[math-fun] power side-channel resistant logic impossible?
I've been pondering the problem of building logic gates whose power consumption is *100% independent* ("power oblivious"?) of the input & output values.
I'm starting to think that this task may be impossible.
Here are my reasons:
1. Digital logic depends upon the ability to *standardize* signals to 0's and 1's with a significant *margin* between a 0 or a 1. Thus, each logic gate has a definition of what inputs it is willing to *accept*, and what outputs it is capable of *producing*. So long as the "producing" signals are a subset of the "accepting" signals, then the logic family will operate correctly as logic gates.
However, operating correctly as logic gates won't necessarily eliminate the *power side-channel* which can leak information about what values are being operated on and what values are being produced.
There are several sources of *noise* and *variability* of these signals. Noise is uncertainty produced by inherent statistical variation -- e.g., the number of electrons being switched -- or *interference* ("crosstalk") from other signals -- or faint traces of *history* from previous gate computations.
Variability comes from manufacturing differences -- e.g., variations in the sizes of gates, lengths of wires, etc.
One of the major successes of digital circuitry is its resistance to both kinds of variation -- noise and manufacturing variability.
However, in the case of power side-channels the variation is no longer *statistical* because we're dealing with an individual circuit and an individual gate. Given enough measurements, we can likely characterize *each and every separate gate* on a chip and identify its unique characteristics.
2. Another kind of noise has to do with the *history* of a particular signal -- e.g., which paths the signal has taken to get to a particular gate. Yes, the signal falls within the limits of acceptability to the gate, but minor differences in the signal can still "leak through" the gate and end up as minor differences in the output of the gate. Thus, although the zero-th order of the signal is a "0" or "1", the remaining orders of the signal may incorporate information about the history of the signal which may be leaked through the power consumption of the subsequent gates.
Yes, we could significantly *tighten* the *standardization* for each signal, and therefore narrow the *acceptability* of each gate, but this would dramatically reduce the performance and increase the cost of the resulting system circuits. After all, one of the major reasons for preferring digital circuits over analog circuits in the first place is to avoid the tight manufacturing constraints of high precision analog circuits.
3. One of the means to reduce the power side-channel is to *mirror* certain computations in an effort to compensate for a variation in one version of the computation with an offsetting variation in the other version of the computation. The simplest version of this is "differential signaling", where only the *difference* between two signals is significant, and the *common mode* -- the signal appearing on both mirrored outputs -- is ignored.
Unfortunately, while the common mode for signals can be rejected for computation purposes, *power -- being a quadratic function -- cannot be rejected*, since all contributions are positive. Since there is no such thing as "negative power", there is no way to "subtract" this common mode power.
4. Timing. One possibility to avoid manufacturing variation issues is to utilize *the same* circuitry to perform the *mirror image* calculation. Thus, one might perform two (or more) calculations with different inputs and outputs on *the same gates* to confuse any power watchers as to exactly which computation is the *real* computation. While these computations still can't mirror all of the noise issues, they can -- in theory -- remove actual gate size and actual wire length from contributing to the side-channel. However, it appears to be quite difficult to hide *which calculation is the real one*, and since they are separated in time, it is still possible to measure them all through the power side-channel.
5. Quantums ? Perhaps the only solution will be a simplified version of "quantum computation" in which a signal is a *single electron* or a *single photon* -- i.e., a single quantum -- so that the *standardization* of the signal is due to the *identical* behavior of each quantum (electron or photon). As in (QKD) quantum key distribution, the problem is now making sure that only one quantum appears on a wire at any one time; two or more quanta produce an error that needs to be corrected.
Unfortunately, such a simplified quantum computer may not be so easy to build, as it requires *eliminating* all other quantum behavior -- e.g., *superposition* and *entanglement* -- which behavior is actually *desired* by the builders of so-called "quantum computers".
So in the end, eliminating these *quantum side channels* also means eliminating most *quantum behavior*.
--- I don't have any answers, but I'm wondering if eliminating the power side-channel may simply be impossible from a theoretical point of view. An analogy might be eliminating *glitches* from *arbiters*, and there may even be a connection between these two problems.
The perfect is the enemy of the good, and so much good can be achieved by differential logic with constant current that we can make very impressive improvements in side channel behavior with these techniques. Yes, they won’t be perfect. Does this mean we should ignore them? I would not want to be challenged to use a side channel on such a device to pull out information, while we know that for standard CMOS it is almost trivial.
On May 24, 2018, at 11:35 AM, Henry Baker <hbaker1@pipeline.com> wrote:
I've been pondering the problem of building logic gates whose power consumption is *100% independent* ("power oblivious"?) of the input & output values.
I'm starting to think that this task may be impossible.
Here are my reasons:
1. Digital logic depends upon the ability to *standardize* signals to 0's and 1's with a significant *margin* between a 0 or a 1. Thus, each logic gate has a definition of what inputs it is willing to *accept*, and what outputs it is capable of *producing*. So long as the "producing" signals are a subset of the "accepting" signals, then the logic family will operate correctly as logic gates.
However, operating correctly as logic gates won't necessarily eliminate the *power side-channel* which can leak information about what values are being operated on and what values are being produced.
There are several sources of *noise* and *variability* of these signals. Noise is uncertainty produced by inherent statistical variation -- e.g., the number of electrons being switched -- or *interference* ("crosstalk") from other signals -- or faint traces of *history* from previous gate computations.
Variability comes from manufacturing differences -- e.g., variations in the sizes of gates, lengths of wires, etc.
One of the major successes of digital circuitry is its resistance to both kinds of variation -- noise and manufacturing variability.
However, in the case of power side-channels the variation is no longer *statistical* because we're dealing with an individual circuit and an individual gate. Given enough measurements, we can likely characterize *each and every separate gate* on a chip and identify its unique characteristics.
2. Another kind of noise has to do with the *history* of a particular signal -- e.g., which paths the signal has taken to get to a particular gate. Yes, the signal falls within the limits of acceptability to the gate, but minor differences in the signal can still "leak through" the gate and end up as minor differences in the output of the gate. Thus, although the zero-th order of the signal is a "0" or "1", the remaining orders of the signal may incorporate information about the history of the signal which may be leaked through the power consumption of the subsequent gates.
Yes, we could significantly *tighten* the *standardization* for each signal, and therefore narrow the *acceptability* of each gate, but this would dramatically reduce the performance and increase the cost of the resulting system circuits. After all, one of the major reasons for preferring digital circuits over analog circuits in the first place is to avoid the tight manufacturing constraints of high precision analog circuits.
3. One of the means to reduce the power side-channel is to *mirror* certain computations in an effort to compensate for a variation in one version of the computation with an offsetting variation in the other version of the computation. The simplest version of this is "differential signaling", where only the *difference* between two signals is significant, and the *common mode* -- the signal appearing on both mirrored outputs -- is ignored.
Unfortunately, while the common mode for signals can be rejected for computation purposes, *power -- being a quadratic function -- cannot be rejected*, since all contributions are positive. Since there is no such thing as "negative power", there is no way to "subtract" this common mode power.
4. Timing. One possibility to avoid manufacturing variation issues is to utilize *the same* circuitry to perform the *mirror image* calculation. Thus, one might perform two (or more) calculations with different inputs and outputs on *the same gates* to confuse any power watchers as to exactly which computation is the *real* computation. While these computations still can't mirror all of the noise issues, they can -- in theory -- remove actual gate size and actual wire length from contributing to the side-channel. However, it appears to be quite difficult to hide *which calculation is the real one*, and since they are separated in time, it is still possible to measure them all through the power side-channel.
5. Quantums ? Perhaps the only solution will be a simplified version of "quantum computation" in which a signal is a *single electron* or a *single photon* -- i.e., a single quantum -- so that the *standardization* of the signal is due to the *identical* behavior of each quantum (electron or photon). As in (QKD) quantum key distribution, the problem is now making sure that only one quantum appears on a wire at any one time; two or more quanta produce an error that needs to be corrected.
Unfortunately, such a simplified quantum computer may not be so easy to build, as it requires *eliminating* all other quantum behavior -- e.g., *superposition* and *entanglement* -- which behavior is actually *desired* by the builders of so-called "quantum computers".
So in the end, eliminating these *quantum side channels* also means eliminating most *quantum behavior*.
--- I don't have any answers, but I'm wondering if eliminating the power side-channel may simply be impossible from a theoretical point of view. An analogy might be eliminating *glitches* from *arbiters*, and there may even be a connection between these two problems.
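Added example, not part of either message in this thread: a toy Python energy model of the trade-off both posts describe, comparing the data-dependent energy of a single-rail gate output with a dual-rail precharge pair whose two rails are either perfectly matched or off by a manufacturing tolerance. Dual-rail precharge is used here as a simple stand-in for the differential logic mentioned in the reply; the 8-bit word, unit supply voltage, ±1% capacitance tolerance and all function names are assumptions made for the illustration.

```python
import random

BITS = 8  # constructed example: one 8-bit word driven by 8 gate outputs

def rail_caps(rng, tol):
    """Per-node load capacitance, nominal 1.0 with +/- tol manufacturing spread."""
    return [1.0 + rng.uniform(-tol, tol) for _ in range(BITS)]

def single_rail_energy(word, caps):
    """Precharged single-rail gate: a node draws C*V^2 only when it evaluates to 1."""
    return sum(c for i, c in enumerate(caps) if (word >> i) & 1)

def dual_rail_energy(word, true_caps, false_caps):
    """Dual-rail precharge: exactly one rail of each pair charges per evaluation."""
    return sum(t if (word >> i) & 1 else f
               for i, (t, f) in enumerate(zip(true_caps, false_caps)))

def data_dependent_spread(energy_of):
    """Max minus min energy over every possible word: what a power trace can see."""
    energies = [energy_of(w) for w in range(1 << BITS)]
    return max(energies) - min(energies)

def compare(tol=0.01, seed=2018):
    """Spread for single-rail, ideal dual-rail, and dual-rail with rail mismatch."""
    rng = random.Random(seed)  # fixed seed: one particular simulated chip
    c = rail_caps(rng, tol)
    t, f = rail_caps(rng, tol), rail_caps(rng, tol)
    ideal = [1.0] * BITS  # perfectly matched rails (not manufacturable)
    return {
        "single_rail": data_dependent_spread(lambda w: single_rail_energy(w, c)),
        "dual_rail_matched": data_dependent_spread(
            lambda w: dual_rail_energy(w, ideal, ideal)),
        "dual_rail_mismatched": data_dependent_spread(
            lambda w: dual_rail_energy(w, t, f)),
    }

if __name__ == "__main__":
    for name, spread in compare().items():
        print(f"{name:22s} spread = {spread:.4f} (units of C*V^2)")
```

In this model the matched pair has zero spread, while the mismatched pair keeps a residual equal to the sum of the per-bit rail differences: small next to single-rail, but fixed for a given chip rather than averaging away.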
participants (2): Henry Baker, Tom Knight