Signal Processing in Side Channel Attacks
In this blog series, we will dig deeper into the details of Side-channel Attacks (SCA). This post covers the signal processing involved in side-channel attacks. To get an understanding of the basics of SCA, refer here. SCA methods include power analysis, electromagnetic attacks, timing attacks, etc. This blog focuses specifically on power analysis and the signal processing it requires.
There are different methods and steps to collect power traces from a chip performing cryptographic operations. These operations may be symmetric encryption such as AES, asymmetric encryption such as ECC, or hash functions such as MD5, SHA-1, SHA-256, etc.
The number of power traces collected may range from 100 to 5000 or more, varying from case to case. Acquisition systems come with different sampling rates and resolutions, and a higher sampling rate also captures more noise in the collected traces. The whole crux of SCA is to predict the encryption key using power analysis methods; if the collected traces are noisy, unevenly sampled, or inconsistent, the prediction goes completely wrong.
From a digital signal processing perspective, there are time-domain and frequency-domain algorithms to analyse the collected traces. In this particular blog, we will discuss time-domain methods; in subsequent blogs, we will go deeper into frequency-domain analysis.
The following are some of the important signal processing steps that can be applied to the traces for a successful side-channel attack.
Downsampling:
Downsampling is the process of starting with high-resolution data and reducing the amount of data by selecting points that are evenly distributed. Here is the three-step procedure for downsampling data:
- Pick a new sampling rate
- Low-pass filter at the new Nyquist frequency (the Nyquist frequency corresponding to the new sampling rate, not that of the original sampling rate), which is lower than the original.
- Downsample the signal
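The three steps above can be sketched with SciPy, whose `decimate` function combines the anti-aliasing low-pass filter and the sample selection in one call. The sampling rate and the synthetic trace below are assumed example values standing in for a real capture:

```python
import numpy as np
from scipy import signal

# Assumed example: a synthetic 20,000-sample trace standing in for a captured power trace.
fs = 100e6                      # original sampling rate (100 MS/s, hypothetical)
rng = np.random.default_rng(0)
t = np.arange(20000) / fs
trace = np.sin(2 * np.pi * 1e6 * t) + 0.1 * rng.standard_normal(t.size)

factor = 25                     # downsampling factor from the text (20000 -> 800 samples)
# decimate() low-pass filters at the new Nyquist frequency before discarding
# samples, covering steps 2 and 3 of the procedure in one call.
downsampled = signal.decimate(trace, factor, ftype="fir")

print(trace.size, downsampled.size)   # 20000 800
```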
Shown below is a partial time series of a captured power trace with 20,000 samples.
After downsampling by a factor of 25, as shown in the next figure, the same time series has only 800 samples, but its shape is unaffected.
With the downsampled signal, the power analysis algorithm needs far fewer samples, which reduces the computational cost in terms of both memory and time.
Filtering and Smoothing:
During power analysis, peaks in the signal play a crucial role; if peaks are not detected properly, the prediction goes wrong. Generally, the peaks in the collected traces are either distorted or flat-topped. A common pre-processing step for peak detection is to low-pass filter the signal with a Finite Impulse Response (FIR) filter at a suitable cut-off frequency. If the filtered signal is still noisy in amplitude, it can be smoothed further with a moving average filter. In the image below, the time series discussed above has been smoothed using a moving average filter.
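As a minimal sketch, a moving average filter is just a convolution with a normalized rectangular kernel. The window length here is an assumed example value; it would be tuned to the trace in practice:

```python
import numpy as np

def moving_average(x, window=11):
    """Smooth a trace by replacing each sample with the mean of its neighbourhood."""
    kernel = np.ones(window) / window
    # mode="same" keeps the output the same length as the input trace
    return np.convolve(x, kernel, mode="same")
```

A wider window gives stronger smoothing but also flattens genuine peaks, so the window is kept short relative to the peak width.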
Further, a Butterworth low-pass filter applied to the above signal, with a properly chosen filter order and cut-off frequency, makes the traces cleaner. In the following picture, the moving-averaged signal is filtered with a cut-off frequency of 1 MHz and a filter order of 5. You can refer here for the mathematics of the moving average filter and FIR filters.
Note in the above image that the peaks are attenuated by the filtering. This is only a partial view of the whole trace; across the complete trace, many more peaks can be found.
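A Butterworth low-pass stage like the one described above could be sketched with SciPy as follows. The 1 MHz cut-off and order 5 come from the text, while the sampling rate is an assumed example value; zero-phase filtering is used so that peak positions are not shifted in time:

```python
import numpy as np
from scipy import signal

fs = 100e6        # assumed sampling rate of the acquisition (hypothetical)
cutoff = 1e6      # 1 MHz cut-off, as in the text
order = 5         # filter order, as in the text

# Design the Butterworth low-pass; second-order sections are numerically stable.
sos = signal.butter(order, cutoff, btype="low", fs=fs, output="sos")

def lowpass(trace):
    # sosfiltfilt runs the filter forward and backward: zero phase shift,
    # so detected peak locations stay put.
    return signal.sosfiltfilt(sos, trace)
```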
Peak Detection:
The next step is to detect the peaks. Certain repeating patterns can be observed in the traces, and the local peaks within each pattern are significant. Signal processing offers multiple peak detection algorithms, chosen depending on whether the signal is periodic or non-periodic. Traces collected from a cryptographic operation are most likely to have a periodicity. To identify the peaks, we find the distance between the first two peaks and apply that spacing to the remaining peaks in the trace. The following image shows the detected peaks marked with orange crosses.
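The strategy just described, estimating the spacing of the first two peaks and then enforcing it as a minimum distance, can be sketched with SciPy's `find_peaks`. The synthetic periodic trace and the prominence threshold are assumed example values:

```python
import numpy as np
from scipy.signal import find_peaks

# Assumed example: a synthetic periodic trace standing in for a filtered power trace.
rng = np.random.default_rng(0)
t = np.arange(8000)
trace = np.sin(2 * np.pi * t / 500) + 0.05 * rng.standard_normal(t.size)

# Estimate the period from the spacing of the first two prominent peaks...
coarse, _ = find_peaks(trace, prominence=0.5)
period = coarse[1] - coarse[0]

# ...then enforce that spacing (with some slack) as a minimum peak distance,
# so noise bumps between the real peaks are rejected.
peaks, _ = find_peaks(trace, prominence=0.5, distance=int(0.8 * period))
```

The `prominence` threshold rejects small noise wiggles, while `distance` encodes the expected periodicity of the cryptographic operation.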
Dynamic Time Warping (DTW):
This is a crucial stage of signal processing for power analysis. First, let us understand the challenge in the collected power traces. The data acquisition setup generally involves an RC filter and a crystal oscillator in the kHz or MHz range. These components add a capacitive effect, which results in nanosecond- or microsecond-scale delays between successive traces. As you can see in the figure, the two signals are shifted in time; in simple terms, the signals are not aligned sample to sample. This poses a challenge when correlating the traces, as peaks that do not line up produce wrong correlation coefficients.
To solve this issue, an efficient algorithm called Dynamic Time Warping (DTW) gives wonderful results; it is also called elastic stretching of signals. Let us understand the concept of DTW. DTW builds a matrix of distances between every pair of time points in the two time series, accumulates the cost of the shortest path through that matrix, and then traces back the minimum-cost trajectory, which generally stays close to the diagonal. The warping is this traced path, obtained by looping over the matrix to follow the minimum distance. To simplify, have a look at the figure below with a red time series and a blue time series. We will perform DTW over the red series so that it aligns with the blue one.
As a result of the warping, you can see below that both signals are aligned: the red time series has taken the shape of the blue one, and the blue time series has been extended in time to match the red one, just like an elastic stretch alignment.
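For illustration, here is a minimal DTW implementation in plain NumPy (in practice a library such as `dtw-python` or `fastdtw` would be used; the two short toy traces are assumed stand-ins for real power traces):

```python
import numpy as np

def dtw_path(a, b):
    """Classic O(n*m) DTW: fill the cumulative-cost matrix, then backtrack the path."""
    n, m = len(a), len(b)
    cost = np.full((n + 1, m + 1), np.inf)
    cost[0, 0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i, j] = d + min(cost[i - 1, j - 1], cost[i - 1, j], cost[i, j - 1])
    # Backtrack from the end along the cheapest predecessors.
    path, i, j = [], n, m
    while i > 0 or j > 0:
        path.append((i - 1, j - 1))
        _, i, j = min((cost[i - 1, j - 1], i - 1, j - 1),
                      (cost[i - 1, j], i - 1, j),
                      (cost[i, j - 1], i, j - 1))
    return path[::-1]

# Hypothetical toy traces: b is a one-sample-delayed copy of a.
a = np.array([0.0, 1.0, 2.0, 1.0, 0.0])
b = np.array([0.0, 0.0, 1.0, 2.0, 1.0, 0.0])
path = dtw_path(a, b)
ia, ib = zip(*path)
aligned_a, aligned_b = a[list(ia)], b[list(ib)]   # elastically stretched, equal length
```

Indexing each trace by its side of the warping path produces the "elastically stretched" copies: samples are repeated where one trace lags the other, which is exactly the alignment shown in the figures.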
To see what DTW-aligned power traces look like, have a look at the figure below. You can observe that the three time series in red, green, and blue are aligned in the time domain using DTW, so the peaks will match when performing power analysis.
In the next blog, we will see how the above methods are useful for determining the encryption key from the traces.
To summarize, successful side-channel attacks can be performed if the signal processing pipeline is well implemented in the pre-processing stage. The major steps are signal downsampling, signal filtering, peak detection, and signal alignment. The DTW technique adds computational cost in terms of memory and time, but the right amount of downsampling and filtering beforehand helps it run faster.
Steven W. Smith, Ph.D., [The Scientist and Engineer's Guide to Digital Signal Processing](https://www.analog.com/en/education/education-library/scientist_engineers_guide.html)
Payatu is a research-powered cybersecurity service and training organization specializing in IoT, embedded, mobile, cloud, and infrastructure security, and advanced security training. We offer a full IoT/IIoT ecosystem security assessment, including hardware, firmware, middleware, and application interfaces. If you are looking for security testing services, let's talk and share your requirements: https://payatu.com/#getstarted Payatu is at the front line of IoT security research, with a great team and in-house tools like expliot.io. In the last 8+ years, Payatu has performed security assessments of 100+ IoT/IIoT product ecosystems, and we understand the IoT ecosystem inside out. Get in touch with us by clicking the get started button below.