A 4900-μm² 839-Mb/s Side-Channel Attack-Resistant AES-128 in 14-nm CMOS With Heterogeneous Sboxes, Linear Masked MixColumns, and Dual-Rail Key Addition

Cryptographic circuits such as advanced encryption standard (AES) are vulnerable to correlation power analysis (CPA) side-channel attacks (SCAs), where an adversary monitors chip supply current signatures or electromagnetic (EM) emissions to decipher the value of embedded keys. This article describes an all-digital, fully synthesizable SCA-resistant 16-b serial AES-128 hardware accelerator fabricated in 14-nm CMOS, occupying 4900 $\mu \text{m}^{2}$ . Randomized byte-order shuffling through heterogeneous Sboxes, linear masked MixColumns, and dual-rail AddRoundKey circuits enable: 1) 9.2 $\times $ lower correlation between current signatures and hamming distance (HD)/hamming weight (HW) power models compared to an unprotected AES implemented in 14-nm CMOS; 2) 2.3 $\times $ attenuation of a correlation ratio for correct key guesses; 3) 839-Mb/s encryption throughput with 11-mW total power consumption measured at 750 mV, 25 °C; 4) peak energy efficiency of 390 Gbps/W measured at an energy optimal point of 290 mV, 25 °C, representing an overhead of 23% over the unprotected AES engine; 5) 1200 $\times $ improvement in minimum-traces-to-disclosure (MTD) over an unprotected AES accelerator, with no successful CPA attacks observed after 12M encryptions; and 7) >1100 ${\times }$ improvement in test vector leakage assessment (TVLA) metric in power and EM time- and frequency-domain analyses.