 effect of device aging on static power analysis attacks and it's joint work with Nachme Karimi and Tormen Moos. Does it work? Okay, good. Thank you for the introduction. Yeah, I'm going to first show you some, should I reuse it? Okay, thank you. Okay, yeah, I'm going to explain shortly about the fundamentals of static power consumption and such an analysis based on static power consumption and some basics about device aging, which is a common and known fact in VLSI and test domain and also the target that we have selected in our experiments plus simulation analysis and practical analysis on some fabricated chips and of course I'm concluding this talk based on the study that we have done. You know that for those that are in the VLSI domain probably it's very trivial and known but this is suppose that you have a transistor that can be seen as a switch. When the transistor is on the switch is conducting then there is a current passing through the channel but when the transistor is off the switches actually should be not conducting but there is a steel little current passing through the channel for instance from the drain to the source which is referred to leakage current or static power consumption. You know it means that with the device whatever the switch is not conducting and everything is in a stable mode still there is a small current passing through the VDD to the ground of the chip which is referred to leakage current or static power consumption. This picture is actually predictive. Many years ago it has been predicted that in future when the technology is a smaller than the amount of static power consumption this line. The green one goes up and up and on and becomes even larger than dynamic power consumption. It means that this will be the main factor of the power consumption of the system. Indeed I can say that I should say that it didn't happen really like this means that now in the new technologies that we have based on the development of the semiconductor and so on it's not exactly like this. The static power consumption went up but not exactly higher than dynamic power consumption. It's also known that this static power consumption or static leakage is data dependent means that if you have for instance one just inverter the input of the inverter A is for instance zero then the circuit is equivalent to just one NMOS transistor which is off. And when the input is A the circuit is similar to just PMOS transistor which is off. But leakage current of these two transistors the NMOS and PMOS transistor when they are not conducting they are not the same. Means that the static leakage or the current leakage which is passing through the VDD to the ground of this inverter depends on this input. Of course this is true in more complicated gates like a NAND gate. When the input is zero zero the circuit is seen as two NMOS transistors in series and when the input is zero one or one zero then you will see just one NMOS transistor. And when the input is one one you have two PMOS transistors in parallel. Then again the amount of static power consumption of the gate depends on the input which is given to the gate. Then in total if you have a combinatorial circuit which is large like the A is a spark for instance then the amount of a static leakage of this combinatorial circuit will be dependent on the input of the combinatorial circuit. Of course based on this fact a couple of search and analysis based on static power consumption has been developed also based on simulation and also in practice. Of course there are some difficulties how to measure it but we will see it later. On the other hand we have the device aging fact means that if you have a CMOS device and it's working for a long time and it's aged then it faces some reliability issues. What does it mean? For example you have a circuit which has the maximum clock frequency of 200 megahertz and you are running at 200 megahertz everything is fine and if the device is working for a couple of months this 200 megahertz clock if you give it a still 200 megahertz there is no guarantee that the device performs without any failure. It means that if you want to be sure the device still performs correctly then it's better to decrease the clock frequency for instance 195 then you are sure that no failure is happening. The reason for this is threshold voltage of the transistor that we will see in more detail here that affects and the reliability of the circuits. There are parameters about device aging, TDDB, electro migration, BTI and HCI. I'm not of course explaining everything here because there are too much into physics and electronics just I shortly explained the effect of the last two one the BTI or NBTI negative bias temperature instability means that if the device is aged the threshold voltage of PMOS transistors is going up and HCI hot carrier injection the effect of HCI based on aging means that if the device is aged the NMOS transistor mainly NMOS transistors have the higher threshold voltage. We can just summarize everything to this fact that if the device is aged then the threshold voltage of the transistor is going up. Of course there are different reasons for that and how they are affected and so on. We are not getting into details but this is the message that we can get from the aging of the CMOS devices. This is for instance the simulation which NACMA did that you run it in the one PMOS transistor for a long time for instance six months and then at the same time we are just measuring the threshold voltage or observing the threshold voltage of the PMOS transistor. When the transistor is under stress the stress means that for NBTI the transistor is always switching. The transistor is always switching is under stress and you see that for a long time the threshold voltage is increasing over the time and then for sometimes if you stop giving the stress to the transistor and then again put it under stress you will see that the threshold voltage is recovered a bit and then go up again and recovered and go up again means that for some part of the increase in the threshold voltage of the NBTI can be recovered which is not the case for HCI means that for NMOS transistors when they are aged or effective of the HCI the threshold voltage goes up but if you just leave a device to rest nothing is recovered. Now based on this too I have to say that the threshold voltage plays an important role and the tradeoff between the delay of the circuit and also the leakage current of the CMOS devices means that for some applications that they are not timing critical you can take from the low power libraries of a standard logic libraries and then what happens then you have actually the higher threshold voltage of the transistor and then the amount of leakage current of these gates will be a smaller and then you have a low power let's say library or low power design that you have of course just based on the library which is selected but at the same time this does not work for or does not work for timing critical applications means that the circuit will be a bit slower compared to non-high threshold voltage libraries but aging as I said affects on the threshold voltage means that if the device is aged then of course the threshold voltage of the transistor going up and then at the same time the circuit becomes a bit slower. Now this is the effect and at the same time you can say that the amount of static power consumption will be decreased when we have a higher threshold voltage and then this aging process which should affect on these two facts also can be accelerated means that if you run the device at a high temperature and also high supply voltage that the device gets aged faster. What we can see here or what we have observed and I just want to give you the short message of this talk is that because when the device is aged the amount of static power consumption is decreased then of course the attacks become a bit harder because the level of signal compared to the level of noise is decreased but at the same time what we have observed was the data dependency between the static power consumption and the input of the circuit is also changing during the time when the device is aged. It doesn't mean that if you have a dependency or function between the amount of static power and the input of the circuit if this function is just decreased by a factor just everything is changing when the device is aged. For the target we have selected one very simple small implementation of the present cipher which has only four bit of sparks here. We are actually mainly concentrating on the sparks in simulation which is just four bit bijection. This is the chip that we have fabricated just in 65 nanometer technology this is just two millimeter by two millimeter chip and what you see here the small circle here is the present core, complete core not only the S-Box. Based on the simulation we did this aging acceleration at 90 degree and also the VDD 1.4 when the nominal voltage value is 1.2 for the simulation we have taken the net list of all fabricated chip and it's exactly the same net list or the S-Box which is fabricated and the chip is taken and then we have measured the static power consumption for all input values means that of course the S-Box is forward then we have 16 different input values and the blue bar at the left side of each of this group of bars is the static power consumption for the when the device is not aged means that the fresh device. You see that after aging one week up to eight weeks the amount of static leakage has decreased instantly and then is still decreasing over the time. This is not the only effect that we have observed also if you concentrate on some particular inputs you see that before the device is aged we are roughly for some input values the static power consumption is the same but after the aging this balance is not existing anymore means that for one of the input values it consumes more static power compared to the other one. But for the other inputs you can see also other way around means that before the device is aged there is a difference between the static power but when the device is aged for both inputs they consume roughly the same amount of power. These are the things that I already explained the data dependency will be different and also absolute leakage current is decreasing and we have performed some tests on this and the simulated data based on first TVLA-T test fixed versus random tests to just look at the see the dependency or how much detectable leakage exists here at the first one you see the original value original device and then after four weeks and after eight weeks the T test is decreasing as we were expecting and also if you run a classical CPA attack using the Hammingweight model you can see also that the number of measurements that you need to perform the test successfully is also increasing at the same time the correlation value is also decreasing. Then for the practical things this is actually the board that we have customized ourselves and then here is the chip which is on the socket and then this two millimeter by two millimeter chip is actually here and then of course the board has some facilities to measure the static power consumption and this is the, oops, this is the amplifier that we also build ourselves with a gain of 100 and this 100 times the signal is amplified and I have to say that the normal amplifiers that are usually used by dynamic power consumption measurements cannot be used here because we are interested in DC shift of the signal if you use AC amplifiers that they are just passing the dynamic power consumption they are not useful here then you don't get anything about the static power consumption and then here we have a climate chamber that we have to control the temperature when we are measuring the static power consumption this is super sensitive to the temperature if you just put your finger close to the chip you will see that the static power consumption goes up. How do we measure, suppose as I said the circuit should be in idly mode and then we are interested in the amount of static power which is passing through the circuit for instance you will stop the clock and then you have to wait for a long time till all the bumps are gone and the effect of dynamic power consumption and then again for another long time you can get a measurement here, get a trace and then get average over this T2 time to get a singular value as a meaning of the amount of static power consumption of the circuit at that state. If you want to know how long they are for instance from T1 you can have 100 ms, 200 ms so for T2 roughly the same from 100 to 500 ms of course if you measure here longer then you get rid of noise much easier. Torban will show in the next talk that you actually don't need to stop the clock if the circuit does not have any activity and the clock is still running you can still perform this attack and measure this static power consumption. We have conducted our tests on two different chips of course the same chips but from two samples. The aging was done at the 90 degree and the voltage VDD of 1.4 all the measurements that we have done at 20 degree and 1.2 volt means that we got the fresh device measured at 20 degree and 1.2 volt put in the oven with 90 degree and the VDD of 1.4 for four weeks took it out again put it in another setup with 20 degree and 1.2 measure again put it in the oven. This process is repeated why? Because first of all we wanted to measure at 20 degree and at the same time we wanted to avoid any effect of the aging on the board and the PCB and the components and the measurement setup. Means that we were just 100% sure that the effect of aging that we are observing is just on the chip not on the board not on the any other components of the setup. The result were off very the same why we have done it in two devices or two chips because we have received some comments that it might be what you have seen is might be a coincidence. You have to at least repeat it on different chips or different samples to make sure that what you are observing exactly correct which is a true comment actually. Here the two results are roughly the same I cannot say they are 100% the same because they are two different samples. The T value is decreasing as we have observed in the simulation and also the correlation value is also decreasing roughly the same thing that we have seen in the simulation. What is important to say of course I'm not going to read all these numbers in the table about the result of the simulation and the measurement. What is interesting here if you look at the average of our total power consumption or current passing is that here you have, you can see that the distance or difference between the original value and after four weeks aging and eight weeks aging, you see that the amount of current is decreased but what we have seen in simulation is not completely fitting to here. In the simulation we have seen that the amount of static power is decreasing instantly after the first week of aging and then it's decreased with a smaller or shorter speed. But what we see here is not completely linear but you are very close to linear. That amount of static power consumption is decreasing over the time. Based on this we have repeated another measurement and another test and another chip with 150 nanometer that as I said we have to control the temperature when we are measuring the static power and the static power consumption depends on the temperature as well. Then it's always nicer or better if you want to measure static power consumption that you do with that high temperature. It means that you put the device in the oven and at 80 degree and always you are measuring at 80 degree. Then what happens? Actually the device is also aged at the same time. It means that if we measure at the first week here one million traces and perform that attack we'll see we need roughly 100,000 traces. The devices are still on the oven is always on the measurement and then after the second week you see again that you get one million traces or many measurements and now you need 200,000 traces or measurements to perform. Then this number of measurements that you need to use for the evaluation or analysis is increasing. If I want to conclude here, I mean just repeat what I said that the leakage current is decreasing by when the device is aged. The attack space on static power consumption becomes harder. The dependency between the power consumption and data which is input of the combinatorial circuit is also getting different. What is the most important part to say is that when we are measuring for a long time in the oven for high temperature for a long time for instance eight weeks that the traces that we got in the first week they are not fitting to the traces that we got under eight weeks. I mean that if you want to have for instance here 100 million traces measured during the eight weeks they are not actually the samples of the same population. The dependency that we are looking for is actually changing. This is actually, I think this is the only message that I want to say that if you have the device in the oven and then measure it, measure the device, measure core of the device and then at the end for instance it took eight weeks and then you want to perform another attack or another measurement under another core of the same chip that chip is already aged and what you are observing might be completely different to the case if you take a completely fresh sample and measure it. Thank you so much for your attention. I think I talked longer than I should. It's okay. Thank you. Thank you. Questions? Hi, thanks for the nice presentation. I have two questions. First is you didn't tell us what kind of technology for the simulations? Because the simulations strongly depend your SPICE models. What SPICE models or what did you use? We have taken the SPICE model and the technology information from the same chip that we have fabricated because first we fabricated the chip and then performed the simulation. Okay, and that's 65 nanometer, what? Low power, TSMC, whatever? I cannot tell the name of the company because it's under NDA. We are forbidden to give the name of the company. Okay, because there is a big difference between low power and throughput. I can't say it's low power. I can't say that it's low power. Second question is what would happen if you use FD SOI? Sorry, I didn't get it. FD SOI, which is kind of used in smaller technologies. Which supposedly doesn't leak. FD fully depleted silicon on insulator. FD SOI. I think I should transfer this question to NAPMA who is sitting close to you in the areas of the VLSI. But I can say that we have not considered this. Okay, thank you. Actually, maybe we can type offline, so don't type it up. Thank you. Thank you. Thank you. More questions? It's time for the next speaker. So let's thank Amir again.