Skip to main content

Attacking at Non-harmonic Frequencies in Screaming-Channel Attacks

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2023)


Screaming-channel attacks enable Electromagnetic (EM) Side-Channel Attacks (SCAs) at larger distances due to higher EM leakage energies than traditional SCAs, relaxing the requirement of close access to the victim. This attack can be mounted on devices integrating Radio Frequency (RF) modules on the same die as digital circuits, where the RF can unintentionally capture, modulate, amplify, and transmit the leakage along with legitimate signals. Leakage results from digital switching activity, so previous works hypothesized that this leakage would appear at multiples of the digital clock frequency, i.e., harmonics.

This work demonstrates that compromising signals appear not only at the harmonics and that leakage at non-harmonics can be exploited for successful attacks. Indeed, the transformations undergone by the leaked signal are complex due to propagation effects through the substrate and power and ground planes, so the leakage also appears at other frequencies. We first propose two methodologies to locate frequencies that contain leakage and demonstrate that it appears at non-harmonic frequencies. Then, our experimental results show that screaming-channel attacks at non-harmonic frequencies can be as successful as at harmonics when retrieving a 16-byte AES key. As the RF spectrum is polluted by interfering signals, we run experiments and show successful attacks in a more realistic, noisy environment where harmonic frequencies are contaminated by multi-path fading and interference. These attacks at non-harmonic frequencies increase the attack surface by providing attackers with more potential frequencies where attacks can succeed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

  2. 2.

  3. 3.

    Frequency-hopping is the repeated switching of the carrier frequency during radio transmission to reduce interference and avoid interception. In the case of Bluetooth transmissions, switching occurs among 81 channels, from 2.4 GHz to 2.48 GHz with 1 MHz wide bands.

  4. 4.

    A raw trace corresponds to the collected signal, sampled and quantized by the SDR.

  5. 5.

    This score means that there is information leakage with confidence \(>0.99999\) [11, 14, 25].

  6. 6.

    50 is the minimal number usually considered by the side-channel community for statistically meaningful results.


  1. Adamczyk, B.: Foundations of Electromagnetic Compatibility: With Practical Applications. Wiley, Hoboken (2017)

    Book  Google Scholar 

  2. Afzali-Kusha, A., Nagata, M., Verghese, N.K., Allstot, D.J.: Substrate noise coupling in SoC design: modeling, avoidance, and validation. Proc. IEEE 94(12), 2109–2138 (2006)

    Article  Google Scholar 

  3. Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side—Channel(s). In: Kaliski, B.S., Koç, ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2002. CHES 2022, LNCS, vol. 252, pp. 29–45. Springer, Heidelberg (2003).

  4. Agrawal, D., Rao, J.R., Rohatgi, P.: Multi-channel attacks. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 2–16. Springer, Heidelberg (2003).

    Chapter  Google Scholar 

  5. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004).

    Chapter  Google Scholar 

  6. Camurati, G., Francillon, A., Standaert, F.X.: Understanding screaming channels: from a detailed analysis to improved attacks. IACR Trans. Cryptograph. Hardware Embed. Syst. 358–401 (2020)

    Google Scholar 

  7. Camurati, G., Poeplau, S., Muench, M., Hayes, T., Francillon, A.: Screaming channels: when electromagnetic side channels meet radio transceivers. In: ACM Conference on Computer and Communications Security, pp. 163–177 (2018)

    Google Scholar 

  8. Chari, S., Rao, J.R., Rohatgi, P.: Template Attacks. In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003).

    Chapter  Google Scholar 

  9. Choi, J., Yang, H.Y., Cho, D.H.: TEMPEST comeback: a realistic audio eavesdropping threat on mixed-signal SoCs. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (2020)

    Google Scholar 

  10. Dessouky, G., Sadeghi, A.R., Zeitouni, S.: SoK: secure FPGA multi-tenancy in the cloud: challenges and opportunities. In: IEEE EuroS &P, pp. 487–506 (2021)

    Google Scholar 

  11. Durvaux, F., Standaert, F.X.: From improved leakage detection to the detection of points of interests in leakage traces. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 240–262. Springer, Heidelberg (2016).

    Chapter  Google Scholar 

  12. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001).

    Chapter  Google Scholar 

  13. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis: a generic side-channel distinguisher. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008).

    Chapter  Google Scholar 

  14. Gilbert Goodwill, B.J., Jaffe, J., Rohatgi, P.: A testing methodology for side-channel resistance validation. In: NIST Non-Invasive Attack Testing Workshop, vol. 7, pp. 115–136 (2011)

    Google Scholar 

  15. Guillaume, J., Pelcat, M., Nafkha, A., Salvador, R.: Virtual triggering: a technique to segment cryptographic processes in side-channel traces. In: 2022 IEEE Workshop on Signal Processing Systems (SiPS), pp. 1–6. IEEE (2022)

    Google Scholar 

  16. Kocher, P., Ja, J.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).

    Chapter  Google Scholar 

  17. Le, J., Hanken, C., Held, M., Hagedorn, M.S., Mayaram, K., Fiez, T.S.: Experimental characterization and analysis of an asynchronous approach for reduction of substrate noise in digital circuitry. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 20(2), 344–356 (2011)

    Google Scholar 

  18. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer, New York (2008).

    Book  Google Scholar 

  19. Masure, L., Dumas, C., Prouff, E.: A comprehensive study of deep learning for side-channel analysis. IACR Trans. Cryptograph. Hardware Embed. Syst. 3488–375 (2019)

    Google Scholar 

  20. Mohamed, C., Barelaud, B., Ngoya, E.: Physical analysis of substrate noise coupling in mixed circuits in SoC technology. In: The 5th European Microwave Integrated Circuits Conference, pp. 274–277. IEEE (2010)

    Google Scholar 

  21. Noulis, T., Baumgartner, P.: CMOS substrate coupling modeling and analysis flow for submicron SoC design. Analog Integr. Circ. Sig. Process 90, 477–485 (2017)

    Article  Google Scholar 

  22. Poussier, R., Standaert, F.X., Grosso, V.: Simple key enumeration (and rank estimation) using histograms: an integrated approach. In: Gierlichs, B., Poschmann, A. (eds.) CHES 2016. LNCS, vol. 9813, pp. 61–81. Springer, Heidelberg (2016).

    Chapter  Google Scholar 

  23. Rhee, W., Jenkins, K.A., Liobe, J., Ainspan, H.: Experimental analysis of substrate noise effect on PLL performance. IEEE Trans. Circ. Syst. II Express Briefs 55(7), 638–642 (2008)

    Google Scholar 

  24. Schellenberg, F., Gnad, D.R.E., Moradi, A., Tahoori, M.B.: An inside job: remote power analysis attacks on FPGAs. In: 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE), p. 6 (2018)

    Google Scholar 

  25. Schneider, T., Moradi, A.: Leakage assessment methodology: extended version. J. Cryptogr. Eng. 6, 85–99 (2016)

    Article  Google Scholar 

  26. Standaert, F.X.: Introduction to side-channel attacks. Secure Integr. Circ. Syst. 27–42 (2010)

    Google Scholar 

  27. Wang, R., Wang, H., Dubrova, E.: Far field EM side-channel attack on AES using deep learning. In: 4th ACM Workshop on Attacks and Solutions in Hardware Security, pp. 35–44 (2020)

    Google Scholar 

Download references


We want to acknowledge the reviewers of the current and previous versions of this paper, as well as Dr. Maria Méndez Real and Dr. Dennis Gnad for their constructive feedback.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Jeremy Guillaume .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Guillaume, J., Pelcat, M., Nafkha, A., Salvador, R. (2024). Attacking at Non-harmonic Frequencies in Screaming-Channel Attacks. In: Bhasin, S., Roche, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2023. Lecture Notes in Computer Science, vol 14530. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54408-8

  • Online ISBN: 978-3-031-54409-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics