Yu-ichi Hayashi

Analysis of Electromagnetic Information Leakage From Cryptographic Devices With Different Physical Structures

This paper presents a novel analysis of electromagnetic (EM) information leakage from cryptographic devices, based on the electromagnetic interference (EMI) theory. In recent years, side-channel attack using side-channel information (e.g., power consumption and EM radiation) is of major concern for designers of cryptographic devices. However, few studies have been conducted to investigate how EM information leakage changes according to devices physical parameters. In this paper, we introduce a cryptographic device model to analyze EM information leakage based on the EMI theory in a systematic manner. This device model makes it possible to acquire the frequency characteristics of EM radiation depending on physical parameters, such as board size and power-line length, accurately. The analysis results show that EM information leakage can be explained by the major EMI parameters such as board size and cable length attached to the board. In addition, we demonstrate that the intensity of EM information leakage from a generic device is also explained by board size and cable length.

Non-invasive EMI-based fault injection attack against cryptographic modules

In this paper, we introduce a new type of intentional electromagnetic interference (IEMI) which causes information leakage in electrical devices without disrupting their operation or damaging their physical structure. Such IEMI could pose a severe threat to a large number of electrical devices with cryptographic modules since it can be used for performing fault injection attacks, which in turn allows for obtaining faulty outputs (i.e., ciphertexts) from cryptographic modules and exploiting them to reveal information about secret keys. Such faulty outputs are usually generated by inducing faults into target modules through modification or invasion of the modules themselves. In contrast, IEMI-based fault injection can be performed on the target modules from a distance by using an off-the-shelf injection probe without leaving any hard evidence of the attack. We demonstrate fault injection attacks based on the above IEMI through experiments using an Advanced Encryption Standard (AES) module implemented on a standard evaluation board (SASEBO). The experimental results indicate that generating effective faults is feasible and, therefore, such IEMI presents a tangible threat to many existing electrical devices and systems that use cryptographic modules for secure communication and transactions.

A Threat for Tablet PCs in Public Space: Remote Visualization of Screen Images Using EM Emanation

The use of tablet PCs is spreading rapidly, and accordingly users browsing and inputting personal information in public spaces can often be seen by third parties. Unlike conventional mobile phones and notebook PCs equipped with distinct input devices (e.g., keyboards), tablet PCs have touchscreen keyboards for data input. Such integration of display and input device increases the potential for harm when the display is captured by malicious attackers. This paper presents the description of reconstructing tablet PC displays via measurement of electromagnetic (EM) emanation. In conventional studies, such EM display capture has been achieved by using non-portable setups. Those studies also assumed that a large amount of time was available in advance of capture to obtain the electrical parameters of the target display. In contrast, this paper demonstrates that such EM display capture is feasible in real time by a setup that fits in an attaché case. The screen image reconstruction is achieved by performing a prior course profiling and a complemental signal processing instead of the conventional fine parameter tuning. Such complemental processing can eliminate the differences of leakage parameters among individuals and therefore correct the distortions of images. The attack distance, 2 m, makes this method a practical threat to general tablet PCs in public places. This paper discusses possible attack scenarios based on the setup described above. In addition, we describe a mechanism of EM emanation from tablet PCs and a countermeasure against such EM display capture.

Mechanism behind Information Leakage in Electromagnetic Analysis of Cryptographic Modules

This paper presents radiation mechanism behind Electromagnetic Analysis (EMA) from remote locations. It has been widely known that electromagnetic radiation from a cryptographic chip could be exploited to conduct side-channel attacks, yet the mechanism behind the radiation has not been intensively studied. In this paper, the mechanism is explained from the view point of Electromagnetic Compatibility (EMC): electric fluctuation released from a cryptographic chip can conduct to peripheral circuits based on ground bounce, resulting in radiation. We demonstrate the consequence of the mechanism through experiments. For this purpose, Simple Electromagnetic Analysis (SEMA) and Differential Electromagnetic Analysis (DEMA) are conducted on FPGA implementations of RSA and AES, respectively. In the experiments, radiation from power and communication cables attached to the FPGA platform is measured. The result indicates, the information leakage can extend beyond security boundaries through such cables, even if the module implements countermeasures against invasive attacks to deny access at its boundary. We conclude that the proposed mechanism can be used to predict circuit components that cause information leakage. We also discuss advanced attacks and noise suppression technologies as countermeasures.

Fundamental Measurement of Electromagnetic Field Radiated from a Coaxial Transmission Line Caused by Connector Contact Failure

When contact failure occurs in a connector in a coaxial HF signal transmission line, an electromagnetic field is radiated around the line. We have measured the electromagnetic field and examined the characteristics of such radiation. The results show that the radiation is related to the contact resistance and the symmetry of the distribution of contact points at the connector. When contact resistance is low, radiation is observed at resonant frequencies related to the length of the transmission line. If a connector has axially asymmetric contact points, its radiation is higher than that when the contact points are symmetric. We show that if contact points in a connector are axially symmetrical with resistance lower than 0.25Ω, the electromagnetic interference caused by the connector contact failure is as low as the background noise.

Card-Based Protocols for Any Boolean Function

Card-based protocols that are based on a deck of physical cards achieve secure multi-party computation with information-theoretic secrecy. Using existing AND, XOR, NOT, and copy protocols, one can naively construct a secure computation protocol for any given (multivariable) Boolean function as long as there are plenty of additional cards. However, an explicit sufficient number of cards for computing any function has not been revealed thus far. In this paper, we propose a general approach to constructing an efficient protocol so that six additional cards are sufficient for any function to be securely computed. Further, we prove that two additional cards are sufficient for any symmetric function.

EM Attack Is Non-invasive? - Design Methodology and Validity Verification of EM Attack Sensor

This paper presents a standard-cell-based semi-automatic design methodology of a new conceptual countermeasure against electromagnetic EM analysis and fault-injection attacks. The countermeasure namely EM attack sensor utilizes LC oscillators which detect variations in the EM field around a cryptographic LSI caused by a micro probe brought near the LSI. A dual-coil sensor architecture with an LUT-programming-based digital calibration can prevent a variety of microprobe-based EM attacks that cannot be thwarted by conventional countermeasures. All components of the sensor core are semiautomatically designed by standard EDA tools with a fully-digital standard cell library and hence minimum design cost. This sensor can be therefore scaled together with the cryptographic LSI to be protected. The sensor prototype is designed based on the proposed methodology together with a 128bit-key composite AES processor in 0.18μm CMOS with overheads of only 2respectively. The validity against a variety of EM attack scenarios has been verified successfully.

A local EM-analysis attack resistant cryptographic engine with fully-digital oscillator-based tamper-access sensor

A cryptographic engine (CE) resistant to local EM-analysis attacks (L-EMAs) is developed. An LC-oscillator-based tamper-access sensor detects a micro EM-probe approach and therefore protects the secret key information. A fully-digital sensor circuit with a reference-free dual-coil sensing scheme and a ring-oscillator-based one-step digital sensor calibration reduces the sensor area overhead to 1.6%. The sensor intermittently operates in interleave between CE operations, which saves power and performance penalty to 7.6% and 0.2%. A prototype in 0.18μm CMOS successfully demonstrates L-EMA attack detection and key protection for the first time.

Efficient Evaluation of EM Radiation Associated With Information Leakage From Cryptographic Devices

This paper presents an efficient map generation technique for evaluating the intensity of electromagnetic (EM) radiation associated with information leakage for cryptographic devices at the printed circuit board level. First, we investigate the relation between the intensity of the overall EM radiation and the intensity of EM information leakage on a cryptographic device. For this purpose, we prepare a map of the magnetic field on the device by using an EM scanning system, after which we perform correlation electromagnetic analysis (CEMA) at all measurement points on the device, including points above the cryptographic module. The examined device is a standard evaluation board for cryptographic modules (side-channel attack standard evaluation board), where a cryptographic circuit is implemented on one of the field-programmable gate arrays on the board. With this experiment, we demonstrate that both an EM radiation map and an information leakage map can be generated simultaneously by scanning the board only once. We also confirm that the generated map is in good agreement with the corresponding map obtained from exhaustive CEMAs.

Yet Another Fault-Based Leakage in Non-uniform Faulty Ciphertexts

This paper discusses the information leakage that comes from the non-uniform distribution of the faulty calculation results for hardware AES implementations under setup-time violations. For the setup-time violation, it is more difficult to predict the faulty value than the introduced difference itself. Therefore, the faulty calculation results have been always paired with the fault-free calculations as the information leakage. However, the faulty calculation results under statistical analyses can directly leak the secret. This leakage is mainly caused by the circuit structure rather than the transition differences for variant input data. Generally, this work explains the mechanism of the non-uniform distribution of faulty calculation results. For the widely used composite field based AES S-box, we explain and demonstrate that the probability of the emergence of a particular faulty value is much higher than other values. We use the key recovery method proposed by Fuhr et al., and show the successful key recovery using only the faulty calculation results. In addition, against the attack target that encrypts random plaintexts, we extend the attack in case the faults are injected remotely using electromagnetic interference without any injection timing trigger.