Power Side-channel Attacks Research Articles

PARADISE: Criticality-Aware Instruction Reordering for Power Attack Resistance

Power side-channel attacks exploit the correlation of power consumption with the instructions and data being processed to extract secrets from a device (e.g., cryptographic keys). Prior work primarily focused on protecting small embedded micro-controllers and in-order processors rather than high-performance, out-of-order desktop and server CPUs. In this paper, we present Paradise , a general-purpose out-of-order processor with always-on protection, that implements a novel dynamic instruction scheduler to provide obfuscated execution and mitigate power analysis attacks. To achieve this, we exploit the time between operand availability of critical instructions ( slack ) and create high-performance random schedules. Further, we highlight the dangers of using incorrect adversarial assumptions, which can often lead to a false sense of security. Therefore, we perform an extended security analysis on AES-128 using different levels of adversaries, from basic to advanced, including a CNN-based attack. Our advanced security evaluation assumes a strong adversary with full knowledge of the countermeasure and demonstrates a significant security improvement of 556 × when combined with Boolean Masking over a baseline only protected by masking, and 62, 500 × over an unprotected baseline. The resulting overhead in performance, power and area of Paradise is \(3.2\% \) , \(1.2\% \) and \(0.8\% \) respectively.

Hardware/Software Cooperative Design Against Power Side-Channel Attacks on IoT Devices

Hardware/Software Cooperative Design Against Power Side-Channel Attacks on IoT Devices

I Choose You: Automated Hyperparameter Tuning for Deep Learning-Based Side-Channel Analysis

Today, the deep learning-based side-channel analysis represents a widely researched topic, with numerous results indicating the advantages of such an approach. Indeed, breaking protected implementations while not requiring complex feature selection made deep learning a preferred option for profiling side-channel analysis. Still, this does not mean it is trivial to mount a successful deep learning-based side-channel analysis. One of the biggest challenges is to find optimal hyperparameters for neural networks resulting in powerful side-channel attacks. This work proposes an automated way for deep learning hyperparameter tuning based on Bayesian optimization. We build a custom framework denoted AutoSCA supporting machine learning and side-channel metrics. Our experimental analysis shows that our framework performs well regardless of the dataset, leakage model, or neural network type. We find several neural network architectures outperforming state-of-the-art attacks. Finally, while not considered a powerful option, we observe that neural networks obtained via random search can perform well, indicating that the publicly available datasets are relatively easy to break.

Compositional Verification of First-Order Masking Countermeasures against Power Side-Channel Attacks

Power side-channel attacks allow an adversary to efficiently and effectively steal secret information (e.g., keys) by exploiting the correlation between secret data and runtime power consumption, hence posing a serious threat to software security, particularly cryptographic implementations. Masking is a commonly used countermeasure against such attacks, which breaks the statistical dependence between secret data and side-channel leaks via randomization. In a nutshell, a variable is represented by a vector of shares armed with random variables, called masking encoding , on which cryptographic computations are performed. While compositional verification for the security of masked cryptographic implementations has received much attention because of its high efficiency, existing compositional approaches either use implicitly fixed pre-conditions that may not be fulfilled by state-of-the-art efficient implementations, or require user-provided hard-coded pre-conditions that are time consuming and highly non-trivial, even for an expert. In this article, we tackle the compositional verification problem of first-order masking countermeasures, where first-order means that the adversary is allowed to access only one intermediate computation result. Following the literature, we consider countermeasures given as gadgets, which are special procedures whose inputs are masking encodings of variables. We introduce a new security notion parameterized by an explicit pre-condition for each gadget, as well as composition rules for reasoning about masking countermeasures against power side-channel attacks. We propose accompanying efficient algorithms to automatically infer proper pre-conditions, based on which our new compositional approach can efficiently and automatically prove security for masked implementations. We implement our approaches as a tool MaskCV and conduct experiments on publicly available masked cryptographic implementations including 10 different full AES implementations. The experimental results confirm the effectiveness and efficiency of our approach.

Quantum Circuit Reconstruction from Power Side-Channel Attacks on Quantum Computer Controllers

The interest in quantum computing has grown rapidly in recent years, and with it grows the importance of securing quantum circuits. A novel type of threat to quantum circuits that dedicated attackers could launch are power trace attacks. To address this threat, this paper presents first formalization and demonstration of using power traces to unlock and steal quantum circuit secrets. With access to power traces, attackers can recover information about the control pulses sent to quantum computers. From the control pulses, the gate level description of the circuits, and eventually the secret algorithms can be reverse engineered. This work demonstrates how and what information could be recovered. This work uses algebraic reconstruction from power traces to realize two new types of single trace attacks: per-channel and total power attacks. The former attack relies on per-channel measurements to perform a brute-force attack to reconstruct the quantum circuits. The latter attack performs a single-trace attack using Mixed-Integer Linear Programming optimization. Through the use of algebraic reconstruction, this work demonstrates that quantum circuit secrets can be stolen with high accuracy. Evaluation on 32 real benchmark quantum circuits shows that our technique is highly effective at reconstructing quantum circuits. The findings not only show the veracity of the potential attacks, but also the need to develop new means to protect quantum circuits from power trace attacks. Throughout this work real control pulse information from real quantum computers is used to demonstrate potential attacks based on simulation of collection of power traces.

Power Side-Channel Attacks on Crypto-core based on RISC-V ISA for High-security Applications

Power Side-Channel Attacks on Crypto-core based on RISC-V ISA for High-security Applications

Beware Your Standard Cells! On Their Role in Static Power Side-Channel Attacks

Beware Your Standard Cells! On Their Role in Static Power Side-Channel Attacks

Remote Power Side-Channel Attacks on FPGAs

Remote Power Side-Channel Attacks on FPGAs

Power Side-channel Attack Resistant Circuit Designs of ARX Ciphers Using High-level Synthesis

In the Internet of Things (IoT) era, edge devices have been considerably diversified and are often designed using high-level synthesis (HLS) for improved design productivity. However, HLS tools were originally developed in a security-unaware manner, resulting in vulnerabilities to power side-channel attacks (PSCAs), which are a serious threat to IoT systems. Currently, the impact and applicability of existing methods to PSCA-resistant designs using HLS are limited. In this article, we propose an effective HLS-based design method for PSCA-resistant ciphers implemented in hardware. In particular, we focus on lightweight block ciphers composed of addition/rotation/XOR (ARX)-based permutations to study the effects of the threshold implementation (which is one of the provably secure countermeasures against PSCAs) to the behavioral descriptions of ciphers along with the changes in HLS scheduling. The results obtained using Welch’s t-test demonstrate that our proposed method can successfully improve the resistance against PSCAs for all ARX-based ciphers used as benchmarks.

Instruction-Level Power Side-Channel Leakage Evaluation of Soft-Core CPUs on Shared FPGAs

Side-channel disassembly attacks recover CPU instructions from power or electromagnetic side-channel traces measured during code execution. These attacks typically rely on physical access, proximity to the victim device, and high sampling rate measuring instruments. In this work, however, we analyze the CPU instruction-level power side-channel leakage in an environment that lacks physical access or expensive measuring equipment. We show that instruction leakage is present even in a multitenant FPGA scenario, where the victim uses a soft-core CPU, and the adversary deploys on-chip voltage-fluctuation sensors. Unlike previous remote power side-channel attacks, which either require a considerable number of victim traces or attack large victim circuits such as machine learning accelerators, we take an evaluator’s point of view and provide an analysis of the instruction-level power side-channel leakage of a small open-source RISC-V soft processor core. To investigate whether the power side-channel traces leak secrets, we profile the victim device and implement various instruction opcode classifiers based on both classical machine learning algorithms used in disassembly attacks, and novel, deep learning approaches. We explore how parameters such as placement, trace averaging, profiling templates, and different FPGA families (including a cloud-scale FPGA) impact the classification accuracy. Despite the limited leakage of the soft-core CPU victim and a reduced accuracy and sampling rate of on-chip sensors, we show that in a worst-case scenario for the evaluator, i.e., an attacker breaching physical separation, we can identify the opcode of executed instructions with an average accuracy as high as 86.46%. Our analysis shows that determining the executed instruction type is not a classification bottleneck, while leakages between instructions of the same type can be challenging for deep learning models to distinguish. We also show that the instruction-level leakage is significantly reduced in a cloud-scale FPGA scenario with higher soft-core CPU frequencies. Nevertheless, our results show that even small circuits, such as soft-core CPUs, leak potentially exploitable information through on-chip power side channels, and users should deploy mitigation techniques against disassembly attacks to protect their proprietary code and data.

Thwarting code-reuse and side-channel attacks in embedded systems

Embedded devices are increasingly present in our everyday life. They often process critical information, and hence, rely on cryptographic protocols to achieve security. However, embedded devices remain particularly vulnerable to attackers seeking to hijack their operation and extract sensitive information by exploiting side channels and code reuse. Code-Reuse Attack (CRAs) can steer the execution of a program to malicious outcomes, altering existing on-board code without direct access to the device memory. Moreover, Side-Channel Attacks (SCAs) may reveal secret information to the attacker based on mere observation of the device. Thwarting CRAs and SCAs against embedded devices is especially challenging because embedded devices are usually resource constrained. Fine-grained code diversification can hinder CRAs by introducing uncertainty to the binary code; while software mechanisms can thwart timing or power SCAs. The resilience to either attack may come at the price of the overall efficiency. Moreover, a unified approach that preserves these mitigations against both CRAs and SCAs is not available. In this paper, we propose a novel SecDivCon approach that tackles this challenge. SecDivCon is a combinatorial compiler-based approach that combines software diversification against CRAs with software mitigations against SCAs. SecDivCon restricts the performance overhead introduced by the generated code that thwarts the attacks and hence, offers a secure-by-design approach enabling control over the performance-security trade-off. Our experiments, using 16 benchmark programs, show that SCA-aware diversification is effective against CRAs, while preserving SCA mitigation properties at a low, controllable overhead. Given the combinatorial nature of our approach, SecDivCon is suitable for small, performance-critical functions that are sensitive to SCAs. SecDivCon may be used as a building block to whole-program code diversification or in a re-randomization scheme of cryptographic code.

Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

<italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Power side-channel attacks exploit data-dependent variations in a CPU’s power consumption to leak secrets. In this article, we show that on modern CPUs, power side-channel attacks can be turned into timing attacks that can be mounted without access to any power measurement interface. This discovery exploits how, under certain circumstances, the dynamic frequency scaling of modern x86 CPU depends on the current power consumption (and hence, data). We demonstrate that this “frequency side channel” is a real threat to the security of cryptographic software. First, we reverse engineer the dependency between data, power, and frequency on a modern x86 CPU—finding, among other things, that differences as small as a set bit’s position in a word can be distinguished through frequency changes. Second, we describe a novel chosen-ciphertext attack against (constant-time implementations of) SIKE that allows full key extraction via remote timing.</i>

Residual vulnerabilities to power side channel attacks of lightweight ciphers cryptography competition finalists

AbstractThe protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device's secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack.

1-b Delta-Sigma ADC-Based Power Side-Channel Attack Detection Sensor

Countermeasures against power side-channel attack (SCA) range from algorithmic modifications to modifying the power consumption characteristics of the device by the inclusion of noise sources or suppressing the current signature. However, these techniques are, in most cases, passive protection techniques and come with the unacceptable area and power overheads for resource-constrained devices. In this letter, we propose a power SCA detection sensor based on a 1-b delta-sigma analog-to-digital converter, which allows for detection of an ongoing attack within as fast as <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$6.4\,\mu \text{s}$</tex-math></inline-formula> , with immunity to power supply noise, at an area overhead of <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$\leq 8\%$</tex-math></inline-formula> for advanced encryption standard (AES)-256, while reducing the power overhead by 66% compared to the current state-of-the-art.

RDS: FPGA Routing Delay Sensors for Effective Remote Power Analysis Attacks

State-of-the-art sensors for measuring FPGA voltage fluctuations are time-to-digital converters (TDCs). They allow detecting voltage fluctuations in the order of a few nanoseconds. The key building component of a TDC is a delay line, typically implemented as a chain of fast carry propagation multiplexers. In FPGAs, the fast carry chains are constrained to dedicated logic and routing, and need to be routed strictly vertically. In this work, we present an alternative approach to designing on-chip voltage sensors, in which the FPGA routing resources replace the carry logic. We present three variants of what we name a routing delay sensor (RDS): one vertically constrained, one horizontally constrained, and one free of any constraints. We perform a thorough experimental evaluation on both the Sakura-X side-channel evaluation board and the Alveo U200 datacenter card, to evaluate the performance of RDS sensors in the context of a remote power side-channel analysis attack. The results show that our best RDS implementation in most cases outperforms the TDC. On average, for breaking the full 128-bit key of an AES-128 cryptographic core, an adversary requires 35% fewer side-channel traces when using the RDS than when using the TDC. Besides making the attack more effective, given the absence of the placement and routing constraint, the RDS sensor is also easier to deploy.

A Single-Inductor–Triple-Output Buck DC-DC Converter With Electromagnetic Gated Low Dropouts for Higher Resistance to Electromagnetic and Power Side-Channel Attacks With 3B Minimum Traces to Disclosure Improvement in Internet of Things Applications

The security protection of IoT urges the design of low electromagnetic interference (EMI) and small power signature in power chips. To achieve high security, small chip area, and high efficiency, this paper proposes a single-inductor triple-output (SITO) buck DC-DC converter with Electromagnetic (EM) gated Low Dropouts (LDO) to reduce the EM leaked signature. Experimental results shows that the peak value of electromagnetic interference noise can be reduced from 88.44dBlV to 54.92dBlV, complying with EN 55032 Class B specifications. In addition, it can achieve 3 billion (B) minimum traces to disclosure (MTD) under power side-channel attack, which is at least three times improvement compared to prior-arts.

An Encrypted On-Chip Power Supply With Random Parallel Power Injection and Charge Recycling Against Power/EM Side-Channel Attacks

As hardware security becomes a crucial challenge for modern electronic devices to protect information privacy, this article presents an encrypted on-chip power supply to combat power and electromagnetic (EM) side-channel attacks (SCAs) for crypto cores. By splitting power and security into separate paths, random parallel power injection and charge recycling are realized to encrypt supply power activities for high SCA immunity while largely minimizing power and performance overheads. Despite of crypto core power variations, the proposed power supply can maintain uncorrelated input profile by adaptively modulating parallel noisy power injection. Moreover, its EM leakage is highly attenuated by spreading the spectrum energy to a wide frequency range and increasing noise floor. To achieve such, a recycled masking power stage with an encryption interface is designed to randomly inject power noise and recycle system charge with random <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">on</small> -time modulation while still retaining nominal power delivery. A silicon IC prototype of this design is fabricated using a 65 nm CMOS process with an active die area of 0.19 mm <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> . Measured input power profiles are fully encrypted to improve power SCA immunity. Operating at a nominal switching frequency of 10 MHz, random parallel power encryption reduces peak EM interference noise from 64.57 dBμV to 43.12 dBμV to meet EN55032 Class B standards and verify EM spectrum profile encryption. In response to a step-up load change from zero to full load current of 200 mA, the power supply achieves 1% settling time of 0.78 μs, with measured voltage droop of 54 mV with no other performance overhead. It achieves a peak efficiency of 90.5%, only suffering the maximum power overhead of 4.9%.

ALScA: A Framework for Using Auxiliary Learning Side-Channel Attacks to Model PUFs

Physical unclonable functions (PUFs) have emerged as potent hardware primitives owing to their intrinsic properties of being secret key-free, clone-proof, and lightweight. However, PUFs cannot avoid the threats of machine learning modeling and side-channel attacks (SCAs). Nevertheless, almost all attacks neglect the correlations between the mathematical model and side-channel models introduced by PUF internal parameters; thus, such attacks fail to exploit related data and struggle in modeling complex PUFs. To address this problem, we propose a framework for using auxiliary learning SCAs to model strong PUFs by learning multiple related tasks together. Side-channel information predictions are introduced as auxiliary tasks to facilitate the primary task of predicting response. The parameters hard for the primary task to learn can be shared by the auxiliary tasks that learn the same parameters more straightforwardly. Based on the proposed framework, we design a specific auxiliary learning power SCA that employs power level prediction as the auxiliary task. The proposed attack is implemented with the hard-parameter sharing and hierarchy sharing deep neural networks. Experimental results demonstrate that the proposed attack succeeds in modeling XOR APUF, MPUF, and iPUF and outperforms the state-of-the-art methods in modeling MPUF and iPUF. We evaluate the influences of task relatedness, architecture, and loss weight ratio. Furthermore, we propose a fine-grained classification-based method to generate the auxiliary task with an enhanced relationship to the primary task. According to the response, the class corresponding to a specific side-channel state is further divided into two subclasses. Experimental results demonstrate that the generated auxiliary task promotes performance and alleviates the adverse effects of improper architecture and parameters.

Emerging tunnel FET and spintronics-based hardware-secure circuit design with ultra-low energy consumption

Present complementary metal–oxide–semiconductor (CMOS) technology with scaled channel lengths exhibits higher energy consumption in designing secure electronic circuits against hardware vulnerabilities and breaches. Specifically, CMOS sense amplifier-based secure differential power analysis (DPA) countermeasures at scaled channel lengths show large energy consumption, with increased vulnerability. Additionally, spin-transfer torque magnetic tunnel junction (STT-MTJ) and CMOS-based logic-in-memory (LiM) cells demonstrate high energy consumption due to the large write current requirement of the STT-MTJ and poor MOS device performance at scaled channel lengths. This paper for the first time leverages emerging tunnel field effect transistor (TFET) steep-slope device characteristics and compatible non-volatile STT-MTJ devices for enhanced hardware security with ultra-low energy consumption at lower supply voltages. TFET-based sense amplifier-based logic (SABL) gates are proposed that achieve 3× lower energy consumption than the Si FinFET SABL designs. Further, utilizing TFET SABL gates, a TFET PRIDE S-box is designed that exhibits higher DPA resilience with 3.2× lower energy consumption than the FinFET designs. With the resulting lower static power consumption, TFET SABL-based cryptosystems are thus less vulnerable to static power side-channel attacks. Additionally, the proposed STT-MTJ and TFET LiM gates achieve 4× lower energy consumption than the STT-MTJ and FinFET designs. Lastly, these gates are explored in a logic encryption/locking technique that shows 3.1× lower energy consumption than the STT-MTJ and FinFET-based design.

A Lightweight Power Side-Channel Attack Protection Technique With Minimized Overheads Using On-Demand Current Equalizer

A lightweight on-demand current equalizer is proposed in this brief to enhance the resistance of the encryption engine to power side-channel attack (PSCA) with a minimized performance-power-area (PPA) overhead. The proposed on-demand current equalizer is operated based on the real-time activity of the encryption engine to minimize the corresponding current signature leakage, while enhancing the supply quality by reducing the voltage droop. Therefore, an encryption engine employing the proposed PSCA protection technique has a low power overhead without suffering from any performance degradation. In addition, an embedded randomization method is proposed to further strengthen the resistance of the encryption engine to PSCA while maintaining the power supply quality. A prototype chip that integrates the proposed design, a 128-bit advanced encryption standard (AES) engine, and a digital low-dropout voltage regulator (DLDO) was fabricated in 180-nm CMOS technology. Measurement results show that the proposed design achieves <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$234{\times }$ </tex-math></inline-formula> minimum traces to disclose (MTD) improvements in correlation power analysis (CPA), with no performance overhead, 21.17% power overhead, and 32.88% area overhead, respectively.