QRL: A High Performance QuadrupleRail Logic for Resisting DPA on FPGA Implementations
 1.1k Downloads
Abstract
DualRail Precharge Logic (DPL) has proven to be an effective countermeasure logic style against Differential Power Analysis (DPA). All previous DPL architectures employ the precharge mechanism to achieve DPA resistance. However, due to its additional precharge phase, an inherent drawback of these DPL architectures lies within its degraded performance (less than 1/2 times compared to the nominal data rate), and hence they are not suitable for applications where high performance is required. In this paper, we present QuadrupleRail Logic (QRL), a new DPAhardened approach for cryptographic implementations in FPGA. The main merit of this proposal is that the system throughput can be effectively maintained by removing the precharge phase. By introducing a synchronized and identical quadruplerail network, strengthened DPA resistance can be achieved. In order to test the robustness of QRL against DPA, we launch DPA on a QRLbased standard AES processor on Xilinx Virtex5 FPGA. The experimental results show that DPA on QRL AES is failed by analyzing 100,000 power consumption traces, which achieves the competitive DPA resistance level as typical DPL schemes, and gains at least 110 times stronger than the unprotected AES.
Keywords
FPGA Power analysis Dualrail precharge logic (DPL) High performance Quadruplerail1 Introduction
Since the inspiring work of Kocher et al. [7], Differential Power Analysis (DPA) has been widely considered as a critical threat to the hardware implementations of cryptographic algorithms. The idea of DPA is that the processed data in the crypto device inevitably has correlation with the amount of the withdrawn current from the power source. By analyzing the dependencies hidden inside the collected power consumption, some confidential information, typically as the cipher key, can be exploited. FPGA has been one of the most widely used platforms of cryptographic implementations, and it is shown in [10, 13] that DPA can be a real and important threat against the FPGA based cryptographic implementations. Moreover, authors of [14] show that the register on FPGA is an important source of power leakage, and the activity of register can be easily distinguished due to the enable signal of registers managed by a control part, which makes register the most common DPA attack element on FPGA.
To defeat DPA, many countermeasures need to be applied at lowlevel logic layers, i.e., gate level or layout level. This is due to the fact that many significant power leakages come from the physical level rather than the higher algorithmic level. DualRail Precharge Logic (DPL) is one of the typical protection methods aiming at lowlevel protection. In order to compensate the datadependent power leakages, two parallel rails corresponding to the true rail and the false rail are generated to work in the evaluation phase and the precharge phase periodically. However, one of the most influential drawbacks of DPL scheme is the significant degradation of the system throughput, since the precharge phase which generates invalid value in the circuit commonly occupies a great portion of the computation time. For instance, the calculation speed of WDDL (a typical DPL scheme) [18] falls to 50 % of the unprotected implementation. In fact, all DPL methods suffer from such a reduction of computational performances. Thus, these countermeasures are not suitable for the high performance environments (e.g., base stations in modern encryptionsupported mobile communication systems).
Two possible methods to solve this problem are reducing the precharge phase and eliminating the precharge phase. In [9], a nonregular clock is applied to BCDL, in order to reduce the precharge phase. Unfortunately, the nonregular clock is more complex than the conventional clock scheme, and the speed of BCDL still falls to 75 % of the unprotected implementation. Different from DPL schemes, a new DualRail scheme named HDRL [16] removes the precharge phase, by connecting together the ground voltage current (i.e. VSS) of the complementary gate and the supply voltage current (i.e. VDD) of the original gate. However, HDRL is not applicable to FPGAs, since the VSS and VDD cannot be properly implemented on LookUpTables (LUTs).
Our Contributions. In this paper, we follow the same general idea about eliminating the precharge phase and take advantage of the strategy of trading space for time, in order to improve the performance of our DPA countermeasure. We propose a new DPAhardened approach on FPGA based implementations, namely, the QuadrupleRail Logic (QRL) architecture, which can maintain a high performance that is approximately equal to the unprotected system, while without sacrificing its resistance against DPA attacks. In order to verify the robustness of QRL against DPA, we perform experiments on a QRLenabled AES implementation based on FPGA. The experimental results show that the DPA robustness of QRL is as good as a typical DPL scheme WDDL, and is at least 110 times stronger than the unprotected AES implementation.
Organization. In Sect. 2, we briefly introduce the related works of existing DPL solutions. Section 3 discusses the reason for the performance degradation and introduces the details of our new QRL structure. We launch experiments to further demonstrate the strength of QRL against DPA in Sect. 4. Section 5 concludes the paper.
2 Related Work
DPL is one of the most typical logiclevel countermeasures against DPA. The operation of the DPL logic is defined by two main concepts. First, DPL has two parallel rails, namely, the dualrail which consists of the original (True/T) rail and the complementary (False/F) rail as a counterpart of the T rail. Therefore, the signals in DPL are represented with a pair of values which are generated by the T rail and the F rail respectively. Second, the dual rails work simultaneously in complementary behaviors. More precisely, the T rail and the F rail work in the evaluation and the precharge phase periodically. In each evaluation period, the value \(a_{(T)}\) in T rail and \(a_{(F)}\) in F rail compensate with each other (i.e., \([a_{(T)}:a_{(F)}]\) is always in state of [1 : 0] or [0 : 1]). In each precharge period, the pair of values \([a_{(T)}:a_{(F)}]\) is reset to a fix state (typically [0 : 0]). In a sequel, the circuit system theoretically provides constant power consumption regardless of the processed data if DPL can be properly realized. The theoretical foundations for security of dualrail logic and some efficient techniques for building such logic circuits is introduced by [6].
Many architectures have been introduced for achieving a secure and lowcost DPL realization. Wave Dynamic Differential Logic (WDDL) was proposed in [18], where a logic wave of values ‘0’ is propagated through all the gate of the combinatorial logic chain. To optimize and improve DPL, several techniques have been previously proposed. Some techniques focus on the problem about identical routing, such as MDPL (Mask DPL)[11], DWDDL (Double WDDL) [19], and routing repair methods [4]. Others pay attention to the Early Propagation Effect (EPE) [15]. For instance, DRSL [2], STTL [12], BCDL [9], DPLnoEE [1], and PADPL [3], take different tactics to overcome the EPE problem.
According to the effect of the precharge mechanism, one of the most influential drawbacks of DPL schemes is its significant decrease of the performance. In [9], authors prove that among several schemes (WDDL, MDPL, STTL, DRSL, Seclib, IWDDL and basic BCDL), all schemes provide a low calculation speed which is less than 50 %. The performance of PADPL is also less than half of the unprotected implementation. In [3] and [4], two PADPL instances respectively provide 25 % and 41.7 % evaluation time during each clock cycle.
To improve the performance of DPL schemes, two solutions are usually employed: the first is to reduce the precharge phase and the second is to eliminate the precharge phase. The first idea can be achieved by using a nonregular clock, which leads to a shorter clock cycle in each precharge phase. In [9], compared with the basic BCDL, the accelerated BCDL can achieve a higher speed up to 1.3–1.5 times. More precisely, the maximum frequency of the accelerated BCDL is 50.64 MHz, rising up to 70 % of unprotected implementation (71.88 MHz of unprotected implementation). Unlike the DPL architectures, a DualRail scheme called HDRL [16] improves the calculation speed by following the second idea. HDRL is designed based on the hypothesis that the VSS current drawn by a gate is indistinguishable for different inputs. The complementary pair of gates consists of two identical gates where the VDD of the gate in F rail is connected with the VSS of the gate in T rail. Through this scheme, the precharge phase is unnecessary and HDRL can achieve a higher calculation speed that is approximately equal to the unprotected system. HDRL is the first approach to eliminate the precharge phase, although the source current drawn by the circuit is not considered in HDRL, and the result is based on simulation tools rather than practical experiments [8].
However, compared with the unprotected implementation, both ideas have some drawbacks. Although the nonregular clock provides a less precharge time, the performance degradation still exists. Another drawback of the nonregular clock is that it may be limited by the clock system in ASIC or FPGA. Furthermore, even if HDRL is a good method to remove the precharge phase, it is not suitable for FPGA platform, where the VSS and VDD of LUT are restricted. Therefore, how to increase the performance of DPLlike approaches remains an open problem, and it is still the main bottleneck to apply these countermeasure in high performance environments, especially in FPGA.
3 QuadrupleRail Logic
Although HDRL is not suitable for FPGA platform, it does imply that the DPL structure without the precharge mechanism is a promising approach to achieve higher performance. Based on the general idea, we propose a logic style named QuadrupleRail Logic (QRL), which follows the strategy of trading space for time to highly improve the performance while still maintaining strong DPA resistance.
3.1 The Low Performance and Precharge Mechanism
However, the precharge mechanism plays an important role in DPL, where the precharge phase is inserted between two adjacent evaluation phases to forcibly reset the whole system, except for the values stored in the precharge state, as shown in Fig. 1. Let CntS and Cnt1 be the number of switches between every two adjacent states and value ‘1’ in each state respectively. It is obvious that all values of CntS are 1 in both phases. At the same time, Cnt1 keeps 1 in each evaluation phase and 0 in each precharge phase. This operation ensures that each complementary signal pair \([a_{(T)}: a_{(F)}]\) is able to provide constant values in both phases, and only one bit switch in each phase. Thus, this scheme effectively mitigates the variations of the power leakages, but at the expense of occupying half of the duty cycle of the evaluation phase. Briefly speaking, DPL provides a dualrail complementary scheme in circuit: the first one is the value complement through the dualrail mechanism, and the second one is the switch complement through the precharge mechanism.
3.2 QRL Architecture

Value Complement. Maintain each state of the complementary signal pair which has half and only half bits to ‘1’.

Switch Complement. Maintain two adjacent states of the complementary signal pair which have half and only half bits switch. In other words, the new scheme ensures that the complementary signal pair has half and only half bits switch in each clock cycle.

No precharge. The precharge phase is fully removed.

Original (True/T) rail: the value \(a_{(T)}\) in the T rail is the original value in the unprotected single rail circuit.

Complementary (False/F) rail: the value \(a_{(F)}\) in the F rail is the complementary value of \(a_{(T)}\) as the case of DPL, i.e., \(a_{(F)}=\overline{a_{(T)}}\).
 Switch complementary (SC) rail: the value \(a_{(SC)}\) in the SC rail is generated by \(a_{(T)}\) and the last state of \(a_{(T)}\). When \(a_{(T)}\) is switched in two adjacent states, \(a_{(SC)}\) would keep its state. On the contrary, \(a_{(SC)}\) would be switched. To sum up, the switch complementary rail ensures that the signal pair \([a_{(T)}:a_{(SC)}]\) has one and only one switch in each clock cycle. Let \(a^L_{(\upsilon )}\) and \(a^P_{(\upsilon )}\) denote the last and the current state of the value \(a_{(\upsilon )}\). The value \(a^P_{(SC)}\) is described by:$$\begin{aligned} a^L_{(T)} \oplus a^P_{(T)}= & {} \overline{a^L_{(SC)} \oplus a^P_{(SC)}} \nonumber \\ a^P_{(SC)}= & {} a^L_{(T)} \oplus a^P_{(T)} \oplus \overline{a^L_{(SC)}}. \end{aligned}$$(1)
 Double complementary (DC) rail: the value \(a_{(DC)}\) in the DC rail is the complementary value of \(a_{(SC)}\). The DC rail is not only the value complement of the SC rail, but also ensures that the signal pair \([a_{(F)}:a_{(DC)}]\) has one and only one bit switch in each clock cycle. Similarly, the value \(a^P_{(DC)}\) is described by:$$\begin{aligned} a^P_{(DC)}= & {} a^L_{(F)} \oplus a^P_{(F)} \oplus \overline{a^L_{(DC)}}. \end{aligned}$$(2)
Based on the aforementioned theoretical elaboration, we discuss the practical implementation of QRL. Firstly, we show how to implement the basic component, namely, the QRLenabled compound register system. Then we explain how to complete the whole QRL system.
3.3 QRL Register Exemplar
3.4 Generalized QRL
Although the register can be easily protected by QRL, similar protection manner can not be applied to LUT, the basic calculation component in FPGA, mainly due to the fact that the last state of LUT cannot be stored. As a result, it is impossible to make the LUTs on SC and DC rails meet the Switch Complement principle. Therefore, a different strategy of implementing QRL on LUT must be developed.

Reset the complementary signal quartet \([a_{(T)}:a_{(F)}:a_{(SC)}:a_{(DC)}]\) which meet that \(a_{(SC)}=a_{(T)}\), \(a_{(F)}=\overline{a_{(T)}}\), and \(a_{(DC)}=\overline{a_{(SC)}}\). According to Eq. 5, in such situation, \(a_{(SC)}=a_{(T)}\) in each even clock cycle, and \(a_{(SC)}=a_{(F)}\) in each odd clock cycle. The relationship of \(a_{(DC)}\) is similar.

Reset the complementary signal quartet \([a_{(T)}:a_{(F)}:a_{(SC)}:a_{(DC)}]\) which meet that \(a_{(SC)}=\overline{a_{(T)}}\), \(a_{(F)}=\overline{a_{(T)}}\), and \(a_{(DC)}=\overline{a_{(SC)}}\). As similar as the first case, in such situation, \(a_{(SC)}=a_{(F)}\) in each even clock cycle, and \(a_{(SC)}=a_{(T)}\) in each odd clock cycle. The relationship of \(a_{(DC)}\) is similar.
Taking each rail which consists of register and LUT into consideration, the compound register system should be replaced with four standard registers. The inputs of registers are generated by LUTs on each rails, and the outputs of registers become inputs of subsequent LUTs on corresponding rails. Therefore, the generalized QRL scheme consists of two parts. The first part is the compound register system, which stores the input data (e.g., plaintext and key) from the top module, in order to generate the complementary signal quartet \([a_{(T)}: a_{(F)}:a_{(SC)}:a_{(DC)}]\). The second part is the four divided rails, which consist of registers and LUTs , in order to complete the compensation of the quadruplerail network. More precisely, the generalized QRL scheme can be completed only by the second part, when the input data from the top module meets the requirement of the complementary signal quartet.
Moreover, QRL can be potentially applied to other nonFPGA platforms, although it is designed directly for FPGA scenarios. LUT, which is the special component in FPGA, can be implemented by standard CMOS cells. For instance, ASIC platform, which has more design freedom to designers than FPGA, can generate a QRL circuit by standard CMOS cells. Consequently, QRL is not only suitable for FPGA, but also portable to other platforms.
4 Implementation and Security Evaluation
In order to evaluate the robustness, area cost and performance of QRL, we implemented AES128 with three different structures, an unprotected AES128, a WDDL AES128 and a QRL AES128 on a Xilinx Virtex5 XC5VLX50 FPGA, where the clock frequency is 2 MHz.
4.1 Implementation
To implement QRL, we used a strategy based on an automated “copypaste” and “conflictrepair” method as mentioned in [5, 17], which can reduce the design complexity and provide more balanced routing on FPGAs. Firstly, we split the initial AES128 design into two functional modules, one functional module Cont to supply clock signal, to control I/O and to be the top package, the other called Enc to preform AES algorithm. It is obvious that only the securitysensitive Enc needs to be transformed into QRL style. Then, the original rail in Enc is generated with 5input LUTs, and other three rails are created by the “copypaste” execution. In this case, it would hardly be possible to repair the routing conflicts between four rails with an interleaved placement way, so we adopt the separate placement of each rail in QRL. Next, we insert the control signals Par and En into corresponding LUTs, and recode the Boolean functions of these LUTs. Afterwards, all wires are routed and repaired by the “reroute” execution in the FPGA editor. Finally, the netlist is exported to the FPGA editor to generate the bitstream.
4.2 Security Evaluation and Attack Results
Pearson Correlation Coefficient based Power Analysis (CPA) is applied during the security analysis, for evaluating the security level of the QRL against differential power attacks. In order to make fair comparisons, we launch similar attacks to an unprotected implementation and a WDDL implementation. The power traces are captured using a LeCroy WaveRunner 610Zi digital oscilloscope at a sampling rate of 2.5 GS/s. The attack point is the registers which store the Sbox outputs from each computation rounds, and the transitions of those registers will leak the information about AES subkeys. Hamming distance model is used in our experiments due to the power consumption property of register on the Virtex5 FPGA.
Rank of right key in unprotected, WDDL, QRL structures.
Rank  

Unprotected  1 
WDDL  3 
QRL  12 
According to Table 1, it is obvious that both WDDL and QRL have the tendencies that the right keys may be revealed by significantly increasing the number of power traces, although the right keys do not lead to the highest coefficient. In this case, their ranks in all key guesses list seem small, and the right keys in WDDL and QRL can be revealed by the analysis based on the \(3^{rd}\)order success rate and the \(12^{th}\)order success rate respectively. The primary cause is the unbalanced routing repairs which are generated by commercial FPGA design tools, and it is more severe in the case of QRL, which should be keep the balanced routing signal quartet. However, even if QRL suffers more serious unbalanced routing that may lead to glitches, the rank of the right key in QRL is larger than that of WDDL, which implies that the security of QRL is a little better than that of WDDL. Consequently, QRL gains an increase factor of robustness against DPA at least 110 times compared to the unprotected one, and its DPA resistance level is comparable to WDDL.
4.3 Cost and Performance Evaluation
Cost and performance of AES in unprotected, WDDL, QRL structures.
Register  LUT  Duty cycle of evaluation  Maximum throughput  

Unprotected  737  1346  100 %  1.89 Gbps 
WDDL  1505  5153  50 %  0.91 Gbps 
QRL  1505  5428  100 %  1.78 Gbps 
Compared with the unprotected structure, both register occupations of QRL and WDDL are increased by 768. The increased area of QRL comes from the registers to store the 128bit roundkey and 128bit intermediate state of each round in F, SC, and DC rails. For WDDL, the increased area is due to the “MasterSlave” register system which is commonly used in DPL architectures. The total number of occupied registers in both QRL and WDDL is less than 4 times of the unprotected one, due to the fact that some control components do not require transformation, such as the control registers in Cont. In the perspective of LUT, both the quadruplerail network with four complementary rails and the 5 inputs of LUT (the last input is used by Par or En) contribute to the increased area of QRL. However, the results show that the LUT occupation of QRL just rises up to 105 % of WDDL (5428 LUTs of QRL compared to 5153 LUTs of WDDL). This is because of the restriction to the usage of limited gates as the AND and OR logic in WDDL. More precisely, we can constraint 2 compound 2input gates to one SLICE, since there are 4 LUTs in each Virtex5 SLICE. According to the result, we find that the cost of QRL is a little more than WDDL.
Next, we discuss the performance for each design. Due to the removal of the precharge phase, the duty cycle of evaluation phase in QRL is equal to the unprotected one, which is 2 times higher than WDDL (100 % in QRL compared to 50 % in WDDL). Thus, the maximum throughput of QRL is theoretically equal to the unprotected one, and rises up to 94 % of the unprotected one in practical evaluations (1.78 Gbps of QRL compared to 1.89 Gbps of the unprotected case), which is much higher than WDDL (0.91 Gbps of WDDL). Moreover, in order to further evaluate the performance, we compare QRL to the accelerated BCDL^{1}, which has the highest performance among the existing DPL schemes for FPGA. According to [9], the duty cycle of evaluation phase and the maximum throughput of the accelerated BCDL rise up to 75 % and 53 % of the unprotected implementation respectively. It is obvious that QRL has a higher performance than the accelerated BCDL. The result implies that the more efficient solution for improving performance is to eliminate the precharge phase rather than to reduce it.
5 Conclusion
In this paper, we proposed QRL as a new countermeasure against DPA on FPGAs. Based on the strategy of trading space for time, by adopting the quadruplerail network, we can remove the precharge phase in previous DPL architectures in order to concurrently achieve high performance and high DPA resistance. Due to the elimination of the precharge phase, QRL provides the performance at a high level that is equal to the unprotected system, which is roughly 2 times higher than other DPLbased countermeasures. At the same time, the high resistance against DPA is not sacrificed. As shown in our experiments, a QRL implementation of AES128 on FPGA offers the competitive DPA resistance level as WDDL, at least 110 times stronger than the unprotected implementation. Thus, QRL is suitable for some high performance scenarios where the security enhancement is as well desired. The techniques to minimize the glitches and unbalanced routing signal quartet among each rail in QRL will be specially emphasized in the future work.
Footnotes
References
 1.Bhasin, S., Guilley, S., Flament, F., Selmane, N., Danger, J.L.: Countering early evaluation: an approach towards robust dualrail precharge logic. In: WESS 2010, p. 6. ACM (2010)Google Scholar
 2.Chen, Z., Zhou, Y.: Dualrail random switching logic: a countermeasure to reduce side channel leakage. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 242–254. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 3.He, W., de la Torre, E., Riesgo, T.: A prechargeabsorbed DPL logic for reducing early propagation effects on FPGA implementations. In: 6th IEEE International Conference on ReConFigurable Computing and FPGAs, Cancun (2011)Google Scholar
 4.He, W., de la Torre, E., Riesgo, T.: An interleaved EPEimmune PADPL structure for resisting concentrated EM side channel attacks on FPGA implementation. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 39–53. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 5.He, W., Otero, A., de la Torre, E., Riesgo, T.: Automatic generation of identical routing pairs for FPGA implemented DPL logic. In: ReConFig 2012, pp. 1–6. IEEE (2012)Google Scholar
 6.Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 7.Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 8.Marzouqi, H., Mahmoud, A., Khaled, S.: Review of gatelevel differential power analysis and fault analysis countermeasures. Inf. Secur. 8, 51–66 (2014). IETCrossRefGoogle Scholar
 9.Nassar, M., Bhasin, S., Danger, J.L., Duc, G., Guilley, S.: BCDL: a High speed balanced DPL for FPGA with global precharge and no early evaluation. In: Proceedings of Design, Automation and Test in Europe, pp. 849–854. IEEE Computer Society, Dresden (2010)Google Scholar
 10.Örs, S.B., Oswald, E., Preneel, B.: Poweranalysis attacks on an FPGA – first experimental results. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 35–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 11.Popp, T., Mangard, S.: Masked dualrail precharge logic: DPAresistance without routing constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 12.Soares, R., Calazans, N., Lomne, V., Maurine, P., Torres, L., Robert, M.: Evaluating the robustness of secure triple track logic through prototyping. In: Proceedings of the 21st Symposium on Integrated Circuits and System Design (SBCCI08), Gramado, Brazil, pp. 193–198. ACM, New York (2008)Google Scholar
 13.Standaert, F.X., Örs, S.B., Preneel, B.: Power analysis of an FPGA implementation of rijndael: is pipelining a DPA countermeasure? In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 30–44. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 14.Standaert, F.X., van Oldeneel tot Oldenzeel, L., Samyde, D., Quisquater, J.J.: Power analysis of FPGAs: how practical is the attack? In: Cheung, P.Y.K., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, pp. 701–711. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 15.Suzuki, D., Saeki, M.: Security evaluation of DPA countermeasures using dualrail precharge logic style. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 255–269. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 16.Tanimura, K., Dutt, N.: HDRL: homogeneous dualrail logic for DPA attack resistive secure circuit design. IEEE Embed. Syst. Lett. 4(3), 57–60 (2012)CrossRefGoogle Scholar
 17.Tu, C., He, W., Gao, N., de la Torre, E., Liu, Z., Liu, L.: A progressive dualrail routing repair approach for FPGA implementation of crypto algorithm. In: Huang, X., Zhou, J. (eds.) ISPEC 2014. LNCS, vol. 8434, pp. 217–231. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 18.Tiri, K., Verbauwhede, I.: A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: DATE 2004, Vol. 1, pp. 246–251. IEEE Computer Society, Los Alamitos (2004)Google Scholar
 19.Yu, P., Schaumont, P.: Secure FPGA circuits using controlled placement and routing. In: Hardware/Software Codesign and System Synthesis  CODES+ISSS 2007, pp. 45–50. ACM, New York (2007)Google Scholar