Since the first announcement of a Side Channel Analysis (SCA) about ten years ago, considerable research has been devoted to studying these attacks on Application Specific Integrated Circuits (ASICs), such as smart cards or TPMs. In this article, we compare power-line attacks with ElectroMagnetic (EM) attacks, specifically targeting Field Programmable Gate Array devices (FPGAs), as they are becoming widely used for sensitive applications involving cryptography.

We show experimentally that ElectroMagnetic Analysis (EMA) is always faster than the historical Differential Power Analysis (DPA) in retrieving keys of symmetric ciphers. In addition, these analyses prove to be very convenient to conduct, as they are totally non-invasive.

Research reports indicate that EMA can be conducted globally, typically with macroscopic home-made coils circling the device under attack, with fair results. However, as accurate professional EM antennas are now becoming more accessible, it has become commonplace to carry out EM analyses locally.

Cartography has been carried out by optical means on circuits realized with technology greater than 250 nanometers. Nonetheless, for deep submicron technologies, the feature size of devices that are spied upon is too small to be visible with photographic techniques. In addition, the presence of the 6+ metallization layers obviously prevents a direct observation of the layout. Therefore, EM imaging is emerging as a relevant means to discover the underlying device structure.

In this article, we present the first images of deep-submicron FPGAs. The resolution is not as accurate as photographic pictures: we notably compare the layout of toy design examples placed at the four corners of the FPGAs with the EM images we collected. We observe that EM imaging has the advantage of revealing active regions, which can be useful in locating a particular processor (visible while active---invisible when inactive).

In the context of EM attacks, we stress that the exact localization of the cryptographic target is not necessary: the coarse resolution we obtain is sufficient. We note that the EM imaging does not reveal the exact layout of the FPGA, but instead directly guides the attacker towards the areas which are leaking the most. We achieve attacks with an accurate sensor, both far from (namely on a SMC capacitor on the board) and close to (namely directly over the FPGA) the encryption co-processor. As compared to the previously published attacks, we report a successful attack on a DES module in fewer than 6,300 measurements, which is currently the best cracking performance against this encryption algorithm implemented in FPGAs.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Dakshi Agrawal , Bruce Archambeault , Josyula R. Rao , Pankaj Rohatgi, The EM Side-Channel(s), Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, p.29-45, August 13-15, 2002
	2	Agrawal, D., Rao, J. R., and Rohatgi, P. 2003. Multi-channel attacks. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2779. Springer, 2--16.
	3	Archambeau, C., Peeters, É., Standaert, F.-X., and Quisquater, J.-J. 2006. Template attacks in principal subspaces. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. vol. 4249. Springer, 1--14.
	4	Brier, R., Clavier, C., and Olivier, F. 2004. Correlation power analysis with a leakage model. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 16--29.
	5	Carlier, V., Chabanne, H., Dottax, E., and Pelletier, H. 2005. Generalizing square attack using side-channels of an AES implementation on an FPGA. In Proceedings of the International Conference on Field Programmable Logic. T. Rissa, S. J. E. Wilton, and P. H. W. Leong, Eds. IEEE, 433--437.
	6	Suresh Chari , Josyula R. Rao , Pankaj Rohatgi, Template Attacks, Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, p.13-28, August 13-15, 2002
	7	Christophe Clavier , Jean-Sébastien Coron , Nora Dabbous, Differential Power Analysis in the Presence of Hardware Countermeasures, Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, p.252-263, August 17-18, 2000
	8	Drimer, S. 2008. Volatile FPGA design security---a survey. Version 0.96, http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf.
	9	Dyrkolbotn, G. O. and Snekkenes, E. 2007. A wireless covert channel on smart cards (Short Paper). In Proceedings of the International Conference on Information and Communication Security. Lecture Notes in Computer Science, vol. 4307. Springer, 249--259.
	10	Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M. T. M. 2008. Physical cryptanalysis of keeloq code hopping applications. Cryptology ePrint Archive, Report 2008/058. http://eprint.iacr.org/.
	11	Paul N. Fahn , Peter K. Pearson, IPA: A New Class of Power Attacks, Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems, p.173-186, August 12-13, 1999
	12	Karine Gandolfi , Christophe Mourtel , Francis Olivier, Electromagnetic Analysis: Concrete Results, Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems, p.251-261, May 14-16, 2001
	13	Guilley, S., Hoogvorst, P., and Pacalet, R. 2004. Differential power analysis model and some results. In Proceedings of the World Computer Congress SmartCard Research and Advanced Application Conference. 127--142. Toulouse, France.
	14	Sylvain Guilley , Philippe Hoogvorst , Renaud Pacalet, A fast pipelined multi-mode DES architecture operating in IP representation, Integration, the VLSI Journal, v.40 n.4, p.479-489, July, 2007  [doi>10.1016/j.vlsi.2006.06.004]
	15	Sylvain Guilley , Laurent Sauvage , Jean-Luc Danger , Tarik Graba , Yves Mathieu, Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs, Proceedings of the 2008 Second International Conference on Secure System Integration and Reliability Improvement, p.16-23, July 14-17, 2008  [doi>10.1109/SSIRI.2008.31]
	16	Sylvain Guilley , Laurent Sauvage , Jean-Luc Danger , Nidhal Selmane , Renaud Pacalet, Silicon-level Solutions to Counteract Passive and Active Attacks, Proceedings of the 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography, p.3-17, August 10-10, 2008  [doi>10.1109/FDTC.2008.18]
	17	Homma, N., Nagashima, S., Imai, Y., Aoki, T., and Satoh, A. 2006. High-resolution side-channel attack using phase-based waveform matching. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 187--200.
	18	Paul C. Kocher , Joshua Jaffe , Benjamin Jun, Differential Power Analysis, Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, p.388-397, August 15-19, 1999
	19	Le, T.-H., Clédière, J., Canovas, C., Robisson, B., Servière, C., and Lacoume, J.-L. 2006. A proposition for correlation power analysis enhancement. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 4249. Springer, 174--186.
	20	Le, T.-H., Clédière, J., Servière, C., and Lacoume, J.-L. 2007. Efficient solutions for signal misalignment in side channel analysis. In Proceedings of 32nd IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP). 257--260.
	21	Li, H., Markettos, A., and Moore, S. 11-14 Oct. 2005. A security evaluation methodology for smart cards against electromagnetic analysis. In Proceedings of the 39th Annual 2005 International Carnahan Conference on Security Technology (CCST’05). 208--211.
	22	Thomas S. Messerges , Ezzy A. Dabbish , Robert H. Sloan, Investigations of power analysis attacks on smartcards, Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology, p.17-17, May 10-11, 1999, Chicago, Illinois
	23	Mulder, E. D., Buysschaert, P., Örs, S. B., Delmotte, P., Preneel, B., Vandenbosch, G., and Verbauwhede, I. 2005. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In Proceedings of the IEEE International Conference on Computer as a tool (EUROCON). 1879--1882.
	24	NIST/ITL/CSD. 1999. Data Encryption Standard. FIPS PUB 46-3. http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.
	25	Örs, S. B., Oswald, E., and Preneel, B. 2003. Power-analysis attacks on an FPGA: First experimental results. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 2779. Springer-Verlag, 35--50.
	26	Peeters, r., Standaert, F.-X., Donckers, N., and Quisquater, J.-J. 2005. Improved higher order side-channel attacks with FPGA experiments. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, J. R. Rao and B. Sunar, Eds. Lecture Notes in Computer Science, vol. 3659. Springer-Verlag, 309--323.
	27	Eric Peeters , François-Xavier Standaert , Jean-Jacques Quisquater, Power and electromagnetic analysis: improved model, consequences and comparisons, Integration, the VLSI Journal, v.40 n.1, p.52-60, January 2007  [doi>10.1016/j.vlsi.2005.12.013]
	28	Pelletier, H. and Charvet, X. 2005. Improving the DPA attack using wavelet transform. NIST’s Physical Security Testing Workshop. Website: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper14.pdf.
	29	Polti, A. 2007. STRATIX -- SH4 prototype PCB for high-performance embedded systems. Website: http://www.enst.fr/~polti/realisations/shix20/.
	30	Quisquater, J.-J. and Samyde, D. 2001. Electromagnetic analysis (EMA): Measures and counter-measures for smardcards. In Smart Card Programming and Security (E-smart 2001), I. Attali and T. P. Jensen, Eds. Lecture Notes in Computer Science, vol. 1240. Springer-Verlag, 200--210. ISSN 0302-9743.
	31	Rechberger, C. and Oswald, E. 2004. Practical template attacks. In Proceedings of the Workshop on Introspective Architectures. Lecture Notes in Computer Science, vol. 3325. Springer, 443--457.
	32	Skorobogatov, S. P. 2005. Semi-invasive attacks---A new approach to hardware security analysis. Ph.D. thesis, Cambridge University/Computer Laboratory, Security Group, TAMPER laboratory. Tech. Rep. UCAM-CL-TR-630, ISSN 1476-2986.
	33	Skorobogatov, S. P. 2006. Optically enhanced position-locked power analysis. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 4249. Springer, 61--75.
	34	Standaert, F.-X., Örs, S. B., and Preneel, B. 2004. Power analysis of an FPGA: Implementation of Rijndael: Is pipelining a DPA countermeasure? In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. Lecture Notes in Computer Science, vol. 3156. Springer-Verlag, 30--44.
	35	Standaert, F.-X., Peeters, R., Macé, F., and Quisquater, J.-J. 2006. Updates on the security of FPGAs against power analysis attacks. Reconfigurable Computing: Architectures and Applications. Lecture Notes in Computer Science, vol. 3985. Springer-Verlag.
	36	Standaert, F.-X., Peeters, R., Rouvroy, G., and Quisquater, J.-J. 2006. An Overview of Power Analysis Attacks Against Field Programmable Gate Arrays. Proc. IEEE 94, 2, 383--394.
	37	Thomas Wollinger , Jorge Guajardo , Christof Paar, Security on FPGAs: State-of-the-art implementations and attacks, ACM Transactions on Embedded Computing Systems (TECS), v.3 n.3, p.534-574, August 2004  [doi>10.1145/1015047.1015052]