On Borrowed Time -- Preventing Static Side-Channel Analysis

Robert Dumitru, Thorben Moos, Andrew Wabnitz, Yuval Yarom

TL;DR

The paper addresses the rising threat of static side-channel analysis, including Static Power SCA, LLSI, and IA, by proposing Borrowed Time, an in-chip countermeasure that wipes sensitive register contents when clock stoppage is detected. It presents two implementation approaches—a PLL-based detector and an asynchronous delay-based detector—analyzes trade-offs, and demonstrates practical effectiveness through end-to-end CPA attacks on AES and masked SKINNY targets, showing leakage disappears under Borrowed Time with large trace budgets. A key finding is that memory effects extend exploitable leakage in static SCA unless stopped clocks are detected quickly, and Borrowed Time can counteract this by triggering masked clears within a clock cycle, with moderate hardware overhead and compatibility with masking. The work highlights practical implications for protecting cryptographic implementations in FPGA/ASIC contexts and outlines limitations (e.g., false positives, clock-gated restrictions) and avenues for automation and future work.

Abstract

In recent years a new class of side-channel attacks has emerged. Instead of targeting device emissions during dynamic computation, adversaries now frequently exploit the leakage or response behaviour of integrated circuits in a static state. Members of this class include Static Power Side-Channel Analysis (SCA), Laser Logic State Imaging (LLSI) and Impedance Analysis (IA). Despite relying on different physical phenomena, they all enable the extraction of sensitive information from circuits in a static state with high accuracy and low noise -- a trait that poses a significant threat to many established side-channel countermeasures. In this work, we point out the shortcomings of existing solutions and derive a simple yet effective countermeasure. We observe that in order to realise their full potential, static side-channel attacks require the targeted data to remain unchanged for a certain amount of time. For some cryptographic secrets this happens naturally, for others it requires stopping the target circuit's clock. Our proposal, called Borrowed Time, hinders an attacker's ability to leverage such idle conditions, even if full control over the global clock signal is obtained. For that, by design, key-dependent data may only be present in unprotected temporary storage when strictly needed. Borrowed Time then continuously monitors the target circuit and upon detecting an idle state, securely wipes sensitive contents. We demonstrate the need for our countermeasure and its effectiveness by mounting practical static power SCA attacks against cryptographic systems on FPGAs, with and without Borrowed Time. In one case we attack a masked implementation and show that it is only protected with our countermeasure in place. Furthermore we demonstrate that secure on-demand wiping of sensitive data works as intended, affirming the theory that the technique also effectively hinders LLSI and IA.

Paper Structure

This paper contains 29 sections, 1 equation, 13 figures, 2 tables, 1 algorithm.

Figures (13)

  • Figure 1: Static power SCA attack stages in the face of Borrowed Time countermeasure: (1) (2) -- The attacker leverages a stopped clock for prolonged static measurement period. (3) -- Borrowed Time detects clock stoppage and clears sensitive data. (4) -- The attacker can no longer observe static leakage.
  • Figure 2: Block diagram showing basic elements of a PLL.
  • Figure 3: PLL-based Borrowed Time countermeasure system design. Upon detection of a stopped clock, the alarm signal $\overline{\hbox{LOCKED}}$ selects random values to be written into sensitive registers, performing the masked clear.
  • Figure 4: Asynchronous delay-based Borrowed Time countermeasure system design. Upon detection of a stopped clock, the alarm signal stop_detect selects random values to be written into sensitive registers. delayed_edge, a delayed version of stop_detect, is instantly selected by stop_detect as the target system clock and provides an active clock edge to latch random input values, performing the masked clear.
  • Figure 5: Timing diagram of system signals with a stopped clock condition.
  • ...and 8 more figures
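
As an added illustration (not code from the paper or its authors), the following Python model traces the behaviour described in the Figure 4 caption at event level: a detector raises stop_detect when no clock edge arrives within a window, and delayed_edge then latches random data into the sensitive register. The window, delay, clock period, register update and the choice to end the run at the alarm are constructed assumptions.

```python
import secrets

def simulate(edges_ns, end_ns, timeout_ns=None, delay_ns=2,
             secret=0xA7, rng=secrets.randbits):
    """Event-level model of one sensitive 8-bit register.

    edges_ns   : sorted rising-edge times of the external clock (ns)
    end_ns     : time at which the observation ends (ns)
    timeout_ns : detector window; None models the unprotected design
    delay_ns   : lag between stop_detect and delayed_edge (assumed value)
    Returns the longest time key-dependent data sat unchanged, the time
    stop_detect rose (or None) and the final register contents.
    """
    reg, longest, alarm = secret, 0, None
    last = edges_ns[0]                       # key-dependent value latched here
    events = [(t, True) for t in edges_ns[1:]] + [(end_ns, False)]
    for t, is_edge in events:
        if timeout_ns is not None and t - last > timeout_ns:
            alarm = last + timeout_ns        # no edge inside the window
            longest = max(longest, timeout_ns + delay_ns)
            reg = rng(8)                     # delayed_edge latches random data
            break                            # model assumption: run ends here
        longest = max(longest, t - last)
        if is_edge:
            reg = (reg * 5 + 1) & 0xFF       # stand-in for a cipher round update
            last = t
    return {"longest_static_ns": longest, "alarm_ns": alarm, "reg": reg}

# Constructed clock traces: 10 ns period, either free-running or halted at 30 ns.
RUNNING = list(range(0, 100, 10))
HALTED = [0, 10, 20, 30]

if __name__ == "__main__":
    cases = [
        ("running, protected", RUNNING, 100, 25),
        ("halted, unprotected", HALTED, 1_000_000, None),
        ("halted, protected", HALTED, 1_000_000, 25),
        ("running, window shorter than period", RUNNING, 100, 8),
    ]
    for name, edges, end, window in cases:
        print(f"{name:38s}", simulate(edges, end, timeout_ns=window))
```

The last case shows the false-positive limitation the summary mentions: in this model a window shorter than the clock period raises the alarm on a healthy clock.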