Constant power might not be too cool, but may be unavoidable for certain calculations -- e.g., AES encryption/decryption. It would be an interesting theorem if constant power were the *only* solution.

Some sort of "tri-stating with memory" might allow lower power consumption for the vast majority of wires that won't be changing on every clock cycle. Having a wire stay at either "0" or "1" for long periods of time doesn't cost anything, but changing the state of a wire does cost the charging/discharging of the capacitance of the wire. In this type of logic, the problem won't be "1's" or "0's", but transitions: "+1", "-1". So the game may be to have a double-width bus where half the bus gets XOR'd with <secret> and the other half gets XOR'd with not-<secret>, so that exactly length-<secret> bits change.

I think it may be possible to build systems having both "secret" and "non-secret" bits; the only constraint is that the instantaneous power is independent of the secret bits -- i.e., the power computation function is a *tautology* of the secret bits.

This leads us to consider a circuit design system which outputs circuits both for the value to be computed, as well as another circuit which computes the power/energy consumed by the computation. It is up to the circuit design system to make sure that the two sets of circuits are in sync. While we're at it, we can also output a circuit that computes the *timing* for the value-computing circuit. For many situations, this circuit may be trivial, but for others -- e.g., carry-propagation -- this circuit may not be trivial.

At 01:47 PM 5/16/2018, Tom Knight wrote:
There are circuit topologies (as opposed to semiconductor technologies) that compute both the true and complement of every signal. To a very good first approximation, the power dissipated is constant in these circuits independent of the data flowing through them. The downside is that power dissipation is constant, but high. ECL logic is an early bipolar version, but similar topologies can be built with NMOS or CMOS technologies. It might be appropriate to use these topologies in security-sensitive applications.
On May 16, 2018, at 1:46 PM, Henry Baker <hbaker1@pipeline.com> wrote:

I've been thinking about the *power* side-channel: the ability to watch instantaneous power consumption to guess what a computer is computing.
Closely related: the chip temperature side-channel: the ability to watch instantaneous temperature distributions across a chip to guess what a computer is computing.
Note that simple power supply filtering doesn't work well enough, as one might be able to watch enough computation to still be able to discern some amount of information.
Since many computers would like to keep confidential what they are computing, the question is raised:
**Are there computer arithmetic circuits which draw the same sequence of instantaneous power draws *regardless* of the numbers being computed or moved?**
For example, some computer circuit may draw slightly more power when a "1" appears on a bus instead of a "0". Under these conditions, it might make sense to drive the bus with both the number and its binary complement, in order to keep the power draw the same, no matter what bit pattern is being operated on.
Are there particular number representations and arithmetic circuits (or even *boolean circuits*) whose power consumption is indifferent ("oblivious") to the input bit patterns?
Note that CMOS typically utilizes both PNP and NPN transistors in a complementary fashion. However, due to semiconductor physics, these transistors are not 100% complementary -- especially at high clock rates -- and therefore they don't provide as much obliviousness as one would like, so assume for this conversation that we might still have to mirror even CMOS gates.
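The bus-level ideas in this thread (Tom Knight's constant-weight true/complement signalling, and Henry Baker's point that in a transition-cost model the leak is "+1"/"-1" flips rather than 1's and 0's, fixed by a double-width bus carrying the value and its complement so that exactly length-<secret> bits change), as an added Python model that is not part of the thread and not anyone's circuit. It assumes a unit cost per wire charge or discharge, a bus that idles at all-zero, and (my assumption of how the "exactly length-<secret> bits change" property is obtained) a return-to-zero precharge phase between successive values. The 4-bit width, the sample values and every function name are constructed for illustration. The last function performs the "tautology" check from the top message by brute force: enumerate every input sequence and count how many distinct power traces appear.

```python
"""Toy transition-count model of a data bus under three signalling schemes.

Cost model (assumption): each wire that flips 0->1 or 1->0 costs one unit,
a wire that keeps its level costs nothing. The bus starts at all-zero.
"""
from itertools import product
from typing import Callable, List


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def hamming_distance(a: int, b: int) -> int:
    return hamming_weight(a ^ b)


def dual_rail_encode(v: int, width: int) -> int:
    """Double-width word: upper half carries v, lower half carries NOT v.
    Every encoded word has exactly `width` ones, whatever v is."""
    mask = (1 << width) - 1
    return ((v & mask) << width) | (~v & mask)


def single_rail_trace(values: List[int], width: int) -> List[int]:
    """Plain bus: per-cycle cost = number of wires that flip."""
    mask = (1 << width) - 1
    trace, bus = [], 0
    for v in values:
        v &= mask
        trace.append(hamming_distance(bus, v))
        bus = v
    return trace


def dual_rail_trace(values: List[int], width: int) -> List[int]:
    """Value-and-complement bus with no precharge. The word weight is
    constant, but both halves flip together whenever a bit changes, so
    the cost is 2 * HD(previous, current): still data dependent."""
    trace, bus = [], 0
    for v in values:
        enc = dual_rail_encode(v, width)
        trace.append(hamming_distance(bus, enc))
        bus = enc
    return trace


def precharge_dual_rail_trace(values: List[int], width: int) -> List[int]:
    """Value-and-complement bus with a return-to-zero phase between values
    (assumed here). Each value costs two phases: discharging the old word
    and charging the new one. Both words weigh exactly `width`, so each
    phase flips exactly `width` wires regardless of the data."""
    trace, bus = [], 0
    for v in values:
        enc = dual_rail_encode(v, width)
        trace.append(hamming_distance(bus, 0))   # precharge: bus -> 0
        trace.append(hamming_distance(0, enc))   # evaluate:  0 -> enc
        bus = enc
    return trace


def distinct_traces(trace_fn: Callable[[List[int], int], List[int]],
                    width: int, seq_len: int = 2) -> int:
    """Exhaustive leakage check: run every possible input sequence of
    `seq_len` words and count the distinct power traces. A result of 1
    means the power function is a tautology of the data, i.e. the bus is
    oblivious to what it carries under this cost model."""
    seen = set()
    for seq in product(range(1 << width), repeat=seq_len):
        seen.add(tuple(trace_fn(list(seq), width)))
    return len(seen)


if __name__ == "__main__":
    width = 4
    secret = [0b0101, 0b0110]            # constructed sample data
    for name, fn in (("single rail", single_rail_trace),
                     ("dual rail", dual_rail_trace),
                     ("precharged dual rail", precharge_dual_rail_trace)):
        print(f"{name:22s} trace={fn(secret, width)} "
              f"distinct traces over all inputs={distinct_traces(fn, width)}")
```

The middle scheme is the one the thread is circling: constant Hamming weight removes the "more power for a 1 than a 0" leak but not the transition leak, and the exhaustive count makes that visible without any statistics. The precharged variant is the only one of the three whose trace count is 1, at the price of a fixed 2 * width flips per value, which is Tom Knight's "constant, but high" dissipation.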