Analysis of Electromagnetic Information Leakage Based on Cryptographic Integrated Circuits

Cryptographic algorithm is the most commonly used method of information security protection for many devices. The secret key of cryptographic algorithm is usually stored in these devices’ registers. In this paper, we propose an electromagnetic information leakage model to investigate the relationship between the electromagnetic leakage signal and the secret key. The registers are considered as electric dipole models to illustrate the source of the electromagnetic leakage. The equivalent circuit of the magnetic field probe is developed to bridge the output voltage and the electromagnetic leakage signal. Combining them, the electromagnetic information leakage model’s function relationship can be established. Besides, an electromagnetic leakage model based on multiple linear regression is proposed to recover the secret key and the model’s effectiveness is evaluated by guess entropy. Near field tests are conducted in an unshielded ordinary indoor environment to investigate the electromagnetic side-channel information leakage. The experiment result shows the correctness of the proposed electromagnetic leakage model and it can be used to recover the secret key of the cryptographic algorithm.


Introduction
With the rapid development of the internet of things (IoT), a large number of low cost integrated circuits have been embraced in a wide range of applications including micromachines. Information security issues in these applications have increasingly attracted people's attention. The emergence of side-channel analysis [1] has led to a great threat to integrated circuits. The internal information of embedded artificial intelligence devices is revealed by side-channel analysis in [2,3]. Power side-channel information is used to recover the secret key in [4]. Sensitive user information can be recovered from the acoustic side-channel of keyboard in [5]. Numerous types of side-channels have been successfully exploited to reveal secret information in previous years, such as time [6], power consumption [7], electromagnetic emission [8,9], optical signal [10] or acoustic emanation [11].
Electromagnetic side-channel analysis exploits unintentional electromagnetic leakages captured from integrated circuits to reveal secret information, especially in the area of crypto devices. Electromagnetic emission is used to identify the devices and operations in [12,13]. Screen contents are detected via electromagnetic side-channel information in [14]. Although there are several works on side-channel leakage measurements and modeling for hardware security in IoT devices [14,15], they do not consider the cryptographic algorithms. It is well known that electromagnetic side-channel analysis plays an important role in the area of crypto devices. A malicious attacker can deduce the secret key of the crypto device by analyzing the correlation between the electromagnetic leakage information and the internal states of the cryptographic algorithm. Cross devices are used to recover the secret key by electromagnetic emission in [16,17]. Near field electromagnetic sidechannel analysis gains more and more attractions in recent years. Practical real-world near field electromagnetic analysis on commercial contactless smartcards in a black-box scenario is shown in [18]. The secret key is recovered from realistic cryptographic algorithm implementations using electromagnetic leakage traces in [19]. Electromagnetic side-channel analysis on PC implementations of elliptic curve cryptology is demonstrated by measuring the PC's electromagnetic emanations in [20]. An end-to-end electromagnetic side-channel analysis system is introduced in [21]. The system combines an electromagnetic leakage scanning platform and analysis methods into a single system, which can carry out all steps automatically. Most of the previous publications mainly focus on the key recovery of cryptographic algorithms, including our previous works [22,23]. As far as we know, there are seldom works on the electromagnetic leakage model of cryptographic integrated circuits to reveal the relationship between the electromagnetic leakage signal and the cryptographic algorithm. Several works [24][25][26] just show a simple analysis about the electromagnetic leakage.
Based on previous works, we focus on the electromagnetic information leakage model of the registers related to the secret key during the process of encryption in this paper. The main contributions of the paper are as follows: • An electromagnetic information leakage model in the process of hardware implementation is proposed to explain the relationship between the electromagnetic leakage and the secret key in detail. The registers are considered as electric dipole models to illustrate the source of the electromagnetic leakage. The equivalent circuit of the magnetic field probe is developed to bridge the output voltage and the electromagnetic leakage signal. • An electromagnetic information leakage model based on multiple linear regression is proposed to recover the secret key of the cryptographic algorithm. The correctness of electromagnetic information leakage model also is verified by multiple linear regression according to near field tests.
The rest of this paper is organized as follows. The experimental setup is shown in Section 2. We propose the electromagnetic leakage model in Section 3. The electromagnetic leakage model based on multiple linear regression is shown in Section 4. Finally, the conclusion is presented in Section 5.

Experimental Setup
In this section, we elaborate the experimental setup in near field tests, including the devices used in the experimental platform and the cryptographic algorithm.

Experimental Platform
Near field tests are conducted in an unshielded ordinary indoor environment to investigate the electromagnetic side-channel information leakage. The experiment platform is illustrated in Figure 1 which is composed of a Sakura-G board, a magnetic probe, a low noise amplifier, a Keysight oscilloscope (Keysight MSOS054A) and a direct current power supply. The Sakura-G FPGA board is used for encryption and the board is a universal test device specifically designed to standardize the security evaluation methodology of cryptographic modules on hardware security. There are two XILINX Spartan-6 chips on the board which are fabricated using 45-nm technology. One is served as the main security chip (XC6SLX75-2CSG484C), the other is the controller chip (XC6SLX9-2CSG225C). The main chip is responsible for performing the cryptographic operations and the controller chip provides the main chip with digital stimuli and controls its conditions of cryptographic operation. The board is powered by a direct current power supply in order to reduce unnecessary noise influence. A passive magnetic probe (Langer LF-B 3) is used to detect electromagnetic source of cryptographic operations. Detailed information about the probe is described in Section 3. The main process of the experiment is shown in the following: (1) The computer sends 128-bit plaintext and 128-bit secret key to the Sakura-G board.
(2) The Sakura-G board is responsible for encryption and returns the ciphertext to the computer. (3) The electromagnetic leakage signal is detected by the magnetic probe and then it is amplified by the low noise amplifier. (4) The electromagnetic leakage trace is measured by the oscilloscope and transferred to the control computer. (5) The computer is used to receive electromagnetic leakage traces and responsible for data storage, communication and further analysis. (6) This process is repeated many times until the electromagnetic leakage trace requirement is met.

Cryptographic Algorithm
The hardware implementation is shown in Figure 2. The benchmark of cryptographic circuit is Advanced Encryption Standard (AES) which is critical for securing many applications. AES is a symmetrical block cipher that converts 128-bit plaintexts into ciphertexts using an original 128-bit key. AES-128 algorithm has 10 rounds and every round uses a different 128-bit round key which is calculated from the original 128-bit key. There are four sub-processes per round: SubBytes, ShiftRows, MixColumns, AddRoundKey. The last round skips the MixColumns sub-processes.
According to Figure 2, the process of hardware implementation can be summarized. Firstly, the 128-bit plaintexts and 128-bit secret key are delivered by the controller chip to the main chip. The plaintexts are XORed with the original key and the output intermediate values are stored into the registers. Then the main chip performs one AES round including SubBytes, ShiftRows, MixColumns and AddRoundKey in every clock cycle and the output intermediate values after AddRoundKey are also stored into the registers. Finally, the output ciphertexts are stored into the registers after last round.
One of the measured electromagnetic trace is shown in the Figure 3. We can see that there are 11 peaks in the electromagnetic trace. The first peak is the loading of plaintext into the register and the other 10 peaks are 10 rounds of the AES.

Electromagnetic Leakage Model
In this section, the electromagnetic leakage model will be described according to the electromagnetic leakage process. The main process can be divided into two parts: emission part and receiving part, just as shown in Figure 4. In emission part, electric dipole models are built to characterize the electromagnetic emission of the integrated circuit's registers. In receiving part, the equivalent circuit for the magnetic probe is also given to bridge the electromagnetic leakage signal and the output voltage.

Emission Part
Receiving Part Chip Electromagnetic Probe Oscilloscope Figure 4. The main process of electromagnetic leakage process.

Source of Electromagnetic Signal Leakage
Most modern integrated circuits are designed in Complementary Metal Oxide Semiconductor (CMOS) technology. It is well known that CMOS inverters are the core of almost all digital integrated circuit designs. The structure of a CMOS inverter is shown in Figure 5, which is composed of a p-channel enhanced MOS (PMOS) and a n-channel enhanced MOS (NMOS). It can be seen as a push-pull switch. Sensitive information can be leaked when the CMOS inverter is switched "ON" and "OFF". The electromagnetic consumption of the CMOS circuit can be divided into two parts, one is static consumption which is mainly determined by the leakage current, the other is dynamic consumption. In the static state, whether the V in is high (1) or low (0), the NMOS transistor and the PMOS transistor will not be turned on at the same time, one of them must be in the cut-off state, and the resistance in cut-off state is very high. So the static current is very small and the static consumption caused is also very small, accounting for about 1% of the total consumption. The static consumption is not considered in this paper due to its small proportion. Dynamic consumption is mainly switch consumption and short circuit consumption, accounting for about 99% of the total consumption. Relevant information shows that the switching consumption caused by signal inversion accounts for more than 85% of the total consumption.
When the input V in is low (0), the PMOS transistor is turned on and the NMOS transistor is turned off. The current flows through the PMOS transistor, the load capacitance C Load is charged and the external energy is consumed.
When the input V in is high (1), the PMOS transistor is turned off, the NMOS transistor is turned on. The current flows through the NMOS transistor, the load capacitor C Load is discharged and the energy is released to the outside.
In integrated circuits, information leakage is determined by the flip state of the gate circuit at the CMOS gate level. At the register level, the register is composed of multiple inverters, information leakage depends on the frequency of the inverters flip.
Ideally, the current variation of the integrated circuit is caused by the change of the logic state of the circuit. The electromagnetic leakage of integrated circuit is caused by the current flow of controller, input/output, data processing, or chip part. Most integrated circuits generally work under the control of clock signals. In each clock cycle, the corresponding short-term logic state conversion will be completed. At the same time, there will be corresponding current variations in the data processing module due to data changes. The state transition process is often completed instantaneously, and will remain in a stable state after completion until the arrival of the next clock cycle. In each clock cycle, the state transition and corresponding current variation are caused by a few bits in the data, so we can only consider the current variation in a single clock cycle.
For a certain cryptographic chip, the intermediate value state of the secret key is often stored in the registers. We consider a register as a structure similar to a CMOS inverter. When the register state changes, there will be a change in the current, resulting in electromagnetic emission. When we use the switching characteristics of the CMOS inverter, the inversion of the register state can often be completed in a short period of time, assuming that the two states before and after the j-th register flips are R and R , respectively. Therefore, the current generated by the j-th register flips under the controlling of the clock can be written as where α j is the j-th register current conversion coefficient, β j is the j-th register fan-out coefficient.

Modeling the Registers
With the development of microelectronics technology, the manufacturing process of the chip has reached the nm level. As a result, the size of a register is also extremely small. According to the antenna theory [27], the current element is one of the most basic electromagnetic emission elements in the emitting system. Therefore, a simple and effective method is to use the current element to analyze the emission of the integrated circuit. This method is also applicable to any structure of the emitting system. The current element is usually used in electric dipoles, any actual emitting system can be decomposed into many continuous current filaments, then subdivided into electric dipoles. The field of the emitting system can be found by the sum of the contributions of these electric dipoles. Therefore, the register with current can be equivalent to an electric dipole and the current is approximately uniformly distributed. The primary electric dipole is shown in Figure 6, which is a short conducting wire of length l. We assume the current I in the short conducting wire to be uniform. The electromagnetic retarded vector potential A in Figure 6 is where µ 0 is the permeability of free space, r is the distance from point O to point P, k = 2π λ . It is convenient to use spherical coordinate system when calculating electromagnetic field, the transformation from Cartesian coordinate system to spherical coordinate system is given in Equation (3 The spherical components of A = e r A r + e θ A θ + e φ A φ are The magnetic field strength H can be obtained So the spherical components of the magnetic field strength H is During the process of signal acquisition, the magnetic probe is close to the region where the cryptographic chip works. In this region, kr 1, so this region is often called the near zone. In the near zone, 1 kr 1 (kr) 2 and e −jkr ≈ 1. The leading term in Equation (6) is where we ignore other terms. Therefore, the magnetic field strength H generated by the registers are where n is the number of registers.

Modeling the Magnetic Probe
The magnetic probe is mainly a sensing element composed of an inductive coil, which can be considered as an electromagnetic sensor. When the magnetic probe is used to detect the electromagnetic signal, the magnetic induction intensity B can pass through the receiving area S of the probe vertically by adjusting the direction of the probe. According to Faraday's law of electromagnetic induction [28], the induced electromotive force of the probe is where N is the number of turns of the coil in the probe. The equivalent circuit for the magnetic probe is given in Figure 7. L 0 is the loop inductance, C 0 is the loop capacitance, R L is the load resistance. So the output voltage u o can be written as where In the experimental environment, l can be regarded as constant values. For a given magnetic probe, the parameters L 0 , C 0 , R L , N, S are constant values. Besides, the low noise amplifier provides a gain of η. Considering the noise influence, the Equation (10) can be simplified as where The Equation (11) is the proposed electromagnetic leakage model. We can see that the output of the magnetic probe u o is positively correlated with the number of flip registers

Electromagnetic Leakage Model Based on Multiple Linear Regression
In this section, an electromagnetic leakage model based on multiple linear regression is built and the model is validated by multiple linear regression (MLR). Finally, we discuss the experimental results and recover the secret key of AES algorithm successfully.

Multiple Linear Regression
Multiple linear regression is usually used to study the relationship between an output variable y and multiple input variables denoted X = (x 1 , · · · , x k ).
Multiple linear regression in matrix form is where The most popular estimation method in linear regression is least square method. The estimation of β can be calculated bŷ The estimation ofŷ isŷ = Xβ The determination coefficient R 2 of linear estimation is a value in [0,1], which reflects the similarity of model fitting. The larger the value, the better the similarity of fitting.
Comparing Equation (11) with Equation (12), if the states change of the registers (R j ⊕ R j ) is regarded as the input variable x k , k j is regarded as β k and the output voltage u o is regarded as the output variable y, then the electromagnetic leakage process can be modeled by multiple linear regression. Its correctness also can be verified by the determination coefficient of multiple linear regression. The determination coefficient of the correct key should be higher than other key candidates.
The main process of electromagnetic leakage model to recover the secret key is shown in Algorithm 1.

Algorithm 1: Electromagnetic Leakage Model Based On Multiple Linear Regression.
Input: Electromagnetic traces T, Ciphertexts C; Output: the optimal key guess key optimal 1 key guess = 0; 2 while key guess < 2 n do 3 (R, R ) = ComputeRV(C, key guess ); //Compute the registers' states 4 ∆R = R ⊕ R ; 5 R square = MLR(T, ∆R); //Compute the determination coefficient R 2 6 key guess + + 7 end 8 key optimal = Max(R square ); //Select the optimal key guess 9 return key optimal Guess entropy is a common metric used in side-channel analysis [29,30]. It is defined as the average key rank number of the correct key candidate in all key candidates with an optimal strategy. The optimal strategy means to rank the key candidates from most to least likely based on the value of the correlation analysis. The guess entropy can be used to evaluate the effectiveness of the electromagnetic leakage model. The determination coefficient can be used as the value of the correlation analysis.

Experiment Result
Using the experimental platform shown in Section 2, we record 6000 electromagnetic leakage traces with sampling rate 500 MSa/s. The near field experiment is conducted in an unshielded ordinary indoor environment. We use the collected electromagnetic traces to verify the electromagnetic leakage model. AES algorithm is a symmetrical block cipher algorithm, so we use single block (8 bits) as the input variables of multiple linear regression. In this paper, we implement the electromagnetic leakage model based on multiple linear regression experiments on a 2.1 GHz Intel Core E5 windows platform with 64 GB RAM.
Taking the first byte of the secret key for example, the experimental result is illustrated in Figure 8. There is an obvious higher peak at the position of 19 on the horizontal axis in Figure 8 which indicates the correct key is 19 and the fitting similarity of the correct key is much better than that of other key candidates. According to the test for overall significance, the p values of different key candidates are shown in Figure 9. We can see that when the key candidate is 19, its p value is 4.54 × 10 −22 . It can be considered to reject the null hypothesis. The relationship between determination coefficient R 2 and the number of electromagnetic traces is shown in Figure 10. Blue line is the determination coefficient R 2 of the correct key, the other lines are other key candidates. The determination coefficient of the correct key is separated from the others with the increasing number of electromagnetic traces. It needs about 600 electromagnetic traces to recover the secret key successfully. When the number of trace is less than 600, it's difficult to distinguish them because of noise influence. More electromagnetic traces can eliminate the influence of noise to a certain extent.
In order to evaluate the effectiveness of the electromagnetic leakage model, partial guess entropy of the correct key candidate is calculated and is shown in Figure 11. According to Figure 10, it can be known that when the number of electromagnetic trace is more than 1000, the correct key candidate is already recovered. More electromagnetic traces can not provide further help except to increase the computational complexity. Therefore, we only consider the partial guess entropy within 1000. When the number of electromagnetic trace is small, the partial guess entropy is lower than 200. It is difficult to recover the key under this condition. With a smaller number of traces increase, the guessing entropy is significantly reduced. When the number of electromagnetic trace is 400, the guess entropy is ranked in the first few positions. Around 600 electromagnetic traces, the partial guess entropy falls to the first position indicating the key is recovered correctly. When the number of electromagnetic trace is more than 600, the partial guess entropy is in a stable state and remains in the first position. The partial guess entropy also proves that the proposed electromagnetic leakage model can be used to recover the key of the cryptographic algorithm.

Conclusions
In this paper, we proposed an electromagnetic information leakage model to explore the secret key in cryptographic integrated circuits. The electric dipole models were built to characterize the electromagnetic leakage. A magnetic probe was used to receive electromagnetic leakage signal and bridge the output voltage and the electromagnetic leakage signal. Both of them constituted the electromagnetic information leakage model. The model illustrated the relationship between the electromagnetic leakage signal and secret key. Besides, we proposed an electromagnetic leakage model based on multiple linear regression to recover the secret key. The correctness of the model was validated by multiple linear regression according to near field tests and its effectiveness was evaluated by guess entropy. The experiment results showed the proposed electromagnetic leakage model can be used to recover the secret key of the cryptographic algorithm. The electromagnetic leakage model also can be applied to other micro cryptographic devices, such as smart cards, embedded devices, microcomputers, and other micromachines, because these devices have the similar physical structure. Other cryptographic algorithms also can use a similar method to characterize the electromagnetic information leakage. However, we haven't done the relevant experiments on these devices which remain to be studied in the future. Besides, the specific values in the electromagnetic leakage model will also be explored in our future work.