Deep Learning-Based Side-Channel Attacks on Secure and Conventional Cryptographic Circuits Using FinFET and TFET Technologies

Abstract

Electronic devices are now ubiquitous across both professional and personal domains, often containing sensitive information that should remain undisclosed to untrustworthy third parties. Consequently, there is an increased demand for effective security measures to prevent the leakage of confidential data. While some devices utilize mathematically secure algorithms to safeguard sensitive information, there remains a vulnerability to informational leaks through Side-Channel Attacks (SCAs) targeting hardware platforms. Non-profiled SCAs, including Correlation Power Analysis (CPA), are particularly practical since they require access only to the target device. In this study, we propose and investigate the use of Deep Learning (DL) techniques to enhance the effectiveness of non-profiled SCAs through an optimized Deep Learning Power Analysis (DLPA) algorithm. Optimized DLPA attacks are implemented using Multi-Layer Perceptron (MLP) and Convolutional Neural Network (CNN) models, and are applied to the PRIDE SBox-4 block across conventional CMOS-style circuits and secure Sense Amplifier-Based Logic (SABL) Dual Precharge Logic (DPL) structure circuits. Both FinFET and TFET device technologies are evaluated. The experimental results show that the optimized DLPA approach consistently outperforms traditional CPA attacks. The optimized DLPA method succeeds even against TFET-based SABL-DPL circuits, which are resistant to conventional techniques. These findings demonstrate the increased threat posed by DL-based SCAs and highlight the need for evaluating hardware security against advanced machine learning-based methods.

1. Introduction

Today, the market for electronics, including smart, connected IoT devices, is continuously expanding, and they are integral to both our professional and personal lives, often containing sensitive information that must remain confidential. The security vulnerabilities of these devices have led to an increased demand for security measures to prevent malicious attacks [1,2,3,4]. Despite employing mathematically secure algorithms, cryptographic devices may still leak information from their physical hardware when subjected to Side-Channel Attacks (SCAs) [3]. Physical characteristics such as timing delays [2], power consumption [3], and electromagnetic emanations [5] during device computation with secret data (key) serve as the main leakage points that are exploited by SCAs to reveal sensitive information. Correlation Power Analysis (CPA) [6,7] is a non-profiled power-based Side-Channel Attack (SCA) method and belongs to the category of Dynamic Power Analysis. CPA is considered to be a variant of Differential Power Analysis (DPA) [8]. In CPA attacks, adversaries collect power consumption traces from the target device along with the corresponding input values, and apply statistical correlation techniques to extract the secret key.

In order to counter power analysis attacks, Dual Precharge Logic (DPL) circuit styles have been introduced. Additionally, due to the band-to-band tunneling (BTBT) principle, circuits with Tunnel Field Effect Transistor (TFET) technology can have enhanced DPA attack resilience while consuming less power than their CMOS counterparts [9,10]. The sense amplifier-based logic (SABL) style is a recent DPL style topology proposed for secure circuit design [11,12]. In [13], an SABL-DPL structure with TFET technology was proposed and was demonstrated to have a high SCA resiliency against DPA attacks. This will be one of the reference designs analyzed in this work against Artificial Intelligence (AI) attack methods.

With the rise of AI, Deep Learning (DL) techniques have found application across various domains. Deep Learning-based Side-Channel Attack (DL-SCA) has become a hot topic of research since 2016 [14,15,16]. Hackers leverage DL-based SCAs to breach secure systems, exploiting their superior strength and efficiency compared to traditional methods. Consequently, encrypted information from secure circuits, previously resistant to traditional SCAs, can be vulnerable to DL-based approaches. Recent research studies show that the DL-SCA method may offer many advantages over the traditional SCAs, such as preventing the need for preprocessing [17], robustness to different masking, hiding countermeasures [14,18], and so on. Just like traditional SCAs, Deep Learning techniques can be applied in both profiled SCAs and non-profiled SCAs. In [14,19], DL techniques were applied to conduct profiled SCAs. H. Maghrebi et al. employed various types of Neural Networks, such as CNN and MLP, in profiled SCAs [14], demonstrating their superiority over Template Attacks, a form of profiled SCA. E. Cagli et al. [20] demonstrated the effectiveness of CNN in handling de-synchronized traces, a common challenge in SCAs, due to the translation invariance property of CNN. Traditionally, SCAs fail when dealing with de-synchronized traces. Moreover, Data Augmentation, when applied in CNN, enhances training set size and attack outcomes. Profiled SCAs require accessing a pair of identical devices, one profiled device and one target device. On the other hand, non-profiled attacks, also known as non-invasive Side-Channel Attacks, do not require a profiling device. Non-profiled SCAs with Deep Learning technologies, like Deep Learning Power Analysis (DLPA) [21], demonstrate a stronger and more effective ability to conquer target devices than traditional CPA attacks. However, the original DLPA algorithm was evaluated using artificially generated simulation data and publicly available databases. When applied to data obtained by simulating secure circuits, the traces may exhibit minimal differences, making it difficult to distinguish between classes. This can lead to either success or failure across all datasets. To address this limitation, this study optimizes the original DLPA algorithm.

In this paper, SCAs with Deep Learning techniques are applied to Dual Pre-charge Logic (DPL)-style secure cryptography circuits and also conventional CMOS-style circuits to evaluate their SCA-resilient performance. Both FinFET and TFET technologies are evaluated. The proposed DL-based SCA attack performance is compared to the results of traditional CPA attacks. Our results confirm that DL-based attacks can succeed against even TFET-based SABL-DPL structure security circuits. All the results are derived from HSpice simulations and therefore may not fully capture the actual silicon process variations and noise present in real-world SCA implementations. Nevertheless, they provide valuable early-stage insights into the behavior of both traditional SCAs and DL-based SCAs on FinFET and TFET technologies.

2. Materials and Methods

2.1. Side Channel Attack Target: Device Scheme and Circuit Implementations

This research evaluates the resistance of both conventional CMOS-style circuits and SABL-DPL structure circuits in FinFET and TFET technologies to SCAs, by employing Deep Learning-based techniques and the traditional Correlation Power Analysis (CPA).

2.1.1. Cryptographic Device Scheme

In this paper, a case study involving optimized DLPA attacks and CPA attacks applied to the design of PRIDE SBox-4 is investigated. PRIDE is a lightweight block cipher from [22]. It is a Substitution–Permutation Network (SPN) structure block cipher, whose algorithm uses a 64-bit input plaintext and a 128-bit key for encryption with a total of 20 rounds. Specifically, similarly to many power analysis attacks targeting the non-linear operation block (SBoxes) in the secure algorithm, this research focuses on the four-bit substitution box (SBox-4) implemented by the PRIDE algorithm, which is the most vulnerable block of this cipher. In the field of Side-Channel Analysis (SCA), the AES encryption algorithm is frequently employed as a benchmark cryptographic scheme [23,24]. Compared to the lightweight PRIDE algorithm, AES is considerably more complex. In this study, PRIDE is chosen over AES because SCA researchers typically implement AES on FPGAs, whereas the present work investigates encryption at the transistor level, using FinFET and TFET device models. At present, no FPGA platforms are based TFET technologies, and a direct transistor-level implementation of the AES S-box (SBox-8) is infeasible in this study, as it requires more than 1000 logic gates. Moreover, the objective of this paper is to evaluate the performance of both Deep Learning–based SCA and traditional SCA on FinFET and TFET devices. The fundamental principles of SCA remain consistent regardless of whether AES or PRIDE is employed.

The SBox-4 in PRIDE has four-bit inputs ($x_0-x_3$) and four-bit outputs ($y_0-y_3$). The substitution functions of SBox-4 are described by the Equations (1)–(4) shown below:

$$y_3=x_1\oplus x_3{x}_2,$$

(1)

$$y_2=x_0\oplus x_2{x}_1,$$

(2)

$$y_1=x_3\oplus y_3{y}_2,$$

(3)

$$y_0=x_2\oplus y_2{y}_1$$

(4)

To build the SBox-4 block, four two-input XOR gates and four two-input AND gates are required. In this case study, conventional CMOS-style circuits and SABL-DPL structure circuits are used to build the SBox-4 separately, and then are simulated. Furthermore, both FinFET and TFET technologies are used and tested in this research.

The ultimate goal of the SCAs is to obtain the key K of the encryption device. For the simulation-based non-profiled SCAs, it is often assumed that the inputs D and the encryption algorithm are known by the hackers. In this case, it doesn’t matter whether the outputs V are known or not, because hackers can deduce them from the inputs and the encryption algorithm. The cryptographic device scheme used in this case study is shown in Figure 1, where the inputs $d_i$ are 1000 randomly generated four-bit plaintexts, the key $k^{*}$ is a four-bit secure key, and the four-bit outputs $V_{i,k^{*}}$ are produced after the XOR operation of plaintexts and secure key, and then through the SBox-4 block. Additionally, the power traces $T_i$ of the SBox-4 are measured, which will be used to provide the required data for the traditional CPA attacks and the DL-based SCAs later.

2.1.2. CMOS-Style Circuits

The standard CMOS logic style circuits, as shown in Figure 2, often present a strong relationship between processed data and power consumption, which could be exploited by the power analysis attacks. With the increased demand for security applications, other logic style circuits need to be studied to protect secure keys from power analysis attacks.

2.1.3. SABL-DPL Structure Circuits

Dual Precharge Logic (DPL)-style circuits have two operation phases: the precharge phase and the evaluation phase. Compared with conventional standard logic style circuits, which can only provide the true output, DPL-style circuits could provide both the true and the complemented outputs each clock cycle. Moreover, the power consumption of each transition is almost the same, so it provides better security than the conventional CMOS-style circuits. The SABL-DPL structure is a widely used type of DPL style circuit, offering higher efficiency compared to other DPL variants [12]. Figure 3a exhibits the FinFET-based SABL-DPL structure, in which a differential pull-up network (DPUN) provides the true and complementary outputs and a differential pull-down network (DPDN) executes the logic function. The DPDN structures for the AND/NAND and XOR/XNOR gates are shown in Figure 4, which are the two logic functions used in the case study of this research.

Although the FinFET-based SABL-DPL structure circuit has performed well against traditional power analysis attacks, TFET device technology can improve the security level of the SABL-DPL structure circuit, and can reduce the power consumption at the same time, as shown in [13]. The TFET-based SABL-DPL structure circuit is shown in Figure 3b. In the FinFET-based SABL-DPL structure circuit, the device between the nodes N1 and N2 is always ON to equalize the voltage level of the two nodes. However, due to the unidirectional property of the TFET device, the current can only go in one direction, either from the source terminal to the drain terminal or from the drain terminal to the source terminal, depending on the type of device. An N-type TFET device pair, TN1 and TN2, is introduced to solve this issue. According to [25], there will be a bootstrapping phenomenon when the TFET technology is introduced to the SABL-DPL structure circuit. This phenomenon is caused by the capacitive coupling between two different bootstrapped nodes (shown in red and blue in Figure 3). Due to the unidirectional property of the TFET device, when the nodes’ voltage is higher than Vdd or lower than GND, the nodes can not discharge or charge. M. J. Avedillo and J. Nunez proposed a solution to this problem in [26]. The two N-type devices and two P-type devices, TN3, TN4, TP3, and TP4, are added to solve the bootstrapping phenomenon. The source terminal of the P-type device connects to the bootstrapped node. In order to discharge the undesired positive voltage, its drain terminal connects to Vdd, and its gate terminal connects to GND. Likewise, introducing an N-type TFET with its source connected to the bootstrapped node, its drain to GND, and its gate to Vdd makes it possible for this N-type device to charge the undesired negative node back to GND. In this way, the two TFET devices both connect to the bootstrapped node and solve the bootstrapping phenomenon.

2.2. SCA Algorithms

2.2.1. Correlation Power Analysis SCAs

Correlation Power Analysis (CPA) is usually considered as a variant of Differential Power Analysis (DPA), but in some of the literature it is also considered to be an independent category within the area of Dynamic Power Analysis, similar to the two original main categories, Simple Power Analysis and Differential Power Analysis [8].

The procedure of the CPA attack mechanism used in this case study is exhibited in Algorithm 1 as follows. There are two phases in the CPA attack algorithm. The data collection phase is step one in the algorithm. During the first phase, the transient power consumption of the SBox-4 block is measured with N randomly generated plaintexts $d_i$ as inputs. In this case study, there are 1000 plaintext input patterns ($N=1000$). The transient power consumption is measured by the transient analysis method in HSpice, and the measure step is set as 1ps. For each power trace $T_i$, the power consumption between 0 and 7 ns is collected. Therefore, there will be 7000 measure points $M_{i,n}$ per power trace. Only the measurement points within specific time intervals, corresponding to relevant switching activity, are selected for analysis.

Steps two to nine in the algorithm comprise the second phase: the correlation analysis phase. First of all, the hypothetical intermediate values $V_{i,k}$ are calculated by the known plaintext input and each guessing key k with the function of the XOR and then the SBox-4 block. Regarding to step four and five, there are slight differences between conventional CMOS-style circuits and SABL-DPL structure circuits. For the conventional CMOS-style circuits, information leaking may occur when the output of SBox-4 changes, so the Hamming Distance (HD) $H{D}_{i,k}$ is calculated from the current and previous hypothetical intermediate values. In contrast, because the precharge phase in SABL-DPL structure circuits will pull down the outputs to zero, the information may be leaked the moment that the clock cycle enters the next precharge phase from the current evaluation phase. Thus, Hamming Weight (HW) of the hypothetical intermediate values is calculated for SABL-DPL structure circuits. Then, the hypothetical power consumption $H_{i,k}$ is obtained based on either the Hamming Weight or the Hamming Distance power model. Finally, the power consumption of measure point $M_{i,n}$ at the same timestamp in each power trace $T_i$ is collected, and then its correlation with the hypothetical power consumption is calculated. In this way, the correct key $k^{*}$ could be found with the highest correlation.

Algorithm 1 Correlation Power Analysis Attack Algorithm

1: Measure N power traces $T_i$ with corresponding plaintext $d_i$ 2: for $k=0$; $k\le 2^{m-1}$; $k++$do 3:    Compute the hypothetical intermediate values $V_{i,k}$ 4:   Calculate the Hamming Weights value $H{W}_{i,k}$ or the Hamming Distance value $H{D}_{i,k}$ based on the hypothetical intermediate values $V_{i,k}$ 5:    Calculate the hypothetical power consumption $H_{i,k}$ with HW/HD power model 6:    for Each measure point $M_{i,n}$ in power trace $T_i$ do 7:      Calculate the correlation between the measured power at measure point and the hypothetical power consumption 8:    end for 9: end for 10: Find the correct key $k^{*}$ with highest correlation

2.2.2. Optimized Deep Learning Power Analysis SCAs

The application of Deep Learning in the field of non-profiled SCA has been explored in this research. Deep Learning Power Analysis (DLPA) was originally introduced in [21]. DLPA combines CPA-like hypotheses with Deep Learning training. Algorithm 2 outlines the procedure for a DLPA attack. Initially, similar to traditional CPA attacks, N power traces $T_i$ are collected from the target device alongside corresponding input plaintext $d_i$. For each potential secure key k, hypothetical intermediate values $V_{i,k}$ are computed using $V_{i,k}=F(d_i,k)$, where F represents the mathematical function of the target device. Additionally, hypothetical power consumption $H_{i,k}$ is derived from these intermediate values using power models like the HW model. Subsequently, Deep Learning training is performed using power traces $T_i$ as the training set and hypothetical power consumption $H_{i,k}$ as the corresponding labels. Successful training of the DL model, indicated by favorable training metrics such as highest accuracy and lowest lost, reveals the correct secure key $k^{*}$ through the set of labels $H_{i,k^{*}}$.

In this research, the DLPA algorithm is used as the basis for the DL-based SCAs method to attack a cryptographic device in Figure 1. Two different Deep Learning architectures, Multi Layer Perceptron (MLP) and Convolutional Neural Networks (CNN), are selected as the training model in the DLPA attacks. The criterion of the original DLPA algorithm is the highest accuracy and lowest loss. The key corresponding to the dataset with the highest accuracy and lowest loss is the key obtained after the DLPA attack. As mentioned in Section 1, the original DLPA algorithm, evaluated on artificially generated data and publicly available databases, struggles with real secure circuit simulations where trace differences are minimal. To address this, an optimized version is developed in this study, which deploys different model architectures and shifts the evaluation focus toward the model’s training dynamics. Specifically, the evaluation focuses on whether the model is easier to train on a given dataset, as indicated by consistently higher accuracy and lower loss during each epoch compared to other datasets.

Algorithm 2 Deep Learning Power Analysis (DLPA)

1: Measure N power traces $T_i$ with corresponding plaintext $d_i$ 2: Set training and validation datasets as $X_{training}+X_{validation}=T_i$ 3: for $k=0$; $k\le 2^{m-1}$; and $k++$do 4:    Compute the hypothetical intermediate values $V_{i,k}$ 5:    Calculate the hypothetical power consumption $H_{i,k}$ 6:    Set training label as $Y=H_{i,k}$ 7:    Perform Deep Learning training DL($X_{training}$,Y) for n epochs, and record $acc$ and $loss$ 8: end for 9: Compare $acc$ and $loss$ of each DL; the correct key $k^{*}$ leads to the best metrics

Since the goal is to compare the training difficulty across different datasets, factors such as learning rate, weight decay, and hyperparameter settings can significantly influence the model’s performance. To minimize these effects and ensure the stability and reliability of the conclusions, the optimized DLPA algorithm is trained using various combinations of learning rates, weight decay values, and hyperparameters. The model’s performance is then averaged across these configurations. To further reduce the impact of randomness, each hyperparameter combination is trained three times, and the results are averaged. Additionally, the dataset is shuffled before each training run.

The architecture detail of the proposed MLP model in this case study is listed:

• Dense input layer;
• Dense hidden layer with ReLU activation;
• Dropout layer with 0.3 drop rate;
• Dense hidden layer with ReLU activation;
• Dropout layer with 0.2 drop rate;
• Dense output layer with 16 neurons and softmax activation.

A four-layer MLP structure was used in optimized DLPA attacks. There is one input layer, two hidden layers, and one output layer. There are dropout layers following each hidden layer. ReLU was used as the activation function, Adam was selected as the optimizer, and Local Loss was selected as the loss function. With Local Loss, for samples that are easy to classify, that is, the samples with high prediction probability, the loss is automatically reduced, while for samples that are difficult to classify, the loss is relatively larger.

Alternatively, the architecture detail of the proposed CNN model is given as follows:

• 1D convolution layer with filters of size 3, ReLU activation, and stride of 1;
• 1D max pooling layer with pooling size of 2;
• 1D convolution layer with filters of size 3, ReLU activation, and stride of 1;
• 1D max pooling layer with pooling size of 2;
• Dense layer with 128 neurons and ReLU activation;
• Dropout layer with dropout rate of 0.3;
• Dense output layer with 16 neurons and softmax activation.

Regarding the CNN model in this optimized DLPA method, it has two convolution layers and two max pooling layers, followed by a dense layer and a dropout layer. At the end of the CNN model, a dense output layer with softmax activation is attached. In this CNN model, in order to maintain consistency with the MLP model and facilitate comparison, ReLU is again used as the activation function, Adam is selected as the optimizer, and Local Loss is selected as the loss function.

The argument settings and the hyperparameter ranges of each architecture are listed in

Table 1. Argument Settings and hyperparameter range of neural networks in pptimized DLPA attacks.

	MLP		CNN
	Conventional	SABL-DPL	Conventional	SABL-DPL
Loss Function	Local Loss
Optimizer	Adam
Batch Size	128
Epochs	200
Input Features	10	30	10	30
Learning Rate Range	0.0002, 0.00025, 0.0003
	(0.0008, 0.001, 0.0012) *		(0.0013, 0.0014, 0.0015) **
Weight Decay Range	0, 0.00001, 0.00002
First Layer Range	70, 75, 80, 85, 90	30, 36, 42, 48	256, 384	80, 96, 112
Second Layer Range	25, 27, 30, 32, 35	60, 68, 76, 84	128, 256	120, 160
Total Combinations	225	144	36	54

* Additional training combinations for MLP models; ** additional training combinations for CNN models.

. It can be seen in Table 1 that the input feature numbers for traditional CMOS-style circuits and SABL-DPL structure circuits are different. The time periods for collecting the transient power consumption during the attack are also different for these circuits. The specific time periods for collecting transient power consumption for each circuit will be introduced in Section 3.

For all circuit structures, the common learning rate used is 0.0002, 0.00025, and 0.0003. However, for the TFET-based SABL-DPL structure circuit, the optimized DLPA attack results show that all guessed keys perform similarly. Therefore, in order to further verify the attack results, additional learning rate combinations (0.0008, 0.001, and 0.0012) are used for training the MLP models and (0.0013, 0.0014, and 0.0015) are used for training the CNN models.

3. Side-Channel Attack Procedures and Results

3.1. Side-Channel Attack Flows

The CPA attack flow and optimized DLPA attack flow of this case study are shown in Figure 5 and Figure 6. The first few steps of these two attacks are similar. However, in the DLPA attack flow, the hypothetical power consumptions $H_{i,k}$ are set as the dataset labels. Also, unlike the measure points $M_{i,n}$ at the same timestamp that are used to calculate the correlations in the CPA attack flow, the power consumptions of measure points in the power traces are used together as the dataset for the training models. In total, 80% of the dataset is randomly selected as the training dataset, and the remaining 20% of power traces are used as the testing dataset.

The hypothetical power consumption models used for the two circuit styles are different. For CMOS-style circuits, the model is based on Hamming Distance. Since these circuits do not use a clock signal, their outputs switch directly in response to input changes, resulting in power consumption from both zero-to-one and one-to-zero transitions. Therefore, Hamming Distance is an appropriate model for capturing this behavior. Additionally, the attacked encryption scheme is PRIDE SBox-4. As shown in Section 2.1.1, the computation of intermediate variables involves dependencies (e.g., $y1$ depends on $y2$ and $y3$, and $y0$ depends on $y1$ and $y2$). Before the final output is generated, multiple internal transitions occur due to signal propagation delays. These intermediate flips contribute to the overall power consumption and must be considered when constructing the hypothetical power model. As a result, relying on a single measurement point (1 ps) is insufficient. In this case study, the measured power traces were averaged over every 60 points to capture the relevant switching activity. The resulting data was used in both traditional CPA and the optimized DLPA attacks. As previously noted in Section 2.2.2, this results in a ten-feature input for the DLPA model targeting CMOS-style circuits.

For SABL-DPL structure circuits, the hypothetical power consumption is modeled using Hamming Weight. These circuits operate under a clock and alternate between evaluation and precharge phases. When entering the precharge phase, all outputs are pulled down to zero. At this moment, only the outputs that were previously at logic high will switch, contributing to power consumption, while the outputs already at zero remain unchanged. Thus, Hamming Weight accurately reflects the switching activity in this phase. Because the relevant leakage occurs specifically during the precharge phase, only 30 measurement points around this event are selected for analysis. This is the reason the DLPA attacks for SABL-DPL circuits use 30 input features. Data from other parts of the trace is not useful and is excluded. Reducing the number of input features also simplifies the Deep Learning Model, lowers the computational cost, and significantly reduces the training time.

3.2. SCA Standard Metrics and Analysis

Measurements To Disclosure (MTD) is a common metric for measuring the safety of target circuits regarding DPA attacks [27,28]. MTD is the minimum number of power traces required to retrieve the correct key, so a smaller MTD means weaker resistance to DPA attacks, and the larger MTD, the safer the target circuit. Other standard metrics, such as Success Rate (SR) and Guessing Entropy (GE), are also frequently used to measure the target circuit’s resistance to DL-based SCAs [29]. SR or GE usually describes the average rank of the correct secret key from all the key hypotheses, which reveals the performance of DL models in recovering the secret key [30]. Imagine we assume that the size of the key space is K, the key guessing vector (representing the prioritized rank of guessing the correct key in a single attack) is $g=[g_1,g_2,\dots ,g_K]$, and the correct key for the attacked device is $k^{*}$. GE is the average rank of key $k^{*}$ in g. Therefore, when the GE constantly becomes equal to one, this attack attempt is considered as a successful attack [31]. One the other hand, SR is the probability that $g_1$ in the key guessing vector is equal to the correct key $k^{*}$. Thus, the closer SR is to one, the better the attack.

In this study, MTD is employed as the standard measure for evaluating traditional SCA attacks. Alternative metrics such as SR and GE are not adopted here, as the primary objective is to determine whether the DLPA attack succeeds on the target circuits rather than to conduct a comparative performance assessment. Moreover, in the optimized DLPA algorithm, numerous hyperparameter configurations are trained three times for each attack attempt, resulting in substantial computational overhead. Consequently, it is impractical to perform the thousands of training iterations required to derive GE or SR values across progressively increasing power traces.

3.3. SCA Results for Conventional CMOS-Style Circuits

In this case study, 1000 plaintext inputs are randomly generated, and the cryptographic device is simulated using three different secret keys: 0 (b’0000), 6 (b’0110), and 7 (b’0111), all under the same set of fixed inputs. Figure 7 presents the results of CPA attacks on the SBox-4 block implemented using conventional CMOS-style circuits with either FinFET or TFET technology, using key 7 as an example. The correlation values for the guessed key 7 are significantly higher than those for other key guesses, clearly indicating the correct secret key. Similar to the results with key 7, all CPA attacks using different secret keys on the SBox-4 in these configurations are successful, and the correct keys are successfully recovered.

As shown in Figure 7, the MTD of FinFET-based or TFET-based SBox-4 with conventional CMOS-style circuits are all smaller than 100, which means they have poor resistance to the CPA attacks. At the same time, it can be noted that the average MTD of the TFET-based circuit is larger than that of the FinFET-based circuit, which confirms that the CPA resistance of the TFET-based circuit is stronger than that of the FinFET-based one. After point-to-point Pearson correlation analysis, the maximum correlation value for the TFET-based circuit occurs at measurement point 67, which is later than the peak at point 66, which is observed for the FinFET-based circuit. This shift is attributed to the slower switching speed of the TFET circuit compared to the FinFET circuit.

The example results using the secret key 7 for optimized DLPA attacks with the MLP model on the FinFET-based and TFET-based SBox-4 blocks with conventional CMOS-style circuits are shown in Figure 8. The training settings and architectural details of the MLP model are provided in Section 2.2.2. As mentioned in the previous section, the dataset was randomly split into two groups: one for training (80%) and the other for validation (20%). The accuracy and loss performances were essentially the same for both the training dataset and validation dataset, so only the training dataset results are shown in Figure 8. The secret keys used in these experiments are still 0 (b’0000), 6 (b’0110), and 7 (b’0111), selected to ensure a fair comparison with the CPA attack results. The correct secret key 7 is successfully revealed by the optimized DLPA attacks using the MLP model on both the FinFET-based and TFET-based SBox-4 blocks. During training, the model with the correct secret key 7 keeps achieving significantly higher accuracy and lower loss compared to other key guesses. Similarly, the correct secret keys 0 and 6 are also successfully recovered using the optimized DLPA attacks with the MLP model.

In the same way, Figure 9 shows the example results using the secret key 7, displaying the training accuracies and losses for all key guesses when applying the CNN model to the same dataset. As shown in the figures, the model trained with data corresponding to the correct secret key 7 achieves significantly higher accuracy and lower loss than the other key guesses over each epoch. These results demonstrate that the optimized DLPA attacks using the CNN model can also successfully recover the correct secret key on conventional CMOS-style circuits.

3.4. SCA Results of SABL-DPL Structure Circuits

The same attack attempts are also applied to the SABL-DPL structure circuits in this case study. The example CPA attack results using the secret key 7 on the SBox-4 block with SABL-DPL structure circuits are shown in Figure 10. As observed in the figures, the correct secret key can still be revealed from the FinFET-based SBox-4 block with the SABL-DPL structure. The MTD is significantly higher compared to the conventional CMOS-style circuits, indicating improved resistance to CPA attacks. In contrast, the CPA attack results on the TFET-based SBox-4 block with the SABL-DPL structure show that the correlation values for the correct key are not significantly different from those of incorrect key guesses. Compared to their FinFET-based counterparts, the TFET-based SABL-DPL circuits demonstrate strong resistance to CPA attacks, further supporting the conclusion that TFET technology offers better CPA resilience. Other measurement results using secret keys 0 and 6 are consistent with this observation.

For comparison, the optimized DLPA attacks using the MLP model are also applied to the FinFET-based and TFET-based SBox-4 blocks with SABL-DPL structure circuits. As before, the secret keys selected are 0 (b’0000), 6 (b’0110), and 7 (b’0111). The example results for key 7, showing the accuracies and losses for all key guesses during MLP training, are presented in Figure 11. It can be observed that, for the FinFET-based SABL-DPL circuits, the dataset corresponding to the correct secret key achieves significantly a higher accuracy and lower loss than the other key guesses. This indicates that the optimized DLPA attack using the MLP model can successfully recover the correct key in this configuration. However, for the TFET-based SBox-4 block with the SABL-DPL structure, the accuracies across all key guesses are similar. Nevertheless, as shown in Figure 11d, the dataset corresponding to the correct key begins to show a trend of lower loss in the last few epochs of training. Zooming in on the last 50 epochs, as illustrated in Figure 12, shows this trend more clearly.

In order to verify this trend and ensure the reliability of the conclusion, a larger learning rate range was selected, and the average was taken after training for the new hyperparameter combination. In this study, the new learning rate was selected as 0.0008, 0.001, and 0.0012. The weight decay and hidden layer parameter ranges remained unchanged. The results are shown in Figure 13. It can be observed more clearly that the MLP-based optimized DLPA algorithm can find the correct secure key in the TFET-based encryption circuits, while the traditional CPA method cannot find it.

The optimized DLPA attack results using the CNN model on FinFET-based and TFET-based SBox-4 blocks with SABL-DPL structure circuits are shown in Figure 14. For the FinFET-based circuits, the correct secret keys can be successfully identified, as the training accuracy and loss for the correct key are clearly better than those for other key guesses. For the TFET-based SABL-DPL circuits, the accuracies and losses across all key guesses are generally similar, as shown in Figure 14c,d. However, a slight advantage in loss is observed for the correct key during the final training epochs. This trend becomes clearer when zooming in on the last 50 epochs, as illustrated in Figure 15. To further confirm this pattern, additional training was performed using a range of larger learning rates. For the CNN model, new learning rates of 0.0013, 0.0014, and 0.0015 were tested, while the weight decay and hidden layer parameters remained unchanged. The average results are presented in Figure 16. These results suggest that the CNN-based optimized DLPA method can also identify the correct key in TFET-based encryption circuits. Keys 0 and 6 were also tested and produced consistent results.

4. Discussion

This research exhibits a case study of CPA and optimized DLPA attacks on the PRIDE SBox-4 block with different circuit architectures and different device technologies. The attack results and computational cost are summarized in

Table 2. Attack results summary.

Attack Method	Circuit Style	Technology	Secure Key	Successful Attack?	MTD
CPA	Conventional Circuit	FinFET	0	☑	24
			6	☑	16
			7	☑	38
		TFET	0	☑	25
			6	☑	18
			7	☑	49
	SABL-DPL Structure	FinFET	0	☑	67
			6	☑	340
			7	☑	149
		TFET	0	□	>1000
			6	□	>1000
			7	□	>1000
Attack Method	Circuit Style	Technology	Secure Key	Successful Attack?	Computational Cost
MLP-DLPA	Conventional Circuit	FinFET	0, 6, 7	☑	8.8 h
		TFET	0, 6, 7	☑	8.7 h
	SABL-DPL Structure	FinFET	0, 6, 7	☑	1.5 h
		TFET	0, 6, 7	☑	1.6 h
CNN-DLPA	Conventional Circuit	FinFET	0, 6, 7	☑	7.2 h
		TFET	0, 6, 7	☑	7.3 h
	SABL-DPL Structure	FinFET	0, 6, 7	☑	2.7 h
		TFET	0, 6, 7	☑	2.8 h

. It can be concluded from the table that the circuits with TFET technology have better resistance to the CPA attacks than the FinFET technology. The conventional CMOS-style circuits are not safe to either CPA attack or optimized DLPA attack, no matter which technology is used. Compared to the conventional CMOS-style circuits, the SABL-DPL circuits can better resist CPA attacks. Although the FinFET-based SABL-DPL structure circuits can be successfully exploited by CPA attacks, the TFET-based SABL-DPL structure circuits completely resist the CPA attacks.

The optimized DLPA attacks can find the correct secure keys in all circuit structures and technologies investigated in this study. Tested circuits are not immune to optimized DLPA attacks with MLP models and CNN models. For the TFET-based secure circuits, the accuracies and losses of the correct secure key are not much different from that of the other guessing keys. However, zooming in on the training loss curves for the last few epochs, it can be observed that the performance of the correct key is slightly better (more visible) than the other keys when using a large learning rate range.

The optimized DLPA attack is able to extract the correct secret key from TFET-based SABL-DPL structure circuits, whereas the conventional CPA attack fails to do so. This discrepancy arises because DLPA leverages the entire power trace dataset during analysis, while traditional CPA techniques rely on a single measurement point per trace to compute Pearson correlations. Conventional CPA performs point-by-point correlation analysis and identifies the maximum correlation value for each guessed key at a specific time instance. However, in secure circuit designs—such as those employing SABL-DPL structures—the maximum Pearson correlation often does not correspond to the correct key. Notably, although the correct key may not exhibit the highest correlation at that specific time point, its correlation remains relatively elevated across a broader temporal range. This subtle pattern is inaccessible to conventional CPA attacks but can be exploited by Deep Learning Models such as MLPs or CNNs, enabling them to correctly identify the secure key.

However, as illustrated in Table 2, traditional SCA requires only a few minutes to compute the Pearson correlation, whereas the optimized DLPA attacks incur a significant drawback, necessitating several hours of training time.

In future works, the optimized DLPA algorithm will be used to attack other secure circuits or encryption structures, and we will investigate improved circuits against DLPA. For example, as described in [32], the reason why the SABL-DPL structure secure circuits cannot completely resist SCAs is that in their DPDN branch, there is a voltage difference between the internal nodes, which causes the two differential branches to start from different voltage values when entering the next phase, resulting in information leakage. Further modifications can improve this vulnerability. Moreover, process variation and noise modeling will be added to the simulations to minimize the gap between transistor-level simulations and the practical side-channel leakage observed in silicon measurements. Another promising application of Deep Learning–based Side-Channel Attacks is in the domain of post-quantum cryptographic algorithms, such as the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Notably, ML-DSA schemes such as CRYSTALS-Dilithium have already been shown to exhibit vulnerabilities to SCAs, as demonstrated in [33].

5. Conclusions

This paper explores the application of Deep Learning (DL) in power-based Side-Channel Attacks (SCAs). An optimized version of the Deep Learning Power Analysis (DLPA) algorithm is developed and evaluated using both Multi-Layer Perceptron (MLP) and Convolutional Neural Network (CNN) models. The optimized DLPA attacks are applied to the PRIDE SBox-4 block with conventional CMOS-style circuits and secure Sense Amplifier-Based Logic (SABL) Dual Precharge Logic (DPL) structure circuits, using both FinFET and TFET technologies. The attack performance is compared against traditional Correlation Power Analysis (CPA) results. The experimental results (simulation only) show that the optimized DLPA attacks, with both MLP and CNN models, outperform traditional CPA attacks. Notably, while CPA attacks fail against the TFET-based SABL-DPL structure circuits, the optimized DLPA methods successfully recover the correct secret keys. The preliminary simulation results demonstrate the potential of the proposed approach; nevertheless, further comprehensive analyses under realistic operating conditions (i.e., process variations, noise, and jitter) are required to substantiate its effectiveness and establish its broader applicability.