Current Balancing Random Body Bias in FDSOI Cryptosystems as a Countermeasure to Leakage Power Analysis Attacks

This paper identifies vulnerabilities in recently proposed countermeasures to leakage power analysis attacks in FDSOI systems based on the application of a random body bias. The vulnerabilities are analyzed, and the relative difficulty of obtaining the secret key once the vulnerabilities are taken into account is compared to that of the original proposals. A new countermeasure, based on a new body bias scheme, is then proposed. The new countermeasure is based on the equalization of asymmetries in static power consumption dependent on data being stored in registers implemented in FDSOI technology. The countermeasure’s effectiveness is theoretically established through the development of a power model based on technological parameters, and further reinforced through numerical simulations of a dummy cryptosystem implementing part of an AES encrypting round.


I. INTRODUCTION
The exploitation of power consumption of cryptographic circuits as a source of information and a means to retrieve the secret key has been extensively studied in the last two decades [1]. These so-called Power Analysis Attacks (PAA) rely on asymmetries in power consumption that arise from differing circuit states subjected to the data being processed in intermediate stages of encrypting algorithms.
Traditionally, PAA have mainly focused on the dynamic power consumption of cryptographic circuits to derive statistical models of power consumption based on the data being processed. These models of power consumption allow the testing of secret key hypotheses with a minimal setup and quick computation.
PAA traditionally rely on statistical metrics, namely, the Difference of Means or the Pearson Correlation Coefficient (PCC) [2], to test secret key hypotheses given a correct power model. Since power consumption is dependent on processed data which is, in turn, dependent on the secret key, the power consumed by a cryptographic circuit is highly correlated with its correct secret key. Countermeasures to PAA attempt to decorrelate this relation.
As a rule of thumb, countermeasures to PAA can be separated into two categories: those that introduce uncorrelated noise during the execution of the encrypting algorithm, thus obfuscating meaningful correlation between the power consumption model and the measurements taken [3] [4]; and those that attempt to reduce the asymmetries in power consumption that arise from differing circuit states [5] [6]. Both types of countermeasures effectively reduce the Signal to Noise Ratio (SNR) utilizing different principles.
Nonetheless, as transistor nodes progress further into the nanometer scale, the contribution of leakage power to overall power consumption becomes more significant. With the reduction of operating voltages and standard-cell area that accompanies shorter transistor channel lengths, dynamic power consumption is scaled down, while traditional bulk technologies experience an increase in leakage current from various physical phenomena [7]. As a result, the last decade has seen an emergence of PAA based on the static power consumption of cryptographic circuits [8] [9], along with studies of their feasibility as well as potential countermeasures.
Fully depleted silicon-on-insulator (FDSOI) technologies address some of the short channel effects that contribute to the increase of leakage current in shorter nodes [7]. At the same time, their structure allows the application of a wide dynamic range of body bias. Recent studies [10] [11] have proposed taking advantage of this wide body bias dynamic range as a means to introduce static power noise, thus hindering the acquisition of the secret key.
On the other hand, the authors in [12] have recently developed and simulated standard cells that equalize the static power consumption of combinational and sequential logic in nanometer bulk technology.
In this paper, we explore and analyze the feasibility of utilizing a body bias scheme that can effectively act as a current equalizer between register states. Section II presents a summary of the findings and analyses performed in [10] and [11]. Section III describes how these findings can be undone through a bivariate power model, while Section IV presents a numerical analysis of the effect of this new power model on symmetric random body bias. Sections V and VI describe the new proposed countermeasure and its rationale, as well as how the analyses are performed. The results of these analyses are presented in Section VII. Lastly, conclusions follow.

II. BACKGROUND
An analysis of the different leakage currents in which a register can incur depending on the data that it stores was formalized in [8]. In the article, the authors identify 3 magnitudes of interest; namely, $I_1$, $I_0$ and $\epsilon$, which are, respectively, the leakage current of a register that stores a 1, a 0, and their difference ($\epsilon = I_1 - I_0$).
With these, the authors of [8] established a power model of the leakage current of an $n$-bit register array that stores an intermediate result of an encryption process.
Where $HW$, the Hamming Weight, is the number of ones stored in the register slice of interest. In a block cryptosystem, the $HW$ is a function of the plaintext, the secret key, and the non-linear substitution performed by an S-box.
Given the linear dependence between the leakage current consumed by the register array and the Hamming Weight of the word stored, this power model can be used to perform Correlation Power Analysis Attacks (CPAA) [2].
In [10] and [11], the authors explore the potential of utilizing cryptosystems implemented in FDSOI technology to dynamically modify the leakage currents of the register arrays by changing the body bias so as to introduce uncorrelated noise that decreases the correlation between the Hamming Weight and the leakage consumption.
The countermeasure presented in [10] and [11] relies on the application of a symmetrical random body bias level at the beginning of the encryption process. The body bias level is symmetrical in the sense that its absolute value is the same for NMOS and PMOS transistors: that is, $V_{bbN} = -V_{bbP}$. This body bias level is maintained throughout the whole process. At the beginning of a new encryption process, a new body bias level is set, following a random sequence.
Explorations on the leakage consumption of registers under a varying body bias are presented in [11], where it is shown that, for the technology and libraries studied in the article, the different leakage currents of interest (when a register stores a 1, a 0, and their difference) are exponentially dependent on the absolute value of the body bias under the symmetric conditions described above.
Under these conditions, the leakage current of an $n$-bit register slice can be shown to be: Where both $I_0(|V_{bb}|)$ and $\epsilon(|V_{bb}|)$ are exponential functions of the form: With $a$ and $b$ being technological parameters. Differing values of body bias decorrelate the leakage current values from the Hamming Weight for successive encryption processes.
In fact, it can be shown that, assuming that the distribution of the random variable $|V_{bb}|$ establishes a well-defined distribution of $I_0(|V_{bb}|)$, the Pearson Correlation Coefficient (PCC) between the leakage current and the Hamming Weight of the register array becomes: Where $\sigma^2_{I_0}$ is the variance of $I_0(|V_{bb}|)$, $\sigma^2_{HW}$ is the variance of the Hamming Weight, and we have assumed that the variance of $\epsilon(|V_{bb}|)$ is comparatively negligible so it can be considered a constant.
The effectiveness of the countermeasure is demonstrated both in [10] and [11]. In [10], the authors provide empirical testing on the countermeasure under a variety of conditions. In [11], an analytical model is developed and contrasted against electrical and Monte Carlo simulations of a dummy cryptosystem.
However, this countermeasure has some limitations. First, as already analyzed in [11], trace averaging can undermine the countermeasure at the expense of an increased number of required measurements. Secondly, once a state of the cryptosystem is identified, the countermeasure can be fully undermined.
In the next section, we present and analyze this problem. The rest of the article is devoted to the development of a new body bias scheme that can address these vulnerabilities.

III. BIVARIATE POWER MODEL
Consider a block cryptosystem that comprises several rounds of encryption. Consider a state register, where intermediate values of the encryption process are stored. In the AES cryptosystem, this state register is represented by the state matrix. Consider an attack where the $n$ bits of interest are evaluated at time $t_2$. Assume that, at a previous time, at time $t_1$, the same state register stores some bits that are known to the attacker.
Assume, also, that the attacker is able to track the progression from the value stored at time $t_1$ to the value stored at time $t_2$. In the AES cryptosystem, $t_1$ can represent the initialization phase, when the plaintext is loaded onto the state register, and $t_2$ the evaluation after the first round of encryption. Or, alternatively, $t_1$ can represent the time of evaluation of an encryption round for which all previous roundkeys are already known, and $t_2$ represents the evaluation time of the following round of encryption.
Regardless of how the attack is conceptualized, we assume that the state value and therefore the $HW$ at time $t_1$ is known to the attacker for every possible plaintext, and the progression from the values stored at $t_1$ to the values stored at $t_2$ is a function of an unknown secret key under attack.
Thus, the leakage currents of this particular register slice at times $t_1$ and $t_2$ can be expressed as: While $HW_{t_2}$ is an unknown value, given that both rounds belong to the same encryption process, the value of $|V_{bb}|$ remains constant between equations (5) and (6). As such, it can be seen that in the above equations, only the Hamming Weights are different. It is then possible to obtain a new power model of the leakage current by subtracting equation (6) from equation (5).
Since the main source of decorrelated noise introduced by this countermeasure is provided by the factor $n \cdot I_0(|V_{bb}|)$, which varies between encryption processes, but remains constant during the same encryption process, much of the effectiveness of the countermeasure proposed in [10] and [11] is eliminated by performing this subtraction.
While $HW_{t_1}$ and $HW_{t_2}$ might be uncorrelated, given the effect of an S-Box, they are not independent. As such, performing an accurate analysis of the probability distribution that accompanies these variables can be hard to generalize.
Nonetheless, we can perform some simplified analysis by considering that, together, they form a new random variable: With expected value and variance equal to: Where we have considered that the variance of $HW_{t_1}$ is $\frac{n}{4}$, following from a plaintext of $n$ bits, independent from each other, with a uniform probability distribution. These assumptions are reinforced by numerical simulations that are addressed in later sections. Thus, equation (7) can be expressed as: With these considerations, the PCC between equation (11) and the variable of interest, $Z$, in the presence of the countermeasure introduced in [11] can be shown to be, without algorithmic or non-algorithmic noise, and with a correct key: Where $\mu_\epsilon$ and $\sigma^2_\epsilon$ are, respectively, the expected value and variance of $\epsilon(|V_{bb}|)$.
By performing inter-trace averaging, the noise introduced by the countermeasure ($\sigma^2_\epsilon$), already significantly smaller once the subtraction has been performed, can be reduced. That is, if for every input plaintext of interest that evaluates to $z$, the encryption process is repeated $N$ times, the resulting, averaged traces would see their sources of noise reduced to In the following section we evaluate the effect that this post-processing has on the countermeasure proposed in [10] and in [11].

IV. SYMMETRIC BODY BIAS BIVARIATE POWER MODEL
In order to compare the effectiveness of the countermeasure against a bivariate leakage model we utilize the same body biasing scheme as in [11]: Where $V_{bbQ}$ is the quiescent point of the body bias, $\Delta V_{bb}$ the step increase of the body bias and $S$ a discrete uniform random variable that can adopt any integer value between This way, $\epsilon(|V_{bb}|)$ can be expressed as: Utilizing the same registers from the same technological library as in [11], the parameters $a$ and $b$ can be extracted and the variance and expected value of $\epsilon(S)$ calculated.
We perform the comparison by solving equation (12) for different values of $s_{max}$ and plotting it against the univariate leakage considered in [11] under equal countermeasure conditions: $V_{bbQ} = 0.5$ V, $\Delta V_{bb} = \frac{DR}{2 s_{max}}$, with $DR$ being the maximum allowable dynamic range of the body bias for the technology (in this case, 1 V), and with $n = 8$ bits under attack. The results can be seen in Fig. 1.
It can be seen that, under the same countermeasure conditions, the PCC of the bivariate case is much higher than that of the univariate leakage.
Furthermore, the rate of increase of the PCC under trace averaging conditions is much higher for the bivariate case.
Under trace averaging conditions, with $N$ traces per plaintext, the different variances are scaled by a factor of $\frac{1}{N}$.
[Figure caption fragment: "... (2)) and a bivariate power model (Equation (11))"]
It can be seen that, for the bivariate case, very few traces are required to achieve almost maximum correlation, thus significantly facilitating the acquisition of the secret key even in the presence of the countermeasure.
The following sections are devoted to the development of a body bias scheme that can offer protection against these considerations.
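The cancellation argued in Section III and the comparison made in Section IV can be checked numerically. The following is an added sketch, not the authors' code: it assumes the linear leakage form the text describes ($n \cdot I_0 + HW \cdot \epsilon$, with exponential $I_0$ and $\epsilon$), a range of $-s_{max}$ to $s_{max}$ for $S$, and constructed values for the technology parameters and the key byte.

```python
import math
import random

def aes_sbox():
    """Build the AES S-box (FIPS-197): GF(2^8) inversion plus the affine map."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                     # q /= 3
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
HW = [bin(x).count("1") for x in range(256)]

N_BITS = 8                    # bits under attack (n = 8, as in Section IV)
VBB_Q, DR = 0.5, 1.0          # quiescent point and dynamic range in volts (Section IV)
A_I0, B_I0 = 1.0e-9, 3.0      # constructed: I0(v) = A_I0 * exp(B_I0 * v)
A_EPS, B_EPS = 0.1e-9, 2.0    # constructed: eps(v) = A_EPS * exp(B_EPS * v)

def pearson(x, y):
    """Sample Pearson correlation coefficient of two equal-length sequences."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy)

def simulate(key_byte, s_max, n_avg, seed=1):
    """Noiseless, correct-key PCC under symmetric random body bias.

    Returns (univariate, bivariate): corr(I(t2), HW_t2) and
    corr(I(t2) - I(t1), Z) with Z = HW_t2 - HW_t1, after averaging
    n_avg encryptions per plaintext byte.
    """
    rng = random.Random(seed)
    dv = DR / (2 * s_max)                     # body bias step
    hw_t2, z, uni, biv = [], [], [], []
    for p in range(256):
        h1, h2 = HW[p], HW[SBOX[p ^ key_byte]]
        sum_t2 = sum_diff = 0.0
        for _ in range(n_avg):
            # One bias level per encryption, shared by t1 and t2.
            # Assumption: S is uniform on the integers -s_max..s_max.
            v = VBB_Q + rng.randint(-s_max, s_max) * dv
            i0 = A_I0 * math.exp(B_I0 * v)
            eps = A_EPS * math.exp(B_EPS * v)
            i_t1 = N_BITS * i0 + h1 * eps     # known state (plaintext loaded)
            i_t2 = N_BITS * i0 + h2 * eps     # state after AddRoundKey + SubBytes
            sum_t2 += i_t2
            sum_diff += i_t2 - i_t1           # the n*I0 term cancels here
        hw_t2.append(h2)
        z.append(h2 - h1)
        uni.append(sum_t2 / n_avg)
        biv.append(sum_diff / n_avg)
    return pearson(uni, hw_t2), pearson(biv, z)

if __name__ == "__main__":
    for n_avg in (1, 20):
        u, b = simulate(0x2B, 32, n_avg)      # 0x2B: constructed key byte
        print(f"N={n_avg:3d}  univariate PCC={u:+.3f}  bivariate PCC={b:+.3f}")
```

With these constructed parameters the univariate correlation stays near zero while the bivariate one is high even without averaging, which is the behaviour the section describes.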

V. CURRENT BALANCING BODY BIAS
In order to address these vulnerabilities we begin by noting that the signal of interest that conveys information regarding the secret key is the variable $\epsilon$; specifically, the expected value of $\epsilon$, which appears in the numerator of equation (12). Thus, the PCC between the leakage current consumption and the Hamming Weight of the bits of interest is directly proportional to $\mu_\epsilon$.
The definition of $\epsilon$, stated above, is the difference between the leakage current consumed by a flip-flop that stores a 1 and a flip-flop that stores a 0. Since the body bias allows us to modify the leakage current profile of the registers, we wish to explore if a body bias scheme exists that would arbitrarily reduce this difference, essentially reducing the SNR, not by introducing uncorrelated noise, but by reducing the magnitude of the signal of interest.
In order to do so, sufficient simulations are performed to extract the curves of $\epsilon$ as a function of both $V_{bbn}$ and $V_{bbp}$ for the registers under study. Figure 2 shows a collection of curves resulting from a double parametric sweep. The different curves represent the value of $\epsilon$ for varying $V_{bbp}$ with a fixed value of $V_{bbn}$, whose value ranges from 0 V (the uppermost curve) to 1 V (the one at the bottom). Observing the set of curves for $\epsilon(V_{bbn}, V_{bbp})$ it can be seen that there exists a subset of values of the xy-plane defined by $(V_{bbn}) \times (V_{bbp})$ where $\epsilon \approx 0$. This can be seen by noting the zero-point crossings for different curves in the body bias sweep represented by the horizontal red curve of Fig. 2.
The different curves of $\epsilon(V_{bbn}, V_{bbp})$ are then extracted and, with the help of Matlab's fitting tools, expressed as a bivariate polynomial of degree $n$ of the following form: With $a_{ij}$ as the different polynomial coefficients. A polynomial of degree $n = 4$ is sufficient to fit the data with an $R^2$ value of 1.
An algorithm is then implemented to solve for all the pairs of values of $V_{bbn}$ and $V_{bbp}$ such that $|\epsilon(V_{bbn}, V_{bbp})| \le c$, where $c$ is a constant that can be set arbitrarily small.
We set $c \le 1$ nA and solve for the pair of body bias values of $V_{bbn}$ and $V_{bbp}$ that make the register under study present leakage currents such that $|I_1 - I_0| = |\epsilon| \le 1$ nA. We obtain two contour lines, whose encased area represents the possible pairs of $V_{bbn}$ and $V_{bbp}$ values that solve for the above conditions (Fig. 3).
The pair of contour lines seen in Fig. 3 can be expressed as an affine function of the form: Where $b_1$ and $b_2$ are constants. The bivariate polynomial obtained for $\epsilon(V_{bbn}, V_{bbp})$ can now be reduced to a univariate polynomial, of the form: Thus, the polynomial can be solved for values of $\epsilon$ consistently kept at 1 nA.

VI. PROPOSED COUNTERMEASURE
With these considerations we can establish a body bias scheme that serves as a countermeasure protecting against attacks with a bivariate power model described in previous sections.
Consider a countermeasure that fixes the body bias value $V_{bbn}$ of registers at the beginning of an encryption process. Once $V_{bbn}$ is fixed, $V_{bbp}$ is adjusted until the value of $\epsilon$ reaches a certain threshold.
These values are maintained during the encryption process. At the beginning of a new encryption process, a new value of $V_{bbn}$ is chosen independently and at random, and the process begins anew.
We consider the positive body bias, $V_{bbn}$, a random variable of the form: Where the different terms are defined as: With $DR$ as the Dynamic Range of the body bias, limited to the domain of the positive body bias $V_{bb}$ where there exists a value of negative body bias that meets the imposed criterion.
The value of the negative body bias is set accordingly following equation (16).
With these considerations we now have a model with which to determine the effectiveness of this proposed countermeasure.
To do so, we solve the equation for the PCC between the Hamming Weight of the bits of interest and the bivariate leakage (Equation (12)) under noiseless assumption and in the presence of algorithmic and non-algorithmic noise. It is necessary to determine the expected value and variance of $\epsilon$ under these conditions. Given the model derived above, these can be determined numerically utilizing the following definitions.

VII. RESULTS
In order to establish the effectiveness of the proposed countermeasure, Equation (12), the PCC between the Hamming Weight of the bits under attack and the bivariate leakage current model defined in Equation (7), is solved for the body bias scheme presented in [11] (symmetrical body bias) alongside the results provided by the Current Balancing body bias derived in the above sections.
We consider a noiseless system under correct key assumptions, utilizing the conditions shown in Table 2. Equation (12) is solved for a variety of $s_{max}$ values. The results can be seen in Fig. 4. It might seem at first that the current balancing body bias contemplated in previous sections presents significantly worse values (a higher PCC that can facilitate the acquisition of the secret key). This can be explained by noting that, under noiseless assumptions, the only source of noise is determined by the variance of $\epsilon$ and the variances of the Hamming Weights. Since in the Current Balancing body bias scheme the Dynamic Range of the body bias is limited, the variance of $\epsilon$ is smaller.
However, consider the case of a noisy system. That is, Equations (5) and (6)
[Figure caption fragment: "... ) with non-algorithmic noise in the presence of a Symmetrical (blue) and a Current Balancing (orange) random body bias scheme, in the presence of non-algorithmic GW noise"]
Figure 5 plots the results of the PCC for the Current Balancing and Symmetrical body bias schemes with a noise power of $\sigma^2_b = -134$ dBW, the thermal noise produced by a 1 ohm shunt resistor connected to a 1 V power supply, with measurements of up to a bandwidth of 10 MHz. This noise represents the pre-amplifications and pre-filtering measurements obtained in settings such as those described in [13]. Even though it is still somewhat arbitrary, it suffices, without loss of generality, for illustration purposes. It can be seen that the PCC for the Current Balancing case is approximately one order of magnitude smaller than the symmetric body bias. At the same time, if the value of $s_{max}$ is fixed to 32 and we plot the PCC against the number of averaged traces for the same noise conditions, it can be seen (Fig. 6) that the Pearson Correlation Coefficient increases much more slowly when the Current Balancing body bias scheme is applied. That is, non-algorithmic noise severely dominates.

A. ALGORITHMIC AND NON-ALGORITHMIC NOISE
The results so far consider an $n$-bit register array, with $n = 8$ bits, subjected to some source of non-algorithmic, white Gaussian noise.
A more realistic scenario considers a cryptosystem that processes $n + m$ bits, with $n$ being the bits of interest under attack, and $m$ the rest of bits not pertinent to the attack that introduce algorithmic noise. The bivariate power model under these conditions (Equation (11)) becomes: Where $Z_n$ is defined in Equation (8) as the difference between the Hamming Weight of the bits of interest $n$ after a round of encryption and before the round of encryption. Similarly, $Z_m$ is defined as the difference between the Hamming Weight of the remaining $m$ bits not pertinent to the attack after and before the same round of encryption.
As in previous discussions, $HW_{mt_2}$ and $HW_{mt_1}$ might be uncorrelated but are not independent. In order to be able to treat them analytically, we make some assumptions regarding the distribution of $Z_m$.
The magnitude $B$ represents a Gaussian white noise term with zero mean and variance equal to $2\sigma^2_b$ considering additivity.
With this, it can be shown that the PCC between the bivariate power model and $Z_n$ is: Figure 7 plots Equation (26) for an $n + m = 128$-bit system with $n = 8$ bits under attack, considering the presence of additive GWN as a function of noise power for different number of averaged traces.
We are assuming exclusively inter-trace averaging, and thus all sources of noise ($\sigma^2_\epsilon$, $\sigma^2_{Z_m}$ and $\sigma^2_b$) are scaled by a factor of $\frac{1}{N}$, with $N$ being the number of traces measured and averaged per plaintext. Figure 7 shows that for small noise powers (below −160 or −170 dBW depending on the number of averages) algorithmic noise dominates as a factor. In fact, it can be shown that for small magnitudes of Gaussian noise power the countermeasure, under a bivariate attack, barely introduces noise. As such, the PCC between $Z_n$ and the leakage current can be approximated as: Thus, only when non-algorithmic noise becomes comparatively high is current balancing body bias significantly effective.
On the other hand, Fig. 8 presents a comparison between the PCC (Equation (26)) obtained through current balancing and symmetric body bias under the conditions presented in Table 2 as a function of noise power for a number of averaged traces N = 1000. It can be seen that the current balancing case is much more susceptible to noise power, as expected by the reduction of the signals of interest.

B. NUMERICAL SIMULATIONS
We mount a numerically simulated CPA attack on a dummy cryptosystem that reflects the bivariate power model described above and summarized in Equation (22), under the countermeasure conditions established in Table 2.
In order to do so, we set a 128-bit secret key that represents a round key. The dummy cryptosystem comprises a round of encryption of the AES from the MixColumns, up to the SubBytes routine, without including the former [14]. That is, we consider that the whole state matrix after the MixColumns routine is known to the attacker and directly consider this state the input plaintext. Each of the 16 bytes of the plaintext is then XORed with its corresponding byte of the secret key. Each XORed byte is then fed to the AES S-Box and the result is again considered to be stored in the state matrix.
The attack is performed on $n = 8$ bits (1 byte). For each input plaintext $i$ of interest (with $0 \le i \le 255$), $N$ realizations of Equation (22) are numerically simulated. For each realization, the 15 remaining bytes of the plaintext are generated at random, each bit following a uniform probability distribution. The random variable $S$ is also realized randomly following the distribution described in Section IV under the constraints described in Section V, thus generating a random body bias value that keeps $\epsilon \approx 1$ nA. Finally, for each of the $N$ realizations, a white Gaussian noise value following the distribution described above, for a noise power of −134 dBW, is also produced.
The $N$ realizations are then averaged: Thus, a vector comprising 256 $I_{leak}$ values, one for each possible plaintext, is obtained. The PCC between this vector and the vector $Z_n$ solved for each possible 8-bit secret key is calculated. At the same time, Table 5 presents the values of the expected value and variance of $Z_m$ for increasing number of averaged traces. As $N$ increases, the first and second moment of $Z_m$ more closely resemble the theoretical values that had been previously assumed; namely, that $\mu_{Z_m} = 0$ and that $\sigma^2_{Z_m} = \frac{m}{2} = 60$, with $m$ being the number of bits not under attack, 120 in this particular simulation.

VIII. CONCLUSIONS
In this paper, a vulnerability to the countermeasures presented in [10] and [11] is identified and analyzed following the derivations made in [11], showing that the countermeasure's effectiveness resulting from the application of a random body bias at the beginning of the encryption process can be highly undermined once a known state of the cryptosystem is obtained.
A new countermeasure against leakage power analysis attacks is presented in response to these findings. The countermeasure exploits the backgate of FDSOI transistors to modify the leakage current profile of registers, diminishing the asymmetries that arise from stored data.
Results show that the countermeasure effectiveness is dependent on the magnitude of noise power present in the circuit or measuring system. While no such analysis is presented, the magnitude of $\epsilon$ clearly determines, as well, the effectiveness of the proposed scheme. In this paper the authors have restricted themselves to a value of $\epsilon \approx 1$ nA, adopting a conservative stance before a system implementation is made.
The results presented are obtained for registers implemented with Low Threshold Voltage (LVT) transistors. However, simulations and analysis have also been performed for registers implemented with higher VT transistors. These results have been omitted for simplicity, as they did not differ significantly from the ones presented.
An important observation that stems from the results obtained is that the variance of $\epsilon$ is negligible as compared to the other sources of noise in the circuit (be they algorithmic or non-algorithmic), and has little impact on the effectiveness of the countermeasure. In a perfect implementation in which the value of $\epsilon$ were to remain exactly the same at all times, the variance of $\epsilon$ would actually be 0. Because of this, it is not necessary to choose the value of the body bias at random. This would free the system implementation of a True or Pseudo Random Number Generator, and design efforts could be devoted to a system that maintains $\epsilon$ as small as possible for differing operating temperatures.
Further studies should focus on circuit design of the proposed countermeasure to study the practical limitations of its implementation.