Abstract
Since the first announcement of a Side Channel Analysis (SCA) about ten years ago, considerable research has been devoted to studying these attacks on Application Specific Integrated Circuits (ASICs), such as smart cards or TPMs. In this article, we compare power-line attacks with ElectroMagnetic (EM) attacks, specifically targeting Field Programmable Gate Array devices (FPGAs), as they are becoming widely used for sensitive applications involving cryptography.
We show experimentally that ElectroMagnetic Analysis (EMA) is always faster than the historical Differential Power Analysis (DPA) in retrieving keys of symmetric ciphers. In addition, these analyses prove to be very convenient to conduct, as they are totally non-invasive.
Research reports indicate that EMA can be conducted globally, typically with macroscopic home-made coils circling the device under attack, with fair results. However, as accurate professional EM antennas are now becoming more accessible, it has become commonplace to carry out EM analyses locally.
Cartography has been carried out by optical means on circuits realized with technology greater than 250 nanometers. Nonetheless, for deep submicron technologies, the feature size of devices that are spied upon is too small to be visible with photographic techniques. In addition, the presence of the 6+ metallization layers obviously prevents a direct observation of the layout. Therefore, EM imaging is emerging as a relevant means to discover the underlying device structure.
In this article, we present the first images of deep-submicron FPGAs. The resolution is not as accurate as photographic pictures: we notably compare the layout of toy design examples placed at the four corners of the FPGAs with the EM images we collected. We observe that EM imaging has the advantage of revealing active regions, which can be useful in locating a particular processor (visible while active---invisible when inactive).
In the context of EM attacks, we stress that the exact localization of the cryptographic target is not necessary: the coarse resolution we obtain is sufficient. We note that the EM imaging does not reveal the exact layout of the FPGA, but instead directly guides the attacker towards the areas which are leaking the most. We achieve attacks with an accurate sensor, both far from (namely on a SMC capacitor on the board) and close to (namely directly over the FPGA) the encryption co-processor. As compared to the previously published attacks, we report a successful attack on a DES module in fewer than 6,300 measurements, which is currently the best cracking performance against this encryption algorithm implemented in FPGAs.
- Agrawal, D., Archambeault, B., Rao, J. R., and Rohatgi, P. 2002. The EM side-channel(s). In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2523. Springer, 29--45. Google ScholarDigital Library
- Agrawal, D., Rao, J. R., and Rohatgi, P. 2003. Multi-channel attacks. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2779. Springer, 2--16.Google Scholar
- Archambeau, C., Peeters, É., Standaert, F.-X., and Quisquater, J.-J. 2006. Template attacks in principal subspaces. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. vol. 4249. Springer, 1--14. Google ScholarDigital Library
- Brier, R., Clavier, C., and Olivier, F. 2004. Correlation power analysis with a leakage model. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 16--29.Google Scholar
- Carlier, V., Chabanne, H., Dottax, E., and Pelletier, H. 2005. Generalizing square attack using side-channels of an AES implementation on an FPGA. In Proceedings of the International Conference on Field Programmable Logic. T. Rissa, S. J. E. Wilton, and P. H. W. Leong, Eds. IEEE, 433--437.Google Scholar
- Chari, S., Rao, J., and Rohatgi, P. 2002. Template attacks. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2523. Springer, 13--28. Google ScholarDigital Library
- Clavier, C., Coron, J.-S., and Dabbous, N. 2000. Differential power analysis in the presence of hardware countermeasures. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science. Springer-Verlag, London, UK, 252--263. Google ScholarDigital Library
- Drimer, S. 2008. Volatile FPGA design security---a survey. Version 0.96, http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf.Google Scholar
- Dyrkolbotn, G. O. and Snekkenes, E. 2007. A wireless covert channel on smart cards (Short Paper). In Proceedings of the International Conference on Information and Communication Security. Lecture Notes in Computer Science, vol. 4307. Springer, 249--259. Google ScholarDigital Library
- Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M. T. M. 2008. Physical cryptanalysis of keeloq code hopping applications. Cryptology ePrint Archive, Report 2008/058. http://eprint.iacr.org/.Google Scholar
- Fahn, P. N. and Pearson, P. K. 1999. IPA: A new class of power attacks. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 1717. Springer, 173. Google ScholarDigital Library
- Gandolfi, K., Mourtel, C., and Olivier, F. 2001. Electromagnetic analysis: Concrete results. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2162. Springer, 251--261. Google ScholarDigital Library
- Guilley, S., Hoogvorst, P., and Pacalet, R. 2004. Differential power analysis model and some results. In Proceedings of the World Computer Congress SmartCard Research and Advanced Application Conference. 127--142. Toulouse, France.Google Scholar
- Guilley, S., Hoogvorst, P., and Pacalet, R. 2007. A fast pipelined multi-mode DES architecture operating in IP representation. Integration, VLSI J. 40, 479--489. Google ScholarDigital Library
- Guilley, S., Sauvage, L., Danger, J.-L., Graba, T., and Mathieu, Y. 2008. Evaluation of power-constant dual-rail logic as a protection of cryptographic applications in FPGAs. In Proceedings of the International Conference on Secure System Integration and Reliability Improvement. IEEE, Yokohama, Japan, 16--23. Google ScholarDigital Library
- Guilley, S., Sauvage, L., Danger, J.-L., Selmane, N., and Pacalet, R. 2008. Silicon-level solutions to counteract passive and active attacks. In Proceedings of the 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS. 3--17. Google ScholarDigital Library
- Homma, N., Nagashima, S., Imai, Y., Aoki, T., and Satoh, A. 2006. High-resolution side-channel attack using phase-based waveform matching. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 187--200. Google ScholarDigital Library
- Kocher, P., Jaffe, J., and Jun, B. 1999. Differential power analysis. In Proceedings of the International Cryptology Conference (CRYPTO’99). Lecture Notes in Computer Science, vol. 1666. Springer-Verlag, 388--397. Google ScholarDigital Library
- Le, T.-H., Clédière, J., Canovas, C., Robisson, B., Servière, C., and Lacoume, J.-L. 2006. A proposition for correlation power analysis enhancement. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 4249. Springer, 174--186. Google ScholarDigital Library
- Le, T.-H., Clédière, J., Servière, C., and Lacoume, J.-L. 2007. Efficient solutions for signal misalignment in side channel analysis. In Proceedings of 32nd IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP). 257--260.Google Scholar
- Li, H., Markettos, A., and Moore, S. 11-14 Oct. 2005. A security evaluation methodology for smart cards against electromagnetic analysis. In Proceedings of the 39th Annual 2005 International Carnahan Conference on Security Technology (CCST’05). 208--211.Google Scholar
- Messerges, T. S., Dabbish, E. A., and Sloan, R. H. 1999. Investigations of Power Analysis Attacks on Smartcards. In Proceedings of the USENIX Workshop on SmartCard Technology. 151--162. Google ScholarDigital Library
- Mulder, E. D., Buysschaert, P., Örs, S. B., Delmotte, P., Preneel, B., Vandenbosch, G., and Verbauwhede, I. 2005. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In Proceedings of the IEEE International Conference on Computer as a tool (EUROCON). 1879--1882.Google Scholar
- NIST/ITL/CSD. 1999. Data Encryption Standard. FIPS PUB 46-3. http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.Google Scholar
- Örs, S. B., Oswald, E., and Preneel, B. 2003. Power-analysis attacks on an FPGA: First experimental results. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2779. Springer-Verlag, 35--50.Google Scholar
- Peeters, r., Standaert, F.-X., Donckers, N., and Quisquater, J.-J. 2005. Improved higher order side-channel attacks with FPGA experiments. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, J. R. Rao and B. Sunar, Eds. Lecture Notes in Computer Science, vol. 3659. Springer-Verlag, 309--323. Google ScholarDigital Library
- Peeters, R., Standaert, F.-X., and Quisquater, J.-J. 2007. Power and electromagnetic analysis: Improved model, consequences and comparisons. Integration, VLSI J. Hardware 40, 52--60. Google ScholarDigital Library
- Pelletier, H. and Charvet, X. 2005. Improving the DPA attack using wavelet transform. NIST’s Physical Security Testing Workshop. Website: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper14.pdf.Google Scholar
- Polti, A. 2007. STRATIX -- SH4 prototype PCB for high-performance embedded systems. Website: http://www.enst.fr/~polti/realisations/shix20/.Google Scholar
- Quisquater, J.-J. and Samyde, D. 2001. Electromagnetic analysis (EMA): Measures and counter-measures for smardcards. In Smart Card Programming and Security (E-smart 2001), I. Attali and T. P. Jensen, Eds. Lecture Notes in Computer Science, vol. 1240. Springer-Verlag, 200--210. ISSN 0302-9743. Google ScholarDigital Library
- Rechberger, C. and Oswald, E. 2004. Practical template attacks. In Proceedings of the Workshop on Introspective Architectures. Lecture Notes in Computer Science, vol. 3325. Springer, 443--457.Google Scholar
- Skorobogatov, S. P. 2005. Semi-invasive attacks---A new approach to hardware security analysis. Ph.D. thesis, Cambridge University/Computer Laboratory, Security Group, TAMPER laboratory. Tech. Rep. UCAM-CL-TR-630, ISSN 1476-2986.Google Scholar
- Skorobogatov, S. P. 2006. Optically enhanced position-locked power analysis. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 4249. Springer, 61--75. Google ScholarDigital Library
- Standaert, F.-X., Örs, S. B., and Preneel, B. 2004. Power analysis of an FPGA: Implementation of Rijndael: Is pipelining a DPA countermeasure? In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 3156. Springer-Verlag, 30--44.Google Scholar
- Standaert, F.-X., Peeters, R., Macé, F., and Quisquater, J.-J. 2006. Updates on the security of FPGAs against power analysis attacks. Reconfigurable Computing: Architectures and Applications. Lecture Notes in Computer Science, vol. 3985. Springer-Verlag.Google Scholar
- Standaert, F.-X., Peeters, R., Rouvroy, G., and Quisquater, J.-J. 2006. An Overview of Power Analysis Attacks Against Field Programmable Gate Arrays. Proc. IEEE 94, 2, 383--394.Google ScholarCross Ref
- Wollinger, T., Guajardo, J., and Paar, C. 2004. Security on FPGAs: State-of-the-art implementations and attacks. Trans. Embed. Comput. Syst. 3, 3, 534--574. Google ScholarDigital Library
Index Terms
- Electromagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack on a Cryptographic Module
Recommendations
Security on FPGAs: State-of-the-art implementations and attacks
In the last decade, it has become apparent that embedded systems are integral parts of our every day lives. The wireless nature of many embedded applications as well as their omnipresence has made the need for security and privacy preserving mechanisms ...
Isolated WDDL: A Hiding Countermeasure for Differential Power Analysis on FPGAs
Security protocols are frequently accelerated by implementing the underlying cryptographic functions in reconfigurable hardware. However, unprotected hardware implementations are susceptible to side-channel attacks, and Differential Power Analysis (DPA) ...
Mitigating Electrical-level Attacks towards Secure Multi-Tenant FPGAs in the Cloud
Special Section on Security in FPGAs and Regular ArticlesA rising trend is the use of multi-tenant FPGAs, particularly in cloud environments, where partial access to the hardware is given to multiple third parties. This leads to new types of attacks in FPGAs, which operate not only on the logic level, but ...
Comments