ASCENT: Amplifying Power Side-Channel Resilience via Learning & Monte-Carlo Tree Search

Cryptographic hardware is vulnerable to PSCAs, which exploit the fluctuations in a device’s power consumption to reveal sensitive information like keys (survey-PSC). Thus, these attacks leverage the fundamental connection between a device’s power consumption and its internal state during operations. There are different types of PSCAs, including simple power analysis (SPA), differential power analysis (DPA), and correlation power attack (CPA) (brier2004CPA).¹¹1SPA directly interprets the power profiles during specific cryptographic operations, aiming to deduce sensitive data. DPA goes further by comparing power consumption across multiple similar operations with varying inputs. This technique seeks to isolate variations in power profiles that directly correlate with the influence of the secret key. CPA employs statistical tools, most commonly the Pearson correlation coefficient (PCC), to match hypothesized power consumption patterns against the actual power measurements. The highest correlation often reveals the correct key. Note that we utilize CPA in this work; more details are provided further below.

Technology Implications. With continuous advancements for the ever-shrinking technology nodes, the threat of static power side-channel attacks (S-PSCAs) has significantly increased over the years (leakage-2010-TCAS; amstatic2014; giorgetti2007). Unlike dynamic PSCAs, which focus on power fluctuations during active computations, S-PSCAs exploit the relationship between stored data and static power consumption (leakage power). More specifically, advanced nodes utilize standard cells of various types with different power-performance characteristics, e.g., low-threshold voltage (LVT) and ultra-low threshold voltage (ULVT) cells are faster than the regular (RVT) cells, thereby hel** to meet faster timing constraints, albeit at the expense of significantly higher leakage power. LVT and ULVT cells are essential for timing closure, i.e., the careful final-stage efforts in design automation. In short, these implications highlight the need for dedicated countermeasures that protect against S-PSCAs.

Countermeasures. To combat S-PSCAs, security-aware designers can employ masking (mask-2005; bhandari2024lightweight), shuffling, and/or balancing (Moos_Moradi_2021; 7324539) schemes.²²2Further countermeasures and details are discussed in Section 2.2. Also note that the specific countermeasures employed for this work are discussed in Section 2.3. In general, these strategies seek to obscure the power profiles. Despite their demonstrated effectiveness, they all increase design overheads considerably, necessitating to strive a careful balance between security and PPA during the design process.

As indicated, here we tackle this challenge through our novel, learning-and-search based framework for logic synthesis.

Simulation-Based Power Analysis. This is crucial for understanding a design’s vulnerability to PSCAs before investing into actual tape-outs. Commonly utilized procedures work along the following lines; we employ such a procedure as well in this work.

First, through gate-level simulations, a value change dump (VCD) file is obtained. This captures all the relevant state information of the device under test. In combination with the post-synthesis netlist and the library files, this allows for accurate power analysis. Second, power simulation tools calculate the power consumption of each cell, including static/leakage power and internal power from input/output switching transitions. Importantly, for S-PSCA assessments, zero-delay simulations enable precise static power capture during specific operations (unlike an averaged leakage power analysis provided by full-timing simulations).

Correlation Power Analysis (CPA). This attack hinges on identifying a correlation between a device’s power consumption and the intermediate data processed throughout cryptographic operations. An attacker collects power consumption data and then hypothesizes on all possible intermediate data values, which often involve direct correlations to parts or derivatives of the secret key.

More specifically, power consumption is predicted for each hypothetical intermediate value, typically using models like Hamming weight or Hamming distance, which relate binary data representation to power. The core of CPA involves calculating the PCC between actual power measurements and the predictions for each hypothesis. The hypothesis yielding the highest correlation often represents the correct assignment for some part/derivative of the key, allowing the attacker to reconstruct the full key eventually.

S-PSC Attacks and Countermeasures. (giorgetti2007) showed, for the first time, the potential of S-PSCAs as a severe threat. (amstatic2014) have conducted one of the first practical experiments for S-PSCAs using FPGAs, with some follow-up work presented in (7927198). (leakage-2010-TCAS) highlighted the importance of leakage power and its effect on PSCAs especially for advanced nodes. (Moos_Moradi_2021) proposed various countermeasures against S-PSCAs, albeit with considerable PPA overheads. (bhandari2023lightweight) have shown the impact of various types of standard cells on S-PSCAs. (bhandari2024lightweight) proposed a lightweight masking scheme against S-PSCAs. (Karimi_Moos_Moradi_2019) have demonstrated the important side-effect of aging for S-PSCAs in advanced technology nodes. (10.1007/978-3-319-57339-7_5) studied multivariate techniques focused on leakage power consumption to enhance cryptographic security assessments. (9040870; cryptography5030016) proposed standard-cell, delay-based dual-rail pre-charge logic (SC-DDPL) as countermeasure. However, due to its structural complexity, this countermeasure is incompatible with commercial design flows.

Design Frameworks for Advancing PSC Resilience. (karna) introduced a framework that scores and optimizes design parts to minimize PSC vulnerabilities. This approach is limited by the impractical assumption of timing slacks being ubiquitously available. It also lacks an actual PSC evaluation. (rtl_psc) proposed a framework for assessing PSC vulnerabilities at the register-transfer level (RTL), with the goal to aid countermeasure implementation. (7364404) studied circuit replication and SRAM sharing for PSC resilience in FPGAs. This approach notably increases design costs but significantly improves security while maintaining FPGA configurability. (10.1145/3488932.3517415) emphasized the importance of automated modeling for early, system-level detection of potential leaks. (Tiri2004SecureLS) proposed a methodology for so-called wave dynamic differential logic (WDDL) on FPGAs.

Summary. Prior art for S-PSC countermeasures is focused on detailed empirical studies, with only limited considerations for generalized design-time integration of the countermeasures. At the same time, prior art for frameworks is limited to D-PSCAs, not S-PSCAs, and was proposed for high-level design stages and/or for FPGAs. Thus, there is no prior art that proposes a security-first approach toward the complex, yet critical, challenge of design-space exploration for S-PSCA countermeasure integration in ASICs. Also recall the exploratory finding from Section 1. This gap provides the main motivation for our work.

As motivated in Sections 2.1 and 2.2, S-PSCAs are becoming ever-more relevant for advanced technology nodes, and various countermeasures have been proposed. In our study, we consider the following two representative, SOTA countermeasures against S-PSCAs.³³3While these two SOTA countermeasures appear similar from a high-level view, their implementation details and, thus, efficiency to hinder S-PSCAs still differ (Moos_Moradi_2021, Table 5). Importantly, ASCENT is agnostic to the countermeasures a designer likes to explore and eventually integrate.

Quadruple Algorithmic Symmetrizing (QuadSeal) (7324539). This technique can protect against both dynamic and static PSCAs. It focuses on achieving a balance in Hamming weights/distances for the cryptographic operations in hardware. It operates by quadrupling the unprotected circuit structure and balancing the arrangement of the so-called substitution boxes (S-Boxes) in three of those circuit copies in a specific manner. Additionally, it involves rotating inputs to the resulting balanced structure, to mitigate other real-world dependencies introduced by, e.g., manufacturing process variations, timing-path imbalances, aging, etc.

Exhaustive Logic Balancing (ELB) (Moos_Moradi_2021). To reduce the correlation between input data and the leakage current of standard cells, selected sensitive cells are duplicated and fed with inverted input data, which is akin to differential logic. Cell duplication is scaled based on the number of possible input vectors—a single-input cell is duplicated once, while two-input cells are quadrupled. This, along with the inverted inputs, ensures a constantly uniform input distribution across all related cells.

Logic synthesis transforms a high-level hardware design (e.g., in RTL) into an optimized and technology-specific gate-level netlist. This process offers significant flexibility, as any single design can be mapped to many functionally equivalent but structurally different netlists, all with distinct PPA characteristics. Toward that end, so-called recipes are devised, which are sequences of optimization steps. However, the sheer number of possible recipes and netlists makes this a complex problem, in fact a $\Sigma^{P}_{2}$-complete problem.

Setting. Commercial tools like Synopsys DC and Cadence Genus are tuned for PPA optimization and use proprietary optimization algorithms toward that end. Aside from scripting interfaces tailored for such PPA optimization, these tools lack direct mechanisms to tune synthesis for other objectives like PSC resilience.

Thus, research into novel optimization techniques, including our work on security-first synthesis, often relies on the open-source and customizable Yosys framework (yosys). In fact, Yosys is the most widely adopted, SOTA synthesis framework for and by academia.

AIG Representation, Generic Problem Formulation. Within Yosys, ABC (abc) is used for combinational optimization. First, ABC converts the design into a homogeneous logic-network implementation called and-inverted graph (AIG). Next, ABC’s algorithms employ various transformations at the sub-graph-level (abc). Importantly, users are free to tweak these algorithms in general and the selection and order of transformations in particular, all to optimize the AIG circuit representation according to their objectives.

More formally, in line with earlier works (chowdhury2021openabc; chowdhury2022bulls; chowdhury2024retrieval) a synthesis recipe $a^{T}$ is a sequence of $T$ transformation steps operating on an AIG structure to optimize for PPA and/or other metrics (e.g. security (basak2023almost)), all while preserving the original functionality. We denote $\mathcal{A}$ of $\mathbf{L}$ unique synthesis transformations, $\{a_{0},a_{1},\ldots,a_{L-1}\}$ ($a_{i}\in\mathcal{A}$), in a synthesis recipe $a^{T}$. Thus, the number of synthesis recipes of length $T$ is $\mathbf{L}^{\mathbf{T}}$, including repeatable transformations. This search space is denoted by $\mathcal{A}^{T}$. The problem of generating a PPA-optimal synthesis recipe for an AIG is:

where $\eta$ is the synthesis function defined as $\eta:AIG\times\mathcal{A}\longrightarrow AIG$.

MCTS is an optimization algorithm best suited for tree-structured search-space exploration. It has been used in selected prior art for logic synthesis (yu2020flowtune; pei2023alphasyn; chowdhury2024retrieval; delorenzo2024make), albeit only for PPA optimization.

Structure. The MCTS search tree contains a root node representing the initial state ($S_{0}$). A node is called leaf if there exist an $a_{t}\in\mathcal{A}$ that still remains unexplored and the node is terminal state. Each node preserves two attributes: (1) node visit count $N(S_{t},a_{t})$ and (2) cumulative reward $R(S_{t},a_{t})$.⁴⁴4$N(S_{t},a_{t})$ is the number of times the nodes is visited during exploration. $R(S_{t},a_{t})$ is the total reward obtained while exploring the sub-tree rooted at that node.

MCTS operates in four stages as follows.

1) Selection: of the “most promising node” in the MCTS tree until a leaf node is reached for further exploration. The selection is based on the upper confidence tree (UCT) computation as follows:

That is, UCT computation considers exploitation and exploration.

Exploitation computes the ratio of the reward $R(S_{t},a_{t})$ accumulated over the sub-tree rooted at that node and the visits count $N(S_{t},a_{t})$. This average reward is obtained by exploring the sub-tree which, in turn, is done by picking an action $a_{t}$ from state $S_{t}$.

Exploration prioritizes nodes which have been less explored so far. It loosely computes the ratio of the parent’s visit count ($\sum_{a_{t}\in\mathcal{A}}N(S_{t},a_{t})$) and the current node’s visit count ($N(S_{t},a_{t})$). Thus, the score increases if the parent node has been frequently visited whereas the current node has been less explored.

Starting from state $S_{0}$, $\pi_{MCTS}$ navigates the search space by selecting the “best” action $a_{t}$ that achieves the maximum score combining exploitation and exploration terms (Equation 2), effectively performing a best-first exploration. The selection process continues until a leaf node is encountered.

2 and 3) Expansion and Rollout: Once a leaf node is selected, an action $a_{t}$ is chosen (at random) from the set of unexplored actions. A node is added to the MCTS tree and node attributes are initialized. We call the trajectory $\tau$ a sequence of nodes visited during MCTS selection and expansion, which is represented by $\{S_{0},(S_{0},a_{0}),(S_{1},a_{1})..,(S_{\tau},a_{\tau})\}$.

4) Backpropagation: After computing the score for the terminal state $S_{T}$, the trajectory $\tau$ is backtracked from the leaf node till the root node. The cumulative reward $R(S_{t},a_{t})$ and node visit count $N(S_{t},a_{t})$ for each node in $\tau$ are updated with $R(S_{T})$ and $1$, respectively. Next, the process repeats from Stage 1) again.

To obtain a zero-shot predictor, we have to collect historical S-PSCA data in a one-time effort. Key challenges here are (i) high runtime cost of S-PSCA evaluation even for such one-time effort and (ii) ensuring a representative dataset of diverse netlists with varying S-PSCA resilience. Next, we discuss how we tackle these challenges and finally outline the actual training approach.

Having established a fast and accurate zero-shot predictor, we now have to integrate it into an search strategy for maximizing PSCA resilience. \AcfMCTS, with its ability to intelligently balance exploration and exploitation, is a natural fit for this complex task. Its delayed reward model aligns with our problem.

After completion of the MCTS process, we obtain the best synthesis recipe using a greedy approach following standard procedures (most-rewarding-node selection and most-visited-node selection). This recipe is expected to generate the most S-PSCA resilient design post-countermeasure application. Finally, we synthesize the circuit using this recipe, apply the countermeasure of choice, and run an actual S-PSCA evaluation to report the final $PT_{score}$.

AES Implementation. We use non-masked Electronic Code Book (ECB) mode AES with S-Box as a look-up table. ECB mode pads data until the length of the block which is 128.

We use a commercial 28nm technology library, focusing on the TT corner (25 degrees Celsius, 0.9V), and using different VT cells.

S-PSCA Setup. We implement a C++-based CPA attack following (knechtel22_PSC). It incrementally increases the number of traces through coarse and thorough sampling for 128 trials, aiming for a 90% success rate with thorough sampling. In other words, the attack is thoroughly assessed in multiple runs, not only one-shot trials.

The total number of traces depends on the case study; for baseline AES, up to 10K traces are sufficient, whereas QuadSeal and ELB countermeasures on top require 50K and 100K traces, respectively.

$PT_{score}$ Predictor. We collected a corpus of 1,000 random, different synthesis recipes for the baseline AES, with features extracted as in Section 4. This took us $\approx$30 days. We split the dataset into 80% and 20% for training and testing, respectively.

We used XGBoost (chen2016xgboost), a scalable and distributed, gradient-boosted decision tree (GBDT) library to implement the predictor model. We trained our model on an AMD EPYC 7542 server equipped with 128 CPUs and 1TB RAM, running Red Hat Enterprise Linux Server Release 7.9 (Maipo). The CAD flow utilized both open-source and commercial tools, including Synopsys VCS M-2017.03-SP1 for RTL and gate-level simulations, Yosys for logic synthesis, and Synopsys PrimeTime PX M-2017.06 for power simulations.

ASCENT Framework. We developed ASCENT in-house by implementing MCTS algorithm and plugged it with $PT_{score}$ . We compute the handcrafted features generated from the synthesized netlist and pass it to $PT_{score}$ which provides quick feedback with a latency of 100 ms. We use Yosys (v0.38) to perform end-to-end synthesis which takes roughly $\sim$2.8 minutes on a single thread CPU run on our Intel server (Frequency: 2.3GHz, Memory: 256GB).