New Approaches of Side-Channel Attacks Based on Chip Testing Methods

Abstract

The state-of-the-art test infrastructure security is based on the assumption of preventing access to the sensitive information and the (publicly) accessible outputs or test infrastructure subset are supposed to not leak any secret information. In addition, for achieving functional safety requirements, the on-chip test infrastructure is re-used in-field and cannot be completely disabled after manufacturing test phase. Therefore, the access to the scan chains or similar test access ports which can lead to sensitive information needs to be restricted or encrypted to guarantee the security of the test infrastructure. However, in this work we show that having access to (small delay) test results on insensitive (public) outputs can in fact reveal secret data. Using real hardware, we have performed template attacks using the results of delay testing on the output of cryptographic circuits and were able to retrieve the key with very few test inputs. This template attack requires only a few random patterns on the victim device, which could be different from the device used for template building. In addition, the attack is also resilient against runtime variation and noise, as well as inaccuracies and down-sampling of delay testing measurements.