Optically Enhanced Position-Locked Power Analysis

  • Sergei Skorobogatov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4249)


This paper introduces a refinement of the power-analysis attack on integrated circuits. By using a laser to illuminate a specific area on the chip surface, the current through an individual transistor can be made visible in the circuit’s power trace. The photovoltaic effect converts light into a current that flows through a closed transistor. This way, the contribution of a single transistor to the overall supply current can be modulated by light. Compared to normal power-analysis attacks, the semi-invasive position-locking technique presented here gives attackers access not only to Hamming weights but also to individual bits of processed data. This technique is demonstrated on the SRAM array of a PIC16F84 microcontroller and reveals both which memory locations are being accessed and their contents.


side-channel attacks, power analysis, semi-invasive attacks, optical probing



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sergei Skorobogatov, Computer Laboratory, University of Cambridge, Cambridge, United Kingdom
