Electronics Guide

Side-Channel Attack Prevention

Side-channel attacks exploit unintended information leakage from the physical implementation of cryptographic systems rather than weaknesses in the algorithms themselves. Even mathematically perfect cryptographic algorithms can be completely compromised if their implementations leak information through timing variations, power consumption patterns, electromagnetic emissions, acoustic signatures, or other observable physical phenomena.

For embedded systems, side-channel vulnerabilities are particularly critical because attackers often have physical access to devices. Smart cards, payment terminals, automotive electronics, industrial controllers, and IoT devices all face threats from adversaries who can measure their physical behavior during cryptographic operations. Effective protection requires understanding both the attack vectors and the countermeasures that can be implemented at hardware and software levels.

Understanding Side-Channel Attacks

Side-channel attacks differ fundamentally from cryptanalytic attacks. While cryptanalysis attempts to break the mathematical properties of an algorithm, side-channel attacks target the physical realization of that algorithm. A timing attack does not care whether AES is mathematically secure; it exploits the fact that certain operations take longer depending on the secret key bits being processed.

These attacks succeed because real-world implementations must execute on physical hardware that consumes power, radiates electromagnetic energy, and requires time to complete operations. Each of these physical characteristics can vary depending on the data being processed, including secret keys. An attacker who can correlate these physical measurements with cryptographic operations can extract secret information without ever breaking the underlying mathematics.

The sophistication of side-channel attacks has increased dramatically since their introduction in the 1990s. What once required expensive laboratory equipment can now often be accomplished with consumer-grade oscilloscopes and software tools. This democratization of attack capabilities makes side-channel resistance essential for any embedded system handling sensitive data.

Timing Attacks

Timing attacks exploit variations in the execution time of cryptographic operations. When the time required to process data depends on the secret key, an attacker can deduce key bits by precisely measuring operation duration across multiple operations with different inputs.

Sources of Timing Variation

Timing variations arise from several sources in typical embedded implementations. Conditional branches that depend on secret data cause different code paths with different execution times. Early-exit optimizations that terminate loops when certain conditions are met leak information about when those conditions occur. Cache behavior creates timing differences when some memory accesses hit the cache while others miss. Even multiplication and division operations on some processors take variable time depending on operand values.

The modular exponentiation operation used in RSA provides a classic example. Square-and-multiply algorithms process exponent bits sequentially, performing a squaring operation for every bit but only performing multiplication when the bit is one. This creates a direct timing correlation between the secret exponent bits and the operation duration.

Timing Attack Countermeasures

Constant-time algorithms: The fundamental defense against timing attacks is ensuring that all operations take the same amount of time regardless of input values or secret data. This requires eliminating all data-dependent branches, ensuring uniform memory access patterns, and avoiding variable-time instructions.

Branchless programming: Replace conditional branches with arithmetic operations that compute the same result without branching. For example, instead of conditionally selecting between two values based on a secret bit, compute both results and use bitwise operations to select the correct one.

Uniform table lookups: When table lookups are required, access the entire table rather than only the needed entry. This prevents cache timing attacks from revealing which entry was accessed.

Time padding: Add random delays to obscure the actual operation time. Random padding is averaged away by an attacker who simply collects more samples, so it raises the cost of an attack rather than removing it. Use it only to harden code where constant-time operation is genuinely not feasible, never as a substitute for it.

Blinding: Transform input data with random values before processing, then remove the blinding after the operation completes. This prevents correlation between inputs and timing while still producing correct results.
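The following is an added example, not code from the original page: it puts the square-and-multiply leak described above next to a Montgomery ladder built from the branchless primitives just listed (a mask-based select, a constant-time swap, and a constant-time byte comparison). The leaky version multiplies only on one-bits, so its multiply count (and its run time, and the operation sequence a power trace would show) follows the exponent; the ladder does one squaring and one multiply per bit no matter what. The 64-bit modulus, base and exponents are constructed values; the 128-bit `mulmod` is a GCC/Clang convenience, not a constant-time multiplier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modular multiply for 64-bit moduli via a 128-bit intermediate (GCC/Clang).
 * NOTE: the hardware division here is itself variable-time on most CPUs; real
 * code uses Montgomery multiplication. This example is about control flow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((unsigned __int128)a * b) % n);
}

/* Leaky left-to-right square-and-multiply. The multiply happens only when the
 * exponent bit is 1, so both the run time and the sequence of operations
 * depend on the secret exponent. `mults` counts the data-dependent multiplies. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t n, unsigned *mults) {
    uint64_t r = 1 % n;
    *mults = 0;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, n);             /* always squares */
        if ((exp >> i) & 1) {            /* secret-dependent branch */
            r = mulmod(r, base, n);
            (*mults)++;
        }
    }
    return r;
}

/* All-ones if bit == 1, all-zeros if bit == 0: the basis of branchless code. */
static uint64_t ct_mask(uint64_t bit) { return (uint64_t)0 - (bit & 1); }

/* Return a when bit == 1, b when bit == 0, without branching on bit. */
uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t m = ct_mask(bit);
    return (a & m) | (b & ~m);
}

/* Swap *a and *b when bit == 1, again without a branch. */
static void ct_swap(uint64_t bit, uint64_t *a, uint64_t *b) {
    uint64_t t = (*a ^ *b) & ct_mask(bit);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: exactly one squaring and one multiplication per exponent
 * bit (64 of each for any exponent); the only key-dependent step is the
 * constant-time swap, and both intermediate values are always used. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t n, unsigned *mults) {
    uint64_t r0 = 1 % n, r1 = base % n;
    *mults = 0;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_swap(bit, &r0, &r1);          /* bit == 1: work on (r1, r0) */
        r1 = mulmod(r0, r1, n);
        r0 = mulmod(r0, r0, n);
        ct_swap(bit, &r0, &r1);          /* restore the register roles */
        (*mults)++;
    }
    return r0;
}

/* Constant-time equality over len bytes: no early exit on the first mismatch,
 * which is how MAC and tag comparisons leak. Returns 1 if equal, else 0. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= a[i] ^ b[i];
    return (int)(((uint32_t)acc - 1) >> 31);   /* 1 only when acc == 0 */
}

int main(void) {
    unsigned m1, m2;
    uint64_t n = 0xFFFFFFFFFFFFFFC5ull;                       /* constructed modulus */
    uint64_t e1 = 0x8000000000000001ull, e2 = 0xFFFFFFFFFFFFFFFFull;
    modexp_leaky(3, e1, n, &m1); modexp_leaky(3, e2, n, &m2);
    printf("leaky:  %u vs %u multiplies for two exponents\n", m1, m2);
    modexp_ladder(3, e1, n, &m1); modexp_ladder(3, e2, n, &m2);
    printf("ladder: %u vs %u multiplies\n", m1, m2);
    return 0;
}
```

Two checks a practitioner would add before trusting code like this: read the compiler's output for `ct_select` and `ct_swap` (optimizers sometimes turn a mask-select back into a conditional jump), and remember that constant control flow is necessary but not sufficient; a variable-time multiplier or divider underneath, as in `mulmod` here, reopens the channel.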

Power Analysis Attacks

Power analysis attacks exploit the relationship between a processor's power consumption and the data it processes. When transistors switch states, they draw current in amounts that depend on the data values being manipulated. By measuring this power consumption, attackers can deduce secret information processed during cryptographic operations.

Simple Power Analysis

Simple Power Analysis (SPA) directly interprets power traces to extract secrets. When examining the power consumption during RSA operations, for example, the square and multiply operations have distinctly different power signatures. An attacker can visually identify which operations occur and directly read the secret exponent bits from a single power trace.

SPA attacks are straightforward to execute when implementations lack protection, requiring only an oscilloscope connected to the power supply or through a small resistor in the ground path. The challenge for attackers is obtaining sufficient signal quality, but this is readily achievable with modern equipment.

Differential Power Analysis

Differential Power Analysis (DPA) uses statistical methods to extract secrets from many power traces, even when individual traces reveal little information. DPA correlates hypothetical power consumption models with actual measurements to identify which key hypotheses best explain the observed power patterns.

In a typical DPA attack against AES, the attacker captures power traces during many encryptions with known plaintexts. For each of the 256 possible values of one key byte, the attacker predicts the leakage of an intermediate value that depends only on that byte and the plaintext, typically the Hamming weight of the first-round S-box output S(p ⊕ k), at the point in the trace where that value is handled. The key hypothesis whose predictions correlate best with the measurements is the correct one; when the statistic is Pearson correlation the method is usually called Correlation Power Analysis (CPA). Because the key is recovered one byte at a time, the work is 16 × 256 hypotheses rather than 2^128.

DPA can extract keys even from implementations that resist SPA, making it a more powerful and general attack technique. However, it requires more traces and more sophisticated analysis.

Power Analysis Countermeasures

Masking: Split every sensitive intermediate value into d+1 random shares (for Boolean masking, v = v_0 ⊕ v_1 ⊕ ... ⊕ v_d) so that the actual secret is never directly processed. Each share is processed independently, and only their combination reveals the true value. Properly implemented masking with d+1 shares defeats DPA up to order d, because no set of d individual samples carries information about the secret; an attacker who combines d+1 samples can still attack, so the masking order has to match the threat model. The qualifier "properly" matters: masks must be fresh for every execution, and shares must never be recombined in a register or on a bus, where glitches and transitional leakage can reintroduce a first-order leak.

Hiding: Reduce the signal-to-noise ratio by adding random noise to power consumption or by using circuit techniques that consume constant power regardless of data values. Dual-rail logic, where every signal and its complement are processed together, theoretically consumes constant power.

Shuffling: Randomize the order of independent operations. When multiple S-box lookups or similar operations occur, processing them in random order prevents attackers from knowing which operation corresponds to which portion of the key.

Amplitude and temporal randomization: Randomly vary operation timing and current consumption to decorrelate measurements from secrets. Random delays, dummy operations, and variable-frequency clocking all contribute to this protection.

Hardware countermeasures: Design custom logic cells that consume data-independent power. Implement on-chip voltage regulation that masks power consumption from external observation. Use noise generators that inject random current consumption.

Electromagnetic Analysis Attacks

Electromagnetic (EM) analysis attacks capture the electromagnetic radiation emitted by circuits during operation. Like power analysis, EM attacks exploit data-dependent variations in circuit behavior, but they offer additional capabilities that make them particularly dangerous.

EM Attack Advantages

EM attacks can target specific chip areas by positioning probes directly over regions of interest. This spatial selectivity allows attackers to isolate signals from cryptographic engines while filtering out noise from unrelated circuit activity. Power analysis measures aggregate chip consumption, but EM analysis can focus on individual components.

EM attacks can sometimes bypass power-side countermeasures. On-chip voltage regulation that masks external power consumption may not prevent local EM emissions. Shielding and filtering effective against power analysis may leave EM paths unprotected.

Attacks can be conducted without electrical contact. While power analysis requires connection to the power supply, EM probes need only proximity to the target. This enables attacks on devices with protected or inaccessible power connections.

EM Attack Countermeasures

Shielding: Enclose sensitive components in conductive shielding that attenuates EM emissions. Effective shielding requires careful attention to apertures, seams, and cable penetrations that could leak emissions.

On-chip countermeasures: Implement noise generators and randomization circuits that obscure EM signatures. Design balanced circuits that minimize differential emissions.

Active cancellation: Generate intentional EM emissions designed to mask or cancel signals from cryptographic operations. This technique requires careful calibration but can effectively obscure useful signals.

Layout techniques: Position sensitive circuits to minimize emissions and maximize coupling with noise sources. Interleave cryptographic logic with other circuits to complicate spatial isolation.

Cache Timing Attacks

Cache timing attacks exploit the performance difference between cache hits and cache misses to deduce information about memory access patterns. When cryptographic operations access memory at locations determined by secret data, cache behavior can reveal those secrets.

Attack Mechanisms

In prime and probe attacks, the attacker fills cache sets with their own data, allows the victim to execute, then measures access time to their data. Slow access indicates the victim evicted attacker data, revealing which cache sets the victim accessed.

Flush and reload attacks operate on shared memory. The attacker flushes a shared memory region from cache, waits for the victim to execute, then times access to that region. Fast access indicates the victim loaded the data, revealing that the victim accessed that memory location.

These attacks are particularly effective against table-driven cryptographic implementations. AES lookup tables indexed by secret-dependent values leak information about those secrets through cache access patterns.

Cache Attack Countermeasures

Constant-memory-access patterns: Access all possible memory locations regardless of actual need. For table lookups, read the entire table and use masking to select the desired entry without revealing which entry is needed.

Bit-sliced implementations: Implement algorithms using bitwise operations rather than table lookups. Bit-sliced AES, for example, processes multiple blocks in parallel using only logical operations, eliminating table access entirely.

Cache partitioning: Isolate cryptographic operations in dedicated cache partitions that other processes cannot probe. Hardware cache partitioning or software-based isolation can provide this protection.

Disable cache for sensitive operations: Execute cryptographic code from non-cached memory. This eliminates cache-based side channels but significantly impacts performance.

Hardware AES instructions: Use processor instructions specifically designed for AES that operate entirely in registers without table access. Modern processors with AES-NI or equivalent instructions provide both performance and side-channel resistance.
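An added example (not from the original page) of the first countermeasure above, and of the "uniform table lookups" item in the timing section: a plain lookup next to one that reads every entry and keeps the wanted one with a branchless mask, for byte tables (S-box sized) and for 32-bit tables (T-table sized). The tables in `main` are constructed; nothing here is tied to a particular cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky: a single load whose address is chosen by idx. On a cached processor
 * a Prime+Probe or Flush+Reload observer learns which line was touched. */
uint8_t lookup_leaky(const uint8_t *table, size_t n, size_t idx) {
    (void)n;
    return table[idx];
}

/* 0xFF when a == b, 0x00 otherwise, computed without a branch. */
static uint8_t ct_eq_mask(size_t a, size_t b) {
    size_t d = a ^ b;                                         /* zero iff a == b */
    size_t top = ((d - 1) & ~d) >> (sizeof(size_t) * 8 - 1);  /* 1 iff d == 0 */
    return (uint8_t)(0 - (uint8_t)top);
}

/* Constant-time: read every entry in the same order every time and keep the one
 * at idx by masking. The memory access pattern, and therefore the cache state,
 * is independent of idx. Cost is n loads per lookup, which is why bit-sliced
 * or hardware AES is preferred when this sits in the inner loop. */
uint8_t lookup_ct(const uint8_t *table, size_t n, size_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++)
        result |= table[i] & ct_eq_mask(i, idx);
    return result;
}

/* Same idea for 32-bit entries (AES T-tables are 256 x 32-bit). */
uint32_t lookup_ct_u32(const uint32_t *table, size_t n, size_t idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ct_eq_mask(i, idx);
        m |= m << 8; m |= m << 16;                            /* widen 0xFF to 0xFFFFFFFF */
        result |= table[i] & m;
    }
    return result;
}

int main(void) {
    static const uint8_t t8[8] = {10, 20, 30, 40, 50, 60, 70, 80};  /* constructed */
    static const uint32_t t32[4] = {0xDEADBEEFu, 0x01020304u, 0, 0xFFFFFFFFu};
    for (size_t i = 0; i < 8; i++)
        printf("t8[%zu] = %u (leaky %u)\n", i, lookup_ct(t8, 8, i), lookup_leaky(t8, 8, i));
    printf("t32[1] = 0x%08X\n", lookup_ct_u32(t32, 4, 1));
    return 0;
}
```

As with any mask-based code, check the generated assembly: the `result |= table[i] & mask` form is chosen precisely because it gives the optimizer nothing to turn back into a data-dependent branch or a single indexed load.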

Fault Injection Attacks

Fault injection attacks deliberately cause computational errors to extract secrets or bypass security checks. By disrupting normal operation at precisely controlled moments, attackers can cause cryptographic algorithms to produce incorrect results that reveal key information.

Fault Injection Methods

Voltage glitching: Briefly disrupt the power supply voltage to cause timing violations or computational errors. Voltage glitches can be precisely timed to affect specific operations while leaving others undisturbed.

Clock glitching: Inject extra clock edges or briefly raise the clock frequency so that the setup time of the logic between registers is violated. Flip-flops then sample combinational logic before it has settled, so registers capture partial or incorrect results; skipped or corrupted instructions are a common outcome.

Electromagnetic fault injection: Apply localized electromagnetic pulses to induce currents in specific chip regions. EM fault injection can target particular circuits with high spatial precision.

Laser fault injection: Use focused laser beams to flip individual bits in memory or registers. Laser attacks provide extremely precise spatial and temporal control over induced faults.

Temperature manipulation: Operate devices outside specified temperature ranges to cause timing failures or memory errors. While less precise than other methods, temperature attacks require minimal equipment.

Differential Fault Analysis

Differential Fault Analysis (DFA) extracts keys by comparing correct and faulty cryptographic outputs. For block ciphers, a fault introduced in a late round produces a faulty ciphertext that, when compared with the correct ciphertext, reveals information about the round keys.

The classic AES result: a single byte fault injected before the ninth-round MixColumns spreads to four ciphertext bytes and narrows the corresponding four bytes of the last round key to roughly 2^8 candidates; two such faults typically pin them down exactly, and a fault one round earlier spreads to all sixteen bytes, so a handful of faulty ciphertexts recovers the whole key with the remaining candidates confirmed by exhaustive search. DFA is remarkably efficient compared with power analysis, which needs hundreds or thousands of traces.

Fault Injection Countermeasures

Redundant computation: Perform critical operations multiple times and compare results. Faults affecting one computation are unlikely to identically affect redundant copies. Operations proceed only when all copies agree.

Error detection codes: Protect intermediate values with checksums or error-detecting codes. Verify these codes before using values or producing outputs. This detects both natural errors and injected faults.

Temporal redundancy: Execute operations at different times and compare results. Time separation makes it difficult for single glitches to affect all computations identically.

Infection countermeasures: Propagate faults to affect all output bits rather than just a few. When faults cause complete output randomization rather than localized changes, DFA becomes ineffective.

Sensors and detectors: Monitor for attack signatures such as voltage deviations, clock anomalies, light exposure, or temperature extremes. Trigger countermeasures when attacks are detected.

Secure failure modes: When faults or attacks are detected, fail securely by erasing keys, locking the device, or entering a safe state. Never output potentially compromised results.
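An added example, not code from the original page, that ties the DFA section to the countermeasures above using RSA-CRT rather than AES because the fault attack there (the Bellcore attack) fits in a few lines: one faulty CRT signature factors the modulus. The countermeasure is the "verify before release, fail securely" pattern: the signer re-checks the signature with the public exponent and emits nothing on mismatch. The RSA parameters are the textbook toy key (p = 61, q = 53, e = 17), far too small for real use; the fault is simulated by flipping one bit of the mod-p half of the computation.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters (constructed for illustration only). */
#define P 61u
#define Q 53u
#define N (P * Q)             /* 3233 */
#define E 17u
#define D 2753u               /* e*d = 1 mod lcm(p-1, q-1) */
#define DP (D % (P - 1))      /* 53 */
#define DQ (D % (Q - 1))      /* 49 */
#define QINV 38u              /* Q^-1 mod P */

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1; b %= m;
    while (e) { if (e & 1) r = r * b % m; b = b * b % m; e >>= 1; }
    return r;
}
static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* RSA-CRT signing (Garner recombination). `fault_sp` simulates a glitch during
 * the mod-p exponentiation: one bit of s_p is flipped before recombination. */
uint64_t sign_crt(uint64_t m, int fault_sp) {
    uint64_t sp = powmod(m, DP, P);
    uint64_t sq = powmod(m, DQ, Q);
    if (fault_sp) sp ^= 1;                                  /* injected fault */
    uint64_t h = (QINV * ((sp + P - sq % P) % P)) % P;
    return sq + h * Q;
}

/* Bellcore attack: a faulty signature s' is still correct mod q, so q divides
 * s'^e - m, while p does not. gcd(s'^e - m, n) therefore yields a factor of n. */
uint64_t bellcore_factor(uint64_t m, uint64_t s_faulty) {
    uint64_t v = (powmod(s_faulty, E, N) + N - m % N) % N;
    return gcd(v, N);
}

/* Countermeasure: verify with the public exponent before releasing anything.
 * On mismatch the output is zeroed and an error is returned; the faulty value
 * never leaves the function. */
int sign_checked(uint64_t m, int fault_sp, uint64_t *out) {
    uint64_t s = sign_crt(m, fault_sp);
    if (powmod(s, E, N) != m % N) { *out = 0; return -1; }  /* fail secure */
    *out = s;
    return 0;
}

int main(void) {
    uint64_t m = 65, s;
    printf("good signature: %llu\n", (unsigned long long)sign_crt(m, 0));
    printf("factor from one faulty signature: %llu\n",
           (unsigned long long)bellcore_factor(m, sign_crt(m, 1)));
    printf("checked signer under fault: rc=%d out=%llu\n",
           sign_checked(m, 1, &s), (unsigned long long)s);
    return 0;
}
```

The check costs one public-exponent exponentiation, which is cheap for small e. Note the caveat the "Sensors and detectors" and redundancy items imply: the comparison itself is a single branch, and a second glitch timed to skip it defeats the countermeasure, so hardened signers double the check, use infective recombination, or both.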

Acoustic and Thermal Attacks

Beyond the primary attack vectors, additional side channels exist through acoustic emissions and thermal signatures:

Acoustic cryptanalysis: Electronic components emit sounds during operation due to mechanical vibration of capacitors and inductors. High-frequency acoustic analysis has successfully extracted RSA keys from laptop computers by recording sounds during decryption. Countermeasures include acoustic insulation and background noise generation.

Thermal imaging: Infrared cameras can observe heat patterns that correlate with processing activity. While lower bandwidth than power or EM analysis, thermal channels can reveal coarse information about cryptographic operations. Thermal management and uniform power consumption provide protection.

Hybrid attacks: Combining multiple side channels often proves more effective than any single channel. An attacker might use coarse EM analysis to identify when cryptographic operations occur, then apply precision power analysis during those intervals. Comprehensive protection must address all relevant channels.

Implementation Strategies

Effective side-channel protection requires a systematic approach combining multiple techniques:

Defense in Depth

Layer multiple independent countermeasures so that failure of any single mechanism does not compromise security. Combine constant-time algorithms with masking, add redundant computation with sensor monitoring, and implement both hardware and software protections.

Each layer should protect against different attack variants. Masking addresses DPA but not SPA; constant-time code prevents timing attacks but not power analysis. Comprehensive protection requires addressing all relevant attack categories.

Security Evaluation

Perform side-channel evaluation throughout development, not just at the end. Test Vector Leakage Assessment (TVLA) provides a statistical screen for leakage without requiring a full attack: traces collected with a fixed input are compared against traces collected with random inputs using Welch's t-test, sample by sample, and |t| above 4.5 at any sample is taken as evidence that the implementation leaks. A pass does not prove security (TVLA says nothing about how exploitable a leak is, and a first-order test misses higher-order leakage), but a fail is decisive. Regular evaluation catches vulnerabilities before they reach production.
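An added example, not from the original page, that serves both the masking entry in the power-analysis countermeasures and the TVLA paragraph above. Two simulated S-box implementations are run through a fixed-vs-random t-test: the unprotected one computes S[x ⊕ k] in the clear, the masked one uses a first-order Boolean mask with a freshly re-masked table (T[j] = S[j ⊕ m_in] ⊕ m_out) so the plain S-box output never exists in the device. The 4-bit PRESENT S-box is used to keep the table small; the key, fixed input, trace count and noise model are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define N_PER_GROUP 2000
#define KEY 0x9          /* secret 4-bit key (constructed) */
#define FIXED_PT 0xC     /* fixed input: SBOX4[0xC ^ 0x9] = SBOX4[5] = 0, Hamming weight 0 */

/* PRESENT 4-bit S-box. */
static const uint8_t SBOX4[16] = {0xC,5,6,0xB,9,0,0xA,0xD,3,0xE,0xF,8,4,7,1,2};

static uint32_t rng_state = 0xC0FFEE01u;            /* xorshift32, reproducible */
static uint32_t rng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static int hw(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }
static int noise(void) { return (int)(rng() % 5) - 2; }   /* measurement noise in [-2, 2] */

/* Unprotected: the device forms S[x ^ k] in the clear, and the sample taken at
 * that moment leaks its Hamming weight. */
int leak_unmasked(uint8_t x) {
    return hw(SBOX4[(x ^ KEY) & 0xF]) + noise();
}

/* First-order Boolean masking with a re-masked table: T[j] = S[j ^ m_in] ^ m_out,
 * so looking up the masked input (x ^ k ^ m_in) yields S[x ^ k] ^ m_out. The
 * plain value is never formed; m_out is handed back as the second share. */
uint8_t masked_sbox(uint8_t x, uint8_t *m_out) {
    uint8_t m_in = rng() & 0xF;
    *m_out = rng() & 0xF;
    uint8_t T[16];
    for (int j = 0; j < 16; j++) T[j] = SBOX4[j ^ m_in] ^ *m_out;   /* fresh per call */
    uint8_t x_masked = (x ^ m_in) & 0xF;          /* mask the input before key addition */
    return T[(x_masked ^ KEY) & 0xF];             /* share 1 of the S-box output */
}
int leak_masked(uint8_t x) {
    uint8_t m_out;
    return hw(masked_sbox(x, &m_out)) + noise();  /* sample the masked output */
}

static double my_sqrt(double v) {                 /* Newton's method; avoids libm */
    double r = v > 1 ? v : 1;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + v / r);
    return r;
}

/* Welch's t-statistic for two independent sample sets. */
double welch_t(const double *a, int na, const double *b, int nb) {
    double ma = 0, mb = 0, va = 0, vb = 0;
    for (int i = 0; i < na; i++) ma += a[i];
    for (int i = 0; i < nb; i++) mb += b[i];
    ma /= na; mb /= nb;
    for (int i = 0; i < na; i++) va += (a[i] - ma) * (a[i] - ma);
    for (int i = 0; i < nb; i++) vb += (b[i] - mb) * (b[i] - mb);
    va /= (na - 1); vb /= (nb - 1);
    return (ma - mb) / my_sqrt(va / na + vb / nb);
}

/* Fixed-vs-random TVLA on one implementation. Fixed and random acquisitions
 * are interleaved, as they should be on real hardware, so drift affects both
 * groups equally. |t| > 4.5 is the conventional "this sample leaks" threshold. */
double tvla(int (*leak)(uint8_t)) {
    static double fixed[N_PER_GROUP], rnd[N_PER_GROUP];
    for (int i = 0; i < N_PER_GROUP; i++) {
        fixed[i] = leak(FIXED_PT);
        rnd[i] = leak(rng() & 0xF);
    }
    return welch_t(fixed, N_PER_GROUP, rnd, N_PER_GROUP);
}

int main(void) {
    printf("unmasked S-box: t = %.1f\n", tvla(leak_unmasked));
    printf("masked S-box:   t = %.1f\n", tvla(leak_masked));
    return 0;
}
```

The unmasked run fails by a wide margin (the fixed group has Hamming weight 0 every time, the random group averages 2), while the masked output is uniformly distributed whatever the input, so its t-statistic stays within noise. The same harness applied to the sum or product of two samples (a second-order test) would find the masked implementation again, which is the point of the masking-order caveat: this test only certifies the order it was run at.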

Professional security laboratories offer formal evaluation against standards such as Common Criteria or EMVCo. Certification may be required for payment systems, government applications, or other high-security deployments.

Algorithm Selection

Choose algorithms designed for efficient side-channel-resistant implementation. Some algorithms naturally resist certain attacks or admit efficient countermeasures. Consider side-channel properties alongside cryptographic strength and performance requirements.

Post-quantum algorithms, both those NIST has now standardized (ML-KEM, ML-DSA and SLH-DSA) and those still under evaluation, vary significantly in their side-channel characteristics, and masked implementations of the lattice schemes carry noticeably more overhead than masked AES. Evaluate these properties when selecting algorithms for long-term deployment.

Hardware-Software Co-design

Coordinate hardware and software countermeasures for maximum effectiveness. Hardware features such as random number generators, masking support, and redundancy checking enable efficient software countermeasures. Software that fails to utilize hardware protections wastes both security and performance.

Modern secure microcontrollers provide side-channel countermeasures including hardware masking, dual-rail logic, and protected cryptographic accelerators. Leveraging these features is far more effective than implementing software-only protections.

Practical Considerations

Side-channel protection involves engineering tradeoffs that must be carefully balanced:

Performance impact: Countermeasures typically reduce performance significantly. Constant-time code runs slower than optimized implementations. Masking requires processing multiple shares. Redundant computation multiplies execution time. Budget for these overheads in system design.

Code size and complexity: Protected implementations are larger and more complex than vulnerable ones. This increases verification burden and bug potential. Simpler countermeasures that can be thoroughly verified may outperform complex schemes with subtle flaws.

Attack model definition: Define the expected attacker capabilities and design countermeasures accordingly. Consumer devices may face different threats than smart cards in hostile terminals. Over-engineering wastes resources; under-engineering invites attack.

Countermeasure validation: Incorrect countermeasure implementation can provide false confidence while leaving vulnerabilities. Masked implementations with flawed share handling may leak more than unmasked code. Rigorous validation is essential.

Conclusion

Side-channel attacks represent a fundamental threat to embedded system security that cannot be addressed through algorithm selection alone. Physical implementations necessarily interact with the real world through power consumption, electromagnetic radiation, timing, and other observable phenomena. When these observables correlate with secret data, determined attackers can extract that data regardless of cryptographic algorithm strength.

Effective protection requires understanding both attacks and countermeasures across multiple side-channel categories. Timing attacks demand constant-time implementation. Power analysis requires masking or hiding. Electromagnetic attacks need shielding and noise. Fault injection calls for redundancy and detection. Comprehensive security addresses all relevant channels with layered countermeasures appropriate to the threat environment.

As attack techniques continue to evolve and become more accessible, side-channel resistance is no longer optional for embedded systems handling sensitive data. Engineers must incorporate side-channel considerations from initial design through production testing, treating physical security as equally important as algorithmic security in creating systems worthy of user trust.