Towards Efficient and Reliable
Side Channel Evaluations at Design Time
Danilo Šijačić, Josep Balasch, Bohan Yang, and Ingrid Verbauwhede
imec-COSIC, KU Leuven, Belgium
Email: name.surname@esat.kuleuven.be
Abstract—Models and tools developed by the semiconductor
community have matured over decades of use. As a result,
hardware simulations can yield highly accurate pre-silicon
estimates for e.g. timing and area figures. In this work we
design, implement, and evaluate a highly efficient framework
that combines a largely automated full-stack standard-cell
design flow with state of the art techniques for side channel
analysis. We show how this approach can be used to efficiently
evaluate side channel leakage prior to chip manufacturing.
Moreover, it is independent of the underlying countermeasure
and it can be applied starting from the earliest stages of the
design flow. In addition to the description of our toolchain
we provide experimental validation through assessment of the
side channel security of representative cryptographic circuits.
We discuss aspects related to the performance, scalability,
and utility of our approach. In particular, we show that our
toolchain can evaluate information leakage with 1 million
simulated traces in less than 4 hours using a single desktop
workstation, for a design larger than 100kGE.
1. Introduction
1.1. Motivation
Side Channel Attacks (SCA) are acknowledged as major
threats to cryptographic implementations. Unlike conven-
tional cryptanalysis techniques stemming from mathemat-
ics, SCA leverage information that leaks through inherent
physical channels. A very popular exploitable channel is
the instantaneous power consumption (IPC) [1] of a device.
IPC measurement, or power trace carries within information
about the values and operations internally processed by a cir-
cuit, including cryptographic keys. SCA security assesment
is ultimately done after a device is manufactured. Vulnera-
bilities discovered by millions of post-silicon measurements
cause major set backs, or can detect flaws that require
complete redesign. In this context, simulations rise as an
attractive alternative to assess the security of cryptographic
implementations at design time. Simulation techniques for
typical hardware design constraints are long-studied and
well-integrated into Electronic Design Automation (EDA)
tools. Hence they can provide remarkably accurate area,
delay, and power estimates even in the earliest design stages.
We aim to leverage this knowledge and show how it can
be efficiently combined with the SCA evaluation techniques
to diagnose SCA leakage starting from the earliest design
steps.
1.2. Related Work
The topic of IPC simulation in the context of SCA has
been previously addressed in the literature. The generation
and analysis of IPC estimates is in fact the prevalent ap-
proach to evaluate secure logic styles. To name a few, Tiri
and Verbauwhede [2] target an AES core implemented in
Wave Dynamic Differential Logic (WDDL) [3]; Regazzoni
et al. [4] instruction set extensions in MOS Current Mode
Logic; Custom design flows [5], and models [6], [7], [8]
are tailored for specific cases. It is understood from these
works that different balances of the simulation accuracy/time
trade-off influence the security assessment. Nevertheless, to
the best of our knowledge there is no information on the
computational cost of these simulations, nor detailed insight
in how they should be carried out.
1.3. Our Contributions
We address SCA evaluations at design time in a whole-
some and methodical manner. To make this approach prac-
tical, we develop, implement, and document a configurable
and extensible framework. It combines state of the art EDA
tools for synthesis and simulation with our custom parsers
and analysis tools written in C. Secondly, we experimen-
tally validate our toolchain by applying it to a number
of protected circuits representative of cryptographic imple-
mentations. Lastly, we apply our toolchain to analyse a
larger circuirt and provide a discussion of our toolchain and
proposed methodology.
2. Design Time Evaluation Framework
Precision of modern EDA models and absence of noise
allow simulations intimate observations of the target circuit,
otherwise unatainable using measurements. Available early
in the design flow, simulations may greatly reduce time
to market and make the entire design process error prone.
Hence SCA evaluations at design time can be great help
for the digital designers. Nevertheless, simulations can not
capture manufacturing defects and variations. For this reason >_
they are not a replacement for lab evaluations, but a valuable CLI LM Handlers
design aid.
1 2 3 4 5 LS LT PS LSIM PSIM SSIM
SM
2.1. Design Rationale Parameters
2 run.LS
beh.LSIM
2 1 syn.LSIM
...
32 run.LT 3 2 1 gln.LSIM
43 2 run.PS 4 3 2 1 par.LSIM
We focus on standard-cell (SC) design flow, as the most
widely used in practice. SC libraries are collections of basic 5 Analyzers 5 Parsers Generators
(e.g., AND2, OR2, INV), as well as more complex (e.g., TVLA DoM ... LP PP SP TG DG SG
MUX21) cells. They entail different physical “views” of
SCs that are used for synthesis, simulation and optimiza- *.afd *.pff 1 tb.v 2 syn.sdf

tion. SC design flow can be generally divided into three X C tool User I/O x Textual file i Parameter set i

design stages: behavioral, structural, and physical. In the X Python tool >_ Command line interface x Binary file i x Parametrized file

behavioral stage, the functionality of a design is commonly Figure 1: High level architecture of the toolchain.
captured using hardware description languages. In the struc-
tural stage, the design is mapped to a set of SCs from a TABLE 1: List of commercial EDA tools used.
library through the processes of logic synthesis and library Acronym Function Tool
translation. In the physical stage, the design is brought to LS Logic synthesis Synopsys Design Compiler
its final, post-layout form through the process of physical LT Library translation Synopsys Design Compiler
synthesis. After each synthesis step, design estimates are PS Physical synthesis Cadence Innovus
obtained by means of simulation. Designs are to proceed LSIM Logic simulation MentorGraphics ModelSim
PSIM Physical simulation Synopsys PrimeTime with PX plugin
to the next stage, only once they fit all constraints. If this SSIM SPICE simulation Synopsys HSPICE
is not the case, designers can immediately proceed to fix
their design. The goal of our work is to incorporate SCA
evaluations at design time in the same manner. description in e.g. Verilog. Logic functionality is synthesized
Information leakage estimates obtained at different ab- (SYN) using generic logic gates. This functionality is then
straction layers need to be analyzed in order to assess mapped to library cells of a concrete library, to form a
the security of a circuit. We opt for a lightweight method gate-level netlist (GLN). Placed and Routed (PAR) design
Test Vector Leakage Assessment (TVLA) methodology pre- stage comes last, before the tape-out. Generators are utility
sented in [9] uses the T-test distinguisher to detect statistical
dependencies between sensitive data and side channel infor-
mation contained in IPC measurements. The test analyzes design.v 2 run.LS 3 2 run.LT 43 2 run.PS
two classes of measurements (partitioned according to sensi-
BEH LS SYN LT GLN PS PAR
tive information) to assess whether their means are different.
A so-called t value is calculated by applying the Welch’s t-
test. If the t value is outside the ±4.5 range, the test rejects x Design stage
x Commercial tool
the null-hypothesis with confidence greater than 99.999% SCA evaluation
SCA closure 2 1 syn.LSIM 3 2 1 gln.LSIM 4 3 2 1 par.LSIM
for large numbers of measurements, i.e. indicating that the
mean of the sets at a particular sample is distinguishable Figure 2: SC design flow stages using our toolchain.
and thus highlighting the existence of side-channel leakage.
tools which primarily aid the automation. The test bench
2.2. Framework Description generator (TG) produces test benches based on Verilog code
of the design (e.g. tb.v) and parameters obtained from the
Our framework is depicted in Figure 2. Through a simple SM. A Delay Generator (DG) is additionally used to annotate
Command Line Interface (CLI) it allows traversal of entire generic netlists at SYN design stage (see ∆-delay model
design and analysis stages. in Section 2.3). We design a set of parsers optimized to
The Session Manager (SM) is responsible for keeping process and store IPC data in a SCA-friendly manner; and
track of sets of parameters of the design. We distinguish 5 implement it in C. Regardless of the type of data we parse,
types of parameters:

1 simulation,
2 design constraints,
3 Logic Parsers (LP), Power Parsers (PP), and SPICE Parsers
design resources,
4 physical constraints,

5 power models. (SP) output a Power Frame File (PFF), a custom binary
Handlers wrap commercial EDA tool, thereby facili- format. We use analyzers to process PFF files. Each sub-
tating design and simulation stages in a streamlined and module implements a technique necessary to assess the SCA
automated manner. They produce TCL scripts (e.g. run.LS, security of the circuit, e.g. TVLA or DPA. In particular
par.LSIM) used to control the underlying tools. The set for TVLA, we follow the roadmap due to Schneider and
of commercial tools we currently rely on, together with its Moradi [10] which enables estimation and computation of
acronym, is given in Table 1. The traversal of design stages distribution parameters in a single pass. The reason why
is depicted in Figure 2. The initial behavioral (BEH) stage we abstain from applying the faster leakage assessment
enables design capture and functional simulation of a circuit of Reparaz et al. [11] is the prohibitive cost of storing
histograms in our setting, i.e. with high sampling rates and
quantization bits larger than 8 bits.
2.3. Simulation Models
Composite Current Sources (CCS) are state of the art SC
models used for timing and power simulations with accuracy
comperable to SPICE. For each SC they capture a high
level of detail, such as asymmetries of transitions caused
by different input pins of a SC. We rely on these models in
GLN and PAR stages. In earlier stages we use using ∆-delay
models. For each SC, regardless of its functionality, size, or
input transition, the output is delayed by ∆ such that:
1) ∆ = 0, also known as zero-delay model;
2) ∆ > 0;
3) ∆ = f (F, δ), where F is the cells’ fanout, and δ
is the delay when F = 1.
The selection of f allows to refine the model. In this work
we opt for a simple version given in Equation 1,
∆ = δ(1 + (F − 1)θ), (1)
where θ represents a scaling factor between 0.05 ≤ θ ≤
0.20. Commonly the number of toggles is used to represent
IPC in the SCA community. It is a very crude model based
on the predominance of dynamic power consumption. It
is completely symmetrical in a sense that each transition
always results in a Dirac-like pulse of unitary height. To
address the assymetry between rising and falling edges of a
SC, we ameliorate this model as shown in Equation 2.
 0
 1 for rising edge,
Ptransition = 1 − α for falling edge, (2)
 0 otherwise,
with parameter −1.0 ≤ α ≤ 1.0. We refer to it as Marching-
Sticks Model (MSM) for its graphical interpretation. In a
sense, we can relate MSM to CCS power models in the
same manner as ∆-delay models relate to the timing ones.
2.4. Simulation Methodology
Our methodology sits directly on top of every stage in
the traditional SC design flow. While these stages may be
technically alike to the functional simulations for timing
closure (e.g., use same tools), the rationale behind them is
completely different. In the traditional design flow designers
care about the values in the steady state, i.e. after all
transitions have settled. In contrast, we focus on observing
changes in the dynamic IPC caused by an input transition.
In order to capture all possible transitions of a circuit with
n input bits we need to simulate 22n − 2n transitions.
We call this type of simulation Exhaustive Dynamic Power
Capturing (EDPC). We find this feasible for circuits with
up to 16 input bits. We primarily use EPDC for rigorous
evaluation of smaller design blocks, such as S-Boxes or
masked AND gates. For larger designs, we use (pseudo-)
random transitions.
3. Experimental Validation
To validate our toolchain we perform series of experi-
ments using different representative cryptographic circuits,
design stages, and model flavors. Due to spatial limitations
we present only the first-order secure TI PRESENT S-box
by Poschmann et al. [12]. The 4-bit PRESENT S-box is
decomposed into two quadratic S-boxes F and G, which
are split into three shares in accordance to the principles of
Threshold Implementations (TI). The overall design requires
three shares per variable and consumes no internal random-
ness. The total number of inputs (resp. outputs) is thus 12
(4 sensitive bits masked with 3 shares), leading to more
than 16 million measurements for all possible transitions.
We perform all experiments using a single thread of the
Intel i7-7700k. We use a 45nm open source SC library from
NanGate. Simulation resolution is set to 1ps.
Combining EDPC and first-order fix1 vs. random TVLA
for this circuit results in a contant t-value equal to zero using
MSM power models. As expected, this design shows no
signs of leakage in the first-order moment. Figure 3 shows
the result of the first-order TVLA given that one share is
turned off (fixed input value to zero). As expected, breaking
defining property of TI yields an insecure implementation,
caught by our tools. Additionally, Figure 3 shows how well
MSM compares to CCS models. Figure 4 shows the result of
30
20
10
t-score
10
20 CCS
MSM
300 500 1000 1500 2000 2500 3000 3500
t[ps]
Figure 3: First order TVLA, MSM vs. CCS at GLN stage,
224 − 212 traces, first share off.
the second-order TVLA for the first 1 million of transitions.
As expected, this implementation is not secure in higher
orders.
4. Discussion
For this approach to be practical it has to yield results in
a timely manner, such that designers are delayed minimally.
Table 2 gives runtimes of simulations and processing of IPC
data per 1 million traces at PAR stage that involves fully ex-
tracted layout parasitics. These numbers are obtained using
a single thread. Due to the embarassingly parallel nature of
these simulations computations can be broken into smaller
batches (e.g. 10k traces large), and fed to the LSIM → LP →
TVLA pipeline. Since all TVLA evaluations are performed
on the fly using [10], in case a faulty implementation is
1. Fix set corresponds to the case were all 4 unshared input bits equal
zero.

40
20
t-score
0 well as partial funding from Intel.
20
40
0 500 1000 1500 2000 2500
t[ps]
Figure 4: Second order TVLA, MSM at PAR stage, 1 million
traces.
analyzed designers may get feedback much before all the
traces are run. To test the scalability of this approach we
apply this recipe to a fully unrolled, 127kGE large AES
circuit. We find the obtained numbers favorable. Namely,
under these assumption 1 million traces at 1ps resolution,
evaluated in less than 36 thread hours. This maps to 4 hours
on a single $300 CPU for a design that exceeds 100kGE.
Since all models are deterministic this can easily be run
on multiple machines, making it a very efficient and cost-
effective solution for side channel evaluations at design time.
TABLE 2: Runtime per 1 million traces, per 1 thread of
i7-7700k, for PAR stage simulations.
Design Area [kGE] Period [ps] Simulate [h]
PRESENT 0.35 3600 0.01
AES-128 127.18 36000 30.33
5. Conclusions and Future Work
In this work we present a comprehensive and extensible
framework for SCA evaluation at design time. Based on state
of the art EDA tools and SCA evaluation methodologies,
it combines them in a methodical and automated manner.
We benchmark the performance of our complete toolchain
to show its suitability in testing realistic cryptographic de-
signs, and argue its feasibility for real-world use even when
relying on a single desktop workstation. Our next steps are
to gain insight on the influences of different SC libraries
and to explore the effects of individual parameters in more
detail. Furthermore, we plan to study the fine implications
of simulation artifacts on the manufactured chip through
comparison to actual measurements in a lab setting. We
aim to use the insights gained along this research to refine
existing models for the needs of more efficient and reliable
SCA evaluation at design time.
Acknowledgments
This project has received partial funding from the Eu-
ropean Unions Horizon 2020 research and innovation pro-
gramme under the Marie Skłodowska-Curie grant agreement
No. 643161, and HECTOR grant agreement No. 644052; as
References
[1] P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in
Advances in Cryptology - CRYPTO ’99 (M. J. Wiener, ed.), vol. 1666
of LNCS, pp. 388–397, Springer, 1999.
[2] K. Tiri and I. Verbauwhede, “Simulation models for side-channel
3000 3500
information leaks,” in Design Automation Conference - DAC 2005
(W. H. J. Jr., G. Martin, and A. B. Kahng, eds.), pp. 228–233, ACM,
2005.
[3] K. Tiri and I. Verbauwhede, “A logic level design methodology for
a secure DPA resistant ASIC or FPGA implementation,” in Design,
Automation and Test in Europe - DATE 2004), pp. 246–251, IEEE
Computer Society, 2004.
[4] F. Regazzoni, A. Cevrero, F. Standaert, S. Badel, T. Kluter, P. Brisk,
Y. Leblebici, and P. Ienne, “A design flow and evaluation framework
for dpa-resistant instruction set extensions,” in Cryptographic Hard-
ware and Embedded Systems - CHES 2009 (C. Clavier and K. Gaj,
eds.), vol. 5747 of LNCS, pp. 205–219, Springer, 2009.
[5] K. Tiri and I. Verbauwhede, “A digital design flow for secure in-
tegrated circuits,” IEEE Trans. on CAD of Integrated Circuits and
Systems, vol. 25, no. 7, pp. 1197–1208, 2006.
[6] M. Aigner, S. Mangard, F. Menichelli, R. Menicocci, M. Olivieri,
T. Popp, G. Scotti, and A. Trifiletti, “Side channel analysis resistant
design flow,” in 2006 IEEE International Symposium on Circuits and
Systems, pp. 4 pp.–2912, May 2006.
[7] A. Moradi, M. Salmasizadeh, M. T. M. Shalmani, and T. Eisenbarth,
“Vulnerability modeling of cryptographic hardware to power analysis
attacks,” Integration, the VLSI Journal, vol. 42, no. 4, pp. 468 – 478,
Process [h] 2009.
0.01 [8] D. Fujimoto, M. Nagata, T. Katashita, A. T. Sasaki, Y. Hori, and
5.58 A. Satoh, “A fast power current analysis methodology using capacitor
charging model for side channel attack evaluation,” in Hardware-
Oriented Security and Trust - HOST 2011, pp. 87–92, IEEE, 2011.
[9] J. Cooper, E. DeMulder, G. Goodwill, J. Jaffe, G. Kenworthy,
and P. Rohatgi, “Test Vector Leakage Assessment (TVLA) method-
ology in practice.” International Cryptographic Module Confer-
ence, 2013. http://icmc-2013.org/wp/wp-content/uploads/2013/09/
goodwillkenworthtestvector.pdf.
[10] T. Schneider and A. Moradi, “Leakage assessment methodology -
A clear roadmap for side-channel evaluations,” in Cryptographic
Hardware and Embedded Systems - CHES 2015 (T. Güneysu and
H. Handschuh, eds.), vol. 9293 of LNCS, pp. 495–513, Springer, 2015.
[11] O. Reparaz, B. Gierlichs, and I. Verbauwhede, “Fast leakage as-
sessment,” in Cryptographic Hardware and Embedded Systems -
CHES 2017 (W. Fischer and N. Homma, eds.), vol. 10529 of LNCS,
pp. 387–399, Springer, 2017.
[12] A. Poschmann, A. Moradi, K. Khoo, C. Lim, H. Wang, and S. Ling,
“Side-channel resistant crypto for less than 2, 300 GE,” J. Cryptology,
vol. 24, no. 2, pp. 322–345, 2011.