of rest of the states in any manner. The critical information is secure and, as the results show, the consequent impact on security due to proposed design trade-off is minimal.

Table 4 Values assumed by BBARA FSM State Register for three different encoding strategies without restructuring

| Attack model | Minimal | Secure | Low-power & secure |
|--------------|---------|--------|--------------------|
| Hamming weight | (0, 1, 2, 3, 4) | (1, 3) | (2, 4) |
| Hamming distance | (0, 1, 2, 3, 4) | (0, 2, 4) | (0, 2) |
| Switching distance | (0, 1, 1-δ, 2-δ, 2-2δ, 3, 3-δ, 3-2δ, 3-3δ, 4-δ, 4-4δ) | (0, 2, 2-δ, 2-2δ, 4-δ, 4-2δ) | (0, 2, 2-δ, 2-2δ) |


Fig. 7 Generic 4-state FSM

4.2 Low Power Encodings

In this section, we discuss a method to minimize power (without security) using only constrained state encodings for finite state machines.

Dynamic power consumption of a CMOS circuit is proportional to its average switching activity and switching activity of an FSM state register can be estimated using its STPs.

Let us assume that a state encoding $E$ assigns bit-vectors of length $R$ to every state. Let $b_n = E(s_n)$ be encoding of state $s_n$, where $b_n^r$ is the value of $r$th bit, $r \in [1, R]$. The switching activity ($SA_r$) of each flip-flop can be calculated using the STP and the toggle density of the flip-flops:

$$SA_r = \sum_{m=1}^{M} \sum_{n=1}^{M} P((s_m, s_n)) \ast \left(b_m^r \oplus b_n^r\right) \tag{9}$$

Let $C$ be average capacitance per register bit, $f_{CLK}$ be frequency of FSM operation and $V_{DD}$ be supply voltage. Dynamic power consumption can be calculated as:

$$P = \frac{1}{2} \ast V_{DD}^2 \ast f_{CLK} \ast C \ast \sum_{r=1}^{R} SA_r \tag{10}$$

The Switching Activity (SA) of the state register can be estimated as:

$$SA = \sum_{r=1}^{R} SA_r = \sum_{m=1}^{M} \sum_{n=1}^{m} (w_{mn}) \ast HD(E(s_m), E(s_n)) \tag{11}$$

where,

$$w_{mn} = P((s_m, s_n)) + P((s_n, s_m))$$

$$HD(E(s_m), E(s_n)) = \sum_{r=1}^{R} \left(b_m^r \oplus b_n^r\right) = HD_{mn}$$

Given a FSM, we are interested in finding encoding of size $R \in [R_{min}, R_{max}]$ such that Switching activity (SA) is minimal. In order to obtain such low power encodings (ignoring security), the following constraints are placed on state encodings: (1) Distinct States: Every state in the FSM must have unique state encoding. This implies $HD(E(s_m), E(s_n)) \geq 1$, $m \neq n$. (2) Switching activity Constraint: Switching Activity (SA) of the state register must be as low as possible.

These constraints will be used to generate valid state encodings with low power profile.

4.3 Low Power Encodings for a Given Security Level

We now show a method to combine power reduction while maintaining the level of security afforded by the choice of l.

In order to obtain a secure and low power design, additional constraints to security constraints are placed on state encodings to minimize average switching activity of the state register. This is achieved by assigning lower HD values to transitions with higher STPs.

Let the FSM transitions be divided into $J$ TL sets, $T_1, T_2, \ldots, T_J$. Since all transitions in every TL set must have the same HD value, SA estimation can be written as:

$$SA = \sum_{j=1}^{J} \left( HD_j \ast \sum_{t \in T_j} P(t) \right) \tag{12}$$

where $HD_j$ is the HD value associated by $E$ with $T_j$ and $P(t)$ are the STPs of the transitions in set $T_j$.

The bounded range $[SA_{min}, SA_{max}]$ can be calculated as follows. The lower bound of SA equates to minimum possible value of HD, that is ‘0’ for a self-loop transition:

$$SA_{min} = \sum_{j=1}^{J} (0) \ast \sum_{t \in T_j} P(t) = 0 \tag{13}$$

$SA_{max}$, the upper bound of SA, corresponds to every flip-flop switching in every clock cycle or the HD of every valid transition is equal to the number of encoding bits $R$:

$$SA_{max} = \sum_{j=1}^{J} R \ast \sum_{t \in T_j} P(t) = R \ast \sum_{m=1}^{M} \sum_{n=1}^{M} P((s_m, s_n)) = R \tag{14}$$

These parameters will be used to generate encodings as described in the next section.

4.4 State Encoding Constraints

The problem of generating the desired state encodings can be stated in terms of set of constraints. For the given level of security, Algorithm 1 divides all the states (transitions) of the FSM (with or without restructuring self-loop transitions) into appropriate number of SL (TL) sets. The following set of constraints are applied to find a valid set of state encodings within the range [Rmin, Rmax] discussed in Section 2:

1. Distinct States: Every state in the FSM must have unique state-encoding.

2. SL Set Constraints: States with the same SL set number must have the same Hamming weight.

3. TL Set Constraints: Transitions with the same TL set number must have the same Hamming distance.

In order to generate secure and low-power state encodings, an additional constraint to minimize average switching activity is applied:

4. Switching Activity Constraint: Switching Activity (SA) of the state register in the FSM should be as low as possible.

In benchmark FSM BBARA shown in Fig. 6, we can observe an increase in encoding length from Minimal encoding (ME) to Secure encoding (SE) to Low power & Secure encoding (LPSE), while noting an improvement in security and power respectively. Table 3 shows different encodings for the benchmark FSM and Table 4 shows possible Hamming patterns assumed by them. Minimal Encodings are unsecure encodings which are used for comparison. As can be seen, the state registers can assume only two unique HW values for SE and LPSE whereas five unique HW values for ME. The transitions can also assume only two or three unique HD values for SE and LPSE in comparison to five unique HD values assumed by ME strategy. Similarly, unique SD values for SE and LPSE range within four and six whereas for ME there can be eleven unique values. Moreover, the estimated Switching Activity and Simulated Power in Table 4 show improvement for Low Power & Secure encodings over Secure encodings.

Therefore, security for FSMs can be achieved along with low power consumption and the designer can choose the level of security at the cost of area and power.

5 Boolean Approach to Encoding

Given the security and power constraints, the problem of generating the state assignment can be transformed into a Boolean satisfiability (SAT) problem. Let’s assume that the given FSM has a set of $M$ states:

$$S = \{s_1, s_2, s_3, \ldots, s_M\}$$

5.1 Low Power Encoding

In order to generate low power state encodings without security, the two constraints defined in Section 4.2 must be satisfied. Given the binary encodings $b_m = E(s_m)$ of state $s_m$ of bit-length $R$, let’s define a predicate DistinctStates for states $s_1$ and $s_2$ being distinct by requiring that $HD(s_1, s_2)$ be a positive integer:

$$DistinctStates(s_1, s_2) = \sum_{r=1}^{R} \left(b_1^r \oplus b_2^r\right) \geq 1 \tag{15}$$

Let’s define predicate MinimumSA to obtain minimum switching activity in the FSM transitions. SA is defined using Eq. 11:

$$MinimumSA(SA) = \sum_{m=1}^{M} \sum_{n=1}^{M} w_{mn} \ast HD_{mn} \equiv SA \tag{16}$$

For a given FSM, a valid state encoding solution will satisfy both the above defined predicates and generate minimum switching activity for a given R-bit encoding. Experimental results provided in Section 7.3 demonstrate power reduction achieved using only constrained state encodings.

5.2 Secure Encoding

To generate secure encodings, constraints defined in Section 4.4 must be satisfied. Let the division of ‘M’ states into ‘J’ SL sets and transitions into ‘K’ TL sets be obtained.

States $s_1$ and $s_2$ of bit-length $R$ being distinct can be defined by predicate DistinctStates in Eq. 15. Let’s define a predicate EqualHW for two states $s_1$ and $s_2$ having the same Hamming Weight:

$$EqualHW(s_1, s_2) = \sum_{r=1}^{R} \left(b_1^r\right) \equiv \sum_{r=1}^{R} \left(b_2^r\right) \tag{17}$$

For any $S_j$, all $s_m \in S_j$ ($\forall j \in [1, J]$) should have equal Hamming weight, i.e. every pair in $S_j$ must satisfy predicate EqualHW. Similarly let’s define predicate EqualHD:

$$EqualHD((s_1, s_2), (s_3, s_4)) = \sum_{r=1}^{R} \left(b_1^r \oplus b_2^r\right) \equiv \sum_{r=1}^{R} \left(b_3^r \oplus b_4^r\right) \tag{18}$$

All transitions in $T_k$ set must have equal Hamming distance, i.e. every pair of transitions in $T_k$ ($\forall k \in [1, K]$) must satisfy EqualHD.

To obtain minimum switching activity in the FSM transitions, let’s define predicate CorrectSA. SA is defined using Eq. 12 and our aim is to minimize it:

$$CorrectSA(SA) = \sum_{k=1}^{l} HD(T_k) \times W_k \equiv SA \tag{19}$$

where $W_k$ is the sum of $w_{mn}$’s of all transitions in $T_k$.

For a valid solution, we need to find state-encodings for a given R-bit encoding and a given SA value, such that it satisfies all the above defined predicates.

In this research we have used the Z3 SMT (Satisfiability Modulo Theories) solver [12] to solve for a valid state assignment, although any SAT solver can be used. Z3 is a high performance solver which has the ability to solve models comprising of bit-vector variables and constraints in terms of those vectors.


6 Algorithm for Secure State Assignment

The obtained constraints are applied to the SMT Solver to find a valid set of state encodings within the range [Rmin, Rmax] for all three proposed methods. As discussed in Section 3, Restructured secure FSMs transform their self-loop transitions and apply only three constraints: Distinct States, Equal HW and Equal HD. Section 4.1 discusses secure encodings for original FSMs, which also apply the above three constraints without restructuring its self-loop transitions. The fourth constraint ‘Switching Activity constraint’ is applied to generate secure and low-power encodings by minimizing average switching activity as discussed in Section 4.3.

Note that the SMT solver doesn’t accept fractional values. Hence, we have scaled all the STP values by a common factor so that they can be represented as integers. This results in scaling up of SA, SAmin and SAmax to larger integer values, minimizing errors introduced due to rounding off fractional STP values.

Algorithm 2 finds secure and low power FSM state encodings using all four constraints. For each encoding size R, the algorithm finds an encoding (if it exists) to yield the minimum possible switching activity. Upon finding a satisfiable solution, line 17 updates SAmax to current SA value, which reduces search time by excluding encoding solutions with higher switching activity. Since SMT solver is used to generate state encodings, the complexity of the algorithm depends on the efficiency of the solver.

Customizing the constraints on state encodings leads to different encoding styles. Hence, Algorithm 2 can be modified to find valid state encodings for: (1) Secure Restructured FSMs, (2) Secure Original FSMs, and (3) Unsecure Low-power FSMs.
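The search described in this section, as an added example that is not the authors' code and does not reproduce Algorithm 2: a plain backtracking search stands in for the Z3 solver, and the 4-state ring FSM, its STPs and its SL/TL set numbers are constructed for illustration. It applies the four constraints of Section 4.4 with integer-scaled STPs and tightens the SA bound after every solution; omitting the SL/TL arguments gives the low-power-only case of Section 5.1.

```python
from fractions import Fraction
from math import lcm

# Constructed 4-state ring FSM A->B->C->D->A (illustrative, not from the paper).
STATES = ["A", "B", "C", "D"]
STP = {("A", "B"): Fraction(3, 8), ("B", "C"): Fraction(1, 8),
       ("C", "D"): Fraction(3, 8), ("D", "A"): Fraction(1, 8)}
# Assumed result of the set division: SL number per state, TL number per transition.
SL = {"A": 0, "C": 0, "B": 1, "D": 1}
TL = {("A", "B"): 0, ("C", "D"): 0, ("B", "C"): 1, ("D", "A"): 1}


def hw(code):
    """Hamming weight of an integer-coded bit vector."""
    return bin(code).count("1")


def hd(a, b):
    """Hamming distance between two encodings."""
    return hw(a ^ b)


def scale_stps(stp):
    """Scale fractional STPs to exact integers by their common denominator."""
    factor = lcm(*(p.denominator for p in stp.values()))
    return {t: int(p * factor) for t, p in stp.items()}, factor


def consistent(enc, weights, sl, tl):
    """Constraints 1-3 of Section 4.4, checked over the states assigned so far."""
    codes = list(enc.values())
    if len(set(codes)) != len(codes):                 # 1. Distinct States
        return False
    if sl is not None:                                # 2. equal HW within an SL set
        hw_of_set = {}
        for state, code in enc.items():
            if hw_of_set.setdefault(sl[state], hw(code)) != hw(code):
                return False
    if tl is not None:                                # 3. equal HD within a TL set
        hd_of_set = {}
        for (u, v) in weights:
            if u in enc and v in enc:
                d = hd(enc[u], enc[v])
                if hd_of_set.setdefault(tl[(u, v)], d) != d:
                    return False
    return True


def scaled_sa(enc, weights):
    """Integer-scaled SA over transitions whose endpoints are both assigned."""
    return sum(w * hd(enc[u], enc[v])
               for (u, v), w in weights.items() if u in enc and v in enc)


def search(states, weights, r, bound, sl, tl):
    """Best r-bit encoding with scaled SA strictly below bound, else None."""
    best = None

    def extend(i, enc):
        nonlocal best, bound
        sa = scaled_sa(enc, weights)
        if sa >= bound:            # partial SA can only grow: prune this branch
            return
        if i == len(states):
            best, bound = dict(enc), sa   # 4. tighten the SA bound
            return
        for code in range(1 << r):
            enc[states[i]] = code
            if consistent(enc, weights, sl, tl):
                extend(i + 1, enc)
            del enc[states[i]]

    extend(0, {})
    return best, bound


def encode(states, stp, r_min, r_max, sl=None, tl=None):
    """Return (R, encoding, SA) with minimum SA over R in [r_min, r_max]."""
    weights, factor = scale_stps(stp)
    bound = r_max * factor + 1     # one above the scaled upper bound of Eq. 14
    result = None
    for r in range(r_min, r_max + 1):
        found, bound = search(states, weights, r, bound, sl, tl)
        if found is not None:
            result = (r, found, Fraction(bound, factor))
    return result


if __name__ == "__main__":
    for label, sets in (("secure + low power", (SL, TL)),
                        ("low power only", (None, None))):
        r, enc, sa = encode(STATES, STP, 2, 4, *sets)
        print(label, r, {s: format(c, f"0{r}b") for s, c in enc.items()}, float(sa))
```

On this constructed FSM the security constraints cannot be met with 2 bits, so the secure encoding needs one bit more and a higher SA than the unconstrained low-power encoding.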

7 Experimental Results and Analysis

All experiments were performed using over 100 benchmarks from BenGen [20] and MCNC [40] suites. Each FSM was encoded with different encodings, minimal binary and secure encodings with different levels of security, using restructured method and the two proposed low-power methodologies. These encodings were converted to Verilog and then synthesized in 90nm CMOS technology using Synopsys DC Compiler. After converting these gate-level netlists to Spice using a Verilog-to-Spice converter, power simulation was performed using 1000 random input vectors generated using a stimuli-generator. Every FSM implementation resulting from different state encodings for all three security-methodologies were simulated using Nanosim to obtain power traces.

Best-case attack model data was generated using the same input stimuli to perform statistical analysis. Hamming weight, Hamming distance and Switching distance data were calculated for the 1000-vector input stimuli for every implementation of the FSM. Perl scripting was used to calculate mutual Information (MI) between the power traces obtained using Nanosim and the attack model data generated. Figure 8 presents the entire experimental flow for generating the area and security results. Figure 9 shows the range of sizes of the benchmark FSMs used in the experimentation, in terms of number of states and transitions. Input bit-length for these FSMs ranged between 1 and 16.

Fig. 8 Flowchart used in experiments

Fig. 9 Size of benchmark FSMs as states vs transitions

We report results for (1) the restructured FSMs with transformed self-loops [2], (2) the original FSMs without restructuring self-loops, and (3) low-power design for original FSMs [1].

7.1 Security Analysis

Algorithm 1 provides a way to increase security by adjusting the parameter l. Decreasing l increases the encoding length and improves security. We use Mutual Information (MI) (between the power traces and the HW, HD or SD models) as a distinguisher to measure security (MI ≥ 0) against all three forms of attacks [18].

Figure 10 shows reduction in information leakage (in terms of MI) as security increases. Since encoding length requirement increases for higher security, the plot demonstrates the basic trade-off between security and area. In FSMs without restructuring (i.e. original FSMs), perfect security (‘Zero’ MI) can only be achieved against HW attacks due to presence of self-loops in FSMs. HD and SD attacks can reveal self-loops within the FSMs. Low power design for original FSMs see no reduction in security and results in similar security, as shown in Fig. 10b.

Fig. 10 Average mutual information between power side-channel and hamming models: (a) Restructured FSMs, (b) Original FSMs

Figure 11 plots this difference in security between original FSMs and low-power design for original FSMs for a single benchmark BBARA FSM (Lmax = 7). It also demonstrates a detailed security vs l trade-off. It is to be noted that while each l-set division results in a unique state assignment, the encoding bit-length may or may not vary every time. From a design perspective, it makes sense to choose among implementations with maximum security for every unique encoding bit-length. Table 5 demonstrates the decrease in security (in terms of increasing MI) as l increases and compares with unconstrained minimal length encodings (ME). Since Lmax varies for every FSM, the table displays results averaged for l = 1, 2, median-valued l (Lmedian) and maximum-valued l (Lmax).

Fig. 11 Graded security for BBARA MCNC benchmark FSM: (a) Original FSMs, (b) Original FSMs with Low Power

Figure 12 shows the increase in the encoding bit-length (with respect to unconstrained minimal length encoding) for maximum possible security, where all states and transitions have the same Hamming weight, Hamming distance and Switching distance for restructured, original and original low power FSMs. Difference in encoding length (R) requirement can be seen when loops are restructured. Restructuring the FSMs increases the number of states by an average of 60% and transitions by 158% which increases the average encoding length by 40-70% depending on the level of security (l) chosen, whereas original FSMs only increase encoding length by 15-40%.

Fig. 12 Encoding length for maximum security

Table 5 Mutual information between power side channel and Hamming models as l increases

Original FSMs

| l-value | Average MI against HW | Average MI against HD | Average MI against SD | % difference in MI w.r.t. ME (HW) | % difference in MI w.r.t. ME (HD) | % difference in MI w.r.t. ME (SD) |
|---------|------|------|------|---------|---------|---------|
| one | 0 | 0.66 | 0.86 | −100 | −57.79 | −68.46 |
| two | 0.69 | 1.00 | 1.55 | −56.81 | −41.84 | −45.72 |
| Lmedian | 0.87 | 1.18 | 1.89 | −46.92 | −28.45 | −25.92 |
| Lmax | 1.31 | 1.37 | 2.24 | −21.63 | −24.76 | −15.89 |
| ME | 1.66 | 1.75 | 2.57 | 0 | 0 | 0 |

Original FSMs with low power

| l-value | Average MI against HW | Average MI against HD | Average MI against SD | % difference in MI w.r.t. ME (HW) | % difference in MI w.r.t. ME (HD) | % difference in MI w.r.t. ME (SD) |
|---------|------|------|------|---------|---------|---------|
| one | 0 | 0.70 | 0.75 | −100 | −61.47 | −72.57 |
| two | 0.70 | 0.99 | 1.64 | −58.20 | −44.35 | −43.48 |
| Lmedian | 0.78 | 1.12 | 1.81 | −56.27 | −39.25 | −32.61 |
| Lmax | 1.31 | 1.25 | 2.10 | −19.40 | −33.62 | −21.68 |
| ME | 1.66 | 1.75 | 2.57 | 0 | 0 | 0 |

Encodings for different bit-lengths are obtained using Algorithm 1 with different l values, ranging from 1 to Lmax for each FSM. Figure 13 shows the increase in the encoding length (from the respective minimal encoding lengths) for different l values for 4 specific benchmarks. For example, for BBARA, as l value is reduced from Lmax = 7 to 1, encoding length needed to be increased by 1 to 3 bits. (Note that, while each l value results in a different encoding, the length of the encoding may or may not change with every l.) The trend to trade encoding length for security using l as the control ‘knob’ can be seen for each benchmark.

Fig. 13 Encoding length for graded security

7.2 Area Analysis

Areas of the synthesized FSMs for different encodings depend on their encoding lengths. Increase in security leads to an increase in area which exhibits the trade-off capability of the proposed method. Figure 14 shows the normalized area increase for maximum security for both original and restructured FSMs with respect to the unconstrained minimal length encodings for the original FSMs. On average, for maximum security in restructured FSMs (i.e. MI(power,HW)=0, MI(power,HD)=0 and MI(power,SD)=0), area increases by a factor of 2.04, but can be reduced to as low as 1, according to the desired security level.

Fig. 14 Normalized area for maximum security

In original FSMs, for maximum security (i.e. MI(power,HW)=0), area increases only by a factor of 1.37. Additional low-power switching activity constraint introduces a slight increase in the encoding bit-requirement. 30% of benchmark FSMs observed no increment, while the rest observed a 5% increase on average. Table 6 compares this increase with respect to unconstrained minimal length encodings, as l increases. The average layout area requirement increased by 4% due to these constraints.

MDPL technique [27] increases area requirement by a factor of 4.5 and reduces speed by half, whereas WDDL [31] increases area by a factor between 3.2 and 3.6 also reducing the speed by half. The proposed methods in comparison show significant area improvement without any penalty in speed.

Figure 15 shows the increase in area requirements as the security increases for a few benchmarks, illustrating the trade-off capability of the proposed method.

Fig. 15 Normalized area for graded security

Table 6 Area comparison of original FSMs as l increases (% area increase w.r.t. unconstrained minimal encoding)

| l-value | Secure encoding | Secure & low-power encoding |
|---------|-----------------|-----------------------------|
| one | 40.01% | 34.17% |
| two | 27.85% | 29.38% |
| Lmedian | 17.32% | 19.59% |
| Lmax | 12.90% | 12.71% |

7.3 Power Analysis

This section discusses the results of power constraints on state encodings without security constraints. Experiments were performed on original FSMs, where Z3 SMT solver was used to generate valid state encodings with lowest switching activity. Table 7 shows the power consumed (PSAT) by different MCNC benchmark FSMs. The estimated dynamic power is calculated by using Eq. 10, assuming equal probability of one (zero) appearing at every input bit. Other values used to compute power were same as used in [19]: VDD = 5 V, fCLK = 5 MHz, average capacitance per register bit C = 3 pF. The power results obtained are in mW units. We compare results with area-oriented state assignment programs like NOVA [39], JEDI [25] and a heuristic method for state assignment - Sequential Algorithm technique [19]. PNOVA, PJEDI, and PSeq are dynamic power consumption values (in mW) with the states encoded using the NOVA, JEDI, and Sequential Algorithm techniques respectively, as reported in [19].

Though this method provides the best-possible solution for low-power results, its exhaustive nature limits its use to small-to-medium sized FSMs. CPU time for Z3 SMT solver execution increases exponentially as size and connectivity of the FSM increases.

Table 7 Dynamic power consumption (mW) for different encoding styles

| FSM | PNOVA | PJEDI | PSeq | PSAT | PNOVA/PSAT | PJEDI/PSAT | PSeq/PSAT |
|-----|-------|-------|------|------|------------|------------|-----------|
| bbara | 83.91 | 59.44 | 52.77 | 51.62 | 1.62 | 1.15 | 1.02 |
| bbtas | 144.29 | 112.50 | 83.15 | 83.15 | 1.37 | 1.35 | 1.00 |
| beecount | 160.50 | 108.05 | 89.42 | 79.18 | 2.02 | 1.36 | 1.12 |
| dk14 | 311.29 | 263.69 | 223.65 | 207.28 | 1.50 | 1.27 | 1.08 |
| dk27 | 299.11 | 325.89 | 223.21 | 223.21 | 1.34 | 1.46 | 1.00 |
| modulo12 | 156.25 | 93.75 | 93.75 | 93.75 | 1.67 | 1.00 | 1.00 |
| s27 | 216.65 | 170.43 | 168.33 | 166.22 | 1.30 | 1.03 | 1.01 |
| s8 | 53.21 | 42.41 | 33.90 | 27.47 | 1.94 | 1.54 | 1.23 |
| train11 | 107.34 | 77.45 | 63.52 | 62.50 | 1.72 | 1.24 | 1.02 |

7.4 Power and Security Analysis

Average power determined using NanoSim simulations shows a reduction when low power techniques are implemented along with security measures. Figure 16 shows the average normalized power consumption with respect to unconstrained minimal length encodings for three types of encodings. Restructured FSMs require much higher power than original FSMs due to increase in area. On average, power consumption increases by a factor of 3.4 for secure restructured FSMs [2], compared to a factor of 1.6 for secure original FSMs.

Fig. 16 Normalized power for graded security

Switching Activity constraint further reduces power consumption for every benchmark within the range of 0-40%. For maximum security (i.e. MI(power,HW)=0), on average a reduction of 15% is observed. Table 8 shows average power reduction due to additional low power constraints applied to Original FSMs as l increases. The method also observes power reduction with respect to unconstrained minimal length encoding, in over 30% of benchmark FSMs. It should be noted that these low-power techniques do not result in any security trade-off and have no substantial increase in synthesized area.

Table 8 Power comparison for different encodings of Original FSMs as l increases

| l-value | Secure & low-power vs secure encoding | Secure & low power vs unconstrained minimal encoding |
|---------|---------------------------------------|------------------------------------------------------|
| one | −16.29% | +3.71% |
| two | −13.06% | +6.93% |
| Lmedian | −15.50% | +7.84% |
| Lmax | −18.51% | −7.97% |

Fig. 17 Power profile of STYR MCNC benchmark FSM

Figure 17 compares power profiles for different security levels in a single STYR MCNC benchmark FSM (consisting of 30 states and 93 transitions). Restructured secure designs have much higher power consumption than original secure designs. Power consumption further decreases in original FSM for low power & secure implementation, even though encoding length increases for maximum security (i.e. MI(power,HW)=0).

8 Conclusion and Future Work

This work proposed a power attack resistant design methodology with user-defined security metric using constrained state assignment and an extension for further low-power designs. For restructured FSMs, security against HW models range between 34–100%, 62-100% against HD model and 56-100% against SD model. The overall increase in encoding length of a typical benchmark ranges from 40-73%, depending on the security level. By restructuring the FSMs, we are able to achieve MI of 0 against all three SD, HD and HW models.

Two kinds of low-power improvements with and without security trade-off were also achieved using constrained state assignment. For original FSMs, the security against HW model range between 18–100%, while it ranged between 30-58% against HD model and between 27–60% against SD model. The overall increase in encoding length of a typical benchmark ranges from 15–55%, depending on security level and power optimization. Reduction in power consumption by more than 50% is observed for all FSMs with respect to restructured FSMs, and additional low-power constraint introduces further reduction in power ranging between 4–20% depending on security level.

Hence, the proposed method defends against both first-order and higher-order power attacks. Future work includes exploring encodings to prevent combined power and cryptanalysis attacks. Also, feasibility of the attack on deep sub-micron technology can be explored.

References

1. Agrawal R, Borowczak M, Vemuri R (2019) A state encodingmethodology for side-channel security vs. power trade-off explo-ration. In: Proceedings of 2019 32nd international conference onVLSI design and 2019 18th international conference on embeddedsystems (VLSID). IEEE, pp 70?-75

2. Agrawal R, Vemuri R (2018) On state encoding against poweranalysis attacks for finite state controllers. In: Proceedings ofinternational symposium on hardware oriented security and trust.IEEE, pp 181–186

3. Akkar M-L, Bevan R, Dischamp P, Moyart D (2000) Poweranalysis, what is now possible... In: Proceedings of internationalconference on the theory and application of cryptology andinformation security. Springer, pp 489–502

4. Aljazeera K, Nandakumar R, Ershad S (2016) Design andcharacterization of L-Block cryptocore. In: 2016 internationalconference on proceedings of signal processing, communication,power and embedded system (SCOPES). IEEE, pp 166–172

5. Ambrose JA, Ragel RG, Jayasinghe D, Li T, ParameswaranS (2015) Side channel attacks in embedded systems: a taleof hostilities and deterrence. In: Proceedings of sixteenthinternational symposium on quality electronic design. IEEE,pp 452–459

6. Bahnasawi MA, Ibrahim K, Mohamed A, Mohamed MK,Moustafa A, Abdelmonem K, Ismail Y, Mostafa H (2016) ASIC-oriented comparative review of hardware security algorithmsfor Internet of Things applications. In: Proceedings of 201628th international conference on microelectronics (ICM). IEEE,pp 285–288

7. Borowczak M, Vemuri R (2012) S* FSM: a paradigm shift forattack resistant FSM designs and encodings. In: Proceedings ofASE/IEEE international conference on biomedical computing.IEEE, pp 96–100

8. Borowczak M, Vemuri R (2014) Enabling side channel secureFSMs in the presence of low power requirements. In: Proceedingsof 2014 IEEE computer society annual symposium on VLSI.IEEE, pp 232–235

9. Brutscheck M, Schmidt B, Franke M, Schwarzbacher AT, BeckerS (2009) Identification of deterministic sequential finite statemachines in unknown CMOS ICs

10. Chikofsky EJ, Cross JH (1990) Reverse engineering and designrecovery: a taxonomy. IEEE Softw 7(1):13–17

11. Das D, Maity S, Nasir SB, Ghosh S, Raychowdhury A, Sen S (2018) ASNI: attenuated signature noise injection for low-overhead power side-channel attack immunity. IEEE Trans Circuits Syst Regul Pap 65(10):3300–3311

12. De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Proceedings of international conference on tools and algorithms for the construction and analysis of systems, pp 337–340

13. Dijkstra EW (1959) A note on two problems in connexion with graphs. Numerische mathematik 1(1):269–271

14. Dofe J, Frey J, Yu Q (2016) Hardware security assurance in emerging IoT applications. In: Proceedings of 2016 IEEE international symposium on circuits and systems (ISCAS), vol 2016. IEEE, pp 2050–2053

15. Ferrigno J, Hlavac M (2008) When AES blinks: introducing optical side channel. IET Inf Secur 2(3):94–98

16. Gandolfi K, Mourtel C, Olivier F (2001) Electromagnetic analysis: Concrete results. In: Proceedings of international workshop on cryptographic hardware and embedded systems. Springer, pp 251–261

17. Gebotys CH, Gebotys RJ (2002) Secure elliptic curve implementations: an analysis of resistance to power-attacks in a DSP processor. In: Proceedings of international workshop on cryptographic hardware and embedded systems. Springer, pp 114–128

18. Gierlichs B, Batina L, Tuyls P, Preneel B (2008) Mutual information analysis. Cryptographic hardware and embedded systems–cryptographic hardware and embedded systems 2008, pp 426–442

19. Grzes T, Solov’ev V (2014) Sequential algorithm for low-power encoding internal states of finite state machines. Journal of Computer & Systems Sciences International 53(1):92

20. Jozwiak L, Gawlowski D, Slusarczyk A (2004) An effective solution of benchmarking problem: FSM benchmark generator and its application to analysis of state assignment methods. In: Proceedings of Euromicro symposium on digital system design. IEEE, pp 160–167

21. Kar M, Singh A, Mathew S, Rajan A, De V, Mukhopadhyay S (2017) 8.1 improved power-side-channel-attack resistance of an AES-128 core via a security-aware integrated buck voltage regulator. In: Proceedings of 2017 IEEE international solid-state circuits conference (ISSCC). IEEE, pp 142–143

22. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Proceedings of advances in cryptology CRYPTO’99. Springer, pp 789–789

23. Mangard S, Oswald E, Popp T (2008) Power analysis attacks: Revealing the secrets of smart cards. Springer Science & Business Media, Berlin

24. Masalskis G et al (2008) Reverse engineering of CMOS integrated circuits. Elektronika ir elektrotechnika 88(8):25–28

25. Newton A et al Synthesis of multiple level logic from symbolic high-level description languages. In: Proceedings of VLSI conference

26. Peeters E, Standaert F-X, Quisquater J-J (2007) Power and electromagnetic analysis: Improved model, consequences and comparisons. Integration, the VLSI journal 40(1):52–60

27. Popp T, Mangard S (2005) Masked dual-rail pre-charge logic: DPA-resistance without routing constraints. In: Proceedings of international workshop on cryptographic hardware and embedded systems. Springer, pp 172–186

28. Potkonjak M, Nahapetian A, Nelson M, Massey T (2009) Hardware trojan horse detection using gate-level characterization. In: Proceedings of design automation conference, 2009. 46th ACM. IEEE, pp 688–693

29. Renauld M, Standaert F-X (2009) Algebraic side-channel attacks. Inscrypt 6151:393–410

30. Smith J, Oler K, Miller C, Manz D (2017) Reverse engineering integrated circuits using finite state machine analysis. In: Proceedings of 50th Hawaii international conference on system sciences, pp 2906–2914

31. Tiri K, Verbauwhede I (2004) A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: Proceedings of the conference on design, automation and test in Europe-Volume 1. IEEE Computer Society, p 10246

32. Tiri K, Akmal M, Verbauwhede I (2002) A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards. In: Proceedings of 28th European solid-state circuits conference (ESSCIRC). IEEE, pp 403–406

33. Torrance R, James D (2011) The state-of-the-art in semiconductor reverse engineering. In: Proceedings of 2011 48th ACM/EDAC/IEEE design automation conference (DAC). IEEE, pp 333–338

34. Tria A, Choukri H (2011) Invasive attacks. Springer, Boston, pp 623–629. [Online]. Available: https://doi.org/10.1007/978-1-4419-5906-5-511

35. Tsui C-Y, Monteiro J, Pedram M, Devadas S, Despain AM, Lin B (1995) Power estimation methods for sequential logic circuits. IEEE Trans Very Large Scale Integr VLSI Syst 3(3):404–416

36. Uting S, Brutscheck M, Schwartzbacher A, Becker S (2011) FPGA based optimisation and implementation of nondestructive identification procedures. In: Proceedings of international solid state circuits conference

37. Vamja H, Agrawal R, Vemuri R (2019) Non-invasive reverse engineering of finite state machines using power analysis and boolean satisfiability. In: Proceedings of 2019 IEEE 62nd international midwest symposium on circuits and systems (MWSCAS). IEEE, pp 452–455

38. Verbauwhede I (2010) Secure integrated circuits and systems. Springer

39. Villa T, Sangiovanni-Vincentelli A (1989) NOVA: state assignment of finite state machines for optimal two-level logic implementations. In: Proceedings of 26th ACM/IEEE design automation conference. ACM, pp 327–332

40. Yang S (1991) Logic synthesis and optimization benchmarks user guide: version 3.0 microelectronics center of North Carolina (MCNC)

41. Yuan L, Qu G (2004) Information hiding in finite state machine. In: Proceedings of international workshop on information hiding. Springer, pp 340–354

42. Zhou Y, Feng D (2005) Side-channel attacks: ten years after its publication and the impacts on cryptographic module security testing. IACR Cryptology ePrint Archive 2005:388

Richa Agrawal earned M.S. in Electrical Engineering at University of Cincinnati in 2018. She graduated from National Institute of Technology, Rourkela, India with a Bachelor of Technology in Electrical and Communication Engineering in 2010. Richa conducts research in areas of Hardware Security, Side-channel Analysis and Architectures for Image Processing. She has authored research papers at the VLSID, HOST and ICCCT Conferences and is an IEEE member. She is currently a researcher in Digital Design Environments Lab (DDEL) and pursuing a career in VLSI design.

Dr. Ranga Vemuri has been on the faculty of Electrical and Computer Engineering at University of Cincinnati since 1989 and is currently a Professor. His interests span various topics within Hardware Trust, Correctness and Security; VLSI Design and Architectures; Embedded Systems, Cyber-Physical Systems and Applications; Formal Methods and Formal Verification; Electronic Design Automation, Logic and Physical Synthesis; Reconfigurable Computing and FPGAs; Approximate Computing; Sensor Networks. He and his students have published over 300 papers. Dr. Vemuri graduated over 40 PhD and 60 MS students. His research has been funded by AFRL, DARPA, NSF, SRC, State of Ohio and various industries including EDAptive Computing Inc.

Dr. Mike Borowczak received his PhD in Computer Science and Engineering in 2013. He is currently the Loy and Edith Harris Assistant Professor of Computer Science at the University of Wyoming, where he also serves as the Director of the Cybersecurity Education and Research (CEDAR) Center. His research interests include Secure Distributed Systems, Security and Resilience of Autonomous Systems, Continuous and Adaptive Authentication, Cyber-Physical Systems and Applications, and Hardware-Level Security for Lightweight Agents. He and his students have published over 46 journal and conference publications. He is a senior member of the IEEE and ACM. His research has been funded by the NSF, NSA, Idaho National Laboratories, and the State of Wyoming.

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Affiliations

Richa Agrawal¹ · Ranga Vemuri¹ · Mike Borowczak²


¹ Digital Design Environments Laboratory, School of Electronics and Computing Systems, University of Cincinnati, Cincinnati, OH 45221, USA

² Department of Computer Science, College of Engineering and Applied Science, University of Wyoming, Laramie, WY 82071, USA

J Electron Test (2019) 35:621–639