A Tutorial On Physical Security and Side-Channel Attacks
A. Aldini, R. Gorrieri, and F. Martinelli (Eds.): FOSAD 2004/2005, LNCS 3655, pp. 78–108, 2005.
© Springer-Verlag Berlin Heidelberg 2005
The authors did their best to keep the paper easy to read, giving a good
understanding of the general principle of physical attacks. Strict formalism was
sometimes sacrificed to the benefit of intuition, whereas many references were
provided to guide the interested reader during his first steps in that fascinating
and emerging subject.
Physical attacks usually proceed in two steps: an interaction phase, during
which an attacker exploits some physical characteristic of a device (e.g. measures
running time or current flow, inserts faults, ...) and an exploitation phase,
analyzing this information in order to recover secret information. Although we
will discuss the first phase, we will mostly focus on the second: once a “signal”
has been obtained, how can we exploit this signal to expose a device’s
secrets?
1.1 Model
The context of a physical attack is the following: we consider a device capable
of performing cryptographic operations (e.g. encryptions, signatures, ...)
based on a secret key. This key is stored inside the device, and protected from
external access. We assume that an attacker has the device at his disposal,
and will be able to run it a number of times, possibly with input values of his
choice. In addition, during the device’s processing, he will be able to act on
or measure some parameters related to the environment, the exact nature of
which depends on the attack’s context. This can for example be the device’s
running time, the surrounding electromagnetic field, or some way of inducing
errors during the computation. The attacker has of course no direct access to
the secret key.
Note that the expression “at disposal” might have various meanings: in some
cases, it can be a complete gain of control, like for example by stealing an
employee’s identification badge during his lunch break, attacking it and then
putting it back in place to go unnoticed. As another example, we would like to
point out that there are situations where the owner of the device himself might
be interested in attacking it, e.g. in the case of a pay-TV decoder chip. On
the other hand, the control of the attacker on the device might be much more
limited: he could for example be hidden behind the corner of the street when the
genuine user is using his device, and monitoring electromagnetic radiations from
a distance, or interrogating the device through a web interface, and monitoring
the delay between request and answer.
Modern cryptography is driven by the well-known Kerckhoffs’ assumption,
which basically states that all the secrecy needed to ensure a system’s security
must reside entirely in the secret keys. In other words, we must assume that
an attacker has perfect knowledge of the cryptographic algorithm, implementation
details, ... The only thing that he does not know – and which is sufficient
to guarantee security – is the value of the secret keys. We will adopt this point
of view here, and consider that the attacker is familiar with the device under
attack, and that recovering the secret keys is sufficient to allow him to build a
pirated device with the same power and privileges as the original one.
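
The model above, as an added example that is not part of the original paper: a toy device whose key check exits early is run on chosen inputs (interaction phase), its simulated running time is analyzed to rebuild the key (exploitation phase), and the same analysis finds nothing once the check takes a fixed time. The `Device` class, the `ticks` counter standing in for measured running time, the sample key and the assumption that the key length is known are all constructed for illustration.

```python
import hmac

class Device:
    """Toy device: holds a secret key, exposes only verify() and its running time."""
    def __init__(self, key: bytes, constant_time: bool = False):
        self._key = key                  # the attacker has no direct access to this
        self._constant_time = constant_time
        self.ticks = 0                   # simulated running time of the last call

    def verify(self, guess: bytes) -> bool:
        if self._constant_time:          # countermeasure: no data-dependent exit
            self.ticks = len(self._key)
            return hmac.compare_digest(guess, self._key)
        self.ticks = 0
        for g, k in zip(guess, self._key):
            if g != k:
                return False             # early exit: time depends on the secret
            self.ticks += 1
        return len(guess) == len(self._key)

def interaction(device: Device, prefix: bytes, length: int) -> dict:
    """Interaction phase: run the device on chosen inputs, record the signal."""
    trace = {}
    for b in range(256):
        device.verify((prefix + bytes([b])).ljust(length, b"\x00"))
        trace[b] = device.ticks
    return trace

def exploitation(trace: dict):
    """Exploitation phase: the one candidate that ran longest matched the key byte."""
    ranked = sorted(trace, key=trace.get, reverse=True)
    return ranked[0] if trace[ranked[0]] > trace[ranked[1]] else None

def recover_key(device: Device, length: int):
    known = b""
    for _ in range(length):
        byte = exploitation(interaction(device, known, length))
        if byte is None:
            return None                  # flat signal: nothing to exploit
        known += bytes([byte])
    return known

SECRET = b"K3y!\x00z"                    # constructed sample key
if __name__ == "__main__":
    print(recover_key(Device(SECRET), len(SECRET)))                      # leaky device
    print(recover_key(Device(SECRET, constant_time=True), len(SECRET)))  # hardened
```

With the early exit, the key falls in at most 256 runs per byte instead of the 256^n guesses an attacker limited to the device's yes/no answer would face.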