Evaluating signal processing techniques
in side-channel electromagnetic attacks to cryptographic systems
Ricardo Maçãs Ricardo Chaves
INESC-ID INESC-ID
IST, Universidade de Lisboa IST, Universidade de Lisboa
Lisboa, Portugal Lisboa, Portugal
ricardo.macas@tecnico.ulisboa.pt ricardo.chaves@inesc-id.pt
Abstract—The security of electronic devices is paramount to
our information society. Side-channel attacks enable a potential
attacker to stealthily compromise the devices by exploiting
their emanations, such as the electromagnetic (EM) radiation,
resulting from the operation of the device. The objective of this
article is to compare different attack methodologies empirically
with respect to their signal processing techniques, in partic-
ular, trace filtering and a newly-proposed technique named
correlation filtering. A methodology of analysis is defined for
consistent and repeatable results. Finally, evaluations of the
effects of different signal processing techniques were conducted
in attacks against a smartcard implementation of the AES
cipher, where the correlation filtering technique was found to
successfully improve the attack performance in randomized
trials.
1. Introduction
The information society is ever more pervasive in our
lives: it permeates into all aspects of society, replacing older
technology with connected, intelligent devices. More and
more devices are made smart, especially the ever more
popular Internet of Things (IoT) movement, consisting of
existing devices such as door locks that are made intelligent
with networking functionality. Even if such devices employ
secure algorithms, side-channel attacks may still be able to
exploit their physical implementation, by taking advantage
of information leaked by the emanations resulting from their
operation.
Electronic systems developed in the 21st century use
complementary metal-oxide semiconductor transistor cells
(CMOS), desirable for producing devices with low idle
power consumption. CMOS cells implement a logic gate by
having a complementary pull-up and pull-down network that
alternate in insulating the path between the power source and
the ground, only briefly consuming power during transitions
when, momentarily, both networks conduct. At that moment,
a small current flows through the circuit, which in turn leads
to power consumption and the emanation of electromagnetic
(EM) radiation [1]. Naturally, this implies that the emana-
tion is data-dependent. Since the aforementioned physical
Gonçalo Tavares
INESC-ID
IST, Universidade de Lisboa
Lisboa, Portugal
goncalo.tavares@tecnico.ulisboa.pt
process leads to both the power consumption and the EM
emanation, similar techniques can be used for both, and EM
attacks are generally regarded as a particular instance of
power attacks [2].
In general, taking into account some model h, the leak-
age signal L(t) can be described as a sum of the contri-
butions of all the gates g in the circuit processing values
at instant t, affected by some normally-distributed additive
noise N [3]:
X
L(t) = h(g, t) + N (t). (1)
g
There are several attack techniques that attempt to ex-
tract the most information from the available signals, such
as Correlation Attacks [4] and Template Attacks [5]. These
techniques focus on specific calculations being executed in
the target device that enable the attacker to effectively guess
the key. However, this means that the signals are affected
by intrinsic electronic noise caused by unrelated calculations
that are not pertinent to the attack and that ultimately hinder
its performance. Then, the usage of signal processing tech-
niques, such as frequency filtering, to facilitate the attack
by rejecting reject unwanted noise sources is a compelling
strategy.
A brief description of this document’s structure follows.
Section 2 presents a brief introduction of the existing attack
methods, followed by Section 3, which describes the pro-
posed metrics to evaluate the performance of the attacks.
Section 4 addresses the hardware and software used and
their setup and configuration. An overview of the findings
follows in Section 5. Finally, Future Work is presented in
Section 6 and the Conclusions of the authors in Section 7.
2. State of art
A differential power attack proceeds by taking a working
hypothesis over a small part of the key and, using the same
plaintexts as the physical device, it computes the interme-
diate calculations of the cipher state. From the intermediate
values, it models the expected power consumption for those
operations and contrasts them with the observed signals
from the physical device. If the differences in the expected
power follow the actual power consumption, there’s evi-
dence that the partial key hypothesis is correct.
This process requires several time-aligned recordings
of the power consumption, called traces, and the usage
of a statistical test to quantify their agreement with the
hypotheses. This is called the distinguisher, because it is
the metric that allows the attack to distinguish the correct
secret from the remaining (rejected) hypotheses.
Correlation attacks
An example of a differential power attack is the Cor-
relation Attack, first introduced by Eric Brier et al. [4]. It
uses the aforementioned framework for differential power
attacks, where the distinguisher is the estimator of the
Pearson correlation coefficient, which will indicate a linear
dependency between the power hypotheses for each trace hi
and the power consumption Ti observed at some given time
instant t0 :
PM
(hi − h̄) · (Ti [t0 ] − T [t0 ])
r(t0 ) = qPi=1 (2)
M 2 2 The estimator of the expected correct position can be
i=1 (hi − h̄) · (Ti [t0 ] − T [t0 ])
where the means are indicated by a bar.
Depending on the device architecture and the experi-
mental setup, the leakage may correlate inversely with the
power model. To maximize the information extracted from
the attack, the absolute value of the correlation is used
instead, which is highest whether the model is directly or
inversely correlated [6].
Should the t0 intermediate value calculation time not be
known precisely, the correlation can be calculated for several
time samples across the traces and the best (highest) absolute
correlation |r| is recorded out of all the time samples and
partial keys considered. In a sense, a correlation trace r[t]
is created which indicates the correlation over time for a
given key.
3. Methodology of evaluation
The uncertainty associated with the signal variability and
the statistical tools used means that two attacks using signals
captured in identical conditions do not necessarily have the
same results. Accordingly, each attack strategy is then tried
several times for a total of N partial attacks, on a random
sample taken from a pool of traces collected in the same
session, and the metrics are presented with their average
across attacks to partial keys, m, and an error term e, the
standard error, in the form m ± e.
Differential attacks return a distinguisher score for every
candidate partial key tested. If these scores are sorted in
increasing order, their position in the candidate list indi-
cates their relative rank amid themselves. As such, every
candidate has a score and position pair (di , pi ). The pair
that corresponds to the correct secret key is denoted by a
star, as (d? , p? ).
Success rate (SR). The sample success rate is calculated as
a ratio of N partial attacks, ran under the same conditions,
that determined the correct candidate:
#Attacksp? =1
SR = P̃ (p? = 1) = . (3)
N
Note the success rate is an estimate of the probability
P̃ of having the correct value of the subkey as the best
candidate [7]. The success rate concept can be generalized
to having the correct key in the first n hypotheses (instead
of just being the first) by computing the corresponding ratio.
Average correct position. After collecting N partial attacks
ran under the same conditions, one may estimate what is the
mean position of the correct partial key in the candidate list.
The expected correct position is then defined as the product
of each position i, times the probability of the correct subkey
occupying such position, or mathematically,
X
E(p? ) = i · P (p? = i). (4)
i
Standaert et al. [7] named this metric guessing entropy.
mathematically expressed as the average correct position
Ẽ(p? ), computed as
PN
j p(?,j)
Ẽ(p? ) = , (5)
N
where j represents each attack out of N attacks to partial
keys.
4. Experimental setup
Correlation attacks were carried out against a smartcard
powered by the Atmel AVR ATMega163 micro-controller,
programmed with the AES 128 bit cipher. The attack used
the SAKURA-W [8] platform to enable the communication
between the computer and the smartcard. The platform,
and in turn the smartcard placed in it, was powered by
a laboratory bench power supply to provide a stable and
isolated power source.
In order to avoid capturing the electronic emanations
from nearby components, a custom-built smartcard extender
was developed at the laboratory that enabled the smartcard
to operate outside of the slot with its surface exposed. The
smallest magnetic field probe of the Beehive Electronics
100 Series EMC probe set was used to capture the EM
signal, amplified by the Beehive Electronics 150A EMC
probe amplifier, and digitized by a PicoScope 6404D com-
puter oscilloscope. To enable the time-aligned capture of
the traces, a trigger signal function is programmed to the
smartcard that switches an auxiliary pin when the ciphering
algorithm starts.
In order to find the optimal probe position, a manual
systematic analysis of the smartcard’s surface was carried
out. While performing ciphering operations, the magnetic
probe was placed directly on top of the chip area and the
 TABLE 1. E XTRACT OF THE BASELINE RESULTS IN ELECTROMAGNETIC
CORRELATION ATTACKS TO THE FIRST ROUND OF AES, FOR 50 TRIALS

Number of traces SR E(p? )

800 traces 0.08 ± 0.01 91.45 ± 2.67
1 500 traces 0.25 ± 0.02 28.11 ± 1.57
2 000 traces 0.57 ± 0.02 8.36 ± 0.75
Figure 1. Diagram of the smartcard extender. A smartcard was placed 3 000 traces 0.92 ± 0.01 1.26 ± 0.06
in the extended slot, and the cutout reveals the surface under which the
microprocessor resides, exposed for probe access. 5 000 traces 1.00 ± 0.00 1.00 ± 0.00

different signals that could be found along the surface were correlation peaks. In essence, instead of selecting specific
identified, along with their positions. Several sample attacks points of interest in time, the correlation filtering technique
were carried out for the signals captured at each of these exploits time redundancy of points with similar information,
positions, and the final position chosen for the probe was in order to exclude wrong candidates.
the one that completed the attacks with the least amount of The attacker can determine the optimal cut-off frequency
traces. for this filter using a clone device in their possession,
The correlation attack was chosen to perform the side- by processing the correlation traces with decreasing cut-
channel attacks to the AES 128-bit cipher, using a Hamming off frequencies until they no longer improve the result. A
Weights model. The intermediate calculation targeted is the subjective visual evaluation of the filtered correlation trace
result of the SBOX operation in the first round. Each byte may suffice to determine a non-optimal cut-off frequency.
of the result is the sum of a key byte and plaintext byte, For this experiment, the filters were generated using
transformed by the SBOX. Since every byte is independent, MATLAB’s fir1 function, with a Hamming window and
targeting each of the 16 bytes individually is the simplest 2400 taps. The average out of the 50 trials was taken for
way to effectively divide the partial keys. the position of the correct partial key, illustrated in Figure 2.
The optimal −6 dB cut-off frequency was determined to be
16.25 MHz, corresponding to the minimum of the average
5. Results correct position.
A pool of 5 500 EM traces was continuously acquired
in a single session with a sampling rate of 1.25 GHz. The
probe was placed at the position previously determined
as optimal, and the plaintext input to the smartcard was
randomly generated and subsequently saved along with the
corresponding captured traces.
From this pool, a fixed number of traces was randomly
drawn by the computer to carry out each trial of the corre-
lation attack. In total, 50 trials were completed in order to
characterize the performance of the attack when constrained
to that number of traces, using the proposed metrics. This
corresponds to 16 · 50 = 800 attacks to every partial key.
The process was then repeated for other sizes of the attacked
trace set, in order to evaluate the progression of the attack
performance as the set of traces increases. This serves as
the baseline for contrasting with any improvement from
additional signal processing or changes in the experimental
setup, as laid in Table 1.
In particular, the correlation filtering technique was
Figure 2. Determination of optimal low pass cut-off frequency via minima
tested. It is based on the observation that, for high sampling of the average correct position metric.
rates, the instant when the targeted intermediate calculation
is executed spans a significant number of time samples. To evaluate the additional performance gained by ap-
Often, the correlation may spuriously peak in a time sample plying this technique, the same process was applied as
for a wrong key, due to noise, leading to an incorrect result. described previously for the baseline. Several trials were
By low-pass filtering the correlation trace |r(t)| for each conducted, constrained to increasing number of traces. Fig-
partial key candidate, the correlations of the neighbouring ure 3 shows the comparison between the success rate curves
time samples are taken into account to remove spurious of the baseline and the correlation filtered attack. The tech-
nique displays a consistent improvement in the success rate
when controlling for number of traces, and converges in
approximately half the number of traces to a unitary success
rate.
The technique presented consists in filtering after the
correlation is calculated, but one may ask if simply filtering
the original traces leads to the same results. In fact, this
hypothesis was tested by following an identical procedure as
described before, and the optimal cut-off frequency for con-
ventional trace filtering was determined to be 15.625MHz,
which is very similar to the one determined for correlation
filtering. Table 2 shows the metrics for 800 traces, where it
is clear that correlation filtering improves the results over
trace filtering with an additional 0.02 increase in success
rate and an improved average position with smaller standard
error, indicating additional consistency.
would enable an attacker to profile the locations of the
smartcard where the leakage is optimal. The usage of novel
magnetic imaging sensors (to acquire emanations of multiple
locations simultaneously), signal processing techniques (to
isolate the signal of interest while reducing noise) and multi-
channel attacks, is an interesting avenue of exploration to
improve the existing results for side-channel attacks.
7. Conclusion
In summary, the proposed evaluation methodology suc-
cessfully allowed the direct comparison of different attacks
using a detailed framework. In general, applying signal
processing techniques to electromagnetic attacks lead to sig-
nificant improvements characterized by faster convergence
in the correct candidate and better success rates. This work
introduced the correlation filtering technique, which was
shown to improve the success of the electromagnetic attacks
for all metrics tested by exploiting the time redundancy
of high-sampling rate acquisition after calculation of the
correlation.

Acknowledgments
The authors would like to thank the laboratory colleague
Ruben Afonso for assisting with the design and construction
of the smartcard extender. This work was supported by na-
tional funds through Fundação para a Ciência e a Tecnologia
(FCT) with reference UID/CEC/50021/2013.

References
[1] F.-X. Standaert, “Introduction to side-channel attacks,” in Secure Inte-
grated Circuits and Systems. Springer, 2010, pp. 27–42.
Figure 3. Success rate curves for the baseline attack and the attack with
correlation filtering. [2] J. R. Rao and P. Rohatgi, “Empowering side-channel attacks,”
Cryptology ePrint Archive, Report 2001/037, 2001. [Online].
Available: http://eprint.iacr.org/2001/037
TABLE 2. C OMPARISON OF ELECTROMAGNETIC ATTACKS RESULTS [3] M. Aigner and E. Oswald, “Power analysis tutorial,” Institute for
USING DIFFERENT SIGNAL PROCESSING TECHNIQUES .
Applied Information Processing and Communication, Graz, Austria,
Tech. Rep., 2000.
SR E(p? )
Experiment [4] E. Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with
(% improv.) (% improv.) a Leakage Model. Berlin, Heidelberg: Springer Berlin Heidelberg,
800 traces 2004, pp. 16–29.
0.08 ± 0.01 91.45 ± 2.67
Baseline [5] S. Chari, J. R. Rao, and P. Rohatgi, “Template attacks,” in Revised
Papers from the 4th International Workshop on Cryptographic
800 traces Hardware and Embedded Systems, ser. CHES ’02. London,
0.86 ± 0.01 1.74 ± 0.12
Traces Filtered UK, UK: Springer-Verlag, 2003, pp. 13–28. [Online]. Available:
(975.0%) (98.1%) http://dl.acm.org/citation.cfm?id=648255.752740
fc (−6dB) : 15.625 MHz
[6] S. Mangard, E. Oswald, and T. Popp, Power analysis attacks: Reveal-
800 traces ing the secrets of smart cards. Springer Science & Business Media,
0.88 ± 0.01 1.34 ± 0.05
Correlation Filtered 2008, vol. 31.
(1000.0%) (98.5%)
fc (−6dB) : 16.25 MHz [7] F.-X. Standaert, T. Malkin, and M. Yung, “A unified framework for
the analysis of side-channel key recovery attacks.” in Eurocrypt, vol.
5479. Springer, 2009, pp. 443–461.
6. Future work [8] M. Matsubayashi and A. Satoh, “Side-channel Attack user reference
architecture board SAKURA-W for security evaluation of IC card,” in
In the setup used, the probe position was derived using a 2015 IEEE 4th Global Conference on Consumer Electronics (GCCE),
manual systematic scan of the surface of the smartcard, how- 2015, pp. 565–569.
ever, an automated scan with computer-assisted positioning