
Evaluating signal processing techniques in side-channel electromagnetic attacks to cryptographic systems

Ricardo Maçãs, INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, ricardo.macas@tecnico.ulisboa.pt
Ricardo Chaves, INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, ricardo.chaves@inesc-id.pt
Gonçalo Tavares, INESC-ID, IST, Universidade de Lisboa, Lisboa, Portugal, goncalo.tavares@tecnico.ulisboa.pt

Abstract—The security of electronic devices is paramount to our information society. Side-channel attacks enable a potential attacker to stealthily compromise the devices by exploiting their emanations, such as the electromagnetic (EM) radiation, resulting from the operation of the device. The objective of this article is to compare different attack methodologies empirically with respect to their signal processing techniques, in particular, trace filtering and a newly-proposed technique named correlation filtering. A methodology of analysis is defined for consistent and repeatable results. Finally, evaluations of the effects of different signal processing techniques were conducted in attacks against a smartcard implementation of the AES cipher, where the correlation filtering technique was found to successfully improve the attack performance in randomized trials.

1. Introduction

The information society is ever more pervasive in our lives: it permeates into all aspects of society, replacing older technology with connected, intelligent devices. More and more devices are made smart, especially the ever more popular Internet of Things (IoT) movement, consisting of existing devices such as door locks that are made intelligent with networking functionality. Even if such devices employ secure algorithms, side-channel attacks may still be able to exploit their physical implementation, by taking advantage of information leaked by the emanations resulting from their operation.

Electronic systems developed in the 21st century use complementary metal-oxide semiconductor transistor cells (CMOS), desirable for producing devices with low idle power consumption. CMOS cells implement a logic gate by having a complementary pull-up and pull-down network that alternate in insulating the path between the power source and the ground, only briefly consuming power during transitions when, momentarily, both networks conduct. At that moment, a small current flows through the circuit, which in turn leads to power consumption and the emanation of electromagnetic (EM) radiation [1]. Naturally, this implies that the emanation is data-dependent. Since the aforementioned physical process leads to both the power consumption and the EM emanation, similar techniques can be used for both, and EM attacks are generally regarded as a particular instance of power attacks [2].

In general, taking into account some model $h$, the leakage signal $L(t)$ can be described as a sum of the contributions of all the gates $g$ in the circuit processing values at instant $t$, affected by some normally-distributed additive noise $N$ [3]:

$$L(t) = \sum_{g} h(g, t) + N(t). \qquad (1)$$

There are several attack techniques that attempt to extract the most information from the available signals, such as Correlation Attacks [4] and Template Attacks [5]. These techniques focus on specific calculations being executed in the target device that enable the attacker to effectively guess the key. However, this means that the signals are affected by intrinsic electronic noise caused by unrelated calculations that are not pertinent to the attack and that ultimately hinder its performance. Then, the usage of signal processing techniques, such as frequency filtering, to facilitate the attack by rejecting unwanted noise sources is a compelling strategy.

A brief description of this document's structure follows. Section 2 presents a brief introduction of the existing attack methods, followed by Section 3, which describes the proposed metrics to evaluate the performance of the attacks. Section 4 addresses the hardware and software used and their setup and configuration. An overview of the findings follows in Section 5. Finally, Future Work is presented in Section 6 and the Conclusions of the authors in Section 7.

2. State of art

A differential power attack proceeds by taking a working hypothesis over a small part of the key and, using the same plaintexts as the physical device, it computes the intermediate calculations of the cipher state. From the intermediate values, it models the expected power consumption for those operations and contrasts them with the observed signals from the physical device. If the differences in the expected
power follow the actual power consumption, there's evidence that the partial key hypothesis is correct.

This process requires several time-aligned recordings of the power consumption, called traces, and the usage of a statistical test to quantify their agreement with the hypotheses. This is called the distinguisher, because it is the metric that allows the attack to distinguish the correct secret from the remaining (rejected) hypotheses.

Correlation attacks

An example of a differential power attack is the Correlation Attack, first introduced by Eric Brier et al. [4]. It uses the aforementioned framework for differential power attacks, where the distinguisher is the estimator of the Pearson correlation coefficient, which will indicate a linear dependency between the power hypotheses for each trace $h_i$ and the power consumption $T_i$ observed at some given time instant $t_0$:

$$r(t_0) = \frac{\sum_{i=1}^{M} (h_i - \bar{h}) \cdot (T_i[t_0] - \bar{T}[t_0])}{\sqrt{\sum_{i=1}^{M} (h_i - \bar{h})^2 \cdot \sum_{i=1}^{M} (T_i[t_0] - \bar{T}[t_0])^2}} \qquad (2)$$

where the means are indicated by a bar.

Depending on the device architecture and the experimental setup, the leakage may correlate inversely with the power model. To maximize the information extracted from the attack, the absolute value of the correlation is used instead, which is highest whether the model is directly or inversely correlated [6].

Should the $t_0$ intermediate value calculation time not be known precisely, the correlation can be calculated for several time samples across the traces and the best (highest) absolute correlation $|r|$ is recorded out of all the time samples and partial keys considered. In a sense, a correlation trace $r[t]$ is created which indicates the correlation over time for a given key.

3. Methodology of evaluation

The uncertainty associated with the signal variability and the statistical tools used means that two attacks using signals captured in identical conditions do not necessarily have the same results. Accordingly, each attack strategy is then tried several times for a total of $N$ partial attacks, on a random sample taken from a pool of traces collected in the same session, and the metrics are presented with their average across attacks to partial keys, $m$, and an error term $e$, the standard error, in the form $m \pm e$.

Differential attacks return a distinguisher score for every candidate partial key tested. If these scores are sorted in increasing order, their position in the candidate list indicates their relative rank amid themselves. As such, every candidate has a score and position pair $(d_i, p_i)$. The pair that corresponds to the correct secret key is denoted by a star, as $(d_\star, p_\star)$.

Success rate (SR). The sample success rate is calculated as a ratio of $N$ partial attacks, run under the same conditions, that determined the correct candidate:

$$\mathrm{SR} = \tilde{P}(p_\star = 1) = \frac{\#\mathrm{Attacks}_{p_\star = 1}}{N}. \qquad (3)$$

Note the success rate is an estimate of the probability $\tilde{P}$ of having the correct value of the subkey as the best candidate [7]. The success rate concept can be generalized to having the correct key in the first $n$ hypotheses (instead of just being the first) by computing the corresponding ratio.

Average correct position. After collecting $N$ partial attacks run under the same conditions, one may estimate what is the mean position of the correct partial key in the candidate list. The expected correct position is then defined as the product of each position $i$, times the probability of the correct subkey occupying such position, or mathematically,

$$E(p_\star) = \sum_{i} i \cdot P(p_\star = i). \qquad (4)$$

Standaert et al. [7] named this metric guessing entropy. The estimator of the expected correct position can be mathematically expressed as the average correct position $\tilde{E}(p_\star)$, computed as

$$\tilde{E}(p_\star) = \frac{\sum_{j}^{N} p_{(\star,j)}}{N}, \qquad (5)$$

where $j$ represents each attack out of $N$ attacks to partial keys.

4. Experimental setup

Correlation attacks were carried out against a smartcard powered by the Atmel AVR ATMega163 micro-controller, programmed with the AES 128-bit cipher. The attack used the SAKURA-W [8] platform to enable the communication between the computer and the smartcard. The platform, and in turn the smartcard placed in it, was powered by a laboratory bench power supply to provide a stable and isolated power source.

In order to avoid capturing the electronic emanations from nearby components, a custom-built smartcard extender was developed at the laboratory that enabled the smartcard to operate outside of the slot with its surface exposed. The smallest magnetic field probe of the Beehive Electronics 100 Series EMC probe set was used to capture the EM signal, amplified by the Beehive Electronics 150A EMC probe amplifier, and digitized by a PicoScope 6404D computer oscilloscope. To enable the time-aligned capture of the traces, a trigger signal function is programmed to the smartcard that switches an auxiliary pin when the ciphering algorithm starts.

In order to find the optimal probe position, a manual systematic analysis of the smartcard's surface was carried out. While performing ciphering operations, the magnetic probe was placed directly on top of the chip area and the
different signals that could be found along the surface were identified, along with their positions. Several sample attacks were carried out for the signals captured at each of these positions, and the final position chosen for the probe was the one that completed the attacks with the least amount of traces.

Figure 1. Diagram of the smartcard extender. A smartcard was placed in the extended slot, and the cutout reveals the surface under which the microprocessor resides, exposed for probe access.

The correlation attack was chosen to perform the side-channel attacks to the AES 128-bit cipher, using a Hamming weight model. The intermediate calculation targeted is the result of the SBOX operation in the first round. Each byte of the result is the sum (XOR) of a key byte and plaintext byte, transformed by the SBOX. Since every byte is independent, targeting each of the 16 bytes individually is the simplest way to effectively divide the partial keys.

5. Results

A pool of 5 500 EM traces was continuously acquired in a single session with a sampling rate of 1.25 GHz. The probe was placed at the position previously determined as optimal, and the plaintext input to the smartcard was randomly generated and subsequently saved along with the corresponding captured traces.

From this pool, a fixed number of traces was randomly drawn by the computer to carry out each trial of the correlation attack. In total, 50 trials were completed in order to characterize the performance of the attack when constrained to that number of traces, using the proposed metrics. This corresponds to 16 · 50 = 800 attacks to every partial key. The process was then repeated for other sizes of the attacked trace set, in order to evaluate the progression of the attack performance as the set of traces increases. This serves as the baseline for contrasting with any improvement from additional signal processing or changes in the experimental setup, as laid in Table 1.

TABLE 1. Extract of the baseline results in electromagnetic correlation attacks to the first round of AES, for 50 trials

| Number of traces | SR | $E(p_\star)$ |
|---|---|---|
| 800 traces | 0.08 ± 0.01 | 91.45 ± 2.67 |
| 1 500 traces | 0.25 ± 0.02 | 28.11 ± 1.57 |
| 2 000 traces | 0.57 ± 0.02 | 8.36 ± 0.75 |
| 3 000 traces | 0.92 ± 0.01 | 1.26 ± 0.06 |
| 5 000 traces | 1.00 ± 0.00 | 1.00 ± 0.00 |

In particular, the correlation filtering technique was tested. It is based on the observation that, for high sampling rates, the instant when the targeted intermediate calculation is executed spans a significant number of time samples. Often, the correlation may spuriously peak in a time sample for a wrong key, due to noise, leading to an incorrect result. By low-pass filtering the correlation trace $|r(t)|$ for each partial key candidate, the correlations of the neighbouring time samples are taken into account to remove spurious correlation peaks. In essence, instead of selecting specific points of interest in time, the correlation filtering technique exploits time redundancy of points with similar information, in order to exclude wrong candidates.

The attacker can determine the optimal cut-off frequency for this filter using a clone device in their possession, by processing the correlation traces with decreasing cut-off frequencies until they no longer improve the result. A subjective visual evaluation of the filtered correlation trace may suffice to determine a non-optimal cut-off frequency.

For this experiment, the filters were generated using MATLAB's fir1 function, with a Hamming window and 2400 taps. The average out of the 50 trials was taken for the position of the correct partial key, illustrated in Figure 2. The optimal −6 dB cut-off frequency was determined to be 16.25 MHz, corresponding to the minimum of the average correct position.

Figure 2. Determination of optimal low pass cut-off frequency via minima of the average correct position metric.

To evaluate the additional performance gained by applying this technique, the same process was applied as described previously for the baseline. Several trials were conducted, constrained to increasing number of traces. Figure 3 shows the comparison between the success rate curves of the baseline and the correlation filtered attack. The technique displays a consistent improvement in the success rate when controlling for number of traces, and converges in approximately half the number of traces to a unitary success rate.

The technique presented consists in filtering after the correlation is calculated, but one may ask if simply filtering the original traces leads to the same results. In fact, this hypothesis was tested by following an identical procedure as described before, and the optimal cut-off frequency for conventional trace filtering was determined to be 15.625 MHz, which is very similar to the one determined for correlation filtering. Table 2 shows the metrics for 800 traces, where it is clear that correlation filtering improves the results over trace filtering with an additional 0.02 increase in success rate and an improved average position with smaller standard error, indicating additional consistency.

Figure 3. Success rate curves for the baseline attack and the attack with correlation filtering.

TABLE 2. Comparison of electromagnetic attacks results using different signal processing techniques.

| Experiment | SR (% improv.) | $E(p_\star)$ (% improv.) |
|---|---|---|
| 800 traces, Baseline | 0.08 ± 0.01 | 91.45 ± 2.67 |
| 800 traces, Traces Filtered, $f_c$ (−6 dB): 15.625 MHz | 0.86 ± 0.01 (975.0%) | 1.74 ± 0.12 (98.1%) |
| 800 traces, Correlation Filtered, $f_c$ (−6 dB): 16.25 MHz | 0.88 ± 0.01 (1000.0%) | 1.34 ± 0.05 (98.5%) |

6. Future work

In the setup used, the probe position was derived using a manual systematic scan of the surface of the smartcard; however, an automated scan with computer-assisted positioning would enable an attacker to profile the locations of the smartcard where the leakage is optimal. The usage of novel magnetic imaging sensors (to acquire emanations of multiple locations simultaneously), signal processing techniques (to isolate the signal of interest while reducing noise) and multi-channel attacks, is an interesting avenue of exploration to improve the existing results for side-channel attacks.

7. Conclusion

In summary, the proposed evaluation methodology successfully allowed the direct comparison of different attacks using a detailed framework. In general, applying signal processing techniques to electromagnetic attacks leads to significant improvements characterized by faster convergence in the correct candidate and better success rates. This work introduced the correlation filtering technique, which was shown to improve the success of the electromagnetic attacks for all metrics tested by exploiting the time redundancy of high-sampling rate acquisition after calculation of the correlation.

Acknowledgments

The authors would like to thank the laboratory colleague Ruben Afonso for assisting with the design and construction of the smartcard extender. This work was supported by national funds through Fundação para a Ciência e a Tecnologia (FCT) with reference UID/CEC/50021/2013.

References

[1] F.-X. Standaert, "Introduction to side-channel attacks," in Secure Integrated Circuits and Systems. Springer, 2010, pp. 27–42.
[2] J. R. Rao and P. Rohatgi, "Empowering side-channel attacks," Cryptology ePrint Archive, Report 2001/037, 2001. [Online]. Available: http://eprint.iacr.org/2001/037
[3] M. Aigner and E. Oswald, "Power analysis tutorial," Institute for Applied Information Processing and Communication, Graz, Austria, Tech. Rep., 2000.
[4] E. Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with a Leakage Model. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 16–29.
[5] S. Chari, J. R. Rao, and P. Rohatgi, "Template attacks," in Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, ser. CHES '02. London, UK: Springer-Verlag, 2003, pp. 13–28. [Online]. Available: http://dl.acm.org/citation.cfm?id=648255.752740
[6] S. Mangard, E. Oswald, and T. Popp, Power analysis attacks: Revealing the secrets of smart cards. Springer Science & Business Media, 2008, vol. 31.
[7] F.-X. Standaert, T. Malkin, and M. Yung, "A unified framework for the analysis of side-channel key recovery attacks," in Eurocrypt, vol. 5479. Springer, 2009, pp. 443–461.
[8] M. Matsubayashi and A. Satoh, "Side-channel Attack user reference architecture board SAKURA-W for security evaluation of IC card," in 2015 IEEE 4th Global Conference on Consumer Electronics (GCCE), 2015, pp. 565–569.
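
Added example for Section 2 (not code from the paper or its authors): the correlation distinguisher with a Hamming weight model of the first-round SBOX output, run on constructed, simulated traces so the number of traces needed at a given noise level can be checked offline. All function names, the noise level and the trace layout are assumptions made for this illustration.

```python
import random

def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    def gmul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
            b >>= 1
        return r
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):  # XOR with the four left rotations of inv
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight model

def pearson(h, t):
    """Sample Pearson correlation between hypotheses h and measured samples t."""
    mh, mt = sum(h) / len(h), sum(t) / len(t)
    num = sum((a - mh) * (b - mt) for a, b in zip(h, t))
    den = (sum((a - mh) ** 2 for a in h) * sum((b - mt) ** 2 for b in t)) ** 0.5
    return num / den if den else 0.0

def distinguisher_scores(plaintexts, traces):
    """For each of the 256 key-byte guesses, the highest |r[t]| over all time samples."""
    columns = list(zip(*traces))  # one tuple of M measurements per time sample
    scores = []
    for guess in range(256):
        h = [HW[SBOX[p ^ guess]] for p in plaintexts]
        scores.append(max(abs(pearson(h, col)) for col in columns))
    return scores

def simulate(key_byte, n_traces, n_samples=8, leak_at=5, noise=2.0, seed=1):
    """Constructed traces: Gaussian noise, plus HW(SBOX[p ^ key]) at one sample."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in plaintexts:
        row = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        row[leak_at] += HW[SBOX[p ^ key_byte]]
        traces.append(row)
    return plaintexts, traces

def position_of(key_byte, scores):
    """1-based position of key_byte when guesses are ranked by score."""
    return 1 + sum(s > scores[key_byte] for s in scores)
```

Raising `noise` or lowering `n_traces` in `simulate` moves the correct byte down the ranking, which is the effect the metrics of Section 3 quantify.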
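
Added example for Sections 3 and 5 (not code from the paper or its authors): correlation filtering applied to per-candidate correlation traces, scored with the success rate and average correct position in the m ± e form. The data is constructed (a wide bump for the correct candidate, one isolated spike for each wrong one), the filter is a Hamming-windowed sinc design standing in for the fir1 filter, and the 21 taps, 0.1 cut-off and all function names are assumptions.

```python
import math, random, statistics

def fir_lowpass(num_taps, cutoff):
    """Hamming-windowed sinc low-pass; cutoff is a fraction of Nyquist, DC gain is 1."""
    mid = (num_taps - 1) / 2
    taps = []
    for n in range(num_taps):
        x = n - mid
        ideal = cutoff if x == 0 else math.sin(math.pi * cutoff * x) / (math.pi * x)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / (num_taps - 1))))
    gain = sum(taps)
    return [t / gain for t in taps]

def filter_same(signal, taps):
    """Zero-padded FIR filtering that keeps the input length (odd tap count)."""
    half = len(taps) // 2
    padded = [0.0] * half + list(signal) + [0.0] * half
    return [sum(c * s for c, s in zip(taps, padded[i:i + len(taps)]))
            for i in range(len(signal))]

def position(correct, corr_traces, taps=None):
    """1-based position of the correct candidate, scored by max |r[t]| (filtered if taps)."""
    mags = ([abs(v) for v in r] for r in corr_traces)
    scores = [max(filter_same(m, taps) if taps else m) for m in mags]
    return 1 + sum(s > scores[correct] for s in scores)

def metrics(positions):
    """((SR, std. error), (average correct position, std. error)) over N partial attacks."""
    n = len(positions)
    hits = [1.0 if p == 1 else 0.0 for p in positions]
    se = lambda xs: statistics.stdev(xs) / math.sqrt(n)
    return (sum(hits) / n, se(hits)), (sum(positions) / n, se(positions))

def constructed_trial(rng, correct, n_cand=64, length=120):
    """Constructed data: noise floor, a wide bump for the correct key, one spike for others."""
    traces = [[rng.gauss(0.0, 0.02) for _ in range(length)] for _ in range(n_cand)]
    for c, r in enumerate(traces):
        if c == correct:
            r[40:80] = [v + 0.20 for v in r[40:80]]   # leak spans many samples
        else:
            r[rng.randrange(length)] += rng.uniform(0.10, 0.35)  # spurious peak
    return traces

def compare(trials=10, seed=7, num_taps=21, cutoff=0.1, n_cand=64):
    """Metrics of the unfiltered and the correlation-filtered ranking on the same data."""
    rng = random.Random(seed)
    taps = fir_lowpass(num_taps, cutoff)
    base, filt = [], []
    for _ in range(trials):
        correct = rng.randrange(n_cand)
        data = constructed_trial(rng, correct, n_cand)
        base.append(position(correct, data))
        filt.append(position(correct, data, taps))
    return metrics(base), metrics(filt)
```

Calling `compare` with a range of `cutoff` values and keeping the one with the lowest average correct position reproduces the cut-off selection procedure described in Section 5.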