wang21physical
Title of the paper: Physical Design Strategies for Mitigating Fine-Grained Electromagnetic Side-Channel Attacks
Available at: https://ieeexplore.ieee.org/abstract/document/9431438
Abstract
We present physical design strategies viz. (i) power grid shielding, (ii) power grid twisting, (iii) increased local decoupling capacitors with VSS shields, and (iv) isolated S-Box module placement to improve the resilience of the Advanced Encryption Standard (AES-128) cryptographic core against fine-grained electromagnetic (EM) side-channel analysis (SCA). Localized EM field measurements are performed using a 0.5 mm radius H-field probe on 3 different, 40nm CMOS test-chips implementing 9 physical design configurations of the AES core. These physical design strategies show 2.45x, 1.51x, 2.61x, and 2.71x higher measurements to disclosure (MTD) respectively compared to the baseline design without incurring any power overhead. These strategies can be applied independently or optimally combined further improving fine-grained EM SCA resilience.
Need for fine-grained EM SCA techniques
Typically, countermeasures against EM SCA focus on coarse-grained measurements using large-diameter EM probes. Such attacks have a very low signal-to-noise ratio (SNR), because signals from information-leaking blocks are obfuscated by uncorrelated sources picked up by the probe, resulting in a spatially averaged EM profile.
Fine-grained EM SCA attacks, on the other hand, scan a chip’s surface using small probes in multiple orientations and can isolate high SNR configurations to recover secure information at a significantly lower cost [3].
Simulations of fine-grained EM SCA attacks using an EM probe [4] of 50 μm diameter, placed 75 μm above an AES core, show that most of the 16 key bytes can be revealed within 1000 traces at 3 different locations.
Look at the high precision!
Goal of this work:
In this work, the authors systematically demonstrate four physical design strategies to mitigate fine-grained EM SCA vulnerability at no power cost and controlled area increase.
Physical design strategies for fine-grained EM SCA resilience
Power grid shielding
Twisted power grids
Local decoupling capacitors
Isolated S-box module placement
Measurement results
AES core area is 15,625 μm² = 0.015625 mm²
The authors test 3 different 40nm CMOS chips implementing a total of 9 physical design strategies for the AES core to improve fine-grained EM SCA resilience.
The fine-grained EM SCA attacks are implemented using a high-fidelity EM measurement setup.
The automated, high-fidelity measurement setup uses a 0.5 mm radius H-field probe, at a height of 0.1 mm above the package, scans an area of 8 mm × 8 mm, and uses a 30 dB amplifier to boost the captured EM signal strength.
EM signal amplitude does not show a linear relationship with MTD, demonstrating that reduced EM sensor amplitude does not necessarily increase EM SCA resilience.
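An added illustration of the MTD metric and of the amplitude observation above (a constructed simulation, not code or data from the paper). It assumes a Hamming-weight leakage model on one AES S-box output byte, Gaussian noise, and a correlation-based analysis, none of which these notes specify. Pearson correlation is scale-invariant, so attenuating signal and noise together leaves MTD unchanged, while a lower SNR raises it.

```python
import math
import random

def aes_sbox():
    """AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox, p, q = [0x63] + [0] * 255, 1, 1   # input 0 has no inverse: fixed 0x63
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q ^= q << s
        q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q
        for r in range(1, 5):                                  # affine map
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            return sbox

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]

def simulate(k, n, amp, sigma, seed):
    """Constructed traces (assumed model): amp * HW(S-box output) + noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [amp * HW[SBOX[p ^ k]] + rng.gauss(0, sigma) for p in pts]

def mtd(pts, traces, k, step=10):
    """Smallest trace count (multiple of step) from which k stays top-ranked."""
    sh, shh, sht = [0.0] * 256, [0.0] * 256, [0.0] * 256
    st, stt, last_fail = 0.0, 0.0, 0
    for n, (p, t) in enumerate(zip(pts, traces), 1):
        st, stt = st + t, stt + t * t
        for g in range(256):              # running sums for every key guess
            h = HW[SBOX[p ^ g]]
            sh[g] += h
            shh[g] += h * h
            sht[g] += h * t
        if n % step == 0:
            def corr(g):                  # |Pearson r| of guess g vs. traces
                den = (n * shh[g] - sh[g] ** 2) * (n * stt - st * st)
                return abs(n * sht[g] - sh[g] * st) / math.sqrt(den) if den > 0 else 0.0
            if max(range(256), key=corr) != k:
                last_fail = n
    return last_fail + step if last_fail + step <= len(pts) else None

if __name__ == "__main__":
    pts, noisy = simulate(0x2B, 1500, 1.0, 8.0, seed=1)  # constructed key byte
    print(mtd(pts, noisy, 0x2B), mtd(pts, [0.25 * t for t in noisy], 0x2B))
```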
References
[4] Efficient simulation of EM side-channel attack resilience