Comprehensive Study of Side-Channel Attack on Emerging Non-Volatile Memories ^†

Abstract

Emerging Non-Volatile Memories (NVMs) such as Magnetic RAM (MRAM), Spin-Transfer Torque RAM (STTRAM), Phase Change Memory (PCM) and Resistive RAM (RRAM) are very promising due to their low (static) power operation, high scalability and high performance. However, these memories bring new threats to data security. In this paper, we investigate their vulnerability against Side Channel Attack (SCA). We assume that the adversary can monitor the supply current of the memory array consumed during read/write operations and recover the secret key of Advanced Encryption Standard (AES) execution. First, we show our analysis of simulation results. Then, we use commercial NVM chips to validate the analysis. We also investigate the effectiveness of encoding against SCA on emerging NVMs. Finally, we summarize two new flavors of NVMs that can be resilient against SCA. To the best of our knowledge, this is the first attempt to do a comprehensive study of SCA vulnerability of the majority of emerging NVM-based cache.

1. Introduction

Several emerging Non-Volatile Memories (NVMs) such as Magnetic RAM (MRAM) [1,2], Spin-Transfer Torque RAM (STTRAM) [3,4,5], Phase Change Memory (PCM) [6,7] and Resistive RAM (RRAM) [8,9] offer high density/speed and low (static) power operation. Their application can extend various sectors. For example, SRAM in cache (L2/L3) can be replaced by STTRAM [10,11] since it offers compatible endurance and speed. RRAM and STTRAM can be considered to replace eFlash [10,12]. A Solid State Drive (SSD) using PCM, namely Optane is already sold by Intel [13]. Additionally, low-power computations and novel architectures can be realized by NVMs [10,11]. In addition to storage, NVMs are also investigated for novel applications, such as neuromorphic computing, ambient sensor, security primitive, etc., [10]. However, the unique NVM features brings new threats to data privacy and security. Therefore, they should be investigated properly before their wide adoption.

Vulnerabilities of emerging NVMs: NVMs are susceptible to ambient parameters, such as thermal and magnetic field. This can be leveraged to launch Denial-of-Service (DoS) attacks [14]. NVMs also suffer from supply voltage droop. The role of high supply noise (i.e., droop and ground bounce) to launch fault injection attack has also been investigated in [15]. An adversary can generate deterministic supply noise in emerging NVM-based Last Level Cache (LLC) by writing a specific data pattern in his memory. The generated noise can propagate to the victim’s space and affect the write/read operation (i.e., fault injection attacks [15]). Furthermore, NVMs suffer from asymmetric [16] and high read/write current (i.e., write/read current for data ‘1’ and data ‘0’ are different), which can be leveraged to launch Side-Channel Attack (SCA) [17,18].

SCA has been a serious threat to cryptographic chip [19] which are widely used in computer/network-based security control systems [20], as well as the secure measurement systems [21]. In prior works, secured and low-power asynchronous Advanced Encryption Standard (AES) substitution box (S-Box) has been proposed [22]. Furthermore, asymmetric mask has also been proposed to secure Data Encryption Standard (DES) circuit [19]. Traditional memories have also been investigated for their vulnerability to SCA. The work [23] shows that a geometrically regular structure can be observed in SRAM. The side channel leakage significantly correlates with the number of state transitions, which is known as Hamming Distance (HD). This is true since SRAM write current is different when a complementary data are written compared to the previously stored data. The current dependency on the data can be leveraged and information can be extracted by power analysis attacks. Therefore, the new memory technologies should be investigated for their resistance to such known threats.

This work investigates the vulnerability of various NVM-based LLC by monitoring the current drawn by the LLC from $V_{DD}$ during write and/or read operations and performing Differential Power Analysis (DPA) based SCA. We have assumed that the CPU executes cryptographic operations (typically executed on network data). The cipher text, intermediate computations and round keys are periodically written (in LLC) and read from LLC. A small resistance in series with $V_{dd}$ or GND can be leveraged to find the current drawn by LLC by measuring the voltage drop across it. The voltage can be sampled using precise instruments at high frequency (1 GHz) with high accuracy (<1% error). Note that accurate measurement of the power profile is essential of a successful attack [22]. Techniques such as [24] can provide accurate power consumption characterization. A picture of the system level illustration of attack setup is shown in Figure 1.

STTRAM suffers from high and asymmetric read/write current [26,27]. Therefore, STTRAM read/write current is a function of new data being written and the stored data. In [27], write current is leveraged to design a Correlation Power Analysis (CPA) on STTRAM-based cache. Ref. [25] extended the above lines of works and investigated various information leakage channels, such as write/read current for STTRAM and MRAM. In this work, we study the SCA vulnerability of read/write current of all emerging NVMs and analyze the attack model on the commercial chips such as MRAM. To the best of our knowledge, this paper is the first work towards this direction. In summary, this work makes the following new contributions over [25]:

• Investigate SCA vulnerability of RRAM read/write operations based on simulation results;
• Investigate SCA vulnerability of PCM read/write operations based on simulation results;
• Show that encoding read/write operations cannot protect NVM from SCA attack;
• Emphasize on more device level solutions to remove the data signature.

2. General Background

2.1. Advanced Encryption Standard (AES)

AES [28] is a NIST standard for symmetric encryption. AES is a block cipher which encrypts 128-bit plaintext P into a 128 ciphertext C, with a secret key. The key size can be chosen from 128/192/256 bits, depending on the desired security. Depending on the key size, the algorithm consist of 10/12/14 rounds, respectively. 4 sub-operations are computed in each round $R_i,0\le i\le 9$ denotes round index on a state of 128 bits organized as $4\times 4$ matrix. SubBytes (SB) is a non-linear look up table, followed by two linear permutations called ShiftRows (SR) and MixColumns (MC). A round key $k_i$ computed from master key is added to the state in each round during AddRoundKeys (ARK) operation. All rounds except the last (skips MixColumns) are identical.

The prime target of this study is the last round key $k_9$ of AES-128, which computes C = SR(SB(R₉))^∧K₉. This operation is byte-wise over 16 bytes (128 bits). Given a hardware implementation with round based architecture, the final ciphertext overwrites the state register containing $R_9$. Therefore, C (1 byte) can be computed by finding $R_9$ (1 byte) and $K_9$ (1 byte). This observation can be used to implement a divide and conquer approach to extract all 16bytes, 1byte at a time. The key expansion algorithm is public and computes the master key from $k_9$.

2.2. Side-Channel Attack

Side-channel attacks (SCA [29]) target the physical implementation of otherwise theoretically secure cryptographic algorithms. The attacks exploit observable physical traits of the target implementation, which are related to underlying sensitive computation. The observable trait which is linked to underlying CMOS technology can be timing [30], power consumption [23] or electromagnetic (EM) emanation [31], etc. In terms of power analysis, a CMOS gate consumes significant power whenever the input changes (also known as transition), while the power consumed with no input change is minimal. Moreover, there could be secondary power consumption differences in different input transition (0→1 or 1→0). These differences can be easily captured on a standard oscilloscope. If the differences are related to sensitive computation, it leaks information to the attacker. HD model is used for memory components. Note that HD is equal to the total bit flips during write operation. Next, a statistical analysis is performed to find a dependency between the simulated or observed side channel measurements and the hypothetical leakage (calculated by the leakage model using hypotheses on the key). As stated before, SCA can work in a divide and conquer setting, like byte-wise in AES, allowing recovery of small parts of the key independently and combination of the recovered key bytes to form the full key. This makes the attack complexity linear For SCA to be successful, the correct key hypothesis, compared to others, shows a significantly higher statistical dependency. Some common statistical tools that are used for SCA are Pearson correlation coefficient [32] and difference of means (DoM [29]).

2.3. Attack Model

The attack targets memory updates (read/write) in NVM with sensitive data from a cryptographic computation.

2.3.1. Attacking Write Data

For memory write operations, the target is last round update of AES-128 encryption ($R_9\to C$), where C is public. The leakage L can be modeled as: L = HD(C, R₉) + N = HW(C^∧R₉) + N where N is the noise of measurement. HW(.) denotes the Hamming Weight function, which is equal to the total number of ‘1’ in a data [33].

As $k_9$ is not known, the attacker can guess it bytewise to recover individual bytes of $l_9$. Thus, knowing one byte of C and guessing one byte of $k_9$, the attacker computes hypothetical value of $R_9$, leading to L. The correlation between L and the actual side-channel traces will be highest for the correct value of $k_9$, thus statistically revealing its value. The process is repeated for each byte of $k_9$ independently. If the algorithm is changed, the attack remains fairly the same, only functions to compute $R_9$ will be updated, which are anyways public.

2.3.2. Attacking Read Data

The attack process targeting read data are similar to the one for write. The main differences are:

The data bus is generally pre-charged to ‘0’ each clock cycle before performing a new read. This makes the initial state of the target data bus where sensitive information is read, as all 0’s. The attack targets the moment when $R_9$ of AES-128 encryption is loaded for encryption of ciphertext C. As before, C is public and $R_9$ can be guessed based on $k_9$ hypotheses. The leakage L can be modeled as: L = HW(R₉) + N, where N is the noise in the measurement. Apart from the leakage computation, the rest of the attack settings remain the same.

2.4. Write/Read Trace Generation

For key extraction from emerging NVMs using DPA attack, 5000 write traces using the same secret key with different plaintexts for all the 10 AES-128 rounds were generated. As NVM write current depends on previous stored data, when writing to the memory array, the initial value of all 128 bits (i.e., for R₀) were kept as 0, and for the following AES rounds, the stored data are written with new round outputs. Similarly, 5000 read traces were generated when reading R₉ output stored in the memory.

3. Case Study: STTRAM

3.1. Basics of STTRAM

STTRAM bitcell (Figure 2a) contains one MTJ and one access (NMOS) transistor. MTJ has two ferromagnetic layers separated by an oxide layer. They are known as Pinned Layer (PL) and Free Layer (FL). If the magnetic orientation of the layers are parallel to each other, the MTJ resistance is low. If the orientation are antiparallel to each other, the MTJ resistance is high. Typically, data ‘1’ and ‘0’ are represented by the high and low resistance, respectively. Magnetic orientation of FL can be toggled from the one state to another by passing the write current (>critical current) from Sourceline (SL) to Bitline (BL) for data ‘0’ to ‘1’ (or vice versa). Figure 2b shows the energy barrier between two stable state of MTJ.

A 22 nm NMOS and one MTJ based on [28] are used for the simulation. Various simulation parameters used in this work are summarized in

Table 1. STTRAM Simulation Parameters used in this work.

Parameter	Value
Access transistor (nMOS) (W/L)	100 nm/30 nm
MTJ FL volume	1.04 × 10−17 cm3
MTJ anisotropy (uniaxial), Ku	150,150 erg/cc
Magnetization saturation, Ms	790 Oe
MTJ anisotropic magnetic field, Hk	380 Oe
MTJ Thermal barrier, Δ	37.99
Tunnel magnetoresistance, TMR	2
Write/read latency	3 ns/1 ns
nMOS/pMOS width ratio (read circuit)	1/6

.

3.2. Asymmetric Write and Read Current

STTRAM write current is a function of the polarity of the stored data. The equivalent resistance of MTJ is low (high) in state ‘0’ (‘1’). Figure 3a shows $I_{write}$ for 1→0. During write, the initial current is high since MTJ resistance is low. However, the current goes low after successful write. Similarly, write current for 1→0 goes from low to high (Figure 3b).

Note that three phases can be identified in the waveform for $I_{write}$ of 0→1 and 1→0; ‘Old data’, ‘Transition from old data to new data’ and finally, ‘New data’. $I_{write}$ of 1→1 and 0→0 are fairly constant since the MTJ state does not change. The current magnitude difference of low and high states of current waveform (for 0→1 and 1→0) is significant and therefore, reveals the information about new and previous data.

STTRAM read current (Figure 3c) also depends on the present state of the bit. The amplitude difference between two read currents depend on the Tunnel Magneto Resistance [16] of MTJ. For a good sense margin during read, a higher TMR is desirable. However, this adversely affects the data security.

3.3. SCA on STTRAM Write Operation

Figure 4a shows the results to extract the first key bytes from write operation of STTRAM. The figure presents the correlation evolution for the entire key candidates against the trace number. SCA is successful when the correct key (denoted by black line) emerges out from the band of all wrong keys (denoted by grey). The first key byte extraction takes around 800 traces. It could be concluded that signal to noise ratio, SNR of STTRAM write current is low, which makes SCA harder. Similar result is obtained for other key bytes (with minor statistical discrepancy). With the given 2000 traces, it is possible to recover only 8 bytes from 2000 traces. All key bytes are expected to be retrieved with more measurements. However, it is evident that the SCA performance is poor. The reason behind sub-optimal SCA result either could be poor attack setting or low SNR. We can rule out low SNR since simulation traces are very precise. Therefore, SCA on STTRAM write operation provides a false impression of higher resiliency compared to SRAM [25] since the attack is not developed considering the underlying technology.

Improved Attack: We have tried to pre-process the traces since the difference in write current between the final and initial phase is analogous to a switching activity and thereby, should correlate with HD model. Therefore, we generated new traces from the old ones by simply subtracting the current values at final time samples from the initial time samples. The choice of time samples was made considering the attack settings. This type of pre-processing also compresses the traces and thereby, accelerating the SCA computation.

The result of SCA on the pre-processed traces is shown in Figure 4b. The first key byte can be extracted with 300 traces whereas the non-pre-processed version required 800 traces. Note that the entire key is retrieved by 1600 traces. Therefore, we can conclude that the efficiency of attack has significantly improved.

3.4. SCA on STTRAM Read Operation

Further investigation is done to identify the vulnerability of the read. The main difference between STTRAM write vs. read operation is that a constant read voltage is applied across the bitcell. The cell draws current based on the stored data which is sensed to determine the data. In case of read, SCA can exploit the time window when R₉ is read in order to compute the final ciphertext. Therefore, the read current leakage model is: L = HW(R₉) + N.

The rest of the SCA setting is similar. Figure 4c summarizes the result. The attack is very efficient and can extract the first key byte in 40 traces and the entire key extraction needs only 400 traces.

In summary, our investigation reveals that although the characteristics of side channel leakage of STTRAM are different from SRAM, the distinction cannot be considered as a protection. By tweaking the attack setting and applying very basic pre-processing, similar exploitability can be found. Furthermore, read current revealed a high vulnerability. Therefore, designers can target efficient countermeasures to emphasize securing the read operation.

4. Case Study: MRAM

4.1. Basics of MRAM

MRAM cell (Figure 5a) is consist of one MTJ and one nMOS access transistor (similar to STTRAM bitcell (Figure 2a)). However, the MRAM MTJ lies between a couple of metal lines known as bit-line (BL) and digit-line (DL). The BL and DL are orthogonal to each other, parallel to the cell plane, one above and one below the MTJ. The write current is passed through BL and DL with appropriate polarity which induces a magnetic field and exerts a torque on the FL magnetic orientation. This flips the FL magnetic orientation. The access transistor has no part in the write operation. Although MRAM write is magnetic field driven and STTRAM write is current driven, MRAM and STTRAM read operations are similar. Therefore, MRAM read current also shows the data dependency since the asymmetry of the read is due to the difference of the MTJ resistance of parallel/anti-parallel states. Ref. [25] evaluated a DPA based SCA on MRAM read. For this study, a MRAM commercial chip [34] is used. The features of the chip is shown in

Table 2. MRAM Chip Characteristic.

Parameter	Value
Capacity	16 Mbit
Write/Read latency	35 ns
Data/Address bus length	8/21
$V_{DD}$	3.3 V
Data retention time	>20 years
AC standby current	9–14 mA
AC active current (read)	60–68 mA
AC Active Current (write)	152–180 mA
Output enable access time	15 ns

.

4.2. Experimental Setup

MRAM chip [34] was interfaced with a Basys 3 [35] board with an Artix-7 FPGA [36] using a PCB with four layers. The design of the PCB optimized the wire capacitance, resistance and stray inductance to keep the read signature integrity consistent. A capacitor with ~19 μF was used between the GND and V_dd to keep the DC supply power stabilized. A current shunt with 1 Ω resistance was connected between the MRAM chip ground and the GND of the PCB to measure the current drawn by the chip as shown in Figure 1. The traces for read current were captured by a Keysight DSOS-804A High Definition Oscilloscope [37] with a bandwidth of 8 GHz and a sampling frequency of 20 GSa/s. Figure 5b shows the experimental setup. Note, that the FPGA frequency is 100 MHz and the MRAM minimum read cycle is 35 ns. Therefore, we have divided the 100 MHz clock frequency by 4 and thereby, implementing 40 ns for read/write cycle time.

4.3. SCA on MRAM Write Operation

In [27], a Correlation Power Analysis (CPA) on MRAM write operation has been performed. The work proposes a hypothetical power model that considers the difference of 0 → 1 and 1 → 0 transitions to estimate the post-alignment power consumption while writing to MRAM. They considered the stream cipher MICKEY-128 2.0 to validate the proposed attack model. The results show that the secret key can be retrieved from MRAM write operation traces.

4.4. SCA on MRAM Read Operation

The data bus length of MRAM is 8. Therefore, data 0 to 255 can be read in one read cycle. Data 0 to 255 was written sequentially on a fixed address and 20 read operations were performed to capture the read current waveform for each data sample. A total of 15 ns is required to enable the output after the read enable signal is asserted (timing reference voltage is 1.5 V [34]). This indicates that the actual read sensing is done in 15 ns although the read cycle is 40 ns. Similar to the method proposed in [23] where read/write signature for SRAM is experimentally found by taking the average voltage at a Point of Interest (POI), we have calculated the average current for the Window of Interest (WOI) for each data that is being read from MRAM. A single read waveform captured on the oscilloscope is shown in Figure 5c. The start of WOI is considered when the read enable signal (green) crosses 1.5 V since the timing reference voltage is 1.5 V [29]. The average read current in the proposed WOI for data 0 to 255 is plotted in Figure 6a. It is clear that the average $I_{read}$ in the WOI depends on the number of ones in 8-bit read data. The average current reduces with the increasing HW of the 8-bit data. This proves that MRAM read current which is asymmetric in nature reveals the sensitive read data.

Similar to the simulation case, DPA-based SCA is implemented on MRAM read by exploiting the time window when R₉ is read to compute the final cipher text. Therefore, the read signature leakage model is: L = HW(R₉) + N. However, a restriction is only 8 bit data can be read in one cycle from the MRAM chip. Therefore, R₉ round output is read in total of 16 cycles. However, the read current in simulation is measured for all 16 bytes. The read current corresponding to the byte under attack is the signal of interest since we attack one byte at a time. Therefore, the current related to the other 15 bytes is considered as noise. For MRAM chip, we read only one byte in each cycle and therefore, noise related to other 15 bytes become zero. This leads to 15× less (algorithmic) noise in the experimental measurement compared to the case in simulation.

The correlation against the time samples within the WOI is shown in Figure 6b. The correlation for the correct key hypothesis clearly stands out from all the wrong key hypotheses, confirming the practical side channel vulnerability of MRAM read current. Note that 15 traces were enough to perform the SCA (Figure 6c, correlation vs. the number of traces). A successful SCA with 15 traces is faster compared to 40 traces for STTRAM in simulated setting (Section 3.4). This is because the experimental measurements contained 15× less algorithmic noise.

5. Case Study: RRAM

5.1. Basics of RRAM

RRAM storage element is mainly an oxide material between two electrodes namely, Top Electrode (TE) and Bottom Electrode (BE) (Figure 7a). The filament between the electrodes can be formed or ruptured based on the direction and magnitude of the electric field through it. If a filament is formed between the two electrodes, the resistance of the cell is low (Low Resistance State, LRS) and that can be considered as data ‘0’. However, if the filament is ruptured, the resistance of the cell is high (High Resistance State, HRS) and that can be considered as data ‘1’.

5.2. Asymmetric Read/Write Current

Figure 7b shows RRAM write current for writing data 0→1, 0→0, 1→0 and 1→1. Similar to STTRAM, current is almost constant for writing data 0→0 and 1→1 while the new data, old data and the transition regions are distinguishable for writing data 0→1 and 1→0. Therefore, the total write current for writing a full data word is a function of data pattern. Similarly, RRAM read current is also asymmetric (Figure 7c). The average current drawn by the bitcell is more if the stored datum is ‘0’.

A 65 nm nMOS along with ASU (bipolar HfO_x-based) RRAM Verilog-A model [38] is used in this work. Simulation parameters are provided in

Table 3. Parameters used for RRAM Simulation.

Parameter	Value
Access Transistor W/L/VT	195 nm/65 nm/0.423 V
RRAM Gap for RL/RH	0.53 nm/1.368 nm
Unit Cell Size	12 F2
System Clock Frequency/Vdd	2 GHz/2.2 V
Read/Write Latency	0.5 ns (1 cycle)/10 ns (20 cycle)

.

5.3. SCA on RRAM Write Operation

The attack model follows the description provided in Section 2.3, i.e., HD leakage model with Pearson Correlation. Figure 8a demonstrate the attack results to extract the first byte of the key from RRAM write operation. The attack is efficient and can reveal the correct key in only 900 traces.

5.4. SCA on RRAM Read Operation

The attack follows the description provided in Section 2.3. Figure 8b demonstrate the attack results to extract the first byte of the key from RRAM read operation. The attack is efficient and can reveal the correct key in only 200 traces.

6. Case Study: PCM

6.1. Basics of PCM

There are two major PCM designs (Figure 9a); heater-based and self-heating-based [39]. The first one contains a material layer (e.g., titanium nitride or tungsten [39,40,41]) that act as a heat source to heat the adjacent layer of phase-change material [39]. The later one relies on the internal generated heat within the PCM and helps the state change of the material [39]. $G{e}_{2}S{b}_{2}T{e}_5$ (GST) [40,42] is used as a phase-change material for both designs. Another example of a similar phase-change material is $I{n}_{3}S{b}_{1}T{e}_2$ [43].

A current is applied through the PCM cell to force the cell to either SET (low resistance) or RESET (high resistance) during write. A small voltage is applied across the cell during read operation and the resistance is sensed to read the stored data.

6.2. Asymmetric Read and Write Current

Figure 9b shows PCM write current for writing data 0→1, 0→0, 1→0 and 1→1. Unlike STTRAM and RRAM, the write current of PCM does not depend on the old data, rather depends on the new data that is being written to the cell. This reduces the 4 write current combinations to 2 which an adversary can leverage to launch a stronger SCA attack. Similarly, PCM read current is also asymmetric (Figure 9c). The current drawn by the bitcell is significantly more if the stored datum is ‘0’ compared to case of ‘1’.

A 65 nm nMOS along with ASU RRAM Verilog-A model [44] is used for analysis. Simulation parameters are provided in

Table 4. Parameters used for PCM Simulation.

Parameter	Value
Access Transistor W/L/VT	195 nm/65 nm/0.423 V
Bottom Contact Width, CW	28 nm
GST thickness	49 nm
RSET/RRESET/RWRITE	9 kΩ/3.6 MΩ/1 kΩ
Read/Write Latency	20 ns (40 cycle)/150 ns (300 cycle)

.

6.3. SCA on PCM Write Operation

Figure 10a demonstrates the results to extract the first key byte from PCM write operation. The attack is successful, efficient and only takes 200 traces to reveal the key. Furthermore, the full key can be extracted in 400 traces.

6.4. SCA on PCM Read Operation

Figure 10b demonstrates the results to extract the first key byte from PCM read operation. The attack is successful, efficient and only takes 200 traces to reveal the key.

6.5. Comparative Analysis of NVM Vulnerability to SCA

Finally, we compare all the previous results in

Table 5. Comparative Analysis of SCA Vulnerability of NVMs w.r.t their side-channel resistance in terms of minimum number of traces to disclose (MTD) first byte of the key.

NVM	MTD
STTRAM (write)	300
STTRAM (read)	40
MRAM (read)	15
RRAM (write)	900
RRAM (read)	200
PCM (write)	200
PCM (read)	200

. While STTRAM (write) and RRAM (write) offer the highest resistance, it is obvious that all the tested memory technologies are sooner or later vulnerable. This brings the need of strong countermeasures. In the following section, we test some commonly used countermeasures or mitigation techniques from the side-channel domain.

7. Analysis of Encoding as a Mitigation Technique

The authors of [45] propose that encoding could obfuscate the data signature and make the key extraction difficult. Therefore, we have performed four types of encoding for write operation and two types of encoding for read operation to analyze the impact of encoding. We have considered RRAM as a test case.

• Write Encoding Try 1: Out of 128-bit write data, first MSB 8 bits are encoded with reverse polarity. This means that for those 8 bits, high resistance state is considered as data ‘0’ and low resistance state is considered as data ‘1’. The key extraction result is shown in Figure 11a. It is evident that the attack is successful and the first byte of the key can be retrieved in roughly 800 traces.
• Write Encoding Try 2: Out of 128-bit write data, first MSB 16 bits are encoded with reverse polarity. Figure 11b shows the corresponding successful attack result where the first byte of the key can be retrieved in roughly 950 traces.
• Write Encoding Try 3: Out of 128-bit write data, first MSB 32 bits are encoded with reverse polarity. The attack result is summarized in Figure 11c. The first byte of the key can be retrieved in roughly 600 traces.
• Write Encoding Try 4: Out of 128-bit write data, first MSB 64 bits are encoded with reverse polarity. Figure 12a shows that the first byte of the key can be retrieved in roughly 600 traces.
• Read Encoding Try 1: Out of 128-bit read data, first MSB 32 bits are encoded with reverse polarity. Figure 12b shows that the first byte of the key can be retrieved in roughly 350 traces.
• Read Encoding Try 2: Out of 128-bit read data, first MSB 64 bits are encoded with reverse polarity. The attack result is summarized in Figure 12c. We note that the first byte of the key can be retrieved in roughly 200 traces.

Without encoding, it took 900 traces to extract the first byte of the key from RRAM write operation. After encoding, 950 traces are required (with Try 2). Therefore, we conclude that encoding does improve the resistance but is not an effective mitigation technique. A similar conclusion can be drawn for encoding on read operation.

The underlying reason for such vulnerability is emerging NVMs basically use different resistance states to store different data. Therefore, there would always be a minuscule difference between data ‘0’ and ‘1’ read/write currents. Thus, the mitigation needs to identify, (possibly by profiling) if a better codeword exists that reduces the difference (e.g., 0001 and 1110). Even then, with large number of traces the attack might be feasible. These results are in line with that on SRAM as shown in [46].

8. Discussion

8.1. Assumptions Used in This Work

Following assumptions are made in this work: (i) the current drawn by the LLC can be isolated from the total system current. Note that the total system current will also include the CPU current. However, the adversary can filter out the high frequency components of the total current by applying signal processing [47] since the CPU current frequency is much higher compared to cache current (long NVM read and write latency); (ii) the proposed SCA model is independent of cache size. This assumption is true as long as the cache is large enough to hold the round keys. The unused cache will only contribute to constant leakage which can be filtered out; (iii) the CPUs considered are laptop and PCs although the attack can be investigated for Internet of Things (IoTs) as well; and (iv) AES is the cryptographic application. Other algorithms such as MICKEY 2.0 (shown in [27]) are also vulnerable.

8.2. Considerations for Improving SCA Efficiency

Note that asymmetric NVM read and write current can serve as two isolated side channels to steal the encryption key. The attack can be improved by noting that read and write are performed on the same key during AES rounds. Thus, the attack accuracy and speed of key extraction can be improved by a cross-correlation between asymmetric read and write currents.

8.3. Considerations for SCA Resiliency

To weaken SCA, the data dependent asymmetry in read/write current should be eliminated or masked. In [48], a technique to eliminate side channel signature of emerging NVM using on-chip capacitor and very steady and robust voltage regulator [49] is proposed. The on-chip capacitor hides the side channel from being captured at the supply voltage and the robust voltage regulator provides steady supply to the capacitor during charging phase. Although the paper shows example of RRAM, the design can be extended to other NVMs as well.

9. Conclusions

In this work, we summarized a thorough study of SCA on various emerging NVMs such as STTRAM, MRAM, RRAM and PCM-based LLC, respectively. We have assumed AES-128 operation being performed on LLC and leveraged the asymmetric write/read current during the AES round operations. Results revealed that the read operation is more susceptible to leak the key although write current showed greater asymmetry than read current. Our investigation also shows that applying basic pre-processing resulted in much improvement of the attack. The proposed attack model is also experimentally validated using a commercial MRAM chip. We have also investigated mitigation techniques proposed in prior works. We conclude that techniques like encoding is not sufficient to protect the key and we need more device level solutions to hide the data signature.