Power Analysis of Single-Rail Storage Elements as Used in MDPL

Several dual-rail logic styles make use of single-rail flip-flops for storing intermediate states. We show that single mask bits, as applied by various side-channel resistant logic styles such as MDPL and iMDPL, are not sufficient to obfuscate the remaining leakage of single-rail flipflops. By applying simple models for the leakage of masked flip-flops, we design a new attack on circuits implemented using masked single-rail flip-flops. Contrary to previous attacks on masked logic styles, our attack does not predict the mask bit and does not need detailed knowledge about the attacked device, e.g., the circuit layout. Moreover, our attack works even if all the load capacitances of the complementary signals are perfectly balanced and even if the PRNG is ideally unbiased. Finally, after performing the attack on DRSL, MDPL, and iMDPL circuits we show that single-bit masks do not influence the exploitability of the revealed leakage of the masked flip-flops.