The Impact of Clock Frequencies on Remote Power Side-Channel Analysis Attack Resistance of Processors in Multi-Tenant FPGAs

Abstract

Field-programmable gate arrays (FPGAs) are widely used in cloud servers as an acceleration solution for compute-intensive tasks. Cloud FPGAs are typically multi-tenant, enabling resource sharing among multiple users but are vulnerable to power side-channel analysis (SCA) attacks due to their programmability and runtime dynamic reconfigurability. It is well-known that the clock frequencies of the circuits on multi-tenant FPGAs affect power consumption, but their impact on remote correlation power analysis (CPA) attacks has largely been ignored in the literature. This work systematically evaluates how clock frequency variations influence the effectiveness of remote CPA attacks on multi-tenant FPGAs. We develop a theoretical model to quantify this impact and validate our findings through the CPA attacks on processors running AES-128 and SM4 cryptographic algorithms. Our results demonstrate that the runtime clock frequency significantly affects the performance of remote CPA attacks. Our work provides valuable insights into the security implications of frequency scaling in multi-tenant FPGAs and offers guidance on selecting clock frequencies to mitigate power side-channel risks.

1. Introduction

With the advancement of cloud computing services, field-programmable gate arrays (FPGAs) have been widely deployed in cloud servers due to hardware parallelism and dynamic reconfigurability. Cloud FPGAs are widely used in cloud servers, to implement computation acceleration, such as machine learning, financial analytics, security, and video processing. Cloud FPGAs are generally multi-tenant to maximize resource utilization, enabling multiple users to share a single FPGA chip physically, while maintaining logical isolation. Since tenants share the power distribution networks (PDNs) of an FPGA in the cloud, the power side-channel presents a potential attack surface for malicious attackers. Attackers can leverage the programmable logic of the FPGA to implement power sensors, monitor the power consumption related to sensitive data computations within the victim’s circuit, and subsequently extract confidential information. As power side-channel attacks leverage data-dependent changes in power consumption, the dynamic power consumption generated by transistor switching is mainly exploited [1]. In multi-tenant FPGAs, attackers commonly deploy time-to-digital converters (TDCs) or ring oscillators (ROs) to monitor transient power fluctuations on the FPGA chip at high sampling rates, allowing them to infer the victim’s private information [2,3,4,5].

Additionally, in multi-tenant FPGAs, where attackers can not only monitor the PDN but also manipulate it to induce malicious voltage drops by power plundering circuits (e.g., RO), causing timing violations and subsequent faults in the circuits to reveal confidential information [6,7,8].

In previous studies, to prevent timing violations caused by voltage drops on the PDN, static frequency scaling (SFS) [5] and dynamic frequency scaling (DFS) [5,9] frameworks were applied. The SFS framework calculates the safe clock frequency based on the maximum delay difference caused by voltage drop and executes the circuits at a conservatively low clock frequency. The DFS framework dynamically scales the circuit clock frequency based on real-time voltage measurements and passively executes the victim circuit at a lower clock frequency. However, in multi-tenant FPGAs, computationally intensive workloads cause significant voltage drops due to the rapid switching of a large number of logic gates. Since these workloads are not instantaneous and often exhibit prolonged execution times, the circuit may operate at a reduced clock frequency for an extended duration. This may unexpectedly introduce new vulnerabilities to power side-channel analysis attacks. Therefore, our study aims to investigate the vulnerabilities introduced by frequency scaling to remote correlation power analysis attacks on multi-tenant FPGAs.

Reference [10] proposed a tunable dual-polarity TDC, introducing the following three dynamically adjustable parameters: transition polarity, sample window, frequency, and phase. Utilizing this tunable bipolar TDC as a power monitoring sensor on multi-tenant FPGAs for CPA attacks improved the ranking of the correct sub-key value by 2×.

By adjusting the transition polarity, sample window, frequency, and phase of the TDC, the moments when the victim circuit’s power consumption reaches its maximum can be more frequently exposed within the sampling points of the TDC. Similarly, for an unadjusted TDC, reducing clock frequency in the victim circuit may increase the occurrence of power consumption peaks within the TDC’s sampling points, thereby increasing the risk of correlation power analysis attacks.

The contributions of this paper are the following:

• To the best of our knowledge, we present the first theoretical analysis of unintended power side-channel leakage caused by changes in the victim circuit’s clock frequency.
• We characterize the performance of CPA with varying clock frequencies and phase relationships between the victim circuit and the TDC of an attacker using three metrics. The results confirm that a successful CPA attack requires fewer power traces when there is a specific relationship between phase and frequency.
• We present the CPA attack results of the AES-128 and SM4 algorithms on a Cortex-M0 operating at different clock frequencies to validate our theoretical analysis. Our study investigates the side-channel leakage phenomena of general-purpose processors on FPGAs when dynamically changing the clock frequencies.

The rest of the paper is organized as follows. The background is briefly explained in Section 2. Section 3 presents a theoretical analysis of unintended power side-channel leakage caused by the victim’s clock frequency changes. The experimental setup is presented in Section 4.1. Section 4 characterizes clock frequency and the phase relationships between the victim circuit and the TDC, and the CPA results are presented. The research limitations of this work and future developments are discussed in Section 5. The paper is concluded in Section 6.

2. Background

2.1. Threat Model of Multi-Tenant FPGAs

We adopt the widely accepted threat model described in numerous studies on electrical-level threats in multi-tenant FPGAs [11,12,13], as depicted in Figure 1. In this model, attackers can program an arbitrary design in a partial region of an FPGA shared with at least one victim user. There are no logic or clock signal connections between FPGA tenants, and each tenant has its own clock resource. We assume the victim utilizes their portion of the programmable logic for a security-related algorithm, such as a block cipher. The attacker and the victim are logically isolated on FPGA; they can only access the public resources on multi-tenant FPGAs, such as external I/O. Consequently, the remaining connections are facilitated through PDNs, making all possible attack surfaces side-channels.

The PDN can be equivalently modeled as an RLC network, where switching activity on the chip induces variations in the supply current, leading to voltage fluctuations within the PDN [14]. Other tenants sharing the same FPGA chip can also perceive these variations in the supply voltage, posing both reliability and security issues in FPGA multi-tenancy. The attacker is assumed to use FPGA logic to integrate a sensor that records side-channel information, such as voltage fluctuations, which can be analyzed to extract secret keys from cryptographic circuits implemented on the FPGA.

2.2. Voltage-Drop Sensors

Generally, RO and TDC are two types of voltage-drop sensors deployed on multi-tenant FPGAs [2,3,4,15,16]. The principle of both TDC and RO-based sensors is circuit delay, which is proportional to the supply voltage. Therefore, the change of sensor logic delay reflects the voltage fluctuation of victim circuits, which is relevant to the switching activity induced by manipulated data.

On FPGAs, ROs are typically constructed using look-up tables (LUTs), while TDCs are formed using delay lines built by cascaded CARRY4. The choice between RO-based and TDC-based voltage sensors primarily depends on sampling accuracy and voltage sensitivity. RO-based sensors are easier to implement but have lower sensitivity to instantaneous voltage changes and require longer sampling times. Conversely, TDC-based sensors can achieve higher sampling rates and exhibit greater sensitivity to instantaneous voltage changes, as the carry chains are more sensitive to delays caused by voltage drops [17]. For hardware acceleration, the circuits running on multi-tenant FPGAs typically operate at high clock frequencies. Thus, TDCs are commonly selected as sensors to measure transient voltage changes on multi-tenant FPGAs.

The schematic of the TDC-based delay sensor is shown in Figure 2. The TDC-based delay sensor features the following two input clocks: one drives the delay line, and the other samples the D flip-flops (DFFs) connected to the outputs of the delay line. These clocks typically operate at a high frequency and have a phase difference $\theta$, which is used to calibrate the outputs. The output range of the TDC sensor is adjustable and is referred to as the observed delay line. The direct output of the TDC is a binary vector of the propagation speed, which contains different numbers of consecutive zeros and ones, and needs an encoder to convert it as a readable output. For example, in our design shown in Figure 2, the TDC length is 160, with each set of four binary outputs corresponding to one encoder. Moreover, the final output is the sum of the outputs of 40 encoders. The 40 encoders convert the 160-bit input into a readable 8-bit integer output. This vector of the propagation speed is captured as a discrete-time signal, referred to as a power trace, and can be analyzed to infer confidential information from the circuit.

2.3. Correlation Power Analysis Attack

In 2004, reference [18] proposed the CPA attacks based on Pearson’s correlation coefficient, which is an efficient technique to extract the key of the cipher.

Measuring the power traces of cipher hardware running with different plaintext is necessary for CPA attacks. Let P denote the number of collected power traces and T denote the length of each power trace. For CPA attacks, the raw data of the collected power traces can be represented as a matrix O of size $P\times T$. The steps of CPA attacks are as follows:

• Select an appropriate intermediate value v that must be related to both the confidential information and the known input plaintext. The choice of v depends on the targeted encryption algorithm and the leakage characteristics of the target hardware implementation. For the AES algorithm, commonly used intermediate values in CPA attacks are the output of the first round AddRoundKey or the first output of the S-box.
• Compute the intermediate values for all possible keys k, based on the corresponding input plaintext p, to generate an intermediate value matrix V of size $K\times P$.
• Choose an appropriate power model and compute the hypothetical power consumption matrix H for the intermediate value matrix V. Common power models include the Hamming weight (HW) model and the Hamming distance (HD) model. For example, for recovering byte 0 of the AES first round key using the S-box output as intermediate values, the element h of the hypothetical power consumption matrix H can be expressed as follows:

  $$h_p^k=HW(SBox(b_p^0\oplus k)$$

  (1)

  where $b_p^0$ is byte 0 of the plaintext p, and $HW$ denotes the Hamming weight.
• Calculate the Pearson correlation coefficient between the hypothetical power consumption matrix H and the observed power consumption matrix O, resulting in a correlation coefficient matrix R of size $K\times T$. Each element $r_{k,t}$ can be expressed as Equation (2), where $t_{p,t}$ represents the value of the t-th sample point in the power trace corresponding to the plaintext p.

  $$r_{k,t}={\displaystyle \frac{{\sum }_{p=0}^{P-1}(h_{p,k}-\overline{h_k})(t_{p,t}-\overline{t_t})}{\sqrt{{\sum }_{p=0}^{P-1}{(h_{p,k}-\overline{h_k})}^2{\sum }_{p=0}^{P-1}{(t_{p,t}-\overline{t_t})}^2}}}$$

  (2)
• Rank all possible keys k based on the magnitude of their correlation coefficients, with the key having the highest correlation coefficient being ranked first as the guessed key.

3. Theoretical Analysis of Clock Frequency Impact on the Power Side-Channel

3.1. Power Side-Channel

In CMOS circuits, dynamic power is the primary source of power consumption and is related to the secret data processed by the circuits, making it exploitable as a side-channel. The power side-channel analysis attack aims to extract specific confidential information by analyzing the data-dependent power consumption of a cryptographic implementation. The dynamic power of the CMOS circuit is expressed as Equation (3), consisting of switching power consumption $P_{sw}$ and short-circuit power consumption $P_{sc}$ [19,20]. $\alpha$, C, $V_{DD}$, f, $I_{peak}$, and $t_{sc}$ represent the switching activity factor, load capacitance, supply voltage, clock frequency, peak current and shortcut-circuit time, respectively.

$$\begin{array}{cc}\hfill P_{dyn}& =P_{sw}+P_{sc}\hfill \\ \hfill & =\alpha ·C·V_{DD}^2·f+V_{DD}·I_{peak}·t_{sc}·f\hfill \end{array}$$

(3)

As shown in Figure 3, after the rising edge of the clock, the supply current from the PDN to the circuit reaches its maximum, which will cause detectable voltage fluctuations on the PDN [21]. Attackers usually sample power consumption at a fixed sampling frequency. Therefore, whether the sampling point overlaps with the time window of detectable voltage fluctuations, $t_{pvalid}$, will greatly influence the quality of the power trace. When the sampling point overlaps with $t_{pvalid}$, the power consumption that can be used for power analysis attacks in the power trace accounts for a large proportion. It can be considered that the signal-to-noise ratio of the power trace is high at this time, leading to the improvement of the CPA attack performance. Next, we will quantitatively analyze the factors that affect the quality of the power trace.

3.2. Mechanism of Clock Frequency Impact

To explain how changes in the clock frequency of the victim circuit affect the performance of the CPA attack, we assume the attacker collects power traces at a fixed sampling frequency, given that the attacker lacks knowledge of the victim’s clock phase or frequency. Typically, circuits on cloud FPGAs employ timing elements sensitive to rising clock edges. When the victim circuit’s clock is at a rising edge, the logic gates switch, causing significant current changes, leading to detectable voltage fluctuations in the PDN. Consequently, if the attacker’s sampling points align with the victim circuit’s clock-rising edge, the power sensor can detect more apparent voltage fluctuations.

As shown in Figure 4, we denote the phase difference between the attacker’s sampling clock and the victim’s runtime clock as $\varphi$. The attacker’s sampling clock frequency is $F_{\mathit{Attacker}}$, and the victim circuit’s runtime clock frequency is $F_{\mathit{Victim}}$. The positions of rising edges of the victim’s runtime clock can then be expressed by Equation (4), where n is a non-negative integer.

$$t_{victim}\left(n\right)={\displaystyle \frac{n}{F_{\mathit{Victim}}}}$$

(4)

The attacker’s sampling point can be described by Equation (5), where m is also a non-negative integer.

$$t_{attacker}\left(m\right)={\displaystyle \frac{m}{F_{\mathit{Attacker}}}}+\varphi , \varphi \in \left[-\pi ,\pi \right]$$

(5)

The current variations and voltage fluctuations on the PDN last for a duration. If the attacker’s sampling points coincide with this time window, they can still detect significant voltage fluctuations. We define the time window of a detectable power consumption change on the PDN as $t_{pvalid}$. Thus, when the attacker’s sampling point meets Equation (6), this sample point is effective for power analysis attacks, referred to as a valid sample point.

$$\Delta ={\displaystyle \frac{n}{F_{\mathit{Victim}}}}-{\displaystyle \frac{m}{F_{\mathit{Attacker}}}}+\varphi , \Delta \in [0,t_{\mathit{pvalid}}], n,m\in \mathbb{N}$$

(6)

As illustrated in Figure 4a,c, when the phase difference ${\varphi }_1$ between the attacker’s clock and the victim circuit’s clock is small, increasing the victim circuit’s clock frequency raises the proportion of valid sample points among all sample points, making extracting useful information easier for CPA attacks. Conversely, as depicted in Figure 4a,b, the large phase difference ${\varphi }_2$ can cause the attacker’s sampling clock to fall outside the PDN voltage fluctuation window, making it harder to extract information from power traces.

Since the current variations are maximal near clock-rising edges of victim circuits, the information of the valid sample points provided to power analysis attacks varies, as shown in Figure 3. To characterize this effect, we apply a weighted average to derive the effective power quantity (EPQ). The weight $w_p$ of the effective power within $t_{\mathit{pvalid}}$ is modeled as decreasing linearly with the time difference between the attacker’s sample point and the victim circuit’s clock-rising edge, as expressed in Equation (7).

$$w_p=1-{\displaystyle \frac{\Delta }{t_{\mathit{pvalid}}}}$$

(7)

Thus, EPQ can be expressed as Equation (8), where M is the total number of sample points in a power trace.

$$EPQ={\displaystyle \frac{{\sum }_m^M{w}_p}{M}}$$

(8)

To further validate our theory, we conduct CPA attacks to extract the keys of the AES and SM4 algorithms running on a Cortex-M0 softcore.

4. Results and Analysis

4.1. Experimental Setup

Our experimental platform is the Zedboard with Xilinx Aritx-7 FPGA (xc7z020clg484-1) and a ZCU102 board with a Xilinx Zynq UltraScale+ FPGA (xczu9eg-2ffvb1156-2-e).

The victim circuit is an ARM Cortex-M0 running block cipher algorithm. We utilize the open source netlist format RTL code of the ARM Cortex-M0 to implement it on FPGA. In our experiments on cryptographic algorithms, we evaluated two types of block ciphers, AES-128 and SM4, selecting the output of the first-round SBox as the attack point. We choose the HW model as our power consumption model. The target of CPA attacks is to extract the round key of the first round. For the AES algorithm, denote the sub-key as $k^i$, the byte i of plaintext as $b_p^i$, and the SBox operation as $Sbox\left(\right)$. The hypothesis power consumption of AES is expressed in Equation (9).

$$h_p^k=HW\left(Sbox(b_p^i\oplus k^i)\right)$$

(9)

For the SM4 algorithm, because the first round does not involve the first byte of the plaintext, we set the first byte of the plaintext to zero, which is commonly used to improve the efficiency of attacking the SM4 algorithm [22]. Thus, the hypothesis power consumption for the SM4 algorithm is described by Equation (10).

$$h_p^k=HW\left(Sbox(b_p^1\oplus b_p^2\oplus b_p^3\oplus k^i)\right)$$

(10)

To avoid the impact of re-layout and routing on the clock, we utilized the dynamic reconfiguration capability of the Xilinx clock management tile (CMT) to adjust the frequency of the victim circuit and the TDC sampling clock frequency [23]. Each Xilinx CMT includes a mixed-mode clock manager (MMCM) and a phase-locked loop (PLL), and we utilize the MMCM to implement dynamic reconfiguration. For multi-tenant FPGAs, there is usually a common global clock, and then the clock is distributed to each tenant through interconnection [24]. In our experiment, $F_{Victim}$ and $F_{Attacker}$ are derived from the same common base clock, which is in line with the general scenario on cloud FPGAs.

We used the same encryption key and randomized plaintext to ensure consistency across experiments. A 160-bit TDC sensor (observable delay lines with 160 elements) was used to record the power traces of the Cortex-M0 running at different clock frequencies. For Zedboard with Artix-7 FPGA, we applied four TDC sensors. For ZCU102 with Zynq UltraScale+ FPGA, we applied 16 TDC sensors. To reduce the noise, we average the power traces collected by multiple TDC sensors and average every 10 collected power traces as the final power trace.

To explore the impact of $F_{Victim}$, $\varphi$ and $F_{Attacker}$, we designed three sets of comparative experiments. The experimental conditions are shown in

Table 1. Experiments setup.

Experiment	$\mathit{\varphi }$	${\mathit{F}}_{\mathit{Attacker}}$
1	random	300 MHz
2	0	300 MHz
3	0	5 $\times F_{victim}$

.

In the first experimental setup, we consider a typical CPA attack scenario where the attacker collects power traces at a fixed sampling rate. Concurrently, the victim operates at a constant clock frequency. A random phase difference $\varphi$ exists between the victim’s clock and the attacker’s sampling clock. The phase alignment function of the CMTs is not enabled in this experiment, so the two clocks have a random phase difference when powered on. In the second set of experiments, the phase difference $\varphi$ between the clock of the attacked circuit and the attacker’s sampling clock is 0. The attacker collects power traces at a constant sampling rate while the victim operates at a fixed frequency to assess the impact of frequency on CPA attacks. In the final experiment, we maintain a zero phase difference but keep the sampling rate to five times the constant $F_{Victim}$ to further analyze its effect on CPA attacks.

4.2. CPA Evaluation Metrics

Following prior work, we employ multiple metrics to analyze the results of the CPA attack. The CPA attack sorts the sub-keys of the block cipher according to the correlation coefficient to obtain the most likely key value. To quantify the performance of the CPA attack from all aspects, we use the three most commonly used indicators, guessing entropy (GE), partial success rate (PSR), and minimum traces for disclosure (MTD) [25,26,27,28].

• GE: GE is an indicator based on the correlation coefficient matrix R. For byte i of the round key (referred to as sub-key $k_i$), all possible key byte guesses are ordered by their correlation coefficient in descending order to determine the rank of the correct key byte. The ranks for all correct key bytes are then summed logarithmically to calculate the GE, as illustrated in Equation (11). We use t to indicate the number of traces used to calculate this GE.

  $$G{E}_t=\sum _{i=1}^{K}lo{g}_2\left[rank\left(k_i^{correct\_key}\right)\right]$$

  (11)
  A lower GE signifies lower average ranks across all key bytes, typically indicating that more key bytes have been successfully recovered. A GE value of 0 means that all key bytes have been recovered. In practice, a CPA attack is considered successful if the GE value falls below a predefined threshold, enabling the recovery of key bytes with reasonable computational effort. It should be noted that a low GE value does not guarantee the correct sub-key ranks first, as erroneous sub-keys may still be present. Thus, GE is not a reliable metric for assessing CPA attack performance in recovering all sub-keys. Only GE = 0 indicates full sub-key recovery.
• PSR: We also use the PSR calculated as Equation (12) to evaluate the effectiveness of CPA attacks in recovering the sub-keys.

  $$PS{R}_t={\displaystyle \frac{N_i^{ck}}{N_{total}}}\times 100\%$$

  (12)
  In Equation (12), $N_i^{ck}$ denotes the number of correctly estimated sub-keys using i traces. $N_{total}$ denotes the number of total sub-keys. We use t to indicate the number of traces used to calculate this PSR. For example, $PS{R}_{20,000}=100\%$ means that all sub-keys are correctly retrieved using 20,000 traces.
• MTD: The minimum number of traces needed to recover the key. If the MTD value is smaller, it proves that it is easier to recover the key through the CPA attack.

When all sub-keys are successfully recovered, we employ the MTD to quantify the efficacy of CPA. Conversely, when CPA fails to extract all sub-keys, we utilize GE and PSR to assess the efficacy of CPA. For the SM4 algorithm, there are only 4 sub-keys per round, while AES-128 has 16 sub-keys, so the MTD of the SM4 algorithm is generally smaller than the MTD of the AES-128 algorithm. The maximum GE value of CPA attacks on the SM4 algorithm is 32 while for the AES-128 algorithm is 128.

4.3. Random $\varphi$ and Fixed $F_{Attacker}$

Our first set of experiments assumes that the attacker collects power traces at a fixed sampling frequency. The attacker does not know the clock phase of the attacked circuit, so when collecting power traces, there is a random phase difference between the attacker’s sampling clock and the clock of the attacked circuit. This scenario represents the most generalized remote CPA attack targeting the multi-tenant FPGA.

We use the same bitstream to perform CPA attacks on each FPGA platform, the physical structure of the circuit is the same, but different values of $F_{Victim}$ are applied during the operation. We repeat the experiment five times for each $F_{Victim}$ to assess the effect of the initial random phase difference and eliminate the interference of factors such as noise.

Figure 5 and Figure 6 illustrate the trends in MTD versus $F_{Victim}$ on Artix-7 FPGA and UltraScale+ FPGA. On Artix-7 FPGA, because when $F_{Victim}=60$ MHz, even if 30,000 power traces are collected, there are always some sub-keys that cannot be extracted successfully, so the MTD value of $F_{Victim}=60$ MHz is missing in Figure 5a. There is a large difference in MTD values between different CPA attacks in Figure 5 and Figure 6, because of the random phase difference between the two CMTs at restart. Furthermore, our results indicate that the UltraScale+ FPGA exhibits higher MTD of CPA attacks than the Artix-7 FPGA. The higher MTD values of the UltraScale+ FPGA are attributed to more available hardware resources and the use of fewer percent resources for equivalent circuit implementations, leading to voltage drops that are more difficult to detect.

For the case of random $\varphi$, we use the theoretical model in Section 3.2 to calculate the EPQ corresponding to each $F_{Victim}$ at a sampling frequency of 300 MHz in the range of $-{180}^{\circ }$ to ${180}^{\circ }$ with a step size of $\varphi$ in ${30}^{\circ }$. Because $t_{pvalid}$ in the model only depends on the physical structure of the circuit, we set $t_{pvalid}$ to a fixed value of 1.5 ns for Artix-7 FPGA and 1.1 ns for UltraScale+ FPGA (derived from the Vivado implementation report) when modeling.

The EPQ values simulated by the model are shown in Figure 7, where Figure 7a corresponds to EPQ calculated on Zedboard with Artix-7 FPGA and Figure 7b corresponds to EPQ calculated on ZCU102 with UltraScale+ FPGA.

Based on the model simulation results, the EPQ is significantly influenced by $F_{Victim}$ and the initial phase difference $\varphi$. Our experimental results also confirm this, and there is a large difference between MTDs for different CPA attacks because of the different $\varphi$ and different $F_{Victim}$.

First, consider the effect of $F_{Victim}$ during the victim circuit operation. When $\varphi$ stays constant, if the victim circuit changes its clock frequency, the EPQ value can increase. This means the ability to resist power analysis attacks becomes weaker, which raises the risk of unexpected side-channel leakage.

Next, consider the initial phase difference $\varphi$. According to the results calculated by the model, for some frequencies, the EPQ is greatly affected by $\varphi$, so in our experiments, the MTD value varies greatly between different CPA attacks at the same $F_{Victim}$.

4.4. Fixed $\varphi$ and Fixed $F_{Attacker}$

In our second experimental setup, we assume the attacker acquires power traces at a constant fixed sampling frequency $F_{Attacker}$, with an initial phase difference $\varphi$ of 0 between the attacker’s sampling clock and the victim circuit’s clock. Similarly, we repeat the experiment fitve times for each $F_{Victim}$ to eliminate interference from factors such as noise.

When $\varphi$ is fixed to 0, the CPA attack cannot obtain all sub-keys at a certain $F_{Victim}$, such as 55 MHz.Thus, we use GE and PSR to evaluate the performance of CPA. We compare the modeled EPQ with the GE and PSR of the CPA attack, and the results are shown in Figure 8 and Figure 9. Higher GE means worse CPA attack performance, so there should be a negative correlation between EPQ and GE. To make the relationship between the modeled EPQ and experimental GE easier to see, we use $1/EPQ$ in Figure 8a,b and Figure 9a,b. The modeled EPQs are represented by gray dashed lines, while the GEs and PSRs derived from five CPA experiments are illustrated as bar graphs. From Figure 8 and Figure 9, when $\varphi$ is 0, the trend of EPQs from our model with $F_{Victim}$ basically matches the performance trend of the actual CPA attack with $F_{Victim}$. This shows that the EPQ can correctly represent the relationship between CPA attack performance and $F_{Victim}$ when $\varphi =0$. Because we do not examine the exact relationship between EPQ, GE, and PSR. Thus, the minimum EPQ does not always match the $F_{Victim}$ value that is hardest to attack using CPA.

Nevertheless, when the EPQ is low, as observed at $F_{Victim}$ values of 35 MHz and 55 MHz, key extraction via CPA attacks on both AES and SM4 algorithms proves challenging.

4.5. Fixed $\varphi$ and Proportional $F_{Attacker}$

Our third set of experiments assumes that the attacker collects power traces at a sampling frequency five times the clock frequency of the attacked circuit, and the phase difference between the attacker’s sampling clock and the initial clock of the attacked circuit is 0. In this case, for any $F_{Victim}$, the total number of sample points collected is the same.

In the third set of experiments, the EPQs from the model are consistently 0.2 across all values of $F_{Victim}$ for both Artix-7 FPGA and UltraScale+ FPGA, which are higher than the EPQs obtained by modeling in experiments 1 and 2. Therefore, the expected CPA attack performance should be independent of $F_{Victim}$, and better than experiments 1 and 2.

Figure 10 and Figure 11 shows how MTD changes with $F_{Victim}$. To compare with the results of random $\varphi$ and fixed $F_{Attacker}$, the MTDs in Section 4.3 are plotted in gray. In the case of $F_{Victim}$ is 60 MHz on Artix-7 FPGA, 16 sub-keys of the AES-128 algorithm cannot be all extracted even with 30,000 traces, we use * in Figure 10a to indicate that the sub-keys are not completely extracted with 30,000 traces. It can be seen that for all $F_{Victim}$, the MTDs remain at a low level, indicating the CPA performance of fixed $\varphi$ and proportional $F_{Attacker}$ is much better than that of random $\varphi$ and fixed $F_{Attacker}$. Across the three groups of experiments, the third exhibited the lowest MTDs. Furthermore, the MTDs showed negligible variance across varying $F_{Victim}$ values, matching the expectations of the model calculation.

For different $F_{Victim}$, there are small fluctuations in MTDs, which may be caused by the noise of idle FPGA resources and dynamic power consumption of circuit components not related to encryption. Especially on UltraScale+ FPGA, because of less resource utilization on UltraScale+ FPGA. However, overall, for any $F_{Victim}$, there is no significant difference between MTDs.

5. Discussion and Future Works

Reference [29] mentioned that clock frequency affects the stability of the side-channel signal of long wire information leakage. However, the specific reasons for the impact have not been explored. We designed three sets of experiments to explore the impact of clock frequency on the power side-channel.

Based on the results of three sets of experiments, we can conclude that the changes of $F_{Victim}$ and $\varphi$ will cause the circuit to leak different amounts of information related to confidential data through power consumption. More specifically, when the SFS or DFS framework is implemented as a countermeasure to mitigate power attacks by a voltage drop, inappropriate clock frequency scaling can amplify power side-channel leakage, thereby increasing the vulnerability to correlation power analysis attacks. To the best of our understanding, no prior research has systematically assessed the unintended power leakage resulting from frequency scaling frameworks. Our research extends the security considerations of applying frequency scaling frameworks on multi-tenant FPGAs. We propose a simple and effective model to simulate the effects of the victim’s running clock frequency and the phase difference between the clocks of the attacker and victim by calculating EPQ. The results of model calculation and experiments show that these two factors significantly impact the performance of power side-channel analysis attacks. Therefore, when implementing frequency scaling frameworks on multi-tenant FPGAs for power attack mitigation, careful clock frequency selection is crucial.

We suggest integrating the dynamic clock frequency and phase adjustment within current frequency scaling frameworks to enhance the resistance of circuits in multi-tenant FPGAs against power analysis attacks. The dynamic clock frequency and phase adjustment introduce random misalignment in power traces, making it resist other types of power analysis attacks such as differential power analysis (DPA) or template attacks. The typical frequency scaling framework in reference [5] utilized the dynamic reconfiguration port (DRP) of the Xilinx CMTs. Because the CMTs can change the clock phase while config clock frequency at run-time, integrating this approach into the frequency scaling framework does not lead to hardware cost. In reference [30], the PLL’s multi-channel phase-shifted clock output is used, and a phase-shifted clock is randomly selected as the input clock using the pseudo-random number generator (PRNG) output. According to their results, the resistance of SCA improved by 2000× while introducing only an extra 20 LUTs, 64 registers, eight global clock buffers (BUFGs), and 2 PLLs. References [31,32] evaluates the cost and effect of utilizing Xilinx CMTs to achieve the random clock execution on multi-tenant FPGAs. Their experimental results verified that by only dynamically changing the clock frequency (without changing the clock phase), it is possible to protect against power analysis attacks such as traditional CPA and CPA with fast Fourier transform (FFT) preprocessing, and each of them introduces very little hardware overhead. The main hardware overhead is to use an additional MMCM to generate a dynamically configurable random clock. However, for circuits that have already applied the frequency scaling framework, no additional MMCM overhead will be generated. References [33,34] have proposed a frequency and phase randomization (FPR) method to mitigate CPA attacks, but they all need to instantiate multiple cores, resulting in large hardware overhead. The FPR method randomizes the clock of each core to create several power consumption peaks within one clock cycle, making it harder to align the power traces. Reference [33] implemented FPR on Xilinx PYNQ-Z2 board. The experiment results showed that with the frequency shift method, the MTD increased by 6.54× at best, and with the phase shift method, the MTD increased by 22.92× at best. Reference [34] implemented FPR on a multicore ASIC platform. The experiment results showed the FPR method doubled the MTD of CPA attacks. Integrating this approach into the frequency scaling framework can strengthen defenses against fault injection and power analysis attacks. Therefore, a way to combine the frequency scaling framework with random clock frequency and phase execution is the focus of one of our follow-up works.

However, our work still presents some limitations. We conducted the experiments at a fixed $F_{victim}$, the $F_{victim}$ was adjusted by the DFS framework and was not considered in our experiment. However, the DFS framework needs to receive feedback on real-time voltage changes, and the rate of $F_{victim}$ changes is relatively slow. Preprocessing methods, such as sliding window (SW) [35], dynamic time wrapping (DTW) [36], principal component analysis (PCA) [37], and FFT [38] can be applied to overcome the misalignment induced by $F_{victim}$ changes. In our follow-up work, we will further evaluate the performance of multi-tenant FPGAs against CPA attacks under the DFS framework. Moreover, the $t_{pvalid}$ value used in our model was directly obtained from the Vivado implementation report. However, due to the complexity of actual circuit implementations, integrating both simulations and experimental measurements to determine a more precise $t_{pvalid}$ value is necessary. Additionally, variations in the operating clock frequency can significantly impact the peak dynamic power of the circuit. We need to create a more accurate model to account for this impact in the future.

6. Conclusions

In this work, we proposed a model to fit the effect of the running clock frequency of the victim circuit and the phase difference between the victim’s clock and the attacker’s sampling clock on power analysis attacks in multi-tenant FPGAs, and we designed three sets of experiments to verify the model. Through theoretical analysis and experimental verification, it is verified that the model can fit the ability of multi-tenant FPGA circuits to resist CPA attacks at different operating clock frequencies. Due to the limitations of multi-tenant FPGAs, the sampling rate of the on-chip power sensor used by malicious attackers is typically limited to several hundred MHz. Consequently, users of multi-tenant FPGAs can use the EPQ model to determine the frequency value with minimal EPQ in the most conservative case ($\varphi =0$), ensuring that frequency scaling occurs at a lower EPQ. This study offers novel perspectives on frequency scaling within multi-tenant FPGA environments, which can critically enhance the security of applications deployed on multi-tenant FPGAs.