Simple Photonic Emission Analysis of AES

Photonic Side Channel Analysis for the Rest of Us
  • Alexander Schlösser
  • Dmitry Nedospasov
  • Juliane Krämer
  • Susanna Orlic
  • Jean-Pierre Seifert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7428)

Abstract

This work presents a novel low-cost optoelectronic setup for time- and spatially resolved analysis of photonic emissions and a corresponding methodology, Simple Photonic Emission Analysis (SPEA). Observing the backside of ICs, the system captures extremely weak photoemissions from switching transistors and relates them to the program running in the chip. SPEA utilizes both spatial and temporal information about these emissions to perform side channel analysis of ICs. We successfully performed SPEA of a proof-of-concept AES implementation and were able to recover the full AES secret key by monitoring accesses to the S-Box. This attack directly exploits the side channel leakage of a single transistor and requires no additional data processing. The system costs and the necessary time for an attack are comparable to power analysis techniques. The presented approach significantly reduces the amount of effort required to perform attacks based on photonic emission analysis and allows AES key recovery in a relevant amount of time.

Keywords

Photonic side channel, emission analysis, optical, temporal analysis, spatial analysis, AES, full key recovery

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Alexander Schlösser (1)
  • Dmitry Nedospasov (2)
  • Juliane Krämer (2)
  • Susanna Orlic (1)
  • Jean-Pierre Seifert (2)
  1. Optical Technologies, Technische Universität Berlin, Germany
  2. Security in Telecommunications, Technische Universität Berlin, Germany
