Different flavors of side-channel attacks such astiming attacks, power attacks, electromagnetic attacks andradio-frequency attacks on cryptographic algorithms have been studiedon embedded software for over a decade; the idea behind these attacksis that the measurements (computationtime, power consumption, electro-magnetic radiation ) aredata-dependent and statistical analysis of the collected curves revealsthe secret key.
Associated security countermeasures are fairly well understood bynow and therefore expected to be implemented by most manufacturers.However, at the hardware design level, the picture is completelydifferent.
Secure silicon manufacturers have been aware of physical securityissues and invasive attacks for quite a while too, but protectingembedded chips against such attacks requires deep architecturalknowledge and needs to be taken into account right from the start. Itis increasingly difficult if not impossible to add effectivecountermeasures after tape out, specifically when it comes to securelyimplementing cryptographic cores.
In this article we provide an overview of typical hardware attackequipment and techniques  required for extracting static secrets from the chip and forreverse-engineering the chip layout itself. Such invasive attacks canbe divided into three main categories, which are 1) chip de-capsulation , 2) probing and e-beam attacks , and 3) focused ion beam attacks .
Chipde-capsulation is typically done by etching and allows exposingthe hardwired logic and memory of the chip. Dry etching refers to thebombardment of ions onto the semiconductor surface to dislodge portionsof material from the exposed surface. Wet etching refers to the removalof material by applying a liquid bath of chemical etchant to thesilicon wafer. Both techniques generally achieve the required exposure.
Probing refers to a setup with extremely thin micro-probes or needles whichtarget a single memory cell or bus line and allow reading thetransitions on the bus or the contents of a very specific memorylocation on the chip.
Currently a maximum of 7 to 8 needles can be operated concurrentlyon the same chip without functionally destroying it. Yet another way toprobe is to use an electron-beam coupled with a detector which allowsto measure if the bus or cell is carrying along a one or a zero bydetecting the reflected secondary electrons when it is bombarded withelectrons.
Focused ionbeams proceed the same way with ions but are used to drill holesinto certain specific locations in order to disconnect hardwired lines.This allows cutting tracks and disabling functional sections of thechip such as random number generators or security sensors as if theynever existed.
Focused ion beams can also deposit new material to create new linkswhich hadn't been there before. For example, mechanically blown fusescan be reconstructed this way or large probe pads can be manufacturedlocally to allow for easy-access probing. A fourth and somewhatdifferent type of threat relates to the fact that an opponent may tryto challenge the chip physically while it is running a sensitivecomputation.
These so-called fault attacks aim at retrieving secrets used atruntime. They preferably use light flashes in different wavelengths todisturb the functional behaviour of the chip. Lasers, X-rays or simplewhite light flashes are typical examples of such light sources whichcan produce random transient computation faults at run-time.
Other factors in faulty behavior
Other environmental stress such as abnormal operating voltage orfrequency, or high or low temperatures may also result in faultybehavior.
Faulty cryptographic computations in turn allow recovering on-boardsecret keys by offline cryptanalytic methods. As attacks and threatsare being published, manufacturers constantly add new hardware securityfeatures on their products. Even though most of them do nottraditionally publish their designs and keep their security featuresprivate, in the following we provide some insight into hardwaresecurity features and secure silicon design principles .
Hardware security sensors detect abnormal environmental conditionssuch as outof- range operating temperature, clock frequency or externalpower supply glitches. They also detect when the chip is flashed withwhite light, UV or X-rays and take corrective actions such as shuttingdown the chip or forcing it to reset and clear all sensitive data.Another common strategy is to isolate the internal clock from theexternal clock supply to disallow random clock glitches and thus tostop fault attacks on the clock.
A protective conductive shield or grid called a metal mesh issometimes placed on top of the chip in order to protect it againstphysical removal of the passivation layer to avoid invasive attacksusing heavier equipment. In order to counter to reverse- engineeringthe chip layout, so-called glue logic design is used to spreaddifferent memory blocks and logical functions all over the chip.
Dynamic data and address scrambling protect against probingindividual ROM, RAM or EEPROM memory cells or external data buses. As amatter of fact, even if probing succeeds, the attacker does not knowwhat he is actually looking at. For further protection against probingattacks, data busses are best buried under several independent metallayers and a submicron scale is used wherever possible.
Latest flash memory provides an additional technological barrier inthe sense that it is much denser (65 to 90nm technology) than othertypes of memory and thus much more difficult to read out. Firstexperiments on 90nm Flash memory show that probing attacks are of lessconcern than RAM, ROM or EEPROM.
Algorithms in hardware
Another widespread practice among chip manufacturers is a move towardssecure SoC solutions by implementing cryptographic algorithms inhardware. Of course, a cryptographic accelerator with embedded memorythat stores and processes a secret key increases the security level ofthe device by making attacks much more difficult.
However, 'keeping secrets in hardware' is not a guarantee that theywill stay secure. Implementing a cryptographic algorithm in SoC resultsin a black box that has several observable physical properties such aspower consumption, electromagnetic radiation, time required to completean operation.
This side-channel information can be measured when the deviceprocesses secret information, and the measurements can be used forattacking the key   . Thisfact has been known since the early days of smart cards and had beendiscreetly addressed in patents such as  that proposed to mask powerconsumption signal while reading and writing zeros or ones by adding toa circuit so called simulation cells built in such a way that theyconsume current substantially equal to those of memory cells.
Ever since, there is a race between a growing sophistication ofhardware side channel attacks and countermeasures. Initially most ofthe successful real-life published attacks targeted implementations ofcryptographic algorithms on relatively simple microcontrollers; for atypical ASIC implementation composed of a few hundreds of thousands ofgates to determine the exact shape of the power supply current seemedto be impossible.
However, in 1999 the confirmation that differential power analysisattacks on cryptographic hardware is indeed possible appeared in  where the authors developedattack techniques on a binary method of modular exponentiation widelyused in the RSA algorithm.
Testing Montgomery multiplication
In order to confirm that the attacks worked in real life, an experimentwas conducted using a smartcard equipped with a Montgomerymultiplication circuit to speed up modular reduction.
The experiment carried out on 64-bit long data and modulusdemonstrated that with statistical methods it was possible todistinguish the bias signal for correct and incorrect guesses of theexponent bit due to minor variations in power consumption betweensquaring and multiplication, even if they were performed in a uniformway on a special-purpose multiplier. Fortunately, the countermeasuresfor RSA are implemented at the algorithmic, software level.
They include masking a message with a random value prior toexponentiation and unmasking it with its inverse after exponentiationin order to preclude an attacker from predicting intermediate results;blinding the exponent by randomly splitting it into two shares andexecuting exponentiation first with one, and then with another share;and randomizing the exponentiation algorithm itself.
For secret key accelerators the situation differs: no softwarecountermeasures can be added to a hardware cipher. On the other hand,usually such a cipher is a very small, difficult to locate part of alarge system-on-chip, and rather than observing an instantaneous powerconsumption at the cipher output at a precise moment, what can bemeasured is the power consumption of the entire ASIC during a clockperiod.
Specialized evaluation labs probably can conduct attacks anyway;and in 2004 an academic publication described a real attack on an ASICimplementation of the Advanced Encryption Standard  . The attack exploited a specificfeature of the datapath itself, where in order to optimize performance,the result of the initialization operation that XOR-s 128-bits of datawith 128- bits of the secret key, was written into a register at therising edge of the second clock cycle.
Hence, it was enough to measure power consumption of the AES coreduring first two clock cycles since these data contained informationwhich was directly related to the attacked key. Even with a 128-bitdatapath the attackers could successfully use 'divide and conquer'strategies by targeting only the first 8 bits of the key and minimizingthe effect of the power signal that was unrelated to the first 8 bitsby carefully selecting input data and by treating unrelated signal asnoise. This was an attack on registers, somewhat similar to traditionalattacks on microprocessors.
However, a year later a new powerful attack targeted theintermediate results that occur only at the outputs of logic gates  . The transitions occurring atlogic gate are very difficult to predict because logic gates switchtheir output potentially several times per clock cycle.
Specially developed tools
In order to assess the power consumption of the combinational circuit,the complete 'glass box' simulation of the attacked part of thiscircuit was conducted for all possible input transitions, and for eachsimulation the number of transitions that occurred at the interestingpart was counted using a specially developed tool.
The statistics calculated on these results have been used topredict the outputs of logic gates of a real circuit. Although thepre-processing stage included acquisitions of millions of power tracesto collect statistics, the final attack revealed 8-bits of the key with25,000 measurements.
The countermeasures for secret key ciphers must be built-in, notadd-on. The far from exhaustive list includes:
1) Randomizing theexternal clock by clock skipping or alternatively using aninternal self-timed clock with randomized frequency modulation or clockjitter. At a system architecture level, asynchronous self-timedcircuits were proposed as well as techniques similar to multithreadingwith threads being randomly selected. These countermeasures aim atpreventing an attacker from predicting accurately the time when certaindata are processed in a certain way.
2) Random register andnetwork pre-charging , random register re-naming, insertion ofoperations on random data interleaved with real operations with orwithout duplication of hardware, or simply adding a noise source. Thesecountermeasures aim at increasing the noise to signal ratio of themeasurements.
3) Masking all data withrandom values . Several alternatives for masking schemes wereproposed for AES, from algorithmic level multiplicative masking to agate level substitution of each gate in the data path with a 'maskedequivalent', as in the first published industrial AES core with agate-level masking . Thesecountermeasures aim at de-correlating the power signal from theprocessed data.
4) Equalizing dynamicpower dissipation while processing zeros and ones. These areusually based on non-standard logic styles, such as dual or dynamiclogic, and require full custom design.
These countermeasures aim at decreasing the signal to noise ratio.Both attack methods and hardware countermeasures remain quite intuitivetoday, but Common Criteria evaluation labswork towards providing a more formal approach to security assurance.The overall hardware security of current embedded chips is rathersatisfactory. Eventually, the amount of hardware security featuresbeing added on the chip is directly proportional to the value of thegoods the embedded device should protect.
1. Anderson, R., Kuhn, M.: Lowcost attacks on tamper resistant devices, In M. Loman et al. (eds.),Security Protocols, proceedings 5th International Workshop IWSP, volume1361 of Lecture Notes in Computer Science, pp. 125-136, Springer-Verlag, 1997.
2. Fruhauf, S., Sourge, L.:Safety device against the unauthorized detection of protected data,U.S. patent number 5,404,402; April 4, 1995.
3. Kocher, P.: Timingattacks on implementations of Diffie-Hellman, RSA, DSS, and othersystems, In Advances in Cryptology — CRYPTO'96, volume 1109 of LectureNotes in Computer Science, pp. 103-113, Springer-Verlag, 1996.
4. Kocher, P., Jaffe, J.,Jun, B.: Differential power analysis, In Advances in Cryptology –CRYPTO'99, volume 1666 of Lecture Notes in Computer Science, pp.388-397, Springer-Verlag, 1999.
5 . Kommerling, O., Kuhn,M.: Design principles for tamper-resistant smartcard processors, InProc. USENIX Workshop on Smartcard Technology (Smartcard 99), pp. 9-20,1999.
6. Mangard, S.,Pramstaller, N., Oswald, E.,: Sucessfully Attacking Masked AES HardwareImplementation, In Cryptographic Hardware and Embedded Systems: CHES2005, volume 3659 of Lecture Notes in Computer Science, pp. 157-171,Springer- Verlag, 2006.
7. Messergers, T.S.,Dabbish, E.A., Sloan, R.H.: Power Analysis Attacks on ModularExponentiation in Smartcards, In Cryptographic Hardware and EmbeddedSystems: CHES 1999, volume 1717 of Lecture Notes in Computer Science,pp. 144-157, Springer-Verlag, 1999.
8. Ors, S. B., Gurkaynak,F., Oswald, E., Preneel, B.: Power-Analysis Attack on an ASIC AESImplementation, In Proc. Int. Conference on Information Technology(ITCC), volume 2, pp. 546-552, April 2004.
9. Trichina, E.,Korkishko, T., Lee K.-H.: Small size, low power, side-channel immuneAES co-processor: Design and synthesis results, In Proc. Of the ForthConf. on the Advanced Encryption Standard (AES 2005), volume 3373 ofLecture Notes in Computer Science, pp. 113-127, Springer- Verlag, 2006.
For a PDF version of this story,go to “ Addingextra hardware security for secure embedded devices.”