Side-Channel Attacks 101

Course outline

Modern cryptography has produced a multitude of secure ciphers that protect our daily electronic transactions. However, once the cipher is implemented on a physical device (microprocessor, FPGA, ASIC etc.) it becomes vulnerable to side-channel attacks. Side-channel attacks are a unique intersection of cryptography, electronics and statistics, pervading all aspects of modern hardware security. The attacks monitor closely the power consumption or electromagnetic emission of a cryptographic device and they are able to extract the secret key using statistical techniques. In this training course we will provide an introduction to side-channel analysis, showcasing the core techniques for key recovery. During the course the students will get the chance to develop several basic side-channel tools in Matlab/Octave. Subsequently they will use them to perform attacks on datasets in order to extract the secret key.

Course sections

Introduction to side-channel attacks

• Basic concepts and background information
• Side-channel leakage modeling
• Simple power analysis
• Differential power analysis

Correlation power analysis in software and hardware

• Assignment 1: Extracting the cipher key from the electromagnetic emission of an ARM Cortex-M4 processor
• Assignment 2: Extracting the cipher key from the power consumption of an FPGA-based AES implementation

Template attacks

• Probability theory and statistics
• Step-by-step guide to profile and exploit a device's side-channel
• Assignment 3: Template building/matching using the electromagnetic emission of an industrial control system

Higher order attacks

• Introduction to side-channel countermeasures (masking, shuffling, etc.)
• Higher-order side-channel attacks
• Assignment 4: Second-order attack using correlation and templates on a masking countermeasure implemented on an AVR smartcard

Who should attend the course

• Researchers and students who want to learn the core techniques of side-channel analysis
• Penetration testers, auditors and evaluators of secure embedded devices
• Developers of secure IoT products
• Any embedded security enthusiast

What should attendees bring

• Laptop with Windows or Linux
• Matlab or Octave installed

What will be provided

• Lecture slides and assignments
• Matlab code and examples
• Side-channel datasets captured from AVR/ARM processors and FPGA implementations

About the Trainers

Lejla Batina
Lejla Batina studied and worked as a research assistant at the Technical University Eindhoven where she got her professional doctorate in Engineering degree in Mathematics for Industry - in 2001. After that she worked as a cryptographer for Pijnenburg - Securealink (later SafeNet, BV), in Vught, The Netherlands. She got her Ph.D. degree from KU Leuven, Belgium in 2005 where she also continued with postdoctoral research. She is currently a professor in the Digital Security group of the Computing Science Department at the Radboud University and active participant in the CHES and IACR communities. Her research interests are hardware security, lightweight cryptography, cryptography for pervasive computing (smart cards, RFIDs, etc.), side-channel attacks/countermeasures and implementations of cryptography.

Kostas Papagiannopoulos
Kostas Papagiannopoulos received a degree in Electrical and Computer engineering from the National Technical University of Athens, Greece in 2011. He received his joint M.Sc. in Information Security from Radboud University, Technical University Eindhoven and University of Twente in 2014. He is currently a Ph.D. candidate in the Digital Security group of Radboud University in Nijmegen, the Netherlands. In addition he was a research visitor at the Riscure testing/evalution lab in Delft, in 2016. His research interests are side-channel attacks and countermeasures, high-performance cryptographic implementations, machine learning and information theory.