Hongying Liu,Yibo Fan,Satoshi Goto

DOI: https://doi.org/10.1166/asl.2012.2080

2012-01-01

Advanced Science Letters

Abstract:Electromagnetic emissions leak confidential data of cryptographic devices. The electromagnetic emission has been reported as an important side channel for cryptanalysis. Electromagnetic Analysis (EMA) exploits the external radiation of cryptographic devices during encryption to reveal secret keys. The performance of EMA depends on the acquired signals to a large extent. To protect the devices from attacks, noises are introduced in the side channel either by unintentional interference from surroundings or elaborate design from engineers. Thus the secret recovery becomes difficult and even unavailable. In this paper, we propose two signal processing techniques to counteract both of these noises. The bandpass filtering and independent component analysis are widely used in other areas. We demonstrate their applications to EMA against the encryption algorithms on application-specific integrated circuit. With these techniques, the secret keys are extracted successfully and rapidly. © 2012 American Scientific Publishers. All Rights Reserved.

Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Chenguang Wang,Qiang Zhou,Yici Cai,Haoyi Wang

DOI: https://doi.org/10.1145/3240765.3240804

2018-11-05

Abstract:Electromagnetic (EM) analysis is to reveal the secret information by analyzing the EM emission from a cryptographic device. EM analysis (EMA) attack is emerging as a serious threat to hardware security. It has been noted that the on-chip power grid (PG) has a security implication on EMA attack by affecting the fluctuations of supply current. However, there is little study on exploiting this intrinsic property as an active countermeasure against EMA. In this paper, we investigate the effect of PG on EM emission and propose an active countermeasure against EMA, i.e. EM Equalizer (EME). By adjusting the PG impedance, the current waveform can be flattened, equalizing the EM profile. Therefore, the correlation between secret data and EM emission is significantly reduced. As a first attempt to the co-optimization for power and EM security, we extend the EME method by fixing the vulnerability of power analysis. To verify the EME method, several cryptographic designs are implemented. The measurement to disclose (MTD) is improved by 1138x with area and power overheads of 0.62% and 1.36%, respectively.

Engineering,Computer Science

Hongying Liu,Xin Jin,Yukiyasu Tsunoo,Satoshi Goto

DOI: https://doi.org/10.1587/transfun.e96.a.185

2013-01-01

Abstract:Electromagnetic emissions leak confidential data of cryptographic devices. Electromagnetic Analysis (EMA) exploits such emission for cryptanalysis. The performance of EMA dramatically decreases when correlated noise, which is caused by the interference of clock network and exhibits strong correlation with encryption signal, is present in the acquired EM signal. In this paper, three techniques are proposed to reduce the correlated noise. Based on the observation that the clock signal has a high variance at the signal edges, the first technique: single-sample Singular Value Decomposition (SVD), extracts the clock signal with only one EM sample. The second technique: multi-sample SVD is capable of suppressing the clock signal with short sampling length. The third one: averaged subtraction is suitable for estimation of correlated noise when background samplings are included. Experiments on the EM signal during AES encryption on the FPGA and ASIC implementation demonstrate that the proposed techniques increase SNR as much as 22.94 dB, and the success rates of EMA show that the data-independent information is retained and the performance of EMA is improved.

Yan Long,Qinhong Jiang,Chen Yan,Tobias Alam,Xiaoyu Ji,Wenyuan Xu,Kevin Fu

DOI: https://doi.org/10.14722/ndss.2024.24552

2024-01-01

Abstract:IoT devices and other embedded systems are increasingly equipped with cameras that can sense critical information in private spaces.The data security of these cameras, however, has hardly been scrutinized from the hardware design perspective.Our paper presents the first attempt to analyze the attack surface of physical-channel eavesdropping on embedded cameras.We characterize EM Eye-a vulnerability in the digital image data transmission interface that allows adversaries to reconstruct high-quality image streams from the cameras' unintentional electromagnetic emissions, even from over 2 meters away in many cases.Our evaluations of 4 popular IoT camera development platforms and 12 commercial off-the-shelf devices with cameras show that EM Eye poses threats to a wide range of devices, from smartphones to dash cams and home security cameras.By exploiting this vulnerability, adversaries may be able to visually spy on private activities in an enclosed room from the other side of a wall.We provide root cause analysis and modeling that enable system defenders to identify and simulate mitigation against this vulnerability, such as improving embedded cameras' data transmission protocols with minimum costs.We further discuss EM Eye's relationship with known computer display eavesdropping attacks to reveal the gaps that need to be addressed to protect the data confidentiality of sensing systems.

Josef Danial,Debayan Das,Santosh Ghosh,Arijit Raychowdhury,Shreyas Sen

DOI: https://doi.org/10.1109/access.2020.3025022

IF: 3.9

2020-01-01

IEEE Access

Abstract:Electromagnetic (EM) side-channel analysis (SCA) is a prominent tool to break mathematically-secure cryptographic engines, especially on resource-constrained devices. Presently, to perform EM SCA on an embedded device, the entire chip is manually scanned and the MTD (Minimum Traces to Disclosure) analysis is performed at each point on the chip to reveal the secret key of the encryption algorithm. However, an automated end-to-end framework for EM leakage localization, trace acquisition, and attack has been missing. This work proposes SCNIFFER: a low-cost, automated EM Side Channel leakage SNIFFing platform to perform efficient end-to-end Side-Channel attacks. Using a leakage measure such as Test Vector Leakage Assessment (TVLA), or the signal to noise ratio (SNR), we propose a greedy gradient-search heuristic that converges to one of the points of highest EM leakage on the chip (dimension: $N times N$ ) within $O(N)$ iterations, and then perform Correlational EM Analysis (CEMA) at that point. This reduces the CEMA attack time by $sim N$ times compared to an exhaustive MTD analysis, and by $> 20times $ compared to choosing an attack location at random. We demonstrate SCNIFFER using a low-cost custom-built 3-D scanner with an H-field probe (<$500) compared to >$50, 000 commercial EM scanners, and a variety of microcontrollers as the devices under attack. The SCNIFFER framework is evaluated for several cryptographic algorithms (AES-128, DES, RSA) running on both an 8-bit Atmega microcontroller and a 32-bit ARM microcontroll-r to find a point of high leakage and then perform a CEMA at that point.

computer science, information systems,telecommunications,engineering, electrical & electronic

Richard Xian-Ke Gao

DOI: https://doi.org/10.1109/temc.2023.3325371

IF: 2.036

2024-01-01

IEEE Transactions on Electromagnetic Compatibility

Abstract:An effective source reconstruction method (SRM) to predict the noise coupling from an unknown electromagnetic interference (EMI) source inside a shielding enclosure is proposed in this work. On account of the difficulty and time-consuming in phase measurement of near-field, the magnitude-only near-field scanning is employed to obtain the near-field above EMI sources in free space, and the leakage near-field from the slots and/or holes of a shielding enclosure after the EMI source is inserted into the enclosure. The infinitesimal dipole is used as the equivalent source of the EMI source. The proposed method can generally be divided into three steps. First, the positions and initial moments of the equivalent dipoles of an unknown EMI source without any shielding enclosure are derived by using dynamic differential evolution (DDE) algorithm. Second, the obtained dipoles are thereafter placed into an arbitrarily shaped shielding enclosure, and the full-wave simulation is implemented to build the relationship between the dipoles and the measured leakage field from the slots/holes of the shielding enclosure. Third, the dipole moments are thereby optimized by using the DDE method again based on the magnitude-only leakage field. It is worth highlighting that only a relatively small region of near-field on the leakage plane is sufficient for obtaining an effective equivalent dipole model in the shielding enclosure. The results of numerical simulation and physical measurement have verified the effectiveness of the proposed SRM for modeling unknown EMI sources in a shielding enclosure.

Ya Gao,Haocheng Ma,Qizhi Zhang,Xintong Song,Yier Jin,Jiaji He,Yiqiang Zhao

DOI: https://doi.org/10.1109/tifs.2024.3483551

IF: 7.231

2024-10-30

IEEE Transactions on Information Forensics and Security

Abstract:Electromagnetic side-channel analysis (EM SCA) attack poses a serious threat to integrated circuits (ICs), necessitating timely vulnerability detection before deployment to enhance EM side-channel security. Various EM simulation methods have emerged for analyzing EM side-channel leakage, providing sufficiently accurate results. However, these simulator-based methods still face two principal challenges in the design process of high security chips. Firstly, the large volume of measurement data required for a single security evaluation results in substantial time overhead. Secondly, design iterations lead to repetitive security evaluations, thus increasing the evaluation cost. In this paper, we propose EMSim+ which includes two efficient and accurate layout-level EM side-channel leakage evaluation frameworks named EMSim+GAN and EMSim+GAN+TL to mitigate the above challenges, respectively. EMSim+GAN integrates a Generative Adversarial Network (GAN) model that utilizes the chip's cell current and power grid information to predict EM emanations quickly. EMSim+GAN+TL further incorporates transfer learning (TL) within the framework, leveraging the experience of existing designs to reduce the training datasets for new designs and achieve the target accuracy. We compare the simulation results of EMSim+ with the state-of-the-art EM simulation tool, EMSim as well as silicon measurements. Experimental results not only prove the high efficiency and high simulation accuracy of EMSim+, but also verify its generalization ability across different designs and technology nodes.

computer science, theory & methods,engineering, electrical & electronic

Wl Yuan,Ep Li

DOI: https://doi.org/10.1109/ISEMC.2004.1350005

2004-01-01

Abstract:With the advance in high-speed electronics and the presence of new standard on electromagnetic susceptibility, EMS analysis and evaluation is becoming increasingly important. This paper investigates EMS of shielded electronic equipments in a device level by using full-wave numerical technique combined with the circuit-based method. The method of moment in terms of the mixed-potential electric field integral equation for the geometries of arbitrary combined wire/surface is developed for susceptibility evaluation. With numerical analysis, the effect of external EM noise on electronic equipment is characterized and an equivalent secondary source model is extracted for further EMS analysis of internal high-speed susceptible circuit in a lower board level.

Jun Li,Xing-Chang Wei,Liang Gao,Yu-Fei Shu

DOI: https://doi.org/10.1109/apemc.2017.7975492

2017-01-01

Abstract:A novel equivalent radiation source method is proposed to take place of the real radiating integrated circuit (IC) in this paper. The method utilizes amplitude-only near-field scanning data to reconstruct equivalent magnetic dipole array, and the differential evolution optimization algorithm is proposed to extract the locations, orientation and moments of those dipoles. By importing the equivalent dipoles model into 3D full-wave simulator together with the victim circuits model, the electromagnetic interference issues in mixed RF/digital systems can be well predicted. A commercial IC is used to validate the accuracy and efficiency of this proposed method. The coupled power at the victim antenna port calculated by the equivalent radiation source is compared with the measured data. Good consistency is obtained which confirms the validity and efficiency of the method.

Si-Yao Tang,Xing-Chang Wei

DOI: https://doi.org/10.1109/icept59018.2023.10491920

2023-01-01

Abstract:In this paper, we use the equivalent sources based on near-field scanning to predict the electromagnetic leakage produced by circuit inside package. First, we use the near-field scanning system to obtain the electromagnetic information above the radiation source. Next, we calculate the equivalent electric and magnetic dipoles array of the radiation source. Finally, we predict the electromagnetic leakage by put the dipoles array into package simulation model. The accuracy of the proposed method has been verified through a practical measurement example.

Han Gan,Hongxin Zhang,Muhammad Saad Khan,Xueli Wang,Fan Zhang,Pengfei He

DOI: https://doi.org/10.1109/cc.2017.8068768

2017-01-01

China Communications

Abstract:Correlation power analysis (CPA) has become a successful attack method about crypto-graphic hardware to recover the secret keys. However, the noise influence caused by the random process interrupts (RPIs) becomes an important factor of the power analysis attack efficiency, which will cost more traces or attack time. To address the issue, an improved method about empirical mode decomposition (EMD) was proposed. Instead of restructuring the decomposed signals of intrinsic mode functions (IMFs), we extract a certain intrinsic mode function (IMF) as new feature signal for CPA attack. Meantime, a new attack assessment is proposed to compare the attack effectiveness of different methods. The experiment shows that our method has more excellent performance on CPA than others. The first and the second IMF can be chosen as two optimal feature signals in CPA. In the new method, the signals of the first IMF increase peak visibility by 64% than those of the tradition EMD method in the situation of non-noise. On the condition of different noise interference, the orders of attack efficiencies are also same. With external noise interference, the attack effect of the first IMF based on noise with 15dB is the best.

Junjun Huan,Peyman Dehghanzadeh,Soumyajit Mandal,Swarup Bhunia

DOI: https://doi.org/10.1109/access.2023.3300222

IF: 3.9

2023-08-09

IEEE Access

Abstract:Modern microelectronics life-cycle and supply chain ecosystem bring multiple untrusted entities, which can compromise their integrity. A major integrity issue of microelectronics stems from piracy of intellectual properties (IP) and counterfeiting, which causes significant revenue loss to the semiconductor manufacturers. Further, these components often lead to compromised functionality, reliability, security, and safety of an electronic system. This paper presents secure information transmission and probing methods for verifying the integrity of digital integrated circuit (ICs) based on their electromagnetic (EM) near-field emissions and thereby protecting systems against counterfeit components. The proposed method has been tested on both high-level instructions executed by microprocessors or Systems-on-Chip (serving as examples of software), and also logic circuits within FPGA fabrics and ASICs (serving as examples of hardware). The authentication information required by each digital system is generated using a pseudo-random number generator circuit and securely transmitted via near-field magnetic emissions. The authorized party can probe these emissions using a near-field probe, process the acquired signals to improve the signal-to-noise ratio (SNR), and then recover the secure information through matched filtering. Experimental results from commercial SoCs are used to demonstrate the proposed technique. Methods for reducing EM interference during integrity verification of both FPGAs and ASICs are also described.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haocheng Ma,Jiaji He,Yanjiang Liu,Leibo Liu,Yiqiang Zhao,Yier Jin

DOI: https://doi.org/10.1109/tcad.2020.3024938

2019-01-01

Abstract:Side-Channel Analysis (SCA) attacks are major threats to hardware security. Upon this security threat, various countermeasures at different design layers have been proposed against SCA attacks. These approaches often introduce significant performance overheads and impose high requirements of side-channel security backgrounds to IC designers. In this paper, we propose an automatic computer-aided design (CAD) tool that can enhance the circuit resistance against electromagnetic (EM) SCA attacks. This new tool will guide a security-driven placement process and can be seamlessly integrated into the modern IC design flow. The protected IC design will be resilient to SCA attacks with negligible area and power overheads. In order to develop this tool, we first investigate the root-cause of EM leakage at layout level and mathematically demonstrate the feasibility of security-driven placement through the EM leakage modeling. We then identify that the correlation between the data under protection and the EM leakage can be significantly reduced through data-dependent registers reallocation. Simulation results on cryptographic circuits prove the effectiveness of both the constructed EM leakage model and the EM model based CAD tool for EM security.

Jia-Chen Zhang,Xingchang Wei,Li Ding,Xian-Ke Gao,Zi-Xiang Xu

DOI: https://doi.org/10.1109/tmtt.2020.3011416

IF: 4.3

2020-01-01

IEEE Transactions on Microwave Theory and Techniques

Abstract:There is a great demand and challenge for the nondestructive detection of an unknown electromagnetic interference (EMI) radiation source inside the printed circuit board (PCB). In this article, an electromagnetic imaging method based on the plane-wave spectrum and transmission line model is proposed. By scanning the radiated field outside the PCB and calibrating the electric or magnetic probe with a reference source, the field inside the PCB can be evaluated, and the image of the unknown radiation source inside the PCB can thus be predicted. The proposed method is validated by simulation and measurement examples. Correlation coefficients between the predicted field and the reference are larger than 0.9, which reveals the good accuracy of the proposed method. This method will be greatly applicable in determining the EMI sources inside electronic devices.

Wenhai Zhou,Fan-tong Kong

DOI: https://doi.org/10.1109/ICCT46805.2019.8947185

2019-10-01

Abstract:Correlative electromagnetic side channel attack (CEMA) is a common and effective method in side channel attacks. However, a large amount of data acquisition and processing restricts the time of key cracking. This paper proposes a fast side channel attack method, which encrypts the selected plaintexts and filters the collected electromagnetic data on frequency domain, and then performs CEMA analysis. Finally, only 150 pieces of electromagnetic data are used to successfully crack all the keys of the advanced encryption standard (AES) cryptographic algorithm, and the cracking time is reduced to 1/50 of the traditional method.

Engineering,Computer Science

Kun Gu,Liji Wu,Xiangyu Li,Xiangxin Zhang

DOI: https://doi.org/10.1109/cis.2011.149

2011-01-01

Abstract:Information security is very important for the smart cards. Electromagnetic analysis (EMA) attack is a common method of side channel attacks which is a serious threat for the security of smart cards. So it is necessary to build a system to estimate the ability of the smart card to resist EMA attack. In this paper, an automatic EMA system for smart cards is designed and implemented. This system can measuring the electromagnetic field of smart card and can also carry out EMA attack. To verify the effectiveness of this system, an EMA attack was successfully carried out by it on a FPGA which 3DES cryptographic algorithm was loaded and implemented. 3DES is widely used in bank IC card and USB key. It is important to make sure of the safety of these financial IC cards. The experimental results showed that the applicable electromagnetic field signal can be traced to estimate the ability of the security device to resist EMA attack.

Jinghai Guo,Ling Zhang,Xin Yan,Hanzhi Ma,Da Li,Er-Ping Li

DOI: https://doi.org/10.1109/emcsipi49824.2024.10705449

2024-01-01

Abstract:This paper proposes a sparse emission source microscopy (ESM) technique based on active machine learning to localize high-frequency electromagnetic interference (EMI) sources. The proposed method, which combines the query-by-committee (QBC) algorithm and a newly proposed entropy feedback (EF) technique, can significantly improve the efficiency of high-frequency EMI source location by reducing the number of scanning points. The results of simulation and measurement examples show that the proposed method is much more time-efficient compared with the full sampling method. Also, the method demonstrates a noticeable advantage over the uniform sampling and random sampling approaches, and has higher accuracy of EMI source location with the same number of sparse scanning samples.

Di Wang,Xing-Chang Wei,En-Xiao Liu,Richard Xian-Ke Gao

DOI: https://doi.org/10.1109/memc.2023.10136447

2023-01-01

IEEE Electromagnetic Compatibility Magazine

Abstract:This paper elaborates the near-field scanning and modeling technique developed for electromagnetic interference (EMI) analysis. The technique has been increasingly deployed in many R&D labs of universities and testing centers of industry companies due to its advantages in terms of time and cost, comparing with conventional EMI measurement methods. The major research works related to the near-field scanning and modeling are probe design and source reconstruction method (SRM). In this article, the working principle of electric and magnetic probes are firstly introduced. Probe parameters including calibration factor, electric center, sensitivity, spatial resolution and bandwidth are discussed. Next, the equivalent radiation source modeling approach is presented. Through SRM, a complex and unknown EMI source is substituted with the simplified equivalent radiation source based on the electromagnetic fields measured by magnetic and/or electric probes. The phaseless SRM is thereafter discussed for addressing the limitations in conventional SRM and its applications prove that the near-field scanning and modeling technique can effectively predict EMI far-field radiation and near-field coupling.

Yu-Ru Feng,Xing-Chang Wei,Li Ding,Tian-Hao Song,Richard Xian-Ke Gao

DOI: https://doi.org/10.1109/temc.2021.3083665

IF: 2.036

2021-01-01

IEEE Transactions on Electromagnetic Compatibility

Abstract:Near field scanning is one of the most useful methods for electromagnetic interference (EMI) diagnosis. However, large scanning points and long scanning time are the major obstacles when the device under test is complex. To resolve the issue, a novel hybrid method including two steps to quickly predict the near field pattern of an unknown EMI source is proposed. The first step is to reconstruct a full field pattern from a sparse scanning using the joint Schatten p-norm and Lp-norm method, where less sampling points are required on the original scanning plane. The second step is the near-near field transformation based on the plane wave spectrum method. It uses one single field pattern to derive the field distributions on multiplanes around the EMI source by introducing a calibration factor. The source reconstruction method in the second step can also be used to predict far field and coupled power to the victim circuit. Both simulation and experimental examples have validated the feasibility of the proposed method.