Abstract
Many side channels including power consumption, electromagnetic emanation, optical radiation, and even sound have been studied since the first publication of a side channel attack at the end of the 1990s. Most of these channels can be relatively easily used for an overall analysis of the cryptographic system (implementation of efficient passive attacks) or for injection of faults. Until recently, only the optical channel allowed both analysis of locally leaked information and precise injection of faults (single-bit errors). Recent works showed that the near-field electromagnetic channel enables similar results to be obtained. Like the optical channel, the near-field electromagnetic channel allows both active and passive attacks, which, in addition, can be theoretically non-invasive and contactless. However, the cost of the attack bench that is needed to exploit the near-field electromagnetic channel is less than that of an optical channel. Recently, we showed that it is possible to use the near-field electromagnetic channel to perform an efficient active attack targeting the true random number generator (TRNG) based on ring oscillators. In cryptography, TRNGs are chiefly used to generate encryption keys and other critical security parameters, so the proposed active attack could have serious consequences for the security of the whole cryptographic system. Here, we present the coupling of a passive attack and an active attack. The proposed coupled attack first uses a spectral differential analysis of the TRNG electromagnetic radiation to obtain valuable information on the position of ring oscillators and their frequency range. This information is then used to tune the electromagnetic harmonic signal to temporarily synchronize the ring oscillators. In this paper, we propose a fault model of the entropy extractor which shows that the behavior of the ring oscillators changes, and that it occurs additional and unwanted “fake rising edges” of the clock signal which disturb the flip-flops involved in such TRNGs. The effectiveness of our proposed coupled attack questions the use of ring oscillators in the design of TRNGs.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener M. (Ed.), In the proceedings of the 19th annual international cryptology conference, CRYPTO 1999, Springer, Lecture Notes in Computer Science, vol. 1666, pp. 388–397 (1999)
Quisquater, J.J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T.P. (Eds.), In the proceedings of E-smart, Springer-Verlag, lecture notes in computer science, vol. 2140, pp. 200–210 (2001)
Fischer, V.: A closer look at security in random number generators design. In: Proceedings of 3rd international workshop on constructive side-channel analysis and secure design, COSADE, pp. 167–182 (2012)
Simka, M.: Active non-invasive attack on true random number generator. In: Proceedings of the 6th PhD student conference, Technical University of Koice, Slovakia, pp. 129–130 (2006)
Simka, Martin, Milo, Drutarovsk, Viktor, Fischer: Testing of PLL-based true random number generator in changing working conditions. Radioengineering 20(1), 94–101 (2011)
Sunar, B., Martin, W.J., Stinson, D.R.: A provably secure true random number generator with built-in tolerance to active attacks. IEEE Trans. Comput. 56(1), 109–119 (2007)
Wold, K., Tan, C.H.: Analysis and enhancement of random number generator in FPGA based on oscillator rings. In: Proceedings of the international conference on reconfigurable computing and FPGAs, ReConFig 2008, pp. 385–390 (2008)
Bochard, N., Bernard, F., Fischer, V., Valtchanov, B.: True-randomness and pseudo-randomness in ring oscillator-based true random number generators. Int. J. Reconfig. Comput. Hindawi, Vol. 2010, ID 879281, p. 13
Markettos, A.T., Moore, S.W.: The frequency injection attack on ring-oscillator-based true random number generators. Cryptogr Hardw Embed Syst CHES, pp. 317–331 (2009)
Wold, K., Petrovi, S.: Robustness of TRNG against attacks that employ superimposing signal on FPGA supply voltage. In: Proceedings of the Norwergian information security conference, NISK, pp. 81–92 (2010)
Bayon, P., Bossuet, L., Aubert, A., Fischer, V., Poucheret, F., Robisson, B., Maurine, P.: Contactless electromagnetic active attack on ring oscillator based true random number generator. In: Constructive side-channel analysis and secure design, COSADE, pp. 151–166 (2012)
Poucheret, F., Robisson, B., Chusseau, L., Maurine, P.: Local electromagnetic coupling with CMOS integrated circuits. In: Proceedings of international workshop on electromagnetic compatibility of integrated circuits, EMC COMPO (2011)
Takahashi, J., Hayashi, Y., Homma, N., Fuji, H., Aoki, T.: Feasibility of fault analysis based on intentional electromagnetic interference. In: Proceedings of IEEE international symposium on electromagnetic compatibility, EMC, pp. 782–787 (2012)
Hayashi, Y., Homma, N., Mitzuki, T., Aoki, T., Sone, H.: Precisely timed IEMI fault injection synchronized with EM information leakage. In: Proceedings of the IEEE international symposium on electromagnetic compatibility EMC, pp. 738–742 (2014)
AIST, Side-channel Attack Standard Evaluation Board (SASEBO) http://staff.aist.go.jp/akashi.satoh/SASEBO/en/index.html
Evariste II: a modular hardware system for development and evaluation of cryptographic functions and random number generators. http://labh-curien.univ-st-etienne.fr/wiki-evariste-ii
Sauvage, L., Guilley, S., Mathieu, Y.: Electromagnetic radiations of FPGAs: high spatial resolution cartography and attack on a cryptographic module ACM transactions on reconfigurable technology and systems. Vol. 2, No. 1, Article 4 (2009)
Bayon, P., Bossuet, L., Aubert, A., Fischer, V.: Electromagnetic analysis on ring oscillator-based true random number generators. In: Proceedings of the IEEE international symposium on circuits and systems, ISCAS (2013)
Ben, S.D., Ramdani, M., Sicard, E.: Case studies EMC test-chips, low-emission microcontrollers. In: Electromagnetic compatibility of integrated circuits: technique for low emission and susceptibility, Springer, Chapter 6, 311–314 (2006)
Dong, X., Deng, S., Hubing, T., Beetner, D.: Analysis of chip-level EMI using near-field magnetic scanning. In: Proceedings of IEEE international symposium on electromagnetic compatibility, EMC, IEEE, pp. 174–177 (2004)
Bossuet, L., Fischer, V., Bayon, P.: Contactless transmission of intellectual property data to protect FPGA designs. In: Proceedings of the 23nd IFIP/IEEE international conference on very large scale integration, VLSI-SoC (2015)
Bossuet, L., Ngo, X.T., Cherif, Z., Fischer, V.: A PUF based on a transient effect ring oscillator and insensitive to locking phenomenon. IEEE Trans. Emerg Top. Comput. 2(1), 30–36 (2014)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bayon, P., Bossuet, L., Aubert, A. et al. Fault model of electromagnetic attacks targeting ring oscillator-based true random number generators. J Cryptogr Eng 6, 61–74 (2016). https://doi.org/10.1007/s13389-015-0113-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13389-015-0113-2