1.1 About this Thesis
2.1.1 An Overview of Side Channels
2.1.1.1 Non-Invasive Side Channels
Execution Time. The first side channel attack published in the open literature dates from 1996 and is due to Paul Kocher [140]. The leakage source targeted in this seminal work is the variable execution time of cryptographic implementations. Because of optimizations in the underlying software libraries, certain arithmetic operations require more or less time to execute given different input parameters. Kocher showed how timing variances in modular multiplications allow an adversary to recover private keys used in cryptosystems such as Diffie-Hellman [87] and RSA [189] after applying some statistical analysis.
Follow-up works such as Dhem et al. [85] demonstrated the applicability of timing attacks on portable cryptographic tokens, while Brumley and Boneh [56] successfully targeted RSA implementations running on a local OpenSSL-based web server.
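The input-dependent running time that Kocher exploited can be made concrete with an added example (not code from this thesis): a textbook left-to-right square-and-multiply exponentiation performs one extra modular multiplication for every set bit of the exponent, so its operation count, and hence its execution time, reveals the Hamming weight of a secret exponent, whereas a Montgomery ladder performs the same operations for every bit. Operation counts stand in for wall-clock time; the base, exponents and modulus are toy values chosen for the illustration.

```python
def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation as found in unprotected textbook code.
    Returns (base**exp mod mod, number of modular multiplications performed).
    Each 1 bit of exp costs one extra multiplication, so the count, and with it
    the running time, depends on the Hamming weight of the (secret) exponent."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod      # squaring on every bit
        mults += 1
        if bit == "1":                        # exponent-dependent extra work
            result = (result * base) % mod
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod):
    """Montgomery ladder with the invariant r1 == r0 * base (mod mod).
    Every bit costs exactly one squaring and one multiplication whatever its
    value, so the count depends only on the bit length of exp."""
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        mults += 2
    return r0, mults


def is_count_constant(impl, exponents, base=3, mod=1000003):
    """Leakage check: run impl on several exponents of the same bit length and
    report whether the multiplication count is the same for all of them."""
    return len({impl(base, e, mod)[1] for e in exponents}) == 1


if __name__ == "__main__":
    # Constructed 3-bit exponents with Hamming weights 1, 2 and 3.
    exps = [0b100, 0b101, 0b111]
    for e in exps:
        print(f"exp={e:03b}", square_and_multiply(3, e, 7), montgomery_ladder(3, e, 7))
    print("naive constant:", is_count_constant(square_and_multiply, exps))
    print("ladder constant:", is_count_constant(montgomery_ladder, exps))
```

The ladder still branches on the exponent bit; a production implementation would replace the branch with a constant-time conditional swap so that neither the operation count nor the memory access pattern depends on the key, which is the property that defeats this class of timing measurement.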
Power Consumption. Three years after the introduction of timing attacks, Kocher, Jaffe and Jun [141] published a still more threatening side channel: power consumption. Kocher et al. showed that the instantaneous power consumption of a circuit over time is linked to the intermediate values and operations being processed, and presented two attacks capable of evaluating this dependence:
• Simple Power Analysis (SPA) exploits key-dependent patterns in the power consumption present in one (or very few) leakage measurements, often by simple visual inspection. Although the interpretation of power measurements requires some expertise and/or knowledge of the circuit and of the implementation, this form of attack is particularly devastating for algorithms where power patterns can be directly linked to key-bit-dependent operations or branches.
• Differential Power Analysis (DPA) exploits the leakage present in a larger set of leakage measurements. As opposed to SPA, it does not require knowledge of implementation details, and its basic principles are not algorithm dependent. The first step in a DPA attack consists of building a model that estimates the power consumption of the device for every candidate in a computationally tractable (sub-)key space. The second step consists of evaluating the dependence between the power model and the leakage measurements using a statistical distinguisher that yields the strongest dependency for the correct key guess.
Electromagnetic Emanations. The electromagnetic (EM) side channel was independently proposed by Gandolfi et al. [101] and Quisquater and Samyde [182] in the early 2000s. Every changing current or voltage within a circuit generates an electromagnetic field. Measurements of this field over time inherently carry information about the circuit’s internal behavior, which may in turn relate to the execution of a cryptographic algorithm.
Due to their similar leakage origin, attacks exploiting the EM side channel are analogous to the ones exploiting power consumption, namely Simple EM Analysis (SEMA) and Differential EM Analysis (DEMA). Note however that while power consumption is typically tied to global observations of a circuit, the electromagnetic field allows the adversary to focus on local elements over its surface.
Other Non-invasive Side Channels. While execution time, power consumption, and EM emanations are often acknowledged as the most relevant and threatening side channels, other leakage sources that can be potentially exploited in a non-invasive manner have been introduced in related works:
• Temperature. Brouchier et al. [55] show how it is possible for concurrent processes running on a computer to exploit the temperature side channel, i.e. the heat dissipation of the CPU, in order to gain knowledge of internal computations. This side channel can be accessed indirectly through software commands that query the speed of the CPU fan. A recent work by Hutter and Schmidt [123] characterizes the temperature side channel on embedded microcontrollers and identifies a (low-frequency) linear relationship between heat radiation and circuit activity.
• Visual. Kuhn [146] describes a mechanism to eavesdrop at a distance on the contents displayed by a cathode-ray tube monitor, using off-the-shelf components such as a photomultiplier tube and a computer equipped with a fast analog-to-digital converter.
• Acoustic. Along with the previously mentioned attack of Wright [228], a study by Shamir and Tromer [203] demonstrates that some patterns of operations can be recognized by the sound emanated by a CPU. This low-frequency side channel stems from mechanical stress due to continuous heating and cooling effects.
2.1.1.2 (Semi-) and Invasive Side Channels
The previous side channels can be accessed in the vicinity of the target device, i.e. without tampering with its physical structure. However, adversaries may profit from a certain level of intrusion if it is within their capabilities. For instance, a semi-invasive approach based on chip decapsulation allows the EM coil to be brought close to the passivation layer and therefore improves the signal-to-noise ratio of the leakage measurements [101].
Ferrigno and Hlavác [97] recently introduced the optical side channel, which exploits the number of photons emitted by the transistors of an integrated circuit when they change state. Access to such information requires not only techniques to thin down and polish the silicon layer on the backside of the die, but also specialized equipment to measure the emitted photons. Recent works by Schlosser et al. [193] and Kramer et al. [144] have shown how this side channel can be exploited similarly to SPA and DPA techniques, respectively, while proposing alternatives to lower the cost of the equipment.
A particular type of invasive attack is based on (micro-)probing techniques [143]. These attacks target inner elements of a circuit that store or transport sensitive information, for instance secret cryptographic key(s). By placing a thin needle on top of such elements, adversaries can directly read out the values processed by the circuit. For this reason, probing-based attacks are often not considered side channel attacks, but rather a particular case of passive invasive attacks. Needless to say, access to such fine-grained information requires expensive equipment, and its applicability is thus limited to specialized labs or attackers.