STOCKHOLM, SWEDEN 2020
Far Field
Electromagnetic Side
Channel Analysis of
AES
KTH Thesis Report
Zihao Zhao
Zihao Zhao <zihaoz@kth.se>
Electrical Engineering and Computer Science KTH Royal Institute of Technology
Place for Project
Stockholm, Sweden
KTH Royal Institute of Technology
Examiner
Prof. Elena Dubrova Department of Electronics
KTH Royal Institute of Technology
Supervisor
Huanyu Wang
Department of Electronics
Side-Channel Attacks (SCAs) have become a realistic threat to implementations of cryptographic algorithms. By utilizing the unintentionally leaked side-channel information during the execution of a cryptographic algorithm, it is possible to bypass the theoretical strength of the algorithm and extract its secret key. Recently, far-field electromagnetic (EM) emissions have been used in SCAs to extract keys from mixed-signal chips used in wireless communication protocols (such as Bluetooth). In such type of chips, the EM leakage is mixed with radio carrier and accidentally amplified by the antenna. Attacks exploiting such far-field EM side-channels may succeed over a much longer distance than the attacks based on near-field EM side-channels. Therefore, it is necessary to further investigate far-field EM side channels.
In this thesis, we perform far-field EM side-channel attacks using two techniques: correlation and template analysis. We analyse an Arm Cortex-M4 microprocessor implementation of Advanced Encryption Standard (AES)-128 with a Bluetooth module on different distances up to 50cm. We first evaluate how the inter-chip diversity and the distance can affect the attack efficiency of template analysis. Our current results show that a template constructed using traces from one device captured at distance d can recover the secret key from 4,000 traces from the d device captured at the same distance d. However, if the distance is changed, or if traces are captured from different devices, the attack fails. This shows that it is not sufficient to build a template based on traces captured from a single device at a fixed distance. In addition, we present a pre-processing technique for allocating leakage points, which can significantly improve the attack efficiency of correlation analysis.
Keywords
Side channel attacks har blivit ett realistiskt hot mot implementering av kryptografiska algoritmer. Genom att använda den oavsiktligt läckta sidokanalinformationen under exekveringen av en kryptografisk algoritm är det möjligt att kringgå algoritmens teoretiska styrka och extrahera dess hemliga nyckel. Nyligen har EM-utsläpp från fältfält använts i SCAsför att extrahera nycklar från blandade signalchips som används i trådlösa kommunikationsprotokoll (t.ex. Bluetooth). I en sådan typ av chips blandas EM-läckan med radiobäraren och förstärks av misstag av antennen. Attacker som utnyttjar sådana långtgående EM-sidokanaler kan lyckas på mycket längre avstånd än attackerna baserade på EM-sidokanaler nära fältet. Därför är det nödvändigt att ytterligare undersöka EM-sidokanalanalyser från fältet. I denna avhandling utför vi EM-sidokanalanalys med fältfält med två tekniker: korrelationsanalys och mallanalys. Vi analyserar en Arm Cortex-M4-mikroprocessorimplementering av AES med en Bluetooth-modul inbäddad på kortet på olika avstånd upp till 50 cm från den mottagande antennen. Vi utvärderar först hur mångfalden mellan chip och avståndet kan påverka attackeffektiviteten för mallanalys. Våra nuvarande resultat visar att en mall konstruerad med spår från en enhet fångad på avstånd d från den mottagande antennen kan återställa den hemliga nyckeln från 4K spår från samma enhet som fångats på samma avstånd d från den mottagande antennen. Om avståndet ändras eller om spår från en annan enhet analyseras misslyckas dock attacken. Detta visar att det inte är tillräckligt att bygga en mall baserad på spår från en enda enhet fångad på ett fast avstånd från den mottagande antennen. Dessutom presenterar vi en förbehandlingsteknik för allokering av läckagepunkter i spåren och visar att den kan förbättra attackeffektiviteten för korrelationsanalysen betydligt.
Nyckelord
I have learned a lot from my last two years of master’s study at KTH Royal Institute of Technology. It is a great pleasure to learn from or even cooperate with those lovely and inspiring professors, students, and staff in the Department of the Embedded system. Their knowledge and ideas have enlightened me a lot, especially my examiner Prof. Elena Dubrova and supervisor Huanyu Wang. Along the way, we are always keeping in close touch and having interesting discussions. Without their help, it would be impossible for me to finish my thesis work.
Studying abroad will never be easy emotionally. I appreciate that my parents and girlfriend have always stood behind my back. Their support and understanding would always help me go through some dark moments.
This is an end but also a brand new start for me. I will keep on going with all the lessons learned. Hope everyone lives a wonderful life.
1 Introduction
1
1.1 Research Objectives. . . 2
1.2 Contribution. . . 2
1.3 Outline . . . 2
2 Theoretical Background
3
2.1 Advanced Encryption Standard . . . 32.2 Side Channel Analysis. . . 7
2.2.1 Correlation Analysis . . . 7
2.2.2 Template Analysis . . . 8
2.3 EM Side-Channels Emissions . . . 10
2.3.1 EM emissions characteristics . . . 11
2.3.2 Determination of central frequency . . . 11
3 Related Work
13
4 Method
15
4.0.1 Assumptions and limitations . . . 154.0.2 Hypothesis . . . 16
4.1 Hardware Setup . . . 16
4.1.1 nRF52 DK . . . 16
4.1.2 Vertical Flat Panel Antenna . . . 17
4.1.3 USRP N210 . . . 18
4.1.4 Receiver Antenna . . . 19
4.1.5 Amplifier and Powerbox . . . 20
4.1.6 Experimental Setup . . . 20
4.2.1 Drop Start . . . 21
4.2.2 Positioning . . . 22
4.2.3 Trace Cutting . . . 22
4.2.4 Align and Average . . . 23
4.3 Correlation EM Attack Setup . . . 23
4.4 Template EM Attack Setup . . . 25
4.5 Evaluation Methods . . . 25
5 Results
26
5.1 Correlation Analysis Results . . . 275.1.1 Experiment I . . . 27
5.1.2 Experiment II . . . 29
5.2 Template Analysis Results . . . 31
5.2.1 Experiment III . . . 31 5.2.2 Experiment IV . . . 32 5.2.3 Experiment V . . . 33 5.2.4 Experiment VI . . . 34
6 Conclusions
36
6.1 Countermeasures . . . 366.1.1 Countermeasures at the chip level . . . 37
6.1.2 Countermeasures at the algorithmic level . . . 37
6.1.3 Countermeasures at the physical level . . . 38
6.2 Future Work . . . 38
Introduction
Cryptography is widely used in the information and communication field to ensure the security of electronic data. Usually, the mathematical properties of the cryptographic algorithms determine and ensure the strength of security. However, by utilizing the unintentionally leaked side-channel information during the execution of a cryptographic algorithm, it is possible to bypass the theoretical strength of the algorithm and extract its secret key. Attacks based on that side-channel information are called Side-Channel Attacks (SCAs).
SCAs are one of the realistic threats against the implementation of cryptographic algorithms. According to the available leakage information, there are different kinds of SCAs. For example, SCA based on the power consumption [17], execution time [16], acoustic information [33], cache information [15] [27], and electromagnetic radiation [31], etc. Many widely used algorithms, such as Advanced Encryption Standard (AES) have been broken by SCAs.
In this thesis, we investigate SCAs against AES embedded on an off-the-shelf BlueTooth device in a real office environment. The efficiency of SCAs affected by device diversity and distances are the main study field. Besides, we focus on the far-field EM analysis in our experiments. Rather than deploying SCAs based on side-channel information such as power consumption or execution time, the far-field electromagnetic based attacks can be applied from a distance. Without physically getting access to the device, it is easier to demonstrate a more effective attack in a realistic scenario.
1.1
Research Objectives
[7] presented the first template attack on AES-128 using far-field EM emission, called screaming channels. Compared to the traditional EM emission, the screaming channel takes advantage of the coupling effect of the digital and analog circuits on mixed-signal chips. They also successfully achieved full key recovery from 10 meters with 428 traces in an anechoic chamber. However, they used traces captured from the same device at the same distance for both establishing template and attacking. 3 presents a further explanation.
1.2
Contribution
In this thesis, we go steps further to evaluate how the different devices and different distances can affect the attack efficiency of correlation and template attack.
We build a template on EM traces captured at a fixed distance from one device and use the template to attack traces captured from different devices or at different distances. Our results show that the template attack is sensitive to distance and chip diversity. Besides, we present a pre-processing technique for allocating leakage points in the traces and showing that it can significantly improve the efficiency of correlation analysis.
1.3
Outline
This thesis is organized as follows. Chapter 1 and 2 review the introduction and background respectively. Chapter 3 introduces the related work. Chapter 4 describes our hardware setup and implementation of the correlation and template attacks. Chapter 5 presents our experimental results, and Chapter 6 concludes this paper.
Theoretical Background
In this chapter, we introduce the background of AES and two widely used side-channel attacks: template attack and correlation attack. And we present how EM emissions are generated and leaked on the mix-signal chips.
2.1
Advanced Encryption Standard
The Advanced Encryption Standard (AES) is an electronic data cryptographic algorithm proposed by the U.S. National Institute of Standards and Technology (NIST) in 2001 [1]. Because of the outstanding properties, it soon replaced its predecessor, the Data Encryption Standard (DES) [10].
AES is a block cipher in the Rijndael cipher family [9] with fixed block size. The key length of AES can be 128, 192, and 256 bits for AES-128, AES-192, and AES-256 respectively. Also, as a symmetric-key algorithm, AES uses the same key for both data encryption and decryption.
In this thesis, AES-128 was chosen as the cryptographic algorithm. Based on the function of substitution–permutation network [32], AES operates on a 4 × 4 column-major order array of bytes. Especially for AES-128, 10 rounds of the matrix operations were deployed on a single encryption process, given by the pseudo-code shown in Table 2.1.1.
Pseudo-Code for the AES encryption // AES-128 Cipher
// in: 128 bits (plaintext) // out: 128 bits (ciphertext)
// Nr: number of rounds, Nr = 10 for AES-128 // Nb: number of columns in a state, Nb = 4
// w: expanded key K, Nb * (Nr + 1) = 44 words, (1 word = Nb bytes) state = in;
AddRoundKey(state, w[0, N b − 1]); for round = 1 step 1 to Nr − 1 do
SubBytes(state); // Point of attack in round 1 ShiftRows(state);
MixColumns(state);
AddRoundKey(state, w[round * N b, (round + 1) * N b − 1]); end for
SubBytes(state); ShiftRows(state);
AddRoundKey(state, w[Nr * Nb, (Nr + 1) * Nb − 1]); out = state;
Table 2.1.1: Pseudo-Code for the AES encryption [39].
After the initiate process, for each AES-128 round, there are 4 operations: SubBytes, ShiftRows, MixColumns, and AddRoundKey (The tenth round does not contain the MixColumns operation).
1.SubBytes
During the SubBytes stage, the S-Box is an 8-bits input and an 8-bits output matrix, shown in Equation 2.1, which can also be express as s= S(c). Both the input and output are interpreted as polynomials over GF(2). bi are the multiplicative inverse of the
initial input bytes ci of the S-Box. And the SubBytes output si are generated by the
to the output bytes S(ai,j) through the S-Box matrix. s0 s1 s2 s3 s4 s5 s6 s7 = 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 b0 b1 b2 b3 b4 b5 b6 b7 + 1 1 0 0 0 1 1 0 (2.1)
Figure 2.1.1 shows the mapping table of SubBytes. Same as the matrix, it represents a replacement rule between the input and output bytes.
Figure 2.1.1: AES-128 SubBytes [29].
2.ShiftRows
The second stage is the ShiftRows. The output bytes generated from SubBytes are shifted following the matrix row shown in Figure 2.1.2. For each ai,j, the shifting
operation only happen in row 2, 3, and 4 for 1, 2 and 3 bits respectively.
3.MixColumns
The third stage is the MixColumns which is another operation to ensure cipher’s complexity. Figure 2.1.3 indicates the function of MixColumns. By taking 4 bytes as the input and 4 bytes as the output, MixColumns XORs ai,j and C(X). The result is a new output matrix. During this stage, C(X) is another 4 x 4 fixed matrix, see Equation 2.2.
Figure 2.1.3: AES-128 MixColumns [29].
C(X) = 2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2 (2.2) 4.AddRoundKey
The final stage during one single AES encryption round is AddRoundKey. There is a round-key matrix shown in Figure 2.1.4. Each byte in the MixColumns output matrix be added by the corresponding bytes in the round-key matrix. Every single round has its unique round-key matrix derive from the initial secret key. The output bi,jbecomes
Figure 2.1.4: AES-128 AddRoundKey [29].
2.2
Side Channel Analysis
In this thesis, we evaluate two widely used SCAs, correlation analysis and template analysis. We present the mathematics background and core function of the two methods in this section.
2.2.1
Correlation Analysis
The correlation analysis is based on the correlation between the side-channel information and the statistical models to recover the secret key. Usually, the model can be created based on the Hamming Weight (HW) or Hamming Distance (HD). In this thesis, we use HW as the model. The best key guess of the correlation attack is the one with the highest correlation calculation result.
In this thesis, we locate the attack point to the output of the S-box in the first AES encryption round. Since our target is a software implementation of AES. The S-box is pre-stored in the memory as a look-up table. The look-up process of AES SubBytes operation needs to load its output from memory onto the bus, it is easy to leak information about the secret key.
outputs and its corresponding n= [1, 2, · · · , N] plaintexts. See Equation 2.3, for each single subkey byte, k is the possible key guesses and pnis a byte of the nth plaintext.
hn,k = HammingWeight(Sbox [pn⊕ k]) (2.3)
After making the HW model, we get n traces t with m sampling points each. Then we compare our model to the traces captured from the device under attack based on the Pearson’s correlation coefficient, shown in Equation 2.4. For a fixed key guess and a fixed position of sampling point, we can calculate hnand tnrespectively.
Pn = ∑N n=1[(hn− ¯h)(tn− ¯t)] » [∑Nn=1(hn− ¯h)2][∑Nn=1(tn− ¯t)2] (2.4)
At this level, we can simply tell which k is the best key guess by testing all possible key guesses k and sampling points m. Then we choose the one with the largest Pearson’s correlation coefficient Pkmax as the final result.
2.2.2
Template Analysis
The core of the template analysis is extracting the hidden secret information by profiling the statistical characteristics of random factors in the side-channel information. The result of the profiling is the so-called ’Template’. Usually, there are two stages, which are template establishment stage and template matching stage.
1.Template Establishment Stage
The template is consists of mean vector and covariance matrix. The first step is to build 2l templates for each possible subkeys, l is the length of the secret key. If a
fixed plaintext encrypted by each secret key for n times, we get n corresponding side-channel traces with m sampling points each. Also, we get a matrix Tm×nfor the samples
of side-channel information. The trace mean can be expressed as Equation 2.5.
¯t=< ¯t1, ¯t2, · · ·, ¯tm > (2.5)
The corresponding noise matrix Nm×n can be generated by calculating the difference
secret key is shown in Formula 2.6. Nm×n = t11 − ¯t1 t12− ¯t2 · · · t1m− ¯tm t21 − ¯t1 t22− ¯t2 · · · t2m− ¯tm ... ... ... tn1− ¯t1 tn2 − ¯t2 · · · tnm− ¯tm (2.6)
The horizontal row of the matrix represents the noise vector of a trace. Meanwhile, the vertical row reflects the random variable Nx, which is the amplitude of the noise at that time. The covariance of the two random variables Nvand Nuis shown in Equation
2.7. cov(Nu, Nv) = 1 n− 1 n ∑ k=1 (tku− ¯tu)(tkv− ¯tv) (2.7)
All the random variables of the noise amplitude can be described as a covariance matrix Cm×n, see Equation 2.8. Cm×m =
cov(N1, N1) cov(N1, N2) · · · cov(N1, Nm)
cov(N2, N1) cov(N2, N2) · · · cov(N2, Nm)
... ... ...
cov(Nm, N1) cov(Nm, N2) · · · cov(Nm, Nm)
(2.8)
So far, the variables needed for the template, which is the mean ¯t and covariance C, are all available. After that, the template can be successfully established based on the two variables with a large amount of traces.
2.Template Matching Stage
After acquiring enough traces from the profiling device and constructing the template, we can deploy the template attack by matching the template using traces t′captured from the device under attack.
The probability p reflects the template matching result, shown in Equation 2.9.
p(t′;< ¯t, C >) = √ 1 (2π)m|C| ex p ï −1 2(t ′ − ¯t)TC−1(t′− ¯t) ò (2.9)
According to the maximum likelihood estimation (MLE), the highest probability pmaxrefers to be the best template and the best key guess.
2.3
EM Side-Channels Emissions
In this last section, we take a look into the Electromagnetic Side-Channel emission. It is important to analyze how cryptographic algorithm is processed in a mixed-signal chip system.
The structure of the mixed-signal chip is presented in Figure 2.3.1. It is composed of two different parts, the digital part, and the analog part. In the digital part, CPU core block and cryptographic block are the key blocks involved in the AES execution process. Since it is on the physical level, all operations will be a series of bit flips, which controlled by the internal system clock of CPU core. To conclude, the CPU core and crypto block do the job of running the cryptographic algorithm.
Figure 2.3.1: Mixed-signal chip system.
After this procedure, the encrypted data is generated and transmitted through the Bus line. In our design, this digital signal, in other words, the data stream is converted into an analog signal by Digital-to-Analog Converter (DAC). After the processing of RF blocks and Voltage-Controlled Oscillator (VCO), the signal will be modulated by a high-frequency carrier signal. In the end, this signal is amplified by a Power Amplifier (PA) and transmitted by an antenna. Which specific frequency and power level that the analog signal adopted is determined by wireless transmission standard.
2.3.1
EM emissions characteristics
In Figure 2.3.1, the bit flips generated by the logic component in the crypto block are the side-channel leakage. The reason is the sharp, swift transformation of high level current to low-level current. In most chip designs, there is a probe that can detect this kind of EM emissions. This kind of emission is called direct EM emissions.
Other than the control of the system clock signal, CPU core may generate other impacts on the crypto block such as inevitable digital noise. Moreover, the data stream transmission over the bus line may also cause unexpected impacts. In the analog part, when the signal is modulated and transmitted, the possible leakage and indirect emission will also be transmitted. Therefore, this kind of indirect EM emission can be detected from a suitable distance.
2.3.2
Determination of central frequency
On the receiver side, it is important to decide the central frequency we adopted to capture the EM emissions. We assume that in the time domain, clock signal is s(t), the cryptographic signal is c(t). In frequency domain, after Fourier transform, we noted clock signal as S(f), the cryptographic signal as C(f). Thus the modulated signal in the time domain is shown in Formula 2.10.
c1(t) = c(t) · s(t) (2.10)
In frequency domain, the modulated signal is
C1(t) = C( f) ∗ S( f) = +∞
∑
−∞
AnC( f − nfs) (2.11)
where fs is the frequency of the clock signal and An is the amplitude of the square
wave.
For the second modulation in the RF block, we assume the carrier frequency as fc. Thus
the modulated signal in the frequency domain is
C2(t) = +∞
∑
−∞
AnC( f − nfs− fc) (2.12)
signal in the frequency domain shown as below: C2(t) =
∑
n,N
AnC( f − (n − N) fs)+ ANC( f ) (2.13)
At this level, things become easy since we can use filters to get the low-frequency signal which is the original cryptographic signal that we pursue.
Related Work
Other than the background of SCAs that we have already introduced. This chapter mainly focus on the related work of EM side-channel analysis.
Since this thesis is based on mixed-signal chip embedded on Bluetooth devices, the noise has always been an inevitable issue. There are plenty of researches regarding the signal emission in Printed Circuit Broads (PCBs) [21]. However, even though mixed-signal designs are similar to PCB designs, the security issue has not been a focus. In [37], the study of noise coupling mechanisms is introduced in details that how the systems will be affected and how to avoid undesirable phenomenons like rings or other isolation structures.
The TEMPTEST specification [36] states the EM attacks towards the physical computing system in 2001. In the same year, Gandolfi Et al successful achieve the full-key recovery from micro-controllers based on EM probes [11]. In 2003, [3] implemented the EM-based SCAs to attack DES encryption on smart cards. Also they indicated that there are mainly two types of EM emissions, which are direct emissions and indirect emissions. The first one happens in the digital components on the chip, while the second one is generated by the coupling effect from multiple components. This concept is crucial for capturing EM emission from a longer distance. It is used as a reference for the implementation of this thesis.
After that, Genkin Et al presented the first physical SCAs on elliptic curve cryptography on the PC [12]. They extracted the secret key within seconds in a distance across a wall. Moreover, [43] enabling the power SCAs in the integrated FPGA without physical access. And [39–42] explored how board diversity can affect the accuracy of
side-channel attack.
Most of the recent work demonstrated attacks based on EM emission are called the screaming channel [7]. Camurati presented this new SCA as an enhanced EM attack that can demonstrate a full key recovery against AES-128 on an nRF52832 chip. They deployed the template attack and recovered 16 bytes secret key from 10m. In details, this attack needed around 70,000 traces for template establishment, and only 428 traces to achieve a full key recovery in an anechoic chamber. The office environment is also tested by [7], which required 52,589 traces at a distance of 1m. All the traces hold the repetition number of 500 in their experiments.
According to [7], the screaming channel is a powerful and practical attack method. Carrying out a realistic attack from a relatively short distance only needs an off-the-shelf antenna and a primary level SDR. Although more and better equipment are needed if the researchers want to do the experiments in longer distances, the work we cover in this project proves that the screaming channel is a real threat against the mixed-signal chip devices.
In the end, other work worth mentioning are some advanced toolkit and software. Measuring techniques like power consumption of individual instructions [34], attacker’s advantages when an instruction is changed [6] are well developed. Software like GNU Radio [13] is an open-source framework that enables researchers to design and implement radio systems. All these work simplifies trace collection and analysis. In terms of code work covered by this thesis work, some official documentations also provide a lot of inspirations.
Method
This chapter introduces the experimental methods.
4.0.1
Assumptions and limitations
The following list indicates the assumptions and limitations of the experiments. 1. The adversary has full control of the profiling device including all physical access
rights and details of chip design.
2. The adversary has limited access to the DUA. Since it is hard to get full access to the DUA in a realistic scenario, we assume that there are only 10,000 traces averaged by 50 times captured from DUA.
3. There is only one template in this thesis to evaluate the efficiency of the template analysis effect by attacking distances and device diversity. And the traces used to construct the template are captured from the profiling device at a fixed distance. 4. The profiling device and the victim device are theoretically the same.
5. The experimental scenario is not perfect, which is an office environment with windows, walls, and Wi-Fi/Bluetooth access points. There are various noise sources and co-band interference which can be regarded as evidence of the robustness of SCAs.
4.0.2
Hypothesis
The correlation analysis may fail to break AES because of its sensitiveness to the environment. The template analysis may be able to break AES. However, the attack efficiency can be influenced by the restricted conditions. Besides, when it comes to the scenario of different attacking distances or the different victim devices, the template attack may fail to recover the key, which means more traces are needed.
4.1
Hardware Setup
This section details all the equipment involved in the experiments.
4.1.1
nRF52 DK
The nRF52 DK is a development kit for Bluetooth Low Energy, Bluetooth mesh, NFC, and the 2.4 GHz proprietary development on the nRF52810 and nRF52832 SoCs [24]. Generally, all the Python scripts for Bluetooth communication and the AES software implementation are running on this kit. One of the advantages of nRF52 DK is its on-board SEGGER J-Link debugger, which allows us to program and debug the SoC. Besides, the SEGGER supports the Studio, Keil, GCC, IDEs, and some other toolchains. In this thesis, we use GCC to burn firmware onto the board. Moreover, nRF52 can be powered by both the CR2032 coin cell battery and the USB header. We choose the latter in our experiments.
Key features of nRF52 Development Kit:
• nRF52832 flash-based ANT™/ANT+™ Bluetooth® Low Energy SoC solution • Buttons and LEDs for user interaction
• I/O interface for Arduino form factor plug-in modules • SEGGER J-Link OB debugger with debug out functionality • Virtual COM port interface via UART
• Drag-and-drop Mass Storage Device (MSD) programming • Supporting NFC-A listen mode
Figure 4.1.1: Physical map of nRF53 development Kit.
4.1.2
Vertical Flat Panel Antenna
Since the nRF52 Development Kit has its integrated on-board PCB antenna, which is not satisfactory to deploy the experiment. The external antenna always used to enhance signal strength and transmission quality. We choose the VP165/24 Flat Panel Antenna to transmit the BLE packet instead of the in-built antenna. The detailed information is shown in Table 4.1.1, refer to the official documentation [38].
Type directional flat panel antenna Polarization vertical Frequency 2400-2485 MHz Impedance 50 ohm Gain 9 dbi HPBW azimuth 65° elevation 65° Power handling 20 W
Connector (1) SMA female or (2) white RG58 3-10 m with male SMA connector Table 4.1.1: Specifications of Flat Panel Antenna.
Figure 4.1.2: Physical map of Flat Panel Antenna.
4.1.3
USRP N210
Universal Software Radio Peripheral (USRP) is a type of software-defined radios (SDR) device, which always used in radio laboratory [13]. In this thesis, the USRP N210 is in charge of receiving the side-channel information from the transmitter. To be specific, traces are captured and processed by the USRP N210 and the GNU Radio respectively. The following list shows the key features.
Key features of USRP N210:
• Use with GNU Radio, LabVIEW™ and Simulink™ • Modular Architecture: DC-6 GHz
• Dual 100 MS/s, 14-bit ADC • Dual 400 MS/s, 16-bit DAC
• DDC/DUC with 25 mHz Resolution
• Spartan 3A-DSP 3400 FPGA (N210)
Figure 4.1.3: Physical map of USRP N210.
4.1.4
Receiver Antenna
In the receiver end, we use the TP-Link TL-ANT2424B antenna to capture the signal and deliver it to the USRP. TL-ANT2424B is a 2.4GHz 24dBi Grid Parabolic Antenna that has relatively high gain, far coverage, stable structure, and simple installation.
4.1.5
Amplifier and Powerbox
To enhance the amplitude of the traces, we use a ZEL-1724LN amplifier powered by PowerBox 3000. The table 4.1.2 shows the specifications of the ZEL-1724LN amplifier.
Operating Temperature -54°C to 85°C Storage Temperature -55°C to 100°C
DC Voltage 17V
Input RF Power (no damage) +13 dBm
Resistance 50Ω
Frequency (MHz) 1700-2400
Table 4.1.2: Specifications of ZEL-1724LN amplifier.
4.1.6
Experimental Setup
The experimental environment is based on a real office which is a 60 square meter conference room with several BLE and Wi-Fi access points. This environment is not ideal. There are reflections of the walls and interference of other BLE and Wi-Fi signals. The physical map of the conference room and the connection diagram are shown in Figure 4.1.5 and Figure 4.1.6 respectively.
Figure 4.1.5: Overview of the experimental environment.
4.2
Data Collecting and Pre-processing
After obtaining traces from the USRP, there are several steps need to be done before deploying an actual attack.
4.2.1
Drop Start
Figure 4.2.1: Captured raw trace data.
The first step is drop start. Figure 4.2.1 deploys the raw trace. In the beginning, the waveform presents a sine wave and each BLE packet was stretched and deformed. It can be considered as an initial stage of the BLE transmission due to the signal modulation procedure on the device. Therefore, it is impossible to deploy an attack based on raw trace. The drop start is simply abandoning the front part of the trace. We can see the decent shape of trace after drop start in Figure 4.2.2.
Figure 4.2.2: Trace after the drop start operation.
4.2.2
Positioning
The second step is positioning. This step aims to locate and collect the traces we need for SCAs from the raw trace. We know that each BLE packet contains the entire ten encryption rounds of AES, which containing attack points of SCAs.
Since the BLE packets are based on the clock signal on the chip, it can be detected by filters. By using the low-pass and band-pass filters, traces containing attack points can be collected. They are marked as a series of yellow protrusions at the lower part of the displayed figures.
4.2.3
Trace Cutting
The third step is trace cutting. After obtaining all traces, it is still inefficient to deploy an actual attack. Specifically, each trace contains the whole AES encryption stages. However, the only one we are interested in is the S-Box output in the first AES round. Therefore, cutting the traces can enhance the efficiency of SCAs. To achieve the goal, for each BLE packet, we cut the traces and only keep the first AES encryption round shown in Figure 4.2.3.
4.2.4
Align and Average
The final step is align and average. Although all BLE packets are collected based on the clock signal, it can not be guaranteed that they are all well-aligned. The synchronization problem can still influence the efficiency of SCAs. To solve this issue, we first select some traces as the standard trace model. Then we calculate the correlation between the trace model and other traces. Based on the calculation result, we align the traces by slightly shifting them to match the trace model. Finally, multiple aligned traces are averaged to further reduce the influences of noises.
Figure 4.2.4: Enlarged view of the traces before and after aligned.
Figure 4.2.4 shows the traces before and after the average operation and the latter is the one we used in the following experiments.
4.3
Correlation EM Attack Setup
All the correlation EM attack experiments are based on the ChipWhisperer. ChipWhisperer is an open-source toolchain for hardware security evaluating [23]. Especially, the ChipWhisperer Analyzer is the one we used in this thesis as a simulator of the Correlation EM attack.
The correlation attack is a built-in function of the ChipWhisperer Analyzer, thus we can simply call the function by declaring the following variables: side-channel traces, plain text, and known key. ChipWhisperer Analyzer operates the correlation analysis and generates the key guess compared with the known key. Here is an example that shows how the ChipWhisperer Analyzer work shown in Figure 4.3.1.
Figure 4.3.1: Example of the Chipwhisperer PGE result.
We can see the Partial Guessing Entropy (PGE) result of the correlation analysis. The plot displays the PGE of 16 best key guesses for 16 sub-keys. For example, PGE 0 means that the best key guess can be recovered by the correlation analysis. The more the PGE approaching 0 the more likely a cryptographic algorithm can be broken by correlation analysis.
Figure 4.3.2: Example of the Chipwhisperer sample for the subkey guesses.
Figure 4.3.2 presents the leakage points, which is another view of the result. The X-axis is the sampling point of the traces in the first AES encryption round, and the Y-axis is the accumulation of the correlation analysis result. For each trace, at each sampling point, there is a correlation result value. Those values are added together and form the shape of each peak.
There are 16 peaks in the figure, which are 16 key bytes of AES. For each key byte, If the red line has the largest absolute value and covers all the green lines, it means the key guess is correct, or versus versa.
4.4
Template EM Attack Setup
The template EM attack was implemented by the Python script, which is also derived from the ChipWhisperer. There are several advantages of Python scripts. For example, it is convenient to add randomness when we select the traces for profiling and attacking. What is more, the Python script provides us the convenience to adjust the changeable parameters.
There are two important parameters during the template establishment: POI (Points of interesting) and Spacing. Generally speaking, more POIs make the template specialized to a certain trace set, while fewer POIs have better universality to different trace sets. According to our experience, 10 POIs are enough for deploying a template analysis, and we set POI to 5 in the following experiments.
Spacing stands for the minimum distance between POIs. It determines the span of the POI, which spacing is set to 1 in this thesis.
It is worth noting that, there is usually an over-fitting problem of the template. If a template is constructed with too many traces, the specificity of the template might be too high to attack different trace sets. However, the number of traces does not exceed 200,000 in this thesis, and the over-fitting problem can be ignored.
4.5
Evaluation Methods
The Partial Guessing Entropy (PGE) was chosen to be the evaluation method. PGE is a key rank of all key candidates, and the ’partial’ means that we are finding the guessing entropy on each subkey [25] [26] [35]. The Guessing Entropy represents the position of the real key. Once, it equals to 0, it means the real key has the largest probability, and the attack is successful. Similarly, PGE x means that the correct key guessing is at rank x. In other words, there are x incorrect ranked higher than the correct guess. PGE does not necessarily have to be at 0 since values close to 0 also has a certain probability to recover the key. Therefore, PGE can intuitively reflect the result of SCAs.
Results
To evaluate the efficiency of correlation analysis, we captured multiple traces from different devices at various distances. Rather than building a template and recovering key separately in a different set of traces such as template analysis, for each attack, correlation analysis only focuses on one trace set.
Secondly, the efficiency of template analysis is affected by the device diversity and attacking distances are also demonstrated in this chapter. A summary chart is listed as a conclusion in the end.
Finally, a pre-processing technique for the correlation analysis is presented. This method reallocates leakage points in the traces, which can significantly improve the attack efficiency of correlation analysis.
Experiments are designed and set up as follow:
1. Experiment I: Evaluating the efficiency of the correlation analysis at various distances (5cm; 15cm; 30cm; 50cm).
2. Experiment II: Discussing the key recovery possibility of the correlation analysis based on the pre-processing technique.
3. Experiment III: Evaluating the efficiency of the template analysis, when it used to attack the same device at the same distance.
4. Experiment IV: Further evaluating the efficiency of the template analysis affected by the trace repetition number.
can affect the attack efficiency of template analysis.
6. Experiment VI: Evaluating how the attack distance (5cm; 15cm; 30cm; 50cm) can affect the attack efficiency of template analysis.
The only template used in the experiment is constructed using traces captured from the device I at 30cm. All the traces are averaged by 50 times except Experiment IV (repetition number: 300). If an experiment can recover the key within 10,000 traces, it can be considered as a successful attack.
5.1
Correlation Analysis Results
This section demonstrates the results of the correlation analysis based on Experiment I and II.
5.1.1
Experiment I
Experiment I aims to demonstrate the result of the correlation EM analysis based on the ChipWhisperer Analyzer.
Figure 5.1.1: Leakage points of the correlation attack at 5cm with 10,000 traces.
Figure 5.1.1 shows the result of the ChipWhisperer. In this case, the correlation analysis fails to recover the key at 5cm within 10,000 traces. In this figure, we can distinguish the 16 leakage points, which are the 16 key bytes of AES. From the figure, we can see that all the red lines are covered by the green lines at each peak, which means the correlation analysis cannot recover the key in this case. The results are similar when it comes to 15cm, 30cm, and 50cm shown in Figure 5.1.2.
(a) Leakage points at 15cm
(b) Leakage points at 30cm
(c) Leakage points at 50cm
Figure 5.1.2: Leakage points of the correlation attack at 15cm, 30cm and 50cm with 10,000 traces.
So far, the correlation analysis cannot break AES in an office environment within 10,000 traces. However, when we look into the enlarged picture of the subkey 0 area shown in Figure 5.1.3, we can find that there is a second peak form the opposite direction after the first highest peak. In the second peak area, the red line reaches the peak.
Figure 5.1.3: Enlarged view of the first subkey area at 30cm with 10,000 traces.
The red line has better properties in the second peak area comparing to the highest one, which is the original attack point. However, to find out if this phenomenon is a coincidence, and what if we relocate the attack point to the second peak area, we should test more traces to further optimize the properties of the second peak area.
5.1.2
Experiment II
As an extension of the previous experiment, Experiment II cut the traces and relocate the correlation attack point to the area which only contains the second peak. As more traces are added, the value of the peak becomes more obvious through the continuous probabilistic superposition.
Figure 5.1.4: Leakage points of the correlation attack at 30cm with 50,000 traces.
Figure 5.1.4 shows that when there are more than 50,000 traces, all the 16 second peaks are clear and distinct. Figure 5.1.5 shows the enlarged view of the first key byte area. We can detect the position of the second peak and relocated the correlation attack point to it. This pre-processing technique can significantly improve the efficiency of the correlation analysis. Table 5.1.1 shows the correlation result after deploying the pre-processing technique. Since the analysis is simulated by ChipWhisperer, the result is at a rough level.
30cm 50cm
Device 1 8k 4k
Device 2 7k 4k
Table 5.1.1: Number of traces needed to recover one key byte by correlation analysis.
If we can determine the exact location of each second peak and deploy the attack, all the key bytes can be recovered within 10,000 traces.
Figure 5.1.5: Enlarged view of the first Subkey area at 30cm with 50,000 traces.
Due to time and place limitations, only 30cm and 50cm have enough traces to deploy the pre-processing technique for correlation analysis. The results of the 50cm are shown in Figure 5.1.6.
Figure 5.1.6: Enlarged view of the first Subkey area at 50cm with 50,000 traces.
By utilizing this technique, the efficiency of the correlation analysis can be significantly increased. For devices such as nRF52 DK, this pre-processing technique is also suitable for deploying attack from different devices at different distances.
5.2
Template Analysis Results
This section demonstrates the results of the template analysis in a real office environment based on Experiment III to VI. The template is constructed using traces captured from device I at 30cm. Each trace is averaged by 50 times.
5.2.1
Experiment III
Experiment III evaluates the efficiency of the template analysis under the same device and the same distance situation. The result is shown in the Figure 5.2.1.
Figure 5.2.1: PGE for trace repetition number 50 at 30cm.
The figure indicates the relationship between Guessing Entropy and trace number. If the guessing entropy follow a downtrend as the increase of traces and convert to zero, it means that the key can be successfully recovered. In this case, PGE dropped significantly at the beginning, but it does not reach 0 within 10,000 traces.
Figure 5.2.2: Enlarged view of convergence area.
With more traces, PGE approaches 0 at around 40,000, which is shown in Figure 5.2.2. This result indicates that the template analysis fails to recover the key within 10,000. However, it can succeed with more traces. Besides, the attack efficiency is relatively high since the sharp drop of PGE with a few amount of traces at the beginning.
5.2.2
Experiment IV
Experiment IV is also based on the same template, same device, and the same distance. However, the repetition number of each trace increase from 50 to 300 to further evaluate the efficiency of the template analysis.
Figure 5.2.3: PGE for trace repetition number 300 at 30 cm.
Figure 5.2.4: Enlarged view of the convergence area.
Figure 5.2.3 and 5.2.4 show the template analysis result with a larger repetition number. PGE drops as the increase of the traces and approaches to 0 at around 4,000. In this case, the secret key can be recovered within 10,000 traces. With the increase of the repetition number, the efficiency of the template analysis is significantly improved. In other words, each trace captured from the device under attack is highly correlated with the template.
5.2.3
Experiment V
Experiment V introduces device II which is the same as device I. The two devices have the same parameters and properties.
Figure 5.2.5: PGE for trace repetition number 50 from Device 2 at 30cm.
Figure 5.2.5 shows the result of Experiment V. The template and the attack distance remain the same, while the target device is device II this time. Similarly, the figure shows the PGE of the known key. As the number of traces increases, PGE keeps decreasing slightly. More specifically, PGE has dropped by only 50 units with 7,000 traces. Because of the low correlation of traces and template, each trace has a low contribution to the PGE result.
The templates analysis fails to recover the key using traces captured from different devices within 7,000 traces. However, if it follows the downtrend of PGE, the attack does have a chance to recover the key with more traces.
5.2.4
Experiment VI
Experiment VI evaluates the efficiency of the template analysis affected by the attack distance. The template and the target device remain the same, while the traces captured from the target device are at several distances (5cm, 15cm, 30cm, and 50cm).
Figure 5.2.6: PGE at 15 cm. Figure 5.2.7: PGE at 50 cm.
The results of the three experiments reach a high level of similarity. PGE results at the three distances are three straight horizontal lines respectively. Figure 5.2.6 and Figure 5.2.7 show the result of 15cm and 50cm. The straight line indicates that if the traces used to construct the template and traces used to match the template are captured from different distances, the PGE result will not change. In this case, each trace does not match the template at all. In other words, the template analysis has no chance to recover the key with traces captured from different distances.
From a mathematical perspective, the traces captured from the victim device should be subjected to a Gaussian probability calculation during a template matching stage. After that, the calculation result affects the output of the PGE array. In this case, since the template can not be matched, the result calculated by the Gaussian function is always 0. Therefore, templates constructed using traces collected at a certain distance can not be used to deploy an attack at different distances, no matter farther or closer. In summary, the template analysis is sensitive to the attack distance.
5cm 15cm 30cm, 50/300 times averaged traces 50cm
Device 1 - - 40000/4400
-Device 2 - - Need More Traces
Table 5.2.1 shows the conclusion. A template constructed using traces from one device captured at 30cm can recover the secret key from 4,000 traces captured from the same device at the same distance. The traces for key recovery increases by 10 times when the repetition number reduces from 300 to 50. However, if the distance is changed, or if traces from a different device are analyzed, the attack fails.
Conclusions
This chapter summarizes and discusses the previous experimental results. Besides, countermeasures against SCAs and future works are presented.
In this thesis, the repetition number of each trace is set to 50. The total number of traces captured from the device under attack is limited to 10,000.
In summary, only when analyzing traces captured from the same device at the same distance, it is possible for the template analysis to recover the key. Besides, the attack efficiency of template analysis is affected by the attack distance, device diversity, and trace repetition number.
Correlation analysis fails to break AES from 10,000 traces. However, based on the pre-processing technique, the attack efficiency is significantly improved, and the attack can even achieve a full key recovery. The correlation analysis might be a better choice to deploy SCAs based on EM traces in an office environment.
6.1
Countermeasures
It is worth clarifying that the purpose of our research on SCAs is to propose some feasible countermeasures. We would like to introduce the countermeasures from three aspects: Chip design and manufacturing, cryptographic algorithm protection, and physical protection.
6.1.1
Countermeasures at the chip level
Firstly, since EM SCAs take advantages of the sensitive information leaked by the coupling effect of digital and analog components on the chip, isolating one of them can be a feasible solution. Besides, adding shield components between digital and analog circuits can also reduce side-channel leakage to some extent.
For instance, techniques like the guard rings, isolation structure on the chip, and some active noise reduction techniques can reduce the propagation of coupling [2]. Moreover, the fully digital architecture chips are possible to prevent EM leakages. Since this kind of digital chips transform some analog circuits to digital, the signal can be modulated directly without requiring analog components to participate in this process [28]. Besides, there are also some bottom-line options, for example, decreasing the transmission power of components when the chip is executing the encryption process. However, those countermeasures lead to an increase in terms of financial cost and physical size of chips, which is a trade-off.
6.1.2
Countermeasures at the algorithmic level
There are some countermeasures to foil side-channel attacks on an algorithmic level. Hiding and masking are two commonly used methods according to related studies [19][20][30].
The hiding technique aims to reduce the Signal-to-noise ratio (SNR) of the side-channel signal. Generally speaking, reducing SNR can be achieved through two methods: enhance the noise and reduce the side-channel leaked information. Technologies of Shielding, asynchronous logic, and balanced the circuit logic styles are some widely used hiding technique [19].
The masking technique aims to eliminate the correlation between side-channel emissions and sensitive information. If the correlation is weak enough, the side-channel information are not capable to deploy an attack [4][8][14]. The masking technique is usually operated by logic gate circuits of the cryptographic block to achieve the purpose of generating randomness and out-of-order factors.
Some other methods have also contributed to countering SCAs. For example, the fresh re-keying technology increases the difficulty of SCAs to obtain enough information from victim devices [22]. Meanwhile a new countermeasure based on the co-design
of hardware and software has been proposed [18].
6.1.3
Countermeasures at the physical level
[19] Any attacker who wants to deploy SCAs needs to physically contact or even directly invade the Device Under Attack (DUA) to collect the side-channel information. Therefore, preventing attackers from approaching and getting access to DUA is one of the most direct and effective ways to against SCAs [5]. US government requires a security zone within 200 feet of the encryption center to prevent security threats announced in the latest TEMPEST document [36], which is a typical example of physical protection of the side-channel information from attackers.
Another concern is the behavior of users matter. It is always worth paying attention to the potential danger around the device when exposed to the public area.
6.2
Future Work
We only collected limited traces because of the outbreak of the Coronavirus and there is no chance to get access to more devices. For future work of this thesis, the experiments can be carried out with more traces and more devices. In this thesis, experiments related to the two devices can be switched and repeated for variable control. Moreover, it is significant to deploy SCAs against different cryptographic algorithms. In the last, longer distances can be tested to explore the potential properties of the template analysis and correlation analysis.
[1] Advanced Encryption Standard. en. Page Version ID: 958396753. May 2020. URL: https : / / en . wikipedia . org / w / index . php ? title = Advanced _ Encryption _ Standard&oldid=958396753 (visited on 05/24/2020).
[2] Afzali-Kusha, Ali, Nagata, Makoto, Verghese, Nishath K, and Allstot, David J. “Substrate noise coupling in SoC design: Modeling, avoidance, and validation”. In: Proceedings of the IEEE 94.12 (2006), pp. 2109–2138.
[3] Agrawal, Dakshi, Archambeault, Bruce, Rao, Josyula R, and Rohatgi, Pankaj. “The EM side—channel (s)”. In: International workshop on cryptographic hardware and embedded systems. Springer. 2002, pp. 29–45.
[4] Akkar, Mehdi-Laurent and Giraud, Christophe. “An implementation of DES and AES, secure against some attacks”. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer. 2001, pp. 309– 318.
[5] Anderson, Ross and Kuhn, Markus. “Tamper resistance-a cautionary note”. In: Proceedings of the second Usenix workshop on electronic commerce. Vol. 2. 1996, pp. 1–11.
[6] Callan, Robert, Zajic, Alenka, and Prvulovic, Milos. “A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events”. In: 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture. 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture. ISSN: 2379-3155. Dec. 2014, pp. 242–254. DOI: 10 . 1109 / MICRO.2014.39.
[7] Camurati, Giovanni, Poeplau, Sebastian, Muench, Marius, Hayes, Tom, and Francillon, Aurélien. “Screaming channels: When electromagnetic side
channels meet radio transceivers”. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018, pp. 163–177.
[8] Chari, Suresh, Jutla, Charanjit S, Rao, Josyula R, and Rohatgi, Pankaj. “Towards sound approaches to counteract power-analysis attacks”. In: Annual International Cryptology Conference. Springer. 1999, pp. 398–412.
[9] Daemen, Joan and Rijmen, Vincent. “The Rijndael block cipher: AES proposal”. In: First candidate conference (AeS1). 1999, pp. 343–348.
[10] Find Articles in Journal of Research of the National Institute of Standards and Technology: May-June 2002. URL: https : / / web . archive . org / web / 20071103105501 / http : / / findarticles . com / p / articles / mi _ m0IKZ / is _ 3 _ 107 ? pnum=2&opg=90984479 (visited on 05/24/2020).
[11] Gandolfi, Karine, Mourtel, Christophe, and Olivier, Francis. “Electromagnetic analysis: Concrete results”. In: International workshop on cryptographic hardware and embedded systems. Springer. 2001, pp. 251–261.
[12] Genkin, Daniel, Pachmanov, Lev, Pipman, Itamar, and Tromer, Eran. “ECDH key-extraction via low-bandwidth electromagnetic attacks on PCs”. In: Cryptographers’ Track at the RSA Conference. Springer. 2016, pp. 219–235.
[13] GNU Radio Opens an Unseen World | WIRED. URL: https://www.wired.com/ 2006/06/gnu-radio-opens-an-unseen-world/ (visited on 05/16/2020).
[14] Golić, Jovan D and Tymen, Christophe. “Multiplicative masking and power analysis of AES”. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer. 2002, pp. 198–212.
[15] Kelsey, John, Schneier, Bruce, Wagner, David, and Hall, Chris. “Side channel cryptanalysis of product ciphers”. In: European Symposium on Research in Computer Security. Springer. 1998, pp. 97–110.
[16] Kocher, Paul C. “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems”. In: Annual International Cryptology Conference. Springer. 1996, pp. 104–113.
[17] Kocher, Paul, Jaffe, Joshua, and Jun, Benjamin. “Differential Power Analysis”. In: Advances in Cryptology — CRYPTO’ 99. Ed. by Michael Wiener. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999, pp. 388–397. ISBN: 978-3-540-48405-9.
[18]
Lumbiarres-Lopez, Ruben, Lopez-Garcia, Mariano, and Canto-Navarro, Enrique. “A new countermeasure against side-channel attacks based on hardware-software co-design”. In: Microprocessors and Microsystems 45 (2016), pp. 324–338. ISSN: 0141-9331. DOI: https : / / doi . org / 10 . 1016 / j . micpro . 2016 . 06 . 009. URL: http : //www.sciencedirect.com/science/article/pii/S014193311630076X.
[19] Mai, Ken. “Side Channel Attacks and Countermeasures”. In: Introduction to Hardware Security and Trust. Ed. by Mohammad Tehranipoor and Cliff Wang. New York, NY: Springer New York, 2012, pp. 175–194.
[20] Mangard, Stefan, Oswald, Elisabeth, and Popp, Thomas. Power analysis attacks: Revealing the secrets of smart cards. Vol. 31. Springer Science & Business Media, 2008.
[21] Maxim Integrated - Analog, Linear, and Mixed-Signal Devices. URL: https : //www.maximintegrated.com/en.html.
[22] Medwed, Marcel, Standaert, François-Xavier, Großschädl, Johann, and Regazzoni, Francesco. “Fresh re-keying: Security against side-channel and fault attacks for low-cost devices”. In: International Conference on Cryptology in Africa. Springer. 2010, pp. 279–296.
[23] newaetech/chipwhisperer. original-date: 2014-08-31T13:36:31Z. May 2020. URL: https://github.com/newaetech/chipwhisperer (visited on 05/18/2020). [24] nRF52DK development kit for Bluetooth Low Energy. en. Library Catalog:
www.nordicsemi.com. URL: https : / / www . nordicsemi . com / en / Software % 20and%20tools/Development%20Kits/nRF52%20DK (visited on 05/14/2020). [25] O’Flynn, Colin and Chen, Zhizhang. Side Channel Power Analysis of an
AES-256 Bootloader. Tech. rep. 899. 2014. URL: http://eprint.iacr.org/2014/899 (visited on 05/23/2020).
[26] O’Flynn, Colin and Chen, Zhizhang (David). ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research. Tech. rep. 204. 2014. URL: http://eprint.iacr.org/2014/204 (visited on 05/23/2020).
[27] Page, Dan. “Theoretical use of cache memory as a cryptanalytic side-channel.” In: IACR Cryptology ePrint Archive 2002.169 (2002).
[28] Parikh, V. K., Balsara, P. T., and Eliezer, O. E. “A fully digital architecture for wideband wireless transmitters”. In: 2008 IEEE Radio and Wireless Symposium. 2008, pp. 147–150.
[29] Pub, NIST FIPS. “197: Advanced encryption standard (AES)”. In: Federal information processing standards publication 197.441 (2001), p. 0311.
[30] QUB, Philip Hodgers, USI, Francesco Regazzoni, QUB, Richard Gilmore, QUB, Ciara Moore, and RUB, Tobias Oder. “Secure Architectures of Future Emerging cryptography”. In: (2016).
[31] Quisquater, J-J. “A new tool for non-intrusive analysis of smart cards based on electro-magnetic emissions. The SEMA and DEMA methods”. In: Eurocrypt2000 rump session (2000).
[32] Schneier, Bruce, Kelsey, John, Whiting, Doug, Wagner, David, Hall, Chris, Ferguson, Niels, Kohno, Tadayoshi, and Stay, Mike. “The Twofish Team’s Final Comments on AES Selection”. en. In: (), p. 13.
[33] Shamir, Adi and Tromer, Eran. “Acoustic cryptanalysis: on nosy people and noisy machines”. In: Online at http://people. csail. mit. edu/tromer/acoustic (2004).
[34] Shao, Yakun and Brooks, David. “Energy characterization and instruction-level energy model of Intel’s Xeon Phi processor”. In: Sept. 2013, pp. 389–394. ISBN: 978-1-4799-1234-6. DOI: 10.1109/ISLPED.2013.6629328.
[35] Standaert, François-Xavier, Malkin, Tal G, and Yung, Moti. “A unified framework for the analysis of side-channel key recovery attacks”. In: Annual international conference on the theory and applications of cryptographic techniques. Springer. 2009, pp. 443–461.
[36] tempest.pdf - National Security Agency Central Security Service Search Results. URL: https : / / search . usa . gov / search ? query = tempest . pdf & affiliate = nsa_css&utf8=%26%23x2713%3B (visited on 05/11/2020).
[37] Verghese, Nishath, Chu, Wen Kung, and McCanny, Jim. “Modeling and Analysis of Substrate Noise Coupling in Mixed-Signal ICs”. In: Substrate Noise Coupling in Mixed-Signal ASICs. Ed. by Stéphane Donnay and Georges Gielen. Boston, MA: Springer US, 2003, pp. 47–63. ISBN: 978-0-306-48170-3. DOI: 10.1007/0-306-48170-7_3. URL: https://doi.org/10.1007/0-10.1007/0-306-48170-7_3.
[38] VP-165/24 Wifi 2,4GHz Flat Panel directional antenna 9dBi. URL: https : / / www.wimo.com/en/vp165-24.
[39] Wang, Huanyu, Brisfors, Martin, Forsmark, Sebastian, and Dubrova, Elena. “How diversity affects deep-learning side-channel attacks”. In: 2019 IEEE Nordic Circuits and Systems Conference (NORCAS): NORCHIP and International Symposium of System-on-Chip (SoC). IEEE. 2019, pp. 1–7.
[40] Wang, Huanyu and Dubrova, Elena. Federated Learning in Side-Channel Analysis. Cryptology ePrint Archive, Report 2020/902. https://eprint.iacr.org/ 2020/902. 2020.
[41] Wang, Huanyu and Dubrova, Elena. “Tandem Deep Learning Side-Channel Attack Against FPGA Implementation of AES.” In: IACR Cryptol. ePrint Arch. 2020 (2020), p. 373.
[42] Wang, Huanyu, Forsmark, Sebastian, Brisfors, Martin, and Dubrova, Elena. “Multi-source training deep learning side-channel attacks”. In: IEEE 50th International Symposium on Multiple-Valued Logic (2020).
[43] Zhao, Mark and Suh, G Edward. “FPGA-based remote power side-channel attacks”. In: 2018 IEEE Symposium on Security and Privacy (SP). IEEE. 2018, pp. 229–244.
