## Galvanically Isolated, Power and Electromagnetic Side-Channel Attack Resilient Secure AES Core with Integrated Charge Pump based Power Management

Meizhi Wang, Shanshan Xie, Ping Na Li, Aseem Sayal, Ge Li, Vishnuvardhan V. Iyer, Aditya Thimmaiah, Michael Orshansky, Ali E. Yilmaz, and Jaydeep P. Kulkarni ECE Department, University of Texas at Austin

E-mail: wang.mz@utexas.edu, jaydeep@austin.utexas.edu

**Abstract:** A galvanic isolation (GI) technique for cryptographic cores is proposed to mitigate power and electromagnetic (EM) sidechannel analysis (SCA) attacks. The design uses deep N-well technology and an integrated charge pump-based power delivery and management to completely isolate V<sub>CC</sub>, V<sub>SS</sub>, and substrate nodes from the external supply and ground pins, improving the SCA resilience due to supply as well as ground bounce. Measured results from a 128-bit Advanced Encryption Standard (AES) core implemented in a 40nm CMOS show >600x and >220x improvement against a correlation power analysis (CPA) and coarse-grained EM SCA attack, respectively, while operating at 20% lower frequency, consuming 2.3x more power, and occupying 0.0136 mm<sup>2</sup> larger area.

Galvanic isolation for SCA mitigation: Cryptographic integrated circuits such as AES cores, are vulnerable to SCA attacks due to ease of physical access and unintentional data-dependent information leakage. Various countermeasures based on voltage regulator and power management techniques, such as switched capacitor current equalizers, analog and digital low dropout regulators, and buck converters have been explored [1-4]. They isolate the external supply pin (V<sub>CC</sub>) or randomize the supply current signatures to improve the resilience of the AES core against SCA attacks. However, the shared external ground pins (Vss) between the AES core and the power converter remain susceptible to SCA attacks. This is particularly critical in modern SoCs wherein multiple Vss pins are arranged in a ball grid array (BGA). Side channel information can be obtained by monitoring the voltage bounce and substrate noise coupling [5] on these Vss BGA pins, especially those in close proximity with the AES core (Fig. 1a). Post-layout simulation of a 128-bit AES core shows about 6000 Vss bounce traces on the top-level metal lavers revealing the secret key to a correlation power analysis (CPA) attack confirming the vulnerability of the Vss pins to the SCA attacks (Fig. 1b). To mitigate the SCA vulnerability due to supply as well as ground bounces, we propose a galvanically isolated (GI) power delivery mechanism that completely separates the AES current loop from the external V<sub>CC</sub>/V<sub>SS</sub> pin loops (Fig. 1c). The proposed approach is inspired by the galvanic isolation principle employed in high-voltage power converters [6]. Using the transformer principle, the circuits connected on the secondary side of the high-voltage power converter are galvanically isolated and protected from the potentially high transient voltages and currents present on the primary side. The galvanic isolation for the AES core is achieved using a reconfigurable capacitor bank built with backend MoM (Metal-over-Metal) capacitors which act as an energy reservoir (Fig. 1d). The capacitor bank, along with an integrated power management unit (PMU), supplies the required charge for the AES computation, thus completely isolating its compute current loop from the external Vcc/Vss supply loops. The deep N-well secures the AES core by reducing the substrate noise-induced side-channel leakage.

Charge pump boost circuits: The GI-AES computation is performed in 3 phases (Fig. 2). In the first phase (precharge phase), the PMOS P1 header and NMOS N1 footer are activated, with all capacitors connected in parallel and precharged to V<sub>CC</sub>. In the second phase (compute phase), both P1 and N1 transistors are deactivated, isolating the capacitor bank from external V<sub>CC</sub> and V<sub>SS</sub> pins. The AES core is connected between VTOP and VBOT rails which are shared across the capacitor bank. V<sub>TOP</sub> and V<sub>BOT</sub> rails are internal and not routed as external pins, thus concealing the crypto-compute signature. Initially, only C<sub>0</sub> capacitor supplies charge to the AES core with other capacitors are isolated from VTOP and VBOT rails. As Co charge depletes, the voltage swing across  $V_{TOP}$  and  $V_{BOT}$  reduces. This voltage swing is monitored with the help of two sense amplifiers and predetermined reference voltages (Vref-1,2). Once the voltage swing below a critical voltage (Vcrit) is detected, the PMU triggers voltage doubling on the first capacitor stage (C1A and C1B) by

asserting the Boost<sub>1</sub> signal, connecting both C<sub>1A</sub> and C<sub>1B</sub> in series. As C<sub>1A</sub> and C<sub>1B</sub> capacitors are precharged to V<sub>CC</sub> in the first phase, the voltage across this seriesconnected capacitor stage is boosted to  $2^*V_{cc}$  (Fig. 2b). This boosted voltage capacitor branch (C<sub>1A</sub> and C<sub>1B</sub> in series) when connected in parallel with the C<sub>0</sub> capacitor, the resulting charge-pumping operation increases the voltage swing (V<sub>TOP</sub> - V<sub>BOT</sub>) across the AES core larger than the V<sub>crit</sub>. The AES compute activity



continues and when the voltage across  $V_{\text{TOP}}$  and  $V_{\text{BOT}}$  rails goes below V<sub>crit</sub>, the PMU triggers another voltage doubler capacitor stage (C<sub>2A</sub> and C<sub>2B</sub>) by asserting Boost<sub>2</sub> signal. The capacitor bank voltage would vary depending upon the encryption activity and utilization of boosting stages. In the third charge-share (CS) phase, once all voltage doubler capacitor stages are utilized, V<sub>TOP</sub> and V<sub>BOT</sub> rails are shorted using a transistor to achieve a pre-set voltage, hiding the AES compute signature during the subsequent precharge phase. If AES computation is completed before the estimated time interval, the PMU remains idle for the remaining duration of this phase. Thus, constant timing duration, along with the fixed precharge current (or charge) signature, ensures no data-dependent side-channel leakage to the external supply/ground pins. Multiple voltage boosting stages gradually transferring charge from precharged capacitor stages to the active capacitor bank, can prolong AES computations by maintaining V<sub>TOP</sub>-V<sub>BOT</sub> swing above V<sub>crit</sub>. The AES operating frequency is set based on V<sub>crit</sub> to mitigate any timing errors due to variable V<sub>TOP</sub>-V<sub>BOT</sub> voltage swing. Incremental charge transfers also reduce EM emanations and mitigate EM SCA vulnerabilities. The PMU can also enable additional off-chip capacitors based boosting stages. Differential sense amplifiers act as level shifters to convert VTOP/VBOT swing AES outputs to full Vcc/Vss swing output scan bits.

Measurement results: Fig. 7 shows the die-photograph of a 40nm AES test-chip implementing proposed galvanic isolation technique. Oscilloscope waveform traces from a stand-alone charge pump voltage boost circuit (no AES load) demonstrate successful triggering of multiple boosting stages and increasing the voltage swing across VTOP and VBOT rails (Fig. 3a). Observed VTOP/VBOT waveforms during 3 phase operations, PMU control signal waveforms and trigger points matched to the system flow chart confirm the functionality of the proposed GI-AES design (Fig. 3b & 3c). The ground bounce on four randomly located Vss grid nodes is monitored for both designs (Fig. 3d & 3e). Test vector leakage assessment (TVLA) is performed using two sets, each containing 20,000 fixed plaintexts and 20,000 random plaintexts [7]. The proposed GI-AES design succeeds in reducing the maximum absolute t-value by ~6.5x in time-domain and ~25x in frequencydomain under 4.5 threshold, protecting the design against power SCA (Fig. 4a). Correlation-based SCA attacks are performed on power (Fig. 4b) and coarse-grained EM signatures (Fig. 4c) [8]. With the baseline AES, the CPA attack reveals the first correct key byte after ~5000 traces, the correct key correlation is 47% higher than the next possible key guess. Fig. 5a and 5b show the power and EM SCA attack setup. The coarse-grain EM SCA attack uses a 10-mm H-field probe 1-mm above the package and reveals the first key byte after ~9000 traces. With the proposed GI-AES, no correct key byte is detected by CPA even after 3 million traces and by coarse-grain EM SCA after 2 million traces, increasing the measurements to disclose (MTD) key bytes by >600x and >220x respectively. The GI-AES technique's ability to mitigate fine-grain EM SCA attacks [9] is currently under investigation. Fig.6 compares the GI-AES measured results with prior schemes. Test-chip summary is shown in Fig. 5c.

Acknowledgments: This research is supported in parts by Intel, Silicon Labs, and NSF. Authors would like to thank TSMC for chip fabrication, Dr. Sanu Mathew, Dr. Raghavan Kumar, and Dr. Vivek De for helpful technical discussions.

## **References:**

[1] C. Tokunaga, *et al.*, *ISSCC*, 2009, [2] M. Kar, *et al.*, *ISSCC*, 2017,
[3] M. Doulcier-Verdier, *et al.*, *ISSCC*, 2011 [4] A. Singh, *et al.*, *ISSCC*, 2019 [5] D. Fujimoto, *et al.*, *HOST*, 2014 [6] N. Mohan, *et al.*, 3rd edition [7] G. Goodwill, *et al.*, *NIST Technical Report*, 2008 [8] G. Ding, *et al.*, *WMWA*, 2009 [9] V. V. Iyer, *et al.*, *WMCS*, 2019



Fig. 1. (a) Ground and substrate bounces in BGA arranged V<sub>SS</sub> pins (b) Baseline AES post-layout simulation and CPA results (c) & (d) Proposed Galvanically Isolated (GI) AES operates in the crypto logic domain, completely isolated from the external domain



Fig. 3. Experimental demonstration (a) Stand-alone charge pump voltage boost circuit (b)&(c) GI AES core operation: control signal with  $V_{TOP}/V_{BOT}$  and flow chart (d)&(e) Four randomly located  $V_{SS}$  nodes for ground bounce monitoring on Baseline and GI AES





Fig. 2. (a) Block diagram of the proposed GI AES system with PMU and dual side level shifter circuit (b) Capacitor bank diagram with three boosts settings (c) Capacitor bank switching patterns for baseline AES and GI AES (three phases)



Fig. 4. Measured results (a) Power SCA TVLA in time and frequency domains (b) CPA results of (i) Baseline AES and (ii) GI AES (c) Measured coarse-grained EM signal and SCA results of Baseline and GI AES

| Parameters                              | ISSCC'09<br>[1]                                | ISSCC'17<br>[2]                    | ISSCC'11<br>[3]          | ISSCC'19<br>[4]                                   | This Work |                                                                               |                                                     |
|-----------------------------------------|------------------------------------------------|------------------------------------|--------------------------|---------------------------------------------------|-----------|-------------------------------------------------------------------------------|-----------------------------------------------------|
|                                         |                                                |                                    |                          |                                                   | Baseline  | Proposed                                                                      | Improvemen                                          |
| Technology                              | 130nm                                          | 130nm                              | 130nm                    | 130nm                                             | 40nm      |                                                                               | -                                                   |
| AES Power (mW)                          | 33.32                                          | 10.5                               | -                        | 10.9                                              | 10        | 23                                                                            | -2.3X                                               |
| AES Frequency                           | 100MHz                                         | 40MHz                              | 50MHz                    | 80MHz                                             | 50MHz     | 40MHz                                                                         | -20%                                                |
| Area (mm <sup>2</sup> )                 | 1.37                                           | <sup>1</sup> 0.002135              | 1.886                    | 1.75                                              | 0.032     | <sup>2</sup> 0.0456                                                           | -1.425X                                             |
| Countermeasure<br>Type                  | Switched-<br>Capacitor<br>Current<br>Equalizer | Integrated<br>Voltage<br>Regulator | Duplicated<br>Data Paths | On-chip<br>Digital<br>Low<br>Dropout<br>Regulator |           | Galvanic<br>Isolation<br>(Improved<br>Vcc, Vss and<br>substrate<br>isolation) | Improved<br>Vcc, Vss, and<br>substrate<br>isolation |
| CPA MTD<br>(1 Byte)                     | 10M                                            | >100,000                           | 1M                       | 8.4M                                              | 5,000     | > 3M                                                                          | > 600X+                                             |
| TVLA Time Domain<br>Max  t-value        | -                                              | 2.5                                |                          | 11.9                                              | 24        | 3.7                                                                           | 6.5X                                                |
| TVLA Frequency<br>Domain Max<br> tvalue | -                                              | 4                                  | -                        | -                                                 | 97        | 3.9                                                                           | 25X                                                 |
| Coarse-grained EM<br>SCA MTD (1 Byte)   | -                                              | -                                  | 800,000                  | 6M                                                | 9,000     | > 2M                                                                          | > 220X+                                             |

Fig. 6. Galvanically isolated AES performance summary and prior work comparison