<?xml-model href='http://www.tei-c.org/release/xml/tei/custom/schema/relaxng/tei_all.rng' schematypens='http://relaxng.org/ns/structure/1.0'?><TEI xmlns="http://www.tei-c.org/ns/1.0">
	<teiHeader>
		<fileDesc>
			<titleStmt><title level='a'>Physical Design Strategies for Mitigating Fine-Grained Electromagnetic Side-Channel Attacks</title></titleStmt>
			<publicationStmt>
				<publisher></publisher>
				<date>2021 April</date>
			</publicationStmt>
			<sourceDesc>
				<bibl> 
					<idno type="par_id">10344195</idno>
					<idno type="doi">10.1109/CICC51472.2021.9431438</idno>
					<title level='j'>IEEE Custom Integrated Circuits Conference (CICC)</title>
<idno></idno>
<biblScope unit="volume"></biblScope>
<biblScope unit="issue"></biblScope>					

					<author>Meizhi Wang</author><author>Vishnuvardhan V. Iyer</author><author>Shanshan Xie</author><author>Ge Li</author><author>Sanu K. Mathew</author><author>Raghavan Kumar</author><author>Michael Orshansky</author><author>Ali E. Yilmaz</author><author>Jaydeep P. Kulkarni</author>
				</bibl>
			</sourceDesc>
		</fileDesc>
		<profileDesc>
			<abstract><ab><![CDATA[We present physical design strategies viz. (i) power grid shielding, (ii) power grid twisting, (iii) increased local decoupling capacitors with VSS shields, and (iv) isolated S-Box module]]></ab></abstract>
		</profileDesc>
	</teiHeader>
	<text><body xmlns="http://www.tei-c.org/ns/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xlink="http://www.w3.org/1999/xlink">
<div xmlns="http://www.tei-c.org/ns/1.0"><p>placement to improve the resilience of the Advanced Encryption Standard (AES-128) cryptographic core against fine-grained electromagnetic (EM) side-channel analysis (SCA). Localized EM field measurements are performed using a 0.5 mm radius H-field probe on 3 different, 40nm CMOS test-chips implementing 9 physical design configurations of the AES core. These physical design strategies show 2.45x, 1.51x, 2.61x, and 2.71x higher measurements to disclosure (MTD) respectively compared to the baseline design without incurring any power overhead. These strategies can be applied independently or optimally combined further improving fine-grained EM SCA resilience. Need for fine-grained EM SCA techniques: Data-dependent current switching causes information leakage through both EM and power side-channels in cryptographic modules <ref type="bibr">[1]</ref>. Compared to power attacks, EM SCA attacks are non-invasive and can be more potent. Typically, countermeasures against EM SCA focus on coarse-grained measurements using large-diameter EM probes <ref type="bibr">[2]</ref>. Such attacks have very low signal-to-noise ratio (SNR), as signals from information-leaking blocks are obfuscated by uncorrelated sources picked up by the probe resulting in a spatial-averaged EM profile. Fine-grained EM SCA attacks, on the other hand, scan a chip's surface using small probes in multiple orientations and can isolate high SNR configurations to recover secure information at a significantly lower cost <ref type="bibr">[3]</ref>. Simulations of fine-grained EM SCA attacks [4] using an EM probe of 50 &#181;m diameter and placed 75 &#181;m above an AES core, show that most of the 16 key bytes can be revealed within 1000 traces at 3 different locations (Fig. <ref type="figure">1a-1d</ref>). EM waveforms at optimal locations can further reduce measurements to disclosure (MTD) of key bytes, although with higher simulation cost. 
In this work, we systematically demonstrate four physical design strategies to mitigate fine-grained EM SCA vulnerability at no power cost and with a controlled area increase. Physical design strategies for fine-grained EM SCA resilience: 1. Power grid shielding: The EM emanations originating from leaking components in an AES core can be minimized by inserting internal metal shields. Four AES cores having different power grid designs are implemented in Chip-1 (Fig. <ref type="figure">2a</ref>). The baseline AES core (Design-1) floorplan is done with a flattened netlist using M1-M6 metal layers. Design-2 and Design-4 are built upon the baseline Design-1 but insert additional power/ground tracks in the M7 and M8 metal layers. Design-2 adds 8 sets of 3 &#181;m wide power grids on M7 and 8 sets of 4 &#181;m power grids on the M8 layer for both VDD and VSS rails. Design-4 adds 8 vertical 12 &#181;m M8 VSS stripes and 8 horizontal 10 &#181;m M7 VSS stripes which are shorted with via-7. These top two metal layers act as robust VSS shields and are connected to the VSS power ring outside the AES core. 2. Twisted power grids: In a conventional power grid, VDD and VSS metal lines are arranged in parallel. The supply current and the ground return current flow in opposite directions and generate EM fields surrounding the metal tracks. The magnetic field lines due to these two power grid lines carrying currents in opposite directions cancel partially at the far ends but add up in the middle, which can be readily sensed by optimal positioning of the EM probe and can reveal the underlying data-dependent signature. We propose the use of twisted power grids to mitigate the fine-grained EM SCA vulnerability (Fig. <ref type="figure">2b</ref>). 
Design-3 adds a twisted power grid with 8 sets of 2.5 &#181;m power grids on M7, while leaving some space for cross-layer twisting from above M8 layer, and 8 sets of 4 &#181;m VDD and VSS stripes which are twisted 7 times along the Y-direction on the M8 layer over the AES core. The periodic M8 layer power grid twisting can cancel the local EM fields symmetrically along the x- and y-orientations (Fig. <ref type="figure">2c-2d</ref>).</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3.">Local decoupling capacitors:</head><p>The EM emanations from the AES core can be minimized by lowering the peak switching current, which attenuates the SNR. This can be achieved by enabling local energy storage in the form of standard-cell-based decoupling capacitors (Decap). Decap cells are implemented as MOSFET capacitors and are placed adjacent to logic gates performing AES computations. Design-5 (Fig. <ref type="figure">3a</ref>) implements extra Decap cells consisting of a total of ~15 pF capacitance while incurring 20% larger area. Design-6, 7, and 8 are built upon Design-4 and include M7-M8 layer shields. Design-6 adds a dense 4 &#181;m wide M7 and M8 VSS shield which is connected to the power ring outside the AES core. Design-7 increases the width of the VSS shielding stripes to 10 &#181;m on M7 and 12 &#181;m on M8; Design-8 removes Via-7 to isolate the M7 and M8 VSS shielding layers from each other over the AES core. 4. Isolated S-box module placement: During the AES execution, the Substitute-Byte (S-Box) modules execute in parallel for all 16 bytes (Fig. <ref type="figure">3b</ref>). If all S-box logic is randomly placed, it can create one large current path due to the concurrent operation, creating high SNR. Design-9 separates the S-box and Mix-Column modules and places them in a 5 by 5 matrix evenly across the AES core (Fig. <ref type="figure">3c</ref>). Isolating S-box modules results in shorter current paths inside each module, lowering the SNR and thus improving fine-grained EM SCA resilience. Measurement results: Fig. <ref type="figure">4a</ref> and Fig. <ref type="figure">7</ref> show die-photographs of 3 different 40 nm CMOS test-chips implementing a total of 9 physical design strategies for the AES core to improve fine-grained EM SCA resilience. The fine-grained EM SCA attacks are implemented using a high-fidelity EM measurement setup (Fig. 
<ref type="figure">4b</ref>) and an adaptive acquisition protocol which rapidly isolates potent measurement configurations <ref type="bibr">[3]</ref>. The protocol is split into two phases: phase-I identifies initial configurations to recover key bytes from the AES module, and phase-II performs multiple, progressively constrained scans using a greedy search algorithm on the configurations identified by phase-I, to identify the optimal configuration. To observe the effect of countermeasures on probe orientation, phase-II scans are performed using a probe in x- and y-orientations. For each byte &#119887;, the orientation &#119900; with the lower &#119872;&#119879;&#119863; is chosen as the final MTD cost of recovering that byte. The automated, high-fidelity measurement setup (Fig. <ref type="figure">4b</ref>) uses a 0.5 mm radius H-field probe at a height of 0.1 mm above the package, scans an area of 8 mm &#215; 8 mm (Fig. <ref type="figure">5a</ref>), and uses a 30 dB amplifier to boost the captured EM signal strength. An MTD map is generated for each scan (Fig. <ref type="figure">5b</ref>) and the &#119872;&#119879;&#119863; is quantified by monitoring the correlations. EM measurements show that for the baseline design (Design-1), the peak-to-peak voltage on the last encryption cycle is ~110 mV (Fig. <ref type="figure">5c</ref>), the first byte requires MTD = 2520 measurements (Fig. <ref type="figure">5d</ref>) and the total cost of recovering all keys is &#8721; MTD = 34650 measurements (Fig. <ref type="figure">6a</ref>). The baseline design, with the smallest peak-to-peak voltage due to vacant M7 and M8 layers, still recovers keys with the lowest cost (Fig. <ref type="figure">6b</ref>). EM signal amplitude does not show a linear relationship with MTD, demonstrating that reduced EM sensor amplitude does not necessarily increase EM SCA resilience (Fig. <ref type="figure">6b</ref>). 
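
To make the MTD metric concrete, the following added Python example (not the authors' acquisition code) derives an MTD from running correlations, then applies the per-byte orientation choice and the total described above. It assumes simulated traces, the Hamming weight of one S-box output plus Gaussian noise, in place of probe measurements; the names simulate, mtd and final_cost are hypothetical.

```python
import math, random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        r ^= a * (b % 2)
        a = (a * 2) ^ (0x11B if a >= 128 else 0)
        b //= 2
    return r

def rotl(v, k):  # rotate an 8-bit value left by k
    return ((v * 2 ** k) % 256) | (v >> (8 - k))

# AES S-box: field inverse followed by the affine map; HW is the Hamming-weight table
INV = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
SBOX = [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in INV]
HW = [bin(v).count("1") for v in range(256)]

def simulate(key, n, sigma, rng):  # constructed traces: HW of one S-box output plus noise
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [HW[SBOX[p ^ key]] + rng.gauss(0, sigma) for p in pts]

def mtd(pts, traces, key, step=10):
    """Smallest trace count from which `key` stays the top-correlated guess, else None."""
    sh, shh, sht = [0] * 256, [0] * 256, [0.0] * 256
    st, first_ok = 0.0, None
    for n, (p, t) in enumerate(zip(pts, traces), 1):
        st += t
        for g in range(256):
            h = HW[SBOX[p ^ g]]
            sh[g] += h
            shh[g] += h * h
            sht[g] += h * t
        if n % step == 0:
            # Pearson numerator over the hypothesis spread; the trace spread is shared by all guesses
            var = [n * shh[g] - sh[g] ** 2 for g in range(256)]
            score = [(n * sht[g] - sh[g] * st) / math.sqrt(var[g]) if var[g] > 0 else 0.0
                     for g in range(256)]
            first_ok = (first_ok or n) if score[key] >= max(score) else None
    return first_ok

def final_cost(mtd_x, mtd_y):
    """Per byte keep the lower-MTD orientation; the total is None if any byte stayed hidden."""
    best = [min((m for m in pair if m is not None), default=None) for pair in zip(mtd_x, mtd_y)]
    return best, (None if None in best else sum(best))

if __name__ == "__main__":  # constructed demo: one key byte, quiet x- and noisier y-orientation
    rng, k = random.Random(1), 0x2B
    runs = [mtd(*simulate(k, 1500, s, rng), k) for s in (2.0, 6.0)]
    print(final_cost([runs[0]], [runs[1]]))
```

A countermeasure evaluation would feed measured traces per design and orientation into mtd and compare the totals returned by final_cost against the baseline design.
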
Creating a dense metal grid (Design-2) improves total MTD by 1.15x, which further improves to 2.45x with wider VSS shields (Design-4) (Fig. <ref type="figure">6c</ref>). Twisted lateral power grids improve fine-grained EM SCA resilience by 3x along the Y-direction and by 1.5x along the X-direction (Design-3). This suggests that power grid twisting along lateral as well as vertical directions can be robust against both X and Y directional EM SCA. Adding local Decaps increases resilience by 1.3x (Design-4), which can be improved to 2.67x by additional top metal shields (Design-8). Isolating S-box placement increases EM SCA resilience by 2.7x (Design-9). These physical design strategies do not incur power overhead (Fig. <ref type="figure">4c</ref>). Acknowledgments: This research is supported in part by Intel, Silicon Labs, and NSF. Authors thank TSMC for chip fabrication.</p></div></body>
		</text>
</TEI>
