Preprint · August 2019


All content following this page was uploaded by Shreyas Sen on 03 December 2020.


SCNIFFER: Low-Cost, Automated, Efficient Electromagnetic Side-Channel Sniffing
Josef Danial, Student Member, IEEE, Debayan Das, Student Member, IEEE, Santosh Ghosh, Member, IEEE,
Arijit Raychowdhury, Senior Member, IEEE and Shreyas Sen, Senior Member, IEEE

arXiv:1908.09407v3 [cs.CR] 29 Feb 2020

Abstract—Electromagnetic (EM) side-channel analysis (SCA) is a prominent tool to break mathematically-secure cryptographic engines, especially on resource-constrained IoT devices. Presently, to perform EM SCA on an embedded IoT device, the entire chip is manually scanned and the MTD (Minimum Traces to Disclosure) analysis is performed at each point on the chip to reveal the secret key of the encryption algorithm. However, an automated end-to-end framework for EM leakage localization, trace acquisition, and attack has been missing. This work proposes SCNIFFER: a low-cost, automated EM Side Channel leakage SNIFFing platform to perform efficient end-to-end Side-Channel attacks. Using a leakage measure such as TVLA, or SNR, we propose a greedy gradient-search heuristic that converges to one of the points of highest EM leakage on the chip (dimension: N × N) within O(N) iterations, and then perform Correlational EM Analysis (CEMA) at that point. This reduces the CEMA attack time by ∼N times compared to an exhaustive MTD analysis, and > 20× compared to choosing an attack location at random. We demonstrate SCNIFFER using a low-cost custom-built 3-D scanner with an H-field probe (< $500) compared to > $50,000 commercial EM scanners, and a variety of microcontrollers as the devices under attack. The SCNIFFER framework is evaluated for several cryptographic algorithms (AES-128, DES, RSA) running on both an 8-bit Atmega microcontroller and a 32-bit ARM microcontroller to find a point of high leakage and then perform a CEMA at that point.

Index Terms—End-to-end EM SCA Attack, Low-Cost EM Scanning, Automated Framework, SCNIFFER

[Figure 1: "Comparison of MTD for Different Chip Locations"; four plots of peak correlation vs. number of traces: (a) XMEGA high leakage location, MTD = 250; (b) XMEGA low leakage location, MTD = 5,000; (c) STM32 high leakage location, MTD = 250; (d) STM32 low leakage location, MTD > 10,000.]

Fig. 1: The difference in MTD between a CEMA attack at a point of high leakage vs. at a point of low leakage for both an 8-bit XMEGA microcontroller (a, b) and a 32-bit STM32F3 microcontroller (c, d). At a location of high leakage, the correct key separates in 250 traces for both microcontrollers, while a low leakage location requires > 20× more traces on the XMEGA. At a low leakage location on the STM32F3, the key does not separate at all within 10,000 traces.

I. INTRODUCTION

As the internet of things (IoT) continues to grow, security of many edge nodes has become critical. With many of these edge nodes being simple microcontrollers, side-channel attacks pose a powerful threat to their security. In the world of cryptography, side-channel attacks have long been identified as a threat to the security of computing and communication systems attempting to provide confidentiality and integrity of sensitive data, since the introduction of Differential Power Analysis in [1]. By analyzing physical side-channel information, such as power consumption, timing, or electromagnetic emissions, cryptographic algorithms that are mathematically secure can be broken efficiently.

EM side-channel analysis (SCA) is a method of using the information found in the electromagnetic emissions of a cryptographic system to extract the secret key, compromising the security of such a system. Such attacks have been shown to be capable of actually extracting secret key information, as in [2] and [3]. These EM emissions originate from current consumption of an IC running cryptographic algorithms, which while flowing through the metal layers of an IC cause EM radiation as described in [4]. The EM emissions can be caused either by key-dependent operations or by other operations: the key-dependent operations create key-dependent EM emissions, which contribute to the side-channel signal, while other operations contribute to algorithmic noise. EM SCA attacks have successfully been used in the real world on PCs, shown in [5] and [6], and also on Smart Cards, in [7] [8]. One powerful and commonly used side-channel analysis technique is correlational electromagnetic analysis (CEMA). In CEMA, EM measurements are taken while a cryptographic algorithm is executing on the target system (each measurement is known as a trace), and these traces are correlated with a leakage model, such as the Hamming Weight or Hamming Distance of data at a particular point in an algorithm [1], under a hypothesis of a subset of the secret key. In a successful attack, the hypothesis that results in maximum correlation corresponds to the secret key. By attacking the hidden key incrementally, for example one byte at a time for AES-128, the entire secret key can be recovered, in orders of magnitude
less time than brute force or other cryptanalysis methods.

A. Motivation

EM side-channel attacks, while powerful in that they are non-invasive and do not require any physical changes to the system being attacked, and benefit from allowing an attacker to choose the location with maximum information leakage (SNR), introduce a number of additional challenges compared to the power SCA attacks. Firstly, the EM signals go through a power-to-EM transformation that reduces amplitude compared to the measurement noise floor, meaning more traces or more expensive measurement equipment may be needed to perform an attack. Secondly, unlike power attacks, EM attacks require attackers to choose the location of the attack in the system to capture the EM traces. This choice can have a drastic impact on the effectiveness and efficiency of an attack. As seen in Figure 1, depending on where the EM probe is placed on a chip, the MTD for a CEMA attack can vary by > 20×, even for the small 9mm x 9mm Atmega and STM microcontrollers used as the target devices for this work. Current methods for determining the best location to perform CEMA are based on exhaustive search, simply performing a CEMA attack at most locations. Alternatively, it is also possible to choose an arbitrary location, and use as many traces as necessary to perform the CEMA. Practically, if the size of the system is larger, finding the correct location of the EM leakage becomes extremely challenging and requires scanning the entire chip/system.

Given the limitations of present attack systems, in this work, we propose a low-cost, fully automated, end-to-end platform for performing efficient EM side-channel attacks. The core of this framework is a ∼$200 3-D printer, which we have modified to utilize as a low-cost EM scanner. SCNIFFER also uses a greedy gradient-search heuristic using a leakage measure, such as test vector leakage assessment (TVLA), or SNR to quickly and automatically locate a point of high leakage. Finally, once the point is determined, the proposed SCNIFFER framework performs the correlational or differential EM analysis (CEMA/DEMA) at this point. While both CEMA and DEMA are possible attacks, throughout this work, we will demonstrate results with CEMA. Such an automated low-cost attack platform significantly increases the threat surface for IoT devices.

B. Contribution

Specific contributions of this article are:
• Firstly, a fully-automated system for efficiently scanning a cryptographic chip and finding a location of high leakage to mount an end-to-end EM SCA attack is proposed. The entire attack set-up is extremely low-cost, owing to the custom-built EM scanner (adapting a ∼$200 3-D printer) used for mounting the attack, compared to the commercially available EM probe stations, which are very costly (> $50,000). The system achieves 100µm spatial resolution, has a scan range of 220mm × 220mm, and is easily replicable. (Section 3)
• Secondly, a greedy gradient-descent heuristic is proposed which converges to a point of high leakage on an N × N chip within O(N) iterations. This algorithm is evaluated with both TVLA and SNR as the measures of leakage. (Sections 4, 5)
• Finally, the SCNIFFER attack is demonstrated on two different microcontroller architectures (8-bit XMEGA and 32-bit STM32F3), improving the number of traces required by ∼100× compared to the traditional exhaustive search based attack. (Sections 5, 6)

C. Paper Organization

The remainder of the paper is organized as follows. Section 2 provides the background and summarizes the existing works on EM Scanning and side-channel attacks. In Section 3, the SCNIFFER framework is introduced and the low cost, custom-built EM scanning platform is presented. Section 4 describes two options for measuring leakage, signal amplitude and TVLA, and provides motivation for finding the point of highest leakage. In Section 5, the gradient-descent algorithm for efficiently determining a point of high information leakage is proposed. Next, Section 6 provides results of running the system on microcontrollers of varying architectures, cryptographic algorithms executed, and measures of leakage. Finally, Section 7 concludes the paper.

II. BACKGROUND AND RELATED WORK

IoT devices have been successfully attacked using side channel attacks, for example CPA was used to extract encryption keys from Philips Hue smart lamps in [9]. EM side-channel attacks were first proposed in [10], and share many properties with power side-channel attacks; however, they can be performed at a distance, even up to one meter, as in [11]. One of the most powerful EM SCA attacks is CEMA, which is the straightforward application of Correlation Power analysis (CPA) [12] on EM traces.

However, to make these profiled and non-profiled EM SCA attacks more practical and real-time on any embedded platform/device, the trace capture and the attack need to be automated and more efficient.

SCNIFFER can use several methods of assessing leakage, for instance, simple signal magnitude, Test Vector Leakage Assessment (TVLA) [13], or SNR [14]. In TVLA, two sets of traces are collected. In one set, both the key and plaintext used as input to the algorithm under test are kept fixed, and in the other the plaintext is varied randomly, while the key remains fixed. To assess the leakage, one then performs Welch's t-test for each time point of the trace. Welch's t-test is given by \( t = \frac{\bar{X}_1 - \bar{X}_2}{\sqrt{\frac{s_1^2}{N_1} + \frac{s_2^2}{N_2}}} \), where \( \bar{X}_1, \bar{X}_2 \) are the sample means of the two sets, \( s_1, s_2 \) are sample standard deviations for the sets, and \( N_1, N_2 \) are the sizes of the sets. If the maximum t-value at a point is above 4.5, one can conclude leakage is present with 99.999% confidence. Meanwhile, we consider the signal to noise ratio as defined in [14], to be \( \mathrm{SNR} = \frac{\mathrm{VAR}[Q]}{\mathrm{VAR}[N]} \), where Q is the side channel leakage, and N is the noise. Unlike TVLA, which does not guarantee exploitable leakage, SNR
defined in this way can be directly related to the success rate of a CEMA attack [14].

Once SCNIFFER has chosen a point to attack, CEMA is used to recover the secret key. CEMA revolves around making hypotheses on secret values, then predicting the EM leakage of an intermediate variable based on the key. Measurements (traces) are taken while the device performs encryption, then the measurements are correlated with the predicted leakage for all hypotheses. The hypothesis that results in the largest correlation is taken as the guess for the secret value. The number of traces needed to recover the key in this way is then the minimum traces to disclosure (MTD). In this work, the secret values are the bytes of the AES key, and the intermediate variable is the first round sbox output, and Hamming Weight, that is, the number of 1's in the binary representation of this variable, is used as the leakage model of data at this point.

Addressing the issue of finding where a chip leaks the most EM radiation has been investigated in [15], and [16]. EM scanning with a focus on side-channel attacks, that is, determining where the most cryptographic information leaks within a chip has been addressed in [17] and [18]. However, such methods focus on observing the leakage over the entire chip, not efficiently finding the point or region of the maximum leakage. This causes these methods to take a long time and a majority of the time is spent collecting data that is unnecessary for an attacker. By creating a framework that minimizes this unnecessary data collection, EM side-channel attacks can be made more efficient, powerful, and practical, requiring far fewer traces to reveal the secret key of the cryptographic algorithm. Additionally, these platforms can be orders of magnitude more costly than the system proposed in this work, for instance the Riscure EM Probe station [19] itself can cost ∼$50,000, while the entire SCNIFFER system costs < $500. SCNIFFER is the first fully-automated, efficient EM SCA attack framework and the system is described in the following section.

III. SCNIFFER: LOW COST AUTOMATED EM SCANNING

The SCNIFFER system is designed for low cost and automation. In this section, we first describe the physical components that make up SCNIFFER, then discuss the automation aspect of the system.

TABLE I: Summary of the main components of the SCNIFFER system, their costs, performance, and a comparison to Riscure's EM Probe Station.

                                          Scope                  Scanner   Amplifier      Probe
Cost                                      $250                   $200      $130           $50
SCNIFFER Specifications                   10-bit ADC, 105 MS/s   100 µm    20dB           16mm²
Model                                     Chipwhisperer-Lite     Ender 3   Tekbox TWBA2   Tekbox TBPS01
Riscure EM Probe Station Specifications   -                      2.5 µm    -              1mm²

[Figure 2: photographs of the set-up. (a) "SCNIFFER Platform", labelled: H Field Probe, 3D Scanner, Amplifier, Microcontroller under attack. (b) labelled: Microcontroller under attack, H Field Probe, Chipwhisperer Capture Board.]

Fig. 2: (a) The complete EM Scanning and trace capture set-up system, including the 3-D printer, Chipwhisperer system, EM probe, amplifier, and victim. (b) Close-up of scanner, showing probe and victim board.

A. Low Cost EM Scanning Setup

The scanning hardware consists of an Ender-3 3-D printer [20] with a 10mm loop diameter H-field probe attached to the extruder, the Chipwhisperer [21] platform for interfacing with the victim (the CW309T-XMEGA mounted on the 308 UFO Target board) and trace collection, an amplifier to amplify the EM probe output, and finally a PC to control both the 3-D printer and the Chipwhisperer Lite capture board.

While such EM scanning systems do exist, for instance, Riscure's EM Scanning Station, we chose to create such a system from scratch for the following reasons: 1) commercial scanning systems (like Riscure's scanning station [19]) are orders of magnitude more expensive and 2) it is very straightforward to interface with the custom system to develop the scanning algorithm. As seen in Table I, the cost of a commercial scanner is orders of magnitude higher than SCNIFFER, and while it is hard to know if this price has been inflated by the selling
company, it is reasonable for prices to be higher, as there are not many EM scanners on the market.

[Figure 3: (a) "AES128: SNR Heatmap", SNR (dB) over X and Y; (b) "Grid Overlay", with corners labelled 0, 0; 30, 0; 0, 30; 30, 30.]

Fig. 3: (a) Heatmap of the SNR values obtained by performing a full 30 × 30 scan of the 8-bit target microcontroller. (b) This shows the grid divisions where leakage measurements were performed. 1000 traces were used to compute the SNR values at each point. The part of the target microcontroller board which leaks the most information can be observed.

[Figure 4: (a) "3-D AES TVLA Surface Plot", t-value over X and Y; (b) "Distribution of t-values at a Point of High Leakage", number of occurrences vs. t-value.]

Fig. 4: (a) TVLA Surface plot. Again, the surface is not smooth or monotonic, as there are many local minima and maxima, as in Figure 5(a). (b) Histogram of TVLA measurements at a single point. 50 TVLA measurements were made at a point of high leakage, each done as in (a), using 400 traces each. Given the much wider distribution seen in (b), the increased roughness of the surface in (a) can be explained.

To manipulate the probe, an Ender-3 3-D printer running stock firmware was used. This model of printer has a minimum step size of 0.1mm, and can be controlled via a USB serial connection. It has a maximum movement speed of 180 mm/s, with a print area of 220mm×220mm×250mm. The precision and speed offered by this 3-D printer are sufficient to complete a 50 × 50 scan of the 9mm × 9mm IC used in testing in an acceptable time. Additional justification for the choice of printer, beyond the cost, includes the ease of interfacing, the form factor, maintainability, and software support. The open source firmware used by this printer is well documented, and can be controlled through an exposed serial port, making interfacing very easy. The printer also has an open form factor that allows the probe and victim board to be mounted easily. While the durability and hardware support would not be as good as a commercial EM scanner, the simple construction and use of off-the-shelf components make maintenance straightforward. The software support is quite strong, being open source, and the printer is plug-and-play compatible with any device with a serial port. The system is capable of performing a 30×30 scan of the chip in ∼15 minutes, and performing an amplitude scan in ∼75 minutes. The probe used is a commercial H-field probe for performing EMC measurements, and the signal is amplified before being passed to the Chipwhisperer capture board. While the probe used does not have extremely high spatial resolution, the probe resolution matches the scan resolution, allowing heatmaps such as the one in Figure 3(a) to be created, and Chipwhisperer is able to capture enough information leakage for the target devices considered, leading to low MTDs when probed at appropriate locations, as seen in Figure 1, while still being low cost. Even though this probe is on the larger side, the SCNIFFER platform is compatible with more sensitive probes and is expected to become more precise with such probes. The complete system is shown in Figure 2(a) showing the 3-D printer, the probe, Chipwhisperer system, and PC.
The probe and victim IC are shown in detail in Figure 2(b). The probe position can be controlled manually, through the 3-D printer controls, or programmatically through the serial connection to a PC, as it is in the SCNIFFER system.

The major cost savings in the SCNIFFER system come from using a low cost 3-D printer to control the probe, instead of a high cost motorized table. The total cost of the 3-D printer, probe and amplifier used in SCNIFFER is ∼$500, which is a few orders of magnitude less expensive than many motorized tables by themselves, and nearly two orders of magnitude less expensive than systems such as Riscure's EM probe station (∼$50,000). While more expensive scanners, probes and measurement systems could improve spatial and frequency resolution, such a system would only be available to very sophisticated attackers. As SCNIFFER aims to demonstrate that practical, low-cost attacks are possible using systems two orders of magnitude cheaper than existing scanners, high-cost, high resolution components are not used. Table I summarizes these components, including their costs and performance compared to the Riscure system.

[Figure 5: (a) "3-D AES SNR Surface Plot", SNR (dB) over X and Y; (b) "Distribution of SNR at a Point of High Leakage", number of occurrences vs. SNR (dB).]

Fig. 5: (a) SNR surface plot of the same scan as Figure 3(a). Here it can be clearly seen that the surface is not smooth or monotonic, as there are many local minima and maxima. (b) Histogram of SNR measurements at a single point. 50 SNR measurements were made at 1 point. This distribution can explain some of the roughness of the surface seen in (a).

[Figure 6: "TVLA– Amplitude – SNR – MTD Comparison"; heatmaps over X and Y: (a) TVLA, (b) Signal Amplitude, (c) SNR, (d) MTD.]

Fig. 6: 10 × 10 heatmap of (a) TVLA values (b) signal amplitudes (c) SNR values and (d) MTDs. From these plots TVLA and SNR appear to correlate to MTD much better than the signal amplitude. While amplitude is easy to measure, it is clear that high amplitude of leakage does not necessarily correspond to high information leakage.

B. Automated EM Scanning

Now that the SCNIFFER system's low cost hardware has been described, we move to the automated scanning and attack procedure. The basic premise of the automated system is to locate a point on the target device where the chosen leakage measure is high by using the scanning algorithm specified in Section 5, then automatically perform CEMA at this point. This removes the need for an expert to manually analyze example traces to choose a location for an attack.

During an attack, the probe is positioned at a location dictated by the intelligent scanning algorithm. Then the appropriate ADC phase for trace collection is determined by capturing traces at varying ADC phases, and the phase giving the largest average amplitude is chosen for further measurements at that particular point. The signal is sampled at 29.48MHz, 4× the clock frequency of 7.37MHz, so clock edges are aligned to samples. The signal is amplified by the external amplifier, as well as the Chipwhisperer internal amplifier (set to a gain of 34.5dB), but no other preprocessing is performed. Chipwhisperer is then used to capture traces for leakage measurement (through SNR, TVLA or other measures) and finally CEMA is performed at the location found by the algorithm to have the highest leakage. Example leakage measures tested with SCNIFFER, and the development of the intelligent scanning algorithm, along with detailed results are described in the following sections.
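
The two leakage measures used for scanning, the fixed-vs-random TVLA (Welch's t-test against the 4.5 threshold) and SNR = VAR[Q]/VAR[N] with the Hamming weight of the first-round S-box output as the leakage class, computed for one strongly and one weakly coupled probe position. This is an added example on constructed traces, not code from the paper: the trace model, KEY_BYTE, LEAK_SAMPLE, the gain values and all function names are assumptions; the group sizes (200 traces per TVLA group, 1000 traces for SNR) follow the paper.

```python
import math
import random


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r


def _sbox_entry(x):
    """AES S-box value: field inverse followed by the affine transform."""
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    s = inv
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
HW = [bin(v).count("1") for v in range(256)]

KEY_BYTE = 0x2B     # constructed evaluation key byte, known to the evaluator
TRACE_LEN = 32      # constructed: samples per trace
LEAK_SAMPLE = 12    # constructed: sample at which the S-box output leaks


def simulate_trace(rng, plaintext, gain, sigma=1.0):
    """Constructed stand-in for one EM trace: Gaussian noise at every sample plus
    gain * HW(S-box output) at LEAK_SAMPLE. `gain` models the probe coupling."""
    trace = [rng.gauss(0.0, sigma) for _ in range(TRACE_LEN)]
    trace[LEAK_SAMPLE] += gain * HW[SBOX[plaintext ^ KEY_BYTE]]
    return trace


def welch_t(a, b):
    """Welch's t statistic for two groups of samples at one time point."""
    n1, n2 = len(a), len(b)
    m1, m2 = sum(a) / n1, sum(b) / n2
    v1 = sum((x - m1) ** 2 for x in a) / (n1 - 1)
    v2 = sum((x - m2) ** 2 for x in b) / (n2 - 1)
    return (m1 - m2) / math.sqrt(v1 / n1 + v2 / n2)


def tvla_max_t(fixed_traces, random_traces):
    """Largest |t| over all time points of a fixed-vs-random test."""
    return max(abs(welch_t(f, r))
               for f, r in zip(zip(*fixed_traces), zip(*random_traces)))


def snr_db(traces, plaintexts):
    """Largest VAR[Q]/VAR[N] over all time points, in dB."""
    classes = [HW[SBOX[p ^ KEY_BYTE]] for p in plaintexts]
    best = 0.0
    for column in zip(*traces):
        groups = {}
        for c, v in zip(classes, column):
            groups.setdefault(c, []).append(v)
        grand = sum(column) / len(column)
        var_q = var_n = 0.0
        for g in groups.values():
            mean = sum(g) / len(g)
            var_q += len(g) * (mean - grand) ** 2      # signal: spread of class means
            var_n += sum((v - mean) ** 2 for v in g)   # noise: spread inside each class
        best = max(best, var_q / var_n)
    return 10.0 * math.log10(best)


def assess_position(gain, seed, n_tvla=200, n_snr=1000):
    """Return (max |t|, SNR in dB) for one simulated probe position."""
    rng = random.Random(seed)
    # Fixed plaintext chosen so its class is far from the mean Hamming weight of 4;
    # a fixed input whose Hamming weight is exactly 4 would hide the mean shift.
    fixed_pt = max(range(256), key=lambda p: abs(HW[SBOX[p ^ KEY_BYTE]] - 4))
    fixed = [simulate_trace(rng, fixed_pt, gain) for _ in range(n_tvla)]
    rand = [simulate_trace(rng, rng.randrange(256), gain) for _ in range(n_tvla)]
    pts = [rng.randrange(256) for _ in range(n_snr)]
    traces = [simulate_trace(rng, p, gain) for p in pts]
    return tvla_max_t(fixed, rand), snr_db(traces, pts)


if __name__ == "__main__":
    for label, gain in (("high coupling", 1.0), ("low coupling", 0.02)):
        t, snr = assess_position(gain, seed=1)
        print(f"{label}: max|t| = {t:.1f} (leaks: {t > 4.5}), SNR = {snr:.1f} dB")
```

With a noise variance of 1 and a Hamming-weight variance of 2, a gain of 1.0 corresponds to an SNR of about 3 dB; at a weakly coupled position the SNR estimate bottoms out at the estimator's own noise floor rather than at the true value.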

IV. SIGNAL LEAKAGE MEASUREMENT USING SCNIFFER

As the choice of probe location is a major factor in determining the number of traces needed to recover a key in CEMA as shown in Figure 1, this location must be chosen intelligently. Currently, this is done by either exhaustive search of the entire chip, or by an expert evaluating sample EM traces at several locations, and choosing a location based on visual inspection of the traces. While an exhaustive search will certainly produce the best location to attack, it requires a large amount of time, especially for systems with a large initial MTD. Choosing a location based on visual inspection of traces may result in a location that can be attacked, however not necessarily the best in terms of MTD. Additionally, this method requires an expert to perform the inspection of traces. In this work, we aim to fully automate the process of choosing a location as an expert might, by looking at measures of leakage, and finding a location with high leakage. As with a manual choice, this location may not be the location corresponding to the lowest MTD, but should leak enough information to be attacked in a reasonable amount of time, without the need for an expert.

SCNIFFER is designed such that any measure of leakage can be used. For example signal amplitude, Test Vector Leakage Assessment (TVLA) [13], or SNR could be used, and the SCNIFFER platform will be able to converge to a location where the leakage measure is high in O(N) measurements. We provide results using both TVLA and SNR, both described, and then compared in the following subsections.

A. Signal Amplitude for Leakage Measurement

As motivation for why side-channel leakage measures must be used with SCNIFFER to locate low MTD locations, we measure the signal amplitude at each point of the victim chip, producing the heatmap seen in Figure 6(b). The amplitude was measured as the mean square amplitude of each trace, averaged across 10 traces. As can clearly be seen in that figure, the amplitude does not correlate to the MTD at all, as expected.

Hence, further results are shown using one of the two leakage measures explained in the following sections, TVLA and SNR. While these are the measures chosen for demonstrating SCNIFFER, they are by no means the best nor the only measures that can be used, as SCNIFFER does not rely on a specific leakage type; it only requires that the leakage correlate with the MTD. Determining the best measures of leakage in terms of the attack success rate and minimum number of traces required is a future research direction.

B. TVLA for Leakage Measurement

While signal amplitude is quick to measure, it has no relationship to side channel leakage. As the goal of SCNIFFER is to locate a position with high side channel leakage, amplitude is therefore not a good measure. A measure that does consider side channel leakage, and may be a better fit for SCNIFFER is TVLA. While high t-values from TVLA may not necessarily imply a low MTD, it allows locations where leakage is detected with high confidence to be focused on. The TVLA performed is the non-specific, fixed versus random t-test. We choose N = 200 for the number of traces in each group, for a total of 400 traces per TVLA performed. This number of traces creates large separation between points of low leakage and ones of high leakage, as seen in Figure 4(a), where the high leakage location reaches a t-value of 22, while the low leakage location only reaches a t-value of 4. Note that the TVLA surface is rough, with many local minima and maxima. Even at a fixed location there is variance in the TVLA measurements, shown in Figure 4(b). However, it is infeasible to perform many TVLA measurements at each point to average out this noise.

C. SNR for Leakage Measurement

Compared to amplitude and TVLA, SNR, as defined in [14], requires more traces; however, it has a direct relationship to the MTD. Given this relationship, one can estimate the MTD, thus a location maximizing SNR will minimize MTD. 1000 traces were used to calculate the SNR, as for the 8-bit microcontroller used, this gave large separation between locations of high and low leakage, as seen in Figure 5, where the SNR varies from -30dB to 3dB. SNR is calculated using the same intermediate variable and leakage model as the CEMA used, that is, the first round sbox output and the Hamming Weight model, respectively. Like with TVLA, the surface is somewhat rough, but again it is infeasible to take many SNR measurements to average out this noise.

D. Correlation among Amplitude, TVLA, SNR, MTD

While signal amplitude, TVLA, and SNR can all be used with SCNIFFER as measures for leakage, since the end goal of the SCNIFFER system is to perform an attack, we investigate how these measures compare to the MTD at each location. To compare the measures, a 10 × 10 scan of the chip was carried out, and CEMA was performed using 1,000 traces at each point. The resulting heatmap, along with heatmaps for SNR, TVLA, and amplitude, are shown in Figure 6. From these results, clearly TVLA and SNR both appear to correlate to the MTD strongly, however amplitude correlates very poorly. While signal amplitude is easy to measure, there is no guarantee that this measure correlates to the MTD, as high signal leakage does not imply high information leakage. Additionally, an uncorrelated EM source having high signal leakage could confuse an attacker into choosing a poor location to attack. While TVLA also does not guarantee high exploitable leakage, it can be used to identify and focus on regions where leakage is detected with confidence. Additionally, for the microcontroller considered in this work, TVLA does empirically correlate to the MTD quite well, even if it is not guaranteed to be the case in general. Finally, as SNR is directly related to the attack success rate, it unsurprisingly is highly correlated in practice. Further, due to this correlation, the location of highest SNR will theoretically be the location of lowest MTD, achieving SCNIFFER's goal.

V. GREEDY GRADIENT-SEARCH HEURISTIC

A critical piece of the SCNIFFER system is the algorithm for locating the point of high leakage at which the attack
should be performed. It is through this algorithm that the SCNIFFER attack framework gains benefits over an exhaustive search, as the high leakage location in an N × N grid can be found with N measurements as opposed to N². As an example, we use SNR as the leakage measure to demonstrate the performance of the SCNIFFER greedy gradient-search algorithm throughout this section. The remainder of this section describes the algorithm in detail, and provides results of running the algorithm on an Atmel XMEGA 8-bit processor running software AES.

A. Algorithm Description

To avoid taking measurements at all possible points, we propose a heuristic search algorithm for finding a point of high leakage in a minimum number of scans. The search algorithm works in two phases. In the first phase, the search space is divided into an M × M grid, where M is the initial grid size parameter, and the leakage is measured at the center of each grid cell. Then in the second phase, a gradient search algorithm is started from the point of the highest leakage found in the first phase. The gradient is computed by measuring the leakage of the four grid cells adjacent to the current cell, then treating each measurement as the magnitude of a vector whose direction is the direction from the cell where the gradient is being estimated to the cell where the measurement was made. The average of these vectors is treated as the estimate of the gradient. The next point to measure is determined by adding a vector in the direction of the gradient with a magnitude of stepSize to the current location. This location is then mapped to a grid cell, and the leakage is next measured in the center of this resulting grid cell. Given this method, movement is restricted to be between grid cells, and is not entirely arbitrary, however movement to diagonal cells or moving multiple cells at once are possible moves, depending on the stepSize parameter.

Algorithm 1: Gradient Search Heuristic to find the high leakage location

    N = Grid Resolution;
    maxLeakage = 0;
    // Phase 1: coarse scan of the initial grid
    initLocs = getInitialLocations(initialGridSize, N);
    for loc ∈ initLocs do
        moveProbe(loc);
        leakage = getLeakage();
        if leakage > maxLeakage then
            maxLeakage = leakage;
            startLoc = loc;
        end
    end
    // Phase 2: gradient search from the best coarse location
    moveProbe(startLoc);
    bestLoc = startLoc;
    m = startLoc;
    while Not Converged do
        delta = getDelta(get4Neighbors());
        m = m − stepSize ∗ delta;
        moveProbe(m);
        leakage = getLeakage();
        if leakage > maxLeakage then
            maxLeakage = leakage;
            bestLoc = m;
        end
    end


The algorithm will stop if it attempts to measure outside the
search space, instead moving only to the edge. A maximum
number of iterations can also be specified, along with an “iter-
ations without improvement” stopping criteria. The “iterations
without improvement parameter should be set to a sizeable
fraction of the grid resolution N, for values too small, several
iterations may pass without improvement, especially for noisy Number of SNR Measurements
surfaces, and the algorithm may stop prematurely. This two
phase process is described in Algorithm 1. Fig. 7: Leakage vs. number of SNR measurements for varying
grid scales. The data for the 30 × 30 grid was the same as in
B. Performance Figures 3 and 5(a). The full 60 × 60 and 10 × 10 grids were
Based on experimental results, the algorithm is able to locate also collected, allowing the performance of the algorithm to be
a point of high leakage in a N × N grid of possible measure- seen at various degrees of measurement resolution. Through
ments in ≈ N SNR measurements. Figure 7 demonstrates that these results, it can be seen that even as the size of the search
as the search grid size increases by N 2 , the number of tests space increases by N 2 , the time to converge increases by only
required only increases by N , showing the improvement over N.
an exhaustive search is more drastic as the size of the scan
increases, either due to increased resolution or larger scan area.
We also see the effect of the parameters of the algorithm, and changes. As expected, as more initial points are scanned, fewer
see how varying them affects performance. In Figure 8(a), gradient steps are required to converge to the high leakage
where, by increasing the resolution of the initial search grid, location. In Figure 8(b), the step size is varied, and we see
the lowest MTD found for a given number of measurements that for a small step size, the algorithm gets stuck in a local
minimum, and does not converge to the point of high leakage the other step sizes do. It is worth noting that even though the algorithm gets stuck in a local minimum, because of the initial grid search SCNIFFER still finds a relatively low MTD location. A larger step size also converges; if the step size is too large, however, the convergence is slower and less smooth, as it may step over the best point. Note that the effective step size is a function of both the resolution of the scan, N, and the step size parameter of the algorithm. This, along with the dimensions, L, of the chip, allows calculating the effective step size as $\frac{1}{N} \cdot L\ \text{mm} \cdot \text{StepSize}$. Given these results, one can see that for reasonable choices of parameters, the algorithm is observed to converge to a point of high leakage in O(N) steps for an N × N grid of measurements, providing SCNIFFER with a significant improvement over an exhaustive search.

[Figure 8: Effect of Parameters on Algorithm Performance. Panels: (a) Effect of Starting Sample Grid; (b) Effect of Step Size, with curves for 0.54 mm (1 cell), 0.84 mm (2 cells) and 1.14 mm (3 cells) and the annotation "Stuck in local minimum". Axes: MTD vs. Number of SNR Measurements.]

Fig. 8: (a) MTD vs number of SNR measurements performed for varying the initial sample grid size parameter. Note that the 2 × 2 and 3 × 3 grids locate the point of high leakage within 40 measurements, while a single point start only reaches a higher MTD, and after 45 such measurements. For all initial sample grid sizes, a step size of 1.14mm was used. (b) This demonstrates the effect of step size on performance. A step size too small can result in the algorithm getting stuck in a local maximum, and in this case as the step size increased, convergence sped up; however, for much larger step sizes, it is possible to overshoot the location of highest leakage, resulting in slower, less smooth convergence. For all step sizes, a 2 × 2 initial sample grid was used. Both (a) and (b) used a 30 × 30 scan resolution.

[Figure 9: Panels: (a) Path Taken by SCNIFFER: TVLA (colour scale: t-value); (b) Path Taken by SCNIFFER: SNR (colour scale: SNR (dB)). Axes: X, Y.]

Fig. 9: Heatmaps for AES running on the 8-bit microcontroller, with the path taken by SCNIFFER shown for TVLA in (a), and SNR in (b). The same search algorithm parameters were used in all cases.

[Figure 10: Panels: (a) MTD for TVLA SCNIFFER, MTD = 183; (b) MTD for SNR SCNIFFER, MTD = 134. Axes: Peak Correlation vs. Number of Traces.]

Fig. 10: MTD plots at locations found by SCNIFFER using TVLA as a leakage measure (a), and SNR as a leakage measure (b). While the MTD is not the minimum, it is fairly close to the minimum for both measures, with SNR having a slightly lower MTD than TVLA.
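The two-phase search of Algorithm 1 run on a constructed leakage surface, as an added Python example (not the authors' code). The surface, the `Probe` measurement cache, a step size given in grid cells rather than mm, and the treatment of neighbours beyond the scan edge are assumptions of this example.

```python
import math

def make_surface(n, peak=(0.45, 0.9), width=0.15):
    """Constructed leakage map: one smooth bump on an n x n grid (not measured data)."""
    px, py, s = peak[0] * (n - 1), peak[1] * (n - 1), width * n
    return [[math.exp(-((x - px) ** 2 + (y - py) ** 2) / (2 * s * s))
             for y in range(n)] for x in range(n)]

class Probe:
    """Stand-in for moveProbe() + getLeakage(); caches cells so revisits are free."""
    def __init__(self, surface):
        self.surface, self.n, self.seen = surface, len(surface), {}

    def measure(self, cell):
        if cell not in self.seen:
            self.seen[cell] = self.surface[cell[0]][cell[1]]
        return self.seen[cell]

def gradient(probe, cell):
    """Average of four neighbour direction vectors, each scaled by its leakage."""
    here, gx, gy = probe.measure(cell), 0.0, 0.0
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        nb = (cell[0] + dx, cell[1] + dy)
        inside = 0 <= nb[0] < probe.n and 0 <= nb[1] < probe.n
        # Assumption: a neighbour outside the scan area reuses the current reading.
        leak = probe.measure(nb) if inside else here
        gx += leak * dx / 4
        gy += leak * dy / 4
    return gx, gy

def scniffer_search(probe, m=2, step=2, patience=None, max_iter=200):
    """Return (best cell, leakage there, number of distinct cells measured)."""
    n = probe.n
    patience = patience or max(3, n // 3)  # a sizeable fraction of N
    # Phase 1: measure the centre of every cell of the coarse m x m grid.
    centres = [int((i + 0.5) * n / m) for i in range(m)]
    best = max(((cx, cy) for cx in centres for cy in centres), key=probe.measure)
    cur, stall = best, 0
    # Phase 2: greedy moves of `step` cells along the estimated gradient.
    for _ in range(max_iter):
        if stall >= patience:          # "iterations without improvement" stop
            break
        gx, gy = gradient(probe, cur)
        norm = math.hypot(gx, gy)
        if norm == 0:                  # flat neighbourhood: nowhere to go
            break
        # Map the target point to a grid cell, clamping to the edge of the scan.
        cur = tuple(min(n - 1, max(0, round(c + step * g / norm)))
                    for c, g in zip(cur, (gx, gy)))
        if probe.measure(cur) > probe.measure(best):
            best, stall = cur, 0
        else:
            stall += 1
    return best, probe.measure(best), len(probe.seen)

def demo(n=30):
    """Run the search on the constructed surface and compare with an N*N scan."""
    best, leak, used = scniffer_search(Probe(make_surface(n)))
    return {"best": best, "leakage": leak, "measurements": used, "exhaustive": n * n}

if __name__ == "__main__":
    print(demo())
```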
TABLE II: Comparison of different leakage measures used with SCNIFFER, as well as results of a full exhaustive search. The total traces includes the traces needed for the initial search, gradient search, and CEMA. The exhaustive search total traces includes a 1000 trace CEMA at all 100 locations.

Leakage Measure | Convergence Location | MTD | Total Traces
TVLA            | (2, 2)               | 183 | 5,807
SNR             | (7, 10)              | 134 | 10,134
Exhaustive      | (3, 6)               | 91  | 100,000

[Figure 11: Number of Traces Analyzed vs. SNR. Axes: Number of Traces Analyzed vs. Signal-to-noise Ratio (SNR) (dB). Annotation: "~100x Reduction in Traces to Attack".]

Fig. 11: Number of traces required for TVLA and SNR based SCNIFFER compared to exhaustive search vs. SNR for the case of a 10 × 10 scan. The ∼100× reduction is due to the fact that an exhaustive search must perform a CEMA at each location, while SCNIFFER only visits N locations.

VI. RESULTS

In this section, we provide results of using the SCNIFFER framework in various scenarios. We start with the results of an attack using TVLA, then with SNR. Following this, we provide a short discussion of the number of traces needed in a SCNIFFER attack. We then show the performance of the TVLA and SNR based attacks for a variety of cryptographic algorithms. Next, results comparing the 8-bit architecture chip used so far to a 32-bit architecture chip are shown, again for both TVLA and SNR measures. Finally, we show results showing the effects of a Masking countermeasure, using the SNR based attack.

A. TVLA Based SCNIFFER

While it is not guaranteed to correlate with MTD, TVLA can be used with the SCNIFFER algorithm. The path taken for this case is shown in Figure 9(a). This path remains in the zone of high TVLA values, and as TVLA correlates well with MTD in our experiments, this location has a very low MTD, seen in Figure 10(b), and is among the lowest on the chip. Computing TVLA at each location requires a total of 400 traces, and additional traces would be needed for systems with lower SNR, as we describe in section IV D. Additionally, as the TVLA surface is not smooth, convergence is slightly slowed, increasing the attack time.

B. SNR Based SCNIFFER

In contrast to TVLA, which does not guarantee that the leakage found is exploitable, SNR does, as it is related to the MTD. We see that SNR based SCNIFFER does take a different path than TVLA, and converges to a different location. The MTD at this location is slightly lower than the TVLA location, but still not the absolute lowest found on the chip. Furthermore, to accurately measure SNR, more traces than TVLA are needed for measurement, increasing the number of traces needed, and this number increases as the SNR reduces, as discussed in section IV D. Despite this, once the SNR reduces below a certain point, shown in Figure 11, a SNR-based SCNIFFER attack becomes as efficient as a TVLA-based attack, with the additional guarantee of exploitable leakage.

C. Number of Traces Needed For SCNIFFER Attacks

The performance of the SCNIFFER platform can be quantified and compared to other methods by investigating how the total number of traces needed to perform an attack changes as the SNR of the device under attack changes. Previous works have shown in [22] and [14] that the MTD for a CEMA attack is related to the SNR of the signal used in the attack by $MTD = k_0 \cdot \frac{1}{SNR^2}$. Additionally, [23], [24] have shown that the number of traces needed to perform a TVLA ($N_{TVLA}$) or calculate SNR ($N_{SNR}$) is also related to SNR by $N_{TVLA} = c_0 \cdot \frac{1}{SNR}$ and $N_{SNR} = c_1 \cdot \frac{1}{SNR}$. From there, it is straightforward to quantify the performance of an exhaustive search and SCNIFFER using both TVLA and SNR as follows,

$$N_{\text{SCN-TVLA}} = N \cdot c_0 \cdot \frac{1}{SNR} + k_1 \cdot \frac{1}{SNR^2} \tag{1}$$

$$N_{\text{SCN-SNR}} = N \cdot c_1 \cdot \frac{1}{SNR} + k_1 \cdot \frac{1}{SNR^2} \tag{2}$$

$$N_{\text{exh}} = N^2 \cdot k_1 \cdot \frac{1}{SNR^2} \tag{3}$$

where N × N is the resolution of the grid scan, and $k_0$, $k_1$, and $c_0$ are arbitrary constants chosen such that the models match to the results presented.

A SCNIFFER attack requires measurements to be made at approximately N points for an N × N grid, as the search algorithm requires O(N) measurements, with each requiring $N_{TVLA}$ in the TVLA case and $N_{SNR}$ in the SNR case. Additionally a single CEMA attack requiring MTD traces is needed, resulting in equations (1) and (2). An exhaustive search on the other hand would require a CEMA to be performed at all $N^2$ locations, resulting in equation (3). These trends are pictured in Figure 11, which clearly shows the 100× reduction in required traces in the case of a 10 × 10 scan for low values of SNR. This reduction can be explained by the fact that the number of traces needed to measure TVLA or
SNR changes as $\frac{1}{SNR}$, compared to the MTD which changes as $\frac{1}{SNR^2}$. Additionally, the number of points traversed is only N, as opposed to $N^2$ for an exhaustive search. Also, we see TVLA slightly outperforms SNR in terms of number of traces needed to perform an attack when SNR is high. For low SNR, the performance of both measures is mostly equivalent, as the number of traces needed is dominated by the CEMA, and using SNR as the leakage measure gives guarantees on the success rate of the CEMA, which TVLA does not.

[Figure 12: Effect of Crypto Algorithm on SCNIFFER Algorithm Convergence. Panels: (a) Maximum t-value vs. Number of TVLA Measurements; (b) Maximum SNR (dB) vs. Number of SNR Measurements.]

Fig. 12: (a) Max t-value vs. number of TVLA tests performed for all cryptographic algorithms (AES, DES, RSA), showing the scanning algorithm performs well, finding the point of max leakage within 40 TVLA tests in all cases, with a grid size of 30 × 30. The initial sampling grid was 2 × 2 and the step size was 0.84mm. Note that for RSA, one of the initial samples is already close to the maximum, and this maximum is found in just one step. For AES and DES, whose leakage patterns are less smooth, and have smaller areas of high leakage, the time to converge is higher. (b) Max SNR vs. number of SNR measurements for all algorithms (AES, DES, RSA). The search algorithm again performs well, converging in all cases in about O(N) measurements.

[Figure 13: Effect of Architecture on SCNIFFER Algorithm Convergence. Panels: (a) Maximum t-value vs. Number of TVLA Measurements; (b) Maximum SNR (dB) vs. Number of SNR Measurements.]

Fig. 13: (a) Max t-value vs. number of measurements for both the 8-bit XMEGA microcontroller and the 32-bit STM32F3 microcontroller. The algorithm converges within O(N) measurements, where N = 30 in both cases. The algorithm parameters used are the same as in Figure 12. (b) Max SNR vs. number of measurements for both microcontroller architectures, again showing convergence in O(N) measurements. The parameters used are the same as those in part (a).

D. Effect of Cryptographic Algorithm on Convergence

Next, in Figure 12(a), the effect of different cryptographic algorithms running on the target microcontroller can be seen, when using TVLA. For AES, DES, and RSA, the gradient search algorithm converges to a point of high leakage in a similar number of traces. A 30 × 30 scan was performed for all algorithms, and the parameters were fixed at a 2 × 2 starting grid and step size of 0.54 mm for all cases. A similar plot, using the same parameters but SNR as opposed to TVLA, can be seen in Figure 12(b). Again, the search converges in approximately the same number of measurements for all algorithms. Through this, we see that the greedy gradient search algorithm performs well regardless of the specific cryptographic algorithm, and regardless of the leakage measure chosen.

E. Effect of Architecture on Convergence

Additionally, we investigate the effect of different architectures (microcontrollers) on SCNIFFER. Up to now, the results
shown have been obtained with an 8-bit XMEGA microcontroller. We now use a 32-bit STM32F3 microcontroller running software AES as the target device. The STM32F3 uses the same clock frequency as the 8-bit XMEGA, 7.37MHz, and sampling is again done at 4× this frequency. Similarly the amplifier gain is the same as the 8-bit case. Given the same parameters for the greedy gradient search, the algorithm converges to a location of high leakage within N measurements, with N = 30 in this case. These results are shown in Figure 13(a) for TVLA, and Figure 13(b) for SNR. In both figures, the 8-bit and 32-bit architectures are compared, given the same measurement and search algorithm parameters. In this context, it is worth mentioning that as the size of the chip under attack increases, finding the location of the cryptographic engine could be a difficult task. In scenarios such as attacking large systems, the SCNIFFER framework would be extremely useful in efficiently determining the position of high leakage and then performing the attack at that point.

F. Effect of Masking on Convergence

Lastly, the effects of a masking countermeasure with a fixed mask on the performance of SCNIFFER have been investigated. We again use the same measurement and search parameters, and for both cases, the SCNIFFER algorithm converges in approximately O(N) measurements. These results are shown in Figure 14, where we see the algorithm converges after 35-40 measurements for both masked and unmasked implementations. As one would expect, the SNR for the masked implementation is significantly lower than the unmasked implementation, but the SCNIFFER search algorithm is still able to locate a higher SNR region through gradient search. While the measurement parameters used here were the same as elsewhere, an important note is that countermeasures that reduce the SNR more drastically would require more traces to be used to calculate the SNR.

[Figure 14: Effect of Masking. Axes: SNR (dB) vs. Number of SNR Measurements.]

Fig. 14: Max SNR vs. number of measurements for the unmasked and a masked implementation of AES on the 8-bit microcontroller. The algorithm converges within O(N) measurements, where N = 30 in both cases. The algorithm parameters used are the same as in Figure 12.

VII. CONCLUSIONS

This work has introduced SCNIFFER, a fully automated integrated system for conducting end-to-end EM side-channel attacks against cryptographic systems. SCNIFFER combines an EM leakage scanning platform and correlation EM analysis into a single system, which can perform all steps of an attack automatically. The system comprises low-cost custom scanning hardware and a gradient search heuristic based scanning algorithm. We also plan to make our code for implementing the efficient SCNIFFER framework and controlling the low-cost 3-D printer for scanning publicly available.

SCNIFFER is capable of using a variety of measures of leakage, and the search algorithm was shown to find a location of high leakage in an N × N chip search space with O(N) measurements, providing a significant improvement over exhaustive search, and performing all stages of the search and attack completely automatically, removing the need for expert analysis.

Using this fully automated attack, it is possible to efficiently find a point of high leakage and launch a CEMA attack at this location at the press of a button. The attack uses a minimal number of traces, for a variety of microcontroller architectures and cryptographic algorithms. Even as the size of the chip increases, or as protections lowering the SNR, such as masking, are put in place, SCNIFFER retains efficiency. Finally, we show that as the SNR of the system under attack decreases, SCNIFFER attacks maintain their advantage over existing methods, reducing the number of traces needed by a factor of N compared to an exhaustive search, for an N × N scan of a chip.

REFERENCES

[1] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology - CRYPTO ’99, ser. Lecture Notes in Computer Science, M. Wiener, Ed. Springer Berlin Heidelberg, pp. 388–397.
[2] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis: Concrete results,” in Cryptographic Hardware and Embedded Systems - CHES 2001, ser. Lecture Notes in Computer Science, Ç. K. Koç, D. Naccache, and C. Paar, Eds. Springer Berlin Heidelberg, pp. 251–261.
[3] J.-J. Quisquater and D. Samyde, “ElectroMagnetic analysis (EMA): Measures and counter-measures for smart cards,” in Smart Card Programming and Security, ser. Lecture Notes in Computer Science, I. Attali and T. Jensen, Eds. Springer Berlin Heidelberg, pp. 200–210.
[4] D. Das, M. Nath, B. Chatterjee, S. Ghosh, and S. Sen, “Stellar: A generic em side-channel attack protection through ground-up root-cause analysis,” in 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). Los Alamitos, CA, USA: IEEE Computer Society, may 2019, pp. 11–20. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/HST.2019.8740839
[5] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “Stealing keys from pcs using a radio: Cheap electromagnetic attacks on windowed exponentiation,” in Cryptographic Hardware and Embedded Systems – CHES 2015, T. Güneysu and H. Handschuh, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2015, pp. 207–228.
[6] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “ECDH key-extraction via low-bandwidth electromagnetic attacks on PCs,” in Proceedings of the RSA Conference on Topics in Cryptology - CT-RSA 2016 - Volume 9610. Springer-Verlag New York, Inc., pp. 219–235. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-29485-8_13
[7] A. Matthews, “Low cost attacks on smart cards.” Next Generation Security Software Ltd. [Online]. Available: https://pdfs.semanticscholar.org/1b5a/48426397d3e5d7d56b35ffe2d8456e29834e.pdf
[8] T. Kasper, D. Oswald, and C. Paar, “EM side-channel attacks on
commercial contactless smartcards using low-cost equipment,” in Infor-
mation Security Applications, ser. Lecture Notes in Computer Science,
H. Y. Youm and M. Yung, Eds. Springer Berlin Heidelberg, pp. 79–93.
[9] E. Ronen, A. Shamir, A.-O. Weingarten, and C. O’Flynn, “IoT goes
nuclear: Creating a ZigBee chain reaction,” in 2017 IEEE Symposium
on Security and Privacy (SP). IEEE, pp. 195–212. [Online]. Available:
http://ieeexplore.ieee.org/document/7958578/
[10] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, “The EM
sidechannel(s),” in Cryptographic Hardware and Embedded Systems -
CHES 2002, ser. Lecture Notes in Computer Science, B. S. Kaliski, Ç. K.
Koç, and C. Paar, Eds. Springer Berlin Heidelberg, pp. 29–45.
[11] C. Ramsay and J. Lohuis, “Tempest attacks against aes,” Technical
Report White paper, Fox-IT, Tech. Rep., 2017. [Online]. Available:
https://hardwear.io/document/slides-craig-ramsay.pdf
[12] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a
leakage model,” in Cryptographic Hardware and Embedded Systems -
CHES 2004, ser. Lecture Notes in Computer Science, M. Joye and J.-J.
Quisquater, Eds. Springer Berlin Heidelberg, pp. 16–29.
[13] G. Becker, J. Cooper, E. DeMulder, G. Goodwill, J. Jaffe, G. Kenworthy,
T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi et al., “Test vector
leakage assessment (tvla) methodology in practice,” in International
Cryptographic Module Conference, vol. 1001, 2013, p. 13.
[14] S. Mangard, “Hardware countermeasures against DPA - a statistical
analysis of their effectiveness,” in Topics in Cryptology - CT-RSA 2004,
ser. Lecture Notes in Computer Science, T. Okamoto, Ed. Springer
Berlin Heidelberg, pp. 222–235.
[15] Y. Liu and B. Ravelo, “Fully time-domain scanning of EM near-field
radiated by RF circuits,” Progress In Electromagnetics Research, vol. 57,
pp. 21–46, 2014.
[16] V. Lomné, P. Maurine, L. Torres, T. Ordas, M. Lisart, and J. Toublanc,
“Modeling time domain magnetic emissions of ICs,” in Integrated
Circuit and System Design. Power and Timing Modeling, Optimization,
and Simulation, ser. Lecture Notes in Computer Science, R. van Leuken
and G. Sicard, Eds. Springer Berlin Heidelberg, pp. 238–249.
[17] L. Sauvage, S. Guilley, and Y. Mathieu, “Electromagnetic radiations of
fpgas: High spatial resolution cartography and attack on a cryptographic
module,” ACM Transactions on Reconfigurable Technology and Systems
(TRETS), vol. 2, no. 1, pp. 1–24, 2009.
[18] J. Heyszl, S. Mangard, B. Heinz, F. Stumpf, and G. Sigl, “Localized
electromagnetic analysis of cryptographic implementations,” in Topics
in Cryptology - CT-RSA 2012, ser. Lecture Notes in Computer Science,
O. Dunkelman, Ed. Springer Berlin Heidelberg, pp. 231–244.
[19] EM probe station: Electromagnetic analysis solution. [Online].
Available: https://www.riscure.com/product/em-probe-station/
[20] Creality3d ender-3 3d printer economic ender DIY
KITS. [Online]. Available: https://www.creality3d.shop/products/creality3d-ender-3-pro-high-precision-3d-printer
[21] C. O’Flynn and Z. D. Chen, “ChipWhisperer: An open-source platform
for hardware embedded security research,” in Constructive Side-Channel
Analysis and Secure Design, ser. Lecture Notes in Computer Science,
E. Prouff, Ed. Springer International Publishing, pp. 243–260.
[22] O. Standaert, E. Peeters, G. Rouvroy, and J. Quisquater, “An
overview of power analysis attacks against field programmable
gate arrays,” vol. 94, no. 2, pp. 383–394. [Online]. Available:
https://ieeexplore.ieee.org/document/1580507
[23] D. B. Roy, S. Bhasin, S. Guilley, A. Heuser, S. Patranabis, and
D. Mukhopadhyay, “CC meets fips: A hybrid test methodology for first
order side channel analysis,” IEEE Transactions on Computers, vol. 68,
no. 3, pp. 347–361, 2018.
[24] D. B. Roy, S. Bhasin, S. Guilley, A. Heuser, S. Patranabis, and
D. Mukhopadhyay, “Leak me if you can: Does tvla reveal success
rate,” IACR Cryptology ePrint Archive, Tech. Rep., 2016. [Online].
Available: https://eprint.iacr.org/2016/1152
