
3.2 Experimental Setups

3.2.3 Spatial and Temporal Analysis

For a photonic side channel attack, we want to observe only a small part of the DUA and get its photonic emissions with a high temporal resolution. We identify this part from emission images captured with the CCD and then use the second detector to measure the photonic emission only of the selected components. During our research, we used two different techniques for the temporally resolved measurements.

34/136 Chapter 3 Photonic Emission Analysis

Figure 3.6: Optical emission image of the S-Box in memory. The 256 bytes of the S-Box are located from memory address 0x23f to 0x33e, as in Table 4.1. The address 0x23f is the eighth byte of the SRAM line starting with address 0x238, i.e., the S-Box has an offset of 7 bytes. The emissions of the row drivers are clearly visible to the left of the memory bank. The image allows direct readout of the bit values of the stored data. The byte shown in the overlay, for example, corresponds to 0b01100011 = 0x63, the first value of the AES S-Box.

Both are based on a single InGaAs/InP APD commonly found in telecommunication transceivers (Telcordia GR-468-CORE). It is operated in Geiger mode, i.e., the diode is supplied with a high reverse-bias voltage just below avalanche breakdown. A single photon exciting one electron within the diode then causes an avalanche of carriers and thus high amplification. To minimize dark current, the diode is thermoelectrically cooled. Dark current (or dark counts) refers to the leakage current, i.e., detection events registered although the diode is not exposed to the light source [164]. Afterpulsing, an adverse effect in InGaAs/InP APDs, is reduced by extensive quenching circuits and gated operation, a technique where the bias voltage is only applied during small windows in time. The diode is coupled to the microscope via an optical fiber. The measuring spot on the DUA, corresponding to the fiber's aperture, can be freely positioned for temporal analysis, and the spot size can be varied. Areas of interest, identified in an emission image, can thus be selected for temporal analysis with high spatial selectivity. Even single transistors can be selected for precise measurements. Because of its spectral sensitivity above 1 µm, unlike the CCD, this detector does not require a thinned DUA substrate, as silicon is transparent in this spectral range. Hence, if the spatial orientation relative to the IC's layout can be obtained by other means, substrate thinning can be omitted completely. This is interesting when applying the presented methodologies across multiple samples of an identical IC, as only a single sample has to be prepared to provide orientation.

Once the area of interest is identified, we record a set of traces while the device encrypts certain plaintexts. In the case of a DPA, a trace refers to a set of power consumption measurements taken across a cryptographic operation [103]. Such a trace can be plotted as a line graph. In the case of photonic emission analysis, a single measurement only results in a discrete vector with most of the entries equal to 0. However, we also use the term trace to refer to the measurement of photonic emissions of a single encryption of a certain plaintext. Hence, a trace $t_i$ is recorded while the device encrypts the input data $i$. Each trace consists of $N$ points in time, i.e., $N$ is the length of the traces and thus $t_i = (t_{i,1}, \ldots, t_{i,N})$. The traces $t_i$ and their components $t_{i,n}$, $n \in I = \{1, \ldots, N\}$, thus refer to real photonic emissions, and each $t_{i,n}$ corresponds to a number of count events.

At the beginning of our research, we had to compose each trace from multiple measurements. When it is used in so-called gated operation, the APD is rendered sensitive only for a short window in time during every execution of the target code. This short time frame is called the detection gate. To reconstruct the complete signal temporally, the detection gate has to be synchronized during all executions and it has to be shifted regularly relative to the signal, similar to a sampling oscilloscope. Provided that the detection gate can be controlled with high precision, the time resolution and the measurement time depend only on the employed gate width.

To implement this detection scheme, we used an FPGA-based controller that is phase-locked to the clock of the DUA. A block diagram of the system is shown in Figure 3.2. When the DUA executes the target code, the FPGA digitally delays and triggers the APD detection gate. Each FPGA-controlled trigger renders the APD sensitive for a preset amount of time, the detection gate. The detection gate length was 20 ns for the SPEA measurements. Detection events are sent back to the FPGA and counted in the corresponding time bins. The set of triggers is shifted by the length of the detection gate after an appropriate number of measurements, and the next set of data points is collected. An additional analog delay can be employed for fine delay control. The absolute time resolution of the system is jitter-limited to approximately 1 ns. The measurement time to reconstruct the extremely weak photoemission signals can be immense: millions of measurements may be necessary to achieve an adequate Signal-to-Noise Ratio (SNR), i.e., a large signal and low noise. To drastically reduce the measurement times, the FPGA triggers hundreds of APD detection gates per execution of the target code. This results in interleaved measurements, and the whole set of interleaved measurements then reconstructs the signal. With our first setup, we stored only accumulated measurements, i.e., we stored only a single trace per input byte. This was more efficient in terms of memory space, but obstructed efficiency analyses from the cryptographic point of view.
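The gated, interleaved acquisition scheme above can be made concrete with a small simulation. The following Python is an added illustration, not code from the thesis or from the FPGA controller it describes: it models a set of detection gates that are opened once per gate period during an execution, shifted by one gate width after each round until the whole execution has been sampled, and checks that this schedule reconstructs the same binned trace as a detector that is sensitive for the whole execution. The 20 ns gate width is the value given for the SPEA measurements; the execution length, the number of gates per execution and the photon arrival times are assumed and constructed for the example.

```python
"""Gated, interleaved photon acquisition reconstructing a time-resolved trace.

Added illustration, not code from the thesis. GATE_NS is the 20 ns gate of the
SPEA measurements; EXEC_NS, GATES_PER_EXEC and EXAMPLE_PHOTONS are assumed /
constructed for this example.
"""

GATE_NS = 20           # detection gate length (20 ns for the SPEA measurements)
EXEC_NS = 2000         # assumed duration of one execution of the target code
GATES_PER_EXEC = 25    # assumed number of interleaved gates opened per execution
PERIOD_NS = EXEC_NS // GATES_PER_EXEC   # gate period: 80 ns in this example
SHIFTS = PERIOD_NS // GATE_NS           # rounds needed to cover one period: 4

# Constructed photon arrival times (ns after the DUA trigger); the same emission
# pattern is assumed to repeat in every execution of the target code.
EXAMPLE_PHOTONS = [150, 155, 160, 1010, 1012, 1900]


def gate_windows(shift):
    """[start, end) windows in which the APD is sensitive for a given shift.

    One gate per period, all gates displaced together by shift * GATE_NS,
    which is how the set of triggers is shifted after each round.
    """
    return [(k * PERIOD_NS + shift * GATE_NS,
             k * PERIOD_NS + (shift + 1) * GATE_NS)
            for k in range(GATES_PER_EXEC)]


def coverage_ok():
    """True if every GATE_NS-wide bin of the execution is opened by exactly one
    (shift, gate) pair, i.e. the interleaved schedule samples each bin once."""
    bins = sorted(start // GATE_NS
                  for s in range(SHIFTS) for start, _ in gate_windows(s))
    return bins == list(range(EXEC_NS // GATE_NS))


def acquire_gated(photons_per_execution):
    """Simulate gated acquisition over several executions.

    Execution e uses shift e % SHIFTS; a photon is counted only if it arrives
    while a gate is open. Returns counts per GATE_NS bin (the reconstructed trace).
    """
    trace = [0] * (EXEC_NS // GATE_NS)
    for e, photons in enumerate(photons_per_execution):
        windows = gate_windows(e % SHIFTS)
        for t in photons:
            for start, end in windows:
                if start <= t < end:
                    trace[start // GATE_NS] += 1
                    break
    return trace


def acquire_free_running(photons_per_execution):
    """Reference: detector sensitive during the whole execution, same bin width."""
    trace = [0] * (EXEC_NS // GATE_NS)
    for photons in photons_per_execution:
        for t in photons:
            if 0 <= t < EXEC_NS:
                trace[int(t) // GATE_NS] += 1
    return trace


def reconstruction_matches():
    """Gated acquisition over SHIFTS executions equals one free-running execution:
    the gating costs SHIFTS times as many executions for the same trace."""
    gated = acquire_gated([EXAMPLE_PHOTONS] * SHIFTS)
    return gated == acquire_free_running([EXAMPLE_PHOTONS])


if __name__ == "__main__":
    print("coverage ok:", coverage_ok())
    print("gated reconstruction matches free-running:", reconstruction_matches())
```

The price of gating is visible in `reconstruction_matches`: with four shifts, four times as many executions are needed to see every photon once, and a real APD additionally discards photons arriving outside its gate, which is why the free-running improved setup described below shortens the measurement time.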


Improved Setup

Later, we developed an improved system for the temporal measurement of location-dependent leakage. It is a consistent further development of the original setup and was also used in [166]. This system does not require multiple detection gates, but allows measuring the traces in free-running mode. Moreover, it allows us to store each trace separately, instead of one accumulated trace per input, which enables more detailed analyses.

Due to the weak photonic emission from the DUA, temporal acquisition of this leakage requires a detector which is very fast and highly sensitive to infrared wavelengths. The improved setup features better adapted optics and an InGaAs-APD that is more suitable for this kind of application than the one in the original setup. The detector signal from the APD is first processed in a Time-to-Digital Converter (TDC) before it is transmitted to the data processor together with the trigger signal from the DUA. The TDC tags each occurring event with a resolution of 81 ps. This allows for the calculation of the timing of a detected photon in relation to the DUA's trigger. The accuracy of the measured timing of single events is limited by the overall jitter of about 200 ps, which is caused by the electronics in the APD and the signal detection at the TDC. If required, superresolution methods can increase the time resolution even further, to 6 ps. However, regarding the clock period of 62.5 ns of the DUA, a time resolution of about 200 ps is sufficient. The low dark count rate of the APD allows using it in free-running mode. Therefore, the costly gating technique used in the original setup is no longer necessary. Moreover, the free-running mode and the low dark count rate enable a significant reduction in measurement time. We needed only a few minutes to capture all traces for a successful DPEA, see Section 4.2. As with the original setup, the improved system has been built from commercially available components. Only the mounting of the DUA on a three-dimensional moving stage and the necessary electronics to communicate with the DUA are custom-made. The price of the necessary hardware for our improved system adds up to approximately 50,000 - 60,000 €. Thus, its price is similar to the price of the original setup.


Chapter 4

The Photonic Side Channel

Optical emission attacks will very likely result in the need to introduce new countermeasures during the design of semiconductor chips.

(S. Skorobogatov [160])

This chapter describes how the physical information gained during a photonic emission analysis can be used to reveal information about secret cryptographic keys and to conduct a photonic side channel attack. As is the case for the well-known Simple Power Analysis and Differential Power Analysis, both simple and differential attacks based on photonic emission are defined and presented. Accordingly, these attacks are called Simple Photonic Emission Analysis and Differential Photonic Emission