Electromagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack on a Cryptographic Module

Since the first announcement of a Side Channel Analysis (SCA) about ten years ago, considerable research has been devoted to studying these attacks on Application Specific Integrated Circuits (ASICs), such as smart cards or TPMs. In this article, we compare power-line attacks with ElectroMagnetic (EM) attacks, specifically targeting Field Programmable Gate Array devices (FPGAs), as they are becoming widely used for sensitive applications involving cryptography. We show experimentally that ElectroMagnetic Analysis (EMA) is always faster than the historical Differential Power Analysis (DPA) in retrieving keys of symmetric ciphers. In addition, these analyses prove to be very convenient to conduct, as they are totally non-invasive. Research reports indicate that EMA can be conducted globally, typically with macroscopic home-made coils circling the device under attack, with fair results. However, as accurate professional EM antennas are now becoming more accessible, it has become commonplace to carry out EM analyses locally. Cartography has been carried out by optical means on circuits realized with technology greater than 250 nanometers. Nonetheless, for deep submicron technologies, the feature size of devices that are spied upon is too small to be visible with photographic techniques. In addition, the presence of the 6+ metallization layers obviously prevents a direct observation of the layout. Therefore, EM imaging is emerging as a relevant means to discover the underlying device structure. In this article, we present the first images of deep-submicron FPGAs. The resolution is not as accurate as photographic pictures: we notably compare the layout of toy design examples placed at the four corners of the FPGAs with the EM images we collected. We observe that EM imaging has the advantage of revealing active regions, which can be useful in locating a particular processor (visible while active---invisible when inactive). In the context of EM attacks, we stress that the exact localization of the cryptographic target is not necessary: the coarse resolution we obtain is sufficient. We note that the EM imaging does not reveal the exact layout of the FPGA, but instead directly guides the attacker towards the areas which are leaking the most. We achieve attacks with an accurate sensor, both far from (namely on a SMC capacitor on the board) and close to (namely directly over the FPGA) the encryption co-processor. As compared to the previously published attacks, we report a successful attack on a DES module in fewer than 6,300 measurements, which is currently the best cracking performance against this encryption algorithm implemented in FPGAs.

[1]  Sergei P. Skorobogatov Optically Enhanced Position-Locked Power Analysis , 2006, CHES.

[2]  Christof Paar,et al.  Security on FPGAs: State-of-the-art implementations and attacks , 2004, TECS.

[3]  Sylvain Guilley,et al.  Differential Power Analysis Model and Some Results , 2004, CARDIS.

[4]  Thomas S. Messerges,et al.  Investigations of Power Analysis Attacks on Smartcards , 1999, Smartcard.

[5]  Eric Peeters,et al.  Updates on the Security of FPGAs Against Power Analysis Attacks , 2006, ARC.

[6]  Jean-Louis Lacoume,et al.  A Proposition for Correlation Power Analysis Enhancement , 2006, CHES.

[7]  Ralph Howard,et al.  Data encryption standard , 1987 .

[8]  Sylvain Guilley,et al.  Silicon-level Solutions to Counteract Passive and Active Attacks , 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[9]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[10]  Dakshi Agrawal,et al.  The EM Side-Channel(s) , 2002, CHES.

[11]  Dakshi Agrawal,et al.  Multi-channel Attacks , 2003, CHES.

[12]  Bart Preneel,et al.  Power Analysis of an FPGA: Implementation of Rijndael: Is Pipelining a DPA Countermeasure? , 2004, CHES.

[13]  Sylvain Guilley,et al.  Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs , 2008, 2008 Second International Conference on Secure System Integration and Reliability Improvement.

[14]  Peter K. Pearson,et al.  IPA: A New Class of Power Attacks , 1999, CHES.

[15]  Jean-Louis Lacoume,et al.  Efficient Solution for Misalignment of Signal in Side Channel Analysis , 2007, 2007 IEEE International Conference on Acoustics, Speech and Signal Processing - ICASSP '07.

[16]  Xavier Charvet,et al.  Improving the DPA attack using Wavelet transform ∗ , 2005 .

[17]  Sergei Skorobogatov,et al.  Semi-invasive attacks: a new approach to hardware security analysis , 2005 .

[18]  B. Preneel,et al.  Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem , 2005, EUROCON 2005 - The International Conference on "Computer as a Tool".

[19]  Elisabeth Oswald,et al.  Practical Template Attacks , 2004, WISA.

[20]  Hervé Chabanne,et al.  Generalizing square attack using side-channels of an AES implementation on an FPGA , 2005, International Conference on Field Programmable Logic and Applications, 2005..

[21]  Akashi Satoh,et al.  High-Resolution Side-Channel Attack Using Phase-Based Waveform Matching , 2006, CHES.

[22]  Sylvain Guilley,et al.  A fast pipelined multi-mode DES architecture operating in IP representation , 2007, Integr..

[23]  FRANÇOIS-XAVIER STANDAERT,et al.  An Overview of Power Analysis Attacks Against Field Programmable Gate Arrays , 2006, Proceedings of the IEEE.

[24]  Eric Peeters,et al.  Improved Higher-Order Side-Channel Attacks with FPGA Experiments , 2005, CHES.

[25]  Jean-Jacques Quisquater,et al.  ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards , 2001, E-smart.

[26]  Christophe Clavier,et al.  Differential Power Analysis in the Presence of Hardware Countermeasures , 2000, CHES.

[27]  Christof Paar,et al.  Physical Cryptanalysis of KeeLoq Code Hopping Applications , 2008, IACR Cryptol. ePrint Arch..

[28]  Bart Preneel,et al.  Power-Analysis Attacks on an FPGA - First Experimental Results , 2003, CHES.

[29]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[30]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[31]  Eric Peeters,et al.  Power and electromagnetic analysis: Improved model, consequences and comparisons , 2007, Integr..

[32]  Eric Peeters,et al.  Template Attacks in Principal Subspaces , 2006, CHES.

[33]  Einar Snekkenes,et al.  A Wireless Covert Channel on Smart Cards (Short Paper) , 2006, ICICS.

[34]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[35]  Huiyun Li,et al.  A security evaluation methodology for smart cards against electromagnetic analysis , 2005, Proceedings 39th Annual 2005 International Carnahan Conference on Security Technology.

[36]  Saar Drimer,et al.  Volatile FPGA design security { a survey , 2008 .